Play interactive tour

Edit tour

Analysis Report SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Overview

General Information

Sample Name:	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Analysis ID:	377536
MD5:	e1c700344a31aee275b86a0cc5fe707b
SHA1:	e1ca62a65559a00eac9096f7b1e0de69d82fd0c8
SHA256:	fa07eeabe6dc625c92894a62137f8c2cfb445b8e3daddd19ee3c44c00a84a708
Infos:
Most interesting Screenshot:

Detection

Score:	32
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

PE file has a writeable .text section

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Is looking for software installed on the system

May infect USB drives

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Startup

System is w10x64

SureServoPROInstall_V4_1_0_5_DB2_0_8.exe (PID: 6312 cmdline: 'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' MD5: E1C700344A31AEE275B86A0CC5FE707B)

setup.exe (PID: 6356 cmdline: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe' MD5: 88340D6E1DE3ED49364A64B3D8796AF6)

ISBEW64.exe (PID: 6544 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8FD074B-9EF5-416D-A3EE-6D8FB115C83F} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6584 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BED6DCE-3BD7-42E3-BF6F-81E3F37201FD} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6624 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30C7FFBC-292B-4310-AFE7-0365F4C35832} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6656 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C15C7E7D-7890-420A-86BA-7E9024358B47} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6696 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6332241F-264C-4388-88EB-7A98CF4DBA83} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6744 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1BE9E7C-E67D-4CF9-BA65-428ACD016A71} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

ISBEW64.exe (PID: 6784 cmdline: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{176CEB1A-A045-48A9-ADF5-06CDBA606E31} MD5: 8A1E5A6B1C4E0C7D706EB2B36FA6C8EA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: certificate valid

Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is63FD.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000003.00000002.699468511.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000004.00000002.700463534.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000005.00000000.699946688.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000006.00000002.703456704.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000007.00000002.934477118.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000008.00000002.934475084.00007FF7F3997000.00000002.00020000.sdmp

Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	Binary or memory string: autorun.inf
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Binary or memory string: [autorun]
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Binary or memory string: autorun.infDisk1\autorun.inf0.0.0.043[autorun]
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Binary or memory string: autorun.infDisk1\autorun.inf0.0.0.043[autorun]
Source: layout.bin.0.dr	Binary or memory string: setup.iniautorun.infsetup.bmpsetup.inxISSetup.dll0x0409.inidata1.hdrdata1.cabdata2.cablayout.binsetup.exe

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,		0_2_0042C966
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,		0_2_00451BC7

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	String found in binary or memory: http://=0x%04x.iniMS
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	String found in binary or memory: http://deviis4.installshield.com/NetNirvana/data2.cabDisk1
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://s2.symcb.com0
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	String found in binary or memory: http://support.automationdirect.com
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	String found in binary or memory: http://support.automationdirect.com8
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://sv.symcd.com0&
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://www.flexerasoftware.com0
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	String found in binary or memory: http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	String found in binary or memory: https://d.symcb.com/rpa0

System Summary:

PE file has a writeable .text section

Show sources

Source: ISSetup.dll.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ISSetup.dll.1.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00493630	0_2_00493630
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_0045E9CF	0_2_0045E9CF
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00490B40	0_2_00490B40
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00475CA1	0_2_00475CA1
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_0044ECB8	0_2_0044ECB8
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F398CC64	2_2_00007FF7F398CC64
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F3981AD0	2_2_00007FF7F3981AD0
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F398FCE4	2_2_00007FF7F398FCE4
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F39942FC	2_2_00007FF7F39942FC
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F398D308	2_2_00007FF7F398D308
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F3984230	2_2_00007FF7F3984230
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F3984E10	2_2_00007FF7F3984E10
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F398F11C	2_2_00007FF7F398F11C

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 004091B8 appears 84 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 0045B8C9 appears 169 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 00459F9F appears 57 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 0045B8FF appears 44 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 00459FCD appears 43 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 0045A2FE appears 64 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 0041AE03 appears 31 times
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: String function: 0045B896 appears 110 times

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ISSetup.dll.1.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000000.663826376.0000000000519000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Binary or memory string: OriginalFilenameInstallShield Setup.exe< vs SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: ISSetup.dll.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Source: ISSetup.dll.1.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: sus32.evad.winEXE@17/97@0/0

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00447C87 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00447C87

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0041F883 _memset,lstrcpyW,lstrcatW,GetDiskFreeSpaceExW,GetDiskFreeSpaceW,

0_2_0041F883

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_004443E5 __EH_prolog3_GS,GetModuleHandleW,GetProcAddress,LoadLibraryW,GetProcAddress,CoCreateInstance,

0_2_004443E5

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00420149 __EH_prolog3_catch_GS,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

0_2_00420149

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe

Mutant created: \Sessions\1\BaseNamedObjects\62E0592E-B1C0-499B-83F6-829789BDBD51

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}

Jump to behavior

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

File read: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.ini

Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

File read: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe 'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe'
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8FD074B-9EF5-416D-A3EE-6D8FB115C83F}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BED6DCE-3BD7-42E3-BF6F-81E3F37201FD}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30C7FFBC-292B-4310-AFE7-0365F4C35832}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C15C7E7D-7890-420A-86BA-7E9024358B47}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6332241F-264C-4388-88EB-7A98CF4DBA83}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1BE9E7C-E67D-4CF9-BA65-428ACD016A71}
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{176CEB1A-A045-48A9-ADF5-06CDBA606E31}
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8FD074B-9EF5-416D-A3EE-6D8FB115C83F}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BED6DCE-3BD7-42E3-BF6F-81E3F37201FD}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30C7FFBC-292B-4310-AFE7-0365F4C35832}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C15C7E7D-7890-420A-86BA-7E9024358B47}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6332241F-264C-4388-88EB-7A98CF4DBA83}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1BE9E7C-E67D-4CF9-BA65-428ACD016A71}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{176CEB1A-A045-48A9-ADF5-06CDBA606E31}	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

File written: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\0x0409.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Jump to behavior

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: certificate valid

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static file information: File size 26675560 > 1048576

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\CodeBases\isdev\redist\Language Independent\i386\ISP\setup.pdb source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\_IsRes2k\0009-English\Debug\_isres_0x0409.pdb source: _is63FD.tmp.1.dr
Source:	Binary string: C:\CodeBases\isdev\Src\Runtime\InstallScript\ISBEW64\x64\Release\ISBEW64.pdb source: ISBEW64.exe, 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000003.00000002.699468511.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000004.00000002.700463534.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000005.00000000.699946688.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000006.00000002.703456704.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000007.00000002.934477118.00007FF7F3997000.00000002.00020000.sdmp, ISBEW64.exe, 00000008.00000002.934475084.00007FF7F3997000.00000002.00020000.sdmp

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0047A0BB EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_0047A0BB

Source: initial sample

Static PE information: section where entry point is pointing to: .rsrc

Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Static PE information: real checksum: 0x19773c0 should be:

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00466655 push ecx; ret		0_2_00466668
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_0045B864 push ecx; ret		0_2_0045B877

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6A20.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6270.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is64CC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is55FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is66F7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5827.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5CEA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5758.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is59F4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is61D2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6922.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6893.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6766.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5DE8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is63FD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5D4A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is69C0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is632E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6668.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6824.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is636E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C1B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is57C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is646C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5994.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6ABE.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp	Jump to dropped file
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	File created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\ISSetup.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is58F6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5560.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is656A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is65CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File created: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5B8C.tmp	Jump to dropped file

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0048A330 GetLastError,SetLastError,_memset,lstrcpyA,_memset,lstrcpyW,lstrlenA,_memset,lstrcpyA,lstrlenA,lstrlenA,_memmove,lstrcmpiA,GetLastError,SetLastError,_memmove,GetPrivateProfileIntA,_memset,lstrcpyA,GetPrivateProfileStringA,GetSysColor,_memset,_memset,GetPrivateProfileSectionNamesA,lstrcpyA,lstrcpyA,lstrlenA,lstrcpyA,GetPrivateProfileStringA,GetSysColor,GetLastError,SysFreeString,SysFreeString,SysFreeString,SetLastError,lstrcpyA,lstrlenA,lstrcmpA,lstrcpyA,GetPrivateProfileStringA,GetProcAddress,

0_2_0048A330

Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe

Code function: 2_2_00007FF7F398CC64 RtlEncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_00007FF7F398CC64

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6A20.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6270.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is64CC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is55FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is66F7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5827.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5CEA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5758.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is59F4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is61D2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6922.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6893.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6766.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5DE8.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is63FD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5D4A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is69C0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6668.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is632E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6824.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is636E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C1B.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is57C7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is646C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5994.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6ABE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is58F6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C8A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5896.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5560.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is656A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is65CA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5B8C.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_2-8764

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-36314

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	API coverage: 9.6 %

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_0042C966 FindFirstFileW,GetFileAttributesW,SetFileAttributesW,DeleteFileW,		0_2_0042C966
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_00451BC7 __EH_prolog3_GS,FindFirstFileW,lstrcmpW,lstrcmpW,FindNextFileW,RemoveDirectoryW,__CxxThrowException@8,DeleteFileW,		0_2_00451BC7

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0041A1F5 VirtualQuery,GetSystemInfo,MapViewOfFile,

0_2_0041A1F5

Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachinek
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp	Binary or memory string: 0_IsVirtualMachineT
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp	Binary or memory string: 0_IsVirtualMachine
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachine'+S
Source: setup.exe, 00000001.00000002.945234294.0000000005B91000.00000040.00020000.sdmp, isr5430.tmp.1.dr	Binary or memory string: _GetVirtualMachineType
Source: setup.exe, 00000001.00000002.938253561.00000000034B4000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachine=%ld
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp	Binary or memory string: 0_GetVirtualMachineType&
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp	Binary or memory string: 0_GetVirtualMachineType
Source: setup.exe, 00000001.00000002.938253561.00000000034B4000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachineDH
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp, isr5430.tmp.1.dr	Binary or memory string: _IsVirtualMachine
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachine
Source: setup.exe, 00000001.00000002.937827081.0000000003300000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachine>
Source: setup.exe, 00000001.00000002.944364655.0000000005864000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachine=%ldR+
Source: setup.exe, 00000001.00000002.945234294.0000000005B91000.00000040.00020000.sdmp, isr5430.tmp.1.dr	Binary or memory string: AddIconCallDLLFnComponentViewCreateWindowComponentViewDestroyComponentViewRefreshComponentViewSelectAllComponentViewSetInfoComponentViewSetInfoExCreateFolderDeleteFolderDeleteIconEnableHourGlassEnumFoldersItemsGetCPUTypeGetFontSubGetHandleGetPortsGetSelectedItemStateIsEmptyIsNTAdminIsOSTypeNTIsObjectIsPowerUserLangLoadStringMessageBeepPPathCompactPathPixelPathCrackUrlPathGetDirPathGetDrivePathGetFilePathGetFileExtPathGetFileNamePathGetLongFromShortPathGetPathPathIsValidSyntaxQueryIconReadArrayPropertyReadBoolPropertyReadNumberPropertyReplaceIconShowFolderTextSubSubstituteVerGetFileVersionWriteArrayPropertyWriteBoolPropertyWriteNumberPropertyWriteStringProperty_AppSearch_BrowseForFolder_CCPSearch_CHARArrayToWCHARArray_CalculateAndAddFileCost_CleanupInet_CloseFile_CmdGetHwndDlg_CmdGetMsg_CmdGetParam1_CmdGetParam2_CoGetObject_CompareDWORD_ComponentAddItem_ComponentCompareSizeRequired_ComponentError_ComponentErrorInfo_ComponentFileEnum_ComponentFileInfo_ComponentFilterLanguage_ComponentFilterOS_ComponentGetCost_ComponentGetCostEx_ComponentGetData_ComponentGetItemSize_ComponentGetTotalCost_ComponentGetTotalCostEx_ComponentInitialize_ComponentIsItemSelected_ComponentListItems_ComponentLoadTarget_ComponentMoveData_ComponentPatch_ComponentReinstall_ComponentRemoveAll_ComponentRemoveAllInLogOnly_ComponentSaveTarget_ComponentSelectItem_ComponentSelectNew_ComponentSetData_ComponentSetupTypeEnum_ComponentSetupTypeGetData_ComponentSetupTypeSet_ComponentTotalSize_ComponentTransferData_ComponentUpdate_ComponentValidate_ComponentViewCreate_ComponentViewQueryInfo_CopyBytes_CreateDir_CreateObject_CreateRegistrySet_CreateShellObjects_CtrlGetNotificationCode_CtrlGetParentWindowHelper_CtrlGetSubCommand_CtrlGetUrlForLinkClicked_CtrlSetHtmlContent_CtrlSetMLERichText_DIFxDriverPackageGetPath_DIFxDriverPackageInstall_DIFxDriverPackagePreinstall_DIFxDriverPackageUninstall_DefineDialog_DeleteCHARArray_DialogSetFont_DisableBranding_DisableStatus_Divide_DoInstall_DoSprintf_DotNetCoCreateObject_DotNetUnloadAppDomain_EnableDialogCache_EnablePrevDialog_EnableSkins_EnableStatus_EnableWow64FsRedirection_EndDialog_ExistsDir_ExistsDisk_ExistsFile_ExitInstall_FeatureAddCost_FeatureAddUninstallCost_FeatureGetCost_FeatureInitialize_FeatureSpendCost_FeatureSpendUninstallCost_FileCopy_FloatingPointOperation_GenerateFileMD5SignatureHex_GetByte_GetCurrentDialogName_GetDiskInfo_GetDiskSpaceEx_GetDiskSpaceExEx_GetFont_GetGlobalFlags_GetGlobalMemorySize_GetInetFileSize_GetInetFileTime_GetLine_GetLineSize_GetObject_GetObjectByIndex_GetObjectCount_GetProcessorInfo_GetRunningChildProcess_GetRunningChildProcessEx_GetRunningChildProcessEx2_GetSelectedTreeComponent_GetStandardLangId_GetSupportDir_GetSystemDpi_GetTrueTypeFontFileInfo_GetVirtualMachineType_InetEndofTransfer_InetGetLastError_InetGetNextDisk_InitInstall_IsFontTypefaceNameAvailable_IsInAdminGroup_IsLangSupported_IsSkinLoaded_IsVirtualMachine_IsWindowsME_IsWow64_KillProcesses_ListAddItem_ListAddString_ListCount_ListCreate_ListCurrentIte
Source: setup.exe, 00000001.00000002.937675505.000000000323B000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachineR4B
Source: setup.exe, 00000001.00000002.937675505.000000000323B000.00000004.00000001.sdmp	Binary or memory string: 0_GetVirtualMachineTypeIg
Source: setup.exe, 00000001.00000002.937591615.0000000003200000.00000004.00000001.sdmp	Binary or memory string: 0bIsVirtualMachined

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	API call chain: ExitProcess graph end node			graph_0-35378
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	API call chain: ExitProcess graph end node			graph_2-8765

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

0_2_0047A0BB

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

0_2_0047A0BB

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

0_2_0047A0BB

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00430226 GetFileSize,GetProcessHeap,HeapAlloc,ReadFile,_strlen,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,ReadFile,GetProcessHeap,HeapFree,

0_2_00430226

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Code function: 0_2_004638EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004638EA
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F398DCD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00007FF7F398DCD4
Source: C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe	Code function: 2_2_00007FF7F39907D8 SetUnhandledExceptionFilter,	2_2_00007FF7F39907D8

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	Process created: C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'			Jump to behavior

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0041BFB9 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,CreateWellKnownSid,SetEntriesInAclW,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,SetSecurityDescriptorDacl,CoInitializeSecurity,

0_2_0041BFB9

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00450887 GetCurrentThread,OpenThreadToken,GetLastError,GetLastError,GetCurrentProcess,OpenProcessToken,GetLastError,GetTokenInformation,GetTokenInformation,GetLastError,GetTokenInformation,AllocateAndInitializeSid,EqualSid,FreeSid,

0_2_00450887

Source: setup.exe, 00000001.00000002.947955047.0000000010001000.00000040.00020000.sdmp	Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES,
Source: setup.exe, 00000001.00000002.934167800.000000000093B000.00000004.00000020.sdmp	Binary or memory string: OPTYPE_PROGMAN0q
Source: setup.exe, 00000001.00000002.943380084.0000000005247000.00000004.00000001.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: setup.exe, 00000001.00000002.948226450.0000000010239000.00000040.00020000.sdmp	Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: setup.exe, 00000001.00000002.934167800.000000000093B000.00000004.00000020.sdmp	Binary or memory string: OPTYPE_PROGMAN
Source: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe, 00000000.00000002.933958937.0000000001010000.00000002.00000001.sdmp, setup.exe, 00000001.00000002.934223950.0000000000B80000.00000002.00000001.sdmp, ISBEW64.exe, 00000002.00000002.933628718.000001A0A5D50000.00000002.00000001.sdmp, ISBEW64.exe, 00000007.00000002.933619409.000001EB7B690000.00000002.00000001.sdmp, ISBEW64.exe, 00000008.00000002.933582892.0000022320160000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	Binary or memory string: OPTYPE_PROGMANQ

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: GetLocaleInfoW,TranslateCharsetInfo,IsValidLocale,

0_2_004125AD

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_0043B52C __EH_prolog3_GS,GetCurrentProcessId,_memset,GetLocalTime,GetModuleFileNameW,

0_2_0043B52C

Source: C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Code function: 0_2_00430174 GetVersionExW,

0_2_00430174

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Replication Through Removable Media1	Command and Scripting Interpreter1	Application Shimming1	Access Token Manipulation1	Access Token Manipulation1	OS Credential Dumping	System Time Discovery1	Replication Through Removable Media1	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API3	Boot or Logon Initialization Scripts	Process Injection2	Process Injection2	LSASS Memory	Query Registry1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Application Shimming1	Deobfuscate/Decode Files or Information1	Security Account Manager	Security Software Discovery31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Process Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Peripheral Device Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery3	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery26	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	0%	Virustotal	Browse
SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	3%	Metadefender	Browse
SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\ISSetup.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\ISSetup.dll	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp	4%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp	3%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://=0x%04x.iniMS	0%	Avira URL Cloud	safe
http://support.automationdirect.com8	0%	Avira URL Cloud	safe
http://www.flexerasoftware.com0	0%	URL Reputation	safe
http://www.flexerasoftware.com0	0%	URL Reputation	safe
http://www.flexerasoftware.com0	0%	URL Reputation	safe
http://www.flexerasoftware.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://deviis4.installshield.com/NetNirvana/	setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	false		high
http://deviis4.installshield.com/NetNirvana/data2.cabDisk1	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	false		high
http://=0x%04x.iniMS	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	false	Avira URL Cloud: safe	low
http://support.automationdirect.com8	setup.exe, 00000001.00000002.934145303.0000000000917000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	false		high
http://support.automationdirect.com	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe	false		high
http://www.flexerasoftware.com0	setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.symauth.com/cps0(	setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	false		high
http://www.symauth.com/rpa00	setup.exe, 00000001.00000002.948173876.00000000101BB000.00000040.00020000.sdmp, _is5560.tmp.1.dr	false		high
http://ocsp.thawte.com0	setup.exe, 00000001.00000003.691546035.0000000000975000.00000004.00000001.sdmp, _is5560.tmp.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	377536
Start date:	29.03.2021
Start time:	18:07:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus32.evad.winEXE@17/97@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 23.4% (good quality ratio 18.4%) Quality average: 58.5% Quality standard deviation: 37%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp	https://www.thepaynegroup.com/downloads/metadata/clients/blakecassels/ma5enterprise64.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp	https://www.thepaynegroup.com/downloads/metadata/clients/blakecassels/ma5enterprise64.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\0x0409.ini Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22490
Entropy (8bit):	3.484827950705229
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
MD5:	8586214463BD73E1C2716113E5BD3E13
SHA1:	F02E3A76FD177964A846D4AA0A23F738178DB2BE
SHA-256:	089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
SHA-512:	309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\0x0409.ini Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	22490
Entropy (8bit):	3.484827950705229
Encrypted:	false
SSDEEP:	384:CTmyuV//BiTbh/Y4AwC2WrP2DBWa/Oa0Mhs+XVgv:CT6V//BiXh/N/lWr0aa0Mhs+XVgv
MD5:	8586214463BD73E1C2716113E5BD3E13
SHA1:	F02E3A76FD177964A846D4AA0A23F738178DB2BE
SHA-256:	089D3068E42958DD2C0AEC668E5B7E57B7584ACA5C77132B1BCBE3A1DA33EF54
SHA-512:	309200F38D0E29C9AAA99BB6D95F4347F8A8C320EB65742E7C539246AD9B759608BD5151D1C5D1D05888979DAA38F2B6C3BF492588B212B583B8ADBE81FA161B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..[.0.x.0.4.0.9.].....1.1.0.0.=.S.e.t.u.p. .I.n.i.t.i.a.l.i.z.a.t.i.o.n. .E.r.r.o.r.....1.1.0.1.=.%.s.....1.1.0.2.=.%.1. .S.e.t.u.p. .i.s. .p.r.e.p.a.r.i.n.g. .t.h.e. .%.2.,. .w.h.i.c.h. .w.i.l.l. .g.u.i.d.e. .y.o.u. .t.h.r.o.u.g.h. .t.h.e. .p.r.o.g.r.a.m. .s.e.t.u.p. .p.r.o.c.e.s.s... . .P.l.e.a.s.e. .w.a.i.t.......1.1.0.3.=.C.h.e.c.k.i.n.g. .O.p.e.r.a.t.i.n.g. .S.y.s.t.e.m. .V.e.r.s.i.o.n.....1.1.0.4.=.C.h.e.c.k.i.n.g. .W.i.n.d.o.w.s.(.R.). .I.n.s.t.a.l.l.e.r. .V.e.r.s.i.o.n.....1.1.0.5.=.C.o.n.f.i.g.u.r.i.n.g. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r.....1.1.0.6.=.C.o.n.f.i.g.u.r.i.n.g. .%.s.....1.1.0.7.=.S.e.t.u.p. .h.a.s. .c.o.m.p.l.e.t.e.d. .c.o.n.f.i.g.u.r.i.n.g. .t.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .o.n. .y.o.u.r. .s.y.s.t.e.m... .T.h.e. .s.y.s.t.e.m. .n.e.e.d.s. .t.o. .b.e. .r.e.s.t.a.r.t.e.d. .i.n. .o.r.d.e.r. .t.o. .c.o.n.t.i.n.u.e. .w.i.t.h. .t.h.e. .i.n.s.t.a.l.l.a.t.i.o.n... .P.l.e.a.s.e. .c.l.i.c.k. .R.e.s.t.a.r.t. .t.o. .r.e.b.o.o.t. .t.h.e. .s.y.s.t.e.m.......1.1.0.8.

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\ISSetup.dll Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	807696
Entropy (8bit):	7.773931629042238
Encrypted:	false
SSDEEP:	12288:DIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZc:DIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5c
MD5:	05E267CD74E51EFC3A9422AF3F85F6CD
SHA1:	B369F04872D31DB0D34D96014BB57BD2776AD84B
SHA-256:	0C98534B5A70E6CFA28D22BF71CE0C3F099B8F29BDD08DC39738C7D3179B22D2
SHA-512:	33BCA3B5ADE3C8A6065E470F4AAA4A2019C1B2C3324D84F71C45A5136CC8A8944EC73A1970F45D53569784B5DE624093EB08CA943A4CEBD6BD0237E5DBE50D58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......l.j.(...(...(......).....1...........c......./.......)...(...4}......=......#....../......S......)......)...(...)......)...Rich(...................PE..L.....yY...........!.....(...*......E.%......P................................%......M..............................8.%.G.....%.......#.0............6........%.....`X..8....................................................k.......................text.....#......"......PEC2MO...... ....rsrc.........#......&.............. ....reloc........%......4..............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\autorun.inf Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	Microsoft Windows Autorun file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.9336877903443295
Encrypted:	false
SSDEEP:	3:It1KVm0QVkT2Vk9:e1K/AkTyk9
MD5:	01992077575FE1FEFE6C7CD35DE9C143
SHA1:	019D2DF4F51DC46552AF7B147678104F9CA71B2B
SHA-256:	31A7E507A8C26F4D4DA0A7B8CE59EC9AF65959E4332A6B6115C1968D9D4D15A2
SHA-512:	3B662A894E0418A4B1C6D6AA29E41CE1081048D19FDCF702833B520B22A9D29C5DC8340FBAB3BE31687719D7B4963541E5603A5C429DC945FB4478B0E3358A69
Malicious:	false
Preview:	[autorun]..open=Setup.exe..icon=Setup.exe..

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\data1.cab Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	7306253
Entropy (8bit):	7.99568327602191
Encrypted:	true
SSDEEP:	196608:hvKkS/vK+2IzIg/Os3VSCyZ6a4oo/OGHWDgSgWd/bJcbiHQ6nZk:hikS/i+psg/Os3VSCyZ6a4oo/OGHWDgf
MD5:	E147FF02C54D48B2A41DE1F3A1106324
SHA1:	8F47CB86B69E311345C191959230D5344B7CD9F7
SHA-256:	FE29FAE444C13656AB226FBDA2A19275467DDA8E93A60D3A5D2698FB3D5BCA8E
SHA-512:	53E44B91E3AC481695D2A48D06218D88F03460929119B20930AB50B0424E96661F4C516DB4BE011BB49EA7EE500C340AF891B2875BB2E259DDF5DB49507BDC38
Malicious:	false
Preview:	ISc(............................V.............................................................................................................................................................................................................................................................................................................................................................Y.b...I.......Q..................tgB.].EQ.sh...S..6F.&....Jm`.D...dF.c,Z.{o$.....................................................mS.n.0....?.....}.z.....A..r...DX..K...CZ..#...93;3..tLQ.t0.d..!.?9.R.\..Y../.2...-..u/...H.rI.&.PP..i"i.nL2....t.6U.^.(..).!.5...:.AM@qM....u.L.X .>...gz..0.k.D.9\|.H..>...E..+...g!9xL.\.".:..j.<...;... 1r.2....3.n:VnDyE..4.1........@.;...N.P..0..1V........Vd.=@.Y<.K...Z...Y.y.f.g...,O....8..m..!+....C*..d\|..MF=W.FI..kK.../...- C.......{9..DG./...f..Z...7s..{C.................F.$~.2...h>K.c.>...>p.'..J..bnW\v...)...;..~]..G/...]3..S.!/F..=...=...~o........lg\|.}

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\data1.hdr Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	InstallShield CAB
Category:	dropped
Size (bytes):	34512
Entropy (8bit):	3.564088931334005
Encrypted:	false
SSDEEP:	768:glvtFvfaIZjgIO6SaJvr5gp8XA/lINy+7Ijrwsfw5D:glvDvvPxIjrjqD
MD5:	BC250A5D0A3A07926924129D9C8089A7
SHA1:	671765ED01DDC6A97C5E74C042FF74A4252443B8
SHA-256:	2DBDD9CECDB45CC415278FF48FBB91EC4C8CA7D30B103E111DEB6CEDB1E44098
SHA-512:	CED97FD79F9D91370AA9855D72927ED1B1C3FD2FD65DBC6CCD10B091E7F48CDC33FB6BD0EA736BF0A802D90C84ED88C4CB0B5C44F5731F797AF769DD22AE8A2C
Malicious:	false
Preview:	ISc(.............N.............................................................................B~..........................................................................................................................................................................................................................................................................................Y.b...I.......Q..................tgB.].EQ.sh...S..6F.&....Jm`.D...dF.c,Z.{o$....................................................=...........N.......6...6..............u.........+...................1...............I...U.......a...m...y............................................................................................................ ..! ..- ..9 ..........................................E ..........Q ......] ..i ..............u ... ... ... ... ............... ............... ....... ... ................................... ....................... ...!.......!..............................)!..........5!

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\layout.bin Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	data
Category:	dropped
Size (bytes):	610
Entropy (8bit):	2.0732183138745826
Encrypted:	false
SSDEEP:	6:oMaqUlfMEl/qDjO2CbwkR5aSelhCnXl8JDWLNglETl127W7Jtn:o5flftaO2tk/aSakQyBTj
MD5:	C9D89E0C09500FBEE7C9E8916ABA26AC
SHA1:	2D8D315437E2055F3C5D4ADE094AC3FB01E54B0A
SHA-256:	8F794018826D9A76DF0897244E0EC6E9B68F57F2FF940B08AA573F53B8CBB34B
SHA-512:	DBA7D1454F7695FADC2C8D7B3E08746F195781CC1E2166DAEC3AC506E60BDB82C9C2BD03981C7C099BF69026AFBF0E15262A1A51B0078827103BB82606703973
Malicious:	false
Preview:	c..S.@..b..........@.(...................................................................................................................................................................................................................................................... ...L.....%.........x...............................$...8...N...............................................s.e.t.u.p...i.n.i.....a.u.t.o.r.u.n...i.n.f...s.e.t.u.p...b.m.p...s.e.t.u.p...i.n.x...I.S.S.e.t.u.p...d.l.l...0.x.0.4.0.9...i.n.i...d.a.t.a.1...h.d.r...d.a.t.a.1...c.a.b...d.a.t.a.2...c.a.b...l.a.y.o.u.t...b.i.n...s.e.t.u.p...e.x.e...

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.bmp Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	PC bitmap, Windows 3.x format, 640 x 480 x 8
Category:	dropped
Size (bytes):	308278
Entropy (8bit):	5.797980736269797
Encrypted:	false
SSDEEP:	3072:JtDZFgZ72kTNsyfMXT9J2UUrDQjJk0YE4wg:MZ72kTaXT9QdYt5M
MD5:	F194EA7CDAF317D96FE18D056B45D481
SHA1:	A71E90D631BF9ECD2D68E5620C23E704B1B6364C
SHA-256:	22B6525B8F0825AFD510ED60D0EAD259576DE32F38B4C501EA13BB49006D2218
SHA-512:	777038F077C772BF002AE1FBC26D5FD9E7FA741B87CFC907574A7537DC4B97B3893DDA4178E8D1412D260CBAF065A2A0B3AC136ABEA3D5919BE62F5B6DF1194D
Malicious:	false
Preview:	BM6.......6...(.............................................................................................................."...."..#!....". .#..#(.%&.1+-.(3,.33-.+2.1-3.,26.112.A<=.3H8.IL7.Td3../E.7;C...r..i.--r.A>B.@?r.:DK.;iI.8Ok.:ps.EFI.RKL.GTL.VSL.HKS.RNR.JSX.VVY.a]\.GsS.kmE.juH.pxM.cb].ksY.uyX.FJd.SMb.KWc.Y\c.FFx.UJx.N_s.VXt.a^b.b]x.Zdj.ggi.rll.irl.stk.hls.qnr.jsx.wwx..u>..vX..xN..oh..sn..\|c..\|{..~H.j.=.>.R.I.[.x.J.Q.f.t.z.Z.v.b.\|...V...V...[...v...m...r...~..V..k..w.....!....(..(...... ....&..,+..E?..A=..4C..;~../S..ON..b\..Os..gh..kw..w\|..jk..xn..m~..ux..MM..eZ..sr......!....)../....... ....&../-..C<..@>..%@..<k..?K..LL..a^..oo..ON..`_..ts...~..;...O...h...{...g...x...n...z...l...\|...^...g...z...y...o..\|......~..............................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201936
Entropy (8bit):	6.693264418797218
Encrypted:	false
SSDEEP:	24576:SGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVOCWCp:Tjk6PMUtgtJphMDw3llllVrGSVs+
MD5:	88340D6E1DE3ED49364A64B3D8796AF6
SHA1:	AB49D8F6556A2F5BA46857FBE82252D1BE3B67BD
SHA-256:	4026CFDBC97F2DF519BA28353057D8BC7CFFA7A4BCCD3F84239E28CEB7B1B50F
SHA-512:	DF1094BA3A47E0E2FE58DB48151FCB78922EF258353F951F7A89C12CA350ADE18F79C912A302EB8F606840A9BB3585F61E62CCF0CCC8127C89B751A80F3DFE67
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^y....s...s...s.....s......s.....s.....s....Z.s..o....s...r...s..o....s...7.s.....s.......s.....s.Rich..s.........................PE..L...d.yY.....................r....................@..................................Z.......................................B.......................:..................8...........................x4..@...............t...H:.. ....................text............................... ..`.rdata..............................@..@.data...$L...p...&...N..............@....rsrc................t..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.ini Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2424
Entropy (8bit):	3.6681367627408417
Encrypted:	false
SSDEEP:	48:rsAMoOOqqX1M74mcPTmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAM3OGdcrmqrvnp6kY05w7tCYOvlnAM
MD5:	EE5F7E849785DA28D45BFCA84922B060
SHA1:	A417AD5C622C639C768E8861F2F23CE3AEE468AA
SHA-256:	A2F559B772F12833B7873116A4A5FC4BA2ACBA26A0B4A2E4ADB6E4BE61FD6876
SHA-512:	F080B8DA812AD255C689B9FE2A6EDA9908B363BB28AD34CD8BE58D717A8616DD006F601E3CAA7D95B3E251437EE714B43C5E859CA17AE9E8BB0BA4F53EC4FAE7
Malicious:	false
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.S.u.r.e.S.e.r.v.o. .P.R.O.....P.r.o.d.u.c.t.G.U.I.D.=.6.2.E.0.5.9.2.E.-.B.1.C.0.-.4.9.9.B.-.8.3.F.6.-.8.2.9.7.8.9.B.D.B.D.5.1.....C.o.m.p.a.n.y.N.a.m.e.=.A.u.t.o.m.a.t.i.o.n. .D.i.r.e.c.t.....C.o.m.p.a.n.y.U.R.L.=.w.w.w...a.u.t.o.m.a.t.i.o.n.d.i.r.e.c.t...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.4.0.9.....R.e.q.u.i.r.e.E.x.a.c.t.L.a.n.g.M.a.t.c.h.=.0.x.0.4.0.4.,.0.x.0.8.0.4.....R.T.L.L.a.n.g.s.=.0.x.0.4.0.1.,.0.x.0.4.0.d.........[.0.x.0.4.0.9.].....0.x.0.4.

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.inx Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	data
Category:	dropped
Size (bytes):	259601
Entropy (8bit):	7.387400499116719
Encrypted:	false
SSDEEP:	3072:jAztrbh/sEXeBISOBQmRbXSP8A1ML1S4g4SNeJSfThMdU/L7Frt6Rec3pj3tCNMa:jAz5bl9xSEqNeJqOOxMecFtVkibw
MD5:	A7AEF385AB56FF232696DAB3C7D74C6D
SHA1:	48654BBB0FF5F14CDA79390D8438297440005220
SHA-256:	AB12A8B1F80818796EF14608323C809EB59875DC760BF4C685597952C8EAE545
SHA-512:	CACAB8F2B32CC48D992400D17FB83E7667C03C7922C9D43C1CDE4BFBFC16AB981941788F912C2E3833A259B5CBAA212805EE3FB51C03D5D9D48E27349028543D
Malicious:	false
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a.=mQ.Y]A..M1..)!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-...............................]......a..(..H....YQQEY.0.o=55.={.gC[..W.....O.So##` ......,..x8........X......]..H.........5MM.5s..gW.CKgCC.....;..TDh..8P@........8.....p.e..Q...\| h......%]1II.1....S[wSS.[.G.W.o....L.`H ..D.. ........t....L......ayyIa......s..w!99.!....Gs[K[............T,.0,,......\|(.....l...P...yyy!a...........w.o.....W.;o?g..+O.....4.,$\.@....<......l......}uuI}.4..@....!99.!..s.w..3{.SGk.......0.D4\.... H.............4...Ye}!e. ..D....c.w......w3.;#.#C.[.THl....(.<,4p,.$.......a..t...8..L..YQQ=Y...w.{o..`.--..S.w3.7+kk .....$..H8@.X,0...y...........x...H...1miMQ.c4....{%9-%%.-c.sO.....'7?..... @\D.....H...................iuUaaUi...MEE%M..gk........?.7wK.....@.\|$d8......$.<................e}}Qe...I]1II.1.W.[.c_.;[s.....g..W..L<l...

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\ISSetup.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	807696
Entropy (8bit):	7.773931629042238
Encrypted:	false
SSDEEP:	12288:DIGz7ovgUHjhKtYCdP2q4/8mnL2YCTdSxZa65jcttUO+UC1nHZc:DIGz8IUDP0OqGL2YCsxZa6RuUO+UCd5c
MD5:	05E267CD74E51EFC3A9422AF3F85F6CD
SHA1:	B369F04872D31DB0D34D96014BB57BD2776AD84B
SHA-256:	0C98534B5A70E6CFA28D22BF71CE0C3F099B8F29BDD08DC39738C7D3179B22D2
SHA-512:	33BCA3B5ADE3C8A6065E470F4AAA4A2019C1B2C3324D84F71C45A5136CC8A8944EC73A1970F45D53569784B5DE624093EB08CA943A4CEBD6BD0237E5DBE50D58
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......l.j.(...(...(......).....1...........c......./.......)...(...4}......=......#....../......S......)......)...(...)......)...Rich(...................PE..L.....yY...........!.....(...*......E.%......P................................%......M..............................8.%.G.....%.......#.0............6........%.....`X..8....................................................k.......................text.....#......"......PEC2MO...... ....rsrc.........#......&.............. ....reloc........%......4..............@...........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\MsiStub\{1F57C7D2-0C2E-406D-90F1-7C57BC934AB8}\SureServo PRO.msi Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	{96BB593B-34E7-4635-BEC7-ABBCC2C5C462}
Category:	dropped
Size (bytes):	5015552
Entropy (8bit):	7.968982080291819
Encrypted:	false
SSDEEP:	98304:gYyGExkMt19Xu6A/9DrrAAiVOJkgdsxMdTVmTyWEnzJ0KI3IleiDgtYu:/23t18//9DrrWVO3sS+GWEzJ0KI3Yeq+
MD5:	4705CFEB3D11C8E8BD63B664D822AF60
SHA1:	FE74B4D8BAF12129263EA0B6B9B0F37528D37DFC
SHA-256:	29AC0E87874DA09500145636EEC4FAEDA41359AC848768F7967422341853037F
SHA-512:	3456E8EE0735873BE13A08A2BF263521E8F31AF24DC5E12791B034ADA7CD710055DB42A5FBB9F4EA2ED63CD8CF7BAE7E609FCB1E0DF5B1F61F0604934A4EBB60
Malicious:	false
Preview:	......................>...................M...............8...................z...............o....................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...........................................................................................................................................^................................................................................................................... ...!..."...#...$...%...&...'...(...)......+...,...-......./...0...1...2...3...4...5...6...7...E...e...:...;...<...=...>...?...@...A...B...C...D...Y...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Z...]...[...\...`..._...d...c...a...b.......f...h.......g...i...n...j...m...........o.......p...y...r...s...t...u...v...w...x...k.......

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201936
Entropy (8bit):	6.693264418797218
Encrypted:	false
SSDEEP:	24576:SGjk6PMUtgtIKIch5+915zApy/MrllllVrGifVOCWCp:Tjk6PMUtgtJphMDw3llllVrGSVs+
MD5:	88340D6E1DE3ED49364A64B3D8796AF6
SHA1:	AB49D8F6556A2F5BA46857FBE82252D1BE3B67BD
SHA-256:	4026CFDBC97F2DF519BA28353057D8BC7CFFA7A4BCCD3F84239E28CEB7B1B50F
SHA-512:	DF1094BA3A47E0E2FE58DB48151FCB78922EF258353F951F7A89C12CA350ADE18F79C912A302EB8F606840A9BB3585F61E62CCF0CCC8127C89B751A80F3DFE67
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^y....s...s...s.....s......s.....s.....s....Z.s..o....s...r...s..o....s...7.s.....s.......s.....s.Rich..s.........................PE..L...d.yY.....................r....................@..................................Z.......................................B.......................:..................8...........................x4..@...............t...H:.. ....................text............................... ..`.rdata..............................@..@.data...$L...p...&...N..............@....rsrc................t..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.ini Download File
Process:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	2424
Entropy (8bit):	3.6681367627408417
Encrypted:	false
SSDEEP:	48:rsAMoOOqqX1M74mcPTmscu/+S8gvn6CJkkY09TzcqYtxkYOvl5ZAMXvrcOyb0pn:rsAM3OGdcrmqrvnp6kY05w7tCYOvlnAM
MD5:	EE5F7E849785DA28D45BFCA84922B060
SHA1:	A417AD5C622C639C768E8861F2F23CE3AEE468AA
SHA-256:	A2F559B772F12833B7873116A4A5FC4BA2ACBA26A0B4A2E4ADB6E4BE61FD6876
SHA-512:	F080B8DA812AD255C689B9FE2A6EDA9908B363BB28AD34CD8BE58D717A8616DD006F601E3CAA7D95B3E251437EE714B43C5E859CA17AE9E8BB0BA4F53EC4FAE7
Malicious:	false
Preview:	..[.S.t.a.r.t.u.p.].....P.r.o.d.u.c.t.=.S.u.r.e.S.e.r.v.o. .P.R.O.....P.r.o.d.u.c.t.G.U.I.D.=.6.2.E.0.5.9.2.E.-.B.1.C.0.-.4.9.9.B.-.8.3.F.6.-.8.2.9.7.8.9.B.D.B.D.5.1.....C.o.m.p.a.n.y.N.a.m.e.=.A.u.t.o.m.a.t.i.o.n. .D.i.r.e.c.t.....C.o.m.p.a.n.y.U.R.L.=.w.w.w...a.u.t.o.m.a.t.i.o.n.d.i.r.e.c.t...c.o.m.....E.r.r.o.r.R.e.p.o.r.t.U.R.L.=.h.t.t.p.:././.w.w.w...i.n.s.t.a.l.l.s.h.i.e.l.d...c.o.m./.i.s.e.t.u.p./.P.r.o.E.r.r.o.r.C.e.n.t.r.a.l...a.s.p.?.E.r.r.o.r.C.o.d.e.=.%.d. .:. .0.x.%.x.&.E.r.r.o.r.I.n.f.o.=.%.s.....M.e.d.i.a.F.o.r.m.a.t.=.1.....L.o.g.M.o.d.e.=.1.....S.m.a.l.l.P.r.o.g.r.e.s.s.=.N.....S.p.l.a.s.h.T.i.m.e.=.....C.h.e.c.k.M.D.5.=.Y.....C.m.d.L.i.n.e.=.....S.h.o.w.P.a.s.s.w.o.r.d.D.i.a.l.o.g.=.N.....S.c.r.i.p.t.D.r.i.v.e.n.=.4.........[.L.a.n.g.u.a.g.e.s.].....D.e.f.a.u.l.t.=.0.x.0.4.0.9.....S.u.p.p.o.r.t.e.d.=.0.x.0.4.0.9.....R.e.q.u.i.r.e.E.x.a.c.t.L.a.n.g.M.a.t.c.h.=.0.x.0.4.0.4.,.0.x.0.8.0.4.....R.T.L.L.a.n.g.s.=.0.x.0.4.0.1.,.0.x.0.4.0.d.........[.0.x.0.4.0.9.].....0.x.0.4.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISB542E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	182008
Entropy (8bit):	5.745001134941054
Encrypted:	false
SSDEEP:	3072:CIFNKUw8ALJ+C2T0FSmmiYQT4nF2E+JYVdeZ2bgA/qrXo:2Un0mT8Sc/T4F1bnxg85
MD5:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
SHA1:	49199A62DE0EDA485B5287BAD469F92AD8EBD407
SHA-256:	4104FDE5404BFB3C5347B8ECDAEC89A2E746B1162DC75186BC79738805818C0A
SHA-512:	1393BD6C06C30DF7414494E5B06242445EB8AFDF5467C6A5E875F2C63506B0B581322B6444C6D8F06B39AA5B04D1C55A631CCF932DC6D5043296DD3ED3CD9FC8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 2%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e.*.!.D.!.D.!.D../..D.D../..(.D../....D.... .D.!.E.[.D......D.....%.D..... .D.!.. .D..... .D.Rich!.D.........................PE..d...6.yY.........."......X...v.................@..........................................`..................................................J..................$...................`t..8...............................p............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data... B...`.......D..............@....pdata..$............`..............@..@.rsrc................v..............@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\cor542B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	65503
Entropy (8bit):	3.783333450686201
Encrypted:	false
SSDEEP:	1536:biZVg/LPnypGccYM3MFe/Xvv+JcvpqLm416lt91FHWEi7I8qQdeVH3+HF2FnlP5r:gW/LPni+3MFe/XycRj4slt9HHWEi7I8M
MD5:	09D38CECA6A012F4CE5B54F03DB9B21A
SHA1:	01FCB72F22205E406FF9A48C5B98D7B7457D7D98
SHA-256:	F6D7BC8CA6550662166F34407968C7D3669613E50E98A4E40BEC1589E74FF5D1
SHA-512:	8C73CA3AF53A9BAF1B9801F87A8FF759DA9B40637A86567C6CC10AB491ACCB446B40C8966807BD06D52EB57384E2D6A4886510DE338019CFD7EF966B45315BA9
Malicious:	false
Preview:	; Corecomp.ini..;..; This file stores information about files that InstallShield..; will install to the Windows\System folder, such as Windows..; 95 and NT 4.0 core components and DAO, ODBC, and ActiveX files...; ..; The entries have the following format, without a space before ..; or after the equal sign:..;..; <file name>=<properties>..; ..; Currently, following properties are supported:..; 0x00000000 No registry entry is created for this file. It is..; not logged for uninstallation, and is therefore ..; never removed...;..; Inappropriate modification to this file can prevent an..; application from getting Windows 95/Windows NT logo...;..; Last Updated: 2/27/2002; rs....[Win32]....12500852.cpx=0x00000000 ..12510866.cpx=0x00000000 ..12520437.cpx=0x00000000..12520850.cpx=0x00000000..12520860.cpx=0x00000000..12520861.cpx=0x00000000 ..12520863.cpx=0x00000000 ..12520865.cpx=0x00000000..6to4svc.dll=0x00000000..82557ndi.dll=0x00000000..8514a.dll=0x000

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	23816
Entropy (8bit):	4.157035386837471
Encrypted:	false
SSDEEP:	192:YEm805ZvWFXfXDuQkC2+Z4nYe+PjPrSBO3SwVEnujexYi:q8SZvWFSQzHOnYPLWhjei
MD5:	A6CBAC7CEF4B03FCB1A9D65A5337B46C
SHA1:	DEC659C2ADEEA0B8E6C40DB8290F5855D652D7F4
SHA-256:	46AD0972344B2C71B560DAEB90075FDC5BD80F5D3AF33F1FD8B4C2D3A09FF978
SHA-512:	E8EBB5150274882E53AE7CC2BA21B01F2A7270D0FF7E979C8163EBB7600A8245D7ADEC5AAABE705EF03B5F16987649B21D6ABEBCB438935919D7403F8B25D05A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yY..................... .......... ...@....... ....................................@....................................K....@..x............@.......`....................................................... ............... ..H............text........ ...................... ..`.rsrc...x....@....... ..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\dot542D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	146
Entropy (8bit):	4.677494553177857
Encrypted:	false
SSDEEP:	3:cTIMOoIRuQVK/FNURAmIRMNHNQAolFNURAmIRMNHjKbo5KWREBAW4QIMOn:8IffVKNC7VNQAofC7V2bopuAW4QIT
MD5:	DB722945AB9C024CE55E469644393824
SHA1:	191782B3B4C7BD21FABB3D5B655B7F2DEC2F4F56
SHA-256:	C7E5BDC4B79F7F8C68C5F09C0C055E97FB8C62FE1B5D469B3527AB6B767C8DF2
SHA-512:	40503C28296CEB68428E327AC79326579C067511638263A477534B8E33341F24E2944077ACCDABB947981980F91604B71B6715A1488181B9C48515AB81271ED8
Malicious:	false
Preview:	<configuration>.. <startup>.. <supportedRuntime version="v2.0.50727"/>.. <supportedRuntime version="v4.0"/>.. </startup>..</configuration>

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\DIF542A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	84
Entropy (8bit):	4.638552692098388
Encrypted:	false
SSDEEP:	3:m1eAsIdWVVVWhs6E2QVVK2Whsyor3Vg2Wn:mdv0am2QVVgQ3Van
MD5:	1EB6253DEE328C2063CA12CF657BE560
SHA1:	46E01BCBB287873CF59C57B616189505D2BB1607
SHA-256:	6BC8B890884278599E4C0CA4095CEFDF0F5394C5796012D169CC0933E03267A1
SHA-512:	7C573896ABC86D899AFBCE720690454C06DBFAFA97B69BC49B8E0DDEC5590CE16F3CC1A30408314DB7C4206AA95F5C684A6587EA2DA033AECC4F70720FC6189E
Malicious:	false
Preview:	[<Properties>]..DIFx32Supported=No..DIFxIntel64Supported=No..DIFxAMD64Supported=No..

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\Fon53FA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	4.175273297885966
Encrypted:	false
SSDEEP:	3:m1eAsCMWRXBQYrD:mdjXIYf
MD5:	8CE28395A49EB4ADA962F828ECA2F130
SHA1:	270730E2969B8B03DB2A08BA93DFE60CBFB36C5F
SHA-256:	A7E91B042CE33490353C00244C0420C383A837E73E6006837A60D3C174102932
SHA-512:	BB712043CDDBE62B5BFDD79796299B0C4DE0883A39F79CD006D3B04A1A2BED74B477DF985F7A89B653E20CB719B94FA255FDAA0819A8C6180C338C01F39B8382
Malicious:	false
Preview:	[<Properties>]..FontRegistration=No..

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\Str542F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3854
Entropy (8bit):	3.6972649326169598
Encrypted:	false
SSDEEP:	96:rsp62ISQHQmyrUeAL3TcnQcKH9tQDrKQNja1jiKWwNLNMuD7NkK/EVG64XzHjP:wKfLjpTdtmeYja1jxW45MsJkKmoP
MD5:	7A3335A87C9357BE6F4B779EF83569C9
SHA1:	8E5800D3031ACD076BD3796A978646A51737978E
SHA-256:	32B99F413297053477458C4458F142074D30622C38D8232A0618A03CD534D0D3
SHA-512:	AFE8B91776C77BEA90676ECA6F576B7BC31BEF8F08D8CFC407CBFF4D108AAE908FD07054BDC3E6B13076D1E2FEAD142BB9F8062426EFD93D55D4A370B34CCA7B
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.9.].....F.O.L.D.E.R._.N.A.M.E.=.S.u.r.e.S.e.r.v.o. .P.R.O.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.O.M.P.L.E.T.E._.D.E.S.C.=.C.o.m.p.l.e.t.e.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M.=.C.u.s.t.o.m.....I.D.P.R.O.P._.S.E.T.U.P.T.Y.P.E._.C.U.S.T.O.M._.D.E.S.C._.P.R.O.=.C.u.s.t.o.m.....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.U.n.k.n.o.w.n. .e.r.r.o.r. .r.e.t.u.r.n.e.d. .f.r.o.m. .N.e.t.A.P.I... .S.y.s.t.e.m. .e.r.r.o.r.:. .[.2.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.p.e.n. .[.P.r.o.d.u.c.t.N.a.m.e.].'.s. .o.r.i.g.i.n.a.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.T.h.i.s. .e.x.e.c.u.t.a.b.l.e. .f.i.l.e. .d.o.e.s. .n.o.t. .a.p.p.e.a.r. .t.o. .b.e. .t.h.e. .o.r.i.g.i.n.a.l. .e.x.e.c.u.t.a.b.l.e. .f.i.l.e. .f.o.r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .W.i.t.h.o.u.t. .u.s.i.n.g. .t.h.e. .o.r.i.g.i.n.a.l. .[.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\_is5463.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1863024
Entropy (8bit):	5.6880358236693995
Encrypted:	false
SSDEEP:	12288:es4d9dfaOdWUIhpJCPtjvntnSb8COevQonCLPub+7iqV:ghrWVhDCPtjvntnSb8COevQonCfrV
MD5:	A05838872C391E729B414D2B15083983
SHA1:	027038259B7C4BFE0066B6F5635E416EFBD84157
SHA-256:	A7C7DB8CE84441DF150EE880E5BDE9C17BC7C85DC87A61B1760738ECEB61AD52
SHA-512:	0B13D56945A381DCFD453E9D21D62B030007D24B89FA6F7EAF75D62CA80F7C7FE1842A44D9DEB25E286AC8FB1FE7C3567666C1E116C96DFD641B56E99262125A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...[.yY...........!.........................................................p...............................................@..(....P..V...........pP.......@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...V....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\def5462.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	RIFF (little-endian) data, palette, version 1028, 0 entries
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	2.551387347019812
Encrypted:	false
SSDEEP:	12:b126a96IlDkYTYcspSuB0MRG763GDwFGrZYOFBz3WI7KEpw3f6QL7nhem:Ax96Il9T3ISMg76KJrZtT2b5X
MD5:	0ABAFE3F69D053494405061DE2629C82
SHA1:	E414B6F1E9EB416B9895012D24110B844F9F56D1
SHA-256:	8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
SHA-512:	63448F2BEF338EA44F3BF9EF35E594EF94B4259F3B2595D77A836E872129B879CEF912E23CF48421BABF1208275E21DA1FABFDC494958BCFCD391C78308EAA27
Malicious:	false
Preview:	RIFF....PAL data..........................................................f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3...............f...3..................f...3...............f..3.....f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3...................f...3..................f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3.....f...f...f...f.f.f.3.f...f...f...f..f.f.f.3.f...f...f...f...f.i.f.3.f...ff..ff..ff..fff.ff3.ff..f3..f3..f3..f3f.f33.f3..f...f...f...f.f.f.3.f...3...3...3...3.f.3.3.3...3...3...3..3.f.3.3.3...3...3...3...3.f.3.3.3...3f..3f..3f..3ff.3f3.3f..33..33..33..33f.333.33..3...3...3...3.f.3.3.3.............f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3.........................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\isr5430.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	432880
Entropy (8bit):	7.972245581674079
Encrypted:	false
SSDEEP:	12288:bQaI0sMvcMcl2xwNKASn+T3BKrJ1qhfcL1B:bK0s6cMcXAAQ+1w1qAn
MD5:	67B3328F3CC34596EC941DDA8574F606
SHA1:	219A67104A18F71C0CCB7B9D73F435D76E44F584
SHA-256:	CB80BFDD8263BB9AFF04BDC7D6BE71AD09800895B616223D8F97048AA0A506F7
SHA-512:	5E81FAC5A4E48353BDD0A60E8882B4B51A79298124D9FE8235940643BF2E4BFB13A881841A69DC479E1658CD42C6772C76A761CC2BE8342122E53460357C5091
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I..{'T.{'T.{'T...T.{'Tr..T.{'T!..T.{'Tr..T.{'Tr..T.{'T...T.{'T...T.{'T.{&Twz'T...T.{'T!..T.{'T!..T.{'T!..T.{'T.{.T.{'T!..T.{'TRich.{'T................PE..L.....yY...........!.....b...6............................................... .......C..................................S...T........................~..................8....................................................=..@....................text............D......PEC2MO...... ....rsrc....@.......4...H.............. ....reloc...............\|..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\lic53F9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1033
Entropy (8bit):	4.4792827760384135
Encrypted:	false
SSDEEP:	24:+y+y5wYN7mHxrvV3ttJZlAWDwz50m/F3MDGuBKN:+y+8wYNmHxrN3t7ZmWDe50mt8FA
MD5:	6093A0F7560DE0D93A0AE3C55EC18571
SHA1:	C0CDC3AC02D454CCD54D3871F4B68DB8E3141CF9
SHA-256:	393D6905E5CCAA672A03E3C35EE2FDD3E662D27C64D22759DEC04ACA2F84B1E8
SHA-512:	F167C407E42912D7F8EE17C6D56940F08BED2286E2A6F240A0CA5AC900967D0A66C9F0C0CDB54508A85DB8F7B3AC24C119C41D38BD309F41D2AD77CDC8A709D5
Malicious:	false
Preview:	The software accompanying this license agreement (SureServo Pro(tm)) is the property of AutomationDirect.com, or its suppliers, and is protected by United States and International Copyright laws and International treaty provisions. ....No ownership rights are granted by this Agreement or possession of the Software. Therefore, you must treat the Licensed Software like any other copyrighted material (e.g., a book or musical recording), except that you may make a single copy for backup or archival purposes. ....Your rights and obligations in its use are described as follows: ....1. You may use and display this software on a SINGLE COMPUTER. ....2. You may make one copy of the software for archival purposes or you may copy the software onto your hard disk and hold the original for archival purposes. ....3. You may not modify or attempt to reverse engineer the software, or make any attempt to change or even examine the source code of the software. ....4. You may transfer

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{62E0592E-B1C0-499B-83F6-829789BDBD51}\set53F8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	259601
Entropy (8bit):	7.387400499116719
Encrypted:	false
SSDEEP:	3072:jAztrbh/sEXeBISOBQmRbXSP8A1ML1S4g4SNeJSfThMdU/L7Frt6Rec3pj3tCNMa:jAz5bl9xSEqNeJqOOxMecFtVkibw
MD5:	A7AEF385AB56FF232696DAB3C7D74C6D
SHA1:	48654BBB0FF5F14CDA79390D8438297440005220
SHA-256:	AB12A8B1F80818796EF14608323C809EB59875DC760BF4C685597952C8EAE545
SHA-512:	CACAB8F2B32CC48D992400D17FB83E7667C03C7922C9D43C1CDE4BFBFC16AB981941788F912C2E3833A259B5CBAA212805EE3FB51C03D5D9D48E27349028543D
Malicious:	false
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a.=mQ.Y]A..M1..)!.)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-...............................]......a..(..H....YQQEY.0.o=55.={.gC[..W.....O.So##` ......,..x8........X......]..H.........5MM.5s..gW.CKgCC.....;..TDh..8P@........8.....p.e..Q...\| h......%]1II.1....S[wSS.[.G.W.o....L.`H ..D.. ........t....L......ayyIa......s..w!99.!....Gs[K[............T,.0,,......\|(.....l...P...yyy!a...........w.o.....W.;o?g..+O.....4.,$\.@....<......l......}uuI}.4..@....!99.!..s.w..3{.SGk.......0.D4\.... H.............4...Ye}!e. ..D....c.w......w3.;#.#C.[.THl....(.<,4p,.$.......a..t...8..L..YQQ=Y...w.{o..`.--..S.w3.7+kk .....$..H8@.X,0...y...........x...H...1miMQ.c4....{%9-%%.-c.sO.....'7?..... @\D.....H...................iuUaaUi...MEE%M..gk........?.7wK.....@.\|$d8......$.<................e}}Qe...I]1II.1.W.[.c_.;[s.....g..W..L<l...

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Def5461.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	RIFF (little-endian) data, palette, version 1028, 0 entries
Category:	dropped
Size (bytes):	1168
Entropy (8bit):	2.551387347019812
Encrypted:	false
SSDEEP:	12:b126a96IlDkYTYcspSuB0MRG763GDwFGrZYOFBz3WI7KEpw3f6QL7nhem:Ax96Il9T3ISMg76KJrZtT2b5X
MD5:	0ABAFE3F69D053494405061DE2629C82
SHA1:	E414B6F1E9EB416B9895012D24110B844F9F56D1
SHA-256:	8075162DB275EB52F5D691B15FC0D970CB007F5BECE33CE5DB509EDF51C1F020
SHA-512:	63448F2BEF338EA44F3BF9EF35E594EF94B4259F3B2595D77A836E872129B879CEF912E23CF48421BABF1208275E21DA1FABFDC494958BCFCD391C78308EAA27
Malicious:	false
Preview:	RIFF....PAL data..........................................................f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3...............f...3..................f...3...............f..3.....f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3...................f...3..................f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3................f...3.....f...f...f...f.f.f.3.f...f...f...f..f.f.f.3.f...f...f...f...f.i.f.3.f...ff..ff..ff..fff.ff3.ff..f3..f3..f3..f3f.f33.f3..f...f...f...f.f.f.3.f...3...3...3...3.f.3.3.3...3...3...3..3.f.3.3.3...3...3...3...3.f.3.3.3...3f..3f..3f..3ff.3f3.3f..33..33..33..33f.333.33..3...3...3...3.f.3.3.3.............f...3..............f...3...................f...3......f...f...f...ff..f3..f...3...3...3...3f..33..3............f...3.........................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Isr5530.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, PECompact2 compressed
Category:	dropped
Size (bytes):	432880
Entropy (8bit):	7.972254690191593
Encrypted:	false
SSDEEP:	12288:eQaI0sMvcMcl2xwNKASn+T3BKrJ1qhfcL1F:eK0s6cMcXAAQ+1w1qAr
MD5:	AD2580D26A6785877D6CF9F6341D016D
SHA1:	BD2E72709F28F29A06000AAEBD13C502ED17F35C
SHA-256:	1ED4BFBEF0555A5791BBF29710DBA6D1AB45741CD5149C6C5E3E2D805142601D
SHA-512:	8A6385ABDC0A00499D972DA8107C3EDBA7CECF6D31A3C6A3D497FCB2756BA7BD2EEB454597C18ECDAA2A52B73F12E1D22B142916D6E598908D1BE28B52637B6B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I..{'T.{'T.{'T...T.{'Tr..T.{'T!..T.{'Tr..T.{'Tr..T.{'T...T.{'T...T.{'T.{&Twz'T...T.{'T!..T.{'T!..T.{'T!..T.{'T.{.T.{'T!..T.{'TRich.{'T................PE..L.....yY...........!.....b...6............................................... .......m..................................S...T........................~..................8....................................................=..@....................text............D......PEC2MO...... ....rsrc....@.......4...H.............. ....reloc...............\|..............@...................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\MMO6B1E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	56576
Entropy (8bit):	4.564991825048028
Encrypted:	false
SSDEEP:	768:KbY9TtgL/031AnweYAXp8XHgKLOznUctiNxNk:aY9TtHMHXul6UcQZk
MD5:	E319496C8AE18C9323195906503295BE
SHA1:	87ACB69AAAF0C2579CB3178016EA3F98A8EAC7D9
SHA-256:	AB57D1D9E08357DC26421B82FBB7C4E3915B5E576434EE0663D75963EF288E25
SHA-512:	26436DBD83526CBA3581FCBAC363FFDF92544CEF269AE6BD6FF852F4E24E06714970CD0C649AB78ED41C764D3A28FBB39B776F7E604CE7D620EF3C499F495157
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........O............12...........H...................u(.....M......Rich............................PE..L...J.yY...........!.....P...p......!........`..................................................................... k..r...$f..P...............................@....................................................`...............................text....B.......P.................. ..`.rdata.......`.......`..............@..@.data...@2...p...0...p..............@....rsrc...............................@..@.reloc..(...........................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Set5500.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	193294
Entropy (8bit):	7.395763852924137
Encrypted:	false
SSDEEP:	3072:j5YQKYcqV9W14Ih0ArHFgTosvd0WGYXa0ZQ62ecPvzXDzWt98pEycwP:j5tfTWfcdq0ZYecP1hco
MD5:	623F4E1640E711CB64FFE4D662190B89
SHA1:	013AFFDD85CE346DACB84B9F73D64C51FF0B9F6B
SHA-256:	41C8EC4BAEAEE9412A164E8B6BD9D08ED28D69101BFFB066913A229F62A447E4
SHA-512:	D93B4B311455A1724BF5E5257119D9417F1D049D6D68DBD28977F8A6432D170956FB336B842D650FC7CE8EFEBA24FAFCDA4963585659D9E294004C2BD38F2988
Malicious:	false
Preview:	t.,....(... <$.M. .=..........l.............o.c...gWSl..SW..WS[//d.d l$.XX%.......................q.y}a.=mQ.Y]A. M1"a%!o)........................................}...m..q]}}aMm.U=].E-M.5.=.%.-.............................A......a..(..H....YQQEY.0.o=55.={.gC[..W.....O.So##` ......,..x8........X......]..H.........5MM.5s..gW.CKgCC.....;..TDh..8P@........8.....p.e..Q...\| h......%]1II.1....S[wSS.[.G.W.o....L.`H ..D.. ........t....L......ayyIa......s..w!99.!....Gs[K[............T,.0,,......\|(.....l...P...yyy!a...........w.o.....W.;o?g..+O.....4.,$\.@....<......l......}uuI}.4..@....!99.!..s.w..3{.SGk.......0.D4\.... H.............4...Ye}!e. ..D....c.w......w3.;#.#C.[.THl....(.<,4p,.$.......a..t...8..L..YQQ=Y...w.{o..`.--..S.w3.7+kk .....$..H8@.X,0...y...........x...H...1miMQ.c4....{%9-%%.-c.sO.....'7?..... @\D.....H...................iuUaaUi...MEE%M..gk........?.7wK.....@.\|$d8......$.<................e}}Qe...I]1II.1.W.[.c_.;[s.....g..W..L<l...

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str55CE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4336
Entropy (8bit):	3.7067941889247735
Encrypted:	false
SSDEEP:	96:rsfGRXOJABay9AIRp+tQDrKQNwNLNMuD7NK/EVGGZFLFrs1FWnDseQrlU72:wuBOOBzmtmeY45MsJKaZxRecseSlUC
MD5:	DC44BD4F445EC0FBFCDE6B81B69341FB
SHA1:	924A596D813D65C3D3D6C16057D8DA5ABF2FBAB4
SHA-256:	0A26A322483AE1A87D9B0CB50AAE05DCC97496066E0665509966A0E40ED78FDD
SHA-512:	529703FA3B856FF8A1ECA48EAD716F78A5CADA948D0BFF0D31126C9A0ED588409F44AF763774EE14360C89BF4AD1F568DDE903FF085F5D8F45C4601F9DB4146D
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.c.0.c.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.U.n.e. .e.r.r.e.u.r. .i.n.c.o.n.n.u.e. .a. ...t... .r.e.n.v.o.y...e. .p.a.r. .N.e.t.A.P.I...E.r.r.e.u.r. .s.y.s.t...m.e...:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.u.v.r.i.r. .l.e. .f.i.c.h.i.e.r. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.e...:. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.C.e. .f.i.c.h.i.e.r. .e.x...c.u.t.a.b.l.e. .n.. e.s.t. .p.a.s. .l.. o.r.i.g.i.n.a.l. .e.x.i.g... .p.a.r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.i. .v.o.u.s. .n.. u.t.i.l.i.s.e.z. .p.a.s...l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.o.u.r. .i.n.s.t.a.l.l.e.r. .l.e.s. .d...p.e.n.d.a.n.c.e.s. .c.o.m.p.l...m.e.n.t.a.i.r.e.s.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5757.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4088
Entropy (8bit):	4.206486866324962
Encrypted:	false
SSDEEP:	96:rsDoJLpzMytQDrKQNwNLNMuD7NK/EVGj+fsFFLFrs1FWnDseQrlU72:wsJLpzMytmeY45MsJKXusFxRecseSlUC
MD5:	B0E5311CE9DB3F68DE549E6D7ADC4767
SHA1:	151C59A13B810070A466EFFF3F4370D2D87DB21C
SHA-256:	BB81906F08B9DF1ABEC43320935266505897E5E41ED2AAD84AC119F714DCA203
SHA-512:	AD84526CECBAA344FA07C7FBD640D041AB77E6C4EE28D26DE5065E7BADD8D714C63866736DB2D5535D9E7635996023BB3D54E2D92BA368ED3A2790EEE81EFB9F
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.c.1.a.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=...5.?.>.7.=.0.B.0. .3.@.5.H.:.0. .2.@.0.[.5.=.0. .>.4. .N.e.t.A.P.I... .!.8.A.B.5.<.A.:.0. .3.@.5.H.:.0.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...B.2.>.@.8.B.5. .[.P.r.o.d.u.c.t.N.a.m.e.]. .>.@.8.3.8.=.0.;. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=...2.0. .8.7.2.@.H.=.0. .4.0.B.>.B.5.:.0. .=.8.X.5. .>.@.8.3.8.=.0.;.=.0. .8.7.2.@.H.=.0. .4.0.B.>.B.5.:.0. .7.0. .[.P.r.o.d.u.c.t.N.a.m.e.]... ...5.7. .:.>.@.8.H.[.5.Z.0. .>.@.8.3.8.=.0.;.0. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .7.0. .8.=.A.B.0.;.0.F.8.X.C. .4.>.4.0.B.=.8.E. .<.5.R.C.7.0.2.8.A.=.>.A.B.8.,. .[.P.r.o.d.u.c.t.N.a.m.e.]. .<.>.6.4.0. .=.5.[.5. .?.@.0.2.8.;.=.>. .@.0.4.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str57C6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4114
Entropy (8bit):	3.6816229115047094
Encrypted:	false
SSDEEP:	96:rsNxLWZkPRmH+tQDrKQNwNLNMuD7NK/EVG+EFLFrs1FWnDseQrlU72:wXPtmeY45MsJK5xRecseSlUC
MD5:	5EB4E4FE0C7C8D6B332DD02D7215DE76
SHA1:	110B934D6953FFF5EA26709A4CF4DE79D75CDD82
SHA-256:	D8ADBA9B80D06B53ABA45D7B70FA8B9746D055EE346EAB30361843741D600B9D
SHA-512:	8EA24252FE85D86DFDDDC1A3DA3E3696D0A71585D7231BF45ACD473605A758BE4DDCCE22DE853A40EF31772F1002859EDF54BAECF7BF46735DD3346737A2956B
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.a.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.S.e. .h.a. .r.e.c.i.b.i.d.o. .u.n. .e.r.r.o.r. .d.e.s.c.o.n.o.c.i.d.o. .d.e. .N.e.t.A.P.I... .E.r.r.o.r. .d.e.l. .s.i.s.t.e.m.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.A.b.r.i.r. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.e. .[.P.r.o.d.u.c.t.N.a.m.e.]. .....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.E.s.t.e. .a.r.c.h.i.v.o. .e.j.e.c.u.t.a.b.l.e. .n.o. .p.a.r.e.c.e. .s.e.r. .e.l. .a.r.c.h.i.v.o. .e.j.e.c.u.t.a.b.l.e. .o.r.i.g.i.n.a.l. .d.e. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.i. .n.o. .s.e. .u.t.i.l.i.z.a. .e.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.a.r.a. .i.n.s.t.a.l.a.r. .l.a.s. .d.e.p.e.n.d.e.n.c.i.a.s. .a.d.i.c.i.o.n.a.l.e.s.,. .

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5826.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4050
Entropy (8bit):	3.7085218919932363
Encrypted:	false
SSDEEP:	96:rsIwirf8tQDrKQNwNLNMuD7NK/EVGIFLFrs1FWnDseQrlU72:wIbrf8tmeY45MsJK0xRecseSlUC
MD5:	13F0A201CC47A57F915C49326741E5FA
SHA1:	A78D2B6062343F469E6F4FB544FAE54166079692
SHA-256:	A3E67EDB4A26F6E6326190DC115598AA594BF1FE34737E43AB65AD505ABD3931
SHA-512:	708C7414FC91D16626EE45ADE6BD52F630920381C59F0EE67C36F18E11F150E7C18D3C46B0C62E1F0E14B96D04C3D6998AE1996B68DA3DCCE6917129AAAB269D
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.b.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .p.a.l.a.u.t.t.i. .t.u.n.t.e.m.a.t.t.o.m.a.n. .v.i.r.h.e.e.n... .J...r.j.e.s.t.e.l.m...v.i.r.h.e.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.A.v.a.a. .t.u.o.t.t.e.e.n. .[.P.r.o.d.u.c.t.N.a.m.e.]. .a.l.k.u.p.e.r...i.n.e.n. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.T...m... .t.i.e.d.o.s.t.o. .e.i. .n...y.t... .o.l.e.v.a.n. .t.u.o.t.t.e.e.n. .[.P.r.o.d.u.c.t.N.a.m.e.]. .a.l.k.u.p.e.r...i.n.e.n. .s.u.o.r.i.t.u.s.t.i.e.d.o.s.t.o... .J.o.s. .a.l.k.u.p.e.r...i.s.t... .t.i.e.d.o.s.t.o.a. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .e.i. .k...y.t.e.t... .l.i.s...r.i.i.p.p.u.v.u.u.k.s.i.e.n. .a.s.e.n.t.a.m.i.s.e.e.n.,. .[.P.r.o.d.u.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5895.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4284
Entropy (8bit):	3.7127159133841943
Encrypted:	false
SSDEEP:	96:rs9QuRXEJABayGVIRC7tQDrKQNwNLNMuD7NK/EVGfUFLFrs1FWnDseQrlU72:w9VBEOBzGtmeY45MsJKQxRecseSlUC
MD5:	49B60BC07EF4BB0349AB0E230A33EF0F
SHA1:	29682B4B4BBD569AF3259BA9E5ADF8CBE2A8421A
SHA-256:	AC9AA7CAD76A8C62C955225C216105DB89BF5070681A67E1C533F30EBBB99E8F
SHA-512:	8FF0BCD3168414F90B2B343FCCFA5CEB6C9E0BDDCC5E2559D8FCD3EF7F075690ADC4606C85A2BEBFCCD1DCD23263D6E38396DA3D0F9C9665D88018A6CE41A4CC
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.c.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.U.n.e. .e.r.r.e.u.r. .i.n.c.o.n.n.u.e. .a. ...t... .r.e.n.v.o.y...e. .p.a.r. .N.e.t.A.P.I... .E.r.r.e.u.r. .s.y.s.t...m.e...:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.u.v.r.i.r. .l.e. .f.i.c.h.i.e.r. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.e...:. .[.P.r.o.d.u.c.t.N.a.m.e.].......I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.C.e.t. .e.x.e. .n.. e.s.t. .p.a.s. .l.. o.r.i.g.i.n.a.l. .e.x.i.g... .p.a.r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.i. .v.o.u.s. .n.. u.t.i.l.i.s.e.z. .p.a.s...l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.o.u.r. .i.n.s.t.a.l.l.e.r. .l.e.s. .d...p.e.n.d.a.n.c.e.s. .c.o.m.p.l...m.e.n.t.a.i.r.e.s.,. .[.P.r.o.d.u.c.t.N.a.m.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str58F5.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3966
Entropy (8bit):	3.782323551356388
Encrypted:	false
SSDEEP:	96:rsGkNUxaRz+ZhtQDrKQNwNLNMuD7NK/EVG3FLFrs1FWnDseQrlU72:wGkNyaRz+ZhtmeY45MsJK7xRecseSlUC
MD5:	9FEBCB92E2796E3DB643A98CD6A8048F
SHA1:	91A8AD2D11594DC64FA5F79473CBE7E56418E0EF
SHA-256:	6C365B18AA0936AF8CAD22CB59574728A84C406FCC272E15597C5AD4DD786365
SHA-512:	3B3F25C2E49136739EB27F6E172D7D006D2B36F542E4C45DA8DF2BE1B806A422066A03293AABD44D5F5CB9A01803DC1186330AD4AEEBCE249947E91A70BF81A2
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.e.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.I.s.m.e.r.e.t.l.e.n. .h.i.b.a. .a. .N.e.t.A.P.I.-.r...l... .R.e.n.d.s.z.e.r.h.i.b.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.[.P.r.o.d.u.c.t.N.a.m.e.].e.r.e.d.e.t.i.j...n.e.k. .m.e.g.n.y.i.t...s.a. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.E.z. .a. .v...g.r.e.h.a.j.t.h.a.t... .f...j.l. .n.e.m. .t.q.n.i.k. .a.(.z.). .[.P.r.o.d.u.c.t.N.a.m.e.]. .e.r.e.d.e.t.i. .v...g.r.e.h.a.j.t.h.a.t... .f...j.l.j...n.a.k... .H.a. .n.e.m. .t.e.l.e.p...t.i. .a. .t.o.v...b.b.i. .f...g.g.Q.s...g.e.k.e.t. .a.z. .e.r.e.d.e.t.i. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .h.a.s.z.n...l.a.t...v.a.l.,. .a.(.z.). .[.P.r.o.d.u.c.t.N.a.m.e.]. .e.s.e.t.l.e.g. .

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5993.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4144
Entropy (8bit):	3.737287689507876
Encrypted:	false
SSDEEP:	96:rsetyRnR5tNtQDrKQNwNLNMuD7NK/EVGYj46FLFrs1FWnDseQrlU72:wJppNtmeY45MsJKk86xRecseSlUC
MD5:	610E8CBF4583A43517CD4A454633EA14
SHA1:	F078248D8C2C2E0B5B30466886F1712C4ACC7EC3
SHA-256:	87E995BD1EDF944B94E9965165D3E771098300980C5611B0E074F5F872DAA132
SHA-512:	5C6376125F9BC524508D3BC94979AFE29F3FFE97A38AF45772C901D340808FF083C26D7A5907CEEE3050D7B776C3C7D00FFD512D3CEFCAF438B245F95FFA585C
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.a.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .j.a.v.l.j.a. .n.e.p.o.z.n.a.t.u. .g.r.e.a.k.u... .G.r.e.a.k.a. .s.u.s.t.a.v.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.o.t.v.a.r.a. .o.r.i.g.i.n.a.l.n.u. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .d.a.t.o.t.e.k.u. .z.a. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.O.v.a. .d.a.t.o.t.e.k.a. .n.i.j.e. .o.r.i.g.i.n.a.l.n.a. .i.z.v.r.a.n.a. .d.a.t.o.t.e.k.a. .z.a. .[.P.r.o.d.u.c.t.N.a.m.e.]... .B.e.z. .u.p.o.t.r.e.b.e. .o.r.i.g.i.n.a.l.n.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .d.a.t.o.t.e.k.e. .z.a. .i.n.s.t.a.l.a.c.i.j.u. .d.o.d.a.t.n.i.h. .k.o.m.p.o.n.e.n.t.i.,. .[.P.r.o.d.u.c.t.N.a.m.e.]. .m.o.~.d.a. .n.e...e. .i.s.p.r.a.v.n.o. .

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str59F3.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4208
Entropy (8bit):	3.785870569518222
Encrypted:	false
SSDEEP:	96:rs7g7GdktQDrKQNwNLNMuD7NK/EVG49FLFrs1FW6DseQrlU72:w7GtmeY45MsJKYxRedseSlUC
MD5:	BD9F3AC351222469ED8737D18DC8BE9E
SHA1:	3D8C753C4205A9EBB94DEBE85790F551CDA2F58F
SHA-256:	DDB2AE8E37DDBDEB975A81FC2A2530128394ED7B575326DA333D3DD1A86951E8
SHA-512:	4D2108CB733C313CA718C4C9F306A7A215A0004F940E991592895B2699BE16124C88319C53161A416F5687F4977E3CBB12B50E1E6111C0F75E278CE28DE12515
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.b.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.Z. .N.e.t.A.P.I. .s.a. .v.r...t.i.l.a. .n.e.z.n...m.a. .c.h.y.b.a... .S.y.s.t...m.o.v... .c.h.y.b.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.t.v.o.r.i.e. .p...v.o.d.n... .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.Z.d... .s.a.,. .~.e. .t.e.n.t.o. .s.p.u.s.t.i.t.e.>.n... .s...b.o.r. .n.i.e. .j.e. .s.p.u.s.t.i.t.e.>.n...m. .s...b.o.r.o.m. .p.r.e. .[.P.r.o.d.u.c.t.N.a.m.e.]... .B.e.z. .p.o.u.~.i.t.i.a. .p...v.o.d.n...h.o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .p.r.e. .i.n.a.t.a.l...c.i.u. .d.o.d.a.t.o...n...c.h. .p.r...d.a.v.k.o.v.,. .n.e.m.u.s... .[.P.r.o.d.u.c.t.N.a.m.e.]. .f.u.n.g.o.v.a.e. .s.p.r...

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5B8B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4224
Entropy (8bit):	3.6902536137170823
Encrypted:	false
SSDEEP:	96:rsTYmGdUHkl8skHHFHiKFHFtQDrKQNwNLNMuD7NK/EVGDMFLFrs1FWnDseQrlU72:wTLkl16HtiKtFtmeY45MsJK3MxRecsei
MD5:	D7CE1D1C15336CA221C3582B75B612E8
SHA1:	169A027F3FD01E4791176D5DDE9CB82467026B35
SHA-256:	CE46FD9F9A892311F1A088B351B12299DCED570E6D29B60BA289129E049D4265
SHA-512:	B6DA4AC4C21D397B9D2682C8C59FFF48CE9332135CFBA875486747020598AEADD2F5F398649B5207CB564637A1F6AF06F7DBF688A6CBE948ECC255CF6B954481
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.d.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.E.t.t. .o.k...n.t. .f.e.l. .r.e.t.u.r.n.e.r.a.d.e.s. .f.r...n. .N.e.t.A.P.I... .S.y.s.t.e.m.f.e.l.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...p.p.n.a. .d.e.n. .u.r.s.p.r.u.n.g.l.i.g.a. .v.e.r.s.i.o.n.e.n. .a.v. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .f...r. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D.e.n. .h...r. .k...r.b.a.r.a. .f.i.l.e.n. .v.e.r.k.a.r. .i.n.t.e. .v.a.r.a. .d.e.n. .u.r.s.p.r.u.n.g.l.i.g.a. .k...r.b.a.r.a. .f.i.l.e.n. .f...r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .O.m. .d.u. .i.n.t.e. .a.n.v...n.d.e.r. .d.e.n. .u.r.s.p.r.u.n.g.l.i.g.a. .v.e.r.s.i.o.n.e.n. .a.v. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .f...r. .a.t.t. .i.n.s.t.a.l.l.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5C1A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4084
Entropy (8bit):	4.354359322633157
Encrypted:	false
SSDEEP:	96:rsM/X0Uo/EtQDrKQNwNLNMuD7NK/EVGY1FLFrs1FWnDseQrlU72:wM/kUaEtmeY45MsJK+xRecseSlUC
MD5:	4B75B170BD6D4A8BC9A00C24F1E69370
SHA1:	F8A437C31F4BD8773BE70AC1F0C4F74E14182D0D
SHA-256:	88E3C5A90EF88A9E56CBAD049E1C301BB0591CBF110D1E72E2FF2A22AEB30826
SHA-512:	B8397DA1296531B50F3473A5861706ECB2F032E74610A28D2BD5E4702D8DF2E8CC79FEB9D37B50D7FC60FED61B265460F8C0BB3C6E1A2E42851F9C65E10116F4
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.e.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.!.5...I.-...4.....%.2.....5.H.D.!.H...2.....4.....9....H.....%.1.....2... .N.e.t.A.P.I. ...I.-...4.....%.2...#.0.....:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.C.+.I.@...4... .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ...1.I...@...4.!...-... .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D...%.L.....4...1...4...2.#...5.I...9.@.+.!.7.-...'.H.2.D.!.H.C...H.D...%.L.....4...1...4...2.#...1.I...@...4.!..3.+.#.1... .[.P.r.o.d.u.c.t.N.a.m.e.]. .@.!.7.H.-.D.!.H.C...I. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ...1.I...@...4.!.C.....2.#...4.....1.I....H.'.....#.0...-.....5.H..1.!...1.....L...1...@...4.H.!.@...4.!. .[.P.r.o.d.u.c.t.N.a.m.e.]. .-.2.....3...2.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5C89.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3970
Entropy (8bit):	3.811792594718289
Encrypted:	false
SSDEEP:	96:rsW6WHitQDrKQNwNLNMuD7NK/EVGlxqFLFrs1FWnDseQrlU72:wW6EitmeY45MsJKDqxRecseSlUC
MD5:	9913E3283688E61025D3804C56C451B1
SHA1:	C70C6CBA4DF874D9CE1AA032BB34AA09DFDAC8FE
SHA-256:	2CAD6DCED29395AC2ED56696C03B0B3580ADE1B59AB21CEF8B3583E89347EB67
SHA-512:	C623A43059B06B1755AA20F0131F56AC42975D729F8668C1018FE9F490FC5ACB185D1FD1EC319F6C68AA2EFB30670F90C2CD871719E75275F12CE917A06BBA63
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.f.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I.. d.e.n. .b.i.l.i.n.m.e.y.e.n. .h.a.t.a. .d...n.d...r...l.d..... .S.i.s.t.e.m. .h.a.t.a.s.1.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.[.P.r.o.d.u.c.t.N.a.m.e.]. .i...i.n. ...z.g...n. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .a.......I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.B.u. .y...r...t...l.e.b.i.l.i.r. .d.o.s.y.a.,.[.P.r.o.d.u.c.t.N.a.m.e.]. .i...i.n. ...z.g...n. .y...r...t...l.e.b.i.l.i.r. .d.o.s.y.a. .g.i.b.i. .g...r...n.m...y.o.r... .E.k. .b.a...1.m.l.1.l.1.k.l.a.r.1. .y...k.l.e.m.e.k. .i...i.n. ...z.g...n. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .k.u.l.l.a.n.m.a.d.a.n.,. .[.P.r.o.d.u.c.t.N.a.m.e.]. .d...z.g...n. ...a.l.1._.m.a.y.a.b.i.l.i.r... ...z.g...

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5CE9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4116
Entropy (8bit):	3.7030824451271673
Encrypted:	false
SSDEEP:	96:rsXEPXlr76nxtQDrKQNwNLNMuD7NK/EVG5NFLFrs1FWnDseQrlU72:wXEPXlr76nxtmeY45MsJKPxRecseSlUC
MD5:	15F6DDD3D701DCC9BC3D8D0DC972338E
SHA1:	48D60B3EEFC2841E41983DD46CEB052D67896734
SHA-256:	6BC7FF846AEA9D6F6BA446FEB0B01AD84CC53CD575705EED754389FB6B60BD2F
SHA-512:	B6617E4476940B4EE7DC775CD0DE66043F83509D44C7FC4EA8B46925804B0FC0AF734DD38BCA64FDCF974D64646DBEAE08204CF9EFDB97BAEC32F91880EF26A0
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.2.d.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.E.r.r.o.r.e. .e.z.e.z.a.g.u.n.a. .i.t.z.u.l.i. .d.a. .N.e.t.A.P.I.-.t.i.k... .S.i.s.t.e.m.a.-.e.r.r.o.r.e.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.Z.a.b.a.l.d.u. .[.P.r.o.d.u.c.t.N.a.m.e.].-.r.e.n. .j.a.t.o.r.r.i.z.k.o. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.E.z. .d.i.r.u.d.i. .f.i.t.x.a.t.e.g.i. .e.x.e.k.u.t.a.g.a.r.r.i. .h.a.u. .[.P.r.o.d.u.c.t.N.a.m.e.]. .j.a.t.o.r.r.i.z.k.o. .f.i.t.x.a.t.e.g.i. .e.x.e.k.u.t.a.g.a.r.r.i.a. .d.e.n.i.k... .M.e.n.d.e.k.o.t.a.s.u.n. .o.s.a.g.a.r.r.i.a.k. .i.n.s.t.a.l.a.t.z.e.k.o.,. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .j.a.t.o.r.r.i.z.k.o.a. .e.r.a.b.i.l.i. .e.z.e.a.n.,. .b.a.l.i.t.e.k.e.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5D49.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4066
Entropy (8bit):	4.188023453000621
Encrypted:	false
SSDEEP:	96:rsC+QA1Rky91RkstQDrKQNwNLNMuD7NK/EVGAjnFLFrsIkFWnDseQrlU72:wC+QA1Rky91RkstmeY45MsJKyxRIcsei
MD5:	E249C8AF20C688C103414DB347AC22E2
SHA1:	9428DBC7E2ED5F934B94597A50FF4EE01E11F1AF
SHA-256:	2CC62AEAA5A549DD4EE54D260828007D7C5FF7CD9C8D47C92225DF2501D5ECA0
SHA-512:	3AB9976FF39093DEC6430691E6BF5D0DCB7C2A2F697A0265156F2779DEAFAD2E97734AE10FDDA7F8DA0198863CA4035F50F3AA81BEDB64AA21B68953916E9BE7
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.2.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=...B. .N.e.t.A.P.I. .5. .2.J.@.=.0.B.0. .=.5.8.7.2.5.A.B.=.0. .3.@.5.H.:.0... .!.8.A.B.5.<.=.0. .3.@.5.H.:.0.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...B.2.>.@.5.B.5. .>.@.8.3.8.=.0.;.=.8.O. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .=.0. .[.P.r.o.d.u.c.t.N.a.m.e.]. .....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=...:.0.7.2.0. .A.5.,. .G.5. .B.>.7.8. .8.7.?.J.;.=.O.2.0.I. .D.0.9.;. .=.5. .5. .>.@.8.3.8.=.0.;.=.8.O. .7.0. .[.P.r.o.d.u.c.t.N.a.m.e.]... ...5.7. .?.>.<.>.I.B.0. .=.0. .>.@.8.3.8.=.0.;.=.8.O. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .7.0. .8.=.A.B.0.;.8.@.0.=.5. .=.0. .4.>.?.J.;.=.8.B.5.;.=.8. .7.0.2.8.A.8.<.>.A.B.8. .[.P.r.o.d.u.c.t.N.a.m.e.]. .<.>.6.5. .4.0. .=.5.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str5DE7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4178
Entropy (8bit):	3.69229861554142
Encrypted:	false
SSDEEP:	96:rst8bA3/j3cmZYMdW+tQDrKQNwNLNMuD7NK/EVG2X8AxpFLFrsIkFWnDseQrlU72:wmA3/j3btmeY45MsJKMfxRIcseSlUC
MD5:	E24CAD8451A5F6911B0E31D0E0C9F9EF
SHA1:	9F58E9B57BAC5BC8FFBC16591C2F1133FD0084AA
SHA-256:	33964E48ED968D8EB3B7AAA3FC4A1818DB43AD1469253AC5E7A6F71F9BB8D5BD
SHA-512:	E933B1ABDF24D92072DDD1DA03BE40CACC7241957DB4B260B4A428D60D3262357BD3896599450A3C61B1CF4D1AB0F85C60509797270893266A66472DC84B5D77
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.3.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .h.a. .r.e.t.o.r.n.a.t. .u.n. .e.r.r.o.r. .d.e.s.c.o.n.e.g.u.t... .E.r.r.o.r. .d.e.l. .s.i.s.t.e.m.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.b.r.i.r. .e.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.e. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.A.q.u.e.s.t. .f.i.t.x.e.r. .e.x.e.c.u.t.a.b.l.e. .n.o. .s.e.m.b.l.a. .s.e.r. .e.l. .f.i.t.x.e.r. .e.x.e.c.u.t.a.b.l.e. .o.r.i.g.i.n.a.l. .p.e.r. .a. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.i. .n.o. .e.s. .f.a. .s.e.r.v.i.r. .e.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.e.r. .i.n.s.t.a.l...l.a.r. .l.e.s. .d.e.p.e.n.d...n.c.i.e.s. .a.d.d.i.c.i.o.n.a.l.s.,.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str61D1.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3418
Entropy (8bit):	4.169474695508292
Encrypted:	false
SSDEEP:	96:rsoNigLsAs3tQDrKQNwNLNMuD7NK/EVGAFLFrsIkFWnDseQrlU72:woNdLsAs3tmeY45MsJK8xRIcseSlUC
MD5:	238F3F00D54860840F513F485F9779AB
SHA1:	FC1CDBF3DBBABAA98653F47D31A78F9666404BBC
SHA-256:	A920114F4BE44709D686A71C4020638F24662EC50FD847990B02356C29DF1E35
SHA-512:	1297AD815E3FBE023EBF5F25F6D45D3FB9007D9CED2B19E8F0D8F6B3AE5D9D00C533C9B797DB89B958F2E5AC9997E5CDE87E327B10A70F3B2E15FBC14C8DAC74
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.4.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. ..P.V.N.P/......S.V.N.f.0 ..\|q}/...U. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=..._U .[.P.r.o.d.u.c.t.N.a.m.e.]. ..S.O.v .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.dk.WL..j}Y.P.N/f .[.P.r.o.d.u.c.t.N.a.m.e.]. ..S.O.v.WL..j.0 ...N(u.S.O.v .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..[.vQ.N.v.....[.P.r.o.d.u.c.t.N.a.m.e.]. ..S...g.Q.sOUL..0 ./f&T.\~b.S.O.v .[.S.E.T.U.P.E.X.E.N.A.M.E.].......I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.S.E.A.R.C.H.=.,g!k.[..S.......O(uvQ.N.v....0 ..l.g...N.v.....[.P.r.o.d.u.c.t.N.a.m.e.]. ..S...g.Q.sOUL..0 ./f&T.\~b.S.O.v .[.S.E.T.U.P.E.X.E.N.A.M.E.].......I.D.S._.P.R.O.G.M.S.G.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str626F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4002
Entropy (8bit):	3.789808526965293
Encrypted:	false
SSDEEP:	96:rsC0FXh4n4tQDrKQNwNLNMuD7NK/EVG2HVFLFrsIkFWnDseQrlU72:w1Qn4tmeY45MsJKUxRIcseSlUC
MD5:	92ED43C2549B222BCD1FA7173458C264
SHA1:	7C82E9DA06A608A40DAB266B7CA0C06F7D4452E6
SHA-256:	05A5FA308678F8E86E519B3D99E3D6A07A210D608587B3448468308958C8C8AE
SHA-512:	33D22C5DFAA70D73D70E845E3AB5EF66ADC83958C9D6C713E78C9BFEC4577A84583BC1D53819FE7271A990E27768124DC904CBDA6D641216FD808DD64CACAB79
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.5.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.R.o.z.h.r.a.n... .N.e.t.A.P.I. .v.r...t.i.l.o. .n.e.z.n...m.o.u. .c.h.y.b.u... .S.y.s.t...m.o.v... .c.h.y.b.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.t.e.v.Y...t. .p.o.v.o.d.n... .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .p.r.o.d.u.k.t.u. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.T.e.n.t.o. .s.p.u.s.t.i.t.e.l.n... .s.o.u.b.o.r. .s.e. .n.e.j.e.v... .j.a.k.o. .p.o.v.o.d.n... .s.p.u.s.t.i.t.e.l.n... .s.o.u.b.o.r. .p.r.o.d.u.k.t.u. .[.P.r.o.d.u.c.t.N.a.m.e.]... .B.e.z. .p.o.u.~.i.t... .p.o.v.o.d.n...h.o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .k...i.n.s.t.a.l.a.c.i. .d.a.l.a...c.h. .z...v.i.s.l.o.s.t... .n.e.m.u.s... .[.P.r.o.d.u.c.t.N.a.m.e.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str62FE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4078
Entropy (8bit):	3.693427637312151
Encrypted:	false
SSDEEP:	96:rs4+G3TINFd/5FrtQDrKQNwNLNMuD7NK/EVGEFLFrsIkFWnDseQrlU72:wIM5rtmeY45MsJKoxRIcseSlUC
MD5:	B55E97DF4BC6CF5A58E6358FCC17174C
SHA1:	4BE6387473039A0D6185CEE6C833EAE883FC56B3
SHA-256:	905A175B585C6129B4A4318C51BC9799FE7E36307C920DBEE5C2940D5EDE363C
SHA-512:	39CA41DED43D7BF49FEA84943F0F8E10F462AF2F71445401731E87E3D33DC5AD0EF97760B8649C9947E6EDC75EDCF88E801172B61FCEF0A4353C6FD6B212149C
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.6.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.U.k.e.n.d.t. .f.e.j.l. .r.e.t.u.r.n.e.r.e.t. .f.r.a. .N.e.t.A.P.I... .S.y.s.t.e.m.f.e.j.l.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...b.n. .[.P.r.o.d.u.c.t.N.a.m.e.].s. .o.r.i.g.i.n.a.l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D.e.n.n.e. .e.k.s.e.k.v.e.r.b.a.r.e. .f.i.l. .s.e.r. .i.k.k.e. .u.d. .t.i.l. .a.t. .v...r.e. .d.e.n. .o.r.i.g.i.n.a.l.e. .e.k.s.e.k.v.e.r.b.a.r.e. .f.i.l. .t.i.l. .[.P.r.o.d.u.c.t.N.a.m.e.]... .H.v.i.s. .d.e.n. .o.r.i.g.i.n.a.l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .i.k.k.e. .b.r.u.g.e.s. .t.i.l. .a.t. .i.n.s.t.a.l.l.e.r.e. .y.d.e.r.l.i.g.e.r.e. .a.f.h...n.g.i.g.h.e.d.e.r.,. .v.i.l. .[.P.r.o.d.u.c.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str636D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4716
Entropy (8bit):	3.719544510550221
Encrypted:	false
SSDEEP:	96:rs0/zz+XzU8tQDrKQNwNLNMuD7NK/EVGzIBP/s8FLFrsIkFWnDseQrlU72:w0H+XTtmeY45MsJK/IBPnxRIcseSlUC
MD5:	9907D0B6FEAD612C422EE16E058624D0
SHA1:	7D0EF7DB3DD310AE5DB589D5DAF7A741DA269470
SHA-256:	236807D734A07ADE78940742DFE6D4F30B108D39BC119ADD685DC551A9D21B3D
SHA-512:	933818568C16E7359289A0C1F55BB2AC378EFC29B39A38188FEA2C4AF0E711B8445659DAB6A0D4DDA90C3899F4F461F66726ABA49C356D0CD7062C153CAAC1CC
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.7.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .h.a.t. .e.i.n.e.n. .u.n.b.e.k.a.n.n.t.e.n. .F.e.h.l.e.r. .z.u.r...c.k.g.e.g.e.b.e.n... .S.y.s.t.e.m.f.e.h.l.e.r.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.r.i.g.i.n.a.l.d.a.t.e.i. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .v.o.n. .[.P.r.o.d.u.c.t.N.a.m.e.]. ...f.f.n.e.n.....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D.i.e.s.e. .a.u.s.f...h.r.b.a.r.e. .D.a.t.e.i. .i.s.t. .o.f.f.e.n.b.a.r. .n.i.c.h.t. .d.i.e. .a.u.s.f...h.r.b.a.r.e. .O.r.i.g.i.n.a.l.d.a.t.e.i. .f...r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .W.e.n.n. .z.u.s...t.z.l.i.c.h.e. .A.b.h...n.g.i.g.k.e.i.t.e.n. .n.i.c.h.t. .m.i.t.h.i.l.f.e. .d.e.r. .O.r.i.g.i.n.a.l.d.a.t.e.i. .[.S.E.T.U.P.E.X.E.N.A.M.E.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str63FC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4136
Entropy (8bit):	4.3186474621982365
Encrypted:	false
SSDEEP:	96:rs8d9AWOMprEtQDrKQNwNLNMuD7NK/EVGEhgWFLFrsIkFWnDseQrlU72:wYA6rEtmeY45MsJK4vxRIcseSlUC
MD5:	E08B34A09F134746811B216923BC461C
SHA1:	6DA2D5E79D416C7F869A80315B61F939BC2FE0CC
SHA-256:	8195CBE20C627D18F5E3942D0F29387F5ED5C38622E47DCC8AEBEA681F1ED957
SHA-512:	29D2896EB948097A48DC37015F36A3A30BC95AF265FDAAE9AD2521E3830E9548BC06C8A3168535D5633717C3F7A6215207AEC1B7BFE3324B5C09566769A283EA
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.8.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=............... ............. ....... ..... .N.e.t.A.P.I... ............. .....................:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=............... ............... .[.P.r.o.d.u.c.t.N.a.m.e.].[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=......... ..... ..................... ............. ....... ................. ..... ........... ..... ............. ..................... ............. ....... ..... .[.P.r.o.d.u.c.t.N.a.m.e.]... ........... ..... ........... ....... ............... .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ....... ....... ....................... ................... .....................,. ..... .[.P.r.o.d.u.c.t.N.a.m.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str646B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4868
Entropy (8bit):	3.7114248634864744
Encrypted:	false
SSDEEP:	96:rs+yrUeAL3TcnQcKH9tQDrKQNwNLNMuD7NK/EVGzIBP/s6gFLFrs1FWnDseQrlUC:wsfLjpTdtmeY45MsJK/IBPpgxRecseSH
MD5:	9D8B071E65631600CB38B2BA79B5500C
SHA1:	F5DD23DBE257C59CD4F4980111AC5F55FEE16EB1
SHA-256:	7DD513653C65DBD891DCE0D9055B1EA47A6BCFD9A4FBE7AB7FB7655FCC1317C1
SHA-512:	969CB16A7045776C36F610E548BCBBDB1C30D2685F11BCB1CBA3E668D7D6587C451461FC795A2F7725A514A066E6A855003BAE27C7E18B16DB64C5013B551597
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.0.9.].....I.D.S._.E.R.R.O.R._.1.2.8.=.T.h.e. .W.i.n.d.o.w.s. .I.n.s.t.a.l.l.e.r. .s.e.r.v.i.c.e. .c.a.n.n.o.t. .u.p.d.a.t.e. .o.n.e. .o.r. .m.o.r.e. .p.r.o.t.e.c.t.e.d. .W.i.n.d.o.w.s. .f.i.l.e.s... .S.F.P. .E.r.r.o.r.:. .[.2.]... .L.i.s.t. .o.f. .p.r.o.t.e.c.t.e.d. .f.i.l.e.s.:. .[.3.].....I.D.S._.E.R.R.O.R._.1.2.9.=.U.s.e.r. .i.n.s.t.a.l.l.a.t.i.o.n.s. .a.r.e. .d.i.s.a.b.l.e.d. .v.i.a. .p.o.l.i.c.y. .o.n. .t.h.e. .m.a.c.h.i.n.e.......I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.U.n.k.n.o.w.n. .e.r.r.o.r. .r.e.t.u.r.n.e.d. .f.r.o.m. .N.e.t.A.P.I... .S.y.s.t.e.m. .e.r.r.o.r.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.p.e.n. .[.P.r.o.d.u.c.t.N.a.m.e.].'.s. .o.r.i.g.i.n.a.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str64CB.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4230
Entropy (8bit):	3.6763122905328247
Encrypted:	false
SSDEEP:	96:rsd3MeOitQDrKQNwNLNMuD7NK/EVGo1AFnZFLFrs1FWnDseQrlU72:wdceVtmeY45MsJKD1ZxRecseSlUC
MD5:	1BAD0A57D67D1F217EA2C07D5C6D39E1
SHA1:	BC25266746CC79C93AF7001AE0AAEA02DEAF3515
SHA-256:	2F09E90F440931737AC030D24FA8D0EED3A803074B83F8C20BC59A3A6FDBAB37
SHA-512:	970AAB1840DE73EF703F1A3C01646259428B7B6D8A5CB63CBB4CA6D88F6C8DFFABD02D6E0B4FACC378AC5563920669877926CC7A0A2B7DCA9ACF673D68ABDF43
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.0.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .h.a. .r.e.s.t.i.t.u.i.t.o. .u.n. .e.r.r.o.r.e. .s.c.o.n.o.s.c.i.u.t.o... .E.r.r.o.r.e. .d.i. .s.i.s.t.e.m.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.A.p.r.i.r.e. .i.l. .f.i.l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l.e. .d.i. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.Q.u.e.s.t.o. .n.o.n. .s.e.m.b.r.a. .e.s.s.e.r.e. .i.l. .f.i.l.e. .e.s.e.g.u.i.b.i.l.e. .o.r.i.g.i.n.a.l.e. .d.i. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.e. .n.o.n. .s.i. .u.s.a. .l.a. .v.e.r.s.i.o.n.e. .o.r.i.g.i.n.a.l.e. .d.i. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .p.e.r. .i.n.s.t.a.l.l.a.r.e. .l.e. .d.i.p.e.n.d.e.n.z.e. .a.g.g.i.u.n.t.i.v.e.,. .[.P.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str652B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3996
Entropy (8bit):	4.205781947317776
Encrypted:	false
SSDEEP:	96:rsZBatQDrKQNwNLNMuD7NK/EVGzIBP/s+FLFrs1FWnDseQrlU72:wratmeY45MsJK/IBP5xRecseSlUC
MD5:	9D5F4B531FD698C68DFE9CB1690EB081
SHA1:	02CBF48ADC016DC97CDB35D8AFB151B903EBF9DC
SHA-256:	76379950A4C30BCE217F7E285077E5599C294E7F09AA6F6A0C7D6CD706DD4053
SHA-512:	0E56F4A5D4CFA184E2002EF3F0D0B118DE5BF7A97C5F86821C3731FA24AE31BEECF4CBC5B2F36CD9B71DEB635BF69613AD64804E152021F8B31D25B7803724F5
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.1.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .K0.0.N.fj0.0.0.0L0.U0.0~0W0_0.0 ..0.0.0.0 ..0.0.0:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.[.P.r.o.d.u.c.t.N.a.m.e.]. .n0CQn0 .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..0..O0....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.S0n0.[L..S...0.0.0.0o0.0[.P.r.o.d.u.c.t.N.a.m.e.]. .n0CQn0.[L..S...0.0.0.0g0o0j0D0.0F0g0Y0.0 .CQn0 .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..0.O(u[0Z0k0...Rn0.OX[...O.0.0.0.0.0.0.0Y0.0h0.0[.P.r.o.d.u.c.t.N.a.m.e.]. .L0i..Rk0.R\OW0j0D0.S..'`L0B0.0~0Y0.0 .CQn0 .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..0.i"}W0~0Y0K0?.....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.S.E.A.R.C.H.=.S0n0.0.0.0.0.0.0o0.0...Rn0.OX[...O.0._..h0Y0.0.S..'`L0B0.0~0Y0.0 ..OX[...Oj0

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str65C9.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3618
Entropy (8bit):	4.277404242152466
Encrypted:	false
SSDEEP:	96:rs9/Mnr8Nz0tQDrKQNwNLNMuD7NK/EVGDFLFrs1FWnDseQrlU72:w9/MnrNtmeY45MsJKfxRecseSlUC
MD5:	7AE0E03B82A1CB6F2500B2E2CD59A486
SHA1:	E2E3334CF2FF7E7FBC22AFC62A10A3A9FACECFDB
SHA-256:	446EC42E3842AAC9CEAB953FF46A208B492451646097B746C33134874EEBE5FB
SHA-512:	B3F2720EB9D59F0391192B945DBA71A41BF625BA5B480CBE9BB36545795E1BE171E1D611E35FDC078690F8054375FE17D248B99BE06EA8933B09AFFDB056BD92
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.2.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I.\...0. .L. ... .... .$.X... ...X.......... ....\. .$.X.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.[.P.r.o.d.u.c.t.N.a.m.e.].X. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..... ...0.....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.t. .... ...\|.@. .[.P.r.o.d.u.c.t.N.a.m.e.].X. ..... .... ...\|.t. .D...... .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .....D. .....X... .J.. ..... .... .m..D. .$.X.X.t. .[.P.r.o.d.u.c.t.N.a.m.e.].t.(...). .....\. ....X... .J.D. ... ........ .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .....D. .>.<.......L.?.....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.S.E.A.R.C.H.=.t. .$.X.\|. ...t. ..... .... .m..t. .D..`. ... ........ ....\. ...

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6667.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4174
Entropy (8bit):	3.690995189213825
Encrypted:	false
SSDEEP:	96:rsCy244ZOx1GOYtQDrKQNwNLNMuD7NK/EVGWFLFrs1FWnDseQrlU72:w+HtmeY45MsJK6xRecseSlUC
MD5:	FA85564A755F5D03455FFB6FD9243C56
SHA1:	33A9A3D215D58E5284DE6F5CCAE646E69438D614
SHA-256:	5C3EE71A61110C293061B6C2C3A42BE8669675674B72BA7F25E36934AD85CAA2
SHA-512:	8A2767B14F2CCE4ED65FB65C55410BE998742842670AF9CDEBC2D9218DCFDACD90729EE636AEBDBB141E6C191EDB3001161EB7FCCF879653E9BAB8FA67B0CBB8
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.3.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.O.n.b.e.k.e.n.d.e. .f.o.u.t. .g.e.r.e.t.o.u.r.n.e.e.r.d. .v.a.n. .N.e.t.A.P.I... .S.y.s.t.e.e.m.f.o.u.t.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.r.i.g.i.n.e.l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .v.a.n. .[.P.r.o.d.u.c.t.N.a.m.e.]. .o.p.e.n.e.n. .....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D.i.t. .u.i.t.v.o.e.r.i.n.g.s.b.e.s.t.a.n.d. .i.s. .s.c.h.i.j.n.b.a.a.r. .n.i.e.t. .h.e.t. .o.r.i.g.i.n.e.l.e. .u.i.t.v.o.e.r.i.n.g.s.b.e.s.t.a.n.d. .v.o.o.r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .Z.o.n.d.e.r. .g.e.b.r.u.i.k. .v.a.n. .d.e. .o.r.i.g.i.n.e.l.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .v.o.o.r. .h.e.t. .i.n.s.t.a.l.l.e.r.e.n. .v.a.n. .d.e. .e.x.t.r.a. .a.f.h.a.n.k.e.l.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str66C7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4122
Entropy (8bit):	3.690315951986377
Encrypted:	false
SSDEEP:	96:rsU0mxCEJ0ikSvLJ0i/Ym5tQDrKQNwNLNMuD7NK/EVGfUFLFrs1FWnDseQrlU72:wXmwjNSvO6Ym5tmeY45MsJK7UxRecsei
MD5:	050779396F7FC99FFC5B81AD6254D25D
SHA1:	892CC925EF1C760A8B2177CCDC293B0CE08C2D18
SHA-256:	1DC65B0E43A63EF06611D093133A61BAE13D6CAE234B3A6442DDAABB1373F5B4
SHA-512:	ABB18375BB5FDB0560AD1F3EC772A9B524B5312C4E1E4DF5259F5347AF7E3C1602EF092EB25BE229AFCAF6870B961A6B63B77C2016D6C37486425E08D0C4EA2F
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.4.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .r.e.t.u.r.n.e.r.t.e. .u.k.j.e.n.t. .f.e.i.l... .S.y.s.t.e.m.f.e.i.l.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...p.n.e. .[.P.r.o.d.u.c.t.N.a.m.e.].s. .o.p.p.r.i.n.n.e.l.i.g.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.D.e.n.n.e. .k.j...r.b.a.r.e. .f.i.l.e.n. .e.r. .i.k.k.e. .d.e.n. .o.p.p.r.i.n.n.e.l.i.g.e. .k.j...r.b.a.r.e. .f.i.l.e.n. .f.o.r. .[.P.r.o.d.u.c.t.N.a.m.e.]... .D.e.t. .e.r. .m.u.l.i.g. .a.t. .[.P.r.o.d.u.c.t.N.a.m.e.]. .i.k.k.e. .f.u.n.g.e.r.e.r. .s.o.m. .d.e.t. .s.k.a.l. .u.t.e.n. ... .b.r.u.k.e. .d.e.t. .o.p.p.r.i.n.n.e.l.i.g.e. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .f.o.r. ... .i.n.s.t.a.l.l.e.r.e.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6765.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4276
Entropy (8bit):	3.8059353573148105
Encrypted:	false
SSDEEP:	96:rsb85Wd53tQHrKQlwlLl0uH7lK/EVG0FLFrs1FWnDseQrlU72:wbMo3t6ewQh0UxK4xRecseSlUC
MD5:	6971EE08A8BC5C8E4836D03EDFBC566D
SHA1:	E132BB2ACC742511C40AFE904DC387C34C10E80C
SHA-256:	44D69276FDA8862CDC529C8F4CD2830E2B583A327B7ABC738EC5D6AF8ABD252C
SHA-512:	2634235FBB253839835498F4FA25F55120412FC7BACFF1DA593B86820391F32C57E84A9462159EBA13C0E44B52657892301DEE4ED9EC49C925816A4D3EB554E4
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.5.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.I.n.t.e.r.f.e.j.s. .N.e.t.A.P.I. .z.w.r...c.i.B. .n.i.e.z.n.a.n.y. .b.B...d... .B.B...d. .s.y.s.t.e.m.o.w.y.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.t.w...r.z. .o.r.y.g.i.n.a.l.n.y. .p.l.i.k. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .p.r.o.d.u.k.t.u. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.T.e.n. .p.l.i.k. .w.y.k.o.n.y.w.a.l.n.y. .p.r.a.w.d.o.p.o.d.o.b.n.i.e. .n.i.e. .j.e.s.t. .o.r.y.g.i.n.a.l.n.y.m. .p.l.i.k.i.e.m. . .[.P.r.o.d.u.c.t.N.a.m.e.]... .B.e.z. .z.a.i.n.s.t.a.l.o.w.a.n.i.a. .d.o.d.a.t.k.o.w.y.c.h. .w.y.m.a.g.a.n.y.c.h. .e.l.e.m.e.n.t...w. .z.a. .p.o.m.o.c... .o.r.y.g.i.n.a.l.n.e.g.o. .p.l.i.k.u. .[.S.E.T.U.P.E.X.E.N.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6823.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4094
Entropy (8bit):	3.696909822919476
Encrypted:	false
SSDEEP:	96:rsDGJ0NpGMS9aQS9+tQDrKQNwNLNMuD7NK/EVGQZFLFrs1FWnDseQrlU72:woo6tmeY45MsJKKxRecseSlUC
MD5:	1543BD3E0859BF4D1BED934250048EF2
SHA1:	E540507993A87BBFDEFBCB225DDCDA186DE928F0
SHA-256:	D3C5DAEE54797B805F4E10D6017CE72CAB413677393C38CF8998543052AF5441
SHA-512:	B7651DE2A540F70E0EC4F24C68F122C2D9EE6440A00605160C2BAD15C6E199F286134838113327CC972EA82AF9B502FEB8764AF69B5026650FB717082C4BD9F8
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.6.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .r.e.t.o.r.n.o.u. .u.m. .e.r.r.o. .d.e.s.c.o.n.h.e.c.i.d.o... .E.r.r.o. .d.o. .s.i.s.t.e.m.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.A.b.r.i.r. .o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.o. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.E.s.t.e. .a.r.q.u.i.v.o. .e.x.e.c.u.t...v.e.l. .n...o. .p.a.r.e.c.e. .s.e.r. .o. .a.r.q.u.i.v.o. .e.x.e.c.u.t...v.e.l. .o.r.i.g.i.n.a.l. .d.o. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.e.m. .u.s.a.r. .o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.a.r.a. .i.n.s.t.a.l.a.r. .a.s. .d.e.p.e.n.d...n.c.i.a.s. .a.d.i.c.i.o.n.a.i.s.,. .o. .[.P.r.o.d.u.c.t.N.a.m.e.]. .t.a.l.v.e.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6892.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4326
Entropy (8bit):	3.742736488733376
Encrypted:	false
SSDEEP:	96:rs0bm4iNhU443044+tQDrKQNwNLNMuD7NK/EVG0FLFrs1FWnDseQrlU72:w0BP6wtmeY45MsJKwxRecseSlUC
MD5:	CE0F6EDB4A13A61C274F84C14904E4D0
SHA1:	4EA7758EF297D0200C15DDFA15057B9072D01627
SHA-256:	9AFC89E8F72AB0F39C3C1BC239AEF2704290F661FB46C85803176AF737CB2CCA
SHA-512:	30D3387EC76822BA6D753D1B9EED11F414EB3398B35D6205AA5BF9BFEAC2295EE08864FDD2F718F588B2C84D47A04FC1FE921E7FF1CC4C2DC25CDB0B02FAFE90
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.8.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.E.r.o.a.r.e. .n.e.c.u.n.o.s.c.u.t... .r.e.t.u.r.n.a.t... .d.e. .N.e.t.A.P.I... .E.r.o.a.r.e. .d.e. .s.i.s.t.e.m.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.D.e.s.c.h.i.d.e.c.i. .f.i._.i.e.r.u.l. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .c.o.r.e.s.p.u.n.z...t.o.r. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.A.c.e.s.t. .f.i._.i.e.r. .e.x.e.c.u.t.a.b.i.l. .n.u. .p.a.r.e. .a. .f.i. .f.i._.i.e.r.u.l. .e.x.e.c.u.t.a.b.i.l. .o.r.i.g.i.n.a.l. .p.e.n.t.r.u. .[.P.r.o.d.u.c.t.N.a.m.e.]... .D.a.c... .l.a. .i.n.s.t.a.l.a.r.e.a. .d.e.p.e.n.d.e.n.c.e.l.o.r. .s.u.p.l.i.m.e.n.t.a.r.e. .n.u. .s.e. .u.t.i.l.i.z.e.a.z... .f.i._.i.e.r.u.l.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6921.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4044
Entropy (8bit):	4.21849362276469
Encrypted:	false
SSDEEP:	96:rsCHsLlyhC19OtQDrKQNwNLNMuD7NK/EVGiFLFrs1FWnDseQrlU72:wiyyhC19OtmeY45MsJKexRecseSlUC
MD5:	E69CB7D48EA9CF5AB3821E5A83AF8E42
SHA1:	95A7A4AB79C880DE1C87BA8BD8C045A6FDC67743
SHA-256:	4C23AC79366731B8E032131C7F8EF2B476655AB90431B5A282A4DB78578325D4
SHA-512:	8C6F6939B9AC32B21BED59C87371CEE4DE26888874332B09FAB48ECC78DB1A988CD5641BF95FFD3C965B22BA3485DA71E5B2BDCF2F5E903D93AE8EB3F53ED6DA
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.1.9.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=...5.8.7.2.5.A.B.=.0.O. .>.H.8.1.:.0.,. .2.K.4.0.=.=.0.O. .N.e.t.A.P.I... .!.8.A.B.5.<.=.0.O. .>.H.8.1.:.0.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=...B.:.@.K.B.L. .>.@.8.3.8.=.0.;.L.=.K.9. .D.0.9.;. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=...>.E.>.6.5. .8.A.?.>.;.=.O.5.<.K.9. .D.0.9.;. .=.5. .O.2.;.O.5.B.A.O. .>.@.8.3.8.=.0.;.L.=.K.<. .8.A.?.>.;.=.O.5.<.K.<. .D.0.9.;.>.<. .4.;.O. .[.P.r.o.d.u.c.t.N.a.m.e.]... ...A.;.8. .=.5. .8.A.?.>.;.L.7.>.2.0.B.L. .>.@.8.3.8.=.0.;.L.=.K.9. .D.0.9.;. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .4.;.O. .C.A.B.0.=.>.2.:.8. .4.>.?.>.;.=.8.B.5.;.L.=.K.E. .7.0.2.8.A.8.<.>.A.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str69BF.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4106
Entropy (8bit):	3.693476713395635
Encrypted:	false
SSDEEP:	96:rs4uqh8NoqHecStV5DtQDrKQNwNLNMuD7NK/EVGQFFLFrs1FWnDseQrlU72:wxTePtmeY45MsJKExRecseSlUC
MD5:	67432E541206A23E5C96E74EA6D2FEA1
SHA1:	89EC40E0DC1BCA402D4D5B3F2B499CC85BAA4560
SHA-256:	9E0A28EB77E264E84093BA81F8044CB299C586AEA1E81801782E18BFC8425A9D
SHA-512:	E4232746B289793938FC9936180FB03CE7A7009AD1F8A49FCEE152C5ABA43649ED3717BD54E9274A4D8C11F3FB237E98A3B2B5F92B76C1F106CAB613E264C1B4
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.2.1.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.K.e.s.a.l.a.h.a.n. .t.a.k. .d.i.k.e.n.a.l. .d.i.k.e.m.b.a.l.i.k.a.n. .d.a.r.i. .N.e.t.A.P.I... .K.e.s.a.l.a.h.a.n. .s.i.s.t.e.m.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.B.u.k.a. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .a.s.l.i. .u.n.t.u.k. .[.P.r.o.d.u.c.t.N.a.m.e.]. .....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.F.i.l.e. .e.x.e.c.u.t.a.b.l.e. .i.n.i. .t.a.m.p.a.k.n.y.a. .b.u.k.a.n. .f.i.l.e. .e.x.e.c.u.t.a.b.l.e. .a.s.l.i. .u.n.t.u.k. .[.P.r.o.d.u.c.t.N.a.m.e.]... .T.a.n.p.a. .m.e.n.g.g.u.n.a.k.a.n. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .a.s.l.i. .u.n.t.u.k. .m.e.n.g.i.n.s.t.a.l. .d.e.p.e.n.d.e.n.s.i. .t.a.m.b.a.h.a.n.,. .[.P.r.o.d.u.c.t.N.a.m.e.]. .t.i.d.a.k. .d.a.p.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6A1F.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4066
Entropy (8bit):	3.7080241126917253
Encrypted:	false
SSDEEP:	96:rs4/ZulXtQDrKQNwNLNMuD7NK/EVG2fFLFrs1FWnDseQrlU72:w4/c5tmeY45MsJKcxRecseSlUC
MD5:	27F54FD5C0B794C5AFBAF65CB9F560BF
SHA1:	515DF34E99932A1D4348B02DE102B267069CD7AE
SHA-256:	0EBEC6EDC28341F56705DD91A70E99499C24177A8CCDF8B5F16086EE04D03630
SHA-512:	31714B56E53CCE7A2D9070D572AEFFE35C5D584AD009F61A179FC463F8960DC139AC58B1E60C2C5F88F29A374015BCCD298D29E887C543E0ECCEA7F93AA33FB2
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.4.2.4.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. .j.e. .v.r.n.i.l. .n.e.z.n.a.n.o. .n.a.p.a.k.o... .S.i.s.t.e.m.s.k.a. .n.a.p.a.k.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.O.d.p.r.i. .o.r.i.g.i.n.a.l.n.i. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .p.r.o.g.r.a.m.a. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.N.i. .v.i.d.e.t.i.,. .d.a. .b.i. .b.i.l.a. .t.a. .i.z.v.r.a.l.j.i.v.a. .d.a.t.o.t.e.k.a. .o.r.i.g.i.n.a.l.n.a. .i.z.v.r.a.l.j.i.v.a. .d.a.t.o.t.e.k.a. .z.a. .[.P.r.o.d.u.c.t.N.a.m.e.]... ...e. .p.r.i. .n.a.m.e.s.t.i.t.v.i. .d.o.d.a.t.n.i.h. .o.d.v.i.s.n.o.s.t.i. .n.e. .u.p.o.r.a.b.l.j.a.t.e. .o.r.i.g.i.n.a.l.n.i.[.S.E.T.U.P.E.X.E.N.A.M.E.].,. .[.P.r.o.d.u.c.t.N.a.m.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6A8E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	3428
Entropy (8bit):	4.162682161486157
Encrypted:	false
SSDEEP:	96:rsEXRtQDrKQNwNLNMuD7NK/EVGEFLFrs1FWnDseQrlU72:wEXRtmeY45MsJKIxRecseSlUC
MD5:	747F4E546F471E9FB4A2A998A9937060
SHA1:	00FF0CFD40DFA3A72AAEB9BE641A11CA44BF7900
SHA-256:	13C438785ED135355515619E4FD39DF8BFD037A6DF0F3D0A2D8685CBCB33C702
SHA-512:	20F1F703F57C5E3B5B729EB6760F5648A6C533D5843FB0A137336829D53CA48C9AAB28E37383B9742213D9FEF058E8164F3711CD11C4BF83F21795D5361F713F
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.8.0.4.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.N.e.t.A.P.I. ...V.N*N......S.V.N..0 ..\|.~...U. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.Sb._ .[.P.r.o.d.u.c.t.N.a.m.e.]. ..SHr .[.S.E.T.U.P.E.X.E.N.A.M.E.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=...N.SgbL..e.N}Ya..N/f .[.P.r.o.d.u.c.t.N.a.m.e.]. ..SHr.v.SgbL..e.N.0 ...N(u.SHr.v .[.S.E.T.U.P.E.X.E.N.A.M.E.]. ..[.vQ.N.vsQo..N..[.P.r.o.d.u.c.t.N.a.m.e.]. ..S...O.Q.s...0 ./f&T.[~b.SHr.v .[.S.E.T.U.P.E.X.E.N.A.M.E.].......I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.S.E.A.R.C.H.=.,g!k.[..S.......O(uvQ.N.vsQo..N.0 ..l.g..N.vsQo..N..[.P.r.o.d.u.c.t.N.a.m.e.]. ..S...O.Q.s...0 ./f&T.[~b.Seg.v .[.S.E.T.U.P.E.X.E.N.A.M.E.].......I.D.S._.P.R.O.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\Str6B1D.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	4062
Entropy (8bit):	3.700139722926891
Encrypted:	false
SSDEEP:	96:rsiQvGJS0BGE9a49+tQDrKQNwNLNMuD7NK/EVGNEFLFrs1FWnDseQrlU72:w2SRtmeY45MsJKCxRecseSlUC
MD5:	1806AF207B3B3554176BE2DE76068302
SHA1:	908E69CD833D1259E7826D6272BFE7B30E4F43B0
SHA-256:	5692791A3D2B35EA82E334BB5E80C1701A8D9B1CC9E87A152659383888E6EE08
SHA-512:	CF8B3BE17BFBFB0B384418E1E3E5D2724C428B98F288FCD79645B83FA8A436BFDB4B3A4AC3298E1484361A3A0347B48412CBBC727F8A8C1135F644387C3B801C
Malicious:	false
Preview:	..[.S.t.r.i.n.g.T.a.b.l.e.:.D.a.t.a.:.0.8.1.6.].....I.D.S._.E.R.R.O.R._.2.7.5.3.0.=.E.r.r.o. .d.e.s.c.o.n.h.e.c.i.d.o. .i.n.f.o.r.m.a.d.o. .p.o.r. .N.e.t.A.P.I... .E.r.r.o. .d.e. .s.i.s.t.e.m.a.:. .[.2.].....I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.1.2.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .1...2. .E.n.g.i.n.e...........I.D.S._.I.N.S.T.A.L.L.I.N.G._.M.S.I.2.0.=.I.n.s.t.a.l.l.i.n.g. .M.s.i. .2...0. .E.n.g.i.n.e...........I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.B.R.O.W.S.E.=.A.b.r.i.r. .o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .d.o. .[.P.r.o.d.u.c.t.N.a.m.e.].....I.D.S._.P.R.E.R.E.Q.U.I.S.I.T.E._.S.E.T.U.P._.I.N.V.A.L.I.D.=.E.s.t.e. .f.i.c.h.e.i.r.o. .e.x.e.c.u.t...v.e.l. .n...o. .p.a.r.e.c.e. .s.e.r. .o. .o.r.i.g.i.n.a.l. .p.a.r.a. .[.P.r.o.d.u.c.t.N.a.m.e.]... .S.e. .n...o. .s.e. .u.s.a.r. .o. .[.S.E.T.U.P.E.X.E.N.A.M.E.]. .o.r.i.g.i.n.a.l. .p.a.r.a. .i.n.s.t.a.l.a.r. .d.e.p.e.n.d...n.c.i.a.s. .a.d.i.c.i.o.n.a.i.s.,. .o. .[.P.r.o.d.u.c.t.N.a.m.e.]. .p.o.d.e. .n...o. .f.u.n.c.i.o.n.

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5560.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432832
Entropy (8bit):	6.450183155296358
Encrypted:	false
SSDEEP:	12288:DyIspJCPtjvntnSb8COevQonCLPubu76R7:DLsDCPtjvntnSb8COevQonC3+R7
MD5:	CD76B0EE50AD6DCE22DC8D788F5E1766
SHA1:	4E41CE3DE7FED1EE21E7D7075ADE58B2C41EE798
SHA-256:	32C91742D14671451B165B00D85D9BCCEA7A37EA138EA2550F1E4543906944E6
SHA-512:	1C5903D2B21061E0651475B62219AE3164428D77A348E51E4B04328E8683E7CA36D6BB39F758B41A1DBDF0477508E96349374AAB6D8B5B1B0A9307F8AE480B68
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P......................................;^.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is55FE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.560293282221256
Encrypted:	false
SSDEEP:	12288:xyIapJCPtjvntnSb8COevQonCLPubu791:xLaDCPtjvntnSb8COevQonC3h1
MD5:	721FB29713080245684C8D5F7EB3ED21
SHA1:	E9404840900044E2124882008F48C5CD12951DE6
SHA-256:	DB11F22F90110D5610434739DA084BA377BEE08566BFCD0C5C186C8A01F8CCBC
SHA-512:	81DC39DAF4C0FED935542E415F80F9012008A73024A0EFE0BD39934C837EB5789BB5970A0D3780BA9D67152087AFB0735292F3683D65FB8A788991F2FD0C80DD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P.......................................Z.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5758.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432832
Entropy (8bit):	6.44446385785103
Encrypted:	false
SSDEEP:	12288:LyI5pJCPtjvntnSb8COevQonCLPubu7YL:LL5DCPtjvntnSb8COevQonC3EL
MD5:	C9F769E50CFD7FA59C1010D1124CF664
SHA1:	02398AFEDFC4824D97B263EB8FC7DDD8A52DE22F
SHA-256:	4F741EF0EB097DF3719431C016DED31B499F71E61FA9E45234FDB23C4BCC56BC
SHA-512:	0FA3CEC0C93DD0CE0BDFFD388205B8FE7E1B162DEB029D9865D415AD1130A2E60B3A20C9D7055FD52E94FD17D4F2AFA413DD9C75827FA991367BBE89DBBBC959
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...r.yY...........!.....@...................P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is57C7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1416448
Entropy (8bit):	6.464456578512818
Encrypted:	false
SSDEEP:	12288:6yIWpJCPtjvntnSb8COevQonCLPubu79+rpdT:6LWDCPtjvntnSb8COevQonC3Z+rpdT
MD5:	D9C32D0F07E68B978E9C589945001A16
SHA1:	2325889A15F38A6665F7EDA61A6E881B6A11F132
SHA-256:	B4159D9D8B3B144E3F262B2C93E2D2BFEA95B2C4BDD52DA13A0BA002B6B9C26B
SHA-512:	E814234F9EEC63F9B8E2C4E0E740F9F1EF2BD21B521967AFD4D7789196736CBD1C97587CF0AFB18F227B8613A71AD06378B0917F2792EB2FB503AA1BEDA99BD8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...u.yY...........!.....@...@...............P...............................................................................V..(............................p.......................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5827.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432832
Entropy (8bit):	6.449034862379667
Encrypted:	false
SSDEEP:	12288:IyIKpJCPtjvntnSb8COevQonCLPubu7gDx:ILKDCPtjvntnSb8COevQonC3UDx
MD5:	81530086EA62B38C00AD0AD1BB608F88
SHA1:	9EFCBC817DA901D39030893B9F5524FAB1A4F3CC
SHA-256:	BA803C78AC63A2353DE986AEB528CC2AC251712C3B3826B5A892A2400078B863
SHA-512:	60CF62AFC7324774A8E8FACAF935B0FB0CD621821AAFF1403C90515EBC818CCC63999736339CBE4AB40A97ACE61254C8B875F11B6EEA2242EF5CAE53629877D0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5896.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.471998519259824
Encrypted:	false
SSDEEP:	12288:YyIFpJCPtjvntnSb8COevQonCLPubu7aN:YLFDCPtjvntnSb8COevQonC3+N
MD5:	570B0E3A2C9CA9497843E22CF4F281DC
SHA1:	79CE61360451547B3B42B0558151D4996D5BBE72
SHA-256:	788AD433D6DA5C6218C7079D58AD7BC818F43463FF6ADC8AF119A2E21DB3AF5B
SHA-512:	4C3D82592992B201F4D5840947293B01B3ABAB5C0FC36470BC35D12F591D3E5F02EBF12772D9E8268F17D4B9C9EC69AED45207283DE06383C38FC3F8F57C1F3F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...y.yY...........!.....@...P...............P...............................................................................V..(.......x............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...x...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is58F6.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.46137601862
Encrypted:	false
SSDEEP:	12288:zyIoLpJCPtjvntnSb8COevQonCLPubu7mq:zLoLDCPtjvntnSb8COevQonC36q
MD5:	14934B54E6DD7AE9F7C9AC006305671A
SHA1:	C6C3CFE0AA036E32626CD802EE402F459C1FF2F2
SHA-256:	2DA5CD58D3B4701EBC73C987C1E87DB111DC9F40C833B586CBF01D0D0243ACF3
SHA-512:	2F3E20D9E0DD422BC05ADA557FAF6A63D32F965F5D4C23766CE8BCD0A7A6E900422D899B62EE76853A76334B27BC6D081AE0E358814C952C1E0012EBBB048C61
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P.......................................W.......................................V..(.......P............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...P...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5994.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.467479267856592
Encrypted:	false
SSDEEP:	12288:3yIEpJCPtjvntnSb8COevQonCLPubu7Rh:3LEDCPtjvntnSb8COevQonC3lh
MD5:	1D3FD400FA8F1F9818EB71870AF6B2FD
SHA1:	DEA1FA580E28427CBB9B8F0E45AA025760C76D45
SHA-256:	695E55D535BC96C72D6929EAC47386743468D756D72CFB58093FB29DC6481E73
SHA-512:	089FC766506D5F06842068AED3EAF7DAC2FEC4859A5EE0F6D5B490F5B969DF56FE0893850D07EC19B53A30AD7F2BB1B6A376EBEF037C3061CC33CBD54F893A01
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P..............................................................................V..(....... ............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc... ...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is59F4.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1416448
Entropy (8bit):	6.465632629662606
Encrypted:	false
SSDEEP:	12288:2yIZpJCPtjvntnSb8COevQonCLPubu74t:2LZDCPtjvntnSb8COevQonC3st
MD5:	DA9F99CA15A1EA4498971E75A471C5B4
SHA1:	A74A240EB87C49FD92CE6889429C1EF21A15F1BD
SHA-256:	83371792C3FCA7461CD48AA90B86EC52B4F43F44B99CA6B870796C71DE32C30E
SHA-512:	DD23DB976B9589F2A5449B68D327DBE0BF2911A1F125E3242AC9F9B97841CE1024D2FF072E970100C6D1869C4F784AFC8E98F977C105DDB41DABDBEFA2C4274D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...@...............P.......................................:.......................................V..(............................p.......................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5B8C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1416448
Entropy (8bit):	6.585466383792146
Encrypted:	false
SSDEEP:	12288:GyIupJCPtjvntnSb8COevQonCLPubu7BWs:GLuDCPtjvntnSb8COevQonC3VWs
MD5:	60FB86CF64CEA5D9D0B24111E352941A
SHA1:	1D4F5B0CB55B6BEBCD1CA86E8FF1364F41137993
SHA-256:	FAEF7ABAF313762324909FF104DF9F54CA3CA03E365B6F5592A662B8FBC50294
SHA-512:	56906F6157D1EEAF7E91C6320DB35E48583E8E5CB7370F723B51DBBE498BFDA5E912C86FE88F684EBBA945195968513A97D385DCA46712AFAA33D3ED9EF5D530
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...@...............P...............................................................................V..(............................p.......................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C1B.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1416448
Entropy (8bit):	6.475657915504315
Encrypted:	false
SSDEEP:	12288:9yIapJCPtjvntnSb8COevQonCLPubu7Vyv0k:9LaDCPtjvntnSb8COevQonC3Hk
MD5:	4840C2447975B7BF9EA3A422C83491BB
SHA1:	8035BC050A0F168654578F8A772FBA8B872C4CFB
SHA-256:	40DA10E2A79F7B8FDA6AB8D54D626555EF9C3592428ED9C5C687ED09AD630466
SHA-512:	9CCDE09598FC95E55B165E502A3CFAAC78DFECE727F90E63583A0FFDECE669065DF30878CE21F635B1B48CD318EEF809DB2FB9638F5A654878E20617298755C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...@...............P...............................................................................V..(.......P....................p.......................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...P...........................@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5C8A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.460063429651935
Encrypted:	false
SSDEEP:	12288:UyITpJCPtjvntnSb8COevQonCLPubu7C7:ULTDCPtjvntnSb8COevQonC3G7
MD5:	D4C06AD994D95F4EF4D6D6470A1651ED
SHA1:	6ACBBF16499E6DB0793854C1B99D04EEC582CD29
SHA-256:	B1F411B68CBE57EBBCC223017249AC4623F00CF19DE4294EF4E5D7DC657F7CC4
SHA-512:	92678F30A723F158AF852C56CA7747F84F506FAA33E31713C144BC9884C2BE56936F9B54726780D96A4E0C77BD043859D9E9395977BDF046AD412447B5214166
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P......................................,........................................V..(.......x............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...x...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5CEA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424640
Entropy (8bit):	6.564955152994468
Encrypted:	false
SSDEEP:	12288:9yIspJCPtjvntnSb8COevQonCLPubu7MY:9LsDCPtjvntnSb8COevQonC3gY
MD5:	745EE4446117B55785F92E972E552A2E
SHA1:	16014E4691C2E7EB2454F323B72B2CDD0D36D6B0
SHA-256:	FFA7CF1E056B0F9F881BF5AA035B2E6F241E9A6E5BE3B2807AB458EF061D7E30
SHA-512:	4C32CF81D0B5466B652EC03D68CA0CA8C7019A741958C474E76C75CE5DECFA9114522CB10B8BA8F5A840156AAE65D7E197B56AC772E9759C088FF7628BC271A0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...`...............P.......................................R.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5D4A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1428736
Entropy (8bit):	6.451397234248691
Encrypted:	false
SSDEEP:	12288:ayIIpJCPtjvntnSb8COevQonCLPubu7T0:aLIDCPtjvntnSb8COevQonC3P0
MD5:	BB0D273CA35C9011A7E10E1B5EDCE27F
SHA1:	96E684B6790E9977CB76D7CE8F50EA65F14E4FDF
SHA-256:	9BEC0617B1DD5088DE564234A1AFD28D0B5F2CD0577627A1FC9AB40CED323D45
SHA-512:	D160D95325D382F7F8D1C33B0589C90E1CD42E2A3416DE1F76CD4BDE51C8AD2C66ACB7D2217B7B546AA73B22E4485CCD36DB88523576D53206E22BB59D3BA117
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...`.yY...........!.....@...p...............P......................................fq.......................................V..(.......X............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...X...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is5DE8.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1367296
Entropy (8bit):	6.559069593802875
Encrypted:	false
SSDEEP:	12288:VyIEpJCPtjvntnSb8COevQonCLPubu74dhxk:VLEDCPtjvntnSb8COevQonC3Ok
MD5:	030F8C1384243570A67F72E644703049
SHA1:	6CD81F58E773560CEE31D10699BAFACD10B97896
SHA-256:	38443E36A9AFEA135C2501653DD599248DF8D7433EC5DE52A2A505AD5E983560
SHA-512:	CD3276A3A1ACFBFE98DB697ED583F0661BB78D36D1D615E145A498C637F1C5090A126267789E80D21B508873BAE332277AA152993B60142E04E588F86F4BCB53
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P.......................................S.......................................V..(.......8............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...8...........................@..@.reloc..p........ ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is61D2.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1416448
Entropy (8bit):	6.475370549575337
Encrypted:	false
SSDEEP:	12288:AyIPpJCPtjvntnSb8COevQonCLPubu7hp4h:ALPDCPtjvntnSb8COevQonC3gh
MD5:	06C64C6119B5D8C81F1A70FDA9F3C4F7
SHA1:	0C0A76A48EAAB2466357651E601F871C8BBD7830
SHA-256:	ACC5EFAAD2EEE18DEA7F1AA130E198564860E9D89AD69E6FDF7BC40A61C49E42
SHA-512:	6FBC0129B74A2F25A012643FF40B9A0D02973D6B0AC03AAF201393505D6A6665A3280851EEBC3C318E8C7DB25E396A2025FBBBFBE7BC18709F1037D7BB0EED80
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...a.yY...........!.....@...@...............P....................................../........................................V..(............................p.......................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc.......p... ...`..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6270.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.4604608790360265
Encrypted:	false
SSDEEP:	12288:NyIcpJCPtjvntnSb8COevQonCLPubu7hV:NLcDCPtjvntnSb8COevQonC3VV
MD5:	21A509036A1F5F9DA32824A72BC21523
SHA1:	0568D0625DF21B50A958BFF26BAA187E35F95DA6
SHA-256:	61B09BE71B66D53A372A5C7E3F405FEDEFE5ED754916C811D699FF3D72AD7DB6
SHA-512:	892BE8E5D4BC16481D18C62728CA8B4865A972C5EE3D6A7DA6B1C28561820F515A0F1546D7323F4A701FFBD3EA7D03B443989046FED4DCCFA07183AF29A5DFB2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...f.yY...........!.....@...P...............P.......................................".......................................V..(.......`............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...`...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is632E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432832
Entropy (8bit):	6.443315775449897
Encrypted:	false
SSDEEP:	12288:CyIXpJCPtjvntnSb8COevQonCLPubu7q64:CLXDCPtjvntnSb8COevQonC3e64
MD5:	701432D28B4BF6997365480461BD694F
SHA1:	52487E31E0BE8041D9E745BA991CC6648BC4B301
SHA-256:	58FE405AF724A2A24969AD68517B01FEEA45E7012345438C24421C6CBF4AC110
SHA-512:	5C579E93F11E2BB0C2744761FE7DE172CE3452C52A25125803E6489D2F9EAFCD0EDA9EA373621565589B6B5742F388667FA5A2451AFE9C0756A50768EB7E8F52
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...l.yY...........!.....@...................P......................................4A.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is636E.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1432832
Entropy (8bit):	6.545845810539532
Encrypted:	false
SSDEEP:	12288:iyIVpJCPtjvntnSb8COevQonCLPubu79d:iLVDCPtjvntnSb8COevQonC3Zd
MD5:	6FC83CCDC28F4ED74FA61CA181DCE654
SHA1:	3C08CBDD5827BEE4D21AACDB3AA5F9BACE06F260
SHA-256:	8E519077CC53112B80799A85DF185564905A1D0A3CD69CFD2E1D45832F326994
SHA-512:	9F73CED928492DEFCEF4BFCBA98E2AF8615DE42EED467A3154E859B167AE2D193E2C095A5B677333B25365AABE937825E418B4CCDD62819A74AA9FA949CF6322
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L...p.yY...........!.....@...................P....................................../D.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is63FD.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1863024
Entropy (8bit):	5.68804336966568
Encrypted:	false
SSDEEP:	12288:zs4d9dfaOdWUIhpJCPtjvntnSb8COevQonCLPub+7iqm:ThrWVhDCPtjvntnSb8COevQonCfrm
MD5:	D9C3BC738104B03B367E2C6ACF8FAFBF
SHA1:	EB7197EB446A5831F99661E021921896B98DC2E2
SHA-256:	F5FD2D49A163D35E4D8FB90C5BCD59CD4BF19B77B5A6F0C36580B7A25A9E75FE
SHA-512:	93F7B899DB22023049E028ABDAE3CD2FB9067E0A9F4EF28E82DE90CA573B85B7B42F1303515E6563C2CB48860F1F282EE108B43612E12221F4EF16AB29FE2437
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^..(...{...{...{...{...{,..{J..{...{P..{..{...{,..{...{..{...{Rich...{........PE..L...[.yY...........!.........................................................p......O........................................@..(....P..V...........pP.......@.......................................................A...............................text...@........................... ..`.rdata........... ..................@..@.data....f.......P..................@....idata.......@....... ..............@....rsrc...V....P.......0..............@..@.reloc...)...@...0... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is646C.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424640
Entropy (8bit):	6.458123690535173
Encrypted:	false
SSDEEP:	12288:ByIrpJCPtjvntnSb8COevQonCLPubu7A5k:BLrDCPtjvntnSb8COevQonC3k5k
MD5:	BB84615532980AD38E781744D6AD4215
SHA1:	A29A71F1BA7F470933F4EAFACFDD11924B636213
SHA-256:	4309C1A2181081DE7113F2956D038043F99C25C05573686243F0D5A9C4BDA8A4
SHA-512:	D6DDA0FCA6EDD0D3CF10FFB1167E523019D9DE40066987B99D031E06B8DE92571CEE9F898BC86E748BF3C989CF6EDB39934D7E3EBF0A161EE3E4BBB168C5571D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...`...............P.......................................y.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is64CC.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1387776
Entropy (8bit):	6.557180411066131
Encrypted:	false
SSDEEP:	12288:myI3pJCPtjvntnSb8COevQonCLPubu7Gg:mL3DCPtjvntnSb8COevQonC3Sg
MD5:	0F14422D86948CC1F7434A678221005D
SHA1:	E3E057850E3EE2D3AA57B6DA7CD9B3C149E5E4CC
SHA-256:	E4902E52BD344150622B6F50AD2EF0C58BD3A86476325E1D9244204D02C7191F
SHA-512:	FA53F58DFFB69A0A876C299D255E4BFA029A04E3A1BF1DCC2EF8A3FE51EFD073981D62058EC57D1BD9B011EFD545639F4ADB8FCB5165E02399852CCA9024FBD4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P............................... ..............................................V..(.......pU...........................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...pU.......`..................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is656A.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1379584
Entropy (8bit):	6.572389836216373
Encrypted:	false
SSDEEP:	12288:KyIOpJCPtjvntnSb8COevQonCLPubu7Ed:KLODCPtjvntnSb8COevQonC3gd
MD5:	F267C3DCD41D4B7969E8E5B422CBF206
SHA1:	951474BEDF04961934722997F10D1770D9D567AB
SHA-256:	0DE20F94CE658FDFD4F4C808D821A7ADC58BB1CC471A36E311D7FD1231A3584D
SHA-512:	C8E206CA6D8B8285BBCD17827E35453640ECEDD3E1F05D0AE22F097FE3E561DC04DD675DE9CE0AECF3007DD8C62DDC23C31E4B1CE0080996D7CAA2125937A3AE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P......................................,........................................V..(........<...........................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc....<.......@..................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is65CA.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424640
Entropy (8bit):	6.456823380709671
Encrypted:	false
SSDEEP:	12288:oyIDpJCPtjvntnSb8COevQonCLPubu78C:oLDDCPtjvntnSb8COevQonC3AC
MD5:	C2E3F6A7F78B7AF7D83A49C8DE07FE02
SHA1:	1E8755A5E4CB433A874E1159ECCEFE99E5F78E76
SHA-256:	AD24853D5F2D5C88777F955FD84BE0F8F76D5369972DBD7EF23B21BCA176D266
SHA-512:	DCD9DE3272C74EEC64C5C3D8EA4238A1E66EB0CAC0A5A7EF85003FC9C3C479E8CEB3856587A23888746CADDF260111227D64E8958B08D3E29CE134279E494C88
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...`...............P......................................./.......................................V..(.......H............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...H...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6668.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.458365440906146
Encrypted:	false
SSDEEP:	12288:cyIWpJCPtjvntnSb8COevQonCLPubu7Bj3:cLWDCPtjvntnSb8COevQonC3d3
MD5:	35AE94CD1BF2864C640176A6046A5C0C
SHA1:	16009CCC8F3F8F3D1879F8373AFE93C1AF5DA629
SHA-256:	DD92BF15CD0229EAC0E938EDB0CD0D1F15B517BC1E1179F5047A7EA87975BE6D
SHA-512:	6E0E3856AD9E20DAD413653AF9A578E17B37C0610D10E93B39B1FA658ECAFA7FF830930CD5D8361C81D66205B771F21880483254ECF9EF74CE230C281FABD082
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P...............................................................................V..(.......P............................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...P...........................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is66F7.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424640
Entropy (8bit):	6.459431156458696
Encrypted:	false
SSDEEP:	12288:JyIcpJCPtjvntnSb8COevQonCLPubu7r0:JLcDCPtjvntnSb8COevQonC3P0
MD5:	0131ED35F5C407F5E5A6F5318DAF61DC
SHA1:	7F17C8345942B466E504490975E5EF019DEEBEDB
SHA-256:	E4E9876D9B1E9FF8E86A56FC5AAB3CDE617F7054DA7E667E2753F66271664717
SHA-512:	48026E421AD93E190FA6376CA2BE2C424C55BC8977B7814313B944532BF0B33A289C6A0746435BD151A09940C9C49FD93DEC4290EDD85ABC1271E715538DFDD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...`...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6766.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1424640
Entropy (8bit):	6.4540275232225355
Encrypted:	false
SSDEEP:	12288:/yIKpJCPtjvntnSb8COevQonCLPub+7Aw:/LKDCPtjvntnSb8COevQonCfkw
MD5:	223F0CDA7C6BE8F0E861000D9BEB032E
SHA1:	589DBA0092F732A4427389B8ACB0C2B7D9F6E301
SHA-256:	3281FD0BF396B4B12E91EA19764CD1042A1947A0EFC72C753A962E461FCFBBC0
SHA-512:	7BA24EE4A40B657C8E2FE93385140443FA049E36B3CD7CC422ED42D6CEAB3AB533353B0F27C234B5819755E65D1E068D45999448A9B83D6F43A2A2C379289591
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...`...............P......................................^........................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6824.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1428736
Entropy (8bit):	6.447744240413919
Encrypted:	false
SSDEEP:	12288:cyIgpJCPtjvntnSb8COevQonCLPubu7z7:cLgDCPtjvntnSb8COevQonC3f7
MD5:	9FDFCCAC597E3AC1AFE41871614FD479
SHA1:	AB6B0ED43A70959B956038841A41A1B0DE578B16
SHA-256:	092C70260132E7F4411F0874D910CB44DE8B930205FD1670E83B54D107EBB462
SHA-512:	2DF9BB7D2F45495BF92D145C4DF6E0C87FC592B2DF432E5D2F50CD6993BE9D844B081279675102FE4A3DB1ED9A8AA9C74095E05FF8E882DAB30A87D5D2B2BF50
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...p...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6893.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.566543446724177
Encrypted:	false
SSDEEP:	12288:SyIIpJCPtjvntnSb8COevQonCLPubu7Q+:SLIDCPtjvntnSb8COevQonC3s+
MD5:	1485AB9FE9CED95744AA0E53E00EA61B
SHA1:	62FFC621F13EA08468553365705AC945863233BD
SHA-256:	89441DC6F4528B9454F3913FAA9802307AA8093A11A0A97ECC656FADEC2A6E86
SHA-512:	75E715A6204641D477B73A8A306B2C929886CF3B1F6119B9B76F13678CEB9D7FF704BD24B9F480551EC200C7CAF7F50F98DDE57DC3B02F7B09DEADCA47D843AB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6922.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.460642297632325
Encrypted:	false
SSDEEP:	12288:oyIVpJCPtjvntnSb8COevQonCLPubu7MJ:oLVDCPtjvntnSb8COevQonC3IJ
MD5:	B96E8269F6840266DD1D616A895979BA
SHA1:	614439FB7E9DAE3DBA8A789833A40CDF27623101
SHA-256:	C1DE28ECA51C2274334435E7B114EB597CB368233B39E92FDC87BA7F27705325
SHA-512:	C4EF55CCFFD4573CF18F4B003105E76E63592B49DE50098EB963E672E196606C8BB3927B5D26F122BC88EFBD65A500F302AAC7246E9B01636247C158F7783618
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is69C0.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1420544
Entropy (8bit):	6.465918679261405
Encrypted:	false
SSDEEP:	12288:kyI2pJCPtjvntnSb8COevQonCLPubu7Vkj:kL2DCPtjvntnSb8COevQonC3Cj
MD5:	CA1D993432BF00141FEB87D459679FC1
SHA1:	109C9A324600DE88B9B517BEC62175BCC97307E7
SHA-256:	53CB769D6612161634C08A8D1CAB58489CE3FA1219EE7198F3857B7FAF224385
SHA-512:	1A33F4EE2DA274E794DA553EA72F61A96534B35E683099FDE0AC84F97E54BEBCF84851ED78F99460817946617656A8751C6C0F9714855C1FD37C09D8DB5CBC1B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...P...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ...p..............@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6A20.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1367296
Entropy (8bit):	6.556230678083565
Encrypted:	false
SSDEEP:	12288:QyIlpJCPtjvntnSb8COevQonCLPubu7xhCoM:QLlDCPtjvntnSb8COevQonC3NhCoM
MD5:	10DE879EA38823729653D91907F4DF49
SHA1:	443F8C90BD04B749A1B358C5DBF097560FAFBE15
SHA-256:	61C7CCCB9E343A7ADF0E93A556068B1DBAECB7202B9403425100DF3E996F1FCA
SHA-512:	20DB9942D7BDFB70455D866C79B14D6CF705FA421F27FC24CD946D33EF1C36910BE3C913D6B611C4DCBDF0F1216A143B2C3B37E4BCFC506EEE2F9CBCD448AED6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...................P.......................................'.......................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc..p........ ..................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\{8DA8AB7C-68BD-40BE-B843-21CE4CD3DBA4}\_is6ABE.tmp Download File
Process:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1428736
Entropy (8bit):	6.456695021897723
Encrypted:	false
SSDEEP:	12288:VyILpJCPtjvntnSb8COevQonCLPub+7Ml:VLLDCPtjvntnSb8COevQonCfwl
MD5:	E4D7DD41D2F3FA29A82660A3A6F89190
SHA1:	584E0B8FD1EFB2A22FCE28D02F3B835C9F223E97
SHA-256:	EAEDEC4D9F0769765D24D84945C948CA468813414B4A4811C50F28380392FB2A
SHA-512:	C647919B1FCBDEEC5ACC25724694414A930EEB9EAF599319B8DD8ABA4DF3DCE999537660EFB34E433E5EF0B40416F79BFF79DD1EEB90838348490B154554BA6B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6...6...6......."...........6...w......5.......5.....7...Rich6...................PE..L.....yY...........!.....@...p...............P...............................................................................V..(....................................................................................P...............................text...Z?.......@.................. ..`.rdata.......P.......P..............@..@.data... 1...`...0...`..............@....rsrc...............................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.955804644263245
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
File size:	26675560
MD5:	e1c700344a31aee275b86a0cc5fe707b
SHA1:	e1ca62a65559a00eac9096f7b1e0de69d82fd0c8
SHA256:	fa07eeabe6dc625c92894a62137f8c2cfb445b8e3daddd19ee3c44c00a84a708
SHA512:	2868da24290c51bfdfabce9c7523e6c5d717d387d21b5e71ccc6b2695f897a0e0b7227abb2b82625258fb8e521381ab57182e4e40a6ba5aa240842658f1a8b78
SSDEEP:	786432:ak/XpsaOs3VSCyZ6a4oo/OGHRSgWd/tOiHQ6nZWsnTrcfZ+iFpMwHw/J6:ak/XpsaOs3VSCyZ6a4oo/OGHRSgG/tOR
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^y....s...s...s.......s.......s.......s.......s.....Z.s..o....s...r...s..o....s.....7.s.......s.......s.......s.Rich..s........

File Icon


Icon Hash:	0063551165753100

Static PE Info

General
Entrypoint:	0x45e61f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE, NX_COMPAT
Time Stamp:	0x5979D664 [Thu Jul 27 12:02:44 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	952608687d343553fa2ebbe1a801044c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Symantec Class 3 SHA256 Code Signing CA, OU=Symantec Trust Network, O=Symantec Corporation, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/22/2016 2:00:00 AM 7/23/2019 1:59:59 AM
Subject Chain	CN=Automationdirect.com, O=Automationdirect.com, L=Cumming, S=Georgia, C=US
Version:	3
Thumbprint MD5:	F4F931C45F2EB68904EC3E0CA08B9567
Thumbprint SHA-1:	3B2E79F2DA570A8C20BB6E30B31E2EFBCB588D1B
Thumbprint SHA-256:	4EFA0B423F04D38D58D3E46D4A6CDB5D9C92027E4EC89B8F5C82D9A8AE4D3FBA
Serial:	6872DC611BBCFB37A8E37BA86F3198B2

Entrypoint Preview

Instruction
call 00007F6D30A3877Fh
jmp 00007F6D30A2AB6Eh
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+14h]
push esi
test eax, eax
je 00007F6D30A2AD6Eh
cmp dword ptr [ebp+08h], 00000000h
jne 00007F6D30A2AD45h
call 00007F6D30A29BFCh
push 00000016h
pop esi
mov dword ptr [eax], esi
call 00007F6D30A317C2h
mov eax, esi
jmp 00007F6D30A2AD57h
cmp dword ptr [ebp+10h], 00000000h
je 00007F6D30A2AD19h
cmp dword ptr [ebp+0Ch], eax
jnc 00007F6D30A2AD3Bh
call 00007F6D30A29BDEh
push 00000022h
jmp 00007F6D30A2AD12h
push eax
push dword ptr [ebp+10h]
push dword ptr [ebp+08h]
call 00007F6D30A27658h
add esp, 0Ch
xor eax, eax
pop esi
pop ebp
ret
push ebp
mov ebp, esp
xor edx, edx
mov eax, edx
cmp dword ptr [ebp+0Ch], eax
jbe 00007F6D30A2AD43h
mov ecx, dword ptr [ebp+08h]
cmp word ptr [ecx], dx
je 00007F6D30A2AD3Bh
inc eax
add ecx, 02h
cmp eax, dword ptr [ebp+0Ch]
jc 00007F6D30A2AD24h
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov ecx, dword ptr [esp+0Ch]
push edi
test ecx, ecx
je 00007F6D30A2ADC8h
push esi
push ebx
mov ebx, ecx
mov esi, dword ptr [esp+14h]
test esi, 00000003h
mov edi, dword ptr [esp+10h]
jne 00007F6D30A2AD3Dh
shr ecx, 02h
jne 00007F6D30A2ADBBh
jmp 00007F6D30A2AD59h
mov al, byte ptr [esi]
add esi, 01h
mov byte ptr [edi], al
add edi, 01h
sub ecx, 01h
je 00007F6D30A2AD5Dh
test al, al
je 00007F6D30A2AD61h
test esi, 00000003h
jne 00007F6D30A2AD17h

Rich Headers

Programming Language:

[RES] VS2012 UPD1 build 51106
[C++] VS2012 UPD1 build 51106
[ C ] VS2012 UPD1 build 51106
[LNK] VS2012 UPD1 build 51106

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd420c	0xdc	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xdc000	0x4c600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x196ec58	0x1d10
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xae700	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xc3478	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xae000	0x674	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xd3a48	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xac3bb	0xac400	False	0.471233218433	data	6.54203736845	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xae000	0x2850e	0x28600	False	0.424596071981	data	5.1940985024	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xd7000	0x4c24	0x2600	False	0.292249177632	PGP symmetric key encrypted data - Plaintext or unencrypted data	4.51395817046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xdc000	0x4c600	0x4c600	False	0.359125664894	data	6.52947632143	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
GIF	0xdcf04	0x339f	GIF image data, version 89a, 350 x 624	English	United States
PNG	0xe02a4	0x39ed	PNG image data, 360 x 150, 8-bit/color RGBA, non-interlaced
PNG	0xe3c94	0x2fc9	PNG image data, 240 x 227, 8-bit/color RGBA, non-interlaced
RT_BITMAP	0xe6c60	0x14220	data
RT_BITMAP	0xfae80	0x1b5c	data
RT_BITMAP	0xfc9dc	0x38e4	data
RT_BITMAP	0x1002c0	0x1238	data
RT_BITMAP	0x1014f8	0x6588	data
RT_BITMAP	0x107a80	0x11f88	data
RT_ICON	0x119a08	0x668	data
RT_ICON	0x11a070	0x2e8	data
RT_ICON	0x11a358	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x11a480	0xea8	data
RT_ICON	0x11b328	0x8a8	data
RT_ICON	0x11bbd0	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x11c138	0x25a8	data
RT_ICON	0x11e6e0	0x10a8	data
RT_ICON	0x11f788	0x468	GLS_BINARY_LSB_FIRST
RT_ICON	0x11fbf0	0x2e8	data
RT_ICON	0x11fed8	0x2e8	data
RT_ICON	0x1201c0	0x2e8	data
RT_DIALOG	0x1204a8	0x1ce	data
RT_DIALOG	0x120678	0x266	data
RT_DIALOG	0x1208e0	0x2b0	data
RT_DIALOG	0x120b90	0x54	data
RT_DIALOG	0x120be4	0x34	data
RT_DIALOG	0x120c18	0xd6	data
RT_DIALOG	0x120cf0	0x114	data
RT_DIALOG	0x120e04	0xd6	data
RT_DIALOG	0x120edc	0x246	data
RT_DIALOG	0x121124	0x3c8	data
RT_DIALOG	0x1214ec	0x14e	data
RT_DIALOG	0x12163c	0x1e8	data
RT_DIALOG	0x121824	0x1c6	data
RT_DIALOG	0x1219ec	0x1ee	data
RT_DIALOG	0x121bdc	0x7c	data
RT_DIALOG	0x121c58	0x3bc	data
RT_DIALOG	0x122014	0x158	data
RT_DIALOG	0x12216c	0x1da	data
RT_DIALOG	0x122348	0x10a	data
RT_DIALOG	0x122454	0xde	data
RT_DIALOG	0x122534	0x1d4	data
RT_DIALOG	0x122708	0x1dc	data
RT_DIALOG	0x1228e4	0x294	data
RT_STRING	0x122b78	0x160	data	English	United States
RT_STRING	0x122cd8	0x23e	data	English	United States
RT_STRING	0x122f18	0x378	data	English	United States
RT_STRING	0x123290	0x252	data	English	United States
RT_STRING	0x1234e4	0x1f4	data	English	United States
RT_STRING	0x1236d8	0x66a	data	English	United States
RT_STRING	0x123d44	0x366	data	English	United States
RT_STRING	0x1240ac	0x27e	data	English	United States
RT_STRING	0x12432c	0x518	data	English	United States
RT_STRING	0x124844	0x882	data	English	United States
RT_STRING	0x1250c8	0x23e	data	English	United States
RT_STRING	0x125308	0x3ba	data	English	United States
RT_STRING	0x1256c4	0x12c	data	English	United States
RT_STRING	0x1257f0	0x4a	data	English	United States
RT_STRING	0x12583c	0xda	data	English	United States
RT_STRING	0x125918	0x110	data	English	United States
RT_STRING	0x125a28	0x20a	data	English	United States
RT_STRING	0x125c34	0xba	data	English	United States
RT_STRING	0x125cf0	0xa8	data	English	United States
RT_STRING	0x125d98	0x12a	data	English	United States
RT_STRING	0x125ec4	0x422	data	English	United States
RT_STRING	0x1262e8	0x5c2	data	English	United States
RT_STRING	0x1268ac	0x40	data	English	United States
RT_STRING	0x1268ec	0xcaa	data	English	United States
RT_STRING	0x127598	0x284	data	English	United States
RT_GROUP_ICON	0x12781c	0x14	data
RT_GROUP_ICON	0x127830	0x14	data
RT_GROUP_ICON	0x127844	0x14	data
RT_VERSION	0x127858	0x45c	data
RT_MANIFEST	0x127cb4	0x626	XML 1.0 document, ASCII text, with CRLF line terminators
RT_MANIFEST	0x1282dc	0x323	XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators	English	United States

Imports

DLL	Import
COMCTL32.dll
KERNEL32.dll	IsBadReadPtr, CompareStringW, CompareStringA, GetSystemDefaultLangID, GetUserDefaultLangID, ExpandEnvironmentStringsW, GetCurrentDirectoryW, FileTimeToLocalFileTime, GetFileTime, SetFileAttributesW, HeapAlloc, HeapFree, GetProcessHeap, CopyFileW, GetWindowsDirectoryW, InterlockedDecrement, InterlockedIncrement, GetTempPathW, CreateFileW, LoadLibraryA, GetSystemDirectoryA, FindResourceW, GlobalFree, GlobalUnlock, GlobalLock, GlobalAlloc, GetPrivateProfileIntW, LockResource, LoadResource, MultiByteToWideChar, MoveFileExW, WriteProcessMemory, VirtualProtectEx, GetSystemDirectoryW, FlushInstructionCache, SetThreadContext, GetThreadContext, ResumeThread, TerminateProcess, ExitProcess, LoadLibraryW, lstrcatW, lstrcpynW, lstrcmpiW, LoadLibraryExW, FreeLibrary, FindResourceExW, UnmapViewOfFile, MapViewOfFile, CreateFileMappingW, VirtualQuery, GetSystemInfo, GetSystemTimeAsFileTime, CreateEventW, CreateMutexW, ReleaseMutex, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, QueryPerformanceFrequency, SetErrorMode, RaiseException, FreeResource, GetPrivateProfileSectionNamesA, GetPrivateProfileStringA, GetPrivateProfileIntA, lstrcatA, lstrcmpiA, MulDiv, FlushFileBuffers, WriteConsoleW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, SetFilePointerEx, GetConsoleMode, WriteFile, SetFilePointer, GetFileSize, GetFileAttributesW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, FindFirstFileW, FindClose, CreateDirectoryW, VerLanguageNameW, IsValidLocale, GetLocaleInfoW, WideCharToMultiByte, lstrcpyA, GetTickCount, ExitThread, CreateThread, GetExitCodeProcess, ReadFile, GetCommandLineW, FormatMessageW, LocalFree, SizeofResource, GetVersionExW, GetCurrentProcess, WaitForSingleObject, SetLastError, GetLastError, DuplicateHandle, RemoveDirectoryW, DeleteFileW, SetCurrentDirectoryW, lstrlenW, lstrcpyW, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, CreateProcessW, Sleep, CloseHandle, GetSystemDefaultUILanguage, ReadConsoleW, GetConsoleCP, EnumSystemLocalesW, GetUserDefaultLCID, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetFileType, HeapReAlloc, GetStdHandle, HeapSize, AreFileApisANSI, GetModuleHandleExW, GetStringTypeW, GetCurrentThreadId, GetCPInfo, GetOEMCP, IsValidCodePage, CreateSemaphoreW, GetStartupInfoW, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FatalAppExitA, GetACP, IsProcessorFeaturePresent, IsDebuggerPresent, RtlUnwind, lstrcpynA, LocalAlloc, FindNextFileW, WritePrivateProfileSectionW, GetPrivateProfileSectionW, lstrcmpW, GetShortPathNameW, GetCurrentThread, QueryPerformanceCounter, lstrcmpA, SystemTimeToFileTime, ResetEvent, SetEvent, Process32NextW, Process32FirstW, CreateToolhelp32Snapshot, GetDateFormatW, GetTimeFormatW, GetTempFileNameW, GetEnvironmentVariableW, CompareFileTime, InterlockedExchange, LoadLibraryExA, EnterCriticalSection, LeaveCriticalSection, EncodePointer, DecodePointer, LCMapStringW, GetVersion, GetCurrentProcessId, GetLocalTime, lstrlenA, GetProcessTimes, OpenProcess, SetFileTime
USER32.dll	DialogBoxIndirectParamW, MoveWindow, SendMessageW, CharUpperBuffW, WaitForInputIdle, wsprintfW, GetDlgItem, SetDlgItemTextW, SetActiveWindow, SetForegroundWindow, SetWindowTextW, GetWindowRect, MessageBoxW, GetWindowLongW, SetWindowLongW, LoadIconW, TranslateMessage, DispatchMessageW, PeekMessageW, EndDialog, SystemParametersInfoW, GetWindow, FillRect, GetSysColor, MapWindowPoints, RemovePropW, GetPropW, SetPropW, EndPaint, BeginPaint, EnableMenuItem, GetSystemMetrics, SetFocus, ExitWindowsEx, CharUpperW, wsprintfA, CallWindowProcW, CreateWindowExW, DrawIcon, DrawTextW, UpdateWindow, GetWindowDC, InvalidateRect, DrawFocusRect, CopyRect, InflateRect, EnumChildWindows, GetClassNameW, MapDialogRect, RegisterClassExW, GetDlgItemTextW, IntersectRect, MonitorFromPoint, DefWindowProcW, GetMessageW, LoadStringW, LoadImageW, ReleaseDC, GetDC, CreateDialogParamW, GetParent, GetWindowTextW, CharNextW, GetDesktopWindow, GetClientRect, IsWindowEnabled, CreateDialogIndirectParamW, IsWindowVisible, IsDialogMessageW, FindWindowExW, ScreenToClient, EnableWindow, MsgWaitForMultipleObjects, SendDlgItemMessageW, SetWindowPos, ShowWindow, DestroyWindow, IsWindow, PostMessageW
GDI32.dll	SetTextColor, SetBkMode, SetBkColor, SaveDC, RestoreDC, CreateSolidBrush, UnrealizeObject, CreateHalftonePalette, GetDIBColorTable, SelectPalette, SelectObject, RealizePalette, GetSystemPaletteEntries, GetDeviceCaps, DeleteDC, CreatePalette, CreateCompatibleDC, BitBlt, GetObjectW, TranslateCharsetInfo, DeleteObject, CreateFontIndirectW, CreateCompatibleBitmap, CreateDCW, CreatePatternBrush, GetStockObject, GetTextExtentPoint32W, DeleteMetaFile, CreateDIBitmap, CreateBitmap, CreateRectRgn, PatBlt, PlayMetaFile, SelectClipRgn, SetMapMode, SetMetaFileBitsEx, SetPixel, StretchBlt, SetStretchBltMode, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, TextOutW
ADVAPI32.dll	CryptSignHashW, RegEnumValueW, RegQueryValueExW, SetEntriesInAclW, RegQueryInfoKeyW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CreateWellKnownSid, RegSetValueExW, RegOpenKeyExW, RegCreateKeyExW, RegCloseKey, RegOpenKeyW, OpenProcessToken, AdjustTokenPrivileges, AllocateAndInitializeSid, FreeSid, LookupPrivilegeValueW, RegOverridePredefKey, RegCreateKeyW, RegEnumKeyW, OpenThreadToken, GetTokenInformation, EqualSid, CryptAcquireContextW, CryptReleaseContext, CryptDeriveKey, CryptDestroyKey, CryptSetHashParam, CryptGetHashParam, CryptExportKey, CryptImportKey, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptVerifySignatureW
SHELL32.dll	SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHGetMalloc, ShellExecuteExW
ole32.dll	CoTaskMemFree, CoTaskMemRealloc, CoTaskMemAlloc, CoCreateInstance, CoInitializeSecurity, ProgIDFromCLSID, CreateStreamOnHGlobal, CoInitializeEx, CoUninitialize, GetRunningObjectTable, CreateItemMoniker, CoLoadLibrary, CoCreateGuid, StringFromGUID2
OLEAUT32.dll	VariantChangeType, VarBstrCmp, CreateErrorInfo, SetErrorInfo, UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib, VariantInit, VariantClear, VarUI4FromStr, SysAllocString, SysFreeString, SysStringLen, SysAllocStringLen, SysReAllocStringLen, GetErrorInfo, SysStringByteLen, VarBstrCat, SysAllocStringByteLen
RPCRT4.dll	UuidCreate, RpcStringFreeW, UuidFromStringW, UuidToStringW
gdiplus.dll	GdipFree, GdipDrawImageRectI, GdipSetInterpolationMode, GdipDeleteGraphics, GdipCreateFromHDC, GdipCreateBitmapFromResource, GdipCreateBitmapFromFileICM, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromFile, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipGetImageWidth, GdipGetImageHeight, GdipAlloc

Version Infos

Description	Data
LegalCopyright	Copyright (c) 2015 Flexera Software LLC. All Rights Reserved.
ISInternalVersion	22.0.401
InternalName	Setup
FileVersion	4.1.0.5
CompanyName	Automation Direct
Internal Build Number	176888
ProductName	SureServo PRO
ProductVersion	4.1.0.5
FileDescription	InstallScript Setup Launcher Unicode
ISInternalDescription	InstallScript Setup Launcher Unicode
OriginalFilename	InstallShield Setup.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe PID: 6312 Parent PID: 5872

General

Start time:	18:08:23
Start date:	29/03/2021
Path:	C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe'
Imagebase:	0x400000
File size:	26675560 bytes
MD5 hash:	E1C700344A31AEE275B86A0CC5FE707B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: setup.exe PID: 6356 Parent PID: 6312

General

Start time:	18:08:24
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\setup.exe -package:'C:\Users\user\Desktop\SureServoPROInstall_V4_1_0_5_DB2_0_8.exe' -no_selfdeleter -IS_temp -media_path:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\' -tempdisk1folder:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\' -IS_OriginalLauncher:'C:\Users\user\AppData\Local\Temp\{13FF6051-2C7F-44D5-BA42-894B5CE410C5}\Disk1\setup.exe'
Imagebase:	0x400000
File size:	1201936 bytes
MD5 hash:	88340D6E1DE3ED49364A64B3D8796AF6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 2%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6544 Parent PID: 6356

General

Start time:	18:08:38
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8FD074B-9EF5-416D-A3EE-6D8FB115C83F}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6584 Parent PID: 6356

General

Start time:	18:08:39
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BED6DCE-3BD7-42E3-BF6F-81E3F37201FD}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6624 Parent PID: 6356

General

Start time:	18:08:39
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30C7FFBC-292B-4310-AFE7-0365F4C35832}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6656 Parent PID: 6356

General

Start time:	18:08:39
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C15C7E7D-7890-420A-86BA-7E9024358B47}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6696 Parent PID: 6356

General

Start time:	18:08:40
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6332241F-264C-4388-88EB-7A98CF4DBA83}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6744 Parent PID: 6356

General

Start time:	18:08:41
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1BE9E7C-E67D-4CF9-BA65-428ACD016A71}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: ISBEW64.exe PID: 6784 Parent PID: 6356

General

Start time:	18:08:42
Start date:	29/03/2021
Path:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\{5A5FC2C6-9262-4BBA-8AD9-F7AEF29201FF}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{176CEB1A-A045-48A9-ADF5-06CDBA606E31}
Imagebase:	0x7ff7f3980000
File size:	182008 bytes
MD5 hash:	8A1E5A6B1C4E0C7D706EB2B36FA6C8EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe PID: 6312 Parent PID: 5872 SureServoPROInstall_V4_1_0_5_DB2_0_8.exeCOMMON

Execution Graph

Execution Coverage:	5.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.2%
Total number of Nodes:	1945
Total number of Limit Nodes:	16

Executed Functions

Function 0043B52C, Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 290
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E0043B52C(void* __ebx, void* __edx, struct HINSTANCE__* __edi, void* __esi, void* __eflags) {
				char _t85;
				void* _t91;
				void* _t99;
				void* _t105;
				intOrPtr* _t129;
				unsigned int _t144;
				unsigned int* _t180;
				unsigned int* _t184;
				unsigned int* _t189;
				unsigned int _t192;
				unsigned int* _t193;
				void* _t202;
				struct HINSTANCE__* _t208;
				intOrPtr* _t211;
				void* _t212;
				void* _t213;
				void* _t214;
				void* _t215;
				intOrPtr _t216;
				void* _t217;
				intOrPtr _t219;
				intOrPtr _t220;
				void* _t221;
				void* _t222;
				unsigned int* _t223;
				unsigned int* _t224;
				void* _t225;
				unsigned int* _t227;
				unsigned int* _t229;
				void* _t236;
				signed int _t238;

				_t205 = __edi;
				_t202 = __edx;
				_push(0x108);
				E0045B8C9(0x4a653a, __ebx, __edi, __esi);
				_t214 = _t213 - 0x30;
				_t207 = L"ISlogit";
				E004091B8(_t214, L"ISlogit", _t212 - 0xf9, 1);
				_push(0x80000001); // executed
				_t85 = E004484C2(); // executed
				_t215 = _t214 + 0x34;
				 *0x4d99f0 = _t85;
				if(_t85 != 0) {
					_t205 = 0;
					_push(0);
					_t216 = _t215 - 0x30;
					 *((intOrPtr*)(_t212 - 0x104)) = _t216;
					E004091B8(_t216, L"TraceStd", _t212 - 0xf9, 1);
					_t217 = _t216 - 0x30;
					 *(_t212 - 4) = 0;
					E004091B8(_t217, L"ISlogit", _t212 - 0xf9, 1);
					 *(_t212 - 4) =  *(_t212 - 4) | 0xffffffff;
					_push(0x80000001);
					_t91 = E00448BFF();
					_push(0x20019);
					 *0x4d99f1 = _t91 != 0;
					_t219 = _t217 + 0x68 - 0x30;
					 *((intOrPtr*)(_t212 - 0x108)) = _t219;
					E004091B8(_t219, 0x4c2d7c, _t212 - 0xf9, 1);
					_t220 = _t219 - 0x30;
					 *((intOrPtr*)(_t212 - 0x104)) = _t220;
					 *(_t212 - 4) = 1;
					E004091B8(_t220, L"FileNamePath", _t212 - 0xf9, 1);
					_t221 = _t220 - 0x30;
					 *(_t212 - 4) = 2;
					E004091B8(_t221, _t207, _t212 - 0xf9, 1);
					 *(_t212 - 4) =  *(_t212 - 4) | 0xffffffff;
					_push(0x80000001);
					_push(_t212 - 0xb0);
					_t99 = E00448D7A(1, 0, _t207, _t91);
					_t222 = _t221 + 0x9c;
					 *(_t212 - 4) = 3;
					E004095E2(0x4d7600, _t99);
					 *(_t212 - 4) =  *(_t212 - 4) | 0xffffffff;
					E00401B80(_t212 - 0xb0);
					_t236 =  *0x4d7614 - _t205; // 0x0
					if(_t236 == 0) {
						_push(0);
						_push(_t212 - 0xb0);
						_t23 = E0043A837(1, 0, _t207, _t236) + 4; // 0x4
						_t211 = _t23;
						 *(_t212 - 4) = 4;
						if( *((intOrPtr*)(_t211 + 0x14)) >= 8) {
							_t211 =  *_t211;
						}
						_push(L"bin");
						_push(GetCurrentProcessId());
						_push(L"setuptrace");
						E0040DD64(0x4d7600, L"%s%s%d.%s", _t211);
						_t26 = _t212 - 4;
						 *_t26 =  *(_t212 - 4) | 0xffffffff;
						_t238 =  *_t26;
						_t222 = _t222 + 0x18;
						E00401B80(_t212 - 0xb0);
					}
					_push(0x18);
					_t208 = E0045C169(1, _t202, _t205, _t238);
					_t239 = _t208;
					if(_t208 == 0) {
						_t208 = _t205;
					} else {
						E0045A4D0(_t208, _t205, 0x18);
						_t222 = _t222 + 0xc;
					}
					 *0x4d99ec = _t208;
					E0041B6FC(_t208);
					_push(0xc);
					_t223 = _t222 - 0x30;
					_t180 = _t223;
					_push(_t205);
					_t207 = 0x4c2fa0;
					_push(0x4d7600);
					 *_t180 = 0x4c2fa0;
					_t180[0xa] = 0x4c2f40;
					E00408E82(1, _t180, _t205, 0x4c2fa0, _t239);
					_t105 = E00441E34(1, _t202, _t205, 0x4c2fa0, _t239);
					_t224 =  &(_t223[0xd]);
					_t240 = _t105;
					if(_t105 == 0) {
						_t225 = _t224 - 0x30;
						E004091B8(_t225, L"FormatVersion=00000112\r\n\r\n", _t212 - 0xf9, 1);
						E0043BDD3(1, _t225, _t202, _t205, 0x4c2fa0, _t240);
						E004091B8(_t225, L"(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved)\r\n\r\n", _t212 - 0xf9, 1);
						E0043BDD3(1, _t225, _t202, _t205, 0x4c2fa0, _t240);
						GetLocalTime(_t212 - 0x20);
						 *(_t212 - 0x80) = 0x4c2fa0;
						 *(_t212 - 0x58) = 0x4c2f40;
						E00404200(_t212 - 0x80, _t212 - 0xf9, _t205);
						_push( *(_t212 - 0x14) & 0x0000ffff);
						_push( *(_t212 - 0x16) & 0x0000ffff);
						_push( *(_t212 - 0x18) & 0x0000ffff);
						_push( *(_t212 - 0x20) & 0x0000ffff);
						_push( *(_t212 - 0x1a) & 0x0000ffff);
						 *(_t212 - 4) = 5;
						E0040DD64(_t212 - 0x80, L"TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld\r\n",  *(_t212 - 0x1e) & 0x0000ffff);
						_t227 = _t225 + 0x30 - 0x10;
						_t184 = _t227;
						_push(_t205);
						_push(_t212 - 0x80);
						 *_t184 = 0x4c2fa0;
						_t184[0xa] = 0x4c2f40;
						E00408E82(1, _t184, _t205, 0x4c2fa0, _t240);
						E0043BDD3(1, _t184, _t202, _t205, 0x4c2fa0, _t240);
						 *(_t212 - 0x50) = 0x4c2fa0;
						 *(_t212 - 0x28) = 0x4c2f40;
						E00404200(_t212 - 0x50, _t212 - 0xf9, _t205);
						 *(_t212 - 4) = 6;
						_t129 = E0040A14B(_t212 - 0x50, _t212 - 0x114, 0x104);
						 *(_t212 - 4) = 7;
						 *((char*)(_t129 + 4)) = 1;
						GetModuleFileNameW(_t205,  *(E0040A0F0(_t129,  *_t129)), 0x104);
						 *(_t212 - 4) = 6;
						E00409574(1, _t212 - 0x114, _t205, 0x104, _t240);
						_t134 =  >=  ?  *((void*)(_t212 - 0x4c)) : _t212 - 0x4c;
						E0040DD64(_t212 - 0x80, L"SetupExe: %ls\r\n",  >=  ?  *((void*)(_t212 - 0x4c)) : _t212 - 0x4c);
						_t229 =  &(_t227[0xc]) - 0x24;
						_t189 = _t229;
						_push(_t205);
						_push(_t212 - 0x80);
						 *_t189 = 0x4c2fa0;
						_t189[0xa] = 0x4c2f40;
						E00408E82(1, _t189, _t205, 0x104,  *((intOrPtr*)(_t212 - 0x38)) - 8);
						E0043BDD3(1, _t189, _t202, _t205, 0x104,  *((intOrPtr*)(_t212 - 0x38)) - 8);
						E0043B19F(_t212 - 0xf8);
						_t142 =  >=  ?  *((void*)(_t212 - 0x4c)) : _t212 - 0x4c;
						 *(_t212 - 4) = 8;
						E004530B2(_t212 - 0xf8, _t202, _t205, 0x104,  >=  ?  *((void*)(_t212 - 0x4c)) : _t212 - 0x4c);
						_t144 =  *(_t212 - 0xe8);
						_t192 =  *(_t212 - 0xec);
						_push(_t144 & 0x0000ffff);
						_t204 = _t144 >> 0x10;
						_push(_t144 >> 0x10);
						_push(_t192 & 0x0000ffff);
						_t207 = _t192 >> 0x10;
						_t243 = _t192 >> 0x10;
						E0040DD64(_t212 - 0x80, L"SetupExeVersion: %ld.%ld.%ld.%ld\r\n", _t192 >> 0x10);
						_t231 =  &(_t229[0xc]) - 0x18;
						_t193 =  &(_t229[0xc]) - 0x18;
						_push(_t205);
						_push(_t212 - 0x80);
						 *_t193 = 0x4c2fa0;
						_t193[0xa] = 0x4c2f40;
						E00408E82(1, _t193, _t205, _t207, _t192 >> 0x10);
						E0043BDD3(1, _t193, _t144 >> 0x10, _t205, _t207, _t192 >> 0x10);
						E004091B8(_t231, L"\r\nTraceData:\r\n", _t212 - 0xf9, 1);
						E0043BDD3(1, _t231, _t144 >> 0x10, _t205, _t207, _t192 >> 0x10);
						E004091B8(_t231, L"Category|SubCategory|Details\r\n", _t212 - 0xf9, 1);
						E0043BDD3(1, _t231, _t204, _t205, _t207, _t243);
						 *((intOrPtr*)(_t212 - 0xf8)) = 0x4b5d64;
						E0043C503(_t212 - 0xf8);
						E00401B80(_t212 - 0x50);
						E00401B80(_t212 - 0x80);
					}
				}
				return E0045B878(1, _t205, _t207);
			}

0x0043b52c
0x0043b52c
0x0043b52c
0x0043b536
0x0043b53b
0x0043b54b
0x0043b551
0x0043b556
0x0043b55b
0x0043b560
0x0043b563
0x0043b56a
0x0043b570
0x0043b572
0x0043b573
0x0043b578
0x0043b58b
0x0043b590
0x0043b59e
0x0043b5a1
0x0043b5a6
0x0043b5aa
0x0043b5af
0x0043b5b9
0x0043b5be
0x0043b5c5
0x0043b5ca
0x0043b5dd
0x0043b5e2
0x0043b5e7
0x0043b5fa
0x0043b5fd
0x0043b602
0x0043b610
0x0043b614
0x0043b619
0x0043b623
0x0043b628
0x0043b629
0x0043b62e
0x0043b63a
0x0043b641
0x0043b646
0x0043b650
0x0043b655
0x0043b65b
0x0043b663
0x0043b664
0x0043b66c
0x0043b66c
0x0043b66f
0x0043b67a
0x0043b67c
0x0043b67c
0x0043b67e
0x0043b689
0x0043b68a
0x0043b69a
0x0043b69f
0x0043b69f
0x0043b69f
0x0043b6a3
0x0043b6ac
0x0043b6ac
0x0043b6b1
0x0043b6b8
0x0043b6bb
0x0043b6bd
0x0043b6cd
0x0043b6bf
0x0043b6c3
0x0043b6c8
0x0043b6c8
0x0043b6d1
0x0043b6d7
0x0043b6dc
0x0043b6de
0x0043b6e1
0x0043b6e3
0x0043b6e4
0x0043b6e9
0x0043b6ee
0x0043b6f0
0x0043b6f7
0x0043b6fc
0x0043b701
0x0043b704
0x0043b706
0x0043b70c
0x0043b71e
0x0043b723
0x0043b737
0x0043b73c
0x0043b748
0x0043b759
0x0043b75c
0x0043b763
0x0043b76c
0x0043b771
0x0043b776
0x0043b77b
0x0043b780
0x0043b78f
0x0043b796
0x0043b79b
0x0043b79e
0x0043b7a0
0x0043b7a4
0x0043b7a5
0x0043b7a7
0x0043b7ae
0x0043b7b3
0x0043b7c6
0x0043b7c9
0x0043b7d0
0x0043b7e5
0x0043b7e9
0x0043b7f0
0x0043b7f4
0x0043b800
0x0043b80c
0x0043b810
0x0043b81c
0x0043b82a
0x0043b82f
0x0043b832
0x0043b834
0x0043b838
0x0043b839
0x0043b83f
0x0043b846
0x0043b84b
0x0043b859
0x0043b865
0x0043b870
0x0043b874
0x0043b879
0x0043b87f
0x0043b88a
0x0043b88e
0x0043b891
0x0043b892
0x0043b895
0x0043b895
0x0043b8a2
0x0043b8a7
0x0043b8aa
0x0043b8ac
0x0043b8b0
0x0043b8b1
0x0043b8b7
0x0043b8be
0x0043b8c3
0x0043b8d7
0x0043b8dc
0x0043b8f0
0x0043b8f5
0x0043b903
0x0043b90d
0x0043b915
0x0043b91d
0x0043b91d
0x0043b706
0x0043b927

APIs

__EH_prolog3_GS.LIBCMT ref: 0043B536

Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

GetCurrentProcessId.KERNEL32(bin,00000000), ref: 0043B683
_memset.LIBCMT ref: 0043B6C3
GetLocalTime.KERNEL32(?), ref: 0043B748

Part of subcall function 0043A837: __EH_prolog3_GS.LIBCMT ref: 0043A841
Part of subcall function 0043A837: _memset.LIBCMT ref: 0043A866
Part of subcall function 0043A837: SHGetSpecialFolderLocation.SHELL32(00000000,@/L,?,?,00000000,00000000), ref: 0043A884
Part of subcall function 0043A837: SHGetPathFromIDListW.SHELL32(?,?), ref: 0043A8A2
Part of subcall function 0043A837: SHGetMalloc.SHELL32(?), ref: 0043A8AF

GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 0043B800

Strings

ISlogit, xrefs: 0043B54B, 0043B550, 0043B59D, 0043B60F
@/L, xrefs: 0043B75C
TraceStd, xrefs: 0043B586
FormatVersion=00000112, xrefs: 0043B719
bin, xrefs: 0043B67E
(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved), xrefs: 0043B732
d]K, xrefs: 0043B903
TraceData:, xrefs: 0043B8D2
%s%s%d.%s, xrefs: 0043B690
setuptrace, xrefs: 0043B68A
SetupExe: %ls, xrefs: 0043B824
@/L, xrefs: 0043B8B7
Category|SubCategory|Details, xrefs: 0043B8EB
SetupExeVersion: %ld.%ld.%ld.%ld, xrefs: 0043B89C
@/L, xrefs: 0043B7C9
TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld, xrefs: 0043B789
FileNamePath, xrefs: 0043B5F5

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorFreeLastString_memset$CurrentFileFolderFromListLocalLocationMallocModuleNamePathProcessQuerySpecialTimeValue
String ID: TraceData:$%s%s%d.%s$(c) Copyright 2004 InstallShield Software Corporation (All Rights Reserved)$@/L$@/L$@/L$Category|SubCategory|Details$FileNamePath$FormatVersion=00000112$ISlogit$SetupExe: %ls$SetupExeVersion: %ld.%ld.%ld.%ld$TraceStarted: %.2ld/%.2ld/%.2ld %.2ld:%.2ld:%.2ld$TraceStd$bin$d]K$setuptrace
API String ID: 2855092573-4001883202
Opcode ID: 7ee207a32539ae16116172d88402257923b4904b49a538cb56b9e8eaaf1a7e6f
Instruction ID: 3d2c0ecb5225ad2b930c800e3017c8f0c72d876dafc2baba95723155e1d2cc0b
Opcode Fuzzy Hash: 7ee207a32539ae16116172d88402257923b4904b49a538cb56b9e8eaaf1a7e6f
Instruction Fuzzy Hash: A0A195B1D00119ABDB10EB95CC46FEEBB7CAF05714F1001AFF905A7182EB785A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041BFB9, Relevance: 25.7, APIs: 17, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E0041BFB9(void* __edx) {
				signed int _v8;
				char* _v12;
				intOrPtr _v16;
				int _v20;
				int _v24;
				int _v28;
				int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char* _v44;
				intOrPtr _v48;
				int _v52;
				int _v56;
				int _v60;
				int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char* _v76;
				intOrPtr _v80;
				int _v84;
				int _v88;
				int _v92;
				int _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char* _v108;
				intOrPtr _v112;
				int _v116;
				int _v120;
				int _v124;
				int _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				void* _v140;
				intOrPtr _v144;
				int _v148;
				int _v152;
				int _v156;
				int _v160;
				char _v164;
				char _v168;
				char _v232;
				int _v236;
				void _v240;
				char _v304;
				int _v308;
				char _v312;
				char _v376;
				int _v380;
				char _v384;
				char _v448;
				int _v452;
				char _v456;
				char _v520;
				int _v524;
				char _v528;
				char _v532;
				int _v536;
				struct _SECURITY_DESCRIPTOR _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t97;
				char* _t137;
				struct _SECURITY_DESCRIPTOR* _t148;
				signed int _t149;
				intOrPtr _t153;
				void* _t155;
				char* _t156;
				intOrPtr* _t157;
				signed int _t158;

				_t155 = __edx;
				_t97 =  *0x4d7e88; // 0x9518852c
				_v8 = _t97 ^ _t158;
				_t149 = 0;
				_v556.Revision = 0;
				_t156 =  &(_v556.Sbz1);
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				asm("stosb");
				_v168 = 0;
				E0045A4D0( &_v164, 0, 0x9c);
				_t157 = 0x40;
				_v240 = 0;
				_v236 = 0;
				E0045A4D0( &_v232, 0, _t157);
				_v312 = 0;
				_v308 = 0;
				E0045A4D0( &_v304, 0, _t157);
				_v384 = 0;
				_v380 = 0;
				E0045A4D0( &_v376, 0, _t157);
				_v456 = 0;
				_v452 = 0;
				E0045A4D0( &_v448, 0, _t157);
				_v528 = 0;
				_v524 = 0;
				E0045A4D0( &_v520, 0, _t157);
				if(InitializeSecurityDescriptor( &_v556, 1) != 0) {
					_t157 = __imp__CreateWellKnownSid;
					_t156 = 0x48;
					_push( &_v532);
					_push( &_v240);
					_push(0);
					_push(0x1a);
					_v532 = _t156;
					if( *_t157() == 0) {
						goto L1;
					} else {
						_push( &_v532);
						_push( &_v312);
						_push(0);
						_push(0x17);
						_v532 = _t156;
						if( *_t157() == 0) {
							goto L1;
						} else {
							_push( &_v532);
							_push( &_v384);
							_push(0);
							_push(0x18);
							_v532 = _t156;
							if( *_t157() == 0) {
								goto L1;
							} else {
								_push( &_v532);
								_push( &_v456);
								_push(0);
								_push(0x10);
								_v532 = _t156;
								if( *_t157() == 0) {
									goto L1;
								} else {
									_push( &_v532);
									_push( &_v528);
									_push(0);
									_push(0x16);
									_v532 = _t156;
									if( *_t157() == 0) {
										goto L1;
									} else {
										_v140 =  &_v240;
										_t153 = 3;
										_v108 =  &_v312;
										_v76 =  &_v384;
										_t157 = 2;
										_v44 =  &_v456;
										_v12 =  &_v528;
										_t137 =  &_v168;
										_v168 = _t153;
										_v164 = _t157;
										_v160 = 0;
										_v156 = 0;
										_v152 = 0;
										_v148 = 0;
										_v144 = _t157;
										_v136 = _t153;
										_v132 = _t157;
										_v128 = 0;
										_v124 = 0;
										_v120 = 0;
										_v116 = 0;
										_v112 = _t157;
										_v104 = _t153;
										_v100 = _t157;
										_v96 = 0;
										_v92 = 0;
										_v88 = 0;
										_v84 = 0;
										_v80 = _t157;
										_v72 = _t153;
										_v68 = _t157;
										_v64 = 0;
										_v60 = 0;
										_v56 = 0;
										_v52 = 0;
										_v48 = _t157;
										_v40 = _t153;
										_v36 = _t157;
										_v32 = 0;
										_v28 = 0;
										_v24 = 0;
										_v20 = 0;
										_v16 = _t157;
										_v536 = 0;
										__imp__SetEntriesInAclW(5, _t137, 0,  &_v536);
										if(_t137 == 0 && _v536 != 0 && SetSecurityDescriptorOwner( &_v556,  &_v240, 0) != 0 && SetSecurityDescriptorGroup( &_v556,  &_v240, 0) != 0 && SetSecurityDescriptorDacl( &_v556, 1, _v536, 0) != 0) {
											_t148 =  &_v556;
											__imp__CoInitializeSecurity(_t148, 0xffffffff, 0, 0, 6, _t157, 0, 0x2000, 0); // executed
											_t149 = 0 | _t148 > 0x00000000;
										}
										E0042385E( &_v536);
									}
								}
							}
						}
					}
				} else {
					L1:
				}
				return E0045A457(_t149, _v8 ^ _t158, _t155, _t156, _t157);
			}

0x0041bfb9
0x0041bfc2
0x0041bfc9
0x0041bfd1
0x0041bfd3
0x0041bfd9
0x0041bfdf
0x0041bfe0
0x0041bfe1
0x0041bfe2
0x0041bfe3
0x0041bfea
0x0041bff3
0x0041bff9
0x0041c000
0x0041c00a
0x0041c010
0x0041c016
0x0041c024
0x0041c02a
0x0041c030
0x0041c03e
0x0041c044
0x0041c04a
0x0041c058
0x0041c05e
0x0041c064
0x0041c072
0x0041c078
0x0041c07e
0x0041c097
0x0041c0a0
0x0041c0a8
0x0041c0af
0x0041c0b6
0x0041c0b7
0x0041c0b8
0x0041c0ba
0x0041c0c4
0x00000000
0x0041c0c6
0x0041c0cc
0x0041c0d3
0x0041c0d4
0x0041c0d5
0x0041c0d7
0x0041c0e1
0x00000000
0x0041c0e3
0x0041c0e9
0x0041c0f0
0x0041c0f1
0x0041c0f2
0x0041c0f4
0x0041c0fe
0x00000000
0x0041c100
0x0041c106
0x0041c10d
0x0041c10e
0x0041c10f
0x0041c111
0x0041c11b
0x00000000
0x0041c121
0x0041c127
0x0041c12e
0x0041c12f
0x0041c130
0x0041c132
0x0041c13c
0x00000000
0x0041c142
0x0041c148
0x0041c150
0x0041c157
0x0041c160
0x0041c165
0x0041c16c
0x0041c175
0x0041c180
0x0041c189
0x0041c18f
0x0041c195
0x0041c19b
0x0041c1a1
0x0041c1a7
0x0041c1ad
0x0041c1b3
0x0041c1b9
0x0041c1bc
0x0041c1bf
0x0041c1c2
0x0041c1c5
0x0041c1c8
0x0041c1cb
0x0041c1ce
0x0041c1d1
0x0041c1d4
0x0041c1d7
0x0041c1da
0x0041c1dd
0x0041c1e0
0x0041c1e3
0x0041c1e6
0x0041c1e9
0x0041c1ec
0x0041c1ef
0x0041c1f2
0x0041c1f5
0x0041c1f8
0x0041c1fb
0x0041c1fe
0x0041c201
0x0041c204
0x0041c207
0x0041c20a
0x0041c210
0x0041c218
0x0041c27c
0x0041c283
0x0041c28d
0x0041c28d
0x0041c296
0x0041c29b
0x0041c13c
0x0041c11b
0x0041c0fe
0x0041c0e1
0x0041c099
0x0041c099
0x0041c099
0x0041c2ab

APIs

_memset.LIBCMT ref: 0041BFF9
_memset.LIBCMT ref: 0041C016
_memset.LIBCMT ref: 0041C030
_memset.LIBCMT ref: 0041C04A
_memset.LIBCMT ref: 0041C064
_memset.LIBCMT ref: 0041C07E
InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 0041C08F
CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 0041C0C0
CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0041C0DD
CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 0041C0FA
CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0041C117
CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 0041C138

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memset$CreateKnownWell$DescriptorInitializeSecurity
String ID:
API String ID: 520831841-0
Opcode ID: 45b932497ae50f25b3d509d89c8eac2ed41aa6b69056bb56c1a86ce22cf307ac
Instruction ID: 09a9ff13bd7ead82815606be7f2904bc22e582a76c39c0dc913cfcecf0a334bb
Opcode Fuzzy Hash: 45b932497ae50f25b3d509d89c8eac2ed41aa6b69056bb56c1a86ce22cf307ac
Instruction Fuzzy Hash: B891DBB1D4122CAEDB20CFA5DCC4BDEBBBCBB08340F4045ABA51DE6241D7749A848F64

Uniqueness

Uniqueness Score: -1.00%

Function 00450887, Relevance: 18.1, APIs: 12, Instructions: 138
threadmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 70%

			E00450887(void* __edx, void* __edi, intOrPtr _a4, char _a8) {
				signed int _v8;
				short _v12;
				struct _SID_IDENTIFIER_AUTHORITY _v16;
				void* _v20;
				long _v24;
				long _v28;
				void* _v32;
				void* __ebx;
				void* __esi;
				signed int _t33;
				int _t37;
				signed int _t39;
				signed int _t45;
				signed int _t50;
				long _t51;
				signed int _t55;
				long _t56;
				void** _t62;
				void* _t73;
				void* _t74;
				signed int _t76;
				void* _t77;
				signed int _t78;

				_t74 = __edi;
				_t73 = __edx;
				_t33 =  *0x4d7e88; // 0x9518852c
				_v8 = _t33 ^ _t78;
				_t61 = 0;
				_v16.Value = 0;
				_v12 = 0x500;
				_t37 = OpenThreadToken(GetCurrentThread(), 8, 0,  &_v20);
				_t77 = GetLastError;
				if(_t37 != 0) {
					L8:
					_push(_t74);
					_t39 = GetTokenInformation(_v20, 2, _t61, _t61,  &_v28); // executed
					__eflags = _t39;
					if(_t39 == 0) {
						__eflags = GetLastError() - 0x7a;
						if(__eflags != 0) {
							goto L9;
						} else {
							_push(_v28);
							_t77 = E0045C169(_t61, _t73, GetTokenInformation, __eflags);
							_t45 = GetTokenInformation(_v20, 2, _t77, _v28,  &_v28); // executed
							__eflags = _t45;
							if(_t45 != 0) {
								__eflags = _a4 - _t61;
								_t48 =  !=  ? 0x220 : 0x223;
								_t50 = AllocateAndInitializeSid( &_v16, 2, 0x20,  !=  ? 0x220 : 0x223, _t61, _t61, _t61, _t61, _t61, _t61,  &_v32);
								__eflags = _t50;
								if(_t50 == 0) {
									goto L12;
								} else {
									_v24 = _t61;
									_t76 = _t61;
									__eflags =  *_t77 - _t61;
									if( *_t77 > _t61) {
										_t19 = _t77 + 4; // 0x4
										_t62 = _t19;
										while(1) {
											_t55 = EqualSid( *_t62, _v32);
											__eflags = _t55;
											if(_t55 != 0) {
												break;
											}
											_t76 = _t76 + 1;
											_t62 =  &(_t62[2]);
											__eflags = _t76 -  *_t77;
											if(_t76 <  *_t77) {
												continue;
											} else {
											}
											goto L22;
										}
										__eflags = _a8;
										if(_a8 == 0) {
											L21:
											_v24 = 1;
										} else {
											__eflags =  *(_t77 + 8 + _t76 * 8) & 0x00000010;
											_v24 = 0;
											if(( *(_t77 + 8 + _t76 * 8) & 0x00000010) == 0) {
												goto L21;
											}
										}
									}
									L22:
									FreeSid(_v32);
									_push(_v24);
								}
							} else {
								L12:
								_push(_t61);
							}
							_push(_v20);
							_t51 = E004509E1(); // executed
							_t61 = _t51;
							L0045A2FE(_t77);
						}
					} else {
						L9:
						E004509E1(_v20, _t61);
					}
					_pop(_t74);
				} else {
					_t56 = GetLastError();
					if(_t56 == 0x3f0) {
						OpenProcessToken(GetCurrentProcess(), 8,  &_v20);
						_t56 = GetLastError();
					}
					if(_t56 != 0x78) {
						__eflags = _t56;
						if(_t56 != 0) {
							goto L8;
						} else {
							_push(_t61);
							goto L5;
						}
					} else {
						_push(1);
						L5:
						_push(_v20);
						E004509E1();
					}
				}
				return E0045A457(_t61, _v8 ^ _t78, _t73, _t74, _t77);
			}

0x00450887
0x00450887
0x0045088d
0x00450894
0x0045089d
0x004508a2
0x004508a5
0x004508b2
0x004508b8
0x004508c0
0x004508fd
0x004508fd
0x0045090f
0x00450911
0x00450913
0x00450926
0x00450929
0x00000000
0x0045092b
0x0045092b
0x00450934
0x00450943
0x00450945
0x00450947
0x0045094c
0x00450961
0x0045096d
0x00450973
0x00450975
0x00000000
0x00450977
0x00450977
0x0045097a
0x0045097c
0x0045097e
0x00450980
0x00450980
0x00450983
0x00450988
0x0045098e
0x00450990
0x00000000
0x00000000
0x00450992
0x00450993
0x00450996
0x00450998
0x00000000
0x00000000
0x0045099a
0x00000000
0x00450998
0x0045099c
0x004509a0
0x004509ad
0x004509ad
0x004509a2
0x004509a2
0x004509a7
0x004509ab
0x00000000
0x00000000
0x004509ab
0x004509a0
0x004509b1
0x004509b4
0x004509ba
0x004509ba
0x00450949
0x00450949
0x00450949
0x00450949
0x004509bd
0x004509c0
0x004509c8
0x004509ca
0x004509cf
0x00450915
0x00450915
0x00450919
0x0045091e
0x004509d2
0x004508c2
0x004508c2
0x004508c9
0x004508d8
0x004508de
0x004508de
0x004508e3
0x004508f6
0x004508f8
0x00000000
0x004508fa
0x004508fa
0x00000000
0x004508fa
0x004508e5
0x004508e5
0x004508e7
0x004508e7
0x004508ea
0x004508f0
0x004508e3
0x004509e0

APIs

GetCurrentThread.KERNEL32 ref: 004508AB
OpenThreadToken.ADVAPI32(00000000,?,?,0045083B,00000001,00000001), ref: 004508B2
GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 004508C2
GetCurrentProcess.KERNEL32(00000008,00000001,?,?,0045083B,00000001,00000001), ref: 004508D1
OpenProcessToken.ADVAPI32(00000000,?,?,0045083B,00000001,00000001), ref: 004508D8
GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 004508DE
GetTokenInformation.KERNELBASE(00000001,00000002,00000000,00000000,?,?,?,?,0045083B,00000001,00000001), ref: 0045090F
GetLastError.KERNEL32(?,?,0045083B,00000001,00000001), ref: 00450924
GetTokenInformation.KERNELBASE(00000001,00000002,00000000,?,?,?,?,0045083B,00000001,00000001), ref: 00450943
AllocateAndInitializeSid.ADVAPI32(00000001,00000002,00000020,00000223,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0045083B,00000001,00000001), ref: 0045096D
EqualSid.ADVAPI32(00000004,?,?,?,0045083B,00000001,00000001), ref: 00450988
FreeSid.ADVAPI32(?,?,?,0045083B,00000001,00000001), ref: 004509B4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Token$ErrorLast$CurrentInformationOpenProcessThread$AllocateEqualFreeInitialize
String ID:
API String ID: 884311744-0
Opcode ID: 9282fae2ae07c28a76f4abe73e73501eb6079978da8400cfcad06de279dd95f2
Instruction ID: b3435590b7724b8fb763c90f05a53a234fe44bf457c41d70f53487cd3cfa1901
Opcode Fuzzy Hash: 9282fae2ae07c28a76f4abe73e73501eb6079978da8400cfcad06de279dd95f2
Instruction Fuzzy Hash: 2541F6B5904219AFEF109BA1DC85FBF7BBCEF05305F10442AF901A2193D6788D49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0041A1F5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 128
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A1F5(void* _a4, void* _a8, signed int _a12, intOrPtr _a16) {
				void* _v8;
				signed int _v12;
				long _v16;
				struct _MEMORY_BASIC_INFORMATION _v44;
				struct _SYSTEM_INFO _v80;
				long _t53;
				void* _t56;
				signed int _t58;
				signed int _t61;
				void* _t66;
				signed int _t68;
				long _t70;
				void* _t71;
				signed int _t74;
				signed int _t75;
				signed int _t83;
				void* _t86;
				signed int _t92;
				signed int _t95;
				signed int _t99;
				void* _t100;
				void* _t101;
				intOrPtr* _t102;
				void* _t103;
				long _t106;

				_t74 = _a12;
				_t99 =  *((intOrPtr*)(_t74 + 0xa8));
				_t106 = 0;
				_v8 = 0;
				_a12 = _t99;
				if(_t99 != 0) {
					_t53 = 0x1c;
					VirtualQuery(_a8,  &_v44, _t53);
					_t78 =  !=  ? _v44.RegionSize : 0;
					_v16 =  !=  ? _v44.RegionSize : 0;
					_t56 = E0041AFCF(".debug", _t74); // executed
					if(_t56 == 0 ||  *((intOrPtr*)(_t56 + 0xc)) != _t99) {
						_t100 = E0041AFCF(".rdata", _t74);
						if(_t100 != 0) {
							L6:
							_t58 =  *(_t74 + 0xac);
							_t83 = 0x1c;
							_v12 = _t58;
							_t75 = _t58 / _t83;
							if(_t75 != 0) {
								_t95 = _a12;
								if(_t95 <=  *((intOrPtr*)(_t100 + 0x10)) +  *((intOrPtr*)(_t100 + 0xc))) {
									_t86 = _a8;
									_t61 =  *((intOrPtr*)(_t100 + 0x14)) + _t95 -  *((intOrPtr*)(_t100 + 0xc));
									_a12 = _t61;
									_t101 = _t61 + _t86;
									goto L9;
								}
							}
						} else {
							_t100 = E0041AFCF(".text", _t74);
							if(_t100 != 0) {
								goto L6;
							}
						}
					} else {
						_t92 =  *((intOrPtr*)(_t56 + 0x14));
						_t75 =  *(_t74 + 0xac);
						_a12 = _t92;
						_t101 = _a8 + _t92;
						_t86 = _a8;
						_v12 = _t75;
						L9:
						if(_t101 - _t86 <= _v16 || _a4 == _t106) {
							L13:
							if(_t75 != 0) {
								_t102 = _t101 + 0x10;
								do {
									if( *((intOrPtr*)(_t102 + 8)) +  *_t102 > _a16) {
										_t106 = _t106 +  *_t102;
									}
									_t66 = 0x1c;
									_t102 = _t102 + _t66;
									_t75 = _t75 - 1;
								} while (_t75 != 0);
							}
						} else {
							GetSystemInfo( &_v80); // executed
							_t68 = _a12;
							_t70 = _t68 / _v80.dwAllocationGranularity * _v80.dwAllocationGranularity;
							_v16 = _t70;
							_t71 = MapViewOfFile(_a4, 4, _t106, _t70, _v12 + _t68 % _v80.dwAllocationGranularity); // executed
							_t103 = _t71;
							if(_t103 != 0) {
								E004237F6( &_v8);
								_v8 = _t103;
								_t101 = _t103 - _v16 + _a12;
								goto L13;
							}
						}
					}
				}
				E004237F6( &_v8);
				return _t106;
			}

0x0041a1fc
0x0041a201
0x0041a207
0x0041a209
0x0041a20c
0x0041a211
0x0041a219
0x0041a222
0x0041a22c
0x0041a236
0x0041a239
0x0041a242
0x0041a26d
0x0041a273
0x0041a28c
0x0041a28c
0x0041a296
0x0041a297
0x0041a29c
0x0041a2a0
0x0041a2ac
0x0041a2b1
0x0041a2b9
0x0041a2bc
0x0041a2be
0x0041a2c1
0x00000000
0x0041a2c1
0x0041a2b1
0x0041a275
0x0041a280
0x0041a286
0x00000000
0x00000000
0x0041a286
0x0041a249
0x0041a249
0x0041a24f
0x0041a255
0x0041a258
0x0041a25a
0x0041a25d
0x0041a2c4
0x0041a2cb
0x0041a315
0x0041a317
0x0041a319
0x0041a31c
0x0041a324
0x0041a326
0x0041a326
0x0041a32a
0x0041a32b
0x0041a32d
0x0041a32d
0x0041a31c
0x0041a2d2
0x0041a2d6
0x0041a2dc
0x0041a2e7
0x0041a2f5
0x0041a2f8
0x0041a2fe
0x0041a302
0x0041a307
0x0041a30c
0x0041a312
0x00000000
0x0041a312
0x0041a302
0x0041a2cb
0x0041a242
0x0041a333
0x0041a33e

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 0041A222

Part of subcall function 0041AFCF: CompareStringA.KERNELBASE(00000400,00000001,?,00000008,?,000000FF,?,00000000,?,?,0041A23E,.debug,?), ref: 0041AFF7

GetSystemInfo.KERNELBASE(?), ref: 0041A2D6
MapViewOfFile.KERNELBASE(?,00000004,00000000,?,?,?), ref: 0041A2F8

Strings

.rdata, xrefs: 0041A263
.debug, xrefs: 0041A231
.text, xrefs: 0041A276

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CompareFileInfoQueryStringSystemViewVirtual
String ID: .debug$.rdata$.text
API String ID: 2597005349-733372908
Opcode ID: 523184ae0b0de6f3e55d0c113f4fe987be42d1687d59bfc980439c151a559eab
Instruction ID: 46f27250027f57cc5518d663b895eec603ef4a01fc78586ed2f5d97e3ef76f8b
Opcode Fuzzy Hash: 523184ae0b0de6f3e55d0c113f4fe987be42d1687d59bfc980439c151a559eab
Instruction Fuzzy Hash: 7E41AF72A01209AFDB04CF55D884ADEB7B5FF84320B24812BEC1497341DB34E960CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0041E830, Relevance: 42.6, APIs: 1, Strings: 23, Instructions: 572
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0041E830(void* __ebx, void* __ecx, void* __edx, void* __edi, char* __esi, void* __eflags) {
				void* _t212;
				intOrPtr _t220;
				void* _t228;
				void* _t240;
				intOrPtr _t249;
				intOrPtr _t254;
				char _t266;
				char _t271;
				char _t276;
				char _t281;
				void* _t289;
				void* _t299;
				void* _t309;
				void* _t319;
				void* _t328;
				void* _t338;
				void* _t354;
				signed int _t358;
				intOrPtr* _t362;
				intOrPtr* _t426;
				void* _t449;
				void* _t452;
				void* _t453;
				intOrPtr _t454;
				intOrPtr* _t455;
				intOrPtr _t456;
				void* _t457;
				intOrPtr _t458;
				intOrPtr _t459;
				void* _t460;
				intOrPtr _t461;
				intOrPtr _t462;
				void* _t463;
				intOrPtr _t464;
				void* _t465;
				intOrPtr _t466;
				void* _t467;
				intOrPtr _t468;
				void* _t469;
				intOrPtr _t470;
				void* _t471;
				intOrPtr _t472;
				void* _t473;
				intOrPtr _t474;
				void* _t475;
				intOrPtr _t476;
				void* _t477;
				intOrPtr _t478;
				intOrPtr _t479;
				void* _t480;
				intOrPtr _t481;
				intOrPtr _t482;
				void* _t483;
				intOrPtr _t484;
				intOrPtr _t485;
				void* _t486;
				intOrPtr _t487;
				intOrPtr _t488;
				void* _t489;
				intOrPtr* _t490;
				intOrPtr _t491;
				void* _t492;
				intOrPtr _t493;
				intOrPtr _t494;
				void* _t495;
				intOrPtr _t496;
				void* _t500;

				_t500 = __eflags;
				_t450 = __esi;
				_push(0x134);
				E0045B8C9(0x4a3547, __ebx, __edi, __esi);
				_t449 = __ecx;
				E0044BDFA(__ebx, _t452 - 0x130, __ecx, __esi, _t500);
				_t358 = 0;
				_push(0);
				_t454 = _t453 - 0x30;
				 *((intOrPtr*)(_t452 - 0x140)) = _t454;
				 *(_t452 - 4) = 0;
				E004091B8(_t454, "=", _t452 - 0x131, 1);
				_t455 = _t454 - 0x30;
				_t362 = _t455;
				_push(0);
				_push(_t449 + 0x108);
				 *(_t452 - 4) = 1;
				 *_t362 = 0x4c2fa0;
				 *((intOrPtr*)(_t362 + 0x28)) = 0x4c2f40;
				E00408E82(0, _t362, _t449, __esi, _t500);
				 *(_t452 - 4) = 0;
				_t212 = E0044DA4D(0, _t452 - 0x130, __edx, _t449, __esi, _t500); // executed
				_t501 = _t212;
				if(_t212 != 0) {
					_push(4);
					_t456 = _t455 - 0x30;
					 *((intOrPtr*)(_t452 - 0x138)) = _t456;
					E004091B8(_t456, L"ScriptDriven", _t452 - 0x131, 1);
					_t457 = _t456 - 0x30;
					_t450 = L"Startup";
					 *(_t452 - 4) = 2;
					E004091B8(_t457, L"Startup", _t452 - 0x131, 1);
					 *(_t452 - 4) = 0;
					_t220 = E0044E0D6(0, _t452 - 0x130, _t449, L"Startup", _t501);
					_t458 = _t457 - 0x30;
					 *((intOrPtr*)(_t452 - 0x138)) = _t458;
					 *((intOrPtr*)(_t449 + 0x40)) = _t220;
					_push(1);
					_push(_t452 - 0x131);
					_push(0x4c2bd0);
					E004090B1(0, _t458, _t449, L"Startup", _t501);
					_t459 = _t458 - 0x30;
					 *((intOrPtr*)(_t452 - 0x140)) = _t459;
					 *(_t452 - 4) = 3;
					E004091B8(_t459, L"Product", _t452 - 0x131, 1);
					_t460 = _t459 - 0x30;
					 *(_t452 - 4) = 4;
					E004091B8(_t460, _t450, _t452 - 0x131, 1);
					_push(_t452 - 0x70);
					 *(_t452 - 4) = 0;
					_t228 = L0044E255(0, _t452 - 0x130, _t449, _t450, _t501);
					 *(_t452 - 4) = 5;
					E004095E2(_t449 + 0x1c8, _t228);
					 *(_t452 - 4) = 0;
					E00401B80(_t452 - 0x70);
					_t461 = _t460 - 0x30;
					 *((intOrPtr*)(_t452 - 0x13c)) = _t461;
					_push(1);
					_push(_t452 - 0x131);
					_push(0x4c2bd0);
					E004090B1(0, _t461, _t449, _t450, _t501);
					_t462 = _t461 - 0x30;
					 *((intOrPtr*)(_t452 - 0x138)) = _t462;
					 *(_t452 - 4) = 6;
					_t235 =  ==  ? L"ProductGUID" : L"ProductCode";
					E004091B8(_t462,  ==  ? L"ProductGUID" : L"ProductCode", _t452 - 0x131, 1);
					_t463 = _t462 - 0x30;
					 *(_t452 - 4) = 7;
					E004091B8(_t463, _t450, _t452 - 0x131, 1);
					_push(_t452 - 0x70);
					 *(_t452 - 4) = 0;
					_t240 = L0044E255(0, _t452 - 0x130, _t449, _t450,  *((intOrPtr*)(_t449 + 0x40)) - 4);
					 *(_t452 - 4) = 8;
					E004095E2(_t449 + 0x288, _t240);
					 *(_t452 - 4) = 0;
					E00401B80(_t452 - 0x70);
					_t503 =  *((intOrPtr*)(_t449 + 0x40)) - 4;
					if( *((intOrPtr*)(_t449 + 0x40)) == 4) {
						_push(0);
						_t464 = _t463 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t464;
						E004091B8(_t464, L"MediaFormat", _t452 - 0x131, 1);
						_t465 = _t464 - 0x30;
						 *(_t452 - 4) = 9;
						E004091B8(_t465, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t249 = E0044E0D6(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(1);
						_t466 = _t465 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t466;
						 *((intOrPtr*)(_t449 + 0x28)) = _t249;
						E004091B8(_t466, L"LogMode", _t452 - 0x131, 1);
						_t467 = _t466 - 0x30;
						 *(_t452 - 4) = 0xa;
						E004091B8(_t467, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t254 = E0044E0D6(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(5);
						_t468 = _t467 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t468;
						 *((intOrPtr*)(_t449 + 0x2c)) = _t254;
						E004091B8(_t468, L"SplashTime", _t452 - 0x131, 1);
						_t469 = _t468 - 0x30;
						 *(_t452 - 4) = 0xb;
						E004091B8(_t469, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						 *((intOrPtr*)(_t449 + 0x24)) = E0044E0D6(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(E00450826() & 0x000000ff);
						_t470 = _t469 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t470;
						E004091B8(_t470, L"AllUsers", _t452 - 0x131, 1);
						_t471 = _t470 - 0x30;
						 *(_t452 - 4) = 0xc;
						E004091B8(_t471, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t266 = E0044DFF7(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(0);
						_t472 = _t471 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t472;
						 *((char*)(_t449 + 0xe)) = _t266;
						E004091B8(_t472, L"SmallProgress", _t452 - 0x131, 1);
						_t473 = _t472 - 0x30;
						 *(_t452 - 4) = 0xd;
						E004091B8(_t473, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t271 = E0044DFF7(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(0);
						_t474 = _t473 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t474;
						 *((char*)(_t449 + 8)) = _t271;
						E004091B8(_t474, L"ShowPasswordDialog", _t452 - 0x131, 1);
						_t475 = _t474 - 0x30;
						 *(_t452 - 4) = 0xe;
						E004091B8(_t475, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t276 = E0044DFF7(0, _t452 - 0x130, _t449, _t450, _t503);
						_push(1);
						_t476 = _t475 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t476;
						 *((char*)(_t449 + 0xa)) = _t276;
						E004091B8(_t476, L"CheckMD5", _t452 - 0x131, 1);
						_t477 = _t476 - 0x30;
						 *(_t452 - 4) = 0xf;
						E004091B8(_t477, _t450, _t452 - 0x131, 1);
						 *(_t452 - 4) = 0;
						_t281 = E0044DFF7(0, _t452 - 0x130, _t449, _t450, _t503);
						_t478 = _t477 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t478;
						 *((char*)(_t449 + 0xb)) = _t281;
						_push(1);
						_push(_t452 - 0x131);
						_push(0x4c2bd0);
						E004090B1(0, _t478, _t449, _t450, _t503);
						_t479 = _t478 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t479;
						 *(_t452 - 4) = 0x10;
						E004091B8(_t479, L"CompanyName", _t452 - 0x131, 1);
						_t480 = _t479 - 0x30;
						 *(_t452 - 4) = 0x11;
						E004091B8(_t480, _t450, _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t289 = L0044E255(0, _t452 - 0x130, _t449, _t450, _t503);
						 *(_t452 - 4) = 0x12;
						E004095E2(_t449 + 0x1f8, _t289);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t481 = _t480 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t481;
						_push(1);
						_push(_t452 - 0x131);
						_push(0x4c2bd0);
						E004090B1(0, _t481, _t449, _t450, _t503);
						_t482 = _t481 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t482;
						 *(_t452 - 4) = 0x13;
						E004091B8(_t482, L"CompanyURL", _t452 - 0x131, 1);
						_t483 = _t482 - 0x30;
						 *(_t452 - 4) = 0x14;
						E004091B8(_t483, _t450, _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t299 = L0044E255(0, _t452 - 0x130, _t449, _t450, _t503);
						 *(_t452 - 4) = 0x15;
						E004095E2(_t449 + 0x228, _t299);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t484 = _t483 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t484;
						_push(1);
						_push(_t452 - 0x131);
						_push(0x4c2bd0);
						E004090B1(0, _t484, _t449, _t450, _t503);
						_t485 = _t484 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t485;
						 *(_t452 - 4) = 0x16;
						E004091B8(_t485, L"Skin", _t452 - 0x131, 1);
						_t486 = _t485 - 0x30;
						 *(_t452 - 4) = 0x17;
						E004091B8(_t486, _t450, _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t309 = L0044E255(0, _t452 - 0x130, _t449, _t450, _t503);
						 *(_t452 - 4) = 0x18;
						E004095E2(_t449 + 0x258, _t309);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t487 = _t486 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t487;
						E004091B8(_t487, L"http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s", _t452 - 0x131, 1);
						_t488 = _t487 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t488;
						 *(_t452 - 4) = 0x19;
						E004091B8(_t488, L"ErrorReportURL", _t452 - 0x131, 1);
						_t489 = _t488 - 0x30;
						 *(_t452 - 4) = 0x1a;
						E004091B8(_t489, _t450, _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t319 = L0044E255(0, _t452 - 0x130, _t449, _t450, _t503);
						 *(_t452 - 4) = 0x1b;
						E004095E2(_t449 + 0xd8, _t319);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t490 = _t489 - 0x30;
						_t426 = _t490;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t490;
						_t451 = _t449 + 0x198;
						_push(0);
						 *_t426 = 0x4c2fa0;
						 *((intOrPtr*)(_t426 + 0x28)) = 0x4c2f40;
						_push(_t449 + 0x198);
						E00408E82(0, _t426, _t449, _t449 + 0x198, _t503);
						_t491 = _t490 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t491;
						 *(_t452 - 4) = 0x1c;
						E004091B8(_t491, L"InstallGUID", _t452 - 0x131, 1);
						_t492 = _t491 - 0x30;
						 *(_t452 - 4) = 0x1d;
						E004091B8(_t492, L"Startup", _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t328 = L0044E255(0, _t452 - 0x130, _t449, _t449 + 0x198, _t503);
						 *(_t452 - 4) = 0x1e;
						E004095E2(_t451, _t328);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t493 = _t492 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t493;
						_push(1);
						_push(_t452 - 0x131);
						_push("setup.exe");
						E004090B1(0, _t493, _t449, _t451, _t503);
						_t494 = _t493 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t494;
						 *(_t452 - 4) = 0x1f;
						E004091B8(_t494, L"LauncherName", _t452 - 0x131, 1);
						_t495 = _t494 - 0x30;
						_t450 = L"Startup";
						 *(_t452 - 4) = 0x20;
						E004091B8(_t495, L"Startup", _t452 - 0x131, 1);
						_push(_t452 - 0x40);
						 *(_t452 - 4) = 0;
						_t338 = L0044E255(0, _t452 - 0x130, _t449, L"Startup", _t503);
						 *(_t452 - 4) = 0x21;
						E004095E2(_t449 + 0x2b8, _t338);
						 *(_t452 - 4) = 0;
						E00401B80(_t452 - 0x40);
						_t496 = _t495 - 0x30;
						 *((intOrPtr*)(_t452 - 0x13c)) = _t496;
						_push(1);
						_push(_t452 - 0x131);
						_push(0x4c2bd0);
						E004090B1(0, _t496, _t449, L"Startup", _t503);
						_t497 = _t496 - 0x30;
						 *((intOrPtr*)(_t452 - 0x138)) = _t496 - 0x30;
						 *(_t452 - 4) = 0x22;
						E004091B8(_t496 - 0x30, L"cmdline", _t452 - 0x131, 1);
						 *(_t452 - 4) = 0x23;
						E004091B8(_t497 - 0x30, _t450, _t452 - 0x131, 1);
						_push(_t452 - 0x70);
						 *(_t452 - 4) = 0;
						L0044E255(0, _t452 - 0x130, _t449, _t450, _t503);
						 *(_t452 - 4) = 0x24;
						_t504 =  *((intOrPtr*)(_t452 - 0x5c));
						if( *((intOrPtr*)(_t452 - 0x5c)) != 0) {
							E0041E108(0, _t449, _t449, _t450, _t504, _t452 - 0x70);
							_t505 =  *((intOrPtr*)(_t452 - 0x5c));
							if( *((intOrPtr*)(_t452 - 0x5c)) != 0) {
								_push(_t452 - 0x70);
								_push(" ");
								_push(_t452 - 0x40);
								_t354 = E0040B2A8(0, _t449, _t450, _t505);
								 *(_t452 - 4) = 0x25;
								E0040B99A(_t449 + 0x78, _t354);
								E00401B80(_t452 - 0x40);
							}
						}
						 *(_t452 - 4) = _t358;
						E00401B80(_t452 - 0x70);
					}
					_push(_t452 - 0x130);
					_t358 = E0041F024(_t358, _t449, _t449, _t450, _t505);
				}
				 *(_t452 - 4) =  *(_t452 - 4) | 0xffffffff;
				E0044BF62(_t452 - 0x130,  *(_t452 - 4));
				return E0045B878(_t358, _t449, _t450);
			}

0x0041e830
0x0041e830
0x0041e830
0x0041e83a
0x0041e83f
0x0041e847
0x0041e84c
0x0041e84e
0x0041e84f
0x0041e854
0x0041e868
0x0041e86b
0x0041e870
0x0041e873
0x0041e875
0x0041e87c
0x0041e87d
0x0041e881
0x0041e887
0x0041e88e
0x0041e899
0x0041e89c
0x0041e8a1
0x0041e8a3
0x0041e8a9
0x0041e8ab
0x0041e8b0
0x0041e8c4
0x0041e8c9
0x0041e8d7
0x0041e8dd
0x0041e8e1
0x0041e8ec
0x0041e8ef
0x0041e8f4
0x0041e8f9
0x0041e8ff
0x0041e902
0x0041e90a
0x0041e90b
0x0041e910
0x0041e915
0x0041e91a
0x0041e92e
0x0041e932
0x0041e937
0x0041e946
0x0041e94a
0x0041e952
0x0041e959
0x0041e95c
0x0041e968
0x0041e96c
0x0041e974
0x0041e977
0x0041e97c
0x0041e981
0x0041e987
0x0041e98f
0x0041e990
0x0041e995
0x0041e99a
0x0041e99f
0x0041e9ae
0x0041e9c0
0x0041e9c4
0x0041e9c9
0x0041e9d8
0x0041e9dc
0x0041e9e4
0x0041e9eb
0x0041e9ee
0x0041e9fa
0x0041e9fe
0x0041ea06
0x0041ea09
0x0041ea0e
0x0041ea12
0x0041ea18
0x0041ea19
0x0041ea1e
0x0041ea32
0x0041ea37
0x0041ea46
0x0041ea4a
0x0041ea55
0x0041ea58
0x0041ea5d
0x0041ea5f
0x0041ea64
0x0041ea6a
0x0041ea7b
0x0041ea80
0x0041ea8f
0x0041ea93
0x0041ea9e
0x0041eaa1
0x0041eaa6
0x0041eaa8
0x0041eaad
0x0041eab3
0x0041eac4
0x0041eac9
0x0041ead8
0x0041eadc
0x0041eae7
0x0041eaef
0x0041eafa
0x0041eafb
0x0041eb00
0x0041eb14
0x0041eb19
0x0041eb1c
0x0041eb2c
0x0041eb37
0x0041eb3a
0x0041eb3f
0x0041eb40
0x0041eb45
0x0041eb4b
0x0041eb5c
0x0041eb61
0x0041eb70
0x0041eb74
0x0041eb7f
0x0041eb82
0x0041eb87
0x0041eb88
0x0041eb8d
0x0041eb93
0x0041eba4
0x0041eba9
0x0041ebb8
0x0041ebbc
0x0041ebc7
0x0041ebca
0x0041ebcf
0x0041ebd1
0x0041ebd6
0x0041ebdc
0x0041ebed
0x0041ebf2
0x0041ec01
0x0041ec05
0x0041ec10
0x0041ec13
0x0041ec18
0x0041ec1d
0x0041ec23
0x0041ec26
0x0041ec2e
0x0041ec2f
0x0041ec34
0x0041ec39
0x0041ec3e
0x0041ec52
0x0041ec56
0x0041ec5b
0x0041ec6a
0x0041ec6e
0x0041ec76
0x0041ec7d
0x0041ec80
0x0041ec8c
0x0041ec90
0x0041ec98
0x0041ec9b
0x0041eca0
0x0041eca5
0x0041ecab
0x0041ecb3
0x0041ecb4
0x0041ecb9
0x0041ecbe
0x0041ecc3
0x0041ecd7
0x0041ecdb
0x0041ece0
0x0041ecef
0x0041ecf3
0x0041ecfb
0x0041ed02
0x0041ed05
0x0041ed11
0x0041ed15
0x0041ed1d
0x0041ed20
0x0041ed25
0x0041ed2a
0x0041ed30
0x0041ed38
0x0041ed39
0x0041ed3e
0x0041ed43
0x0041ed48
0x0041ed5c
0x0041ed60
0x0041ed65
0x0041ed74
0x0041ed78
0x0041ed80
0x0041ed87
0x0041ed8a
0x0041ed96
0x0041ed9a
0x0041eda2
0x0041eda5
0x0041edaa
0x0041edaf
0x0041edc3
0x0041edc8
0x0041edcd
0x0041ede1
0x0041ede5
0x0041edea
0x0041edf9
0x0041edfd
0x0041ee05
0x0041ee0c
0x0041ee0f
0x0041ee1b
0x0041ee1f
0x0041ee27
0x0041ee2a
0x0041ee2f
0x0041ee32
0x0041ee34
0x0041ee3a
0x0041ee40
0x0041ee41
0x0041ee47
0x0041ee4e
0x0041ee4f
0x0041ee54
0x0041ee59
0x0041ee6d
0x0041ee71
0x0041ee76
0x0041ee89
0x0041ee8d
0x0041ee95
0x0041ee9c
0x0041ee9f
0x0041eea7
0x0041eeab
0x0041eeb3
0x0041eeb6
0x0041eebb
0x0041eec0
0x0041eec6
0x0041eece
0x0041eecf
0x0041eed4
0x0041eed9
0x0041eede
0x0041eef2
0x0041eef6
0x0041eefb
0x0041ef09
0x0041ef0f
0x0041ef13
0x0041ef1b
0x0041ef22
0x0041ef25
0x0041ef31
0x0041ef35
0x0041ef3d
0x0041ef40
0x0041ef45
0x0041ef4a
0x0041ef50
0x0041ef58
0x0041ef59
0x0041ef5e
0x0041ef63
0x0041ef68
0x0041ef7c
0x0041ef80
0x0041ef94
0x0041ef98
0x0041efa0
0x0041efa7
0x0041efaa
0x0041efaf
0x0041efb3
0x0041efb6
0x0041efbe
0x0041efc3
0x0041efc6
0x0041efcb
0x0041efcf
0x0041efd4
0x0041efd5
0x0041efe1
0x0041efe5
0x0041efed
0x0041efed
0x0041efc6
0x0041eff5
0x0041eff8
0x0041eff8
0x0041f003
0x0041f00b
0x0041f00b
0x0041f00d
0x0041f017
0x0041f023

APIs

__EH_prolog3_GS.LIBCMT ref: 0041E83A

Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57

Part of subcall function 0044E0D6: __EH_prolog3_GS.LIBCMT ref: 0044E0E0

Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 0044DFF7: __EH_prolog3_GS.LIBCMT ref: 0044DFFE

Part of subcall function 0041E108: __EH_prolog3_GS.LIBCMT ref: 0041E112

Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF

Strings

cmdline, xrefs: 0041EF77
SplashTime, xrefs: 0041EABF
%, xrefs: 0041EFE1
CompanyName, xrefs: 0041EC4D
@/L, xrefs: 0041EE47
InstallGUID, xrefs: 0041EE68
ScriptDriven, xrefs: 0041E8BF
http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s, xrefs: 0041EDBE
SmallProgress, xrefs: 0041EB57
CompanyURL, xrefs: 0041ECD2
MediaFormat, xrefs: 0041EA2D
ErrorReportURL, xrefs: 0041EDDC
Skin, xrefs: 0041ED57
ShowPasswordDialog, xrefs: 0041EB9F
LauncherName, xrefs: 0041EEED
ProductGUID, xrefs: 0041E9B7
Product, xrefs: 0041E929
Startup, xrefs: 0041E8D7, 0041E8DC, 0041E945, 0041E9D7, 0041EA45, 0041EA8E, 0041EAD7, 0041EB2B, 0041EB6F, 0041EBB7, 0041EC00, 0041EC69, 0041ECEE, 0041ED73, 0041EDF8, 0041EE84, 0041EF09, 0041EF0E, 0041EF93
CheckMD5, xrefs: 0041EBE8
ProductCode, xrefs: 0041E9B2, 0041E9C3
LogMode, xrefs: 0041EA76
AllUsers, xrefs: 0041EB0F
setup.exe, xrefs: 0041EECF

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorLast$FreeH_prolog3String
String ID: %$@/L$AllUsers$CheckMD5$CompanyName$CompanyURL$ErrorReportURL$InstallGUID$LauncherName$LogMode$MediaFormat$Product$ProductCode$ProductGUID$ScriptDriven$ShowPasswordDialog$Skin$SmallProgress$SplashTime$Startup$cmdline$http://www.installshield.com/isetup/ProErrorCentral.asp?ErrorCode=%d : 0x%x&ErrorInfo=%s$setup.exe
API String ID: 806320983-2088667960
Opcode ID: 31f754f2cd5b838df9ab238fe3e7f42f67d510738a877af28ee4a5d012b18bea
Instruction ID: d0b572ee2ee85a1741b3f3b92f37e59d9c28d760f179574b644976fe918189f3
Opcode Fuzzy Hash: 31f754f2cd5b838df9ab238fe3e7f42f67d510738a877af28ee4a5d012b18bea
Instruction Fuzzy Hash: 4522B731A01259BEEB04F7A5C956BEDBBB8AF05704F4000DEE504671C2DBB85F48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00418E75, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 229
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E00418E75(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t81;
				void* _t121;
				void* _t127;
				void* _t132;
				signed short _t133;
				intOrPtr* _t149;
				intOrPtr* _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				void* _t155;
				void* _t159;
				intOrPtr _t162;
				intOrPtr _t163;
				void* _t167;
				void* _t168;
				void* _t169;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr* _t181;

				_t155 = __edx;
				_push(0xb4);
				E0045B8C9(0x4a2762, __ebx, __edi, __esi);
				_t162 = __ecx;
				 *((intOrPtr*)(_t167 - 0x98)) = __ecx;
				 *((intOrPtr*)(_t167 - 4)) = 0;
				_t157 = __ecx + 8;
				 *((intOrPtr*)(_t167 - 0x8c)) = 0;
				 *((intOrPtr*)(_t167 - 0x14)) = __ecx;
				E0045A8B0(_t167 - 0x54, __ecx + 8, 0x40);
				_t169 = _t168 + 0xc;
				 *((char*)(_t167 - 4)) = 2;
				_t81 = E004043D0(_t167 - 0x84, _t155, "setup.cpp", _t167 - 0x91, 1) + 4;
				if(_t81[0xa] >= 8) {
					_t81 =  *_t81;
				}
				lstrcpyW(_t162 + 0x50, _t81);
				E00401AC0(_t167 - 0x84);
				_t163 = E0045E1A0(0, _t157, _t162, _t167, _t157, 3, 0x45bdcb,  *((intOrPtr*)(_t167 - 4)), 0x4c8ef8);
				_t170 = _t169 + 0x14;
				if(_t163 != 0) {
					 *((intOrPtr*)(_t167 - 0x8c)) = _t163;
					_t159 = 1;
					__eflags = 1;
					goto L11;
				} else {
					_t111 =  >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c;
					_push( >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c);
					_t18 = _t167 + 0xc; // 0x4c2f40
					_t19 = _t167 + 0xc; // 0x4c2f40
					_t113 =  >=  ?  *_t19 : _t18;
					_push( >=  ?  *_t19 : _t18);
					_push(L"SourceFile=%s\tTargetFile=%s");
					_t177 = _t170 - 0x30;
					 *((intOrPtr*)(_t167 - 0xb8)) = _t177;
					_t159 = 1;
					E004091B8(_t177, L"CopyDisk1FileToTempBegin", _t167 - 0x8e, 1);
					_t178 = _t177 - 0x30;
					 *((intOrPtr*)(_t167 - 0x9c)) = _t178;
					 *((char*)(_t167 - 4)) = 3;
					E004091B8(_t178, L"ISSetupDLLOp", _t167 - 0x90, 1);
					 *((char*)(_t167 - 4)) = 2;
					E0043BB71(0, _t155, 1, _t163,  *((intOrPtr*)(_t167 + 0x20)) - 8);
					_t121 = E0040AB22(_t167 + 8, _t167 + 0x38);
					_t170 = _t178 + 0x74;
					_t187 = _t121;
					if(_t121 != 0) {
						L7:
						_t163 =  *((intOrPtr*)(_t167 - 0x8c));
					} else {
						_push(0xc);
						_t179 = _t170 - 0x30;
						_t152 = _t179;
						 *((intOrPtr*)(_t167 - 0xc0)) = _t179;
						_push(0);
						_push(_t167 + 0x38);
						 *_t152 = 0x4c2fa0;
						 *((intOrPtr*)(_t152 + 0x28)) = 0x4c2f40;
						E00408E82(0, _t152, 1, 0x4c2fa0, _t187); // executed
						_t127 = E00441E34(0, _t155, 1, 0x4c2fa0, _t187); // executed
						_t170 = _t179 + 0x34;
						_t188 = _t127;
						if(_t127 != 0) {
							goto L7;
						} else {
							_push(0);
							_push(0x8000);
							_t180 = _t170 - 0x30;
							_t153 = _t180;
							 *((intOrPtr*)(_t167 - 0xa4)) = _t180;
							_push(0);
							_push(_t167 + 0x38);
							 *_t153 = 0x4c2fa0;
							 *((intOrPtr*)(_t153 + 0x28)) = 0x4c2f40;
							E00408E82(0, _t153, 1, 0x4c2fa0, _t188);
							_t181 = _t180 - 0x30;
							_t154 = _t181;
							 *((intOrPtr*)(_t167 - 0xb4)) = _t181;
							_push(0);
							_push(_t167 + 8);
							 *((char*)(_t167 - 4)) = 4;
							 *_t154 = 0x4c2fa0;
							 *((intOrPtr*)(_t154 + 0x28)) = 0x4c2f40;
							E00408E82(0, _t154, 1, 0x4c2fa0, _t188);
							 *((char*)(_t167 - 4)) = 2;
							_t132 = E0044160B(0, _t155, 1, 0x4c2fa0, _t188); // executed
							_t170 = _t181 + 0x68;
							if(_t132 != 0) {
								goto L7;
							} else {
								_t133 =  *0x4d99f8; // 0x0
								_t163 =  <=  ? _t133 : _t133 & 0x0000ffff | 0x80070000;
								 *((intOrPtr*)(_t167 - 0x8c)) = _t163;
							}
						}
					}
					_t191 = _t163;
					if(_t163 < 0) {
						L12:
						_t102 =  >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c;
						_push( >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c);
						_t51 = _t167 + 0xc; // 0x4c2f40
						_t52 = _t167 + 0xc; // 0x4c2f40
						_t104 =  >=  ?  *_t52 : _t51;
						_push( >=  ?  *_t52 : _t51);
						_push(_t163);
						_push(_t159);
						_push(L"Failure");
						_push(L"Result=%s\t\tError=0x%08lx\tCopied=%ld\tSourceFile=%s\tTargetFile=%s");
						_t175 = _t170 - 0x30;
						 *((intOrPtr*)(_t167 - 0xbc)) = _t175;
						E004091B8(_t175, L"CopyDisk1FileToTempEnd", _t167 - 0x8f, _t159);
						 *((intOrPtr*)(_t167 - 0xa0)) = _t175 - 0x30;
						 *((char*)(_t167 - 4)) = 5;
						E004091B8(_t175 - 0x30, L"ISSetupDLLOp", _t167 - 0x8d, _t159);
						 *((char*)(_t167 - 4)) = 2;
						E0043BB71(0, _t155, _t159, _t163,  *((intOrPtr*)(_t167 + 0x20)) - 8);
					} else {
						_t170 = _t170 - 0x30;
						_t149 = _t170;
						 *((intOrPtr*)(_t167 - 0xac)) = _t170;
						_push(0);
						_push(_t167 + 0x38);
						 *_t149 = 0x4c2fa0;
						 *((intOrPtr*)(_t149 + 0x28)) = 0x4c2f40;
						E00408E82(0, _t149, _t159, _t163, _t191);
						E00417EFF(0,  *((intOrPtr*)( *((intOrPtr*)(_t167 - 0x98)) + 0x3d4)), _t159, _t163, _t191);
						L11:
						if(_t163 >= 0) {
							__eflags =  *((intOrPtr*)(_t167 + 0x50)) - 8;
							_t87 =  >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c;
							__eflags =  *((intOrPtr*)(_t167 + 0x20)) - 8;
							_push( >=  ?  *((void*)(_t167 + 0x3c)) : _t167 + 0x3c);
							_t63 = _t167 + 0xc; // 0x4c2f40
							_t64 = _t167 + 0xc; // 0x4c2f40
							_t89 =  >=  ?  *_t64 : _t63;
							_push( >=  ?  *_t64 : _t63);
							_push(_t159);
							_push(L"Success");
							_push(L"Result=%s\tCopied=%ld\tSourceFile=%s\tTargetFile=%s");
							_t171 = _t170 - 0x30;
							 *((intOrPtr*)(_t167 - 0xa8)) = _t171;
							E004091B8(_t171, L"CopyDisk1FileToTempEnd", _t167 - 0x85, _t159);
							 *((intOrPtr*)(_t167 - 0xb0)) = _t171 - 0x30;
							 *((char*)(_t167 - 4)) = 6;
							E004091B8(_t171 - 0x30, L"ISSetupDLLOp", _t167 - 0x86, _t159);
							 *((char*)(_t167 - 4)) = 2;
							E0043BB71(0, _t155, _t159, _t163, __eflags);
						} else {
							goto L12;
						}
					}
				}
				E0045A8B0( *((intOrPtr*)(_t167 - 0x14)) + 8, _t167 - 0x54, 0x40);
				E00401B80(_t167 + 8);
				E00401B80(_t167 + 0x38);
				return E0045B878(0, _t159, _t163);
			}

0x00418e75
0x00418e75
0x00418e7f
0x00418e84
0x00418e86
0x00418e8e
0x00418e93
0x00418e9b
0x00418ea1
0x00418ea4
0x00418ea9
0x00418ec0
0x00418ec9
0x00418ed0
0x00418ed2
0x00418ed2
0x00418ed9
0x00418ee5
0x00418eff
0x00418f01
0x00418f06
0x0041906e
0x00419074
0x00419074
0x00000000
0x00418f0c
0x00418f13
0x00418f1b
0x00418f1c
0x00418f1f
0x00418f1f
0x00418f23
0x00418f24
0x00418f29
0x00418f2e
0x00418f36
0x00418f44
0x00418f49
0x00418f4e
0x00418f61
0x00418f65
0x00418f6a
0x00418f6e
0x00418f7b
0x00418f80
0x00418f88
0x00418f8a
0x0041902d
0x0041902d
0x00418f90
0x00418f90
0x00418f92
0x00418f95
0x00418f97
0x00418f9d
0x00418fa1
0x00418fa2
0x00418fa4
0x00418fab
0x00418fb0
0x00418fb5
0x00418fb8
0x00418fba
0x00000000
0x00418fbc
0x00418fbc
0x00418fbd
0x00418fc2
0x00418fc5
0x00418fc7
0x00418fcd
0x00418fd1
0x00418fd2
0x00418fd4
0x00418fdb
0x00418fe0
0x00418fe3
0x00418fe5
0x00418feb
0x00418fef
0x00418ff0
0x00418ff4
0x00418ff6
0x00418ffd
0x00419002
0x00419006
0x0041900b
0x00419010
0x00000000
0x00419012
0x00419012
0x00419022
0x00419025
0x00419025
0x00419010
0x00418fba
0x00419033
0x00419035
0x00419079
0x00419080
0x00419088
0x00419089
0x0041908c
0x0041908c
0x00419090
0x00419091
0x00419092
0x00419093
0x00419098
0x0041909d
0x004190a2
0x004190b5
0x004190bf
0x004190d2
0x004190d6
0x004190db
0x004190df
0x00419037
0x00419037
0x0041903a
0x0041903c
0x00419042
0x00419046
0x00419047
0x0041904d
0x00419054
0x00419065
0x00419075
0x00419077
0x004190e9
0x004190f0
0x004190f4
0x004190f8
0x004190f9
0x004190fc
0x004190fc
0x00419100
0x00419101
0x00419102
0x00419107
0x0041910c
0x00419111
0x00419124
0x0041912e
0x00419141
0x00419145
0x0041914a
0x0041914e
0x00000000
0x00000000
0x00000000
0x00419077
0x00419035
0x00419163
0x0041916e
0x00419176
0x00419182

APIs

__EH_prolog3_GS.LIBCMT ref: 00418E7F
_memmove.LIBCMT ref: 00418EA4

Part of subcall function 004043D0: GetLastError.KERNEL32(9518852C,73B74C30,?,73B74D40,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8

lstrcpyW.KERNEL32(?,-00000004), ref: 00418ED9
__setjmp3.LIBCMT ref: 00418EFA
_memmove.LIBCMT ref: 00419163

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00417EFF: __EH_prolog3.LIBCMT ref: 00417F06

Strings

Success, xrefs: 00419102
setup.cpp, xrefs: 00418EB5
Failure, xrefs: 00419093
ISSetupDLLOp, xrefs: 00418F5C, 004190CD, 0041913C
CopyDisk1FileToTempEnd, xrefs: 004190B0, 0041911F
Result=%sCopied=%ldSourceFile=%sTargetFile=%s, xrefs: 00419107
SourceFile=%sTargetFile=%s, xrefs: 00418F24
@/L, xrefs: 0041904D
@/L, xrefs: 004190F9, 004190FC, 00419089, 0041908C, 00418F1C, 00418F1F, 00418F23, 00419090, 00419100
Result=%sError=0x%08lxCopied=%ldSourceFile=%sTargetFile=%s, xrefs: 00419098
CopyDisk1FileToTempBegin, xrefs: 00418F3F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3String_memmove$H_prolog3___setjmp3lstrcpy
String ID: @/L$@/L$CopyDisk1FileToTempBegin$CopyDisk1FileToTempEnd$Failure$ISSetupDLLOp$Result=%sError=0x%08lxCopied=%ldSourceFile=%sTargetFile=%s$Result=%sCopied=%ldSourceFile=%sTargetFile=%s$SourceFile=%sTargetFile=%s$Success$setup.cpp
API String ID: 720208508-1089413182
Opcode ID: 71b525c5f8580f0167f18c7559bc0b7964fbe490f381bbd45a327d05658d3599
Instruction ID: 062987b381fab29ed39045fae4b0a3f623b42c973eb7f709b5c6a6387a1f3e91
Opcode Fuzzy Hash: 71b525c5f8580f0167f18c7559bc0b7964fbe490f381bbd45a327d05658d3599
Instruction Fuzzy Hash: F091B1B1900218EBDB10EF55CC46FDE7BB8AF05708F50419FF909A7141DBB89A48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00425FCC, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 65%

			E00425FCC(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
				signed int _v8;
				intOrPtr _v16;
				char _v56;
				char _v104;
				char _v1096;
				char _v1097;
				char _v1116;
				char _v1144;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t28;
				signed int _t30;
				int _t32;
				void* _t33;
				intOrPtr* _t44;
				intOrPtr _t65;
				intOrPtr* _t77;
				void* _t85;
				intOrPtr _t86;
				int _t89;
				signed int _t90;
				void* _t91;
				void* _t92;
				void* _t93;
				void* _t95;

				_t85 = __edx;
				_t28 =  *0x4d7e88; // 0x9518852c
				_v8 = _t28 ^ _t90;
				_t65 = _a12;
				_t86 = _a4;
				_t30 = SetErrorMode(0); // executed
				_t32 = SetErrorMode(_t30 | 0x00008001); // executed
				__imp__CoInitializeEx(0, 2); // executed
				_t89 = _t32;
				_t33 = E004455D3();
				_t98 = _t33 - 6;
				if(_t33 >= 6) {
					E0041BFB9(_t85); // executed
				}
				__imp__#17();
				_v56 = 0x4c2fa0;
				_v16 = 0x4c2f40;
				E00404200( &_v56,  &_v1097, 0);
				 *((char*)(E0040A14B( &_v56,  &_v1116, 0x104) + 4)) = 1;
				GetModuleFileNameW(0,  *(E0040A0F0(_t37,  *_t37)), 0x104);
				E00409574(_t65,  &_v1116, _t86, _t89, _t98);
				_push(_t86); // executed
				E0043B52C(_t65, _t85, _t86, _t89, _t98); // executed
				_push(0);
				_push( &_v104);
				_t44 = E0040E057(_t65,  &_v56, _t85, _t86, _t89, _t98) + 4;
				_t99 =  *((intOrPtr*)(_t44 + 0x14)) - 8;
				if( *((intOrPtr*)(_t44 + 0x14)) >= 8) {
					_t44 =  *_t44;
				}
				_push(_t44);
				_push(L"EXE=%s");
				_t92 = _t91 - 0x30;
				E004091B8(_t92, L"EXEProcessBegin",  &_v1097, 1);
				_t93 = _t92 - 0x30;
				E004091B8(_t93, L"ISSetupInit",  &_v1097, 1);
				E0043BB71(_t65, _t85, _t86, _t89, _t99);
				E00401B80( &_v104);
				E004092E9( &_v1144);
				_t95 = _t93 + 0x68 - 0x30;
				E004091B8(_t95, _t65,  &_v1097, 1);
				_t77 = _t95 - 0x30;
				_push(0);
				_push( &_v56);
				 *_t77 = 0x4c2fa0;
				 *((intOrPtr*)(_t77 + 0x28)) = 0x4c2f40;
				E00408E82(_t65, _t77, _t86, _t89, _t99);
				_push(_t86);
				_t87 = L00420A4A(_t65, E00416235( &_v1096, _t99,  &_v1144), _t85, _t86, _t89, _t99);
				L00417333(_t65,  &_v1096, _t58, _t89, _t99);
				L00409334(_t65,  &_v1144, _t85, _t58, _t89, _t99);
				E00401B80( &_v56);
				if(_t89 >= 0) {
					__imp__CoUninitialize();
				}
				return E0045A457(_t65, _v8 ^ _t90, _t85, _t87, _t89);
			}

0x00425fcc
0x00425fd5
0x00425fdc
0x00425fe0
0x00425feb
0x00425ff0
0x00425ff8
0x00425ffe
0x00426004
0x00426006
0x0042600b
0x0042600e
0x00426010
0x00426010
0x00426015
0x00426027
0x0042602e
0x00426035
0x00426050
0x00426062
0x0042606e
0x00426073
0x00426074
0x0042607a
0x0042607f
0x00426088
0x0042608b
0x0042608f
0x00426091
0x00426091
0x00426093
0x00426094
0x00426099
0x004260ac
0x004260b1
0x004260c4
0x004260c9
0x004260d4
0x004260df
0x004260e4
0x004260f3
0x004260fb
0x004260fd
0x00426102
0x00426103
0x00426109
0x00426110
0x00426115
0x00426135
0x00426137
0x00426142
0x0042614a
0x00426151
0x00426153
0x00426153
0x00426169

APIs

SetErrorMode.KERNELBASE(00000000), ref: 00425FF0
SetErrorMode.KERNELBASE(00000000), ref: 00425FF8
CoInitializeEx.OLE32(00000000,00000002), ref: 00425FFE

Part of subcall function 004455D3: GetVersionExW.KERNEL32(?), ref: 004455F7

#17.COMCTL32 ref: 00426015
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00426062

Strings

ISSetupInit, xrefs: 004260BF
@/L, xrefs: 00426109
@/L, xrefs: 0042602E
EXE=%s, xrefs: 00426094
EXEProcessBegin, xrefs: 004260A7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorMode$FileInitializeModuleNameVersion
String ID: @/L$@/L$EXE=%s$EXEProcessBegin$ISSetupInit
API String ID: 1856150884-1180914206
Opcode ID: 1f2c51feeb113955e9bd91a2b7e297ffdd715c1f2d96d394ea757a7c58cc2b20
Instruction ID: 49ee131d2c6c14ddb2ee0931906a32ff461b3aad57ecbfe64d40510d5b71d258
Opcode Fuzzy Hash: 1f2c51feeb113955e9bd91a2b7e297ffdd715c1f2d96d394ea757a7c58cc2b20
Instruction Fuzzy Hash: 513165B15002086BDB04EBA1DD46FEE77799F45704F4000AEF605AB1D2DFB85A44CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 00441B01, Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00441B01(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t17;
				int _t18;
				intOrPtr* _t21;
				void* _t26;
				struct _SECURITY_ATTRIBUTES* _t28;
				int _t30;
				void* _t31;

				_t26 = __edx;
				_push(0);
				E0045B896(0x4a6f07, __ebx, __edi, __esi);
				_t28 =  *(_t31 + 0x38);
				_t30 = 0;
				 *((intOrPtr*)(_t31 - 4)) = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "CreateDirectoryW") == 0) {
					_t21 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "CreateDirectoryA");
					if(_t21 != 0) {
						_t17 = E00412F8A(_t21, _t31 + 8, _t26);
						_t18 =  *_t21(_t17, _t28);
						goto L4;
					}
				} else {
					_t4 = _t31 + 0xc; // 0x4c2f40
					_t5 = _t31 + 0xc; // 0x4c2f40
					_t25 =  >=  ?  *_t5 : _t4;
					_t18 = CreateDirectoryW( >=  ?  *_t5 : _t4, _t28); // executed
					L4:
					_t30 = _t18;
				}
				E00401B80(_t31 + 8);
				return E0045B864(_t30);
			}

0x00441b01
0x00441b01
0x00441b08
0x00441b0d
0x00441b1b
0x00441b22
0x00441b30
0x00441b56
0x00441b5a
0x00441b5f
0x00441b66
0x00000000
0x00441b66
0x00441b32
0x00441b36
0x00441b39
0x00441b39
0x00441b3f
0x00441b68
0x00441b68
0x00441b68
0x00441b6d
0x00441b79

APIs

__EH_prolog3.LIBCMT ref: 00441B08
GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryW,00000000,0044269D), ref: 00441B25
GetProcAddress.KERNEL32(00000000), ref: 00441B28
CreateDirectoryW.KERNELBASE(@/L,00000001), ref: 00441B3F
GetModuleHandleW.KERNEL32(kernel32.dll,CreateDirectoryA), ref: 00441B4D
GetProcAddress.KERNEL32(00000000), ref: 00441B50

Strings

kernel32.dll, xrefs: 00441B1D, 00441B48
CreateDirectoryA, xrefs: 00441B43
CreateDirectoryW, xrefs: 00441B16
@/L, xrefs: 00441B36, 00441B39, 00441B3E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$CreateDirectoryH_prolog3
String ID: @/L$CreateDirectoryA$CreateDirectoryW$kernel32.dll
API String ID: 662308948-3360337979
Opcode ID: fdfb3521f710bff9fd83bdadc5a0edee52d24d1746d097b2a669540433ea7db8
Instruction ID: b1c665df828f0f440f157cb71fb04a9db391db4a6d36b46aabb71bb12b0827f4
Opcode Fuzzy Hash: fdfb3521f710bff9fd83bdadc5a0edee52d24d1746d097b2a669540433ea7db8
Instruction Fuzzy Hash: 1DF0AF30640314ABDF14AFB6CC95E9E7B78EF54B41B51402EB80597160DB7CEA45C7AC

Uniqueness

Uniqueness Score: -1.00%

Function 004437BF, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004437BF(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t17;
				void* _t23;
				intOrPtr* _t26;
				long _t28;
				void* _t29;

				_t23 = __edx;
				_push(0);
				E0045B896(0x4a72ab, __ebx, __edi, __esi);
				_t28 = 0;
				 *((intOrPtr*)(_t29 - 4)) = 0;
				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetFileAttributesW") == 0) {
					_t26 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetFileAttributesA");
					if(_t26 != 0) {
						_t17 =  *_t26(E00412F8A(__ebx, _t29 + 8, _t23));
						goto L4;
					}
				} else {
					_t22 =  >=  ?  *((void*)(_t29 + 0xc)) : _t29 + 0xc;
					_t17 = GetFileAttributesW( >=  ?  *((void*)(_t29 + 0xc)) : _t29 + 0xc); // executed
					L4:
					_t28 = _t17;
				}
				E00401B80(_t29 + 8);
				return E0045B864(_t28);
			}

0x004437bf
0x004437bf
0x004437c6
0x004437d6
0x004437dd
0x004437eb
0x00443810
0x00443814
0x0044381f
0x00000000
0x0044381f
0x004437ed
0x004437f4
0x004437f9
0x00443821
0x00443821
0x00443821
0x00443826
0x00443832

APIs

__EH_prolog3.LIBCMT ref: 004437C6
GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesW,00000000,00441EB3,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 004437E0
GetProcAddress.KERNEL32(00000000), ref: 004437E3
GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 004437F9
GetModuleHandleW.KERNEL32(kernel32.dll,GetFileAttributesA,?,?,?,?,?,?,?,?,?,?,?,004097FA), ref: 00443807
GetProcAddress.KERNEL32(00000000), ref: 0044380A

Strings

GetFileAttributesW, xrefs: 004437D1
kernel32.dll, xrefs: 004437D8, 00443802
GetFileAttributesA, xrefs: 004437FD

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$AttributesFileH_prolog3
String ID: GetFileAttributesA$GetFileAttributesW$kernel32.dll
API String ID: 3512441749-1399581607
Opcode ID: b85165ea86fdc975b851c57e26976d7a3fd7a01e57c2aac18914b16de7f7a04c
Instruction ID: 3088d5ed7bf6eec272a4b6ba293ed67cf6ec91cb0f4024647908f381bc384104
Opcode Fuzzy Hash: b85165ea86fdc975b851c57e26976d7a3fd7a01e57c2aac18914b16de7f7a04c
Instruction Fuzzy Hash: 76F0C231600304A7CF14BFB68C15E8EBAB4AF50B51B62452AF81197150DB7CD601CBEC

Uniqueness

Uniqueness Score: -1.00%

Function 00441E34, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00441E34(void* __ebx, void* __edx, void* __edi, signed int __esi, void* __eflags) {
				signed char _t66;
				void* _t92;
				intOrPtr* _t98;
				intOrPtr* _t104;
				intOrPtr* _t113;
				void* _t114;
				void* _t117;
				void* _t118;
				intOrPtr* _t119;
				void* _t120;

				_t116 = __esi;
				_t115 = __edi;
				_t114 = __edx;
				_push(0xc8);
				E0045B8C9(0x4a6f8e, __ebx, __edi, __esi);
				_t97 = 0;
				_t126 =  *(_t117 + 0x38) & 0x00000010;
				 *((intOrPtr*)(_t117 - 4)) = 0;
				if(( *(_t117 + 0x38) & 0x00000010) == 0) {
					L4:
					_t119 = _t118 - 0x30;
					_t98 = _t119;
					_push(_t97);
					_push(_t117 + 8);
					 *_t98 = 0x4c2fa0;
					 *((intOrPtr*)(_t98 + 0x28)) = 0x4c2f40;
					E00408E82(_t97, _t98, _t115, _t116, __eflags); // executed
					_t66 = E004437BF(_t97, _t114, _t115, _t116, __eflags); // executed
					_t120 = _t119 + 0x30;
					__eflags = _t66 - 0xffffffff;
					if(_t66 == 0xffffffff) {
						_t116 = GetLastError();
						__eflags = _t116 - 2;
						if(_t116 == 2) {
							L23:
							E00401B80(_t117 + 8);
							__eflags = 0;
						} else {
							__eflags = _t116 - 3;
							if(_t116 == 3) {
								goto L23;
							} else {
								__eflags = _t116 - 5;
								if(__eflags != 0) {
									L21:
									__eflags =  *(_t117 + 0x38) & 0x00000020;
									if(__eflags == 0) {
										goto L3;
									} else {
										_push(_t97);
										_push(_t117 + 8);
										 *((intOrPtr*)(_t117 - 0x40)) = 0x4ae964;
										 *((intOrPtr*)(_t117 - 0x18)) = 0x4ae96c;
										E00408E82(_t97, _t117 - 0x40, _t115, _t116, __eflags);
										_push(1);
										_push(_t116);
										_t57 = _t117 - 0x40; // 0x4ae964
										 *((char*)(_t117 - 4)) = 3;
										E00416974(_t117 - 0x90, _t116, __eflags);
										E0045A466(_t117 - 0x90, 0x4c9bf0);
										goto L23;
									}
								} else {
									E0043EAA1(_t117 - 0xcc);
									 *(_t117 - 0xd0) =  *(_t117 - 0xd0) | 0xffffffff;
									_push(_t117 - 0xcc);
									_t104 = _t120 - 0x30;
									_push(_t97);
									_push(_t117 + 8);
									 *((char*)(_t117 - 4)) = 2;
									 *_t104 = 0x4c2fa0;
									 *((intOrPtr*)(_t104 + 0x28)) = 0x4c2f40;
									E00408E82(_t97, _t104, _t115, _t116, __eflags);
									_t116 = E00443199(_t97, _t115, _t116, __eflags);
									__eflags = _t116 - 0xffffffff;
									if(_t116 == 0xffffffff) {
										_t116 = GetLastError();
										E0042382A(_t117 - 0xd0);
										 *((char*)(_t117 - 4)) = _t97;
										E00401B80(_t117 - 0x70);
										E00401B80(_t117 - 0xa0);
										goto L21;
									} else {
										E0042382A(_t117 - 0xd0);
										__eflags =  *(_t117 + 0x38) & 0x00000004;
										 *(_t117 - 0xd0) = _t116;
										if(( *(_t117 + 0x38) & 0x00000004) == 0) {
											L16:
											__eflags =  *(_t117 + 0x38) & 0x00000008;
											if(( *(_t117 + 0x38) & 0x00000008) != 0) {
												__eflags =  *(_t117 - 0xcc) & 0x00000010;
												if(( *(_t117 - 0xcc) & 0x00000010) != 0) {
													goto L18;
												}
											}
										} else {
											__eflags =  *(_t117 - 0xcc) & 0x00000010;
											if(( *(_t117 - 0xcc) & 0x00000010) == 0) {
												L18:
												_t97 = 1;
											} else {
												goto L16;
											}
										}
										E0042382A(_t117 - 0xd0);
										E00401B80(_t117 - 0x70);
										E00401B80(_t117 - 0xa0);
										goto L3;
									}
								}
							}
						}
					} else {
						__eflags =  *(_t117 + 0x38) & 0x00000004;
						if(( *(_t117 + 0x38) & 0x00000004) == 0) {
							L7:
							__eflags =  *(_t117 + 0x38) & 0x00000008;
							if(( *(_t117 + 0x38) & 0x00000008) == 0) {
								goto L3;
							} else {
								__eflags = _t66 & 0x00000010;
								if((_t66 & 0x00000010) == 0) {
									goto L3;
								} else {
									goto L9;
								}
							}
						} else {
							__eflags = _t66 & 0x00000010;
							if((_t66 & 0x00000010) == 0) {
								L9:
								_t97 = 1;
								goto L3;
							} else {
								goto L7;
							}
						}
						L25:
					}
				} else {
					_t92 = E00424D42(_t117 + 8, _t126);
					_t127 = _t92;
					if(_t92 == 0) {
						goto L4;
					} else {
						_push( *(_t117 + 0x38));
						_t113 = _t118 - 0x30;
						_push(0);
						_push(_t117 + 8);
						 *_t113 = 0x4c2fa0;
						 *((intOrPtr*)(_t113 + 0x28)) = 0x4c2f40;
						E00408E82(0, _t113, __edi, __esi, _t127);
						_t97 = E00442017(0, __edi, __esi, _t127);
						L3:
						E00401B80(_t117 + 8);
					}
				}
				return E0045B878(_t97, _t115, _t116);
				goto L25;
			}

0x00441e34
0x00441e34
0x00441e34
0x00441e34
0x00441e3e
0x00441e43
0x00441e45
0x00441e49
0x00441e4c
0x00441e92
0x00441e92
0x00441e95
0x00441e97
0x00441e9b
0x00441e9c
0x00441ea2
0x00441ea9
0x00441eae
0x00441eb3
0x00441eb6
0x00441eb9
0x00441ed9
0x00441edb
0x00441ede
0x00442007
0x0044200a
0x0044200f
0x00441ee4
0x00441ee4
0x00441ee7
0x00000000
0x00441eed
0x00441eed
0x00441ef0
0x00441fbb
0x00441fbb
0x00441fbf
0x00000000
0x00441fc5
0x00441fc5
0x00441fc9
0x00441fcd
0x00441fd4
0x00441fdb
0x00441fe0
0x00441fe2
0x00441fe3
0x00441fed
0x00441ff1
0x00442002
0x00000000
0x00442002
0x00441ef6
0x00441efc
0x00441f01
0x00441f0e
0x00441f12
0x00441f14
0x00441f18
0x00441f19
0x00441f1d
0x00441f23
0x00441f2a
0x00441f34
0x00441f39
0x00441f3c
0x00441f9e
0x00441fa0
0x00441fa8
0x00441fab
0x00441fb6
0x00000000
0x00441f3e
0x00441f44
0x00441f49
0x00441f4d
0x00441f53
0x00441f5e
0x00441f5e
0x00441f62
0x00441f64
0x00441f6b
0x00000000
0x00000000
0x00441f6b
0x00441f55
0x00441f55
0x00441f5c
0x00441f6d
0x00441f6d
0x00000000
0x00000000
0x00000000
0x00441f5c
0x00441f75
0x00441f7d
0x00441f88
0x00000000
0x00441f88
0x00441f3c
0x00441ef0
0x00441ee7
0x00441ebb
0x00441ebb
0x00441ebf
0x00441ec5
0x00441ec5
0x00441ec9
0x00000000
0x00441ecb
0x00441ecb
0x00441ecd
0x00000000
0x00000000
0x00000000
0x00000000
0x00441ecd
0x00441ec1
0x00441ec1
0x00441ec3
0x00441ecf
0x00441ecf
0x00000000
0x00000000
0x00000000
0x00000000
0x00441ec3
0x00000000
0x00441ebf
0x00441e4e
0x00441e51
0x00441e56
0x00441e58
0x00000000
0x00441e5a
0x00441e5a
0x00441e63
0x00441e65
0x00441e66
0x00441e67
0x00441e6d
0x00441e74
0x00441e81
0x00441e83
0x00441e86
0x00441e8b
0x00441e58
0x00442016
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 00441E3E
GetLastError.KERNEL32 ref: 00441ED3
GetLastError.KERNEL32 ref: 00441F92
__CxxThrowException@8.LIBCMT ref: 00442002

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00442017: __EH_prolog3_catch_GS.LIBCMT ref: 00442021
Part of subcall function 00442017: __CxxThrowException@8.LIBCMT ref: 004420E0

Strings

dJ, xrefs: 00441FE3, 00441FE6
@/L, xrefs: 00441F23
, xrefs: 00441FBB
lJ, xrefs: 00441FD4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$Exception@8Throw$H_prolog3H_prolog3_H_prolog3_catch_
String ID: $@/L$dJ$lJ
API String ID: 3135901474-310088486
Opcode ID: 11feb997cf6f3efc188a7024f8470415e17837cb5f3adfa69233eb6fe9aadd1d
Instruction ID: 024aebdfad30573a76e4f50047cbbd5e19666ba93c77f482c8ad1b4a1462f21a
Opcode Fuzzy Hash: 11feb997cf6f3efc188a7024f8470415e17837cb5f3adfa69233eb6fe9aadd1d
Instruction Fuzzy Hash: AE51F870400208AAEB14FFA5C955BDE7BB46F01358F54419FFC49271E2EB7C4A8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 004252EC, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 83
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E004252EC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t35;
				void* _t42;
				LONG* _t57;
				intOrPtr* _t59;
				void* _t68;
				void* _t71;

				_push(0x108);
				E0045B8C9(0x4a423d, __ebx, __edi, __esi);
				_t68 = __ecx;
				_t59 =  *((intOrPtr*)(__ecx + 4));
				_t57 =  *(_t71 + 0x10);
				_push( *((intOrPtr*)(_t71 + 0xc)));
				if(_t59 == 0) {
					L4:
					_t35 = SetFilePointer( *(_t68 + 8),  *(_t71 + 8), _t57, ??); // executed
					_t70 = _t35;
					if(_t35 == 0xffffffff) {
						_t77 = _t57;
						if(_t57 != 0) {
							_t57 = GetLastError();
							__eflags = _t57;
							if(__eflags != 0) {
								_push(0);
								_push(_t68 + 0xc);
								 *((intOrPtr*)(_t71 - 0x70)) = 0x4ae964;
								 *((intOrPtr*)(_t71 - 0x48)) = 0x4ae96c;
								E00408E82(_t57, _t71 - 0x70, _t68, _t70, __eflags);
								_push(1);
								_push(_t57);
								_t29 = _t71 - 0x70; // 0x4ae964
								 *(_t71 - 4) = 2;
								E00416974(_t71 - 0x114, _t70, __eflags);
								_push(0x4c9bf0);
								_t42 = _t71 - 0x114;
								goto L3;
							}
						} else {
							_push(_t57);
							_push(_t68 + 0xc);
							 *((intOrPtr*)(_t71 - 0x40)) = 0x4ae964;
							 *((intOrPtr*)(_t71 - 0x18)) = 0x4ae96c;
							E00408E82(_t57, _t71 - 0x40, _t68, _t70, _t77);
							_push(1);
							 *(_t71 - 4) = 1;
							_t22 = _t71 - 0x40; // 0x4ae964
							E00416910(_t71 - 0xc0, _t70, _t77);
							_push(0x4c9bf0);
							_t42 = _t71 - 0xc0;
							goto L3;
						}
					}
				} else {
					_t70 =  *((intOrPtr*)( *_t59 + 0x14))( *(_t71 + 8));
					_t74 = _t70 - 0xffffffff;
					if(_t70 == 0xffffffff) {
						_push(0);
						_push(__ecx + 0xc);
						 *((intOrPtr*)(_t71 - 0x40)) = 0x4ae964;
						 *((intOrPtr*)(_t71 - 0x18)) = 0x4ae96c;
						E00408E82(_t57, _t71 - 0x40, __ecx, _t70, _t74);
						 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
						_push(1);
						_t12 = _t71 - 0x40; // 0x4ae964
						E00416CE9(_t57, _t71 - 0xc4, _t68, _t70,  *(_t71 - 4));
						_push(0x4c9c64);
						_t42 = _t71 - 0xc4;
						L3:
						_push(_t42);
						E0045A466();
						goto L4;
					}
				}
				return E0045B878(_t57, _t68, _t70);
			}

0x004252ec
0x004252f6
0x004252fb
0x004252fd
0x00425300
0x00425303
0x00425308
0x0042535f
0x00425366
0x0042536c
0x00425371
0x00425377
0x00425379
0x004253bf
0x004253c1
0x004253c3
0x004253c5
0x004253ca
0x004253ce
0x004253d5
0x004253dc
0x004253e1
0x004253e3
0x004253e4
0x004253ee
0x004253f5
0x004253fa
0x004253ff
0x00000000
0x004253ff
0x0042537b
0x0042537b
0x0042537f
0x00425383
0x0042538a
0x00425391
0x00425399
0x0042539a
0x0042539d
0x004253a7
0x004253ac
0x004253b1
0x00000000
0x004253b1
0x00425379
0x0042530a
0x00425312
0x00425314
0x00425317
0x0042531d
0x00425322
0x00425326
0x0042532d
0x00425334
0x00425339
0x0042533d
0x0042533f
0x00425349
0x0042534e
0x00425353
0x00425359
0x00425359
0x0042535a
0x00000000
0x0042535a
0x00425317
0x00425411

APIs

__EH_prolog3_GS.LIBCMT ref: 004252F6
__CxxThrowException@8.LIBCMT ref: 0042535A
SetFilePointer.KERNELBASE(?,?,?,?,00000108,0042442C,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 00425366
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004253B9

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0

Strings

dJ, xrefs: 0042533F, 00425342
dJ, xrefs: 004253E4, 004253E7
lJ, xrefs: 004253D5
lJ, xrefs: 0042538A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$Exception@8FileH_prolog3_PointerThrow
String ID: dJ$dJ$lJ$lJ
API String ID: 2919269545-2563680426
Opcode ID: 8d2b546f7e3d873672aad8cd1b5a24ab6e95af9ee3eee59a8c9df0d3ac62f50c
Instruction ID: af51474dedc5b26f7e802cd600de06d5f3abcaf2f955c679b4fb138413ebcb4e
Opcode Fuzzy Hash: 8d2b546f7e3d873672aad8cd1b5a24ab6e95af9ee3eee59a8c9df0d3ac62f50c
Instruction Fuzzy Hash: 663161B6900218EBCB14EF91CC85FEEB778BF14304F10426FE915A3181DB749A45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00441B7A, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 51
libraryloaderfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00441B7A(intOrPtr _a4, long _a8, long _a12, struct _SECURITY_ATTRIBUTES* _a16, long _a20, long _a24, void* _a28) {
				void* __ebx;
				signed int _t19;
				void* _t21;
				void* _t23;
				WCHAR* _t24;
				WCHAR* _t27;
				void* _t28;
				signed int _t30;

				_t24 = L"kernel32.dll";
				if(GetProcAddress(GetModuleHandleW(_t24), "CreateFileW") == 0) {
					_t19 = GetProcAddress(GetModuleHandleW(_t24), "CreateFileA");
					_t30 = _t19;
					if(_t30 == 0) {
						return _t19 | 0xffffffff;
					}
					_t21 = E00412F8A(_t24, _a4, _t28);
					return  *_t30(_t21, _a8, _a12, _a16, _a20, _a24, _a28);
				}
				_t27 = _a4 + 4;
				if(_t27[0xa] >= 8) {
					_t27 =  *_t27;
				}
				_t23 = CreateFileW(_t27, _a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t23;
			}

0x00441b8a
0x00441b9b
0x00441bcb
0x00441bd1
0x00441bd5
0x00000000
0x00441bf6
0x00441bda
0x00000000
0x00441bf2
0x00441ba0
0x00441ba7
0x00441ba9
0x00441ba9
0x00441bbe
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileW,?,00000000,?,0042469A,?,?,?,?,?,?,?,?,00000000,0044208C), ref: 00441B90
GetProcAddress.KERNEL32(00000000), ref: 00441B93
CreateFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000000,?,0042469A,?,?,?,?,?), ref: 00441BBE
GetModuleHandleW.KERNEL32(kernel32.dll,CreateFileA,?,00000000,?,0042469A,?,?,?,?,?,?,?,?,00000000,0044208C), ref: 00441BC8
GetProcAddress.KERNEL32(00000000), ref: 00441BCB

Strings

kernel32.dll, xrefs: 00441B8A, 00441B8F, 00441BC7
CreateFileA, xrefs: 00441BC2
CreateFileW, xrefs: 00441B85

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$CreateFile
String ID: CreateFileA$CreateFileW$kernel32.dll
API String ID: 2362759813-3217398002
Opcode ID: 02d42acd285fee06010f2fe6d359a1c1e867698318d47a66b01dc30a36c81fdf
Instruction ID: e6a1661a0682fcf3c0b1e3af4245b7ebd0ec74b0ed3e6b90110b66c31ac7ed74
Opcode Fuzzy Hash: 02d42acd285fee06010f2fe6d359a1c1e867698318d47a66b01dc30a36c81fdf
Instruction Fuzzy Hash: 12015E32500249BBDF025FA4DC44DEB3F3AFF09354B04451AFE2596161D67AD861EBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041CF22, Relevance: 13.6, APIs: 9, Instructions: 144
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0041CF22(WCHAR* _a4, void** _a8, void** _a12, intOrPtr* _a16, long* _a20) {
				struct _SECURITY_ATTRIBUTES* _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				struct _SECURITY_ATTRIBUTES* _v16;
				long _v20;
				void* _v24;
				void* _v28;
				struct _SYSTEM_INFO _v64;
				void* _t42;
				void* _t43;
				long _t51;
				void* _t52;
				long _t55;
				void* _t57;
				void* _t60;
				void* _t63;
				long _t67;
				void** _t73;
				void** _t74;
				long* _t75;
				long _t77;
				intOrPtr* _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;

				_t67 = 0;
				_t81 = 0;
				_v16 = 0;
				_v12 = 0;
				_v8 = 0;
				_t42 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t82 = _t42;
				if(_t82 == 0) {
					L2:
					_t43 = CreateFileMappingW(_t81, _t67, 2, _t67, _t67, _t67); // executed
					_t83 = _t43;
					_v24 = _t83;
					if(_t83 == 0) {
						L23:
						_t67 = GetLastError();
						L24:
						E00423844( &_v8);
						E00405170( &_v12);
						E00405170( &_v16);
						return _t67;
					}
					E00405170( &_v12);
					_v12 = _t83;
					GetSystemInfo( &_v64); // executed
					_t51 = _v64.dwPageSize;
					_v28 = _t51;
					_t52 = MapViewOfFile(_t83, 4, _t67, _t67, _t51); // executed
					_t84 = _t52;
					if(_t84 == 0) {
						goto L23;
					}
					E00423844( &_v8);
					_v8 = _t84;
					if( *_t84 != 0x5a4d) {
						_t55 = _v28;
						L15:
						_t73 = _a8;
						if(_t73 != 0) {
							 *_t73 = _t84;
							_v8 = _t67;
						}
						_t74 = _a12;
						if(_t74 != 0) {
							 *_t74 = _t81;
							_v16 = _t67;
						}
						_t80 = _a16;
						if(_t80 != 0) {
							 *_t80 = _v24;
							_v12 = _t67;
						}
						_t75 = _a20;
						if(_t75 != 0) {
							 *_t75 = _t55;
						}
						goto L24;
					}
					_t57 =  *((intOrPtr*)(_t84 + 0x3c)) + _t84;
					_v20 = _t57;
					if(IsBadReadPtr(_t57, 0xf8) != 0) {
						L13:
						_t67 = 0xc1;
						goto L24;
					}
					_t55 = _v20;
					if( *_t55 != 0x4550) {
						goto L13;
					}
					_t77 =  *((intOrPtr*)(_t55 + 0x54));
					_v20 = _t77;
					if(_v28 >= _t77) {
						goto L15;
					}
					UnmapViewOfFile(_t84);
					_t60 = MapViewOfFile(_v24, 4, _t67, _t67, _v20);
					_v28 = _t60;
					if(_t84 != _t60) {
						E00423844( &_v8);
						_t84 = _v28;
						_v8 = _t84;
					}
					if( *_t84 == 0x5a4d) {
						_t63 =  *((intOrPtr*)(_t84 + 0x3c)) + _t84;
						_v20 = _t63;
						if(IsBadReadPtr(_t63, 0xf8) != 0) {
							goto L13;
						}
						_t55 = _v20;
						if( *_t55 == 0x4550) {
							goto L15;
						}
					}
					goto L13;
				}
				E00405170( &_v16);
				_t81 = _t82;
				_v16 = _t81;
				if(_t82 == 0xffffffff) {
					goto L23;
				}
				goto L2;
			}

0x0041cf2b
0x0041cf40
0x0041cf42
0x0041cf45
0x0041cf48
0x0041cf4b
0x0041cf51
0x0041cf55
0x0041cf6d
0x0041cf74
0x0041cf7a
0x0041cf7c
0x0041cf81
0x0041d094
0x0041d09a
0x0041d09c
0x0041d09f
0x0041d0a7
0x0041d0af
0x0041d0ba
0x0041d0ba
0x0041cf8a
0x0041cf93
0x0041cf96
0x0041cf9c
0x0041cfa5
0x0041cfa8
0x0041cfae
0x0041cfb2
0x00000000
0x00000000
0x0041cfbb
0x0041cfc5
0x0041cfcb
0x0041d05f
0x0041d062
0x0041d062
0x0041d067
0x0041d069
0x0041d06b
0x0041d06b
0x0041d06e
0x0041d073
0x0041d075
0x0041d077
0x0041d077
0x0041d07a
0x0041d07f
0x0041d084
0x0041d086
0x0041d086
0x0041d089
0x0041d08e
0x0041d090
0x0041d090
0x00000000
0x0041d08e
0x0041cfd4
0x0041cfdc
0x0041cfe7
0x0041d058
0x0041d058
0x00000000
0x0041d058
0x0041cfe9
0x0041cff2
0x00000000
0x00000000
0x0041cff4
0x0041cff7
0x0041cffd
0x00000000
0x00000000
0x0041d000
0x0041d010
0x0041d016
0x0041d01b
0x0041d020
0x0041d025
0x0041d028
0x0041d028
0x0041d033
0x0041d038
0x0041d040
0x0041d04b
0x00000000
0x00000000
0x0041d04d
0x0041d056
0x00000000
0x00000000
0x0041d056
0x00000000
0x0041d033
0x0041cf5a
0x0041cf5f
0x0041cf61
0x0041cf67
0x00000000
0x00000000
0x00000000

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000), ref: 0041CF4B
CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,?,00000000), ref: 0041CF74
GetSystemInfo.KERNELBASE(?,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?), ref: 0041CF96
MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,?,?,00000000), ref: 0041CFA8
IsBadReadPtr.KERNEL32(?,000000F8,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?), ref: 0041CFDF
UnmapViewOfFile.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?), ref: 0041D000
MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,00000000), ref: 0041D010
GetLastError.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?,?,?), ref: 0041D094
IsBadReadPtr.KERNEL32(?,000000F8,?,00000000,?,?,?,?,?,?,?,?,?,0041AD54,?,?), ref: 0041D043

Part of subcall function 00405170: FindCloseChangeNotification.KERNELBASE(?,?,0041781D), ref: 00405183

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: File$View$CreateRead$ChangeCloseErrorFindInfoLastMappingNotificationSystemUnmap
String ID:
API String ID: 4059205213-0
Opcode ID: b361bc07e0d3ad07dce9cb873b320832fb538301f77cedf8724d4f0d5a86891d
Instruction ID: 1d51cd8d086f613c9da9948f2c1a6f690b32e3ce424fba7af812f89d14476e72
Opcode Fuzzy Hash: b361bc07e0d3ad07dce9cb873b320832fb538301f77cedf8724d4f0d5a86891d
Instruction Fuzzy Hash: FD5160B0E00219AFDB14DF65C885AAFBFB8FF09748F50406AE915A7290D7749E41CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004425A8, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E004425A8(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t44;
				void* _t56;
				void* _t62;
				long _t63;
				long _t70;
				void* _t82;
				intOrPtr* _t85;
				intOrPtr* _t86;
				void* _t90;
				void* _t93;
				void* _t94;
				void* _t95;
				intOrPtr* _t96;
				void* _t99;

				_t99 = __eflags;
				_t88 = __edx;
				_push(0x74);
				E0045B8C9(0x4a70a7, __ebx, __edi, __esi);
				_t70 = 0;
				 *((intOrPtr*)(_t94 - 4)) = 0;
				E0040A1AF(0, _t94 + 8, __edx, _t99, _t94 - 0x40);
				E00401B80(_t94 - 0x40);
				 *0x4d99f8 = 0;
				 *((char*)(_t94 - 0x71)) = E0040A4F3(_t94 + 8);
				 *((intOrPtr*)(_t94 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t94 - 0x48)) = 0x4c2f40;
				E00404200(_t94 - 0x70, _t94 - 0x79, 0);
				_t44 = 0;
				 *((char*)(_t94 - 4)) = 1;
				 *((intOrPtr*)(_t94 - 0x78)) = 0;
				_t93 = 1;
				while(1) {
					_t14 = _t94 + 0xc; // 0x4c2f40
					 *((intOrPtr*)(_t94 - 0x80)) = 0x5c;
					_t90 = E0040A017(_t14, _t94 - 0x80, _t44, 1);
					_t101 = _t90 - 0xffffffff;
					if(_t90 == 0xffffffff) {
						goto L12;
					}
					_t16 = _t94 - 0x78; // 0x4c2f40
					E0040AABC(_t94 + 8, _t94 - 0x40,  *_t16, _t46 -  *_t16 + 1);
					 *((char*)(_t94 - 4)) = 2;
					_t56 = E0042967F(_t88, _t90, _t101, _t94 - 0x40, "\\");
					_t82 = _t94 - 0x70;
					_push(_t94 - 0x40);
					if(_t56 == 0) {
						E0040B99A(_t82);
					} else {
						E0043F429(_t82);
					}
					_t23 = _t90 + 1; // 0x1
					 *((intOrPtr*)(_t94 - 0x78)) = _t23;
					if(_t93 <= 1) {
						L11:
						 *((char*)(_t94 - 4)) = 1;
						E00401B80(_t94 - 0x40);
						goto L12;
					} else {
						if(_t93 > 4) {
							L8:
							_push(_t70);
							_t96 = _t95 - 0x30;
							_t85 = _t96;
							_push(_t70);
							_push(_t94 - 0x70);
							 *_t85 = 0x4c2fa0;
							 *((intOrPtr*)(_t85 + 0x28)) = 0x4c2f40;
							E00408E82(_t70, _t85, _t90, _t93, _t105); // executed
							_t62 = E00441B01(_t70, _t88, _t90, _t93, _t105); // executed
							_t95 = _t96 + 0x34;
							if(_t62 != 0) {
								goto L11;
							} else {
								_t63 = GetLastError();
								 *0x4d99f8 = _t63;
								if(_t63 != 0xb7) {
									_t86 = _t95 - 0x30;
									_push(_t70);
									_push(_t94 - 0x70);
									 *_t86 = 0x4c2fa0;
									 *((intOrPtr*)(_t86 + 0x28)) = 0x4c2f40;
									E00408E82(_t70, _t86, _t90, _t93, __eflags);
									E004496BE(_t70, _t90, _t93, __eflags);
									E00401B80(_t94 - 0x40);
								} else {
									 *0x4d99f8 = _t70;
									goto L11;
								}
							}
						} else {
							_t105 =  *((char*)(_t94 - 0x71));
							if( *((char*)(_t94 - 0x71)) != 0) {
								goto L11;
							} else {
								goto L8;
							}
						}
					}
					L16:
					E00401B80(_t94 - 0x70);
					E00401B80(_t94 + 8);
					return E0045B878(_t70, _t90, _t93);
					L12:
					_t93 = _t93 + 1;
					if(_t90 == 0xffffffff) {
						_t70 = 1;
					} else {
						_t30 = _t94 - 0x78; // 0x4c2f40
						_t44 =  *_t30;
						continue;
					}
					goto L16;
				}
			}

0x004425a8
0x004425a8
0x004425a8
0x004425af
0x004425b7
0x004425bd
0x004425c0
0x004425c8
0x004425d0
0x004425db
0x004425e6
0x004425ed
0x004425f4
0x004425f9
0x004425fd
0x00442601
0x00442604
0x00442605
0x0044260c
0x0044260f
0x0044261b
0x0044261d
0x00442620
0x00000000
0x00000000
0x00442626
0x00442635
0x00442643
0x00442647
0x00442653
0x00442656
0x00442657
0x00442660
0x00442659
0x00442659
0x00442659
0x00442665
0x00442668
0x0044266e
0x004426bc
0x004426bf
0x004426c3
0x00000000
0x00442670
0x00442673
0x0044267b
0x0044267b
0x0044267c
0x0044267f
0x00442681
0x00442685
0x00442686
0x0044268c
0x00442693
0x00442698
0x0044269d
0x004426a2
0x00000000
0x004426a4
0x004426a4
0x004426aa
0x004426b4
0x004426d9
0x004426db
0x004426df
0x004426e0
0x004426e6
0x004426ed
0x004426f2
0x004426fd
0x004426b6
0x004426b6
0x00000000
0x004426b6
0x004426b4
0x00442675
0x00442675
0x00442679
0x00000000
0x00000000
0x00000000
0x00000000
0x00442679
0x00442673
0x00442706
0x00442709
0x00442711
0x0044271d
0x004426c8
0x004426c8
0x004426cc
0x00442704
0x004426ce
0x004426ce
0x004426ce
0x00000000
0x004426ce
0x00000000
0x004426cc

APIs

__EH_prolog3_GS.LIBCMT ref: 004425AF

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

GetLastError.KERNEL32 ref: 004426A4

Strings

@/L, xrefs: 004425ED
@/L, xrefs: 004426CE, 00442626, 00442607, 0044262D
@/L, xrefs: 004426E6
\, xrefs: 0044260F
@/L, xrefs: 0044260C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: @/L$@/L$@/L$@/L$\
API String ID: 2549205776-2956137688
Opcode ID: 727859a4d26247b066e980e7e2c053824ca06b9e1fda651589b9d0085ee8ffe5
Instruction ID: e2230353d362fa85eb07b59c5b4e32cf780bde26922efe29a9011714be2845c6
Opcode Fuzzy Hash: 727859a4d26247b066e980e7e2c053824ca06b9e1fda651589b9d0085ee8ffe5
Instruction Fuzzy Hash: B941D6B1800118DFDB14EFE5C991AEE7B78BF14358F50012FF815A7292EBB85A09CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00415549, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00415549(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t28;
				int _t29;
				void* _t36;
				void* _t37;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				void* _t57;

				_push(0x10c);
				E0045B8C9(0x4a1cd6, __ebx, __edi, __esi);
				_t56 = __ecx;
				_t45 =  *((intOrPtr*)(__ecx + 4));
				_t51 =  *(_t57 + 8);
				_t54 = 1;
				_t28 =  ==  ? 1 :  *((intOrPtr*)(_t57 + 0xc));
				 *(_t57 - 0x118) = 0;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					L4:
					_t29 = ReadFile( *(_t56 + 8), _t51, _t28, _t57 - 0x118, 0); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_push(0);
						_push(_t56 + 0xc);
						_t17 = _t57 - 0x40; // 0x4ae964
						 *((intOrPtr*)(_t57 - 0x40)) = 0x4ae964;
						 *((intOrPtr*)(_t57 - 0x18)) = 0x4ae96c;
						E00408E82(0, _t17, _t54, _t56, _t62);
						_push(_t54);
						_t20 = _t57 - 0x40; // 0x4ae964
						 *((intOrPtr*)(_t57 - 4)) = _t54;
						E00416910(_t57 - 0xc0, _t56, _t62);
						_push(0x4c9bf0);
						_t36 = _t57 - 0xc0;
						goto L3;
					}
				} else {
					_t54 = _t57 - 0x118;
					_t37 = E00450260(_t28, _t45, _t51, _t51, _t28, _t54);
					_t61 = _t37;
					if(_t37 == 0) {
						_push(0);
						_push(__ecx + 0xc);
						 *((intOrPtr*)(_t57 - 0x70)) = 0x4ae964;
						 *((intOrPtr*)(_t57 - 0x48)) = 0x4ae96c;
						E00408E82(0, _t57 - 0x70, _t54, __ecx, _t61);
						_push(1);
						_t10 = _t57 - 0x70; // 0x4ae964
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E00416CE9(0, _t57 - 0x114, _t54, _t56, _t61);
						_push(0x4c9c64);
						_t36 = _t57 - 0x114;
						L3:
						_push(_t36);
						_t28 = E0045A466();
						goto L4;
					}
				}
				return E0045B878(0, _t54, _t56);
			}

0x00415549
0x00415553
0x00415558
0x0041555d
0x00415560
0x00415567
0x0041556b
0x0041556e
0x00415576
0x004155ce
0x004155db
0x004155e1
0x004155e3
0x004155e5
0x004155e9
0x004155ea
0x004155ed
0x004155f4
0x004155fb
0x00415600
0x00415601
0x0041560b
0x0041560e
0x00415613
0x00415618
0x00000000
0x00415618
0x00415578
0x00415578
0x00415581
0x00415586
0x00415588
0x0041558e
0x00415592
0x00415596
0x0041559d
0x004155a4
0x004155a9
0x004155ab
0x004155b5
0x004155b8
0x004155bd
0x004155c2
0x004155c8
0x004155c8
0x004155c9
0x00000000
0x004155c9
0x00415588
0x0041562b

APIs

__EH_prolog3_GS.LIBCMT ref: 00415553
__CxxThrowException@8.LIBCMT ref: 004155C9
ReadFile.KERNELBASE(?,?,?,?,00000000,0000010C,004243E8,?,00000003,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 004155DB

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0

Strings

lJ, xrefs: 004155F4
lJ, xrefs: 0041559D
dJ, xrefs: 004155AB, 004155AE
dJ, xrefs: 004155EA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
String ID: dJ$dJ$lJ$lJ
API String ID: 2465803405-2563680426
Opcode ID: 2ce2bcd62077d47cbaec742ce579053ab29440419f78ca5c7f4ce532d42330ba
Instruction ID: 757f649c0f24d707cddd3cc6026ecbff9cc7938ff61cd9537476a12cee485af9
Opcode Fuzzy Hash: 2ce2bcd62077d47cbaec742ce579053ab29440419f78ca5c7f4ce532d42330ba
Instruction Fuzzy Hash: 5D212CB5900218EBCB14DF91CC81EEEB7BCBF54314F50855FE915A3141DB74AA89CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042AB1A, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E0042AB1A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t28;
				int _t29;
				void* _t36;
				void* _t37;
				void* _t51;
				intOrPtr _t54;
				void* _t56;
				void* _t57;

				_push(0x10c);
				E0045B8C9(0x4a4afc, __ebx, __edi, __esi);
				_t56 = __ecx;
				_t45 =  *((intOrPtr*)(__ecx + 4));
				_t51 =  *(_t57 + 8);
				_t54 = 1;
				_t28 =  ==  ? 1 :  *((intOrPtr*)(_t57 + 0xc));
				 *(_t57 - 0x118) = 0;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					L4:
					_t29 = ReadFile( *(_t56 + 8), _t51, _t28, _t57 - 0x118, 0); // executed
					_t62 = _t29;
					if(_t29 == 0) {
						_push(0);
						_push(_t56 + 0xc);
						_t17 = _t57 - 0x40; // 0x4ae964
						 *((intOrPtr*)(_t57 - 0x40)) = 0x4ae964;
						 *((intOrPtr*)(_t57 - 0x18)) = 0x4ae96c;
						E00408E82(0, _t17, _t54, _t56, _t62);
						_push(_t54);
						_t20 = _t57 - 0x40; // 0x4ae964
						 *((intOrPtr*)(_t57 - 4)) = _t54;
						E00416910(_t57 - 0xc0, _t56, _t62);
						_push(0x4c9bf0);
						_t36 = _t57 - 0xc0;
						goto L3;
					}
				} else {
					_t54 = _t57 - 0x118;
					_t37 = E00450260(_t28, _t45, _t51, _t51, _t28, _t54);
					_t61 = _t37;
					if(_t37 == 0) {
						_push(0);
						_push(__ecx + 0xc);
						 *((intOrPtr*)(_t57 - 0x70)) = 0x4ae964;
						 *((intOrPtr*)(_t57 - 0x48)) = 0x4ae96c;
						E00408E82(0, _t57 - 0x70, _t54, __ecx, _t61);
						_push(1);
						_t10 = _t57 - 0x70; // 0x4ae964
						 *((intOrPtr*)(_t57 - 4)) = 0;
						E00416CE9(0, _t57 - 0x114, _t54, _t56, _t61);
						_push(0x4c9c64);
						_t36 = _t57 - 0x114;
						L3:
						_push(_t36);
						_t28 = E0045A466();
						goto L4;
					}
				}
				return E0045B878(0, _t54, _t56);
			}

0x0042ab1a
0x0042ab24
0x0042ab29
0x0042ab2e
0x0042ab31
0x0042ab38
0x0042ab3c
0x0042ab3f
0x0042ab47
0x0042ab9f
0x0042abac
0x0042abb2
0x0042abb4
0x0042abb6
0x0042abba
0x0042abbb
0x0042abbe
0x0042abc5
0x0042abcc
0x0042abd1
0x0042abd2
0x0042abdc
0x0042abdf
0x0042abe4
0x0042abe9
0x00000000
0x0042abe9
0x0042ab49
0x0042ab49
0x0042ab52
0x0042ab57
0x0042ab59
0x0042ab5f
0x0042ab63
0x0042ab67
0x0042ab6e
0x0042ab75
0x0042ab7a
0x0042ab7c
0x0042ab86
0x0042ab89
0x0042ab8e
0x0042ab93
0x0042ab99
0x0042ab99
0x0042ab9a
0x00000000
0x0042ab9a
0x0042ab59
0x0042abfc

APIs

__EH_prolog3_GS.LIBCMT ref: 0042AB24
__CxxThrowException@8.LIBCMT ref: 0042AB9A
ReadFile.KERNELBASE(?,?,?,?,00000000,0000010C,00434682,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042ABAC

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0

Strings

lJ, xrefs: 0042ABC5
lJ, xrefs: 0042AB6E
dJ, xrefs: 0042ABBB
dJ, xrefs: 0042AB7C, 0042AB7F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ReadThrow
String ID: dJ$dJ$lJ$lJ
API String ID: 2465803405-2563680426
Opcode ID: 1e3e81b38b9ad3d8f8f6abdeb858c764bb4ec9f2b4ea65a2894f83b470fa1c7b
Instruction ID: 50163081e22a8741a6ef9c83be601ddddf0d375e3d6d594970b190840ee6b15b
Opcode Fuzzy Hash: 1e3e81b38b9ad3d8f8f6abdeb858c764bb4ec9f2b4ea65a2894f83b470fa1c7b
Instruction Fuzzy Hash: 85213BB5900218EBCB14DF91CC81EEEB77CBF44304F00859FFA15A3141DB74AA89CA59

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA5A, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0041AA5A(void* __ebx, char* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t111;
				void* _t112;
				char _t113;
				void* _t117;
				char _t133;
				void* _t155;
				void* _t167;
				char* _t171;
				void* _t172;
				void* _t173;
				intOrPtr _t174;
				intOrPtr _t175;

				_push(0x154);
				E0045B8C9(0x4a2c21, __ebx, __edi, __esi);
				_t171 = __ecx;
				_t180 =  *((intOrPtr*)(__ecx + 0x1ac));
				_t166 =  !=  ? __ecx + 0x198 : __ecx + 0x288;
				_t133 = 0;
				_push(0);
				_push( !=  ? __ecx + 0x198 : __ecx + 0x288);
				 *((intOrPtr*)(_t172 - 0x100)) = 0x4c2fa0;
				 *((intOrPtr*)(_t172 - 0xd8)) = 0x4c2f40;
				E00408E82(0, _t172 - 0x100, 0x4c2fa0, __ecx,  *((intOrPtr*)(__ecx + 0x1ac)));
				 *((intOrPtr*)(_t172 - 4)) = 0;
				E00423585(0, _t172 - 0x100, _t166, _t180, _t172 - 0x130);
				 *((char*)(_t172 - 4)) = 2;
				E00401B80(_t172 - 0x100);
				_push(0x20019);
				_t174 = _t173 - 0x30;
				 *((intOrPtr*)(_t172 - 0x144)) = _t174;
				E004091B8(_t174, 0x4c2d7c, _t172 - 0x131, 1);
				_t175 = _t174 - 0x30;
				 *((intOrPtr*)(_t172 - 0x14c)) = _t175;
				 *((char*)(_t172 - 4)) = 3;
				E004091B8(_t175, L"UninstallString", _t172 - 0x131, 1);
				_push(0);
				_push(_t172 - 0x131);
				_push(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
				 *((char*)(_t172 - 4)) = 4;
				 *((intOrPtr*)(_t172 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t172 - 0x48)) = 0x4c2f40;
				E00408F6D(0, _t172 - 0x70, 0x4c2fa0, _t171, _t180);
				_push(_t172 - 0x130);
				_push(_t175 - 0x30);
				 *((char*)(_t172 - 4)) = 5;
				E0040B91E(0, _t172 - 0x70, 0x4c2fa0, _t171, _t180);
				 *((char*)(_t172 - 4)) = 6;
				_push((0 | _t171[0xe] != 0x00000000) + 0x80000001);
				_push(_t172 - 0xd0); // executed
				E00448D7A(0, 0x4c2fa0, _t171, _t171[0xe]); // executed
				 *((char*)(_t172 - 4)) = 8;
				E00401B80(_t172 - 0x70);
				if( *((intOrPtr*)(_t172 - 0xbc)) != 0) {
					 *((intOrPtr*)(_t172 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t172 - 0x18)) = 0x4c2f40;
					E00404200(_t172 - 0x40, _t172 - 0x131, 0);
					_t108 =  >=  ?  *((void*)(_t172 - 0xcc)) : _t172 - 0xcc;
					_push( >=  ?  *((void*)(_t172 - 0xcc)) : _t172 - 0xcc);
					 *((char*)(_t172 - 4)) = 9;
					E004160F7(0, _t172 - 0x160, 0x4c2fa0, _t171,  *((intOrPtr*)(_t172 - 0xb8)) - 8);
					_t111 = E00417A4B(_t172 - 0x40, _t172 - 0x140);
					 *((char*)(_t172 - 4)) = 0xb;
					 *((char*)(_t111 + 4)) = 1;
					_t112 = E0040A0F0(_t111,  *_t111);
					_push(0);
					_push(0);
					_push(_t112);
					_push("l");
					_t113 = E0041AE03(0, _t172 - 0x160, 0x4c2fa0, _t171,  *((intOrPtr*)(_t172 - 0xb8)) - 8);
					 *((char*)(_t172 - 0x131)) = _t113;
					 *((char*)(_t172 - 4)) = 0xa;
					if( *((intOrPtr*)(_t172 - 0x13c)) != 0) {
						E00404260( *((intOrPtr*)(_t172 - 0x140)), 0x4c2fa0,  *((intOrPtr*)( *((intOrPtr*)(_t172 - 0x140)) + 0x24)));
						_t113 =  *((intOrPtr*)(_t172 - 0x131));
					}
					if(_t113 != 0) {
						_t171 = L"0x";
						 *((char*)(_t172 - 0x131)) = _t133;
						_t117 = E0040A017(_t172 - 0x3c, _t171, _t133, E0045B5D4(_t171));
						_t186 = _t117;
						if(_t117 == 0) {
							_push(1);
							_push(_t172 - 0x131);
							_push(0x4c2d7c);
							E00408F6D(_t133, _t172 - 0x70, 0x4c2fa0, _t171, _t186);
							_push(1);
							_push(_t172 - 0x131);
							_push(_t171);
							 *((char*)(_t172 - 4)) = 0xc;
							E00408F6D(_t133, _t172 - 0xa0, 0x4c2fa0, _t171, _t186);
							_t126 =  >=  ?  *((void*)(_t172 - 0x9c)) : _t172 - 0x9c;
							 *((char*)(_t172 - 4)) = 0xd;
							if(E0040A017(_t172 - 0x3c,  >=  ?  *((void*)(_t172 - 0x9c)) : _t172 - 0x9c, _t133,  *((intOrPtr*)(_t172 - 0x8c))) != 0xffffffff) {
								E0040A6AD(_t172 - 0x40, _t127,  *((intOrPtr*)(_t172 - 0x8c)), _t172 - 0x70);
							}
							E00401B80(_t172 - 0xa0);
							E00401B80(_t172 - 0x70);
							 *((char*)(_t172 - 0x131)) = 1;
						}
						_t167 = 0x10;
						_t119 =  >=  ?  *((void*)(_t172 - 0x3c)) : _t172 - 0x3c;
						_t155 = 0xa;
						_t156 =  !=  ? _t167 : _t155;
						_t133 = E0045D9C2( >=  ?  *((void*)(_t172 - 0x3c)) : _t172 - 0x3c, _t133,  !=  ? _t167 : _t155);
					}
					E004172BB(_t133, _t172 - 0x160, 0x4c2fa0);
					E00401B80(_t172 - 0x40);
				}
				E00401B80(_t172 - 0xd0);
				E00401B80(_t172 - 0x130);
				return E0045B878(_t133, 0x4c2fa0, _t171);
			}

0x0041aa5a
0x0041aa64
0x0041aa69
0x0041aa6b
0x0041aa7e
0x0041aa81
0x0041aa83
0x0041aa89
0x0041aa90
0x0041aa96
0x0041aaa0
0x0041aab2
0x0041aab5
0x0041aac0
0x0041aac4
0x0041aac9
0x0041aace
0x0041aad3
0x0041aae7
0x0041aaec
0x0041aaf1
0x0041ab05
0x0041ab09
0x0041ab0e
0x0041ab15
0x0041ab16
0x0041ab1e
0x0041ab22
0x0041ab25
0x0041ab2c
0x0041ab3c
0x0041ab3d
0x0041ab41
0x0041ab45
0x0041ab4f
0x0041ab5b
0x0041ab62
0x0041ab63
0x0041ab71
0x0041ab75
0x0041ab80
0x0041ab91
0x0041ab94
0x0041ab9b
0x0041abad
0x0041abb4
0x0041abbb
0x0041abbf
0x0041abce
0x0041abd5
0x0041abd9
0x0041abdd
0x0041abe2
0x0041abe3
0x0041abe4
0x0041abe5
0x0041abf0
0x0041abf5
0x0041abfb
0x0041ac05
0x0041ac10
0x0041ac15
0x0041ac15
0x0041ac1d
0x0041ac23
0x0041ac29
0x0041ac3b
0x0041ac40
0x0041ac42
0x0041ac48
0x0041ac50
0x0041ac51
0x0041ac59
0x0041ac5e
0x0041ac66
0x0041ac67
0x0041ac6e
0x0041ac72
0x0041ac8a
0x0041ac96
0x0041aca2
0x0041acb2
0x0041acb2
0x0041acbd
0x0041acc5
0x0041acca
0x0041acca
0x0041acd7
0x0041acdd
0x0041ace8
0x0041ace9
0x0041acf7
0x0041acf7
0x0041acff
0x0041ad07
0x0041ad07
0x0041ad12
0x0041ad1d
0x0041ad29

APIs

__EH_prolog3_GS.LIBCMT ref: 0041AA64

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 004160F7: __EH_prolog3.LIBCMT ref: 004160FE

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Part of subcall function 0041AE03: __EH_prolog3_GS.LIBCMT ref: 0041AE0D
Part of subcall function 0041AE03: SysStringLen.OLEAUT32(?), ref: 0041AF0D
Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF18

Strings

UninstallString, xrefs: 0041AB00
@/L, xrefs: 0041AB94
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 0041AB16
@/L, xrefs: 0041AB25
@/L, xrefs: 0041AA96

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$H_prolog3_$FreeH_prolog3$AllocQueryValue
String ID: @/L$@/L$@/L$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$UninstallString
API String ID: 582199494-1771472271
Opcode ID: 0d1bea1d8e93f29cf81d7ed662dfd11f2b86fa780c2fe4902eeb20014bd7b005
Instruction ID: 2133936ac230856c8cd993649dd183d126aef40e66d99f475f238cbc8be83664
Opcode Fuzzy Hash: 0d1bea1d8e93f29cf81d7ed662dfd11f2b86fa780c2fe4902eeb20014bd7b005
Instruction Fuzzy Hash: 62715071900258EEDB25EBA5CC91BEEB7B8AF14304F1440DEE44963192DBB85F88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004018F0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E004018F0(int* __ecx, void* _a4, short* _a8, int _a12) {
				void* _v8;
				long _t14;
				void* _t15;
				struct HINSTANCE__* _t17;
				_Unknown_base(*)()* _t18;
				intOrPtr* _t20;
				long _t25;
				int _t27;
				int* _t31;

				_push(__ecx);
				_t31 = __ecx;
				_t20 =  *((intOrPtr*)(__ecx + 8));
				_t27 = _a12;
				_v8 = 0;
				if(_t20 == 0) {
					L8:
					_t14 = RegOpenKeyExW(_a4, _a8, 0, _t27,  &_v8); // executed
				} else {
					if( *_t20 == 0) {
						if( *((intOrPtr*)(_t20 + 4)) != 0) {
							goto L8;
						} else {
							goto L7;
						}
					} else {
						_t17 = GetModuleHandleW(L"Advapi32.dll");
						if(_t17 != 0) {
							_t18 = GetProcAddress(_t17, "RegOpenKeyTransactedW");
							if(_t18 == 0) {
								L7:
								_t14 = 1;
							} else {
								_t14 =  *_t18(_a4, _a8, 0, _t27,  &_v8,  *_t20, 0);
							}
						} else {
							_t14 = 1;
						}
					}
				}
				if(_t14 == 0) {
					_t15 =  *_t31;
					_t25 = 0;
					if(_t15 != 0) {
						_t25 = RegCloseKey(_t15);
						 *_t31 = 0;
					}
					 *_t31 = _v8;
					_t31[1] = _t27 & 0x00000300;
					_t14 = _t25;
				}
				return _t14;
			}

0x004018f3
0x004018f6
0x004018f9
0x004018fc
0x004018ff
0x00401908
0x00401957
0x00401964
0x0040190a
0x0040190d
0x0040194e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040190f
0x00401914
0x0040191c
0x0040192b
0x00401933
0x00401950
0x00401950
0x00401935
0x00401946
0x00401946
0x0040191e
0x0040191e
0x0040191e
0x0040191c
0x0040190d
0x0040196c
0x0040196e
0x00401970
0x00401974
0x0040197d
0x0040197f
0x0040197f
0x0040198e
0x00401990
0x00401993
0x00401993
0x0040199b

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 0040192B
RegOpenKeyExW.KERNELBASE(?,?,00000000,?,00000000), ref: 00401964
RegCloseKey.ADVAPI32(00000000), ref: 00401977

Strings

Advapi32.dll, xrefs: 0040190F
RegOpenKeyTransactedW, xrefs: 00401925

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressCloseHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 823179699-3913318428
Opcode ID: 6ee1d71fa988bb30e016b90a3485b7a829df65091cdd77d6608e423e28bc6611
Instruction ID: 666d2447c34f23843a47037dd86c3aafb36c38135b32122c0204c92dcdb19132
Opcode Fuzzy Hash: 6ee1d71fa988bb30e016b90a3485b7a829df65091cdd77d6608e423e28bc6611
Instruction Fuzzy Hash: 181190B5200205EBEF248F56CC54FABBBA8EB55700F14403AF905B72A0D7B9DD40DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00423878, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00423878(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t27;
				void* _t43;
				void* _t44;

				_t41 = __edi;
				_t35 = __ebx;
				_push(0x84);
				E0045B8C9(0x4a3fe0, __ebx, __edi, __esi);
				_t43 = __ecx;
				if( *(__ecx + 0x3c) == 0 || InterlockedDecrement( *(__ecx + 0x3c)) != 0) {
					L7:
					 *(_t43 + 0x3c) =  *(_t43 + 0x3c) & 0x00000000;
					 *(_t43 + 8) =  *(_t43 + 8) | 0xffffffff;
					 *(_t43 + 4) =  *(_t43 + 4) & 0x00000000;
					return E0045B878(_t35, _t41, _t43);
				} else {
					L0045A2FE( *(_t43 + 0x3c));
					_t38 =  *(_t43 + 4);
					_t48 =  *(_t43 + 4);
					if( *(_t43 + 4) != 0) {
						E0042393F(_t38, _t48);
					}
					if( *(_t43 + 8) != 0xffffffff) {
						_t27 = FindCloseChangeNotification( *(_t43 + 8)); // executed
						_t50 = _t27;
						if(_t27 == 0) {
							_push(_t27);
							_push(_t43 + 0xc);
							 *((intOrPtr*)(_t44 - 0x40)) = 0x4ae964;
							 *((intOrPtr*)(_t44 - 0x18)) = 0x4ae96c;
							E00408E82(_t35, _t44 - 0x40, _t41, _t43, _t50);
							 *(_t44 - 4) =  *(_t44 - 4) & 0x00000000;
							_push(1);
							_t13 = _t44 - 0x40; // 0x4ae964
							E00416910(_t44 - 0x90, _t43,  *(_t44 - 4));
							E0045A466(_t44 - 0x90, 0x4c9bf0);
						}
					}
					goto L7;
				}
			}

0x00423878
0x00423878
0x00423878
0x00423882
0x00423887
0x0042388d
0x00423905
0x00423905
0x00423909
0x0042390d
0x00423916
0x0042389c
0x0042389f
0x004238a5
0x004238a8
0x004238aa
0x004238ac
0x004238ac
0x004238b5
0x004238ba
0x004238c0
0x004238c2
0x004238c4
0x004238c8
0x004238cc
0x004238d3
0x004238da
0x004238df
0x004238e3
0x004238e5
0x004238ef
0x00423900
0x00423900
0x004238c2
0x00000000
0x004238b5

APIs

__EH_prolog3_GS.LIBCMT ref: 00423882
InterlockedDecrement.KERNEL32(00000000), ref: 00423892
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
__CxxThrowException@8.LIBCMT ref: 00423900

Part of subcall function 0042393F: InterlockedDecrement.KERNEL32(004D9B10), ref: 00423964

Strings

dJ, xrefs: 004238E5, 004238E8
lJ, xrefs: 004238D3

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: DecrementInterlocked$ChangeCloseException@8FindH_prolog3_NotificationThrow
String ID: dJ$lJ
API String ID: 3897068468-817211891
Opcode ID: 295f4e8b5555499cd0c663863b0da7ca42d8ac130088bf4623272b2f54e1579c
Instruction ID: 7255c558e0f31a824aed04fa6c2964e07d47cf900ee808a719c10db471b8f681
Opcode Fuzzy Hash: 295f4e8b5555499cd0c663863b0da7ca42d8ac130088bf4623272b2f54e1579c
Instruction Fuzzy Hash: 9E110C70500314DFCB20AF62DC09B6BB7B4BF01316F50851FE456925A1EBBCAA54CF48

Uniqueness

Uniqueness Score: -1.00%

Function 0044A2D3, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 19%

			E0044A2D3(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;
				void* _t4;

				_t3 = GetProcAddress(GetModuleHandleW(L"kernel32"), "GetNativeSystemInfo");
				_push(_a4);
				if(_t3 != 0) {
					_t4 =  *_t3(); // executed
					return _t4;
				} else {
					GetSystemInfo();
					return _t3; // executed
				}
			}

0x0044a2e7
0x0044a2ed
0x0044a2f2
0x0044a2fc
0x0044a2ff
0x0044a2f4
0x0044a2f4
0x0044a2fb
0x0044a2fb

APIs

GetModuleHandleW.KERNEL32(kernel32,GetNativeSystemInfo,?,00445F90,?), ref: 0044A2E0
GetProcAddress.KERNEL32(00000000), ref: 0044A2E7
GetSystemInfo.KERNEL32(00445F90,?,00445F90,?), ref: 0044A2F4
GetNativeSystemInfo.KERNELBASE(00445F90,?,00445F90,?), ref: 0044A2FC

Strings

GetNativeSystemInfo, xrefs: 0044A2D6
kernel32, xrefs: 0044A2DB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProc
String ID: GetNativeSystemInfo$kernel32
API String ID: 3433367815-3846845290
Opcode ID: 256408497a1f18058d8b92a3c99123d6efa964475f3e904f55bcd00cd31760d0
Instruction ID: eeda1bff8ae2d38d38734f80f42187ee96ac42355eff14b92fb034eb7986a4c9
Opcode Fuzzy Hash: 256408497a1f18058d8b92a3c99123d6efa964475f3e904f55bcd00cd31760d0
Instruction Fuzzy Hash: 50D0C932181209AB9F002BE2AC09AAA3F6CAA46B593500466F919C1120DBAA90915B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0044160B, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 291
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E0044160B(void* __ebx, void* __edx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t104;
				signed int _t107;
				signed int _t122;
				signed int _t128;
				void* _t130;
				signed int _t134;
				void* _t138;
				void* _t140;
				void* _t154;
				long _t168;
				intOrPtr* _t174;
				signed int _t197;
				intOrPtr* _t202;
				intOrPtr* _t205;
				intOrPtr* _t206;
				signed int _t211;
				void* _t212;
				void* _t213;
				intOrPtr* _t214;
				void* _t215;
				void* _t216;
				void* _t217;
				void* _t219;
				void* _t220;
				void* _t227;

				_t227 = __eflags;
				_t210 = __esi;
				_t208 = __edi;
				_t207 = __edx;
				_push(0x114);
				E0045B935(0x4a6ed7, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t212 - 0xe8)) =  *((intOrPtr*)(_t212 + 0x68));
				 *((intOrPtr*)(_t212 - 4)) = 0;
				_t214 = _t213 - 0x30;
				_t174 = _t214;
				_push(0);
				 *0x4d99f8 = 0;
				_push(_t212 + 0x38);
				 *((char*)(_t212 - 4)) = 2;
				 *_t174 = 0x4c2fa0;
				 *((intOrPtr*)(_t174 + 0x28)) = 0x4c2f40;
				E00408E82(0, _t174, __edi, __esi, _t227); // executed
				_t104 = E004470DB(0, __edx, __edi, __esi, _t227); // executed
				_t215 = _t214 + 0x30;
				_t228 = _t104;
				if(_t104 != 0) {
					_push(0xc);
					_t216 = _t215 - 0x30;
					_push(0);
					_push(0);
					_push(_t216);
					E0040A206(0, _t212 + 0x38, __edx, __edi, __esi, __eflags); // executed
					_t107 = E00441E34(0, __edx, _t208, _t210, __eflags); // executed
					_t217 = _t216 + 0x34;
					__eflags = _t107;
					if(_t107 == 0) {
						goto L2;
					} else {
						__eflags =  *((intOrPtr*)(_t212 + 0x20)) - 8;
						_t13 = _t212 + 0xc; // 0x4c2f40
						_t14 = _t212 + 0xc; // 0x4c2f40
						_t113 =  >=  ?  *_t14 : _t13;
						E00442F1F(6,  >=  ?  *_t14 : _t13, 0xffffffff, 0xffffffff);
						__eflags =  *((intOrPtr*)(_t212 + 0x50)) - 8;
						_t116 =  >=  ?  *((void*)(_t212 + 0x3c)) : _t212 + 0x3c;
						E00442F1F(5,  >=  ?  *((void*)(_t212 + 0x3c)) : _t212 + 0x3c, 0xffffffff, 0xffffffff);
						_t219 = _t217 + 0x20;
						while(1) {
							L6:
							 *(_t212 - 0xe4) =  *(_t212 - 0xe4) | 0xffffffff;
							_t208 = 1;
							 *((intOrPtr*)(_t212 - 0xf4)) = 0;
							 *((intOrPtr*)(_t212 - 0xf0)) = 0;
							E00416831(0, _t212 - 0x90, 1, _t210, __eflags);
							_push(0);
							_push(_t212 + 8);
							 *((char*)(_t212 - 4)) = 3;
							 *((intOrPtr*)(_t212 - 0x44)) = 0x4affb8;
							 *((intOrPtr*)(_t212 - 0x1c)) = 0x4affc0;
							E00408E82(0, _t212 - 0x44, 1, _t210, __eflags);
							_push(0);
							_push(0);
							_push(3);
							_push(0x80);
							_push(1);
							_push(0x80000000);
							_push(_t212 - 0x44);
							 *((char*)(_t212 - 4)) = 4;
							_t122 = E00424632(0, _t212 - 0x90, 1, _t210, __eflags); // executed
							_t211 = _t122;
							 *((char*)(_t212 - 4)) = 3;
							E00401B80(_t212 - 0x44);
							__eflags = _t211;
							if(__eflags != 0) {
								break;
							}
							__eflags =  *((char*)(_t212 + 0x6c));
							 *((char*)(_t212 - 0xdd)) = 0;
							if(__eflags != 0) {
								 *((char*)(_t212 - 4)) = 5;
								E004451AC(0, _t212 - 0x90, 1, _t211, __eflags, _t212 - 0x104, _t212 - 0x110, _t212 - 0x11c);
								__eflags =  *(_t212 - 0x8c);
								 *((char*)(_t212 - 0xdd)) =  *(_t212 - 0x8c) != 0;
								 *((intOrPtr*)(_t212 - 4)) = 3;
							}
							__eflags =  *0x4d9a18;
							if(__eflags != 0) {
								 *((char*)(_t212 - 4)) = 7;
								 *((intOrPtr*)(_t212 - 0xfc)) = E00425464(0, _t212 - 0x90, _t208, _t211, __eflags, _t212 - 0xf8);
								E00442F1F(7, 0, _t159,  *((intOrPtr*)(_t212 - 0xf8)));
								_t219 = _t219 + 0x10;
								 *((intOrPtr*)(_t212 - 4)) = 3;
							}
							E00416831(0, _t212 - 0xdc, _t208, _t211, __eflags);
							_push(0);
							_push(_t212 + 0x38);
							 *((char*)(_t212 - 4)) = 9;
							 *((intOrPtr*)(_t212 - 0x44)) = 0x4affb8;
							 *((intOrPtr*)(_t212 - 0x1c)) = 0x4affc0;
							E00408E82(0, _t212 - 0x44, _t208, _t211, __eflags);
							_push(0);
							_push(0);
							_push(2);
							_push(0x80);
							_push(_t208);
							_push(0x40000000);
							_push(_t212 - 0x44);
							 *((char*)(_t212 - 4)) = 0xa;
							_t128 = E00424632(0, _t212 - 0xdc, _t208, _t211, __eflags); // executed
							_t210 = _t128;
							 *((char*)(_t212 - 4)) = 9;
							E00401B80(_t212 - 0x44);
							__eflags = _t210;
							if(__eflags == 0) {
								_t130 = E00442F1F(0, 0, 0xffffffff, 0xffffffff);
								_t220 = _t219 + 0x10;
								__eflags = _t130 - 2;
								if(__eflags == 0) {
									goto L17;
								} else {
									_push( *((intOrPtr*)(_t212 - 0xe8)));
									_t210 = E0045C169(0, _t207, _t208, __eflags);
									 *(_t212 - 0xec) = _t210;
									do {
										 *((char*)(_t212 - 4)) = 0xc;
										_t134 = E00415549(0, _t212 - 0x90, _t208, _t210, __eflags, _t210,  *((intOrPtr*)(_t212 - 0xe8))); // executed
										_t208 = _t134;
										 *(_t212 - 0xe4) = _t208;
										 *((intOrPtr*)(_t212 - 4)) = 0xb;
										__eflags = _t208 - 0xffffffff;
										if(_t208 != 0xffffffff) {
											__eflags = _t208;
											if(__eflags != 0) {
												goto L23;
											}
										}
										L25:
										__eflags =  *((char*)(_t212 + 0x6c));
										if( *((char*)(_t212 + 0x6c)) != 0) {
											__eflags = _t208 - 0xffffffff;
											if(_t208 != 0xffffffff) {
												_t197 =  *((intOrPtr*)(_t212 - 0xdd));
												_t207 = 0;
												__eflags = _t197;
												_t147 =  !=  ? 0 : _t212 - 0x11c;
												__eflags = _t197;
												_t149 =  !=  ? 0 : _t212 - 0x110;
												 *((char*)(_t212 - 4)) = 0xe;
												E004496EA(0, _t212 - 0xdc, _t208, _t210, _t197, _t212 - 0x104,  !=  ? 0 : _t212 - 0x110,  !=  ? 0 : _t212 - 0x11c);
												 *((intOrPtr*)(_t212 - 4)) = 0xb;
											}
										}
										L0045A2FE(_t210); // executed
										 *((char*)(_t212 - 4)) = 3;
										E004176D4(0, _t212 - 0xdc, _t208, _t210, __eflags); // executed
										 *((char*)(_t212 - 4)) = 2;
										E004176D4(0, _t212 - 0x90, _t208, _t210, __eflags);
										_push( *((intOrPtr*)(_t212 - 0xf0)));
										_push( *((intOrPtr*)(_t212 - 0xf4)));
										_push(0);
										_t138 = 3;
										__eflags = _t208 - 0xffffffff;
										_t139 =  !=  ? 1 : _t138;
										_push( !=  ? 1 : _t138);
										_t140 = E00442F1F();
										_t219 = _t220 + 0x10;
										__eflags = _t140 - 4;
										if(__eflags == 0) {
											goto L6;
										} else {
											 *0x4d99f8 = GetLastError();
											E00401B80(_t212 + 8);
											E00401B80(_t212 + 0x38);
											__eflags = _t208 - 0xffffffff;
										}
										goto L3;
										L23:
										_push(_t208);
										_push(_t210);
										E0043AF40(0, _t212 - 0xdc, _t208, _t210, __eflags); // executed
										asm("adc eax, ebx");
										 *((intOrPtr*)(_t212 - 0xf4)) =  *((intOrPtr*)(_t212 - 0xf4)) + _t208;
										_t154 = E00442F1F(4, 0,  *((intOrPtr*)(_t212 - 0xf4)) + _t208,  *((intOrPtr*)(_t212 - 0xf0)));
										_t220 = _t220 + 0x10;
										__eflags = _t154 - 2;
									} while (__eflags != 0);
									_t208 = _t208 | 0xffffffff;
									__eflags = _t208;
									 *(_t212 - 0xe4) = _t208;
									goto L25;
								}
							} else {
								_t202 = _t219 - 0x30;
								_push(0);
								 *0x4d99f8 = _t210;
								_push(_t212 + 0x38);
								 *_t202 = 0x4c2fa0;
								 *((intOrPtr*)(_t202 + 0x28)) = 0x4c2f40;
								E00408E82(0, _t202, _t208, _t210, __eflags);
								E004496BE(0, _t208, _t210, __eflags);
								L17:
								 *((char*)(_t212 - 4)) = 3;
								E004176D4(0, _t212 - 0xdc, _t208, _t210, __eflags);
								L8:
								 *((char*)(_t212 - 4)) = 2;
								E004176D4(0, _t212 - 0x90, _t208, _t210, __eflags);
								goto L2;
							}
							goto L3;
						}
						_t205 = _t219 - 0x30;
						_push(0);
						 *0x4d99f8 = _t211;
						_push(_t212 + 8);
						 *_t205 = 0x4c2fa0;
						 *((intOrPtr*)(_t205 + 0x28)) = 0x4c2f40;
						E00408E82(0, _t205, 1, _t211, __eflags);
						E004496BE(0, 1, _t211, __eflags);
						goto L8;
					}
				} else {
					_t168 = GetLastError();
					_t206 = _t215 - 0x30;
					 *0x4d99f8 = _t168;
					_push(0);
					_push(_t212 + 0x38);
					 *_t206 = 0x4c2fa0;
					 *((intOrPtr*)(_t206 + 0x28)) = 0x4c2f40;
					E00408E82(0, _t206, __edi, __esi, _t228);
					E004496BE(0, _t208, _t210, _t228);
					L2:
					E00401B80(_t212 + 8);
					E00401B80(_t212 + 0x38);
				}
				L3:
				return E0045B887(0, _t208, _t210);
			}

0x0044160b
0x0044160b
0x0044160b
0x0044160b
0x0044160b
0x00441615
0x0044161d
0x00441625
0x00441628
0x0044162b
0x0044162d
0x00441631
0x00441637
0x00441638
0x0044163c
0x00441642
0x00441649
0x0044164e
0x00441653
0x00441656
0x00441658
0x004416a1
0x004416a3
0x004416a8
0x004416a9
0x004416aa
0x004416ae
0x004416b3
0x004416b8
0x004416bb
0x004416bd
0x00000000
0x004416bf
0x004416bf
0x004416c5
0x004416c8
0x004416c8
0x004416d1
0x004416d9
0x004416e2
0x004416eb
0x004416f0
0x004416f3
0x004416f3
0x004416f3
0x00441702
0x00441703
0x00441709
0x0044170f
0x00441714
0x00441718
0x0044171c
0x00441720
0x00441727
0x0044172e
0x00441733
0x00441734
0x00441735
0x00441737
0x0044173c
0x0044173d
0x00441745
0x0044174c
0x00441750
0x00441758
0x0044175a
0x0044175e
0x00441763
0x00441765
0x00000000
0x00000000
0x004417a5
0x004417a9
0x004417af
0x004417cc
0x004417d0
0x004417d5
0x004417dc
0x004417f4
0x004417f4
0x004417fb
0x00441802
0x00441815
0x00441824
0x0044182e
0x00441833
0x00441883
0x00441883
0x00441890
0x00441895
0x00441899
0x0044189d
0x004418a1
0x004418a8
0x004418af
0x004418b4
0x004418b5
0x004418b6
0x004418b8
0x004418bd
0x004418be
0x004418c6
0x004418cd
0x004418d1
0x004418d9
0x004418db
0x004418df
0x004418e4
0x004418e6
0x0044192c
0x00441931
0x00441934
0x00441937
0x00000000
0x00441939
0x00441939
0x00441944
0x00441947
0x0044194d
0x0044195a
0x0044195e
0x00441963
0x00441965
0x004419b7
0x004419be
0x004419c1
0x004419c3
0x004419c5
0x00000000
0x00000000
0x004419c5
0x00441a0f
0x00441a0f
0x00441a13
0x00441a15
0x00441a18
0x00441a1a
0x00441a20
0x00441a22
0x00441a2a
0x00441a2e
0x00441a36
0x00441a47
0x00441a4b
0x00441a66
0x00441a66
0x00441a18
0x00441a6e
0x00441a7a
0x00441a7e
0x00441a89
0x00441a8d
0x00441a92
0x00441a9a
0x00441aa1
0x00441aa4
0x00441aa5
0x00441aa8
0x00441aab
0x00441aac
0x00441ab1
0x00441ab4
0x00441ab7
0x00000000
0x00441abd
0x00441ac6
0x00441acb
0x00441ad3
0x00441ada
0x00441add
0x00000000
0x004419c7
0x004419c7
0x004419c8
0x004419cf
0x004419e2
0x004419e9
0x004419f5
0x004419fa
0x004419fd
0x004419fd
0x00441a06
0x00441a06
0x00441a09
0x00000000
0x00441a09
0x004418e8
0x004418eb
0x004418ed
0x004418f1
0x004418f7
0x004418f8
0x004418fe
0x00441905
0x0044190a
0x00441912
0x00441918
0x0044191c
0x00441791
0x00441797
0x0044179b
0x00000000
0x0044179b
0x00000000
0x004418e6
0x0044176a
0x0044176c
0x00441770
0x00441776
0x00441777
0x0044177d
0x00441784
0x00441789
0x00000000
0x0044178e
0x0044165a
0x0044165a
0x00441663
0x00441665
0x0044166a
0x0044166e
0x0044166f
0x00441675
0x0044167c
0x00441681
0x00441689
0x0044168c
0x00441694
0x00441699
0x0044169b
0x004416a0

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00441615

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2

GetLastError.KERNEL32 ref: 0044165A

Part of subcall function 004496BE: __EH_prolog3.LIBCMT ref: 004496C5

Part of subcall function 004451AC: __EH_prolog3_GS.LIBCMT ref: 004451B6
Part of subcall function 004451AC: __CxxThrowException@8.LIBCMT ref: 00445218
Part of subcall function 004451AC: GetFileTime.KERNEL32(?,@/L,?,?,00000108,004417D5,?,?,?,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00445222

Strings

@/L, xrefs: 004418FE
@/L, xrefs: 004416C5, 004416C8, 004416CE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_H_prolog3_catch_ThrowTime
String ID: @/L$@/L
API String ID: 2981398202-2149722323
Opcode ID: 3a5c586f2fd986cabb02e1e58dfc93d0c81e6bddf09de758146a92bbc2512264
Instruction ID: d24d2329456ce2d65250a96b37950dba0df017dd7ff9d5dc863a5a96e2a9edb2
Opcode Fuzzy Hash: 3a5c586f2fd986cabb02e1e58dfc93d0c81e6bddf09de758146a92bbc2512264
Instruction Fuzzy Hash: C1B1D2B1801158EFEB10EB64CD41BEE7B78AB01318F50429FF82962291EB744F89CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0044DA4D, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0044DA4D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t123;
				intOrPtr _t139;
				intOrPtr _t140;
				intOrPtr* _t141;
				void* _t142;
				intOrPtr _t147;
				void* _t151;
				void* _t167;
				void* _t178;
				intOrPtr _t185;
				char _t186;
				intOrPtr* _t193;
				intOrPtr _t201;
				intOrPtr _t205;
				void* _t210;
				intOrPtr _t227;
				void* _t228;
				void* _t229;
				intOrPtr* _t230;
				void* _t231;
				void* _t232;

				_t232 = __eflags;
				_push(0x1b8);
				E0045B8C9(0x4a9069, __ebx, __edi, __esi);
				_t227 = __ecx;
				 *((intOrPtr*)(_t228 - 0x188)) = __ecx;
				_t185 = __ecx + 4;
				 *((intOrPtr*)(_t228 - 4)) = 1;
				 *((intOrPtr*)(_t228 - 0x18c)) = _t185;
				E0044CBB0(_t185);
				_t5 = _t185 + 0xc; // 0x11
				E0044CB4A(_t5);
				 *((char*)(_t227 + 0x4c)) =  *((intOrPtr*)(_t228 + 0x68));
				 *((intOrPtr*)(_t228 - 0x19c)) = _t227 + 0x50;
				E004095E2(_t227 + 0x50, _t228 + 0x38);
				E004095E2(_t227 + 0x1c, _t228 + 8);
				_t186 = 0;
				 *((intOrPtr*)(_t228 - 0x198)) = 0;
				 *((intOrPtr*)(_t228 - 0x194)) = 0;
				 *((intOrPtr*)(_t228 - 0x190)) = 0;
				_push(_t227 + 0x88);
				_push(_t227 + 0x84);
				_push(_t228 - 0x198);
				_t230 = _t229 - 0x30;
				_t193 = _t230;
				_push(0);
				_t225 = 0x4c2fa0;
				_push(_t228 + 8);
				 *((char*)(_t228 - 4)) = 2;
				 *_t193 = 0x4c2fa0;
				 *((intOrPtr*)(_t193 + 0x28)) = 0x4c2f40;
				E00408E82(0, _t193, 0x4c2fa0, _t227, _t232); // executed
				_t123 = E0044D5E6(0, __edx, 0x4c2fa0, _t227, _t232); // executed
				_t231 = _t230 + 0x3c;
				 *((intOrPtr*)(_t227 + 0x8c)) = _t123;
				if(_t123 == 0) {
					 *((intOrPtr*)(_t228 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t228 - 0x18)) = 0x4c2f40;
					E00404200(_t228 - 0x40, _t228 - 0x17d, 0);
					_t225 =  *((intOrPtr*)(_t227 + 8));
					_t227 =  *((intOrPtr*)(_t228 - 0x198));
					 *((char*)(_t228 - 4)) = 3;
					while(_t227 !=  *((intOrPtr*)(_t228 - 0x194))) {
						E004095E2(_t228 - 0x40, _t227);
						__eflags =  *((intOrPtr*)(_t228 - 0x2c));
						if( *((intOrPtr*)(_t228 - 0x2c)) != 0) {
							__eflags =  *((intOrPtr*)(_t228 - 0x28)) - 8;
							_t133 =  >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c;
							__eflags =  *((short*)( >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c)) - 0x3b;
							if( *((short*)( >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c)) == 0x3b) {
								goto L3;
							} else {
								__eflags =  *((intOrPtr*)(_t228 - 0x28)) - 8;
								_t138 =  >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c;
								__eflags =  *((short*)( >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c)) - 0x5b;
								if( *((short*)( >=  ?  *((void*)(_t228 - 0x3c)) : _t228 - 0x3c)) != 0x5b) {
									_t139 =  *((intOrPtr*)(_t228 - 0x188));
									__eflags =  *((intOrPtr*)(_t139 + 8)) - _t225;
									if( *((intOrPtr*)(_t139 + 8)) != _t225) {
										_t140 =  *((intOrPtr*)(_t228 - 0x19c));
										__eflags = _t140;
										if(_t140 == 0) {
											_t141 = _t186;
										} else {
											_t141 = _t140 + 4;
										}
										__eflags =  *((intOrPtr*)(_t141 + 0x14)) - 8;
										_t201 =  *((intOrPtr*)(_t141 + 0x10));
										if( *((intOrPtr*)(_t141 + 0x14)) >= 8) {
											_t141 =  *_t141;
										}
										_t142 = E0040A017(_t228 - 0x3c, _t141, _t186, _t201);
										__eflags = _t142 - 0xffffffff;
										_t143 =  ==  ?  *((void*)(_t228 - 0x2c)) : _t142;
										 *((intOrPtr*)(_t228 - 0x184)) =  ==  ?  *((void*)(_t228 - 0x2c)) : _t142;
										E0040AABC(_t228 - 0x40, _t228 - 0xd0, _t186,  ==  ?  *((void*)(_t228 - 0x2c)) : _t142);
										_push(1);
										 *((char*)(_t228 - 4)) = 8;
										E00457EDE(_t228 - 0xa0);
										_t147 =  *((intOrPtr*)(_t228 - 0x2c));
										_t205 =  *((intOrPtr*)(_t228 - 0x184));
										 *((char*)(_t228 - 4)) = 9;
										__eflags = _t205 - _t147;
										if(__eflags < 0) {
											__eflags = _t147 - _t205 - 1;
											E0040AABC(_t228 - 0x40, _t228 - 0x100, _t205 + 1, _t147 - _t205 - 1);
											 *((char*)(_t228 - 4)) = 0xa;
											E004095E2(_t228 - 0xa0, _t228 - 0x100);
											 *((char*)(_t228 - 4)) = 9;
											E00401B80(_t228 - 0x100);
										}
										_push(_t228 - 0xa0);
										_push(_t228 - 0xd0);
										_push(_t228 - 0x130);
										_t151 = E0044BA62(_t186, _t225, _t227, __eflags);
										_t231 = _t231 + 0xc;
										 *((char*)(_t228 - 4)) = 0xb;
										E0044D971(_t225 + 0x34, _t228 - 0x1a0, _t151);
										 *((char*)(_t228 - 4)) = 0xc;
										L00457F09(_t228 - 0x100);
										E00401B80(_t228 - 0x130);
										 *((char*)(_t228 - 4)) = 8;
										L00457F09(_t228 - 0xa0);
										_t210 = _t228 - 0xd0;
										goto L19;
									}
								} else {
									 *((intOrPtr*)(_t228 - 0x184)) = 0x5d;
									_t167 = E0040A017(_t228 - 0x3c, _t228 - 0x184, _t186, 1);
									__eflags = _t167 - 0xffffffff;
									if(__eflags != 0) {
										_push(_t186);
										_push(_t228 - 0x17d);
										_push(_t167 - 1);
										_push(1);
										_push(_t228 - 0x40);
										 *((intOrPtr*)(_t228 - 0x70)) = 0x4c2fa0;
										 *((intOrPtr*)(_t228 - 0x48)) = 0x4c2f40;
										E00408EF3(_t186, _t228 - 0x70, _t225, _t227, __eflags);
										 *((char*)(_t228 - 4)) = 4;
										_t225 =  *((intOrPtr*)(E0044D865( *((intOrPtr*)(_t228 - 0x18c)), _t228 - 0x1a8, _t228 - 0x70)));
										__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t228 - 0x188)) + 8)) - _t225;
										if(__eflags == 0) {
											_push(E00458DA8(_t228 - 0x1c4));
											_push(_t228 - 0x70);
											_push(_t228 - 0x17c);
											 *((char*)(_t228 - 4)) = 5;
											_t178 = E0044BABC(_t186, _t225, _t227, __eflags);
											_t231 = _t231 + 0xc;
											 *((char*)(_t228 - 4)) = 6;
											_t225 =  *((intOrPtr*)(E0044D9DF( *((intOrPtr*)(_t228 - 0x18c)), _t228 - 0x1a4, _t178)));
											 *((char*)(_t228 - 4)) = 7;
											E00458DEE(_t228 - 0x14c);
											E00401B80(_t228 - 0x17c);
											 *((char*)(_t228 - 4)) = 4;
											E00458DEE(_t228 - 0x1c4);
										}
										_t210 = _t228 - 0x70;
										L19:
										 *((char*)(_t228 - 4)) = 3;
										E00401B80(_t210);
										goto L20;
									}
								}
							}
						} else {
							L3:
							E00409FA9(_t228 - 0x40, _t186, 0xffffffff);
							L20:
							_t227 = _t227 + 0x30;
							__eflags = _t227;
							continue;
						}
						L23:
						E00401B80(_t228 - 0x40);
						goto L24;
					}
					 *((char*)( *((intOrPtr*)(_t228 - 0x188)) + 0x4d)) = _t186;
					_t186 = 1;
					goto L23;
				}
				L24:
				E00409C7E(_t228 - 0x198);
				E00401B80(_t228 + 8);
				E00401B80(_t228 + 0x38);
				return E0045B878(_t186, _t225, _t227);
			}

0x0044da4d
0x0044da4d
0x0044da57
0x0044da5c
0x0044da5e
0x0044da64
0x0044da69
0x0044da70
0x0044da76
0x0044da7b
0x0044da7e
0x0044da86
0x0044da92
0x0044da98
0x0044daa4
0x0044daa9
0x0044daab
0x0044dab1
0x0044dab7
0x0044dac3
0x0044daca
0x0044dad1
0x0044dad2
0x0044dad5
0x0044dad7
0x0044dadb
0x0044dae0
0x0044dae1
0x0044dae5
0x0044dae7
0x0044daee
0x0044daf3
0x0044daf8
0x0044dafb
0x0044db03
0x0044db14
0x0044db17
0x0044db1e
0x0044db23
0x0044db26
0x0044db2c
0x0044dd77
0x0044db39
0x0044db3e
0x0044db42
0x0044db54
0x0044db5b
0x0044db5f
0x0044db63
0x00000000
0x0044db65
0x0044db65
0x0044db6c
0x0044db70
0x0044db74
0x0044dc59
0x0044dc5f
0x0044dc62
0x0044dc68
0x0044dc6e
0x0044dc70
0x0044dc77
0x0044dc72
0x0044dc72
0x0044dc72
0x0044dc79
0x0044dc7d
0x0044dc80
0x0044dc82
0x0044dc82
0x0044dc8a
0x0044dc8f
0x0044dc92
0x0044dc97
0x0044dca8
0x0044dcad
0x0044dcb5
0x0044dcb9
0x0044dcbe
0x0044dcc1
0x0044dcc7
0x0044dccb
0x0044dccd
0x0044dcd1
0x0044dce1
0x0044dcf3
0x0044dcf7
0x0044dd02
0x0044dd06
0x0044dd06
0x0044dd11
0x0044dd18
0x0044dd1f
0x0044dd20
0x0044dd25
0x0044dd33
0x0044dd37
0x0044dd42
0x0044dd46
0x0044dd51
0x0044dd5c
0x0044dd60
0x0044dd65
0x00000000
0x0044dd65
0x0044db7a
0x0044db87
0x0044db91
0x0044db96
0x0044db99
0x0044db9f
0x0044dba6
0x0044dba8
0x0044dba9
0x0044dbae
0x0044dbb2
0x0044dbb9
0x0044dbc0
0x0044dbd6
0x0044dbdf
0x0044dbe7
0x0044dbea
0x0044dbf7
0x0044dbfb
0x0044dc02
0x0044dc03
0x0044dc07
0x0044dc0c
0x0044dc1d
0x0044dc26
0x0044dc2e
0x0044dc32
0x0044dc3d
0x0044dc48
0x0044dc4c
0x0044dc4c
0x0044dc51
0x0044dd6b
0x0044dd6b
0x0044dd6f
0x00000000
0x0044dd6f
0x0044db99
0x0044db74
0x0044db44
0x0044db44
0x0044db4a
0x0044dd74
0x0044dd74
0x0044dd74
0x00000000
0x0044dd74
0x0044dd8e
0x0044dd91
0x00000000
0x0044dd91
0x0044dd89
0x0044dd8c
0x00000000
0x0044dd8c
0x0044dd96
0x0044dd9c
0x0044dda4
0x0044ddac
0x0044ddb8

APIs

__EH_prolog3_GS.LIBCMT ref: 0044DA57

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044D5E6: __EH_prolog3_GS.LIBCMT ref: 0044D5ED

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Strings

@/L, xrefs: 0044DB17
@/L, xrefs: 0044DBB9
@/L, xrefs: 0044DAE7
], xrefs: 0044DB87

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$H_prolog3
String ID: @/L$@/L$@/L$]
API String ID: 532146472-2667237272
Opcode ID: 76af3a991ef2415d7249b3b6997e83aa715108f18a696abe5775bb80f1e85060
Instruction ID: 70d7903d7185445953a6820a8f3bb1263b7c72cf5dde4c93e5d95424a7bf9854
Opcode Fuzzy Hash: 76af3a991ef2415d7249b3b6997e83aa715108f18a696abe5775bb80f1e85060
Instruction Fuzzy Hash: 7EA16E71C00118EEDB11EBA5C891BDDB7B8AF15304F5040EEE50AA3292EF74AB48CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00448D7A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91
registryCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00448D7A(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t50;
				long _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t88;
				long _t91;
				void* _t94;

				_push(0x5c);
				E0045B8C9(0x4a81f7, __ebx, __edi, __esi);
				_t88 =  *((intOrPtr*)(_t94 + 8));
				 *((intOrPtr*)(_t94 - 0x5c)) = 0;
				 *((intOrPtr*)(_t94 - 4)) = 0;
				 *((intOrPtr*)(_t94 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t94 - 0x18)) = 0x4c2f40;
				E00404200(_t94 - 0x40, _t94 - 0x41, 0);
				 *(_t94 - 0x54) = 0;
				 *((intOrPtr*)(_t94 - 0x50)) = 0;
				 *((intOrPtr*)(_t94 - 0x4c)) = 0;
				_t49 =  >=  ?  *((void*)(_t94 + 0x14)) : _t94 + 0x14;
				 *((char*)(_t94 - 4)) = 4;
				_t50 = E004018F0(_t94 - 0x54,  *((intOrPtr*)(_t94 + 0xc)),  >=  ?  *((void*)(_t94 + 0x14)) : _t94 + 0x14,  *((intOrPtr*)(_t94 + 0xa0))); // executed
				_t91 = _t50;
				if(_t91 == 0) {
					_t19 = _t94 - 0x48; // 0x4c2f40
					_t62 =  >=  ?  *((void*)(_t94 + 0x44)) : _t94 + 0x44;
					_t63 = RegQueryValueExW( *(_t94 - 0x54),  >=  ?  *((void*)(_t94 + 0x44)) : _t94 + 0x44, 0, _t94 - 0x58, 0, _t19); // executed
					_t91 = _t63;
					if(_t91 == 0) {
						_t24 = _t94 - 0x48; // 0x4c2f40
						_t65 = E0040A14B(_t94 - 0x40, _t94 - 0x68,  *_t24);
						_t93 =  >=  ?  *((void*)(_t94 + 0x44)) : _t94 + 0x44;
						 *((char*)(_t94 - 4)) = 5;
						 *((char*)(_t65 + 4)) = 1;
						_t66 = E0040A0F0(_t65,  *_t65);
						_push(_t94 - 0x48);
						_push( >=  ?  *((void*)(_t94 + 0x44)) : _t94 + 0x44);
						_t91 = E0043F577(_t94 - 0x54, _t88,  *_t66);
						 *((char*)(_t94 - 4)) = 4;
						E00409574(0, _t94 - 0x68, _t88, _t91,  *((intOrPtr*)(_t94 + 0x58)) - 8);
					}
				}
				_t52 =  !=  ? _t94 + 0x70 : _t94 - 0x40;
				_push(0);
				 *0x4d99f8 = _t91;
				_push( !=  ? _t94 + 0x70 : _t94 - 0x40);
				 *_t88 = 0x4c2fa0;
				 *((intOrPtr*)(_t88 + 0x28)) = 0x4c2f40;
				E00408E82(0, _t88, _t88, _t91, _t91);
				E004018C0(_t94 - 0x54);
				E00401B80(_t94 - 0x40);
				E00401B80(_t94 + 0x10);
				E00401B80(_t94 + 0x40);
				E00401B80(_t94 + 0x70);
				return E0045B878(0, _t88, _t91);
			}

0x00448d7a
0x00448d81
0x00448d86
0x00448d8e
0x00448d91
0x00448d9c
0x00448da3
0x00448daa
0x00448daf
0x00448db2
0x00448db5
0x00448dc5
0x00448dce
0x00448dd2
0x00448dd7
0x00448ddb
0x00448de1
0x00448ded
0x00448df6
0x00448dfc
0x00448e00
0x00448e02
0x00448e0c
0x00448e1a
0x00448e1e
0x00448e22
0x00448e26
0x00448e2e
0x00448e2f
0x00448e3d
0x00448e3f
0x00448e43
0x00448e43
0x00448e00
0x00448e50
0x00448e53
0x00448e54
0x00448e5a
0x00448e5d
0x00448e63
0x00448e6a
0x00448e72
0x00448e7a
0x00448e82
0x00448e8a
0x00448e92
0x00448e9e

APIs

__EH_prolog3_GS.LIBCMT ref: 00448D81

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977

RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Part of subcall function 0043F577: RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,@/L,00448E3A,00000000,?,004C2F40,?,@/L), ref: 0043F598

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Strings

@/L, xrefs: 00448E63
@/L, xrefs: 00448DA3
@/L, xrefs: 00448DE1, 00448E02, 00448DE4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_QueryStringValue$AllocCloseHandleModule
String ID: @/L$@/L$@/L
API String ID: 3053678408-1531812684
Opcode ID: b3adcc722fab45b2e15634526bf07b98baf854b6c79dfcfd57094ceb0fba8d98
Instruction ID: ac7b5066a87a6bc5963b6742557b43daf190e8c0cacba5cf6ef970dab64e48b7
Opcode Fuzzy Hash: b3adcc722fab45b2e15634526bf07b98baf854b6c79dfcfd57094ceb0fba8d98
Instruction Fuzzy Hash: 6D310671800259DFCB05EF96C9919DEBBB8FF14348F50406EE905A7291DB74AE09CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0043AF40, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0043AF40(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				int _t19;
				void* _t38;
				void* _t39;

				_t36 = __edi;
				_push(0x88);
				E0045B8C9(0x4a63ec, __ebx, __edi, __esi);
				_t38 = __ecx;
				_t17 =  *((intOrPtr*)(_t39 + 0xc));
				_t18 =  ==  ? 1 : _t17;
				_t19 = WriteFile( *(__ecx + 8),  *(_t39 + 8),  ==  ? 1 : _t17, _t39 - 0x94, 0); // executed
				_t42 = _t19;
				if(_t19 == 0) {
					_push(_t19);
					_push(_t38 + 0xc);
					 *((intOrPtr*)(_t39 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t39 - 0x18)) = 0x4ae96c;
					E00408E82(1, _t39 - 0x40, __edi, _t38, _t42);
					_t9 = _t39 - 4;
					 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
					_push(1);
					_push(_t39 - 0x40);
					E00416910(_t39 - 0x90, _t38,  *_t9);
					E0045A466(_t39 - 0x90, 0x4c9bf0);
				}
				return E0045B878(1, _t36, _t38);
			}

0x0043af40
0x0043af40
0x0043af4a
0x0043af4f
0x0043af51
0x0043af66
0x0043af6e
0x0043af74
0x0043af76
0x0043af78
0x0043af7c
0x0043af80
0x0043af87
0x0043af8e
0x0043af93
0x0043af93
0x0043af97
0x0043af9b
0x0043afa2
0x0043afb3
0x0043afb3
0x0043afc3

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AF4A
WriteFile.KERNELBASE(?,?,?,?,00000000,00000088,0048A746,?,00000000,004AFFB8,40000000,00000001,00000080,00000002,00000000,00000000), ref: 0043AF6E

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917

__CxxThrowException@8.LIBCMT ref: 0043AFB3

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

dJ, xrefs: 0043AF80
lJ, xrefs: 0043AF87

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
String ID: dJ$lJ
API String ID: 3362004152-817211891
Opcode ID: 7afeebe6458d2cddc67b9b2e8b5f920693a36522f19a3d81d8e2acb1d0efa69c
Instruction ID: 8fda84865bcee345883bac21e4513330d2e3b4510c507b3030c9d7ca402fde36
Opcode Fuzzy Hash: 7afeebe6458d2cddc67b9b2e8b5f920693a36522f19a3d81d8e2acb1d0efa69c
Instruction Fuzzy Hash: 7B011AB1900218EFDB10EBA1CC81FAEB37CFB14314F10856EF959A6191DB74AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00421F5D, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00421F5D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t79;
				intOrPtr _t85;
				void* _t87;
				char _t88;
				char _t98;
				signed int _t113;
				void* _t116;
				void* _t119;
				intOrPtr _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				intOrPtr _t127;
				void* _t128;

				_push(0xb0);
				E0045B8C9(0x4a3d13, __ebx, __edi, __esi);
				_t119 = __ecx;
				 *((intOrPtr*)(_t122 - 0xb0)) = 0;
				 *((intOrPtr*)(_t122 - 0xac)) = 0;
				 *((intOrPtr*)(_t122 - 0xa8)) = 0;
				 *((intOrPtr*)(_t122 - 4)) = 0;
				_push(_t122 - 0xb0);
				_t124 = _t123 - 0x30;
				_t98 = 1;
				E004091B8(_t124, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\", _t122 - 0xa1, 1);
				_push((0 |  *((intOrPtr*)(__ecx + 0xe)) != 0x00000000) + 0x80000001); // executed
				E0044880F(1, __ecx, __esi,  *((intOrPtr*)(__ecx + 0xe))); // executed
				_t121 =  *((intOrPtr*)(_t122 - 0xb0));
				_t125 = _t124 + 0x38;
				while(_t121 !=  *((intOrPtr*)(_t122 - 0xac))) {
					_push(_t122 - 0x70);
					_push(0x20019);
					_t126 = _t125 - 0x30;
					 *((intOrPtr*)(_t122 - 0xb4)) = _t126;
					E004091B8(_t126, 0x4c2d7c, _t122 - 0xa1, _t98);
					_t127 = _t126 - 0x30;
					 *((intOrPtr*)(_t122 - 0xbc)) = _t127;
					 *((char*)(_t122 - 4)) = _t98;
					E004091B8(_t127, L"ProductGuid", _t122 - 0xa1, _t98);
					_push(0);
					_push(_t122 - 0xa1);
					_push(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\");
					 *((char*)(_t122 - 4)) = 2;
					 *((intOrPtr*)(_t122 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t122 - 0x18)) = 0x4c2f40;
					E00408F6D(_t98, _t122 - 0x40, _t119, _t121, __eflags);
					_t128 = _t127 - 0x30;
					_push(_t121);
					_push(_t128);
					 *((char*)(_t122 - 4)) = 3;
					E0040B91E(_t98, _t122 - 0x40, _t119, _t121, __eflags);
					__eflags =  *((intOrPtr*)(_t119 + 0xe));
					 *((char*)(_t122 - 4)) = 4;
					_push((0 | __eflags != 0x00000000) + 0x80000001);
					_t79 = E00448D7A(_t98, _t119, _t121, __eflags); // executed
					_t125 = _t128 + 0x9c;
					 *((char*)(_t122 - 4)) = 5;
					E00425109(_t98, _t79, _t116, __eflags, _t122 - 0xa0);
					E00401B80(_t122 - 0xa0);
					 *((char*)(_t122 - 4)) = 8;
					E00401B80(_t122 - 0x40);
					_t85 = E0040AB22(_t119 + 0x288, _t122 - 0x70);
					__eflags = _t85;
					if(_t85 != 0) {
						_push(_t121);
						E00425020(_t98, _t119 + 0x30);
					}
					 *((char*)(_t122 - 4)) = 0;
					E00401B80(_t122 - 0x70);
					_t87 = 0x30;
					_t121 = _t121 + _t87;
					__eflags = _t121;
				}
				if( *((intOrPtr*)(_t119 + 0x2c)) != 4 || ( *(_t119 + 0x28) & 0x00000002) != 0) {
					_t98 = 0;
				}
				 *((char*)(_t119 + 0x17)) = _t98;
				_t88 = E00422126(_t98, _t119);
				 *((char*)(_t119 + 0x16)) = _t88;
				if(_t88 == 0 &&  *((intOrPtr*)(_t119 + 0x17)) == _t88) {
					asm("cdq");
					_t113 = 0x30;
					if(( *((intOrPtr*)(_t119 + 0x34)) -  *((intOrPtr*)(_t119 + 0x30))) / _t113 != 0 &&  *((intOrPtr*)(_t119 + 0x1ac)) == 0) {
						E004095E2(_t119 + 0x198,  *((intOrPtr*)(_t119 + 0x30)));
					}
				}
				E00409C7E(_t122 - 0xb0);
				return E0045B878(_t98, _t119, _t121);
			}

0x00421f5d
0x00421f67
0x00421f6c
0x00421f70
0x00421f76
0x00421f7c
0x00421f82
0x00421f8b
0x00421f8c
0x00421f93
0x00421fa1
0x00421fb3
0x00421fb4
0x00421fb9
0x00421fbf
0x004220be
0x00421fca
0x00421fcb
0x00421fd0
0x00421fd5
0x00421fe8
0x00421fed
0x00421ff2
0x00422005
0x00422008
0x0042200d
0x00422015
0x00422016
0x0042201e
0x00422022
0x00422029
0x00422030
0x00422035
0x0042203a
0x0042203b
0x0042203f
0x00422043
0x0042204a
0x0042204d
0x00422059
0x00422061
0x00422066
0x0042206e
0x00422072
0x0042207d
0x00422085
0x00422089
0x00422099
0x004220a0
0x004220a2
0x004220a7
0x004220a8
0x004220a8
0x004220b0
0x004220b4
0x004220bb
0x004220bc
0x004220bc
0x004220bc
0x004220ce
0x004220d6
0x004220d6
0x004220da
0x004220dd
0x004220e2
0x004220e7
0x004220f6
0x004220f7
0x004220fc
0x00422110
0x00422110
0x004220fc
0x0042211b
0x00422125

APIs

__EH_prolog3_GS.LIBCMT ref: 00421F67

Part of subcall function 0044880F: __EH_prolog3_GS.LIBCMT ref: 00448816
Part of subcall function 0044880F: RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000105), ref: 004488A2

Strings

@/L, xrefs: 00422029
ProductGuid, xrefs: 00422000
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\, xrefs: 00421F9C, 00422016

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$Enum
String ID: @/L$ProductGuid$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
API String ID: 1600297748-2925473471
Opcode ID: 8ec6a6804986d299706b9169cb0423e2aefd9c48fecaf79df0704a302d837ae6
Instruction ID: bf98871ca9daf05328db170f2a05c5691e57a03d0f2efade93cd812357568720
Opcode Fuzzy Hash: 8ec6a6804986d299706b9169cb0423e2aefd9c48fecaf79df0704a302d837ae6
Instruction Fuzzy Hash: B6411631A00259BEDB11EBB5C902BEEB7B8BF05304F44009FE544A3182DB785E58CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0044880F, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70
registryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0044880F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t38;
				intOrPtr* _t47;
				long _t49;
				intOrPtr _t55;
				int _t67;
				intOrPtr _t69;
				void* _t70;

				_push(0x54);
				E0045B8C9(0x4a80f4, __ebx, __edi, __esi);
				_t55 =  *((intOrPtr*)(_t70 + 0x3c));
				_t67 = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				 *(_t70 - 0x54) = 0;
				 *((intOrPtr*)(_t70 - 0x50)) = 0;
				 *((intOrPtr*)(_t70 - 0x4c)) = 0;
				_t37 =  >=  ?  *((void*)(_t70 + 0x10)) : _t70 + 0x10;
				 *((char*)(_t70 - 4)) = 1;
				_t38 = E004018F0(_t70 - 0x54,  *((intOrPtr*)(_t70 + 8)),  >=  ?  *((void*)(_t70 + 0x10)) : _t70 + 0x10, 0x20019); // executed
				_t69 = _t38;
				_t73 = _t69;
				if(_t69 == 0) {
					do {
						 *((intOrPtr*)(_t70 - 0x40)) = 0x4c2fa0;
						 *((intOrPtr*)(_t70 - 0x18)) = 0x4c2f40;
						E00404200(_t70 - 0x40, _t70 - 0x41, 0);
						 *((char*)(_t70 - 4)) = 2;
						_t47 = E0040A14B(_t70 - 0x40, _t70 - 0x60, 0x105);
						 *((char*)(_t70 - 4)) = 3;
						 *((char*)(_t47 + 4)) = 1;
						_t49 = RegEnumKeyW( *(_t70 - 0x54), _t67,  *(E0040A0F0(_t47,  *_t47)), 0x105); // executed
						 *(_t70 - 0x48) = _t49;
						 *((char*)(_t70 - 4)) = 2;
						E00409574(_t55, _t70 - 0x60, _t67, _t69, _t73);
						if( *(_t70 - 0x48) == 0) {
							_push(_t70 - 0x40);
							E00425020(_t55, _t55); // executed
						}
						 *((char*)(_t70 - 4)) = 1;
						E00401B80(_t70 - 0x40);
						_t67 = _t67 + 1;
					} while ( *(_t70 - 0x48) == 0);
				}
				 *0x4d99f8 = _t69;
				E004018C0(_t70 - 0x54);
				_t31 = _t70 + 0xc; // 0x4c2f40
				E00401B80(_t31);
				return E0045B878(_t55, _t67, _t69);
			}

0x0044880f
0x00448816
0x0044881e
0x00448821
0x00448823
0x00448826
0x00448829
0x0044882c
0x00448836
0x00448844
0x00448848
0x0044884d
0x0044884f
0x00448851
0x00448857
0x00448860
0x00448867
0x0044886e
0x0044887f
0x00448883
0x0044888a
0x0044888e
0x004488a2
0x004488ab
0x004488ae
0x004488b2
0x004488bb
0x004488c0
0x004488c3
0x004488c3
0x004488cb
0x004488cf
0x004488d4
0x004488d5
0x00448857
0x004488e2
0x004488e8
0x004488ed
0x004488f0
0x00448901

APIs

__EH_prolog3_GS.LIBCMT ref: 00448816

Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

RegEnumKeyW.ADVAPI32(?,00000000,00000000,00000105), ref: 004488A2

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Strings

@/L, xrefs: 004488ED
@/L, xrefs: 00448867

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_String$AllocCloseEnumHandleModule
String ID: @/L$@/L
API String ID: 1559478826-2149722323
Opcode ID: 8f1f77d589f158ef80a589f5fba9a142a14b9878544738e0e9628704a2a3122d
Instruction ID: 0862246865320fa8c614a0330e91448f7e826122adb17bd63a28118c75009012
Opcode Fuzzy Hash: 8f1f77d589f158ef80a589f5fba9a142a14b9878544738e0e9628704a2a3122d
Instruction Fuzzy Hash: BC217C70D0035CDEDB01EF95C855BDDBBB4BF14308F50806EE801AB292DBB85A49DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0045C169, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 87%

			E0045C169(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				void* _t13;
				void* _t20;
				void* _t24;
				void* _t25;

				_t25 = __edi;
				_t24 = __edx;
				_t20 = __ebx;
				while(1) {
					_t13 = E0045D6BB(_t20, _t24, _t25, _a4); // executed
					if(_t13 != 0) {
						break;
					}
					if(E00466890(_t13, _a4) == 0) {
						_push(1);
						_v16 = "bad allocation";
						E0045C74E( &_v28,  &_v16);
						_v28 = 0x4b75bc;
						E0045A466( &_v28, 0x4d0de8);
						asm("int3");
						_t11 =  &_v28; // 0x4d0de8
						return E0045C1D6( &_v28, _v32,  *_t11, _v24, _v20, 0, _v16);
					} else {
						continue;
					}
					L5:
				}
				return _t13;
				goto L5;
			}

0x0045c169
0x0045c169
0x0045c169
0x0045c17e
0x0045c181
0x0045c189
0x00000000
0x00000000
0x0045c17c
0x0045c18d
0x0045c196
0x0045c19d
0x0045c1ab
0x0045c1b2
0x0045c1b7
0x0045c1c6
0x0045c1d5
0x00000000
0x00000000
0x00000000
0x00000000
0x0045c17c
0x0045c18c
0x00000000

APIs

_malloc.LIBCMT ref: 0045C181

Part of subcall function 0045D6BB: __FF_MSGBANNER.LIBCMT ref: 0045D6D2
Part of subcall function 0045D6BB: __NMSG_WRITE.LIBCMT ref: 0045D6D9
Part of subcall function 0045D6BB: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000000,?,00000000,?,00469FAC,00000008,00000008,00000008,?,?,00463326,00000018,004D1140), ref: 0045D6FE

std::exception::exception.LIBCMT ref: 0045C19D
__CxxThrowException@8.LIBCMT ref: 0045C1B2

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

M, xrefs: 0045C1C6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: M
API String ID: 3074076210-1509087228
Opcode ID: f370604034ebb9023af3bb48c00bab255d4b8208b9f1e33c9cc197d90bd6f1ca
Instruction ID: ab6835afcc36a44ea13adfcc277e871d0861d516d0f772babc60f854880cee70
Opcode Fuzzy Hash: f370604034ebb9023af3bb48c00bab255d4b8208b9f1e33c9cc197d90bd6f1ca
Instruction Fuzzy Hash: BDF08C3140020EBECF01AFA5CC42ADE7BAAAF04355F10401AFD0855192DB759629AAAA

Uniqueness

Uniqueness Score: -1.00%

Function 00401B80, Relevance: 6.0, APIs: 4, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
SysFreeString.OLEAUT32(00000000), ref: 00401BAB
SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
SetLastError.KERNEL32(?), ref: 00401BD4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction ID: 87582723e2ee77c9659d4f9fbdc80b87d3f6132b9e241a893794d654d51cb242
Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction Fuzzy Hash: 1AF0F435400512EFD7009F1AE948A40FBB5FF49329B15826AE81893A31DB71F9B4CFC8

Uniqueness

Uniqueness Score: -1.00%

Function 00407B10, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407BD9

Strings

invalid string position, xrefs: 00407C0C, 00407C16
string too long, xrefs: 00407C20

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 7c159c4a84880d4635d3051864a3d4ffcecdf03bc06ad88ed44cca12a1609d2e
Instruction ID: 09161259ddf798214b76fbfb6ec8959239b43407d1cf874b146bc26462550609
Opcode Fuzzy Hash: 7c159c4a84880d4635d3051864a3d4ffcecdf03bc06ad88ed44cca12a1609d2e
Instruction Fuzzy Hash: 4C31AB327083049BC7249E1CE88196BF3BAFF917153204A3FE451E7291EB75F85587AA

Uniqueness

Uniqueness Score: -1.00%

Function 0044D5E6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0044D5ED

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00433F0A: __EH_prolog3_GS.LIBCMT ref: 00433F14

Strings

@/L, xrefs: 0044D612
@/L, xrefs: 0044D638

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$H_prolog3
String ID: @/L$@/L
API String ID: 532146472-2149722323
Opcode ID: a2bb8d2bf68a5e7786acfc18f428a473960dd8f5e56b0311b6465602a3c9448f
Instruction ID: a7fdae8bbe90649986b60283a3b181dd8e8d809a7fbc7a59daf10507d4c4f308
Opcode Fuzzy Hash: a2bb8d2bf68a5e7786acfc18f428a473960dd8f5e56b0311b6465602a3c9448f
Instruction Fuzzy Hash: 2531B171900108EADB14EFE5CC81EDEBB78AF55348F10402EF915A7282DB786D09CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00424632, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00423878: __EH_prolog3_GS.LIBCMT ref: 00423882
Part of subcall function 00423878: InterlockedDecrement.KERNEL32(00000000), ref: 00423892
Part of subcall function 00423878: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
Part of subcall function 00423878: __CxxThrowException@8.LIBCMT ref: 00423900

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

Part of subcall function 0045C169: std::exception::exception.LIBCMT ref: 0045C19D
Part of subcall function 0045C169: __CxxThrowException@8.LIBCMT ref: 0045C1B2

GetLastError.KERNEL32(000000FF,00000000,80400100,?,00000000,0044208C,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000,?,00000000,0000013C), ref: 00424714

Strings

toys::file, xrefs: 004246D4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$ChangeCloseDecrementErrorFindH_prolog3H_prolog3_InterlockedLastNotification_mallocstd::exception::exception
String ID: toys::file
API String ID: 525007960-314977804
Opcode ID: dc6c228a8838b4f988282084029368165863bca82599e202f11d4c1f97709a6e
Instruction ID: 7a66d1111341c666b0ff6e124b5620924924d1741a0c7ee76a3493a771a79ac9
Opcode Fuzzy Hash: dc6c228a8838b4f988282084029368165863bca82599e202f11d4c1f97709a6e
Instruction Fuzzy Hash: 30210270700315AFDF14AFA1A881A6E37A5EF86348F50402EF9569B292CB3DDC11CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004081C0, Relevance: 4.6, APIs: 3, Instructions: 73memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

SysAllocStringLen.OLEAUT32(00000000,?), ref: 00408209
_memmove.LIBCMT ref: 00408231
SysFreeString.OLEAUT32(004D9420), ref: 00408241

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$AllocFree_memmove
String ID:
API String ID: 439004091-0
Opcode ID: 5fb5e50e56c7e47b454bebe101ff4f5299ac69a5b3bcd84836b3907a48ba9055
Instruction ID: b43cf874c5bbdaf5efb746692ba2c0685d91bb06690e60d7722d971cbff4e6c2
Opcode Fuzzy Hash: 5fb5e50e56c7e47b454bebe101ff4f5299ac69a5b3bcd84836b3907a48ba9055
Instruction Fuzzy Hash: 1621E772A047049FC7249FA8D5C456AB7E9EF85310320463FE8D6C77A0DF70A845C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 00408E82, Relevance: 4.5, APIs: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00408E89
GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID:
API String ID: 3502553090-0
Opcode ID: b591589db8382f3a53e4722cc0a8441831acecdfbee6480e83bf172b1ce2c978
Instruction ID: cd4775aae2f589b2b6190ba357f6bb552be386f9e6396f327a4e4cbd48ebdd8e
Opcode Fuzzy Hash: b591589db8382f3a53e4722cc0a8441831acecdfbee6480e83bf172b1ce2c978
Instruction Fuzzy Hash: 340128B5900212EBC7009F19C944A15BBF4FB58715B05812AA8049BB51CB74E911CFC8

Uniqueness

Uniqueness Score: -1.00%

Function 0041E051, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041E058

Part of subcall function 0041E830: __EH_prolog3_GS.LIBCMT ref: 0041E83A

Part of subcall function 0041E108: __EH_prolog3_GS.LIBCMT ref: 0041E112

Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 0041E062, 0041E0F6, 0041E06D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorFreeLastString
String ID: @/L
API String ID: 2278686355-3803013380
Opcode ID: bc945ff16b6d0ed2995fb2ef97eae8a78a2a7d4e73a5dcd7c5328964f522f2f0
Instruction ID: d43dc1dfd1c1d366e0ea72215a4e762f3d586d334f07ae9165dfa1a365a6cae9
Opcode Fuzzy Hash: bc945ff16b6d0ed2995fb2ef97eae8a78a2a7d4e73a5dcd7c5328964f522f2f0
Instruction Fuzzy Hash: DC110871901214EACB01FBA68851ADD77B89F15748F00406FF956A7282EB3CAB0DC3D9

Uniqueness

Uniqueness Score: -1.00%

Function 0042341D, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00423424

Strings

0, xrefs: 00423459

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_catch
String ID: 0
API String ID: 3886170330-4108050209
Opcode ID: e07d3322c20fb1e6faadfa5c349eb27e76dfc147e5447f22a36f85aef96843d6
Instruction ID: 1fd2965e065748cf62c6a7fa8096d60270a7602916f02e7b6492d4e078cd3bba
Opcode Fuzzy Hash: e07d3322c20fb1e6faadfa5c349eb27e76dfc147e5447f22a36f85aef96843d6
Instruction Fuzzy Hash: 6211C275A012059FCB14EF65C4426AEBBB1EF44314F20842FF88597381C7389A40CF88

Uniqueness

Uniqueness Score: -1.00%

Function 00415462, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415469

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

@/L, xrefs: 00415487

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last
String ID: @/L
API String ID: 685212868-3803013380
Opcode ID: e6f01ac3d16a584b9ac28880e0d5266b2c760821b6eb3e499ac6d90e072e62c5
Instruction ID: 32e3fda1b680a593550d4b26a9284ff40ed6650362c56bb69f7499e5daed3f81
Opcode Fuzzy Hash: e6f01ac3d16a584b9ac28880e0d5266b2c760821b6eb3e499ac6d90e072e62c5
Instruction Fuzzy Hash: DDE0EC74541208E7DB04AF51C602B9D7670EF54319F50905FA9445A292CBF94644D69C

Uniqueness

Uniqueness Score: -1.00%

Function 004199FF, Relevance: 3.1, APIs: 2, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a380af8c49e81da325641f793c3316773586ba9f4006d4935bfe4379c1f45da
Instruction ID: 58e0045d7d6f8f9b5b65513340df0367d2d4103165b97ae2735c2a79332c1d3b
Opcode Fuzzy Hash: 7a380af8c49e81da325641f793c3316773586ba9f4006d4935bfe4379c1f45da
Instruction Fuzzy Hash: 2311E739254391D5CF206BE694212EAF3B8AF92B84710040FED5293752D7B97C89C76E

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0F0, Relevance: 3.0, APIs: 2, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32(?), ref: 0040A0FD
SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$Alloc
String ID:
API String ID: 143312630-0
Opcode ID: 5d998b37f2e4c6abc6d1c2a57a714ee287e2c6bb9c09061057d11d74e06b29c0
Instruction ID: 615fde8f543c55ab24c86d3adad9553ea8878bb0dc9239741de85c37b35b7681
Opcode Fuzzy Hash: 5d998b37f2e4c6abc6d1c2a57a714ee287e2c6bb9c09061057d11d74e06b29c0
Instruction Fuzzy Hash: 89F08C31100502FFDB108F19ED84A62B7BAFF49300B000176E0009B5A0DB70FC74CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042432C, Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00424333

Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9

Part of subcall function 004252EC: __EH_prolog3_GS.LIBCMT ref: 004252F6
Part of subcall function 004252EC: __CxxThrowException@8.LIBCMT ref: 0042535A
Part of subcall function 004252EC: SetFilePointer.KERNELBASE(?,?,?,?,00000108,0042442C,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 00425366
Part of subcall function 004252EC: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004253B9

Part of subcall function 00415549: __EH_prolog3_GS.LIBCMT ref: 00415553
Part of subcall function 00415549: __CxxThrowException@8.LIBCMT ref: 004155C9
Part of subcall function 00415549: ReadFile.KERNELBASE(?,?,?,?,00000000,0000010C,004243E8,?,00000003,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 004155DB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8FileH_prolog3_Throw$ErrorLast$H_prolog3_catchPointerReadSize
String ID:
API String ID: 2159634448-0
Opcode ID: 500855b1677724a8cc5570667c0c80bc56a84ea79e9f84727f41942d5ba3cddd
Instruction ID: 6f042c7f5be1895180e12ea151be4674697b2fd49855ba8023a2fcefa1d4d327
Opcode Fuzzy Hash: 500855b1677724a8cc5570667c0c80bc56a84ea79e9f84727f41942d5ba3cddd
Instruction Fuzzy Hash: E5213970B0076999DF30E7A954417BFAAB9AB91328F90024FE5A2922D2C77C4D41935E

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC74, Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041CC7E

Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$FreeH_prolog3_String$Exception@8FileSizeThrow
String ID:
API String ID: 3623232617-0
Opcode ID: 49a349a22a42cd11433ac022693faf57aa284f8db0cc27edbc0a6a7a0d10b8ce
Instruction ID: 180204596517c0e9b6ac9009096acaf67d3b5e0577b6137ead57bd40ceddf8f6
Opcode Fuzzy Hash: 49a349a22a42cd11433ac022693faf57aa284f8db0cc27edbc0a6a7a0d10b8ce
Instruction Fuzzy Hash: 36215E31900218DEEB14EBA4CC55BDDB7B8BF10319F5041AEE445A7192EB38AE49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00433F0A, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00433F14

Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$FreeString$H_prolog3_
String ID:
API String ID: 1866482717-0
Opcode ID: 73c65bbe125acbbc9f5ae55ec18e9875de501598b5492e8ab105c17a457aefdc
Instruction ID: 5bcea37284075e25d5198c2aa56f72f07ba9248de4b731e2aa7ee767efa03dfb
Opcode Fuzzy Hash: 73c65bbe125acbbc9f5ae55ec18e9875de501598b5492e8ab105c17a457aefdc
Instruction Fuzzy Hash: 6C21A130801258DBDB21EF94C841BDDBB70BF14708F54809EF984A7282DB786F49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00434698, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0043469F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3
String ID:
API String ID: 431132790-0
Opcode ID: c315891d4d42ed6812b04c74ac90575924ca375c0f3912b782645ced92bc139b
Instruction ID: d0641d1f687521412102d89772f4c76c1110b4f3c346837fc0c295e9d452b566
Opcode Fuzzy Hash: c315891d4d42ed6812b04c74ac90575924ca375c0f3912b782645ced92bc139b
Instruction Fuzzy Hash: 36F0F6B2A000205BCB15BE658D434BEA1AAEBE8704F04283FF91197353DA3C6E40869C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFCF, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

CompareStringA.KERNELBASE(00000400,00000001,?,00000008,?,000000FF,?,00000000,?,?,0041A23E,.debug,?), ref: 0041AFF7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CompareString
String ID:
API String ID: 1825529933-0
Opcode ID: 20a314cae8d14066ab1c315db32f16a6f30b3824b53d335ad9eeebe919a7255f
Instruction ID: 530d9d599951c99dcc0185d0d228e63b42ac07b487ab74325c1618bcfae99184
Opcode Fuzzy Hash: 20a314cae8d14066ab1c315db32f16a6f30b3824b53d335ad9eeebe919a7255f
Instruction Fuzzy Hash: E9F0E53234412576DB114A965C81AE7FB59EB06770F518222FA38A6180D7B5ECC292E8

Uniqueness

Uniqueness Score: -1.00%

Function 0042508B, Relevance: 1.5, APIs: 1, Instructions: 27fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 004250A7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d4ac50bccea01211118c50626b05f59935f398a5f128bbe2cdea3913c471716a
Instruction ID: 6ce1b97a90a1347bbbf41986e1d0e4c0939c7b018aad587f643f27bf801551af
Opcode Fuzzy Hash: d4ac50bccea01211118c50626b05f59935f398a5f128bbe2cdea3913c471716a
Instruction Fuzzy Hash: B5F0E532200118FFCF009F40CC40E99BB6DEF06755F108165BE145A0A1D332DE12EBD4

Uniqueness

Uniqueness Score: -1.00%

Function 004470DB, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004470E2

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 004425A8: __EH_prolog3_GS.LIBCMT ref: 004425AF
Part of subcall function 004425A8: GetLastError.KERNEL32 ref: 004426A4

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
String ID:
API String ID: 386487564-0
Opcode ID: bb416fd25fe376ab0b7eee05979aeb2bfe3b8989df880676763b4553eb18912c
Instruction ID: eeda302224e1e2d715bd7bc18639648045e25d061f8b8f5264039f371051b528
Opcode Fuzzy Hash: bb416fd25fe376ab0b7eee05979aeb2bfe3b8989df880676763b4553eb18912c
Instruction Fuzzy Hash: 81D0C2A49111007AEB0CBB26C8179AD37288F11354B40502FFC15473A2EA7C560C81ED

Uniqueness

Uniqueness Score: -1.00%

Function 004151C6, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 004151CD

Part of subcall function 00415462: __EH_prolog3.LIBCMT ref: 00415469

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3H_prolog3_catch
String ID:
API String ID: 1882928916-0
Opcode ID: 0ad919a521f2e055eab9ffcef74c0a5f3d5a80d7ad020efa133144dfd19ed34e
Instruction ID: 8b18382f5678aaa6d813228de1e50a62db69bcf4f26b2a3607d7dc471782994d
Opcode Fuzzy Hash: 0ad919a521f2e055eab9ffcef74c0a5f3d5a80d7ad020efa133144dfd19ed34e
Instruction Fuzzy Hash: D9E04632A11A59EBCB01FF8588016DF7721BF85715F59440AFC002B301C738AE458BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00425414, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(000000FF,?,000000FF,?), ref: 0042542F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 6180d160bf37eafee95e332dd2cfcb138bc450929d0c8947b1cf6e744e2f61e0
Instruction ID: 6c1d035aab9d24d55cc3c180fec6a0c56823e5c399f9d78deba1b07ba70a0e0b
Opcode Fuzzy Hash: 6180d160bf37eafee95e332dd2cfcb138bc450929d0c8947b1cf6e744e2f61e0
Instruction Fuzzy Hash: 30E0DF31100109FFCB00DF50D905E99BF78FF02329F208198F4194A2A0C336EA12EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00425F8F, Relevance: 1.5, APIs: 1, Instructions: 16fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000), ref: 00425FA2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 9bbfac0eb4c3612a7822d6e7e9d00e82deabb6554d21890c00abd8639293d43b
Instruction ID: 59e2199c77b72c2af7b3068cab168a224e5da579144f00fc689edbda4a8099af
Opcode Fuzzy Hash: 9bbfac0eb4c3612a7822d6e7e9d00e82deabb6554d21890c00abd8639293d43b
Instruction Fuzzy Hash: 4ED01736200108BBDB059B91CD06E997BACEB09360F108264BA26850A0D772DE109B50

Uniqueness

Uniqueness Score: -1.00%

Function 004018C0, Relevance: 1.5, APIs: 1, Instructions: 15registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNELBASE(00000000,?,0040E90B), ref: 004018CA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 913714d106289af44a3233bedb904f0d2cfd092c40a8ecab6c1ddbfcccfbf739
Instruction ID: 35568107ca6a2d1c2ae5aa4ac90370f89ea05eb17667ed646162b5df9abaad68
Opcode Fuzzy Hash: 913714d106289af44a3233bedb904f0d2cfd092c40a8ecab6c1ddbfcccfbf739
Instruction Fuzzy Hash: 9ED0C9715097208BD7709F2DF9047837BE8AF04710F15886EE499D3644D7B8DC818B94

Uniqueness

Uniqueness Score: -1.00%

Function 0045C926, Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 00469DC6: __lock.LIBCMT ref: 00469DC8

__onexit_nolock.LIBCMT ref: 0045C93E

Part of subcall function 0045C966: RtlDecodePointer.NTDLL(00000001,00000002,00000000,?,?,0045C943,?,004D1018,0000000C,0045CA27,?,?,00410534,004AD0F5), ref: 0045C979
Part of subcall function 0045C966: DecodePointer.KERNEL32(?,?,0045C943,?,004D1018,0000000C,0045CA27,?,?,00410534,004AD0F5), ref: 0045C984
Part of subcall function 0045C966: __realloc_crt.LIBCMT ref: 0045C9C5
Part of subcall function 0045C966: __realloc_crt.LIBCMT ref: 0045C9D9
Part of subcall function 0045C966: EncodePointer.KERNEL32(00000000,?,?,0045C943,?,004D1018,0000000C,0045CA27,?,?,00410534,004AD0F5), ref: 0045C9EB
Part of subcall function 0045C966: EncodePointer.KERNEL32(?,?,?,0045C943,?,004D1018,0000000C,0045CA27,?,?,00410534,004AD0F5), ref: 0045C9F9
Part of subcall function 0045C966: EncodePointer.KERNEL32(00000004,?,?,0045C943,?,004D1018,0000000C,0045CA27,?,?,00410534,004AD0F5), ref: 0045CA05

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Pointer$Encode$Decode__realloc_crt$__lock__onexit_nolock
String ID:
API String ID: 3536590627-0
Opcode ID: 2f6b7ccf0d32d990e2db2941f1cd6271799fe4f3aea352ef2f35c9fb7becfc7d
Instruction ID: e61f7a5fd2340c191262a7d2e2f52bb6cc9e9b6a8b3263a2fd31eeb11c82e8f1
Opcode Fuzzy Hash: 2f6b7ccf0d32d990e2db2941f1cd6271799fe4f3aea352ef2f35c9fb7becfc7d
Instruction Fuzzy Hash: D4D05B71900305AACF117F6AD84274C75605F00B19F50415FF410A61D2DB7C0B859A8E

Uniqueness

Uniqueness Score: -1.00%

Function 00423917, Relevance: 1.5, APIs: 1, Instructions: 14COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(000000FF,?,0041772A,00000004,00417C5E), ref: 0042392F

Part of subcall function 0042393F: InterlockedDecrement.KERNEL32(004D9B10), ref: 00423964

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ChangeCloseDecrementFindInterlockedNotification
String ID:
API String ID: 148996130-0
Opcode ID: 7e3afa3cab65c4c4bfcc074b3dc16802bff0ad01fb72513ec71fcb362ec066b1
Instruction ID: 1a04bbf9125ed3f6d2895db98d060ad1f499ef540b6d0e15ad137bed5879aa94
Opcode Fuzzy Hash: 7e3afa3cab65c4c4bfcc074b3dc16802bff0ad01fb72513ec71fcb362ec066b1
Instruction Fuzzy Hash: DBD05B70602B118BC7345F19F509753B6F45F06B32744471E90FB429F087B86841C608

Uniqueness

Uniqueness Score: -1.00%

Function 00405170, Relevance: 1.5, APIs: 1, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,0041781D), ref: 00405183

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: a02228b7d65cdfe4733a7f04c3010a86aefe6b0324a7f5084bb205d60545f0bf
Instruction ID: ddf6ed067c745a12368ff6712c0ccd030511df265d9738625be335e2a2687e02
Opcode Fuzzy Hash: a02228b7d65cdfe4733a7f04c3010a86aefe6b0324a7f5084bb205d60545f0bf
Instruction Fuzzy Hash: CCC01230A096115ADB788F2AA850B6322D8AF48300B14093EAC91EB380CA78DC818B98

Uniqueness

Uniqueness Score: -1.00%

Function 004176D4, Relevance: 1.5, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004176DB

Part of subcall function 00423878: __EH_prolog3_GS.LIBCMT ref: 00423882
Part of subcall function 00423878: InterlockedDecrement.KERNEL32(00000000), ref: 00423892
Part of subcall function 00423878: FindCloseChangeNotification.KERNELBASE(000000FF), ref: 004238BA
Part of subcall function 00423878: __CxxThrowException@8.LIBCMT ref: 00423900

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString$ChangeCloseDecrementException@8FindH_prolog3H_prolog3_InterlockedNotificationThrow
String ID:
API String ID: 3768595382-0
Opcode ID: 66c70106b11f875f12e948a588e9645b5f6bfb61fe69adafccc8b296f8bbef83
Instruction ID: c9b6578549235cf6f3dbc7e3a3525ac85d01a6b0fd05b1095f0ee83cd0c0895b
Opcode Fuzzy Hash: 66c70106b11f875f12e948a588e9645b5f6bfb61fe69adafccc8b296f8bbef83
Instruction Fuzzy Hash: 01D0A9B0D002109BDB04BF96800236C72F4EF1031AF80885FF6402B283DBBC0A08C79C

Uniqueness

Uniqueness Score: -1.00%

Function 0042382A, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(?,00000000,00441FA5), ref: 0042383D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: b61493307950c84b608308377377f83a7f5e9d1cd166965de3d354f56a6fadc7
Instruction ID: ae8555a7cb1c572486ceaff3455ae899c07b9457a7eadcf2c98346052d023e21
Opcode Fuzzy Hash: b61493307950c84b608308377377f83a7f5e9d1cd166965de3d354f56a6fadc7
Instruction Fuzzy Hash: ACC012312181228AC6242E3DBC0054276E86B41731364076EA0F0862F0D7248D828654

Uniqueness

Uniqueness Score: -1.00%

Function 004509E1, Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000001,?,0045091E,00000001,00000000,?,?,0045083B,00000001,00000001), ref: 004509E7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 02bc53965f6046cd0c41efb203bf0ae1cdd8c2a0326ad8be3410e072c7548079
Instruction ID: 2d9258ea693c0498e80f38f83c37258ef96db77be6c8460a30c14699e006fea5
Opcode Fuzzy Hash: 02bc53965f6046cd0c41efb203bf0ae1cdd8c2a0326ad8be3410e072c7548079
Instruction Fuzzy Hash: 09B0123800414CBBCF011F62EC044D8BFACDA0A160B40C061FCAC0A223C732A5119F94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00490B40, Relevance: 176.5, APIs: 80, Strings: 20, Instructions: 1483
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 74%

			E00490B40(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v119;
				char _v120;
				char _v219;
				char _v220;
				char _v1219;
				char _v1220;
				char _v1479;
				char _v1480;
				char _v1739;
				char _v1740;
				long _v1744;
				char _v1748;
				int _v1752;
				int _v1756;
				CHAR* _v1760;
				intOrPtr _v1764;
				signed int _v1768;
				short _v1784;
				char _v1788;
				long _v1792;
				intOrPtr _v1796;
				signed int _v1800;
				signed int _v1804;
				signed int _v1808;
				int _v1812;
				int _v1816;
				char _v1832;
				char _v1836;
				long _v1840;
				intOrPtr _v1844;
				short _v1848;
				short _v1852;
				short _v1856;
				int _v1860;
				int _v1864;
				char _v1880;
				char _v1884;
				char _v1928;
				char _v1932;
				char _v1980;
				intOrPtr _v2008;
				char _v2024;
				char _v2028;
				char _v2072;
				char _v2076;
				char _v2120;
				char _v2124;
				char _v2125;
				int _v2132;
				char _v2133;
				intOrPtr* _v2140;
				CHAR* _v2144;
				intOrPtr _v2148;
				intOrPtr _v2152;
				intOrPtr _v2156;
				intOrPtr* _v2160;
				int _v2164;
				char _v2165;
				char _v2166;
				char _v2167;
				CHAR* _v2172;
				char _v2173;
				char _v2174;
				char _v2175;
				char _v2176;
				char _v2177;
				int _v2184;
				intOrPtr _v2188;
				long _v2192;
				int _v2196;
				long _v2200;
				char _v2204;
				char _v2216;
				char _v2228;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t629;
				signed int _t630;
				CHAR* _t638;
				intOrPtr _t659;
				intOrPtr _t663;
				void* _t665;
				CHAR* _t669;
				intOrPtr* _t690;
				void* _t698;
				CHAR* _t702;
				signed int _t708;
				char _t710;
				CHAR* _t713;
				char _t724;
				CHAR* _t731;
				signed int _t735;
				char _t737;
				CHAR* _t742;
				char _t753;
				CHAR* _t761;
				signed int _t765;
				char _t767;
				CHAR* _t772;
				char _t783;
				signed int _t794;
				char _t796;
				CHAR* _t799;
				char _t811;
				int _t814;
				CHAR* _t823;
				intOrPtr* _t832;
				CHAR* _t845;
				intOrPtr* _t854;
				CHAR* _t867;
				long _t876;
				CHAR* _t889;
				long _t898;
				intOrPtr* _t905;
				int _t916;
				intOrPtr* _t920;
				signed int _t921;
				int _t932;
				int _t937;
				CHAR* _t938;
				signed int _t939;
				intOrPtr* _t943;
				CHAR* _t950;
				signed int _t951;
				intOrPtr* _t955;
				char _t980;
				char _t995;
				intOrPtr* _t1010;
				void* _t1015;
				int _t1019;
				void* _t1021;
				void* _t1026;
				CHAR* _t1032;
				void* _t1034;
				void* _t1035;
				CHAR* _t1036;
				intOrPtr* _t1037;
				CHAR* _t1039;
				intOrPtr* _t1040;
				CHAR* _t1042;
				intOrPtr* _t1043;
				void* _t1044;
				CHAR* _t1045;
				intOrPtr* _t1046;
				intOrPtr* _t1047;
				CHAR* _t1048;
				CHAR* _t1049;
				CHAR* _t1050;
				CHAR* _t1051;
				intOrPtr* _t1052;
				void* _t1053;
				intOrPtr* _t1082;
				signed int _t1083;
				signed int _t1084;
				intOrPtr* _t1092;
				signed int _t1093;
				signed int _t1094;
				intOrPtr* _t1104;
				signed int _t1105;
				signed int _t1106;
				intOrPtr* _t1114;
				signed int _t1115;
				signed int _t1116;
				intOrPtr* _t1161;
				signed int _t1162;
				signed int _t1163;
				void* _t1214;
				void* _t1216;
				void* _t1218;
				void* _t1220;
				void* _t1222;
				intOrPtr _t1225;
				intOrPtr* _t1226;
				void* _t1227;
				unsigned int _t1229;
				signed int _t1232;
				void* _t1235;
				void* _t1236;
				unsigned int _t1237;
				signed int _t1240;
				unsigned int _t1243;
				signed int _t1246;
				unsigned int _t1249;
				signed int _t1252;
				unsigned int _t1255;
				signed int _t1258;
				intOrPtr* _t1261;
				unsigned int _t1262;
				signed int _t1265;
				unsigned int _t1266;
				signed int _t1269;
				unsigned int _t1270;
				signed int _t1273;
				long* _t1274;
				unsigned int _t1275;
				signed int _t1278;
				long* _t1279;
				intOrPtr* _t1280;
				intOrPtr* _t1281;
				signed int _t1288;
				void* _t1289;
				void* _t1290;
				void* _t1291;
				void* _t1292;
				void* _t1293;
				void* _t1294;
				void* _t1295;
				void* _t1296;
				void* _t1297;
				void* _t1298;

				_t1214 = __edx;
				_push(0xffffffff);
				_push(0x4ab96b);
				_push( *[fs:0x0]);
				_t1290 = _t1289 - 0x8a4;
				_t629 =  *0x4d7e88; // 0x9518852c
				_t630 = _t629 ^ _t1288;
				_v20 = _t630;
				_push(_t630);
				 *[fs:0x0] =  &_v16;
				_v2140 = __ecx;
				_t1225 = _a4;
				_v2156 = _a8;
				_t634 =  !=  ? _t1225 : 0x4c2d7c;
				_v1788 = 0x4c2f50;
				_v1748 = 0x4c3454;
				_v2152 =  !=  ? _t1225 : 0x4c2d7c;
				E00403FB0(0x4c2d7c,  &_v2133, 0);
				_v8 = 0;
				_v2148 = __ecx + 8;
				_t1032 = E00490850(__ecx + 8, _t1214);
				_t638 = _v1760;
				_t1229 = 2 + _v1768 * 2;
				_t1059 = _v1756;
				if(_t1229 >= _v1756 || _t638 == 0) {
					L0045A7D5(_t638);
					_t1232 = (_t1229 >> 6) + 1 << 6;
					_push(_t1232);
					_v1756 = _t1232;
					_t638 = E00459ADF(_t1032, _t1214, _t1225, _t1232);
					_t1059 = _v1756;
					_t1290 = _t1290 + 8;
					_v1760 = _t638;
				}
				E0048DE60( &_v1788, _t638, _t1059, 3);
				_v2184 = GetPrivateProfileIntA(_v1760, "BUTTONS", 0, _t1032);
				_v8 = 0xffffffff;
				E00401AC0( &_v1788);
				_v220 = 0;
				E0045A4D0( &_v219, 0, 0x63);
				_v120 = 0;
				E0045A4D0( &_v119, 0, 0x63);
				_v1220 = 0;
				E0045A4D0( &_v1219, 0, 0x3e7);
				_v1740 = 0;
				E0045A4D0( &_v1739, 0, 0x103);
				_v1480 = 0;
				E0045A4D0( &_v1479, 0, 0x103);
				_t1291 = _t1290 + 0x3c;
				GetSysColor(8);
				GetSysColor(0x11);
				E00403FB0(_t1225,  &_v2133, 1);
				_t1034 = GetLastError;
				_v8 = 1;
				_v1836 = 0x4c2f78;
				_v1796 = 0x4c2fa8;
				_v1792 = GetLastError();
				_v1832 = 0;
				_v1808 = 0;
				_v1804 = 0;
				_v1800 = 0;
				_t659 = _v1796;
				_v1812 = 7;
				_v1816 = 0;
				_t51 = _t659 + 4; // 0x4
				SetLastError( *(_t1288 +  *_t51 - 0x700));
				_v1884 = 0x4c2f78;
				_v1844 = 0x4c2fa8;
				_v1840 = GetLastError();
				_v1860 = 7;
				_v1880 = 0;
				_v1856 = 0;
				_v1852 = 0;
				_v1848 = 0;
				_t663 = _v1844;
				_v1864 = 0;
				_t64 = _t663 + 4; // 0x4
				SetLastError( *(_t1288 +  *_t64 - 0x730));
				_v8 = 3;
				_t665 = E004068B0( &_v2024, "-", 0, 1);
				_t1234 = _t665;
				if(_t665 != 0xffffffff) {
					_t1021 = E00494EB0( &_v1980, 0, _t1234);
					_v8 = 4;
					if(_t1021 == 0) {
						_t1022 = 0;
						__eflags = 0;
						goto L8;
					} else {
						_t1022 = _t1021 + 4;
						if( &_v1880 != _t1021 + 4) {
							L8:
							_push(0xffffffff);
							E00406630(_t1034,  &_v1880, _t1225, _t1022, 0);
						}
					}
					_v8 = 3;
					E00401AC0( &_v1980);
					_t1026 = E00494EB0( &_v1980, _t1234, 0xffffffff);
					_v8 = 5;
					if(_t1026 == 0) {
						_t1027 = 0;
						__eflags = 0;
						goto L13;
					} else {
						_t1027 = _t1026 + 4;
						if( &_v1832 != _t1026 + 4) {
							L13:
							_push(0xffffffff);
							E00406630(_t1034,  &_v1832, _t1225, _t1027, 0);
						}
					}
					_v8 = 3;
					E00401AC0( &_v1980);
				}
				_push(3);
				if(E004086E0(_t1034,  &_v1880, _t1225, _t1234, 0, _v1864, L"ALL") == 0) {
					L24:
					_t1226 = _v2140;
				} else {
					_push(3);
					if(E004086E0(_t1034,  &_v2024, _t1225, _t1234, 0, _v2008, L"ALL") == 0) {
						goto L24;
					} else {
						_t1310 = _v1816;
						if(_v1816 == 0) {
							_t1226 = _v2140;
							goto L22;
						} else {
							_t1015 = E00480E50(_t1310,  &_v1980, L"ALL",  &_v1836);
							_t1291 = _t1291 + 0xc;
							_t1226 = _v2140;
							_v8 = 6;
							E0048FB40(_t1226 + 0x4c,  &_v2132, _t1015);
							_v8 = 3;
							E00401AC0( &_v1980);
							_t1019 = _v2132;
							if(_t1019 ==  *((intOrPtr*)(_t1226 + 0x4c))) {
								L22:
								E00403FB0(L"ALL",  &_v2133, 1);
								_v8 = 7;
								_t1286 =  *((intOrPtr*)(E00487D40(_t1226 + 0x4c,  &_v1932)));
								_v8 = 3;
								E00401AC0( &_v1932);
							} else {
								_t1286 =  *((intOrPtr*)(_t1019 + 0x40));
								if( *((intOrPtr*)(_t1019 + 0x40)) == 0) {
									goto L22;
								}
							}
						}
						_v2132 = 0;
						_v2164 = 0;
						_t1010 = E00487900(E004893F0(_t1034, _t1286),  &_v2132);
						 *((intOrPtr*)(E00487900(_v2156,  &_v2164))) =  *_t1010;
					}
				}
				_v2132 = 0;
				_t669 = E00490850( *((intOrPtr*)(E00487900(_v2156,  &_v2132))) + 4, _t1214);
				_t1235 = lstrcpyA;
				lstrcpyA( &_v1740, _t669);
				_v2132 = 0;
				lstrcpyA( &_v1480, E00490850( *((intOrPtr*)(E00487900(_v2156,  &_v2132))) + 0x34, _t1214));
				_v2132 = 0;
				_v2196 =  *((intOrPtr*)( *((intOrPtr*)(E00487900(_v2156,  &_v2132))) + 0x78));
				_v2132 = 0;
				_v2188 =  *((intOrPtr*)( *((intOrPtr*)(E00487900(_v2156,  &_v2132))) + 0x6c));
				_v2132 = 0;
				_v2192 =  *((intOrPtr*)( *((intOrPtr*)(E00487900(_v2156,  &_v2132))) + 0x70));
				_v2132 = 0;
				_t690 = E00487900(_v2156,  &_v2132);
				_t1313 = _v2184 - 1;
				_v2164 = 1;
				_v2200 =  *((intOrPtr*)( *_t690 + 0x74));
				if(_v2184 >= 1) {
					_v2160 = _t1226 + 0x40;
					do {
						_push(0x84);
						_t698 = E0045C169(_t1034, _t1214, _t1226, _t1313);
						_t1292 = _t1291 + 4;
						if(_t698 == 0) {
							_t1226 = 0;
							__eflags = 0;
						} else {
							_t1226 = E00486570(_t698);
						}
						lstrcpyA( &_v220, "BUTTON");
						_t702 = E0049C6BE(_v2164,  &_v1220, 0xa);
						_t1293 = _t1292 + 0xc;
						lstrcatA( &_v220, _t702);
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						_v1744 = GetLastError();
						_t1216 =  !=  ? _v2152 : 0x4c2d7c;
						_v8 = 8;
						_v1764 = 7;
						_v1768 = 0;
						_v1784 = 0;
						if( *0x4c2d7c != 0) {
							_t1082 = 0x4c2d7c;
							_t157 = _t1082 + 2; // 0x4c2d7e
							_t1235 = _t157;
							do {
								_t708 =  *_t1082;
								_t1082 = _t1082 + 2;
								__eflags = _t708;
							} while (_t708 != 0);
							_t1083 = _t1082 - _t1235;
							__eflags = _t1083;
							_t1084 = _t1083 >> 1;
						} else {
							_t1084 = 0;
						}
						_push(_t1084);
						_push(_t1216);
						E00406EB0(_t1034,  &_v1784, _t1226, _t1235);
						_t710 = _v1748;
						_v1760 = 0;
						_v1756 = 0;
						_v1752 = 0;
						_t163 = _t710 + 4; // 0x4
						SetLastError( *(_t1288 +  *_t163 - 0x6d0));
						_v8 = 9;
						_t1036 = E00490850(_v2148, _t1216);
						_t713 = _v1760;
						_t1237 = 2 + _v1768 * 2;
						_t1088 = _v1756;
						if(_t1237 >= _v1756 || _t713 == 0) {
							L0045A7D5(_t713);
							_t1240 = (_t1237 >> 6) + 1 << 6;
							_push(_t1240);
							_v1756 = _t1240;
							_t713 = E00459ADF(_t1036, _t1216, _t1226, _t1240);
							_t1088 = _v1756;
							_t1293 = _t1293 + 8;
							_v1760 = _t713;
						}
						E0048DE60( &_v1788, _t713, _t1088, 3);
						 *_t1226 = GetPrivateProfileIntA(_v1760,  &_v220, 0, _t1036);
						_t181 = _v1748 + 4; // 0x4
						_v8 = 3;
						_t1242 =  &_v1748 +  *_t181;
						 *((intOrPtr*)( &_v1748 +  *_t181)) = GetLastError();
						L0045A7D5(_v1760);
						_t1037 = __imp__#6;
						_t1294 = _t1293 + 4;
						 *_t1037(_v1752);
						if(_v1764 >= 8) {
							 *_t1037(_v1784);
						}
						_v1784 = 0;
						_t724 = _v1788;
						_v1764 = 7;
						_v1768 = 0;
						_t191 = _t724 + 4; // 0x2c
						SetLastError( *(_t1288 +  *_t191 - 0x6f8));
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "UP");
						_t198 = _t1226 + 4; // 0x4
						_t731 = E00490770(_t198,  &_v2216, 0x104);
						_t1038 = _t731;
						_v2172 = _t731;
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						_v1744 = GetLastError();
						_t1218 =  !=  ? _v2152 : 0x4c2d7c;
						_v8 = 0xb;
						_v1764 = 7;
						_v1768 = 0;
						_v1784 = 0;
						if( *0x4c2d7c != 0) {
							_t1092 = 0x4c2d7c;
							_t208 = _t1092 + 2; // 0x4c2d7e
							_t1242 = _t208;
							do {
								_t735 =  *_t1092;
								_t1092 = _t1092 + 2;
								__eflags = _t735;
							} while (_t735 != 0);
							_t1093 = _t1092 - _t1242;
							__eflags = _t1093;
							_t1094 = _t1093 >> 1;
						} else {
							_t1094 = 0;
						}
						_push(_t1094);
						_push(_t1218);
						E00406EB0(_t1038,  &_v1784, _t1226, _t1242);
						_t737 = _v1748;
						_v1760 = 0;
						_v1756 = 0;
						_v1752 = 0;
						_t214 = _t737 + 4; // 0x4
						SetLastError( *(_t1288 +  *_t214 - 0x6d0));
						_v8 = 0xc;
						_v2144 = E00490850(_v2148, _t1218);
						_t1039 = E00490850( *_t1038, _t1218);
						_v2172[8] = _t1039;
						_t742 = _v1760;
						_t1243 = 2 + _v1768 * 2;
						_t1099 = _v1756;
						if(_t1243 >= _v1756 || _t742 == 0) {
							L0045A7D5(_t742);
							_t1246 = (_t1243 >> 6) + 1 << 6;
							_push(_t1246);
							_v1756 = _t1246;
							_t742 = E00459ADF(_t1039, _t1218, _t1226, _t1246);
							_t1099 = _v1756;
							_t1294 = _t1294 + 8;
							_v1760 = _t742;
						}
						E0048DE60( &_v1788, _t742, _t1099, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0, _t1039, 0x104, _v2144);
						_t236 = _v1748 + 4; // 0x4
						_t1248 =  &_v1748 +  *_t236;
						 *((intOrPtr*)( &_v1748 +  *_t236)) = GetLastError();
						L0045A7D5(_v1760);
						_t1040 = __imp__#6;
						_t1295 = _t1294 + 4;
						 *_t1040(_v1752);
						if(_v1764 >= 8) {
							 *_t1040(_v1784);
						}
						_v1784 = 0;
						_t753 = _v1788;
						_v1764 = 7;
						_v1768 = 0;
						_t245 = _t753 + 4; // 0x2c
						SetLastError( *(_t1288 +  *_t245 - 0x6f8));
						_v8 = 3;
						E00487390( &_v2216);
						_t1327 =  *((intOrPtr*)(_t1226 + 0x18));
						if( *((intOrPtr*)(_t1226 + 0x18)) == 0) {
							_push(0);
							_push( &_v2133);
							_push( &_v1740);
							_v1788 = 0x4ae964;
							_v1748 = 0x4ae96c;
							E00415AF8(_t1040,  &_v1788, _t1226, _t1248, _t1327);
							_t256 = _t1226 + 8; // 0x8
							_t1195 = _t256;
							_v8 = 0xd;
							if(_t256 !=  &_v1784) {
								_push(0xffffffff);
								_push(0);
								E00407B10(_t1040, _t1195, _t1226,  &_v1784);
							}
							_t261 = _v1748 + 4; // 0x4
							_v8 = 3;
							_t1248 =  &_v1748 +  *_t261;
							 *((intOrPtr*)( &_v1748 +  *_t261)) = GetLastError();
							L0045A7D5(_v1760);
							_t1295 = _t1295 + 4;
							 *_t1040(_v1752);
							if(_v1764 >= 8) {
								 *_t1040(_v1784);
							}
							_v1784 = 0;
							_t995 = _v1788;
							_v1764 = 7;
							_v1768 = 0;
							_t271 = _t995 + 4; // 0x2c
							SetLastError( *(_t1288 +  *_t271 - 0x6f8));
						}
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "DOWN");
						_t278 = _t1226 + 0x34; // 0x34
						_t761 = E00490770(_t278,  &_v2228, 0x104);
						_t1041 = _t761;
						_v2144 = _t761;
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						_v1744 = GetLastError();
						_t1220 =  !=  ? _v2152 : 0x4c2d7c;
						_v8 = 0xf;
						_v1764 = 7;
						_v1768 = 0;
						_v1784 = 0;
						if( *0x4c2d7c != 0) {
							_t1104 = 0x4c2d7c;
							_t288 = _t1104 + 2; // 0x4c2d7e
							_t1248 = _t288;
							do {
								_t765 =  *_t1104;
								_t1104 = _t1104 + 2;
								__eflags = _t765;
							} while (_t765 != 0);
							_t1105 = _t1104 - _t1248;
							__eflags = _t1105;
							_t1106 = _t1105 >> 1;
						} else {
							_t1106 = 0;
						}
						_push(_t1106);
						_push(_t1220);
						E00406EB0(_t1041,  &_v1784, _t1226, _t1248);
						_t767 = _v1748;
						_v1760 = 0;
						_v1756 = 0;
						_v1752 = 0;
						_t294 = _t767 + 4; // 0x4
						SetLastError( *(_t1288 +  *_t294 - 0x6d0));
						_v8 = 0x10;
						_v2172 = E00490850(_v2148, _t1220);
						_t1042 = E00490850( *_t1041, _t1220);
						_v2144[8] = _t1042;
						_t772 = _v1760;
						_t1249 = 2 + _v1768 * 2;
						_t1111 = _v1756;
						if(_t1249 >= _v1756 || _t772 == 0) {
							L0045A7D5(_t772);
							_t1252 = (_t1249 >> 6) + 1 << 6;
							_push(_t1252);
							_v1756 = _t1252;
							_t772 = E00459ADF(_t1042, _t1220, _t1226, _t1252);
							_t1111 = _v1756;
							_t1295 = _t1295 + 8;
							_v1760 = _t772;
						}
						E0048DE60( &_v1788, _t772, _t1111, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0, _t1042, 0x104, _v2172);
						_t316 = _v1748 + 4; // 0x4
						_t1254 =  &_v1748 +  *_t316;
						 *((intOrPtr*)( &_v1748 +  *_t316)) = GetLastError();
						L0045A7D5(_v1760);
						_t1043 = __imp__#6;
						_t1296 = _t1295 + 4;
						 *_t1043(_v1752);
						if(_v1764 >= 8) {
							 *_t1043(_v1784);
						}
						_v1784 = 0;
						_t783 = _v1788;
						_v1764 = 7;
						_v1768 = 0;
						_t325 = _t783 + 4; // 0x2c
						SetLastError( *(_t1288 +  *_t325 - 0x6f8));
						_v8 = 3;
						E00487390( &_v2228);
						_t1337 =  *((intOrPtr*)(_t1226 + 0x48));
						if( *((intOrPtr*)(_t1226 + 0x48)) != 0) {
							_t1044 = SetLastError;
						} else {
							_push(0);
							_push( &_v2177);
							_push( &_v1480);
							_v1788 = 0x4ae964;
							_v1748 = 0x4ae96c;
							E00415AF8(_t1043,  &_v1788, _t1226, _t1254, _t1337);
							_t336 = _t1226 + 0x38; // 0x38
							_t1193 = _t336;
							_v8 = 0x11;
							if(_t336 !=  &_v1784) {
								_push(0xffffffff);
								_push(0);
								E00407B10(_t1043, _t1193, _t1226,  &_v1784);
							}
							_t341 = _v1748 + 4; // 0x4
							_t1254 =  &_v1748 +  *_t341;
							 *((intOrPtr*)( &_v1748 +  *_t341)) = GetLastError();
							L0045A7D5(_v1760);
							_t1296 = _t1296 + 4;
							 *_t1043(_v1752);
							if(_v1764 >= 8) {
								 *_t1043(_v1784);
							}
							_t1044 = SetLastError;
							_v1784 = 0;
							_t980 = _v1788;
							_v1764 = 7;
							_v1768 = 0;
							_t350 = _t980 + 4; // 0x2c
							SetLastError( *(_t1288 +  *_t350 - 0x6f8));
						}
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "POS");
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						_v1744 = GetLastError();
						_t1222 =  !=  ? _v2152 : 0x4c2d7c;
						_v8 = 0x12;
						_v1764 = 7;
						_v1768 = 0;
						_v1784 = 0;
						if( *0x4c2d7c != 0) {
							_t1114 = 0x4c2d7c;
							_t364 = _t1114 + 2; // 0x4c2d7e
							_t1254 = _t364;
							do {
								_t794 =  *_t1114;
								_t1114 = _t1114 + 2;
								__eflags = _t794;
							} while (_t794 != 0);
							_t1115 = _t1114 - _t1254;
							__eflags = _t1115;
							_t1116 = _t1115 >> 1;
						} else {
							_t1116 = 0;
						}
						_push(_t1116);
						_push(_t1222);
						E00406EB0(_t1044,  &_v1784, _t1226, _t1254);
						_t796 = _v1748;
						_v1760 = 0;
						_v1756 = 0;
						_v1752 = 0;
						_t370 = _t796 + 4; // 0x4
						SetLastError( *(_t1288 +  *_t370 - 0x6d0));
						_v8 = 0x13;
						_t1045 = E00490850(_v2148, _t1222);
						_t799 = _v1760;
						_t1255 = 2 + _v1768 * 2;
						_t1120 = _v1756;
						if(_t1255 >= _v1756 || _t799 == 0) {
							L0045A7D5(_t799);
							_t1258 = (_t1255 >> 6) + 1 << 6;
							_push(_t1258);
							_v1756 = _t1258;
							_t799 = E00459ADF(_t1045, _t1222, _t1226, _t1258);
							_t1120 = _v1756;
							_t1296 = _t1296 + 8;
							_v1760 = _t799;
						}
						E0048DE60( &_v1788, _t799, _t1120, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t1045);
						_t389 = _v1748 + 4; // 0x4
						_v8 = 3;
						 *((intOrPtr*)( &_v1748 +  *_t389)) = GetLastError();
						L0045A7D5(_v1760);
						_t1046 = __imp__#6;
						_t1297 = _t1296 + 4;
						 *_t1046(_v1752);
						if(_v1764 >= 8) {
							 *_t1046(_v1784);
						}
						_v1784 = 0;
						_t811 = _v1788;
						_v1764 = 7;
						_v1768 = 0;
						_t399 = _t811 + 4; // 0x2c
						SetLastError( *(_t1288 +  *_t399 - 0x6f8));
						_t403 = _t1226 + 0x68; // 0x68
						_t1261 = _t403;
						_t404 = _t1226 + 0x64; // 0x64
						_t1047 = _t404;
						 *_t1261 = 0xffffffff;
						 *_t1047 = 0xffffffff;
						_t814 = lstrcmpA( &_v1220, 0x4c2bd0);
						_t1346 = _t814;
						if(_t814 != 0) {
							_push(_t1261);
							_push(_t1047);
							_t1297 = _t1297 - 0x30;
							E00485E90(_t1297,  &_v1220,  &_v2167, 1);
							E00490020(_t1222, _t1346);
						}
						 *(_t1226 + 0x78) = 0;
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "OPT");
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						E00403FB0(_v2152,  &_v2125, 0);
						_v8 = 0x14;
						_t1048 = E00490850(_v2148, _t1222);
						_t823 = _v1760;
						_t1262 = 2 + _v1768 * 2;
						_t1125 = _v1756;
						if(_t1262 >= _v1756 || _t823 == 0) {
							L0045A7D5(_t823);
							_t1265 = (_t1262 >> 6) + 1 << 6;
							_push(_t1265);
							_v1756 = _t1265;
							_t823 = E00459ADF(_t1048, _t1222, _t1226, _t1265);
							_t1125 = _v1756;
							_t1297 = _t1297 + 8;
							_v1760 = _t823;
						}
						E0048DE60( &_v1788, _t823, _t1125, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t1048);
						_v8 = 3;
						E00401AC0( &_v1788);
						if(lstrcmpA( &_v1220, 0x4c2bd0) != 0) {
							_t436 = _t1226 + 0x78; // 0x78
							_t832 = _t436;
							_push(_t832);
							_t1297 = _t1297 - 0x30;
							 *_t832 = 2;
							E00485E90(_t1297,  &_v1220,  &_v2176, 1);
							E0048FE10(_t1222, __eflags);
						} else {
							 *(_t1226 + 0x78) = _v2196;
						}
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "TRNSPRNTCLR");
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						E00403FB0(_v2152,  &_v2125, 0);
						_v8 = 0x15;
						_t1049 = E00490850(_v2148, _t1222);
						_t845 = _v1760;
						_t1266 = 2 + _v1768 * 2;
						_t1133 = _v1756;
						if(_t1266 >= _v1756 || _t845 == 0) {
							L0045A7D5(_t845);
							_t1269 = (_t1266 >> 6) + 1 << 6;
							_push(_t1269);
							_v1756 = _t1269;
							_t845 = E00459ADF(_t1049, _t1222, _t1226, _t1269);
							_t1133 = _v1756;
							_t1297 = _t1297 + 8;
							_v1760 = _t845;
						}
						E0048DE60( &_v1788, _t845, _t1133, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t1049);
						_v8 = 3;
						E00401AC0( &_v1788);
						if(lstrcmpA( &_v1220, 0x4c2bd0) != 0) {
							_t467 = _t1226 + 0x6c; // 0x6c
							_t854 = _t467;
							_push(_t854);
							_t1297 = _t1297 - 0x30;
							 *_t854 = 0x808080;
							E00485E90(_t1297,  &_v1220,  &_v2174, 1);
							E0048FCA0(_t1222);
						} else {
							 *((intOrPtr*)(_t1226 + 0x6c)) = _v2188;
						}
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "TXTCLR");
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						E00403FB0(_v2152,  &_v2125, 0);
						_v8 = 0x16;
						_t1050 = E00490850(_v2148, _t1222);
						_t867 = _v1760;
						_t1270 = 2 + _v1768 * 2;
						_t1141 = _v1756;
						if(_t1270 >= _v1756 || _t867 == 0) {
							L0045A7D5(_t867);
							_t1273 = (_t1270 >> 6) + 1 << 6;
							_push(_t1273);
							_v1756 = _t1273;
							_t867 = E00459ADF(_t1050, _t1222, _t1226, _t1273);
							_t1141 = _v1756;
							_t1297 = _t1297 + 8;
							_v1760 = _t867;
						}
						E0048DE60( &_v1788, _t867, _t1141, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t1050);
						_v8 = 3;
						E00401AC0( &_v1788);
						if(lstrcmpA( &_v1220, 0x4c2bd0) != 0) {
							_t498 = _t1226 + 0x70; // 0x70
							_t1274 = _t498;
							_t876 = GetSysColor(8);
							_push(_t1274);
							_t1297 = _t1297 - 0x30;
							 *_t1274 = _t876;
							E00485E90(_t1297,  &_v1220,  &_v2165, 1);
							E0048FCA0(_t1222);
						} else {
							 *(_t1226 + 0x70) = _v2192;
						}
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "DISTXTCLR");
						_v1788 = 0x4c2f50;
						_v1748 = 0x4c3454;
						E00403FB0(_v2152,  &_v2125, 0);
						_v8 = 0x17;
						_t1051 = E00490850(_v2148, _t1222);
						_t889 = _v1760;
						_t1275 = 2 + _v1768 * 2;
						_t1149 = _v1756;
						if(_t1275 >= _v1756 || _t889 == 0) {
							L0045A7D5(_t889);
							_t1278 = (_t1275 >> 6) + 1 << 6;
							_push(_t1278);
							_v1756 = _t1278;
							_t889 = E00459ADF(_t1051, _t1222, _t1226, _t1278);
							_t1149 = _v1756;
							_t1297 = _t1297 + 8;
							_v1760 = _t889;
						}
						E0048DE60( &_v1788, _t889, _t1149, 3);
						GetPrivateProfileStringA(_v1760,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t1051);
						_v8 = 3;
						E00401AC0( &_v1788);
						if(lstrcmpA( &_v1220, 0x4c2bd0) != 0) {
							_t529 = _t1226 + 0x74; // 0x74
							_t1279 = _t529;
							_t898 = GetSysColor(0x11);
							_push(_t1279);
							_t1297 = _t1297 - 0x30;
							 *_t1279 = _t898;
							E00485E90(_t1297,  &_v1220,  &_v2173, 1);
							E0048FCA0(_t1222);
						} else {
							 *(_t1226 + 0x74) = _v2200;
						}
						_t534 = _t1226 + 0x78; // 0x78
						_t1052 = _t534;
						wsprintfA( &_v1220, "%x",  *(_t1226 + 0x78));
						_t536 = _t1226 + 8; // 0x8
						_t1280 = _t536;
						_t1298 = _t1297 + 0xc;
						if( *((intOrPtr*)(_t1280 + 0x14)) < 8) {
							_t905 = _t1280;
						} else {
							_t905 =  *_t1280;
						}
						E00403FB0(_t905,  &_v2125, 1);
						_v8 = 0x18;
						E00485E90( &_v2124,  &_v1220,  &_v2175, 1);
						_v8 = 0x19;
						E00407F60(_t1052,  &_v1928, _t1226, _t1280,  &_v2120, 0, 0xffffffff);
						_v8 = 0x18;
						E00401AC0( &_v2124);
						E0048FAC0(_v2160,  &_v2132,  &_v1932);
						_t916 = _v2132;
						_t1364 = _t916 -  *_v2160;
						if(_t916 !=  *_v2160) {
							 *((intOrPtr*)(_t1226 + 0x7c)) =  *((intOrPtr*)(_t916 + 0x40));
						} else {
							_push(0xc);
							_t950 = E0045C169(_t1052, _t1222, _t1226, _t1364);
							_t1298 = _t1298 + 4;
							_v2144 = _t950;
							_v8 = 0x1a;
							_t1365 = _t950;
							if(_t950 == 0) {
								_t951 = 0;
								__eflags = 0;
							} else {
								_t951 = E004862F0(_t1052, _t950, _t1222, _t1226, _t1365);
							}
							 *((intOrPtr*)(_t1226 + 0x7c)) = _t951;
							_t1366 =  *((intOrPtr*)(_t1280 + 0x14)) - 8;
							_v8 = 0x18;
							if( *((intOrPtr*)(_t1280 + 0x14)) >= 8) {
								_t1280 =  *_t1280;
							}
							_push(1);
							_push( &_v2125);
							_push(_t1280);
							E00408F6D(_t1052,  &_v1788, _t1226, _t1280, _t1366);
							_v8 = 0x1b;
							_t955 = E00487E20(_v2140 + 0x38,  &_v1788);
							_v8 = 0x18;
							E00401B80( &_v1788);
							_t569 = _t1226 + 4; // 0x4
							_t570 = _t1226 + 0x6c; // 0x6c
							E00490930( *((intOrPtr*)(_t1226 + 0x7c)), _t1222, _t1366, _t570, _t1052, _t569,  *((intOrPtr*)( *_t955)),  *((intOrPtr*)( *_t955 + 4)));
							 *((intOrPtr*)(E00487C60(_v2160,  &_v1932))) =  *((intOrPtr*)(_t1226 + 0x7c));
						}
						wsprintfA( &_v1220, "%x",  *_t1052);
						_t577 = _t1226 + 0x38; // 0x38
						_t1281 = _t577;
						_t1291 = _t1298 + 0xc;
						if( *((intOrPtr*)(_t1281 + 0x14)) < 8) {
							_t920 = _t1281;
						} else {
							_t920 =  *_t1281;
						}
						_t1214 =  !=  ? _t920 : 0x4c2d7c;
						if( *0x4c2d7c != 0) {
							_t1161 = 0x4c2d7c;
							_t579 = _t1161 + 2; // 0x4c2d7e
							_t1053 = _t579;
							do {
								_t921 =  *_t1161;
								_t1161 = _t1161 + 2;
								__eflags = _t921;
							} while (_t921 != 0);
							_t1162 = _t1161 - _t1053;
							__eflags = _t1162;
							_t1163 = _t1162 >> 1;
							_t580 = _t1226 + 0x78; // 0x78
							_t1052 = _t580;
						} else {
							_t1163 = 0;
						}
						_push(_t1163);
						_push(_t1214);
						E00406EB0(_t1052,  &_v1928, _t1226, _t1281);
						E00485E90( &_v2076,  &_v1220,  &_v2166, 1);
						_v8 = 0x1c;
						E00407F60(_t1052,  &_v1928, _t1226, _t1281,  &_v2072, 0, 0xffffffff);
						_v8 = 0x18;
						E00401AC0( &_v2076);
						_t932 =  *(E0048FAC0(_v2160,  &_v2204,  &_v1932));
						_v2132 = _t932;
						_t1370 = _t932 -  *_v2160;
						if(_t932 !=  *_v2160) {
							 *((intOrPtr*)(_t1226 + 0x80)) =  *((intOrPtr*)(_t932 + 0x40));
						} else {
							_push(0xc);
							_t938 = E0045C169(_t1052, _t1214, _t1226, _t1370);
							_t1291 = _t1291 + 4;
							_v2144 = _t938;
							_v8 = 0x1d;
							_t1371 = _t938;
							if(_t938 == 0) {
								_t939 = 0;
								__eflags = 0;
							} else {
								_t939 = E004862F0(_t1052, _t938, _t1214, _t1226, _t1371);
							}
							 *((intOrPtr*)(_t1226 + 0x80)) = _t939;
							_t1372 =  *((intOrPtr*)(_t1281 + 0x14)) - 8;
							_v8 = 0x18;
							if( *((intOrPtr*)(_t1281 + 0x14)) >= 8) {
								_t1281 =  *_t1281;
							}
							_push(1);
							_push( &_v2125);
							_push(_t1281);
							E00408F6D(_t1052,  &_v1980, _t1226, _t1281, _t1372);
							_v8 = 0x1e;
							_t943 = E00487E20(_v2140 + 0x38,  &_v1980);
							_v8 = 0x18;
							E00401B80( &_v1980);
							_t610 = _t1226 + 0x34; // 0x34
							_t611 = _t1226 + 0x6c; // 0x6c
							E00490930( *((intOrPtr*)(_t1226 + 0x80)), _t1214, _t1372, _t611, _t1052, _t610,  *((intOrPtr*)( *_t943)),  *((intOrPtr*)( *_t943 + 4)));
							 *((intOrPtr*)(E00487C60(_v2160,  &_v1932))) =  *((intOrPtr*)(_t1226 + 0x80));
						}
						 *((intOrPtr*)(E00487990(_v2156, _t1226))) = _t1226;
						_v8 = 3;
						E00401AC0( &_v1932);
						_t1034 = GetLastError;
						_t1235 = lstrcpyA;
						_t937 = _v2164 + 1;
						_v2164 = _t937;
					} while (_t937 <= _v2184);
				}
				E00401AC0( &_v1884);
				E00401AC0( &_v1836);
				E00401AC0( &_v2028);
				 *[fs:0x0] = _v16;
				_pop(_t1227);
				_pop(_t1236);
				_pop(_t1035);
				return E0045A457(_t1035, _v20 ^ _t1288, _t1214, _t1227, _t1236);
			}

0x00490b40
0x00490b43
0x00490b45
0x00490b50
0x00490b51
0x00490b57
0x00490b5c
0x00490b5e
0x00490b64
0x00490b68
0x00490b70
0x00490b79
0x00490b7c
0x00490b91
0x00490b9c
0x00490ba6
0x00490bb0
0x00490bb6
0x00490bc0
0x00490bc7
0x00490bd8
0x00490bda
0x00490be0
0x00490be7
0x00490bef
0x00490bf6
0x00490bff
0x00490c02
0x00490c03
0x00490c09
0x00490c0e
0x00490c14
0x00490c17
0x00490c17
0x00490c27
0x00490c46
0x00490c4c
0x00490c53
0x00490c63
0x00490c6a
0x00490c77
0x00490c7b
0x00490c8e
0x00490c95
0x00490ca8
0x00490caf
0x00490cc2
0x00490cc9
0x00490cd4
0x00490cd9
0x00490cdd
0x00490cef
0x00490cf4
0x00490cfa
0x00490d01
0x00490d0b
0x00490d1d
0x00490d25
0x00490d2c
0x00490d32
0x00490d38
0x00490d3e
0x00490d44
0x00490d4e
0x00490d58
0x00490d62
0x00490d64
0x00490d6e
0x00490d7a
0x00490d80
0x00490d8c
0x00490d93
0x00490d99
0x00490d9f
0x00490da5
0x00490dab
0x00490db5
0x00490dbf
0x00490dd0
0x00490dd4
0x00490dd9
0x00490dde
0x00490df4
0x00490df9
0x00490dff
0x00490e10
0x00490e10
0x00000000
0x00490e01
0x00490e01
0x00490e0c
0x00490e12
0x00490e12
0x00490e1d
0x00490e1d
0x00490e0c
0x00490e28
0x00490e2c
0x00490e41
0x00490e46
0x00490e4c
0x00490e5d
0x00490e5d
0x00000000
0x00490e4e
0x00490e4e
0x00490e59
0x00490e5f
0x00490e5f
0x00490e6a
0x00490e6a
0x00490e59
0x00490e75
0x00490e79
0x00490e79
0x00490e7e
0x00490e9a
0x00490fa9
0x00490fa9
0x00490ea0
0x00490ea0
0x00490ebc
0x00000000
0x00490ec2
0x00490ec2
0x00490ec9
0x00490f23
0x00000000
0x00490ecb
0x00490ede
0x00490ee3
0x00490ee6
0x00490ef7
0x00490efb
0x00490f06
0x00490f0a
0x00490f0f
0x00490f18
0x00490f29
0x00490f3d
0x00490f4c
0x00490f55
0x00490f5d
0x00490f61
0x00490f1a
0x00490f1a
0x00490f1f
0x00000000
0x00490f21
0x00490f1f
0x00490f18
0x00490f6f
0x00490f79
0x00490f8a
0x00490fa5
0x00490fa5
0x00490ebc
0x00490fbc
0x00490fd0
0x00490fd5
0x00490fe3
0x00490ff2
0x00491013
0x00491022
0x0049103c
0x00491049
0x00491063
0x00491070
0x0049108a
0x00491097
0x004910a1
0x004910a6
0x004910af
0x004910bc
0x004910c2
0x004910cb
0x004910d1
0x004910d1
0x004910d6
0x004910db
0x004910e0
0x004910ed
0x004910ed
0x004910e2
0x004910e9
0x004910e9
0x004910fb
0x0049110c
0x00491111
0x0049111c
0x00491122
0x0049112c
0x00491138
0x0049114b
0x00491150
0x00491154
0x0049115e
0x00491168
0x00491172
0x00491178
0x0049117a
0x0049117a
0x00491180
0x00491180
0x00491183
0x00491186
0x00491186
0x0049118b
0x0049118b
0x0049118d
0x00491174
0x00491174
0x00491174
0x0049118f
0x00491190
0x00491197
0x0049119c
0x004911a2
0x004911ac
0x004911b6
0x004911c0
0x004911ca
0x004911d6
0x004911e5
0x004911e7
0x004911ed
0x004911f4
0x004911fc
0x00491203
0x0049120c
0x0049120f
0x00491210
0x00491216
0x0049121b
0x00491221
0x00491224
0x00491224
0x00491234
0x0049124f
0x0049125d
0x00491260
0x00491264
0x0049126c
0x00491274
0x00491279
0x0049127f
0x00491288
0x00491291
0x00491299
0x00491299
0x0049129d
0x004912a4
0x004912aa
0x004912b4
0x004912be
0x004912c8
0x004912d9
0x004912e8
0x004912fa
0x004912fd
0x00491302
0x00491304
0x0049130a
0x00491314
0x00491324
0x00491337
0x0049133c
0x00491340
0x0049134a
0x00491354
0x0049135e
0x00491364
0x00491366
0x00491366
0x00491370
0x00491370
0x00491373
0x00491376
0x00491376
0x0049137b
0x0049137b
0x0049137d
0x00491360
0x00491360
0x00491360
0x0049137f
0x00491380
0x00491387
0x0049138c
0x00491392
0x0049139c
0x004913a6
0x004913b0
0x004913ba
0x004913c6
0x004913d1
0x004913dc
0x004913e4
0x004913ed
0x004913f3
0x004913fa
0x00491402
0x00491409
0x00491412
0x00491415
0x00491416
0x0049141c
0x00491421
0x00491427
0x0049142a
0x0049142a
0x0049143a
0x0049145a
0x0049146c
0x0049146f
0x00491477
0x0049147f
0x00491484
0x0049148a
0x00491493
0x0049149c
0x004914a4
0x004914a4
0x004914a8
0x004914af
0x004914b5
0x004914bf
0x004914c9
0x004914d3
0x004914df
0x004914e3
0x004914e8
0x004914ec
0x004914f2
0x004914fa
0x00491501
0x00491508
0x00491512
0x0049151c
0x00491521
0x00491521
0x0049152a
0x00491530
0x00491532
0x00491534
0x00491537
0x00491537
0x00491548
0x0049154b
0x0049154f
0x00491557
0x0049155f
0x00491564
0x0049156d
0x00491576
0x0049157e
0x0049157e
0x00491582
0x00491589
0x0049158f
0x00491599
0x004915a3
0x004915ad
0x004915ad
0x004915be
0x004915cd
0x004915df
0x004915e2
0x004915e7
0x004915e9
0x004915ef
0x004915f9
0x00491609
0x0049161c
0x00491621
0x00491625
0x0049162f
0x00491639
0x00491643
0x00491649
0x0049164b
0x0049164b
0x00491650
0x00491650
0x00491653
0x00491656
0x00491656
0x0049165b
0x0049165b
0x0049165d
0x00491645
0x00491645
0x00491645
0x0049165f
0x00491660
0x00491667
0x0049166c
0x00491672
0x0049167c
0x00491686
0x00491690
0x0049169a
0x004916a6
0x004916b1
0x004916bc
0x004916c4
0x004916cd
0x004916d3
0x004916da
0x004916e2
0x004916e9
0x004916f2
0x004916f5
0x004916f6
0x004916fc
0x00491701
0x00491707
0x0049170a
0x0049170a
0x0049171a
0x0049173a
0x0049174c
0x0049174f
0x00491757
0x0049175f
0x00491764
0x0049176a
0x00491773
0x0049177c
0x00491784
0x00491784
0x00491788
0x0049178f
0x00491795
0x0049179f
0x004917a9
0x004917b3
0x004917bf
0x004917c3
0x004917c8
0x004917cc
0x00491893
0x004917d2
0x004917d2
0x004917da
0x004917e1
0x004917e8
0x004917f2
0x004917fc
0x00491801
0x00491801
0x0049180a
0x00491810
0x00491812
0x00491814
0x00491817
0x00491817
0x00491828
0x0049182b
0x00491833
0x0049183b
0x00491840
0x00491849
0x00491852
0x0049185a
0x0049185a
0x0049185c
0x00491864
0x0049186b
0x00491871
0x0049187b
0x00491885
0x0049188f
0x0049188f
0x004918a4
0x004918b3
0x004918b9
0x004918c3
0x004918d3
0x004918e6
0x004918eb
0x004918ef
0x004918f9
0x00491903
0x0049190d
0x00491913
0x00491915
0x00491915
0x00491920
0x00491920
0x00491923
0x00491926
0x00491926
0x0049192b
0x0049192b
0x0049192d
0x0049190f
0x0049190f
0x0049190f
0x0049192f
0x00491930
0x00491937
0x0049193c
0x00491942
0x0049194c
0x00491956
0x00491960
0x0049196a
0x00491972
0x00491981
0x00491983
0x00491989
0x00491990
0x00491998
0x0049199f
0x004919a8
0x004919ab
0x004919ac
0x004919b2
0x004919b7
0x004919bd
0x004919c0
0x004919c0
0x004919d0
0x004919f1
0x00491a03
0x00491a06
0x00491a12
0x00491a1a
0x00491a1f
0x00491a25
0x00491a2e
0x00491a37
0x00491a3f
0x00491a3f
0x00491a43
0x00491a4a
0x00491a50
0x00491a5a
0x00491a64
0x00491a6e
0x00491a7f
0x00491a7f
0x00491a82
0x00491a82
0x00491a86
0x00491a8c
0x00491a92
0x00491a98
0x00491a9a
0x00491a9c
0x00491a9d
0x00491a9e
0x00491ab3
0x00491abe
0x00491abe
0x00491ace
0x00491ad5
0x00491ae4
0x00491aff
0x00491b09
0x00491b13
0x00491b1e
0x00491b2d
0x00491b2f
0x00491b35
0x00491b3c
0x00491b44
0x00491b4b
0x00491b54
0x00491b57
0x00491b58
0x00491b5e
0x00491b63
0x00491b69
0x00491b6c
0x00491b6c
0x00491b7c
0x00491b9d
0x00491ba9
0x00491bad
0x00491bc6
0x00491bd3
0x00491bd3
0x00491bd6
0x00491bd7
0x00491bdc
0x00491bf2
0x00491bfd
0x00491bc8
0x00491bce
0x00491bce
0x00491c0d
0x00491c1c
0x00491c37
0x00491c41
0x00491c4b
0x00491c56
0x00491c65
0x00491c67
0x00491c6d
0x00491c74
0x00491c7c
0x00491c83
0x00491c8c
0x00491c8f
0x00491c90
0x00491c96
0x00491c9b
0x00491ca1
0x00491ca4
0x00491ca4
0x00491cb4
0x00491cd5
0x00491ce1
0x00491ce5
0x00491cfe
0x00491d0b
0x00491d0b
0x00491d0e
0x00491d0f
0x00491d14
0x00491d2a
0x00491d35
0x00491d00
0x00491d06
0x00491d06
0x00491d45
0x00491d54
0x00491d6f
0x00491d79
0x00491d83
0x00491d8e
0x00491d9d
0x00491d9f
0x00491da5
0x00491dac
0x00491db4
0x00491dbb
0x00491dc4
0x00491dc7
0x00491dc8
0x00491dce
0x00491dd3
0x00491dd9
0x00491ddc
0x00491ddc
0x00491dec
0x00491e0d
0x00491e19
0x00491e1d
0x00491e36
0x00491e45
0x00491e45
0x00491e48
0x00491e4e
0x00491e4f
0x00491e54
0x00491e66
0x00491e71
0x00491e38
0x00491e3e
0x00491e3e
0x00491e81
0x00491e90
0x00491eab
0x00491eb5
0x00491ebf
0x00491eca
0x00491ed9
0x00491edb
0x00491ee1
0x00491ee8
0x00491ef0
0x00491ef7
0x00491f00
0x00491f03
0x00491f04
0x00491f0a
0x00491f0f
0x00491f15
0x00491f18
0x00491f18
0x00491f28
0x00491f49
0x00491f55
0x00491f59
0x00491f72
0x00491f81
0x00491f81
0x00491f84
0x00491f8a
0x00491f8b
0x00491f90
0x00491fa2
0x00491fad
0x00491f74
0x00491f7a
0x00491f7a
0x00491fb5
0x00491fb5
0x00491fc4
0x00491fca
0x00491fca
0x00491fcd
0x00491fd4
0x00491fda
0x00491fd6
0x00491fd6
0x00491fd6
0x00491fec
0x00492007
0x0049200b
0x00492021
0x00492025
0x00492030
0x00492034
0x0049204d
0x00492058
0x0049205e
0x00492060
0x00492109
0x00492066
0x00492066
0x00492068
0x0049206d
0x00492070
0x00492076
0x0049207a
0x0049207c
0x00492087
0x00492087
0x0049207e
0x00492080
0x00492080
0x00492089
0x0049208c
0x00492090
0x00492094
0x00492096
0x00492096
0x00492098
0x004920a0
0x004920a1
0x004920a8
0x004920bd
0x004920c1
0x004920ce
0x004920d2
0x004920df
0x004920e4
0x004920e8
0x00492102
0x00492102
0x0049211a
0x00492120
0x00492120
0x00492123
0x0049212a
0x00492130
0x0049212c
0x0049212c
0x0049212c
0x00492139
0x00492140
0x00492146
0x00492148
0x00492148
0x00492150
0x00492150
0x00492153
0x00492156
0x00492156
0x0049215b
0x0049215b
0x0049215d
0x0049215f
0x0049215f
0x00492142
0x00492142
0x00492142
0x00492162
0x00492163
0x0049216a
0x00492185
0x0049219b
0x0049219f
0x004921aa
0x004921ae
0x004921cc
0x004921d4
0x004921da
0x004921dc
0x0049228e
0x004921e2
0x004921e2
0x004921e4
0x004921e9
0x004921ec
0x004921f2
0x004921f6
0x004921f8
0x00492203
0x00492203
0x004921fa
0x004921fc
0x004921fc
0x00492205
0x0049220b
0x0049220f
0x00492213
0x00492215
0x00492215
0x00492217
0x0049221f
0x00492220
0x00492227
0x0049223c
0x00492240
0x0049224d
0x00492251
0x00492261
0x00492266
0x0049226a
0x00492287
0x00492287
0x004922a6
0x004922a8
0x004922ac
0x004922b7
0x004922bd
0x004922c3
0x004922c4
0x004922ca
0x004910d1
0x004922dc
0x004922e7
0x004922f2
0x004922fa
0x00492302
0x00492303
0x00492304
0x00492312

APIs

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE

GetPrivateProfileIntA.KERNEL32 ref: 00490C3A
_memset.LIBCMT ref: 00490C6A
_memset.LIBCMT ref: 00490C7B
_memset.LIBCMT ref: 00490C95
_memset.LIBCMT ref: 00490CAF
_memset.LIBCMT ref: 00490CC9
GetSysColor.USER32(00000008), ref: 00490CD9
GetSysColor.USER32(00000011), ref: 00490CDD
GetLastError.KERNEL32 ref: 00490D15
SetLastError.KERNEL32(004C2FA8), ref: 00490D62
GetLastError.KERNEL32 ref: 00490D78
SetLastError.KERNEL32(004C2FA8), ref: 00490DBF

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

lstrcpyA.KERNEL32(00000000,00000000,?,00000000,00000000,ALL,00000003,004B1A74,00000000,00000001), ref: 00490FE3
lstrcpyA.KERNEL32(00000000,00000000,00000000), ref: 00491013

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

lstrcpyA.KERNEL32(00000000,BUTTON,00000000), ref: 004910FB
__itow.LIBCMT ref: 0049110C
lstrcatA.KERNEL32(00000000,00000000), ref: 0049111C
GetLastError.KERNEL32 ref: 00491136
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 004911CA
GetPrivateProfileIntA.KERNEL32 ref: 00491249
GetLastError.KERNEL32 ref: 00491266
SysFreeString.OLEAUT32(00000000), ref: 00491288
SysFreeString.OLEAUT32(?), ref: 00491299

Part of subcall function 00486570: GetLastError.KERNEL32(00000000,00492C07,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 00486581
Part of subcall function 00486570: SetLastError.KERNEL32(53746547,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865B1
Part of subcall function 00486570: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865C5
Part of subcall function 00486570: SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865F5

SetLastError.KERNEL32(004C2F50), ref: 004912C8
lstrcpyA.KERNEL32(00000000,00000000), ref: 004912D9
lstrcatA.KERNEL32(00000000,004BCD28), ref: 004912E8
GetLastError.KERNEL32(?,00000104), ref: 0049131E
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 004913BA
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000104,?), ref: 0049145A
GetLastError.KERNEL32 ref: 00491471
SysFreeString.OLEAUT32(00000000), ref: 00491493
SysFreeString.OLEAUT32(?), ref: 004914A4
SetLastError.KERNEL32(004C2F50), ref: 004914D3
GetLastError.KERNEL32(00000000,?,00000000), ref: 00491551
SysFreeString.OLEAUT32(00000000), ref: 0049156D
SysFreeString.OLEAUT32(?), ref: 0049157E
SetLastError.KERNEL32(004AE964), ref: 004915AD
lstrcpyA.KERNEL32(00000000,00000000), ref: 004915BE
lstrcatA.KERNEL32(00000000,DOWN), ref: 004915CD
GetLastError.KERNEL32(?,00000104), ref: 00491603
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049169A
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000104,?), ref: 0049173A
GetLastError.KERNEL32 ref: 00491751
SysFreeString.OLEAUT32(00000000), ref: 00491773
SysFreeString.OLEAUT32(?), ref: 00491784
SetLastError.KERNEL32(004C2F50), ref: 004917B3
GetLastError.KERNEL32(00000000,?,00000000), ref: 0049182D
SysFreeString.OLEAUT32(00000000), ref: 00491849
SysFreeString.OLEAUT32(?), ref: 0049185A
SetLastError.KERNEL32(004AE964), ref: 0049188F
lstrcpyA.KERNEL32(00000000,00000000), ref: 004918A4
lstrcatA.KERNEL32(00000000,POS), ref: 004918B3
GetLastError.KERNEL32 ref: 004918CD
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049196A
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 004919F1
GetLastError.KERNEL32 ref: 00491A0C
SysFreeString.OLEAUT32(00000000), ref: 00491A2E
SysFreeString.OLEAUT32(?), ref: 00491A3F
SetLastError.KERNEL32(004C2F50), ref: 00491A6E
lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491A92
lstrcpyA.KERNEL32(00000000,00000000), ref: 00491AD5
lstrcatA.KERNEL32(00000000,OPT), ref: 00491AE4
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491B9D
lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491BBE

Part of subcall function 00485E90: GetLastError.KERNEL32(9518852C,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D

Part of subcall function 0048FE10: GetLastError.KERNEL32(004B16A4,00000001,00000001,?,?,76E3D5B0,00000000,?,?,?,?,?,?,00000000,004AB660,000000FF), ref: 0048FF96
Part of subcall function 0048FE10: SysFreeString.OLEAUT32(004AB660), ref: 0048FFB2
Part of subcall function 0048FE10: SysFreeString.OLEAUT32(00000000), ref: 0048FFBD
Part of subcall function 0048FE10: SetLastError.KERNEL32(76E3D5B0,?,?,?,76E3D5B0,00000000), ref: 0048FFDD

lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491C0D
lstrcatA.KERNEL32(00000000,TRNSPRNTCLR,?,?,?,?,?,?,?,?,?,?,?,00000078), ref: 00491C1C
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491CD5
lstrcmpA.KERNEL32(00000000,004C2BD0,?,?,?,?,?,?,?,?,?,?,?,?,?,00000078), ref: 00491CF6
lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491D45
lstrcatA.KERNEL32(00000000,TXTCLR,?,?,?,?,?,?,?,?,?,?,?,0000006C), ref: 00491D54
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491E0D
lstrcmpA.KERNEL32(00000000,004C2BD0,?,?,?,?,?,?,?,?,?,?,?,?,?,0000006C), ref: 00491E2E
GetSysColor.USER32(00000008), ref: 00491E48
lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00491E81
lstrcatA.KERNEL32(00000000,DISTXTCLR), ref: 00491E90
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00491F49
lstrcmpA.KERNEL32(00000000,004C2BD0), ref: 00491F6A
GetSysColor.USER32(00000011), ref: 00491F84

Part of subcall function 00407F60: _memmove.LIBCMT ref: 00408015

wsprintfA.USER32 ref: 00491FC4
wsprintfA.USER32 ref: 0049211A

Part of subcall function 0045C169: std::exception::exception.LIBCMT ref: 0045C19D
Part of subcall function 0045C169: __CxxThrowException@8.LIBCMT ref: 0045C1B2

Part of subcall function 004862F0: _memset.LIBCMT ref: 00486301
Part of subcall function 004862F0: _memset.LIBCMT ref: 00486315

Strings

OPT, xrefs: 00491ADB
lJ, xrefs: 00490B40
|-L, xrefs: 00492134
|-L, xrefs: 004918E1
|-L, xrefs: 00491332
x/L, xrefs: 00490D64
DOWN, xrefs: 004915C4
|-L, xrefs: 00491146
DISTXTCLR, xrefs: 00491E87
BUTTONS, xrefs: 00490C2F
BUTTON, xrefs: 004910EF
TRNSPRNTCLR, xrefs: 00491C13
|-L, xrefs: 00491617
P/L, xrefs: 00491EAB
T4L, xrefs: 00491EB5
ALL, xrefs: 00490E80, 00490EA2, 00490ED8, 00490F32
x/L, xrefs: 00490D01
|-L, xrefs: 00490B8A
TXTCLR, xrefs: 00491D4B
POS, xrefs: 004918AA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$lstrcpy$PrivateProfile$lstrcat$_memset$lstrcmp$Color$ByteCharMultiWidewsprintf$Exception@8Throw__itow_malloc_memmovestd::exception::exception
String ID: ALL$BUTTON$BUTTONS$DISTXTCLR$DOWN$OPT$P/L$POS$T4L$TRNSPRNTCLR$TXTCLR$lJ$x/L$x/L$|-L$|-L$|-L$|-L$|-L$|-L
API String ID: 1098502464-2208858857
Opcode ID: 74dddf9f12f0a130c5b723eff300c0e75ddb6c5f86d3b8ba138a34ced113496b
Instruction ID: d90ebabf519ae0549fa234705d987d1b988953ce10c5817453ccb74728b57cef
Opcode Fuzzy Hash: 74dddf9f12f0a130c5b723eff300c0e75ddb6c5f86d3b8ba138a34ced113496b
Instruction Fuzzy Hash: E2E25871E0022A9FDF60DB61DC44BDEBBB9BB44304F0041EAE509A3291DB75AE94CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00493630, Relevance: 139.2, APIs: 62, Strings: 17, Instructions: 923
stringCOMMONCrypto

Download Yara Rule

C-Code - Quality: 65%

			E00493630(short __ecx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v119;
				char _v120;
				char _v219;
				char _v220;
				char _v1219;
				char _v1220;
				long _v1224;
				char _v1228;
				int _v1232;
				int _v1236;
				CHAR* _v1240;
				int _v1244;
				signed int _v1248;
				short _v1264;
				char _v1268;
				long _v1272;
				char _v1276;
				int _v1280;
				int _v1284;
				int _v1288;
				intOrPtr _v1292;
				int _v1296;
				short _v1312;
				char _v1316;
				char _v1324;
				intOrPtr _v1328;
				intOrPtr _v1336;
				intOrPtr _v1340;
				int _v1344;
				short _v1360;
				char _v1364;
				short _v1368;
				char _v1369;
				CHAR* _v1376;
				char _v1380;
				intOrPtr _v1384;
				intOrPtr* _v1388;
				char _v1389;
				char _v1390;
				char _v1391;
				char _v1396;
				intOrPtr _v1400;
				intOrPtr _v1404;
				char _v1408;
				char _v1420;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t405;
				signed int _t406;
				intOrPtr _t408;
				CHAR* _t412;
				CHAR* _t429;
				signed int _t437;
				char _t439;
				CHAR* _t443;
				char _t448;
				char _t454;
				signed int _t465;
				char _t467;
				CHAR* _t470;
				char _t476;
				char _t482;
				int* _t484;
				signed int _t497;
				char _t499;
				CHAR* _t502;
				char _t508;
				char _t514;
				int* _t516;
				signed int _t529;
				char _t531;
				CHAR* _t534;
				char _t546;
				intOrPtr* _t548;
				signed int _t557;
				char _t559;
				intOrPtr* _t576;
				intOrPtr* _t578;
				intOrPtr _t579;
				intOrPtr* _t582;
				intOrPtr _t589;
				signed int _t595;
				char _t597;
				intOrPtr _t607;
				void* _t619;
				char _t620;
				void* _t621;
				intOrPtr* _t622;
				short _t634;
				void* _t635;
				intOrPtr* _t636;
				intOrPtr* _t650;
				signed int _t651;
				signed int _t652;
				intOrPtr* _t661;
				signed int _t662;
				signed int _t663;
				int* _t670;
				intOrPtr* _t673;
				signed int _t674;
				signed int _t675;
				intOrPtr* _t684;
				signed int _t685;
				signed int _t686;
				intOrPtr* _t695;
				signed int _t696;
				signed int _t697;
				intOrPtr _t702;
				intOrPtr* _t704;
				signed int _t705;
				signed int _t706;
				intOrPtr _t715;
				void* _t720;
				void* _t722;
				void* _t724;
				void* _t726;
				CHAR* _t730;
				int _t731;
				void* _t732;
				void* _t733;
				CHAR* _t734;
				void* _t735;
				CHAR* _t736;
				void* _t737;
				CHAR* _t738;
				void* _t739;
				CHAR* _t740;
				intOrPtr* _t741;
				intOrPtr* _t742;
				unsigned int _t744;
				signed int _t747;
				void* _t748;
				void* _t749;
				intOrPtr* _t750;
				void* _t751;
				unsigned int _t752;
				signed int _t755;
				intOrPtr* _t758;
				unsigned int _t759;
				signed int _t762;
				intOrPtr* _t765;
				unsigned int _t766;
				signed int _t769;
				intOrPtr* _t772;
				unsigned int _t773;
				signed int _t776;
				intOrPtr* _t779;
				intOrPtr* _t780;
				intOrPtr* _t783;
				char _t784;
				intOrPtr* _t787;
				CHAR* _t789;
				void* _t790;
				intOrPtr* _t793;
				signed int _t794;
				void* _t795;
				void* _t796;
				void* _t797;
				void* _t798;
				void* _t799;
				void* _t800;
				void* _t801;
				void* _t802;
				void* _t803;
				void* _t804;
				void* _t805;
				void* _t806;
				void* _t807;
				void* _t808;
				void* _t809;

				_push(0xffffffff);
				_push(0x4abbb3);
				_push( *[fs:0x0]);
				_t796 = _t795 - 0x57c;
				_t405 =  *0x4d7e88; // 0x9518852c
				_t406 = _t405 ^ _t794;
				_v20 = _t406;
				_push(_t406);
				 *[fs:0x0] =  &_v16;
				_t634 = __ecx;
				_v1368 = __ecx;
				_t408 = _a4;
				_t718 =  !=  ? _t408 : 0x4c2d7c;
				_v1404 = _a8;
				_v1268 = 0x4c2f50;
				_v1228 = 0x4c3454;
				_v1384 =  !=  ? _t408 : 0x4c2d7c;
				E00403FB0(0x4c2d7c,  &_v1369, 0);
				_v8 = 0;
				_t730 = E00490850(__ecx + 8,  !=  ? _t408 : 0x4c2d7c);
				_t412 = _v1240;
				_t744 = 2 + _v1248 * 2;
				_t642 = _v1236;
				if(_t744 >= _v1236 || _t412 == 0) {
					L0045A7D5(_t412);
					_t747 = (_t744 >> 6) + 1 << 6;
					_push(_t747);
					_v1236 = _t747;
					_t412 = E00459ADF(_t634, _t718, _t730, _t747);
					_t642 = _v1236;
					_t796 = _t796 + 8;
					_v1240 = _t412;
				}
				E0048DE60( &_v1268, _t412, _t642, 3);
				_t731 = GetPrivateProfileIntA(_v1240, "IMAGES", 0, _t730);
				_v1400 = _t731;
				_v8 = 0xffffffff;
				E00401AC0( &_v1268);
				_v220 = 0;
				E0045A4D0( &_v219, 0, 0x63);
				_v120 = 0;
				E0045A4D0( &_v119, 0, 0x63);
				_v1220 = 0;
				E0045A4D0( &_v1219, 0, 0x3e7);
				_t748 = 1;
				_t797 = _t796 + 0x24;
				_v1380 = 1;
				_t814 = _t731 - 1;
				if(_t731 >= 1) {
					_t733 = GetLastError;
					_v1388 = _t634 + 0x40;
					do {
						_push(0x48);
						_t636 = E0045C169(_t634, _t718, _t733, _t814);
						_t798 = _t797 + 4;
						if(_t636 == 0) {
							_t634 = 0;
							__eflags = 0;
						} else {
							 *_t636 = 0x4ae964;
							 *((intOrPtr*)(_t636 + 0x28)) = 0x4ae96c;
							 *((intOrPtr*)(_t636 + 0x2c)) = GetLastError();
							 *((intOrPtr*)(_t636 + 0x18)) = 7;
							 *(_t636 + 0x14) = 0;
							 *((short*)(_t636 + 4)) = 0;
							 *((intOrPtr*)(_t636 + 0x1c)) = 0;
							 *((intOrPtr*)(_t636 + 0x20)) = 0;
							 *((intOrPtr*)(_t636 + 0x24)) = 0;
							SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t636 + 0x28)) + 4)) + _t636 + 0x28));
							_t748 = _v1380;
						}
						lstrcpyA( &_v220, "IMAGE");
						_t429 = E0049C6BE(_t748,  &_v1220, 0xa);
						_t799 = _t798 + 0xc;
						lstrcatA( &_v220, _t429);
						_t750 = E00490770(_t634,  &_v1420, 0x104);
						_v1376 = _t750;
						_v8 = 1;
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_t720 =  !=  ? _v1384 : 0x4c2d7c;
						_v8 = 2;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *0x4c2d7c != 0) {
							_t650 = 0x4c2d7c;
							_t63 = _t650 + 2; // 0x4c2d7e
							_t751 = _t63;
							do {
								_t437 =  *_t650;
								_t650 = _t650 + 2;
								__eflags = _t437;
							} while (_t437 != 0);
							_t651 = _t650 - _t751;
							__eflags = _t651;
							_t750 = _v1376;
							_t652 = _t651 >> 1;
						} else {
							_t652 = 0;
						}
						_push(_t652);
						_push(_t720);
						E00406EB0(_t634,  &_v1264, _t733, _t750);
						_t439 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t70 = _t439 + 4; // 0x4
						SetLastError( *(_t794 +  *_t70 - 0x4c8));
						_v8 = 3;
						_v1376 = E00490850(_v1368 + 8, _t720);
						_t734 = E00490850( *_t750, _t720);
						 *(_t750 + 8) = _t734;
						_t443 = _v1240;
						_t752 = 2 + _v1248 * 2;
						_t658 = _v1236;
						if(_t752 >= _v1236 || _t443 == 0) {
							L0045A7D5(_t443);
							_t755 = (_t752 >> 6) + 1 << 6;
							_push(_t755);
							_v1236 = _t755;
							_t443 = E00459ADF(_t634, _t720, _t734, _t755);
							_t658 = _v1236;
							_t799 = _t799 + 8;
							_v1240 = _t443;
						}
						E0048DE60( &_v1268, _t443, _t658, 3);
						GetPrivateProfileStringA(_v1240,  &_v220, 0x4c2bd0, _t734, 0x104, _v1376);
						_t448 = _v1228;
						_t735 = GetLastError;
						_t91 = _t448 + 4; // 0x4
						 *((intOrPtr*)( &_v1228 +  *_t91)) = GetLastError();
						L0045A7D5(_v1240);
						_t758 = __imp__#6;
						_t800 = _t799 + 4;
						 *_t758(_v1232);
						if(_v1244 >= 8) {
							 *_t758(_v1264);
						}
						_v1264 = 0;
						_t454 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t101 = _t454 + 4; // 0x2c
						SetLastError( *(_t794 +  *_t101 - 0x4f0));
						_v8 = 0xffffffff;
						E00487390( &_v1420);
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "POS");
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_t722 =  !=  ? _v1384 : 0x4c2d7c;
						_v8 = 4;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *0x4c2d7c != 0) {
							_t661 = 0x4c2d7c;
							_t117 = _t661 + 2; // 0x4c2d7e
							_t758 = _t117;
							do {
								_t465 =  *_t661;
								_t661 = _t661 + 2;
								__eflags = _t465;
							} while (_t465 != 0);
							_t662 = _t661 - _t758;
							__eflags = _t662;
							_t663 = _t662 >> 1;
						} else {
							_t663 = 0;
						}
						_push(_t663);
						_push(_t722);
						E00406EB0(_t634,  &_v1264, _t735, _t758);
						_t467 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t123 = _t467 + 4; // 0x4
						SetLastError( *(_t794 +  *_t123 - 0x4c8));
						_v8 = 5;
						_t736 = E00490850(_v1368 + 8, _t722);
						_t470 = _v1240;
						_t759 = 2 + _v1248 * 2;
						_t668 = _v1236;
						if(_t759 >= _v1236 || _t470 == 0) {
							L0045A7D5(_t470);
							_t762 = (_t759 >> 6) + 1 << 6;
							_push(_t762);
							_v1236 = _t762;
							_t470 = E00459ADF(_t634, _t722, _t736, _t762);
							_t668 = _v1236;
							_t800 = _t800 + 8;
							_v1240 = _t470;
						}
						E0048DE60( &_v1268, _t470, _t668, 3);
						GetPrivateProfileStringA(_v1240,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t736);
						_t476 = _v1228;
						_t737 = GetLastError;
						_t142 = _t476 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t142)) = GetLastError();
						L0045A7D5(_v1240);
						_t765 = __imp__#6;
						_t801 = _t800 + 4;
						 *_t765(_v1232);
						_t827 = _v1244 - 8;
						if(_v1244 >= 8) {
							 *_t765(_v1264);
						}
						_v1264 = 0;
						_t482 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t153 = _t482 + 4; // 0x2c
						SetLastError( *(_t794 +  *_t153 - 0x4f0));
						_t156 = _t634 + 0x38; // 0x38
						_t670 = _t156;
						_push(_t670);
						_t157 = _t634 + 0x34; // 0x34
						_t484 = _t157;
						_push(_t484);
						_t802 = _t801 - 0x30;
						 *_t670 = 0;
						 *_t484 = 0;
						E00485E90(_t802,  &_v1220,  &_v1369, 1);
						E00490020(_t722, _t827);
						 *(_t634 + 0x40) = 0;
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "OPT");
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_t724 =  !=  ? _v1384 : 0x4c2d7c;
						_v8 = 6;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *0x4c2d7c != 0) {
							_t673 = 0x4c2d7c;
							_t173 = _t673 + 2; // 0x4c2d7e
							_t765 = _t173;
							do {
								_t497 =  *_t673;
								_t673 = _t673 + 2;
								__eflags = _t497;
							} while (_t497 != 0);
							_t674 = _t673 - _t765;
							__eflags = _t674;
							_t675 = _t674 >> 1;
						} else {
							_t675 = 0;
						}
						_push(_t675);
						_push(_t724);
						E00406EB0(_t634,  &_v1264, _t737, _t765);
						_t499 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t179 = _t499 + 4; // 0x4
						SetLastError( *(_t794 +  *_t179 - 0x4c8));
						_v8 = 7;
						_t738 = E00490850(_v1368 + 8, _t724);
						_t502 = _v1240;
						_t766 = 2 + _v1248 * 2;
						_t680 = _v1236;
						if(_t766 >= _v1236 || _t502 == 0) {
							L0045A7D5(_t502);
							_t769 = (_t766 >> 6) + 1 << 6;
							_push(_t769);
							_v1236 = _t769;
							_t502 = E00459ADF(_t634, _t724, _t738, _t769);
							_t680 = _v1236;
							_t802 = _t802 + 8;
							_v1240 = _t502;
						}
						E0048DE60( &_v1268, _t502, _t680, 3);
						GetPrivateProfileStringA(_v1240,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t738);
						_t508 = _v1228;
						_t739 = GetLastError;
						_t198 = _t508 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t198)) = GetLastError();
						L0045A7D5(_v1240);
						_t772 = __imp__#6;
						_t803 = _t802 + 4;
						 *_t772(_v1232);
						_t833 = _v1244 - 8;
						if(_v1244 >= 8) {
							 *_t772(_v1264);
						}
						_v1264 = 0;
						_t514 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t209 = _t514 + 4; // 0x2c
						SetLastError( *(_t794 +  *_t209 - 0x4f0));
						_t212 = _t634 + 0x40; // 0x40
						_t516 = _t212;
						_push(_t516);
						_t804 = _t803 - 0x30;
						 *_t516 = 0;
						E00485E90(_t804,  &_v1220,  &_v1391, 1);
						E0048FE10(_t724, _t833);
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "TRNSPRNTCLR");
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_t726 =  !=  ? _v1384 : 0x4c2d7c;
						_v8 = 8;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *0x4c2d7c != 0) {
							_t684 = 0x4c2d7c;
							_t227 = _t684 + 2; // 0x4c2d7e
							_t772 = _t227;
							do {
								_t529 =  *_t684;
								_t684 = _t684 + 2;
								__eflags = _t529;
							} while (_t529 != 0);
							_t685 = _t684 - _t772;
							__eflags = _t685;
							_t686 = _t685 >> 1;
						} else {
							_t686 = 0;
						}
						_push(_t686);
						_push(_t726);
						E00406EB0(_t634,  &_v1264, _t739, _t772);
						_t531 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t233 = _t531 + 4; // 0x4
						SetLastError( *(_t794 +  *_t233 - 0x4c8));
						_v8 = 9;
						_t740 = E00490850(_v1368 + 8, _t726);
						_t534 = _v1240;
						_t773 = 2 + _v1248 * 2;
						_t691 = _v1236;
						if(_t773 >= _v1236 || _t534 == 0) {
							L0045A7D5(_t534);
							_t776 = (_t773 >> 6) + 1 << 6;
							_push(_t776);
							_v1236 = _t776;
							_t534 = E00459ADF(_t634, _t726, _t740, _t776);
							_t691 = _v1236;
							_t804 = _t804 + 8;
							_v1240 = _t534;
						}
						E0048DE60( &_v1268, _t534, _t691, 3);
						GetPrivateProfileStringA(_v1240,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t740);
						_t253 = _v1228 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t253)) = GetLastError();
						L0045A7D5(_v1240);
						_t779 = __imp__#6;
						_t805 = _t804 + 4;
						 *_t779(_v1232);
						if(_v1244 >= 8) {
							 *_t779(_v1264);
						}
						_v1264 = 0;
						_t546 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t263 = _t546 + 4; // 0x2c
						SetLastError( *(_t794 +  *_t263 - 0x4f0));
						_t266 = _t634 + 0x3c; // 0x3c
						_t548 = _t266;
						_push(_t548);
						_t806 = _t805 - 0x30;
						 *_t548 = 0x808080;
						E00485E90(_t806,  &_v1220,  &_v1389, 1);
						E0048FCA0(_t726);
						wsprintfA( &_v1220, "%x",  *(_t634 + 0x40));
						_t272 = _t634 + 4; // 0x4
						_t741 = _t272;
						_t807 = _t806 + 0xc;
						if( *((intOrPtr*)(_t741 + 0x14)) < 8) {
							_t780 = _t741;
						} else {
							_t780 =  *_t741;
						}
						_v1316 = 0x4c2f78;
						_v1276 = 0x4c2fa8;
						_v1272 = GetLastError();
						_t718 =  !=  ? _t780 : 0x4c2d7c;
						_v1292 = 7;
						_v1296 = 0;
						_v1312 = 0;
						_v8 = 0xa;
						if( *0x4c2d7c != 0) {
							_t695 = 0x4c2d7c;
							_t281 = _t695 + 2; // 0x4c2d7e
							_t780 = _t281;
							do {
								_t557 =  *_t695;
								_t695 = _t695 + 2;
								__eflags = _t557;
							} while (_t557 != 0);
							_t696 = _t695 - _t780;
							__eflags = _t696;
							_t697 = _t696 >> 1;
						} else {
							_t697 = 0;
						}
						E00406EB0(_t634,  &_v1312, _t741, _t780);
						_t559 = _v1276;
						_v1288 = 0;
						_v1284 = 0;
						_v1280 = 0;
						_t287 = _t559 + 4; // 0x4
						SetLastError( *(_t794 +  *_t287 - 0x4f8));
						_v8 = 0xb;
						E00485E90( &_v1364,  &_v1220,  &_v1390, 1);
						_v8 = 0xc;
						E00407F60(_t634,  &_v1312, _t741, _t780,  &_v1360, 0, 0xffffffff);
						_v8 = 0xb;
						 *((intOrPtr*)( &_v1324 +  *((intOrPtr*)(_v1324 + 4)))) = GetLastError();
						L0045A7D5(_v1336);
						_t783 = __imp__#6;
						_t808 = _t807 + 4;
						 *_t783(_v1328, _t718, _t697);
						if(_v1340 >= 8) {
							 *_t783(_v1360);
						}
						_v1360 = 0;
						_v1340 = 7;
						_v1344 = 0;
						SetLastError( *(_t794 +  *((intOrPtr*)(_v1364 + 4)) - 0x550));
						_t784 = E0048C430(_v1388,  &_v1316);
						_t576 = _v1388;
						if(_t784 ==  *_t576) {
							L67:
							_v1408 =  *_t576;
							_t578 =  &_v1408;
						} else {
							_t315 = _t784 + 0x10; // 0x10
							_t621 = _t315;
							if(_t621 == 0) {
								_t622 = 0;
								__eflags = 0;
							} else {
								_t622 = _t621 + 4;
							}
							_t715 =  *((intOrPtr*)(_t622 + 0x10));
							if( *((intOrPtr*)(_t622 + 0x14)) >= 8) {
								_t622 =  *_t622;
							}
							_push(_t715);
							if(E004086E0(_t634,  &_v1312, _t741, _t784, 0, _v1296, _t622) < 0) {
								_t576 = _v1388;
								goto L67;
							} else {
								_v1396 = _t784;
								_t578 =  &_v1396;
							}
						}
						_t702 = _v1368;
						_t579 =  *_t578;
						_t848 = _t579 -  *((intOrPtr*)(_t702 + 0x40));
						if(_t579 !=  *((intOrPtr*)(_t702 + 0x40))) {
							 *(_t634 + 0x44) =  *(_t579 + 0x40);
						} else {
							_push(0xc);
							_t789 = E0045C169(_t634, _t718, _t741, _t848);
							_t809 = _t808 + 4;
							_v1376 = _t789;
							_v8 = 0xd;
							_t849 = _t789;
							if(_t789 == 0) {
								_t789 = 0;
								__eflags = 0;
							} else {
								_push(0x30);
								 *_t789 = E0045C169(_t634, _t718, _t741, _t849);
								E0045A4D0(_t615, 0, 0x30);
								_push(0x4c);
								_t789[4] = E0045C169(_t634, _t718, _t741, _t849);
								E0045A4D0(_t617, 0, 0x4c);
								_push(0x18);
								_t619 = E0045C169(_t634, _t718, _t741, _t849);
								_t809 = _t809 + 0x24;
								if(_t619 == 0) {
									_t620 = 0;
									__eflags = 0;
								} else {
									_t620 = E00486860(_t619);
								}
								_t789[8] = _t620;
								 *_t620 = 0;
								 *((intOrPtr*)(_t620 + 4)) = 0;
								 *((intOrPtr*)(_t620 + 8)) = 0;
								 *((intOrPtr*)(_t620 + 0xc)) = 0;
								 *((intOrPtr*)(_t620 + 0x10)) = 0;
								 *((intOrPtr*)(_t620 + 0x14)) = 0;
							}
							 *(_t634 + 0x44) = _t789;
							if( *((intOrPtr*)(_t741 + 0x14)) >= 8) {
								_t741 =  *_t741;
							}
							_v1268 = 0x4c346c;
							_v1228 = 0x4c2f90;
							_v1224 = GetLastError();
							_t718 =  !=  ? _t741 : 0x4c2d7c;
							_v1244 = 7;
							_v1248 = 0;
							_v1264 = 0;
							_v8 = 0xe;
							if( *0x4c2d7c != 0) {
								_t704 = 0x4c2d7c;
								_t345 = _t704 + 2; // 0x4c2d7e
								_t790 = _t345;
								do {
									_t595 =  *_t704;
									_t704 = _t704 + 2;
									__eflags = _t595;
								} while (_t595 != 0);
								_t705 = _t704 - _t790;
								__eflags = _t705;
								_t706 = _t705 >> 1;
							} else {
								_t706 = 0;
							}
							E004075B0( &_v1264, _t741, _t718, _t706);
							_t597 = _v1228;
							_v1240 = 0;
							_v1236 = 0;
							_v1232 = 0;
							_t351 = _t597 + 4; // 0x4
							SetLastError( *(_t794 +  *_t351 - 0x4c8));
							_v8 = 0xf;
							_t742 =  *((intOrPtr*)(E00487E20(_v1368 + 0x38,  &_v1268)));
							_t360 = _v1228 + 4; // 0x4
							_v8 = 0xb;
							 *((intOrPtr*)( &_v1228 +  *_t360)) = GetLastError();
							L0045A7D5(_v1240);
							_t793 = __imp__#6;
							_t808 = _t809 + 4;
							 *_t793(_v1232);
							_t854 = _v1244 - 8;
							if(_v1244 >= 8) {
								 *_t793(_v1264);
							}
							_v1264 = 0;
							_t607 = _v1268;
							_v1244 = 7;
							_v1248 = 0;
							_t370 = _t607 + 4; // 0x2c
							SetLastError( *(_t794 +  *_t370 - 0x4f0));
							_t375 = _t634 + 0x40; // 0x40
							_t376 = _t634 + 0x3c; // 0x3c
							E00490930( *(_t634 + 0x44), _t718, _t854, _t376, _t375, _t634,  *_t742,  *((intOrPtr*)(_t742 + 4)));
							 *(E00487C60(_v1388,  &_v1316)) =  *(_t634 + 0x44);
						}
						_t582 = E00487B40(_v1404,  &_v1380);
						_t733 = GetLastError;
						 *_t582 = _t634;
						_t386 = _v1276 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1276 +  *_t386)) = GetLastError();
						L0045A7D5(_v1288);
						_t787 = __imp__#6;
						_t797 = _t808 + 4;
						 *_t787(_v1280);
						if(_v1292 >= 8) {
							 *_t787(_v1312);
						}
						_v1312 = 0;
						_t589 = _v1316;
						_v1292 = 7;
						_v1296 = 0;
						_t396 = _t589 + 4; // 0x2c
						SetLastError( *(_t794 +  *_t396 - 0x520));
						_t748 = _v1380 + 1;
						_v1380 = _t748;
					} while (_t748 <= _v1400);
				}
				 *[fs:0x0] = _v16;
				_pop(_t732);
				_pop(_t749);
				_pop(_t635);
				return E0045A457(_t635, _v20 ^ _t794, _t718, _t732, _t749);
			}

0x00493633
0x00493635
0x00493640
0x00493641
0x00493647
0x0049364c
0x0049364e
0x00493654
0x00493658
0x0049365e
0x00493660
0x00493666
0x00493673
0x0049367f
0x0049368c
0x00493696
0x004936a0
0x004936a6
0x004936ae
0x004936c0
0x004936c2
0x004936c8
0x004936cf
0x004936d7
0x004936de
0x004936e7
0x004936ea
0x004936eb
0x004936f1
0x004936f6
0x004936fc
0x004936ff
0x004936ff
0x0049370f
0x00493728
0x00493730
0x00493736
0x0049373d
0x0049374d
0x00493754
0x00493761
0x00493765
0x00493778
0x0049377f
0x00493784
0x00493789
0x0049378c
0x00493792
0x00493794
0x0049379a
0x004937a3
0x004937b0
0x004937b0
0x004937b7
0x004937b9
0x004937be
0x00493807
0x00493807
0x004937c0
0x004937c0
0x004937c6
0x004937cf
0x004937d2
0x004937d9
0x004937e2
0x004937e6
0x004937e9
0x004937ec
0x004937f9
0x004937ff
0x004937ff
0x00493815
0x00493825
0x0049382a
0x00493835
0x0049384e
0x00493850
0x00493856
0x0049385d
0x00493867
0x00493873
0x00493886
0x0049388b
0x0049388f
0x00493899
0x004938a3
0x004938ad
0x004938b3
0x004938b5
0x004938b5
0x004938c0
0x004938c0
0x004938c3
0x004938c6
0x004938c6
0x004938cb
0x004938cb
0x004938cd
0x004938d3
0x004938af
0x004938af
0x004938af
0x004938d5
0x004938d6
0x004938dd
0x004938e2
0x004938e8
0x004938f2
0x004938fc
0x00493906
0x00493910
0x0049391c
0x0049392a
0x00493935
0x00493937
0x00493940
0x00493946
0x0049394d
0x00493955
0x0049395c
0x00493965
0x00493968
0x00493969
0x0049396f
0x00493974
0x0049397a
0x0049397d
0x0049397d
0x0049398d
0x004939b0
0x004939b6
0x004939bc
0x004939c2
0x004939cf
0x004939d7
0x004939dc
0x004939e2
0x004939eb
0x004939f4
0x004939fc
0x004939fc
0x00493a00
0x00493a07
0x00493a0d
0x00493a17
0x00493a21
0x00493a2b
0x00493a37
0x00493a3e
0x00493a4e
0x00493a5d
0x00493a63
0x00493a6d
0x00493a79
0x00493a8c
0x00493a91
0x00493a98
0x00493aa2
0x00493aac
0x00493ab6
0x00493abc
0x00493abe
0x00493abe
0x00493ac1
0x00493ac1
0x00493ac4
0x00493ac7
0x00493ac7
0x00493acc
0x00493acc
0x00493ace
0x00493ab8
0x00493ab8
0x00493ab8
0x00493ad0
0x00493ad1
0x00493ad8
0x00493add
0x00493ae3
0x00493aed
0x00493af7
0x00493b01
0x00493b0b
0x00493b17
0x00493b2c
0x00493b2e
0x00493b34
0x00493b3b
0x00493b43
0x00493b4a
0x00493b53
0x00493b56
0x00493b57
0x00493b5d
0x00493b62
0x00493b68
0x00493b6b
0x00493b6b
0x00493b7b
0x00493b9c
0x00493ba2
0x00493ba8
0x00493bae
0x00493bb7
0x00493bc2
0x00493bca
0x00493bcf
0x00493bd5
0x00493bde
0x00493be0
0x00493be7
0x00493bef
0x00493bef
0x00493bf3
0x00493bfa
0x00493c00
0x00493c0a
0x00493c14
0x00493c1e
0x00493c24
0x00493c24
0x00493c27
0x00493c28
0x00493c28
0x00493c2b
0x00493c2c
0x00493c2f
0x00493c37
0x00493c4d
0x00493c58
0x00493c68
0x00493c6f
0x00493c7e
0x00493c84
0x00493c8e
0x00493c9a
0x00493cad
0x00493cb2
0x00493cb9
0x00493cc3
0x00493ccd
0x00493cd7
0x00493cdd
0x00493cdf
0x00493cdf
0x00493ce2
0x00493ce2
0x00493ce5
0x00493ce8
0x00493ce8
0x00493ced
0x00493ced
0x00493cef
0x00493cd9
0x00493cd9
0x00493cd9
0x00493cf1
0x00493cf2
0x00493cf9
0x00493cfe
0x00493d04
0x00493d0e
0x00493d18
0x00493d22
0x00493d2c
0x00493d38
0x00493d4d
0x00493d4f
0x00493d55
0x00493d5c
0x00493d64
0x00493d6b
0x00493d74
0x00493d77
0x00493d78
0x00493d7e
0x00493d83
0x00493d89
0x00493d8c
0x00493d8c
0x00493d9c
0x00493dbd
0x00493dc3
0x00493dc9
0x00493dcf
0x00493dd8
0x00493de3
0x00493deb
0x00493df0
0x00493df6
0x00493dff
0x00493e01
0x00493e08
0x00493e10
0x00493e10
0x00493e14
0x00493e1b
0x00493e21
0x00493e2b
0x00493e35
0x00493e3f
0x00493e45
0x00493e45
0x00493e48
0x00493e49
0x00493e4e
0x00493e64
0x00493e6f
0x00493e7f
0x00493e8e
0x00493e94
0x00493e9e
0x00493eaa
0x00493ebd
0x00493ec2
0x00493ec9
0x00493ed3
0x00493edd
0x00493ee7
0x00493eed
0x00493eef
0x00493eef
0x00493ef2
0x00493ef2
0x00493ef5
0x00493ef8
0x00493ef8
0x00493efd
0x00493efd
0x00493eff
0x00493ee9
0x00493ee9
0x00493ee9
0x00493f01
0x00493f02
0x00493f09
0x00493f0e
0x00493f14
0x00493f1e
0x00493f28
0x00493f32
0x00493f3c
0x00493f48
0x00493f5d
0x00493f5f
0x00493f65
0x00493f6c
0x00493f74
0x00493f7b
0x00493f84
0x00493f87
0x00493f88
0x00493f8e
0x00493f93
0x00493f99
0x00493f9c
0x00493f9c
0x00493fac
0x00493fcd
0x00493fdf
0x00493fe2
0x00493ff1
0x00493ff9
0x00493ffe
0x00494004
0x0049400d
0x00494016
0x0049401e
0x0049401e
0x00494022
0x00494029
0x0049402f
0x00494039
0x00494043
0x0049404d
0x00494053
0x00494053
0x00494056
0x00494057
0x0049405c
0x00494072
0x0049407d
0x00494091
0x00494097
0x00494097
0x0049409a
0x004940a1
0x004940a7
0x004940a3
0x004940a3
0x004940a3
0x004940a9
0x004940b3
0x004940c3
0x004940d0
0x004940d5
0x004940df
0x004940e9
0x004940f0
0x004940fa
0x00494100
0x00494102
0x00494102
0x00494105
0x00494105
0x00494108
0x0049410b
0x0049410b
0x00494110
0x00494110
0x00494112
0x004940fc
0x004940fc
0x004940fc
0x0049411c
0x00494121
0x00494127
0x00494131
0x0049413b
0x00494145
0x0049414f
0x0049416b
0x00494172
0x00494188
0x0049418c
0x004941a0
0x004941ac
0x004941b4
0x004941b9
0x004941bf
0x004941c8
0x004941d1
0x004941d9
0x004941d9
0x004941dd
0x004941ea
0x004941f4
0x00494208
0x00494220
0x00494222
0x0049422a
0x00494272
0x00494274
0x0049427a
0x0049422c
0x0049422c
0x0049422c
0x00494231
0x00494238
0x00494238
0x00494233
0x00494233
0x00494233
0x0049423e
0x00494241
0x00494243
0x00494243
0x00494245
0x0049425c
0x0049426c
0x00000000
0x0049425e
0x0049425e
0x00494264
0x00494264
0x0049425c
0x00494280
0x00494286
0x00494288
0x0049428b
0x0049448a
0x00494291
0x00494291
0x00494298
0x0049429a
0x0049429d
0x004942a3
0x004942a7
0x004942a9
0x00494303
0x00494303
0x004942ab
0x004942ab
0x004942b7
0x004942b9
0x004942be
0x004942ca
0x004942cd
0x004942d2
0x004942d4
0x004942d9
0x004942de
0x004942e9
0x004942e9
0x004942e0
0x004942e2
0x004942e2
0x004942ed
0x004942f0
0x004942f2
0x004942f5
0x004942f8
0x004942fb
0x004942fe
0x004942fe
0x00494305
0x0049430c
0x0049430e
0x0049430e
0x00494310
0x0049431a
0x0049432a
0x00494337
0x0049433c
0x00494346
0x00494350
0x00494357
0x0049435e
0x00494364
0x00494366
0x00494366
0x00494370
0x00494370
0x00494373
0x00494376
0x00494376
0x0049437b
0x0049437b
0x0049437d
0x00494360
0x00494360
0x00494360
0x00494387
0x0049438c
0x00494392
0x0049439c
0x004943a6
0x004943b0
0x004943ba
0x004943d0
0x004943d9
0x004943e7
0x004943ea
0x004943f6
0x004943fe
0x00494403
0x00494409
0x00494412
0x00494414
0x0049441b
0x00494423
0x00494423
0x00494427
0x0049442e
0x00494434
0x0049443e
0x00494448
0x00494452
0x00494460
0x00494465
0x00494469
0x00494483
0x00494483
0x0049449a
0x0049449f
0x004944a5
0x004944b3
0x004944b6
0x004944c1
0x004944c9
0x004944ce
0x004944d4
0x004944dd
0x004944e6
0x004944ee
0x004944ee
0x004944f2
0x004944f9
0x004944ff
0x00494509
0x00494513
0x0049451d
0x00494529
0x0049452a
0x00494530
0x004937b0
0x0049453f
0x00494547
0x00494548
0x00494549
0x00494557

APIs

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE

GetPrivateProfileIntA.KERNEL32 ref: 00493722
_memset.LIBCMT ref: 00493754
_memset.LIBCMT ref: 00493765
_memset.LIBCMT ref: 0049377F
GetLastError.KERNEL32 ref: 004937CD
SetLastError.KERNEL32(?), ref: 004937F9
lstrcpyA.KERNEL32(00000000,IMAGE), ref: 00493815
__itow.LIBCMT ref: 00493825
lstrcatA.KERNEL32(00000000,00000000), ref: 00493835
GetLastError.KERNEL32(?,00000104), ref: 00493871
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 00493910
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000104,?), ref: 004939B0
GetLastError.KERNEL32 ref: 004939CD
SysFreeString.OLEAUT32(00000000), ref: 004939EB
SysFreeString.OLEAUT32(?), ref: 004939FC
SetLastError.KERNEL32(004C2F50), ref: 00493A2B
lstrcpyA.KERNEL32(00000000,00000000), ref: 00493A4E
lstrcatA.KERNEL32(00000000,POS), ref: 00493A5D
GetLastError.KERNEL32 ref: 00493A77
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 00493B0B
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00493B9C
GetLastError.KERNEL32 ref: 00493BC0
SysFreeString.OLEAUT32(00000000), ref: 00493BDE
SysFreeString.OLEAUT32(?), ref: 00493BEF
SetLastError.KERNEL32(004C2F50), ref: 00493C1E
lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00493C6F
lstrcatA.KERNEL32(00000000,OPT), ref: 00493C7E
GetLastError.KERNEL32 ref: 00493C98
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 00493D2C
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00493DBD
GetLastError.KERNEL32 ref: 00493DE1
SysFreeString.OLEAUT32(00000000), ref: 00493DFF
SysFreeString.OLEAUT32(?), ref: 00493E10
SetLastError.KERNEL32(004C2F50), ref: 00493E3F
lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 00493E7F
lstrcatA.KERNEL32(00000000,TRNSPRNTCLR), ref: 00493E8E
GetLastError.KERNEL32 ref: 00493EA8
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 00493F3C
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00493FCD
GetLastError.KERNEL32 ref: 00493FEB
SysFreeString.OLEAUT32(00000000), ref: 0049400D
SysFreeString.OLEAUT32(?), ref: 0049401E
SetLastError.KERNEL32(004C2F50), ref: 0049404D
wsprintfA.USER32 ref: 00494091
GetLastError.KERNEL32 ref: 004940BD
SetLastError.KERNEL32(004C2FA8,004C2D7C,004C2D7A), ref: 0049414F
GetLastError.KERNEL32(?,00000000,000000FF,00000000,?,00000001), ref: 004941A6
SysFreeString.OLEAUT32(?), ref: 004941C8
SysFreeString.OLEAUT32(?), ref: 004941D9
SetLastError.KERNEL32(?), ref: 00494208
_memset.LIBCMT ref: 004942B9
_memset.LIBCMT ref: 004942CD
GetLastError.KERNEL32(004C2F78), ref: 00494324
SetLastError.KERNEL32(004C2F90,004C2D7C,004C2D7A), ref: 004943BA
GetLastError.KERNEL32(004C346C), ref: 004943F0
SysFreeString.OLEAUT32(00000000), ref: 00494412
SysFreeString.OLEAUT32(?), ref: 00494423
SetLastError.KERNEL32(004C346C), ref: 00494452
GetLastError.KERNEL32(?,004C2F78), ref: 004944BF
SysFreeString.OLEAUT32(00000000), ref: 004944DD
SysFreeString.OLEAUT32(?), ref: 004944EE
SetLastError.KERNEL32(004C2F78), ref: 0049451D

Strings

lJ, xrefs: 004937C6
|-L, xrefs: 0049366E
OPT, xrefs: 00493C75
lJ, xrefs: 00493630
T4L, xrefs: 00493E9E
|-L, xrefs: 004940CB
IMAGES, xrefs: 00493717
|-L, xrefs: 00494332
IMAGE, xrefs: 00493809
TRNSPRNTCLR, xrefs: 00493E85
|-L, xrefs: 00493881
l4L, xrefs: 00494310
x/L, xrefs: 004940A9
|-L, xrefs: 00493CA8
|-L, xrefs: 00493A87
|-L, xrefs: 00493EB8
POS, xrefs: 00493A54

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$PrivateProfile_memset$lstrcatlstrcpy$ByteCharMultiWide$__itowwsprintf
String ID: IMAGE$IMAGES$OPT$POS$T4L$TRNSPRNTCLR$l4L$lJ$lJ$x/L$|-L$|-L$|-L$|-L$|-L$|-L$|-L
API String ID: 3785155570-3440035
Opcode ID: 3578e64925d2d76bb4eee3fa6dea25dbfcddcedffb800c89a117afe886f8d0e9
Instruction ID: 11c7ab37fef8d3dff5e0cda20183a2382f350a1949ed283372000eb80e5d894e
Opcode Fuzzy Hash: 3578e64925d2d76bb4eee3fa6dea25dbfcddcedffb800c89a117afe886f8d0e9
Instruction Fuzzy Hash: AB926EB1900229DFDF60DF54CC44B9ABBB8BF44309F1041EAE909A7291DB74AE85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0048A330, Relevance: 100.6, APIs: 39, Strings: 18, Instructions: 884
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0048A330(void* __ecx, void* __edx, CHAR** _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v123;
				char _v124;
				char _v223;
				char _v224;
				char _v323;
				char _v324;
				char _v583;
				char _v584;
				char _v1102;
				short _v1104;
				char _v4175;
				char _v4176;
				long _v4180;
				char _v4184;
				char _v4188;
				char _v4192;
				char _v4196;
				int _v4200;
				char _v4204;
				short _v4220;
				char _v4224;
				long _v4228;
				char _v4232;
				intOrPtr _v4236;
				intOrPtr _v4240;
				intOrPtr _v4244;
				int _v4248;
				char _v4252;
				char _v4268;
				char _v4272;
				char _v4320;
				intOrPtr _v4328;
				char _v4364;
				char _v4368;
				intOrPtr _v4376;
				char _v4416;
				char _v4460;
				char _v4464;
				char _v4512;
				char _v4556;
				char _v4560;
				char _v4624;
				char _v4636;
				char _v4637;
				char _v4638;
				char _v4639;
				struct HINSTANCE__* _v4644;
				char _v4645;
				char _v4646;
				char _v4647;
				char _v4648;
				char _v4649;
				intOrPtr _v4656;
				char _v4660;
				intOrPtr _v4664;
				CHAR* _v4668;
				char _v4672;
				CHAR** _v4676;
				char* _v4680;
				int _v4684;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t335;
				signed int _t336;
				void* _t360;
				int _t366;
				struct HINSTANCE__* _t367;
				long _t377;
				struct HINSTANCE__* _t405;
				_Unknown_base(*)()* _t409;
				signed char _t412;
				struct HINSTANCE__* _t420;
				struct HINSTANCE__* _t423;
				char* _t427;
				void* _t439;
				void* _t445;
				void* _t451;
				void* _t457;
				void* _t463;
				struct HINSTANCE__* _t477;
				struct HINSTANCE__* _t487;
				char* _t491;
				long _t500;
				void* _t503;
				void* _t509;
				void* _t515;
				intOrPtr* _t522;
				intOrPtr* _t528;
				void* _t533;
				void* _t544;
				void* _t547;
				int _t551;
				void* _t570;
				void* _t572;
				char _t583;
				char* _t589;
				WCHAR* _t595;
				void* _t596;
				intOrPtr _t597;
				intOrPtr _t598;
				CHAR* _t599;
				CHAR* _t600;
				intOrPtr _t601;
				intOrPtr _t603;
				intOrPtr* _t641;
				intOrPtr* _t645;
				intOrPtr* _t649;
				intOrPtr* _t669;
				intOrPtr* _t673;
				void* _t707;
				CHAR** _t709;
				void* _t710;
				intOrPtr _t712;
				void* _t713;
				CHAR* _t714;
				long* _t715;
				long* _t720;
				CHAR* _t721;
				CHAR* _t722;
				struct HINSTANCE__* _t723;
				signed int _t724;
				intOrPtr _t725;
				void* _t728;
				void* _t729;
				void* _t730;
				void* _t732;
				void* _t733;
				void* _t737;
				void* _t738;
				void* _t741;
				void* _t742;
				void* _t745;

				_t707 = __edx;
				_push(0xffffffff);
				_push(0x4ab557);
				_push( *[fs:0x0]);
				_push(__ecx);
				E0045BDF0(0x1238);
				_t335 =  *0x4d7e88; // 0x9518852c
				_t336 = _t335 ^ _t724;
				_v24 = _t336;
				_push(_t336);
				 *[fs:0x0] =  &_v16;
				_v20 = _t725;
				_t709 = _a4;
				_t595 = _a8;
				_t712 = _a12;
				_v4660 = 0;
				if(_t709 == 0) {
					L62:
					__eflags = 0;
					L63:
					 *[fs:0x0] = _v16;
					_pop(_t710);
					_pop(_t713);
					_pop(_t596);
					__eflags = _v24 ^ _t724;
					return E0045A457(_t596, _v24 ^ _t724, _t707, _t710, _t713);
				}
				if( *0x4daabc == 0) {
					L3:
					_v4272 = 0x4ae964;
					_v4232 = 0x4ae96c;
					_v4228 = GetLastError();
					_v4268 = 0;
					_v4244 = 0;
					_v4240 = 0;
					_v4236 = 0;
					_t16 =  &_v4232; // 0x4ae96c
					_v4248 = 7;
					_v4252 = 0;
					_t21 =  *((intOrPtr*)( *_t16 + 4)) - 0x1084; // 0x4ae96c
					SetLastError( *(_t724 + _t21));
					_push(0);
					_push( &_v4637);
					_push(_t712);
					_v8 = 0;
					_v4416 = 0x4ae964;
					_v4376 = 0x4ae96c;
					E00408F6D(_t595,  &_v4416, _t709, _t712, _t748);
					_v8 = 2;
					_v224 = 0;
					E0045A4D0( &_v223, 0, 0x63);
					lstrcpyA( &_v224, "NO DOUBT");
					_v1104 = 0;
					E0045A4D0( &_v1102, 0, 0x206);
					lstrcpyW( &_v1104, _t595);
					_v4684 = 1;
					_v4680 =  &M00488DE0;
					_v4676 = _t709;
					_v4672 = 0;
					_t360 = E0049C444( &_v4416, _t707, _t709, _t748,  &_v1104,  &_v224, lstrlenA( &_v224), 0,  &_v4684);
					_t728 = _t725 + 0x2c;
					if(_t360 == 0) {
						E00401B80( &_v4416);
						E00401B80( &_v4272);
						goto L62;
					} else {
						_t714 =  *_t709;
						_v584 = 0;
						E0045A4D0( &_v583, 0, 0x103);
						_t729 = _t728 + 0xc;
						_t597 = 0;
						while(1) {
							_t751 = _t597 - _t709[1];
							if(_t597 >= _t709[1]) {
								break;
							}
							lstrcpyA( &_v584, _t714);
							_t544 = lstrlenA( &_v584) + 1;
							_t721 =  &(_t714[_t544]);
							_push(_t721);
							_v4656 = _t597 + _t544;
							_t603 = E0045D629();
							_t547 = lstrlenA(_t721) + 1;
							_v4656 = _v4656 + _t547;
							_push(_t603);
							_t722 =  &(_t721[_t547]);
							_v4664 = E00459ADF(_t603, _t707, _t709, _t751);
							E0045A8B0(_t548, _t722, _t603);
							_v4656 = _v4656 + _t603;
							_t741 = _t729 + 0x14;
							_t714 =  &(_t722[_t603]);
							_v4668 = _t714;
							_t551 = lstrcmpiA( &_v584, "skin.ini");
							_t752 = _t551;
							if(_t551 != 0) {
								_push(8);
								_t723 = E0045C169(_t603, _t707, _t709, __eflags);
								_t742 = _t741 + 4;
								_v4644 = _t723;
								_v8 = 0xb;
								__eflags = _t723;
								if(__eflags == 0) {
									_t604 = _v4664;
									_t723 = 0;
									__eflags = 0;
								} else {
									_push(_t603);
									 *((intOrPtr*)(_t723 + 4)) = _t603;
									_t723->i = E00459ADF(_t603, _t707, _t709, __eflags);
									_t604 = _v4664;
									E0045A8B0(_t560, _v4664, _t603);
									_t742 = _t742 + 0x10;
								}
								_push(1);
								_push( &_v4638);
								_push( &_v584);
								_v8 = 2;
								E00415AF8(_t604,  &_v4368, _t709, _t723, __eflags);
								_v8 = 0xc;
								 *(E00487E20( &(_t709[0xe]),  &_v4368)) = _t723;
								_v8 = 2;
								E00401B80( &_v4368);
								_t714 = _v4668;
								L0045A7D5(_t604);
								_t597 = _v4656;
								_t729 = _t742 + 4;
							} else {
								_push(_t551);
								_push( &_v4637);
								_push( &_v584);
								_v4368 = 0x4ae964;
								_v4328 = 0x4ae96c;
								E00415AF8(_t603,  &_v4368, _t709, _t714, _t752);
								_push(0);
								_push( &_v4639);
								_push("\\");
								_v8 = 3;
								_v4224 = 0x4ae964;
								_v4184 = 0x4ae96c;
								E00415AF8(_t603,  &_v4224, _t709, _t714, _t752);
								_v8 = 4;
								_t570 = E004889A0(_t603,  &_v4320,  &_v4416,  &_v4224);
								_v8 = 5;
								_t572 = E004889A0(_t603,  &_v4512, _t570,  &_v4368);
								_t745 = _t741 + 0x18;
								_v8 = 6;
								E004946B0( &_v4272, _t707, _t572);
								E00401B80( &_v4512);
								E00401B80( &_v4320);
								E00401B80( &_v4224);
								_v8 = 2;
								E00401B80( &_v4368);
								E00416831(_t603,  &_v4636, _t709, _t714, _t752);
								_v4224 = 0x4affb8;
								_v4184 = 0x4affc0;
								_v4180 = GetLastError();
								_push(0xffffffff);
								_push(0);
								_v4220 = 0;
								_v8 = 8;
								_v4200 = 7;
								_v4204 = 0;
								E00407B10(_t603,  &_v4220, _t709,  &_v4268);
								_t583 = _v4184;
								_v4196 = 0;
								_v4192 = 0;
								_v4188 = 0;
								_t93 = _t583 + 4; // 0x4
								SetLastError( *(_t724 +  *_t93 - 0x1054));
								_v8 = 9;
								_push(0);
								_push(0);
								_push(2);
								_push(0x80);
								_push(1);
								_push(0x40000000);
								_push( &_v4224);
								E00424632(_t603,  &_v4636, _t709, _t714, _t752);
								_v8 = 7;
								E00401B80( &_v4224);
								_push(_t603);
								_t605 = _v4664;
								_push(_v4664);
								E0043AF40(_v4664,  &_v4636, _t709, _t714, _t752);
								_t704 =  &(_t709[3]);
								_t589 =  &_v4268;
								_t753 =  &(_t709[3]) - _t589;
								if( &(_t709[3]) != _t589) {
									_push(0xffffffff);
									_push(0);
									E00407B10(_t605, _t704, _t709, _t589);
								}
								_v4636 = 0x4b0964;
								_v8 = 0xa;
								E00423878(_t605,  &_v4636, _t709, _t714, _t753);
								_v8 = 2;
								E00401B80( &_v4624);
								L0045A7D5(_t605);
								_t597 = _v4656;
								_t729 = _t745 + 4;
							}
						}
						_t366 = GetPrivateProfileIntA("SKINS", "VERSION", 1, E00490850( &(_t709[2]), _t707));
						_push(0x1b8);
						_t709[0x12] = _t366;
						_t367 = E0045C169(_t597, _t707, _t709, __eflags);
						_t730 = _t729 + 4;
						_v4644 = _t367;
						_v8 = 0xd;
						__eflags = _t367;
						if(_t367 == 0) {
							_t598 = 0;
							__eflags = 0;
						} else {
							_t598 = E004863B0();
						}
						_push(3);
						_push(L"ALL");
						_t131 = _t598 + 0x15c; // 0x15c
						_v8 = 2;
						E00406EB0(_t598, _t131, _t709, _t714);
						_v324 = 0;
						E0045A4D0( &_v323, 0, 0x63);
						lstrcpyA( &_v324, "TEXTCOLOR");
						GetPrivateProfileStringA("ALL",  &_v324, 0x4c2bd0,  &_v224, 0x64, E00490850( &(_t709[2]), _t707));
						_t139 = _t598 + 0x1ac; // 0x1ac
						_t715 = _t139;
						_t377 = GetSysColor(8);
						_push(_t715);
						_t732 = _t730 + 0xc - 0x30;
						 *_t715 = _t377;
						E00485E90(_t732,  &_v224,  &_v4638, 1);
						E0048FCA0(_t707);
						_t142 = _t598 + 0x18c; // 0x18c
						E00492320(_t709, _t707, L"ALL", _t142);
						_t143 = _t598 + 0x194; // 0x194
						E00493630(_t709, L"ALL", _t143);
						_t144 = _t598 + 0x1a4; // 0x1a4
						_t716 = _t144;
						E00492B50(_t709, _t707, __eflags, L"ALL", _t144);
						E00490B40(_t709, _t707, L"ALL", _t144);
						 *(_t598 + 0x14c) = _t709;
						E00403FB0(L"ALL",  &_v4638, 1);
						_v8 = 0xe;
						 *((intOrPtr*)(E00487D40( &(_t709[0x13]),  &_v4368))) = _t598;
						_v8 = 2;
						E00401AC0( &_v4368);
						_v4176 = 0;
						E0045A4D0( &_v4175, 0, 0xbff);
						_v124 = 0;
						E0045A4D0( &_v123, 0, 0x63);
						_t733 = _t732 + 0x18;
						GetPrivateProfileSectionNamesA( &_v4176, 0xc00, E00490850( &(_t709[2]), _t707));
						_t599 =  &_v4176;
						while(1) {
							__eflags =  *_t599;
							if( *_t599 == 0) {
								break;
							}
							lstrcpyA( &_v124, _t599);
							_t599 =  &(_t599[lstrlenA(_t599) + 1]);
							_v4668 = _t599;
							E00485E90( &_v4224,  &_v124,  &_v4638, 1);
							_v8 = 0xf;
							_t477 = E004068B0( &_v4220, L"ALL-", 0, 4);
							__eflags = _t477 - 0xffffffff;
							if(_t477 == 0xffffffff) {
								L35:
								_v8 = 2;
								 *((intOrPtr*)( &_v4184 +  *((intOrPtr*)(_v4184 + 4)))) = GetLastError();
								L0045A7D5(_v4196);
								_t716 = __imp__#6;
								_t733 = _t733 + 4;
								 *_t716(_v4188);
								__eflags = _v4200 - 8;
								if(_v4200 >= 8) {
									 *_t716(_v4220);
								}
								_v4220 = 0;
								_v4200 = 7;
								_v4204 = 0;
								SetLastError( *(_t724 +  *((intOrPtr*)(_v4224 + 4)) - 0x107c));
								continue;
							}
							__eflags = _t477;
							if(__eflags != 0) {
								goto L35;
							}
							_push(0x1b8);
							_t487 = E0045C169(_t599, _t707, _t709, __eflags);
							_t738 = _t733 + 4;
							_v4644 = _t487;
							_v8 = 0x10;
							__eflags = _t487;
							if(_t487 == 0) {
								_t601 = 0;
								__eflags = 0;
							} else {
								_t601 = E004863B0();
							}
							_v8 = 0xf;
							E00485E90( &_v4464,  &_v124,  &_v4639, 1);
							_t173 = _t601 + 0x15c; // 0x15c
							_t661 = _t173;
							_t491 =  &_v4460;
							_v8 = 0x11;
							__eflags = _t173 - _t491;
							if(_t173 != _t491) {
								_push(0xffffffff);
								E00406630(_t601, _t661, _t709, _t491, 0);
							}
							_v8 = 0xf;
							E00401AC0( &_v4464);
							_v324 = 0;
							_v224 = 0;
							lstrcpyA( &_v324, "TEXTCOLOR");
							GetPrivateProfileStringA( &_v124,  &_v324, 0x4c2bd0,  &_v224, 0x64, E00490850( &(_t709[2]), _t707));
							_t185 = _t601 + 0x1ac; // 0x1ac
							_t720 = _t185;
							_t500 = GetSysColor(8);
							_push(_t720);
							 *_t720 = _t500;
							_t503 = E004043D0( &_v4320, _t707,  &_v224,  &_v4637, 1);
							_t733 = _t738 - 0x30;
							_v8 = 0x12;
							E004053A0(_t503, 1);
							E0048FCA0(_t707);
							_v8 = 0xf;
							E00401AC0( &_v4320);
							_t509 = E004043D0( &_v4320, _t707,  &_v124,  &_v4648, 1);
							__eflags =  *((intOrPtr*)(_t509 + 0x18)) - 8;
							_t196 = _t509 + 4; // 0x4
							_t669 = _t196;
							_v8 = 0x13;
							if( *((intOrPtr*)(_t509 + 0x18)) >= 8) {
								_t669 =  *_t669;
							}
							_t198 = _t601 + 0x18c; // 0x18c
							E00492320(_t709, _t707, _t669, _t198);
							_v8 = 0xf;
							E00401AC0( &_v4320);
							_t515 = E004043D0( &_v4320, _t707,  &_v124,  &_v4645, 1);
							__eflags =  *((intOrPtr*)(_t515 + 0x18)) - 8;
							_t205 = _t515 + 4; // 0x4
							_t673 = _t205;
							_v8 = 0x14;
							if( *((intOrPtr*)(_t515 + 0x18)) >= 8) {
								_t673 =  *_t673;
							}
							_t207 = _t601 + 0x194; // 0x194
							E00493630(_t709, _t673, _t207);
							_v8 = 0xf;
							E00401AC0( &_v4320);
							_t522 = E004043D0( &_v4320, _t707,  &_v124,  &_v4647, 1) + 4;
							_v8 = 0x15;
							__eflags =  *((intOrPtr*)(_t522 + 0x14)) - 8;
							if(__eflags >= 0) {
								_t522 =  *_t522;
							}
							_t215 = _t601 + 0x1a4; // 0x1a4
							_t716 = _t215;
							E00492B50(_t709, _t707, __eflags, _t522, _t215);
							_v8 = 0xf;
							E00401AC0( &_v4320);
							_t528 = E004043D0( &_v4320, _t707,  &_v124,  &_v4649, 1) + 4;
							_v8 = 0x16;
							__eflags =  *((intOrPtr*)(_t528 + 0x14)) - 8;
							if( *((intOrPtr*)(_t528 + 0x14)) >= 8) {
								_t528 =  *_t528;
							}
							E00490B40(_t709, _t707, _t528, _t716);
							_v8 = 0xf;
							E00401AC0( &_v4320);
							 *(_t601 + 0x14c) = _t709;
							_t533 = E004043D0( &_v4320, _t707,  &_v124,  &_v4646, 1);
							_v8 = 0x17;
							 *((intOrPtr*)(E00487D40( &(_t709[0x13]), _t533))) = _t601;
							E00401AC0( &_v4320);
							_v8 = 2;
							E00401AC0( &_v4224);
							_t599 = _v4668;
						}
						_t600 =  &_v4176;
						while(1) {
							__eflags =  *_t600;
							if( *_t600 == 0) {
								break;
							}
							lstrcpyA( &_v124, _t600);
							_t600 =  &(_t600[lstrlenA(_t600) + 1]);
							E00485E90( &_v4368,  &_v124,  &_v4646, 1);
							_v8 = 0x18;
							_t420 = E004068B0( &_v4364, L"ALL", 0, 3);
							__eflags = _t420 - 0xffffffff;
							if(_t420 == 0xffffffff) {
								L42:
								__eflags = lstrcmpA("SKINS",  &_v124);
								if(__eflags != 0) {
									_push(0x1b8);
									_t423 = E0045C169(_t600, _t707, _t709, __eflags);
									_t737 = _t733 + 4;
									_v4644 = _t423;
									_v8 = 0x19;
									__eflags = _t423;
									if(_t423 == 0) {
										_t716 = 0;
										__eflags = 0;
									} else {
										_t716 = E004863B0();
									}
									_v8 = 0x18;
									E00485E90( &_v4560,  &_v124,  &_v4649, 1);
									_t266 = _t716 + 0x15c; // 0x15c
									_t633 = _t266;
									_t427 =  &_v4556;
									_v8 = 0x1a;
									__eflags = _t266 - _t427;
									if(_t266 != _t427) {
										_push(0xffffffff);
										E00406630(_t600, _t633, _t709, _t427, 0);
									}
									_v8 = 0x18;
									E00401AC0( &_v4560);
									_v324 = 0;
									_v224 = 0;
									lstrcpyA( &_v324, "TEXTCOLOR");
									GetPrivateProfileStringA( &_v124,  &_v324, 0x4c2bd0,  &_v224, 0x64, E00490850( &(_t709[2]), _t707));
									_t278 = _t716 + 0x1ac; // 0x1ac
									_t439 = E004043D0( &_v4320, _t707,  &_v224,  &_v4647, 1);
									_t733 = _t737 - 0x30;
									_v8 = 0x1b;
									E004053A0(_t439, 1);
									E0048FCA0(_t707);
									_v8 = 0x18;
									E00401AC0( &_v4320);
									_t445 = E004043D0( &_v4320, _t707,  &_v124,  &_v4645, 1);
									__eflags =  *((intOrPtr*)(_t445 + 0x18)) - 8;
									_t289 = _t445 + 4; // 0x4
									_t641 = _t289;
									_v8 = 0x1c;
									if( *((intOrPtr*)(_t445 + 0x18)) >= 8) {
										_t641 =  *_t641;
									}
									_t291 = _t716 + 0x18c; // 0x18c
									E00492320(_t709, _t707, _t641, _t291);
									_v8 = 0x18;
									E00401AC0( &_v4320);
									_t451 = E004043D0( &_v4320, _t707,  &_v124,  &_v4648, 1);
									__eflags =  *((intOrPtr*)(_t451 + 0x18)) - 8;
									_t298 = _t451 + 4; // 0x4
									_t645 = _t298;
									_v8 = 0x1d;
									if( *((intOrPtr*)(_t451 + 0x18)) >= 8) {
										_t645 =  *_t645;
									}
									_t300 = _t716 + 0x194; // 0x194
									E00493630(_t709, _t645, _t300);
									_v8 = 0x18;
									E00401AC0( &_v4320);
									_t457 = E004043D0( &_v4320, _t707,  &_v124,  &_v4638, 1);
									__eflags =  *((intOrPtr*)(_t457 + 0x18)) - 8;
									_t307 = _t457 + 4; // 0x4
									_t649 = _t307;
									_v8 = 0x1e;
									if( *((intOrPtr*)(_t457 + 0x18)) >= 8) {
										_t649 =  *_t649;
									}
									_t309 = _t716 + 0x1a4; // 0x1a4
									E00490B40(_t709, _t707, _t649, _t309);
									_v8 = 0x18;
									E00401AC0( &_v4320);
									 *(_t716 + 0x14c) = _t709;
									_t463 = E004043D0( &_v4320, _t707,  &_v124,  &_v4639, 1);
									_v8 = 0x1f;
									 *((intOrPtr*)(E00487D40( &(_t709[0x13]), _t463))) = _t716;
									E00401AC0( &_v4320);
									_v8 = 2;
									E00401AC0( &_v4368);
									continue;
								}
								L43:
								_v8 = 2;
								E00401AC0( &_v4368);
								continue;
							}
							__eflags = _t420;
							if(_t420 == 0) {
								goto L43;
							}
							goto L42;
						}
						E00481460(_t709,  &(_t709[0xe]));
						E0043EBEE(_t733 + 4 - 0x30,  &_v4272, 1);
						E00451BC7(_t600, _t733 + 4 - 0x30, _t709, _t716, __eflags);
						_t405 = _t709[0x16];
						_v8 = 1;
						__eflags = _t405;
						if(_t405 != 0) {
							_t409 = GetProcAddress(_t405, "GetThemeAppProperties");
							__eflags = _t409;
							if(_t409 != 0) {
								_t412 =  *_t409() >> 0x00000001 & 0x00000001;
								__eflags = _t412;
								_t709[0x15] = _t412;
							}
						}
						 *0x4daabc = 1;
						E00401B80( &_v4416);
						E00401B80( &_v4272);
						L60:
						goto L63;
					}
				}
				_t748 = _a16;
				if(_a16 != 0) {
					goto L60;
				}
				goto L3;
			}

0x0048a330
0x0048a333
0x0048a335
0x0048a340
0x0048a341
0x0048a347
0x0048a34c
0x0048a351
0x0048a353
0x0048a359
0x0048a35d
0x0048a363
0x0048a366
0x0048a369
0x0048a36c
0x0048a36f
0x0048a37b
0x0048b18f
0x0048b18f
0x0048b191
0x0048b194
0x0048b19c
0x0048b19d
0x0048b19e
0x0048b1a2
0x0048b1ac
0x0048b1ac
0x0048a388
0x0048a394
0x0048a394
0x0048a39e
0x0048a3ae
0x0048a3b6
0x0048a3bd
0x0048a3c3
0x0048a3c9
0x0048a3cf
0x0048a3d5
0x0048a3df
0x0048a3ec
0x0048a3f3
0x0048a3f9
0x0048a401
0x0048a402
0x0048a409
0x0048a410
0x0048a41a
0x0048a424
0x0048a434
0x0048a438
0x0048a43f
0x0048a453
0x0048a461
0x0048a46f
0x0048a47f
0x0048a495
0x0048a49f
0x0048a4a9
0x0048a4af
0x0048a4ce
0x0048a4d3
0x0048a4d8
0x0048b17f
0x0048b18a
0x00000000
0x0048a4de
0x0048a4de
0x0048a4ee
0x0048a4f5
0x0048a4fa
0x0048a4fd
0x0048a500
0x0048a500
0x0048a503
0x00000000
0x00000000
0x0048a511
0x0048a524
0x0048a525
0x0048a529
0x0048a52a
0x0048a538
0x0048a541
0x0048a542
0x0048a548
0x0048a549
0x0048a553
0x0048a55c
0x0048a561
0x0048a567
0x0048a575
0x0048a578
0x0048a57e
0x0048a584
0x0048a586
0x0048a799
0x0048a7a0
0x0048a7a2
0x0048a7a5
0x0048a7ab
0x0048a7af
0x0048a7b1
0x0048a7d4
0x0048a7da
0x0048a7da
0x0048a7b3
0x0048a7b3
0x0048a7b4
0x0048a7bf
0x0048a7c2
0x0048a7ca
0x0048a7cf
0x0048a7cf
0x0048a7dc
0x0048a7e4
0x0048a7eb
0x0048a7f2
0x0048a7f6
0x0048a805
0x0048a814
0x0048a816
0x0048a81a
0x0048a81f
0x0048a826
0x0048a82b
0x0048a831
0x0048a58c
0x0048a58c
0x0048a593
0x0048a59a
0x0048a5a1
0x0048a5ab
0x0048a5b5
0x0048a5ba
0x0048a5c2
0x0048a5c3
0x0048a5ce
0x0048a5d2
0x0048a5dc
0x0048a5e6
0x0048a600
0x0048a604
0x0048a61b
0x0048a61f
0x0048a624
0x0048a62e
0x0048a632
0x0048a63d
0x0048a648
0x0048a653
0x0048a65e
0x0048a662
0x0048a66d
0x0048a672
0x0048a67c
0x0048a68c
0x0048a694
0x0048a696
0x0048a697
0x0048a6ab
0x0048a6af
0x0048a6b9
0x0048a6c3
0x0048a6c8
0x0048a6ce
0x0048a6d8
0x0048a6e2
0x0048a6ec
0x0048a6f6
0x0048a6fc
0x0048a700
0x0048a702
0x0048a704
0x0048a706
0x0048a70b
0x0048a70d
0x0048a718
0x0048a71f
0x0048a72a
0x0048a72e
0x0048a733
0x0048a734
0x0048a73a
0x0048a741
0x0048a746
0x0048a749
0x0048a74f
0x0048a751
0x0048a753
0x0048a755
0x0048a758
0x0048a758
0x0048a75d
0x0048a76d
0x0048a771
0x0048a77c
0x0048a780
0x0048a786
0x0048a78b
0x0048a791
0x0048a791
0x0048a586
0x0048a84e
0x0048a854
0x0048a859
0x0048a85c
0x0048a861
0x0048a864
0x0048a86a
0x0048a86e
0x0048a870
0x0048a87d
0x0048a87d
0x0048a872
0x0048a879
0x0048a879
0x0048a87f
0x0048a881
0x0048a886
0x0048a88c
0x0048a890
0x0048a8a0
0x0048a8a7
0x0048a8bb
0x0048a8e4
0x0048a8ec
0x0048a8ec
0x0048a8f2
0x0048a8f8
0x0048a8f9
0x0048a8fe
0x0048a910
0x0048a917
0x0048a91c
0x0048a92a
0x0048a92f
0x0048a93d
0x0048a942
0x0048a942
0x0048a950
0x0048a95d
0x0048a976
0x0048a97c
0x0048a98b
0x0048a99a
0x0048a99c
0x0048a9a0
0x0048a9aa
0x0048a9ba
0x0048a9c7
0x0048a9cb
0x0048a9d0
0x0048a9e8
0x0048a9ee
0x0048a9f4
0x0048a9f4
0x0048a9f7
0x00000000
0x00000000
0x0048aa08
0x0048aa12
0x0048aa27
0x0048aa2d
0x0048aa41
0x0048aa45
0x0048aa4a
0x0048aa4d
0x0048acc3
0x0048acd2
0x0048acde
0x0048ace6
0x0048aceb
0x0048acf1
0x0048acfa
0x0048acfc
0x0048ad03
0x0048ad0b
0x0048ad0b
0x0048ad0f
0x0048ad1c
0x0048ad26
0x0048ad3a
0x00000000
0x0048ad3a
0x0048aa53
0x0048aa55
0x00000000
0x00000000
0x0048aa5b
0x0048aa60
0x0048aa65
0x0048aa68
0x0048aa6e
0x0048aa72
0x0048aa74
0x0048aa81
0x0048aa81
0x0048aa76
0x0048aa7d
0x0048aa7d
0x0048aa96
0x0048aa9a
0x0048aa9f
0x0048aa9f
0x0048aaa5
0x0048aaab
0x0048aaaf
0x0048aab1
0x0048aab3
0x0048aab8
0x0048aab8
0x0048aac3
0x0048aac7
0x0048aad8
0x0048aadf
0x0048aae6
0x0048ab0a
0x0048ab12
0x0048ab12
0x0048ab18
0x0048ab1e
0x0048ab1f
0x0048ab37
0x0048ab3c
0x0048ab44
0x0048ab48
0x0048ab4f
0x0048ab5a
0x0048ab5e
0x0048ab76
0x0048ab7b
0x0048ab7f
0x0048ab7f
0x0048ab82
0x0048ab86
0x0048ab88
0x0048ab88
0x0048ab8a
0x0048ab94
0x0048ab9f
0x0048aba3
0x0048abbb
0x0048abc0
0x0048abc4
0x0048abc4
0x0048abc7
0x0048abcb
0x0048abcd
0x0048abcd
0x0048abcf
0x0048abd9
0x0048abe4
0x0048abe8
0x0048ac05
0x0048ac08
0x0048ac0c
0x0048ac10
0x0048ac12
0x0048ac12
0x0048ac14
0x0048ac14
0x0048ac1e
0x0048ac29
0x0048ac2d
0x0048ac4a
0x0048ac4d
0x0048ac51
0x0048ac55
0x0048ac57
0x0048ac57
0x0048ac5d
0x0048ac68
0x0048ac6c
0x0048ac84
0x0048ac8a
0x0048ac93
0x0048aca2
0x0048aca4
0x0048acaf
0x0048acb3
0x0048acb8
0x0048acb8
0x0048ad45
0x0048ad50
0x0048ad50
0x0048ad53
0x00000000
0x00000000
0x0048ad5e
0x0048ad6c
0x0048ad81
0x0048ad95
0x0048ad99
0x0048ad9e
0x0048ada1
0x0048ada7
0x0048adb6
0x0048adb8
0x0048adcb
0x0048add0
0x0048add5
0x0048add8
0x0048adde
0x0048ade2
0x0048ade4
0x0048adf1
0x0048adf1
0x0048ade6
0x0048aded
0x0048aded
0x0048ae06
0x0048ae0a
0x0048ae0f
0x0048ae0f
0x0048ae15
0x0048ae1b
0x0048ae1f
0x0048ae21
0x0048ae23
0x0048ae28
0x0048ae28
0x0048ae33
0x0048ae37
0x0048ae48
0x0048ae4f
0x0048ae56
0x0048ae7e
0x0048ae84
0x0048aea1
0x0048aea6
0x0048aeae
0x0048aeb2
0x0048aeb9
0x0048aec4
0x0048aec8
0x0048aee0
0x0048aee5
0x0048aee9
0x0048aee9
0x0048aeec
0x0048aef0
0x0048aef2
0x0048aef2
0x0048aef4
0x0048aefe
0x0048af09
0x0048af0d
0x0048af25
0x0048af2a
0x0048af2e
0x0048af2e
0x0048af31
0x0048af35
0x0048af37
0x0048af37
0x0048af39
0x0048af43
0x0048af4e
0x0048af52
0x0048af6a
0x0048af6f
0x0048af73
0x0048af73
0x0048af76
0x0048af7a
0x0048af7c
0x0048af7c
0x0048af7e
0x0048af88
0x0048af93
0x0048af97
0x0048afaf
0x0048afb5
0x0048afbe
0x0048afcd
0x0048afcf
0x0048afda
0x0048afde
0x00000000
0x0048afde
0x0048adba
0x0048adc0
0x0048adc4
0x00000000
0x0048adc4
0x0048ada3
0x0048ada5
0x00000000
0x00000000
0x00000000
0x0048ada5
0x0048afec
0x0048b002
0x0048b007
0x0048b00c
0x0048b012
0x0048b019
0x0048b01b
0x0048b023
0x0048b029
0x0048b02b
0x0048b031
0x0048b031
0x0048b033
0x0048b033
0x0048b02b
0x0048b03c
0x0048b043
0x0048b04e
0x0048b053
0x00000000
0x0048b053
0x0048a4d8
0x0048a38a
0x0048a38e
0x00000000
0x00000000
0x00000000

APIs

GetLastError.KERNEL32 ref: 0048A3A8
SetLastError.KERNEL32(lJ), ref: 0048A3F3
_memset.LIBCMT ref: 0048A43F
lstrcpyA.KERNEL32(?,NO DOUBT), ref: 0048A453
_memset.LIBCMT ref: 0048A46F
lstrcpyW.KERNEL32(?,?), ref: 0048A47F
lstrlenA.KERNEL32 ref: 0048A4B9
_memset.LIBCMT ref: 0048A4F5
lstrcpyA.KERNEL32(?,?,?,00000000,00000103,?,?,?,00000000,?), ref: 0048A511
lstrlenA.KERNEL32(?,?,?,?,00000000,?), ref: 0048A51E
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,00000000,?), ref: 0048A53B
_memmove.LIBCMT ref: 0048A55C
lstrcmpiA.KERNEL32(?,skin.ini,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0048A57E
GetLastError.KERNEL32 ref: 0048A686
SetLastError.KERNEL32(004AFFC0,?,00000000,000000FF), ref: 0048A6F6

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 0043AF40: __EH_prolog3_GS.LIBCMT ref: 0043AF4A
Part of subcall function 0043AF40: WriteFile.KERNELBASE(?,?,?,?,00000000,00000088,0048A746,?,00000000,004AFFB8,40000000,00000001,00000080,00000002,00000000,00000000), ref: 0043AF6E
Part of subcall function 0043AF40: __CxxThrowException@8.LIBCMT ref: 0043AFB3

_memmove.LIBCMT ref: 0048A7CA
GetPrivateProfileIntA.KERNEL32 ref: 0048A84E
_memset.LIBCMT ref: 0048A8A7
lstrcpyA.KERNEL32(?,TEXTCOLOR,00000063,ALL,00000003,?,?,?,?,?,?,?,00000000,?), ref: 0048A8BB
GetPrivateProfileStringA.KERNEL32(ALL,?,004C2BD0,?,00000064,00000000), ref: 0048A8E4
GetSysColor.USER32(00000008), ref: 0048A8F2

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

_memset.LIBCMT ref: 0048A9BA
_memset.LIBCMT ref: 0048A9CB

Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE

GetPrivateProfileSectionNamesA.KERNEL32 ref: 0048A9E8
lstrcpyA.KERNEL32(00000000,?), ref: 0048AA08
lstrlenA.KERNEL32(?), ref: 0048AA0B

Part of subcall function 00485E90: GetLastError.KERNEL32(9518852C,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D

lstrcpyA.KERNEL32 ref: 0048AAE6
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000064,00000000), ref: 0048AB0A
GetSysColor.USER32(00000008), ref: 0048AB18
GetLastError.KERNEL32(ALL-,00000000,00000004,00000000,?,00000001), ref: 0048ACD8
SysFreeString.OLEAUT32(?), ref: 0048ACFA
SysFreeString.OLEAUT32(?), ref: 0048AD0B
SetLastError.KERNEL32(?), ref: 0048AD3A

Part of subcall function 004043D0: GetLastError.KERNEL32(9518852C,73B74C30,?,73B74D40,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
Part of subcall function 004043D0: SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
Part of subcall function 004043D0: GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044BD
Part of subcall function 004043D0: SysFreeString.OLEAUT32(?), ref: 004044C8
Part of subcall function 004043D0: SetLastError.KERNEL32(?), ref: 004044E8

lstrcpyA.KERNEL32(00000000,?), ref: 0048AD5E
lstrlenA.KERNEL32(?), ref: 0048AD65
lstrcmpA.KERNEL32(SKINS,00000000,ALL,00000000,00000003,00000000,?,00000001), ref: 0048ADB0
lstrcpyA.KERNEL32 ref: 0048AE56
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,00000064,00000000), ref: 0048AE7E

Strings

dJ, xrefs: 0048A394
dJ, xrefs: 0048A5A1
ALL-, xrefs: 0048AA36
lJ, xrefs: 0048A3CF
lJ, xrefs: 0048A41A
ALL, xrefs: 0048A8DF
dJ, xrefs: 0048A410
TEXTCOLOR, xrefs: 0048A8B5, 0048AACC, 0048AE3C
dK, xrefs: 0048A75D
lJ, xrefs: 0048A5AB
dJ, xrefs: 0048A5D2
NO DOUBT, xrefs: 0048A44D
skin.ini, xrefs: 0048A570
SKINS, xrefs: 0048A849, 0048ADAB
GetThemeAppProperties, xrefs: 0048B01D
ALL, xrefs: 0048A881, 0048A923, 0048A936, 0048A949, 0048A956, 0048A96B, 0048AD8A
VERSION, xrefs: 0048A844
lJ, xrefs: 0048A5DC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Freelstrcpy$_memset$PrivateProfilelstrlen$ByteCharColorMultiWide_memmove$Exception@8FileH_prolog3H_prolog3_NamesSectionThrowWritelstrcmplstrcmpi
String ID: ALL$ALL$ALL-$GetThemeAppProperties$NO DOUBT$SKINS$TEXTCOLOR$VERSION$dK$dJ$dJ$dJ$dJ$lJ$lJ$lJ$lJ$skin.ini
API String ID: 2276469943-1455993456
Opcode ID: 03846ef255bd12024e27c8e968e249677df1cbb2fa18fe825adc6b29e097dc22
Instruction ID: 79012e49ed486ce22d0537f09b4fbe6ad00e0975ff4e1d2c00a5e82a599fa431
Opcode Fuzzy Hash: 03846ef255bd12024e27c8e968e249677df1cbb2fa18fe825adc6b29e097dc22
Instruction Fuzzy Hash: EC829871900258EEEB10EBA1DD45BDEB7B8AF15304F0040EBE549E7181DBB86B98CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004443E5, Relevance: 26.4, APIs: 6, Strings: 9, Instructions: 186
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E004443E5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t78;
				WCHAR* _t84;
				struct HINSTANCE__* _t88;
				void* _t89;
				struct HINSTANCE__* _t91;
				intOrPtr* _t98;
				_Unknown_base(*)()* _t106;
				intOrPtr* _t110;
				intOrPtr* _t111;
				intOrPtr* _t120;
				intOrPtr* _t121;
				intOrPtr* _t158;
				void* _t161;

				_push(0xbc);
				E0045B8C9(0x4a75f7, __ebx, __edi, __esi);
				_t158 =  *((intOrPtr*)(_t161 + 8));
				 *(_t161 - 0xbc) =  *(_t161 - 0xbc) & 0x00000000;
				_t78 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "LCIDToLocaleName");
				 *(_t161 - 0xa8) = _t78;
				_t163 = _t78;
				_push(0);
				_push(_t161 - 0xa1);
				if(_t78 == 0) {
					_push(L"mlang.dll");
					 *((intOrPtr*)(_t161 - 0x70)) = 0x4c2fa0;
					 *(_t161 - 0x48) = 0x4c2f40;
					E00408F6D(0x4c2fa0, _t161 - 0x70, _t158, __esi, __eflags);
					_push(_t161 - 0x70);
					_push(_t161 - 0xa0);
					 *(_t161 - 4) = 2;
					_t84 = E00444261(0x4c2fa0, _t161 - 0x70, _t158, __esi, __eflags) + 4;
					__eflags = _t84[0xa] - 8;
					if(_t84[0xa] >= 8) {
						_t84 =  *_t84;
					}
					_t160 = LoadLibraryW(_t84);
					 *(_t161 - 0xa8) = _t160;
					E00401B80(_t161 - 0xa0);
					E00401B80(_t161 - 0x70);
					__eflags = _t160;
					if(_t160 == 0) {
						L7:
						 *(_t161 - 0xac) =  *(_t161 - 0xac) & 0x00000000;
						_t88 = _t161 - 0xac;
						 *(_t161 - 4) = 7;
						__imp__CoCreateInstance(0x4c18e0, 0, 0x17, 0x4c1850, _t88);
						__eflags = _t88;
						_t89 = _t161 - 0xa1;
						if(_t88 < 0) {
							E004091B8(_t158, 0x4c2d7c, _t89, 1);
						} else {
							 *((intOrPtr*)(_t161 - 0x40)) = 0x4c2fa0;
							 *(_t161 - 0x18) = 0x4c2f40;
							E00404200(_t161 - 0x40, _t89, 0);
							_t160 =  *(_t161 - 0xac);
							_t98 = E00424315(_t161 - 0x40, _t161 - 0xb4);
							 *(_t161 - 4) = 9;
							 *((char*)(_t98 + 4)) = 1;
							 *((intOrPtr*)(_t160->i + 0x34))(_t160,  *(_t161 + 0xc) & 0x0000ffff, E0040A0F0(_t98,  *_t98));
							__eflags =  *(_t161 - 0xb0);
							 *(_t161 - 4) = 8;
							if(__eflags != 0) {
								E00404260( *((intOrPtr*)(_t161 - 0xb4)), _t158,  *((intOrPtr*)( *((intOrPtr*)(_t161 - 0xb4)) + 0x24)));
							}
							_push(0);
							_push(_t161 - 0x40);
							 *_t158 = 0x4c2fa0;
							 *(_t158 + 0x28) = 0x4c2f40;
							E00408E82(0x4c2fa0, _t158, _t158, _t160, __eflags);
							E00401B80(_t161 - 0x40);
						}
						_t91 =  *(_t161 - 0xac);
						 *(_t161 - 4) = 4;
						__eflags = _t91;
						if(_t91 != 0) {
							 *((intOrPtr*)(_t91->i + 8))(_t91);
						}
						goto L14;
					} else {
						_t106 = GetProcAddress(_t160, "LcidToRfc1766W");
						 *(_t161 - 0xb0) = _t106;
						__eflags = _t106;
						if(_t106 == 0) {
							goto L7;
						}
						_t160 = 0x4c2f40;
						 *((intOrPtr*)(_t161 - 0x40)) = 0x4c2fa0;
						 *(_t161 - 0x18) = 0x4c2f40;
						E00404200(_t161 - 0x40, _t161 - 0xa1, 0);
						 *(_t161 - 4) = 5;
						_t110 = E0040A14B(_t161 - 0x40, _t161 - 0xc8, 0x55);
						 *(_t161 - 4) = 6;
						 *((char*)(_t110 + 4)) = 1;
						_t111 = E0040A0F0(_t110,  *_t110);
						 *(_t161 - 0xb0)( *(_t161 + 0xc) & 0x0000ffff,  *_t111, 0x55);
						 *(_t161 - 4) = 5;
						E00409574(0x4c2fa0, _t161 - 0xc8, _t158, 0x4c2f40, __eflags);
						_push(0);
						_push(_t161 - 0x40);
						 *_t158 = 0x4c2fa0;
						 *(_t158 + 0x28) = 0x4c2f40;
						E00408E82(0x4c2fa0, _t158, _t158, 0x4c2f40, __eflags);
						E00401B80(_t161 - 0x40);
						L14:
						E004237DC(_t161 - 0xa8);
						L15:
						return E0045B878(0x4c2fa0, _t158, _t160);
					}
				}
				_t160 = 0x4c2f40;
				 *((intOrPtr*)(_t161 - 0x40)) = 0x4c2fa0;
				 *(_t161 - 0x18) = 0x4c2f40;
				E00404200(_t161 - 0x40);
				 *(_t161 - 4) =  *(_t161 - 4) & 0x00000000;
				_t120 = E0040A14B(_t161 - 0x40, _t161 - 0xb8, 0x55);
				 *(_t161 - 4) = 1;
				 *((char*)(_t120 + 4)) = 1;
				_t121 = E0040A0F0(_t120,  *_t120);
				 *(_t161 - 0xa8)( *(_t161 + 0xc) & 0x0000ffff,  *_t121, 0x55, 0);
				 *(_t161 - 4) = 0;
				E00409574(0x4c2fa0, _t161 - 0xb8, _t158, 0x4c2f40, _t163);
				_push(0);
				_push(_t161 - 0x40);
				 *_t158 = 0x4c2fa0;
				 *(_t158 + 0x28) = 0x4c2f40;
				E00408E82(0x4c2fa0, _t158, _t158, 0x4c2f40, _t163);
				E00401B80(_t161 - 0x40);
				goto L15;
			}

0x004443e5
0x004443ef
0x004443f4
0x004443f7
0x0044440f
0x00444415
0x0044441b
0x0044441d
0x0044442a
0x0044442b
0x004444a3
0x004444ab
0x004444ae
0x004444b5
0x004444bd
0x004444c4
0x004444c5
0x004444d1
0x004444d5
0x004444da
0x004444dc
0x004444dc
0x004444e5
0x004444e7
0x004444f3
0x004444fb
0x00444500
0x00444502
0x0044459b
0x0044459b
0x004445a2
0x004445b7
0x004445bb
0x004445c1
0x004445c3
0x004445c9
0x00444659
0x004445cf
0x004445d5
0x004445d8
0x004445df
0x004445e4
0x004445f4
0x004445fb
0x004445ff
0x00444611
0x00444614
0x0044461b
0x0044461f
0x0044462a
0x0044462a
0x0044462f
0x00444634
0x00444637
0x00444639
0x00444640
0x00444648
0x00444648
0x0044465e
0x00444664
0x00444668
0x0044466a
0x0044466f
0x0044466f
0x00000000
0x00444508
0x0044450e
0x00444514
0x0044451a
0x0044451c
0x00000000
0x00000000
0x00444526
0x0044452f
0x00444532
0x00444535
0x00444546
0x0044454a
0x00444551
0x00444555
0x00444559
0x00444567
0x00444573
0x00444577
0x0044457f
0x00444581
0x00444584
0x00444586
0x00444589
0x00444591
0x00444672
0x00444678
0x0044467d
0x00444684
0x00444684
0x00444502
0x0044442d
0x00444435
0x00444438
0x0044443b
0x00444440
0x00444450
0x00444457
0x0044445b
0x0044445f
0x0044446f
0x0044447b
0x0044447f
0x00444487
0x00444489
0x0044448c
0x0044448e
0x00444491
0x00444499
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 004443EF
GetModuleHandleW.KERNEL32(Kernel32.dll,LCIDToLocaleName), ref: 00444408
GetProcAddress.KERNEL32(00000000), ref: 0044440F
LoadLibraryW.KERNEL32(-00000004,mlang.dll,?,00000000), ref: 004444DF
GetProcAddress.KERNEL32(00000000,LcidToRfc1766W), ref: 0044450E

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

Kernel32.dll, xrefs: 00444403
@/L, xrefs: 004444AE
LCIDToLocaleName, xrefs: 004443FE
@/L, xrefs: 00444639
@/L, xrefs: 00444526
@/L, xrefs: 004445D8
LcidToRfc1766W, xrefs: 00444508
mlang.dll, xrefs: 004444A3
@/L, xrefs: 0044442D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$AddressFreeH_prolog3_Proc$AllocH_prolog3HandleLibraryLoadModule
String ID: @/L$@/L$@/L$@/L$@/L$Kernel32.dll$LCIDToLocaleName$LcidToRfc1766W$mlang.dll
API String ID: 1118478212-902657132
Opcode ID: 2bd63b1464da248b0bf7750dab4b21f0f8a3abdf87617b7ec6aa2b9d08839140
Instruction ID: fb490cd4c4185951d43f97ecbd8599a8fae49d0cfa27e50f6b17a355b2b286b9
Opcode Fuzzy Hash: 2bd63b1464da248b0bf7750dab4b21f0f8a3abdf87617b7ec6aa2b9d08839140
Instruction Fuzzy Hash: 35713F70900318EEEB10EF91CC55BDDBB78BF15704F1440AEE509B7292DBB85A45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00475CA1, Relevance: 21.5, APIs: 14, Instructions: 537
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 90%

			E00475CA1(void* __ebx, void* __esi, signed int _a4, signed int _a8, signed int _a12) {
				signed int _v8;
				char _v15;
				void _v16;
				short _v1724;
				char _v5140;
				void _v6844;
				void* _v6848;
				signed int _v6852;
				short _v6856;
				signed int _v6860;
				signed int _v6864;
				signed int _v6868;
				char _v6872;
				long _v6876;
				long _v6880;
				char _v6881;
				long _v6888;
				intOrPtr _v6892;
				signed int _v6896;
				int _v6900;
				void* __edi;
				signed int _t252;
				signed int _t254;
				signed int _t257;
				intOrPtr _t259;
				signed int _t260;
				signed int* _t271;
				signed int _t276;
				signed int _t282;
				signed int _t283;
				signed int _t284;
				signed int _t286;
				signed int _t292;
				short _t295;
				signed int _t296;
				signed int _t302;
				void* _t307;
				signed int _t312;
				int _t313;
				short _t315;
				signed int _t317;
				void* _t318;
				signed int _t323;
				void* _t325;
				signed int _t326;
				long _t330;
				signed int _t334;
				signed int _t340;
				void* _t347;
				short _t351;
				void* _t352;
				signed char _t364;
				signed int _t365;
				signed int _t366;
				signed int* _t367;
				long _t368;
				char* _t369;
				long _t370;
				signed int _t371;
				signed int _t372;
				signed int _t374;
				intOrPtr _t375;
				short _t382;
				signed int _t383;
				signed int _t386;
				signed int _t388;
				signed int _t391;
				char _t394;
				signed int _t395;
				signed int _t396;
				signed short* _t399;
				void* _t400;
				char _t401;
				short _t407;
				signed int _t408;
				signed int _t410;
				short _t411;
				intOrPtr _t416;
				intOrPtr* _t417;
				signed int _t418;
				signed int _t420;
				char _t421;
				signed int _t426;
				signed int _t427;
				signed short* _t428;
				signed int _t430;
				signed int _t431;
				signed int _t432;
				void* _t433;

				_t423 = __esi;
				_t361 = __ebx;
				E0045BDF0(0x1af0);
				_t252 =  *0x4d7e88; // 0x9518852c
				_v8 = _t252 ^ _t432;
				_t254 = _a4;
				_t372 = _a8;
				_t407 = 0;
				_t418 = 0;
				_v6852 = _t254;
				_v6848 = _t372;
				_v6856 = 0;
				_v6872 = 0;
				if(_a12 != 0) {
					__eflags = _t372;
					if(__eflags != 0) {
						_push(__ebx);
						_push(__esi);
						_t374 = _t254 >> 5;
						_t426 = (_t254 & 0x0000001f) << 6;
						_v6868 = _t374;
						_t375 =  *((intOrPtr*)(0x4da6e0 + _t374 * 4));
						_v6896 = _t426;
						_t364 =  *((intOrPtr*)(_t426 + _t375 + 0x24)) +  *((intOrPtr*)(_t426 + _t375 + 0x24)) >> 1;
						__eflags = _t364 - 2;
						if(_t364 == 2) {
							L6:
							__eflags =  !_a12 & 0x00000001;
							if(__eflags != 0) {
								_t254 = _v6852;
								L9:
								__eflags =  *(_t426 + _t375 + 4) & 0x00000020;
								if(__eflags != 0) {
									E004765C7(_t375, __eflags, _t254, _t407, _t407, 2);
									_t433 = _t433 + 0x10;
								}
								_t257 = E00475B6B(_v6852);
								__eflags = _t257;
								if(_t257 == 0) {
									L50:
									_t259 =  *((intOrPtr*)(0x4da6e0 + _v6868 * 4));
									__eflags =  *(_t426 + _t259 + 4) & 0x00000080;
									if(( *(_t426 + _t259 + 4) & 0x00000080) == 0) {
										_t260 = WriteFile( *(_t426 + _t259), _v6848, _a12,  &_v6876, 0);
										__eflags = _t260;
										if(_t260 == 0) {
											goto L92;
										}
										_t418 = _v6876;
										_t427 = 0;
										goto L93;
									}
									_t407 = _v6848;
									_t427 = 0;
									_v6860 = 0;
									__eflags = _t364;
									if(_t364 != 0) {
										_t382 = _t407;
										__eflags = _t364 - 2;
										if(_t364 != 2) {
											_t366 = _a12;
											_v6880 = _t382;
											__eflags = _t366;
											if(_t366 == 0) {
												goto L99;
											}
											_v6892 = 0xa;
											do {
												_v6888 = _v6888 & 0x00000000;
												_t428 = _v6880;
												_t383 = _t382 - _t407;
												__eflags = _t383;
												_t408 = _v6888;
												_t271 =  &_v1724;
												do {
													__eflags = _t383 - _t366;
													if(_t383 >= _t366) {
														break;
													}
													_t420 =  *_t428 & 0x0000ffff;
													_t428 =  &(_t428[1]);
													_t383 = _t383 + 2;
													_v6880 = _t428;
													__eflags = _t420 - _v6892;
													if(_t420 == _v6892) {
														_t430 = 0xd;
														 *_t271 = _t430;
														_t428 = _v6880;
														_t271 =  &(_t271[0]);
														_t408 = _t408 + 2;
														__eflags = _t408;
													}
													 *_t271 = _t420;
													_t408 = _t408 + 2;
													_t271 =  &(_t271[0]);
													__eflags = _t408 - 0x6a8;
												} while (_t408 < 0x6a8);
												asm("cdq");
												_t276 = WideCharToMultiByte(0xfde9, 0,  &_v1724, _t271 -  &_v1724 - _t408 >> 1,  &_v5140, 0xd55, 0, 0);
												_t427 = _v6860;
												_t418 = _v6856;
												_v6864 = _t276;
												__eflags = _t276;
												if(_t276 == 0) {
													goto L92;
												}
												_t386 = 0;
												__eflags = 0;
												_v6852 = 0;
												while(1) {
													_t282 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &(( &_v5140)[_t386]), _t276 - _t386,  &_v6876, 0);
													__eflags = _t282;
													if(_t282 == 0) {
														break;
													}
													_t386 = _v6852 + _v6876;
													_t276 = _v6864;
													_v6852 = _t386;
													__eflags = _t276 - _t386;
													if(_t276 > _t386) {
														continue;
													}
													L87:
													__eflags = _t284 - _t388;
													if(_t284 > _t388) {
														goto L93;
													}
													goto L88;
												}
												_t283 = GetLastError();
												_t388 = _v6852;
												_t427 = _t283;
												_t284 = _v6864;
												_v6860 = _t427;
												goto L87;
												L88:
												_t382 = _v6880;
												_t407 = _v6848;
												_t418 = _t382 - _t407;
												_v6856 = _t418;
												__eflags = _t418 - _t366;
											} while (_t418 < _t366);
											goto L94;
										}
										_v6852 = _t382;
										__eflags = _a12;
										if(_a12 <= 0) {
											goto L99;
										}
										_v6892 = 0xa;
										do {
											_v6888 = _v6888 & 0x00000000;
											_t421 = _v6872;
											_t286 = _t382 - _t407;
											__eflags = _t286;
											_t410 = _v6888;
											_t367 =  &_v6844;
											do {
												__eflags = _t286 - _a12;
												if(_t286 >= _a12) {
													break;
												}
												_t431 =  *_t382 & 0x0000ffff;
												_t382 = _t382 + 2;
												_t286 = _t286 + 2;
												_v6852 = _t382;
												__eflags = _t431 - _v6892;
												if(_t431 == _v6892) {
													_t391 = 0xd;
													 *_t367 = _t391;
													_t382 = _v6852;
													_t421 = _t421 + 2;
													_t367 =  &(_t367[0]);
													_t410 = _t410 + 2;
													__eflags = _t410;
												}
												 *_t367 = _t431;
												_t410 = _t410 + 2;
												_t367 =  &(_t367[0]);
												__eflags = _t410 - 0x13fe;
											} while (_t410 < 0x13fe);
											_t368 = _t367 -  &_v6844;
											_v6872 = _t421;
											_t292 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &_v6844, _t368,  &_v6876, 0);
											_t427 = _v6860;
											_t418 = _v6856;
											__eflags = _t292;
											if(_t292 == 0) {
												goto L92;
											}
											_t418 = _t418 + _v6876;
											_t407 = _v6848;
											_v6856 = _t418;
											__eflags = _v6876 - _t368;
											if(_v6876 < _t368) {
												goto L94;
											}
											_t382 = _v6852;
											__eflags = _t382 - _t407 - _a12;
										} while (_t382 - _t407 < _a12);
										goto L94;
									}
									_t295 = _t407;
									_v6856 = _t295;
									__eflags = _a12;
									if(_a12 <= 0) {
										goto L99;
									} else {
										goto L53;
									}
									do {
										L53:
										_t296 = _t295 - _t407;
										__eflags = _t296;
										_t411 = _v6856;
										_t369 =  &_v6844;
										_v6852 = 0;
										do {
											__eflags = _t296 - _a12;
											if(_t296 >= _a12) {
												break;
											}
											_t394 =  *_t411;
											_t296 = _t296 + 1;
											_v6881 = _t394;
											__eflags = _t394 - 0xa;
											_t395 = _v6852;
											_v6856 = _t411 + 1;
											if(_t394 == 0xa) {
												_v6872 = _v6872 + 1;
												 *_t369 = 0xd;
												_t369 = _t369 + 1;
												_t395 = _t395 + 1;
												__eflags = _t395;
											}
											 *_t369 = _v6881;
											_t411 = _v6856;
											_t369 = _t369 + 1;
											_t396 = _t395 + 1;
											_v6852 = _t396;
											__eflags = _t396 - 0x13ff;
										} while (_t396 < 0x13ff);
										_t370 = _t369 -  &_v6844;
										_t302 = WriteFile( *(_v6896 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &_v6844, _t370,  &_v6876, 0);
										__eflags = _t302;
										if(_t302 == 0) {
											goto L92;
										}
										_t418 = _t418 + _v6876;
										_t407 = _v6848;
										__eflags = _v6876 - _t370;
										if(_v6876 < _t370) {
											goto L94;
										}
										__eflags = _v6856 - _t407 - _a12;
										_t295 = _v6856;
									} while (_v6856 - _t407 < _a12);
									goto L94;
								} else {
									__eflags =  *(_t426 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4)) + 4) & 0x00000080;
									if(__eflags == 0) {
										goto L50;
									}
									_t307 = E00464D84(_t407, _t418, __eflags);
									__eflags =  *( *((intOrPtr*)(_t307 + 0x6c)) + 0xa8);
									_v6852 = 0 |  *( *((intOrPtr*)(_t307 + 0x6c)) + 0xa8) == 0x00000000;
									_t312 = GetConsoleMode( *(_t426 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &_v6888);
									__eflags = _t312;
									if(_t312 == 0) {
										goto L50;
									}
									__eflags = _v6852 - _t418;
									if(_v6852 == _t418) {
										L16:
										_t313 = GetConsoleCP();
										_t407 = _v6848;
										_v6880 = _v6880 & _t418;
										_t399 = _t407;
										_v6900 = _t313;
										_v6864 = _t399;
										__eflags = _a12 - _t418;
										if(_a12 <= _t418) {
											_t427 = _v6852;
											L95:
											__eflags = _t427;
											if(_t427 == 0) {
												L99:
												__eflags =  *(_v6896 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4)) + 4) & 0x00000040;
												if(__eflags == 0) {
													L102:
													 *((intOrPtr*)(E0045D506(__eflags))) = 0x1c;
													_t267 = E0045D4D2(__eflags);
													 *_t267 =  *_t267 & 0x00000000;
													__eflags =  *_t267;
													L103:
													L105:
													_pop(_t423);
													_pop(_t361);
													L106:
													return E0045A457(_t361, _v8 ^ _t432, _t407, _t418, _t423);
												}
												__eflags =  *_t407 - 0x1a;
												if(__eflags != 0) {
													goto L102;
												}
												goto L105;
											}
											_t365 = 5;
											__eflags = _t427 - _t365;
											if(__eflags != 0) {
												_t267 = E0045D4E5(_t427);
											} else {
												 *((intOrPtr*)(E0045D506(__eflags))) = 9;
												 *(E0045D4D2(__eflags)) = _t365;
											}
											goto L103;
										}
										__eflags = 0;
										_v6860 = 0;
										_v6892 = 0xa;
										do {
											__eflags = _t364;
											if(_t364 != 0) {
												__eflags = _t364 - 1;
												if(_t364 == 1) {
													L37:
													_t315 =  *_t399 & 0x0000ffff;
													__eflags = _t315 - _v6892;
													_v6856 = _t315;
													_t399 =  &(_t399[1]);
													_t317 = _v6860 + 2;
													__eflags = _t317;
													_v6864 = _t399;
													_v6860 = _t317;
													_v6852 = 0 | _t315 == _v6892;
													L38:
													__eflags = _t364 - 1;
													if(_t364 == 1) {
														L40:
														_t318 = E0047B98A(_t399, _v6856);
														_pop(_t400);
														__eflags = _t318 - _v6856;
														if(_t318 != _v6856) {
															L92:
															_t427 = GetLastError();
															L93:
															_t407 = _v6848;
															L94:
															__eflags = _t418;
															if(_t418 != 0) {
																__eflags = _t418;
																goto L105;
															}
															goto L95;
														}
														_t418 = _t418 + 2;
														__eflags = _v6852;
														if(_v6852 == 0) {
															L44:
															_t317 = _v6860;
															_t399 = _v6864;
															goto L45;
														}
														_t351 = 0xd;
														_v6856 = _t351;
														_t352 = E0047B98A(_t400, _t351);
														__eflags = _t352 - _v6856;
														if(_t352 != _v6856) {
															goto L92;
														}
														_t418 = _t418 + 1;
														_t118 =  &_v6872;
														 *_t118 = _v6872 + 1;
														__eflags =  *_t118;
														goto L44;
													}
													__eflags = _t364 - 2;
													if(_t364 != 2) {
														goto L45;
													}
													goto L40;
												}
												__eflags = _t364 - 2;
												if(_t364 != 2) {
													goto L38;
												}
												goto L37;
											}
											_t401 =  *_t399;
											__eflags = _t401 - 0xa;
											_v6852 = 0 | _t401 == 0x0000000a;
											_t416 =  *((intOrPtr*)(0x4da6e0 + _v6868 * 4));
											__eflags =  *(_t426 + _t416 + 0x38);
											if( *(_t426 + _t416 + 0x38) == 0) {
												_t323 = E00464B18(_t401);
												__eflags = _t323;
												if(_t323 == 0) {
													_push(1);
													_push(_v6864);
													L26:
													_push( &_v6856);
													_t325 = E00476ACC();
													_t433 = _t433 + 0xc;
													__eflags = _t325 - 0xffffffff;
													if(_t325 == 0xffffffff) {
														L48:
														_t427 = _v6852;
														goto L93;
													}
													_t326 = _v6864;
													L28:
													_v6860 = _v6860 + 1;
													_v6864 = _t326 + 1;
													_t330 = WideCharToMultiByte(_v6900, 0,  &_v6856, 1,  &_v16, 5, 0, 0);
													_v6888 = _t330;
													__eflags = _t330;
													if(_t330 == 0) {
														goto L48;
													}
													_t334 = WriteFile( *(_t426 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &_v16, _t330,  &_v6880, 0);
													__eflags = _t334;
													if(_t334 == 0) {
														goto L92;
													}
													_t418 = _v6860 + _v6872;
													__eflags = _v6880 - _v6888;
													if(_v6880 < _v6888) {
														goto L48;
													}
													__eflags = _v6852;
													if(_v6852 == 0) {
														goto L44;
													}
													_v16 = 0xd;
													_t340 = WriteFile( *(_t426 +  *((intOrPtr*)(0x4da6e0 + _v6868 * 4))),  &_v16, 1,  &_v6880, 0);
													__eflags = _t340;
													if(_t340 == 0) {
														goto L92;
													}
													__eflags = _v6880 - 1;
													if(_v6880 < 1) {
														goto L48;
													}
													_v6872 = _v6872 + 1;
													_t418 = _t418 + 1;
													goto L44;
												}
												_t417 = _v6864;
												__eflags = _v6848 - _t417 + _a12 - 1;
												if(_v6848 - _t417 + _a12 <= 1) {
													_t371 = _v6868;
													_t418 = _t418 + 1;
													__eflags = _t418;
													 *((char*)(_t426 +  *((intOrPtr*)(0x4da6e0 + _t371 * 4)) + 0x34)) =  *_t417;
													 *(_t426 +  *((intOrPtr*)(0x4da6e0 + _t371 * 4)) + 0x38) = 1;
													goto L48;
												}
												_t347 = E00476ACC( &_v6856, _t417, 2);
												_t433 = _t433 + 0xc;
												__eflags = _t347 - 0xffffffff;
												if(_t347 == 0xffffffff) {
													goto L48;
												}
												_t326 = _v6864 + 1;
												_v6860 = _v6860 + 1;
												goto L28;
											}
											_v16 =  *((intOrPtr*)(_t426 + _t416 + 0x34));
											_push(2);
											_v15 = _t401;
											 *(_t426 + _t416 + 0x38) =  *(_t426 + _t416 + 0x38) & 0x00000000;
											_push( &_v16);
											goto L26;
											L45:
											__eflags = _t317 - _a12;
										} while (_t317 < _a12);
										goto L48;
									}
									__eflags = _t364;
									if(_t364 == 0) {
										goto L50;
									}
									goto L16;
								}
							}
							 *(E0045D4D2(__eflags)) =  *_t354 & _t418;
							 *((intOrPtr*)(E0045D506(__eflags))) = 0x16;
							_t267 = E004650D6();
							goto L103;
						}
						__eflags = _t364 - 1;
						if(_t364 != 1) {
							goto L9;
						}
						goto L6;
					}
					 *(E0045D4D2(__eflags)) =  *_t356 & 0;
					 *((intOrPtr*)(E0045D506(__eflags))) = 0x16;
					E004650D6();
					goto L106;
				}
				goto L106;
			}

0x00475ca1
0x00475ca1
0x00475ca9
0x00475cae
0x00475cb5
0x00475cb8
0x00475cbb
0x00475cbe
0x00475cc1
0x00475cc3
0x00475cc9
0x00475ccf
0x00475cd5
0x00475cde
0x00475ce7
0x00475ce9
0x00475d0a
0x00475d0b
0x00475d0e
0x00475d16
0x00475d19
0x00475d1f
0x00475d26
0x00475d32
0x00475d34
0x00475d37
0x00475d3e
0x00475d43
0x00475d45
0x00475d63
0x00475d69
0x00475d69
0x00475d6e
0x00475d75
0x00475d7a
0x00475d7a
0x00475d83
0x00475d89
0x00475d8b
0x004760a9
0x004760af
0x004760b6
0x004760bb
0x0047642b
0x00476431
0x00476433
0x00000000
0x00000000
0x00476435
0x0047643b
0x00000000
0x0047643b
0x004760c1
0x004760c7
0x004760c9
0x004760cf
0x004760d1
0x004761b8
0x004761ba
0x004761bd
0x004762c1
0x004762c4
0x004762ca
0x004762cc
0x00000000
0x00000000
0x004762d2
0x004762dc
0x004762dc
0x004762e3
0x004762e9
0x004762e9
0x004762eb
0x004762f1
0x004762f7
0x004762f7
0x004762f9
0x00000000
0x00000000
0x004762fb
0x004762fe
0x00476301
0x00476304
0x0047630a
0x00476311
0x00476315
0x00476316
0x00476319
0x0047631f
0x00476322
0x00476322
0x00476322
0x00476325
0x00476328
0x0047632b
0x0047632e
0x0047632e
0x0047634e
0x0047635d
0x00476363
0x00476369
0x0047636f
0x00476375
0x00476377
0x00000000
0x00000000
0x0047637d
0x0047637d
0x0047637f
0x00476385
0x004763b0
0x004763b6
0x004763b8
0x00000000
0x00000000
0x004763c0
0x004763c6
0x004763cc
0x004763d2
0x004763d4
0x00000000
0x00000000
0x004763f2
0x004763f2
0x004763f4
0x00000000
0x00000000
0x00000000
0x004763f4
0x004763d8
0x004763de
0x004763e4
0x004763e6
0x004763ec
0x00000000
0x004763f6
0x004763f6
0x004763fc
0x00476404
0x00476406
0x0047640c
0x0047640c
0x00000000
0x00476414
0x004761c3
0x004761c9
0x004761cc
0x00000000
0x00000000
0x004761d2
0x004761dc
0x004761dc
0x004761e3
0x004761eb
0x004761eb
0x004761ed
0x004761f3
0x004761f9
0x004761f9
0x004761fc
0x00000000
0x00000000
0x004761fe
0x00476201
0x00476204
0x00476207
0x0047620d
0x00476214
0x00476218
0x00476219
0x0047621c
0x00476222
0x00476225
0x00476228
0x00476228
0x00476228
0x0047622b
0x0047622e
0x00476231
0x00476234
0x00476234
0x00476248
0x00476261
0x00476271
0x00476277
0x0047627d
0x00476283
0x00476285
0x00000000
0x00000000
0x0047628b
0x00476291
0x00476297
0x0047629d
0x004762a3
0x00000000
0x00000000
0x004762a9
0x004762b3
0x004762b3
0x00000000
0x004762bc
0x004760d7
0x004760d9
0x004760df
0x004760e2
0x00000000
0x00000000
0x00000000
0x00000000
0x004760e8
0x004760e8
0x004760ea
0x004760ea
0x004760ec
0x004760f2
0x004760f8
0x004760fe
0x004760fe
0x00476101
0x00000000
0x00000000
0x00476103
0x00476106
0x00476107
0x0047610d
0x00476110
0x00476116
0x0047611c
0x0047611e
0x00476124
0x00476127
0x00476128
0x00476128
0x00476128
0x0047612f
0x00476131
0x00476137
0x00476138
0x00476139
0x0047613f
0x0047613f
0x00476153
0x00476176
0x0047617c
0x0047617e
0x00000000
0x00000000
0x00476184
0x0047618a
0x00476190
0x00476196
0x00000000
0x00000000
0x004761a4
0x004761a7
0x004761a7
0x00000000
0x00475d91
0x00475d9e
0x00475da3
0x00000000
0x00000000
0x00475da9
0x00475db3
0x00475dd3
0x00475dd9
0x00475ddf
0x00475de1
0x00000000
0x00000000
0x00475de7
0x00475ded
0x00475df7
0x00475df7
0x00475dfd
0x00475e03
0x00475e09
0x00475e0b
0x00475e11
0x00475e17
0x00475e1a
0x0047609e
0x00476451
0x00476451
0x00476453
0x00476479
0x0047648c
0x00476491
0x0047649c
0x004764a1
0x004764a7
0x004764ac
0x004764ac
0x004764af
0x004764bc
0x004764bc
0x004764bd
0x004764be
0x004764ca
0x004764ca
0x00476493
0x00476496
0x00000000
0x00000000
0x00000000
0x00476498
0x00476457
0x00476458
0x0047645a
0x00476471
0x0047645c
0x00476461
0x0047646c
0x0047646c
0x00000000
0x0047645a
0x00475e20
0x00475e22
0x00475e28
0x00475e32
0x00475e32
0x00475e34
0x00475fc9
0x00475fcc
0x00475fd3
0x00475fd3
0x00475fd8
0x00475fdf
0x00475fee
0x00475ff1
0x00475ff1
0x00475ff4
0x00475ffa
0x00476000
0x00476006
0x00476006
0x00476009
0x00476010
0x00476016
0x0047601b
0x0047601c
0x00476023
0x0047643f
0x00476445
0x00476447
0x00476447
0x0047644d
0x0047644d
0x0047644f
0x004764b4
0x00000000
0x004764ba
0x00000000
0x0047644f
0x00476029
0x0047602c
0x00476033
0x00476059
0x00476059
0x0047605f
0x00000000
0x0047605f
0x00476037
0x00476039
0x0047603f
0x00476045
0x0047604c
0x00000000
0x00000000
0x00476052
0x00476053
0x00476053
0x00476053
0x00000000
0x00476053
0x0047600b
0x0047600e
0x00000000
0x00000000
0x00000000
0x0047600e
0x00475fce
0x00475fd1
0x00000000
0x00000000
0x00000000
0x00475fd1
0x00475e3a
0x00475e3e
0x00475e44
0x00475e50
0x00475e57
0x00475e5c
0x00475e79
0x00475e7f
0x00475e81
0x00475ec7
0x00475ec9
0x00475ecf
0x00475ed5
0x00475ed6
0x00475edb
0x00475ede
0x00475ee1
0x00476093
0x00476093
0x00000000
0x00476093
0x00475ee7
0x00475eed
0x00475ef2
0x00475efa
0x00475f14
0x00475f1a
0x00475f20
0x00475f22
0x00000000
0x00000000
0x00475f46
0x00475f4c
0x00475f4e
0x00000000
0x00000000
0x00475f60
0x00475f66
0x00475f6c
0x00000000
0x00000000
0x00475f72
0x00475f79
0x00000000
0x00000000
0x00475f94
0x00475fa2
0x00475fa8
0x00475faa
0x00000000
0x00000000
0x00475fb0
0x00475fb7
0x00000000
0x00000000
0x00475fbd
0x00475fc3
0x00000000
0x00475fc3
0x00475e89
0x00475e94
0x00475e97
0x00476070
0x0047607f
0x0047607f
0x00476080
0x0047608b
0x00000000
0x0047608b
0x00475ea7
0x00475eac
0x00475eaf
0x00475eb2
0x00000000
0x00000000
0x00475ebe
0x00475ebf
0x00000000
0x00475ebf
0x00475e62
0x00475e65
0x00475e6a
0x00475e6d
0x00475e72
0x00000000
0x00476065
0x00476065
0x00476065
0x00000000
0x0047606e
0x00475def
0x00475df1
0x00000000
0x00000000
0x00000000
0x00475df1
0x00475d8b
0x00475d4c
0x00475d53
0x00475d59
0x00000000
0x00475d59
0x00475d39
0x00475d3c
0x00000000
0x00000000
0x00000000
0x00475d3c
0x00475cf0
0x00475cf7
0x00475cfd
0x00000000
0x00475d02
0x00000000

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eb8f3866b5ea48272a6f9154bea011b6ec47790a0d751755b6acb7a5d7e2f49
Instruction ID: bcaf2ade6dbcaa6ecbdc78d049e7b0f52704d079f8f8195321b0f73386b771a1
Opcode Fuzzy Hash: 6eb8f3866b5ea48272a6f9154bea011b6ec47790a0d751755b6acb7a5d7e2f49
Instruction Fuzzy Hash: 0C326175B026688FCB24CF55DD406EAB7B5FB46314F0980DAE40EA7A81D7349E80CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 00451BC7, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 125
filestringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00451BC7(int __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed char _t51;
				int _t54;
				WCHAR* _t66;
				int _t72;
				int _t80;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t110;

				_t110 = __eflags;
				_t104 = __esi;
				_t103 = __edi;
				_t88 = __ebx;
				_push(0x2e0);
				E0045B8C9(0x4a98c8, __ebx, __edi, __esi);
				 *(_t105 - 4) =  *(_t105 - 4) & 0x00000000;
				_push(_t105 + 8);
				_t51 = E00450E91(__ebx, __edi, __esi, _t110);
				_t111 = _t51 & 0x00000010;
				if((_t51 & 0x00000010) == 0) {
					L12:
					__eflags =  *((intOrPtr*)(_t105 + 0x20)) - 8;
					_t53 =  >=  ?  *((void*)(_t105 + 0xc)) : _t105 + 0xc;
					_t54 = DeleteFileW( >=  ?  *((void*)(_t105 + 0xc)) : _t105 + 0xc);
					__eflags = _t54;
					if(__eflags != 0) {
						L14:
						E00401B80(_t105 + 8);
						return E0045B878(_t88, _t103, _t104);
					}
					_push(_t54);
					_push(_t105 + 8);
					 *((intOrPtr*)(_t105 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t105 - 0x18)) = 0x4ae96c;
					E00408E82(_t88, _t105 - 0x40, _t103, _t104, __eflags);
					 *(_t105 - 4) = 4;
					L11:
					_push(1);
					_push(_t105 - 0x40);
					E00416910(_t105 - 0x90, _t104, __eflags);
					E0045A466(_t105 - 0x90, 0x4c9bf0);
					goto L12;
				}
				_push(L"*.*");
				_push(_t105 + 8);
				_push(_t105 - 0x70);
				_t88 = 1;
				_t66 = E00450C01(1, __edi, __esi, _t111) + 4;
				_t107 = _t106 + 0xc;
				if(_t66[0xa] >= 8) {
					_t66 =  *_t66;
				}
				_t104 = FindFirstFileW(_t66, _t105 - 0x2e0);
				 *(_t105 - 0x2e8) = _t104;
				 *(_t105 - 4) = 1;
				E00401B80(_t105 - 0x70);
				if(_t104 == 0xffffffff) {
					L9:
					 *(_t105 - 4) = 0;
					E0042382A(_t105 - 0x2e8);
					__eflags =  *((intOrPtr*)(_t105 + 0x20)) - 8;
					_t71 =  >=  ?  *((void*)(_t105 + 0xc)) : _t105 + 0xc;
					_t72 = RemoveDirectoryW( >=  ?  *((void*)(_t105 + 0xc)) : _t105 + 0xc);
					__eflags = _t72;
					if(__eflags != 0) {
						goto L14;
					}
					_push(_t72);
					_push(_t105 + 8);
					 *((intOrPtr*)(_t105 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t105 - 0x18)) = 0x4ae96c;
					E00408E82(_t88, _t105 - 0x40, _t103, _t104, __eflags);
					 *(_t105 - 4) = 3;
					goto L11;
				} else {
					while(_t88 != 0) {
						if(lstrcmpW(_t105 - 0x2b4, ".") != 0) {
							_t80 = lstrcmpW(_t105 - 0x2b4, L"..");
							_t116 = _t80;
							if(_t80 != 0) {
								_push(0);
								_push(_t105 - 0x2e1);
								_push(_t105 - 0x2b4);
								 *((intOrPtr*)(_t105 - 0x40)) = 0x4affb8;
								 *((intOrPtr*)(_t105 - 0x18)) = 0x4affc0;
								E00408F6D(_t88, _t105 - 0x40, _t103, _t104, _t116);
								_t108 = _t107 - 0x30;
								_push(_t105 - 0x40);
								_push(_t105 + 8);
								_push(_t108);
								 *(_t105 - 4) = 2;
								E00450B9E(_t88, _t103, _t104, _t116);
								E00451BC7(_t88, _t105 + 8, _t103, _t104, _t116);
								_t107 = _t108 + 0x3c;
								 *(_t105 - 4) = 1;
								E00401B80(_t105 - 0x40);
							}
						}
						_t88 = FindNextFileW(_t104, _t105 - 0x2e0);
					}
					goto L9;
				}
			}

0x00451bc7
0x00451bc7
0x00451bc7
0x00451bc7
0x00451bc7
0x00451bd1
0x00451bd6
0x00451bdd
0x00451bde
0x00451be4
0x00451be6
0x00451d3d
0x00451d3d
0x00451d44
0x00451d49
0x00451d4f
0x00451d51
0x00451d74
0x00451d77
0x00451d81
0x00451d81
0x00451d53
0x00451d57
0x00451d5b
0x00451d62
0x00451d69
0x00451d6e
0x00451d1b
0x00451d1b
0x00451d20
0x00451d27
0x00451d38
0x00000000
0x00451d38
0x00451bec
0x00451bf4
0x00451bfa
0x00451bfb
0x00451c01
0x00451c04
0x00451c0b
0x00451c0d
0x00451c0d
0x00451c1d
0x00451c1f
0x00451c28
0x00451c2c
0x00451c34
0x00451cd7
0x00451cdd
0x00451ce1
0x00451ce6
0x00451ced
0x00451cf2
0x00451cf8
0x00451cfa
0x00000000
0x00000000
0x00451cfc
0x00451d00
0x00451d04
0x00451d0b
0x00451d12
0x00451d17
0x00000000
0x00451c3a
0x00451c3a
0x00451c56
0x00451c64
0x00451c6a
0x00451c6c
0x00451c6e
0x00451c76
0x00451c7d
0x00451c81
0x00451c88
0x00451c8f
0x00451c94
0x00451c9c
0x00451ca0
0x00451ca1
0x00451ca2
0x00451ca6
0x00451cae
0x00451cb3
0x00451cb9
0x00451cbd
0x00451cbd
0x00451c6c
0x00451cd0
0x00451cd0
0x00000000
0x00451c3a

APIs

__EH_prolog3_GS.LIBCMT ref: 00451BD1

Part of subcall function 00450E91: __EH_prolog3_GS.LIBCMT ref: 00450E9B
Part of subcall function 00450E91: GetFileAttributesW.KERNEL32(00000000,00000084,00451BE3,?,000002E0,0048B00C,?,00000001), ref: 00450EAF
Part of subcall function 00450E91: __CxxThrowException@8.LIBCMT ref: 00450EF4

FindFirstFileW.KERNEL32(-00000004,?,0048B00C,?,00000001), ref: 00451C17
lstrcmpW.KERNEL32(?,004AECA0), ref: 00451C4E
lstrcmpW.KERNEL32(?,004B60E8), ref: 00451C64
FindNextFileW.KERNEL32(00000000,?), ref: 00451CCA
RemoveDirectoryW.KERNEL32(?), ref: 00451CF2
__CxxThrowException@8.LIBCMT ref: 00451D38
DeleteFileW.KERNEL32(?,000002E0,0048B00C,?,00000001), ref: 00451D49

Part of subcall function 00450C01: __EH_prolog3_GS.LIBCMT ref: 00450C08

Strings

dJ, xrefs: 00451D5B
lJ, xrefs: 00451D62
*.*, xrefs: 00451BEC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: File$H_prolog3_$Exception@8FindThrowlstrcmp$AttributesDeleteDirectoryFirstNextRemove
String ID: *.*$dJ$lJ
API String ID: 1087441661-4156733564
Opcode ID: 168bcfbae65a6738b584ec5ab83d4e8e886bb6a940d237cdd6fb89bcf1716c23
Instruction ID: 143d3da405b5dbad7b1d6632039a36703aa4dcd64b6036911f87ea3ed7e8dd09
Opcode Fuzzy Hash: 168bcfbae65a6738b584ec5ab83d4e8e886bb6a940d237cdd6fb89bcf1716c23
Instruction Fuzzy Hash: 48418271900248EECB00EFA1CC89BDE77BCAF15309F40416AF915A3152EB789B4DCB69

Uniqueness

Uniqueness Score: -1.00%

Function 00430226, Relevance: 18.1, APIs: 12, Instructions: 104
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00430226(void* __ecx, void* __edx, void** _a4, char _a8, intOrPtr _a12) {
				signed int _v8;
				long _v12;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t30;
				int _t39;
				void** _t45;
				void* _t46;
				void* _t53;
				long _t55;
				void* _t56;
				void* _t59;
				void* _t60;
				signed int _t61;
				void* _t62;

				_t53 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0x4d7e88; // 0x9518852c
				_v8 = _t18 ^ _t61;
				_t45 = _a4;
				_t55 = GetFileSize( *_t45, 0);
				if(_t55 == 0xffffffff) {
					L14:
					L15:
					_pop(_t56);
					_pop(_t59);
					_pop(_t46);
					return E0045A457(_t46, _v8 ^ _t61, _t53, _t56, _t59);
				}
				if(_a8 != 0) {
					_t11 = _t55 + 3; // 0x3
					_t60 = HeapAlloc(GetProcessHeap(), 8, _t11);
					if(_t60 == 0) {
						goto L14;
					}
					_v12 = _v12 & 0x00000000;
					if(ReadFile( *_t45, _t60, _t55,  &_v12, 0) == 0) {
						_push(_t60);
						L13:
						HeapFree(GetProcessHeap(), 0, ??);
						goto L14;
					}
					_t30 = _t60;
					if( *_t60 == 0xfeff) {
						_t15 = _t60 + 2; // 0x2
						_t30 = _t15;
					}
					L7:
					E00432FB5(_t45, _a12, _t30);
					HeapFree(GetProcessHeap(), 0, _t60);
					goto L15;
				}
				_t4 = _t55 + 1; // 0x1
				_t60 = HeapAlloc(GetProcessHeap(), 8, _t4);
				if(_t60 == 0) {
					goto L14;
				}
				_v12 = _v12 & 0x00000000;
				_t39 = ReadFile( *_t45, _t60, _t55,  &_v12, 0);
				_push(_t60);
				if(_t39 == 0) {
					goto L13;
				} else {
					_t8 = E0045AF00() + 1; // 0x1
					_t57 = _t8;
					if(_t8 <= 0x3fffffff) {
						E0045E170(_t57 + _t57);
						_t30 = E0042C713(_t62, _t60, _t57, 3);
					} else {
						_t30 = 0;
					}
					goto L7;
				}
			}

0x00430226
0x00430229
0x0043022a
0x0043022b
0x00430232
0x00430236
0x00430245
0x0043024a
0x0043032c
0x0043032e
0x00430331
0x00430332
0x00430333
0x0043033f
0x0043033f
0x00430254
0x004302da
0x004302ed
0x004302f1
0x00000000
0x00000000
0x004302f3
0x00430309
0x0043031c
0x0043031d
0x00430326
0x00000000
0x00430326
0x00430310
0x00430315
0x00430317
0x00430317
0x00430317
0x004302bd
0x004302c1
0x004302d0
0x00000000
0x004302d6
0x0043025a
0x0043026d
0x00430271
0x00000000
0x00000000
0x00430277
0x00430285
0x0043028b
0x0043028e
0x00000000
0x00430294
0x00430299
0x00430299
0x004302a3
0x004302ac
0x004302b8
0x004302a5
0x004302a5
0x004302a5
0x00000000
0x004302a3

APIs

GetFileSize.KERNEL32(?,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 0043023F
GetProcessHeap.KERNEL32(00000008,00000001,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430260
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430267
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF), ref: 00430285
_strlen.LIBCMT ref: 00430294
GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302C9
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302D0
GetProcessHeap.KERNEL32(00000008,00000003,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302E0
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 004302E7
ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF), ref: 00430301
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 0043031F
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,004303A9,000000FF,?,?,000000FF,?), ref: 00430326

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Heap$Process$File$AllocFreeRead$Size_strlen
String ID:
API String ID: 3537955524-0
Opcode ID: 8525024322926dda2b8c73ce46ddf0f5c2a4bfa67a9af4508137702a1035c735
Instruction ID: d969d208ad07ff395abe69dae3ca2b342e6068e6d281f30907df666d4f1ca5ed
Opcode Fuzzy Hash: 8525024322926dda2b8c73ce46ddf0f5c2a4bfa67a9af4508137702a1035c735
Instruction Fuzzy Hash: 7B31D432600214BBDB109BA6DC4DFAB7FACEF4E711F000266FA15C7190DB749904CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420149, Relevance: 12.1, APIs: 8, Instructions: 97
libraryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E00420149(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HINSTANCE__* _t40;
				void* _t41;
				void* _t48;
				struct HINSTANCE__* _t52;
				signed int _t59;
				void* _t61;
				struct HINSTANCE__* _t64;
				WCHAR* _t66;
				struct HRSRC__* _t67;
				void* _t68;
				int _t69;
				void* _t70;

				_t61 = __edx;
				_push(0x424);
				E0045B935(0x4a379a, __ebx, __edi, __esi);
				_t66 =  *(_t70 + 8);
				 *(_t70 - 0x41c) =  *(_t70 + 0xc);
				 *(_t70 - 0x420) =  *(_t70 + 0x10);
				 *((intOrPtr*)(_t70 - 0x430)) = 0;
				 *((intOrPtr*)(_t70 - 4)) = 0;
				 *((intOrPtr*)(_t70 - 0x428)) = __ecx;
				 *((intOrPtr*)(_t70 - 0x42c)) = 0;
				 *(_t70 - 0x418) = 0;
				 *((char*)(_t70 - 4)) = 1;
				_t64 = LoadLibraryExW(_t66, 0, 0x60);
				 *(_t70 - 0x424) = _t64;
				if(_t64 != 0) {
					L3:
					_t67 = FindResourceW(_t64,  *(_t70 - 0x41c),  *(_t70 - 0x420));
					__eflags = _t67;
					if(_t67 != 0) {
						_t40 = LoadResource(_t64, _t67);
						 *(_t70 - 0x420) = _t40;
						__eflags = _t40;
						if(_t40 == 0) {
							goto L4;
						} else {
							_t69 = SizeofResource(_t64, _t67);
							 *(_t70 - 0x41c) = _t69;
							_t18 = _t69 + 1; // 0x1
							_t48 = _t18;
							__eflags = _t48 - _t69;
							if(_t48 >= _t69) {
								 *((char*)(_t70 - 4)) = 2;
								E00418471(0, _t70 - 0x418, _t61, _t64, _t48);
								__eflags =  *(_t70 - 0x418);
								 *((intOrPtr*)(_t70 - 4)) = 1;
								if( *(_t70 - 0x418) == 0) {
									goto L7;
								} else {
									_t59 = MultiByteToWideChar(3, 0,  *(_t70 - 0x420), _t69,  *(_t70 - 0x418), _t69);
									__eflags = _t59;
									if(_t59 == 0) {
										goto L4;
									} else {
										__eflags = 0;
										( *(_t70 - 0x418))[_t59] = 0;
										_t41 = E00420010(0, _t70 - 0x42c, 0, 0,  *(_t70 - 0x418),  *((intOrPtr*)(_t70 + 0x14)));
									}
									goto L12;
								}
							} else {
								L7:
								_t68 = 0x8007000e;
							}
						}
					} else {
						L4:
						_t41 = E0041886B();
						L12:
						_t68 = _t41;
					}
					__eflags = _t64;
					if(_t64 != 0) {
						FreeLibrary(_t64);
					}
				} else {
					_t52 = LoadLibraryExW(_t66, 0, 2);
					_t64 = _t52;
					 *(_t70 - 0x424) = _t52;
					if(_t64 != 0) {
						goto L3;
					} else {
						_t68 = E0041886B();
					}
				}
				if( *(_t70 - 0x418) != _t70 - 0x414) {
					E00419EEF(_t70 - 0x418);
				}
				return E0045B887(0, _t64, _t68);
			}

0x00420149
0x00420149
0x00420153
0x0042015b
0x0042015e
0x00420169
0x0042016f
0x00420175
0x00420178
0x0042017e
0x00420184
0x0042018e
0x00420198
0x0042019a
0x004201a2
0x004201c6
0x004201d9
0x004201db
0x004201dd
0x004201eb
0x004201f1
0x004201f7
0x004201f9
0x00000000
0x004201fb
0x00420203
0x00420205
0x0042020b
0x0042020b
0x0042020e
0x00420210
0x00420220
0x00420224
0x0042023f
0x00420246
0x0042024d
0x00000000
0x0042024f
0x00420266
0x00420268
0x0042026a
0x00000000
0x00420270
0x00420279
0x0042027b
0x0042028b
0x0042028b
0x00000000
0x0042026a
0x00420212
0x00420212
0x00420212
0x00420212
0x00420210
0x004201df
0x004201df
0x004201df
0x00420290
0x00420290
0x00420290
0x00420292
0x00420294
0x00420297
0x00420297
0x004201a4
0x004201a8
0x004201ae
0x004201b0
0x004201b8
0x00000000
0x004201ba
0x004201bf
0x004201bf
0x004201b8
0x004202a9
0x004202b1
0x004202b1
0x004202bd

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00420153
LoadLibraryExW.KERNEL32(?,00000000,00000060,00000424,00420A3B,?,00000000,?,00000000,00000004,00422F16,004AFD3C,?,?,REGISTRY,004AFD3C), ref: 00420192
LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 004201A8
FindResourceW.KERNEL32(00000000,?,?), ref: 004201D3
LoadResource.KERNEL32(00000000,00000000), ref: 004201EB
SizeofResource.KERNEL32(00000000,00000000), ref: 004201FD

Part of subcall function 0041886B: GetLastError.KERNEL32(00422C2D), ref: 0041886B

FreeLibrary.KERNEL32(00000000), ref: 00420297

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
String ID:
API String ID: 1818814483-0
Opcode ID: 5c40c895b842d40c583e07fe4555a5f175d465904de97858630341c00a426d0b
Instruction ID: dcd30aa2ccdba2c5da9b84cebe88835904bb6204f87880d06d77132595859cd1
Opcode Fuzzy Hash: 5c40c895b842d40c583e07fe4555a5f175d465904de97858630341c00a426d0b
Instruction Fuzzy Hash: B64151B1A0022D9BCB219F559C44BDE7AF5AF09354F9040EEF508A3252DB358E81CF6D

Uniqueness

Uniqueness Score: -1.00%

Function 00447C87, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50
shutdownCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00447C87(void* __ebx, void* __edx, void* __edi, void* __eflags) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				struct _TOKEN_PRIVILEGES _v24;
				void* _v28;
				struct _LUID _v36;
				void* __esi;
				signed int _t13;
				void* _t28;
				void* _t32;
				void* _t33;
				void* _t34;
				signed int _t36;

				_t33 = __edi;
				_t32 = __edx;
				_t28 = __ebx;
				_t13 =  *0x4d7e88; // 0x9518852c
				_v8 = _t13 ^ _t36;
				if(E00445E51(__eflags) != 0 && OpenProcessToken(GetCurrentProcess(), 0x28,  &_v28) != 0) {
					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &_v36);
					_v24.Privileges = _v36.LowPart;
					_v16 = _v36.HighPart;
					_v24.PrivilegeCount = 1;
					_v12 = 2;
					AdjustTokenPrivileges(_v28, 0,  &_v24, 0, 0, 0);
					_t34 = _t34;
				}
				ExitWindowsEx(2, 0xffff);
				asm("sbb eax, eax");
				return E0045A457(_t28, _v8 ^ _t36, _t32, _t33, _t34);
			}

0x00447c87
0x00447c87
0x00447c87
0x00447c8d
0x00447c94
0x00447c9e
0x00447cc4
0x00447cce
0x00447cd6
0x00447ce1
0x00447ce8
0x00447cef
0x00447cf5
0x00447cf5
0x00447cfd
0x00447d08
0x00447d13

APIs

GetCurrentProcess.KERNEL32 ref: 00447CA0
OpenProcessToken.ADVAPI32(00000000,00000028,?), ref: 00447CAD
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00447CC4
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00447CEF
ExitWindowsEx.USER32(00000002,0000FFFF), ref: 00447CFD

Strings

SeShutdownPrivilege, xrefs: 00447CBC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ProcessToken$AdjustCurrentExitLookupOpenPrivilegePrivilegesValueWindows
String ID: SeShutdownPrivilege
API String ID: 1314775590-3733053543
Opcode ID: cae947374c0860c7edd667b7751e3f78878a15f2567542bbc16948047883a3d6
Instruction ID: 2539294db1c5de14d8f2708d0915bb8bd6db43c244828c1143cea3debbdc729d
Opcode Fuzzy Hash: cae947374c0860c7edd667b7751e3f78878a15f2567542bbc16948047883a3d6
Instruction Fuzzy Hash: 48011E71901229ABEB10DFE5DC49EEFBFB8EF09714F004029E915E2281D7B89945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041F883, Relevance: 7.6, APIs: 5, Instructions: 92
stringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0041F883(WCHAR* _a4, union _ULARGE_INTEGER* _a8, union _ULARGE_INTEGER* _a12, union _ULARGE_INTEGER* _a16, signed int* _a20) {
				signed int _v8;
				char _v526;
				short _v528;
				short _v1042;
				short _v1044;
				short _v1046;
				signed int _v1048;
				long _v1052;
				union _ULARGE_INTEGER* _v1056;
				long _v1060;
				union _ULARGE_INTEGER* _v1064;
				union _ULARGE_INTEGER* _v1068;
				long _v1072;
				long _v1076;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t36;
				signed int _t44;
				int _t55;
				signed int* _t62;
				short _t63;
				void* _t71;
				void* _t72;
				WCHAR* _t74;
				int _t75;
				signed int _t76;

				_t36 =  *0x4d7e88; // 0x9518852c
				_v8 = _t36 ^ _t76;
				_v1064 = _a8;
				_t62 = _a20;
				_t74 = _a4;
				_v1068 = _a12;
				_v1056 = _a16;
				_v528 = 0;
				_t72 = 0;
				E0045A4D0( &_v526, 0, 0x206);
				_t44 =  *_t74 & 0x0000ffff;
				_t63 = 0x5c;
				if(_t44 != _t63 || _t74[1] != _t63) {
					_v1048 = _t44;
					_v1046 = _t74[1];
					_v1044 = _t63;
					_v1042 = 0;
				} else {
					lstrcpyW( &_v528, _t74);
					lstrcatW( &_v528, "\\");
				}
				_t48 =  ==  ?  &_v1048 :  &_v528;
				_t75 = GetDiskFreeSpaceExW( ==  ?  &_v1048 :  &_v528, _v1064, _v1068, _v1056);
				_t66 =  ==  ?  &_v1048 :  &_v528;
				_t55 = GetDiskFreeSpaceW( ==  ?  &_v1048 :  &_v528,  &_v1060,  &_v1052,  &_v1076,  &_v1072);
				if(_t55 != 0) {
					 *_t62 = _v1060 * _v1052;
				}
				if(_t75 != 0 && _t55 != 0) {
					_t72 = 1;
				}
				return E0045A457(_t62, _v8 ^ _t76, _t71, _t72, _t75);
			}

0x0041f88c
0x0041f893
0x0041f899
0x0041f8a3
0x0041f8a7
0x0041f8aa
0x0041f8b4
0x0041f8c1
0x0041f8c8
0x0041f8d2
0x0041f8d7
0x0041f8df
0x0041f8e3
0x0041f90d
0x0041f918
0x0041f921
0x0041f928
0x0041f8eb
0x0041f8f3
0x0041f905
0x0041f905
0x0041f954
0x0041f965
0x0041f98f
0x0041f993
0x0041f99b
0x0041f9aa
0x0041f9aa
0x0041f9ae
0x0041f9b6
0x0041f9b6
0x0041f9c7

APIs

_memset.LIBCMT ref: 0041F8D2
lstrcpyW.KERNEL32(?,?), ref: 0041F8F3
lstrcatW.KERNEL32(?,004AE888), ref: 0041F905
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0041F958
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041F993

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: DiskFreeSpace$_memsetlstrcatlstrcpy
String ID:
API String ID: 261897053-0
Opcode ID: 8670e210f1eb612daf3d2ecbc7a5aff9b6b776ee31e69f4f1e93af5896754901
Instruction ID: 873bf96a49d19b41ee034ed5d301f20db3e8f34d1a7460c1cb3171d2c04efd02
Opcode Fuzzy Hash: 8670e210f1eb612daf3d2ecbc7a5aff9b6b776ee31e69f4f1e93af5896754901
Instruction Fuzzy Hash: E23130B6A1022C9ACF20DF65CC44ADAB7B8EF48300F4085EAA619E3141E6749EC5CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C966, Relevance: 6.1, APIs: 4, Instructions: 57
fileCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0042C966(void* __ebx, void* __ecx, void* __edx) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v600;
				signed int _v604;
				void* __edi;
				void* __esi;
				signed int _t15;
				WCHAR* _t18;
				WCHAR* _t22;
				void* _t27;
				void* _t34;
				void* _t35;
				signed int _t36;
				WCHAR* _t37;
				void* _t38;
				WCHAR* _t39;
				signed int _t40;

				_t34 = __edx;
				_t27 = __ebx;
				_t15 =  *0x4d7e88; // 0x9518852c
				_v8 = _t15 ^ _t40;
				if( *((intOrPtr*)(__ecx + 0x14)) != 0) {
					_v604 = _v604 | 0xffffffff;
					_push(_t38);
					_t39 = __ecx + 4;
					_push(_t35);
					if(_t39[0xa] < 8) {
						_t18 = _t39;
					} else {
						_t18 =  *_t39;
					}
					_t36 = FindFirstFileW(_t18,  &_v600);
					if(_t36 != 0xffffffff) {
						E0042382A( &_v604);
						_v604 = _t36;
						if(_t39[0xa] < 8) {
							_t22 = _t39;
						} else {
							_t22 =  *_t39;
						}
						if(_t39[0xa] < 8) {
							_t37 = _t39;
						} else {
							_t37 =  *_t39;
						}
						SetFileAttributesW(_t37, GetFileAttributesW(_t22) & 0xfffffffe);
						if(_t39[0xa] >= 8) {
							_t39 =  *_t39;
						}
						DeleteFileW(_t39);
					}
					E0042382A( &_v604);
					_pop(_t35);
					_pop(_t38);
				}
				return E0045A457(_t27, _v8 ^ _t40, _t34, _t35, _t38);
			}

0x0042c966
0x0042c966
0x0042c96f
0x0042c976
0x0042c97d
0x0042c983
0x0042c98a
0x0042c98b
0x0042c98e
0x0042c993
0x0042c999
0x0042c995
0x0042c995
0x0042c995
0x0042c9a9
0x0042c9ae
0x0042c9b6
0x0042c9bf
0x0042c9c5
0x0042c9cb
0x0042c9c7
0x0042c9c7
0x0042c9c7
0x0042c9d1
0x0042c9d7
0x0042c9d3
0x0042c9d3
0x0042c9d3
0x0042c9e5
0x0042c9ef
0x0042c9f1
0x0042c9f1
0x0042c9f4
0x0042c9f4
0x0042ca00
0x0042ca05
0x0042ca06
0x0042ca06
0x0042ca12

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0042C9A3
GetFileAttributesW.KERNEL32(?), ref: 0042C9DA
SetFileAttributesW.KERNEL32(?,00000000), ref: 0042C9E5
DeleteFileW.KERNEL32(?), ref: 0042C9F4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: File$Attributes$DeleteFindFirst
String ID:
API String ID: 2297122337-0
Opcode ID: 8bb42c000784f76d68038a9efd1e5df228410e67c8050de428b4ce5ea6037d64
Instruction ID: b0eac9454e78ba0cc43f222def109c854297570c411374b70cd897779411f04e
Opcode Fuzzy Hash: 8bb42c000784f76d68038a9efd1e5df228410e67c8050de428b4ce5ea6037d64
Instruction Fuzzy Hash: 40110671600664DBC720EF18EC8C55DB7B4EF46316B50066EE052A71A0CB789ECACB5C

Uniqueness

Uniqueness Score: -1.00%

Function 004125AD, Relevance: 4.6, APIs: 3, Instructions: 52COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004125E1
TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004125FC
IsValidLocale.KERNEL32(?,00000001), ref: 0041262A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: InfoLocale$CharsetTranslateValid
String ID:
API String ID: 1865635962-0
Opcode ID: fdad4521af90eed553c557b12d549d6fd565ed28d828521a4f028f7a35e841a9
Instruction ID: 734faa13da326b0d3bf3c840113cfb97524dd83f0da8d1589cdf40ad58ad38cc
Opcode Fuzzy Hash: fdad4521af90eed553c557b12d549d6fd565ed28d828521a4f028f7a35e841a9
Instruction Fuzzy Hash: CE11A534A00104AADB14DF65D945AFA77B8AF18700B10442AFA01E72D1EBB5EC91C76C

Uniqueness

Uniqueness Score: -1.00%

Function 004638EA, Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00000000,0046506C,-00000328,?,?,00000000), ref: 004638EF
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 004638F8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b3c0995ca9dcfc7afc3a07d0810cdba9dc8b7ef18029e92b741bebfdc5385ad4
Instruction ID: a806ce8369760a9c6af41a4dce02634ed36d858a0decaec111c82d450c93e079
Opcode Fuzzy Hash: b3c0995ca9dcfc7afc3a07d0810cdba9dc8b7ef18029e92b741bebfdc5385ad4
Instruction Fuzzy Hash: 58B09231044208BBDF002BD2EC29B583F28EB06652F000024FB1D468608B6254208B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECB8, Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

\D, xrefs: 0044EDCC, 0044F05B, 0044F111, 0044F1FE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID:
String ID: \D
API String ID: 0-1527081192
Opcode ID: 30adf0d1228f2950ae5ffa1d256c1ca02b0ba35888cf4765d916033da292e78b
Instruction ID: f6d0890ebfba3c15744015abe6898818d66b420a7ee8ff72e3914e6c1dc2cf08
Opcode Fuzzy Hash: 30adf0d1228f2950ae5ffa1d256c1ca02b0ba35888cf4765d916033da292e78b
Instruction Fuzzy Hash: DE1277B7F9161447DB0CCA99CCA27EDB2E3AFD4214B0E913DA80AE3745EE7DD8054684

Uniqueness

Uniqueness Score: -1.00%

Function 00430174, Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004301A1

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 2832456f11c060cd0b794991ee57ccbb05c39478b69244dc5654ccd42b1bfb3b
Instruction ID: 7319d55478f440adb9be3f0c93e2518c3f23ad37675a81d97adda49a0b8018e7
Opcode Fuzzy Hash: 2832456f11c060cd0b794991ee57ccbb05c39478b69244dc5654ccd42b1bfb3b
Instruction Fuzzy Hash: 11F08C30A2125C9FCB54FF79D84A7DA7BE46B0A704F4040BEA409D3291DB799E88CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00402200, Relevance: 96.7, APIs: 44, Strings: 11, Instructions: 404
timeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00402200(char __ecx, void* __edx, void* __eflags, intOrPtr _a4) {
				int _v8;
				char _v16;
				signed int _v24;
				char _v28;
				char _v36;
				char _v40;
				char _v48;
				char _v52;
				signed int _v60;
				char _v64;
				int _v68;
				int _v72;
				short _v88;
				intOrPtr _v92;
				int _v100;
				int _v104;
				short _v120;
				intOrPtr _v124;
				char _v140;
				intOrPtr _v144;
				char _v148;
				intOrPtr _v152;
				int _v160;
				int _v164;
				intOrPtr _v168;
				char _v176;
				short _v180;
				char _v184;
				intOrPtr _v188;
				char _v196;
				int _v204;
				int _v208;
				short _v224;
				char _v228;
				intOrPtr _v232;
				intOrPtr _v240;
				int _v248;
				int _v252;
				short _v268;
				intOrPtr _v272;
				char _v296;
				intOrPtr _v300;
				char _v308;
				int _v316;
				int _v320;
				char _v328;
				short _v336;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				int _v356;
				int _v360;
				int _v364;
				char _v368;
				char _v372;
				char _v376;
				short _v380;
				int _v384;
				int _v388;
				char _v400;
				short _v404;
				char _v408;
				intOrPtr _v412;
				long _v420;
				int _v424;
				short _v428;
				short _v432;
				short _v436;
				int _v440;
				int _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				short _v460;
				int _v464;
				int _v468;
				char _v472;
				char _v476;
				short _v484;
				intOrPtr _v488;
				char _v489;
				intOrPtr _v492;
				char _v505;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t221;
				signed int _t223;
				long _t226;
				intOrPtr* _t231;
				intOrPtr* _t240;
				void* _t245;
				void* _t246;
				void* _t248;
				void* _t249;
				void* _t250;
				void* _t346;
				void* _t347;
				void* _t348;
				void* _t377;
				void* _t378;
				intOrPtr* _t379;
				void* _t380;
				void* _t381;
				void* _t402;
				signed int _t403;
				signed int _t405;
				void* _t406;
				void* _t407;
				void* _t408;
				void* _t409;
				void* _t410;
				void* _t411;
				void* _t412;
				void* _t413;
				void* _t414;
				signed int _t415;

				_t375 = __edx;
				_t405 = (_t403 & 0xfffffff8) - 0x1d0;
				_t221 =  *0x4d7e88; // 0x9518852c
				_v24 = _t221 ^ _t405;
				_t223 =  *0x4d7e88; // 0x9518852c
				 *[fs:0x0] =  &_v16;
				_t378 = __edx;
				_v472 = __ecx;
				_v408 = 0x4c2f50;
				_v368 = 0x4c3454;
				_t226 = GetLastError();
				_t347 = SetLastError;
				_v364 = _t226;
				_v404 = 0;
				_v380 = 0;
				_v376 = 0;
				_v372 = 0;
				_t11 =  &_v368; // 0x4c3454
				_v384 = 7;
				_v388 = 0;
				_t16 =  *((intOrPtr*)( *_t11 + 4)) + 0x80; // 0x4c3454
				SetLastError( *(_t405 + _t16));
				_v8 = 0;
				_t231 = E00403020( &_v408,  &_v468, 0x80);
				_v16 = 1;
				 *((char*)(_t231 + 4)) = 1;
				GetDateFormatW(0x800, 0, 0, L"M-d-yyyy",  *(E004040F0(_t231,  *_t231)), 0x80);
				_v16 = 0;
				E00403CF0( &_v476);
				_v464 = 0x4c2f50;
				_v424 = 0x4c3454;
				_v420 = GetLastError();
				_v460 = 0;
				_v436 = 0;
				_v432 = 0;
				_v428 = 0;
				_t31 =  &_v424; // 0x4c3454
				_v440 = 7;
				_v444 = 0;
				_t36 =  *((intOrPtr*)( *_t31 + 4)) + 0x50; // 0x4c3454
				SetLastError( *(_t405 + _t36));
				_v16 = 2;
				_t240 = E00403020( &_v464,  &_v476, 0x80);
				_v24 = 3;
				 *((char*)(_t240 + 4)) = 1;
				GetTimeFormatW(0x800, 0, 0, L"hh\':\'mm\':\'ss tt",  *(E004040F0(_t240,  *_t240)), 0x80);
				_v24 = 2;
				E00403CF0( &_v484);
				_t245 = E00402CE0(_t378,  &_v489, 1);
				_v36 = 4;
				_t246 = E00403080(_t245,  &_v196);
				_v40 = 5;
				_t248 = E00402CE0(_t378,  &_v505, 1);
				_v52 = 6;
				_t249 = E004034E0(_t248,  &_v308, 0, 0);
				_v64 = 7;
				_t250 = E00403080(_t249,  &_v176);
				_v68 = 8;
				E00402DE0(_t250,  &_v372, _t246);
				 *((intOrPtr*)( &_v148 +  *((intOrPtr*)(_v148 + 4)))) = GetLastError();
				L0045A7D5(_v160);
				_t379 = __imp__#6;
				_t406 = _t405 + 4;
				 *_t379(_v152, _t223 ^ _t405, _t377, _t381, _t346,  *[fs:0x0], 0x4ac5d3, 0xffffffff);
				if(_v168 >= 8) {
					 *_t379(_v120);
				}
				_v120 = 0;
				_v100 = 7;
				_v104 = 0;
				SetLastError( *(_t406 +  *((intOrPtr*)(_v124 + 4)) + 0x178));
				 *((intOrPtr*)( &_v228 +  *((intOrPtr*)(_v228 + 4)))) = GetLastError();
				L0045A7D5(_v240);
				_t407 = _t406 + 4;
				 *_t379(_v232);
				if(_v248 >= 8) {
					 *_t379(_v268);
				}
				_v268 = 0;
				_v248 = 7;
				_v252 = 0;
				SetLastError( *(_t407 +  *((intOrPtr*)(_v272 + 4)) + 0xe8));
				 *((intOrPtr*)( &_v184 +  *((intOrPtr*)(_v184 + 4)))) = GetLastError();
				L0045A7D5(_v196);
				_t408 = _t407 + 4;
				 *_t379(_v188);
				if(_v204 >= 8) {
					 *_t379(_v224);
				}
				_v224 = 0;
				_v204 = 7;
				_v208 = 0;
				SetLastError( *(_t408 +  *((intOrPtr*)(_v228 + 4)) + 0x118));
				 *((intOrPtr*)( &_v140 +  *((intOrPtr*)(_v140 + 4)))) = GetLastError();
				L0045A7D5(_v152);
				_t409 = _t408 + 4;
				 *_t379(_v144);
				if(_v160 >= 8) {
					 *_t379(_v180);
				}
				_v180 = 0;
				_v160 = 7;
				_v164 = 0;
				SetLastError( *(_t409 +  *((intOrPtr*)(_v184 + 4)) + 0x148));
				 *((intOrPtr*)( &_v48 +  *((intOrPtr*)(_v48 + 4)))) = GetLastError();
				L0045A7D5(_v60);
				_t410 = _t409 + 4;
				 *_t379(_v52);
				if(_v68 >= 8) {
					 *_t379(_v88);
				}
				_v88 = 0;
				_v68 = 7;
				_v72 = 0;
				SetLastError( *(_t410 +  *((intOrPtr*)(_v92 + 4)) + 0x1a8));
				_v380 = 0x4c2f50;
				_v340 = 0x4c3454;
				_v336 = GetLastError();
				_v376 = 0;
				_v352 = 0;
				_v348 = 0;
				_v344 = 0;
				_t134 =  &_v340; // 0x4c3454
				_v356 = 7;
				_v360 = 0;
				_t139 =  *((intOrPtr*)( *_t134 + 4)) + 0xb0; // 0x4c3454
				SetLastError( *(_t410 + _t139));
				_v28 = 0xf;
				if( *0x4d9419 == 0) {
					__eflags = _v452 - 8;
					_push(_v492);
					_t367 =  >=  ? _v472 :  &_v472;
					__eflags = _v404 - 8;
					_push( >=  ? _v472 :  &_v472);
					_t297 =  >=  ? _v424 :  &_v424;
					E00403B50( &_v380, L"%s[%s]: %s\r\n",  >=  ? _v424 :  &_v424);
					_t411 = _t410 + 0x14;
				} else {
					_push(_a4);
					_t375 =  >=  ? _v328 :  &_v328;
					_push( >=  ? _v328 :  &_v328);
					_t374 =  >=  ? _v472 :  &_v472;
					_push(_v492);
					_push( >=  ? _v472 :  &_v472);
					_t338 =  >=  ? _v424 :  &_v424;
					_t152 =  &_v380; // 0x4c2f50
					E00403B50(_t152, L"%s[%s]: %s  --  File: %s, Line: %d\r\n",  >=  ? _v424 :  &_v424);
					_t411 = _t410 + 0x1c;
				}
				_t369 =  >=  ? _v376 :  &_v376;
				E00402000(_t347,  >=  ? _v376 :  &_v376, _t375, _v356 - 8);
				 *((intOrPtr*)( &_v340 +  *((intOrPtr*)(_v340 + 4)))) = GetLastError();
				L0045A7D5(_v352);
				_t412 = _t411 + 4;
				 *_t379(_v344);
				if(_v360 >= 8) {
					 *_t379(_v380);
				}
				_v380 = 0;
				_v360 = 7;
				_v364 = 0;
				SetLastError( *(_t412 +  *((intOrPtr*)(_v384 + 4)) + 0x88));
				 *((intOrPtr*)( &_v296 +  *((intOrPtr*)(_v296 + 4)))) = GetLastError();
				L0045A7D5(_v308);
				_t413 = _t412 + 4;
				 *_t379(_v300);
				if(_v316 >= 8) {
					 *_t379(_v336);
				}
				_v336 = 0;
				_v316 = 7;
				_v320 = 0;
				SetLastError( *(_t413 +  *((intOrPtr*)(_v340 + 4)) + 0xb8));
				 *((intOrPtr*)( &_v444 +  *((intOrPtr*)(_v444 + 4)))) = GetLastError();
				L0045A7D5(_v456);
				_t414 = _t413 + 4;
				 *_t379(_v448);
				if(_v464 >= 8) {
					 *_t379(_v484);
				}
				_v484 = 0;
				_v464 = 7;
				_v468 = 0;
				SetLastError( *(_t414 +  *((intOrPtr*)(_v488 + 4)) + 0x28));
				 *((intOrPtr*)( &_v400 +  *((intOrPtr*)(_v400 + 4)))) = GetLastError();
				L0045A7D5(_v412);
				_t415 = _t414 + 4;
				 *_t379(_v404);
				if(_v420 >= 8) {
					 *_t379(_v440);
				}
				_v440 = 0;
				_v420 = 7;
				_v424 = 0;
				SetLastError( *(_t415 +  *((intOrPtr*)(_v444 + 4)) + 0x58));
				 *[fs:0x0] = _v52;
				_pop(_t380);
				_pop(_t402);
				_pop(_t348);
				return E0045A457(_t348, _v60 ^ _t415, _t375, _t380, _t402);
			}

0x00402200
0x00402214
0x0040221a
0x00402221
0x0040222b
0x0040223a
0x00402240
0x00402242
0x0040224c
0x00402254
0x0040225f
0x00402261
0x00402267
0x00402270
0x00402275
0x00402279
0x0040227d
0x00402281
0x00402288
0x00402290
0x0040229b
0x004022a2
0x004022b2
0x004022bd
0x004022c2
0x004022cc
0x004022ea
0x004022f4
0x004022fc
0x00402301
0x00402309
0x00402313
0x00402319
0x0040231e
0x00402322
0x00402326
0x0040232a
0x0040232e
0x00402336
0x00402341
0x00402345
0x00402355
0x0040235d
0x00402362
0x0040236c
0x0040238a
0x00402394
0x0040239c
0x004023b0
0x004023bf
0x004023c7
0x004023dd
0x004023e5
0x004023f8
0x00402400
0x0040240f
0x00402417
0x00402427
0x0040242f
0x0040244d
0x00402456
0x0040245b
0x00402461
0x0040246b
0x00402475
0x0040247e
0x0040247e
0x00402482
0x00402491
0x0040249c
0x004024b1
0x004024cc
0x004024d5
0x004024da
0x004024e4
0x004024ee
0x004024f7
0x004024f7
0x004024fb
0x0040250a
0x00402515
0x0040252a
0x00402545
0x0040254e
0x00402553
0x0040255d
0x00402567
0x00402570
0x00402570
0x00402574
0x00402583
0x0040258e
0x004025a3
0x004025be
0x004025c7
0x004025cc
0x004025d6
0x004025e0
0x004025e9
0x004025e9
0x004025ed
0x004025fc
0x00402607
0x0040261c
0x00402637
0x00402640
0x00402645
0x0040264f
0x00402659
0x00402662
0x00402662
0x00402666
0x00402675
0x00402680
0x00402695
0x00402697
0x004026a2
0x004026b3
0x004026bc
0x004026c4
0x004026cb
0x004026d2
0x004026d9
0x004026e0
0x004026eb
0x004026f9
0x00402700
0x00402702
0x00402719
0x00402767
0x0040276c
0x00402770
0x00402775
0x0040277a
0x0040277b
0x0040278e
0x00402793
0x0040271b
0x00402723
0x0040272d
0x0040273a
0x0040273b
0x00402740
0x00402749
0x0040274a
0x00402750
0x0040275d
0x00402762
0x00402762
0x004027a5
0x004027ad
0x004027cb
0x004027d4
0x004027d9
0x004027e3
0x004027ed
0x004027f6
0x004027f6
0x004027fa
0x00402809
0x00402814
0x00402829
0x00402844
0x0040284d
0x00402852
0x0040285c
0x00402866
0x0040286f
0x0040286f
0x00402873
0x00402882
0x0040288d
0x004028a2
0x004028b7
0x004028bd
0x004028c2
0x004028c9
0x004028d0
0x004028d6
0x004028d6
0x004028da
0x004028e3
0x004028eb
0x004028fa
0x00402915
0x0040291b
0x00402920
0x00402927
0x0040292e
0x00402934
0x00402934
0x00402938
0x00402941
0x00402949
0x00402958
0x00402961
0x00402969
0x0040296a
0x0040296b
0x0040297d

APIs

GetLastError.KERNEL32 ref: 0040225F
SetLastError.KERNEL32(T4L), ref: 004022A2

Part of subcall function 004040F0: SysStringLen.OLEAUT32(?), ref: 004040FE
Part of subcall function 004040F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00404118

GetDateFormatW.KERNEL32(00000800,00000000,00000000,M-d-yyyy,00000000,00000080,?,00000080), ref: 004022EA

Part of subcall function 00403CF0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
Part of subcall function 00403CF0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DE3
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DF0
Part of subcall function 00403CF0: SetLastError.KERNEL32(?), ref: 00403E14
Part of subcall function 00403CF0: SetLastError.KERNEL32(?,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A

GetLastError.KERNEL32 ref: 00402311
SetLastError.KERNEL32(T4L), ref: 00402345

Part of subcall function 004040F0: _wmemcpy_s.LIBCMT ref: 00404145

GetTimeFormatW.KERNEL32(00000800,00000000,00000000,hh':'mm':'ss tt,00000000,00000080,?,00000080), ref: 0040238A

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Part of subcall function 00403080: GetLastError.KERNEL32 ref: 004030E5
Part of subcall function 00403080: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040314E
Part of subcall function 00403080: GetLastError.KERNEL32(?), ref: 004031A4
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031BE
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031CB
Part of subcall function 00403080: SetLastError.KERNEL32(?), ref: 004031EF

Part of subcall function 004034E0: GetLastError.KERNEL32 ref: 0040354B
Part of subcall function 004034E0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 004035B4
Part of subcall function 004034E0: SysFreeString.OLEAUT32(?), ref: 004036A6

Part of subcall function 00403080: GetLastError.KERNEL32(00000000,?,00000000,?), ref: 00403290
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004032A8
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004032B5
Part of subcall function 00403080: SetLastError.KERNEL32(?), ref: 004032D9
Part of subcall function 00403080: GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 00403334
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 0040334C
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 00403359

Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402E45
Part of subcall function 00402DE0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00402EA5
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402ECE
Part of subcall function 00402DE0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402F2E
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402F4E

GetLastError.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000001,?,?,?,00000001), ref: 00402447
SysFreeString.OLEAUT32(?), ref: 0040246B
SysFreeString.OLEAUT32(?), ref: 0040247E
SetLastError.KERNEL32(?), ref: 004024B1
GetLastError.KERNEL32 ref: 004024C6
SysFreeString.OLEAUT32(?), ref: 004024E4
SysFreeString.OLEAUT32(?), ref: 004024F7
SetLastError.KERNEL32(?), ref: 0040252A
GetLastError.KERNEL32 ref: 0040253F
SysFreeString.OLEAUT32(?), ref: 0040255D
SysFreeString.OLEAUT32(?), ref: 00402570
SetLastError.KERNEL32(?), ref: 004025A3
GetLastError.KERNEL32 ref: 004025B8
SysFreeString.OLEAUT32(?), ref: 004025D6
SysFreeString.OLEAUT32(?), ref: 004025E9
SetLastError.KERNEL32(?), ref: 0040261C
GetLastError.KERNEL32 ref: 00402631
SysFreeString.OLEAUT32(?), ref: 0040264F
SysFreeString.OLEAUT32(?), ref: 00402662
SetLastError.KERNEL32(?), ref: 00402695
GetLastError.KERNEL32 ref: 004026AD
SetLastError.KERNEL32(T4L), ref: 00402700
GetLastError.KERNEL32 ref: 004027C5
SysFreeString.OLEAUT32(?), ref: 004027E3
SysFreeString.OLEAUT32(?), ref: 004027F6
SetLastError.KERNEL32(?), ref: 00402829
GetLastError.KERNEL32 ref: 0040283E
SysFreeString.OLEAUT32(?), ref: 0040285C
SysFreeString.OLEAUT32(?), ref: 0040286F
SetLastError.KERNEL32(?), ref: 004028A2
GetLastError.KERNEL32 ref: 004028B1
SysFreeString.OLEAUT32(?), ref: 004028C9
SysFreeString.OLEAUT32(?), ref: 004028D6
SetLastError.KERNEL32(?), ref: 004028FA
GetLastError.KERNEL32 ref: 0040290F
SysFreeString.OLEAUT32(?), ref: 00402927
SysFreeString.OLEAUT32(?), ref: 00402934

Part of subcall function 00403B50: __vwprintf_p.LIBCMT ref: 00403B7F
Part of subcall function 00403B50: vswprintf.LIBCMT ref: 00403BB1

SetLastError.KERNEL32(?), ref: 00402958

Strings

P/L, xrefs: 00402697
T4L, xrefs: 004026D9
P/L, xrefs: 00402301
T4L, xrefs: 00402281
%s[%s]: %s, xrefs: 00402788
%s[%s]: %s -- File: %s, Line: %d, xrefs: 00402757
P/L, xrefs: 00402750, 0040275C
hh':'mm':'ss tt, xrefs: 0040237C
M-d-yyyy, xrefs: 004022DC
T4L, xrefs: 0040232A
P/L, xrefs: 0040224C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$Format$AllocDateTime__vwprintf_p_wmemcpy_svswprintf
String ID: %s[%s]: %s$%s[%s]: %s -- File: %s, Line: %d$M-d-yyyy$P/L$P/L$P/L$P/L$T4L$T4L$T4L$hh':'mm':'ss tt
API String ID: 1002200784-2789026671
Opcode ID: f69a7b9fae25941d03fa104c4305318c631f64017a0491884069ae751dd80c88
Instruction ID: 688b1669901aab8b91c164d4b3d8465613a847ef94fe040e21fb9ed64ef3d503
Opcode Fuzzy Hash: f69a7b9fae25941d03fa104c4305318c631f64017a0491884069ae751dd80c88
Instruction Fuzzy Hash: 1B12F671508380DFD721DF69C849B9ABBE4BF89308F00892DE98C932A1DB75A814CF57

Uniqueness

Uniqueness Score: -1.00%

Function 00492320, Relevance: 74.0, APIs: 34, Strings: 8, Instructions: 494
stringCOMMON

Download Yara Rule

C-Code - Quality: 63%

			E00492320(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				int _v8;
				char _v16;
				signed int _v20;
				char _v119;
				char _v120;
				char _v219;
				char _v220;
				char _v1219;
				char _v1220;
				long _v1224;
				char _v1228;
				int _v1232;
				int _v1236;
				CHAR* _v1240;
				intOrPtr _v1244;
				signed int _v1248;
				short _v1264;
				char _v1268;
				char _v1269;
				intOrPtr _v1276;
				int _v1280;
				char _v1281;
				long* _v1288;
				char _v1289;
				char _v1296;
				intOrPtr _v1304;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t207;
				signed int _t208;
				CHAR* _t214;
				CHAR* _t230;
				signed int _t235;
				char _t237;
				CHAR* _t240;
				char _t252;
				long _t254;
				signed int _t267;
				char _t269;
				CHAR* _t272;
				char _t284;
				long* _t286;
				int* _t287;
				signed int _t298;
				char _t300;
				CHAR* _t303;
				intOrPtr _t315;
				int* _t317;
				long** _t323;
				intOrPtr* _t325;
				long* _t331;
				void* _t332;
				CHAR* _t333;
				intOrPtr* _t334;
				long* _t335;
				CHAR* _t336;
				intOrPtr* _t337;
				void* _t338;
				CHAR* _t339;
				intOrPtr* _t340;
				intOrPtr* _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr* _t364;
				signed int _t365;
				signed int _t366;
				int* _t373;
				int* _t381;
				intOrPtr _t385;
				void* _t386;
				void* _t389;
				intOrPtr* _t390;
				unsigned int _t393;
				signed int _t396;
				int _t397;
				void* _t398;
				unsigned int _t399;
				signed int _t402;
				void* _t405;
				unsigned int _t406;
				signed int _t409;
				intOrPtr _t412;
				unsigned int _t413;
				signed int _t416;
				signed int _t421;
				void* _t422;
				void* _t423;
				void* _t424;
				void* _t426;
				void* _t427;
				void* _t428;
				void* _t429;
				void* _t430;
				void* _t431;
				long* _t437;

				_t386 = __edx;
				_push(0xffffffff);
				_push(0x4ab9ed);
				_push( *[fs:0x0]);
				_t423 = _t422 - 0x508;
				_t207 =  *0x4d7e88; // 0x9518852c
				_t208 = _t207 ^ _t421;
				_v20 = _t208;
				_push(_t208);
				 *[fs:0x0] =  &_v16;
				_v1276 = __ecx;
				_t331 =  !=  ? _a4 : 0x4c2d7c;
				_v1304 = _a8;
				_v1268 = 0x4c2f50;
				_v1228 = 0x4c3454;
				E00403FB0(0x4c2d7c,  &_v1269, 0);
				_v8 = 0;
				_v1280 = E00490850(__ecx + 8, _t386);
				_t214 = _v1240;
				_t393 = 2 + _v1248 * 2;
				_t346 = _v1236;
				if(_t393 >= _v1236 || _t214 == 0) {
					L0045A7D5(_t214);
					_t396 = (_t393 >> 6) + 1 << 6;
					_push(_t396);
					_v1236 = _t396;
					_t214 = E00459ADF(_t331, _t386, 0x4c2d7c, _t396);
					_t346 = _v1236;
					_t423 = _t423 + 8;
					_v1240 = _t214;
				}
				E0048DE60( &_v1268, _t214, _t346, 3);
				_v1280 = GetPrivateProfileIntA(_v1240, "RECTS", 0, _v1280);
				_v8 = 0xffffffff;
				E00401AC0( &_v1268);
				_v220 = 0;
				E0045A4D0( &_v219, 0, 0x63);
				_v120 = 0;
				E0045A4D0( &_v119, 0, 0x63);
				_v1220 = 0;
				E0045A4D0( &_v1219, 0, 0x3e7);
				_t397 = 1;
				_t424 = _t423 + 0x24;
				_v1296 = 1;
				if(_v1280 >= 1) {
					_t437 = _t331;
					_t390 =  !=  ? _t331 : 0x4c2d7c;
					do {
						_push(0x18);
						_v1288 = E0045C169(_t331, _t386, _t390, _t437);
						lstrcpyA( &_v220, "RECT");
						_t230 = E0049C6BE(_t397,  &_v1220, 0xa);
						_t426 = _t424 + 0x10;
						lstrcatA( &_v220, _t230);
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_v8 = 1;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *_t390 != 0) {
							_t353 = _t390;
							_t47 = _t353 + 2; // 0x4c2d7e
							_t386 = _t47;
							do {
								_t235 =  *_t353;
								_t353 = _t353 + 2;
								__eflags = _t235;
							} while (_t235 != 0);
							_t354 = _t353 - _t386;
							__eflags = _t354;
							_t355 = _t354 >> 1;
						} else {
							_t355 = 0;
						}
						_push(_t355);
						_push(_t390);
						E00406EB0(_t331,  &_v1264, _t390, _t397);
						_t237 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t53 = _t237 + 4; // 0x4
						SetLastError( *(_t421 +  *_t53 - 0x4c8));
						_v8 = 2;
						_t333 = E00490850(_v1276 + 8, _t386);
						_t240 = _v1240;
						_t399 = 2 + _v1248 * 2;
						_t360 = _v1236;
						if(_t399 >= _v1236 || _t240 == 0) {
							L0045A7D5(_t240);
							_t402 = (_t399 >> 6) + 1 << 6;
							_push(_t402);
							_v1236 = _t402;
							_t240 = E00459ADF(_t333, _t386, _t390, _t402);
							_t360 = _v1236;
							_t426 = _t426 + 8;
							_v1240 = _t240;
						}
						E0048DE60( &_v1268, _t240, _t360, 3);
						GetPrivateProfileStringA(_v1240,  &_v220, 0x4c2bd0,  &_v1220, 0x3e8, _t333);
						_t73 = _v1228 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t73)) = GetLastError();
						L0045A7D5(_v1240);
						_t334 = __imp__#6;
						_t427 = _t426 + 4;
						 *_t334(_v1232);
						if(_v1244 >= 8) {
							 *_t334(_v1264);
						}
						_t405 = SetLastError;
						_v1264 = 0;
						_t252 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t83 = _t252 + 4; // 0x2c
						SetLastError( *(_t421 +  *_t83 - 0x4f0));
						_t254 = GetSysColor(0xf);
						_t335 = _v1288;
						_push(_t335);
						_t428 = _t427 - 0x30;
						 *_t335 = _t254;
						E00485E90(_t428,  &_v1220,  &_v1269, 1);
						E0048FCA0(_t386);
						_t335[1] = CreateSolidBrush( *_t335);
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "POS");
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_v8 = 3;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *_t390 != 0) {
							_t364 = _t390;
							_t101 = _t364 + 2; // 0x4c2d7e
							_t386 = _t101;
							do {
								_t267 =  *_t364;
								_t364 = _t364 + 2;
								__eflags = _t267;
							} while (_t267 != 0);
							_t365 = _t364 - _t386;
							__eflags = _t365;
							_t366 = _t365 >> 1;
						} else {
							_t366 = 0;
						}
						_push(_t366);
						_push(_t390);
						E00406EB0(_t335,  &_v1264, _t390, _t405);
						_t269 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t107 = _t269 + 4; // 0x4
						SetLastError( *(_t421 +  *_t107 - 0x4c8));
						_v8 = 4;
						_t336 = E00490850(_v1276 + 8, _t386);
						_t272 = _v1240;
						_t406 = 2 + _v1248 * 2;
						_t371 = _v1236;
						if(_t406 >= _v1236 || _t272 == 0) {
							L0045A7D5(_t272);
							_t409 = (_t406 >> 6) + 1 << 6;
							_push(_t409);
							_v1236 = _t409;
							_t272 = E00459ADF(_t336, _t386, _t390, _t409);
							_t371 = _v1236;
							_t428 = _t428 + 8;
							_v1240 = _t272;
						}
						E0048DE60( &_v1268, _t272, _t371, 3);
						GetPrivateProfileStringA(_v1240,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t336);
						_t127 = _v1228 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t127)) = GetLastError();
						L0045A7D5(_v1240);
						_t337 = __imp__#6;
						_t429 = _t428 + 4;
						 *_t337(_v1232);
						_t447 = _v1244 - 8;
						if(_v1244 >= 8) {
							 *_t337(_v1264);
						}
						_t338 = SetLastError;
						_v1264 = 0;
						_t284 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t137 = _t284 + 4; // 0x2c
						SetLastError( *(_t421 +  *_t137 - 0x4f0));
						_t286 = _v1288;
						_t373 = _t286 + 0xc;
						_push(_t373);
						_t287 = _t286 + 8;
						_push(_t287);
						_t430 = _t429 - 0x30;
						 *_t373 = 0;
						 *_t287 = 0;
						E00485E90(_t430,  &_v1220,  &_v1281, 1);
						_t412 = _v1276;
						E00490020(_t386, _t447);
						lstrcpyA( &_v120,  &_v220);
						lstrcatA( &_v120, "AREA");
						_v1268 = 0x4c2f50;
						_v1228 = 0x4c3454;
						_v1224 = GetLastError();
						_t298 = 0;
						_v8 = 5;
						_v1244 = 7;
						_v1248 = 0;
						_v1264 = 0;
						if( *_t390 != 0) {
							_t325 = _t390;
							_t155 = _t325 + 2; // 0x4c2d7e
							_t386 = _t155;
							do {
								_t385 =  *_t325;
								_t325 = _t325 + 2;
							} while (_t385 != 0);
							_t298 = _t325 - _t386 >> 1;
						}
						_push(_t298);
						_push(_t390);
						E00406EB0(_t338,  &_v1264, _t390, _t412);
						_t300 = _v1228;
						_v1240 = 0;
						_v1236 = 0;
						_v1232 = 0;
						_t161 = _t300 + 4; // 0x4
						SetLastError( *(_t421 +  *_t161 - 0x4c8));
						_v8 = 6;
						_t339 = E00490850(_t412 + 8, _t386);
						_t303 = _v1240;
						_t413 = 2 + _v1248 * 2;
						_t379 = _v1236;
						if(_t413 >= _v1236 || _t303 == 0) {
							L0045A7D5(_t303);
							_t416 = (_t413 >> 6) + 1 << 6;
							_push(_t416);
							_v1236 = _t416;
							_t303 = E00459ADF(_t339, _t386, _t390, _t416);
							_t379 = _v1236;
							_t430 = _t430 + 8;
							_v1240 = _t303;
						}
						E0048DE60( &_v1268, _t303, _t379, 3);
						GetPrivateProfileStringA(_v1240,  &_v120, 0x4c2bd0,  &_v1220, 0x3e8, _t339);
						_t180 = _v1228 + 4; // 0x4
						_v8 = 0xffffffff;
						 *((intOrPtr*)( &_v1228 +  *_t180)) = GetLastError();
						L0045A7D5(_v1240);
						_t340 = __imp__#6;
						_t431 = _t430 + 4;
						 *_t340(_v1232);
						_t454 = _v1244 - 8;
						if(_v1244 >= 8) {
							 *_t340(_v1264);
						}
						_v1264 = 0;
						_t315 = _v1268;
						_v1244 = 7;
						_v1248 = 0;
						_t190 = _t315 + 4; // 0x2c
						SetLastError( *(_t421 +  *_t190 - 0x4f0));
						_t331 = _v1288;
						_t317 =  &(_t331[5]);
						_push(_t317);
						_t381 =  &(_t331[4]);
						_push(_t381);
						_t424 = _t431 - 0x30;
						 *_t381 = 0;
						 *_t317 = 0;
						E00485E90(_t424,  &_v1220,  &_v1289, 1);
						E00490020(_t386, _t454);
						_t323 = E00487A20(_v1304,  &_v1296);
						_t397 = _v1296 + 1;
						 *_t323 = _t331;
						_v1296 = _t397;
					} while (_t397 <= _v1280);
				}
				 *[fs:0x0] = _v16;
				_pop(_t389);
				_pop(_t398);
				_pop(_t332);
				return E0045A457(_t332, _v20 ^ _t421, _t386, _t389, _t398);
			}

0x00492320
0x00492323
0x00492325
0x00492330
0x00492331
0x00492337
0x0049233c
0x0049233e
0x00492344
0x00492348
0x00492350
0x00492365
0x00492371
0x0049237e
0x00492388
0x00492392
0x0049239a
0x004923ac
0x004923b2
0x004923b8
0x004923bf
0x004923c7
0x004923ce
0x004923d7
0x004923da
0x004923db
0x004923e1
0x004923e6
0x004923ec
0x004923ef
0x004923ef
0x004923ff
0x00492423
0x00492429
0x00492430
0x00492440
0x00492447
0x00492454
0x00492458
0x0049246b
0x00492472
0x00492477
0x0049247c
0x0049247f
0x0049248b
0x00492491
0x00492493
0x00492496
0x00492496
0x004924a0
0x004924b2
0x004924c2
0x004924c7
0x004924d2
0x004924d8
0x004924e2
0x004924f2
0x004924fa
0x00492501
0x0049250b
0x00492515
0x0049251f
0x00492525
0x00492527
0x00492527
0x00492530
0x00492530
0x00492533
0x00492536
0x00492536
0x0049253b
0x0049253b
0x0049253d
0x00492521
0x00492521
0x00492521
0x0049253f
0x00492540
0x00492547
0x0049254c
0x00492552
0x0049255c
0x00492566
0x00492570
0x0049257a
0x00492586
0x0049259b
0x0049259d
0x004925a3
0x004925aa
0x004925b2
0x004925b9
0x004925c2
0x004925c5
0x004925c6
0x004925cc
0x004925d1
0x004925d7
0x004925da
0x004925da
0x004925ea
0x0049260e
0x00492620
0x00492623
0x00492632
0x0049263a
0x0049263f
0x00492645
0x0049264e
0x00492657
0x0049265f
0x0049265f
0x00492661
0x00492669
0x00492670
0x00492676
0x00492680
0x0049268a
0x00492694
0x00492698
0x0049269e
0x004926a4
0x004926a5
0x004926aa
0x004926bc
0x004926c7
0x004926d4
0x004926e2
0x004926f1
0x004926f7
0x00492701
0x00492711
0x00492719
0x00492720
0x0049272a
0x00492734
0x0049273e
0x00492744
0x00492746
0x00492746
0x00492750
0x00492750
0x00492753
0x00492756
0x00492756
0x0049275b
0x0049275b
0x0049275d
0x00492740
0x00492740
0x00492740
0x0049275f
0x00492760
0x00492767
0x0049276c
0x00492772
0x0049277c
0x00492786
0x00492790
0x0049279a
0x004927a2
0x004927b7
0x004927b9
0x004927bf
0x004927c6
0x004927ce
0x004927d5
0x004927de
0x004927e1
0x004927e2
0x004927e8
0x004927ed
0x004927f3
0x004927f6
0x004927f6
0x00492806
0x00492827
0x00492839
0x0049283c
0x0049284b
0x00492853
0x00492858
0x0049285e
0x00492867
0x00492869
0x00492870
0x00492878
0x00492878
0x0049287a
0x00492882
0x00492889
0x0049288f
0x00492899
0x004928a3
0x004928ad
0x004928af
0x004928b5
0x004928b8
0x004928b9
0x004928bc
0x004928bd
0x004928c0
0x004928c8
0x004928de
0x004928e3
0x004928eb
0x004928fb
0x0049290a
0x00492910
0x0049291a
0x0049292a
0x00492930
0x00492932
0x00492939
0x00492943
0x0049294d
0x00492957
0x00492959
0x0049295b
0x0049295b
0x00492960
0x00492960
0x00492963
0x00492966
0x0049296d
0x0049296d
0x0049296f
0x00492970
0x00492977
0x0049297c
0x00492982
0x0049298c
0x00492996
0x004929a0
0x004929aa
0x004929af
0x004929c1
0x004929c3
0x004929c9
0x004929d0
0x004929d8
0x004929df
0x004929e8
0x004929eb
0x004929ec
0x004929f2
0x004929f7
0x004929fd
0x00492a00
0x00492a00
0x00492a10
0x00492a31
0x00492a43
0x00492a46
0x00492a55
0x00492a5d
0x00492a62
0x00492a68
0x00492a71
0x00492a73
0x00492a7a
0x00492a82
0x00492a82
0x00492a8c
0x00492a93
0x00492a99
0x00492aa3
0x00492aad
0x00492ab7
0x00492ab9
0x00492abf
0x00492ac2
0x00492ac3
0x00492ac6
0x00492ac7
0x00492aca
0x00492ad2
0x00492ae8
0x00492af3
0x00492b05
0x00492b10
0x00492b11
0x00492b13
0x00492b19
0x00492496
0x00492b28
0x00492b30
0x00492b31
0x00492b32
0x00492b40

APIs

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000002,?,?,0048A841,?,00000000,00000103), ref: 00490876
Part of subcall function 00490850: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,?,00000000,00000000,?,?), ref: 004908BE

GetPrivateProfileIntA.KERNEL32 ref: 00492417
_memset.LIBCMT ref: 00492447
_memset.LIBCMT ref: 00492458
_memset.LIBCMT ref: 00492472
lstrcpyA.KERNEL32(00000000,RECT), ref: 004924B2
__itow.LIBCMT ref: 004924C2
lstrcatA.KERNEL32(00000000,00000000), ref: 004924D2
GetLastError.KERNEL32 ref: 004924EC
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049257A
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 0049260E
GetLastError.KERNEL32 ref: 0049262C
SysFreeString.OLEAUT32(00000000), ref: 0049264E
SysFreeString.OLEAUT32(?), ref: 0049265F
SetLastError.KERNEL32(004C2F50), ref: 00492694
GetSysColor.USER32(0000000F), ref: 00492698
CreateSolidBrush.GDI32(?), ref: 004926CE
lstrcpyA.KERNEL32(00000000,00000000), ref: 004926E2
lstrcatA.KERNEL32(00000000,POS), ref: 004926F1
GetLastError.KERNEL32 ref: 0049270B
SetLastError.KERNEL32(004C3454,004C2D7C,004C2D7A), ref: 0049279A
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00492827
GetLastError.KERNEL32 ref: 00492845
SysFreeString.OLEAUT32(00000000), ref: 00492867
SysFreeString.OLEAUT32(?), ref: 00492878
SetLastError.KERNEL32(004C2F50), ref: 004928AD
lstrcpyA.KERNEL32(00000000,00000000,00000000,?,00000001), ref: 004928FB
lstrcatA.KERNEL32(00000000,AREA), ref: 0049290A
GetLastError.KERNEL32 ref: 00492924
SetLastError.KERNEL32(004C3454,004C2D7C,00000000), ref: 004929AA
GetPrivateProfileStringA.KERNEL32(00000000,00000000,004C2BD0,00000000,000003E8,00000000), ref: 00492A31
GetLastError.KERNEL32 ref: 00492A4F
SysFreeString.OLEAUT32(00000000), ref: 00492A71
SysFreeString.OLEAUT32(?), ref: 00492A82
SetLastError.KERNEL32(004C2F50), ref: 00492AB7

Strings

T4L, xrefs: 0049291A
lJ, xrefs: 00492320
P/L, xrefs: 00492910
AREA, xrefs: 00492901
RECTS, xrefs: 0049240C
RECT, xrefs: 004924A6
|-L, xrefs: 0049235C
POS, xrefs: 004926E8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$PrivateProfile$_memsetlstrcatlstrcpy$ByteCharMultiWide$BrushColorCreateSolid__itow
String ID: AREA$P/L$POS$RECT$RECTS$T4L$lJ$|-L
API String ID: 792308993-3612069791
Opcode ID: 676644e03dce56ef09630d3f305d4d9f0cc9e76f444dab0f7d4242ff0ec598dc
Instruction ID: 847f3d342a300f7a84bb54192f6ac905bd70cd248483a1ad69a0eaab08ef64dd
Opcode Fuzzy Hash: 676644e03dce56ef09630d3f305d4d9f0cc9e76f444dab0f7d4242ff0ec598dc
Instruction Fuzzy Hash: C82240B59012299FDF60DF54CD85B9EBBB8BF44308F0041EAEA09A7291DB745E84CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004946B0, Relevance: 65.1, APIs: 33, Strings: 4, Instructions: 329
memoryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E004946B0(intOrPtr __ecx, WCHAR* __edx, intOrPtr _a4) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				short _v64;
				char _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				short _v112;
				char _v116;
				char _v124;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v140;
				char _v144;
				short _v160;
				char _v164;
				char _v172;
				intOrPtr _v176;
				intOrPtr _v184;
				intOrPtr _v188;
				char _v192;
				short _v208;
				char _v212;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				short _v256;
				char _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				char _v272;
				signed short _v276;
				WCHAR* _v280;
				intOrPtr _v284;
				char _v288;
				char _v292;
				intOrPtr _v296;
				char _v308;
				char _v320;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t159;
				signed int _t160;
				signed short _t162;
				void* _t165;
				void* _t166;
				void* _t168;
				void* _t170;
				short _t171;
				char _t206;
				intOrPtr* _t209;
				WCHAR* _t210;
				long _t217;
				char _t218;
				intOrPtr _t219;
				intOrPtr _t224;
				intOrPtr _t232;
				intOrPtr _t235;
				intOrPtr* _t237;
				intOrPtr* _t242;
				void* _t249;
				intOrPtr _t250;
				signed short _t251;
				void* _t252;
				WCHAR* _t262;
				intOrPtr* _t271;
				signed int _t273;
				intOrPtr* _t275;
				void* _t276;
				WCHAR** _t290;
				char* _t292;
				void* _t294;
				signed int _t296;
				void* _t297;
				void* _t298;
				void* _t299;
				void* _t300;
				void* _t301;
				void* _t302;
				void* _t303;
				void* _t304;
				signed int _t306;

				_t272 = __edx;
				_push(0xffffffff);
				_push(0x4abc27);
				_push( *[fs:0x0]);
				_t298 = _t297 - 0x130;
				_t159 =  *0x4d7e88; // 0x9518852c
				_t160 = _t159 ^ _t296;
				_t306 = _t160;
				_v20 = _t160;
				_push(_t160);
				 *[fs:0x0] =  &_v16;
				_v264 = __ecx;
				_t278 = _a4;
				_v268 = _a4;
				_t162 = GetTickCount();
				_t275 = __imp__#6;
				_t249 = GetLastError;
				_v276 = _t162 & 0x0000ffff;
				_v272 = 0;
				do {
					_t165 = E0048F9A0(_t278, _t272, _t306,  &_v212);
					_v8 = 0;
					_t166 = E00451ED3(_t165,  &_v116, 0, 4);
					_v8 = 1;
					_t168 = E0048DC10(_v268, _t306,  &_v260);
					_v8 = 2;
					_t170 = E00480F50( &_v164, _t168, _t166);
					_t299 = _t298 + 0xc;
					_v8 = 3;
					if(_t170 == 0) {
						_t171 = 0;
						__eflags = 0;
					} else {
						_t171 = _t170 + 4;
					}
					_t260 = _v264 + 4;
					if(_v264 + 4 != _t171) {
						_push(0xffffffff);
						_push(0);
						E00407B10(_t249, _t260, _t275, _t171);
					}
					 *((intOrPtr*)( &_v124 +  *((intOrPtr*)(_v124 + 4)))) = GetLastError();
					L0045A7D5(_v136);
					_t300 = _t299 + 4;
					 *_t275(_v128);
					if(_v140 >= 8) {
						 *_t275(_v160);
					}
					_v160 = 0;
					_v140 = 7;
					_v144 = 0;
					SetLastError( *(_t296 +  *((intOrPtr*)(_v164 + 4)) - 0xa0));
					 *((intOrPtr*)( &_v220 +  *((intOrPtr*)(_v220 + 4)))) = GetLastError();
					L0045A7D5(_v232);
					_t301 = _t300 + 4;
					 *_t275(_v224);
					if(_v236 >= 8) {
						 *_t275(_v256);
					}
					_v256 = 0;
					_v236 = 7;
					_v240 = 0;
					SetLastError( *(_t296 +  *((intOrPtr*)(_v260 + 4)) - 0x100));
					 *((intOrPtr*)( &_v76 +  *((intOrPtr*)(_v76 + 4)))) = GetLastError();
					L0045A7D5(_v88);
					_t302 = _t301 + 4;
					 *_t275(_v80);
					if(_v92 >= 8) {
						 *_t275(_v112);
					}
					_v112 = 0;
					_v92 = 7;
					_v96 = 0;
					SetLastError( *(_t296 +  *((intOrPtr*)(_v116 + 4)) - 0x70));
					 *((intOrPtr*)( &_v172 +  *((intOrPtr*)(_v172 + 4)))) = GetLastError();
					L0045A7D5(_v184);
					_t303 = _t302 + 4;
					 *_t275(_v176);
					if(_v188 >= 8) {
						 *_t275(_v208);
					}
					_v208 = 0;
					_v188 = 7;
					_v192 = 0;
					SetLastError( *(_t296 +  *((intOrPtr*)(_v212 + 4)) - 0xd0));
					_v68 = 0x4ae964;
					_v28 = 0x4ae96c;
					_v24 = GetLastError();
					_v64 = 0;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_t206 = _v28;
					_v44 = 7;
					_v48 = 0;
					_t84 = _t206 + 4; // 0x4
					SetLastError( *(_t296 +  *_t84 - 0x18));
					_v8 = 4;
					_t209 = E00490770( &_v68,  &_v320, 0x104);
					_t250 =  *_t209;
					 *((char*)(_t209 + 4)) = 1;
					__imp__#7( *(_t250 + 0x24));
					if( *(_t250 + 0x14) == _t209) {
						_t210 =  *(_t250 + 0x24);
						_t98 = _t250 + 0x24; // 0x73b74d64
						_t290 = _t98;
						_v280 = _t210;
						__eflags = _t210;
						if(_t210 != 0) {
							_t273 =  *(_t250 + 0x14);
							__eflags =  *(_t250 + 0x14) - _t273;
							_t102 = _t250 + 4; // 0x73b74d44
							_t271 = _t102;
							_t272 =  <  ?  *((void*)(_t271 + 0x10)) : _t273;
							__eflags =  *((intOrPtr*)(_t271 + 0x14)) - 8;
							if( *((intOrPtr*)(_t271 + 0x14)) >= 8) {
								_t271 =  *_t271;
							}
							__eflags = _t272;
							if(_t272 != 0) {
								E0045B7E2(_v280,  *(_t250 + 0x14), _t271, _t272);
								_t303 = _t303 + 0x10;
							}
						}
					} else {
						_t94 = _t250 + 4; // 0x73b74d44
						_t242 = _t94;
						if( *((intOrPtr*)(_t250 + 0x18)) >= 8) {
							_t242 =  *_t242;
						}
						_t96 = _t250 + 0x24; // 0x73b74d64
						_t290 = _t96;
						__imp__#5(_t290, _t242,  *(_t250 + 0x14));
					}
					_t262 =  *_t290;
					if(_t262 != 0) {
						_t272 = 0;
						_t262[ *(_t250 + 0x14)] = 0;
					}
					_t251 = _v276;
					wsprintfW( *_t290, L"%hx.rra", _t251 & 0x0000ffff);
					_t304 = _t303 + 0xc;
					_v8 = 4;
					E00487390( &_v320);
					_push(0xffffffff);
					E0040DA0C(_t251, _v264 + 4,  &_v64, 0);
					_t217 = GetFileAttributesW(E0040B8F2(_v264));
					_t218 = _v28;
					_t292 =  &_v28;
					_t118 = _t218 + 4; // 0x4
					_t219 =  *_t118;
					if(_t217 == 0xffffffff) {
						L33:
						 *((intOrPtr*)(_t292 + _t219)) = GetLastError();
						L0045A7D5(_v40);
						 *_t275(_v32);
						if(_v44 >= 8) {
							 *_t275(_v64);
						}
						_v64 = 0;
						_t224 = _v68;
						_v44 = 7;
						_v48 = 0;
						_t153 = _t224 + 4; // 0x2c
						SetLastError( *(_t296 +  *_t153 - 0x40));
						 *[fs:0x0] = _v16;
						_pop(_t276);
						_pop(_t294);
						_pop(_t252);
						return E0045A457(_t252, _v20 ^ _t296, _t272, _t276, _t294);
					}
					_v276 = _t251 + 1;
					_t249 = GetLastError;
					_v8 = 0xffffffff;
					 *((intOrPtr*)(_t292 + _t219)) = GetLastError();
					L0045A7D5(_v40);
					_t298 = _t304 + 4;
					 *_t275(_v32);
					if(_v44 >= 8) {
						 *_t275(_v64);
					}
					_v64 = 0;
					_t232 = _v68;
					_v44 = 7;
					_v48 = 0;
					_t129 = _t232 + 4; // 0x2c
					SetLastError( *(_t296 +  *_t129 - 0x40));
					_t278 = _v268;
					_t235 = _v272 + 1;
					_v272 = _t235;
					_t319 = _t235 - 0xffff;
				} while (_t235 < 0xffff);
				E0045C78C( &_v308);
				_push(4);
				_v8 = 6;
				_v308 = 0x4ae89c;
				_v296 = 0x50;
				_v292 = 0;
				_v288 = 0;
				_t237 = E0045C169(_t249, _t272, _t275, _t319);
				_t304 = _t298 + 4;
				if(_t237 == 0) {
					_v284 = 0;
				} else {
					 *_t237 = 1;
					_v284 = _t237;
				}
				_v8 = 0xffffffff;
				_t219 = E0045A466( &_v308, 0x4c6ab8);
				goto L33;
			}

0x004946b0
0x004946b3
0x004946b5
0x004946c0
0x004946c1
0x004946c7
0x004946cc
0x004946cc
0x004946ce
0x004946d4
0x004946d8
0x004946de
0x004946e4
0x004946e7
0x004946ed
0x004946f3
0x004946f9
0x00494702
0x00494708
0x00494712
0x0049471b
0x0049472a
0x00494731
0x00494745
0x00494749
0x00494757
0x0049475b
0x00494760
0x00494763
0x00494769
0x00494770
0x00494770
0x0049476b
0x0049476b
0x0049476b
0x00494778
0x0049477d
0x0049477f
0x00494781
0x00494784
0x00494784
0x00494796
0x0049479e
0x004947a3
0x004947a9
0x004947b2
0x004947ba
0x004947ba
0x004947be
0x004947cb
0x004947d5
0x004947e9
0x00494802
0x0049480a
0x0049480f
0x00494818
0x00494821
0x00494829
0x00494829
0x0049482d
0x0049483a
0x00494844
0x00494858
0x0049486b
0x00494870
0x00494875
0x0049487b
0x00494881
0x00494886
0x00494886
0x0049488a
0x00494891
0x00494898
0x004948a6
0x004948bf
0x004948c7
0x004948cc
0x004948d5
0x004948de
0x004948e6
0x004948e6
0x004948f0
0x004948fd
0x00494907
0x0049491b
0x0049491d
0x00494924
0x0049492d
0x00494932
0x00494936
0x00494939
0x0049493c
0x0049493f
0x00494942
0x00494949
0x00494950
0x00494957
0x00494968
0x0049496f
0x00494974
0x00494976
0x00494980
0x00494988
0x004949a5
0x004949a8
0x004949a8
0x004949ab
0x004949b1
0x004949b3
0x004949b5
0x004949b8
0x004949bb
0x004949bb
0x004949be
0x004949c2
0x004949c6
0x004949c8
0x004949c8
0x004949ca
0x004949cc
0x004949d9
0x004949de
0x004949de
0x004949cc
0x0049498a
0x0049498e
0x0049498e
0x00494991
0x00494993
0x00494993
0x00494998
0x00494998
0x0049499d
0x0049499d
0x004949e1
0x004949e5
0x004949ea
0x004949ec
0x004949ec
0x004949f0
0x00494a01
0x00494a07
0x00494a10
0x00494a14
0x00494a1f
0x00494a2a
0x00494a37
0x00494a40
0x00494a43
0x00494a46
0x00494a46
0x00494a49
0x00494b3b
0x00494b43
0x00494b48
0x00494b53
0x00494b59
0x00494b5e
0x00494b5e
0x00494b62
0x00494b66
0x00494b69
0x00494b70
0x00494b77
0x00494b7e
0x00494b87
0x00494b8f
0x00494b90
0x00494b91
0x00494b9f
0x00494b9f
0x00494a50
0x00494a56
0x00494a5c
0x00494a67
0x00494a6c
0x00494a71
0x00494a77
0x00494a7d
0x00494a82
0x00494a82
0x00494a86
0x00494a8a
0x00494a8d
0x00494a94
0x00494a9b
0x00494aa2
0x00494aae
0x00494ab4
0x00494ab5
0x00494abb
0x00494abb
0x00494acc
0x00494ad1
0x00494ad3
0x00494ada
0x00494ae4
0x00494aee
0x00494af8
0x00494aff
0x00494b04
0x00494b09
0x00494b19
0x00494b0b
0x00494b0b
0x00494b11
0x00494b11
0x00494b2f
0x00494b36
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004946ED

Part of subcall function 00480F50: GetLastError.KERNEL32(9518852C,76E3D5B0), ref: 00480F9C
Part of subcall function 00480F50: SetLastError.KERNEL32(004C2F90,00000000,00000000,000000FF), ref: 00480FFC
Part of subcall function 00480F50: GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 0048102A
Part of subcall function 00480F50: SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00481078

GetLastError.KERNEL32(00000000,00000004,?), ref: 00494794
SysFreeString.OLEAUT32(?), ref: 004947A9
SysFreeString.OLEAUT32(?), ref: 004947BA
SetLastError.KERNEL32(?), ref: 004947E9
GetLastError.KERNEL32 ref: 00494800
SysFreeString.OLEAUT32(?), ref: 00494818
SysFreeString.OLEAUT32(?), ref: 00494829
SetLastError.KERNEL32(?), ref: 00494858
GetLastError.KERNEL32 ref: 00494869
SysFreeString.OLEAUT32(?), ref: 0049487B
SysFreeString.OLEAUT32(?), ref: 00494886
SetLastError.KERNEL32(?), ref: 004948A6
GetLastError.KERNEL32 ref: 004948BD
SysFreeString.OLEAUT32(?), ref: 004948D5
SysFreeString.OLEAUT32(?), ref: 004948E6
SetLastError.KERNEL32(?), ref: 0049491B
GetLastError.KERNEL32 ref: 0049492B
SetLastError.KERNEL32(004AE96C), ref: 00494957
SysStringLen.OLEAUT32(?), ref: 00494980
SysReAllocStringLen.OLEAUT32(73B74D64,73B74D44,?), ref: 0049499D
_wmemcpy_s.LIBCMT ref: 004949D9
wsprintfW.USER32 ref: 00494A01
GetFileAttributesW.KERNEL32(00000000,?,00000000,000000FF), ref: 00494A37
GetLastError.KERNEL32 ref: 00494A65
SysFreeString.OLEAUT32(?), ref: 00494A77
SysFreeString.OLEAUT32(?), ref: 00494A82
SetLastError.KERNEL32(004AE964), ref: 00494AA2
__CxxThrowException@8.LIBCMT ref: 00494B36
GetLastError.KERNEL32(004AE89C,004C6AB8), ref: 00494B3D
SysFreeString.OLEAUT32(?), ref: 00494B53
SysFreeString.OLEAUT32(?), ref: 00494B5E
SetLastError.KERNEL32(004AE964), ref: 00494B7E

Strings

lJ, xrefs: 004946B0
%hx.rra, xrefs: 004949FA
lJ, xrefs: 00494924
dJ, xrefs: 0049491D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$AllocAttributesCountException@8FileThrowTick_wmemcpy_swsprintf
String ID: %hx.rra$dJ$lJ$lJ
API String ID: 2442431672-3032772394
Opcode ID: 994a42e1a2bea919821b88bda0209dcf58087b5bc0da4104dba25f3a91007b82
Instruction ID: 57c3e9b993fe8f9d33eff172e26738e36be1e758f2be950968eea74ca9e0be38
Opcode Fuzzy Hash: 994a42e1a2bea919821b88bda0209dcf58087b5bc0da4104dba25f3a91007b82
Instruction Fuzzy Hash: 64E14871900218DFDF10DFA9CC85B9EBBB4BF09314F1081A9E818A72A1D735AE95CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00489C10, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 476
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00489C10(struct HWND__** __edx, void* __eflags, intOrPtr _a4, struct HWND__** _a8) {
				RECT* _v8;
				char _v16;
				signed int _v20;
				char _v23;
				RECT* _v27;
				char _v28;
				struct tagRECT _v44;
				struct tagRECT _v60;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v84;
				RECT* _v88;
				short _v104;
				char _v108;
				char _v152;
				char _v156;
				struct tagRECT _v172;
				struct HWND__** _v176;
				char _v177;
				intOrPtr _v184;
				void* _v188;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t206;
				signed int _t207;
				void* _t253;
				struct HICON__** _t268;
				intOrPtr* _t270;
				intOrPtr* _t271;
				intOrPtr* _t272;
				intOrPtr* _t281;
				intOrPtr* _t282;
				intOrPtr* _t283;
				intOrPtr* _t296;
				intOrPtr* _t297;
				intOrPtr* _t298;
				intOrPtr _t302;
				intOrPtr _t303;
				int _t304;
				intOrPtr _t305;
				int _t306;
				intOrPtr* _t314;
				intOrPtr* _t315;
				intOrPtr* _t316;
				signed int _t317;
				CHAR* _t327;
				void* _t328;
				struct HWND__** _t329;
				struct HWND__** _t331;
				void* _t332;
				short* _t334;
				void* _t342;
				void* _t372;
				void* _t373;
				void* _t374;
				struct HWND__** _t376;
				char _t377;
				intOrPtr* _t380;
				void* _t381;
				intOrPtr* _t384;
				struct HDC__* _t385;
				intOrPtr* _t387;
				intOrPtr* _t389;
				intOrPtr* _t391;
				signed int _t392;
				void* _t393;
				void* _t394;
				char _t395;

				_t371 = __edx;
				_push(0xffffffff);
				_push(0x4ab35b);
				_push( *[fs:0x0]);
				_t394 = _t393 - 0xac;
				_t206 =  *0x4d7e88; // 0x9518852c
				_t207 = _t206 ^ _t392;
				_v20 = _t207;
				_push(_t372);
				_push(_t207);
				 *[fs:0x0] =  &_v16;
				_t376 = _a8;
				_v184 = _a4;
				_t327 = _t376 + 4;
				_v176 = _t376;
				E00485E90( &_v108, _t327,  &_v177, 1);
				_v8 = 0;
				if( *((intOrPtr*)(_t376 + 0x138)) >= 2) {
					_t317 =  *(_t376 + 0x13c) & 0x0000ffff;
					if(_t317 != 0) {
						_v28 = 0;
						_v27 = 0;
						_v23 = 0;
						wsprintfA( &_v28, "-%04x", _t317);
						_t394 = _t394 + 0xc;
						E00485E90( &_v156,  &_v28,  &_v177, 1);
						_v8 = 1;
						E00407F60(_t327,  &_v104, _t372, _t376,  &_v152, 0, 0xffffffff);
						E00401AC0( &_v156);
					}
				}
				_t395 = _t394 - 0x30;
				_t377 = _t395;
				_v28 = _t377;
				 *_t377 = 0x4c2f78;
				 *((intOrPtr*)(_t377 + 0x28)) = 0x4c2fa8;
				 *((intOrPtr*)(_t377 + 0x2c)) = GetLastError();
				_t334 = _t377 + 4;
				_push(0xffffffff);
				 *((intOrPtr*)(_t334 + 0x14)) = 7;
				 *(_t334 + 0x10) = 0;
				 *_t334 = 0;
				_v8 = 2;
				E00406630(_t327, _t334, _t372,  &_v104, 0);
				 *(_t377 + 0x1c) = 0;
				 *(_t377 + 0x20) = 0;
				 *(_t377 + 0x24) = 0;
				_t36 =  *((intOrPtr*)(_t377 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t36 + _t377 + 0x28));
				_v8 = 0;
				_t373 = E004903C0(_v184, _t371);
				if(_t373 == 0) {
					L66:
					 *((intOrPtr*)( &_v68 +  *((intOrPtr*)(_v68 + 4)))) = GetLastError();
					L0045A7D5(_v80);
					_t380 = __imp__#6;
					 *_t380(_v72);
					if(_v84 >= 8) {
						 *_t380(_v104);
					}
					_v84 = 7;
					_v88 = 0;
					_v104 = 0;
					SetLastError( *(_t392 +  *((intOrPtr*)(_v108 + 4)) - 0x68));
					 *[fs:0x0] = _v16;
					_pop(_t374);
					_pop(_t381);
					_pop(_t328);
					return E0045A457(_t328, _v20 ^ _t392, _t371, _t374, _t381);
				} else {
					_t342 = _v176;
					 *_t373 =  *_t342;
					 *((intOrPtr*)(_t373 + 0xcc)) =  *((intOrPtr*)(_t342 + 0xcc));
					_t45 = _t373 + 0xd0; // 0xd0
					lstrcpyA(_t45, _t342 + 0xd0);
					_t46 = _t373 + 4; // 0x4
					lstrcpyA(_t46, _t327);
					_t329 = _v176;
					_t49 = _t373 + 0x68; // 0x68
					lstrcpyA(_t49,  &(_t329[0x1a]));
					 *(_t373 + 0x134) = _t329[0x4d];
					 *((short*)(_t373 + 0x13c)) = _t329[0x4f];
					_v44.left = 0;
					_v44.top = 0;
					_v44.right = 4;
					_v44.bottom = 8;
					MapDialogRect( *_t329,  &_v44);
					_t330 = MulDiv;
					 *(_t373 + 0x140) = _v44.right;
					 *(_t373 + 0x144) = _v44.bottom;
					 *((intOrPtr*)(_t373 + 0x150)) = MulDiv( *(_t373 + 0x140), 0x186a0, 6);
					 *((intOrPtr*)(_t373 + 0x154)) = MulDiv( *(_t373 + 0x144), 0x186a0, 0xd);
					_t384 =  *((intOrPtr*)( *((intOrPtr*)(E00489560(MulDiv, _t373)))));
					if(_t384 ==  *((intOrPtr*)(E00489560(MulDiv, _t373)))) {
						L22:
						GetClientRect( *_v176,  &_v172);
						_t385 = CreateDCW(L"DISPLAY", 0, 0, 0);
						_v28 = _t385;
						 *(_t373 + 0x148) = CreateCompatibleDC(_t385);
						_t253 = CreateCompatibleBitmap(_t385, _v172.right, _v172.bottom);
						_v188 = _t253;
						SelectObject( *(_t373 + 0x148), _t253);
						_t387 =  *((intOrPtr*)( *((intOrPtr*)(E00489470(_t330, _t373)))));
						if(_t387 ==  *((intOrPtr*)(E00489470(_t330, _t373)))) {
							L35:
							_t389 =  *((intOrPtr*)( *((intOrPtr*)(E00489560(_t330, _t373)))));
							if(_t389 ==  *((intOrPtr*)(E00489560(_t330, _t373)))) {
								L47:
								_t331 = _v176;
								E004891A0(_v184,  *_t331, _t373);
								_t391 =  *((intOrPtr*)( *((intOrPtr*)(E004894E0(_t331, _t373)))));
								if(_t391 ==  *((intOrPtr*)(E004894E0(_t331, _t373)))) {
									L65:
									DeleteObject(_v188);
									DeleteDC(_v28);
									SetPropW( *_t331, L"PROP_PSKIN", _t373);
									 *(_t373 + 0x134) = SetWindowLongW( *_t331, 0xfffffffc,  &M0048B260);
									InvalidateRect( *_t331, 0, 0);
									UpdateWindow( *_t331);
									_t373 = 1;
									goto L66;
								}
								_t332 = GetDlgItem;
								do {
									_t268 =  *(_t391 + 0x14);
									if(_t268 != 0 &&  *_t268 != 0 && GetDlgItem( *_v176, _t268[5]) != 0) {
										DrawIcon( *(_t373 + 0x148), ( *(_t391 + 0x14))[1], ( *(_t391 + 0x14))[2],  *( *(_t391 + 0x14)));
									}
									if( *((char*)(_t391 + 0xd)) == 0) {
										_t270 =  *((intOrPtr*)(_t391 + 8));
										if( *((char*)(_t270 + 0xd)) != 0) {
											_t271 =  *((intOrPtr*)(_t391 + 4));
											if( *((char*)(_t271 + 0xd)) != 0) {
												L62:
												_t391 = _t271;
												goto L63;
											}
											while(_t391 ==  *((intOrPtr*)(_t271 + 8))) {
												_t391 = _t271;
												_t271 =  *((intOrPtr*)(_t271 + 4));
												if( *((char*)(_t271 + 0xd)) == 0) {
													continue;
												}
												goto L62;
											}
											goto L62;
										}
										_t391 = _t270;
										_t272 =  *_t391;
										if( *((char*)(_t272 + 0xd)) != 0) {
											goto L63;
										} else {
											goto L56;
										}
										do {
											L56:
											_t391 = _t272;
											_t272 =  *_t391;
										} while ( *((char*)(_t272 + 0xd)) == 0);
									}
									L63:
								} while (_t391 !=  *((intOrPtr*)(E004894E0(_t332, _t373))));
								_t331 = _v176;
								goto L65;
							}
							do {
								E00498430(_t371,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t389 + 0x14)) + 0x44)))),  *(_t373 + 0x148),  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t389 + 0x14)) + 0x44)) + 4)));
								_t395 = _t395 + 0xc;
								if( *((char*)(_t389 + 0xd)) != 0) {
									goto L46;
								}
								_t281 =  *((intOrPtr*)(_t389 + 8));
								if( *((char*)(_t281 + 0xd)) != 0) {
									_t282 =  *((intOrPtr*)(_t389 + 4));
									if( *((char*)(_t282 + 0xd)) != 0) {
										L45:
										_t389 = _t282;
										goto L46;
									}
									while(_t389 ==  *((intOrPtr*)(_t282 + 8))) {
										_t389 = _t282;
										_t282 =  *((intOrPtr*)(_t282 + 4));
										if( *((char*)(_t282 + 0xd)) == 0) {
											continue;
										}
										goto L45;
									}
									goto L45;
								}
								_t389 = _t281;
								_t283 =  *_t389;
								if( *((char*)(_t283 + 0xd)) != 0) {
									goto L46;
								} else {
									goto L40;
								}
								do {
									L40:
									_t389 = _t283;
									_t283 =  *_t389;
								} while ( *((char*)(_t283 + 0xd)) == 0);
								L46:
							} while (_t389 !=  *((intOrPtr*)(E00489560(_t330, _t373))));
							goto L47;
						}
						do {
							_v60.left = MulDiv( *( *((intOrPtr*)(_t387 + 0x14)) + 8),  *(_t373 + 0x140), 4);
							_v60.top = MulDiv( *( *((intOrPtr*)(_t387 + 0x14)) + 0xc),  *(_t373 + 0x144), 8);
							_v60.right = MulDiv( *( *((intOrPtr*)(_t387 + 0x14)) + 0x10),  *(_t373 + 0x140), 4);
							_v60.bottom = MulDiv( *( *((intOrPtr*)(_t387 + 0x14)) + 0x14),  *(_t373 + 0x144), 8);
							FillRect( *(_t373 + 0x148),  &_v60,  *( *((intOrPtr*)(_t387 + 0x14)) + 4));
							if( *((char*)(_t387 + 0xd)) != 0) {
								goto L34;
							}
							_t296 =  *((intOrPtr*)(_t387 + 8));
							if( *((char*)(_t296 + 0xd)) != 0) {
								_t297 =  *((intOrPtr*)(_t387 + 4));
								if( *((char*)(_t297 + 0xd)) != 0) {
									L33:
									_t387 = _t297;
									goto L34;
								}
								while(_t387 ==  *((intOrPtr*)(_t297 + 8))) {
									_t387 = _t297;
									_t297 =  *((intOrPtr*)(_t297 + 4));
									if( *((char*)(_t297 + 0xd)) == 0) {
										continue;
									}
									goto L33;
								}
								goto L33;
							}
							_t387 = _t296;
							_t298 =  *_t387;
							if( *((char*)(_t298 + 0xd)) != 0) {
								goto L34;
							}
							do {
								_t387 = _t298;
								_t298 =  *_t387;
							} while ( *((char*)(_t298 + 0xd)) == 0);
							L34:
						} while (_t387 !=  *((intOrPtr*)(E00489470(_t330, _t373))));
						goto L35;
					} else {
						goto L5;
					}
					do {
						L5:
						_t371 = _v176;
						 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)))) + 4) =  *_v176;
						_t302 = E0049A110( *_v176);
						_t395 = _t395 + 4;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)))) + 0xc)) = _t302;
						_t303 =  *((intOrPtr*)(_t384 + 0x14));
						if(( *(_t303 + 0x40) & 0x00000200) == 0) {
							_t304 = MulDiv( *(_t303 + 0x34),  *(_t373 + 0x140), 4);
						} else {
							_t304 = 0x4000;
						}
						 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)) + 4)) + 0x38) = _t304;
						_t305 =  *((intOrPtr*)(_t384 + 0x14));
						if(( *(_t305 + 0x40) & 0x00000100) == 0) {
							_t306 = MulDiv( *(_t305 + 0x38),  *(_t373 + 0x144), 8);
						} else {
							_t306 = 0x4000;
						}
						 *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)) + 4)) + 0x3c) = _t306;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)) + 4)) + 0x40)) =  *((intOrPtr*)(_t373 + 0x150));
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t384 + 0x14)) + 0x44)) + 4)) + 0x44)) =  *((intOrPtr*)(_t373 + 0x154));
						if( *((char*)(_t384 + 0xd)) == 0) {
							_t314 =  *((intOrPtr*)(_t384 + 8));
							if( *((char*)(_t314 + 0xd)) != 0) {
								_t315 =  *((intOrPtr*)(_t384 + 4));
								if( *((char*)(_t315 + 0xd)) != 0) {
									L20:
									_t384 = _t315;
									goto L21;
								}
								while(_t384 ==  *((intOrPtr*)(_t315 + 8))) {
									_t384 = _t315;
									_t315 =  *((intOrPtr*)(_t315 + 4));
									if( *((char*)(_t315 + 0xd)) == 0) {
										continue;
									}
									goto L20;
								}
								goto L20;
							}
							_t384 = _t314;
							_t316 =  *_t384;
							if( *((char*)(_t316 + 0xd)) != 0) {
								goto L21;
							}
							do {
								_t384 = _t316;
								_t316 =  *_t384;
							} while ( *((char*)(_t316 + 0xd)) == 0);
						}
						L21:
					} while (_t384 !=  *((intOrPtr*)(E00489560(_t330, _t373))));
					goto L22;
				}
			}

0x00489c10
0x00489c13
0x00489c15
0x00489c20
0x00489c21
0x00489c27
0x00489c2c
0x00489c2e
0x00489c33
0x00489c34
0x00489c38
0x00489c41
0x00489c44
0x00489c53
0x00489c5a
0x00489c60
0x00489c6c
0x00489c73
0x00489c75
0x00489c7f
0x00489c8b
0x00489c8f
0x00489c96
0x00489c9a
0x00489ca0
0x00489cb6
0x00489cc9
0x00489ccd
0x00489cd8
0x00489cd8
0x00489c7f
0x00489cdd
0x00489ce0
0x00489ce2
0x00489ce5
0x00489ceb
0x00489cf8
0x00489cfb
0x00489d00
0x00489d02
0x00489d09
0x00489d11
0x00489d18
0x00489d1c
0x00489d21
0x00489d28
0x00489d2f
0x00489d39
0x00489d40
0x00489d4c
0x00489d55
0x00489d59
0x0048a1f8
0x0048a209
0x0048a20e
0x0048a213
0x0048a21f
0x0048a225
0x0048a22a
0x0048a22a
0x0048a231
0x0048a238
0x0048a23f
0x0048a24a
0x0048a255
0x0048a25d
0x0048a25e
0x0048a25f
0x0048a26d
0x00489d5f
0x00489d5f
0x00489d6d
0x00489d75
0x00489d82
0x00489d89
0x00489d8c
0x00489d90
0x00489d92
0x00489d9c
0x00489da0
0x00489da8
0x00489db5
0x00489dc2
0x00489dc9
0x00489dd0
0x00489dd7
0x00489dde
0x00489de7
0x00489def
0x00489e03
0x00489e18
0x00489e22
0x00489e31
0x00489e3a
0x00489f36
0x00489f45
0x00489f5c
0x00489f5f
0x00489f68
0x00489f7b
0x00489f88
0x00489f8e
0x00489f9f
0x00489fa8
0x0048a066
0x0048a071
0x0048a07a
0x0048a0e4
0x0048a0e4
0x0048a0f3
0x0048a103
0x0048a10c
0x0048a1a7
0x0048a1ad
0x0048a1b6
0x0048a1c4
0x0048a1dd
0x0048a1e5
0x0048a1ed
0x0048a1f3
0x00000000
0x0048a1f3
0x0048a112
0x0048a118
0x0048a118
0x0048a11d
0x0048a146
0x0048a146
0x0048a150
0x0048a152
0x0048a159
0x0048a171
0x0048a178
0x0048a190
0x0048a190
0x00000000
0x0048a190
0x0048a180
0x0048a185
0x0048a187
0x0048a18e
0x00000000
0x00000000
0x00000000
0x0048a18e
0x00000000
0x0048a180
0x0048a15b
0x0048a15d
0x0048a163
0x00000000
0x00000000
0x00000000
0x00000000
0x0048a165
0x0048a165
0x0048a165
0x0048a167
0x0048a169
0x0048a16f
0x0048a192
0x0048a199
0x0048a1a1
0x00000000
0x0048a1a1
0x0048a080
0x0048a091
0x0048a096
0x0048a09d
0x00000000
0x00000000
0x0048a09f
0x0048a0a6
0x0048a0be
0x0048a0c5
0x0048a0d7
0x0048a0d7
0x00000000
0x0048a0d7
0x0048a0c7
0x0048a0cc
0x0048a0ce
0x0048a0d5
0x00000000
0x00000000
0x00000000
0x0048a0d5
0x00000000
0x0048a0c7
0x0048a0a8
0x0048a0aa
0x0048a0b0
0x00000000
0x00000000
0x00000000
0x00000000
0x0048a0b2
0x0048a0b2
0x0048a0b2
0x0048a0b4
0x0048a0b6
0x0048a0d9
0x0048a0e0
0x00000000
0x0048a080
0x00489fb0
0x00489fc0
0x00489fd3
0x00489fe6
0x00489ff9
0x0048a00c
0x0048a016
0x00000000
0x00000000
0x0048a018
0x0048a01f
0x0048a03c
0x0048a043
0x0048a055
0x0048a055
0x00000000
0x0048a055
0x0048a045
0x0048a04a
0x0048a04c
0x0048a053
0x00000000
0x00000000
0x00000000
0x0048a053
0x00000000
0x0048a045
0x0048a021
0x0048a023
0x0048a029
0x00000000
0x00000000
0x0048a030
0x0048a030
0x0048a032
0x0048a034
0x0048a057
0x0048a05e
0x00000000
0x00000000
0x00000000
0x00000000
0x00489e40
0x00489e40
0x00489e43
0x00489e50
0x00489e55
0x00489e5d
0x00489e65
0x00489e68
0x00489e72
0x00489e86
0x00489e74
0x00489e74
0x00489e74
0x00489e91
0x00489e94
0x00489e9e
0x00489eb2
0x00489ea0
0x00489ea0
0x00489ea0
0x00489ebd
0x00489ecf
0x00489ee1
0x00489ee8
0x00489eea
0x00489ef1
0x00489f0c
0x00489f13
0x00489f25
0x00489f25
0x00000000
0x00489f25
0x00489f15
0x00489f1a
0x00489f1c
0x00489f23
0x00000000
0x00000000
0x00000000
0x00489f23
0x00000000
0x00489f15
0x00489ef3
0x00489ef5
0x00489efb
0x00000000
0x00000000
0x00489f00
0x00489f00
0x00489f02
0x00489f04
0x00489f0a
0x00489f27
0x00489f2e
0x00000000
0x00489e40

APIs

Part of subcall function 00485E90: GetLastError.KERNEL32(9518852C,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485EE4
Part of subcall function 00485E90: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,004AAF61,000000FF,?,00489C65,?,?,00000001), ref: 00485F1D

wsprintfA.USER32 ref: 00489C9A

Part of subcall function 00407F60: _memmove.LIBCMT ref: 00408015

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

GetLastError.KERNEL32 ref: 00489CF2
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00489D40
lstrcpyA.KERNEL32(000000D0,?), ref: 00489D89
lstrcpyA.KERNEL32(00000004,?), ref: 00489D90
lstrcpyA.KERNEL32(00000068,?), ref: 00489DA0
MapDialogRect.USER32(?,?), ref: 00489DDE
MulDiv.KERNEL32(?,000186A0,00000006), ref: 00489E09
MulDiv.KERNEL32(?,000186A0,0000000D), ref: 00489E1E
MulDiv.KERNEL32(?,?,00000004), ref: 00489E86
MulDiv.KERNEL32(?,?,00000008), ref: 00489EB2
GetClientRect.USER32 ref: 00489F45
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00489F56
CreateCompatibleDC.GDI32(00000000), ref: 00489F62
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00489F7B
SelectObject.GDI32(?,00000000), ref: 00489F8E
MulDiv.KERNEL32(?,?,00000004), ref: 00489FBE
MulDiv.KERNEL32(?,?,00000008), ref: 00489FD1
MulDiv.KERNEL32(?,?,00000004), ref: 00489FE4
MulDiv.KERNEL32(?,?,00000008), ref: 00489FF7
FillRect.USER32 ref: 0048A00C
GetDlgItem.USER32 ref: 0048A12F
DrawIcon.USER32 ref: 0048A146

Strings

DISPLAY, xrefs: 00489F51
PROP_PSKIN, xrefs: 0048A1BD
-%04x, xrefs: 00489C85

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$CreateRectlstrcpy$CompatibleFreeString$BitmapClientDialogDrawFillIconItemObjectSelect_memmovewsprintf
String ID: -%04x$DISPLAY$PROP_PSKIN
API String ID: 4259255117-337460466
Opcode ID: 699e3fec2dd89d017e5b6cf3d41b093f95551703619165cb3b4e5b9639e52c7b
Instruction ID: 70738925456c83a3d94c2be7d828d2fde00a464bb3ee72cafabbb019b9fd451b
Opcode Fuzzy Hash: 699e3fec2dd89d017e5b6cf3d41b093f95551703619165cb3b4e5b9639e52c7b
Instruction Fuzzy Hash: 1722BF31A00614EFEB21DF64C848FAEBBF1BF09304F08859AE559AB3A1D775AC54CB45

Uniqueness

Uniqueness Score: -1.00%

Function 004034E0, Relevance: 59.9, APIs: 24, Strings: 10, Instructions: 356
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E004034E0(void* __ecx, char _a4, char _a8, char _a12) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				signed int _v24;
				char _v32;
				intOrPtr _v36;
				signed int _v44;
				char _v76;
				char _v80;
				char _v84;
				char _v100;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				void* _v124;
				short _v132;
				intOrPtr _v136;
				intOrPtr _v144;
				signed int _v152;
				intOrPtr _v156;
				short _v172;
				intOrPtr _v176;
				long _v180;
				char _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				signed int _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				char _v216;
				char _v220;
				short _v224;
				intOrPtr _v228;
				intOrPtr _v236;
				char _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				short _v280;
				intOrPtr _v284;
				char _v285;
				intOrPtr* _v288;
				signed int _v292;
				char _v300;
				intOrPtr _v312;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t178;
				signed int _t180;
				void* _t183;
				intOrPtr _t187;
				void* _t192;
				intOrPtr* _t193;
				signed char _t195;
				intOrPtr _t225;
				intOrPtr* _t229;
				void* _t258;
				void* _t276;
				void* _t277;
				void* _t278;
				intOrPtr _t285;
				short* _t287;
				intOrPtr _t296;
				char _t307;
				void* _t309;
				short _t310;
				intOrPtr* _t311;
				void* _t312;
				void* _t314;
				intOrPtr* _t315;
				void* _t320;
				void* _t321;
				signed int _t328;
				signed int _t330;
				void* _t331;
				signed int _t332;
				void* _t333;

				_push(0xffffffff);
				_push(0x4ac8a4);
				_push( *[fs:0x0]);
				_t330 = (_t328 & 0xfffffff8) - 0x110;
				_t178 =  *0x4d7e88; // 0x9518852c
				_v24 = _t178 ^ _t330;
				_push(_t276);
				_t180 =  *0x4d7e88; // 0x9518852c
				_push(_t180 ^ _t330);
				 *[fs:0x0] =  &_v16;
				_t309 = __ecx;
				_t183 = _a4;
				_v276 = 0;
				_t314 = GetLastError;
				_v280 = _t183;
				_v268 = _t183;
				_v264 = 0x4c2f50;
				_v224 = 0x4c3454;
				_v220 = GetLastError();
				_v8 = 0;
				if(_t309 == 0) {
					_t310 = 0;
					__eflags = 0;
				} else {
					_t310 = _t309 + 4;
				}
				_push(0xffffffff);
				_v240 = 7;
				_v244 = 0;
				_v260 = 0;
				E00406630(_t276,  &_v260, _t310, _t310, 0);
				_t187 = _v236;
				_t277 = SetLastError;
				_v248 = 0;
				_v244 = 0;
				_v240 = 0;
				_t19 = _t187 + 4; // 0x4
				_t21 =  *_t19 + 0x50; // 0x4c3454
				SetLastError( *(_t330 + _t21));
				_t22 =  &_v300; // 0x4c3454
				_v20 = 1;
				_v300 = 0x5c;
				_v312 = E004056D0( &_v272, _t22, 0xffffffff, 1);
				if(_v268 < 3) {
					L7:
					_t192 = E00404C00( &_v268,  &_v172, 0);
					_v20 = 2;
					_t193 = _t192 + 4;
					_v288 = 1;
					__eflags =  *((intOrPtr*)(_t193 + 0x14)) - 8;
					if( *((intOrPtr*)(_t193 + 0x14)) >= 8) {
						_t193 =  *_t193;
					}
					goto L9;
				} else {
					_t307 = _v264;
					_t273 =  >=  ? _t307 :  &_v264;
					_t337 =  *((short*)( >=  ? _t307 :  &_v264)) - 0x5c;
					if( *((short*)( >=  ? _t307 :  &_v264)) != 0x5c) {
						goto L7;
					}
					_t275 =  >=  ? _t307 :  &_v264;
					if( *((short*)(( >=  ? _t307 :  &_v264) + 2)) != 0x5c) {
						goto L7;
					} else {
						_t193 = 0x4c2d7c;
						L9:
						E00402CE0(_t193,  &_v285, 1);
						_v24 = 4;
						_t311 = __imp__#6;
						if((_v292 & 0x00000001) != 0) {
							 *( &_v132 +  *((intOrPtr*)(_v132 + 4))) = GetLastError();
							L0045A7D5(_v144);
							_t330 = _t330 + 4;
							 *_t311(_v136);
							if(_v152 >= 8) {
								 *_t311(_v172);
							}
							_v172 = 0;
							_v152 = 7;
							_v156 = 0;
							SetLastError( *(_t330 +  *((intOrPtr*)(_v176 + 4)) + 0x88));
							_t314 = GetLastError;
						}
						_t195 = _v292;
						_t285 = _v104;
						_v276 = _t285;
						if(_t195 == 0xffffffff || _t195 < _t285) {
							_push(0xffffffff);
							E00406630(_t277,  &_v264, _t311,  &_v120, 0);
							goto L22;
						} else {
							_t258 = E00404580( &_v76, 0, _t195 + 1);
							_v24 = 5;
							if(_t258 == 0) {
								_t259 = 0;
								__eflags = 0;
								L19:
								_push(0xffffffff);
								E00406630(_t277,  &_v264, _t311, _t259, 0);
								L20:
								_v16 = 4;
								E00401A60( &_v80);
								L22:
								if(_a8 == 0) {
									_t348 = _v252 - _v280 + 1;
									if(_v252 > _v280 + 1) {
										E00404AB0( &_v272, _t348,  &_v80);
										E00401A60( &_v84);
									}
								}
								if(_a12 != 0) {
									_v224 = 0x4c2f78;
									_v184 = 0x4c2fa8;
									_v180 = GetLastError();
									_v16 = 6;
									_push(0);
									_push(0x4c2d7c);
									_v200 = 7;
									_v204 = 0;
									_v220 = 0;
									E00406EB0(_t277,  &_v220, _t311, _t314);
									_t225 = _v192;
									_v204 = 0;
									_v200 = 0;
									_v196 = 0;
									_t89 = _t225 + 4; // 0x4
									SetLastError( *(_t330 +  *_t89 + 0x80));
									_v24 = 7;
									_t321 = E00404C00( &_v280,  &_v184, 0);
									_v32 = 8;
									if(_t321 == 0) {
										_t229 = 0;
										__eflags = 0;
									} else {
										_t96 = _t321 + 4; // 0x4
										_t229 = _t96;
									}
									_t296 =  *((intOrPtr*)(_t229 + 0x10));
									if( *((intOrPtr*)(_t229 + 0x14)) >= 8) {
										_t229 =  *_t229;
									}
									if(E004068B0( &_v264, _t229, 0, _t296) != 0xffffffff) {
										_push(0xffffffff);
										E004070A0(_t277,  &_v264, _t321, _t230,  *((intOrPtr*)(_t321 + 0x14)),  &_v216, 0);
									}
									 *( &_v132 +  *((intOrPtr*)(_v132 + 4))) = GetLastError();
									L0045A7D5(_v144);
									_t333 = _t330 + 4;
									 *_t311(_v136);
									if(_v152 >= 8) {
										 *_t311(_v172);
									}
									_v172 = 0;
									_v152 = 7;
									_v156 = 0;
									SetLastError( *(_t333 +  *((intOrPtr*)(_v176 + 4)) + 0x88));
									 *((intOrPtr*)( &_v184 +  *((intOrPtr*)(_v184 + 4)))) = GetLastError();
									L0045A7D5(_v196);
									_t330 = _t333 + 4;
									 *_t311(_v188);
									if(_v204 >= 8) {
										 *_t311(_v224);
									}
									_v224 = 0;
									_v204 = 7;
									_v208 = 0;
									SetLastError( *(_t330 +  *((intOrPtr*)(_v228 + 4)) + 0x58));
								}
								_t315 = _v288;
								 *_t315 = 0x4c2f50;
								 *((intOrPtr*)(_t315 + 0x28)) = 0x4c3454;
								 *((intOrPtr*)(_t315 + 0x2c)) = GetLastError();
								_t134 = _t315 + 4; // 0x4c3458
								_t287 = _t134;
								_v16 = 9;
								 *((intOrPtr*)(_t287 + 0x14)) = 7;
								 *((intOrPtr*)(_t287 + 0x10)) = 0;
								 *_t287 = 0;
								E00406630(_t277, _t287, _t311,  &_v268, 0);
								 *((intOrPtr*)(_t315 + 0x1c)) = 0;
								 *((intOrPtr*)(_t315 + 0x20)) = 0;
								 *((intOrPtr*)(_t315 + 0x24)) = 0;
								_t142 = _t315 + 0x28; // 0x0
								_t143 =  *_t142 + 4; // 0x4
								SetLastError( *( *_t143 + _t315 + 0x28));
								 *((intOrPtr*)( &_v100 +  *((intOrPtr*)(_v100 + 4)))) = GetLastError();
								L0045A7D5(_v112);
								_t331 = _t330 + 4;
								 *_t311(_v104, 0xffffffff);
								if(_v120 >= 8) {
									 *_t311(_v132);
								}
								_v132 = 0;
								_v112 = 7;
								_v116 = 0;
								SetLastError( *(_t331 +  *((intOrPtr*)(_v136 + 4)) + 0xb8));
								 *((intOrPtr*)( &_v240 +  *((intOrPtr*)(_v240 + 4)))) = GetLastError();
								L0045A7D5(_v252);
								_t332 = _t331 + 4;
								 *_t311(_v244);
								if(_v260 >= 8) {
									 *_t311(_v280);
								}
								_v260 = 7;
								_v264 = 0;
								_v280 = 0;
								SetLastError( *(_t332 +  *((intOrPtr*)(_v284 + 4)) + 0x28));
								 *[fs:0x0] = _v36;
								_pop(_t312);
								_pop(_t320);
								_pop(_t278);
								return E0045A457(_t278, _v44 ^ _t332, _t307, _t312, _t320);
							}
							_t259 = _t258 + 4;
							if( &_v264 == _t258 + 4) {
								goto L20;
							}
							goto L19;
						}
					}
				}
			}

0x004034e6
0x004034e8
0x004034f3
0x004034f4
0x004034fa
0x00403501
0x00403508
0x0040350b
0x00403512
0x0040351a
0x00403520
0x00403522
0x00403525
0x0040352d
0x00403533
0x00403537
0x0040353b
0x00403543
0x0040354d
0x00403551
0x0040355e
0x00403565
0x00403565
0x00403560
0x00403560
0x00403560
0x00403569
0x00403571
0x00403579
0x00403581
0x00403586
0x0040358b
0x0040358f
0x00403595
0x0040359d
0x004035a5
0x004035ad
0x004035b0
0x004035b4
0x004035ba
0x004035be
0x004035ce
0x004035e0
0x004035e4
0x00403616
0x00403624
0x00403629
0x00403631
0x00403634
0x0040363c
0x00403640
0x00403642
0x00403642
0x00000000
0x004035e6
0x004035ea
0x004035f5
0x004035f8
0x004035fc
0x00000000
0x00000000
0x00403605
0x0040360d
0x00000000
0x0040360f
0x0040360f
0x00403644
0x00403653
0x00403658
0x00403668
0x0040366e
0x0040368e
0x00403697
0x0040369c
0x004036a6
0x004036b0
0x004036b9
0x004036b9
0x004036bd
0x004036cc
0x004036d7
0x004036ec
0x004036ee
0x004036ee
0x004036f4
0x004036f8
0x004036ff
0x00403706
0x00403760
0x00403770
0x00000000
0x0040370c
0x0040371c
0x00403721
0x0040372b
0x0040373a
0x0040373a
0x0040373c
0x0040373c
0x00403745
0x0040374a
0x00403751
0x00403759
0x00403775
0x00403779
0x00403780
0x00403784
0x00403792
0x0040379e
0x0040379e
0x00403784
0x004037a7
0x004037ad
0x004037b5
0x004037c2
0x004037cb
0x004037d3
0x004037d4
0x004037dd
0x004037e5
0x004037ed
0x004037f2
0x004037f7
0x004037fe
0x00403806
0x0040380e
0x00403816
0x00403820
0x00403830
0x0040383d
0x0040383f
0x00403849
0x00403850
0x00403850
0x0040384b
0x0040384b
0x0040384b
0x0040384b
0x00403856
0x00403859
0x0040385b
0x0040385b
0x0040386d
0x0040386f
0x00403880
0x00403880
0x0040389f
0x004038a8
0x004038ad
0x004038b7
0x004038c1
0x004038ca
0x004038ca
0x004038ce
0x004038dd
0x004038e8
0x004038fd
0x00403918
0x0040391e
0x00403923
0x0040392a
0x00403931
0x00403937
0x00403937
0x0040393b
0x00403944
0x0040394c
0x0040395b
0x0040395b
0x0040395d
0x00403961
0x00403967
0x00403974
0x00403977
0x00403977
0x0040397a
0x00403986
0x0040398d
0x00403995
0x0040399d
0x004039a2
0x004039a9
0x004039b0
0x004039b7
0x004039ba
0x004039c1
0x004039dc
0x004039e5
0x004039ea
0x004039f4
0x004039fe
0x00403a07
0x00403a07
0x00403a0b
0x00403a1a
0x00403a25
0x00403a3a
0x00403a4f
0x00403a55
0x00403a5a
0x00403a61
0x00403a68
0x00403a6e
0x00403a6e
0x00403a76
0x00403a7e
0x00403a86
0x00403a92
0x00403a9f
0x00403aa7
0x00403aa8
0x00403aa9
0x00403abb
0x00403abb
0x0040372d
0x00403736
0x00000000
0x00000000
0x00000000
0x00403738
0x00403706
0x0040360d

APIs

GetLastError.KERNEL32 ref: 0040354B
SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 004035B4
SysFreeString.OLEAUT32(?), ref: 004036A6
SysFreeString.OLEAUT32(?), ref: 004036B9
SetLastError.KERNEL32(?), ref: 004036EC

Part of subcall function 00404C00: GetLastError.KERNEL32 ref: 00404C5F
Part of subcall function 00404C00: SetLastError.KERNEL32(T4L), ref: 00404C97
Part of subcall function 00404C00: GetLastError.KERNEL32(00000000,00000000,000000FF,00000007,00000000,00000000,T4L,00000002,00000001), ref: 00404D70

GetLastError.KERNEL32(00000000,00000000,000000FF,-00000004,?,00000001,?,00000000,T4L,000000FF,00000001), ref: 004037C0
SetLastError.KERNEL32(004C2FA8,004C2D7C,00000000), ref: 00403820
SysFreeString.OLEAUT32(?), ref: 004038B7
SysFreeString.OLEAUT32(?), ref: 004038CA
SetLastError.KERNEL32(?), ref: 004038FD
GetLastError.KERNEL32 ref: 00403912
SysFreeString.OLEAUT32(?), ref: 0040392A
SysFreeString.OLEAUT32(?), ref: 00403937
SetLastError.KERNEL32(?), ref: 0040395B
GetLastError.KERNEL32(00000000,00000000,000000FF,-00000004,?,00000001,?,00000000,T4L,000000FF,00000001), ref: 0040396E
SetLastError.KERNEL32(004C3454,?,00000000,000000FF), ref: 004039C1
GetLastError.KERNEL32 ref: 004039D6
SysFreeString.OLEAUT32(?), ref: 004039F4
SysFreeString.OLEAUT32(?), ref: 00403A07
SetLastError.KERNEL32(?), ref: 00403A3A
GetLastError.KERNEL32 ref: 00403A49
SysFreeString.OLEAUT32(?), ref: 00403A61
SysFreeString.OLEAUT32(?), ref: 00403A6E
SetLastError.KERNEL32(?), ref: 00403A92

Strings

T4L, xrefs: 0040395D
|-L, xrefs: 0040360F
T4L, xrefs: 004034E0
P/L, xrefs: 004035E6
x/L, xrefs: 004037AD
T4L, xrefs: 004035B0
\, xrefs: 004035CE
T4L, xrefs: 00403967
T4L, xrefs: 0040358B
T4L, xrefs: 004035BA, 004035C9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L$T4L$T4L$T4L$\$x/L$|-L
API String ID: 2425351278-287230183
Opcode ID: 56883721c9be912f890d81e5cbbc93743505d3d47445bc7f9bbc895427947d14
Instruction ID: 53b28444c9a5f6a0617d672a815299116ac8577a540bc7507e3a6f2d8aaabfa0
Opcode Fuzzy Hash: 56883721c9be912f890d81e5cbbc93743505d3d47445bc7f9bbc895427947d14
Instruction Fuzzy Hash: E0F13A71508380DFD720DF25C844B9BBBE4BF89318F10892EE499972A1DB75E948CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00437C63, Relevance: 52.7, APIs: 28, Strings: 2, Instructions: 175
stringCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00437C63(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t75;
				int _t78;
				signed short _t87;
				signed int _t88;
				int _t101;
				struct HDC__* _t107;
				long _t119;
				int _t122;
				struct HWND__* _t141;
				signed int _t145;
				void* _t152;
				void* _t155;
				intOrPtr _t157;
				void* _t159;
				struct HBRUSH__* _t160;
				void* _t161;

				_t152 = __edx;
				_push(0x19c);
				E0045B8C9(0x4a6069, __ebx, __edi, __esi);
				_t157 = __ecx;
				 *((intOrPtr*)(_t161 - 0x1a4)) = __ecx;
				_t75 =  *(__ecx + 4);
				 *(_t161 - 0x150) = _t75;
				BeginPaint(_t75, _t161 - 0x190);
				_t155 = 0;
				 *((intOrPtr*)(_t161 - 4)) = 0;
				_t141 = GetDlgItem( *(_t157 + 4), 0xd9);
				_t78 = IsWindow(_t141);
				_t165 = _t78;
				if(_t78 != 0) {
					 *(_t161 - 0x14c) = 0;
					E0045A4D0(_t161 - 0x148, 0, 0x58);
					_push( *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0xc)) + 4)) + 0x25c)) + 0x44) & 0x0000ffff);
					_t87 = E0040CF3D(_t141,  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t157 + 0xc)) + 4)) + 0x25c)), _t152, 0, _t157, _t165);
					_t88 = GetDeviceCaps( *(_t161 - 0x190), 0x5a);
					_t145 = 0xffffffb8;
					asm("cdq");
					_push(0);
					 *((intOrPtr*)(_t161 - 0x13c)) = 0x190;
					 *((intOrPtr*)(_t161 - 0xf0)) = 0x4c2fa0;
					 *((intOrPtr*)(_t161 - 0xc8)) = 0x4c2f40;
					 *(_t161 - 0x14c) = _t88 * (_t87 & 0x0000ffff) / _t145;
					_push(_t161 - 0x199);
					_push(L"MS Sans Serif");
					E00408F6D(_t141, _t161 - 0xf0, 0, _t87 & 0x0000ffff, _t165);
					_t94 =  >=  ?  *((void*)(_t161 - 0xec)) : _t161 - 0xec;
					lstrcpyW(_t161 - 0x130,  >=  ?  *((void*)(_t161 - 0xec)) : _t161 - 0xec);
					E00401B80(_t161 - 0xf0);
					 *(_t161 - 0x198) = 0;
					_t159 = CreateFontIndirectW(_t161 - 0x14c);
					if(_t159 != 0) {
						E0043956A(_t161 - 0x198);
						_t155 = _t159;
						 *(_t161 - 0x198) = _t155;
					}
					_t160 = 0;
					 *(_t161 - 0x1a0) = 0;
					_t101 = CreateSolidBrush(GetSysColor(0xf));
					 *(_t161 - 0x194) = _t101;
					if(_t101 != 0) {
						E00439550(_t161 - 0x1a0);
						_t160 =  *(_t161 - 0x194);
						 *(_t161 - 0x1a0) = _t160;
					}
					LoadStringW( *( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t161 - 0x1a4)) + 0xc)) + 4)) + 0x268), 0x73e, _t161 - 0xb0, 0xa0);
					_t107 =  *(_t161 - 0x190);
					 *(_t161 - 0x1a8) = _t107;
					 *(_t161 - 0x194) = SaveDC(_t107);
					SelectObject( *(_t161 - 0x190), _t160);
					SelectObject( *(_t161 - 0x190), _t155);
					FillRect( *(_t161 - 0x190), _t161 - 0x188, _t160);
					GetWindowRect(_t141, _t161 - 0xc0);
					MapWindowPoints(0,  *( *((intOrPtr*)(_t161 - 0x1a4)) + 4), _t161 - 0xc0, 2);
					SetBkMode( *(_t161 - 0x190), 1);
					_t119 = GetSysColor(0x14);
					_t155 = SetTextColor;
					SetTextColor( *(_t161 - 0x190), _t119);
					_t157 = lstrlenW;
					_t122 = lstrlenW(_t161 - 0xb0);
					_t141 = TextOutW;
					TextOutW( *(_t161 - 0x190),  *(_t161 - 0xc0),  *(_t161 - 0xbc), _t161 - 0xb0, _t122);
					SetTextColor( *(_t161 - 0x190), GetSysColor(0x10));
					TextOutW( *(_t161 - 0x190),  *(_t161 - 0xc0) - 1,  *(_t161 - 0xbc) - 1, _t161 - 0xb0, lstrlenW(_t161 - 0xb0));
					RestoreDC( *(_t161 - 0x1a8),  *(_t161 - 0x194));
					E00439550(_t161 - 0x1a0);
					E0043956A(_t161 - 0x198);
				}
				EndPaint( *(_t161 - 0x150), _t161 - 0x190);
				return E0045B878(_t141, _t155, _t157);
			}

0x00437c63
0x00437c63
0x00437c6d
0x00437c72
0x00437c74
0x00437c7a
0x00437c85
0x00437c8b
0x00437c99
0x00437c9b
0x00437ca4
0x00437ca7
0x00437cad
0x00437caf
0x00437cbf
0x00437cc5
0x00437cdd
0x00437cde
0x00437cee
0x00437cf9
0x00437cfa
0x00437cfd
0x00437d04
0x00437d0e
0x00437d18
0x00437d22
0x00437d2e
0x00437d2f
0x00437d34
0x00437d46
0x00437d55
0x00437d61
0x00437d6d
0x00437d79
0x00437d7d
0x00437d85
0x00437d8a
0x00437d8c
0x00437d8c
0x00437d92
0x00437d96
0x00437da3
0x00437da9
0x00437db1
0x00437db9
0x00437dbe
0x00437dc4
0x00437dc4
0x00437ded
0x00437df3
0x00437dfa
0x00437e0d
0x00437e13
0x00437e20
0x00437e34
0x00437e42
0x00437e5c
0x00437e6a
0x00437e72
0x00437e78
0x00437e85
0x00437e87
0x00437e94
0x00437e96
0x00437eb6
0x00437ec7
0x00437ef0
0x00437efe
0x00437f0a
0x00437f15
0x00437f15
0x00437f27
0x00437f32

APIs

__EH_prolog3_GS.LIBCMT ref: 00437C6D
BeginPaint.USER32(?,?,0000019C,004391EE), ref: 00437C8B
GetDlgItem.USER32 ref: 00437C9E
IsWindow.USER32(00000000), ref: 00437CA7
_memset.LIBCMT ref: 00437CC5

Part of subcall function 0040CF3D: __EH_prolog3_GS.LIBCMT ref: 0040CF47

GetDeviceCaps.GDI32(?,0000005A), ref: 00437CEE

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

lstrcpyW.KERNEL32(?,?), ref: 00437D55

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

CreateFontIndirectW.GDI32(?), ref: 00437D73
GetSysColor.USER32(0000000F), ref: 00437D9C
CreateSolidBrush.GDI32(00000000), ref: 00437DA3
LoadStringW.USER32(?,0000073E,?,000000A0), ref: 00437DED
SaveDC.GDI32(?), ref: 00437E00
SelectObject.GDI32(?,00000000), ref: 00437E13
SelectObject.GDI32(?,00000000), ref: 00437E20
FillRect.USER32 ref: 00437E34
GetWindowRect.USER32 ref: 00437E42
MapWindowPoints.USER32 ref: 00437E5C
SetBkMode.GDI32(?,00000001), ref: 00437E6A
GetSysColor.USER32(00000014), ref: 00437E72
SetTextColor.GDI32(?,00000000), ref: 00437E85
lstrlenW.KERNEL32(?), ref: 00437E94
TextOutW.GDI32(?,?,?,?,00000000), ref: 00437EB6
GetSysColor.USER32(00000010), ref: 00437EBA
SetTextColor.GDI32(?,00000000), ref: 00437EC7
lstrlenW.KERNEL32(?), ref: 00437ED0
TextOutW.GDI32(?,?,?,?,00000000), ref: 00437EF0
RestoreDC.GDI32(?,?), ref: 00437EFE
EndPaint.USER32(?,?), ref: 00437F27

Strings

@/L, xrefs: 00437D18
MS Sans Serif, xrefs: 00437D2F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Color$ErrorLastText$StringWindow$CreateFreeH_prolog3_ObjectPaintRectSelectlstrlen$BeginBrushCapsDeviceFillFontH_prolog3IndirectItemLoadModePointsRestoreSaveSolid_memsetlstrcpy
String ID: @/L$MS Sans Serif
API String ID: 1449101240-1405392024
Opcode ID: 8ffdd00555782330dc0dcd66b509c4e0a0df66e06f001afab14431aa004ad126
Instruction ID: a869d08e883939682daee22346d02ef69935202b5247ef9eedaca9d12c911eb6
Opcode Fuzzy Hash: 8ffdd00555782330dc0dcd66b509c4e0a0df66e06f001afab14431aa004ad126
Instruction Fuzzy Hash: EE710771901128AFDB219B91DC58FEABBB9FF09304F0040EAF61DA6160DB749E84CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0040971C, Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 287
threadinjectionprocessCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040971C(void* __edx, void* __eflags, char _a4) {
				signed int _v8;
				char _v16;
				signed int _v20;
				char _v514;
				short _v540;
				intOrPtr _v548;
				void* _v564;
				char _v584;
				char _v588;
				intOrPtr _v596;
				void* _v612;
				intOrPtr _v616;
				char _v632;
				char _v636;
				void* _v660;
				char _v680;
				char _v684;
				struct _CONTEXT _v1400;
				char _v1923;
				char _v2443;
				char _v2444;
				intOrPtr _v2452;
				intOrPtr _v2456;
				intOrPtr _v2460;
				intOrPtr _v2464;
				intOrPtr _v2468;
				intOrPtr _v2472;
				void* _v2476;
				char _v4524;
				void _v4528;
				char _v4529;
				struct _PROCESS_INFORMATION _v4548;
				char _v4564;
				long _v4568;
				struct _STARTUPINFOW _v4636;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t102;
				signed int _t103;
				intOrPtr* _t108;
				void* _t116;
				intOrPtr* _t120;
				void* _t152;
				void* _t156;
				void* _t188;
				char _t191;
				void* _t192;
				intOrPtr* _t198;
				signed int _t203;
				intOrPtr* _t214;
				void* _t215;
				void* _t221;
				long _t226;
				void* _t227;
				void* _t232;
				signed int _t233;
				void* _t234;
				intOrPtr* _t235;
				void* _t236;
				void* _t238;
				void* _t239;
				intOrPtr* _t241;
				void* _t242;

				_t242 = __eflags;
				_t215 = __edx;
				_push(0xffffffff);
				_push(0x4a0512);
				_push( *[fs:0x0]);
				E0045BDF0(0x120c);
				_t102 =  *0x4d7e88; // 0x9518852c
				_t103 = _t102 ^ _t233;
				_v20 = _t103;
				_push(_t103);
				 *[fs:0x0] =  &_v16;
				_v588 = 0x4c2fa0;
				_v548 = 0x4c2f40;
				E00404200( &_v588,  &_v4529, 0);
				_v8 = _v8 & 0x00000000;
				_t108 = E0040A14B( &_v588,  &_v4564, 0x104);
				_t191 = 1;
				_v8 = 1;
				 *((char*)(_t108 + 4)) = 1;
				GetModuleFileNameW(0,  *(E0040A0F0(_t108,  *_t108)), 0x104);
				_v8 = 0;
				E00409574(1,  &_v4564, 0x4c2fa0, 0x104, _t242);
				_push(0);
				_push(0);
				_push( &_v684);
				E0040A206(1,  &_v588, _t215, 0x4c2fa0, 0x104, _t242);
				_push(0xc);
				_t235 = _t234 - 0x30;
				_t198 = _t235;
				_push(0);
				_push( &_v588);
				_v8 = 2;
				 *_t198 = 0x4c2fa0;
				 *((intOrPtr*)(_t198 + 0x28)) = 0x4c2f40;
				E00408E82(1, _t198, 0x4c2fa0, 0x104, _t242);
				_t116 = E00441E34(1, _t215, 0x4c2fa0, 0x104, _t242);
				_t236 = _t235 + 0x34;
				if(_t116 != 0) {
					L3:
					_v636 = 0x4c2fa0;
					_v596 = 0x4c2f40;
					E00404200( &_v636,  &_v4529, 0);
					_v8 = 3;
					_t120 = E0040A14B( &_v636,  &_v4564, 0x104);
					_v8 = 4;
					 *((char*)(_t120 + 4)) = _t191;
					GetSystemDirectoryW( *(E0040A0F0(_t120,  *_t120)), 0x104);
					_v8 = 3;
					E00409574(_t191,  &_v4564, 0x4c2fa0, 0x104, _t245);
					if(_v616 != 0) {
						_t184 =  >=  ? _v632 :  &_v632;
						SetCurrentDirectoryW( >=  ? _v632 :  &_v632);
					}
					_t203 = 6;
					memcpy( &_v540, L"explorer.exe", _t203 << 2);
					asm("movsw");
					E0045A4D0( &_v514, 0, 0x1ee);
					_t226 = 0x44;
					_v4636.cb = _t226;
					E0045A4D0( &(_v4636.lpReserved), 0, 0x40);
					_t238 = _t236 + 0x24;
					if(CreateProcessW(0,  &_v540, 0, 0, 0, _t226, 0, 0,  &_v4636,  &_v4548) == 0) {
						L10:
						_t191 = 0;
					} else {
						_v4528 = _v4528 & 0x00000000;
						E0045A4D0( &_v4524, 0, 0xc31);
						_v2472 = WaitForSingleObject;
						_v2464 = DeleteFileW;
						_v2460 = RemoveDirectoryW;
						_v2456 = Sleep;
						_v2452 = ExitProcess;
						_v2444 = _a4;
						_t147 =  >=  ? _v584 :  &_v584;
						_v2468 = CloseHandle;
						E0045B5ED( &_v2443,  >=  ? _v584 :  &_v584, 0x104);
						_t239 = _t238 + 0x18;
						if(_a4 != 0) {
							_t180 =  >=  ? _v680 :  &_v680;
							E0045B5ED( &_v1923,  >=  ? _v680 :  &_v680, 0x104);
							_t239 = _t239 + 0xc;
						}
						_t152 = GetCurrentProcess();
						DuplicateHandle(GetCurrentProcess(), _t152, _v4548.hProcess,  &_v2476, 0, 0, 0);
						_t156 = 0x409cfe - E0040A58E;
						if(0x409cfe <= 0x800) {
							E0045A8B0( &_v4524, E0040A58E, _t156);
							_v1400.ContextFlags = 0x10003;
							GetThreadContext(_v4548.hThread,  &_v1400);
							_t232 = _v1400.Esp + 0xfffff3cb & 0xffffffe0;
							_v4528 = _t232;
							_v1400.Esp = _t232 - 4;
							_v1400.Eip = _t232 + 4;
							VirtualProtectEx(_v4548.hProcess, _t232, 0xc35, 0x40,  &_v4568);
							WriteProcessMemory(_v4548.hProcess, _t232,  &_v4528, 0xc35, 0);
							FlushInstructionCache(_v4548.hProcess, _t232, 0xc35);
							SetThreadContext(_v4548.hThread,  &_v1400);
							ResumeThread(_v4548.hThread);
							CloseHandle(_v4548.hThread);
							CloseHandle(_v4548.hProcess);
						} else {
							TerminateProcess(_v4548.hProcess, 0);
							CloseHandle(_v4548);
							CloseHandle(_v4548.hThread);
							_t177 =  >=  ? _v584 :  &_v584;
							MoveFileExW( >=  ? _v584 :  &_v584, 0, 4);
							goto L10;
						}
					}
					E00401B80( &_v636);
				} else {
					_t244 = _a4 - _t116;
					if(_a4 != _t116) {
						_push(0xc);
						_t241 = _t236 - 0x30;
						_t214 = _t241;
						_push(0);
						_push( &_v684);
						 *_t214 = 0x4c2fa0;
						 *((intOrPtr*)(_t214 + 0x28)) = 0x4c2f40;
						E00408E82(1, _t214, 0x4c2fa0, 0x104, _t244);
						_t188 = E00441E34(1, _t215, 0x4c2fa0, 0x104, _t244);
						_t236 = _t241 + 0x34;
						_t245 = _t188;
						if(_t188 != 0) {
							goto L3;
						}
					}
				}
				E00401B80( &_v684);
				E00401B80( &_v588);
				 *[fs:0x0] = _v16;
				_pop(_t221);
				_pop(_t227);
				_pop(_t192);
				return E0045A457(_t192, _v20 ^ _t233, _t215, _t221, _t227);
			}

0x0040971c
0x0040971c
0x0040971f
0x00409721
0x0040972c
0x00409732
0x00409737
0x0040973c
0x0040973e
0x00409744
0x00409748
0x00409762
0x00409768
0x00409772
0x00409777
0x0040978e
0x00409797
0x00409798
0x0040979b
0x004097a8
0x004097b4
0x004097b8
0x004097bd
0x004097bf
0x004097c7
0x004097ce
0x004097d3
0x004097d5
0x004097d8
0x004097da
0x004097e2
0x004097e3
0x004097e7
0x004097e9
0x004097f0
0x004097f5
0x004097fa
0x004097ff
0x00409838
0x00409847
0x0040984d
0x00409857
0x0040986a
0x0040986e
0x00409875
0x00409879
0x00409884
0x00409890
0x00409894
0x004098a0
0x004098af
0x004098b7
0x004098b7
0x004098bf
0x004098cb
0x004098db
0x004098dd
0x004098e4
0x004098f0
0x004098f6
0x004098fb
0x00409924
0x00409a59
0x00409a59
0x0040992a
0x0040992a
0x0040993f
0x00409956
0x00409961
0x0040996c
0x00409977
0x00409982
0x0040998b
0x00409997
0x004099ac
0x004099b2
0x004099b7
0x004099be
0x004099cd
0x004099dd
0x004099e2
0x004099e2
0x004099fd
0x00409a03
0x00409a13
0x00409a1a
0x00409aa1
0x00409ab6
0x00409ac0
0x00409ad2
0x00409ad5
0x00409ade
0x00409ae7
0x00409b02
0x00409b1d
0x00409b2f
0x00409b42
0x00409b4e
0x00409b5a
0x00409b62
0x00409a1c
0x00409a24
0x00409a30
0x00409a38
0x00409a49
0x00409a53
0x00000000
0x00409a53
0x00409a1a
0x00409a61
0x00409801
0x00409801
0x00409804
0x0040980a
0x0040980c
0x0040980f
0x00409811
0x00409819
0x0040981a
0x0040981c
0x00409823
0x00409828
0x0040982d
0x00409830
0x00409832
0x00000000
0x00000000
0x00409832
0x00409804
0x00409a6c
0x00409a77
0x00409a81
0x00409a89
0x00409a8a
0x00409a8b
0x00409a97

APIs

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 004097A8

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 00409884
SetCurrentDirectoryW.KERNEL32(?), ref: 004098B7
_memset.LIBCMT ref: 004098DD
_memset.LIBCMT ref: 004098F6
CreateProcessW.KERNEL32 ref: 0040991C
_memset.LIBCMT ref: 0040993F
_wcsncpy.LIBCMT ref: 004099B2

Part of subcall function 00441E34: GetLastError.KERNEL32 ref: 00441ED3
Part of subcall function 00441E34: GetLastError.KERNEL32 ref: 00441F92
Part of subcall function 00441E34: __CxxThrowException@8.LIBCMT ref: 00442002

_wcsncpy.LIBCMT ref: 004099DD
GetCurrentProcess.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004099FD
GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A00
DuplicateHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A03
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A24
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A30
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00409A38
MoveFileExW.KERNEL32(?,00000000,00000004), ref: 00409A53
_memmove.LIBCMT ref: 00409AA1
GetThreadContext.KERNEL32 ref: 00409AC0
VirtualProtectEx.KERNEL32(?,?,00000C35,00000040,?), ref: 00409B02
WriteProcessMemory.KERNEL32(?,?,?,00000C35,00000000), ref: 00409B1D
FlushInstructionCache.KERNEL32(?,?,00000C35), ref: 00409B2F
SetThreadContext.KERNEL32(?,00010003), ref: 00409B42
ResumeThread.KERNEL32(?), ref: 00409B4E
CloseHandle.KERNEL32(?), ref: 00409B5A
CloseHandle.KERNEL32(?), ref: 00409B62

Strings

@/L, xrefs: 0040984D
@/L, xrefs: 00409768
explorer.exe, xrefs: 004098C0
@/L, xrefs: 0040981C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$HandleProcess$Close$CurrentH_prolog3_Thread_memset$ContextDirectoryFileString_wcsncpy$AllocCacheCreateDuplicateException@8FlushH_prolog3InstructionMemoryModuleMoveNameProtectResumeSystemTerminateThrowVirtualWrite_memmove
String ID: @/L$@/L$@/L$explorer.exe
API String ID: 3542506763-3744986830
Opcode ID: 83c6ae8b79bbbc8214795928a5ba19c2c8e8c667a72215abff7e68fb8a218bf3
Instruction ID: f51911a9ddecf8f95a698078a3ab9431c8a2878545a22eec0a50bb54fcfc93b8
Opcode Fuzzy Hash: 83c6ae8b79bbbc8214795928a5ba19c2c8e8c667a72215abff7e68fb8a218bf3
Instruction Fuzzy Hash: ABC13C71900228AFEB25DB65CC49FDABBB8EF05344F0041EAF909A71A1DB745E84CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00403080, Relevance: 49.3, APIs: 24, Strings: 4, Instructions: 292
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00403080(void* __ecx, short _a4) {
				char _v8;
				char _v16;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				short _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				short _v124;
				char _v128;
				short _v132;
				short _v136;
				char _v138;
				short _v140;
				char _v144;
				char _v145;
				intOrPtr* _v148;
				char _v149;
				char _v150;
				void* _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t150;
				signed int _t152;
				short _t155;
				intOrPtr _t159;
				intOrPtr _t161;
				char _t164;
				void* _t173;
				intOrPtr* _t174;
				void* _t211;
				void* _t230;
				void* _t231;
				void* _t232;
				void* _t233;
				signed int _t236;
				intOrPtr _t239;
				short* _t241;
				char _t253;
				void* _t255;
				intOrPtr* _t256;
				void* _t257;
				void* _t259;
				short _t260;
				intOrPtr* _t265;
				void* _t268;
				signed int _t273;
				signed int _t275;
				void* _t276;
				void* _t277;
				signed int _t278;

				_push(0xffffffff);
				_push(0x4aca29);
				_push( *[fs:0x0]);
				_t275 = (_t273 & 0xfffffff8) - 0x78;
				_t150 =  *0x4d7e88; // 0x9518852c
				_v24 = _t150 ^ _t275;
				_push(_t231);
				_t152 =  *0x4d7e88; // 0x9518852c
				_push(_t152 ^ _t275);
				 *[fs:0x0] =  &_v16;
				_t259 = __ecx;
				_t155 = _a4;
				_v128 = 0;
				_t255 = GetLastError;
				_v132 = _t155;
				_v124 = _t155;
				_v72 = 0x4c2f50;
				_v32 = 0x4c3454;
				_v28 = GetLastError();
				_v8 = 0;
				if(_t259 == 0) {
					_t260 = 0;
					__eflags = 0;
				} else {
					_t260 = _t259 + 4;
				}
				_push(0xffffffff);
				_v48 = 7;
				_v52 = 0;
				_v68 = 0;
				E00406630(_t231,  &_v68, _t255, _t260, 0);
				_t159 = _v44;
				_t232 = SetLastError;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_t19 = _t159 + 4; // 0x4
				_t21 =  *_t19 + 0x78; // 0x4c3454
				SetLastError( *(_t275 + _t21));
				_v20 = 1;
				_t161 = _v64;
				_t236 = _t161 - 1;
				if(_t161 == 0 || _t236 >= _t161) {
					_v138 = 0;
				} else {
					_t230 =  >=  ? _v72 :  &_v72;
					_t283 =  *((short*)(_t230 + _t236 * 2)) - 0x5c;
					_v138 =  *((short*)(_t230 + _t236 * 2)) == 0x5c;
				}
				E00404AB0( &_v76, _t283,  &_v124);
				_t164 = _v88;
				_t262 =  &_v88 +  *((intOrPtr*)(_t164 + 4));
				 *((intOrPtr*)( &_v88 +  *((intOrPtr*)(_t164 + 4)))) = GetLastError();
				L0045A7D5(_v100);
				_t256 = __imp__#6;
				_t276 = _t275 + 4;
				 *_t256(_v92);
				if(_v108 >= 8) {
					 *_t256(_v124);
				}
				_v124 = 0;
				_v104 = 7;
				_v108 = 0;
				SetLastError( *(_t276 +  *((intOrPtr*)(_v128 + 4)) + 0x20));
				_t173 = E00404C00( &_v80,  &_v128, 0);
				_v24 = 2;
				_v144 = 1;
				if(_t173 == 0) {
					_t174 = 0;
					__eflags = 0;
				} else {
					_t174 = _t173 + 4;
				}
				_t239 =  *((intOrPtr*)(_t174 + 0x10));
				if( *((intOrPtr*)(_t174 + 0x14)) >= 8) {
					_t174 =  *_t174;
				}
				_push(_t239);
				if(E004086E0(_t232,  &_v76, _t256, _t262, 0, _v60, _t174) != 0) {
					L19:
					_v145 = 1;
				} else {
					if(_v64 < 3) {
						L18:
						_v145 = 0;
					} else {
						_t253 = _v80;
						_t225 =  >=  ? _t253 :  &_v80;
						_t290 =  *((short*)( >=  ? _t253 :  &_v80)) - 0x5c;
						if( *((short*)( >=  ? _t253 :  &_v80)) != 0x5c) {
							goto L18;
						} else {
							_t227 =  >=  ? _t253 :  &_v80;
							if( *((short*)(( >=  ? _t253 :  &_v80) + 2)) == 0x5c) {
								goto L19;
							} else {
								goto L18;
							}
						}
					}
				}
				_v20 = 1;
				 *((intOrPtr*)( &_v92 +  *((intOrPtr*)(_v92 + 4)))) = GetLastError();
				L0045A7D5(_v104);
				_t277 = _t276 + 4;
				 *_t256(_v96);
				if(_v112 >= 8) {
					 *_t256(_v132);
				}
				_v132 = 0;
				_v112 = 7;
				_v116 = 0;
				SetLastError( *(_t277 +  *((intOrPtr*)(_v136 + 4)) + 0x20));
				if(_v149 != 0) {
					_t211 = E00404640( &_v88, _t253,  &_v136, 0);
					_v32 = 3;
					if(_t211 == 0) {
						_t212 = 0;
						__eflags = 0;
						goto L27;
					} else {
						_t212 = _t211 + 4;
						if( &_v84 != _t211 + 4) {
							L27:
							_push(0xffffffff);
							E00406630(_t232,  &_v84, _t256, _t212, 0);
						}
					}
					_v28 = 1;
					 *((intOrPtr*)( &_v100 +  *((intOrPtr*)(_v100 + 4)))) = GetLastError();
					L0045A7D5(_v112);
					_t277 = _t277 + 4;
					 *_t256(_v104);
					if(_v120 >= 8) {
						 *_t256(_v140);
					}
					_v140 = 0;
					_v120 = 7;
					_v124 = 0;
					SetLastError( *(_t277 +  *((intOrPtr*)(_v144 + 4)) + 0x20));
				}
				_t299 = _v150;
				if(_v150 != 0) {
					E00404960( &_v88, _t299,  &_v136);
					 *((intOrPtr*)( &_v100 +  *((intOrPtr*)(_v100 + 4)))) = GetLastError();
					L0045A7D5(_v112);
					_t277 = _t277 + 4;
					 *_t256(_v104);
					if(_v120 >= 8) {
						 *_t256(_v136);
					}
					_v136 = 0;
					_v116 = 7;
					_v120 = 0;
					SetLastError( *(_t277 +  *((intOrPtr*)(_v140 + 4)) + 0x20));
				}
				_t265 = _v148;
				 *_t265 = 0x4c2f50;
				 *((intOrPtr*)(_t265 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t265 + 0x2c)) = GetLastError();
				_t241 = _t265 + 4;
				_v24 = 4;
				 *((intOrPtr*)(_t241 + 0x14)) = 7;
				 *((intOrPtr*)(_t241 + 0x10)) = 0;
				 *_t241 = 0;
				E00406630(_t232, _t241, _t256,  &_v84, 0);
				 *((intOrPtr*)(_t265 + 0x1c)) = 0;
				 *((intOrPtr*)(_t265 + 0x20)) = 0;
				 *((intOrPtr*)(_t265 + 0x24)) = 0;
				_t129 =  *((intOrPtr*)(_t265 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t129 + _t265 + 0x28));
				 *((intOrPtr*)( &_v60 +  *((intOrPtr*)(_v60 + 4)))) = GetLastError();
				L0045A7D5(_v72);
				_t278 = _t277 + 4;
				 *_t256(_v64, 0xffffffff);
				if(_v80 >= 8) {
					 *_t256(_v92);
				}
				_v72 = 7;
				_v76 = 0;
				_v92 = 0;
				SetLastError( *(_t278 +  *((intOrPtr*)(_v96 + 4)) + 0x50));
				 *[fs:0x0] = _v40;
				_pop(_t257);
				_pop(_t268);
				_pop(_t233);
				return E0045A457(_t233, _v48 ^ _t278, _t253, _t257, _t268);
			}

0x00403086
0x00403088
0x00403093
0x00403094
0x00403097
0x0040309e
0x004030a2
0x004030a5
0x004030ac
0x004030b4
0x004030ba
0x004030bc
0x004030bf
0x004030c7
0x004030cd
0x004030d1
0x004030d5
0x004030dd
0x004030e7
0x004030eb
0x004030f8
0x004030ff
0x004030ff
0x004030fa
0x004030fa
0x004030fa
0x00403103
0x0040310b
0x00403113
0x0040311b
0x00403120
0x00403125
0x00403129
0x0040312f
0x00403137
0x0040313f
0x00403147
0x0040314a
0x0040314e
0x00403150
0x0040315b
0x0040315f
0x00403164
0x00403184
0x0040316a
0x00403173
0x00403178
0x0040317d
0x0040317d
0x00403192
0x00403197
0x004031a2
0x004031a6
0x004031ac
0x004031b1
0x004031b7
0x004031be
0x004031c5
0x004031cb
0x004031cb
0x004031cf
0x004031d8
0x004031e0
0x004031ef
0x004031fc
0x00403201
0x00403209
0x00403213
0x0040321a
0x0040321a
0x00403215
0x00403215
0x00403215
0x00403220
0x00403223
0x00403225
0x00403225
0x00403227
0x0040323a
0x00403273
0x00403273
0x0040323c
0x00403241
0x0040326c
0x0040326c
0x00403243
0x00403247
0x00403252
0x00403255
0x00403259
0x00000000
0x0040325b
0x00403262
0x0040326a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040326a
0x00403259
0x00403241
0x00403278
0x00403296
0x0040329c
0x004032a1
0x004032a8
0x004032af
0x004032b5
0x004032b5
0x004032b9
0x004032c2
0x004032ca
0x004032d9
0x004032e0
0x004032f1
0x004032f6
0x00403300
0x0040330f
0x0040330f
0x00000000
0x00403302
0x00403302
0x0040330b
0x00403311
0x00403311
0x0040331a
0x0040331a
0x0040330b
0x0040331f
0x0040333a
0x00403340
0x00403345
0x0040334c
0x00403353
0x00403359
0x00403359
0x0040335d
0x00403366
0x0040336e
0x0040337d
0x0040337d
0x0040337f
0x00403384
0x0040338f
0x004033a7
0x004033ad
0x004033b2
0x004033b9
0x004033c0
0x004033c6
0x004033c6
0x004033ca
0x004033d3
0x004033db
0x004033ea
0x004033ea
0x004033ec
0x004033f0
0x004033f6
0x00403403
0x00403406
0x00403409
0x00403415
0x0040341c
0x00403424
0x0040342c
0x00403431
0x00403438
0x0040343f
0x00403449
0x00403450
0x00403465
0x0040346b
0x00403470
0x00403477
0x0040347e
0x00403484
0x00403484
0x0040348c
0x00403494
0x0040349c
0x004034a8
0x004034b5
0x004034bd
0x004034be
0x004034bf
0x004034ce

APIs

GetLastError.KERNEL32 ref: 004030E5
SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040314E
GetLastError.KERNEL32(?), ref: 004031A4
SysFreeString.OLEAUT32(?), ref: 004031BE
SysFreeString.OLEAUT32(?), ref: 004031CB
SetLastError.KERNEL32(?), ref: 004031EF
GetLastError.KERNEL32(00000000,?,00000000,?), ref: 00403290
SysFreeString.OLEAUT32(?), ref: 004032A8
SysFreeString.OLEAUT32(?), ref: 004032B5
SetLastError.KERNEL32(?), ref: 004032D9
GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 00403334
SysFreeString.OLEAUT32(?), ref: 0040334C
SysFreeString.OLEAUT32(?), ref: 00403359
SetLastError.KERNEL32(?), ref: 0040337D
GetLastError.KERNEL32(?), ref: 004033A1
SysFreeString.OLEAUT32(?), ref: 004033B9
SysFreeString.OLEAUT32(?), ref: 004033C6
SetLastError.KERNEL32(?), ref: 004033EA
GetLastError.KERNEL32 ref: 004033FD
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00403450
GetLastError.KERNEL32 ref: 0040345F
SysFreeString.OLEAUT32(?), ref: 00403477
SysFreeString.OLEAUT32(?), ref: 00403484
SetLastError.KERNEL32(?), ref: 004034A8

Strings

P/L, xrefs: 004030D5
T4L, xrefs: 004033F6
T4L, xrefs: 00403125
T4L, xrefs: 0040314A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L
API String ID: 2425351278-1200131689
Opcode ID: 6b6a69e4ba41ba705042928edccfa2fed6931e6c1a1777c602503b3daafe187a
Instruction ID: 22d11826e0c1668008a41dfd77dc262dcad763a081af4891c21d333d2568ea8a
Opcode Fuzzy Hash: 6b6a69e4ba41ba705042928edccfa2fed6931e6c1a1777c602503b3daafe187a
Instruction Fuzzy Hash: 49D135715083409FD710DF69C984B1BBBF4BF88318F10496EF989972A1DB79E948CB4A

Uniqueness

Uniqueness Score: -1.00%

Function 00405AE0, Relevance: 49.2, APIs: 22, Strings: 6, Instructions: 250
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00405AE0(void* __ecx, void* __edx, char _a4) {
				char _v8;
				char _v12;
				char _v16;
				signed char _v20;
				signed int _v24;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v76;
				short _v80;
				intOrPtr _v84;
				long _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				intOrPtr _v108;
				char _v112;
				intOrPtr _v116;
				char _v120;
				long _v124;
				short _v128;
				intOrPtr _v132;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				char _v172;
				char _v176;
				signed char _v180;
				intOrPtr _v184;
				intOrPtr* _v188;
				char _v189;
				char _v192;
				intOrPtr _v200;
				intOrPtr _v204;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t132;
				signed int _t134;
				char _t137;
				char _t141;
				intOrPtr* _t149;
				long _t150;
				void* _t175;
				void* _t197;
				void* _t199;
				void* _t200;
				signed char _t204;
				intOrPtr _t205;
				short* _t206;
				intOrPtr _t207;
				void* _t218;
				void* _t219;
				intOrPtr _t220;
				intOrPtr* _t221;
				void* _t222;
				void* _t224;
				signed char _t225;
				void* _t231;
				signed int _t238;
				signed int _t240;
				void* _t241;
				signed int _t242;

				_t218 = __edx;
				_push(0xffffffff);
				_push(0x4ac961);
				_push( *[fs:0x0]);
				_t240 = (_t238 & 0xfffffff8) - 0xb0;
				_t132 =  *0x4d7e88; // 0x9518852c
				_v24 = _t132 ^ _t240;
				_push(_t219);
				_t134 =  *0x4d7e88; // 0x9518852c
				_push(_t134 ^ _t240);
				 *[fs:0x0] =  &_v16;
				_t224 = __ecx;
				_t137 = _a4;
				_t199 = GetLastError;
				_v184 = _t137;
				_v172 = _t137;
				_v176 = 0;
				_v168 = 0x4c2f50;
				_v128 = 0x4c3454;
				_v124 = GetLastError();
				_v8 = 0;
				if(_t224 == 0) {
					_t225 = 0;
				} else {
					_t225 = _t224 + 4;
				}
				_push(0xffffffff);
				_v144 = 7;
				_v148 = 0;
				_v164 = 0;
				E00406630(_t199,  &_v164, _t219, _t225, 0);
				_t141 = _v140;
				_v152 = 0;
				_v148 = 0;
				_v144 = 0;
				_t19 = _t141 + 4; // 0x4
				_t21 =  *_t19 + 0x50; // 0x4c3454
				SetLastError( *(_t240 + _t21));
				_v20 = 1;
				_v132 = 0x4c2f50;
				_v92 = 0x4c3454;
				_v88 = GetLastError();
				_v128 = 0;
				_v104 = 0;
				_v100 = 0;
				_v96 = 0;
				_t30 =  &_v92; // 0x4c3454
				_v108 = 7;
				_v112 = 0;
				_t35 =  *((intOrPtr*)( *_t30 + 4)) + 0x80; // 0x4c3454
				SetLastError( *(_t240 + _t35));
				_v20 = 2;
				_v192 = 0x2e;
				_t220 = E004056D0( &_v176,  &_v192, 0xffffffff, 1);
				_v204 = _t220;
				if(_t220 == 0xffffffff) {
					_t204 = _v180;
					goto L7;
				} else {
					_t197 = E004034E0( &_v172,  &_v76, 0, 0);
					_t204 = 1;
					if(_t220 <  *((intOrPtr*)(_t197 + 0x14))) {
						L7:
						_v189 = 0;
					} else {
						_v189 = 1;
					}
				}
				_t221 = __imp__#6;
				if((_t204 & 0x00000001) != 0) {
					 *((intOrPtr*)( &_v36 +  *((intOrPtr*)(_v36 + 4)))) = GetLastError();
					L0045A7D5(_v48);
					_t240 = _t240 + 4;
					 *_t221(_v40);
					if(_v56 >= 8) {
						 *_t221(_v76);
					}
					_v76 = 0;
					_v56 = 7;
					_v60 = 0;
					SetLastError( *(_t240 +  *((intOrPtr*)(_v80 + 4)) + 0x88));
				}
				if(_v189 != 0) {
					_t175 = E00404580( &_v76, _v184, 0xffffffff);
					_v24 = 3;
					if(_t175 == 0) {
						_t176 = 0;
						goto L17;
					} else {
						_t176 = _t175 + 4;
						if( &_v120 != _t175 + 4) {
							L17:
							_push(0xffffffff);
							E00406630(_t199,  &_v120, _t221, _t176, 0);
						}
					}
					 *((intOrPtr*)( &_v40 +  *((intOrPtr*)(_v40 + 4)))) = GetLastError();
					L0045A7D5(_v52);
					_t240 = _t240 + 4;
					 *_t221(_v44);
					if(_v60 >= 8) {
						 *_t221(_v80);
					}
					_v80 = 0;
					_v60 = 7;
					_v64 = 0;
					SetLastError( *(_t240 +  *((intOrPtr*)(_v84 + 4)) + 0x88));
				}
				_t149 = _v188;
				 *_t149 = 0x4c2f50;
				 *((intOrPtr*)(_t149 + 0x28)) = 0x4c3454;
				_t150 = GetLastError();
				_t205 = _v188;
				 *(_t205 + 0x2c) = _t150;
				_t206 = _t205 + 4;
				_v12 = 4;
				 *((intOrPtr*)(_t206 + 0x14)) = 7;
				 *((intOrPtr*)(_t206 + 0x10)) = 0;
				 *_t206 = 0;
				E00406630(_t199, _t206, _t221,  &_v120, 0);
				_t207 = _v200;
				 *((intOrPtr*)(_t207 + 0x1c)) = 0;
				 *((intOrPtr*)(_t207 + 0x20)) = 0;
				 *((intOrPtr*)(_t207 + 0x24)) = 0;
				_t97 =  *((intOrPtr*)(_t207 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t97 + _t207 + 0x28));
				_t100 =  &_v96; // 0x4c3454
				_t101 =  &_v96; // 0x4c3454
				 *((intOrPtr*)(_t101 +  *((intOrPtr*)( *_t100 + 4)))) = GetLastError();
				L0045A7D5(_v108);
				_t241 = _t240 + 4;
				 *_t221(_v100, 0xffffffff);
				if(_v116 >= 8) {
					 *_t221(_v128);
				}
				_v128 = 0;
				_v108 = 7;
				_v112 = 0;
				SetLastError( *(_t241 +  *((intOrPtr*)(_v132 + 4)) + 0x58));
				 *((intOrPtr*)( &_v140 +  *((intOrPtr*)(_v140 + 4)))) = GetLastError();
				L0045A7D5(_v152);
				_t242 = _t241 + 4;
				 *_t221(_v144);
				if(_v160 >= 8) {
					 *_t221(_v180);
				}
				_v160 = 7;
				_v164 = 0;
				_v180 = 0;
				SetLastError( *(_t242 +  *((intOrPtr*)(_v184 + 4)) + 0x28));
				 *[fs:0x0] = _v32;
				_pop(_t222);
				_pop(_t231);
				_pop(_t200);
				return E0045A457(_t200, _v40 ^ _t242, _t218, _t222, _t231);
			}

0x00405ae0
0x00405ae6
0x00405ae8
0x00405af3
0x00405af4
0x00405afa
0x00405b01
0x00405b0a
0x00405b0b
0x00405b12
0x00405b1a
0x00405b20
0x00405b22
0x00405b25
0x00405b2b
0x00405b2f
0x00405b33
0x00405b3b
0x00405b43
0x00405b4d
0x00405b51
0x00405b5e
0x00405b65
0x00405b60
0x00405b60
0x00405b60
0x00405b69
0x00405b71
0x00405b79
0x00405b81
0x00405b86
0x00405b8b
0x00405b95
0x00405b9d
0x00405ba5
0x00405bad
0x00405bb0
0x00405bb4
0x00405bb6
0x00405bc1
0x00405bc9
0x00405bd6
0x00405bdf
0x00405be4
0x00405be8
0x00405bec
0x00405bf0
0x00405bf7
0x00405bff
0x00405c0a
0x00405c11
0x00405c1b
0x00405c28
0x00405c35
0x00405c37
0x00405c3e
0x00405c65
0x00000000
0x00405c40
0x00405c50
0x00405c55
0x00405c5d
0x00405c69
0x00405c69
0x00405c5f
0x00405c5f
0x00405c5f
0x00405c5d
0x00405c6e
0x00405c77
0x00405c8e
0x00405c97
0x00405c9c
0x00405ca6
0x00405cb0
0x00405cb9
0x00405cb9
0x00405cc3
0x00405cd2
0x00405cdd
0x00405cf2
0x00405cf2
0x00405cf9
0x00405d11
0x00405d16
0x00405d20
0x00405d2f
0x00000000
0x00405d22
0x00405d22
0x00405d2b
0x00405d31
0x00405d31
0x00405d3a
0x00405d3a
0x00405d2b
0x00405d54
0x00405d5d
0x00405d62
0x00405d6c
0x00405d76
0x00405d7f
0x00405d7f
0x00405d89
0x00405d98
0x00405da3
0x00405db8
0x00405db8
0x00405dba
0x00405dbe
0x00405dc4
0x00405dcb
0x00405dcd
0x00405dd1
0x00405dd4
0x00405dd7
0x00405de3
0x00405dea
0x00405df2
0x00405dfa
0x00405dff
0x00405e03
0x00405e0a
0x00405e11
0x00405e1b
0x00405e22
0x00405e24
0x00405e2b
0x00405e39
0x00405e3f
0x00405e44
0x00405e4b
0x00405e52
0x00405e58
0x00405e58
0x00405e5c
0x00405e65
0x00405e6d
0x00405e7c
0x00405e91
0x00405e97
0x00405e9c
0x00405ea3
0x00405eaa
0x00405eb0
0x00405eb0
0x00405eb8
0x00405ec0
0x00405ec8
0x00405ed4
0x00405ee5
0x00405eed
0x00405eee
0x00405eef
0x00405f01

APIs

GetLastError.KERNEL32 ref: 00405B4B
SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00405BB4
GetLastError.KERNEL32 ref: 00405BD4
SetLastError.KERNEL32(T4L), ref: 00405C11
GetLastError.KERNEL32(?,000000FF,00000001), ref: 00405C8C
SysFreeString.OLEAUT32(?), ref: 00405CA6
SysFreeString.OLEAUT32(?), ref: 00405CB9
SetLastError.KERNEL32(?), ref: 00405CF2
GetLastError.KERNEL32(00000000,00000000,000000FF,?,?,000000FF,?,000000FF,00000001), ref: 00405D52
SysFreeString.OLEAUT32(?), ref: 00405D6C
SysFreeString.OLEAUT32(?), ref: 00405D7F
SetLastError.KERNEL32(?), ref: 00405DB8
GetLastError.KERNEL32(?,000000FF,00000001), ref: 00405DCB
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00405E22
GetLastError.KERNEL32 ref: 00405E37
SysFreeString.OLEAUT32(?), ref: 00405E4B
SysFreeString.OLEAUT32(?), ref: 00405E58
SetLastError.KERNEL32(?), ref: 00405E7C
GetLastError.KERNEL32 ref: 00405E8F
SysFreeString.OLEAUT32(?), ref: 00405EA3
SysFreeString.OLEAUT32(?), ref: 00405EB0
SetLastError.KERNEL32(?), ref: 00405ED4

Strings

T4L, xrefs: 00405BF0
T4L, xrefs: 00405B8B
T4L, xrefs: 00405AE0
T4L, xrefs: 00405BB0
P/L, xrefs: 00405BC1
T4L, xrefs: 00405DC4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L$T4L$T4L
API String ID: 2425351278-1114961416
Opcode ID: bae9bababab1643fc427e99a430b4058c6078c8af4335f0efac4ce899c9eef20
Instruction ID: f040519dc64b790a380e079862b9e4b9806259381dd47372e147210011703477
Opcode Fuzzy Hash: bae9bababab1643fc427e99a430b4058c6078c8af4335f0efac4ce899c9eef20
Instruction Fuzzy Hash: 15B12A715083809FD720DF29C844B5BBBE4FF89318F114A2EE498972A1DB79D859CF4A

Uniqueness

Uniqueness Score: -1.00%

Function 0042E2AA, Relevance: 44.0, APIs: 9, Strings: 16, Instructions: 240
windowCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042E2AA(void* __ebx, struct HINSTANCE__* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t113;
				void* _t118;
				intOrPtr* _t126;
				void* _t133;
				void* _t141;
				long _t165;
				intOrPtr* _t170;
				void* _t212;
				intOrPtr* _t214;
				intOrPtr _t216;
				int _t220;
				void* _t221;

				_t212 = __edx;
				_push(0x10c);
				E0045B8C9(0x4a5273, __ebx, __edi, __esi);
				_t176 = __ecx;
				_t216 =  *((intOrPtr*)(_t221 + 0xc));
				_t214 =  *((intOrPtr*)(_t221 + 8));
				 *((intOrPtr*)(_t221 - 0x108)) = _t216;
				 *((intOrPtr*)(_t221 - 0x118)) = 0;
				_push(0);
				if( *((intOrPtr*)(_t216 + 0x14)) != 0) {
					_push(__ecx + 0x3a4);
					 *((intOrPtr*)(_t221 - 0xa0)) = 0x4c2f50;
					 *((intOrPtr*)(_t221 - 0x78)) = 0x4c3454;
					E004053A0();
					 *(_t221 - 4) =  *(_t221 - 4) & 0x00000000;
					_t13 = _t221 - 0x40; // 0x4c2f50
					_t14 = _t221 - 0xa0; // 0x4c2f50
					E00404960(_t14, __eflags, _t13);
					_t15 = _t221 - 0x40; // 0x4c2f50
					E00401AC0(_t15);
					 *((intOrPtr*)(_t221 - 0x70)) = 0x4c2f50;
					 *((intOrPtr*)(_t221 - 0x48)) = 0x4c3454;
					E004053A0(_t216, 0);
					_t113 =  *(__ecx + 0x438);
					 *(_t221 - 4) = 1;
					__eflags = _t113;
					if(_t113 == 0) {
						 *((intOrPtr*)(_t221 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0x18)) = 0x4c3454;
						E00403FB0(L"[ProductLanguage]", _t221 - 0x101, 0);
						_push(1);
						_push(0xa);
						_push( *( *((intOrPtr*)(__ecx + 0x474)) + 0x44) & 0x0000ffff);
						 *(_t221 - 4) = 3;
						_t118 = E00415C6B(__ecx, _t221 - 0x100, _t214, 0x4c2f50, __eflags);
						_t47 = _t221 - 0x40; // 0x4c2f50
						_t48 = _t221 - 0x70; // 0x4c2f50
						 *(_t221 - 4) = 4;
						E00434C03(_t48, _t47, _t118);
						E00401AC0(_t221 - 0x100);
						_t51 = _t221 - 0x40; // 0x4c2f50
						E00401AC0(_t51);
						_t176 = 0;
						__eflags = 0;
						 *((intOrPtr*)(_t221 - 0xd0)) = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0xa8)) = 0x4c3454;
						E00403F50(_t221 - 0xd0, _t221 - 0x101, 0);
						 *(_t221 - 4) = 5;
						_t126 = E00403020(_t221 - 0xd0, _t221 - 0x114, 0x104);
						 *(_t221 - 4) = 6;
						 *((char*)(_t126 + 4)) = 1;
						GetModuleFileNameW(0,  *(E004040F0(_t126,  *_t126)), 0x104);
						 *(_t221 - 4) = 5;
						E00403CF0(_t221 - 0x114);
						_t216 = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0x18)) = 0x4c3454;
						E00403FB0(L"[SETUPEXENAME]", _t221 - 0x101, 0);
						 *(_t221 - 4) = 7;
						_t133 = E00404640(_t221 - 0xd0, _t212, _t221 - 0x100, 0);
						_t70 = _t221 - 0x40; // 0x4c2f50
						_t71 = _t221 - 0x70; // 0x4c2f50
						 *(_t221 - 4) = 8;
						E00434C03(_t71, _t70, _t133);
						E00401AC0(_t221 - 0x100);
						_t74 = _t221 - 0x40; // 0x4c2f50
						 *(_t221 - 4) = 5;
						E00401AC0(_t74);
						 *((intOrPtr*)(_t221 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0x18)) = 0x4c3454;
						E00403FB0(L"[SETUPEXEDIR]", _t221 - 0x101, 0);
						 *(_t221 - 4) = 9;
						_t141 = E004034E0(_t221 - 0xd0, _t221 - 0x100, 0, 0);
						_t83 = _t221 - 0x40; // 0x4c2f50
						_t84 = _t221 - 0x70; // 0x4c2f50
						 *(_t221 - 4) = 0xa;
						E00434C03(_t84, _t83, _t141);
						E00401AC0(_t221 - 0x100);
						_t87 = _t221 - 0x40; // 0x4c2f50
						 *(_t221 - 4) = 5;
						E00401AC0(_t87);
						 *((intOrPtr*)(_t221 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t221 - 0x18)) = 0x4c3454;
						E00403FB0(L"[ISPREREQDIR]", _t221 - 0x101, 0);
						_t93 = _t221 - 0xa0; // 0x4c2f50
						_t94 = _t221 - 0x40; // 0x4c2f50
						_t95 = _t221 - 0x70; // 0x4c2f50
						 *(_t221 - 4) = 0xb;
						E00434C03(_t95, _t94, _t93);
						_t97 = _t221 - 0x40; // 0x4c2f50
						E00401AC0(_t97);
						 *(_t221 - 4) = 1;
						E00401AC0(_t221 - 0xd0);
					} else {
						SendMessageW(_t113, 0xc, 0, L"ISPREREQDIR");
						__eflags =  *((intOrPtr*)(_t221 - 0x88)) - 8;
						_t161 =  >=  ?  *((void*)(_t221 - 0x9c)) : _t221 - 0x9c;
						SendMessageW( *(_t176 + 0x438), 0xc, 0,  >=  ?  *((void*)(_t221 - 0x9c)) : _t221 - 0x9c);
						SendMessageW( *(_t176 + 0x438), 0x111, 8, 0);
						_t165 =  *((intOrPtr*)(_t221 - 0x108)) + 4;
						__eflags =  *((intOrPtr*)(_t165 + 0x14)) - 8;
						if( *((intOrPtr*)(_t165 + 0x14)) >= 8) {
							_t165 =  *_t165;
						}
						SendMessageW( *(_t176 + 0x438), 0xc, 0, _t165);
						SendMessageW( *(_t176 + 0x438), 0x111, 7, 0);
						_t31 = SendMessageW( *(_t176 + 0x438), 0xe, 0, 0) + 1; // 0x1
						_t220 = _t31;
						_t33 = _t221 - 0x70; // 0x4c2f50
						_t170 = E00403020(_t33, _t221 - 0x114, _t220);
						 *(_t221 - 4) = 2;
						 *((char*)(_t170 + 4)) = 1;
						SendMessageW( *(_t176 + 0x438), 0xd, _t220,  *(E004040F0(_t170,  *_t170)));
						 *(_t221 - 4) = 1;
						E00403CF0(_t221 - 0x114);
						_t176 = 0;
						_t216 = 0x4c2f50;
					}
					_t100 = _t221 - 0x70; // 0x4c2f50
					 *_t214 = _t216;
					 *((intOrPtr*)(_t214 + 0x28)) = 0x4c3454;
					E004053A0(_t100, _t176);
					_t102 = _t221 - 0x70; // 0x4c2f50
					E00401AC0(_t102);
					_t103 = _t221 - 0xa0; // 0x4c2f50
					E00401AC0(_t103);
				} else {
					_push(_t216);
					 *_t214 = 0x4c2f50;
					 *((intOrPtr*)(_t214 + 0x28)) = 0x4c3454;
					E004053A0();
				}
				return E0045B878(_t176, _t214, _t216);
			}

0x0042e2aa
0x0042e2aa
0x0042e2b4
0x0042e2b9
0x0042e2bb
0x0042e2be
0x0042e2c3
0x0042e2c9
0x0042e2cf
0x0042e2d3
0x0042e2f5
0x0042e2fc
0x0042e306
0x0042e30d
0x0042e312
0x0042e316
0x0042e31a
0x0042e320
0x0042e325
0x0042e328
0x0042e333
0x0042e33a
0x0042e341
0x0042e346
0x0042e34c
0x0042e350
0x0042e352
0x0042e43d
0x0042e440
0x0042e447
0x0042e452
0x0042e458
0x0042e45a
0x0042e461
0x0042e465
0x0042e46b
0x0042e46f
0x0042e472
0x0042e476
0x0042e481
0x0042e486
0x0042e489
0x0042e48e
0x0042e48e
0x0042e49e
0x0042e4a4
0x0042e4ae
0x0042e4c6
0x0042e4ca
0x0042e4d1
0x0042e4d5
0x0042e4e2
0x0042e4ee
0x0042e4f2
0x0042e4ff
0x0042e50c
0x0042e50f
0x0042e516
0x0042e529
0x0042e52d
0x0042e533
0x0042e537
0x0042e53a
0x0042e53e
0x0042e549
0x0042e54e
0x0042e551
0x0042e555
0x0042e56a
0x0042e56d
0x0042e574
0x0042e588
0x0042e58c
0x0042e592
0x0042e596
0x0042e599
0x0042e59d
0x0042e5a8
0x0042e5ad
0x0042e5b0
0x0042e5b4
0x0042e5c9
0x0042e5cc
0x0042e5d3
0x0042e5d8
0x0042e5df
0x0042e5e3
0x0042e5e6
0x0042e5ea
0x0042e5ef
0x0042e5f2
0x0042e5fd
0x0042e601
0x0042e358
0x0042e368
0x0042e36a
0x0042e377
0x0042e389
0x0042e39a
0x0042e3a2
0x0042e3a5
0x0042e3a9
0x0042e3ab
0x0042e3ab
0x0042e3b8
0x0042e3c9
0x0042e3d9
0x0042e3d9
0x0042e3e4
0x0042e3e7
0x0042e3ee
0x0042e3f2
0x0042e406
0x0042e412
0x0042e416
0x0042e41b
0x0042e41d
0x0042e41d
0x0042e607
0x0042e60d
0x0042e60f
0x0042e616
0x0042e61b
0x0042e61e
0x0042e623
0x0042e629
0x0042e2d5
0x0042e2d5
0x0042e2d8
0x0042e2de
0x0042e2e5
0x0042e2e5
0x0042e635

APIs

__EH_prolog3_GS.LIBCMT ref: 0042E2B4
SendMessageW.USER32(?,0000000C,00000000,ISPREREQDIR), ref: 0042E368
SendMessageW.USER32(?,0000000C,00000000,?), ref: 0042E389
SendMessageW.USER32(?,00000111,00000008,00000000), ref: 0042E39A
SendMessageW.USER32(?,0000000C,00000000,?), ref: 0042E3B8
SendMessageW.USER32(?,00000111,00000007,00000000), ref: 0042E3C9
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0042E3D7
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0042E406

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Strings

T4L, xrefs: 0042E33A
T4L, xrefs: 0042E4A4
P/L, xrefs: 0042E430
T4L, xrefs: 0042E60F
P/L, xrefs: 0042E31A
P/L, xrefs: 0042E316, 0042E325, 0042E43A, 0042E46B, 0042E486, 0042E509, 0042E533, 0042E54E, 0042E567, 0042E592, 0042E5AD, 0042E5C6, 0042E5DF, 0042E5EF, 0042E319, 0042E46E, 0042E536, 0042E595, 0042E5E2
T4L, xrefs: 0042E306
ISPREREQDIR, xrefs: 0042E35E
[SETUPEXEDIR], xrefs: 0042E562
[ISPREREQDIR], xrefs: 0042E5C1
T4L, xrefs: 0042E5CC
P/L, xrefs: 0042E41D
P/L, xrefs: 0042E3E4
[SETUPEXENAME], xrefs: 0042E504
[ProductLanguage], xrefs: 0042E435
P/L, xrefs: 0042E4FF

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: MessageSend$ErrorLast$H_prolog3_
String ID: ISPREREQDIR$P/L$P/L$P/L$P/L$P/L$P/L$T4L$T4L$T4L$T4L$T4L$[ISPREREQDIR]$[ProductLanguage]$[SETUPEXEDIR]$[SETUPEXENAME]
API String ID: 860943175-2351489034
Opcode ID: f829a352067c94b8d2136d2da42c29586a9d3a204320ed353cdc83418de33877
Instruction ID: 79434aba791d9d0bd5f5de81912bae10fd3ddc51b5e82914d9b94aa6d9080963
Opcode Fuzzy Hash: f829a352067c94b8d2136d2da42c29586a9d3a204320ed353cdc83418de33877
Instruction Fuzzy Hash: 8AA15E75900218EEDB15DB91CD41BDEBBB8AF18304F0440AEF50977182DBB86A48DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404640, Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00404640(void* __ecx, void* __edx, short _a4, char _a8) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				signed int _v24;
				char _v28;
				signed int _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v64;
				short _v80;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				short _v124;
				intOrPtr _v128;
				short _v132;
				char _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				char _v164;
				char _v168;
				char _v172;
				short _v176;
				intOrPtr _v180;
				void* _v184;
				void* _v188;
				intOrPtr _v192;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t100;
				signed int _t102;
				short _t107;
				intOrPtr _t109;
				void* _t112;
				void* _t133;
				void* _t135;
				void* _t157;
				void* _t158;
				void* _t176;
				void* _t177;
				intOrPtr* _t178;
				void* _t179;
				void* _t181;
				void* _t186;
				signed int _t191;
				signed int _t193;
				void* _t194;
				signed int _t195;
				void* _t196;

				_t176 = __edx;
				_push(0xffffffff);
				_push(0x4ac9be);
				_push( *[fs:0x0]);
				_t193 = (_t191 & 0xfffffff8) - 0xa0;
				_t100 =  *0x4d7e88; // 0x9518852c
				_v24 = _t100 ^ _t193;
				_push(_t177);
				_t102 =  *0x4d7e88; // 0x9518852c
				_push(_t102 ^ _t193);
				 *[fs:0x0] =  &_v16;
				_t181 = __ecx;
				_t157 = GetLastError;
				_v176 = _a4;
				_v172 = 0;
				_v168 = 0x4c2f50;
				_v128 = 0x4c3454;
				_v124 = GetLastError();
				_v8 = 0;
				if(_t181 == 0) {
					_t107 = 0;
				} else {
					_t107 = _t181 + 4;
				}
				_push(0xffffffff);
				_v164 = 0;
				_v144 = 7;
				_v148 = 0;
				E00406630(_t157,  &_v164, _t177, _t107, 0);
				_t109 = _v140;
				_v152 = 0;
				_v148 = 0;
				_v144 = 0;
				_t19 = _t109 + 4; // 0x4
				_t21 =  *_t19 + 0x40; // 0x4c3454
				SetLastError( *(_t193 + _t21));
				_v20 = 1;
				_t178 = __imp__#6;
				if(_a8 != 0) {
					_t133 = E00405AE0(_t181, _t176,  &_v124);
					_v16 = 2;
					_t135 = E00404580( &_v80, 0,  *((intOrPtr*)(_t181 + 0x14)) -  *((intOrPtr*)(_t133 + 0x14)));
					_v28 = 3;
					if(_t135 == 0) {
						_t136 = 0;
						goto L8;
					} else {
						_t136 = _t135 + 4;
						if( &_v168 != _t135 + 4) {
							L8:
							_push(0xffffffff);
							E00406630(_t157,  &_v168, _t178, _t136, 0);
						}
					}
					 *((intOrPtr*)( &_v40 +  *((intOrPtr*)(_v40 + 4)))) = GetLastError();
					L0045A7D5(_v52);
					_t196 = _t193 + 4;
					 *_t178(_v44);
					if(_v60 >= 8) {
						 *_t178(_v80);
					}
					_v80 = 0;
					_v60 = 7;
					_v64 = 0;
					SetLastError( *(_t196 +  *((intOrPtr*)(_v84 + 4)) + 0x78));
					_v20 = 1;
					 *((intOrPtr*)( &_v92 +  *((intOrPtr*)(_v92 + 4)))) = GetLastError();
					L0045A7D5(_v104);
					_t193 = _t196 + 4;
					 *_t178(_v96);
					if(_v112 >= 8) {
						 *_t178(_v132);
					}
					_v132 = 0;
					_v112 = 7;
					_v116 = 0;
					SetLastError( *(_t193 +  *((intOrPtr*)(_v136 + 4)) + 0x48));
				}
				_t112 = E004034E0( &_v172,  &_v124, 1, 0);
				_v24 = 4;
				E00404580(_v192,  *((intOrPtr*)(_t112 + 0x14)), 0xffffffff);
				 *((intOrPtr*)( &_v108 +  *((intOrPtr*)(_v108 + 4)))) = GetLastError();
				L0045A7D5(_v120);
				_t194 = _t193 + 4;
				 *_t178(_v112);
				if(_v128 >= 8) {
					 *_t178(_v124);
				}
				_v124 = 0;
				_v104 = 7;
				_v108 = 0;
				SetLastError( *(_t194 +  *((intOrPtr*)(_v128 + 4)) + 0x48));
				 *((intOrPtr*)( &_v136 +  *((intOrPtr*)(_v136 + 4)))) = GetLastError();
				L0045A7D5(_v148);
				_t195 = _t194 + 4;
				 *_t178(_v140);
				if(_v156 >= 8) {
					 *_t178(_v176);
				}
				_v156 = 7;
				_v160 = 0;
				_v176 = 0;
				SetLastError( *(_t195 +  *((intOrPtr*)(_v180 + 4)) + 0x18));
				 *[fs:0x0] = _v28;
				_pop(_t179);
				_pop(_t186);
				_pop(_t158);
				return E0045A457(_t158, _v36 ^ _t195, _t176, _t179, _t186);
			}

0x00404640
0x00404646
0x00404648
0x00404653
0x00404654
0x0040465a
0x00404661
0x0040466a
0x0040466b
0x00404672
0x0040467a
0x00404680
0x00404685
0x0040468b
0x0040468f
0x00404697
0x0040469f
0x004046a9
0x004046ad
0x004046ba
0x004046c1
0x004046bc
0x004046bc
0x004046bc
0x004046c5
0x004046c8
0x004046d2
0x004046da
0x004046e2
0x004046e7
0x004046eb
0x004046f3
0x004046fb
0x00404703
0x00404706
0x0040470a
0x00404714
0x0040471f
0x00404725
0x00404732
0x00404737
0x00404751
0x00404756
0x00404760
0x0040476f
0x00000000
0x00404762
0x00404762
0x0040476b
0x00404771
0x00404771
0x0040477a
0x0040477a
0x0040476b
0x00404794
0x0040479d
0x004047a2
0x004047ac
0x004047b6
0x004047bc
0x004047bc
0x004047c0
0x004047c9
0x004047d4
0x004047e6
0x004047ec
0x00404803
0x00404809
0x0040480e
0x00404815
0x0040481c
0x00404822
0x00404822
0x00404826
0x0040482f
0x00404837
0x00404846
0x00404846
0x00404859
0x00404860
0x00404873
0x00404887
0x0040488d
0x00404892
0x00404899
0x004048a0
0x004048a6
0x004048a6
0x004048aa
0x004048b3
0x004048bb
0x004048ca
0x004048df
0x004048e5
0x004048ea
0x004048f1
0x004048f8
0x004048fe
0x004048fe
0x00404906
0x0040490e
0x00404916
0x00404922
0x00404933
0x0040493b
0x0040493c
0x0040493d
0x0040494f

APIs

GetLastError.KERNEL32 ref: 004046A7
SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040470A
GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?), ref: 00404792
SysFreeString.OLEAUT32(?), ref: 004047AC
SysFreeString.OLEAUT32(?), ref: 004047BC
SetLastError.KERNEL32(?), ref: 004047E6
GetLastError.KERNEL32 ref: 00404801
SysFreeString.OLEAUT32(?), ref: 00404815
SysFreeString.OLEAUT32(?), ref: 00404822
SetLastError.KERNEL32(?), ref: 00404846

Part of subcall function 00404580: GetLastError.KERNEL32(9518852C,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
Part of subcall function 00404580: SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A

GetLastError.KERNEL32(?,?,000000FF,?,00000001,00000000), ref: 00404885
SysFreeString.OLEAUT32(?), ref: 00404899
SysFreeString.OLEAUT32(?), ref: 004048A6
SetLastError.KERNEL32(?), ref: 004048CA
GetLastError.KERNEL32 ref: 004048DD
SysFreeString.OLEAUT32(?), ref: 004048F1
SysFreeString.OLEAUT32(?), ref: 004048FE
SetLastError.KERNEL32(?), ref: 00404922

Strings

T4L, xrefs: 004046E7
T4L, xrefs: 00404640
T4L, xrefs: 00404706
P/L, xrefs: 00404697

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L
API String ID: 2425351278-1200131689
Opcode ID: e21d52ea6584db1b08c492c2dc4f3a2eef207e403f46286ccb6dab0482927bdd
Instruction ID: cde076b80f0a8efed71b4ffcd14bd0697ccf1f34df26b5c4eb0a563b8905cb2f
Opcode Fuzzy Hash: e21d52ea6584db1b08c492c2dc4f3a2eef207e403f46286ccb6dab0482927bdd
Instruction Fuzzy Hash: CF9125711083809FD720DF29C845B5BBBE5BF89318F104A2DF599972A1D776E818CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0043A837, Relevance: 37.2, APIs: 8, Strings: 13, Instructions: 417
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0043A837(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t172;
				void* _t176;
				void* _t179;
				void* _t181;
				void* _t187;
				long _t190;
				void* _t199;
				void* _t200;
				void* _t204;
				void* _t215;
				void* _t218;
				void* _t228;
				void* _t233;
				void* _t237;
				void* _t240;
				void* _t241;
				void* _t242;
				void* _t248;
				void* _t252;
				void* _t258;
				void* _t265;
				void* _t271;
				void* _t277;
				void* _t279;
				intOrPtr* _t280;
				intOrPtr* _t282;
				signed char _t286;
				signed int _t291;
				void* _t337;
				signed char _t345;
				signed char _t361;
				intOrPtr* _t380;
				void* _t381;

				_push(0x618);
				E0045B8C9(0x4a638c, __ebx, __edi, __esi);
				_t380 =  *((intOrPtr*)(_t381 + 8));
				 *(_t381 - 0x61c) =  *(_t381 - 0x61c) & 0x00000000;
				 *((short*)(_t381 - 0x218)) = 0;
				E0045A4D0(_t381 - 0x216, 0, 0x206);
				_t6 = _t381 + 0xc; // 0x4c2f40
				_t378 =  *_t6;
				_t286 = 1;
				 *((char*)(_t381 - 0x617)) = 1;
				if(SHGetSpecialFolderLocation(0, _t378, _t381 - 0x620) >= 0) {
					 *((char*)(_t381 - 0x617)) = 0;
					__imp__SHGetPathFromIDListW( *(_t381 - 0x620), _t381 - 0x218);
					_t279 = _t381 - 0x624;
					__imp__SHGetMalloc(_t279);
					_t386 = _t279;
					if(_t279 >= 0) {
						_t280 =  *((intOrPtr*)(_t381 - 0x624));
						 *((intOrPtr*)( *_t280 + 0x14))(_t280,  *(_t381 - 0x620));
						_t282 =  *((intOrPtr*)(_t381 - 0x624));
						 *((intOrPtr*)( *_t282 + 8))(_t282);
					}
				}
				_push(0);
				_push(_t381 - 0x616);
				_push(_t381 - 0x218);
				 *(_t381 - 0x615) = 0;
				 *((intOrPtr*)(_t381 - 0x2a8)) = 0x4ae964;
				 *((intOrPtr*)(_t381 - 0x280)) = 0x4ae96c;
				E00408F6D(_t286, _t381 - 0x2a8, _t378, _t380, _t386);
				 *(_t381 - 4) =  *(_t381 - 4) & 0x00000000;
				_t26 = _t381 - 0x2a8; // 0x4ae964
				E0040B9F3(_t26, _t378, "\\");
				_t27 = _t381 - 0x2a8; // 0x4ae964
				E0043C748(_t27, _t386);
				if(_t378 == 0x2b || _t378 == 0x26) {
					_t28 = _t381 - 0x2a8; // 0x4ae964
					_t172 = E0043BFDB(_t28);
					_t389 = _t172;
					if(_t172 == 0) {
						_t291 =  *(_t381 - 0x61c);
						L9:
						 *(_t381 - 0x615) = _t286;
						L10:
						if((_t286 & _t291) != 0) {
							 *(_t381 - 0x61c) = _t291 & 0xfffffffe;
							E00401B80(_t381 - 0x2e4);
						}
						goto L12;
					}
					_t30 = _t381 - 0x2a8; // 0x4ae964
					_t277 = E0040DBCC(_t30, _t389, _t381 - 0x2e4);
					_t291 = _t286;
					 *(_t381 - 0x61c) = _t291;
					if( *((intOrPtr*)(_t277 + 0x14)) == 0) {
						goto L9;
					} else {
						 *(_t381 - 0x615) = 0;
						goto L10;
					}
				} else {
					L12:
					if( *((char*)(_t381 - 0x617)) != 0 ||  *(_t381 - 0x615) != 0) {
						 *((intOrPtr*)(_t381 - 0x248)) = 0x4ae964;
						 *((intOrPtr*)(_t381 - 0x220)) = 0x4ae96c;
						E00404200(_t381 - 0x248, _t381 - 0x616, 0);
						 *(_t381 - 4) = _t286;
						_t176 = _t378 - 5;
						if(_t176 == 0) {
							_t378 = GetVersion;
							__eflags = GetVersion() - 0x80000000;
							if(__eflags <= 0) {
								_push(2);
								_push(_t381 - 0x2d8);
								_t179 = E0043A837(_t286, GetVersion, _t380, __eflags);
								_push(_t381 - 0x614);
								 *(_t381 - 4) = 4;
								_t181 = E0043BF28(_t286, E0043C85F(_t286, _t179, GetVersion), GetVersion, _t380, __eflags);
								_t144 = _t381 - 0x248; // 0x4ae964
								 *(_t381 - 4) = 5;
								E004095E2(_t144, _t181);
								E00401B80(_t381 - 0x614);
								 *(_t381 - 4) = _t286;
								E00401B80(_t381 - 0x2d8);
								_push(_t381 - 0x5d8);
								_t150 = _t381 - 0x248; // 0x4ae964
								_t187 = E0043BF28(_t286, E0043C85F(_t286, _t150, _t378), _t378, _t380, __eflags);
								_t151 = _t381 - 0x248; // 0x4ae964
								 *(_t381 - 4) = 6;
								E004095E2(_t151, _t187);
								 *(_t381 - 4) = _t286;
								E00401B80(_t381 - 0x5d8);
								_t190 = GetVersion();
								__eflags = _t190 - 5;
								if(_t190 >= 5) {
									L53:
									_push(L"My Documents\\");
									L56:
									_t155 = _t381 - 0x248; // 0x4ae964
									E0040B9F3(_t155, _t378);
									_push(0);
									_t156 = _t381 - 0x248; // 0x4ae964
									 *_t380 = 0x4ae964;
									 *((intOrPtr*)(_t380 + 0x28)) = 0x4ae96c;
									E00408E82(_t286, _t380, _t378, _t380, __eflags);
									L57:
									_t158 = _t381 - 0x248; // 0x4ae964
									E00401B80(_t158);
									goto L58;
								}
								_push(L"Personal\\");
								goto L56;
							}
							_push(0);
							_push(_t381 - 0x404);
							_t199 = E0040B51F(_t286, GetVersion, _t380, __eflags);
							 *(_t381 - 4) = 2;
							_t200 = E0040DBCC(_t199, __eflags, _t381 - 0x59c);
							_t136 = _t381 - 0x248; // 0x4ae964
							 *(_t381 - 4) = 3;
							E004095E2(_t136, _t200);
							E00401B80(_t381 - 0x59c);
							 *(_t381 - 4) = _t286;
							E00401B80(_t381 - 0x404);
							goto L53;
						}
						_t204 = _t176 - 0xf;
						if(_t204 == 0) {
							_push(_t286);
							_push(_t381 - 0x278);
							E0040B51F(_t286, _t378, _t380, __eflags);
							_push(_t286);
							_push(_t381 - 0x616);
							_push("Fonts");
							 *(_t381 - 4) = 0x11;
							E00415AF8(_t286, _t381 - 0x344, _t378, _t380, __eflags);
							 *(_t381 - 4) = 0x12;
							E0043B22F(_t381 - 0x278, _t381 - 0x344);
							 *(_t381 - 4) = 0x11;
							E00401B80(_t381 - 0x344);
							L32:
							_push(0);
							_push(_t381 - 0x278);
							 *_t380 = 0x4ae964;
							 *((intOrPtr*)(_t380 + 0x28)) = 0x4ae96c;
							E00408E82(_t286, _t380, _t378, _t380, __eflags);
							E00401B80(_t381 - 0x278);
							goto L57;
						}
						_t215 = _t204 - 6;
						if(_t215 == 0) {
							L41:
							__eflags = GetVersion() - 0x80000000;
							if(__eflags <= 0) {
								_push(5);
								_push(_t381 - 0x434);
								_t218 = E0043A837(_t286, _t378, _t380, __eflags);
								_t100 = _t381 - 0x248; // 0x4ae964
								 *(_t381 - 4) = 8;
								E004095E2(_t100, _t218);
								 *(_t381 - 4) = _t286;
								E00401B80(_t381 - 0x434);
								__eflags =  *(_t381 - 0x234);
								if( *(_t381 - 0x234) == 0) {
									L47:
									__eflags = _t378 - 0x23;
									if(__eflags == 0) {
										_push(_t286);
										_push(_t381 - 0x616);
										_push("All Users\\");
										E00415AF8(_t286, _t381 - 0x314, _t378, _t380, __eflags);
										_t120 = _t381 - 0x248; // 0x4ae964
										 *(_t381 - 4) = 0xb;
										E0043B22F(_t120, _t381 - 0x314);
										 *(_t381 - 4) = _t286;
										E00401B80(_t381 - 0x314);
									}
									L49:
									_push(L"Application Data\\");
									goto L56;
								}
								_push(_t381 - 0x4ac);
								_t106 = _t381 - 0x248; // 0x4ae964
								_t228 = E0043BF28(_t286, E0043C85F(_t286, _t106, _t378), _t378, _t380, __eflags);
								_t107 = _t381 - 0x248; // 0x4ae964
								 *(_t381 - 4) = 9;
								E004095E2(_t107, _t228);
								 *(_t381 - 4) = _t286;
								E00401B80(_t381 - 0x4ac);
								__eflags = _t378 - 0x23;
								if(_t378 != 0x23) {
									goto L49;
								}
								_push(_t381 - 0x524);
								_t112 = _t381 - 0x248; // 0x4ae964
								_t233 = E0043BF28(_t286, E0043C85F(_t286, _t112, _t378), _t378, _t380, __eflags);
								_t113 = _t381 - 0x248; // 0x4ae964
								 *(_t381 - 4) = 0xa;
								E004095E2(_t113, _t233);
								_t337 = _t381 - 0x524;
								L46:
								 *(_t381 - 4) = _t286;
								E00401B80(_t337);
								goto L47;
							}
							_push(0);
							_push(_t381 - 0x3d4);
							_t237 = E0040B51F(_t286, _t378, _t380, __eflags);
							_t96 = _t381 - 0x248; // 0x4ae964
							 *(_t381 - 4) = 7;
							E004095E2(_t96, _t237);
							_t337 = _t381 - 0x3d4;
							goto L46;
						}
						_t240 = _t215;
						if(_t240 == 0) {
							goto L41;
						}
						_t241 = _t240 - 7;
						if(_t241 == 0) {
							goto L41;
						}
						_t242 = _t241 - 3;
						if(_t242 == 0) {
							_push(0);
							_push(_t381 - 0x278);
							E0043C3A2(_t286, _t378, _t380, __eflags);
							 *(_t381 - 4) = 0xe;
							E0043C748(_t381 - 0x278, __eflags);
							__eflags = E0043BFDB(_t381 - 0x278);
							if(__eflags == 0) {
								_t345 =  *(_t381 - 0x61c);
							} else {
								_t258 = E0040DBCC(_t381 - 0x278, __eflags, _t381 - 0x560);
								_t345 =  *(_t381 - 0x61c) | 0x00000008;
								__eflags =  *(_t258 + 0x14);
								if( *(_t258 + 0x14) != 0) {
									_t286 = 0;
								}
							}
							__eflags = _t345 & 0x00000008;
							if((_t345 & 0x00000008) != 0) {
								E00401B80(_t381 - 0x560);
							}
							__eflags = _t286;
							if(__eflags != 0) {
								_push(0);
								_push(_t381 - 0x374);
								_t248 = E0040B51F(_t286, _t378, _t380, __eflags);
								 *(_t381 - 4) = 0xf;
								E004095E2(_t381 - 0x278, _t248);
								 *(_t381 - 4) = 0xe;
								E00401B80(_t381 - 0x374);
								_t252 = E0040DBCC(_t381 - 0x278, __eflags, _t381 - 0x4e8);
								 *(_t381 - 4) = 0x10;
								E004095E2(_t381 - 0x278, _t252);
								 *(_t381 - 4) = 0xe;
								E00401B80(_t381 - 0x4e8);
								_push(L"Program Files");
								L31:
								E0040B9F3(_t381 - 0x278, _t378);
							}
							goto L32;
						}
						_t401 = _t242 == 5;
						if(_t242 == 5) {
							_push(_t286);
							_push(_t381 - 0x278);
							E0043C3A2(_t286, _t378, _t380, __eflags);
							 *(_t381 - 4) = 0xc;
							E0043C748(_t381 - 0x278, __eflags);
							__eflags = E0043BFDB(_t381 - 0x278);
							if(__eflags == 0) {
								_t361 =  *(_t381 - 0x61c);
							} else {
								_t271 = E0040DBCC(_t381 - 0x278, __eflags, _t381 - 0x470);
								_t361 =  *(_t381 - 0x61c) | 0x00000004;
								__eflags =  *(_t271 + 0x14);
								if( *(_t271 + 0x14) != 0) {
									_t286 = 0;
								}
							}
							__eflags = _t361 & 0x00000004;
							if((_t361 & 0x00000004) != 0) {
								E00401B80(_t381 - 0x470);
							}
							__eflags = _t286;
							if(__eflags == 0) {
								goto L32;
							} else {
								_push(0x26);
								_push(_t381 - 0x3a4);
								_t265 = E0043A837(_t286, _t378, _t380, __eflags);
								 *(_t381 - 4) = 0xd;
								E004095E2(_t381 - 0x278, E0043C85F(_t286, _t265, _t378));
								 *(_t381 - 4) = 0xc;
								E00401B80(_t381 - 0x3a4);
								_push(L"Common Files\\");
								goto L31;
							}
						}
						_t47 = _t381 - 0x248; // 0x4ae964
						 *(_t381 - 4) = 0;
						E00401B80(_t47);
						goto L22;
					} else {
						L22:
						_push(0);
						_t49 = _t381 - 0x2a8; // 0x4ae964
						 *_t380 = 0x4ae964;
						 *((intOrPtr*)(_t380 + 0x28)) = 0x4ae96c;
						E00408E82(_t286, _t380, _t378, _t380, _t401);
						L58:
						_t159 = _t381 - 0x2a8; // 0x4ae964
						E00401B80(_t159);
						return E0045B878(_t286, _t378, _t380);
					}
				}
			}

0x0043a837
0x0043a841
0x0043a846
0x0043a849
0x0043a858
0x0043a866
0x0043a86b
0x0043a86b
0x0043a87b
0x0043a87e
0x0043a88c
0x0043a89b
0x0043a8a2
0x0043a8a8
0x0043a8af
0x0043a8b5
0x0043a8b7
0x0043a8b9
0x0043a8c8
0x0043a8cb
0x0043a8d4
0x0043a8d4
0x0043a8b7
0x0043a8d7
0x0043a8df
0x0043a8e6
0x0043a8ed
0x0043a8f4
0x0043a8fe
0x0043a908
0x0043a90d
0x0043a916
0x0043a91c
0x0043a921
0x0043a927
0x0043a92f
0x0043a936
0x0043a93c
0x0043a941
0x0043a943
0x0043a96e
0x0043a974
0x0043a974
0x0043a97a
0x0043a97c
0x0043a981
0x0043a98d
0x0043a98d
0x00000000
0x0043a97c
0x0043a94c
0x0043a952
0x0043a95b
0x0043a95d
0x0043a963
0x00000000
0x0043a965
0x0043a965
0x00000000
0x0043a965
0x0043a992
0x0043a992
0x0043a999
0x0043a9b3
0x0043a9bd
0x0043a9c7
0x0043a9ce
0x0043a9d1
0x0043a9d4
0x0043ad78
0x0043ad80
0x0043ad85
0x0043ade2
0x0043ade4
0x0043ade5
0x0043adf2
0x0043adf5
0x0043ae00
0x0043ae06
0x0043ae0c
0x0043ae10
0x0043ae1b
0x0043ae26
0x0043ae29
0x0043ae34
0x0043ae35
0x0043ae42
0x0043ae48
0x0043ae4e
0x0043ae52
0x0043ae5d
0x0043ae60
0x0043ae65
0x0043ae67
0x0043ae69
0x0043add2
0x0043add2
0x0043ae74
0x0043ae74
0x0043ae7a
0x0043ae7f
0x0043ae81
0x0043ae8a
0x0043ae90
0x0043ae97
0x0043ae9c
0x0043ae9c
0x0043aea2
0x00000000
0x0043aea2
0x0043ae6f
0x00000000
0x0043ae6f
0x0043ad8d
0x0043ad8f
0x0043ad90
0x0043ada0
0x0043ada4
0x0043adaa
0x0043adb0
0x0043adb4
0x0043adbf
0x0043adca
0x0043adcd
0x00000000
0x0043adcd
0x0043a9da
0x0043a9dd
0x0043ad29
0x0043ad2a
0x0043ad2b
0x0043ad32
0x0043ad39
0x0043ad3a
0x0043ad45
0x0043ad49
0x0043ad5b
0x0043ad5f
0x0043ad6a
0x0043ad6e
0x0043aaee
0x0043aaee
0x0043aaf6
0x0043aaf9
0x0043aaff
0x0043ab06
0x0043ab11
0x00000000
0x0043ab11
0x0043a9e3
0x0043a9e6
0x0043abf6
0x0043abfc
0x0043ac01
0x0043ac34
0x0043ac36
0x0043ac37
0x0043ac3f
0x0043ac45
0x0043ac49
0x0043ac54
0x0043ac57
0x0043ac5c
0x0043ac63
0x0043acd8
0x0043acd8
0x0043acdb
0x0043acdd
0x0043ace4
0x0043ace5
0x0043acf0
0x0043acfc
0x0043ad02
0x0043ad06
0x0043ad11
0x0043ad14
0x0043ad14
0x0043ad19
0x0043ad19
0x00000000
0x0043ad19
0x0043ac6b
0x0043ac6c
0x0043ac79
0x0043ac7f
0x0043ac85
0x0043ac89
0x0043ac94
0x0043ac97
0x0043ac9c
0x0043ac9f
0x00000000
0x00000000
0x0043aca7
0x0043aca8
0x0043acb5
0x0043acbb
0x0043acc1
0x0043acc5
0x0043acca
0x0043acd0
0x0043acd0
0x0043acd3
0x00000000
0x0043acd3
0x0043ac09
0x0043ac0b
0x0043ac0c
0x0043ac14
0x0043ac1a
0x0043ac1e
0x0043ac23
0x00000000
0x0043ac23
0x0043a9ed
0x0043a9ee
0x00000000
0x00000000
0x0043a9f4
0x0043a9f7
0x00000000
0x00000000
0x0043a9fd
0x0043aa00
0x0043ab21
0x0043ab23
0x0043ab24
0x0043ab31
0x0043ab35
0x0043ab45
0x0043ab47
0x0043ab6e
0x0043ab49
0x0043ab56
0x0043ab61
0x0043ab64
0x0043ab68
0x0043ab6a
0x0043ab6a
0x0043ab68
0x0043ab74
0x0043ab77
0x0043ab7f
0x0043ab7f
0x0043ab84
0x0043ab86
0x0043ab92
0x0043ab94
0x0043ab95
0x0043aba3
0x0043aba7
0x0043abb2
0x0043abb6
0x0043abc8
0x0043abd4
0x0043abd8
0x0043abe3
0x0043abe7
0x0043abec
0x0043aae3
0x0043aae9
0x0043aae9
0x00000000
0x0043ab86
0x0043aa06
0x0043aa09
0x0043aa42
0x0043aa43
0x0043aa44
0x0043aa51
0x0043aa55
0x0043aa65
0x0043aa67
0x0043aa8e
0x0043aa69
0x0043aa76
0x0043aa81
0x0043aa84
0x0043aa88
0x0043aa8a
0x0043aa8a
0x0043aa88
0x0043aa94
0x0043aa97
0x0043aa9f
0x0043aa9f
0x0043aaa4
0x0043aaa6
0x00000000
0x0043aaa8
0x0043aaae
0x0043aab0
0x0043aab1
0x0043aaba
0x0043aaca
0x0043aad5
0x0043aad9
0x0043aade
0x00000000
0x0043aade
0x0043aaa6
0x0043aa0b
0x0043aa11
0x0043aa15
0x00000000
0x0043aa1a
0x0043aa1a
0x0043aa1a
0x0043aa1c
0x0043aa25
0x0043aa2b
0x0043aa32
0x0043aea7
0x0043aea7
0x0043aead
0x0043aeb9
0x0043aeb9
0x0043a999

APIs

__EH_prolog3_GS.LIBCMT ref: 0043A841
_memset.LIBCMT ref: 0043A866
SHGetSpecialFolderLocation.SHELL32(00000000,@/L,?,?,00000000,00000000), ref: 0043A884
SHGetPathFromIDListW.SHELL32(?,?), ref: 0043A8A2
SHGetMalloc.SHELL32(?), ref: 0043A8AF

Part of subcall function 0043C3A2: __EH_prolog3_GS.LIBCMT ref: 0043C3AC
Part of subcall function 0043C3A2: _memset.LIBCMT ref: 0043C3D2
Part of subcall function 0043C3A2: RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,?), ref: 0043C3F4
Part of subcall function 0043C3A2: RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,?), ref: 0043C433

Part of subcall function 0043BFDB: GetFileAttributesW.KERNEL32(dJ,0043A941,?,?,00000000), ref: 0043BFE7

GetVersion.KERNEL32(?,?,00000000), ref: 0043ABF6
GetVersion.KERNEL32(?,?,00000000), ref: 0043AD7E
GetVersion.KERNEL32(00000000,?,00000000,?), ref: 0043AE65

Part of subcall function 0040B51F: __EH_prolog3_GS.LIBCMT ref: 0040B529
Part of subcall function 0040B51F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000274,0043AD95,?,00000000), ref: 0040B54C
Part of subcall function 0040B51F: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0040B560

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

lJ, xrefs: 0043A8FE
Application Data\, xrefs: 0043AD19
My Documents\, xrefs: 0043ADD2
Fonts, xrefs: 0043AD3A
dJ, xrefs: 0043AA0B
Personal\, xrefs: 0043AE6F
lJ, xrefs: 0043AE90
lJ, xrefs: 0043A9BD
All Users\, xrefs: 0043ACE5
Common Files\, xrefs: 0043AADE
@/L, xrefs: 0043A86B, 0043A87A
dJ, xrefs: 0043A916
Program Files, xrefs: 0043ABEC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_Version$ErrorFreeLastString_memset$AddressAttributesFileFolderFromHandleListLocationMallocModuleOpenPathProcQuerySpecialValue
String ID: @/L$All Users\$Application Data\$Common Files\$Fonts$My Documents\$Personal\$Program Files$dJ$dJ$lJ$lJ$lJ
API String ID: 1011625025-502265293
Opcode ID: 863c874bd6181c5ea0adc2259dc54ea81c594d4b0012e11c2dd0005884be91d5
Instruction ID: bf6d20eef09fdc84e89b69ed726bbf1ce7202a806fd1a8f855702ac999b10b21
Opcode Fuzzy Hash: 863c874bd6181c5ea0adc2259dc54ea81c594d4b0012e11c2dd0005884be91d5
Instruction Fuzzy Hash: 16028D718442589ADB25EB61CC59BDEB7B8AF18304F1401DFE14A63192DF386B88CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00404C00, Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00404C00(void* __ecx, intOrPtr* _a4, char _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v72;
				short _v76;
				char _v80;
				short _v84;
				short _v88;
				char _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				char _v116;
				char _v120;
				short _v124;
				intOrPtr _v128;
				intOrPtr* _v132;
				char _v136;
				void* _v140;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t114;
				signed int _t116;
				intOrPtr* _t119;
				signed int _t124;
				signed int _t151;
				signed int _t154;
				signed int _t155;
				void* _t161;
				void* _t176;
				void* _t177;
				void* _t178;
				short* _t180;
				short* _t192;
				void* _t193;
				intOrPtr _t199;
				intOrPtr* _t201;
				void* _t202;
				intOrPtr* _t204;
				void* _t207;
				signed int _t212;
				signed int _t214;
				signed int _t215;

				_push(0xffffffff);
				_push(0x4ac900);
				_push( *[fs:0x0]);
				_t214 = (_t212 & 0xfffffff8) - 0x78;
				_t114 =  *0x4d7e88; // 0x9518852c
				_v24 = _t114 ^ _t214;
				_t116 =  *0x4d7e88; // 0x9518852c
				_push(_t116 ^ _t214);
				 *[fs:0x0] =  &_v16;
				_t176 = __ecx;
				_t119 = _a4;
				_v132 = _t119;
				_v128 = _t119;
				_v124 = 0;
				_v120 = 0x4c2f50;
				_v80 = 0x4c3454;
				_v76 = GetLastError();
				_v116 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t14 =  &_v80; // 0x4c3454
				_v96 = 7;
				_v100 = 0;
				_t19 =  *((intOrPtr*)( *_t14 + 4)) + 0x48; // 0x4c3454
				SetLastError( *(_t214 + _t19));
				_v8 = 0;
				_t124 =  *(_t176 + 0x14);
				_t201 = __imp__#6;
				if(_t124 < 3) {
					L19:
					__eflags = _t124;
					if(__eflags != 0) {
						__eflags = _t124 - 1;
						if(__eflags > 0) {
							__eflags =  *((intOrPtr*)(_t176 + 0x18)) - 8;
							_t151 = _t176 + 4;
							if( *((intOrPtr*)(_t176 + 0x18)) >= 8) {
								_t151 =  *_t151;
							}
							__eflags =  *((short*)(_t151 + 2)) - 0x3a;
							__eflags = _t151 & 0xffffff00 |  *((short*)(_t151 + 2)) == 0x0000003a;
							if(__eflags != 0) {
								_t154 = E00404580( &_v72, 0, 2);
								_v20 = 2;
								__eflags = _t154;
								if(_t154 == 0) {
									_t155 = 0;
									__eflags = 0;
									goto L28;
								} else {
									_t155 = _t154 + 4;
									__eflags =  &_v116 - _t155;
									if( &_v116 != _t155) {
										L28:
										_push(0xffffffff);
										E00406630(_t176,  &_v116, _t201, _t155, 0);
									}
								}
								_v12 = 0;
								E00401A60( &_v76);
							}
						}
					}
					_t177 = SetLastError;
				} else {
					_t199 =  *((intOrPtr*)(_t176 + 0x18));
					if(_t199 < 8) {
						_t192 = _t176 + 4;
					} else {
						_t192 =  *(_t176 + 4);
					}
					if( *_t192 != 0x5c) {
						goto L19;
					} else {
						if(_t199 < 8) {
							_t193 = _t176 + 4;
						} else {
							_t193 =  *(_t176 + 4);
						}
						if( *((short*)(_t193 + 2)) != 0x5c) {
							goto L19;
						} else {
							_t28 =  &_v136; // 0x4c3454
							_v136 = 0x5c;
							if(E004068B0(_t176 + 4, _t28, 2, 1) != 0xffffffff) {
								_t31 =  &_v136; // 0x4c3454
								_v136 = 0x5c;
								_t159 = E004068B0(_t176 + 4, _t31, _t159 + 1, 1);
							}
							_t161 = E00404580( &_v72, 0, _t159);
							_v20 = 1;
							if(_t161 == 0) {
								_t162 = 0;
								__eflags = 0;
								goto L15;
							} else {
								_t162 = _t161 + 4;
								if( &_v116 != _t161 + 4) {
									L15:
									_push(0xffffffff);
									E00406630(_t176,  &_v116, _t201, _t162, 0);
								}
							}
							_v12 = 0;
							 *((intOrPtr*)( &_v36 +  *((intOrPtr*)(_v36 + 4)))) = GetLastError();
							L0045A7D5(_v48);
							_t214 = _t214 + 4;
							 *_t201(_v40);
							if(_v56 >= 8) {
								 *_t201(_v76);
							}
							_t177 = SetLastError;
							_v76 = 0;
							_v56 = 7;
							_v60 = 0;
							SetLastError( *(_t214 +  *((intOrPtr*)(_v80 + 4)) + 0x50));
						}
					}
				}
				_t226 = _a8;
				if(_a8 != 0) {
					E00404960( &_v120, _t226,  &_v72);
					 *((intOrPtr*)( &_v36 +  *((intOrPtr*)(_v36 + 4)))) = GetLastError();
					L0045A7D5(_v48);
					_t214 = _t214 + 4;
					 *_t201(_v40);
					if(_v56 >= 8) {
						 *_t201(_v72);
					}
					_v72 = 0;
					_v52 = 7;
					_v56 = 0;
					SetLastError( *(_t214 +  *((intOrPtr*)(_v76 + 4)) + 0x50));
				}
				_t204 = _v132;
				 *_t204 = 0x4c2f50;
				 *((intOrPtr*)(_t204 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t204 + 0x2c)) = GetLastError();
				_t180 = _t204 + 4;
				_v8 = 3;
				 *((intOrPtr*)(_t180 + 0x14)) = 7;
				 *((intOrPtr*)(_t180 + 0x10)) = 0;
				 *_t180 = 0;
				E00406630(_t177, _t180, _t201,  &_v116, 0);
				 *((intOrPtr*)(_t204 + 0x1c)) = 0;
				 *((intOrPtr*)(_t204 + 0x20)) = 0;
				 *((intOrPtr*)(_t204 + 0x24)) = 0;
				_t93 =  *((intOrPtr*)(_t204 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t93 + _t204 + 0x28));
				_t96 =  &_v92; // 0x4c3454
				_t97 =  &_v92; // 0x4c3454
				 *((intOrPtr*)(_t97 +  *((intOrPtr*)( *_t96 + 4)))) = GetLastError();
				L0045A7D5(_v104);
				_t215 = _t214 + 4;
				 *_t201(_v96, 0xffffffff);
				if(_v112 >= 8) {
					 *_t201(_v124);
				}
				_v104 = 7;
				_v108 = 0;
				_v124 = 0;
				SetLastError( *(_t215 +  *((intOrPtr*)(_v128 + 4)) + 0x20));
				 *[fs:0x0] = _v24;
				_pop(_t202);
				_pop(_t207);
				_pop(_t178);
				return E0045A457(_t178, _v32 ^ _t215, _t199, _t202, _t207);
			}

0x00404c06
0x00404c08
0x00404c13
0x00404c14
0x00404c17
0x00404c1e
0x00404c25
0x00404c2c
0x00404c34
0x00404c3a
0x00404c3c
0x00404c3f
0x00404c43
0x00404c47
0x00404c4f
0x00404c57
0x00404c65
0x00404c6b
0x00404c70
0x00404c74
0x00404c78
0x00404c7c
0x00404c80
0x00404c88
0x00404c93
0x00404c97
0x00404c9d
0x00404ca8
0x00404cab
0x00404cb4
0x00404dc3
0x00404dc3
0x00404dc5
0x00404dc7
0x00404dca
0x00404dcc
0x00404dd0
0x00404dd3
0x00404dd5
0x00404dd5
0x00404dd7
0x00404ddf
0x00404de1
0x00404dee
0x00404df3
0x00404dfb
0x00404dfd
0x00404e0c
0x00404e0c
0x00000000
0x00404dff
0x00404dff
0x00404e06
0x00404e08
0x00404e0e
0x00404e0e
0x00404e17
0x00404e17
0x00404e08
0x00404e20
0x00404e28
0x00404e28
0x00404de1
0x00404dca
0x00404e2d
0x00404cba
0x00404cba
0x00404cc0
0x00404cc7
0x00404cc2
0x00404cc2
0x00404cc2
0x00404cce
0x00000000
0x00404cd4
0x00404cd7
0x00404cde
0x00404cd9
0x00404cd9
0x00404cd9
0x00404ce6
0x00000000
0x00404cec
0x00404cf0
0x00404cf8
0x00404d08
0x00404d0e
0x00404d16
0x00404d1e
0x00404d1e
0x00404d2d
0x00404d32
0x00404d3c
0x00404d4b
0x00404d4b
0x00000000
0x00404d3e
0x00404d3e
0x00404d47
0x00404d4d
0x00404d4d
0x00404d56
0x00404d56
0x00404d47
0x00404d5b
0x00404d76
0x00404d7c
0x00404d81
0x00404d88
0x00404d8f
0x00404d95
0x00404d95
0x00404d97
0x00404d9f
0x00404da8
0x00404db0
0x00404dbf
0x00404dbf
0x00404ce6
0x00404cce
0x00404e33
0x00404e37
0x00404e42
0x00404e5a
0x00404e60
0x00404e65
0x00404e6c
0x00404e73
0x00404e79
0x00404e79
0x00404e7d
0x00404e86
0x00404e8e
0x00404e9d
0x00404e9d
0x00404e9f
0x00404ea3
0x00404ea9
0x00404eb6
0x00404eb9
0x00404ebc
0x00404ec8
0x00404ecf
0x00404ed7
0x00404edf
0x00404ee4
0x00404eeb
0x00404ef2
0x00404efc
0x00404f03
0x00404f05
0x00404f09
0x00404f18
0x00404f1e
0x00404f23
0x00404f2a
0x00404f31
0x00404f37
0x00404f37
0x00404f3f
0x00404f47
0x00404f4f
0x00404f5b
0x00404f68
0x00404f70
0x00404f71
0x00404f72
0x00404f81

APIs

GetLastError.KERNEL32 ref: 00404C5F
SetLastError.KERNEL32(T4L), ref: 00404C97
GetLastError.KERNEL32(00000000,00000000,000000FF,00000007,00000000,00000000,T4L,00000002,00000001), ref: 00404D70
SysFreeString.OLEAUT32(?), ref: 00404D88
SysFreeString.OLEAUT32(?), ref: 00404D95
SetLastError.KERNEL32(?), ref: 00404DBF
GetLastError.KERNEL32(?), ref: 00404E54
SysFreeString.OLEAUT32(?), ref: 00404E6C
SysFreeString.OLEAUT32(?), ref: 00404E79
SetLastError.KERNEL32(?), ref: 00404E9D
GetLastError.KERNEL32 ref: 00404EB0
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404F03
GetLastError.KERNEL32 ref: 00404F12
SysFreeString.OLEAUT32(?), ref: 00404F2A
SysFreeString.OLEAUT32(?), ref: 00404F37
SetLastError.KERNEL32(?), ref: 00404F5B

Strings

T4L, xrefs: 00404C7C
\, xrefs: 00404D16
P/L, xrefs: 00404C4F
T4L, xrefs: 00404EA9
T4L, xrefs: 00404CF0, 00404D0E, 00404CF4, 00404D12

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L$\
API String ID: 2425351278-1825822663
Opcode ID: 4659591ec9c173596597a223606b4cff03fb49f5437a1000925287c0d0ce57ef
Instruction ID: aa9b36dd0ea5038fb1f37e920e4466eefaced8f4359d97b31f3457d675e79404
Opcode Fuzzy Hash: 4659591ec9c173596597a223606b4cff03fb49f5437a1000925287c0d0ce57ef
Instruction Fuzzy Hash: FEA15BB1108340DFD710DF24C985B5BBBE4BF88318F10492EF999972A1D779E948CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00401CA0, Relevance: 37.0, APIs: 14, Strings: 7, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00401CA0(void* __ecx, void* __edx) {
				struct HINSTANCE__* _v8;
				char _v16;
				signed int _v20;
				long _v24;
				char _v28;
				short _v32;
				short _v36;
				short _v40;
				intOrPtr _v44;
				struct HINSTANCE__* _v48;
				char _v64;
				char _v68;
				long _v72;
				char _v76;
				short _v80;
				short _v84;
				short _v88;
				intOrPtr _v92;
				struct HINSTANCE__* _v96;
				short _v112;
				char _v116;
				char _v164;
				char _v165;
				struct HINSTANCE__* _v172;
				struct HINSTANCE__* _v176;
				void* _v180;
				long _v184;
				char _v196;
				struct HINSTANCE__* _v200;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t99;
				signed int _t100;
				void* _t102;
				long _t103;
				intOrPtr _t125;
				void* _t127;
				intOrPtr _t135;
				intOrPtr* _t138;
				void* _t143;
				intOrPtr* _t149;
				void* _t156;
				intOrPtr* _t157;
				void* _t158;
				void* _t183;
				void* _t185;
				void* _t186;
				void* _t193;
				signed int _t194;

				_t183 = __edx;
				_push(0xffffffff);
				_push(0x4ac534);
				_push( *[fs:0x0]);
				_t99 =  *0x4d7e88; // 0x9518852c
				_t100 = _t99 ^ _t194;
				_v20 = _t100;
				_push(_t100);
				 *[fs:0x0] =  &_v16;
				_t185 = __ecx;
				_v200 = 0;
				if( *0x4d9430 == 0) {
					_v180 = 0;
					_v176 = 0;
					_v172 = 0;
					_v8 = 0;
					_t102 = E004018F0( &_v180, 0x80000001, L"SOFTWARE\\InstallShield\\22.0\\Professional", 0x20019);
					_v68 = 0x4c2f50;
					_v28 = 0x4c3454;
					_t103 = GetLastError();
					_t156 = SetLastError;
					_v24 = _t103;
					_v64 = 0;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_t17 =  &_v28; // 0x4c3454
					_v44 = 7;
					_v48 = 0;
					_t22 =  *((intOrPtr*)( *_t17 + 4)) - 0x18; // 0x4c3454
					SetLastError( *(_t194 + _t22));
					_v8 = 1;
					if(_t102 == 0) {
						_v184 = 0x104;
						_t149 = E00403020( &_v68,  &_v196, 0x104);
						_v8 = 2;
						 *((char*)(_t149 + 4)) = 1;
						E004019E0( &_v180, L"VerboseLogPath",  *((intOrPtr*)(E004040F0(_t149,  *_t149))),  &_v184);
						_v8 = 1;
						E00403CF0( &_v196);
					}
					if(_v48 != 0) {
						L11:
						E00402CE0(L"InstallShield.log",  &_v165, 1);
						_v8 = 6;
						E00402DE0( &_v68, _t185,  &_v116);
						_t69 = _v76 + 4; // 0x4
						 *((intOrPtr*)( &_v76 +  *_t69)) = GetLastError();
						L0045A7D5(_v88);
						_t157 = __imp__#6;
						 *_t157(_v80);
						if(_v92 >= 8) {
							 *_t157(_v112);
						}
						_v112 = 0;
						_v92 = 7;
						_v96 = 0;
						SetLastError( *(_t194 +  *((intOrPtr*)(_v116 + 4)) - 0x70));
						_t83 = _v28 + 4; // 0x4
						 *((intOrPtr*)( &_v28 +  *_t83)) = GetLastError();
						L0045A7D5(_v40);
						 *_t157(_v32);
						if(_v44 >= 8) {
							 *_t157(_v64);
						}
						_v64 = 0;
						_t125 = _v68;
						_v44 = 7;
						_v48 = 0;
						_t92 = _t125 + 4; // 0x2c
						SetLastError( *(_t194 +  *_t92 - 0x40));
						_t127 = _v180;
						if(_t127 != 0) {
							RegCloseKey(_t127);
						}
						L17:
						 *[fs:0x0] = _v16;
						_pop(_t186);
						_pop(_t193);
						_pop(_t158);
						return E0045A457(_t158, _v20 ^ _t194, _t183, _t186, _t193);
					} else {
						_v116 = 0x4c2f50;
						_v76 = 0x4c3454;
						_v72 = GetLastError();
						_v112 = 0;
						_v88 = 0;
						_v84 = 0;
						_v80 = 0;
						_t135 = _v76;
						_v92 = 7;
						_v96 = 0;
						_t44 = _t135 + 4; // 0x4
						SetLastError( *(_t194 +  *_t44 - 0x48));
						_v8 = 3;
						_t138 = E00403020( &_v116,  &_v196, 0x104);
						_v8 = 4;
						 *((char*)(_t138 + 4)) = 1;
						GetModuleFileNameW(0,  *(E004040F0(_t138,  *_t138)), 0x104);
						_v8 = 3;
						E00403CF0( &_v196);
						_t143 = E004034E0( &_v116,  &_v164, 0, 0);
						_v8 = 5;
						if(_t143 == 0) {
							_t144 = 0;
							L9:
							_push(0xffffffff);
							E00406630(_t156,  &_v64, _t185, _t144, 0);
							L10:
							E00401A60( &_v164);
							_v8 = 1;
							E00401A60( &_v116);
							goto L11;
						}
						_t144 = _t143 + 4;
						if( &_v64 == _t143 + 4) {
							goto L10;
						}
						goto L9;
					}
				}
				_t181 =  >=  ?  *0x4d9420 : 0x4d9420;
				E00402CE0( >=  ?  *0x4d9420 : 0x4d9420,  &_v165, 1);
				goto L17;
			}

0x00401ca0
0x00401ca3
0x00401ca5
0x00401cb0
0x00401cb7
0x00401cbc
0x00401cbe
0x00401cc4
0x00401cc8
0x00401cce
0x00401cd7
0x00401ce1
0x00401d0c
0x00401d16
0x00401d20
0x00401d3f
0x00401d46
0x00401d4d
0x00401d54
0x00401d5b
0x00401d61
0x00401d67
0x00401d6c
0x00401d70
0x00401d73
0x00401d76
0x00401d79
0x00401d7c
0x00401d83
0x00401d8d
0x00401d91
0x00401d93
0x00401d99
0x00401daa
0x00401db4
0x00401db9
0x00401dbf
0x00401ddc
0x00401de7
0x00401deb
0x00401deb
0x00401df4
0x00401ecc
0x00401edd
0x00401eea
0x00401eee
0x00401ef9
0x00401f04
0x00401f09
0x00401f0e
0x00401f1a
0x00401f20
0x00401f25
0x00401f25
0x00401f29
0x00401f30
0x00401f37
0x00401f45
0x00401f51
0x00401f5c
0x00401f61
0x00401f6c
0x00401f72
0x00401f77
0x00401f77
0x00401f7b
0x00401f7f
0x00401f82
0x00401f89
0x00401f90
0x00401f97
0x00401f9d
0x00401fa5
0x00401fa8
0x00401fa8
0x00401fae
0x00401fb3
0x00401fbb
0x00401fbc
0x00401fbd
0x00401fcb
0x00401dfa
0x00401dfa
0x00401e01
0x00401e0e
0x00401e13
0x00401e17
0x00401e1a
0x00401e1d
0x00401e20
0x00401e23
0x00401e2a
0x00401e31
0x00401e38
0x00401e49
0x00401e4d
0x00401e52
0x00401e58
0x00401e6a
0x00401e76
0x00401e7a
0x00401e8d
0x00401e92
0x00401e98
0x00401ea6
0x00401ea8
0x00401ea8
0x00401eb0
0x00401eb5
0x00401ebb
0x00401ec3
0x00401ec7
0x00000000
0x00401ec7
0x00401e9a
0x00401ea2
0x00000000
0x00000000
0x00000000
0x00401ea4
0x00401df4
0x00401cf7
0x00401d02
0x00000000

APIs

GetLastError.KERNEL32(9518852C), ref: 00401D5B
SetLastError.KERNEL32(T4L), ref: 00401D91
GetLastError.KERNEL32(?,00000104), ref: 00401E08
SetLastError.KERNEL32(004C3454), ref: 00401E38
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,00000104), ref: 00401E6A

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Strings

SOFTWARE\InstallShield\22.0\Professional, xrefs: 00401D2F
InstallShield.log, xrefs: 00401ED5
P/L, xrefs: 00401DFA
T4L, xrefs: 00401D79
P/L, xrefs: 00401D4D
VerboseLogPath, xrefs: 00401DD7
T4L, xrefs: 00401E01

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FileModuleName
String ID: InstallShield.log$P/L$P/L$SOFTWARE\InstallShield\22.0\Professional$T4L$T4L$VerboseLogPath
API String ID: 1026760046-777573538
Opcode ID: 1d6d3eb3d8f6c7f78560d07c1a3589e2c246a6b27d59768c343c7773800a5df6
Instruction ID: a826d0a235e98ca63236490f962bccbb2077009cf1f65bafaa1f07d6c467c3ca
Opcode Fuzzy Hash: 1d6d3eb3d8f6c7f78560d07c1a3589e2c246a6b27d59768c343c7773800a5df6
Instruction Fuzzy Hash: B8914671900258DFDB10DFA4CC45BDDBBB4BF08308F1041AAE905B72A2DBB86A48CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040BBD6, Relevance: 33.6, APIs: 3, Strings: 16, Instructions: 393
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040BBD6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t148;
				void* _t150;
				void* _t154;
				void* _t155;
				void* _t156;
				intOrPtr* _t166;
				void* _t180;
				intOrPtr* _t181;
				void* _t196;
				void* _t202;
				void* _t204;
				void* _t208;
				void* _t229;
				intOrPtr* _t233;
				signed int _t242;
				intOrPtr* _t249;
				signed int _t253;
				void* _t254;
				intOrPtr* _t265;
				intOrPtr* _t294;
				intOrPtr* _t320;
				void* _t340;
				void* _t343;
				intOrPtr* _t344;
				void* _t345;
				void* _t346;
				void* _t347;
				void* _t348;
				void* _t350;
				void* _t354;
				signed int _t355;
				void* _t356;
				void* _t357;
				intOrPtr* _t358;
				signed int _t362;

				_push(0x1c4);
				E0045B8C9(0x4a095a, __ebx, __edi, __esi);
				_t340 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x3c0)) == 0) {
					 *((intOrPtr*)(__ecx + 0x3c0)) = 0xffffec77;
				}
				_t264 = _t340 + 0x2cc;
				E00409FA9(_t340 + 0x2cc, 0, 0xffffffff);
				 *((intOrPtr*)(_t346 - 0x1cc)) = 0;
				 *(_t346 - 4) = 0;
				__imp__#200(0, _t346 - 0x1cc);
				_t148 =  *((intOrPtr*)(_t346 - 0x1cc));
				if(_t148 != 0) {
					 *(_t346 - 0x1c8) =  *(_t346 - 0x1c8) & 0x00000000;
					_t337 = _t346 - 0x1c8;
					 *(_t346 - 4) = 1;
					 *((intOrPtr*)( *_t148 + 0x14))(_t148, _t346 - 0x1c8);
					_t362 =  *(_t346 - 0x1c8);
					_t261 =  !=  ?  *(_t346 - 0x1c8) : 0x4c2d7c;
					E00404260(_t264, _t340,  !=  ?  *(_t346 - 0x1c8) : 0x4c2d7c);
					 *(_t346 - 4) = 0;
					__imp__#6( *(_t346 - 0x1c8));
				}
				_t342 = _t340 + 0x50;
				_t150 = E004091B8(_t346 - 0x1c0, _t340 + 0x50, _t346 - 0x1c1, 1);
				_push(0);
				_push(_t346 - 0x160);
				 *(_t346 - 4) = 2;
				E0040E057(_t264, _t150, _t337, _t340, _t340 + 0x50, _t362);
				 *(_t346 - 4) = 4;
				E00401B80(_t346 - 0x1c0);
				_t154 = E004091B8(_t346 - 0x40, _t342, _t346 - 0x1c1, 1);
				_push(0);
				_push(0);
				_push(_t346 - 0x70);
				 *(_t346 - 4) = 5;
				_t155 = E0040A206(_t264, _t154, _t337, _t340, _t342, _t362);
				 *(_t346 - 4) = 6;
				_t156 = E0040A528(_t264, _t155, _t337, _t362, _t346 - 0x100);
				_push(0);
				_push(_t346 - 0x190);
				 *(_t346 - 4) = 7;
				E0040E057(_t264, _t156, _t337, _t340, _t342, _t362);
				E00401B80(_t346 - 0x100);
				E00401B80(_t346 - 0x70);
				E00401B80(_t346 - 0x40);
				 *((intOrPtr*)(_t346 - 0xa0)) = 0x4c2fa0;
				 *((intOrPtr*)(_t346 - 0x78)) = 0x4c2f40;
				E00404200(_t346 - 0xa0, _t346 - 0x1c1, 0);
				_push(_t346 - 0x160);
				_push(_t346 - 0x40);
				 *(_t346 - 4) = 0xc;
				_t166 = E0040B91E(_t264, _t346 - 0x190, _t340, _t342, _t362) + 4;
				 *(_t346 - 4) = 0xd;
				_t363 =  *((intOrPtr*)(_t166 + 0x14)) - 8;
				if( *((intOrPtr*)(_t166 + 0x14)) >= 8) {
					_t166 =  *_t166;
				}
				E0040DD64(_t346 - 0xa0, L">%s (%d)\r\n", _t166);
				_t348 = _t347 + 0x10;
				 *(_t346 - 4) = 0xc;
				E00401B80(_t346 - 0x40);
				E0040B99A(_t264, _t346 - 0xa0);
				_t265 = _t340 + 4;
				_t343 = E0040D191( *((intOrPtr*)( *_t265 + 0x2c))( *((intOrPtr*)(_t340 + 0x4c))), _t346 - 0x100);
				 *(_t346 - 4) = 0xe;
				 *(_t346 - 0x1c8) = E0040BAFD(_t265, _t340, _t343, _t363);
				_t338 =  *_t265;
				 *(_t346 - 4) = 0xf;
				_t180 = E0040D1C1( *((intOrPtr*)( *_t265 + 0x2c))(_t346 - 0x70, _t340), _t346 - 0x40);
				_t344 = _t343 + 4;
				 *(_t346 - 4) = 0x10;
				if( *((intOrPtr*)(_t344 + 0x14)) >= 8) {
					_t344 =  *_t344;
				}
				_t294 =  *(_t346 - 0x1c8) + 4;
				if( *((intOrPtr*)(_t294 + 0x14)) >= 8) {
					_t294 =  *_t294;
				}
				_t181 = _t180 + 4;
				_t366 =  *((intOrPtr*)(_t181 + 0x14)) - 8;
				if( *((intOrPtr*)(_t181 + 0x14)) >= 8) {
					_t181 =  *_t181;
				}
				E0040DD64(_t346 - 0xa0, L"PAPP:%s\r\nPVENDOR:%s\r\nPGUID:%s\r\n", _t181);
				E00401B80(_t346 - 0x40);
				E00401B80(_t346 - 0x70);
				 *(_t346 - 4) = 0xc;
				E00401B80(_t346 - 0x100);
				_t345 = _t340 + 0x2cc;
				E0040B99A(_t345, _t346 - 0xa0);
				 *(_t346 - 4) = 0x11;
				 *(_t346 - 4) = 0x12;
				_t196 = E0040B2A8(_t265, _t340, _t345, _t366);
				_t350 = _t348 + 0x28;
				 *(_t346 - 4) = 0x13;
				E0040B99A(_t345, _t196);
				E00401B80(_t346 - 0x40);
				E00401B80(_t346 - 0x70);
				 *(_t346 - 4) = 0xc;
				E00401B80(_t346 - 0x100);
				_t202 =  *((intOrPtr*)( *_t265 + 0x2c))(_t346 - 0x40, "$", E00443833(_t265, _t338, _t340, _t345, _t366), _t346 - 0x70, E0040D131( *((intOrPtr*)( *_t265 + 0x2c))(_t294, _t344), _t346 - 0x100));
				_t367 =  *((char*)(_t202 + 0x13));
				if( *((char*)(_t202 + 0x13)) != 0) {
					_push(E0045B5D4(L"WEB"));
					E0040DAD9(_t265, _t340 + 0x2d0, _t340, _t367, L"WEB");
				}
				_t204 =  *((intOrPtr*)( *_t265 + 0x2c))();
				_t368 =  *((char*)(_t204 + 9));
				if( *((char*)(_t204 + 9)) != 0) {
					_push(E0045B5D4(L"PAK"));
					E0040DAD9(_t265, _t340 + 0x2d0, _t340, _t368, L"PAK");
				}
				_push(0);
				_push(0);
				_push(_t346 - 0x70);
				_push(E0044542C(_t265, _t340, _t345, _t368));
				_push(L"\r\n@");
				_push(_t346 - 0x40);
				 *(_t346 - 4) = 0x14;
				_t208 = E0040B2A8(_t265, _t340, _t345, _t368);
				 *(_t346 - 4) = 0x15;
				E0040B99A(_t345, _t208);
				E00401B80(_t346 - 0x40);
				E00401B80(_t346 - 0x70);
				 *((intOrPtr*)(_t346 - 0xd0)) = 0x4c2fa0;
				 *((intOrPtr*)(_t346 - 0xa8)) = 0x4c2f40;
				E00404200(_t346 - 0xd0, _t346 - 0x1c1, 0);
				 *(_t346 - 4) = 0x16;
				E0040DD64(_t346 - 0xd0, L" Service Pack %ld", E00445591());
				E0040B99A(_t345, _t346 - 0xd0);
				 *((intOrPtr*)(_t346 - 0x130)) = 0x4c2fa0;
				 *((intOrPtr*)(_t346 - 0x108)) = 0x4c2f40;
				E00404200(_t346 - 0x130, _t346 - 0x1c1, 0);
				 *(_t346 - 4) = 0x17;
				E0040DD64(_t346 - 0x130, L" (%ld) ", E00445551());
				E0040B99A(_t345, _t346 - 0x130);
				_push(_t346 - 0x70);
				_push(E00444363(_t265, _t340, _t345, _t368));
				_push(L"\r\nIE Version: ");
				_push(_t346 - 0x40);
				 *(_t346 - 4) = 0x18;
				_t229 = E0040B2A8(_t265, _t340, _t345, _t368);
				_t354 = _t350 + 0x40;
				 *(_t346 - 4) = 0x19;
				E0040B99A(_t345, _t229);
				E00401B80(_t346 - 0x40);
				 *(_t346 - 4) = 0x17;
				E00401B80(_t346 - 0x70);
				_t233 = _t340 + 0x2d0;
				_t369 =  *((intOrPtr*)(_t233 + 0x14)) - 8;
				if( *((intOrPtr*)(_t233 + 0x14)) >= 8) {
					_t233 =  *_t233;
				}
				_push(_t233);
				_push( *((intOrPtr*)(_t340 + 0x48)));
				_push( *((intOrPtr*)(_t340 + 0x3c0)));
				_push(L"ErrorCode=%ld\tException=0x%08lx\tErrorInformation=%s");
				_t355 = _t354 - 0x30;
				 *(_t346 - 0x1c8) = _t355;
				E004091B8(_t355, L"UnhandledException", _t346 - 0x1c1, 1);
				_t356 = _t355 - 0x30;
				 *(_t346 - 4) = 0x1a;
				E004091B8(_t356, L"ISSetupDLLOp", _t346 - 0x1c1, 1);
				 *(_t346 - 4) = 0x17;
				E0043BB71(_t265, _t338, _t340, _t345, _t369);
				_t357 = _t356 + 0x70;
				E0040C163(_t265, _t340, _t338, _t340, _t345, _t369);
				_t370 =  *((char*)(_t346 + 8));
				if( *((char*)(_t346 + 8)) != 0) {
					L21:
					_t358 = _t357 - 0x30;
					_t320 = _t358;
					 *((intOrPtr*)(_t346 - 0x1d0)) = _t358;
					 *_t320 = 0x4c2fa0;
					 *((intOrPtr*)(_t320 + 0x28)) = 0x4c2f40;
					E00408E82(_t265, _t320, _t340, _t345, _t372);
					 *(_t346 - 4) = 0x1b;
					_t242 =  *((intOrPtr*)( *_t265 + 0x2c))(_t345, 0, 0x10, 1, 0);
					_push(0);
					 *(_t346 - 0x1c8) = _t242;
					 *(_t346 - 4) = 0x17;
					E0040D922(_t265, _t346 - 0x1c8, _t338, _t340, _t345, _t372);
				} else {
					_t253 =  *((intOrPtr*)( *_t265 + 0x2c))();
					_push(0);
					_push(1);
					_push(_t340);
					_push(0x40c4f0);
					_push(0);
					_push(0x77);
					 *(_t346 - 0x1c8) = _t253;
					_t254 = E0040D57E(_t265, _t346 - 0x1c8, _t338, _t340, _t345, _t370);
					if(_t254 == 0xffffffff) {
						goto L21;
					} else {
						_t372 = _t254;
						if(_t254 == 0) {
							goto L21;
						}
					}
				}
				E00401B80(_t346 - 0x130);
				E00401B80(_t346 - 0xd0);
				E00401B80(_t346 - 0xa0);
				E00401B80(_t346 - 0x190);
				E00401B80(_t346 - 0x160);
				_t249 =  *((intOrPtr*)(_t346 - 0x1cc));
				 *(_t346 - 4) =  *(_t346 - 4) | 0xffffffff;
				if(_t249 != 0) {
					 *((intOrPtr*)( *_t249 + 8))(_t249);
				}
				return E0045B878(_t265, _t340, _t345);
			}

0x0040bbd6
0x0040bbe0
0x0040bbe5
0x0040bbee
0x0040bbf0
0x0040bbf0
0x0040bbfc
0x0040bc06
0x0040bc0d
0x0040bc1b
0x0040bc1e
0x0040bc24
0x0040bc2c
0x0040bc2e
0x0040bc37
0x0040bc3f
0x0040bc43
0x0040bc46
0x0040bc52
0x0040bc5c
0x0040bc67
0x0040bc6b
0x0040bc6b
0x0040bc7a
0x0040bc84
0x0040bc89
0x0040bc91
0x0040bc94
0x0040bc98
0x0040bca3
0x0040bca7
0x0040bcb9
0x0040bcbe
0x0040bcc0
0x0040bcc5
0x0040bcc8
0x0040bccc
0x0040bcda
0x0040bcde
0x0040bce3
0x0040bceb
0x0040bcee
0x0040bcf2
0x0040bcfd
0x0040bd05
0x0040bd0d
0x0040bd21
0x0040bd2b
0x0040bd32
0x0040bd3d
0x0040bd41
0x0040bd48
0x0040bd51
0x0040bd54
0x0040bd58
0x0040bd5c
0x0040bd5e
0x0040bd5e
0x0040bd70
0x0040bd75
0x0040bd7b
0x0040bd7f
0x0040bd8d
0x0040bd92
0x0040bdaa
0x0040bdb1
0x0040bdbc
0x0040bdc2
0x0040bdca
0x0040bdd3
0x0040bdd8
0x0040bddb
0x0040bde3
0x0040bde5
0x0040bde5
0x0040bded
0x0040bdf4
0x0040bdf6
0x0040bdf6
0x0040bdf8
0x0040bdfb
0x0040bdff
0x0040be01
0x0040be01
0x0040be12
0x0040be1d
0x0040be25
0x0040be30
0x0040be34
0x0040be3f
0x0040be48
0x0040be67
0x0040be7a
0x0040be7e
0x0040be83
0x0040be89
0x0040be8d
0x0040be95
0x0040be9d
0x0040bea8
0x0040beac
0x0040beb5
0x0040beb8
0x0040bebc
0x0040bec9
0x0040bed5
0x0040bed5
0x0040bede
0x0040bee1
0x0040bee5
0x0040bef2
0x0040befe
0x0040befe
0x0040bf03
0x0040bf08
0x0040bf0a
0x0040bf10
0x0040bf14
0x0040bf19
0x0040bf1a
0x0040bf1e
0x0040bf29
0x0040bf2d
0x0040bf35
0x0040bf3d
0x0040bf51
0x0040bf5b
0x0040bf65
0x0040bf6a
0x0040bf80
0x0040bf91
0x0040bfa5
0x0040bfaf
0x0040bfb9
0x0040bfbe
0x0040bfd4
0x0040bfe5
0x0040bfed
0x0040bff3
0x0040bff7
0x0040bffc
0x0040bffd
0x0040c001
0x0040c006
0x0040c00c
0x0040c010
0x0040c018
0x0040c01d
0x0040c024
0x0040c029
0x0040c02f
0x0040c033
0x0040c035
0x0040c035
0x0040c037
0x0040c038
0x0040c041
0x0040c047
0x0040c04c
0x0040c051
0x0040c05f
0x0040c064
0x0040c077
0x0040c07b
0x0040c080
0x0040c084
0x0040c089
0x0040c08e
0x0040c093
0x0040c097
0x0040c0c8
0x0040c0ce
0x0040c0d1
0x0040c0d3
0x0040c0dc
0x0040c0e2
0x0040c0e9
0x0040c0f2
0x0040c0f6
0x0040c0f9
0x0040c101
0x0040c107
0x0040c10b
0x0040c099
0x0040c09d
0x0040c0a0
0x0040c0a2
0x0040c0a4
0x0040c0a5
0x0040c0aa
0x0040c0ac
0x0040c0b4
0x0040c0ba
0x0040c0c2
0x00000000
0x0040c0c4
0x0040c0c4
0x0040c0c6
0x00000000
0x00000000
0x0040c0c6
0x0040c0c2
0x0040c116
0x0040c121
0x0040c12c
0x0040c137
0x0040c142
0x0040c147
0x0040c14d
0x0040c153
0x0040c158
0x0040c158
0x0040c160

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BBE0
GetErrorInfo.OLEAUT32(00000000,?,00000000,000000FF,000001C4,00421597,00000000,?,?,?,?,?,?,004C2FA0,00000000), ref: 0040BC1E
SysFreeString.OLEAUT32(00000000), ref: 0040BC6B

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 0040BAFD: __EH_prolog3_GS.LIBCMT ref: 0040BB07

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 00445591: GetVersionExW.KERNEL32(?), ref: 004455B5

Part of subcall function 00445551: GetVersionExW.KERNEL32(?), ref: 00445575

Part of subcall function 00444363: __EH_prolog3.LIBCMT ref: 0044436A

Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF

Strings

ErrorCode=%ldException=0x%08lxErrorInformation=%s, xrefs: 0040C047
@/L, xrefs: 0040BD2B
UnhandledException, xrefs: 0040C05A
ISSetupDLLOp, xrefs: 0040C072
Service Pack %ld, xrefs: 0040BF7A
WEB, xrefs: 0040BEBE, 0040BED0
@/L, xrefs: 0040BFAF
@/L, xrefs: 0040BF5B
@/L, xrefs: 0040C0E2
@, xrefs: 0040BF14
IE Version: , xrefs: 0040BFF7
PAK, xrefs: 0040BEE7, 0040BEF9
(%ld) , xrefs: 0040BFCE
PAPP:%sPVENDOR:%sPGUID:%s, xrefs: 0040BE0C
|-L, xrefs: 0040BC4D
>%s (%d), xrefs: 0040BD6A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Error$Last$FreeH_prolog3_String$Version$H_prolog3Info
String ID: @$IE Version: $ (%ld) $ Service Pack %ld$>%s (%d)$@/L$@/L$@/L$@/L$ErrorCode=%ldException=0x%08lxErrorInformation=%s$ISSetupDLLOp$PAK$PAPP:%sPVENDOR:%sPGUID:%s$UnhandledException$WEB$|-L
API String ID: 547947699-1689130257
Opcode ID: 95c9b4f029ba529dc8caffb91fed8deea7a42bff6a581324bad97106d91bed76
Instruction ID: 19e321f862d881a7afa1f41671265f5d306a75ad34c5880e65e651ed653eec87
Opcode Fuzzy Hash: 95c9b4f029ba529dc8caffb91fed8deea7a42bff6a581324bad97106d91bed76
Instruction Fuzzy Hash: 51F16F71A00218EEDB14EBA5CC55FDD77B8AF15304F1400AEF509B71D2DB786A48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00436D52, Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 197
stringCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E00436D52(void* __ebx, void* __ecx, signed int __edi, void* __esi, void* __eflags) {
				long _t77;
				signed int _t80;
				signed int _t83;
				WCHAR* _t106;
				void* _t122;
				void* _t134;
				signed int _t142;
				signed int _t149;
				signed int _t150;
				signed int _t152;
				signed int _t164;
				signed int _t167;
				signed char _t168;
				signed int _t172;
				intOrPtr* _t178;
				intOrPtr* _t180;
				void* _t181;
				void* _t182;
				void* _t183;

				_t171 = __edi;
				_push(0x4bc);
				E0045B8C9(0x4a5f33, __ebx, __edi, __esi);
				_t134 = __ecx;
				_t178 = __ecx + 4;
				if( *((char*)( *((intOrPtr*)( *_t178 + 0x2c))() + 0x13)) != 0) {
					_t77 = GetTickCount();
					_t171 = (_t77 -  *((intOrPtr*)(_t134 + 0x3cc))) / 0x3e8;
					if((_t77 -  *((intOrPtr*)(_t134 + 0x3cc))) / 0x3e8 != 0) {
						_t80 =  *(_t134 + 0x278);
						_t164 =  *(_t134 + 0x27c);
						_t189 = _t80 | _t164;
						if((_t80 | _t164) != 0) {
							_t172 = E0045D040(_t80, _t164, _t171, 0);
							asm("sbb eax, [ebx+0x27c]");
							_t83 = E0045D040( *((intOrPtr*)(_t134 + 0x270)) -  *(_t134 + 0x278),  *((intOrPtr*)(_t134 + 0x274)), _t172, 0);
							_t142 = 0x3c;
							 *(_t181 - 0x4c8) = _t83 / _t142;
							 *(_t181 - 0x4c4) = _t83 % _t142;
							E0040D268(_t134,  *((intOrPtr*)( *_t178 + 0x2c))(_t181 - 0x490, 0x650), _t83 % _t142, _t172,  *_t178, _t189);
							 *(_t181 - 4) =  *(_t181 - 4) & 0x00000000;
							_t180 = _t134 + 4;
							E0040D268(_t134,  *((intOrPtr*)( *_t180 + 0x2c))(_t181 - 0x460, 0x651), _t83 % _t142, _t172, _t180, _t189);
							 *(_t181 - 4) = 1;
							E0040D268(_t134,  *((intOrPtr*)( *_t180 + 0x2c))(_t181 - 0x4c0, 0x758), _t83 % _t142, _t172, _t180, _t189);
							 *(_t181 - 0x230) = 0;
							E0045A4D0(_t181 - 0x22e, 0, 0x1fe);
							_t167 =  *(_t181 - 0x4c8);
							_t178 = wsprintfW;
							_t183 = _t182 + 0xc;
							if(_t167 > 0) {
								_t130 =  >=  ?  *((void*)(_t181 - 0x48c)) : _t181 - 0x48c;
								wsprintfW(_t181 - 0x230, L"%ld %s", _t167,  >=  ?  *((void*)(_t181 - 0x48c)) : _t181 - 0x48c);
								_t167 =  *(_t181 - 0x4c8);
								_t183 = _t183 + 0x10;
							}
							_t149 =  *(_t181 - 0x4c4);
							if(_t149 > 0) {
								_t122 = _t181 - 0x45c;
								if(_t167 <= 0) {
									__eflags =  *((intOrPtr*)(_t181 - 0x448)) - 8;
									_t123 =  >=  ?  *((void*)(_t181 - 0x45c)) : _t122;
									wsprintfW(_t181 - 0x230, L"%ld %s", _t149,  >=  ?  *((void*)(_t181 - 0x45c)) : _t122);
									_t183 = _t183 + 0x10;
								} else {
									_t126 =  >=  ?  *((void*)(_t181 - 0x45c)) : _t122;
									wsprintfW(_t181 - 0x230, L"%s %ld %s", _t181 - 0x230, _t149,  >=  ?  *((void*)(_t181 - 0x45c)) : _t122);
									_t183 = _t183 + 0x14;
								}
							}
							if(lstrlenW(_t181 - 0x230) != 0) {
								SetDlgItemTextW( *(_t134 + 0x26c), 0x136, _t181 - 0x230);
							}
							asm("sbb eax, eax");
							_t150 = 0xa;
							_t168 = (0x00100000 & _t150) + _t150 & 0x0000ffff;
							 *(_t181 - 0x30) = 0;
							 *(_t181 - 0x4c4) = _t172 * 0xa >> _t168;
							_t152 = 7;
							memset(_t181 - 0x2e, 0, _t152 << 2);
							asm("stosw");
							_t106 = _t181 - 0x30;
							if(_t168 != 0x14) {
								_push(L"KB");
							} else {
								_push(L"MB");
							}
							wsprintfW(_t106, ??);
							 *(_t181 - 0x430) = 0;
							E0045A4D0(_t181 - 0x42e, 0, 0x1fe);
							_t171 = 0xa;
							_t157 =  >=  ?  *((void*)(_t181 - 0x4bc)) : _t181 - 0x4bc;
							wsprintfW(_t181 - 0x430, L"%01d.%01d %s%s",  *(_t181 - 0x4c4) / _t171,  *(_t181 - 0x4c4) % _t171, _t181 - 0x30,  >=  ?  *((void*)(_t181 - 0x4bc)) : _t181 - 0x4bc);
							SetDlgItemTextW( *(_t134 + 0x26c), 0x134, _t181 - 0x430);
							E00401B80(_t181 - 0x4c0);
							E00401B80(_t181 - 0x460);
							E00401B80(_t181 - 0x490);
						}
					}
				}
				return E0045B878(_t134, _t171, _t178);
			}

0x00436d52
0x00436d52
0x00436d5c
0x00436d61
0x00436d63
0x00436d71
0x00436d77
0x00436d8c
0x00436d90
0x00436d96
0x00436d9c
0x00436da4
0x00436da6
0x00436dc2
0x00436dca
0x00436dd5
0x00436ddc
0x00436deb
0x00436df8
0x00436e03
0x00436e08
0x00436e17
0x00436e24
0x00436e39
0x00436e42
0x00436e4f
0x00436e5d
0x00436e62
0x00436e68
0x00436e6e
0x00436e73
0x00436e82
0x00436e97
0x00436e99
0x00436e9f
0x00436e9f
0x00436ea2
0x00436eaa
0x00436eac
0x00436eb4
0x00436eda
0x00436ee1
0x00436ef6
0x00436ef8
0x00436eb6
0x00436ebd
0x00436ed3
0x00436ed5
0x00436ed5
0x00436eb4
0x00436f0a
0x00436f1e
0x00436f1e
0x00436f2b
0x00436f32
0x00436f37
0x00436f42
0x00436f46
0x00436f4c
0x00436f50
0x00436f52
0x00436f54
0x00436f5b
0x00436f64
0x00436f5d
0x00436f5d
0x00436f5d
0x00436f6a
0x00436f76
0x00436f84
0x00436f98
0x00436f9f
0x00436fbd
0x00436fd4
0x00436fe0
0x00436feb
0x00436ff6
0x00436ff6
0x00436da6
0x00436d90
0x00437000

APIs

__EH_prolog3_GS.LIBCMT ref: 00436D5C
GetTickCount.KERNEL32 ref: 00436D77
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00436DB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00436DD5

Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272

_memset.LIBCMT ref: 00436E5D
wsprintfW.USER32 ref: 00436E97
wsprintfW.USER32 ref: 00436ED3
wsprintfW.USER32 ref: 00436EF6
lstrlenW.KERNEL32(?), ref: 00436F02
SetDlgItemTextW.USER32 ref: 00436F1E
wsprintfW.USER32 ref: 00436F6A
_memset.LIBCMT ref: 00436F84
wsprintfW.USER32 ref: 00436FBD
SetDlgItemTextW.USER32 ref: 00436FD4

Strings

%ld %s, xrefs: 00436E91, 00436EF0
%01d.%01d %s%s, xrefs: 00436FB7
%s %ld %s, xrefs: 00436ECD

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: wsprintf$H_prolog3_ItemTextUnothrow_t@std@@@__ehfuncinfo$??2@_memset$CountTicklstrlen
String ID: %01d.%01d %s%s$%ld %s$%s %ld %s
API String ID: 3427785818-823035955
Opcode ID: 06a8148f372eeefc8d0fdf581d4ffcb3bd04572c3f94379654452908213bf06f
Instruction ID: 56e075abca8451662efa70617554c6d102e20980e8f55309094f19b6979e2e84
Opcode Fuzzy Hash: 06a8148f372eeefc8d0fdf581d4ffcb3bd04572c3f94379654452908213bf06f
Instruction Fuzzy Hash: 95718271A00214AFDF24DF64CD95FEA73B9AF48304F1445AEEA09A7181DB74EA44CF28

Uniqueness

Uniqueness Score: -1.00%

Function 00408999, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 175
sleepprocessstringCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00408999(signed int* __edx, WCHAR* _a4, char _a8, intOrPtr _a12, intOrPtr _a16, char* _a20) {
				signed int _v8;
				char _v2054;
				short _v2056;
				char _v2072;
				signed int _v2076;
				signed int _v2080;
				char _v2084;
				char _v2088;
				signed int _v2092;
				intOrPtr _v2096;
				intOrPtr _v2100;
				struct _PROCESS_INFORMATION _v2116;
				struct _STARTUPINFOW _v2184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				WCHAR* _t72;
				intOrPtr* _t78;
				signed int* _t80;
				signed int* _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				signed int _t86;
				void* _t98;
				WCHAR* _t99;
				signed int _t104;
				WCHAR* _t112;
				signed int* _t113;
				intOrPtr* _t117;
				signed int _t119;

				_t111 = __edx;
				_t56 =  *0x4d7e88; // 0x9518852c
				_v8 = _t56 ^ _t119;
				_v2084 = _a8;
				_t115 = _a20;
				_v2100 = _a12;
				_t112 = _a4;
				_v2096 = _a16;
				_v2056 = 0;
				E0045A4D0( &_v2054, 0, 0x7fe);
				lstrcpyW( &_v2056, _t112);
				_t98 = 0;
				if(_a20 == 0) {
					_t98 = 1;
					__imp__CoCreateGuid( &_v2072);
					_t115 =  &_v2072;
				}
				E0040895F(E0040883A(_t98,  &_v2088, _t111, _t112, _t115, _t115),  &_v2088);
				E0040895F(E0040883A(_t98,  &_v2084, _t111, _t112, _t115, _v2084),  &_v2084);
				wsprintfW( &_v2056, L"%s %s:%s", _t112, _v2084, _v2088);
				if(_t98 == 0) {
					L6:
					_v2092 = _v2092 & 0x00000000;
					_t99 = 0x64;
					_t113 = 0x80004005;
					while(1) {
						_t72 = _t99;
						_t99 = _t99 - 1;
						if(_t72 == 0) {
							break;
						}
						_v2076 = _v2076 & 0x00000000;
						_t80 =  &_v2076;
						__imp__CreateItemMoniker("!", _v2088, _t80);
						if(_t80 >= 0) {
							_v2080 = _v2080 & 0x00000000;
							_t81 =  &_v2080;
							__imp__GetRunningObjectTable(0, _t81);
							_t113 = _t81;
							if(_t113 < 0) {
								L12:
								Sleep(0x12c);
								L13:
								_t82 = _v2080;
								if(_t82 != 0) {
									 *((intOrPtr*)( *_t82 + 8))(_t82);
								}
								L15:
								_t83 = _v2076;
								if(_t83 != 0) {
									 *((intOrPtr*)( *_t83 + 8))(_t83);
								}
								if(_t113 < 0) {
									continue;
								} else {
									break;
								}
							}
							_t86 = _v2080;
							_t111 =  &_v2092;
							_t113 =  *((intOrPtr*)( *_t86 + 0x18))(_t86, _v2076,  &_v2092);
							if(_t113 >= 0) {
								goto L13;
							}
							goto L12;
						}
						Sleep(0x12c);
						goto L15;
					}
					if(_t113 >= 0) {
						_t78 = _v2092;
						_t113 =  *((intOrPtr*)( *_t78))(_t78, _v2100, _v2096);
					}
					_t104 = _v2092;
					if(_t104 != 0) {
						_t111 =  *_t104;
						 *((intOrPtr*)( *_t104 + 8))(_t104);
					}
					L22:
					_t117 = __imp__#6;
					 *_t117(_v2084);
					 *_t117();
					return E0045A457(_t99, _v8 ^ _t119, _t111, _t113, _t117, _v2088);
				}
				_t99 = 0;
				E0045A4D0( &(_v2184.lpReserved), 0, 0x40);
				_v2184.cb = 0x44;
				if(CreateProcessW(0,  &_v2056, 0, 0, 0, 0, 0, 0,  &_v2184,  &_v2116) != 0) {
					WaitForInputIdle(_v2116.hProcess, 0x4e20);
					CloseHandle(_v2116.hThread);
					CloseHandle(_v2116);
					goto L6;
				}
				_t113 = 0x80070002;
				goto L22;
			}

0x00408999
0x004089a2
0x004089a9
0x004089af
0x004089ba
0x004089bd
0x004089c7
0x004089ca
0x004089d8
0x004089e6
0x004089f6
0x004089fc
0x00408a00
0x00408a09
0x00408a0b
0x00408a11
0x00408a11
0x00408a29
0x00408a45
0x00408a63
0x00408a6e
0x00408ae5
0x00408ae5
0x00408af4
0x00408af5
0x00408afa
0x00408afa
0x00408afc
0x00408aff
0x00000000
0x00000000
0x00408b05
0x00408b0c
0x00408b1e
0x00408b28
0x00408b33
0x00408b3a
0x00408b43
0x00408b49
0x00408b4d
0x00408b6e
0x00408b73
0x00408b75
0x00408b75
0x00408b7d
0x00408b82
0x00408b82
0x00408b85
0x00408b85
0x00408b8d
0x00408b92
0x00408b92
0x00408b97
0x00000000
0x00000000
0x00000000
0x00000000
0x00408b97
0x00408b4f
0x00408b55
0x00408b68
0x00408b6c
0x00000000
0x00000000
0x00000000
0x00408b6c
0x00408b2f
0x00000000
0x00408b2f
0x00408b9f
0x00408ba7
0x00408bb8
0x00408bb8
0x00408bba
0x00408bc2
0x00408bc4
0x00408bc7
0x00408bc7
0x00408bca
0x00408bd0
0x00408bd6
0x00408bde
0x00408bf0
0x00408bf0
0x00408a72
0x00408a7c
0x00408aa0
0x00408ab2
0x00408ac9
0x00408adb
0x00408ae3
0x00000000
0x00408ae3
0x00408ab4
0x00000000

APIs

_memset.LIBCMT ref: 004089E6
lstrcpyW.KERNEL32(?,?), ref: 004089F6
CoCreateGuid.OLE32(?), ref: 00408A0B
wsprintfW.USER32 ref: 00408A63
_memset.LIBCMT ref: 00408A7C
CreateProcessW.KERNEL32 ref: 00408AAA
WaitForInputIdle.USER32 ref: 00408AC9
CloseHandle.KERNEL32(?), ref: 00408ADB
CloseHandle.KERNEL32(?), ref: 00408AE3
CreateItemMoniker.OLE32(004AE788,?,00000000), ref: 00408B1E
Sleep.KERNEL32(0000012C), ref: 00408B2F
GetRunningObjectTable.OLE32(00000000,00000000), ref: 00408B43
Sleep.KERNEL32(0000012C), ref: 00408B73
SysFreeString.OLEAUT32(?), ref: 00408BD6
SysFreeString.OLEAUT32(?), ref: 00408BDE

Strings

%s %s:%s, xrefs: 00408A5D
D, xrefs: 00408AA0

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Create$CloseFreeHandleSleepString_memset$GuidIdleInputItemMonikerObjectProcessRunningTableWaitlstrcpywsprintf
String ID: %s %s:%s$D
API String ID: 1856294533-3221625341
Opcode ID: caa98a643aa1c9f07a7de46df3d2a173a0f0c0a318de980771262210bcc06cb9
Instruction ID: 6d2a3535a564949f3a27c88a7dc45fa473a966758db7ff26171fb717b92680c0
Opcode Fuzzy Hash: caa98a643aa1c9f07a7de46df3d2a173a0f0c0a318de980771262210bcc06cb9
Instruction Fuzzy Hash: 9F615E72900129ABCF20DB61CD44B9A77F9BF48315F0480EAE989A7251DF35AE85CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 0042B47B, Relevance: 28.3, APIs: 4, Strings: 12, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E0042B47B(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				struct _OSVERSIONINFOW* _t147;
				struct _OSVERSIONINFOW* _t149;
				int _t150;
				intOrPtr* _t154;
				intOrPtr* _t159;
				intOrPtr* _t164;
				intOrPtr* _t169;
				intOrPtr* _t174;
				intOrPtr* _t179;
				intOrPtr* _t184;
				intOrPtr* _t193;
				intOrPtr* _t195;
				intOrPtr* _t196;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr _t228;
				void* _t235;

				_push(0x3c);
				E0045B8C9(0x4a4d1a, __ebx, __edi, __esi);
				_t228 = __ecx;
				_t195 = __ecx + 4;
				 *((intOrPtr*)(__ecx)) = 0x4b19fc;
				 *((intOrPtr*)(_t235 - 0x48)) = __ecx;
				 *_t195 = 0x4c2f50;
				 *((intOrPtr*)(_t195 + 0x28)) = 0x4c3454;
				E00403F50(_t195, _t235 - 0x41, 0);
				 *((intOrPtr*)(__ecx + 0x264)) = 0;
				 *((char*)(__ecx + 0x268)) = 1;
				 *((short*)(__ecx + 0x269)) = 0;
				 *((intOrPtr*)(_t235 - 4)) = 0;
				 *((intOrPtr*)(__ecx + 0x26c)) = 0;
				 *((intOrPtr*)(__ecx + 0x270)) = 0;
				 *((intOrPtr*)(__ecx + 0x274)) = 0;
				 *((intOrPtr*)(__ecx + 0x278)) = 0;
				 *((intOrPtr*)(__ecx + 0x27c)) = 0;
				 *((intOrPtr*)(__ecx + 0x280)) = 0;
				_t196 = __ecx + 0x284;
				 *_t196 = 0x4c2f50;
				 *((intOrPtr*)(_t196 + 0x28)) = 0x4c3454;
				E00403F50(_t196, _t235 - 0x41, 0);
				_t197 = __ecx + 0x2b4;
				 *_t197 = 0x4c2f50;
				 *((intOrPtr*)(_t197 + 0x28)) = 0x4c3454;
				E00403F50(_t197, _t235 - 0x41, 0);
				_t198 = __ecx + 0x2e4;
				 *_t198 = 0x4c2f50;
				 *((intOrPtr*)(_t198 + 0x28)) = 0x4c3454;
				E00403F50(_t198, _t235 - 0x41, 0);
				_t199 = __ecx + 0x314;
				 *_t199 = 0x4c2f50;
				 *((intOrPtr*)(_t199 + 0x28)) = 0x4c3454;
				E00403F50(_t199, _t235 - 0x41, 0);
				_t200 = __ecx + 0x344;
				 *_t200 = 0x4c2f50;
				 *((intOrPtr*)(_t200 + 0x28)) = 0x4c3454;
				E00403F50(_t200, _t235 - 0x41, 0);
				_t201 = __ecx + 0x374;
				 *_t201 = 0x4c2f50;
				 *((intOrPtr*)(_t201 + 0x28)) = 0x4c3454;
				E00403F50(_t201, _t235 - 0x41, 0);
				_t202 = __ecx + 0x3a4;
				 *_t202 = 0x4c2f50;
				 *((intOrPtr*)(_t202 + 0x28)) = 0x4c3454;
				E00403F50(_t202, _t235 - 0x41, 0);
				_t203 = __ecx + 0x3d4;
				 *_t203 = 0x4c2f50;
				 *((intOrPtr*)(_t203 + 0x28)) = 0x4c3454;
				E00403F50(_t203, _t235 - 0x41, 0);
				_t204 = __ecx + 0x408;
				 *((intOrPtr*)(__ecx + 0x404)) = 0;
				 *_t204 = 0x4c2f50;
				 *((intOrPtr*)(_t204 + 0x28)) = 0x4c3454;
				E00403F50(_t204, _t235 - 0x41, 0);
				 *((intOrPtr*)(__ecx + 0x454)) = 1;
				 *((intOrPtr*)(__ecx + 0x458)) = 1;
				_t193 = __ecx + 0x460;
				 *((intOrPtr*)(__ecx + 0x438)) = 0;
				 *((char*)(__ecx + 0x43e)) = 0;
				 *((short*)(__ecx + 0x45c)) = 0;
				 *((char*)(_t235 - 4)) = 0xb;
				 *_t193 = 0;
				 *((intOrPtr*)(_t193 + 4)) = 0;
				 *_t193 = E00431EBD(_t193);
				 *((intOrPtr*)(_t228 + 0x468)) =  *((intOrPtr*)(_t235 + 8));
				_t53 = _t235 + 0xc; // 0x4c2f40
				 *((intOrPtr*)(_t228 + 0x46c)) =  *_t53;
				 *((intOrPtr*)(_t228 + 0x470)) =  *((intOrPtr*)(_t235 + 0x14));
				 *((intOrPtr*)(_t228 + 0x474)) =  *((intOrPtr*)(_t235 + 0x10));
				_t147 = _t228 + 0x34;
				 *((char*)(_t235 - 4)) = 0xc;
				_t147->dwOSVersionInfoSize = 0x114;
				GetVersionExW(_t147);
				_t149 = _t228 + 0x148;
				_t149->dwOSVersionInfoSize = 0x11c;
				_t150 = GetVersionExW(_t149);
				_t239 = _t150;
				if(_t150 == 0) {
					E0045A4D0(_t228 + 0x148, 0, 0x11c);
				}
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_CLASSES_ROOT", _t235 - 0x41, 0);
				_t67 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0xd;
				_t154 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t69 = _t235 - 0x40; // 0x4c2f50
				 *_t154 = 0x80000000;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t69);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_CURRENT_USER", _t235 - 0x41, 0);
				_t75 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0xe;
				_t159 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t77 = _t235 - 0x40; // 0x4c2f50
				 *_t159 = 0x80000001;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t77);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_LOCAL_MACHINE", _t235 - 0x41, 0);
				_t83 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0xf;
				_t164 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t85 = _t235 - 0x40; // 0x4c2f50
				 *_t164 = 0x80000002;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t85);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_USERS", _t235 - 0x41, 0);
				_t91 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0x10;
				_t169 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t93 = _t235 - 0x40; // 0x4c2f50
				 *_t169 = 0x80000003;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t93);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_PERFORMANCE_DATA", _t235 - 0x41, 0);
				_t99 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0x11;
				_t174 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t101 = _t235 - 0x40; // 0x4c2f50
				 *_t174 = 0x80000004;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t101);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_CURRENT_CONFIG", _t235 - 0x41, 0);
				_t107 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0x12;
				_t179 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t109 = _t235 - 0x40; // 0x4c2f50
				 *_t179 = 0x80000005;
				 *((char*)(_t235 - 4)) = 0xc;
				E00401AC0(_t109);
				 *((intOrPtr*)(_t235 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t235 - 0x18)) = 0x4c3454;
				E00403FB0(L"HKEY_DYN_DATA", _t235 - 0x41, 0);
				_t115 = _t235 - 0x40; // 0x4c2f50
				 *((char*)(_t235 - 4)) = 0x13;
				_t184 = E0042BDD3(_t193, _t193, _t228, 0, _t239);
				_t117 = _t235 - 0x40; // 0x4c2f50
				 *_t184 = 0x80000006;
				E00401AC0(_t117);
				return E0045B878(_t193, _t228, 0);
			}

0x0042b47b
0x0042b482
0x0042b487
0x0042b489
0x0042b492
0x0042b499
0x0042b49c
0x0042b4a2
0x0042b4a9
0x0042b4b2
0x0042b4b9
0x0042b4bf
0x0042b4c6
0x0042b4c9
0x0042b4cf
0x0042b4d5
0x0042b4db
0x0042b4e1
0x0042b4e7
0x0042b4ee
0x0042b4fd
0x0042b4ff
0x0042b506
0x0042b50b
0x0042b514
0x0042b51a
0x0042b521
0x0042b526
0x0042b531
0x0042b537
0x0042b53e
0x0042b543
0x0042b54e
0x0042b554
0x0042b55b
0x0042b560
0x0042b56b
0x0042b571
0x0042b578
0x0042b57d
0x0042b588
0x0042b58e
0x0042b595
0x0042b59a
0x0042b5a1
0x0042b5a7
0x0042b5b2
0x0042b5b7
0x0042b5c2
0x0042b5c8
0x0042b5cf
0x0042b5d4
0x0042b5de
0x0042b5e5
0x0042b5eb
0x0042b5f2
0x0042b5f9
0x0042b5ff
0x0042b605
0x0042b60b
0x0042b611
0x0042b617
0x0042b620
0x0042b624
0x0042b626
0x0042b62e
0x0042b639
0x0042b63f
0x0042b642
0x0042b64b
0x0042b654
0x0042b65a
0x0042b65e
0x0042b662
0x0042b668
0x0042b66a
0x0042b671
0x0042b677
0x0042b67b
0x0042b67d
0x0042b68c
0x0042b691
0x0042b6a1
0x0042b6a8
0x0042b6af
0x0042b6b4
0x0042b6ba
0x0042b6be
0x0042b6c3
0x0042b6c6
0x0042b6cc
0x0042b6d0
0x0042b6e2
0x0042b6e9
0x0042b6f0
0x0042b6f5
0x0042b6fb
0x0042b6ff
0x0042b704
0x0042b707
0x0042b70d
0x0042b711
0x0042b723
0x0042b72a
0x0042b731
0x0042b736
0x0042b73c
0x0042b740
0x0042b745
0x0042b748
0x0042b74e
0x0042b752
0x0042b764
0x0042b76b
0x0042b772
0x0042b777
0x0042b77d
0x0042b781
0x0042b786
0x0042b789
0x0042b78f
0x0042b793
0x0042b7a5
0x0042b7ac
0x0042b7b3
0x0042b7b8
0x0042b7be
0x0042b7c2
0x0042b7c7
0x0042b7ca
0x0042b7d0
0x0042b7d4
0x0042b7e6
0x0042b7ed
0x0042b7f4
0x0042b7f9
0x0042b7ff
0x0042b803
0x0042b808
0x0042b80b
0x0042b811
0x0042b815
0x0042b827
0x0042b82e
0x0042b835
0x0042b83a
0x0042b840
0x0042b844
0x0042b849
0x0042b84c
0x0042b852
0x0042b85e

APIs

__EH_prolog3_GS.LIBCMT ref: 0042B482

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

GetVersionExW.KERNEL32(004C2FA0,0000003C,0042804A,00000000,00000000,00000000,?,?,?,?,?,?,?,?,P/L,?), ref: 0042B668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?,P/L,?,?,@/L,00000000), ref: 0042B677
_memset.LIBCMT ref: 0042B68C

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 0042BDD3: __EH_prolog3_GS.LIBCMT ref: 0042BDDA

Strings

HKEY_LOCAL_MACHINE, xrefs: 0042B71B
P/L, xrefs: 0042B4F7
T4L, xrefs: 0042B5EB
P/L, xrefs: 0042B6B4, 0042B6B7
HKEY_PERFORMANCE_DATA, xrefs: 0042B79D
HKEY_CURRENT_USER, xrefs: 0042B6DA
HKEY_USERS, xrefs: 0042B75C
HKEY_CURRENT_CONFIG, xrefs: 0042B7DE
HKEY_DYN_DATA, xrefs: 0042B81F
@/L, xrefs: 0042B63F
HKEY_CLASSES_ROOT, xrefs: 0042B699
T4L, xrefs: 0042B82E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_StringVersion$_memset
String ID: @/L$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS$P/L$P/L$T4L$T4L
API String ID: 1506729085-2271539512
Opcode ID: 3e4ef5d878523f28b3f2058aae382fd0e3a512b536f69615f3b74ba494985a70
Instruction ID: 0ddb801eca970d9b31fc6813bbcbc2479e65f3e3b8567fb5da67400be7724c76
Opcode Fuzzy Hash: 3e4ef5d878523f28b3f2058aae382fd0e3a512b536f69615f3b74ba494985a70
Instruction Fuzzy Hash: 5DC164B590121ADECB45DFA4C840BDDFBBCBF09308F10416EE50DA7241DBB4560ADBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041395C, Relevance: 27.2, APIs: 18, Instructions: 192
windowCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0041395C(struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, struct HWND__* _a16) {
				signed int _v8;
				intOrPtr _v32;
				char _v52;
				char _v56;
				char _v104;
				char _v152;
				char _v200;
				char _v248;
				char _v249;
				long _v256;
				struct HWND__* _v260;
				char _v264;
				int _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t49;
				void* _t52;
				WCHAR* _t59;
				WCHAR* _t64;
				WCHAR* _t69;
				WCHAR* _t74;
				int _t87;
				int _t97;
				struct HWND__* _t99;
				struct HWND__* _t104;
				struct HWND__* _t105;
				intOrPtr* _t106;
				void* _t123;
				struct HWND__* _t124;
				char _t126;
				signed int _t127;

				_t49 =  *0x4d7e88; // 0x9518852c
				_v8 = _t49 ^ _t127;
				_t104 = _a4;
				_t124 = _a16;
				_v260 = _t104;
				_t52 = _a8 - 0x110;
				if(_t52 == 0) {
					_v256 = GetDlgItem(_t104, 0x132);
					SetWindowLongW(_t104, 0xffffffeb, _t124);
					_t106 =  *((intOrPtr*)(_t124 + 0x4c));
					_t126 =  *_t106;
					_v249 = 0;
					_v264 = _t126;
					__eflags = _t126 - _t106;
					if(__eflags == 0) {
						L13:
						SendMessageW(_v256, 0x14e, 0, 0);
						L14:
						_push(0x715);
						_push( &_v152);
						_t59 = E0040D268(_t104, _t124, _t123, _t124, _t126, __eflags) + 4;
						__eflags = _t59[0xa] - 8;
						if(_t59[0xa] >= 8) {
							_t59 =  *_t59;
						}
						_t125 = SetDlgItemTextW;
						SetDlgItemTextW(_t104, 1, _t59);
						E00401B80( &_v152);
						_push(0x71e);
						_push( &_v248);
						_t64 = E0040D268(_t104, _t124, _t123, _t124, SetDlgItemTextW, __eflags) + 4;
						__eflags = _t64[0xa] - 8;
						if(_t64[0xa] >= 8) {
							_t64 =  *_t64;
						}
						SetDlgItemTextW(_t104, 2, _t64);
						E00401B80( &_v248);
						_push(0x714);
						_push( &_v200);
						_t69 = E0040D268(_t104, _t124, _t123, _t124, _t125, __eflags) + 4;
						__eflags = _t69[0xa] - 8;
						if(_t69[0xa] >= 8) {
							_t69 =  *_t69;
						}
						SetDlgItemTextW(_t104, 0x33, _t69);
						E00401B80( &_v200);
						_push(0);
						_push( &_v104);
						_v260 = _t124;
						_t74 = E0040D72B(_t104,  &_v260, _t123, _t124, _t125, __eflags) + 4;
						__eflags = _t74[0xa] - 8;
						if(_t74[0xa] >= 8) {
							_t74 =  *_t74;
						}
						SetWindowTextW(_t104, _t74);
						E00401B80( &_v104);
						SetForegroundWindow(_t104);
						SetActiveWindow(_t104);
						L23:
						__eflags = 1;
						L24:
						return E0045A457(_t104, _v8 ^ _t127, _t123, _t124, _t125);
					}
					_t105 = _v256;
					do {
						_push( *(_t126 + 0xe) & 0x0000ffff);
						_push( &_v56);
						E004135B7(_t105, _t124, _t123, _t124, _t126, __eflags);
						__eflags = _v32 - 8;
						_t86 =  >=  ? _v52 :  &_v52;
						_t87 = SendMessageW(_t105, 0x143, 0,  >=  ? _v52 :  &_v52);
						_v268 = _t87;
						SendMessageW(_t105, 0x151, _t87,  *(_t126 + 0xe) & 0x0000ffff);
						__eflags =  *((intOrPtr*)(_t124 + 0x44)) -  *(_t126 + 0xe);
						if( *((intOrPtr*)(_t124 + 0x44)) ==  *(_t126 + 0xe)) {
							_v249 = 1;
							SendMessageW(_t105, 0x14e, _v268, 0);
						}
						E00401B80( &_v56);
						E0041357D( &_v264);
						_t126 = _v264;
						__eflags = _t126 -  *((intOrPtr*)(_t124 + 0x4c));
					} while (__eflags != 0);
					_t104 = _v260;
					__eflags = _v249;
					if(__eflags != 0) {
						goto L14;
					}
					goto L13;
				}
				if(_t52 == 1) {
					_v256 = GetWindowLongW(_t104, 0xffffffeb);
					__eflags = _a12 - 1;
					if(_a12 == 1) {
						_t99 = GetDlgItem(_t104, 0x132);
						_t125 = SendMessageW;
						_t124 = _t99;
						 *((short*)(_v256 + 0x44)) = SendMessageW(_t124, 0x150, SendMessageW(_t124, 0x147, 0, 0), 0);
						EndDialog(_t104, 1);
					}
					_t97 = 2;
					__eflags = _a12 - _t97;
					if(_a12 == _t97) {
						EndDialog(_t104, _t97);
					}
					goto L23;
				}
				goto L24;
			}

0x00413965
0x0041396c
0x00413973
0x00413978
0x0041397b
0x00413981
0x00413986
0x00413a12
0x00413a18
0x00413a1e
0x00413a23
0x00413a25
0x00413a2b
0x00413a31
0x00413a33
0x00413ad8
0x00413ae7
0x00413aed
0x00413aed
0x00413af8
0x00413b00
0x00413b03
0x00413b07
0x00413b09
0x00413b09
0x00413b0b
0x00413b15
0x00413b1d
0x00413b22
0x00413b2d
0x00413b35
0x00413b38
0x00413b3c
0x00413b3e
0x00413b3e
0x00413b44
0x00413b4c
0x00413b51
0x00413b5c
0x00413b64
0x00413b67
0x00413b6b
0x00413b6d
0x00413b6d
0x00413b73
0x00413b7b
0x00413b80
0x00413b85
0x00413b8c
0x00413b97
0x00413b9a
0x00413b9e
0x00413ba0
0x00413ba0
0x00413ba4
0x00413bad
0x00413bb3
0x00413bba
0x00413bc0
0x00413bc2
0x00413bc3
0x00413bd1
0x00413bd1
0x00413a39
0x00413a3f
0x00413a43
0x00413a47
0x00413a4a
0x00413a4f
0x00413a56
0x00413a63
0x00413a75
0x00413a7b
0x00413a85
0x00413a89
0x00413a93
0x00413aa0
0x00413aa0
0x00413aa9
0x00413ab4
0x00413ab9
0x00413abf
0x00413abf
0x00413ace
0x00413ad4
0x00413ad6
0x00000000
0x00000000
0x00000000
0x00413ad6
0x00413989
0x0041399b
0x004139a4
0x004139a8
0x004139b0
0x004139b6
0x004139c0
0x004139de
0x004139e2
0x004139e2
0x004139ea
0x004139eb
0x004139ef
0x004139f7
0x004139f7
0x00000000
0x004139ef
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00413995
GetDlgItem.USER32 ref: 004139B0
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 004139C8
SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 004139D3
EndDialog.USER32(?,00000001), ref: 004139E2
EndDialog.USER32(?,00000002), ref: 004139F7
GetDlgItem.USER32 ref: 00413A08
SetWindowLongW.USER32 ref: 00413A18
SendMessageW.USER32(?,00000143,00000000,?), ref: 00413A63
SendMessageW.USER32(?,00000151,00000000,?), ref: 00413A7B
SendMessageW.USER32(?,0000014E,?,00000000), ref: 00413AA0
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00413AE7
SetDlgItemTextW.USER32 ref: 00413B15
SetDlgItemTextW.USER32 ref: 00413B44

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: MessageSend$Item$DialogLongTextWindow
String ID:
API String ID: 2170773771-0
Opcode ID: e89c6c6adb54a7e03043bf22a54b3d7a78cc0902868f5c982ed59d9ec464d729
Instruction ID: 3b6d6ef19ab52c10d3152e65af3cdf29203d4157a6d83b327bbbed7131554b5b
Opcode Fuzzy Hash: e89c6c6adb54a7e03043bf22a54b3d7a78cc0902868f5c982ed59d9ec464d729
Instruction Fuzzy Hash: 34619371900218AFDB20EF65CC85FEA7B7DAF19701F0000AAF656A71D1E774AA84CF24

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4B6, Relevance: 26.6, APIs: 2, Strings: 13, Instructions: 397
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040F4B6(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t185;
				intOrPtr _t192;
				void* _t204;
				void* _t211;
				void* _t224;
				void* _t226;
				void* _t233;
				void* _t244;
				intOrPtr* _t245;
				intOrPtr* _t279;
				void* _t287;
				intOrPtr* _t290;
				signed int _t299;
				intOrPtr _t306;
				intOrPtr* _t320;
				intOrPtr _t334;
				intOrPtr _t347;
				intOrPtr* _t361;
				void* _t362;
				intOrPtr* _t373;
				intOrPtr _t375;
				void* _t376;
				intOrPtr* _t377;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				intOrPtr* _t384;

				_push(0x1a4);
				E0045B8C9(0x4a1321, __ebx, __edi, __esi);
				_t375 = __ecx;
				 *((intOrPtr*)(_t380 - 0x1a4)) = __ecx;
				_t2 = _t380 + 0xc; // 0x4c2f40
				_t373 =  *((intOrPtr*)(_t380 + 8));
				 *(_t380 - 0x1b0) =  *(_t380 - 0x1b0) & 0x00000000;
				 *((intOrPtr*)(_t380 - 0x19c)) =  *_t2;
				 *((intOrPtr*)(_t380 - 0x1a0)) =  *((intOrPtr*)(_t380 + 0x10));
				_t10 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xe8))))))() - 1; // -1
				_t185 =  *0x4d9620; // 0x0
				asm("sbb ebx, ebx");
				 *(_t380 - 0x1a8) =  *(_t380 - 0x1a8) & 0x00000000;
				_t299 =  ~_t10 & 0x00000001;
				if(_t185 != 0) {
					 *(_t380 - 0x1a8) = GetDlgItem(_t185, 0x40b);
				}
				E0040F466( *((intOrPtr*)(_t380 - 0x19c)), _t380 - 0x100);
				 *(_t380 - 4) =  *(_t380 - 4) & 0x00000000;
				 *((intOrPtr*)(_t380 - 0xa0)) = 0x4c2f50;
				 *((intOrPtr*)(_t380 - 0x78)) = 0x4c3454;
				E004053A0( *((intOrPtr*)(_t380 - 0x1a0)), 0);
				_t23 = _t380 - 0xa0; // 0x4c2f50
				 *(_t380 - 4) = 1;
				E00413296(_t23, _t380 - 0x100);
				_t306 = E0042EA72( *((intOrPtr*)(_t380 - 0x19c)));
				_t192 = 0;
				 *((intOrPtr*)(_t380 - 0x1a0)) = _t306;
				 *((intOrPtr*)(_t380 - 0x198)) = 0;
				_t387 = _t306;
				if(_t306 <= 0) {
					L25:
					_t164 = _t380 - 0xa0; // 0x4c2f50
					 *_t373 = 0x4c2f50;
					 *((intOrPtr*)(_t373 + 0x28)) = 0x4c3454;
					E004053A0(_t164, 0);
					goto L26;
				} else {
					do {
						_push(_t192);
						_push(_t380 - 0x130);
						E0042EB76(_t299,  *((intOrPtr*)(_t380 - 0x19c)), _t373, _t375, _t387);
						_t388 =  *((intOrPtr*)(_t380 - 0x198));
						 *(_t380 - 4) = 2;
						if( *((intOrPtr*)(_t380 - 0x198)) != 0) {
							L8:
							_t202 =  >=  ?  *((void*)(_t380 - 0x9c)) : _t380 - 0x9c;
							_t382 = _t381 - 0x30;
							E004091B8(_t382,  >=  ?  *((void*)(_t380 - 0x9c)) : _t380 - 0x9c, _t380 - 0x191, 1);
							_t204 = E004425A8(_t299, _t380 - 0x191, _t373, _t375,  *((intOrPtr*)(_t380 - 0x88)) - 8);
							_t383 = _t382 + 0x30;
							if(_t204 == 0) {
								E00402CE0(0x4c2d7c, _t380 - 0x191, 1);
								L30:
								E00401AC0(_t380 - 0x130);
								L26:
								_t166 = _t380 - 0xa0; // 0x4c2f50
								E00401AC0(_t166);
								E00401AC0(_t380 - 0x100);
								return E0045B878(_t299, _t373, _t375);
							}
							if( *((intOrPtr*)(_t380 - 0x198)) == 0 && _t299 != 0) {
								_t259 =  >=  ?  *((void*)(_t380 - 0x9c)) : _t380 - 0x9c;
								_t78 = _t380 - 0x40; // 0x4c2f50
								E004091B8(_t78,  >=  ?  *((void*)(_t380 - 0x9c)) : _t380 - 0x9c, _t380 - 0x191, 1);
								_t80 = _t380 - 0x40; // 0x4c2f50
								 *(_t380 - 4) = 9;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t375 + 0xe8)))) + 4))(_t80);
								_t83 = _t380 - 0x40; // 0x4c2f50
								 *(_t380 - 4) = 2;
								E00401B80(_t83);
							}
							_t85 = _t380 - 0xa0; // 0x4c2f50
							 *((intOrPtr*)(_t380 - 0x70)) = 0x4c2f50;
							 *((intOrPtr*)(_t380 - 0x48)) = 0x4c3454;
							E004053A0(_t85, 0);
							_t89 = _t380 - 0x40; // 0x4c2f50
							 *(_t380 - 4) = 0xa;
							_t211 = E00403080(_t380 - 0x130, _t89);
							_t92 = _t380 - 0x70; // 0x4c2f50
							 *(_t380 - 4) = 0xb;
							E00413296(_t92, _t211);
							_t94 = _t380 - 0x40; // 0x4c2f50
							E00401AC0(_t94);
							 *((intOrPtr*)(_t380 - 0xd0)) = 0x4c2f50;
							 *((intOrPtr*)(_t380 - 0xa8)) = 0x4c3454;
							E00403F50(_t380 - 0xd0, _t380 - 0x191, 0);
							_t99 = _t380 - 0x40; // 0x4c2f50
							 *(_t380 - 4) = 0xc;
							_t102 = E00403080(_t380 - 0x130, _t99) + 4; // 0x4
							_t320 = _t102;
							 *(_t380 - 4) = 0xd;
							if( *((intOrPtr*)(_t320 + 0x14)) >= 8) {
								_t320 =  *_t320;
							}
							_t219 =  >=  ?  *((void*)(_t380 - 0xfc)) : _t380 - 0xfc;
							_t108 = _t380 - 0xd0; // 0x4c2f50
							E00403B50(_t108, L"%s.%s",  >=  ?  *((void*)(_t380 - 0xfc)) : _t380 - 0xfc);
							_t381 = _t383 + 0x10;
							_t109 = _t380 - 0x40; // 0x4c2f50
							 *(_t380 - 4) = 0xc;
							E00401AC0(_t109);
							_t367 =  >=  ?  *((void*)(_t380 - 0xcc)) : _t380 - 0xcc;
							_t224 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t375 + 0xe8)))) + 0x58))( >=  ?  *((void*)(_t380 - 0xcc)) : _t380 - 0xcc, _t320);
							_t400 = _t224;
							if(_t224 == 0) {
								_t226 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t375 + 0xe8))))))();
								__eflags = _t226;
								if(_t226 != 0) {
									goto L24;
								}
								__eflags =  *0x4d9620 - _t226; // 0x0
								if(__eflags != 0) {
									_push(0x681);
									_push(_t226);
									_push(_t226);
									_push( *((intOrPtr*)(_t380 + 0x14)));
									_push( *(_t380 - 0x1a8));
									E00411846(_t299, _t375, _t367, _t373, _t375, __eflags);
									_t132 = _t380 - 0x40; // 0x4c2f50
									 *((intOrPtr*)(_t380 - 0x40)) = 0x4c2f50;
									 *((intOrPtr*)(_t380 - 0x18)) = 0x4c3454;
									E00403F50(_t132, _t380 - 0x191, 0);
									_t136 = _t380 - 0x70; // 0x4c2f50
									 *(_t380 - 4) = 0xe;
									_t376 = E00403080(_t136, _t380 - 0x160);
									_t334 =  *0x4d962c; // 0x0
									_push(0x681);
									_push(_t380 - 0x190);
									 *(_t380 - 4) = 0xf;
									_t244 = E0040D268(_t299, _t334, _t367, _t373, _t376, __eflags);
									_t377 = _t376 + 4;
									 *(_t380 - 4) = 0x10;
									__eflags =  *((intOrPtr*)(_t377 + 0x14)) - 8;
									if( *((intOrPtr*)(_t377 + 0x14)) >= 8) {
										_t377 =  *_t377;
									}
									_t245 = _t244 + 4;
									__eflags =  *((intOrPtr*)(_t245 + 0x14)) - 8;
									if( *((intOrPtr*)(_t245 + 0x14)) >= 8) {
										_t245 =  *_t245;
									}
									_push(_t377);
									_t143 = _t380 - 0x40; // 0x4c2f50
									E00403B50(_t143, L"%s: %s", _t245);
									_t381 = _t381 + 0x10;
									E00401B80(_t380 - 0x190);
									 *(_t380 - 4) = 0xe;
									E00401AC0(_t380 - 0x160);
									__eflags =  *((intOrPtr*)(_t380 - 0x28)) - 8;
									_t375 =  *((intOrPtr*)(_t380 - 0x1a4));
									_t251 =  >=  ?  *((void*)(_t380 - 0x3c)) : _t380 - 0x3c;
									E00411EFB(_t375, _t375,  >=  ?  *((void*)(_t380 - 0x3c)) : _t380 - 0x3c);
									E00411FC6(_t375, _t367);
									_t151 = _t380 - 0x40; // 0x4c2f50
									 *(_t380 - 4) = 0xc;
									E00401AC0(_t151);
								}
								_push(_t380 - 0x1a0);
								_push( *((intOrPtr*)(_t380 - 0x198)));
								_t155 = _t380 - 0x70; // 0x4c2f50
								_push( *((intOrPtr*)(_t380 - 0x19c)));
								_t233 = E0040ED6A(_t299, _t375, _t367, _t373, _t375, __eflags);
								__eflags = _t233;
								if(_t233 == 0) {
									E00402CE0(0x4c2d7c, _t380 - 0x191, 1);
									_t176 = _t380 - 0xd0; // 0x4c2f50
									E00401AC0(_t176);
									_t177 = _t380 - 0x70; // 0x4c2f50
									E00401AC0(_t177);
									goto L30;
								} else {
									goto L24;
								}
							} else {
								E00411846(_t299, _t375, _t367, _t373, _t375, _t400);
								_t379 =  >=  ?  *((void*)(_t380 - 0x6c)) : _t380 - 0x6c;
								_t367 =  >=  ?  *((void*)(_t380 - 0xcc)) : _t380 - 0xcc;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t380 - 0x1a4)) + 0xe8)))) + 0x30))( >=  ?  *((void*)(_t380 - 0xcc)) : _t380 - 0xcc, 1, 1,  >=  ?  *((void*)(_t380 - 0x6c)) : _t380 - 0x6c, _t299,  *(_t380 - 0x1a8),  *((intOrPtr*)(_t380 + 0x14)), 0, 0, 0x680);
								_t375 =  *((intOrPtr*)(_t380 - 0x1a4));
								goto L24;
							}
						}
						_t347 =  *0x4d962c; // 0x0
						_t32 = _t380 - 0x40; // 0x4c2f50
						E0040D1D8(_t347, _t32);
						_push(0);
						_push(_t380 - 0x191);
						_push(L"ISSetupPrerequisites");
						 *(_t380 - 4) = 3;
						 *((intOrPtr*)(_t380 - 0x70)) = 0x4c2fa0;
						 *((intOrPtr*)(_t380 - 0x48)) = 0x4c2f40;
						E00408F6D(_t299, _t380 - 0x70, _t373, _t375, _t388);
						_t39 = _t380 - 0x40; // 0x4c2f50
						 *(_t380 - 4) = 4;
						E00413303(_t39, _t380 - 0x70);
						 *(_t380 - 4) = 3;
						E00401B80(_t380 - 0x70);
						_t272 =  >=  ?  *((void*)(_t380 - 0xfc)) : _t380 - 0xfc;
						E004091B8(_t380 - 0x70,  >=  ?  *((void*)(_t380 - 0xfc)) : _t380 - 0xfc, _t380 - 0x191, 1);
						_t49 = _t380 - 0x40; // 0x4c2f50
						 *(_t380 - 4) = 5;
						E00413303(_t49, _t380 - 0x70);
						 *(_t380 - 4) = 3;
						E00401B80(_t380 - 0x70);
						_t279 = E00403080(_t380 - 0x130, _t380 - 0xd0) + 4;
						 *(_t380 - 4) = 6;
						_t390 =  *((intOrPtr*)(_t279 + 0x14)) - 8;
						if( *((intOrPtr*)(_t279 + 0x14)) >= 8) {
							_t279 =  *_t279;
						}
						E004091B8(_t380 - 0x70, _t279, _t380 - 0x191, 1);
						_t60 = _t380 - 0x40; // 0x4c2f50
						 *(_t380 - 4) = 7;
						E00413303(_t60, _t380 - 0x70);
						E00401B80(_t380 - 0x70);
						 *(_t380 - 4) = 3;
						E00401AC0(_t380 - 0xd0);
						_push(4);
						_t384 = _t381 - 0x30;
						_t361 = _t384;
						_push(0);
						_t65 = _t380 - 0x40; // 0x4c2f50
						 *_t361 = 0x4c2fa0;
						 *((intOrPtr*)(_t361 + 0x28)) = 0x4c2f40;
						E00408E82(_t299, _t361, _t373, _t375, _t390);
						_t287 = E00441E34(_t299, _t367, _t373, _t375, _t390);
						_t381 = _t384 + 0x34;
						_t67 = _t380 - 0x40; // 0x4c2f50
						_t362 = _t67;
						if(_t287 != 0) {
							_push(0);
							_push(0);
							_push(_t380 - 0x160);
							_t290 = E0040A206(_t299, _t362, _t367, _t373, _t375, __eflags) + 4;
							 *(_t380 - 4) = 8;
							__eflags =  *((intOrPtr*)(_t290 + 0x14)) - 8;
							if( *((intOrPtr*)(_t290 + 0x14)) >= 8) {
								_t290 =  *_t290;
							}
							E00402CE0(_t290, _t380 - 0x191, 1);
							E00401B80(_t380 - 0x160);
							_t173 = _t380 - 0x40; // 0x4c2f50
							E00401B80(_t173);
							goto L30;
						} else {
							 *(_t380 - 4) = 2;
							E00401B80(_t362);
							goto L8;
						}
						L24:
						_t157 = _t380 - 0xd0; // 0x4c2f50
						E00401AC0(_t157);
						_t158 = _t380 - 0x70; // 0x4c2f50
						E00401AC0(_t158);
						 *(_t380 - 4) = 1;
						E00401AC0(_t380 - 0x130);
						_t192 =  *((intOrPtr*)(_t380 - 0x198)) + 1;
						 *((intOrPtr*)(_t380 - 0x198)) = _t192;
					} while (_t192 <  *((intOrPtr*)(_t380 - 0x1a0)));
					goto L25;
				}
			}

0x0040f4b6
0x0040f4c0
0x0040f4c5
0x0040f4c7
0x0040f4cd
0x0040f4d6
0x0040f4d9
0x0040f4e0
0x0040f4e9
0x0040f4f3
0x0040f4f6
0x0040f4fd
0x0040f4ff
0x0040f506
0x0040f50b
0x0040f519
0x0040f519
0x0040f52c
0x0040f531
0x0040f543
0x0040f54d
0x0040f554
0x0040f560
0x0040f566
0x0040f56a
0x0040f57a
0x0040f57c
0x0040f57e
0x0040f584
0x0040f58a
0x0040f58c
0x0040fa08
0x0040fa0a
0x0040fa13
0x0040fa19
0x0040fa20
0x00000000
0x0040f592
0x0040f592
0x0040f598
0x0040f59f
0x0040f5a0
0x0040f5a5
0x0040f5ac
0x0040f5b0
0x0040f6e0
0x0040f6ed
0x0040f6f4
0x0040f703
0x0040f708
0x0040f70d
0x0040f712
0x0040facf
0x0040fa88
0x0040fa8e
0x0040fa25
0x0040fa25
0x0040fa2b
0x0040fa36
0x0040fa42
0x0040fa42
0x0040f71f
0x0040f73a
0x0040f743
0x0040f746
0x0040f751
0x0040f757
0x0040f75b
0x0040f75e
0x0040f761
0x0040f765
0x0040f765
0x0040f76c
0x0040f776
0x0040f77d
0x0040f784
0x0040f789
0x0040f793
0x0040f797
0x0040f79d
0x0040f7a0
0x0040f7a4
0x0040f7a9
0x0040f7ac
0x0040f7c0
0x0040f7ca
0x0040f7d4
0x0040f7d9
0x0040f7e3
0x0040f7ec
0x0040f7ec
0x0040f7ef
0x0040f7f7
0x0040f7f9
0x0040f7f9
0x0040f809
0x0040f811
0x0040f81d
0x0040f822
0x0040f825
0x0040f828
0x0040f82c
0x0040f844
0x0040f84e
0x0040f851
0x0040f853
0x0040f8b8
0x0040f8ba
0x0040f8bc
0x00000000
0x00000000
0x0040f8c2
0x0040f8c8
0x0040f8ce
0x0040f8d3
0x0040f8d4
0x0040f8d5
0x0040f8da
0x0040f8e0
0x0040f8ee
0x0040f8f1
0x0040f8f8
0x0040f8ff
0x0040f90b
0x0040f90e
0x0040f917
0x0040f919
0x0040f91f
0x0040f92a
0x0040f92b
0x0040f92f
0x0040f934
0x0040f937
0x0040f93b
0x0040f93f
0x0040f941
0x0040f941
0x0040f943
0x0040f946
0x0040f94a
0x0040f94c
0x0040f94c
0x0040f94e
0x0040f950
0x0040f959
0x0040f95e
0x0040f967
0x0040f972
0x0040f976
0x0040f97b
0x0040f97f
0x0040f988
0x0040f98f
0x0040f996
0x0040f99b
0x0040f99e
0x0040f9a2
0x0040f9a2
0x0040f9ad
0x0040f9ae
0x0040f9b4
0x0040f9b8
0x0040f9c0
0x0040f9c5
0x0040f9c7
0x0040faa5
0x0040faaa
0x0040fab0
0x0040fab5
0x0040fab8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f855
0x0040f869
0x0040f882
0x0040f898
0x0040f8a2
0x0040f8a5
0x00000000
0x0040f8a5
0x0040f853
0x0040f5b6
0x0040f5bc
0x0040f5c0
0x0040f5c5
0x0040f5cd
0x0040f5ce
0x0040f5d6
0x0040f5da
0x0040f5e1
0x0040f5e8
0x0040f5f1
0x0040f5f4
0x0040f5f8
0x0040f600
0x0040f604
0x0040f61e
0x0040f62a
0x0040f633
0x0040f636
0x0040f63a
0x0040f642
0x0040f646
0x0040f65d
0x0040f660
0x0040f664
0x0040f668
0x0040f66a
0x0040f66a
0x0040f679
0x0040f682
0x0040f685
0x0040f689
0x0040f691
0x0040f69c
0x0040f6a0
0x0040f6a5
0x0040f6a7
0x0040f6aa
0x0040f6ac
0x0040f6ae
0x0040f6b2
0x0040f6b8
0x0040f6bf
0x0040f6c4
0x0040f6c9
0x0040f6cc
0x0040f6cc
0x0040f6d1
0x0040fa45
0x0040fa47
0x0040fa4f
0x0040fa55
0x0040fa58
0x0040fa5c
0x0040fa60
0x0040fa62
0x0040fa62
0x0040fa70
0x0040fa7b
0x0040fa80
0x0040fa83
0x00000000
0x0040f6d7
0x0040f6d7
0x0040f6db
0x00000000
0x0040f6db
0x0040f9cd
0x0040f9cd
0x0040f9d3
0x0040f9d8
0x0040f9db
0x0040f9e6
0x0040f9ea
0x0040f9f5
0x0040f9f6
0x0040f9fc
0x00000000
0x0040f592

APIs

__EH_prolog3_GS.LIBCMT ref: 0040F4C0
GetDlgItem.USER32 ref: 0040F513

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00441E34: __EH_prolog3_GS.LIBCMT ref: 00441E3E

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 004425A8: __EH_prolog3_GS.LIBCMT ref: 004425AF
Part of subcall function 004425A8: GetLastError.KERNEL32 ref: 004426A4

Strings

T4L, xrefs: 0040F77D
ISSetupPrerequisites, xrefs: 0040F5CE
T4L, xrefs: 0040F8F8
%s.%s, xrefs: 0040F817
P/L, xrefs: 0040F53D
%s: %s, xrefs: 0040F953
@/L, xrefs: 0040F4CD
P/L, xrefs: 0040F79D
T4L, xrefs: 0040FA19
T4L, xrefs: 0040F54D
P/L, xrefs: 0040F5BC, 0040F5BF
T4L, xrefs: 0040F7CA
P/L, xrefs: 0040F811, 0040F81C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3Item
String ID: %s.%s$%s: %s$@/L$ISSetupPrerequisites$P/L$P/L$P/L$P/L$T4L$T4L$T4L$T4L$T4L
API String ID: 2081473146-411223273
Opcode ID: a599716554c256bccf49b8a7cfba22dc805a62703019bbe2fb787418089d6ec4
Instruction ID: a45cc4d22d49aed402b709e780eb6eceac6e559057337c84c3885825b2676eeb
Opcode Fuzzy Hash: a599716554c256bccf49b8a7cfba22dc805a62703019bbe2fb787418089d6ec4
Instruction Fuzzy Hash: 8E027C70A10219DEDB24EBA0CC55BDDB7B8BF14308F1040EEE549B7191DBB86A88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041D8B2, Relevance: 26.6, APIs: 1, Strings: 14, Instructions: 370
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041D8B2(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t152;
				intOrPtr* _t161;
				void* _t162;
				char _t163;
				intOrPtr* _t166;
				void* _t167;
				char _t168;
				intOrPtr* _t171;
				void* _t172;
				char _t173;
				void* _t174;
				void* _t176;
				void* _t177;
				void* _t178;
				intOrPtr* _t181;
				void* _t182;
				char _t183;
				intOrPtr* _t186;
				void* _t187;
				char _t188;
				intOrPtr* _t191;
				void* _t192;
				char _t193;
				void* _t194;
				char _t203;
				intOrPtr* _t234;
				void* _t323;
				void* _t325;
				void* _t328;
				void* _t329;

				_t329 = __eflags;
				_t321 = __edx;
				_push(0xb8);
				E0045B8C9(0x4a326d, __ebx, __edi, __esi);
				_t323 = __ecx;
				 *((intOrPtr*)(_t328 - 4)) = 1;
				E004095E2(__ecx + 0x2e8, _t328 + 8);
				_t325 = 0;
				_push(0);
				_push(0);
				_push(_t328 - 0x70);
				_t152 = E0040A206(__ebx, _t328 + 8, __edx, __ecx, 0, _t329);
				_t246 = _t323 + 0x138;
				 *((char*)(_t328 - 4)) = 2;
				E004095E2(_t323 + 0x138, _t152);
				 *((char*)(_t328 - 4)) = 1;
				E00401B80(_t328 - 0x70);
				_t156 =  >=  ?  *((void*)(_t328 + 0x3c)) : _t328 + 0x3c;
				_push( >=  ?  *((void*)(_t328 + 0x3c)) : _t328 + 0x3c);
				E004160F7(_t323 + 0x138, _t328 - 0xc4, _t323, 0,  *((intOrPtr*)(_t328 + 0x50)) - 8);
				 *((intOrPtr*)(_t328 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t328 - 0x18)) = 0x4c2f40;
				E00404200(_t328 - 0x40, _t328 - 0xa1, 0);
				_t161 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 5;
				 *((char*)(_t161 + 4)) = 1;
				_t162 = E0040A0F0(_t161,  *_t161);
				_push(1);
				_push(0);
				_push(_t162);
				_push(L"delayedstart:");
				_t163 = E0041AE03(_t323 + 0x138, _t328 - 0xc4, _t323, 0,  *((intOrPtr*)(_t328 + 0x50)) - 8);
				 *((char*)(_t328 - 0xa1)) = _t163;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t163 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				_t332 = _t163;
				if(_t163 != 0) {
					_push(E00412F8A(_t246, _t328 - 0x40, _t321));
					 *((intOrPtr*)(_t323 + 0x3c)) = E0045D629();
				}
				E00409FA9(_t328 - 0x40, _t325, 0xffffffff);
				_t166 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 6;
				 *((char*)(_t166 + 4)) = 1;
				_t167 = E0040A0F0(_t166,  *_t166);
				_push(1);
				_push(_t325);
				_push(_t167);
				_push(L"tempdisk1folder:");
				_t168 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t332);
				 *((char*)(_t328 - 0xa1)) = _t168;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t168 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				if(_t168 != 0) {
					_t234 = E0040A0F0(_t168, _t328 - 0x40);
					_t321 =  *_t234;
					_t236 =  !=  ?  *_t234 : 0x4c2d7c;
					E00404260(_t323 + 0x318, _t323,  !=  ?  *_t234 : 0x4c2d7c);
					E00424F41(_t246, _t323 + 0x318,  *_t234,  *_t234, _t328 - 0x70);
					E00401B80(_t328 - 0x70);
					 *((char*)(_t323 + 0x14)) = 1;
					_t325 = 0;
				}
				E00409FA9(_t328 - 0x40, _t325, 0xffffffff);
				_t171 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 7;
				 *((char*)(_t171 + 4)) = 1;
				_t172 = E0040A0F0(_t171,  *_t171);
				_push(1);
				_push(_t325);
				_push(_t172);
				_push(L"extract_all:");
				_t173 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, 0);
				 *((char*)(_t328 - 0xa1)) = _t173;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t173 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				if(_t173 != 0) {
					_t308 =  !=  ?  *((void*)(E0040A0F0(_t173, _t328 - 0x40))) : 0x4c2d7c;
					E00404260(_t323 + 0x318, _t323,  !=  ?  *((void*)(E0040A0F0(_t173, _t328 - 0x40))) : 0x4c2d7c);
					E00424F41(_t246, _t323 + 0x318, _t321,  *_t228, _t328 - 0x70);
					E00401B80(_t328 - 0x70);
					 *((char*)(_t323 + 0x15)) = 1;
					_t325 = 0;
				}
				_push(1);
				_push(1);
				_push(_t325);
				_push(L"runfromtemp");
				_t174 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, 0);
				_t341 = _t174;
				if(_t174 != 0) {
					 *((char*)(_t323 + 0x11)) = 1;
				}
				_push(1);
				_push(1);
				_push(_t325);
				_push(L"IS_temp");
				E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t341);
				_push(_t325);
				_push(1);
				_push(_t325);
				_push("s");
				_t176 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t341);
				_t342 = _t176;
				if(_t176 != 0) {
					 *((char*)(_t323 + 1)) = 1;
				}
				_push(_t325);
				_push(1);
				_push(_t325);
				_push(L"auto");
				_t177 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t342);
				_t343 = _t177;
				if(_t177 != 0) {
					 *((char*)(_t323 + 2)) = 1;
				}
				_push(_t325);
				_push(1);
				_push(_t325);
				_push(L"no_engine");
				_t178 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t343);
				_t344 = _t178;
				if(_t178 != 0) {
					 *((char*)(_t323 + 3)) = 1;
				}
				E00409FA9(_t328 - 0x40, _t325, 0xffffffff);
				_t181 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 8;
				 *((char*)(_t181 + 4)) = 1;
				_t182 = E0040A0F0(_t181,  *_t181);
				_push(1);
				_push(_t325);
				_push(_t182);
				_push(L"media_path:");
				_t183 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t344);
				 *((char*)(_t328 - 0xa1)) = _t183;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t183 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				_t346 = _t183;
				if(_t183 != 0) {
					_push(_t325);
					_push(_t328 - 0x40);
					 *((intOrPtr*)(_t328 - 0x70)) = 0x4c2fa0;
					 *((intOrPtr*)(_t328 - 0x48)) = 0x4c2f40;
					E00408E82(_t246, _t328 - 0x70, _t323, _t325, _t346);
					_t347 =  *((intOrPtr*)(_t328 - 0x5c));
					 *((char*)(_t328 - 4)) = 9;
					if( *((intOrPtr*)(_t328 - 0x5c)) != 0) {
						E004095E2(_t246, _t328 - 0x70);
						E00424F41(_t246, _t246, _t321, _t347, _t328 - 0xa0);
						E00401B80(_t328 - 0xa0);
					}
					 *((char*)(_t328 - 4)) = 4;
					E00401B80(_t328 - 0x70);
				}
				E00409FA9(_t328 - 0x40, _t325, 0xffffffff);
				_t186 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 0xa;
				 *((char*)(_t186 + 4)) = 1;
				_t187 = E0040A0F0(_t186,  *_t186);
				_push(1);
				_push(_t325);
				_push(_t187);
				_push(L"installfromweb:");
				_t188 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t347);
				 *((char*)(_t328 - 0xa1)) = _t188;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t188 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				_t349 = _t188;
				if(_t188 != 0) {
					_push(_t325);
					_push(_t328 - 0x40);
					 *((intOrPtr*)(_t328 - 0x70)) = 0x4c2fa0;
					 *((intOrPtr*)(_t328 - 0x48)) = 0x4c2f40;
					E00408E82(_t246, _t328 - 0x70, _t323, _t325, _t349);
					_t350 =  *((intOrPtr*)(_t328 - 0x5c));
					 *((char*)(_t328 - 4)) = 0xb;
					if( *((intOrPtr*)(_t328 - 0x5c)) != 0) {
						E004095E2(_t246, _t328 - 0x70);
						E00424F41(_t246, _t246, _t321, _t350, _t328 - 0xa0);
						E00401B80(_t328 - 0xa0);
					}
					 *((char*)(_t323 + 0x13)) = 1;
					 *((char*)(_t328 - 4)) = 4;
					E00401B80(_t328 - 0x70);
				}
				E00409FA9(_t328 - 0x40, _t325, 0xffffffff);
				_t191 = E00417A4B(_t328 - 0x40, _t328 - 0xb0);
				 *((char*)(_t328 - 4)) = 0xc;
				 *((char*)(_t191 + 4)) = 1;
				_t192 = E0040A0F0(_t191,  *_t191);
				_push(1);
				_push(_t325);
				_push(_t192);
				_push(L"IS_OriginalLauncher:");
				_t193 = E0041AE03(_t246, _t328 - 0xc4, _t323, _t325, _t350);
				 *((char*)(_t328 - 0xa1)) = _t193;
				 *((char*)(_t328 - 4)) = 4;
				if( *((char*)(_t328 - 0xac)) != 0) {
					E00404260( *((intOrPtr*)(_t328 - 0xb0)), _t323,  *((intOrPtr*)( *((intOrPtr*)(_t328 - 0xb0)) + 0x24)));
					_t193 =  *((intOrPtr*)(_t328 - 0xa1));
				}
				_t352 = _t193;
				if(_t193 != 0) {
					E00424F41(_t246, _t328 - 0x40, _t321, _t352, _t328 - 0xa0);
					E00401B80(_t328 - 0xa0);
					if( *((intOrPtr*)(_t328 - 0x2c)) != 0) {
						E004095E2(_t323 + 0x378, _t328 - 0x40);
					}
				}
				_t354 =  *((char*)(_t323 + 0x13));
				if( *((char*)(_t323 + 0x13)) != 0) {
					L39:
					_t194 = E00424D6D(_t246, _t321, _t323, _t355);
					_t356 = _t194;
					if(_t194 != 0) {
						_push(_t328 - 0xa0);
						E00424AC0(_t246, _t246, _t321, _t323, _t325, _t356);
						E00401B80(_t328 - 0xa0);
					}
					goto L41;
				} else {
					_t203 = E00424D42(_t246, _t354);
					 *((char*)(_t323 + 0x13)) = _t203;
					_t355 = _t203;
					if(_t203 == 0) {
						L41:
						E00401B80(_t328 - 0x40);
						E004172BB(_t246, _t328 - 0xc4, _t323);
						E00401B80(_t328 + 8);
						E00401B80(_t328 + 0x38);
						return E0045B878(_t246, _t323, _t325);
					}
					goto L39;
				}
			}

0x0041d8b2
0x0041d8b2
0x0041d8b2
0x0041d8bc
0x0041d8c1
0x0041d8cd
0x0041d8d4
0x0041d8d9
0x0041d8db
0x0041d8dc
0x0041d8e0
0x0041d8e4
0x0041d8e9
0x0041d8f2
0x0041d8f6
0x0041d8fe
0x0041d902
0x0041d90e
0x0041d912
0x0041d919
0x0041d929
0x0041d930
0x0041d937
0x0041d946
0x0041d94d
0x0041d951
0x0041d955
0x0041d95a
0x0041d95c
0x0041d95d
0x0041d95e
0x0041d969
0x0041d975
0x0041d97b
0x0041d97f
0x0041d98a
0x0041d98f
0x0041d98f
0x0041d995
0x0041d997
0x0041d9a1
0x0041d9a8
0x0041d9a8
0x0041d9b1
0x0041d9c0
0x0041d9c7
0x0041d9cb
0x0041d9cf
0x0041d9d4
0x0041d9d6
0x0041d9d7
0x0041d9d8
0x0041d9e3
0x0041d9ef
0x0041d9f5
0x0041d9f9
0x0041da04
0x0041da09
0x0041da09
0x0041da11
0x0041da16
0x0041da1b
0x0041da24
0x0041da30
0x0041da3b
0x0041da43
0x0041da48
0x0041da4c
0x0041da4c
0x0041da54
0x0041da63
0x0041da6a
0x0041da6e
0x0041da72
0x0041da77
0x0041da79
0x0041da7a
0x0041da7b
0x0041da86
0x0041da92
0x0041da98
0x0041da9c
0x0041daa7
0x0041daac
0x0041daac
0x0041dab4
0x0041dac6
0x0041dad2
0x0041dadd
0x0041dae5
0x0041daea
0x0041daee
0x0041daee
0x0041daf0
0x0041daf2
0x0041daf4
0x0041daf5
0x0041db00
0x0041db05
0x0041db07
0x0041db09
0x0041db09
0x0041db0d
0x0041db0f
0x0041db11
0x0041db12
0x0041db1d
0x0041db22
0x0041db23
0x0041db25
0x0041db26
0x0041db31
0x0041db36
0x0041db38
0x0041db3a
0x0041db3a
0x0041db3e
0x0041db3f
0x0041db41
0x0041db42
0x0041db4d
0x0041db52
0x0041db54
0x0041db56
0x0041db56
0x0041db5a
0x0041db5b
0x0041db5d
0x0041db5e
0x0041db69
0x0041db6e
0x0041db70
0x0041db72
0x0041db72
0x0041db7c
0x0041db8b
0x0041db92
0x0041db96
0x0041db9a
0x0041db9f
0x0041dba1
0x0041dba2
0x0041dba3
0x0041dbae
0x0041dbba
0x0041dbc0
0x0041dbc4
0x0041dbcf
0x0041dbd4
0x0041dbd4
0x0041dbda
0x0041dbdc
0x0041dbde
0x0041dbe2
0x0041dbe6
0x0041dbed
0x0041dbf4
0x0041dbf9
0x0041dbfd
0x0041dc01
0x0041dc09
0x0041dc17
0x0041dc22
0x0041dc22
0x0041dc2a
0x0041dc2e
0x0041dc2e
0x0041dc39
0x0041dc48
0x0041dc4f
0x0041dc53
0x0041dc57
0x0041dc5c
0x0041dc5e
0x0041dc5f
0x0041dc60
0x0041dc6b
0x0041dc77
0x0041dc7d
0x0041dc81
0x0041dc8c
0x0041dc91
0x0041dc91
0x0041dc97
0x0041dc99
0x0041dc9b
0x0041dc9f
0x0041dca3
0x0041dcaa
0x0041dcb1
0x0041dcb6
0x0041dcba
0x0041dcbe
0x0041dcc6
0x0041dcd4
0x0041dcdf
0x0041dcdf
0x0041dce7
0x0041dceb
0x0041dcef
0x0041dcef
0x0041dcfa
0x0041dd09
0x0041dd10
0x0041dd14
0x0041dd18
0x0041dd1d
0x0041dd1f
0x0041dd20
0x0041dd21
0x0041dd2c
0x0041dd38
0x0041dd3e
0x0041dd42
0x0041dd4d
0x0041dd52
0x0041dd52
0x0041dd58
0x0041dd5a
0x0041dd66
0x0041dd71
0x0041dd7a
0x0041dd86
0x0041dd86
0x0041dd7a
0x0041dd8b
0x0041dd8f
0x0041dd9f
0x0041dda1
0x0041dda6
0x0041dda8
0x0041ddb0
0x0041ddb3
0x0041ddbe
0x0041ddbe
0x00000000
0x0041dd91
0x0041dd93
0x0041dd98
0x0041dd9b
0x0041dd9d
0x0041ddc3
0x0041ddc6
0x0041ddd1
0x0041ddd9
0x0041dde1
0x0041ddeb
0x0041ddeb
0x00000000
0x0041dd9d

APIs

__EH_prolog3_GS.LIBCMT ref: 0041D8BC

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 004160F7: __EH_prolog3.LIBCMT ref: 004160FE

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Part of subcall function 0041AE03: __EH_prolog3_GS.LIBCMT ref: 0041AE0D
Part of subcall function 0041AE03: SysStringLen.OLEAUT32(?), ref: 0041AF0D
Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF18

Part of subcall function 0041AE03: SysFreeString.OLEAUT32(?), ref: 0041AF53

Strings

delayedstart:, xrefs: 0041D95E
installfromweb:, xrefs: 0041DC60
extract_all:, xrefs: 0041DA7B
runfromtemp, xrefs: 0041DAF5
auto, xrefs: 0041DB42
|-L, xrefs: 0041DAC1
tempdisk1folder:, xrefs: 0041D9D8
@/L, xrefs: 0041D930
IS_temp, xrefs: 0041DB12
media_path:, xrefs: 0041DBA3
no_engine, xrefs: 0041DB5E
|-L, xrefs: 0041DA1F
@/L, xrefs: 0041DCAA
IS_OriginalLauncher:, xrefs: 0041DD21

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$ErrorFreeLast$H_prolog3_$AllocH_prolog3
String ID: @/L$@/L$IS_OriginalLauncher:$IS_temp$auto$delayedstart:$extract_all:$installfromweb:$media_path:$no_engine$runfromtemp$tempdisk1folder:$|-L$|-L
API String ID: 126701897-1698992500
Opcode ID: fb06f9c35445f785ee054ad8a290ba95409f0049d4a28f277c84a0b6636a9f04
Instruction ID: 4d0e82a3e1fc830d835c838a24e5cf109e40e4a2356c89bde4cad9fd60ae6b00
Opcode Fuzzy Hash: fb06f9c35445f785ee054ad8a290ba95409f0049d4a28f277c84a0b6636a9f04
Instruction Fuzzy Hash: C3E1B170A04258AECB25EB61CC51BDEBB74AF11308F0441EEF146371D2DBB95E89CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00408BF3, Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 108
stringCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E00408BF3(void* __edx, struct HINSTANCE__* _a4, struct HINSTANCE__* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v526;
				short _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				char _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t24;
				struct HINSTANCE__* _t35;
				_Unknown_base(*)()* _t38;
				struct HINSTANCE__* _t42;
				struct HINSTANCE__* _t48;
				intOrPtr _t52;
				void* _t53;
				void* _t63;
				struct HINSTANCE__* _t64;
				struct HINSTANCE__* _t65;
				signed int _t66;
				void* _t67;
				void* _t68;

				_t63 = __edx;
				_t24 =  *0x4d7e88; // 0x9518852c
				_v8 = _t24 ^ _t66;
				_t52 = _a12;
				_t65 = _a8;
				_t64 = _a4;
				_v536 = _a16;
				_v532 = _a20;
				if(lstrlenW(_t65) != 0) {
					_v528 = 0;
					E0045A4D0( &_v526, 0, 0x206);
					_t68 = _t67 + 0xc;
					lstrcpyW( &_v528, _t65);
					_push(0x5c);
					_push( &_v528);
					_t35 = E0045A303(_t53);
					__eflags = _t35;
					if(_t35 == 0) {
						GetModuleFileNameW(_t64,  &_v528, 0x208);
						_t48 = E0045A3B1( &_v528, 0x5c);
						__eflags = _t48;
						if(_t48 != 0) {
							__eflags = 0;
							_t48->i = 0;
							wsprintfW( &_v528, L"%s\\%s",  &_v528, _t65);
							_t68 = _t68 + 0x10;
						}
					}
					_t65 = GetModuleHandleW( &_v528);
					__eflags = _t65;
					if(_t65 != 0) {
						L8:
						_t38 = GetProcAddress(_t65, "DllGetClassObject");
						 *_t38(_t52, _v536, _v532);
						goto L9;
					} else {
						_t42 = E00408892( &_v540, _t65,  &_v528);
						__imp__CoLoadLibrary(_t42->i, 1);
						_t65 = _t42;
						__imp__#6(_v540);
						__eflags = _t65;
						if(__eflags != 0) {
							goto L8;
						}
						_push(0x80041f42);
						_push(0x4b3478);
						_push(0x2d);
						_push("..\\..\\..\\inc\\CoCreate.cpp");
						_push( &_v528);
						_push(0x4b3478);
						E0043A6DB(_t52, _t64, _t65, __eflags);
						L9:
						return E0045A457(_t52, _v8 ^ _t66, _t63, _t64, _t65);
					}
				}
				goto L9;
			}

0x00408bf3
0x00408bfc
0x00408c03
0x00408c0a
0x00408c0e
0x00408c12
0x00408c15
0x00408c1f
0x00408c2d
0x00408c41
0x00408c4f
0x00408c54
0x00408c5f
0x00408c6b
0x00408c6d
0x00408c6e
0x00408c75
0x00408c77
0x00408c86
0x00408c95
0x00408c9c
0x00408c9e
0x00408ca0
0x00408ca2
0x00408cb3
0x00408cb9
0x00408cb9
0x00408c9e
0x00408cc9
0x00408ccb
0x00408ccd
0x00408d21
0x00408d27
0x00408d3a
0x00000000
0x00408ccf
0x00408cdc
0x00408ce5
0x00408cf1
0x00408cf3
0x00408cf9
0x00408cfb
0x00000000
0x00000000
0x00408cfd
0x00408d07
0x00408d08
0x00408d0a
0x00408d15
0x00408d16
0x00408d17
0x00408d3c
0x00408d4a
0x00408d4a
0x00408ccd
0x00000000

APIs

lstrlenW.KERNEL32(?), ref: 00408C25
_memset.LIBCMT ref: 00408C4F
lstrcpyW.KERNEL32(?,?), ref: 00408C5F
_wcschr.LIBCMT ref: 00408C6E
GetModuleFileNameW.KERNEL32(?,?,00000208), ref: 00408C86
_wcsrchr.LIBCMT ref: 00408C95
wsprintfW.USER32 ref: 00408CB3
GetModuleHandleW.KERNEL32(?), ref: 00408CC3
CoLoadLibrary.OLE32(00000000,00000001), ref: 00408CE5
SysFreeString.OLEAUT32(?), ref: 00408CF3

Strings

..\..\..\inc\CoCreate.cpp, xrefs: 00408D0A
%s\%s, xrefs: 00408CAD
x4K, xrefs: 00408D02
DllGetClassObject, xrefs: 00408D21

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Module$FileFreeHandleLibraryLoadNameString_memset_wcschr_wcsrchrlstrcpylstrlenwsprintf
String ID: %s\%s$..\..\..\inc\CoCreate.cpp$DllGetClassObject$x4K
API String ID: 836880797-3589990351
Opcode ID: 62448f792ccd6f6464d93e8e352c8bc92f98070b702b0d51859baf54152be34a
Instruction ID: 816578f38f4b4d2644b821f4f19a0e6ae83ca2fdd092241f6fd384f9e14ada88
Opcode Fuzzy Hash: 62448f792ccd6f6464d93e8e352c8bc92f98070b702b0d51859baf54152be34a
Instruction Fuzzy Hash: C131C675901318ABDF20EBA1DC49EDA77BCEF19300F0045AAF915E3181EB789E448F69

Uniqueness

Uniqueness Score: -1.00%

Function 0044542C, Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0044542C(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t40;
				intOrPtr _t42;
				void* _t43;
				void* _t47;

				_push(0x3c);
				E0045B8C9(0x4a784d, __ebx, __edi, __esi);
				_t42 =  *((intOrPtr*)(_t43 + 0x10));
				_t40 =  *((intOrPtr*)(_t43 + 8));
				 *((intOrPtr*)(_t43 - 0x48)) = 0;
				if(_t42 == 0 &&  *((intOrPtr*)(_t43 + 0xc)) == 0) {
					_t6 = _t43 + 0xc; // 0x4c2f40
					E00445309(_t6, _t43 + 0x10);
					_t42 =  *((intOrPtr*)(_t43 + 0x10));
				}
				 *((intOrPtr*)(_t43 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t43 - 0x18)) = 0x4c2f40;
				E00404200(_t43 - 0x40, _t43 - 0x41, 0);
				 *((intOrPtr*)(_t43 - 4)) = 0;
				_t47 = _t42 - 0x400000;
				if(_t47 > 0) {
					__eflags = _t42 - 0x800000;
					if(_t42 == 0x800000) {
						_push(L"Windows Server 2003");
					} else {
						__eflags = _t42 - 0x1000000;
						if(_t42 == 0x1000000) {
							_push(L"Windows Vista / Server 2008");
						} else {
							__eflags = _t42 - 0x2000000;
							if(_t42 == 0x2000000) {
								_push(L"Windows 7 / Server 2008 R2");
							} else {
								__eflags = _t42 - 0x4000000;
								if(_t42 == 0x4000000) {
									_push(L"Windows 8 / Server 2012");
								} else {
									__eflags = _t42 - 0x8000000;
									if(_t42 == 0x8000000) {
										_push(L"Windows 8.1 / Server 2012 R2");
									} else {
										goto L21;
									}
								}
							}
						}
					}
				} else {
					if(_t47 == 0) {
						_push(L"Windows XP");
					} else {
						_t42 = _t42 - 0x10;
						if(_t42 == 0) {
							_push(L"Windows 95");
						} else {
							_t42 = _t42 - 0x30;
							if(_t42 == 0) {
								_push(L"Windows 98");
							} else {
								_t42 = _t42 - 0x40;
								if(_t42 == 0) {
									_push(L"Windows Me");
								} else {
									_t42 = _t42 - 0xff80;
									if(_t42 == 0) {
										_push(L"Windows NT 4.0");
									} else {
										_t42 = _t42 - 0xf0000;
										_t52 = _t42;
										if(_t42 != 0) {
											L21:
											_push(0x4c2d7c);
										} else {
											_push(L"Windows 2000");
										}
									}
								}
							}
						}
					}
				}
				E00406A00(_t43 - 0x3c, _t40);
				_push(_t43 - 0x40);
				 *_t40 = 0x4c2fa0;
				 *((intOrPtr*)(_t40 + 0x28)) = 0x4c2f40;
				E00408E82(0, _t40, _t40, _t42, _t52);
				E00401B80(_t43 - 0x40);
				return E0045B878(0, _t40, _t42);
			}

0x0044542c
0x00445433
0x00445438
0x0044543b
0x00445440
0x00445445
0x00445450
0x00445454
0x00445459
0x0044545d
0x00445466
0x0044546d
0x00445474
0x0044547e
0x00445481
0x00445483
0x004454d0
0x004454d6
0x0044551b
0x004454d8
0x004454d8
0x004454de
0x00445514
0x004454e0
0x004454e0
0x004454e6
0x0044550d
0x004454e8
0x004454e8
0x004454ee
0x00445506
0x004454f0
0x004454f0
0x004454f6
0x004454ff
0x00000000
0x00000000
0x00000000
0x004454f6
0x004454ee
0x004454e6
0x004454de
0x00445485
0x00445485
0x004454c9
0x00445487
0x00445487
0x0044548a
0x004454c2
0x0044548c
0x0044548c
0x0044548f
0x004454bb
0x00445491
0x00445491
0x00445494
0x004454b4
0x00445496
0x00445496
0x0044549c
0x004454ad
0x0044549e
0x0044549e
0x0044549e
0x004454a4
0x004454f8
0x004454f8
0x004454a6
0x004454a6
0x004454a6
0x004454a4
0x0044549c
0x00445494
0x0044548f
0x0044548a
0x00445485
0x00445523
0x0044552c
0x0044552f
0x00445535
0x0044553c
0x00445544
0x00445550

APIs

__EH_prolog3_GS.LIBCMT ref: 00445433

Part of subcall function 00445309: GetVersionExW.KERNEL32(?,?,00000000), ref: 0044533B

Strings

@/L, xrefs: 00445535
Windows 8 / Server 2012, xrefs: 00445506
Windows 95, xrefs: 004454C2
Windows Vista / Server 2008, xrefs: 00445514
Windows XP, xrefs: 004454C9
@/L, xrefs: 00445450, 00445453
Windows 8.1 / Server 2012 R2, xrefs: 004454FF
Windows 2000, xrefs: 004454A6
Windows NT 4.0, xrefs: 004454AD
Windows Me, xrefs: 004454B4
Windows Server 2003, xrefs: 0044551B
Windows 7 / Server 2008 R2, xrefs: 0044550D
@/L, xrefs: 0044546D
Windows 98, xrefs: 004454BB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_Version
String ID: @/L$@/L$@/L$Windows 2000$Windows 7 / Server 2008 R2$Windows 8 / Server 2012$Windows 8.1 / Server 2012 R2$Windows 95$Windows 98$Windows Me$Windows NT 4.0$Windows Server 2003$Windows Vista / Server 2008$Windows XP
API String ID: 3152847492-3735908412
Opcode ID: 1cd9a6287cde444437cf7d9742eceb90f602e66114381f045e12fafac483c39e
Instruction ID: 89d619f7e0f2fec5d0ca7ad439ae17567f4ff9548112a3e4181b66542faee5d8
Opcode Fuzzy Hash: 1cd9a6287cde444437cf7d9742eceb90f602e66114381f045e12fafac483c39e
Instruction Fuzzy Hash: C021F672900B14F7FF14AA589845BFEB2259B04300F65412BF801772DAE6BC2E459B9F

Uniqueness

Uniqueness Score: -1.00%

Function 00411FC6, Relevance: 25.7, APIs: 17, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E00411FC6(int __ecx, void* __edx) {
				signed int _v8;
				struct tagRECT _v24;
				struct tagRECT _v40;
				struct tagRECT _v56;
				struct tagRECT _v72;
				struct tagPOINT _v80;
				struct HWND__* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				struct HWND__* _t56;
				struct HWND__* _t85;
				void* _t94;
				struct HWND__* _t96;
				struct HWND__* _t97;
				intOrPtr _t104;
				intOrPtr _t107;
				intOrPtr _t111;
				void* _t114;
				void* _t115;
				int _t117;
				int _t119;
				int _t122;
				signed int _t129;

				_t114 = __edx;
				_t53 =  *0x4d7e88; // 0x9518852c
				_v8 = _t53 ^ _t129;
				_t122 = __ecx;
				if( *((char*)(__ecx + 0xee)) == 0) {
					_t56 =  *0x4d9620; // 0x0
					if(_t56 != 0 && IsWindow(_t56) != 0) {
						 *((char*)(_t122 + 0xee)) = 1;
						GetWindowRect(GetDlgItem( *0x4d9620, 0x3ec),  &_v24);
						_t96 = GetDlgItem( *0x4d9620, 0x12d);
						_v84 = _t96;
						GetWindowRect(_t96,  &_v40);
						_t104 =  *0x4d962c; // 0x0
						_t117 = _v40.bottom - _v40.top;
						E0040D238(_t104,  *(_t104 + 0x44) & 0x0000ffff);
						_t106 =  !=  ? _v24.right : _v24.left;
						_v80.y = _v24.top - _t117 - 0xa;
						_v80.x =  !=  ? _v24.right : _v24.left;
						ScreenToClient( *0x4d9620,  &_v80);
						SetWindowPos(_t96, 0, _v80.x, _v80.y, _v40.right - _v40.left, _t117, 4);
						_t97 = GetDlgItem( *0x4d9620, 0x3eb);
						GetWindowRect(_t97,  &_v56);
						_t119 = _v56.bottom - _v56.top;
						GetWindowRect(_v84,  &_v40);
						_t107 =  *0x4d962c; // 0x0
						E0040D238(_t107,  *(_t107 + 0x44) & 0x0000ffff);
						_t109 =  !=  ? _v24.right : _v24.left;
						_v80.y = _v40.top - _t119 - 0xa;
						_v80.x =  !=  ? _v24.right : _v24.left;
						ScreenToClient( *0x4d9620,  &_v80);
						SetWindowPos(_t97, 0, _v80.x, _v80.y, _v56.right - _v56.left, _t119, 4);
						_t85 = GetDlgItem( *0x4d9620, 0x40b);
						_v84 = _t85;
						GetWindowRect(_t85,  &_v72);
						GetWindowRect(_t97,  &_v56);
						_t111 =  *0x4d962c; // 0x0
						_t122 = _v72.top;
						E0040D238(_t111,  *(_t111 + 0x44) & 0x0000ffff);
						_t113 =  !=  ? _v24.right : _v24.left;
						_v80.x =  !=  ? _v24.right : _v24.left;
						_v80.y = _t122;
						ScreenToClient( *0x4d9620,  &_v80);
						SetWindowPos(_v84, 0, _v80, _v80.y, _v72.right - _v72.left, _v56.top - _t122 - 0xa, 4);
						_t115 = _t115;
						_t94 = _t94;
					}
				}
				return E0045A457(_t94, _v8 ^ _t129, _t114, _t115, _t122);
			}

0x00411fc6
0x00411fcc
0x00411fd3
0x00411fd7
0x00411fe0
0x00411fe6
0x00411fed
0x00412013
0x00412029
0x00412038
0x0041203f
0x00412042
0x00412044
0x00412054
0x0041205b
0x00412065
0x00412071
0x0041207e
0x00412081
0x00412094
0x004120ab
0x004120b2
0x004120be
0x004120cb
0x004120d1
0x004120dc
0x004120e6
0x004120f2
0x004120ff
0x00412102
0x00412115
0x00412126
0x00412137
0x0041213a
0x00412141
0x00412143
0x00412150
0x0041215f
0x00412169
0x00412177
0x0041217a
0x0041217d
0x00412192
0x00412198
0x00412199
0x00412199
0x00411fed
0x004121a6

APIs

IsWindow.USER32(00000000), ref: 00411FF4
GetDlgItem.USER32 ref: 00412020
GetWindowRect.USER32 ref: 00412029
GetDlgItem.USER32 ref: 00412036
GetWindowRect.USER32 ref: 00412042
ScreenToClient.USER32 ref: 00412081
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00412094
GetDlgItem.USER32 ref: 004120A5
GetWindowRect.USER32 ref: 004120B2
GetWindowRect.USER32 ref: 004120CB
ScreenToClient.USER32 ref: 00412102
SetWindowPos.USER32(00000000,00000000,?,?,?,?,00000004), ref: 00412115
GetDlgItem.USER32 ref: 00412126
GetWindowRect.USER32 ref: 0041213A
GetWindowRect.USER32 ref: 00412141
ScreenToClient.USER32 ref: 0041217D
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00412192

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Window$Rect$Item$ClientScreen
String ID:
API String ID: 1521148189-0
Opcode ID: 03d8f41e63986f824cd9499d5980d3e3cc7b4f54c68830348ee8837366ffa1bd
Instruction ID: 3c1246fc33e8bfaa141091deeb84a48d6a8805fb812ee7279d1519111118527a
Opcode Fuzzy Hash: 03d8f41e63986f824cd9499d5980d3e3cc7b4f54c68830348ee8837366ffa1bd
Instruction Fuzzy Hash: 0C51D772D00218AFCF14DFE5DD48AAEBFB9FB49304F04416AFA11B7250DA75A905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00436AE1, Relevance: 25.6, APIs: 17, Instructions: 113
windowCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00436AE1(void* __edx, void* __edi, void* __esi, struct HWND__* _a4, intOrPtr _a8) {
				signed int _v8;
				struct tagRECT _v24;
				struct HWND__* _v28;
				struct HDC__* _v32;
				struct HWND__* _v36;
				int _v52;
				int _v56;
				void _v60;
				void* __ebx;
				signed int _t23;
				void* _t31;
				struct HWND__* _t58;
				void* _t62;
				int _t64;
				struct HDC__* _t67;
				signed int _t69;

				_t66 = __esi;
				_t63 = __edi;
				_t62 = __edx;
				_t23 =  *0x4d7e88; // 0x9518852c
				_v8 = _t23 ^ _t69;
				_t58 = _a4;
				_v28 = _t58;
				if(_a8 == 0x14) {
					if( *0x4d98cc == 0) {
						L3:
						L4:
						return E0045A457(_t58, _v8 ^ _t69, _t62, _t63, _t66);
					}
					_push(__esi);
					_push(__edi);
					_t67 = GetDC(_t58);
					_v32 = _t67;
					GetObjectW( *0x4d98cc, 0x18,  &_v60);
					_t58 = CreateCompatibleDC(_t67);
					_t31 =  *0x4d98c8; // 0x0
					_t64 = 0;
					_v36 = _t58;
					if(_t31 != 0) {
						UnrealizeObject(_t31);
						SelectPalette(_t67,  *0x4d98c8, 0);
						RealizePalette(_t67);
						UnrealizeObject( *0x4d98c8);
						_t58 = _v36;
						SelectPalette(_t58,  *0x4d98c8, 0);
						RealizePalette(_t58);
						_t67 = _v32;
						_t64 = 0;
					}
					SelectObject(_t58,  *0x4d98cc);
					BitBlt(_t67, _t64, _t64, _v56, _v52, _t58, _t64, _t64, 0xcc0020);
					ReleaseDC(_v28, _t67);
					DeleteDC(_t58);
					_pop(_t63);
					_pop(_t66);
					goto L4;
				}
				if(_a8 == 0x110) {
					GetObjectW( *0x4d98cc, 0x18,  &_v60);
					GetClientRect(GetDesktopWindow(),  &_v24);
					asm("cdq");
					asm("cdq");
					MoveWindow(_t58, _v24.right - _v56 - _t62 >> 1, _v24.bottom - _v52 - _t62 >> 1, _v56, _v52, 1);
				}
				goto L3;
			}

0x00436ae1
0x00436ae1
0x00436ae1
0x00436ae7
0x00436aee
0x00436af6
0x00436af9
0x00436afc
0x00436b69
0x00436b51
0x00436b53
0x00436b5f
0x00436b5f
0x00436b6b
0x00436b6c
0x00436b74
0x00436b82
0x00436b85
0x00436b92
0x00436b94
0x00436b99
0x00436b9b
0x00436ba0
0x00436ba9
0x00436bb9
0x00436bc2
0x00436bca
0x00436bcc
0x00436bd8
0x00436bdb
0x00436bdd
0x00436be0
0x00436be0
0x00436be9
0x00436c00
0x00436c0a
0x00436c11
0x00436c19
0x00436c1b
0x00000000
0x00436c1b
0x00436b05
0x00436b13
0x00436b24
0x00436b35
0x00436b44
0x00436b4b
0x00436b4b
0x00000000

APIs

GetObjectW.GDI32(00000018,?), ref: 00436B13
GetDesktopWindow.USER32 ref: 00436B1D
GetClientRect.USER32 ref: 00436B24
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00436B4B
GetDC.USER32(?), ref: 00436B6E
GetObjectW.GDI32(00000018,?), ref: 00436B85
CreateCompatibleDC.GDI32(00000000), ref: 00436B8C
UnrealizeObject.GDI32(00000000), ref: 00436BA9
SelectPalette.GDI32(00000000,00000000), ref: 00436BB9
RealizePalette.GDI32(00000000), ref: 00436BC2
UnrealizeObject.GDI32 ref: 00436BCA
SelectPalette.GDI32(?,00000000), ref: 00436BD8
RealizePalette.GDI32(?), ref: 00436BDB
SelectObject.GDI32(00000000), ref: 00436BE9
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00436C00
ReleaseDC.USER32 ref: 00436C0A
DeleteDC.GDI32(00000000), ref: 00436C11

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Object$Palette$Select$RealizeUnrealizeWindow$ClientCompatibleCreateDeleteDesktopMoveRectRelease
String ID:
API String ID: 366568439-0
Opcode ID: 56bbd96b143a01167bae965127809d0ea88bafe7f6a90493af8f92de331c2a9a
Instruction ID: ceb5995f1fafb50015571fc41b7c9e931649de96f5a1c626a3625a1dfa46fbad
Opcode Fuzzy Hash: 56bbd96b143a01167bae965127809d0ea88bafe7f6a90493af8f92de331c2a9a
Instruction Fuzzy Hash: 2B414A71900229BFDB10AFA6EC88DDF7FB9EB4E700F014426F611E2160DA749944DF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D048, Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 342
registryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0042D048(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t151;
				void* _t157;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				void* _t168;
				signed int _t174;
				short* _t176;
				signed int _t177;
				intOrPtr* _t187;
				signed int _t188;
				signed int _t189;
				signed int _t191;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t197;
				signed int _t205;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t215;
				signed int _t219;
				int _t256;
				signed int _t260;
				intOrPtr* _t265;
				void* _t266;
				void* _t267;
				signed int _t268;
				void* _t272;
				void* _t280;

				_t272 = __eflags;
				_push(0xc8);
				E0045B8C9(0x4a500d, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t266 - 0xcc)) = __ecx;
				_t263 =  *(_t266 + 0x18);
				 *(_t266 - 0xb4) =  *(_t266 + 0x14);
				 *((intOrPtr*)(_t266 - 0xb8)) =  *((intOrPtr*)(_t266 + 0x1c));
				 *(_t266 - 0xbc) = 0;
				 *(_t266 - 0xa8) =  *(_t266 + 0x10);
				 *((intOrPtr*)(_t266 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t266 - 0x18)) = 0x4c3454;
				E00403F50(_t266 - 0x40, _t266 - 0xa1, 0);
				 *(_t266 - 4) = 0;
				 *(_t266 - 0xb0) = E004068B0( *(_t266 + 0x10) + 4, "\\", 0, E0045B5D4("\\"));
				_t260 = 0;
				E0043673B( *(_t266 + 0x18), _t266 - 0xac, 0xa);
				_t151 = E00445F68(_t272);
				_t219 = 1;
				if(_t151 != 0) {
					if(( *(_t266 - 0xac) & 1) == 0) {
						__eflags =  *(_t266 - 0xac) & 0x00000002;
						_t260 =  !=  ? 0x100 : 0;
					} else {
						_t260 = 0x200;
					}
				}
				_t152 =  *(_t266 - 0xb0);
				_t256 =  *(_t266 - 0xb0) + 1;
				 *(_t266 - 0xb0) = _t256;
				if(_t256 >=  *((intOrPtr*)( *(_t266 - 0xa8) + 0x14))) {
					L76:
					_t219 = 0;
					__eflags = 0;
					L77:
					E00401AC0(_t266 - 0x40);
					return E0045B878(_t219, _t260, _t263);
				}
				_t157 = E00404580(_t266 - 0xa0, 0, _t152);
				 *(_t266 - 4) = _t219;
				E00402B90(_t266 - 0x40, _t157);
				 *(_t266 - 4) = 0;
				E00401AC0(_t266 - 0xa0);
				if(E00433248(_t266 - 0x3c, L"HKEY_CLASSES_ROOT") != 0) {
					_t161 = E00433248(_t266 - 0x3c, L"HKEY_CURRENT_USER");
					__eflags = _t161;
					if(_t161 != 0) {
						_t162 = E00433248(_t266 - 0x3c, L"HKEY_LOCAL_MACHINE");
						__eflags = _t162;
						if(_t162 != 0) {
							_t163 = E00433248(_t266 - 0x3c, L"HKEY_USERS");
							__eflags = _t163;
							if(_t163 != 0) {
								_t164 = E00433248(_t266 - 0x3c, L"HKEY_PERFORMANCE_DATA");
								__eflags = _t164;
								if(_t164 != 0) {
									_t165 = E00433248(_t266 - 0x3c, L"HKEY_CURRENT_CONFIG");
									__eflags = _t165;
									if(_t165 != 0) {
										_t166 = E00433248(_t266 - 0x3c, L"HKEY_DYN_DATA");
										__eflags = _t166;
										if(_t166 != 0) {
											goto L76;
										}
										_t263 = 0x80000006;
										goto L19;
									}
									_t263 = 0x80000005;
									goto L19;
								}
								_t263 = 0x80000004;
								goto L19;
							}
							_t263 = 0x80000003;
							goto L19;
						}
						_t263 = 0x80000002;
						goto L19;
					}
					_t263 = 0x80000001;
					goto L19;
				} else {
					_t263 = 0x80000000;
					L19:
					_t168 = E00404580(_t266 - 0xa0,  *(_t266 - 0xb0), 0xffffffff);
					 *(_t266 - 4) = 2;
					E00402B90(_t266 - 0x40, _t168);
					E00401AC0(_t266 - 0xa0);
					 *(_t266 - 0xc8) = 0;
					 *((intOrPtr*)(_t266 - 0xc4)) = 0;
					 *((intOrPtr*)(_t266 - 0xc0)) = 0;
					_t173 =  >=  ?  *((void*)(_t266 - 0x3c)) : _t266 - 0x3c;
					_t260 = _t260 | 0x00020019;
					 *(_t266 - 4) = 3;
					 *(_t266 - 0xa8) = _t260;
					_t174 = E004018F0(_t266 - 0xc8, _t263,  >=  ?  *((void*)(_t266 - 0x3c)) : _t266 - 0x3c, _t260);
					if(_t174 != 0) {
						L70:
						__eflags =  *((intOrPtr*)(_t266 + 8)) - _t219;
						if( *((intOrPtr*)(_t266 + 8)) != _t219) {
							__eflags =  *((intOrPtr*)(_t266 + 0xc)) - 2;
							if( *((intOrPtr*)(_t266 + 0xc)) != 2) {
								__eflags =  *((intOrPtr*)(_t266 + 0xc)) - 0x20;
								if( *((intOrPtr*)(_t266 + 0xc)) != 0x20) {
									_t219 = 0;
									__eflags = 0;
								}
							}
						} else {
							__eflags =  *((intOrPtr*)(_t266 + 0xc)) - 2;
							_t219 = _t219 & 0xffffff00 |  *((intOrPtr*)(_t266 + 0xc)) == 0x00000002;
						}
						L75:
						E004018C0(_t266 - 0xc8);
						goto L77;
					}
					if( *((intOrPtr*)(_t266 + 8)) != _t219) {
						_t260 =  *(_t266 - 0xb4) + 4;
						 *(_t266 - 0xb0) = 4;
						__eflags =  *((intOrPtr*)(_t260 + 0x14)) - 8;
						if( *((intOrPtr*)(_t260 + 0x14)) < 8) {
							_t176 = _t260;
						} else {
							_t176 =  *_t260;
						}
						_t177 = RegQueryValueExW( *(_t266 - 0xc8), _t176, 0, _t266 - 0xb4, _t266 - 0xac, _t266 - 0xb0);
						__eflags = _t177;
						if(_t177 != 0) {
							__eflags = _t177 - 2;
							if(_t177 == 2) {
								goto L70;
							}
							goto L42;
						} else {
							__eflags =  *(_t266 - 0xb4) - 4;
							if( *(_t266 - 0xb4) != 4) {
								L42:
								_push( *(_t266 - 0xa8));
								_t268 = _t267 - 0x30;
								 *(_t266 - 0xa8) = _t268;
								E004091B8(_t268, 0x4c2d7c, _t266 - 0xa1, _t219);
								__eflags =  *((intOrPtr*)(_t260 + 0x14)) - 8;
								 *(_t266 - 4) = 4;
								if( *((intOrPtr*)(_t260 + 0x14)) >= 8) {
									_t260 =  *_t260;
								}
								_t269 = _t268 - 0x30;
								 *((intOrPtr*)(_t266 - 0xd0)) = _t268 - 0x30;
								E004091B8(_t268 - 0x30, _t260, _t266 - 0xa1, _t219);
								__eflags =  *((intOrPtr*)(_t266 - 0x28)) - 8;
								_t96 = _t266 - 0x3c; // 0x4c2d7c
								_t97 = _t266 - 0x3c; // 0x4c2d7c
								_t183 =  >=  ?  *_t97 : _t96;
								 *(_t266 - 4) = 5;
								E004091B8(_t269 - 0x30,  >=  ?  *_t97 : _t96, _t266 - 0xa1, _t219);
								_push(_t263);
								_push(_t266 - 0x70);
								 *(_t266 - 4) = 3;
								E00448D7A(_t219, _t260, _t263, __eflags);
								_t265 =  *((intOrPtr*)(_t266 - 0xb8)) + 4;
								 *(_t266 - 4) = 6;
								__eflags =  *((intOrPtr*)(_t265 + 0x14)) - 8;
								if( *((intOrPtr*)(_t265 + 0x14)) < 8) {
									_t187 = _t265;
								} else {
									_t187 =  *_t265;
								}
								_t188 = E00412BD8(_t266 - 0x6c, _t187, 0);
								__eflags =  *((intOrPtr*)(_t266 + 8)) - 0x20;
								_t260 = _t188;
								if( *((intOrPtr*)(_t266 + 8)) != 0x20) {
									__eflags =  *((intOrPtr*)(_t265 + 0x14)) - 8;
									if( *((intOrPtr*)(_t265 + 0x14)) >= 8) {
										_t265 =  *_t265;
									}
									_t189 = E00423AD2(_t266 - 0x6c, _t265);
								} else {
									__eflags =  *((intOrPtr*)(_t266 - 0x58)) - 8;
									_t252 =  >=  ?  *((void*)(_t266 - 0x6c)) : _t266 - 0x6c;
									E00402CE0( >=  ?  *((void*)(_t266 - 0x6c)) : _t266 - 0x6c, _t266 - 0xa1, _t219);
									 *(_t266 - 4) = 7;
									 *(_t266 - 0xbc) = _t219;
									_t189 = E0042CA13( *((intOrPtr*)(_t266 - 0xcc)), __eflags, _t266 - 0xa0,  *((intOrPtr*)(_t266 - 0xb8)));
								}
								_t263 = _t189;
								__eflags =  *(_t266 - 0xbc) & _t219;
								if(( *(_t266 - 0xbc) & _t219) != 0) {
									E00401AC0(_t266 - 0xa0);
								}
								_t191 =  *((intOrPtr*)(_t266 + 0xc)) - 1;
								__eflags = _t191;
								if(_t191 == 0) {
									__eflags = _t263;
									goto L67;
								} else {
									_t194 = _t191 - 1;
									__eflags = _t194;
									if(_t194 == 0) {
										__eflags = _t263;
										_t192 = _t194 & 0xffffff00 | _t263 < 0x00000000;
										L68:
										_t219 = _t192;
										L69:
										E00401B80(_t266 - 0x70);
										goto L75;
									}
									_t196 = _t194;
									__eflags = _t196;
									if(_t196 == 0) {
										__eflags = _t263;
										_t192 = _t196 & 0xffffff00 | _t263 > 0x00000000;
										goto L68;
									}
									_t191 = _t196 - 4;
									__eflags = _t191;
									if(_t191 == 0) {
										__eflags = _t260;
										L67:
										_t131 = __eflags == 0;
										__eflags = _t131;
										_t192 = _t191 & 0xffffff00 | _t131;
										goto L68;
									}
									_t197 = _t191 - 8;
									__eflags = _t197;
									if(_t197 == 0) {
										__eflags = _t260 - 0xffffffff;
										L62:
										_t192 = _t197 & 0xffffff00 | __eflags != 0x00000000;
										goto L68;
									}
									_t197 = _t197 - 0x10;
									__eflags = _t197;
									if(_t197 != 0) {
										goto L69;
									}
									__eflags = _t263;
									goto L62;
								}
							}
							__eflags =  *(_t266 - 0xb0) - 4;
							if( *(_t266 - 0xb0) != 4) {
								goto L42;
							}
							E0043673B( *((intOrPtr*)(_t266 - 0xb8)), _t266 - 0xa8, 0xa);
							_t205 =  *((intOrPtr*)(_t266 + 0xc)) - 1;
							__eflags = _t205;
							if(_t205 == 0) {
								_t174 =  *(_t266 - 0xac);
								L38:
								__eflags = _t174 -  *(_t266 - 0xa8);
								L39:
								_t206 = _t174 & 0xffffff00 | _t280 == 0x00000000;
								L40:
								_t219 = _t206;
								goto L75;
							}
							_t207 = _t205 - 1;
							__eflags = _t207;
							if(_t207 == 0) {
								_t208 =  *(_t266 - 0xac);
								__eflags = _t208 -  *(_t266 - 0xa8);
								_t206 = _t208 & 0xffffff00 | _t208 -  *(_t266 - 0xa8) > 0x00000000;
								goto L40;
							}
							_t210 = _t207;
							__eflags = _t210;
							if(_t210 == 0) {
								_t211 =  *(_t266 - 0xac);
								__eflags = _t211 -  *(_t266 - 0xa8);
								_t206 = _t211 & 0xffffff00 | _t211 -  *(_t266 - 0xa8) > 0x00000000;
								goto L40;
							}
							_t212 = _t210 - 0xc;
							__eflags = _t212;
							if(_t212 == 0) {
								_t174 =  *(_t266 - 0xa8) &  *(_t266 - 0xac);
								goto L38;
							}
							__eflags = _t212 != 0x10;
							if(_t212 != 0x10) {
								goto L75;
							}
							_t215 =  *(_t266 - 0xac);
							__eflags = _t215 -  *(_t266 - 0xa8);
							_t206 = _t215 & 0xffffff00 | _t215 !=  *(_t266 - 0xa8);
							goto L40;
						}
					}
					_t280 =  *((intOrPtr*)(_t266 + 0xc)) - _t219;
					goto L39;
				}
			}

0x0042d048
0x0042d048
0x0042d052
0x0042d057
0x0042d063
0x0042d066
0x0042d071
0x0042d07e
0x0042d088
0x0042d08e
0x0042d095
0x0042d09c
0x0042d0a6
0x0042d0be
0x0042d0cf
0x0042d0d1
0x0042d0d6
0x0042d0db
0x0042d0de
0x0042d0e6
0x0042d0ef
0x0042d0fb
0x0042d0e8
0x0042d0e8
0x0042d0e8
0x0042d0e6
0x0042d0fe
0x0042d10a
0x0042d10d
0x0042d116
0x0042d4f2
0x0042d4f2
0x0042d4f2
0x0042d4f4
0x0042d4f7
0x0042d503
0x0042d503
0x0042d126
0x0042d12f
0x0042d132
0x0042d13d
0x0042d141
0x0042d155
0x0042d169
0x0042d16e
0x0042d170
0x0042d181
0x0042d186
0x0042d188
0x0042d199
0x0042d19e
0x0042d1a0
0x0042d1b1
0x0042d1b6
0x0042d1b8
0x0042d1c9
0x0042d1ce
0x0042d1d0
0x0042d1e1
0x0042d1e6
0x0042d1e8
0x00000000
0x00000000
0x0042d1ee
0x00000000
0x0042d1ee
0x0042d1d2
0x00000000
0x0042d1d2
0x0042d1ba
0x00000000
0x0042d1ba
0x0042d1a2
0x00000000
0x0042d1a2
0x0042d18a
0x00000000
0x0042d18a
0x0042d172
0x00000000
0x0042d157
0x0042d157
0x0042d1f3
0x0042d208
0x0042d211
0x0042d215
0x0042d220
0x0042d227
0x0042d22d
0x0042d233
0x0042d240
0x0042d244
0x0042d253
0x0042d257
0x0042d25d
0x0042d264
0x0042d4c9
0x0042d4c9
0x0042d4cc
0x0042d4d7
0x0042d4db
0x0042d4dd
0x0042d4e1
0x0042d4e3
0x0042d4e3
0x0042d4e3
0x0042d4e1
0x0042d4ce
0x0042d4ce
0x0042d4d2
0x0042d4d2
0x0042d4e5
0x0042d4eb
0x00000000
0x0042d4eb
0x0042d26d
0x0042d27d
0x0042d280
0x0042d28a
0x0042d28e
0x0042d294
0x0042d290
0x0042d290
0x0042d290
0x0042d2b4
0x0042d2ba
0x0042d2bc
0x0042d362
0x0042d365
0x00000000
0x00000000
0x00000000
0x0042d2c2
0x0042d2c2
0x0042d2c9
0x0042d36b
0x0042d36b
0x0042d377
0x0042d37c
0x0042d389
0x0042d38e
0x0042d392
0x0042d396
0x0042d398
0x0042d398
0x0042d39a
0x0042d39f
0x0042d3ae
0x0042d3b3
0x0042d3b7
0x0042d3ba
0x0042d3ba
0x0042d3cc
0x0042d3d0
0x0042d3d8
0x0042d3d9
0x0042d3da
0x0042d3de
0x0042d3ef
0x0042d3f2
0x0042d3f6
0x0042d3fa
0x0042d400
0x0042d3fc
0x0042d3fc
0x0042d3fc
0x0042d408
0x0042d40d
0x0042d411
0x0042d413
0x0042d458
0x0042d45c
0x0042d45e
0x0042d45e
0x0042d464
0x0042d415
0x0042d415
0x0042d423
0x0042d42f
0x0042d447
0x0042d44b
0x0042d451
0x0042d451
0x0042d469
0x0042d46b
0x0042d471
0x0042d479
0x0042d479
0x0042d481
0x0042d481
0x0042d482
0x0042d4b8
0x00000000
0x0042d484
0x0042d484
0x0042d484
0x0042d485
0x0042d4b1
0x0042d4b3
0x0042d4bd
0x0042d4bd
0x0042d4bf
0x0042d4c2
0x00000000
0x0042d4c2
0x0042d488
0x0042d488
0x0042d489
0x0042d4aa
0x0042d4ac
0x00000000
0x0042d4ac
0x0042d48b
0x0042d48b
0x0042d48e
0x0042d4a6
0x0042d4ba
0x0042d4ba
0x0042d4ba
0x0042d4ba
0x00000000
0x0042d4ba
0x0042d490
0x0042d490
0x0042d493
0x0042d49e
0x0042d4a1
0x0042d4a1
0x00000000
0x0042d4a1
0x0042d495
0x0042d495
0x0042d498
0x00000000
0x00000000
0x0042d49a
0x00000000
0x0042d49a
0x0042d482
0x0042d2cf
0x0042d2d6
0x00000000
0x00000000
0x0042d2eb
0x0042d2f3
0x0042d2f3
0x0042d2f4
0x0042d34c
0x0042d352
0x0042d352
0x0042d358
0x0042d358
0x0042d35b
0x0042d35b
0x00000000
0x0042d35b
0x0042d2f6
0x0042d2f6
0x0042d2f7
0x0042d33b
0x0042d341
0x0042d347
0x00000000
0x0042d347
0x0042d2fa
0x0042d2fa
0x0042d2fb
0x0042d32a
0x0042d330
0x0042d336
0x00000000
0x0042d336
0x0042d2fd
0x0042d2fd
0x0042d300
0x0042d322
0x00000000
0x0042d322
0x0042d302
0x0042d305
0x00000000
0x00000000
0x0042d30b
0x0042d311
0x0042d317
0x00000000
0x0042d317
0x0042d2bc
0x0042d26f
0x00000000
0x0042d26f

APIs

__EH_prolog3_GS.LIBCMT ref: 0042D052

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,00000004), ref: 0042D2B4

Strings

HKEY_LOCAL_MACHINE, xrefs: 0042D179
, xrefs: 0042D40D
T4L, xrefs: 0042D095
HKEY_PERFORMANCE_DATA, xrefs: 0042D1A9
HKEY_CURRENT_USER, xrefs: 0042D161
HKEY_USERS, xrefs: 0042D191
, xrefs: 0042D4DD
P/L, xrefs: 0042D08E
HKEY_CURRENT_CONFIG, xrefs: 0042D1C1
HKEY_DYN_DATA, xrefs: 0042D1D9
|-L, xrefs: 0042D3B7, 0042D3BA, 0042D3CB
HKEY_CLASSES_ROOT, xrefs: 0042D146

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_QueryValue
String ID: $ $HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_DYN_DATA$HKEY_LOCAL_MACHINE$HKEY_PERFORMANCE_DATA$HKEY_USERS$P/L$T4L$|-L
API String ID: 2669483599-3843504692
Opcode ID: f06eae71abe48cfbbd86e421a7393177120c22bba0bcb7f614c21f1382e8ce41
Instruction ID: 760d87769cb27e9a3106f8434ad31bc11ce91334da186b466ba4f57283696265
Opcode Fuzzy Hash: f06eae71abe48cfbbd86e421a7393177120c22bba0bcb7f614c21f1382e8ce41
Instruction Fuzzy Hash: 3FD1A331E00229EEDF24EF54DC41BEEB374AF15304F54419AE80967251DB38AE85CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C163, Relevance: 24.7, APIs: 1, Strings: 13, Instructions: 245
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040C163(char __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t139;
				void* _t145;
				void* _t146;
				void* _t153;
				void* _t157;
				intOrPtr* _t168;
				intOrPtr* _t181;
				intOrPtr* _t185;
				void* _t190;
				void* _t198;
				void* _t207;
				void* _t209;
				void* _t213;
				void* _t214;
				intOrPtr _t215;
				intOrPtr* _t216;
				intOrPtr _t217;
				intOrPtr _t218;
				void* _t219;
				intOrPtr _t220;
				intOrPtr _t221;
				void* _t222;
				intOrPtr _t223;
				void* _t224;
				intOrPtr* _t225;
				intOrPtr _t226;
				void* _t227;

				_t207 = __edx;
				_t161 = __ebx;
				_push(0x1c4);
				E0045B8C9(0x4a0a34, __ebx, __edi, __esi);
				_t209 = __ecx;
				_t211 = __ecx + 4;
				if( *((char*)( *((intOrPtr*)( *_t211 + 0x2c))() + 1)) != 0) {
					E0040D161( *((intOrPtr*)( *_t211 + 0x2c))(), _t213 - 0x70);
					_t161 = 0;
					 *((intOrPtr*)(_t213 - 4)) = 0;
					if( *((intOrPtr*)(_t213 - 0x5c)) == 0) {
						_t139 =  *((intOrPtr*)( *_t211 + 0x2c))();
						_t232 =  *((intOrPtr*)(_t139 + 0x13));
						_push(0);
						_push(_t213 - 0x1c1);
						 *((intOrPtr*)(_t213 - 0x18)) = 0x4c2f40;
						_t190 = _t213 - 0x40;
						_push(L"setup.log");
						if( *((intOrPtr*)(_t139 + 0x13)) == 0) {
							 *((intOrPtr*)(_t213 - 0x40)) = 0x4c2fa0;
							E00408F6D(0, _t190, _t209, _t211, __eflags);
							 *((char*)(_t213 - 4)) = 5;
							_t145 = E0040D1D8( *((intOrPtr*)( *_t211 + 0x2c))(), _t213 - 0x100);
							_push(_t213 - 0x40);
							_push(_t213 - 0xd0);
							 *((char*)(_t213 - 4)) = 6;
							_t146 = E0040B91E(0, _t145, _t209, _t211, __eflags);
							 *((char*)(_t213 - 4)) = 7;
							E004095E2(_t213 - 0x70, _t146);
							E00401B80(_t213 - 0xd0);
							_t198 = _t213 - 0x100;
						} else {
							_t211 = 0x4c2fa0;
							 *((intOrPtr*)(_t213 - 0x40)) = 0x4c2fa0;
							E00408F6D(0, _t190, _t209, 0x4c2fa0, _t232);
							_push(0);
							_push(_t213 - 0xd0);
							 *((char*)(_t213 - 4)) = 1;
							_t153 = E0040B30D(0, _t209, 0x4c2fa0, _t232);
							_push(0);
							_push(_t153);
							 *((char*)(_t213 - 4)) = 2;
							 *((intOrPtr*)(_t213 - 0xa0)) = 0x4c2fa0;
							 *((intOrPtr*)(_t213 - 0x78)) = 0x4c2f40;
							E00408E82(0, _t213 - 0xa0, _t209, 0x4c2fa0, _t232);
							_push(_t213 - 0x40);
							_push(_t213 - 0x100);
							 *((char*)(_t213 - 4)) = 3;
							_t157 = E0040B91E(0, _t213 - 0xa0, _t209, _t211, _t232);
							 *((char*)(_t213 - 4)) = 4;
							E004095E2(_t213 - 0x70, _t157);
							E00401B80(_t213 - 0x100);
							E00401B80(_t213 - 0xa0);
							_t198 = _t213 - 0xd0;
						}
						E00401B80(_t198);
						 *((char*)(_t213 - 4)) = _t161;
						E00401B80(_t213 - 0x40);
					}
					E0044BDFA(_t161, _t213 - 0x1c0, _t209, _t211, _t232);
					_push(_t161);
					_t215 = _t214 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1d0)) = _t215;
					 *((char*)(_t213 - 4)) = 8;
					E004091B8(_t215, "=", _t213 - 0x1c1, 1);
					_t216 = _t215 - 0x30;
					_t168 = _t216;
					_push(_t161);
					_push(_t213 - 0x70);
					 *((char*)(_t213 - 4)) = 9;
					 *_t168 = 0x4c2fa0;
					 *((intOrPtr*)(_t168 + 0x28)) = 0x4c2f40;
					E00408E82(_t161, _t168, _t209, _t211, _t232);
					 *((char*)(_t213 - 4)) = 8;
					E0044DA4D(_t161, _t213 - 0x1c0, _t207, _t209, _t211, _t232);
					_t217 = _t216 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1c8)) = _t217;
					E004091B8(_t217, L"Log File", _t213 - 0x1c1, 1);
					_t218 = _t217 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1d0)) = _t218;
					 *((char*)(_t213 - 4)) = 0xa;
					E004091B8(_t218, L"File", _t213 - 0x1c1, 1);
					_t219 = _t218 - 0x30;
					_t212 = L"InstallShield Silent";
					 *((char*)(_t213 - 4)) = 0xb;
					E004091B8(_t219, L"InstallShield Silent", _t213 - 0x1c1, 1);
					 *((char*)(_t213 - 4)) = 8;
					L0044E9C6(_t161, _t213 - 0x1c0, _t209, L"InstallShield Silent", _t232);
					_t220 = _t219 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1cc)) = _t220;
					E004091B8(_t220, L"v7.00", _t213 - 0x1c1, 1);
					_t221 = _t220 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1c8)) = _t221;
					 *((char*)(_t213 - 4)) = 0xc;
					E004091B8(_t221, L"Version", _t213 - 0x1c1, 1);
					_t222 = _t221 - 0x30;
					 *((char*)(_t213 - 4)) = 0xd;
					E004091B8(_t222, _t212, _t213 - 0x1c1, 1);
					 *((char*)(_t213 - 4)) = 8;
					L0044E9C6(_t161, _t213 - 0x1c0, _t209, _t212, _t232);
					_push( *((intOrPtr*)(_t209 + 0x3c0)));
					_t223 = _t222 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1cc)) = _t223;
					E004091B8(_t223, L"ResultCode", _t213 - 0x1c1, 1);
					_t224 = _t223 - 0x30;
					 *((char*)(_t213 - 4)) = 0xe;
					E004091B8(_t224, L"ResponseResult", _t213 - 0x1c1, 1);
					 *((char*)(_t213 - 4)) = 8;
					E0044E967(_t161, _t213 - 0x1c0, _t209, _t212, _t232);
					_t225 = _t224 - 0x30;
					_t181 = _t225;
					 *((intOrPtr*)(_t213 - 0x1cc)) = _t225;
					_push(_t161);
					_t211 = 0x4c2fa0;
					_push(_t209 + 0x2cc);
					 *_t181 = 0x4c2fa0;
					 *((intOrPtr*)(_t181 + 0x28)) = 0x4c2f40;
					E00408E82(_t161, _t181, _t209, 0x4c2fa0, _t232);
					_t226 = _t225 - 0x30;
					 *((intOrPtr*)(_t213 - 0x1c8)) = _t226;
					 *((char*)(_t213 - 4)) = 0xf;
					E004091B8(_t226, L"ErrorInfo", _t213 - 0x1c1, 1);
					_t227 = _t226 - 0x30;
					 *((char*)(_t213 - 4)) = 0x10;
					E004091B8(_t227, L"ExtendedError", _t213 - 0x1c1, 1);
					 *((char*)(_t213 - 4)) = 8;
					L0044E9C6(_t161, _t213 - 0x1c0, _t209, 0x4c2fa0, _t232);
					_push(1);
					_push(_t161);
					_push(_t161);
					_t185 = _t227 - 0x30;
					_push(_t161);
					_push(_t213 - 0x70);
					 *_t185 = 0x4c2fa0;
					 *((intOrPtr*)(_t185 + 0x28)) = 0x4c2f40;
					E00408E82(_t161, _t185, _t209, 0x4c2fa0, _t232);
					E0044E60F(_t161, _t213 - 0x1c0, _t209, _t211, _t232);
					 *((char*)(_t213 - 4)) = _t161;
					E0044BF62(_t213 - 0x1c0, _t232);
					E00401B80(_t213 - 0x70);
				}
				return E0045B878(_t161, _t209, _t211);
			}

0x0040c163
0x0040c163
0x0040c163
0x0040c16d
0x0040c172
0x0040c174
0x0040c182
0x0040c195
0x0040c19a
0x0040c19c
0x0040c1a2
0x0040c1ac
0x0040c1af
0x0040c1b2
0x0040c1b9
0x0040c1ba
0x0040c1c1
0x0040c1c4
0x0040c1c9
0x0040c252
0x0040c259
0x0040c269
0x0040c272
0x0040c27a
0x0040c281
0x0040c284
0x0040c288
0x0040c291
0x0040c295
0x0040c2a0
0x0040c2a5
0x0040c1cf
0x0040c1cf
0x0040c1d4
0x0040c1d7
0x0040c1e2
0x0040c1e3
0x0040c1e4
0x0040c1e8
0x0040c1ef
0x0040c1f0
0x0040c1f7
0x0040c1fb
0x0040c201
0x0040c208
0x0040c210
0x0040c217
0x0040c21e
0x0040c222
0x0040c22b
0x0040c22f
0x0040c23a
0x0040c245
0x0040c24a
0x0040c24a
0x0040c2ab
0x0040c2b3
0x0040c2b6
0x0040c2b6
0x0040c2c1
0x0040c2c6
0x0040c2c7
0x0040c2cc
0x0040c2e0
0x0040c2e4
0x0040c2e9
0x0040c2ec
0x0040c2ee
0x0040c2f2
0x0040c2f3
0x0040c2f7
0x0040c2fd
0x0040c304
0x0040c30f
0x0040c313
0x0040c318
0x0040c31d
0x0040c331
0x0040c336
0x0040c33b
0x0040c34f
0x0040c353
0x0040c358
0x0040c366
0x0040c36c
0x0040c370
0x0040c37b
0x0040c37f
0x0040c384
0x0040c389
0x0040c39d
0x0040c3a2
0x0040c3a7
0x0040c3bb
0x0040c3bf
0x0040c3c4
0x0040c3c9
0x0040c3d7
0x0040c3e2
0x0040c3e6
0x0040c3eb
0x0040c3f7
0x0040c3fc
0x0040c40a
0x0040c40f
0x0040c422
0x0040c426
0x0040c431
0x0040c435
0x0040c43a
0x0040c43d
0x0040c43f
0x0040c445
0x0040c44c
0x0040c451
0x0040c452
0x0040c454
0x0040c45b
0x0040c460
0x0040c465
0x0040c479
0x0040c47d
0x0040c482
0x0040c495
0x0040c499
0x0040c4a4
0x0040c4a8
0x0040c4ad
0x0040c4af
0x0040c4b0
0x0040c4b4
0x0040c4b6
0x0040c4ba
0x0040c4bb
0x0040c4bd
0x0040c4c4
0x0040c4cf
0x0040c4da
0x0040c4dd
0x0040c4e5
0x0040c4e5
0x0040c4ef

APIs

__EH_prolog3_GS.LIBCMT ref: 0040C16D

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 0040B30D: __EH_prolog3_GS.LIBCMT ref: 0040B317
Part of subcall function 0040B30D: GetTempPathW.KERNEL32(00000104,?,000003C4,0040C1ED,004C2FA0,00000000,setup.log,?,00000000), ref: 0040B333
Part of subcall function 0040B30D: __CxxThrowException@8.LIBCMT ref: 0040B354
Part of subcall function 0040B30D: _memset.LIBCMT ref: 0040B366
Part of subcall function 0040B30D: GetVersionExW.KERNEL32(?), ref: 0040B37F
Part of subcall function 0040B30D: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0040B400

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 0040C1BA
setup.log, xrefs: 0040C1C4
Version, xrefs: 0040C3B6
v7.00, xrefs: 0040C398
ErrorInfo, xrefs: 0040C474
InstallShield Silent, xrefs: 0040C366, 0040C36B, 0040C3D6
File, xrefs: 0040C34A
@/L, xrefs: 0040C201
Log File, xrefs: 0040C32C
@/L, xrefs: 0040C4BD
ExtendedError, xrefs: 0040C490
ResponseResult, xrefs: 0040C41D
ResultCode, xrefs: 0040C405

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeH_prolog3String$CreateException@8FilePathTempThrowVersion_memset
String ID: @/L$@/L$@/L$ErrorInfo$ExtendedError$File$InstallShield Silent$Log File$ResponseResult$ResultCode$Version$setup.log$v7.00
API String ID: 2783467436-2482715196
Opcode ID: 554b3578239a804229bda08e9ce2873447de69ce75a977c4a12ecf3687e2db24
Instruction ID: c68d3ea23bdf467265571757f091d5588a3b108f499c8db3734d4648a1fd0980
Opcode Fuzzy Hash: 554b3578239a804229bda08e9ce2873447de69ce75a977c4a12ecf3687e2db24
Instruction Fuzzy Hash: 4AA1D770A41218EEEB15EBA5C856FDDBB78AF15304F1000DEE409671C2DBB95F48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004903C0, Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 243
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E004903C0(void* __ecx, void* __edx, char _a4, char _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				short _v32;
				short _v36;
				short _v40;
				char _v44;
				signed int _v48;
				char _v64;
				char _v68;
				long _v72;
				char _v76;
				short _v80;
				short _v84;
				short _v88;
				char _v92;
				intOrPtr _v96;
				char _v112;
				char _v116;
				long _v120;
				intOrPtr _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				signed int _v144;
				char _v160;
				char _v164;
				char _v172;
				intOrPtr _v176;
				char _v208;
				char _v212;
				char _v260;
				signed int _v264;
				char _v265;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t108;
				signed int _t109;
				intOrPtr _t117;
				intOrPtr _t121;
				intOrPtr _t132;
				intOrPtr _t137;
				intOrPtr _t140;
				intOrPtr _t158;
				intOrPtr _t165;
				intOrPtr _t166;
				intOrPtr _t170;
				intOrPtr _t171;
				void* _t175;
				void* _t176;
				intOrPtr _t191;
				void* _t209;
				void* _t210;
				void* _t211;
				void* _t214;
				void* _t216;
				signed int _t217;
				void* _t218;
				void* _t219;

				_t209 = __edx;
				_push(0xffffffff);
				_push(0x4ab79f);
				_push( *[fs:0x0]);
				_t219 = _t218 - 0xfc;
				_t108 =  *0x4d7e88; // 0x9518852c
				_t109 = _t108 ^ _t217;
				_v20 = _t109;
				_push(_t210);
				_push(_t109);
				 *[fs:0x0] =  &_v16;
				_t175 = __ecx;
				_v8 = 0;
				if( *((intOrPtr*)(E0048FB40(__ecx + 0x4c,  &_v264,  &_a4))) ==  *((intOrPtr*)(__ecx + 0x4c))) {
					_v68 = 0x4c2f78;
					_v28 = 0x4c2fa8;
					_v24 = GetLastError();
					_v64 = 0;
					_v40 = 0;
					_v36 = 0;
					_v32 = 0;
					_t117 = _v28;
					_v44 = 7;
					_v48 = 0;
					_t19 = _t117 + 4; // 0x4
					SetLastError( *(_t217 +  *_t19 - 0x18));
					_v164 = 0x4c2f78;
					_v124 = 0x4c2fa8;
					_v120 = GetLastError();
					_v160 = 0;
					_v136 = 0;
					_v132 = 0;
					_v128 = 0;
					_t121 = _v124;
					_v140 = 7;
					_v144 = 0;
					_t32 = _t121 + 4; // 0x4
					SetLastError( *(_t217 +  *_t32 - 0x78));
					_v8 = 2;
					_t214 = E004068B0( &_a8, "-", 0, 1);
					__eflags = _t214 - 0xffffffff;
					if(_t214 != 0xffffffff) {
						_t165 = E00494EB0( &_v260, 0, _t214);
						_v8 = 3;
						__eflags = _t165;
						if(_t165 == 0) {
							_t166 = 0;
							__eflags = 0;
							goto L7;
						} else {
							_t166 = _t165 + 4;
							__eflags =  &_v160 - _t166;
							if( &_v160 != _t166) {
								L7:
								_push(0xffffffff);
								E00406630(_t175,  &_v160, _t210, _t166, 0);
							}
						}
						_v8 = 2;
						E00401AC0( &_v260);
						_t170 = E00494EB0( &_v260, _t214, 0xffffffff);
						_v8 = 4;
						__eflags = _t170;
						if(_t170 == 0) {
							_t171 = 0;
							__eflags = 0;
							goto L12;
						} else {
							_t171 = _t170 + 4;
							__eflags =  &_v64 - _t171;
							if( &_v64 != _t171) {
								L12:
								_push(0xffffffff);
								E00406630(_t175,  &_v64, _t210, _t171, 0);
							}
						}
						_v8 = 2;
						E00401AC0( &_v260);
					}
					__eflags = _v48;
					if(_v48 == 0) {
						L23:
						E004053A0( &_a4, 1);
						E00490100(_t175, _t209, __eflags);
					} else {
						_push(3);
						_t132 = E004086E0(_t175,  &_v160, _t210, _t214, 0, _v144, L"ALL");
						__eflags = _t132;
						if(_t132 == 0) {
							goto L23;
						} else {
							__eflags = _v44 - 8;
							_push(0);
							_t191 =  >=  ? _v64 :  &_v64;
							_push( &_v265);
							__eflags = _t191;
							_t135 =  !=  ? _t191 : 0x4c2d7c;
							_push( !=  ? _t191 : 0x4c2d7c);
							_v264 = 0;
							_v212 = 0x4c2fa0;
							_v172 = 0x4c2f40;
							E00408F6D(_t175,  &_v212, _t210, _t214, _t191);
							_t137 = _v176;
							_v8 = 5;
							__eflags = _t137;
							if(_t137 != 0) {
								__imp__#6(_t137);
								_v176 = 0;
							}
							E004080F0(_t175,  &_v208, _t210, _t214, 0, 1);
							_t140 = E004293F3( &_v212,  &_v264, 0x10);
							__eflags = _t140;
							if(_t140 == 0) {
								L22:
								_v8 = 2;
								E00401B80( &_v212);
								goto L23;
							} else {
								_v116 = 0x4c2fa0;
								_v76 = 0x4c2f40;
								_v72 = GetLastError();
								_v112 = 0;
								_v88 = 0;
								_v84 = 0;
								_v80 = 0;
								_t75 =  &_v76; // 0x4c2f40
								_v92 = 7;
								_v96 = 0;
								_t80 =  *((intOrPtr*)( *_t75 + 4)) - 0x48; // 0x4c2f40
								SetLastError( *(_t217 + _t80));
								_v8 = 6;
								E0040DD64( &_v116, L"-%04x", _v264 & 0x000003ff);
								__eflags = _v92 - 8;
								_t151 =  >=  ? _v112 :  &_v112;
								_t87 =  &_v164; // 0x4c2f78
								E00480CE0(_t209,  &_v260, _t87,  >=  ? _v112 :  &_v112);
								_t219 = _t219 + 0x18;
								_v8 = 7;
								_t158 =  *((intOrPtr*)(E0048FB40(_t175 + 0x4c,  &_v264,  &_v260)));
								__eflags = _t158 -  *((intOrPtr*)(_t175 + 0x4c));
								if(_t158 ==  *((intOrPtr*)(_t175 + 0x4c))) {
									E00401AC0( &_v260);
									E00401B80( &_v116);
									goto L22;
								} else {
									E00401AC0( &_v260);
									E00401B80( &_v116);
									E00401B80( &_v212);
								}
							}
						}
					}
					_t102 =  &_v164; // 0x4c2f78
					E00401AC0(_t102);
					_t103 =  &_v68; // 0x4c2f78
					E00401AC0(_t103);
				} else {
				}
				E00401AC0( &_a4);
				 *[fs:0x0] = _v16;
				_pop(_t211);
				_pop(_t216);
				_pop(_t176);
				return E0045A457(_t176, _v20 ^ _t217, _t209, _t211, _t216);
			}

0x004903c0
0x004903c3
0x004903c5
0x004903d0
0x004903d1
0x004903d7
0x004903dc
0x004903de
0x004903e3
0x004903e4
0x004903e8
0x004903ee
0x004903fe
0x0049040f
0x0049041f
0x00490426
0x0049042f
0x00490434
0x00490438
0x0049043b
0x0049043e
0x00490441
0x00490444
0x0049044b
0x00490452
0x00490459
0x0049045f
0x00490469
0x00490472
0x00490477
0x0049047e
0x00490484
0x00490487
0x0049048a
0x0049048d
0x00490497
0x004904a1
0x004904a8
0x004904ba
0x004904c3
0x004904c5
0x004904c8
0x004904db
0x004904e0
0x004904e4
0x004904e6
0x004904f7
0x004904f7
0x00000000
0x004904e8
0x004904e8
0x004904f1
0x004904f3
0x004904f9
0x004904f9
0x00490504
0x00490504
0x004904f3
0x0049050f
0x00490513
0x00490525
0x0049052a
0x0049052e
0x00490530
0x0049053e
0x0049053e
0x00000000
0x00490532
0x00490532
0x00490538
0x0049053a
0x00490540
0x00490540
0x00490548
0x00490548
0x0049053a
0x00490553
0x00490557
0x00490557
0x0049055c
0x00490560
0x004906fe
0x00490709
0x00490710
0x00490566
0x00490566
0x0049057b
0x00490580
0x00490582
0x00000000
0x00490588
0x00490588
0x0049058c
0x00490591
0x0049059b
0x0049059c
0x004905a3
0x004905a6
0x004905ad
0x004905b7
0x004905c1
0x004905cb
0x004905d0
0x004905d6
0x004905da
0x004905dc
0x004905df
0x004905e5
0x004905e5
0x004905f9
0x0049060d
0x00490612
0x00490614
0x004906ef
0x004906f5
0x004906f9
0x00000000
0x0049061a
0x0049061a
0x00490621
0x0049062e
0x00490633
0x00490637
0x0049063a
0x0049063d
0x00490640
0x00490643
0x0049064a
0x00490654
0x00490658
0x00490673
0x00490677
0x0049067c
0x00490683
0x00490688
0x00490696
0x0049069b
0x004906af
0x004906b8
0x004906c0
0x004906c3
0x004906e2
0x004906ea
0x00000000
0x004906c5
0x004906c8
0x004906d0
0x004906db
0x004906db
0x004906c3
0x00490614
0x00490582
0x00490717
0x0049071d
0x00490722
0x00490725
0x00490411
0x00490411
0x0049072d
0x00490737
0x0049073f
0x00490740
0x00490741
0x0049074f

APIs

GetLastError.KERNEL32(?,?,9518852C,?,?,?), ref: 0049042D
SetLastError.KERNEL32(004C2FA8,?,?,?), ref: 00490459
GetLastError.KERNEL32(?,?,?), ref: 00490470
SetLastError.KERNEL32(004C2FA8,?,?,?), ref: 004904A8

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

@/L, xrefs: 00490640
x/L, xrefs: 00490688, 0049068E
-%04x, xrefs: 0049066D
@/L, xrefs: 004905C1
ALL, xrefs: 00490568
|-L, xrefs: 0049059E
x/L, xrefs: 00490722

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: -%04x$@/L$@/L$ALL$x/L$x/L$|-L
API String ID: 2425351278-1512846612
Opcode ID: f411d0e9ab147324a2a143e4e91464cc4e801e1a86f6e993452bf474e68b4d2b
Instruction ID: ebecb8ea2020591ad02cc0cc64adcfa2df6b7ac4c083aef3c2a62466a0d9f0de
Opcode Fuzzy Hash: f411d0e9ab147324a2a143e4e91464cc4e801e1a86f6e993452bf474e68b4d2b
Instruction Fuzzy Hash: F6B16B71900218DFDF14DFA5CD45BDEBBB8AF14304F1041AEE519A7291EBB86A48CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDEE, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0041DDEE(void* __ebx, WCHAR** __ecx, void* __edi, WCHAR* __esi, void* __eflags) {
				intOrPtr* _t42;
				WCHAR* _t52;
				WCHAR* _t54;
				WCHAR* _t55;
				WCHAR* _t56;
				WCHAR* _t59;
				WCHAR* _t60;
				WCHAR* _t61;
				WCHAR* _t62;
				WCHAR* _t64;
				void* _t66;
				WCHAR* _t67;
				WCHAR* _t68;
				WCHAR* _t69;
				WCHAR* _t70;
				WCHAR* _t72;
				WCHAR* _t79;
				WCHAR* _t80;
				WCHAR* _t81;
				WCHAR* _t84;
				void* _t91;
				void* _t92;
				signed int _t93;
				void* _t100;
				signed int _t105;
				WCHAR* _t108;
				WCHAR* _t109;
				WCHAR** _t111;
				void* _t113;
				void* _t114;

				_t112 = __esi;
				_push(0x60);
				E0045B8C9(0x4a329d, __ebx, __edi, __esi);
				_t111 = __ecx;
				_t84 =  *(_t113 + 8);
				_t42 =  *((intOrPtr*)(_t113 + 0xc));
				 *((intOrPtr*)(_t113 - 0x68)) = _t42;
				if(_t84 == 0 || _t42 == 0) {
					goto L50;
				} else {
					 *_t42 = 0;
					E004161D8(_t113 - 0x64, E0045B5D4(_t84) + _t45);
					 *((intOrPtr*)(_t113 - 4)) = 0;
					if( *((intOrPtr*)(_t113 - 0x5c)) == 0) {
						L31:
						_t112 = 0x8007000e;
						L46:
						__imp__CoTaskMemFree( *((intOrPtr*)(_t113 - 0x5c)));
						L50:
						return E0045B878(_t84, _t111, _t112);
					}
					 *((char*)(_t113 - 0x53)) = 0;
					 *_t111 = _t84;
					_t112 = E0041884D(_t113 - 0x53);
					if(_t112 < 0) {
						goto L46;
					}
					_t89 = 0;
					_t52 = 0;
					_t108 = 0;
					 *(_t113 - 0x58) = 0;
					 *((char*)(_t113 - 0x52)) = 0;
					 *((char*)(_t113 - 0x51)) = 0;
					if( *_t84 == 0) {
						L43:
						_t109 = 0;
						__eflags = 0;
						L44:
						__eflags = _t112;
						if(_t112 >= 0) {
							 *((intOrPtr*)(_t113 - 0x5c)) = _t109;
							 *((intOrPtr*)( *((intOrPtr*)(_t113 - 0x68)))) =  *((intOrPtr*)(_t113 - 0x5c));
						}
						goto L46;
					}
					_t84 = CharNextW;
					L6:
					while(1) {
						if( *((char*)(_t113 - 0x53)) != 1) {
							L28:
							_t54 =  *_t111;
							_t91 = 0x25;
							if( *_t54 != _t91) {
								_t89 = _t113 - 0x64;
								_t55 = E004186A0(_t113 - 0x64, _t54, 1);
								__eflags = _t55;
								if(_t55 != 0) {
									L39:
									_t56 = CharNextW( *_t111);
									_t109 = 0;
									 *_t111 = _t56;
									__eflags =  *_t56;
									if( *_t56 == 0) {
										goto L44;
									}
									_t52 =  *(_t113 - 0x58);
									_t108 =  *((intOrPtr*)(_t113 - 0x51));
									continue;
								}
								_t112 = 0x8007000e;
								goto L43;
							}
							_t72 = CharNextW(_t54);
							_t100 = 0x25;
							 *_t111 = _t72;
							if( *_t72 != _t100) {
								_t84 = E0042293A(_t72, _t100);
								__eflags = _t84;
								if(_t84 == 0) {
									L48:
									_t112 = 0x80020009;
									goto L46;
								}
								_t105 = _t84 -  *_t111 >> 1;
								__eflags = _t105 - 0x1f;
								if(_t105 > 0x1f) {
									_t112 = 0x80004005;
									goto L46;
								}
								E00418812(_t105, E0045CE08(_t113 - 0x50, 0x20,  *_t111, _t105));
								_t114 = _t114 + 0x14;
								 *((intOrPtr*)(_t113 - 0x6c)) = _t113 - 0x50;
								_t79 = E0041CE58( &(_t111[1][2]), _t113 - 0x6c);
								__eflags = _t79;
								if(__eflags == 0) {
									goto L48;
								}
								_push(_t79);
								_t89 = _t113 - 0x64;
								_t80 = E0041804D(_t84, _t113 - 0x64, _t111, _t112, __eflags);
								__eflags = _t80;
								if(_t80 == 0) {
									goto L31;
								}
								__eflags =  *_t111 - _t84;
								if( *_t111 == _t84) {
									L38:
									_t84 = CharNextW;
									goto L39;
								} else {
									goto L37;
								}
								do {
									L37:
									_t81 = CharNextW( *_t111);
									 *_t111 = _t81;
									__eflags = _t81 - _t84;
								} while (_t81 != _t84);
								goto L38;
							}
							_t89 = _t113 - 0x64;
							if(E004186A0(_t113 - 0x64, _t72, 1) != 0) {
								goto L39;
							}
							goto L31;
						}
						if(_t52 != 0) {
							L13:
							_t92 = 0x27;
							if(_t92 !=  *( *_t111)) {
								L20:
								__eflags = _t108;
								if(_t108 != 0) {
									goto L28;
								}
								L21:
								_t93 =  *( *_t111) & 0x0000ffff;
								_t59 =  *(_t113 - 0x58);
								__eflags = _t93 - 0x7b;
								if(_t93 == 0x7b) {
									_t59 =  &(_t59[0]);
									__eflags = _t59;
									 *(_t113 - 0x58) = _t59;
								}
								__eflags = _t93 - 0x7d;
								if(_t93 == 0x7d) {
									_t60 = _t59 - 1;
									__eflags = _t60;
									 *(_t113 - 0x58) = _t60;
									if(_t60 != 0) {
										goto L28;
									}
									__eflags =  *((char*)(_t113 - 0x52)) - 1;
									if(__eflags != 0) {
										goto L28;
									}
									_push(L"\r\n\t}\r\n}\r\n");
									_t61 = E0041804D(_t84, _t113 - 0x64, _t111, _t112, __eflags);
									__eflags = _t61;
									if(_t61 == 0) {
										goto L31;
									}
									 *((char*)(_t113 - 0x52)) = 0;
								}
								goto L28;
							}
							if(_t108 != 0) {
								_t62 = E00419AE3(_t111);
								__eflags = _t62;
								if(_t62 == 0) {
									 *_t111 = CharNextW( *_t111);
									_t64 = E004186A0(_t113 - 0x64, _t63, 1);
									__eflags = _t64;
									if(_t64 == 0) {
										goto L31;
									}
									_t108 =  *((intOrPtr*)(_t113 - 0x51));
									goto L20;
								}
								 *((char*)(_t113 - 0x51)) = 0;
								goto L21;
							}
							 *((char*)(_t113 - 0x51)) = 1;
							goto L28;
						}
						_push(L"HKCR");
						_push( *_t111);
						_t66 = E0045DDD2(_t89);
						if(_t66 == 0) {
							L12:
							_t108 =  *((intOrPtr*)(_t113 - 0x51));
							goto L13;
						}
						_t124 = _t66 -  *_t111;
						if(_t66 !=  *_t111) {
							goto L12;
						}
						_t67 = CharNextW( *_t111);
						 *_t111 = _t67;
						_t68 = CharNextW(_t67);
						 *_t111 = _t68;
						_t69 = CharNextW(_t68);
						 *_t111 = _t69;
						_t70 = CharNextW(_t69);
						_push(L"HKCU\r\n{\tSoftware\r\n\t{\r\n\t\tClasses");
						 *_t111 = _t70;
						if(E0041804D(_t84, _t113 - 0x64, _t111, _t112, _t124) == 0) {
							goto L31;
						}
						 *((char*)(_t113 - 0x52)) = 1;
						goto L12;
					}
				}
			}

0x0041ddee
0x0041ddee
0x0041ddf5
0x0041ddfa
0x0041ddfc
0x0041ddff
0x0041de02
0x0041de07
0x00000000
0x0041de15
0x0041de18
0x0041de26
0x0041de2d
0x0041de33
0x0041df6b
0x0041df6b
0x0041e029
0x0041e02c
0x0041e049
0x0041e04e
0x0041e04e
0x0041de39
0x0041de40
0x0041de47
0x0041de4b
0x00000000
0x00000000
0x0041de51
0x0041de53
0x0041de55
0x0041de57
0x0041de5a
0x0041de5d
0x0041de63
0x0041e018
0x0041e018
0x0041e018
0x0041e01a
0x0041e01a
0x0041e01c
0x0041e024
0x0041e027
0x0041e027
0x00000000
0x0041e01c
0x0041de69
0x00000000
0x0041de6f
0x0041de73
0x0041df3d
0x0041df3d
0x0041df41
0x0041df45
0x0041e007
0x0041e00a
0x0041e00f
0x0041e011
0x0041dfec
0x0041dfee
0x0041dff0
0x0041dff2
0x0041dff4
0x0041dff7
0x00000000
0x00000000
0x0041dff9
0x0041dffc
0x00000000
0x0041dffc
0x0041e013
0x00000000
0x0041e013
0x0041df4c
0x0041df50
0x0041df51
0x0041df56
0x0041df7c
0x0041df80
0x0041df82
0x0041e03d
0x0041e03d
0x00000000
0x0041e03d
0x0041df8c
0x0041df8e
0x0041df91
0x0041e036
0x00000000
0x0041e036
0x0041dfa6
0x0041dfb1
0x0041dfb4
0x0041dfbe
0x0041dfc3
0x0041dfc5
0x00000000
0x00000000
0x0041dfc7
0x0041dfc8
0x0041dfcb
0x0041dfd0
0x0041dfd2
0x00000000
0x00000000
0x0041dfd4
0x0041dfd6
0x0041dfe6
0x0041dfe6
0x00000000
0x00000000
0x00000000
0x00000000
0x0041dfd8
0x0041dfd8
0x0041dfda
0x0041dfe0
0x0041dfe2
0x0041dfe2
0x00000000
0x0041dfd8
0x0041df5b
0x0041df65
0x00000000
0x00000000
0x00000000
0x0041df65
0x0041de7b
0x0041dec4
0x0041dec8
0x0041decc
0x0041df02
0x0041df02
0x0041df04
0x00000000
0x00000000
0x0041df06
0x0041df08
0x0041df0b
0x0041df0e
0x0041df11
0x0041df13
0x0041df13
0x0041df14
0x0041df14
0x0041df17
0x0041df1a
0x0041df1c
0x0041df1c
0x0041df1d
0x0041df20
0x00000000
0x00000000
0x0041df22
0x0041df26
0x00000000
0x00000000
0x0041df28
0x0041df30
0x0041df35
0x0041df37
0x00000000
0x00000000
0x0041df39
0x0041df39
0x00000000
0x0041df1a
0x0041ded0
0x0041deda
0x0041dedf
0x0041dee1
0x0041def4
0x0041def6
0x0041defb
0x0041defd
0x00000000
0x00000000
0x0041deff
0x00000000
0x0041deff
0x0041dee5
0x00000000
0x0041dee5
0x0041ded2
0x00000000
0x0041ded2
0x0041de7d
0x0041de82
0x0041de84
0x0041de8d
0x0041dec1
0x0041dec1
0x00000000
0x0041dec1
0x0041de8f
0x0041de91
0x00000000
0x00000000
0x0041de95
0x0041de98
0x0041de9a
0x0041de9d
0x0041de9f
0x0041dea2
0x0041dea4
0x0041dea6
0x0041deae
0x0041deb7
0x00000000
0x00000000
0x0041debd
0x00000000
0x0041debd
0x0041de6f

APIs

__EH_prolog3_GS.LIBCMT ref: 0041DDF5
_wcsstr.LIBCMT ref: 0041DE84
CharNextW.USER32(?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE95
CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE9A
CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DE9F
CharNextW.USER32(00000000,?,?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DEA4
CharNextW.USER32(00000000,}},?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DF4C
CharNextW.USER32(?,00000000), ref: 0041DFDA
CharNextW.USER32(?,00000000,00000001,?,00000060,00420044,?,00000000), ref: 0041DFEE
CoTaskMemFree.OLE32(?,00000060,00420044,?,00000000), ref: 0041E02C

Strings

HKCR, xrefs: 0041DE7D
}}, xrefs: 0041DF28
HKCU{Software{Classes, xrefs: 0041DEA6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CharNext$FreeH_prolog3_Task_wcsstr
String ID: }}$HKCR$HKCU{Software{Classes
API String ID: 2086807494-1142484189
Opcode ID: 8f30e03445809a091b1cffeecd05f48cd9bfb1e696a547fa3020534b9aea9403
Instruction ID: df0c8aa4c098a463b193e25667902a6e3b71f4746cd688b4e961f85f3641d515
Opcode Fuzzy Hash: 8f30e03445809a091b1cffeecd05f48cd9bfb1e696a547fa3020534b9aea9403
Instruction Fuzzy Hash: 3A7185B4D043469EDF159FE5C885AEEBBB4AF19304F14002FE806AB285EB7D9D85C718

Uniqueness

Uniqueness Score: -1.00%

Function 00402DE0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402DE0(void* __ecx, intOrPtr* _a4, short _a8) {
				intOrPtr _v8;
				char _v16;
				char _v20;
				signed int _v24;
				long _v28;
				intOrPtr _v32;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				char _v76;
				intOrPtr _v80;
				short _v84;
				char _v88;
				intOrPtr _v96;
				intOrPtr* _v100;
				char _v112;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				char _v136;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t72;
				signed int _t74;
				intOrPtr _t81;
				intOrPtr _t84;
				void* _t85;
				void* _t106;
				void* _t107;
				short* _t110;
				short* _t112;
				intOrPtr* _t121;
				void* _t122;
				void* _t124;
				short _t125;
				intOrPtr* _t126;
				intOrPtr* _t130;
				void* _t131;
				signed int _t132;
				signed int _t134;
				intOrPtr* _t135;
				signed int _t136;

				_push(0xffffffff);
				_push(0x4ac4c0);
				_push( *[fs:0x0]);
				_t134 = (_t132 & 0xfffffff8) - 0x48;
				_t72 =  *0x4d7e88; // 0x9518852c
				_v24 = _t72 ^ _t134;
				_t74 =  *0x4d7e88; // 0x9518852c
				_push(_t74 ^ _t134);
				 *[fs:0x0] =  &_v16;
				_t124 = __ecx;
				_t121 = _a4;
				_t106 = GetLastError;
				_v76 = _t121;
				_v84 = _a8;
				_v80 = 0;
				_v72 = 0x4c2f50;
				_v32 = 0x4c3454;
				_v28 = GetLastError();
				_v8 = 0;
				if(_t124 == 0) {
					_t125 = 0;
				} else {
					_t125 = _t124 + 4;
				}
				_push(0xffffffff);
				_v48 = 7;
				_v52 = 0;
				_v68 = 0;
				E00406630(_t106,  &_v68, _t121, _t125, 0);
				_t81 = _v44;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_t20 = _t81 + 4; // 0x4
				_t22 =  *_t20 + 0x48; // 0x4c3454
				SetLastError( *(_t134 + _t22));
				_push(0x5c);
				_t135 = _t134 - 0x30;
				_t126 = _t135;
				_v20 = 1;
				_v100 = _t126;
				 *_t126 = 0x4c2f50;
				 *((intOrPtr*)(_t126 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t126 + 0x2c)) = GetLastError();
				_t84 = _v96;
				_v20 = 2;
				if(_t84 == 0) {
					_t85 = 0;
				} else {
					_t85 = _t84 + 4;
				}
				_t110 = _t126 + 4;
				 *((intOrPtr*)(_t110 + 0x14)) = 7;
				 *((intOrPtr*)(_t110 + 0x10)) = 0;
				 *_t110 = 0;
				E00406630(_t106, _t110, _t121, _t85, 0);
				 *((intOrPtr*)(_t126 + 0x1c)) = 0;
				 *((intOrPtr*)(_t126 + 0x20)) = 0;
				 *((intOrPtr*)(_t126 + 0x24)) = 0;
				_t36 =  *((intOrPtr*)(_t126 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t36 + _t126 + 0x28));
				_v24 = 1;
				E00404F90( &_v88, 0);
				 *_t121 = 0x4c2f50;
				 *((intOrPtr*)(_t121 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t121 + 0x2c)) = GetLastError();
				_t43 = _t121 + 4; // 0x4
				_t112 = _t43;
				_v76 = 3;
				 *((intOrPtr*)(_t112 + 0x14)) = 7;
				 *((intOrPtr*)(_t112 + 0x10)) = 0;
				 *_t112 = 0;
				E00406630(_t106, _t112, _t121,  &_v136, 0);
				 *((intOrPtr*)(_t121 + 0x1c)) = 0;
				 *((intOrPtr*)(_t121 + 0x20)) = 0;
				 *((intOrPtr*)(_t121 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t121 + 0x28)) + 4)) + _t121 + 0x28));
				 *((intOrPtr*)( &_v112 +  *((intOrPtr*)(_v112 + 4)))) = GetLastError();
				L0045A7D5(_v124);
				_t130 = __imp__#6;
				_t136 = _t135 + 4;
				 *_t130(_v116, 0xffffffff, 0xffffffff);
				if(_v132 >= 8) {
					 *_t130(_v84);
				}
				_v64 = 7;
				_v68 = 0;
				_v84 = 0;
				SetLastError( *(_t136 +  *((intOrPtr*)(_v88 + 4)) + 0x20));
				 *[fs:0x0] = _v32;
				_pop(_t122);
				_pop(_t131);
				_pop(_t107);
				return E0045A457(_t107, _v40 ^ _t136, 0, _t122, _t131);
			}

0x00402de6
0x00402de8
0x00402df3
0x00402df4
0x00402df7
0x00402dfe
0x00402e05
0x00402e0c
0x00402e11
0x00402e17
0x00402e1c
0x00402e1f
0x00402e25
0x00402e29
0x00402e2d
0x00402e35
0x00402e3d
0x00402e47
0x00402e4b
0x00402e55
0x00402e5c
0x00402e57
0x00402e57
0x00402e57
0x00402e60
0x00402e68
0x00402e70
0x00402e78
0x00402e7d
0x00402e82
0x00402e86
0x00402e8e
0x00402e96
0x00402e9e
0x00402ea1
0x00402ea5
0x00402eab
0x00402ead
0x00402eb0
0x00402eb2
0x00402ebd
0x00402ec1
0x00402ec7
0x00402ed0
0x00402ed3
0x00402ed7
0x00402ee1
0x00402ee8
0x00402ee3
0x00402ee3
0x00402ee3
0x00402eea
0x00402ef2
0x00402ef9
0x00402f01
0x00402f04
0x00402f09
0x00402f10
0x00402f17
0x00402f21
0x00402f2e
0x00402f34
0x00402f3c
0x00402f41
0x00402f47
0x00402f50
0x00402f53
0x00402f53
0x00402f56
0x00402f5f
0x00402f66
0x00402f6e
0x00402f76
0x00402f7b
0x00402f82
0x00402f89
0x00402f9a
0x00402fab
0x00402fb1
0x00402fb6
0x00402fbc
0x00402fc3
0x00402fca
0x00402fd0
0x00402fd0
0x00402fd8
0x00402fe0
0x00402fe8
0x00402ff4
0x00403000
0x00403008
0x00403009
0x0040300a
0x00403019

APIs

GetLastError.KERNEL32 ref: 00402E45
SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00402EA5
GetLastError.KERNEL32 ref: 00402ECE
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402F2E
GetLastError.KERNEL32 ref: 00402F4E
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00402F9A
GetLastError.KERNEL32 ref: 00402FA9
SysFreeString.OLEAUT32(?), ref: 00402FC3
SysFreeString.OLEAUT32(?), ref: 00402FD0
SetLastError.KERNEL32(?), ref: 00402FF4

Strings

T4L, xrefs: 00402DE0
T4L, xrefs: 00402EA1
P/L, xrefs: 00402E35
T4L, xrefs: 00402F47

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: P/L$T4L$T4L$T4L
API String ID: 2425351278-1200131689
Opcode ID: a414d49dc25df6b754e20dce2ff4c519001376e667885f0d4bdf09e3eca5f0ff
Instruction ID: 172fd561f14f619d7ac7ebfe38aa88d87d771699b45606e31d79c9c95792b808
Opcode Fuzzy Hash: a414d49dc25df6b754e20dce2ff4c519001376e667885f0d4bdf09e3eca5f0ff
Instruction Fuzzy Hash: 705129715083419FD710CF29C944B0ABBF4FF89318F104A2EE499976A1D7B6E919CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B30D, Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 125
fileCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040B30D(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				long _t50;
				void* _t58;
				void* _t69;
				void* _t76;
				void* _t77;
				void* _t92;
				intOrPtr* _t109;
				void* _t110;

				_push(0x3c4);
				E0045B8C9(0x4a071f, __ebx, __edi, __esi);
				_t109 =  *((intOrPtr*)(_t110 + 8));
				 *((intOrPtr*)(_t110 - 0x3d0)) = 0;
				_t50 = GetTempPathW(0x104, _t110 - 0x218);
				_t114 = _t50;
				if(_t50 == 0) {
					E0040B827(0, _t110 - 0x234, __edi, _t109, _t114);
					E0045A466(_t110 - 0x234, 0x4c6ab8);
				}
				E0045A4D0(_t110 - 0x3c4, 0, 0x110);
				 *(_t110 - 0x3c8) = 0x114;
				if(GetVersionExW(_t110 - 0x3c8) == 0) {
					L7:
					_push(0);
					_push(_t110 - 0x3c9);
					_push(_t110 - 0x218);
					 *((intOrPtr*)(_t110 - 0x278)) = 0x4ae964;
					 *((intOrPtr*)(_t110 - 0x250)) = 0x4ae96c;
					E00408F6D(0, _t110 - 0x278, 0x4ae964, _t109, __eflags);
					 *(_t110 - 4) = 3;
					_t58 = E0040B9F3(_t110 - 0x278, 0x4ae964, "\\");
					_push(0);
					_push(_t58);
					 *_t109 = 0x4ae964;
					 *((intOrPtr*)(_t109 + 0x28)) = 0x4ae96c;
					E00408E82(0, _t109, 0x4ae964, _t109, __eflags);
					_t92 = _t110 - 0x278;
				} else {
					_t116 =  *((intOrPtr*)(_t110 - 0x3b8)) - 1;
					if( *((intOrPtr*)(_t110 - 0x3b8)) != 1) {
						goto L7;
					} else {
						_push(0);
						_push(_t110 - 0x3c9);
						_push(_t110 - 0x218);
						 *((intOrPtr*)(_t110 - 0x248)) = 0x4ae964;
						 *((intOrPtr*)(_t110 - 0x220)) = 0x4ae96c;
						E00408F6D(0, _t110 - 0x248, 0x4ae964, _t109, _t116);
						 *(_t110 - 4) = 0;
						E0040B9F3(_t110 - 0x248, 0x4ae964, L"123.tmp");
						_t68 =  >=  ?  *((void*)(_t110 - 0x244)) : _t110 - 0x244;
						_t69 = CreateFileW( >=  ?  *((void*)(_t110 - 0x244)) : _t110 - 0x244, 0x40000000, 0, 0, 2, 0x80, 0);
						_t118 = _t69 - 0xffffffff;
						if(_t69 != 0xffffffff) {
							CloseHandle(_t69);
							__eflags =  *((intOrPtr*)(_t110 - 0x230)) - 8;
							_t72 =  >=  ?  *((void*)(_t110 - 0x244)) : _t110 - 0x244;
							DeleteFileW( >=  ?  *((void*)(_t110 - 0x244)) : _t110 - 0x244);
							_t35 = _t110 - 4;
							 *_t35 =  *(_t110 - 4) | 0xffffffff;
							__eflags =  *_t35;
							E00401B80(_t110 - 0x248);
							goto L7;
						} else {
							_push(0);
							_push(_t110 - 0x278);
							_t76 = E0040B51F(0, 0x4ae964, _t109, _t118);
							 *(_t110 - 4) = 1;
							_t77 = E0040DBCC(_t76, _t118, _t110 - 0x2b4);
							 *(_t110 - 4) = 2;
							E004095E2(_t110 - 0x248, _t77);
							E00401B80(_t110 - 0x2b4);
							 *(_t110 - 4) = 0;
							E00401B80(_t110 - 0x278);
							E0040B9F3(_t110 - 0x248, 0x4ae964, L"temp");
							_push(0);
							_push(_t110 - 0x248);
							 *_t109 = 0x4ae964;
							 *((intOrPtr*)(_t109 + 0x28)) = 0x4ae96c;
							E00408E82(0, _t109, 0x4ae964, _t109, _t118);
							_t92 = _t110 - 0x248;
						}
					}
				}
				E00401B80(_t92);
				return E0045B878(0, 0x4ae964, _t109);
			}

0x0040b30d
0x0040b317
0x0040b31c
0x0040b32d
0x0040b333
0x0040b339
0x0040b33b
0x0040b343
0x0040b354
0x0040b354
0x0040b366
0x0040b375
0x0040b38c
0x0040b4b9
0x0040b4b9
0x0040b4c0
0x0040b4c7
0x0040b4ce
0x0040b4d4
0x0040b4de
0x0040b4ee
0x0040b4f5
0x0040b4fa
0x0040b4fb
0x0040b4fe
0x0040b500
0x0040b507
0x0040b50c
0x0040b392
0x0040b392
0x0040b399
0x00000000
0x0040b39f
0x0040b39f
0x0040b3a6
0x0040b3ad
0x0040b3b4
0x0040b3ba
0x0040b3c4
0x0040b3d4
0x0040b3d7
0x0040b3f3
0x0040b400
0x0040b406
0x0040b409
0x0040b489
0x0040b48f
0x0040b49c
0x0040b4a4
0x0040b4aa
0x0040b4aa
0x0040b4aa
0x0040b4b4
0x00000000
0x0040b40b
0x0040b411
0x0040b412
0x0040b413
0x0040b423
0x0040b427
0x0040b433
0x0040b437
0x0040b442
0x0040b44d
0x0040b450
0x0040b460
0x0040b465
0x0040b46c
0x0040b46f
0x0040b471
0x0040b478
0x0040b47d
0x0040b47d
0x0040b409
0x0040b399
0x0040b512
0x0040b51e

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B317
GetTempPathW.KERNEL32(00000104,?,000003C4,0040C1ED,004C2FA0,00000000,setup.log,?,00000000), ref: 0040B333
__CxxThrowException@8.LIBCMT ref: 0040B354

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

_memset.LIBCMT ref: 0040B366
GetVersionExW.KERNEL32(?), ref: 0040B37F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,?,00000000), ref: 0040B400

Part of subcall function 0040B827: __EH_prolog3.LIBCMT ref: 0040B82E
Part of subcall function 0040B827: GetLastError.KERNEL32(00000004,00416939,00000008,004238F4,dJ,00000001,?,00000000), ref: 0040B847

CloseHandle.KERNEL32(00000000), ref: 0040B489
DeleteFileW.KERNEL32(?), ref: 0040B4A4

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

temp, xrefs: 0040B455
lJ, xrefs: 0040B3BA
dJ, xrefs: 0040B385
lJ, xrefs: 0040B500
123.tmp, xrefs: 0040B3C9
lJ, xrefs: 0040B4D4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$FileFreeString$CloseCreateDeleteExceptionException@8H_prolog3_HandlePathRaiseTempThrowVersion_memset
String ID: 123.tmp$dJ$lJ$lJ$lJ$temp
API String ID: 1927143760-843880253
Opcode ID: b5a665bae7ae9f2b096f4a2c8d81f8ae98763cb53e5928ca1e94baa8c5f5bc4c
Instruction ID: b0e988fa00782fed66f8c84524a4ee27f818764413b8e15c68a8f18c2cf504c1
Opcode Fuzzy Hash: b5a665bae7ae9f2b096f4a2c8d81f8ae98763cb53e5928ca1e94baa8c5f5bc4c
Instruction Fuzzy Hash: C1516EB18002189BDB60EBA1CC99BDDB7BCEF14314F5006EBE509B2191DB785B88CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0049A519, Relevance: 23.0, APIs: 11, Strings: 2, Instructions: 206
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0049A519(void* __ecx, signed int* _a4, signed int* _a8) {
				signed int _v8;
				short _v11;
				char _v15;
				char _v16;
				char _v17;
				char _v22;
				char _v23;
				char _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t52;
				signed int _t60;
				int _t62;
				void* _t65;
				signed char _t74;
				signed int _t77;
				signed int _t78;
				void* _t81;
				void* _t95;
				intOrPtr _t99;
				intOrPtr _t110;
				signed int _t115;
				signed int _t116;
				signed int* _t117;
				signed int* _t118;
				signed int _t119;
				void* _t120;
				void* _t121;
				void* _t122;
				void* _t123;
				void* _t124;
				void* _t125;
				void* _t126;
				signed char _t134;

				_t52 =  *0x4d7e88; // 0x9518852c
				_v8 = _t52 ^ _t119;
				_t118 = _a8;
				_t117 = _a4;
				_t95 = __ecx;
				_v16 = 0;
				_v15 = 0;
				_v11 = 0;
				if( *_t118 < 6) {
					L28:
					_push(0xd);
					goto L29;
				} else {
					E0045A8B0( &_v16,  *_t117, 6);
					 *_t118 =  *_t118 + 6;
					 *_t117 =  *_t117 + 6;
					_t121 = _t120 + 0xc;
					_t60 = lstrcmpA( &_v16, "GIF87a");
					if(_t60 != 0) {
						_t62 = lstrcmpA( &_v16, "GIF89a");
						__eflags = _t62;
						if(_t62 != 0) {
							goto L28;
						} else {
							 *(_t95 + 0x2c) = 1;
							goto L5;
						}
					} else {
						 *(_t95 + 0x2c) =  *(_t95 + 0x2c) & _t60;
						L5:
						if( *_t118 < 2) {
							goto L28;
						} else {
							E0045A8B0(_t95 + 0x20,  *_t117, 2);
							_t122 = _t121 + 0xc;
							_t65 = 2;
							 *_t118 =  *_t118 + _t65;
							 *_t117 =  *_t117 + _t65;
							if( *_t118 < _t65) {
								goto L28;
							} else {
								E0045A8B0(_t95 + 0x22,  *_t117, _t65);
								 *_t118 =  *_t118 + 2;
								 *_t117 =  *_t117 + 2;
								_t123 = _t122 + 0xc;
								if( *_t118 < 1) {
									goto L28;
								} else {
									E0045A8B0(_t95 + 0x24,  *_t117, 1);
									_t124 = _t123 + 0xc;
									 *_t118 =  *_t118 + 1;
									 *_t117 =  *_t117 + 1;
									if( *_t118 < 1) {
										goto L28;
									} else {
										E0045A8B0(_t95 + 0x25,  *_t117, 1);
										_t125 = _t124 + 0xc;
										 *_t118 =  *_t118 + 1;
										 *_t117 =  *_t117 + 1;
										if( *_t118 < 1) {
											goto L28;
										} else {
											E0045A8B0(_t95 + 0x26,  *_t117, 1);
											_t126 = _t125 + 0xc;
											 *_t118 =  *_t118 + 1;
											 *_t117 =  *_t117 + 1;
											_t74 =  *((intOrPtr*)(_t95 + 0x24));
											_t134 = _t74;
											if(_t134 >= 0) {
												goto L25;
											} else {
												_t115 = 4;
												 *(_t95 + 8) = 1;
												_t114 = (1 << (_t74 & 7) + 1) * _t115 >> 0x20;
												_push( ~(0 | _t134 > 0x00000000) | 1 * _t115);
												_t110 = E0045C169(_t95, (1 << (_t74 & 7) + 1) * _t115 >> 0x20, _t117, _t134);
												 *((intOrPtr*)(_t95 + 4)) = _t110;
												if(_t110 != 0) {
													E0045A4D0(_t110, 0,  *(_t95 + 8) << 2);
													_v28 = _v28 & 0x00000000;
													_t126 = _t126 + 0xc;
													__eflags =  *(_t95 + 8);
													if( *(_t95 + 8) <= 0) {
														goto L25;
													} else {
														while(1) {
															__eflags =  *_t118 - 3;
															if( *_t118 < 3) {
																goto L28;
															}
															E0045A8B0( &_v24,  *_t117, 3);
															 *_t118 =  *_t118 + 3;
															 *_t117 =  *_t117 + 3;
															_t116 = _v28;
															 *((char*)( *((intOrPtr*)(_t95 + 4)) + 2 + _t116 * 4)) = _v24;
															 *((char*)( *((intOrPtr*)(_t95 + 4)) + 1 + _t116 * 4)) = _v23;
															_t126 = _t126 + 0xc;
															 *((char*)( *((intOrPtr*)(_t95 + 4)) + _t116 * 4)) = _v22;
															_t114 = _t116 + 1;
															_v28 = _t114;
															__eflags = _t114 -  *(_t95 + 8);
															if(_t114 <  *(_t95 + 8)) {
																continue;
															} else {
																while(1) {
																	L25:
																	__eflags =  *_t118;
																	if( *_t118 == 0) {
																		break;
																	}
																	__eflags =  *_t118 - 1;
																	if( *_t118 < 1) {
																		goto L28;
																	} else {
																		E0045A8B0( &_v17,  *_t117, 1);
																		_t99 = _v17;
																		_t126 = _t126 + 0xc;
																		 *_t118 =  *_t118 + 1;
																		 *_t117 =  *_t117 + 1;
																		__eflags = _t99 - 0x21;
																		if(_t99 == 0x21) {
																			_push(_t118);
																			_push(_t117);
																			_t77 = E0049AB4D(_t95);
																			goto L22;
																		} else {
																			__eflags = _t99 - 0x2c;
																			if(__eflags != 0) {
																				_t114 = 0xd;
																				__eflags = _t99 - 0x3b;
																				_t81 =  !=  ? _t114 : 0;
																			} else {
																				_push(_t118);
																				_push(_t117);
																				_t77 = E0049AC7E(_t95, _t95, _t114, _t117, _t118, __eflags);
																				L22:
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t78 =  *_t118;
																					__eflags = _t78 - 1;
																					if(_t78 < 1) {
																						goto L28;
																					} else {
																						 *_t118 = _t78 + 1;
																						 *_t117 =  *_t117 + 1;
																						__eflags =  *_t117;
																						continue;
																					}
																				}
																			}
																		}
																	}
																	goto L30;
																}
																_push(5);
																goto L29;
															}
															goto L30;
														}
														goto L28;
													}
												} else {
													_push(0xe);
													L29:
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L30:
				return E0045A457(_t95, _v8 ^ _t119, _t114, _t117, _t118);
			}

0x0049a51f
0x0049a526
0x0049a52b
0x0049a534
0x0049a537
0x0049a539
0x0049a53c
0x0049a53f
0x0049a543
0x0049a732
0x0049a732
0x00000000
0x0049a549
0x0049a551
0x0049a556
0x0049a559
0x0049a55c
0x0049a568
0x0049a570
0x0049a580
0x0049a586
0x0049a588
0x00000000
0x0049a58e
0x0049a58e
0x00000000
0x0049a58e
0x0049a572
0x0049a572
0x0049a595
0x0049a598
0x00000000
0x0049a59e
0x0049a5a6
0x0049a5ab
0x0049a5b0
0x0049a5b1
0x0049a5b3
0x0049a5b7
0x00000000
0x0049a5bd
0x0049a5c4
0x0049a5c9
0x0049a5cc
0x0049a5cf
0x0049a5d5
0x00000000
0x0049a5db
0x0049a5e3
0x0049a5e8
0x0049a5eb
0x0049a5ed
0x0049a5f2
0x00000000
0x0049a5f8
0x0049a600
0x0049a605
0x0049a608
0x0049a60a
0x0049a60f
0x00000000
0x0049a615
0x0049a61d
0x0049a622
0x0049a625
0x0049a627
0x0049a629
0x0049a62c
0x0049a62e
0x00000000
0x0049a634
0x0049a644
0x0049a645
0x0049a648
0x0049a651
0x0049a658
0x0049a65a
0x0049a65f
0x0049a672
0x0049a677
0x0049a67b
0x0049a67e
0x0049a682
0x00000000
0x0049a688
0x0049a688
0x0049a688
0x0049a68b
0x00000000
0x00000000
0x0049a699
0x0049a69e
0x0049a6a1
0x0049a6a4
0x0049a6ad
0x0049a6b7
0x0049a6c1
0x0049a6c4
0x0049a6c7
0x0049a6c8
0x0049a6cb
0x0049a6ce
0x00000000
0x0049a6d0
0x0049a71c
0x0049a71c
0x0049a71c
0x0049a71f
0x00000000
0x00000000
0x0049a6d2
0x0049a6d5
0x00000000
0x0049a6d7
0x0049a6df
0x0049a6e4
0x0049a6e7
0x0049a6ea
0x0049a6ec
0x0049a6ee
0x0049a6f1
0x0049a703
0x0049a704
0x0049a707
0x00000000
0x0049a6f3
0x0049a6f3
0x0049a6f6
0x0049a729
0x0049a72a
0x0049a72d
0x0049a6f8
0x0049a6f8
0x0049a6f9
0x0049a6fc
0x0049a70c
0x0049a70c
0x0049a70e
0x0049a710
0x0049a712
0x0049a715
0x00000000
0x0049a717
0x0049a718
0x0049a71a
0x0049a71a
0x00000000
0x0049a71a
0x0049a715
0x0049a70e
0x0049a6f6
0x0049a6f1
0x00000000
0x0049a6d5
0x0049a721
0x00000000
0x0049a721
0x00000000
0x0049a6ce
0x00000000
0x0049a688
0x0049a661
0x0049a661
0x0049a734
0x0049a734
0x0049a65f
0x0049a62e
0x0049a60f
0x0049a5f2
0x0049a5d5
0x0049a5b7
0x0049a598
0x0049a570
0x0049a735
0x0049a743

APIs

_memmove.LIBCMT ref: 0049A551
lstrcmpA.KERNEL32(?,GIF87a,?,?,?,76E3D5B0,?,9518852C,?,?,00000000), ref: 0049A568
lstrcmpA.KERNEL32(?,GIF89a), ref: 0049A580
_memmove.LIBCMT ref: 0049A5A6
_memmove.LIBCMT ref: 0049A5C4
_memmove.LIBCMT ref: 0049A5E3
_memmove.LIBCMT ref: 0049A600
_memmove.LIBCMT ref: 0049A61D
_memset.LIBCMT ref: 0049A672
_memmove.LIBCMT ref: 0049A699
_memmove.LIBCMT ref: 0049A6DF

Part of subcall function 0049AC7E: __EH_prolog3.LIBCMT ref: 0049AC85

Strings

GIF89a, xrefs: 0049A577
GIF87a, xrefs: 0049A562

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove$lstrcmp$H_prolog3_memset
String ID: GIF87a$GIF89a
API String ID: 3198123400-2918331024
Opcode ID: c8cec6042631a10ec25823f716d04a484a7fdd48b6950b41c4f773c1cdcd2a27
Instruction ID: 91db72cd28c73f0ef1eeb2121f56b187381224a7741448445ea30fbe006bc91b
Opcode Fuzzy Hash: c8cec6042631a10ec25823f716d04a484a7fdd48b6950b41c4f773c1cdcd2a27
Instruction Fuzzy Hash: 25610A71A00205EFDF149FA0D882B66BBF5EF15305F2444BFE885DA142E738C965CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00447884, Relevance: 22.8, APIs: 8, Strings: 5, Instructions: 95
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 80%

			E00447884(void* __ebx, void* __ecx, void* __edi, intOrPtr __esi, void* __eflags) {
				_Unknown_base(*)()* _t33;
				_Unknown_base(*)()* _t41;
				_Unknown_base(*)()* _t45;
				intOrPtr _t73;
				void* _t75;

				_t74 = __esi;
				_push(0x2a8);
				E0045B8C9(0x4a7e4d, __ebx, __edi, __esi);
				_t61 = GetModuleHandleW;
				_t73 =  *((intOrPtr*)(_t75 + 8));
				_t33 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "CreateToolhelp32Snapshot");
				_t79 = _t33;
				if(_t33 != 0) {
					_t74 =  *_t33(2, 0);
					 *((intOrPtr*)(_t75 - 0x2b4)) = _t74;
					 *(_t75 - 4) =  *(_t75 - 4) & 0x00000000;
					__eflags = _t74 - 0xffffffff;
					if(__eflags == 0) {
						L11:
						_push(_t73);
						E004479E1(_t61, _t73, _t74, __eflags);
					} else {
						 *(_t75 - 0x2ac) = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "Process32First");
						_t41 = GetProcAddress(GetModuleHandleW(L"Kernel32.dll"), "Process32Next");
						__eflags =  *(_t75 - 0x2ac);
						_t61 = _t41;
						if(__eflags == 0) {
							goto L11;
						} else {
							__eflags = _t61;
							if(__eflags == 0) {
								goto L11;
							} else {
								E0045A4D0(_t75 - 0x2a4, 0, 0x228);
								 *((intOrPtr*)(_t75 - 0x2a8)) = 0x22c;
								_t45 =  *(_t75 - 0x2ac)(_t74, _t75 - 0x2a8);
								while(1) {
									__eflags = _t45;
									if(_t45 == 0) {
										break;
									}
									__eflags =  *(_t75 - 0x2a0);
									if( *(_t75 - 0x2a0) != 0) {
										E0043EB36(_t75 - 0x44);
										 *((intOrPtr*)(_t75 - 0x44)) =  *((intOrPtr*)(_t75 - 0x290));
										 *(_t75 - 4) = 1;
										E00406A00(_t75 - 0x3c, _t73, _t75 - 0x284);
										 *(_t75 - 0x7c) =  *(_t75 - 0x2a0);
										E0043EB07(_t75 - 0x78, _t75 - 0x44);
										 *(_t75 - 4) = 2;
										E00445D30(_t73, _t75 - 0x2b0, _t75 - 0x7c);
										E00401B80(_t75 - 0x74);
										 *(_t75 - 4) = 0;
										E00401B80(_t75 - 0x40);
									}
									_t45 =  *_t61(_t74, _t75 - 0x2a8);
								}
							}
						}
					}
					E00405170(_t75 - 0x2b4);
				} else {
					_push(_t73);
					E004479E1(GetModuleHandleW, _t73, __esi, _t79);
				}
				return E0045B878(_t61, _t73, _t74);
			}

0x00447884
0x00447884
0x0044788e
0x00447893
0x00447899
0x004478a9
0x004478af
0x004478b1
0x004478c5
0x004478c7
0x004478cd
0x004478d1
0x004478d4
0x004479c9
0x004479c9
0x004479ca
0x004478da
0x004478f7
0x00447900
0x00447906
0x0044790d
0x0044790f
0x00000000
0x00447915
0x00447915
0x00447917
0x00000000
0x0044791d
0x0044792b
0x0044793b
0x00447945
0x004479c3
0x004479c3
0x004479c5
0x00000000
0x00000000
0x0044794d
0x00447954
0x00447959
0x00447964
0x00447971
0x00447975
0x00447980
0x0044798a
0x0044799c
0x004479a0
0x004479a8
0x004479b0
0x004479b4
0x004479b4
0x004479c1
0x004479c1
0x004479c7
0x00447917
0x0044790f
0x004479d6
0x004478b3
0x004478b3
0x004478b4
0x004478b9
0x004479e0

APIs

__EH_prolog3_GS.LIBCMT ref: 0044788E
GetModuleHandleW.KERNEL32(kernel32.dll,CreateToolhelp32Snapshot,000002A8,0044412B,0044A131,?,?,0000006C,0044A131,?,?,?), ref: 004478A6
GetProcAddress.KERNEL32(00000000), ref: 004478A9
GetModuleHandleW.KERNEL32(Kernel32.dll,Process32First,?,0000006C,0044A131,?,?,?), ref: 004478E4
GetProcAddress.KERNEL32(00000000), ref: 004478E7
GetModuleHandleW.KERNEL32(Kernel32.dll,Process32Next,?,0000006C,0044A131,?,?,?), ref: 004478FD
GetProcAddress.KERNEL32(00000000), ref: 00447900
_memset.LIBCMT ref: 0044792B

Part of subcall function 004479E1: __EH_prolog3_GS.LIBCMT ref: 004479EB
Part of subcall function 004479E1: GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,004479CF,00000000,?,0000006C,0044A131,?,?,?), ref: 00447A1B
Part of subcall function 004479E1: GetProcAddress.KERNEL32(00000000), ref: 00447A22
Part of subcall function 004479E1: OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0044A131,?,?,?), ref: 00447A4E
Part of subcall function 004479E1: _memset.LIBCMT ref: 00447A73

Strings

kernel32.dll, xrefs: 004478A1
Kernel32.dll, xrefs: 004478DF, 004478F2
Process32Next, xrefs: 004478ED
Process32First, xrefs: 004478DA
CreateToolhelp32Snapshot, xrefs: 0044789C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$H_prolog3__memset$OpenProcess
String ID: CreateToolhelp32Snapshot$Kernel32.dll$Process32First$Process32Next$kernel32.dll
API String ID: 2047754285-1872946363
Opcode ID: f6e6f1460f19e8ca752bb30bc1728fddc268b0b60a8f9313740ed9b488bfef2e
Instruction ID: 4dfc7f0b5ddbb0eed1ff4f92835ec1499f2910106df933c20330d0c0fec2b70a
Opcode Fuzzy Hash: f6e6f1460f19e8ca752bb30bc1728fddc268b0b60a8f9313740ed9b488bfef2e
Instruction Fuzzy Hash: A23153B1905218AFEF10EBA5CC89BDEB77C9F05704F1000ABE415A3182DF785E458F69

Uniqueness

Uniqueness Score: -1.00%

Function 0040ED6A, Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 241
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040ED6A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t131;
				void* _t135;
				void* _t145;
				void* _t146;
				void* _t153;
				void* _t159;
				void* _t174;
				void* _t180;
				void* _t188;
				signed char _t194;
				void* _t246;
				intOrPtr _t248;
				intOrPtr _t250;
				void* _t251;
				void* _t257;

				_t246 = __edx;
				_push(0x198);
				E0045B8C9(0x4a121b, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t251 - 0x198)) = __ecx;
				_t3 = _t251 + 0xc; // 0x4c2f40
				_t250 =  *((intOrPtr*)(_t251 + 8));
				_t248 =  *((intOrPtr*)(_t251 + 0x10));
				 *(_t251 - 0x19c) =  *(_t251 - 0x19c) & 0x00000000;
				 *((intOrPtr*)(_t251 - 0x1a0)) =  *((intOrPtr*)(_t251 + 0x14));
				_t10 = _t251 - 0x70; // 0x4c2f50
				 *((intOrPtr*)(_t251 - 0x1a4)) =  *_t3;
				 *((intOrPtr*)(_t251 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t251 - 0x48)) = 0x4c2f40;
				E00404200(_t10, _t251 - 0x191, 0);
				 *(_t251 - 4) =  *(_t251 - 4) & 0x00000000;
				 *((intOrPtr*)(_t251 - 0xa0)) = 0x4c2f50;
				 *((intOrPtr*)(_t251 - 0x78)) = 0x4c3454;
				E004053A0( *_t3, 0);
				_t194 = 1;
				 *(_t251 - 4) = 1;
				if(_t248 == 0) {
					E0040FAD6(_t250, _t251 - 0x130);
					 *(_t251 - 4) = 2;
					if( *((intOrPtr*)(_t251 - 0x11c)) != _t248) {
						 *((intOrPtr*)(_t251 - 0x100)) = 0x4c2f50;
						 *((intOrPtr*)(_t251 - 0xd8)) = 0x4c3454;
						E00403FB0(L"Default.prq", _t251 - 0x191, _t248);
						 *(_t251 - 4) = 3;
						_t153 = E00412D7A(_t251 - 0x12c, "/", 0xffffffff, E0045B5D4("/"));
						if(_t153 != 0xffffffff && _t153 <  *((intOrPtr*)(_t251 - 0x11c)) - 1) {
							_t257 = _t153 + 1;
							_t30 = _t251 - 0x40; // 0x4c2f50
							_t188 = E00404580(_t30, _t153 + 1, 0xffffffff);
							_t32 = _t251 - 0x100; // 0x4c2f50
							 *(_t251 - 4) = 4;
							E00402B90(_t32, _t188);
							_t34 = _t251 - 0x40; // 0x4c2f50
							 *(_t251 - 4) = 3;
							E00401AC0(_t34);
						}
						_t37 = _t251 - 0xa0; // 0x4c2f50
						E004034E0(_t37, _t251 - 0x190, 0, 0);
						_t38 = _t251 - 0x100; // 0x4c2f50
						 *(_t251 - 4) = 5;
						E00413296(_t251 - 0x190, _t38);
						_t41 = _t251 - 0x40; // 0x4c2f50
						_t159 = E00412A66(_t251 - 0x190, _t41);
						 *(_t251 - 4) = 6;
						E004095E2(_t251 - 0x70, _t159);
						_t45 = _t251 - 0x40; // 0x4c2f50
						 *(_t251 - 4) = 5;
						E00401B80(_t45);
						_push(_t251 - 0x70);
						_t49 = _t251 - 0x100; // 0x4c2f50
						_push(_t251 - 0x130);
						E0040ECC4(_t194,  *((intOrPtr*)(_t251 - 0x198)), _t246, _t248, _t250, _t257);
						 *((intOrPtr*)(_t251 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t251 - 0x18)) = 0x4c3454;
						E00403FB0(0x4c2d7c, _t251 - 0x191, 0);
						_t258 =  *((intOrPtr*)(_t251 - 0x58)) - 8;
						_t56 = _t251 - 0x40; // 0x4c2f50
						_t169 =  >=  ?  *((void*)(_t251 - 0x6c)) : _t251 - 0x6c;
						_push(0);
						_push( >=  ?  *((void*)(_t251 - 0x6c)) : _t251 - 0x6c);
						 *(_t251 - 4) = 7;
						E004314E3(_t194, _t250, _t248, _t250,  *((intOrPtr*)(_t251 - 0x58)) - 8);
						_t60 = _t251 - 0x40; // 0x4c2f50
						 *(_t251 - 4) = 5;
						E00401AC0(_t60);
						 *((intOrPtr*)( *((intOrPtr*)(_t251 - 0x1a0)))) = E0042EA72(_t250);
						_t64 = _t251 - 0x40; // 0x4c2f50
						_t174 = E004034E0( *((intOrPtr*)(_t251 - 0x1a4)), _t64, 0, 0);
						_t65 = _t251 - 0xa0; // 0x4c2f50
						 *(_t251 - 4) = 8;
						E00402B90(_t65, _t174);
						_t67 = _t251 - 0x40; // 0x4c2f50
						 *(_t251 - 4) = 5;
						E00401AC0(_t67);
						_push(0);
						_t69 = _t251 - 0xd0; // 0x4c2f50
						E0042EB76(_t194, _t250, _t248, _t250,  *((intOrPtr*)(_t251 - 0x58)) - 8);
						_t70 = _t251 - 0x40; // 0x4c2f50
						 *(_t251 - 4) = 9;
						_t72 = _t251 - 0xd0; // 0x4c2f50
						_t180 = E00403080(_t72, _t70);
						_t73 = _t251 - 0xa0; // 0x4c2f50
						 *(_t251 - 4) = 0xa;
						E00413296(_t73, _t180);
						_t75 = _t251 - 0x40; // 0x4c2f50
						E00401AC0(_t75);
						_t76 = _t251 - 0xd0; // 0x4c2f50
						E00401AC0(_t76);
						E00401AC0(_t251 - 0x190);
						_t78 = _t251 - 0x100; // 0x4c2f50
						E00401AC0(_t78);
					}
					 *(_t251 - 4) = _t194;
					E00401AC0(_t251 - 0x130);
				}
				_push(_t248);
				_push(_t251 - 0x160);
				E0042EC5A(_t194, _t250, _t248, _t250, _t258);
				_t259 =  *((intOrPtr*)(_t251 - 0x14c));
				 *(_t251 - 4) = 0xb;
				if( *((intOrPtr*)(_t251 - 0x14c)) == 0) {
					L14:
					_t194 = 0;
				} else {
					_t84 = _t251 - 0xd0; // 0x4c2f50
					_t85 = _t251 - 0xa0; // 0x4c2f50
					_t131 = E00412A66(_t85, _t84);
					 *(_t251 - 4) = 0xc;
					E004095E2(_t251 - 0x70, _t131);
					_t88 = _t251 - 0xd0; // 0x4c2f50
					 *(_t251 - 4) = 0xb;
					E00401B80(_t88);
					_t90 = _t251 - 0xd0; // 0x4c2f50
					_t91 = _t251 - 0xa0; // 0x4c2f50
					_t135 = E00403080(_t91, _t90);
					_push(_t251 - 0x70);
					_push(_t135);
					_push(_t251 - 0x160);
					 *(_t251 - 4) = 0xd;
					E0040ECC4(_t194,  *((intOrPtr*)(_t251 - 0x198)), _t246, _t248, _t250, _t259);
					_t96 = _t251 - 0xd0; // 0x4c2f50
					 *(_t251 - 4) = 0xb;
					E00401AC0(_t96);
					_push(_t248);
					_t98 = _t251 - 0x40; // 0x4c2f50
					E0042E9EC(_t194, _t250, _t248, _t250, _t259);
					_t260 =  *((intOrPtr*)(_t251 - 0x2c));
					 *(_t251 - 4) = 0xe;
					if( *((intOrPtr*)(_t251 - 0x2c)) == 0) {
						L10:
						 *(_t251 - 0x191) = 0;
					} else {
						_t102 = _t251 - 0xa0; // 0x4c2f50
						_t103 = _t251 - 0xd0; // 0x4c2f50
						_t145 = E0040F29E(_t246, _t260, _t103, _t102);
						_t104 = _t251 - 0x40; // 0x4c2f50
						 *(_t251 - 0x19c) = _t194;
						_t146 = E00412ABE(_t104, _t145);
						 *(_t251 - 0x191) = _t194;
						if(_t146 == 0) {
							goto L10;
						}
					}
					if(( *(_t251 - 0x19c) & _t194) != 0) {
						_t111 = _t251 - 0xd0; // 0x4c2f50
						E00401AC0(_t111);
					}
					_t112 = _t251 - 0x40; // 0x4c2f50
					E00401AC0(_t112);
					if( *(_t251 - 0x191) != 0) {
						goto L14;
					}
				}
				E00401AC0(_t251 - 0x160);
				_t115 = _t251 - 0xa0; // 0x4c2f50
				E00401AC0(_t115);
				E00401B80(_t251 - 0x70);
				return E0045B878(_t194, _t248, _t250);
			}

0x0040ed6a
0x0040ed6a
0x0040ed74
0x0040ed79
0x0040ed82
0x0040ed85
0x0040ed88
0x0040ed8b
0x0040ed92
0x0040eda1
0x0040eda4
0x0040edaa
0x0040edb1
0x0040edb8
0x0040edbd
0x0040edca
0x0040edd4
0x0040eddb
0x0040ede2
0x0040ede3
0x0040ede8
0x0040edf7
0x0040edfc
0x0040ee06
0x0040ee1f
0x0040ee29
0x0040ee33
0x0040ee3d
0x0040ee55
0x0040ee5d
0x0040ee6c
0x0040ee6e
0x0040ee78
0x0040ee7e
0x0040ee84
0x0040ee88
0x0040ee8d
0x0040ee90
0x0040ee94
0x0040ee94
0x0040eea4
0x0040eeaa
0x0040eeaf
0x0040eebc
0x0040eec0
0x0040eec5
0x0040eecf
0x0040eed8
0x0040eedc
0x0040eee1
0x0040eee4
0x0040eee8
0x0040eef6
0x0040eef7
0x0040ef04
0x0040ef05
0x0040ef1b
0x0040ef22
0x0040ef29
0x0040ef2e
0x0040ef32
0x0040ef39
0x0040ef3d
0x0040ef3f
0x0040ef42
0x0040ef46
0x0040ef4b
0x0040ef4e
0x0040ef52
0x0040ef66
0x0040ef70
0x0040ef74
0x0040ef7a
0x0040ef80
0x0040ef84
0x0040ef89
0x0040ef8c
0x0040ef90
0x0040ef95
0x0040ef97
0x0040efa0
0x0040efa5
0x0040efa8
0x0040efad
0x0040efb3
0x0040efb9
0x0040efbf
0x0040efc3
0x0040efc8
0x0040efcb
0x0040efd0
0x0040efd6
0x0040efe1
0x0040efe6
0x0040efec
0x0040efec
0x0040eff7
0x0040effa
0x0040effa
0x0040efff
0x0040f006
0x0040f009
0x0040f00e
0x0040f015
0x0040f019
0x0040f0fc
0x0040f0fc
0x0040f01f
0x0040f01f
0x0040f026
0x0040f02c
0x0040f035
0x0040f039
0x0040f03e
0x0040f044
0x0040f048
0x0040f04d
0x0040f054
0x0040f05a
0x0040f062
0x0040f069
0x0040f070
0x0040f071
0x0040f075
0x0040f07a
0x0040f080
0x0040f084
0x0040f089
0x0040f08a
0x0040f090
0x0040f095
0x0040f099
0x0040f09d
0x0040f0d1
0x0040f0d1
0x0040f09f
0x0040f0a5
0x0040f0ac
0x0040f0b3
0x0040f0b9
0x0040f0bc
0x0040f0c2
0x0040f0c7
0x0040f0cf
0x00000000
0x00000000
0x0040f0cf
0x0040f0de
0x0040f0e0
0x0040f0e6
0x0040f0e6
0x0040f0eb
0x0040f0ee
0x0040f0fa
0x00000000
0x00000000
0x0040f0fa
0x0040f104
0x0040f109
0x0040f10f
0x0040f117
0x0040f123

APIs

__EH_prolog3_GS.LIBCMT ref: 0040ED74

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00404580: GetLastError.KERNEL32(9518852C,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
Part of subcall function 00404580: SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

@/L, xrefs: 0040ED82, 0040EDC3
P/L, xrefs: 0040EEA4
@/L, xrefs: 0040EDB1
T4L, xrefs: 0040EF22
Default.prq, xrefs: 0040EE14
T4L, xrefs: 0040EDD4
P/L, xrefs: 0040EDA1
T4L, xrefs: 0040EE29
P/L, xrefs: 0040EE6E, 0040EE71
P/L, xrefs: 0040EE7E
P/L, xrefs: 0040F01F, 0040F03E, 0040F04D, 0040F07A, 0040F0E0, 0040F0AC, 0040EF97, 0040EFAD, 0040EFD0, 0040EF9D, 0040F025, 0040F053, 0040F0B2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: @/L$@/L$Default.prq$P/L$P/L$P/L$P/L$P/L$T4L$T4L$T4L
API String ID: 2549205776-1811379302
Opcode ID: 1494169e6623e3c695926e2afc66fbb9585983f68abb8494659bb1df2b59cc61
Instruction ID: c3b6e30d12c9b4d6e0e48dd07ebc6d8dc93a0164c8c25f8d7421aef05fba5f4b
Opcode Fuzzy Hash: 1494169e6623e3c695926e2afc66fbb9585983f68abb8494659bb1df2b59cc61
Instruction Fuzzy Hash: CBB13A71910258EACB25EBA1CD51BDEB7B8BF15308F1440EEE14A73182DB781B48CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0048FE10, Relevance: 21.2, APIs: 4, Strings: 8, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0048FE10(void* __edx, void* __eflags, char _a4, char _a8, signed int* _a52) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				short _v64;
				char _v68;
				intOrPtr _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				signed int _t48;
				void* _t60;
				void* _t62;
				short _t77;
				void* _t78;
				void* _t96;
				intOrPtr _t98;
				void* _t99;
				intOrPtr* _t102;
				signed int* _t104;
				void* _t105;
				signed int _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_t96 = __edx;
				_push(0xffffffff);
				_push(0x4ab660);
				_push( *[fs:0x0]);
				_t108 = _t107 - 0x38;
				_t47 =  *0x4d7e88; // 0x9518852c
				_t48 = _t47 ^ _t106;
				_v20 = _t48;
				_push(_t48);
				 *[fs:0x0] =  &_v16;
				_t104 = _a52;
				_v8 = 0;
				_t98 = E004068B0( &_a8, ",", 0, 1);
				_t77 = 0;
				do {
					E00494EB0( &_v68, _t77, _t98 - _t77);
					_push(0xb);
					_v8 = 1;
					if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"TRANSPARENT") != 0) {
						_push(5);
						if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"SCALE") != 0) {
							_push(7);
							if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"VCENTER") != 0) {
								_push(7);
								if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"HCENTER") != 0) {
									_push(0xa);
									if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"UPPER_LEFT") != 0) {
										_push(0xb);
										if(E004086E0(_t77,  &_v64, _t98, _t104, 0, _v48, L"UPPER_RIGHT") != 0) {
											_t60 = E00429652( &_v64, L"LOWER_LEFT");
											_t109 = _t108 + 8;
											if(_t60 == 0) {
												_t62 = E00429652( &_v64, L"LOWER_RIGHT");
												_t109 = _t109 + 8;
												if(_t62 != 0) {
													 *_t104 =  *_t104 | 0x00000004;
												}
											} else {
												 *_t104 =  *_t104 | 0x00000008;
											}
										} else {
											 *_t104 =  *_t104 | 0x00000001;
										}
									} else {
										 *_t104 =  *_t104 | 0x00000002;
									}
								} else {
									 *_t104 =  *_t104 | 0x00000200;
								}
							} else {
								 *_t104 =  *_t104 | 0x00000100;
							}
						} else {
							 *_t104 =  *_t104 | 0x00100000;
						}
					} else {
						 *_t104 =  *_t104 | 0x00000020;
					}
					if(_t98 == 0xffffffff) {
						E00401AC0( &_v68);
						L23:
						E00401AC0( &_a4);
						 *[fs:0x0] = _v16;
						_pop(_t99);
						_pop(_t105);
						_pop(_t78);
						return E0045A457(_t78, _v20 ^ _t106, _t96, _t99, _t105);
					}
					_t23 = _t98 + 1; // 0x1
					_t77 = _t23;
					_v72 = E004068B0( &_a8, ",", _t77, 1);
					_v8 = 0;
					 *((intOrPtr*)( &_v28 +  *((intOrPtr*)(_v28 + 4)))) = GetLastError();
					L0045A7D5(_v40);
					_t102 = __imp__#6;
					_t108 = _t109 + 4;
					 *_t102(_v32);
					if(_v44 >= 8) {
						 *_t102(_v64);
					}
					_v64 = 0;
					_v44 = 7;
					_v48 = 0;
					SetLastError( *(_t106 +  *((intOrPtr*)(_v68 + 4)) - 0x40));
					_t98 = _v72;
				} while (_t77 != 0xffffffff);
				goto L23;
			}

0x0048fe10
0x0048fe13
0x0048fe15
0x0048fe20
0x0048fe21
0x0048fe24
0x0048fe29
0x0048fe2b
0x0048fe31
0x0048fe35
0x0048fe3b
0x0048fe4a
0x0048fe56
0x0048fe58
0x0048fe60
0x0048fe6d
0x0048fe72
0x0048fe81
0x0048fe8c
0x0048fe96
0x0048feac
0x0048feb9
0x0048fecf
0x0048fedc
0x0048fef2
0x0048fefc
0x0048ff12
0x0048ff19
0x0048ff2f
0x0048ff3f
0x0048ff44
0x0048ff49
0x0048ff59
0x0048ff5e
0x0048ff63
0x0048ff65
0x0048ff65
0x0048ff4b
0x0048ff4b
0x0048ff4b
0x0048ff31
0x0048ff31
0x0048ff31
0x0048ff14
0x0048ff14
0x0048ff14
0x0048fef4
0x0048fef4
0x0048fef4
0x0048fed1
0x0048fed1
0x0048fed1
0x0048feae
0x0048feae
0x0048feae
0x0048fe8e
0x0048fe8e
0x0048fe8e
0x0048ff6b
0x0048fff4
0x0048fff9
0x0048fffc
0x00490004
0x0049000c
0x0049000d
0x0049000e
0x0049001c
0x0049001c
0x0048ff73
0x0048ff73
0x0048ff84
0x0048ff90
0x0048ff9c
0x0048ffa1
0x0048ffa6
0x0048ffac
0x0048ffb2
0x0048ffb8
0x0048ffbd
0x0048ffbd
0x0048ffc1
0x0048ffc8
0x0048ffcf
0x0048ffdd
0x0048ffe3
0x0048ffe6
0x00000000

APIs

Part of subcall function 00494EB0: GetLastError.KERNEL32(9518852C,73B74D40,00000000,?,?,004ABC58,000000FF,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494EEE
Part of subcall function 00494EB0: SetLastError.KERNEL32(?,00000000,?,00000000,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494F4A

GetLastError.KERNEL32(004B16A4,00000001,00000001,?,?,76E3D5B0,00000000,?,?,?,?,?,?,00000000,004AB660,000000FF), ref: 0048FF96
SysFreeString.OLEAUT32(004AB660), ref: 0048FFB2
SysFreeString.OLEAUT32(00000000), ref: 0048FFBD
SetLastError.KERNEL32(76E3D5B0,?,?,?,76E3D5B0,00000000), ref: 0048FFDD

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

TRANSPARENT, xrefs: 0048FE74
UPPER_RIGHT, xrefs: 0048FF1B
VCENTER, xrefs: 0048FEBB
UPPER_LEFT, xrefs: 0048FEFE
SCALE, xrefs: 0048FE98
LOWER_RIGHT, xrefs: 0048FF53
HCENTER, xrefs: 0048FEDE
LOWER_LEFT, xrefs: 0048FF39

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: HCENTER$LOWER_LEFT$LOWER_RIGHT$SCALE$TRANSPARENT$UPPER_LEFT$UPPER_RIGHT$VCENTER
API String ID: 2425351278-1101803390
Opcode ID: acea87e46893785c767785a829ddba2ad1c1ec4f078491fdff4f47eb6f1026b3
Instruction ID: 209d69920c75c58bbb9baabbf5bbf6a4065b2aa3cce23d9b0bf2ad7836802f80
Opcode Fuzzy Hash: acea87e46893785c767785a829ddba2ad1c1ec4f078491fdff4f47eb6f1026b3
Instruction Fuzzy Hash: 3751A531A40209AADF14EFA4CC82BDEBBB4EF15344F20453BF651762E1EB785909CB19

Uniqueness

Uniqueness Score: -1.00%

Function 00444C28, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 87
registrylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00444C28(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				char _v20;
				void* _v24;
				void* _v28;
				int _v32;
				signed int _t17;
				struct HINSTANCE__* _t19;
				_Unknown_base(*)()* _t36;
				void* _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				long _t48;
				signed int _t50;

				_t46 = __esi;
				_t45 = __edi;
				_t44 = __edx;
				_t38 = __ebx;
				_t17 =  *0x4d7e88; // 0x9518852c
				_v8 = _t17 ^ _t50;
				_t19 = GetModuleHandleW(L"Kernel32.dll");
				if(_t19 == 0) {
					L3:
					_push(_t38);
					_push(_t46);
					_v24 = 0;
					_v32 = 0xa;
					if(RegOpenKeyExW(0x80000003, L".Default\\Control Panel\\desktop\\ResourceLocale", 0, 0xf003f,  &_v24) != 0 || RegQueryValueExW(_v24, 0x4c2d7c, 0, 0,  &_v20,  &_v32) != 0) {
						_v28 = 0;
						_t48 = RegOpenKeyExW(0x80000003, L".DEFAULT\\Control Panel\\International", 0, 0xf003f,  &_v28);
						if(_t48 == 0) {
							_t48 = RegQueryValueExW(_v28, L"Locale", 0, 0,  &_v20,  &_v32);
						}
						E00433132( &_v28);
						if(_t48 == 0) {
							goto L9;
						} else {
						}
					} else {
						L9:
						E00461BC2( &_v20, 0, 0x10);
					}
					E00433132( &_v24);
					_pop(_t46);
					_pop(_t38);
				} else {
					_t36 = GetProcAddress(_t19, "GetSystemDefaultUILanguage");
					if(_t36 == 0) {
						goto L3;
					} else {
						 *_t36();
					}
				}
				return E0045A457(_t38, _v8 ^ _t50, _t44, _t45, _t46);
			}

0x00444c28
0x00444c28
0x00444c28
0x00444c28
0x00444c2e
0x00444c35
0x00444c3d
0x00444c45
0x00444c5e
0x00444c5e
0x00444c5f
0x00444c7c
0x00444c7f
0x00444c8a
0x00444cbc
0x00444cc1
0x00444cc5
0x00444cdf
0x00444cdf
0x00444ce4
0x00444ceb
0x00000000
0x00444ced
0x00444ced
0x00444cf4
0x00444cf4
0x00444cfb
0x00444d03
0x00444d09
0x00444d11
0x00444d12
0x00444c47
0x00444c4d
0x00444c55
0x00000000
0x00444c57
0x00444c57
0x00444c57
0x00444c55
0x00444d1e

APIs

GetModuleHandleW.KERNEL32(Kernel32.dll), ref: 00444C3D
GetProcAddress.KERNEL32(00000000,GetSystemDefaultUILanguage), ref: 00444C4D
RegOpenKeyExW.ADVAPI32(80000003,.Default\Control Panel\desktop\ResourceLocale,00000000,000F003F,?), ref: 00444C86
RegQueryValueExW.ADVAPI32(?,004C2D7C,00000000,00000000,?,0000000A), ref: 00444C9E
RegOpenKeyExW.ADVAPI32(80000003,.DEFAULT\Control Panel\International,00000000,000F003F,?), ref: 00444CBF
RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,0000000A), ref: 00444CD9
__wcstoi64.LIBCMT ref: 00444CFB

Strings

.Default\Control Panel\desktop\ResourceLocale, xrefs: 00444C72
Kernel32.dll, xrefs: 00444C38
.DEFAULT\Control Panel\International, xrefs: 00444CB2
GetSystemDefaultUILanguage, xrefs: 00444C47
Locale, xrefs: 00444CD1

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: OpenQueryValue$AddressHandleModuleProc__wcstoi64
String ID: .DEFAULT\Control Panel\International$.Default\Control Panel\desktop\ResourceLocale$GetSystemDefaultUILanguage$Kernel32.dll$Locale
API String ID: 2065448255-3798069133
Opcode ID: 0beab6f27266994117a11318befe2c0ba251e351e15b1392993b225ab02f0337
Instruction ID: dec2fee5953cf9e0dbbcb3b0352eb84763cbe800ecd0f804597b60404a3882f0
Opcode Fuzzy Hash: 0beab6f27266994117a11318befe2c0ba251e351e15b1392993b225ab02f0337
Instruction Fuzzy Hash: E9214471E0122EAEFB10DBA1CC81FBF776CEB04745F15003BA911B2181DA689E058BBD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B51F, Relevance: 21.1, APIs: 5, Strings: 7, Instructions: 85
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040B51F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t35;
				struct HINSTANCE__* _t43;
				_Unknown_base(*)()* _t44;
				void* _t45;
				void* _t49;
				void* _t56;
				intOrPtr* _t66;
				void* _t67;

				_t51 = __ebx;
				_push(0x274);
				E0045B8C9(0x4a075d, __ebx, __edi, __esi);
				 *(_t67 - 0x280) =  *(_t67 - 0x280) & 0x00000000;
				_t66 =  *((intOrPtr*)(_t67 + 8));
				if( *((intOrPtr*)(_t67 + 0xc)) != 1) {
					L5:
					__eflags = GetWindowsDirectoryW(_t67 - 0x218, 0x104);
					if(__eflags == 0) {
						E0040B827(_t51, _t67 - 0x234, 0x104, _t66, __eflags);
						E0045A466(_t67 - 0x234, 0x4c6ab8);
					}
					_push(0);
					_push(_t67 - 0x279);
					_t64 = 0x4ae964;
					_t52 = 0x4ae96c;
					_push(_t67 - 0x218);
					 *((intOrPtr*)(_t67 - 0x278)) = 0x4ae964;
					 *((intOrPtr*)(_t67 - 0x250)) = 0x4ae96c;
					E00408F6D(0x4ae96c, _t67 - 0x278, 0x4ae964, _t66, __eflags);
					 *(_t67 - 4) = 1;
					_t35 = E0040B9F3(_t67 - 0x278, 0x4ae964, "\\");
					_push(0);
					_push(_t35);
					 *_t66 = 0x4ae964;
					 *((intOrPtr*)(_t66 + 0x28)) = 0x4ae96c;
					E00408E82(0x4ae96c, _t66, _t64, _t66, __eflags);
					_t56 = _t67 - 0x278;
				} else {
					_t43 = GetModuleHandleW(L"KERNEL32.DLL");
					if(_t43 == 0) {
						goto L5;
					} else {
						_t44 = GetProcAddress(_t43, "GetSystemWindowsDirectoryW");
						 *0x4d7064 = _t44;
						if(_t44 == 0) {
							goto L5;
						} else {
							_t45 =  *_t44(_t67 - 0x218, 0x104);
							_t72 = _t45;
							if(_t45 == 0) {
								goto L5;
							} else {
								_push(0);
								_push(_t67 - 0x279);
								_t64 = 0x4ae964;
								_t52 = 0x4ae96c;
								_push(_t67 - 0x218);
								_t8 = _t67 - 0x248; // 0x4ae964
								 *((intOrPtr*)(_t67 - 0x248)) = 0x4ae964;
								 *((intOrPtr*)(_t67 - 0x220)) = 0x4ae96c;
								E00408F6D(0x4ae96c, _t8, 0x4ae964, _t66, _t72);
								 *(_t67 - 4) =  *(_t67 - 4) & 0x00000000;
								_t13 = _t67 - 0x248; // 0x4ae964
								_t49 = E0040B9F3(_t13, 0x4ae964, "\\");
								_push(0);
								_push(_t49);
								 *_t66 = 0x4ae964;
								 *((intOrPtr*)(_t66 + 0x28)) = 0x4ae96c;
								E00408E82(0x4ae96c, _t66, _t64, _t66, _t72);
								_t15 = _t67 - 0x248; // 0x4ae964
								_t56 = _t15;
							}
						}
					}
				}
				E00401B80(_t56);
				return E0045B878(_t52, _t64, _t66);
			}

0x0040b51f
0x0040b51f
0x0040b529
0x0040b52e
0x0040b539
0x0040b541
0x0040b5dc
0x0040b5ea
0x0040b5ec
0x0040b5f4
0x0040b605
0x0040b605
0x0040b60a
0x0040b612
0x0040b619
0x0040b61e
0x0040b623
0x0040b62a
0x0040b630
0x0040b636
0x0040b646
0x0040b64d
0x0040b652
0x0040b654
0x0040b657
0x0040b659
0x0040b65c
0x0040b661
0x0040b547
0x0040b54c
0x0040b554
0x00000000
0x0040b55a
0x0040b560
0x0040b566
0x0040b56d
0x00000000
0x0040b56f
0x0040b577
0x0040b579
0x0040b57b
0x00000000
0x0040b57d
0x0040b57d
0x0040b585
0x0040b58c
0x0040b591
0x0040b596
0x0040b597
0x0040b59d
0x0040b5a3
0x0040b5a9
0x0040b5ae
0x0040b5b7
0x0040b5bd
0x0040b5c2
0x0040b5c4
0x0040b5c7
0x0040b5c9
0x0040b5cc
0x0040b5d1
0x0040b5d1
0x0040b5d1
0x0040b57b
0x0040b56d
0x0040b554
0x0040b667
0x0040b673

APIs

__EH_prolog3_GS.LIBCMT ref: 0040B529
GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000274,0043AD95,?,00000000), ref: 0040B54C
GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0040B560

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

GetWindowsDirectoryW.KERNEL32(?,00000104,00000274,0043AD95,?,00000000), ref: 0040B5E4
__CxxThrowException@8.LIBCMT ref: 0040B605

Strings

dJ, xrefs: 0040B58C
GetSystemWindowsDirectoryW, xrefs: 0040B55A
dJ, xrefs: 0040B619
KERNEL32.DLL, xrefs: 0040B547
lJ, xrefs: 0040B591
lJ, xrefs: 0040B61E
dJ, xrefs: 0040B597, 0040B5B7, 0040B5D1

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$AddressDirectoryException@8H_prolog3_HandleModuleProcThrowWindows
String ID: GetSystemWindowsDirectoryW$KERNEL32.DLL$dJ$dJ$dJ$lJ$lJ
API String ID: 4209068821-3817167310
Opcode ID: b99a8bdcf8f336e0ec6ed0529a9819626f1f7787399facd500bcd07f4a1d03ae
Instruction ID: 683ce8d60a6db0c658658f2cb17ca25fdb16972cdd6cd77333650ab41784f238
Opcode Fuzzy Hash: b99a8bdcf8f336e0ec6ed0529a9819626f1f7787399facd500bcd07f4a1d03ae
Instruction Fuzzy Hash: F03174B19003149ADB60EF62CC49BDEB6B8EF14714F0046AFA549B2291DF789B84CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 0043C3A2, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0043C3A2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t41;
				intOrPtr _t59;
				intOrPtr _t70;
				intOrPtr _t71;
				intOrPtr* _t73;
				void* _t74;

				_push(0x148);
				E0045B8C9(0x4a6750, __ebx, __edi, __esi);
				_t73 =  *((intOrPtr*)(_t74 + 8));
				_t2 = _t74 + 0xc; // 0x4c2f40
				_t70 =  *_t2;
				 *((intOrPtr*)(_t74 - 0x154)) = 0;
				 *(_t74 - 0x114) = 0;
				E0045A4D0(_t74 - 0x113, 0, 0x103);
				 *(_t74 - 0x14c) = 0;
				 *((intOrPtr*)(_t74 - 4)) = 0;
				if(RegOpenKeyW(0x80000002, L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion", _t74 - 0x14c) != 0) {
					_push(0);
					_push(_t74 - 0x145);
					_t71 = 0x4ae964;
					_t59 = 0x4ae96c;
					_push(_t74 - 0x114);
					 *((intOrPtr*)(_t74 - 0x144)) = 0x4ae964;
					 *((intOrPtr*)(_t74 - 0x11c)) = 0x4ae96c;
					E00415AF8(0x4ae96c, _t74 - 0x144, 0x4ae964, _t73, __eflags);
					 *((char*)(_t74 - 4)) = 2;
					_t41 = E0040B9F3(_t74 - 0x144, 0x4ae964, "\\");
				} else {
					_t79 = _t70 - 1;
					_t50 =  !=  ? L"ProgramFilesDir" : L"CommonFilesDir";
					 *(_t74 - 0x150) = 0x104;
					RegQueryValueExW( *(_t74 - 0x14c),  !=  ? L"ProgramFilesDir" : L"CommonFilesDir", 0, 0, _t74 - 0x114, _t74 - 0x150);
					_push(0);
					_push(_t74 - 0x145);
					_t71 = 0x4ae964;
					_t59 = 0x4ae96c;
					_push(_t74 - 0x114);
					 *((intOrPtr*)(_t74 - 0x144)) = 0x4ae964;
					 *((intOrPtr*)(_t74 - 0x11c)) = 0x4ae96c;
					E00415AF8(0x4ae96c, _t74 - 0x144, 0x4ae964, _t73, _t70 - 1);
					 *((char*)(_t74 - 4)) = 1;
					E0040B9F3(_t74 - 0x144, 0x4ae964, "\\");
					E0043C748(_t74 - 0x144, _t70 - 1);
					_t41 = _t74 - 0x144;
				}
				_push(0);
				_push(_t41);
				 *_t73 = _t71;
				 *((intOrPtr*)(_t73 + 0x28)) = _t59;
				E00408E82(_t59, _t73, _t71, _t73, _t79);
				E00401B80(_t74 - 0x144);
				E00433132(_t74 - 0x14c);
				return E0045B878(_t59, _t71, _t73);
			}

0x0043c3a2
0x0043c3ac
0x0043c3b1
0x0043c3b4
0x0043c3b4
0x0043c3c6
0x0043c3cc
0x0043c3d2
0x0043c3da
0x0043c3f1
0x0043c3fc
0x0043c491
0x0043c499
0x0043c4a0
0x0043c4a5
0x0043c4aa
0x0043c4b1
0x0043c4b7
0x0043c4bd
0x0043c4cd
0x0043c4d1
0x0043c402
0x0043c41c
0x0043c41f
0x0043c429
0x0043c433
0x0043c439
0x0043c441
0x0043c448
0x0043c44d
0x0043c452
0x0043c459
0x0043c45f
0x0043c465
0x0043c475
0x0043c479
0x0043c484
0x0043c489
0x0043c489
0x0043c4d6
0x0043c4d8
0x0043c4db
0x0043c4dd
0x0043c4e0
0x0043c4eb
0x0043c4f6
0x0043c502

APIs

__EH_prolog3_GS.LIBCMT ref: 0043C3AC
_memset.LIBCMT ref: 0043C3D2
RegOpenKeyW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,?), ref: 0043C3F4
RegQueryValueExW.ADVAPI32(?,CommonFilesDir,00000000,00000000,?,?), ref: 0043C433

Part of subcall function 00415AF8: __EH_prolog3_GS.LIBCMT ref: 00415AFF
Part of subcall function 00415AF8: GetLastError.KERNEL32(0000003C,00487419,?,?,00000001,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B2A
Part of subcall function 00415AF8: SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00415B5B

Strings

SOFTWARE\Microsoft\Windows\CurrentVersion, xrefs: 0043C3E7
ProgramFilesDir, xrefs: 0043C411
lJ, xrefs: 0043C44D
dJ, xrefs: 0043C448
lJ, xrefs: 0043C4A5
CommonFilesDir, xrefs: 0043C417, 0043C422
@/L, xrefs: 0043C3B4
dJ, xrefs: 0043C4A0

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last$OpenQueryValue_memset
String ID: @/L$CommonFilesDir$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion$dJ$dJ$lJ$lJ
API String ID: 1696510972-2331546588
Opcode ID: 1bd27786b9378dd6905520abf2531d222a44aa79d7a18eb0ca6807fb52d69697
Instruction ID: b406483aece97984e2f67a5298c2128ff1b561336d28c389f68f5baeca76a5df
Opcode Fuzzy Hash: 1bd27786b9378dd6905520abf2531d222a44aa79d7a18eb0ca6807fb52d69697
Instruction Fuzzy Hash: BA313DB19002289BDB24EF56CD91BEDB7B8AF19304F4040EBA50DA3251DB785F848F69

Uniqueness

Uniqueness Score: -1.00%

Function 00437AA3, Relevance: 19.6, APIs: 13, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00437AA3(struct HWND__** __ecx, struct HWND__** __edx, struct HWND__* _a4) {
				signed int _v8;
				int _v12;
				int _v16;
				struct tagPOINT _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				int _v36;
				void _v40;
				struct tagRECT _v56;
				struct HWND__** _v60;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t40;
				struct HWND__* _t75;
				struct HWND__* _t76;
				void* _t78;
				int _t81;
				int _t84;
				struct HWND__** _t88;
				struct HWND__** _t89;
				struct HWND__* _t90;
				signed int _t91;
				int _t95;
				signed int _t98;

				_t88 = __edx;
				_t40 =  *0x4d7e88; // 0x9518852c
				_v8 = _t40 ^ _t98;
				_t76 = _a4;
				_t89 = __ecx;
				_v60 = __ecx;
				_t91 = GetWindowLongW( *__ecx, 0xfffffff0);
				if(_t76 == 0) {
					if((_t91 & 0x40000000) == 0) {
						_t75 = GetWindow( *_t89, 4);
					} else {
						_t75 = GetParent( *_t89);
					}
					_t76 = _t75;
				}
				GetWindowRect( *_t89,  &_v56);
				if((_t91 & 0x40000000) != 0) {
					_t90 = GetParent( *_t89);
					GetClientRect(_t90,  &_v40);
					GetClientRect(_t76,  &_v24);
					MapWindowPoints(_t76, _t90,  &_v24, 2);
					_t81 = _v16;
					_t89 = _v60;
				} else {
					if(_t76 != 0) {
						GetWindowLongW(_t76, 0xfffffff0);
					}
					SystemParametersInfoW(0x30, 0,  &_v40, 0);
					_v24.y = 0;
					_v24.x = 0;
					_v12 = GetSystemMetrics(1);
					_t81 = GetSystemMetrics(0);
					_v16 = _t81;
				}
				_t78 = _v56.right - _v56.left;
				_v60 = _v56.bottom - _v56.top;
				asm("cdq");
				asm("cdq");
				_t95 = (_v24.x + _t81 - _t88 >> 1) - (_t78 - _t88 >> 1);
				asm("cdq");
				asm("cdq");
				_t84 = (_v12 + _v24.y - _t88 >> 1) - (_v60 - _t88 >> 1);
				if(_t95 >= _v40) {
					if(_t95 + _t78 > _v32) {
						_t95 = _v32 - _t78;
					}
				} else {
					_t95 = _v40;
				}
				if(_t84 >= _v36) {
					_t88 = _v60;
					if(_t88 + _t84 > _v28) {
						_t84 = _v28 - _t88;
					}
				} else {
					_t84 = _v36;
				}
				SetWindowPos( *_t89, 0, _t95, _t84, 0xffffffff, 0xffffffff, 0x15);
				return E0045A457(_t78, _v8 ^ _t98, _t88, _t89, _t95);
			}

0x00437aa3
0x00437aa9
0x00437ab0
0x00437ab4
0x00437ab9
0x00437abf
0x00437ac8
0x00437acc
0x00437ad4
0x00437ae4
0x00437ad6
0x00437ad8
0x00437ad8
0x00437aea
0x00437aea
0x00437af2
0x00437afe
0x00437b48
0x00437b4f
0x00437b56
0x00437b60
0x00437b66
0x00437b69
0x00437b00
0x00437b02
0x00437b07
0x00437b07
0x00437b17
0x00437b25
0x00437b28
0x00437b2e
0x00437b33
0x00437b35
0x00437b35
0x00437b75
0x00437b78
0x00437b80
0x00437b87
0x00437b8e
0x00437b96
0x00437b9e
0x00437ba5
0x00437baa
0x00437bb7
0x00437bbc
0x00437bbc
0x00437bac
0x00437bac
0x00437bac
0x00437bc1
0x00437bc8
0x00437bd1
0x00437bd6
0x00437bd6
0x00437bc3
0x00437bc3
0x00437bc3
0x00437be4
0x00437bf8

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00437AC2
GetParent.USER32 ref: 00437AD8
GetWindow.USER32(?,00000004), ref: 00437AE4
GetWindowRect.USER32 ref: 00437AF2
GetWindowLongW.USER32(?,000000F0), ref: 00437B07
SystemParametersInfoW.USER32 ref: 00437B17
GetSystemMetrics.USER32 ref: 00437B2B
GetSystemMetrics.USER32 ref: 00437B31
GetParent.USER32 ref: 00437B3C
GetClientRect.USER32 ref: 00437B4F
GetClientRect.USER32 ref: 00437B56
MapWindowPoints.USER32 ref: 00437B60
SetWindowPos.USER32(?,00000000,?,?,000000FF,000000FF,00000015,?,?,?,?,000000F0), ref: 00437BE4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Window$RectSystem$ClientLongMetricsParent$InfoParametersPoints
String ID:
API String ID: 125675029-0
Opcode ID: 3a1a143f9f2766fa1820a90bb726ea25fce50a5c0061de4e70587d71920ad65e
Instruction ID: a1994a94e485ad5a901164bcccad18befd165f316661fa014ba38c7b29c219ee
Opcode Fuzzy Hash: 3a1a143f9f2766fa1820a90bb726ea25fce50a5c0061de4e70587d71920ad65e
Instruction Fuzzy Hash: F7414F71D00119AFDB10DFA9DD88AEEBFB9EB49314F241169E912B3290DB34AD00CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00436805, Relevance: 19.6, APIs: 13, Instructions: 118
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00436805(void* _a4) {
				signed int _v8;
				struct tagRGBQUAD _v1032;
				struct HDC__* _v1036;
				void* _v1040;
				signed short _v1046;
				signed short _v1048;
				void _v1064;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				void* _t57;
				char _t69;
				BYTE _t72;
				void* _t73;
				struct HDC__* _t74;
				LOGPALETTE* _t75;
				char* _t81;
				PALETTEENTRY* _t82;
				signed int _t83;
				struct HDC__* _t84;
				void* _t85;
				struct HDC__* _t86;
				void* _t87;
				signed int _t88;

				_t43 =  *0x4d7e88; // 0x9518852c
				_v8 = _t43 ^ _t88;
				_t85 = _a4;
				GetObjectW(_t85, 0x18,  &_v1064);
				_t84 = 0;
				if((_v1048 & 0x0000ffff) * (_v1046 & 0x0000ffff) > 8) {
					_t86 = GetDC(0);
					 *0x4d98c8 = CreateHalftonePalette(_t86);
					ReleaseDC(0, _t86);
				} else {
					_push(_t73);
					_t74 = CreateCompatibleDC(0);
					_v1036 = _t74;
					SelectObject(_t74, _t85);
					_t86 = GetDIBColorTable(_t74, 0, 0x100,  &_v1032);
					_t57 = GlobalAlloc(0x42, 0x408);
					_v1040 = _t57;
					_t75 = GlobalLock(_t57);
					_t83 = 0x100;
					_t75->palVersion = 0x1000300;
					if(_t86 != 0x100) {
						_t87 =  >  ? 0xec : _t86;
						_t83 = 0;
						if(_t87 > 0) {
							_t24 = _t75 + 0x2d; // 0x2d
							_t81 = _t24;
							do {
								 *((char*)(_t81 - 1)) =  *((intOrPtr*)(_t88 + _t83 * 4 - 0x402));
								 *_t81 =  *((intOrPtr*)(_t88 + _t83 * 4 - 0x403));
								_t69 =  *((intOrPtr*)(_t88 + _t83 * 4 - 0x404));
								_t83 = _t83 + 1;
								 *((char*)(_t81 + 1)) = _t69;
								 *((char*)(_t81 + 2)) = 4;
								_t81 = _t81 + 4;
							} while (_t83 < _t87);
						}
						_t86 = GetSystemPaletteEntries;
						_t38 =  &(_t75->palPalEntry); // 0x4
						_t84 = _v1036;
						GetSystemPaletteEntries(_t84, _t84, 0xa, _t38);
						_t40 = _t75 + 0x3dc; // 0x3dc
						GetSystemPaletteEntries(_t84, 0xf6, 0xa, _t40);
					} else {
						_t9 =  &(_t75->palPalEntry[0]); // 0x5
						_t82 = _t9;
						do {
							 *((char*)(_t82 - 1)) =  *((intOrPtr*)(_t88 + _t84 * 4 - 0x402));
							_t82->peRed =  *((intOrPtr*)(_t88 + _t84 * 4 - 0x403));
							_t72 =  *((intOrPtr*)(_t88 + _t84 * 4 - 0x404));
							_t84 =  &(_t84->i);
							_t82->peGreen = _t72;
							_t82->peBlue = 4;
							_t82 = _t82 + 4;
						} while (_t84 < 0x100);
						_t84 = _v1036;
					}
					 *0x4d98c8 = CreatePalette(_t75);
					DeleteDC(_t84);
					E00436C21( &_v1040);
					_pop(_t73);
				}
				return E0045A457(_t73, _v8 ^ _t88, _t83, _t84, _t86);
			}

0x0043680e
0x00436815
0x00436819
0x00436827
0x0043683e
0x00436843
0x00436962
0x0043696d
0x00436972
0x00436849
0x00436849
0x00436851
0x00436855
0x0043685b
0x0043687d
0x0043687f
0x00436886
0x00436892
0x00436894
0x00436899
0x004368a1
0x004368de
0x004368e1
0x004368e5
0x004368e7
0x004368e7
0x004368ea
0x004368f1
0x004368fb
0x004368fd
0x00436904
0x00436905
0x00436908
0x0043690c
0x0043690f
0x004368ea
0x00436913
0x00436919
0x00436920
0x00436927
0x00436929
0x00436938
0x004368a3
0x004368a3
0x004368a3
0x004368a6
0x004368ad
0x004368b7
0x004368b9
0x004368c0
0x004368c1
0x004368c4
0x004368c8
0x004368cb
0x004368cf
0x004368cf
0x00436942
0x00436947
0x00436953
0x00436958
0x00436958
0x00436985

APIs

GetObjectW.GDI32(?,00000018,?), ref: 00436827
CreateCompatibleDC.GDI32(00000000), ref: 0043684B
SelectObject.GDI32(00000000,?), ref: 0043685B
GetDIBColorTable.GDI32(00000000,00000000,00000100,?), ref: 00436870
GlobalAlloc.KERNEL32(00000042,00000408), ref: 0043687F
GlobalLock.KERNEL32 ref: 0043688C
GetSystemPaletteEntries.GDI32(?,00000000,0000000A,00000004), ref: 00436927
GetSystemPaletteEntries.GDI32(?,000000F6,0000000A,000003DC), ref: 00436938
CreatePalette.GDI32(00000000), ref: 0043693B
DeleteDC.GDI32(?), ref: 00436947
GetDC.USER32(00000000), ref: 0043695C
CreateHalftonePalette.GDI32(00000000), ref: 00436965
ReleaseDC.USER32 ref: 00436972

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Palette$Create$EntriesGlobalObjectSystem$AllocColorCompatibleDeleteHalftoneLockReleaseSelectTable
String ID:
API String ID: 1699956756-0
Opcode ID: 9fffb9183ea9f75ac36f32c1f257a06a84f546f4a87139108fff568328575c93
Instruction ID: 0e618a48a188d60c81fe0ffe5ce451cc4a34528846e82f1bf0bd46f1c2f94a20
Opcode Fuzzy Hash: 9fffb9183ea9f75ac36f32c1f257a06a84f546f4a87139108fff568328575c93
Instruction Fuzzy Hash: 044159B1500264AFC7118F25DC84BEA7FB8EF5A304F0480FAEB46E7242C6749D46CB28

Uniqueness

Uniqueness Score: -1.00%

Function 00411934, Relevance: 19.6, APIs: 2, Strings: 9, Instructions: 304
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00411934(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t132;
				void* _t146;
				void* _t160;
				void* _t161;
				void* _t163;
				void* _t171;
				intOrPtr _t174;
				void* _t181;
				WCHAR* _t188;
				intOrPtr _t225;
				intOrPtr _t254;
				void* _t267;
				void* _t269;
				void* _t270;
				void* _t296;

				_push(0x144);
				E0045B8C9(0x4a1736, __ebx, __edi, __esi);
				_t269 = __ecx;
				 *(_t270 - 0x138) = 0;
				 *((intOrPtr*)(_t270 - 0x150)) = 0;
				 *((intOrPtr*)(_t270 - 0x14c)) = 0;
				 *((intOrPtr*)(_t270 - 0x148)) = 0;
				_t267 = 0x2001f;
				 *(_t270 - 4) = 0;
				_t132 = E004018F0(_t270 - 0x150, 0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion", 0x2001f);
				_t208 = 2;
				if(_t132 == 0) {
					_t254 =  *0x4d962c; // 0x0
					E0040D1C1(_t254, _t270 - 0xa0);
					 *((intOrPtr*)(_t270 - 0x70)) = 0x4c2fa0;
					 *((intOrPtr*)(_t270 - 0x48)) = 0x4c2f40;
					E00404200(_t270 - 0x70, _t270 - 0x131, 0);
					_t197 =  >=  ?  *((void*)(_t270 - 0x9c)) : _t270 - 0x9c;
					 *(_t270 - 4) = _t208;
					E0040DD64(_t270 - 0x70, L"%%IS_PREREQ%%-%s",  >=  ?  *((void*)(_t270 - 0x9c)) : _t270 - 0x9c);
					_t17 = _t270 - 0x40; // 0x4c2f50
					_push(1);
					_push( *((intOrPtr*)(_t270 + 8)));
					E0040E35C(_t208, _t17, 0x2001f, _t269,  *((intOrPtr*)(_t270 - 0x88)) - 8);
					_t258 =  >=  ?  *((void*)(_t270 - 0x3c)) : _t270 - 0x3c;
					_t202 =  >=  ?  *((void*)(_t270 - 0x6c)) : _t270 - 0x6c;
					E00411F8C(_t270 - 0x150,  >=  ?  *((void*)(_t270 - 0x6c)) : _t270 - 0x6c,  >=  ?  *((void*)(_t270 - 0x3c)) : _t270 - 0x3c, 1);
					_t26 = _t270 - 0x40; // 0x4c2f50
					E00401AC0(_t26);
					E00401B80(_t270 - 0x70);
					 *(_t270 - 4) = 0;
					E00401B80(_t270 - 0xa0);
				}
				if( *((char*)(_t269 + 0x128)) != 0) {
					 *((intOrPtr*)(_t270 - 0x144)) = 0;
					 *((intOrPtr*)(_t270 - 0x140)) = 0;
					 *((intOrPtr*)(_t270 - 0x13c)) = 0;
					 *(_t270 - 4) = 3;
					if(E004018F0(_t270 - 0x144, 0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", _t267) == 0 || E0040E8B4(_t270 - 0x144, 0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", 0, 0, _t267, 0, 0) == 0) {
						_t38 = _t270 - 0x40; // 0x4c2f50
						_t263 = _t38;
						 *((char*)(_t270 - 0x131)) = 0;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t269 + 0xe8)))) + 0x1c))(_t38, 0x12);
						 *(_t270 - 4) = 4;
						if( *((intOrPtr*)(_t270 - 0x2c)) == 0) {
							 *((char*)(_t270 - 0x131)) = 1;
							_t188 = GetCommandLineW();
							_t251 =  !=  ? _t188 : 0x4c2d7c;
							_t263 =  !=  ?  !=  ? _t188 : 0x4c2d7c : 0x4c2d7c;
							E00406A00(_t270 - 0x3c, _t267,  !=  ?  !=  ? _t188 : 0x4c2d7c : 0x4c2d7c);
						}
						_push(1);
						_push(_t270 - 0x132);
						_push(" ");
						E00408F6D(_t208, _t270 - 0xa0, _t267, _t269, 0x4c2d7c);
						_t48 = _t270 - 0x40; // 0x4c2f50
						 *(_t270 - 4) = 5;
						E0041350C(_t208, _t48, _t267, 0x4c2d7c, _t270 - 0xa0);
						 *(_t270 - 4) = 4;
						E00401B80(_t270 - 0xa0);
						_t284 =  *((char*)(_t270 - 0x131));
						if( *((char*)(_t270 - 0x131)) == 0) {
							_push(0);
							_t58 = _t270 - 0x40; // 0x4c2f50
							 *((intOrPtr*)(_t270 - 0xa0)) = 0x4c2fa0;
							 *((intOrPtr*)(_t270 - 0x78)) = 0x4c2f40;
							E00408E82(_t208, _t270 - 0xa0, _t267, _t269, __eflags);
							_t146 = _t270 - 0xa0;
							 *(_t270 - 4) = 7;
						} else {
							_t54 = _t270 - 0x40; // 0x4c2f50
							_t263 = _t270 - 0x130;
							_t146 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t269 + 0xe8)))) + 0x64))(_t270 - 0x130, _t54);
							 *(_t270 - 4) = 6;
							_t208 = 1;
						}
						_push(0);
						_push(_t146);
						 *(_t270 - 0x138) = _t208;
						 *((intOrPtr*)(_t270 - 0x70)) = 0x4c2fa0;
						 *((intOrPtr*)(_t270 - 0x48)) = 0x4c2f40;
						E00408E82(_t208, _t270 - 0x70, _t267, _t269, _t284);
						 *(_t270 - 4) = 8;
						if((_t208 & 0x00000002) != 0) {
							_t208 = _t208 & 0xfffffffd;
							E00401B80(_t270 - 0xa0);
						}
						 *(_t270 - 4) = 0xa;
						if((_t208 & 0x00000001) != 0) {
							E00401B80(_t270 - 0x130);
						}
						_t288 =  *((intOrPtr*)(_t270 - 0x5c));
						if( *((intOrPtr*)(_t270 - 0x5c)) == 0) {
							_t225 =  *0x4d962c; // 0x0
							E0040D131(_t225, _t270 - 0xd0);
							_push(0);
							_push(_t270 - 0x100);
							 *(_t270 - 4) = 0xb;
							E0040E057(0, _t270 - 0xd0, _t263, _t267, _t269, _t288);
							_t159 =  >=  ?  *((void*)(_t270 - 0xcc)) : _t270 - 0xcc;
							 *(_t270 - 4) = 0xc;
							_t160 = E0040A017(_t270 - 0x3c,  >=  ?  *((void*)(_t270 - 0xcc)) : _t270 - 0xcc, 0,  *((intOrPtr*)(_t270 - 0xbc)));
							_t229 =  >=  ?  *((void*)(_t270 - 0xfc)) : _t270 - 0xfc;
							_t267 = _t160;
							_t161 = E0040A017(_t270 - 0x3c,  >=  ?  *((void*)(_t270 - 0xfc)) : _t270 - 0xfc, 0,  *((intOrPtr*)(_t270 - 0xec)));
							_t208 = L".exe";
							_t269 = _t161;
							_t163 = E0040A017(_t270 - 0x3c, L".exe", 0, E0045B5D4(L".exe"));
							_t234 =  >=  ?  *((void*)(_t270 - 0x3c)) : _t270 - 0x3c;
							_t292 =  *((short*)( >=  ?  *((void*)(_t270 - 0x3c)) : _t270 - 0x3c)) - 0x22;
							if( *((short*)( >=  ?  *((void*)(_t270 - 0x3c)) : _t270 - 0x3c)) == 0x22) {
								__eflags = _t267 - 0xffffffff;
								if(_t267 == 0xffffffff) {
									__eflags = _t269 - 1;
									if(_t269 == 1) {
										__eflags =  *((intOrPtr*)(_t270 - 0xbc)) -  *((intOrPtr*)(_t270 - 0xec));
										_t171 = E0040AABC(_t270 - 0xd0, _t270 - 0x130, 0,  *((intOrPtr*)(_t270 - 0xbc)) -  *((intOrPtr*)(_t270 - 0xec)));
										_t113 = _t270 - 0x40; // 0x4c2f50
										 *(_t270 - 4) = 0xe;
										E00412FD5(_t113, _t269, _t171);
										 *(_t270 - 4) = 0xc;
										E00401B80(_t270 - 0x130);
									}
								}
							} else {
								if(_t267 != 0) {
									__eflags = _t269 - 0xffffffff;
									if(_t269 == 0xffffffff) {
										__eflags = _t163 - 0xffffffff;
										if(_t163 == 0xffffffff) {
											_t174 =  *((intOrPtr*)(_t270 - 0x2c));
										} else {
											_t174 = _t163 + 4;
										}
									} else {
										_t174 =  *((intOrPtr*)(_t270 - 0xec)) + _t269;
									}
								} else {
									_t174 =  *((intOrPtr*)(_t270 - 0xbc));
								}
								_t208 = "\"";
								E0041314F("\"", _t270 - 0x3c, _t174, "\"");
								if(_t267 == 0xffffffff && _t269 == 0) {
									_t296 =  *((intOrPtr*)(_t270 - 0xbc)) -  *((intOrPtr*)(_t270 - 0xec));
									_t181 = E0040AABC(_t270 - 0xd0, _t270 - 0x130, _t269,  *((intOrPtr*)(_t270 - 0xbc)) -  *((intOrPtr*)(_t270 - 0xec)));
									_t104 = _t270 - 0x40; // 0x4c2f50
									 *(_t270 - 4) = 0xd;
									E00412FD5(_t104, _t269, _t181);
									 *(_t270 - 4) = 0xc;
									E00401B80(_t270 - 0x130);
								}
								E00413179(_t208, _t270 - 0x3c, _t267, _t269, _t296, 0, _t208, E0045B5D4(_t208));
							}
							_t117 = _t270 - 0x40; // 0x4c2f50
							E004095E2(_t270 - 0x70, _t117);
							E00401B80(_t270 - 0x100);
							E00401B80(_t270 - 0xd0);
						}
						_t149 =  >=  ?  *((void*)(_t270 - 0x6c)) : _t270 - 0x6c;
						E00411F8C(_t270 - 0x144, L"  ISSetupPrerequisistes",  >=  ?  *((void*)(_t270 - 0x6c)) : _t270 - 0x6c, 1);
						E00401B80(_t270 - 0x70);
						_t126 = _t270 - 0x40; // 0x4c2f50
						E00401B80(_t126);
					}
					E004018C0(_t270 - 0x144);
				}
				E004018C0(_t270 - 0x150);
				return E0045B878(_t208, _t267, _t269);
			}

0x00411934
0x0041193e
0x00411943
0x00411947
0x0041194d
0x00411953
0x00411959
0x0041195f
0x00411975
0x00411978
0x0041197f
0x00411982
0x00411988
0x00411995
0x004119a6
0x004119ad
0x004119b4
0x004119c6
0x004119d7
0x004119da
0x004119e2
0x004119e5
0x004119e7
0x004119ea
0x004119f6
0x00411a03
0x00411a0f
0x00411a14
0x00411a17
0x00411a1f
0x00411a2a
0x00411a2e
0x00411a2e
0x00411a3a
0x00411a42
0x00411a48
0x00411a4e
0x00411a65
0x00411a70
0x00411aa0
0x00411aa0
0x00411aa4
0x00411aab
0x00411ab2
0x00411ab6
0x00411ab8
0x00411abf
0x00411ace
0x00411ad3
0x00411ada
0x00411ada
0x00411adf
0x00411ae7
0x00411ae8
0x00411af3
0x00411aff
0x00411b02
0x00411b06
0x00411b11
0x00411b15
0x00411b1a
0x00411b21
0x00411b42
0x00411b44
0x00411b4e
0x00411b58
0x00411b5f
0x00411b64
0x00411b6a
0x00411b23
0x00411b29
0x00411b2f
0x00411b36
0x00411b3b
0x00411b3f
0x00411b3f
0x00411b71
0x00411b73
0x00411b77
0x00411b7d
0x00411b84
0x00411b8b
0x00411b90
0x00411b9a
0x00411ba2
0x00411ba5
0x00411ba5
0x00411baa
0x00411bb1
0x00411bb9
0x00411bb9
0x00411bbe
0x00411bc2
0x00411bc8
0x00411bd5
0x00411bdc
0x00411be3
0x00411bea
0x00411bee
0x00411c06
0x00411c12
0x00411c16
0x00411c2e
0x00411c3a
0x00411c3c
0x00411c41
0x00411c47
0x00411c56
0x00411c62
0x00411c66
0x00411c6a
0x00411d02
0x00411d05
0x00411d07
0x00411d0a
0x00411d12
0x00411d28
0x00411d2f
0x00411d32
0x00411d36
0x00411d41
0x00411d45
0x00411d45
0x00411d0a
0x00411c70
0x00411c72
0x00411c7c
0x00411c7f
0x00411c8b
0x00411c8e
0x00411c95
0x00411c90
0x00411c90
0x00411c90
0x00411c81
0x00411c87
0x00411c87
0x00411c74
0x00411c74
0x00411c74
0x00411c98
0x00411ca2
0x00411caa
0x00411cb6
0x00411ccb
0x00411cd2
0x00411cd5
0x00411cd9
0x00411ce4
0x00411ce8
0x00411ce8
0x00411cfb
0x00411cfb
0x00411d4a
0x00411d51
0x00411d5c
0x00411d67
0x00411d67
0x00411d73
0x00411d85
0x00411d8d
0x00411d92
0x00411d95
0x00411d95
0x00411da0
0x00411da0
0x00411dab
0x00411db5

APIs

__EH_prolog3_GS.LIBCMT ref: 0041193E

Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977

GetCommandLineW.KERNEL32 ref: 00411ABF

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040E35C: __EH_prolog3_GS.LIBCMT ref: 0040E363
Part of subcall function 0040E35C: __itow_s.LIBCMT ref: 0040E39A
Part of subcall function 0040E35C: SetLastError.KERNEL32(?,?,00000000,00000001), ref: 0040E3C9

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061

Part of subcall function 0040A017: __wcsnicmp.LIBCMT ref: 0040A05E

Strings

Software\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 00411A55, 00411A79
@/L, xrefs: 00411B84
P/L, xrefs: 00411AA0, 00411AFF, 00411B44, 00411D92, 00411D4A, 00411D2F, 00411CD2, 00411B29, 004119E2, 00411A14, 00411AA3, 00411B2E, 00411B47, 00411D4D
%%IS_PREREQ%%-%s, xrefs: 004119D1
|-L, xrefs: 00411AC5
.exe, xrefs: 00411C41, 00411C46, 00411C52
Software\Microsoft\Windows\CurrentVersion, xrefs: 00411965
@/L, xrefs: 00411B58
ISSetupPrerequisistes, xrefs: 00411D7A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_$CloseCommandH_prolog3HandleLineModule__itow_s__wcsnicmp
String ID: ISSetupPrerequisistes$%%IS_PREREQ%%-%s$.exe$@/L$@/L$P/L$Software\Microsoft\Windows\CurrentVersion$Software\Microsoft\Windows\CurrentVersion\RunOnce$|-L
API String ID: 3598051681-2365343915
Opcode ID: 0c3ae8b0be834acae102a682ced43bfc7bbf325d307038ca7f6b2c0a870cee96
Instruction ID: 5ba13f66eb6bf40d1a68d8553a301f3a621067c2fc7de99ce0a8a9dd4e7a0d18
Opcode Fuzzy Hash: 0c3ae8b0be834acae102a682ced43bfc7bbf325d307038ca7f6b2c0a870cee96
Instruction Fuzzy Hash: B8D15F71900218EEDB24EBA5CC95FEDB7B8AF14304F1041AEE509B7191EB746E88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00406A50, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00406A50(void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				char _v16;
				signed int _v24;
				long _v28;
				signed int _v32;
				short _v36;
				short _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				char _v72;
				short _v76;
				char _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t55;
				signed int _t57;
				void* _t81;
				intOrPtr* _t82;
				void* _t83;
				short* _t84;
				void* _t91;
				void* _t92;
				void* _t94;
				void* _t95;
				intOrPtr* _t99;
				void* _t100;
				signed int _t101;
				signed int _t103;
				signed int _t105;

				_t91 = __edx;
				_t103 = (_t101 & 0xfffffff8) - 0x40;
				_t55 =  *0x4d7e88; // 0x9518852c
				_v24 = _t55 ^ _t103;
				_t57 =  *0x4d7e88; // 0x9518852c
				 *[fs:0x0] =  &_v16;
				_t82 = _a4;
				_v76 = _t82;
				_v80 = 0;
				_v72 = 0x4c2f50;
				_v32 = 0x4c3454;
				_v28 = GetLastError();
				_v68 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_t14 =  &_v32; // 0x4c3454
				_v48 = 7;
				_v52 = 0;
				_t19 =  *((intOrPtr*)( *_t14 + 4)) + 0x40; // 0x4c3454
				SetLastError( *(_t103 + _t19));
				_v8 = 0;
				E004076B0( &_v72, _a8, _a12, _a16);
				 *_t82 = 0x4c2f50;
				 *((intOrPtr*)(_t82 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t82 + 0x2c)) = GetLastError();
				_t84 = _t82 + 4;
				_v8 = 1;
				 *((intOrPtr*)(_t84 + 0x14)) = 7;
				 *((intOrPtr*)(_t84 + 0x10)) = 0;
				 *_t84 = 0;
				E00406630(_t82, _t84, GetLastError,  &_v68, 0);
				 *((intOrPtr*)(_t82 + 0x1c)) = 0;
				 *((intOrPtr*)(_t82 + 0x20)) = 0;
				 *((intOrPtr*)(_t82 + 0x24)) = 0;
				_t35 =  *((intOrPtr*)(_t82 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t35 + _t82 + 0x28));
				 *((intOrPtr*)( &_v44 +  *((intOrPtr*)(_v44 + 4)))) = GetLastError();
				L0045A7D5(_v56);
				_t99 = __imp__#6;
				_t105 = _t103 + 0x14;
				 *_t99(_v48, 0xffffffff, _t57 ^ _t103, _t92, _t95, _t81,  *[fs:0x0], 0x4ac6d0, 0xffffffff);
				if(_v64 >= 8) {
					 *_t99(_v76);
				}
				_v56 = 7;
				_v60 = 0;
				_v76 = 0;
				SetLastError( *(_t105 +  *((intOrPtr*)(_v80 + 4)) + 0x18));
				 *[fs:0x0] = _v24;
				_pop(_t94);
				_pop(_t100);
				_pop(_t83);
				return E0045A457(_t83, _v32 ^ _t105, _t91, _t94, _t100);
			}

0x00406a50
0x00406a64
0x00406a67
0x00406a6e
0x00406a75
0x00406a81
0x00406a87
0x00406a93
0x00406a97
0x00406a9f
0x00406aa7
0x00406ab1
0x00406ab7
0x00406abc
0x00406ac0
0x00406ac4
0x00406ac8
0x00406acc
0x00406ad4
0x00406adf
0x00406ae3
0x00406af3
0x00406afd
0x00406b05
0x00406b0b
0x00406b14
0x00406b17
0x00406b1a
0x00406b23
0x00406b2a
0x00406b32
0x00406b3a
0x00406b3f
0x00406b46
0x00406b4d
0x00406b57
0x00406b5e
0x00406b73
0x00406b79
0x00406b7e
0x00406b84
0x00406b8b
0x00406b92
0x00406b98
0x00406b98
0x00406ba0
0x00406ba8
0x00406bb0
0x00406bbc
0x00406bc8
0x00406bd0
0x00406bd1
0x00406bd2
0x00406be1

APIs

GetLastError.KERNEL32 ref: 00406AAF
SetLastError.KERNEL32(T4L), ref: 00406AE3

Part of subcall function 004076B0: MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,9518852C,73B74D40,004C2BD0,?), ref: 00407740
Part of subcall function 004076B0: MultiByteToWideChar.KERNEL32(?,00000000,?), ref: 0040777A

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,004AC534,000000FF), ref: 00406B12
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00406B5E
GetLastError.KERNEL32 ref: 00406B71
SysFreeString.OLEAUT32(?), ref: 00406B8B
SysFreeString.OLEAUT32(?), ref: 00406B98
SetLastError.KERNEL32(?), ref: 00406BBC

Strings

T4L, xrefs: 00406AC8
T4L, xrefs: 00406B0B
P/L, xrefs: 00406A9F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$ByteCharFreeMultiStringWide
String ID: P/L$T4L$T4L
API String ID: 2284902721-3173176628
Opcode ID: 3ae3266bdfdd9d79b83792cf97e8810885b8ec6cf128fde48950cf530916e1f5
Instruction ID: 4c80653b5d897dca7e27edd00cbf094af4f427c3fbf883ec6c6d273dc4d47016
Opcode Fuzzy Hash: 3ae3266bdfdd9d79b83792cf97e8810885b8ec6cf128fde48950cf530916e1f5
Instruction Fuzzy Hash: 9D4115B15083409FC700DF29C884B4ABBE4FF89318F114A6EF8588B2A1D775E819CF86

Uniqueness

Uniqueness Score: -1.00%

Function 0044A200, Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 81
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0044A200(void* __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				void* __ebx;
				void* __edi;
				void* _t13;
				intOrPtr* _t18;
				_Unknown_base(*)()* _t20;
				signed int _t22;
				signed int _t24;
				WCHAR* _t29;
				signed int _t30;
				signed int _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				void* _t41;

				_push(__ecx);
				_t13 = E0044A300(__ecx);
				if(_t13 != 0) {
					_t29 = L"kernel32";
					_v8 = GetProcAddress(GetModuleHandleW(_t29), "Wow64DisableWow64FsRedirection");
					_t30 = GetProcAddress(GetModuleHandleW(_t29), "Wow64RevertWow64FsRedirection");
					_t18 = _v8;
					if(_t18 == 0 || _t30 == 0) {
						L9:
						_t20 = GetProcAddress(GetModuleHandleW(L"kernel32"), "Wow64EnableWow64FsRedirection");
						if(_t20 != 0) {
							_t22 =  *_t20(_a4) & 0xffffff00 | _t21 != 0x00000000;
						} else {
							_t22 = 0;
						}
					} else {
						if(_a4 != 0) {
							if( *0x4d9b00 == 0) {
								goto L9;
							} else {
								_t24 =  *_t30( *((intOrPtr*)(E004409EE(0x4d9af0))));
								_t35 =  *0x4d9b00; // 0x0
								_t22 = _t24 & 0xffffff00 | _t24 != 0x00000000;
								if(_t35 != 0) {
									 *0x4d9b00 = _t35 - 1;
									_t37 =  *0x4d9afc; // 0x0
									_t41 = 0;
									_t38 =  ==  ? _t41 : _t37;
									 *0x4d9afc =  ==  ? _t41 : _t37;
								}
							}
						} else {
							_t32 = _t30 & 0xffffff00 |  *_t18( &_v8) != 0x00000000;
							E00447B48(_t32, 0x4d9af0, GetProcAddress,  &_v8);
							_t22 = _t32;
						}
					}
					return _t22;
				} else {
					return _t13;
				}
			}

0x0044a203
0x0044a204
0x0044a20b
0x0044a21d
0x0044a234
0x0044a23c
0x0044a23e
0x0044a243
0x0044a2ad
0x0044a2ba
0x0044a2be
0x0044a2cb
0x0044a2c0
0x0044a2c0
0x0044a2c0
0x0044a249
0x0044a24d
0x0044a273
0x00000000
0x0044a275
0x0044a281
0x0044a283
0x0044a28b
0x0044a290
0x0044a293
0x0044a299
0x0044a2a1
0x0044a2a2
0x0044a2a5
0x0044a2a5
0x0044a290
0x0044a24f
0x0044a260
0x0044a263
0x0044a268
0x0044a268
0x0044a24d
0x0044a2d2
0x0044a20e
0x0044a20e
0x0044a20e

APIs

Part of subcall function 0044A300: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0044A209), ref: 0044A313
Part of subcall function 0044A300: GetProcAddress.KERNEL32(00000000), ref: 0044A31A
Part of subcall function 0044A300: GetCurrentProcess.KERNEL32(00000000,?,?,?,0044A209), ref: 0044A32A

GetModuleHandleW.KERNEL32(kernel32,Wow64DisableWow64FsRedirection), ref: 0044A223
GetProcAddress.KERNEL32(00000000), ref: 0044A22C
GetModuleHandleW.KERNEL32(kernel32,Wow64RevertWow64FsRedirection), ref: 0044A237
GetProcAddress.KERNEL32(00000000), ref: 0044A23A

Strings

Wow64DisableWow64FsRedirection, xrefs: 0044A218
Wow64RevertWow64FsRedirection, xrefs: 0044A22E
ec, xrefs: 0044A25B, 0044A275
Wow64EnableWow64FsRedirection, xrefs: 0044A2AD
kernel32, xrefs: 0044A21D, 0044A222, 0044A233, 0044A2B2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$CurrentProcess
String ID: ec$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32
API String ID: 565683799-152767020
Opcode ID: a7d460847f7ac47c9885598faf888c97aae771e5c34a54c084e4059b01bf2cde
Instruction ID: 13ad9e053d7390241737b19a12295ca612cefdc63b0c677b9ac50012449135f7
Opcode Fuzzy Hash: a7d460847f7ac47c9885598faf888c97aae771e5c34a54c084e4059b01bf2cde
Instruction Fuzzy Hash: D711C031681209ABEF14AFA69C51B9B379CBF45344B10406BB902D33A0DBFDDC11EA69

Uniqueness

Uniqueness Score: -1.00%

Function 004076B0, Relevance: 18.2, APIs: 6, Strings: 6, Instructions: 204
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E004076B0(intOrPtr _a4, char* _a8, unsigned int _a12, int _a16) {
				int _v8;
				intOrPtr _v12;
				char _v16;
				signed int _v20;
				signed int _v24;
				long _v28;
				intOrPtr _v32;
				char _v40;
				int _v44;
				int _v48;
				int _v52;
				char _v68;
				intOrPtr _v72;
				short* _v76;
				char* _v80;
				int _v84;
				intOrPtr _v88;
				intOrPtr _v96;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t70;
				signed int _t72;
				short** _t85;
				short** _t102;
				char* _t106;
				signed int _t108;
				char _t115;
				unsigned int _t117;
				void* _t118;
				char* _t119;
				char* _t123;
				int _t124;
				char* _t145;
				char* _t147;
				void* _t148;
				int _t151;
				int _t152;
				void* _t156;
				char* _t157;
				short* _t158;
				signed int _t159;
				signed int _t161;
				void* _t162;
				void* _t163;
				unsigned int _t168;

				_push(0xffffffff);
				_push(0x4ac730);
				_push( *[fs:0x0]);
				_t161 = (_t159 & 0xfffffff8) - 0x48;
				_t70 =  *0x4d7e88; // 0x9518852c
				_v24 = _t70 ^ _t161;
				_t72 =  *0x4d7e88; // 0x9518852c
				_push(_t72 ^ _t161);
				 *[fs:0x0] =  &_v16;
				_t124 = _a16;
				_t147 = _a8;
				_t117 = _a12;
				_v88 = _a4;
				_v80 = _t147;
				_v84 = _t117;
				if(_t124 == 0x4b0 || _t124 == 0x4b1) {
					__eflags = _t117 - 0xffffffff;
					if(_t117 == 0xffffffff) {
						_t119 = _t147;
						_t143 =  &(_t119[2]);
						do {
							_t106 =  *_t119;
							_t119 =  &(_t119[2]);
							__eflags = _t106;
						} while (_t106 != 0);
						_t117 = (_t119 - _t143 >> 1) + (_t119 - _t143 >> 1);
						__eflags = _t117;
					}
					__eflags = _t124 - 0x4b1;
					if(__eflags != 0) {
						__eflags = _t147;
						_v72 = 0x4c2f50;
						_v32 = 0x4c3454;
						_t155 =  !=  ? _t147 : 0x4c2d7c;
						_v28 = GetLastError();
						_v8 = 3;
						_v68 = 0;
						_push(_t117 >> 1);
						__eflags = 0x4c2d7c;
						_t81 =  !=  ? 0x4c2d7c : 0x4c2d7c;
						_push( !=  ? 0x4c2d7c : 0x4c2d7c);
						_v48 = 7;
						_v52 = 0;
						E00406EB0(_t117,  &_v68, _t147,  !=  ? _t147 : 0x4c2d7c);
						_t56 =  &_v40; // 0x4c3454
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_t62 =  *((intOrPtr*)( *_t56 + 4)) + 0x48; // 0x4c3454
						SetLastError( *(_t161 + _t62));
						_t127 = _v96 + 4;
						_t85 =  &_v76;
						_v16 = 4;
						__eflags = _v96 + 4 - _t85;
						if(_v96 + 4 != _t85) {
							_push(0xffffffff);
							E00406630(_t117, _t127, _t147, _t85, 0);
						}
						E00401A60( &_v68);
					} else {
						_t157 = E00459ADF(_t117, _t143, _t147, __eflags);
						_v76 = _t157;
						_v8 = 0;
						E0045A76C(_t147, _t157, _t147, _t157, _t117);
						_t162 = _t161 + 0x10;
						__eflags = _t157;
						_v72 = 0x4c2f50;
						_v32 = 0x4c3454;
						_t150 =  !=  ? _t157 : 0x4c2d7c;
						_v28 = GetLastError();
						_v8 = 1;
						_v68 = 0;
						__eflags = 0x4c2d7c;
						_t98 =  !=  ? 0x4c2d7c : 0x4c2d7c;
						_v48 = 7;
						_v52 = 0;
						E00406EB0(_t117,  &_v68,  !=  ? _t157 : 0x4c2d7c, _t157,  !=  ? 0x4c2d7c : 0x4c2d7c, _t117 >> 1, _t117 + 1);
						_t37 =  &_v40; // 0x4c3454
						_v52 = 0;
						_v48 = 0;
						_v44 = 0;
						_t43 =  *((intOrPtr*)( *_t37 + 4)) + 0x48; // 0x4c3454
						SetLastError( *(_t162 + _t43));
						_t135 = _v96 + 4;
						_t102 =  &_v76;
						_v16 = 2;
						__eflags = _v96 + 4 - _t102;
						if(_v96 + 4 != _t102) {
							_push(0xffffffff);
							E00406630(_t117, _t135, _t150, _t102, 0);
						}
						E00401A60( &_v68);
						L0045A2FE(_t157);
						_t161 = _t162 + 4;
					}
				} else {
					if(_t117 == 0xffffffff) {
						_t123 = _t147;
						_t145 =  &(_t123[1]);
						do {
							_t115 =  *_t123;
							_t123 =  &(_t123[1]);
						} while (_t115 != 0);
						_t117 = _t123 - _t145;
						_t168 = _t117;
						_v84 = _t117;
					}
					_t108 = MultiByteToWideChar(_t124, 0, _t147, _t117 + 1, 0, 0);
					_t151 = _t108;
					_t143 = _t108 * 2 >> 0x20;
					_push( ~(0 | _t168 > 0x00000000) | _t108 * 0x00000002);
					_t158 = E00459ADF(MultiByteToWideChar, _t108 * 2 >> 0x20, _t151, _t168);
					_t163 = _t161 + 4;
					_v76 = _t158;
					_v8 = 5;
					_t152 = MultiByteToWideChar(_a16, 0, _v80, _v84, _t158, _t151);
					if(_t152 > 0) {
						_push(_t152);
						_push(_t158);
						E00406EB0(MultiByteToWideChar, _v88 + 4, _t152, _t158);
					}
					L0045A2FE(_t158);
					_t161 = _t163 + 4;
				}
				 *[fs:0x0] = _v12;
				_pop(_t148);
				_pop(_t156);
				_pop(_t118);
				return E0045A457(_t118, _v20 ^ _t161, _t143, _t148, _t156);
			}

0x004076b6
0x004076b8
0x004076c3
0x004076c4
0x004076c7
0x004076ce
0x004076d5
0x004076dc
0x004076e1
0x004076e7
0x004076ed
0x004076f0
0x004076f3
0x004076f7
0x004076fb
0x00407705
0x004077a0
0x004077a3
0x004077a5
0x004077a7
0x004077b0
0x004077b0
0x004077b3
0x004077b6
0x004077b6
0x004077bf
0x004077bf
0x004077bf
0x004077c1
0x004077c7
0x004078ab
0x004078ad
0x004078b5
0x004078bd
0x004078c6
0x004078cc
0x004078d4
0x004078dd
0x004078de
0x004078e5
0x004078e8
0x004078ed
0x004078f5
0x004078fd
0x00407902
0x00407906
0x0040790e
0x00407916
0x00407921
0x00407925
0x0040792f
0x00407932
0x00407936
0x0040793e
0x00407940
0x00407942
0x00407947
0x00407947
0x00407950
0x004077cd
0x004077d6
0x004077d8
0x004077df
0x004077e7
0x004077ec
0x004077f4
0x004077f6
0x004077fe
0x00407806
0x0040780f
0x00407815
0x0040781a
0x00407824
0x0040782b
0x00407833
0x0040783b
0x00407843
0x00407848
0x0040784c
0x00407854
0x0040785c
0x00407867
0x0040786b
0x00407875
0x00407878
0x0040787c
0x00407881
0x00407883
0x00407885
0x0040788a
0x0040788a
0x00407893
0x00407899
0x0040789e
0x0040789e
0x00407717
0x0040771a
0x0040771c
0x0040771e
0x00407721
0x00407721
0x00407723
0x00407724
0x00407728
0x00407728
0x0040772a
0x0040772a
0x00407740
0x00407744
0x0040774b
0x00407754
0x0040775a
0x0040775c
0x0040775f
0x00407769
0x0040777c
0x00407780
0x00407786
0x0040778a
0x0040778b
0x0040778b
0x00407791
0x00407796
0x00407799
0x0040795b
0x00407963
0x00407964
0x00407965
0x00407974

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,9518852C,73B74D40,004C2BD0,?), ref: 00407740
MultiByteToWideChar.KERNEL32(?,00000000,?), ref: 0040777A
GetLastError.KERNEL32 ref: 00407809
SetLastError.KERNEL32(T4L,004C2D7C,?), ref: 0040786B
GetLastError.KERNEL32 ref: 004078C0
SetLastError.KERNEL32(T4L,004C2D7C,?), ref: 00407925

Strings

P/L, xrefs: 004078AD
T4L, xrefs: 00407848
|-L, xrefs: 004078E0
|-L, xrefs: 00407826
|-L, xrefs: 004077EF
|-L, xrefs: 004078A6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide
String ID: P/L$T4L$|-L$|-L$|-L$|-L
API String ID: 3361762293-1609406821
Opcode ID: b1129c17b4ca90fff95c6b473b394de8dd18e0d0dda4cba1df37cc2290e5c838
Instruction ID: 0a917cf521e772b58967fe5844428d44fa457d819a2846fc61b680c419a4fc13
Opcode Fuzzy Hash: b1129c17b4ca90fff95c6b473b394de8dd18e0d0dda4cba1df37cc2290e5c838
Instruction Fuzzy Hash: 8E71CFB55083409BD710DF29C885B1BBBE4EF89358F000A2EF955973D1D7B9E908CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00402000, Relevance: 18.2, APIs: 12, Instructions: 160
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00402000(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
				struct _OVERLAPPED* _v8;
				char _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				struct _OVERLAPPED* _v48;
				short _v64;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v92;
				struct _OVERLAPPED* _v96;
				short _v112;
				char _v116;
				char _v117;
				void _v124;
				long _v128;
				void _v132;
				long _v136;
				void* __edi;
				void* __esi;
				signed int _t55;
				signed int _t56;
				WCHAR* _t61;
				signed int _t93;
				void* _t99;
				void* _t109;
				intOrPtr* _t113;
				void* _t114;
				void* _t116;
				void* _t119;
				signed int _t120;

				_t109 = __edx;
				_t99 = __ebx;
				_push(0xffffffff);
				_push(0x4ac618);
				_push( *[fs:0x0]);
				_t55 =  *0x4d7e88; // 0x9518852c
				_t56 = _t55 ^ _t120;
				_v20 = _t56;
				_push(_t56);
				 *[fs:0x0] =  &_v16;
				E00402CE0(__ecx,  &_v117, 1);
				_v8 = 0;
				_t61 = E00401CA0( &_v116, _t109) + 4;
				if(_t61[0xa] >= 8) {
					_t61 =  *_t61;
				}
				_t116 = CreateFileW(_t61, 0xc0000000, 1, 0, 4, 0x80, 0);
				 *((intOrPtr*)( &_v76 +  *((intOrPtr*)(_v76 + 4)))) = GetLastError();
				L0045A7D5(_v88);
				_t113 = __imp__#6;
				 *_t113(_v80);
				if(_v92 >= 8) {
					 *_t113(_v112);
				}
				_v112 = 0;
				_v92 = 7;
				_v96 = 0;
				SetLastError( *(_t120 +  *((intOrPtr*)(_v116 + 4)) - 0x70));
				_t71 = SetFilePointer;
				if( *0x4dab27 == 0) {
					_v124 = 0;
					_v128 = 0;
					SetFilePointer(_t116, 0, 0, 0);
					if(ReadFile(_t116,  &_v124, 2,  &_v128, 0) == 0 || _v128 != 2) {
						_t93 =  *0x4dab27; // 0x0
					} else {
						_t93 = 0xfe00 | _v124 == 0x0000feff;
						 *0x4dab27 = _t93;
					}
					if(_t93 == 0) {
						_v132 = 0xfeff;
						WriteFile(_t116,  &_v132, 2,  &_v136, 0);
					}
					_t71 = SetFilePointer;
					 *0x4dab27 = 1;
				}
				 *_t71(_t116, 0, 0, 2);
				_t104 =  >=  ? _v64 :  &_v64;
				WriteFile(_t116,  >=  ? _v64 :  &_v64, _v48 + _v48,  &_v136, 0);
				if(_t116 != 0 && CloseHandle != 0) {
					CloseHandle(_t116);
				}
				 *((intOrPtr*)( &_v28 +  *((intOrPtr*)(_v28 + 4)))) = GetLastError();
				L0045A7D5(_v40);
				 *_t113(_v32);
				if(_v44 >= 8) {
					 *_t113(_v64);
				}
				_v64 = 0;
				_v44 = 7;
				_v48 = 0;
				SetLastError( *(_t120 +  *((intOrPtr*)(_v68 + 4)) - 0x40));
				 *[fs:0x0] = _v16;
				_pop(_t114);
				_pop(_t119);
				return E0045A457(_t99, _v20 ^ _t120, _t109, _t114, _t119);
			}

0x00402000
0x00402000
0x00402003
0x00402005
0x00402010
0x00402014
0x00402019
0x0040201b
0x00402020
0x00402024
0x00402034
0x0040203c
0x00402048
0x0040204f
0x00402051
0x00402051
0x0040206c
0x0040207f
0x00402084
0x00402089
0x00402095
0x0040209b
0x004020a0
0x004020a0
0x004020a4
0x004020ab
0x004020b2
0x004020c0
0x004020cd
0x004020d2
0x004020db
0x004020e2
0x004020e9
0x00402100
0x0040211b
0x00402108
0x00402111
0x00402114
0x00402114
0x00402122
0x00402134
0x0040213b
0x0040213b
0x00402141
0x00402146
0x00402146
0x00402154
0x00402169
0x00402172
0x0040217a
0x00402186
0x00402186
0x00402199
0x0040219e
0x004021a9
0x004021af
0x004021b4
0x004021b4
0x004021b8
0x004021bf
0x004021c6
0x004021d4
0x004021dd
0x004021e5
0x004021e6
0x004021f4

APIs

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

CreateFileW.KERNEL32(-00000004,C0000000,00000001,00000000,00000004,00000080,00000000,?,?,00000001,9518852C), ref: 00402066
GetLastError.KERNEL32(?,?,00000001,9518852C), ref: 00402079
SysFreeString.OLEAUT32(?), ref: 00402095
SysFreeString.OLEAUT32(?), ref: 004020A0
SetLastError.KERNEL32(?), ref: 004020C0
ReadFile.KERNEL32(00000000,00000000,00000002,00000000,00000000), ref: 004020F8
WriteFile.KERNEL32(00000000,00000000,00000002,?), ref: 0040213B
WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 00402172
GetLastError.KERNEL32 ref: 00402193
SysFreeString.OLEAUT32(?), ref: 004021A9
SysFreeString.OLEAUT32(?), ref: 004021B4
SetLastError.KERNEL32(?), ref: 004021D4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FileFreeString$Write$CreateRead
String ID:
API String ID: 2306213392-0
Opcode ID: 74b8f1236cacd319532d57d6b2d5a616290a54c3b6498e0a95c4e9d8e35ed752
Instruction ID: e106a9f4cbf14f95d49d83af86798c1b7ba84dd5c8c358d7f972cb33e0b1c78b
Opcode Fuzzy Hash: 74b8f1236cacd319532d57d6b2d5a616290a54c3b6498e0a95c4e9d8e35ed752
Instruction Fuzzy Hash: 07514931900208AFEB10DFA5DC49FADBBB8FF09704F10406AEA14BB2E1D774A955CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004070A0, Relevance: 17.9, APIs: 8, Strings: 2, Instructions: 378
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004070A0(void* __ebx, short* __ecx, void* __esi, signed int _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				signed int _v0;
				signed int _v8;
				unsigned int _v12;
				void* __ebp;
				void* _t159;
				int _t163;
				short _t164;
				intOrPtr _t165;
				signed int _t168;
				signed int _t174;
				intOrPtr _t175;
				signed int _t176;
				intOrPtr _t177;
				signed int _t178;
				intOrPtr _t179;
				signed int _t181;
				intOrPtr* _t182;
				signed int _t185;
				void* _t189;
				intOrPtr _t202;
				intOrPtr _t212;
				intOrPtr _t223;
				intOrPtr _t224;
				signed int _t225;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				intOrPtr* _t262;
				intOrPtr* _t263;
				intOrPtr* _t264;
				intOrPtr* _t265;
				int _t269;
				unsigned int _t270;
				signed int _t271;
				signed int _t275;
				signed int _t276;
				intOrPtr* _t277;
				intOrPtr* _t278;
				intOrPtr* _t279;
				signed int _t280;
				intOrPtr _t283;
				intOrPtr* _t284;
				intOrPtr* _t285;
				intOrPtr _t287;
				intOrPtr* _t288;
				intOrPtr* _t289;
				intOrPtr* _t290;
				signed int _t291;
				intOrPtr _t292;
				intOrPtr* _t293;
				short* _t295;
				signed int _t297;
				int _t298;
				signed int _t302;
				signed int _t303;
				intOrPtr* _t304;
				intOrPtr* _t307;
				intOrPtr* _t308;
				signed int _t310;
				void* _t311;
				signed int _t316;
				intOrPtr* _t320;
				void* _t325;
				void* _t326;

				_t297 = _a4;
				_t326 = _t325 - 8;
				_t320 = __ecx;
				_t269 =  *(__ecx + 0x10);
				if(_t269 < _t297) {
					L111:
					_push("invalid string position");
					E00459FCD(__eflags);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_t298 = _t269;
					_t270 = _v12;
					__eflags = _t270 - 1;
					if(_t270 != 1) {
						__eflags =  *((intOrPtr*)(_t298 + 0x14)) - 8;
						if( *((intOrPtr*)(_t298 + 0x14)) >= 8) {
							_t298 =  *_t298;
						}
						_t159 = _v0;
						_push(_t310);
						_t311 = _t298 + _t159 * 2;
						__eflags = _t270;
						if(_t270 != 0) {
							_t271 = _t270 >> 1;
							__eflags = _t271;
							_t163 = memset(_t311, _a8 & 0x0000ffff | (_a8 & 0x0000ffff) << 0x00000010, _t271 << 2);
							asm("adc ecx, ecx");
							_t159 = memset(_t311 + _t271, _t163, 0);
						}
						return _t159;
					} else {
						__eflags =  *((intOrPtr*)(_t298 + 0x14)) - 8;
						if( *((intOrPtr*)(_t298 + 0x14)) >= 8) {
							_t298 =  *_t298;
						}
						_t164 = _a8;
						 *((short*)(_t298 + _v0 * 2)) = _t164;
						return _t164;
					}
				} else {
					_push(_t310);
					_t165 =  *((intOrPtr*)(_a12 + 0x10));
					if(_t165 < _a16) {
						goto L111;
					} else {
						_t316 = _t269 - _t297;
						_t253 =  <  ? _t316 : _a8;
						_v8 = _t316;
						_t310 =  <  ? _t165 - _a16 : _a20;
						_t168 = _t269 - _t253;
						_a20 = _t168;
						_a8 = _t253;
						_t254 = _a12;
						if((_t168 | 0xffffffff) - _t310 <= _a20) {
							_push("string too long");
							E00459F9F(__eflags);
							goto L110;
						} else {
							_t174 = _v8 - _a8;
							_t302 = _a20 + _t310;
							_a20 = _t302;
							_t303 = _a4;
							_v8 = _t174;
							if(_t269 >= _t302) {
								L13:
								if(_t320 == _t254) {
									_t275 = _a8;
									__eflags = _t310 - _t275;
									if(_t310 > _t275) {
										_t255 = _a16;
										__eflags = _t255 - _t303;
										if(_t255 > _t303) {
											_t276 = _t275 + _t303;
											_a12 = _t276;
											__eflags = _t276 - _t255;
											if(_t276 > _t255) {
												_t175 =  *((intOrPtr*)(_t320 + 0x14));
												__eflags = _t175 - 8;
												if(_t175 < 8) {
													_v12 = _t320;
												} else {
													_v12 =  *_t320;
												}
												__eflags = _t175 - 8;
												if(_t175 < 8) {
													_t277 = _t320;
												} else {
													_t277 =  *_t320;
												}
												_t176 = _a8;
												__eflags = _t176;
												if(_t176 != 0) {
													__eflags = _t176 + _t176;
													E0045AF90(_t277 + _t303 * 2, _v12 + _t255 * 2, _t176 + _t176);
													_t303 = _a4;
													_t326 = _t326 + 0xc;
												}
												_t177 =  *((intOrPtr*)(_t320 + 0x14));
												__eflags = _t177 - 8;
												if(_t177 < 8) {
													_a4 = _t320;
												} else {
													_a4 =  *_t320;
												}
												__eflags = _t177 - 8;
												if(_t177 < 8) {
													_t278 = _t320;
												} else {
													_t278 =  *_t320;
												}
												_t178 = _v8;
												__eflags = _t178;
												if(_t178 != 0) {
													__eflags = _t178 + _t178;
													E0045AF90(_t278 + (_t303 + _t310) * 2, _a4 + _a12 * 2, _t178 + _t178);
													_t255 = _a16;
													_t326 = _t326 + 0xc;
												}
												_t179 =  *((intOrPtr*)(_t320 + 0x14));
												__eflags = _t179 - 8;
												if(_t179 < 8) {
													_t304 = _t320;
												} else {
													_t304 =  *_t320;
												}
												__eflags = _t179 - 8;
												if(_t179 < 8) {
													_t279 = _t320;
												} else {
													_t279 =  *_t320;
												}
												_t181 = _t310 - _a8;
												__eflags = _t181;
												if(_t181 != 0) {
													_t185 = _t181 + _t181;
													__eflags = _t185;
													_push(_t185);
													_push(_t304 + (_t255 + _t310) * 2);
													_t189 = _t279 + _a12 * 2;
													goto L104;
												}
											} else {
												_t283 =  *((intOrPtr*)(_t320 + 0x14));
												__eflags = _t283 - 8;
												if(_t283 < 8) {
													_v12 = _t320;
												} else {
													_v12 =  *_t320;
													_t255 = _a16;
												}
												__eflags = _t283 - 8;
												if(_t283 < 8) {
													_t284 = _t320;
												} else {
													_t284 =  *_t320;
												}
												__eflags = _t174;
												if(_t174 != 0) {
													__eflags = _t174 + _t174;
													E0045AF90(_t284 + (_t303 + _t310) * 2, _v12 + _a12 * 2, _t174 + _t174);
													_t303 = _a4;
													_t255 = _a16;
													_t326 = _t326 + 0xc;
												}
												_t202 =  *((intOrPtr*)(_t320 + 0x14));
												__eflags = _t202 - 8;
												if(_t202 < 8) {
													_a4 = _t320;
												} else {
													_a4 =  *_t320;
												}
												__eflags = _t202 - 8;
												if(_t202 < 8) {
													_t285 = _t320;
												} else {
													_t285 =  *_t320;
												}
												__eflags = _t310;
												if(_t310 != 0) {
													_push(_t310 + _t310);
													_push(_a4 + (_t255 - _a8 + _t310) * 2);
													_t189 = _t285 + _t303 * 2;
													goto L104;
												}
											}
										} else {
											_t287 =  *((intOrPtr*)(_t320 + 0x14));
											__eflags = _t287 - 8;
											if(_t287 < 8) {
												_t262 = _t320;
											} else {
												_t262 =  *_t320;
											}
											__eflags = _t287 - 8;
											if(_t287 < 8) {
												_t288 = _t320;
											} else {
												_t288 =  *_t320;
											}
											__eflags = _t174;
											if(_t174 != 0) {
												__eflags = _a8 + _t303;
												E0045AF90(_t288 + (_t303 + _t310) * 2, _t262 + (_a8 + _t303) * 2, _t174 + _t174);
												_t303 = _a4;
												_t326 = _t326 + 0xc;
											}
											_t212 =  *((intOrPtr*)(_t320 + 0x14));
											__eflags = _t212 - 8;
											if(_t212 < 8) {
												_t263 = _t320;
											} else {
												_t263 =  *_t320;
											}
											__eflags = _t212 - 8;
											if(_t212 < 8) {
												_t289 = _t320;
											} else {
												_t289 =  *_t320;
											}
											__eflags = _t310;
											if(_t310 != 0) {
												_push(_t310 + _t310);
												_push(_t263 + _a16 * 2);
												_t189 = _t289 + _t303 * 2;
												goto L104;
											}
										}
									} else {
										_t223 =  *((intOrPtr*)(_t320 + 0x14));
										__eflags = _t223 - 8;
										if(_t223 < 8) {
											_t264 = _t320;
										} else {
											_t264 =  *_t320;
										}
										__eflags = _t223 - 8;
										if(_t223 < 8) {
											_t290 = _t320;
										} else {
											_t290 =  *_t320;
										}
										__eflags = _t310;
										if(_t310 != 0) {
											E0045AF90(_t290 + _t303 * 2, _t264 + _a16 * 2, _t310 + _t310);
											_t326 = _t326 + 0xc;
										}
										_t224 =  *((intOrPtr*)(_t320 + 0x14));
										__eflags = _t224 - 8;
										if(_t224 < 8) {
											_t265 = _t320;
										} else {
											_t265 =  *_t320;
										}
										__eflags = _t224 - 8;
										if(_t224 < 8) {
											_t307 = _t320;
										} else {
											_t307 =  *_t320;
										}
										_t225 = _v8;
										__eflags = _t225;
										if(_t225 != 0) {
											_t291 = _a4;
											_push(_t225 + _t225);
											_push(_t265 + (_a8 + _t291) * 2);
											_t189 = _t307 + (_t291 + _t310) * 2;
											L104:
											_push(_t189);
											E0045AF90();
											goto L105;
										}
									}
								} else {
									_t292 =  *((intOrPtr*)(_t320 + 0x14));
									if(_t292 < 8) {
										_t174 = _v8;
										_v12 = _t320;
									} else {
										_v12 =  *_t320;
										_t303 = _a4;
									}
									if(_t292 < 8) {
										_t293 = _t320;
									} else {
										_t293 =  *_t320;
									}
									if(_t174 != 0) {
										E0045AF90(_t293 + (_t303 + _t310) * 2, _v12 + (_a8 + _t303) * 2, _t174 + _t174);
										_t254 = _a12;
										_t326 = _t326 + 0xc;
									}
									if( *((intOrPtr*)(_t254 + 0x14)) >= 8) {
										_t254 =  *_t254;
									}
									if( *((intOrPtr*)(_t320 + 0x14)) < 8) {
										_t308 = _t320;
									} else {
										_t308 =  *_t320;
									}
									if(_t310 != 0) {
										E0045A8B0(_t308 + _a4 * 2, _t254 + _a16 * 2, _t310 + _t310);
										L105:
									}
								}
								_t280 = _a20;
								 *(_t320 + 0x10) = _t280;
								if( *((intOrPtr*)(_t320 + 0x14)) < 8) {
									_t182 = _t320;
									__eflags = 0;
									 *((short*)(_t182 + _t280 * 2)) = 0;
									return _t182;
								} else {
									 *((short*)( *_t320 + _t280 * 2)) = 0;
									return _t320;
								}
							} else {
								if(_a20 > 0x7ffffffe) {
									L110:
									_push("string too long");
									E00459F9F(__eflags);
									goto L111;
								} else {
									_t254 = _a12;
									if( *((intOrPtr*)(__ecx + 0x14)) >= _a20) {
										__eflags = _a20;
										if(_a20 == 0) {
											__eflags =  *((intOrPtr*)(__ecx + 0x14)) - 8;
											 *(__ecx + 0x10) = 0;
											if( *((intOrPtr*)(__ecx + 0x14)) < 8) {
												_t295 = __ecx;
											} else {
												_t295 =  *((intOrPtr*)(__ecx));
											}
											__eflags = 0;
											 *_t295 = 0;
											goto L12;
										}
									} else {
										E004079F0(__ecx, _a20, _t269);
										_t303 = _a4;
										L12:
										_t174 = _v8;
									}
									goto L13;
								}
							}
						}
					}
				}
			}

0x004070a3
0x004070a6
0x004070aa
0x004070ac
0x004070b1
0x00407460
0x00407460
0x00407465
0x0040746a
0x0040746b
0x0040746c
0x0040746d
0x0040746e
0x0040746f
0x00407473
0x00407475
0x00407478
0x0040747b
0x00407494
0x00407498
0x0040749a
0x0040749a
0x0040749c
0x0040749f
0x004074a0
0x004074a3
0x004074a5
0x004074b4
0x004074b4
0x004074b6
0x004074b8
0x004074ba
0x004074ba
0x004074bf
0x0040747d
0x0040747d
0x00407481
0x00407483
0x00407483
0x00407488
0x0040748c
0x00407491
0x00407491
0x004070b7
0x004070bb
0x004070bc
0x004070c2
0x00000000
0x004070c8
0x004070cd
0x004070d1
0x004070d7
0x004070df
0x004070e4
0x004070e6
0x004070ee
0x004070f1
0x004070f7
0x0040744c
0x00407451
0x00000000
0x004070fd
0x00407103
0x00407106
0x00407108
0x0040710d
0x00407110
0x00407113
0x0040715e
0x00407160
0x004071e6
0x004071e9
0x004071eb
0x0040725f
0x00407262
0x00407264
0x004072d5
0x004072d7
0x004072da
0x004072dc
0x00407365
0x00407368
0x0040736b
0x00407374
0x0040736d
0x0040736f
0x0040736f
0x00407377
0x0040737a
0x00407380
0x0040737c
0x0040737c
0x0040737c
0x00407382
0x00407385
0x00407387
0x00407389
0x00407397
0x0040739c
0x0040739f
0x0040739f
0x004073a2
0x004073a5
0x004073a8
0x004073b1
0x004073aa
0x004073ac
0x004073ac
0x004073b4
0x004073b7
0x004073bd
0x004073b9
0x004073b9
0x004073b9
0x004073bf
0x004073c2
0x004073c4
0x004073c9
0x004073da
0x004073df
0x004073e2
0x004073e2
0x004073e5
0x004073e8
0x004073eb
0x004073f1
0x004073ed
0x004073ed
0x004073ed
0x004073f3
0x004073f6
0x004073fc
0x004073f8
0x004073f8
0x004073f8
0x00407400
0x00407400
0x00407403
0x00407405
0x00407405
0x00407407
0x0040740e
0x00407412
0x00000000
0x00407412
0x004072e2
0x004072e2
0x004072e5
0x004072e8
0x004072f4
0x004072ea
0x004072ec
0x004072ef
0x004072ef
0x004072f7
0x004072fa
0x00407300
0x004072fc
0x004072fc
0x004072fc
0x00407302
0x00407304
0x00407309
0x0040731a
0x0040731f
0x00407322
0x00407325
0x00407325
0x00407328
0x0040732b
0x0040732e
0x00407337
0x00407330
0x00407332
0x00407332
0x0040733a
0x0040733d
0x00407343
0x0040733f
0x0040733f
0x0040733f
0x00407345
0x00407347
0x00407353
0x0040735c
0x0040735d
0x00000000
0x0040735d
0x00407347
0x00407266
0x00407266
0x00407269
0x0040726c
0x00407272
0x0040726e
0x0040726e
0x0040726e
0x00407274
0x00407277
0x0040727d
0x00407279
0x00407279
0x00407279
0x0040727f
0x00407281
0x00407289
0x00407296
0x0040729b
0x0040729e
0x0040729e
0x004072a1
0x004072a4
0x004072a7
0x004072ad
0x004072a9
0x004072a9
0x004072a9
0x004072af
0x004072b2
0x004072b8
0x004072b4
0x004072b4
0x004072b4
0x004072ba
0x004072bc
0x004072c5
0x004072cc
0x004072cd
0x00000000
0x004072cd
0x004072bc
0x004071ed
0x004071ed
0x004071f0
0x004071f3
0x004071f9
0x004071f5
0x004071f5
0x004071f5
0x004071fb
0x004071fe
0x00407204
0x00407200
0x00407200
0x00407200
0x00407206
0x00407208
0x00407219
0x0040721e
0x0040721e
0x00407221
0x00407224
0x00407227
0x0040722d
0x00407229
0x00407229
0x00407229
0x0040722f
0x00407232
0x00407238
0x00407234
0x00407234
0x00407234
0x0040723a
0x0040723d
0x0040723f
0x00407245
0x0040724a
0x00407253
0x00407257
0x00407415
0x00407415
0x00407416
0x00000000
0x00407416
0x0040723f
0x00407166
0x00407166
0x0040716c
0x00407178
0x0040717b
0x0040716e
0x00407170
0x00407173
0x00407173
0x00407181
0x00407187
0x00407183
0x00407183
0x00407183
0x0040718b
0x004071a3
0x004071a8
0x004071ab
0x004071ab
0x004071b2
0x004071b4
0x004071b4
0x004071ba
0x004071c0
0x004071bc
0x004071bc
0x004071bc
0x004071c4
0x004071dc
0x0040741b
0x0040741b
0x004071c4
0x00407422
0x00407426
0x0040742a
0x0040743d
0x0040743f
0x00407441
0x00407449
0x0040742c
0x00407430
0x0040743a
0x0040743a
0x00407115
0x0040711c
0x00407456
0x00407456
0x0040745b
0x00000000
0x00407122
0x00407128
0x0040712b
0x0040713d
0x00407141
0x00407143
0x00407147
0x0040714e
0x00407154
0x00407150
0x00407150
0x00407150
0x00407156
0x00407158
0x00000000
0x00407158
0x0040712d
0x00407133
0x00407138
0x0040715b
0x0040715b
0x0040715b
0x00000000
0x0040712b
0x0040711c
0x00407113
0x004070f7
0x004070c2

APIs

_memmove.LIBCMT ref: 004071A3
_memmove.LIBCMT ref: 004071DC
_memmove.LIBCMT ref: 00407219
_memmove.LIBCMT ref: 00407416

Part of subcall function 004079F0: SysAllocStringLen.OLEAUT32(00000000,00000001), ref: 00407A39
Part of subcall function 004079F0: _memmove.LIBCMT ref: 00407A61
Part of subcall function 004079F0: SysFreeString.OLEAUT32 ref: 00407A71

_memmove.LIBCMT ref: 00407296
_memmove.LIBCMT ref: 0040731A
_memmove.LIBCMT ref: 00407397
_memmove.LIBCMT ref: 004073DA

Strings

invalid string position, xrefs: 00407460
string too long, xrefs: 0040744C, 00407456

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove$String$AllocFree
String ID: invalid string position$string too long
API String ID: 4249169437-4289949731
Opcode ID: 90815fbc67b5856239c2900209ac4e8afdca35c1425b90dd64703804b7f7caab
Instruction ID: df8ccd7968116375229314f54da2fa5da23b8525164534db31e30b66d30ab7f6
Opcode Fuzzy Hash: 90815fbc67b5856239c2900209ac4e8afdca35c1425b90dd64703804b7f7caab
Instruction Fuzzy Hash: 2FD14E70A08109DBCB24CF58C9C08AAB7B6FF84344720457EE845DB395DB38F955CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 004490F5, Relevance: 17.8, APIs: 7, Strings: 3, Instructions: 279
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004490F5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t120;
				intOrPtr* _t121;
				intOrPtr* _t130;
				void* _t140;
				void* _t142;
				void* _t144;
				void* _t148;
				void* _t149;
				void* _t152;
				void* _t153;
				void* _t163;
				intOrPtr* _t166;
				intOrPtr* _t170;
				void* _t175;
				void* _t179;
				void* _t181;
				intOrPtr* _t185;
				intOrPtr* _t188;
				intOrPtr _t193;
				intOrPtr* _t196;
				intOrPtr _t239;
				intOrPtr _t242;
				intOrPtr* _t245;
				void* _t248;
				void* _t250;
				intOrPtr* _t251;
				void* _t252;
				void* _t253;

				E0045B8C9(0x4a8355, __ebx, __edi, __esi);
				_t242 =  *((intOrPtr*)(_t252 + 8));
				_t193 =  *((intOrPtr*)(_t252 + 0x70));
				 *((intOrPtr*)(_t252 - 4)) = 0;
				 *((intOrPtr*)(_t252 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t252 - 0x48)) = 0x4c2f40;
				E00404200(_t252 - 0x70, _t252 - 0x251, 0);
				 *((intOrPtr*)(_t252 - 0x258)) = 0;
				__imp__#200(0, _t252 - 0x258, 0x264);
				_t245 =  *((intOrPtr*)(_t252 - 0x258));
				if(_t245 != 0) {
					_t188 = E00417A4B(_t252 - 0x70, _t252 - 0x270);
					 *((char*)(_t252 - 4)) = 4;
					 *((char*)(_t188 + 4)) = 1;
					 *((intOrPtr*)( *_t245 + 0x14))(_t245, E0040A0F0(_t188,  *_t188));
					 *((char*)(_t252 - 4)) = 3;
					if( *((char*)(_t252 - 0x26c)) != 0) {
						E00404260( *((intOrPtr*)(_t252 - 0x270)), _t242,  *((intOrPtr*)( *((intOrPtr*)(_t252 - 0x270)) + 0x24)));
					}
				}
				 *((intOrPtr*)(_t252 - 0x25c)) = 0;
				_t120 = _t252 - 0x25c;
				__imp__#202(_t120);
				if(_t120 < 0) {
					_t121 =  *((intOrPtr*)(_t252 - 0x258));
					__eflags = _t121;
					if(_t121 == 0) {
						L17:
						_t248 =  ==  ? 0x80020009 :  *((intOrPtr*)(_t252 + 0x74));
						_t196 =  *((intOrPtr*)(_t252 - 0x25c));
						 *((char*)(_t252 - 4)) = 3;
						if(_t196 != 0) {
							 *((intOrPtr*)( *_t196 + 8))(_t196);
							_t121 =  *((intOrPtr*)(_t252 - 0x258));
						}
						 *((char*)(_t252 - 4)) = 2;
						if(_t121 != 0) {
							 *((intOrPtr*)( *_t121 + 8))(_t121);
						}
						E00401B80(_t252 - 0x70);
						E00401B80(_t252 + 0xc);
						E00401B80(_t252 + 0x3c);
						return E0045B878(_t193, _t242, _t248);
					}
					__imp__#201(0, _t121);
					L16:
					_t121 =  *((intOrPtr*)(_t252 - 0x258));
					goto L17;
				}
				 *((intOrPtr*)(_t252 - 0x260)) = 0;
				_t130 =  *((intOrPtr*)(_t252 - 0x25c));
				 *((char*)(_t252 - 4)) = 6;
				 *((intOrPtr*)( *_t130 + 0xc))(_t130, _t193);
				__imp__ProgIDFromCLSID(_t242, _t252 - 0x264);
				_t239 =  *((intOrPtr*)(_t252 - 0x264));
				if(_t239 != 0) {
					_t185 =  *((intOrPtr*)(_t252 - 0x25c));
					 *((intOrPtr*)( *_t185 + 0x10))(_t185, _t239);
					_t239 =  *((intOrPtr*)(_t252 - 0x264));
				}
				__imp__CoTaskMemFree(_t239);
				_t193 = 0;
				_t242 = 0x4c2f40;
				 *((intOrPtr*)(_t252 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t252 - 0x18)) = 0x4c2f40;
				E00404200(_t252 - 0x40, _t252 - 0x251, 0);
				 *((char*)(_t252 - 4)) = 7;
				_t263 =  *((intOrPtr*)(_t252 + 0x20));
				if( *((intOrPtr*)(_t252 + 0x20)) != 0) {
					_push(_t252 + 0xc);
					_push("*");
					_push(_t252 - 0xd0);
					_t179 = E0040B2A8(0, 0x4c2f40, 0x4c2fa0, _t263);
					_push(L"\r\n");
					_push(_t179);
					_push(_t252 - 0x130);
					 *((char*)(_t252 - 4)) = 8;
					_t181 = E0040B22B(0, 0x4c2f40, 0x4c2fa0, _t263);
					_t253 = _t253 + 0x18;
					 *((char*)(_t252 - 4)) = 9;
					E004095E2(_t252 - 0x40, _t181);
					E00401B80(_t252 - 0x130);
					E00401B80(_t252 - 0xd0);
				}
				 *((intOrPtr*)(_t252 - 0xa0)) = 0x4c2fa0;
				 *((intOrPtr*)(_t252 - 0x78)) = _t242;
				E00404200(_t252 - 0xa0, _t252 - 0x251, _t193);
				 *((char*)(_t252 - 4)) = 0xa;
				E0040DD64(_t252 - 0xa0, L"%d",  *((intOrPtr*)(_t252 + 0x6c)));
				_push(_t193);
				_push(_t252 - 0x100);
				_t140 = E0040E057(_t193, _t252 + 0x3c, _t239, _t242, 0x4c2fa0, _t263);
				_push(L" (");
				_push(_t140);
				_push(_t252 - 0x1f0);
				 *((char*)(_t252 - 4)) = 0xb;
				_t142 = E0040B22B(_t193, _t242, 0x4c2fa0, _t263);
				_push(_t252 - 0xa0);
				_push(_t142);
				_push(_t252 - 0x220);
				 *((char*)(_t252 - 4)) = 0xc;
				_t144 = E00413C81(_t193, _t242, 0x4c2fa0, _t263);
				_push(L")\r\n");
				_push(_t144);
				_push(_t252 - 0x250);
				 *((char*)(_t252 - 4)) = 0xd;
				_t250 = E0040B22B(_t193, _t242, 0x4c2fa0, _t263);
				_push(_t193);
				_push(_t193);
				_push(_t252 - 0x1c0);
				 *((char*)(_t252 - 4)) = 0xe;
				_t148 = E0040A206(_t193, _t252 + 0x3c, _t239, _t242, _t250, _t263);
				 *((char*)(_t252 - 4)) = 0xf;
				_t149 = E0040A528(_t193, _t148, _t239, _t263, _t252 - 0x190);
				_push(_t193);
				_push(_t252 - 0x160);
				 *((char*)(_t252 - 4)) = 0x10;
				_push(E0040E057(_t193, _t149, _t239, _t242, _t250, _t263));
				_push(">");
				_push(_t252 - 0x130);
				 *((char*)(_t252 - 4)) = 0x11;
				_t152 = E0040B2A8(_t193, _t242, _t250, _t263);
				_push(_t250);
				_push(_t252 - 0xd0);
				 *((char*)(_t252 - 4)) = 0x12;
				_t153 = E0040B91E(_t193, _t152, _t242, _t250, _t263);
				 *((char*)(_t252 - 4)) = 0x13;
				E0040B99A(_t252 - 0x40, _t153);
				E00401B80(_t252 - 0xd0);
				E00401B80(_t252 - 0x130);
				E00401B80(_t252 - 0x160);
				E00401B80(_t252 - 0x190);
				E00401B80(_t252 - 0x1c0);
				E00401B80(_t252 - 0x250);
				E00401B80(_t252 - 0x220);
				E00401B80(_t252 - 0x1f0);
				 *((char*)(_t252 - 4)) = 0xa;
				_t163 = E00401B80(_t252 - 0x100);
				_t264 =  *((intOrPtr*)(_t252 - 0x5c));
				if( *((intOrPtr*)(_t252 - 0x5c)) != 0) {
					_push(_t252 - 0x40);
					_push(_t252 - 0x70);
					_push(_t252 - 0x100);
					_t175 = E00413C81(_t193, _t242, _t250, _t264);
					 *((char*)(_t252 - 4)) = 0x14;
					E004095E2(_t252 - 0x40, _t175);
					 *((char*)(_t252 - 4)) = 0xa;
					_t163 = E00401B80(_t252 - 0x100);
				}
				_t251 =  *((intOrPtr*)(_t252 - 0x25c));
				 *((intOrPtr*)( *_t251 + 0x14))(_t251,  *((intOrPtr*)(E0040A0F0(_t163, _t252 - 0x40))));
				_t166 =  *((intOrPtr*)(_t252 - 0x25c));
				_push(_t252 - 0x260);
				_push(0x4bd7a0);
				_push(_t166);
				if( *((intOrPtr*)( *_t166))() >= 0) {
					__imp__#201(_t193,  *((intOrPtr*)(_t252 - 0x260)));
				}
				E00401B80(_t252 - 0xa0);
				E00401B80(_t252 - 0x40);
				_t170 =  *((intOrPtr*)(_t252 - 0x260));
				 *((char*)(_t252 - 4)) = 5;
				if(_t170 != 0) {
					 *((intOrPtr*)( *_t170 + 8))(_t170);
				}
				goto L16;
			}

0x004490ff
0x00449104
0x00449107
0x0044910c
0x0044911a
0x00449121
0x00449128
0x0044912d
0x0044913b
0x00449141
0x00449149
0x00449155
0x0044915c
0x00449160
0x0044916d
0x00449177
0x0044917b
0x00449186
0x00449186
0x0044917b
0x0044918d
0x00449193
0x0044919a
0x004491a2
0x00449477
0x0044947d
0x0044947f
0x0044948f
0x00449499
0x0044949c
0x004494a2
0x004494a8
0x004494ad
0x004494b0
0x004494b0
0x004494b6
0x004494bc
0x004494c1
0x004494c1
0x004494c7
0x004494cf
0x004494d7
0x004494e3
0x004494e3
0x00449483
0x00449489
0x00449489
0x00000000
0x00449489
0x004491a8
0x004491ae
0x004491b8
0x004491bc
0x004491c7
0x004491cd
0x004491d5
0x004491d7
0x004491e1
0x004491e4
0x004491e4
0x004491eb
0x004491f1
0x004491ff
0x00449208
0x0044920b
0x0044920e
0x00449213
0x00449217
0x0044921a
0x0044921f
0x00449226
0x0044922b
0x0044922c
0x00449231
0x00449236
0x0044923d
0x0044923e
0x00449242
0x00449247
0x0044924e
0x00449252
0x0044925d
0x00449268
0x00449268
0x0044927b
0x00449281
0x00449284
0x00449298
0x0044929c
0x004492aa
0x004492ab
0x004492af
0x004492b4
0x004492b9
0x004492c0
0x004492c1
0x004492c5
0x004492d0
0x004492d1
0x004492d8
0x004492d9
0x004492dd
0x004492e2
0x004492e7
0x004492ee
0x004492ef
0x004492fb
0x004492fd
0x004492fe
0x00449305
0x00449309
0x0044930d
0x0044931b
0x0044931f
0x00449324
0x0044932b
0x0044932e
0x00449337
0x0044933e
0x00449343
0x00449344
0x00449348
0x00449350
0x00449357
0x0044935a
0x0044935e
0x00449367
0x0044936b
0x00449376
0x00449381
0x0044938c
0x00449397
0x004493a2
0x004493ad
0x004493b8
0x004493c3
0x004493ce
0x004493d2
0x004493d7
0x004493db
0x004493e0
0x004493e4
0x004493eb
0x004493ec
0x004493f8
0x004493fc
0x00449407
0x0044940b
0x0044940b
0x00449410
0x00449423
0x00449426
0x00449434
0x00449435
0x0044943a
0x0044943f
0x00449448
0x00449448
0x00449454
0x0044945c
0x00449461
0x00449467
0x0044946d
0x00449472
0x00449472
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 004490FF

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

GetErrorInfo.OLEAUT32(00000000,?,00000264,0043A729,?,?,?,00000001), ref: 0044913B
CreateErrorInfo.OLEAUT32(?), ref: 0044919A
ProgIDFromCLSID.OLE32(?,?), ref: 004491C7
CoTaskMemFree.OLE32(?), ref: 004491EB

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

SetErrorInfo.OLEAUT32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00449448

Strings

@/L, xrefs: 004491FF
@/L, xrefs: 00449121
), xrefs: 004492E2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Error$Info$LastString$AllocCreateFreeFromH_prolog3_ProgTask
String ID: )$@/L$@/L
API String ID: 290475581-2532612753
Opcode ID: c0bd4b3af20aefacb97d58783fba13363f33016cc5667905c6cb5cce283dbbe9
Instruction ID: 21e2d273a3d2f517428eb9d5f3f77e34d1aad62743345aff31db80580862d89f
Opcode Fuzzy Hash: c0bd4b3af20aefacb97d58783fba13363f33016cc5667905c6cb5cce283dbbe9
Instruction Fuzzy Hash: 72C15D71900218AEDB15EBA1CC54BEE7778AF58304F1440EEE409B3292DB785E49DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0044FCBA, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 208
stringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0044FCBA(WCHAR* _a4, WCHAR* _a8, WCHAR* _a12) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __ecx;
				void* __edi;
				int _t79;
				WCHAR* _t87;
				WCHAR* _t88;
				signed int _t90;
				WCHAR* _t94;
				WCHAR* _t95;
				WCHAR* _t97;
				WCHAR* _t102;
				long _t106;
				signed int _t108;
				int _t109;
				WCHAR* _t112;
				WCHAR* _t114;
				WCHAR* _t115;
				void* _t116;
				WCHAR* _t117;
				WCHAR* _t119;
				signed int _t120;
				WCHAR* _t123;
				intOrPtr _t126;
				signed int _t132;
				WCHAR* _t147;
				void* _t148;
				WCHAR* _t154;
				void* _t158;
				signed int _t159;
				WCHAR* _t161;
				signed int _t163;
				void* _t165;
				WCHAR* _t166;
				void* _t167;
				signed int _t168;
				WCHAR* _t172;
				WCHAR* _t173;
				intOrPtr _t176;
				void* _t178;
				void* _t179;

				_push(_t126);
				_push(_t126);
				_t176 = _t126;
				_push(0x44f731);
				_push( *((intOrPtr*)(_t176 + 0x30)));
				_v12 = _t176;
				if( *0x4d9554() != 0xffffffff) {
					_push(_t116);
					 *((intOrPtr*)(_t176 + 0x50)) = _a12;
					 *((intOrPtr*)(_t176 + 0x54)) = 0;
					 *((intOrPtr*)(_t176 + 0x5c)) = 0;
					 *((intOrPtr*)(_t176 + 0x58)) = 0;
					 *((intOrPtr*)(_t176 + 0x60)) = 0;
					 *((intOrPtr*)(_t176 + 0x68)) = 0;
					 *((intOrPtr*)(_t176 + 0x64)) = 0;
					__eflags =  *(_t176 + 0x94);
					if(__eflags == 0) {
						_push(0x2c);
						_t114 = E0045C169(_t116, _t158, 0, __eflags);
						__eflags = _t114;
						if(_t114 == 0) {
							_t115 = 0;
						} else {
							_t115 = E00416E22(_t114);
						}
						 *(_t176 + 0x94) = _t115;
					}
					_t117 = _a8;
					__eflags = _t117;
					if(__eflags != 0) {
						__eflags =  *_t117;
						if(__eflags != 0) {
							_t109 = lstrlenW(_t117);
							_t168 = 2;
							_t154 =  ~(0 | __eflags > 0x00000000) | (_t109 + 0x00000001) * _t168;
							__eflags = _t154;
							_push(_t154);
							_t112 = E00459ADF(_t117, (_t109 + 1) * _t168 >> 0x20, 0, __eflags);
							 *(_t176 + 0x40) = _t112;
							lstrcpyW(_t112, _t117);
						}
					}
					_t79 = lstrlenW(_t117);
					_t159 = 2;
					_push( ~(0 | __eflags > 0x00000000) | (_t79 + 0x00000028) * _t159);
					 *((intOrPtr*)(_t176 + 0x44)) = E00459ADF(_t117, (_t79 + 0x28) * _t159 >> 0x20, 0, __eflags);
					_t119 = lstrlenW(_a4) + 0x14;
					__eflags = _t119;
					_v8 = _t119;
					_a12 = 0;
					_t132 = 0;
					_t161 = 0;
					_a8 = 0x40;
					if(_t119 == 0) {
						L18:
						_t172 = _a4;
						_t120 = 2;
						while(1) {
							L0045A7D5( *(_t176 + 0x3c));
							_t87 = E00459ADF(_t120, _v8 * _t120 >> 0x20, _t172, __eflags);
							 *(_t176 + 0x3c) = _t87;
							_t88 =  *0x4d9570(_t172, _t87,  &_v8, 0x12000000,  ~(0 | __eflags > 0x00000000) | _v8 * _t120);
							_a8 = _t88;
							__eflags = _t88;
							if(_t88 != 0) {
								break;
							}
							_t106 = GetLastError();
							__eflags = _t106 - 0x7a;
							if(_t106 == 0x7a) {
								continue;
							}
							break;
						}
						_t121 = _a12;
						_t173 = 0;
						__eflags = _a12;
						if(__eflags == 0) {
							L30:
							__eflags = _a8 - 1;
							_t76 = _a8 == 1;
							__eflags = _t76;
							_t90 = 0 | _t76;
							goto L31;
						}
						_t163 = 2;
						_push( ~(0 | __eflags > 0x00000000) | (_v8 + 0x00000032) * _t163);
						_t94 = E00459ADF(_t121, (_v8 + 0x32) * _t163 >> 0x20, _t173, __eflags);
						_t123 = _t94;
						_t165 = 0x40;
						_t95 = _t173;
						_a12 = _t95;
						__eflags =  *( *(_t176 + 0x3c)) - _t165;
						if( *( *(_t176 + 0x3c)) == _t165) {
							L29:
							L0045A7D5(_t123);
							goto L30;
						}
						_t147 = _t173;
						_a4 = _t173;
						do {
							_t166 =  *(_t176 + 0x3c);
							_t178 = 0x2f;
							__eflags =  *((intOrPtr*)(_t147 + _t166)) - _t178;
							_t176 = _v12;
							if( *((intOrPtr*)(_t147 + _t166)) == _t178) {
								_t148 = 2;
								__eflags = _t95 - _t148;
								if(_t95 >= _t148) {
									_t65 = _t173 + 1; // 0x1
									lstrcpynW(_t123, _t166, _t65);
									lstrcatW(_t123, "\\");
									_t102 =  *(_t176 + 0x3c) +  &(_a4[1]);
									__eflags = _t102;
									lstrcatW(_t123, _t102);
									lstrcpyW( *(_t176 + 0x3c), _t123);
								} else {
									_a12 = _t95 + 1;
								}
							}
							_t97 =  *(_t176 + 0x3c);
							_t173 = _t173 + 1;
							_t147 = _t173 + _t173;
							_t167 = 0x40;
							__eflags =  *((intOrPtr*)(_t147 + _t97)) - _t167;
							_t95 = _a12;
							_a4 = _t147;
						} while ( *((intOrPtr*)(_t147 + _t97)) != _t167);
						goto L29;
					} else {
						while(1) {
							_t108 = _a4[_t132] & 0x0000ffff;
							_t179 = 0x2f;
							__eflags = _t108 - _t179;
							_t176 = _v12;
							if(_t108 == _t179) {
								_t161 =  &(_t161[0]);
								__eflags = _t161;
							}
							__eflags = _t108 - _a8;
							if(_t108 == _a8) {
								break;
							}
							__eflags = _t161 - 3;
							if(_t161 == 3) {
								goto L18;
							}
							_t132 = _t132 + 1;
							__eflags = _t132 - _t119;
							if(_t132 < _t119) {
								continue;
							}
							goto L18;
						}
						__eflags = 1;
						_a12 = 1;
						goto L18;
					}
				} else {
					_t90 = 0;
					L31:
					return _t90;
				}
			}

0x0044fcbd
0x0044fcbe
0x0044fcc0
0x0044fcc2
0x0044fcc7
0x0044fcca
0x0044fcd6
0x0044fce2
0x0044fce6
0x0044fce9
0x0044fcec
0x0044fcef
0x0044fcf2
0x0044fcf5
0x0044fcf8
0x0044fcfb
0x0044fd01
0x0044fd03
0x0044fd05
0x0044fd0b
0x0044fd0d
0x0044fd18
0x0044fd0f
0x0044fd11
0x0044fd11
0x0044fd1a
0x0044fd1a
0x0044fd20
0x0044fd23
0x0044fd25
0x0044fd27
0x0044fd2a
0x0044fd2d
0x0044fd38
0x0044fd40
0x0044fd40
0x0044fd42
0x0044fd43
0x0044fd4b
0x0044fd4e
0x0044fd4e
0x0044fd2a
0x0044fd55
0x0044fd62
0x0044fd6c
0x0044fd76
0x0044fd81
0x0044fd81
0x0044fd84
0x0044fd87
0x0044fd8a
0x0044fd8c
0x0044fd8e
0x0044fd95
0x0044fdc2
0x0044fdc2
0x0044fdc7
0x0044fdc8
0x0044fdcb
0x0044fddf
0x0044fdf1
0x0044fdf4
0x0044fdfa
0x0044fdfd
0x0044fdff
0x00000000
0x00000000
0x0044fe01
0x0044fe07
0x0044fe0a
0x00000000
0x00000000
0x00000000
0x0044fe0a
0x0044fe0c
0x0044fe11
0x0044fe12
0x0044fe14
0x0044feba
0x0044febc
0x0044fec1
0x0044fec1
0x0044fec1
0x00000000
0x0044fec4
0x0044fe24
0x0044fe2e
0x0044fe2f
0x0044fe3a
0x0044fe3c
0x0044fe3d
0x0044fe3f
0x0044fe42
0x0044fe45
0x0044feb3
0x0044feb4
0x00000000
0x0044feb9
0x0044fe47
0x0044fe49
0x0044fe4c
0x0044fe4c
0x0044fe51
0x0044fe52
0x0044fe56
0x0044fe59
0x0044fe5d
0x0044fe5e
0x0044fe60
0x0044fe68
0x0044fe6e
0x0044fe7a
0x0044fe89
0x0044fe89
0x0044fe8d
0x0044fe97
0x0044fe62
0x0044fe63
0x0044fe63
0x0044fe60
0x0044fe9d
0x0044fea0
0x0044fea3
0x0044fea6
0x0044fea7
0x0044feab
0x0044feae
0x0044feae
0x00000000
0x0044fd97
0x0044fd97
0x0044fd9c
0x0044fda0
0x0044fda1
0x0044fda4
0x0044fda7
0x0044fda9
0x0044fda9
0x0044fda9
0x0044fdaa
0x0044fdae
0x00000000
0x00000000
0x0044fdb0
0x0044fdb3
0x00000000
0x00000000
0x0044fdb5
0x0044fdb6
0x0044fdb8
0x00000000
0x00000000
0x00000000
0x0044fdba
0x0044fdbe
0x0044fdbf
0x00000000
0x0044fdbf
0x0044fcd8
0x0044fcd8
0x0044fec5
0x0044fec7
0x0044fec7

APIs

lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,00424710,000000FF,00000000,80400100,?,00000000,0044208C,004AFFB8,80000000), ref: 0044FD2D
lstrcpyW.KERNEL32(00000000,?), ref: 0044FD4E
lstrlenW.KERNEL32(?,?,00000000,?,000000FF,000000FF,?,00424710,000000FF,00000000,80400100,?,00000000,0044208C,004AFFB8,80000000), ref: 0044FD55
lstrlenW.KERNEL32(?,?,000000FF,000000FF,?,00424710,000000FF,00000000,80400100,?,00000000,0044208C,004AFFB8,80000000,00000001,00000080), ref: 0044FD79

Strings

@, xrefs: 0044FD8E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: lstrlen$lstrcpy
String ID: @
API String ID: 805584807-2766056989
Opcode ID: f374ccb954cba7b4c6257451c89c89f7881ba4401befa9fa2d504dddd75c3c92
Instruction ID: 6eaf4cd0bc674d137f289127bf5138dc3d188eca8884eb73209e2ad0645ab2d9
Opcode Fuzzy Hash: f374ccb954cba7b4c6257451c89c89f7881ba4401befa9fa2d504dddd75c3c92
Instruction Fuzzy Hash: E96171B2600304AFEB149F69D885A6BB7E8FF54311F10453FF912CA6A1D7B8AC458B14

Uniqueness

Uniqueness Score: -1.00%

Function 004202C0, Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 431
stringregistryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004202C0(void* __ecx, void* __edx, WCHAR* _a4, char _a8, signed int _a12, signed int _a16) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v540;
				short _v8732;
				signed int _v8736;
				char _v8740;
				void* _v8744;
				void* _v8748;
				char _v8752;
				intOrPtr _v8756;
				intOrPtr _v8760;
				char _v8764;
				signed int _v8768;
				signed int _v8772;
				signed int _v8776;
				char _v8780;
				signed int _v8784;
				signed int _v8788;
				char _v8792;
				void* _v8796;
				void* _v8800;
				void* _v8804;
				signed int _v8808;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t109;
				signed int _t110;
				signed int _t115;
				void* _t119;
				signed int _t125;
				signed int _t128;
				signed int _t129;
				void* _t130;
				void* _t136;
				signed int _t142;
				signed int _t143;
				void* _t146;
				signed int _t149;
				void* _t154;
				signed int _t155;
				void* _t159;
				signed int _t165;
				void* _t167;
				signed int _t169;
				void* _t182;
				signed int _t184;
				void* _t190;
				void* _t191;
				signed int _t204;
				char* _t211;
				void* _t242;
				WCHAR* _t244;
				void* _t245;
				void* _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t254;
				void* _t255;

				_t242 = __edx;
				_push(0xffffffff);
				_push(0x4a37d8);
				_push( *[fs:0x0]);
				E0045BDF0(0x2258);
				_t109 =  *0x4d7e88; // 0x9518852c
				_t110 = _t109 ^ _t254;
				_v20 = _t110;
				_push(_t110);
				 *[fs:0x0] =  &_v16;
				_t190 = __ecx;
				_t244 = _a4;
				_v8740 = _a8;
				_t256 = 0;
				_v8752 = 0;
				_v8748 = 0;
				_v8744 = 0;
				_v8 = 0;
				_v8808 = _a16;
				while(1) {
					L1:
					_t115 = E0041D0ED(_t190, _t256, _t244);
					while(1) {
						L2:
						_t247 = _t115;
						if(_t247 < 0) {
							break;
						} else {
							goto L3;
						}
						while(1) {
							L3:
							_t119 = 0x7d;
							if( *_t244 == _t119) {
								goto L75;
							}
							_v8768 = 1;
							lstrcmpiW(_t244, L"Delete");
							asm("sbb esi, esi");
							_t249 = _t247 + 1;
							_v8736 = _t249;
							if(lstrcmpiW(_t244, L"ForceRemove") == 0) {
								L6:
								_t125 = E0041D0ED(_t190, _t260, _t244);
								_t247 = _t125;
								if(_t125 < 0) {
									goto L75;
								}
								_t250 = 0;
								if(_a12 == 0) {
									L18:
									__eflags = lstrcmpiW(_t244, L"NoRemove");
									if(__eflags != 0) {
										L20:
										__eflags = lstrcmpiW(_t244, L"Val");
										if(__eflags != 0) {
											_t128 = E0042293A(_t244, 0x5c);
											_pop(_t201);
											__eflags = _t128;
											if(_t128 != 0) {
												L74:
												_t247 = 0x80020009;
												goto L75;
											}
											__eflags = _a12 - _t128;
											if(_a12 == _t128) {
												_t251 = _a16;
												__eflags = _t251;
												if(_t251 != 0) {
													_t129 = 2;
												} else {
													_t201 =  &_v8752;
													_t129 = E004018F0( &_v8752, _v8740, _t244, 0x20019);
												}
												__eflags = _t129;
												_v8736 = _t129;
												_t130 = 1;
												_t252 =  !=  ? _t130 : _t251;
												_a16 =  !=  ? _t130 : _t251;
												E00418812(_t201, E0045CE08( &_v540, 0x104, _t244, 0xffffffff));
												_t255 = _t255 + 0x14;
												_t247 = E0041D0ED(_t190, __eflags, _t244);
												__eflags = _t247;
												if(_t247 < 0) {
													goto L75;
												} else {
													_t247 = E0042277F(_t190, _t190, _t242, _t244);
													__eflags = _t247;
													if(_t247 < 0) {
														goto L75;
													}
													_t136 = 0x7b;
													__eflags =  *_t244 - _t136;
													if( *_t244 != _t136) {
														L52:
														_t137 = _v8736;
														_t204 = _v8808;
														_a16 = _t204;
														__eflags = _t137 - 2;
														if(__eflags == 0) {
															continue;
														}
														__eflags = _t137;
														if(_t137 == 0) {
															__eflags = _t204;
															if(_t204 == 0) {
																L61:
																_v8736 = E0041B6BD(_t190, _v8752);
																_t137 = E004018C0( &_v8752);
																__eflags = _t137;
																if(_t137 != 0) {
																	L55:
																	_t247 = E00418882(_t137);
																	goto L75;
																}
																__eflags = _v8768 - _t137;
																if(__eflags == 0) {
																	continue;
																}
																__eflags = _v8736 - _t137;
																if(__eflags != 0) {
																	continue;
																}
																_v8776 = _v8776 & 0x00000000;
																_v8772 = _v8772 & 0x00000000;
																_v8780 = _v8740;
																_t142 = E0041992F( &_v8780,  &_v540);
																_v8780 = 0;
																_v8776 = 0;
																_v8772 = 0;
																__eflags = _t142;
																if(_t142 != 0) {
																	_t143 = E00418882(_t142);
																	_t211 =  &_v8780;
																	L77:
																	_t247 = _t143;
																	L78:
																	E004018C0(_t211);
																	goto L75;
																}
																_t211 =  &_v8780;
																L66:
																E004018C0(_t211);
																L67:
																if(_a12 == 0) {
																	continue;
																}
																_t146 = 0x7b;
																if( *_t244 != _t146 || E0045B5D4(_t244) != 1) {
																	continue;
																} else {
																	_t247 = E004202C0(_t190, _t242, _t244, _v8752, _a12, 0);
																	_t256 = _t247;
																	if(_t247 < 0) {
																		goto L75;
																	}
																	goto L1;
																}
															}
															_t149 = E0041B6BD(_t190, _v8752);
															__eflags = _t149;
															if(_t149 == 0) {
																goto L61;
															}
															__eflags = E00418C75( &_v540);
															if(__eflags != 0) {
																__eflags = _v8768;
																if(__eflags != 0) {
																	E0041FEFC( &_v8752, _t242, __eflags,  &_v540);
																}
															}
															continue;
														}
														__eflags = _t204;
														if(__eflags != 0) {
															continue;
														}
														goto L55;
													}
													_t154 = E0045B5D4(_t244);
													__eflags = _t154 - 1;
													if(_t154 != 1) {
														goto L52;
													}
													_t155 = E004202C0(_t190, _t242, _t244, _v8752, 0, _a16);
													_t247 = _t155;
													__eflags = _t155;
													if(__eflags >= 0) {
														L51:
														_t247 = E0041D0ED(_t190, __eflags, _t244);
														__eflags = _t247;
														if(_t247 < 0) {
															goto L75;
														}
														goto L52;
													}
													__eflags = _a16;
													if(__eflags == 0) {
														goto L75;
													}
													goto L51;
												}
											}
											_t253 = _v8740;
											__eflags = E004018F0( &_v8752, _v8740, _t244, 0x2001f);
											if(__eflags == 0) {
												L39:
												_t247 = E0041D0ED(_t190, __eflags, _t244);
												__eflags = _t247;
												if(_t247 < 0) {
													goto L75;
												}
												_t159 = 0x3d;
												__eflags =  *_t244 - _t159;
												if(__eflags != 0) {
													goto L67;
												}
												_t247 = E00418089(_t190, _t242, __eflags,  &_v8752, 0, _t244);
												L14:
												if(_t247 < 0) {
													goto L75;
												}
												goto L67;
											}
											__eflags = E004018F0( &_v8752, _t253, _t244, 0x20019);
											if(__eflags == 0) {
												goto L39;
											}
											__eflags = E0040E8B4( &_v8752, _t253, _t244, 0, 0, 0x2001f, 0, 0);
											if(__eflags != 0) {
												goto L55;
											}
											goto L39;
										}
										_t165 = E0041D0ED(_t190, __eflags,  &_v8732);
										_t247 = _t165;
										__eflags = _t165;
										if(__eflags < 0) {
											goto L75;
										}
										_t247 = E0041D0ED(_t190, __eflags, _t244);
										__eflags = _t247;
										if(_t247 < 0) {
											goto L75;
										}
										_t167 = 0x3d;
										__eflags =  *_t244 - _t167;
										if( *_t244 != _t167) {
											goto L74;
										}
										__eflags = _a12;
										if(__eflags == 0) {
											__eflags = _a16;
											if(_a16 != 0) {
												L33:
												_t115 = E0042277F(_t190, _t190, _t242, _t244);
												goto L2;
											}
											__eflags = _v8768;
											if(_v8768 == 0) {
												goto L33;
											}
											_v8804 = 0;
											_v8800 = 0;
											_v8796 = 0;
											_t169 = E004018F0( &_v8804, _v8740, 0, 0x20006);
											__eflags = _t169;
											if(_t169 != 0) {
												L76:
												_t143 = E00418882(_t169);
												_t211 =  &_v8804;
												goto L77;
											}
											_t169 = RegDeleteValueW(_v8804,  &_v8732);
											__eflags = _t169;
											if(_t169 == 0) {
												L32:
												E004018C0( &_v8804);
												goto L33;
											}
											__eflags = _t169 - 2;
											if(_t169 != 2) {
												goto L76;
											}
											goto L32;
										}
										_v8788 = _v8788 & 0x00000000;
										_v8784 = _v8784 & 0x00000000;
										_v8 = 1;
										_v8792 = _v8740;
										_t247 = E00418089(_t190, _t242, __eflags,  &_v8792,  &_v8732, _t244);
										_v8792 = 0;
										_v8788 = 0;
										_v8784 = 0;
										_t211 =  &_v8792;
										__eflags = _t247;
										if(_t247 < 0) {
											goto L78;
										}
										_v8 = 0;
										goto L66;
									}
									_v8768 = _t250;
									_t247 = E0041D0ED(_t190, __eflags, _t244);
									__eflags = _t247;
									if(_t247 < 0) {
										goto L75;
									}
									goto L20;
								}
								_v8764 = 0;
								_v8760 = 0;
								_v8756 = 0;
								if(E0042293A(_t244, 0x5c) != 0) {
									E004018C0( &_v8764);
									goto L74;
								}
								_t182 = E00418C75(_t244);
								_t264 = _t182;
								if(_t182 != 0) {
									_v8764 = _v8740;
									_v8760 = 0;
									_v8756 = 0;
									E0041FEFC( &_v8764, _t242, _t264, _t244);
									_v8764 = 0;
									_v8760 = 0;
									_v8756 = 0;
								}
								_t265 = _v8736 - _t250;
								if(_v8736 == _t250) {
									E004018C0( &_v8764);
									goto L18;
								}
								_t184 = E0041D0ED(_t190, _t265, _t244);
								_t247 = _t184;
								if(_t184 < 0) {
									_t211 =  &_v8764;
									goto L78;
								}
								_t247 = E0042277F(_t190, _t190, _t242, _t244);
								E004018C0( &_v8764);
								goto L14;
							}
							_t260 = _t249;
							if(_t249 == 0) {
								_t250 = 0;
								__eflags = 0;
								goto L18;
							}
							goto L6;
						}
						break;
					}
					L75:
					E004018C0( &_v8752);
					 *[fs:0x0] = _v16;
					_pop(_t245);
					_pop(_t248);
					_pop(_t191);
					__eflags = _v20 ^ _t254;
					return E0045A457(_t191, _v20 ^ _t254, _t242, _t245, _t248);
				}
			}

0x004202c0
0x004202c3
0x004202c5
0x004202d0
0x004202d6
0x004202db
0x004202e0
0x004202e2
0x004202e8
0x004202ec
0x004202f2
0x004202f7
0x004202fa
0x00420300
0x00420302
0x00420308
0x0042030e
0x00420314
0x0042031a
0x00420320
0x00420320
0x00420323
0x00420328
0x00420328
0x00420328
0x0042032c
0x00000000
0x00000000
0x00000000
0x00000000
0x00420332
0x00420332
0x00420334
0x00420338
0x00000000
0x00000000
0x00420347
0x0042034d
0x00420355
0x0042035c
0x0042035e
0x0042036c
0x00420376
0x00420379
0x0042037e
0x00420382
0x00000000
0x00000000
0x00420388
0x0042038d
0x00420444
0x00420450
0x00420452
0x0042046c
0x00420478
0x0042047a
0x0042059b
0x004205a1
0x004205a2
0x004205a4
0x0042085e
0x0042085e
0x00000000
0x0042085e
0x004205aa
0x004205ad
0x0042063b
0x0042063e
0x00420640
0x0042065d
0x00420642
0x0042064e
0x00420654
0x00420654
0x00420660
0x00420662
0x00420668
0x0042066b
0x0042067b
0x00420684
0x00420689
0x00420694
0x00420696
0x00420698
0x00000000
0x0042069e
0x004206a6
0x004206a8
0x004206aa
0x00000000
0x00000000
0x004206b2
0x004206b3
0x004206b6
0x004206f9
0x004206f9
0x004206ff
0x00420705
0x00420708
0x0042070b
0x00000000
0x00000000
0x00420711
0x00420713
0x0042072b
0x0042072d
0x0042077a
0x0042078d
0x00420793
0x00420798
0x0042079a
0x0042071d
0x00420724
0x00000000
0x00420724
0x0042079c
0x004207a2
0x00000000
0x00000000
0x004207a8
0x004207ae
0x00000000
0x00000000
0x004207ba
0x004207c1
0x004207c8
0x004207db
0x004207e2
0x004207e8
0x004207ee
0x004207f4
0x004207f6
0x004208a3
0x004208a9
0x00420899
0x00420899
0x0042089b
0x0042089b
0x00000000
0x0042089b
0x004207fc
0x00420802
0x00420802
0x00420807
0x0042080b
0x00000000
0x00000000
0x00420813
0x00420817
0x00000000
0x0042082d
0x00420840
0x00420842
0x00420844
0x00000000
0x00000000
0x00000000
0x00420846
0x00420817
0x00420737
0x0042073c
0x0042073e
0x00000000
0x00000000
0x0042074e
0x00420750
0x00420756
0x0042075d
0x00420770
0x00420770
0x0042075d
0x00000000
0x00420750
0x00420715
0x00420717
0x00000000
0x00000000
0x00000000
0x00420717
0x004206b9
0x004206bf
0x004206c2
0x00000000
0x00000000
0x004206d2
0x004206d7
0x004206d9
0x004206db
0x004206e7
0x004206ef
0x004206f1
0x004206f3
0x00000000
0x00000000
0x00000000
0x004206f3
0x004206dd
0x004206e1
0x00000000
0x00000000
0x00000000
0x004206e1
0x00420698
0x004205b3
0x004205cb
0x004205cd
0x00420605
0x0042060d
0x0042060f
0x00420611
0x00000000
0x00000000
0x00420619
0x0042061a
0x0042061d
0x00000000
0x00000000
0x00420634
0x00420428
0x0042042a
0x00000000
0x00000000
0x00000000
0x00420430
0x004205e1
0x004205e3
0x00000000
0x00000000
0x004205fd
0x004205ff
0x00000000
0x00000000
0x00000000
0x004205ff
0x00420489
0x0042048e
0x00420490
0x00420492
0x00000000
0x00000000
0x004204a0
0x004204a2
0x004204a4
0x00000000
0x00000000
0x004204ac
0x004204ad
0x004204b0
0x00000000
0x00000000
0x004204b6
0x004204ba
0x0042051e
0x00420522
0x0042058b
0x0042058e
0x00000000
0x0042058e
0x00420524
0x0042052b
0x00000000
0x00000000
0x00420541
0x00420547
0x0042054d
0x00420553
0x00420558
0x0042055a
0x0042088c
0x0042088d
0x00420893
0x00000000
0x00420893
0x0042056d
0x00420573
0x00420575
0x00420580
0x00420586
0x00000000
0x00420586
0x00420577
0x0042057a
0x00000000
0x00000000
0x00000000
0x0042057a
0x004204bc
0x004204c3
0x004204cd
0x004204d6
0x004204f2
0x004204f6
0x004204fc
0x00420502
0x00420508
0x0042050e
0x00420510
0x00000000
0x00000000
0x00420516
0x00000000
0x00420516
0x00420457
0x00420462
0x00420464
0x00420466
0x00000000
0x00000000
0x00000000
0x00420466
0x00420396
0x0042039c
0x004203a2
0x004203b1
0x00420859
0x00000000
0x00420859
0x004203ba
0x004203bf
0x004203c1
0x004203d0
0x004203d6
0x004203dc
0x004203e2
0x004203e7
0x004203ed
0x004203f3
0x004203f3
0x004203f9
0x004203ff
0x0042043b
0x00000000
0x0042043b
0x00420404
0x00420409
0x0042040d
0x0042084b
0x00000000
0x0042084b
0x00420421
0x00420423
0x00000000
0x00420423
0x0042036e
0x00420370
0x00420442
0x00420442
0x00000000
0x00420442
0x00000000
0x00420370
0x00000000
0x00420332
0x00420863
0x00420869
0x00420873
0x0042087b
0x0042087c
0x0042087d
0x00420881
0x00420889
0x00420889

APIs

lstrcmpiW.KERNEL32(?,Delete,?,9518852C,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000), ref: 0042034D
lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?,?), ref: 00420364
lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?), ref: 0042044A
lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,004A37D8,000000FF,?,00420109,?,00000000,00000000,00000000,?,?), ref: 00420472

Part of subcall function 0041D0ED: CharNextW.USER32(?,?,00000000,?,?,?,?,004180FA,?,9518852C,?,?,?,?,?,004A2661), ref: 0041D128
Part of subcall function 0041D0ED: CharNextW.USER32(?,?,?,00000000,?,?,?,?,004180FA,?,9518852C), ref: 0041D1AE

RegDeleteValueW.ADVAPI32(?,?,?,?), ref: 0042056D

Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977

Strings

NoRemove, xrefs: 00420444
ForceRemove, xrefs: 00420357
Delete, xrefs: 00420340
Val, xrefs: 0042046C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: lstrcmpi$CharNext$CloseDeleteHandleModuleValue
String ID: Delete$ForceRemove$NoRemove$Val
API String ID: 1242246611-1781481701
Opcode ID: a1d446e6506353cbc252382d4029f75a5ef42e5710bce3a37fa9218991492181
Instruction ID: 2760f7622405121b3bcfe2dddfac2a0a87bb3b9587d57393e72ef0353ddbb821
Opcode Fuzzy Hash: a1d446e6506353cbc252382d4029f75a5ef42e5710bce3a37fa9218991492181
Instruction Fuzzy Hash: 73E1C931E01235ABCB35EB65AC54AAFB7F4AF14704F4045AFE805E2252D7388F84CE95

Uniqueness

Uniqueness Score: -1.00%

Function 004135B7, Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 245
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E004135B7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t109;
				void* _t110;
				void* _t141;
				void* _t152;
				intOrPtr* _t156;
				void* _t162;
				intOrPtr* _t175;
				intOrPtr* _t177;
				intOrPtr* _t184;
				intOrPtr* _t185;
				intOrPtr* _t190;
				intOrPtr* _t200;
				void* _t204;
				void* _t205;
				void* _t207;
				void* _t208;
				intOrPtr _t211;
				intOrPtr* _t212;
				intOrPtr _t213;
				intOrPtr* _t214;
				void* _t215;
				intOrPtr _t216;
				intOrPtr* _t217;
				intOrPtr* _t218;
				void* _t219;
				void* _t220;
				intOrPtr _t221;
				intOrPtr* _t222;
				void* _t226;

				_t226 = __eflags;
				_t198 = __edx;
				_push(0x178);
				E0045B8C9(0x4a195c, __ebx, __edi, __esi);
				_t162 = __ecx;
				_t200 =  *((intOrPtr*)(_t207 + 8));
				 *((intOrPtr*)(_t207 - 0x178)) = 0;
				 *((intOrPtr*)(_t207 - 0xd0)) = 0x4c2fa0;
				 *((intOrPtr*)(_t207 - 0xa8)) = 0x4c2f40;
				E00404200(_t207 - 0xd0, _t207 - 0x161, 0);
				 *((intOrPtr*)(_t207 - 4)) = 0;
				_t203 = L"0x%04x";
				E0040DD64(_t207 - 0xd0, L"0x%04x",  *(__ecx + 0x44) & 0x0000ffff);
				 *((intOrPtr*)(_t207 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t207 - 0x18)) = 0x4c2f40;
				E00404200(_t207 - 0x40, _t207 - 0x161, 0);
				 *((char*)(_t207 - 4)) = 1;
				E0040DD64(_t207 - 0x40, L"0x%04x",  *(_t207 + 0xc) & 0x0000ffff);
				_push(L".ini");
				_push(_t207 - 0xd0);
				_push(_t207 - 0xa0);
				_t204 = E0040B22B(_t162, _t200, _t203, _t226);
				 *((char*)(_t207 - 4)) = 2;
				_t109 = E0040D208(_t162, _t207 - 0x130);
				_push(0);
				_push(0);
				_push(_t207 - 0x160);
				 *((char*)(_t207 - 4)) = 3;
				_t110 = E0040A206(_t162, _t109, __edx, _t200, _t204, _t226);
				_push(_t204);
				_push(_t207 - 0x100);
				 *((char*)(_t207 - 4)) = 4;
				E0040B91E(_t162, _t110, _t200, _t204, _t226);
				E00401B80(_t207 - 0x160);
				E00401B80(_t207 - 0x130);
				 *((char*)(_t207 - 4)) = 8;
				E00401B80(_t207 - 0xa0);
				_t211 = _t208 + 0x24 - 0x30;
				 *((intOrPtr*)(_t207 - 0x170)) = _t211;
				E004091B8(_t211, 0x4c2d7c, _t207 - 0x161, 1);
				_t212 = _t211 - 0x30;
				_t175 = _t212;
				 *((intOrPtr*)(_t207 - 0x16c)) = _t212;
				_t205 = 0;
				_push(0);
				_push(_t207 - 0x40);
				 *((char*)(_t207 - 4)) = 9;
				 *_t175 = 0x4c2fa0;
				 *((intOrPtr*)(_t175 + 0x28)) = 0x4c2f40;
				E00408E82(_t162, _t175, _t200, 0, _t226);
				_t213 = _t212 - 0x30;
				 *((intOrPtr*)(_t207 - 0x174)) = _t213;
				 *((char*)(_t207 - 4)) = 0xa;
				E004091B8(_t213, L"Languages", _t207 - 0x161, 1);
				_t214 = _t213 - 0x30;
				_t177 = _t214;
				_push(0);
				_push(_t207 - 0x100);
				 *((char*)(_t207 - 4)) = 0xb;
				 *_t177 = 0x4c2fa0;
				 *((intOrPtr*)(_t177 + 0x28)) = 0x4c2f40;
				E00408E82(_t162, _t177, _t200, 0, _t226);
				_push(_t207 - 0x70);
				 *((char*)(_t207 - 4)) = 8;
				E0044585A(_t162, _t198, _t200, 0, _t226);
				_t215 = _t214 + 0xc4;
				 *((char*)(_t207 - 4)) = 0xc;
				_t227 =  *((intOrPtr*)(_t207 - 0x5c));
				if( *((intOrPtr*)(_t207 - 0x5c)) == 0) {
					_t216 = _t215 - 0x30;
					 *((intOrPtr*)(_t207 - 0x168)) = _t216;
					E004091B8(_t216, 0x4c2d7c, _t207 - 0x161, 1);
					_t217 = _t216 - 0x30;
					_t184 = _t217;
					 *((intOrPtr*)(_t207 - 0x174)) = _t217;
					_push(0);
					_push(_t207 - 0x40);
					 *((char*)(_t207 - 4)) = 0xd;
					 *_t184 = 0x4c2fa0;
					 *((intOrPtr*)(_t184 + 0x28)) = 0x4c2f40;
					E00408E82(_t162, _t184, _t200, 0, _t227);
					_t218 = _t217 - 0x30;
					_t185 = _t218;
					 *((intOrPtr*)(_t207 - 0x16c)) = _t218;
					_push(0);
					_push(_t207 - 0x40);
					 *((char*)(_t207 - 4)) = 0xe;
					 *_t185 = 0x4c2fa0;
					 *((intOrPtr*)(_t185 + 0x28)) = 0x4c2f40;
					E00408E82(_t162, _t185, _t200, 0, _t227);
					_t219 = _t218 - 0x30;
					 *((char*)(_t207 - 4)) = 0xf;
					E0040D208(_t162, _t219);
					_push(_t207 - 0xa0);
					 *((char*)(_t207 - 4)) = 0xc;
					_t141 = E0044585A(_t162, _t198, _t200, 0, _t227);
					_t220 = _t219 + 0xc4;
					 *((char*)(_t207 - 4)) = 0x10;
					E004095E2(_t207 - 0x70, _t141);
					 *((char*)(_t207 - 4)) = 0xc;
					E00401B80(_t207 - 0xa0);
					_t228 =  *((intOrPtr*)(_t207 - 0x5c));
					if( *((intOrPtr*)(_t207 - 0x5c)) == 0) {
						_t221 = _t220 - 0x30;
						 *((intOrPtr*)(_t207 - 0x168)) = _t221;
						E004091B8(_t221, 0x4c2d7c, _t207 - 0x161, 1);
						_t222 = _t221 - 0x30;
						_t190 = _t222;
						 *((intOrPtr*)(_t207 - 0x174)) = _t222;
						_push(0);
						_push(_t207 - 0x40);
						 *((char*)(_t207 - 4)) = 0x11;
						 *_t190 = 0x4c2fa0;
						 *((intOrPtr*)(_t190 + 0x28)) = 0x4c2f40;
						E00408E82(_t162, _t190, _t200, 0, _t228);
						_t223 = _t222 - 0x30;
						 *((intOrPtr*)(_t207 - 0x16c)) = _t222 - 0x30;
						 *((char*)(_t207 - 4)) = 0x12;
						E004091B8(_t223, L"0x0409", _t207 - 0x161, 1);
						 *((char*)(_t207 - 4)) = 0x13;
						E0040D208(_t162, _t223 - 0x30);
						_push(_t207 - 0xa0);
						 *((char*)(_t207 - 4)) = 0xc;
						_t152 = E0044585A(_t162, _t198, _t200, 0, _t228);
						 *((char*)(_t207 - 4)) = 0x14;
						E004095E2(_t207 - 0x70, _t152);
						 *((char*)(_t207 - 4)) = 0xc;
						E00401B80(_t207 - 0xa0);
						_t229 =  *((intOrPtr*)(_t207 - 0x5c));
						if( *((intOrPtr*)(_t207 - 0x5c)) == 0) {
							_t156 = E0040A14B(_t207 - 0x70, _t207 - 0x184, 0x104);
							 *((char*)(_t207 - 4)) = 0x15;
							 *((char*)(_t156 + 4)) = 1;
							VerLanguageNameW( *(_t207 + 0xc) & 0x0000ffff,  *(E0040A0F0(_t156,  *_t156)), 0x104);
							 *((char*)(_t207 - 4)) = 0xc;
							E00409574(_t162, _t207 - 0x184, _t200, 0x104, _t229);
							_t205 = 0;
						}
					}
				}
				_push(_t205);
				_push(_t207 - 0x70);
				 *_t200 = 0x4c2fa0;
				 *((intOrPtr*)(_t200 + 0x28)) = 0x4c2f40;
				E00408E82(_t162, _t200, _t200, _t205, 0);
				E00401B80(_t207 - 0x70);
				E00401B80(_t207 - 0x100);
				E00401B80(_t207 - 0x40);
				E00401B80(_t207 - 0xd0);
				return E0045B878(_t162, _t200, _t205);
			}

0x004135b7
0x004135b7
0x004135b7
0x004135c1
0x004135c6
0x004135c8
0x004135db
0x004135e1
0x004135eb
0x004135f5
0x004135ff
0x00413602
0x0041360f
0x00413623
0x0041362a
0x00413631
0x00413640
0x00413644
0x00413649
0x00413654
0x0041365b
0x00413664
0x0041366f
0x00413673
0x00413678
0x0041367a
0x00413682
0x00413685
0x00413689
0x0041368e
0x00413695
0x00413698
0x0041369c
0x004136a7
0x004136b2
0x004136bd
0x004136c1
0x004136c6
0x004136cb
0x004136df
0x004136e4
0x004136e7
0x004136e9
0x004136ef
0x004136f1
0x004136f5
0x004136f6
0x004136fa
0x00413700
0x00413707
0x0041370c
0x00413711
0x00413725
0x00413729
0x0041372e
0x00413731
0x00413733
0x0041373a
0x0041373b
0x0041373f
0x00413745
0x0041374c
0x00413754
0x00413755
0x00413759
0x0041375e
0x00413764
0x00413768
0x0041376b
0x00413771
0x00413776
0x0041378a
0x0041378f
0x00413792
0x00413794
0x0041379a
0x0041379e
0x0041379f
0x004137a3
0x004137a9
0x004137b0
0x004137b5
0x004137b8
0x004137ba
0x004137c0
0x004137c4
0x004137c5
0x004137c9
0x004137cf
0x004137d6
0x004137db
0x004137e1
0x004137e5
0x004137f0
0x004137f1
0x004137f5
0x004137fa
0x00413804
0x00413808
0x00413813
0x00413817
0x0041381c
0x0041381f
0x00413825
0x0041382a
0x0041383e
0x00413843
0x00413846
0x00413848
0x0041384e
0x00413852
0x00413853
0x00413857
0x0041385d
0x00413864
0x00413869
0x0041386e
0x00413882
0x00413886
0x00413891
0x00413895
0x004138a0
0x004138a1
0x004138a5
0x004138b4
0x004138b8
0x004138c3
0x004138c7
0x004138cc
0x004138cf
0x004138e1
0x004138e8
0x004138ec
0x004138fd
0x00413908
0x0041390c
0x00413911
0x00413911
0x004138cf
0x0041381f
0x00413913
0x00413917
0x0041391a
0x00413920
0x00413927
0x0041392f
0x0041393a
0x00413942
0x0041394d
0x00413959

APIs

__EH_prolog3_GS.LIBCMT ref: 004135C1

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044585A: __EH_prolog3_GS.LIBCMT ref: 00445864

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

VerLanguageNameW.KERNEL32(?,00000000,00000104,?,00000104,00000000), ref: 004138FD

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Strings

@/L, xrefs: 004135EB
@/L, xrefs: 0041362A
0x%04x, xrefs: 00413602, 0041360D, 0041363E
Languages, xrefs: 00413720
@/L, xrefs: 00413920
.ini, xrefs: 00413649
0x0409, xrefs: 0041387D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$String$Free$AllocH_prolog3LanguageName
String ID: .ini$0x%04x$0x0409$@/L$@/L$@/L$Languages
API String ID: 3290965825-2079055849
Opcode ID: bb04239445c9d2583dccfa89533c170980266900df33f39550263d5b46e12e74
Instruction ID: d496045965e7ead89ff625dcdf29cbcc38a22b1ac8a4592e5ac31b1930ec181e
Opcode Fuzzy Hash: bb04239445c9d2583dccfa89533c170980266900df33f39550263d5b46e12e74
Instruction Fuzzy Hash: 47A1A97190121CEADB10EBA5CD45BDEBBB8AF15308F1440DEF40977182DBB81B49CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00444E82, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 219
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00444E82(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t92;
				WCHAR** _t93;
				void* _t103;
				void* _t117;
				void* _t119;
				void* _t121;
				void* _t139;
				intOrPtr* _t146;
				int _t152;
				intOrPtr* _t160;
				void* _t162;
				intOrPtr* _t167;
				void* _t187;
				int _t189;
				intOrPtr* _t191;
				void* _t192;
				void* _t193;
				void* _t194;
				intOrPtr* _t195;
				intOrPtr* _t196;

				_t188 = __edi;
				_t187 = __edx;
				_push(0x13c);
				E0045B8C9(0x4a77ba, __ebx, __edi, __esi);
				_t191 =  *((intOrPtr*)(_t192 + 8));
				 *(_t192 - 0x148) =  *(_t192 - 0x148) & 0x00000000;
				_t200 =  *((intOrPtr*)(_t192 + 0x54));
				 *((intOrPtr*)(_t192 - 4)) = 1;
				if( *((intOrPtr*)(_t192 + 0x54)) == 0) {
					_t146 = E0040A14B(_t192 + 0x40, _t192 - 0x144, 0x104);
					 *((char*)(_t192 - 4)) = 2;
					 *((char*)(_t146 + 4)) = 1;
					GetTempPathW(0x104,  *(E0040A0F0(_t146,  *_t146)));
					 *((char*)(_t192 - 4)) = 1;
					E00409574(0x104, _t192 - 0x144, __edi, _t191, _t200);
				}
				_t194 = _t193 - 0x30;
				E0040A1AF(0x104, _t192 + 0x40, _t187, _t200, _t194);
				E004470DB(0x104, _t187, _t188, _t191, _t200);
				_t195 = _t194 + 0x30;
				_t154 = _t192 - 0x40;
				 *((intOrPtr*)(_t192 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t192 - 0x18)) = 0x4c2f40;
				E00404200(_t192 - 0x40, _t192 - 0x131, 0);
				_t152 =  *((intOrPtr*)(_t192 + 0xc));
				 *((char*)(_t192 - 4)) = 3;
				_t189 = 0;
				while(1) {
					_t202 = _t152;
					if(_t152 != 0) {
						_t92 = E0040A14B(_t192 - 0x40, _t192 - 0x144, 0x104);
						 *((char*)(_t192 - 4)) = 8;
						 *((char*)(_t92 + 4)) = 1;
						_t93 = E0040A0F0(_t92,  *_t92);
						__eflags =  *((intOrPtr*)(_t192 + 0x58)) - 8;
						_t158 =  >=  ?  *((void*)(_t192 + 0x44)) : _t192 + 0x44;
						GetTempFileNameW( >=  ?  *((void*)(_t192 + 0x44)) : _t192 + 0x44, L"_is", _t189,  *_t93);
						 *((char*)(_t192 - 4)) = 3;
						E00409574(_t152, _t192 - 0x144, _t189, _t191, __eflags);
						__eflags = _t189;
						if(__eflags == 0) {
							__eflags =  *((intOrPtr*)(_t192 - 0x28)) - 8;
							_t143 =  >=  ?  *((void*)(_t192 - 0x3c)) : _t192 - 0x3c;
							DeleteFileW( >=  ?  *((void*)(_t192 - 0x3c)) : _t192 - 0x3c);
						}
					} else {
						_push(E00444791(_t154, _t187, _t202, _t192 - 0xa0));
						_push("{");
						_push(_t192 - 0x100);
						 *((char*)(_t192 - 4)) = 4;
						_t117 = E0040B2A8(_t152, _t189, _t191, _t202);
						_push("}");
						_push(_t117);
						_push(_t192 - 0x130);
						 *((char*)(_t192 - 4)) = 5;
						_t119 = E0040B22B(_t152, _t189, _t191, _t202);
						_t195 = _t195 + 0x1c;
						_push(_t119);
						_push(_t192 - 0xd0);
						 *((char*)(_t192 - 4)) = 6;
						_t121 = E0040B91E(_t152, _t192 + 0x40, _t189, _t191, _t202);
						 *((char*)(_t192 - 4)) = 7;
						E004095E2(_t192 - 0x40, _t121);
						E00401B80(_t192 - 0xd0);
						E00401B80(_t192 - 0x130);
						E00401B80(_t192 - 0x100);
						 *((char*)(_t192 - 4)) = 3;
						E00401B80(_t192 - 0xa0);
					}
					_t203 =  *((intOrPtr*)(_t192 + 0x24));
					if( *((intOrPtr*)(_t192 + 0x24)) != 0) {
						_t195 = _t195 - 0x30;
						_t160 = _t195;
						_push(0);
						_push(_t192 + 0x10);
						 *_t160 = 0x4c2fa0;
						 *((intOrPtr*)(_t160 + 0x28)) = 0x4c2f40;
						E00408E82(_t152, _t160, _t189, _t191, __eflags);
						_push(_t192 - 0xa0);
						E00447769(_t152, _t192 - 0x40, _t187, _t189, _t191, __eflags);
						_t162 = _t192 - 0xa0;
					} else {
						_push(1);
						_push(_t192 - 0x131);
						_push(0x4c2d7c);
						E00408F6D(_t152, _t192 - 0xd0, _t189, _t191, _t203);
						_push(1);
						_push(_t192 - 0x131);
						_push(L".tmp");
						_t50 = _t192 - 0x70; // 0x4c2d7c
						 *((char*)(_t192 - 4)) = 9;
						E00408F6D(_t152, _t50, _t189, _t191, _t203);
						_t132 =  >=  ?  *((void*)(_t192 - 0x6c)) : _t192 - 0x6c;
						 *((char*)(_t192 - 4)) = 0xa;
						if(E0040A017(_t192 - 0x3c,  >=  ?  *((void*)(_t192 - 0x6c)) : _t192 - 0x6c, 0,  *((intOrPtr*)(_t192 - 0x5c))) != 0xffffffff) {
							E0040A6AD(_t192 - 0x40, _t133,  *((intOrPtr*)(_t192 - 0x5c)), _t192 - 0xd0);
						}
						_t61 = _t192 - 0x70; // 0x4c2d7c
						E00401B80(_t61);
						 *((char*)(_t192 - 4)) = 3;
						_t162 = _t192 - 0xd0;
					}
					E00401B80(_t162);
					_t206 = _t152;
					if(_t152 == 0) {
						_t139 = E0040A1AF(_t152, _t192 - 0x40, _t187, _t206, _t192 - 0xa0);
						 *((char*)(_t192 - 4)) = 0xb;
						E004095E2(_t192 - 0x40, _t139);
						 *((char*)(_t192 - 4)) = 3;
						E00401B80(_t192 - 0xa0);
					}
					_push(0xc);
					_t196 = _t195 - 0x30;
					_t154 = _t196;
					_push(0);
					_push(_t192 - 0x40);
					 *_t154 = 0x4c2fa0;
					 *((intOrPtr*)(_t154 + 0x28)) = 0x4c2f40;
					E00408E82(_t152, _t154, _t189, _t191, _t206);
					_t103 = E00441E34(_t152, _t187, _t189, _t191, _t206);
					_t195 = _t196 + 0x34;
					if(_t103 == 0) {
						break;
					}
					_t189 = _t189 + 1;
					if(_t189 >= 0) {
						continue;
					}
					E004091B8(_t191, 0x4c2d7c, _t192 - 0x131, 1);
					L20:
					E00401B80(_t192 - 0x40);
					E00401B80(_t192 + 0x10);
					E00401B80(_t192 + 0x40);
					return E0045B878(_t152, _t189, _t191);
				}
				__eflags = _t152;
				if(__eflags == 0) {
					_t167 = _t195 - 0x30;
					_push(0);
					_push(_t192 - 0x40);
					 *_t167 = 0x4c2fa0;
					 *((intOrPtr*)(_t167 + 0x28)) = 0x4c2f40;
					E00408E82(_t152, _t167, _t189, _t191, __eflags);
					E004470DB(_t152, _t187, _t189, _t191, __eflags);
				}
				_push(0);
				_push(_t192 - 0x40);
				 *_t191 = 0x4c2fa0;
				 *((intOrPtr*)(_t191 + 0x28)) = 0x4c2f40;
				E00408E82(_t152, _t191, _t189, _t191, __eflags);
				goto L20;
			}

0x00444e82
0x00444e82
0x00444e82
0x00444e8c
0x00444e91
0x00444e94
0x00444e9b
0x00444e9f
0x00444eab
0x00444eb8
0x00444ebf
0x00444ec3
0x00444ecf
0x00444edb
0x00444edf
0x00444edf
0x00444ee4
0x00444eeb
0x00444ef0
0x00444ef5
0x00444f01
0x00444f04
0x00444f0b
0x00444f12
0x00444f17
0x00444f1a
0x00444f1e
0x00444f20
0x00444f20
0x00444f22
0x00444fc5
0x00444fcc
0x00444fd0
0x00444fd4
0x00444fdb
0x00444fe3
0x00444fed
0x00444ff9
0x00444ffd
0x00445002
0x00445004
0x00445006
0x0044500d
0x00445012
0x00445012
0x00444f28
0x00444f34
0x00444f3b
0x00444f40
0x00444f41
0x00444f45
0x00444f4a
0x00444f4f
0x00444f56
0x00444f57
0x00444f5b
0x00444f60
0x00444f63
0x00444f6a
0x00444f6e
0x00444f72
0x00444f7b
0x00444f7f
0x00444f8a
0x00444f95
0x00444fa0
0x00444fab
0x00444faf
0x00444faf
0x00445018
0x0044501c
0x0044509a
0x0044509d
0x0044509f
0x004450a4
0x004450a5
0x004450ab
0x004450b2
0x004450bd
0x004450c1
0x004450c6
0x0044501e
0x0044501e
0x00445026
0x00445027
0x00445032
0x00445037
0x0044503f
0x00445040
0x00445045
0x00445048
0x0044504c
0x0044505b
0x00445065
0x00445071
0x00445081
0x00445081
0x00445086
0x00445089
0x0044508e
0x00445092
0x00445092
0x004450cc
0x004450d1
0x004450d3
0x004450df
0x004450e8
0x004450ec
0x004450f7
0x004450fb
0x004450fb
0x00445100
0x00445102
0x00445105
0x00445107
0x0044510c
0x0044510d
0x00445113
0x0044511a
0x0044511f
0x00445124
0x00445129
0x00000000
0x00000000
0x0044512b
0x0044512c
0x00000000
0x00000000
0x00445142
0x0044518c
0x0044518f
0x00445197
0x0044519f
0x004451ab
0x004451ab
0x00445149
0x0044514b
0x00445150
0x00445152
0x00445157
0x00445158
0x0044515e
0x00445165
0x0044516a
0x0044516f
0x00445172
0x00445177
0x0044517a
0x00445180
0x00445187
0x00000000

APIs

GetTempFileNameW.KERNEL32(?,_is,00000000,00000000,?,00000104), ref: 00444FED
GetTempPathW.KERNEL32(00000104,00000000,?,00000104), ref: 00444ECF

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

__EH_prolog3_GS.LIBCMT ref: 00444E8C

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

DeleteFileW.KERNEL32(?), ref: 00445012

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 004470DB: __EH_prolog3.LIBCMT ref: 004470E2

Strings

_is, xrefs: 00444FE7
.tmp, xrefs: 00445040
@/L, xrefs: 00444F0B
|-L, xrefs: 00445045, 00445086
@/L, xrefs: 00445180

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FileH_prolog3H_prolog3_StringTemp$AllocDeleteNamePath
String ID: .tmp$@/L$@/L$_is$|-L
API String ID: 1310056418-130929492
Opcode ID: 307e54b6f1ce569a8636135edd63e9a9a77196123a49d6bb3969441f44d7b24b
Instruction ID: cdc1113ea4c74d231ccbddbdb057c41b85e82c13c8e367bc0be9af636cdf0889
Opcode Fuzzy Hash: 307e54b6f1ce569a8636135edd63e9a9a77196123a49d6bb3969441f44d7b24b
Instruction Fuzzy Hash: 2391AF30900248EFEB05EBA1CD55FDD7778AF15308F5400AEF50967192DBB85B49CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042E711, Relevance: 16.0, APIs: 4, Strings: 5, Instructions: 213
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042E711(void* __ebx, int __edi, char* __esi, void* __eflags) {
				char** _t107;
				short** _t108;
				signed int _t109;
				int _t112;
				char** _t118;
				short** _t119;
				char** _t133;
				int _t138;
				char _t141;
				int _t142;
				int _t157;
				void* _t189;

				_t184 = __esi;
				_t180 = __edi;
				_push(0xb8);
				E0045B8C9(0x4a5317, __ebx, __edi, __esi);
				_t137 =  *((intOrPtr*)(_t189 + 8));
				 *((intOrPtr*)(_t189 - 0x8c)) =  *((intOrPtr*)(_t189 + 8));
				 *((intOrPtr*)(_t189 - 0x90)) =  *((intOrPtr*)(_t189 + 0xc));
				 *((intOrPtr*)(_t189 - 0xac)) = 0;
				 *(_t189 - 0x80) = 0;
				 *((intOrPtr*)(_t189 - 4)) = 0;
				if(RegOpenKeyExW(0x80000002, L"SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", 0, 0x20019, _t189 - 0x80) != 0) {
					L12:
					E00402CE0(0x4c2d7c, _t189 - 0x71, 1);
				} else {
					_t138 = 0;
					 *(_t189 - 0x88) = 0;
					 *(_t189 - 0x84) = 0;
					 *((intOrPtr*)(_t189 - 0x70)) = 0x4c2f50;
					 *((intOrPtr*)(_t189 - 0x48)) = 0x4c3454;
					E00403F50(_t189 - 0x70, _t189 - 0x71, 0);
					_t16 = _t189 - 0x40; // 0x4c2f50
					 *((intOrPtr*)(_t189 - 0x40)) = 0x4c2f50;
					 *((intOrPtr*)(_t189 - 0x18)) = 0x4c3454;
					E00403F50(_t16, _t189 - 0x71, 0);
					_t20 = _t189 - 0x40; // 0x4c2f50
					 *((char*)(_t189 - 4)) = 2;
					 *(_t189 - 0x78) = 0x400;
					 *(_t189 - 0x7c) = 0x400;
					E00403020(_t20, _t189 - 0x9c, 0x400);
					 *((char*)(_t189 - 4)) = 3;
					_t180 = E00403020(_t189 - 0x70, _t189 - 0xa8, 0x400);
					 *((char*)(_t189 - 4)) = 4;
					 *((char*)(_t104 + 4)) = 1;
					_t107 = E004040F0(_t106,  *_t104);
					_t184 =  *_t107;
					 *((char*)(_t106 + 4)) = 1;
					_t108 = E004040F0(_t107,  *_t106);
					_push(_t189 - 0x7c);
					_push( *_t107);
					_push(_t189 - 0x84);
					_push(0);
					while(1) {
						_t109 = RegEnumValueW( *(_t189 - 0x80), _t138,  *_t108, _t189 - 0x78, ??, ??, ??, ??);
						asm("sbb bl, bl");
						 *((char*)(_t189 - 4)) = 3;
						E00403CF0(_t189 - 0xa8);
						 *((char*)(_t189 - 4)) = 2;
						E00403CF0(_t189 - 0x9c);
						_t141 =  ~_t109 + 1;
						if(_t141 == 0) {
							break;
						}
						_t157 =  *(_t189 - 0x78);
						_t112 =  *(_t189 - 0x7c);
						_t180 = 0x400;
						if(_t157 >= 0x400 || _t112 >= 0x400) {
							 *(_t189 - 0x7c) = _t112 + 1;
							 *(_t189 - 0x78) = _t157 + 1;
							_t37 = _t189 - 0x40; // 0x4c2f50
							E00403020(_t37, _t189 - 0xb8, _t112 + 1);
							 *((char*)(_t189 - 4)) = 5;
							E00403020(_t189 - 0x70, _t189 - 0xc4,  *(_t189 - 0x78));
							 *((char*)(_t189 - 4)) = 6;
							 *((char*)(_t115 + 4)) = 1;
							_t118 = E004040F0(_t117,  *_t115);
							_t184 =  *_t118;
							 *((char*)(_t117 + 4)) = 1;
							_t119 = E004040F0(_t118,  *_t117);
							_t142 =  *(_t189 - 0x88);
							RegEnumValueW( *(_t189 - 0x80), _t142,  *_t119, _t189 - 0x78, 0, _t189 - 0x84,  *_t118, _t189 - 0x7c);
							 *((char*)(_t189 - 4)) = 5;
							E00403CF0(_t189 - 0xc4);
							 *((char*)(_t189 - 4)) = 2;
							E00403CF0(_t189 - 0xb8);
							_t180 = 0x400;
						} else {
							_t142 =  *(_t189 - 0x88);
						}
						if( *(_t189 - 0x84) == 2 ||  *(_t189 - 0x84) == 1) {
							if(E00412ABE( *((intOrPtr*)(_t189 - 0x90)), _t189 - 0x70) == 0) {
								_t137 =  *((intOrPtr*)(_t189 - 0x8c));
								_t85 = _t189 - 0x40; // 0x4c2f50
								 *_t137 = 0x4c2f50;
								 *((intOrPtr*)(_t137 + 0x28)) = 0x4c3454;
								E004053A0(_t85, 0);
								_t87 = _t189 - 0x40; // 0x4c2f50
								E00401AC0(_t87);
								E00401AC0(_t189 - 0x70);
							} else {
								goto L9;
							}
						} else {
							L9:
							_t138 = _t142 + 1;
							_t60 = _t189 - 0x40; // 0x4c2f50
							 *(_t189 - 0x78) = _t180;
							 *(_t189 - 0x7c) = _t180;
							 *(_t189 - 0x88) = _t138;
							E00403020(_t60, _t189 - 0x9c, _t180);
							 *((char*)(_t189 - 4)) = 3;
							_t180 = E00403020(_t189 - 0x70, _t189 - 0xa8, _t180);
							 *((char*)(_t130 + 4)) = 1;
							 *((char*)(_t189 - 4)) = 4;
							_t133 = E004040F0(_t132,  *_t130);
							_t184 =  *_t133;
							 *((char*)(_t132 + 4)) = 1;
							_t108 = E004040F0(_t133,  *_t132);
							_push(_t189 - 0x7c);
							_push( *_t133);
							_push(_t189 - 0x84);
							_push(0);
							continue;
						}
						goto L13;
					}
					_t78 = _t189 - 0x40; // 0x4c2f50
					E00401AC0(_t78);
					 *((char*)(_t189 - 4)) = _t141;
					E00401AC0(_t189 - 0x70);
					_t137 =  *((intOrPtr*)(_t189 - 0x8c));
					goto L12;
				}
				L13:
				E00433132(_t189 - 0x80);
				return E0045B878(_t137, _t180, _t184);
			}

0x0042e711
0x0042e711
0x0042e711
0x0042e71b
0x0042e720
0x0042e728
0x0042e72e
0x0042e734
0x0042e73a
0x0042e751
0x0042e75c
0x0042e996
0x0042e9a3
0x0042e762
0x0042e762
0x0042e776
0x0042e77c
0x0042e782
0x0042e785
0x0042e788
0x0042e792
0x0042e795
0x0042e798
0x0042e79b
0x0042e7ad
0x0042e7b0
0x0042e7b4
0x0042e7b7
0x0042e7bf
0x0042e7cc
0x0042e7d5
0x0042e7d9
0x0042e7dd
0x0042e7e1
0x0042e7e6
0x0042e7ea
0x0042e7ee
0x0042e7f6
0x0042e7f7
0x0042e7fe
0x0042e7ff
0x0042e941
0x0042e94b
0x0042e95b
0x0042e95d
0x0042e961
0x0042e96c
0x0042e970
0x0042e975
0x0042e977
0x00000000
0x00000000
0x0042e805
0x0042e808
0x0042e80b
0x0042e812
0x0042e81f
0x0042e828
0x0042e82c
0x0042e834
0x0042e843
0x0042e84c
0x0042e850
0x0042e854
0x0042e858
0x0042e85d
0x0042e861
0x0042e865
0x0042e86a
0x0042e888
0x0042e894
0x0042e898
0x0042e8a3
0x0042e8a7
0x0042e8ac
0x0042e8b3
0x0042e8b3
0x0042e8b3
0x0042e8c0
0x0042e8dc
0x0042e9ba
0x0042e9c2
0x0042e9c8
0x0042e9ce
0x0042e9d5
0x0042e9da
0x0042e9dd
0x0042e9e5
0x00000000
0x00000000
0x00000000
0x0042e8e2
0x0042e8e2
0x0042e8e9
0x0042e8eb
0x0042e8ee
0x0042e8f1
0x0042e8f4
0x0042e8ff
0x0042e90c
0x0042e915
0x0042e917
0x0042e91d
0x0042e921
0x0042e926
0x0042e928
0x0042e92e
0x0042e936
0x0042e937
0x0042e93e
0x0042e93f
0x00000000
0x0042e93f
0x00000000
0x0042e8c0
0x0042e97d
0x0042e980
0x0042e988
0x0042e98b
0x0042e990
0x00000000
0x0042e990
0x0042e9a8
0x0042e9ab
0x0042e9b7

APIs

__EH_prolog3_GS.LIBCMT ref: 0042E71B
RegOpenKeyExW.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\Session Manager\Environment,00000000,00020019,?,000000B8,0042F5CE,?,P/L), ref: 0042E754

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

Part of subcall function 004040F0: SysStringLen.OLEAUT32(?), ref: 004040FE
Part of subcall function 004040F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00404118

Part of subcall function 004040F0: _wmemcpy_s.LIBCMT ref: 00404145

RegEnumValueW.ADVAPI32 ref: 0042E888

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

RegEnumValueW.ADVAPI32 ref: 0042E94B

Part of subcall function 00403CF0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
Part of subcall function 00403CF0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DE3
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DF0
Part of subcall function 00403CF0: SetLastError.KERNEL32(?), ref: 00403E14
Part of subcall function 00403CF0: SetLastError.KERNEL32(?,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A

Strings

P/L, xrefs: 0042E768
T4L, xrefs: 0042E9CE
P/L, xrefs: 0042E792, 0042E7AD, 0042E82C, 0042E9C2, 0042E9DA, 0042E8EB, 0042E97D, 0042E9C5
SYSTEM\CurrentControlSet\Control\Session Manager\Environment, xrefs: 0042E747
T4L, xrefs: 0042E76D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$EnumValue$AllocH_prolog3_Open_wmemcpy_s
String ID: P/L$P/L$SYSTEM\CurrentControlSet\Control\Session Manager\Environment$T4L$T4L
API String ID: 802081060-1690745742
Opcode ID: 308bb98bd5052a1e19987a0a4844abb24b2a51548811d2477baa7fa36349e06b
Instruction ID: 8cff7c8f36a08ea6961593ecb01b9f7f8e85bfe3ec6f2101e9b3e14620bd614f
Opcode Fuzzy Hash: 308bb98bd5052a1e19987a0a4844abb24b2a51548811d2477baa7fa36349e06b
Instruction Fuzzy Hash: 14916271900258DFDB25DFA5C891BDDBBB8BF18304F1040AEE54AB3282DB741A49DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0049C444, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E0049C444(void* __ecx, intOrPtr __edx, void* __edi, void* __eflags, WCHAR* _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a20) {
				long _v8;
				intOrPtr _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				signed int _v28;
				void* _v32;
				void* _v36;
				void* __ebx;
				long _t54;
				void* _t55;
				intOrPtr* _t60;
				long _t63;
				signed char _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				signed int _t74;
				intOrPtr _t79;
				intOrPtr _t81;
				long _t83;
				long _t84;
				void* _t100;

				_t79 = __edx;
				_t84 = 0;
				_v28 = 0x7863513;
				_v12 = E0049C5DE(_t68, __ecx, __edx, __eflags, _a8, _a12,  &_v28, 4);
				_t69 = CreateFileW(_a4, 0xc0000000, 1, 0, 3, 0x80, 0);
				_v36 = _t69;
				if(_t69 == 0xffffffff) {
					L21:
					L0045A7D5(_v12);
					return _t84;
				}
				_t81 = _a20;
				_v8 = 0;
				_v16 = 0;
				_v20 = 0;
				E0049C5AF( &_v16,  &_v20, _t81);
				_t54 = GetFileSize(_t69,  &_v8);
				_v28 = _t54;
				_t55 = CreateFileMappingW(_t69, 0, _v16, _v8, _t54, 0);
				_v32 = _t55;
				if(_t55 == 0) {
					L20:
					CloseHandle(_t69);
					goto L21;
				}
				_t70 = MapViewOfFile(_t55, _v20, 0, 0, 0);
				if(_t70 == 0) {
					L19:
					CloseHandle(_v32);
					_t69 = _v36;
					goto L20;
				}
				_t74 = _v8 | _v28;
				_v20 = 0;
				_v28 = _t74;
				if(0 < 0 || 0 <= 0 && _t74 <= 0) {
					L15:
					if(_t81 != 0) {
						_t60 =  *((intOrPtr*)(_t81 + 4));
						if(_t60 != 0) {
							 *((intOrPtr*)(_t81 + 0xc)) =  *_t60(_t70, _t74, _t84,  *((intOrPtr*)(_t81 + 8)));
						}
					}
					_t84 = 1;
					UnmapViewOfFile(_t70);
					goto L19;
				} else {
					asm("cdq");
					_t75 = _a12;
					_v16 = _a12;
					_v24 = _t79;
					_t83 = _t84;
					_t63 = _t84;
					while(1) {
						L8:
						_push( *(E0049C8C0(_t83, _t63, _t75, _t79) + _v12) & 0x000000ff);
						_push( *(_t70 + _t83) & 0x000000ff);
						if(_a16 == _t84) {
							_t67 = E0049C312();
						} else {
							_t67 = E0049C427();
						}
						_t79 = _v24;
						 *(_t70 + _t83) = _t67;
						_t63 = _v20;
						_t83 = _t83 + 1;
						asm("adc eax, esi");
						_t75 = _v16;
						_v20 = _t63;
						_t100 = _t63 - _t84;
						if(_t100 < 0) {
							continue;
						}
						L12:
						_t74 = _v28;
						if(_t100 > 0 || _t83 >= _t74) {
							_t81 = _a20;
							goto L15;
						} else {
							_t75 = _v16;
							do {
								goto L8;
							} while (_t100 < 0);
							goto L12;
						}
						L8:
						_push( *(E0049C8C0(_t83, _t63, _t75, _t79) + _v12) & 0x000000ff);
						_push( *(_t70 + _t83) & 0x000000ff);
						if(_a16 == _t84) {
							_t67 = E0049C312();
						} else {
							_t67 = E0049C427();
						}
						_t79 = _v24;
						 *(_t70 + _t83) = _t67;
						_t63 = _v20;
						_t83 = _t83 + 1;
						asm("adc eax, esi");
						_t75 = _v16;
						_v20 = _t63;
						_t100 = _t63 - _t84;
					}
				}
			}

0x0049c444
0x0049c455
0x0049c45a
0x0049c469
0x0049c485
0x0049c487
0x0049c48d
0x0049c5a0
0x0049c5a3
0x0049c5ae
0x0049c5ae
0x0049c494
0x0049c4a0
0x0049c4a3
0x0049c4a6
0x0049c4a9
0x0049c4b6
0x0049c4c1
0x0049c4c9
0x0049c4cf
0x0049c4d4
0x0049c598
0x0049c599
0x00000000
0x0049c59f
0x0049c4e7
0x0049c4eb
0x0049c58c
0x0049c58f
0x0049c595
0x00000000
0x0049c595
0x0049c4f4
0x0049c4f7
0x0049c4fa
0x0049c4ff
0x0049c569
0x0049c56b
0x0049c56d
0x0049c572
0x0049c57f
0x0049c57f
0x0049c572
0x0049c585
0x0049c586
0x00000000
0x0049c507
0x0049c50a
0x0049c50b
0x0049c50d
0x0049c510
0x0049c513
0x0049c515
0x0049c51c
0x0049c51c
0x0049c52c
0x0049c531
0x0049c535
0x0049c53e
0x0049c537
0x0049c537
0x0049c537
0x0049c543
0x0049c546
0x0049c549
0x0049c54c
0x0049c54f
0x0049c553
0x0049c556
0x0049c559
0x0049c55b
0x00000000
0x00000000
0x0049c55d
0x0049c55d
0x0049c560
0x0049c566
0x00000000
0x0049c519
0x0049c519
0x0049c51c
0x00000000
0x00000000
0x00000000
0x0049c51c
0x0049c51c
0x0049c52c
0x0049c531
0x0049c535
0x0049c53e
0x0049c537
0x0049c537
0x0049c537
0x0049c543
0x0049c546
0x0049c549
0x0049c54c
0x0049c54f
0x0049c553
0x0049c556
0x0049c559
0x0049c559
0x0049c51c

APIs

CreateFileW.KERNEL32(00000000,C0000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?), ref: 0049C47F
GetFileSize.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0049C4B6
CreateFileMappingW.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,?,?,?,?), ref: 0049C4C9
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?), ref: 0049C4E1
__allrem.LIBCMT ref: 0049C520
UnmapViewOfFile.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0049C586
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 0049C58F
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?), ref: 0049C599

Strings

lJ, xrefs: 0049C444

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap__allrem
String ID: lJ
API String ID: 3476395881-496827753
Opcode ID: 922d89501ecbc639f8f6c24e6d568a34c74741d8c3fd3899ce6649435f5c27aa
Instruction ID: 15958081234dcb66c9fc530a50b4672f1d05b3945c41733da6f1a579c2539a87
Opcode Fuzzy Hash: 922d89501ecbc639f8f6c24e6d568a34c74741d8c3fd3899ce6649435f5c27aa
Instruction Fuzzy Hash: 9E4160B1900229BFDF119FA5DC859AFBFB8EF09760F01452AF915E3251D734AA10CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042F4FB, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 142
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0042F4FB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t69;
				WCHAR* _t88;
				intOrPtr* _t93;
				WCHAR* _t95;
				intOrPtr _t106;
				signed int _t117;
				WCHAR* _t124;
				void* _t133;
				signed int _t134;
				intOrPtr _t137;
				WCHAR* _t138;
				void* _t139;

				_push(0xb8);
				E0045B8C9(0x4a5564, __ebx, __edi, __esi);
				_t133 = __ecx;
				_t136 =  *((intOrPtr*)(_t139 + 0xc));
				_t106 =  *((intOrPtr*)(_t139 + 8));
				 *((intOrPtr*)(_t139 - 0xb8)) =  *((intOrPtr*)(_t139 + 0xc));
				 *((intOrPtr*)(_t139 - 0x70)) = 0x4c2f50;
				 *((intOrPtr*)(_t139 - 0x48)) = 0x4c3454;
				E00403F50(_t139 - 0x70, _t139 - 0xa1, 0);
				 *(_t139 - 4) =  *(_t139 - 4) & 0x00000000;
				_t11 = _t139 - 0x70; // 0x4c2f50
				_t69 = E00403020(_t11, _t139 - 0xb0, 0x104);
				 *(_t139 - 4) = 1;
				 *((char*)(_t69 + 4)) = 1;
				GetCurrentDirectoryW(0x104,  *(E004040F0(_t69,  *_t69)));
				 *(_t139 - 4) = 0;
				E00403CF0(_t139 - 0xb0);
				_t141 =  *((intOrPtr*)(_t139 - 0x5c));
				if( *((intOrPtr*)(_t139 - 0x5c)) != 0) {
					E00413296(_t139 - 0x70, _t136);
					_push(_t139 - 0x70);
					E00429345(_t106);
				}
				 *((intOrPtr*)(_t139 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t139 - 0x18)) = 0x4c3454;
				E00403FB0(L"PATH", _t139 - 0xa1, 0);
				_t23 = _t139 - 0x40; // 0x4c2f50
				 *(_t139 - 4) = 2;
				E0042E711(_t106, _t133, _t136, _t141, _t139 - 0xa0, _t23);
				_t26 = _t139 - 0x40; // 0x4c2f50
				E00401AC0(_t26);
				 *((intOrPtr*)(_t139 - 0xb0)) = 0;
				 *((intOrPtr*)(_t139 - 0xac)) = 0;
				 *((intOrPtr*)(_t139 - 0xa8)) = 0;
				_push(1);
				_push(_t139 - 0xb0);
				_push(0);
				_push(0x3b);
				 *(_t139 - 4) = 5;
				E0042A559(_t106, _t139 - 0xa0, _t133, _t136, _t141);
				_t137 =  *((intOrPtr*)(_t139 - 0xb0));
				asm("cdq");
				_t117 = 0x30;
				_t134 = ( *((intOrPtr*)(_t139 - 0xac)) - _t137) / _t117;
				if(_t134 != 0) {
					_t138 = _t137 + 4;
					do {
						if(_t138[0xa] < 8) {
							_t88 = _t138;
						} else {
							_t88 =  *_t138;
						}
						 *(_t139 - 0xb4) = ExpandEnvironmentStringsW(_t88, 0, 0);
						_t42 = _t139 - 0x40; // 0x4c2f50
						 *((intOrPtr*)(_t139 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t139 - 0x18)) = 0x4c3454;
						E00403F50(_t42, _t139 - 0xa1, 0);
						_t47 = _t139 - 0x40; // 0x4c2f50
						 *(_t139 - 4) = 6;
						_t93 = E00403020(_t47, _t139 - 0xc4,  *(_t139 - 0xb4));
						 *(_t139 - 4) = 7;
						 *((char*)(_t93 + 4)) = 1;
						_t124 =  *(E004040F0(_t93,  *_t93));
						if(_t138[0xa] < 8) {
							_t95 = _t138;
						} else {
							_t95 =  *_t138;
						}
						ExpandEnvironmentStringsW(_t95, _t124,  *(_t139 - 0xb4));
						 *(_t139 - 4) = 6;
						E00403CF0(_t139 - 0xc4);
						if( *((intOrPtr*)(_t139 - 0x2c)) != 0) {
							_t57 = _t139 - 0x40; // 0x4c2f50
							E00413296(_t57,  *((intOrPtr*)(_t139 - 0xb8)));
							_t58 = _t139 - 0x40; // 0x4c2f50
							E00429345(_t106);
						}
						_t59 = _t139 - 0x40; // 0x4c2f50
						 *(_t139 - 4) = 5;
						E00401AC0(_t59);
						_t138 =  &(_t138[0x18]);
						_t134 = _t134 - 1;
					} while (_t134 != 0);
				}
				E00428E3E(_t139 - 0xb0);
				E00401AC0(_t139 - 0xa0);
				E00401AC0(_t139 - 0x70);
				return E0045B878(_t106, _t134, _t137);
			}

0x0042f4fb
0x0042f505
0x0042f50a
0x0042f50c
0x0042f50f
0x0042f51e
0x0042f524
0x0042f52b
0x0042f532
0x0042f537
0x0042f547
0x0042f54a
0x0042f551
0x0042f555
0x0042f565
0x0042f571
0x0042f575
0x0042f57a
0x0042f57e
0x0042f584
0x0042f58c
0x0042f58f
0x0042f58f
0x0042f5a5
0x0042f5ac
0x0042f5b3
0x0042f5b8
0x0042f5c5
0x0042f5c9
0x0042f5ce
0x0042f5d1
0x0042f5d8
0x0042f5de
0x0042f5e4
0x0042f5ea
0x0042f5f2
0x0042f5f3
0x0042f5f4
0x0042f5fc
0x0042f600
0x0042f60b
0x0042f615
0x0042f616
0x0042f619
0x0042f61d
0x0042f623
0x0042f626
0x0042f62a
0x0042f630
0x0042f62c
0x0042f62c
0x0042f62c
0x0042f63d
0x0042f64c
0x0042f64f
0x0042f656
0x0042f65d
0x0042f66f
0x0042f672
0x0042f676
0x0042f67d
0x0042f681
0x0042f68e
0x0042f690
0x0042f696
0x0042f692
0x0042f692
0x0042f692
0x0042f6a0
0x0042f6ac
0x0042f6b0
0x0042f6b9
0x0042f6c1
0x0042f6c4
0x0042f6c9
0x0042f6cf
0x0042f6cf
0x0042f6d4
0x0042f6d7
0x0042f6db
0x0042f6e0
0x0042f6e3
0x0042f6e3
0x0042f626
0x0042f6f0
0x0042f6fb
0x0042f703
0x0042f70d

APIs

__EH_prolog3_GS.LIBCMT ref: 0042F505

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

Part of subcall function 004040F0: SysStringLen.OLEAUT32(?), ref: 004040FE
Part of subcall function 004040F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 00404118

GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,00000104,000000B8,0042CBD8,?,?,004AE888,00000000,00000000,?,?,?), ref: 0042F565

Part of subcall function 00403CF0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
Part of subcall function 00403CF0: GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DE3
Part of subcall function 00403CF0: SysFreeString.OLEAUT32(?), ref: 00403DF0
Part of subcall function 00403CF0: SetLastError.KERNEL32(?), ref: 00403E14
Part of subcall function 00403CF0: SetLastError.KERNEL32(?,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A

ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,0000003B,00000000,?,00000001,?,P/L), ref: 0042F637
ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?), ref: 0042F6A0

Strings

T4L, xrefs: 0042F656
P/L, xrefs: 0042F547
P/L, xrefs: 0042F5B8, 0042F5BB
T4L, xrefs: 0042F52B
PATH, xrefs: 0042F59D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$EnvironmentExpandFreeStrings$AllocCurrentDirectoryH_prolog3_
String ID: P/L$P/L$PATH$T4L$T4L
API String ID: 1245459020-2656244831
Opcode ID: cbabdf1a6371ec216106ae88bad27b96967ffc6d7205825a61a253d634bbdc52
Instruction ID: ba179cdb29415cf54a8273fdb3f48d924758216bbd0a600011d6093064fb6b27
Opcode Fuzzy Hash: cbabdf1a6371ec216106ae88bad27b96967ffc6d7205825a61a253d634bbdc52
Instruction Fuzzy Hash: F7517071A00269DEDB14EB95CC45BDDBBB8BF05308F4040AEE10967292DB745A49CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 0042F24F, Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E0042F24F(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed short _t71;
				signed int _t101;
				signed int _t103;
				signed short _t130;
				void* _t131;
				void* _t132;

				_t132 = __eflags;
				_push(0xe4);
				E0045B8C9(0x4a54f8, __ebx, __edi, __esi);
				_t130 = 0;
				 *(_t131 - 0xf0) =  *(_t131 + 0xc);
				 *(_t131 - 0xe8) =  *(_t131 + 0x10);
				 *((intOrPtr*)(_t131 - 0xe4)) = 0;
				 *((intOrPtr*)(_t131 - 0xe0)) = 0;
				 *((intOrPtr*)(_t131 - 0xdc)) = 0;
				_push(1);
				_push(_t131 - 0xe4);
				_push(0);
				_push(0x2e);
				 *((intOrPtr*)(_t131 - 4)) = 0;
				E0042A559(__ebx,  *((intOrPtr*)(_t131 + 8)), __edi, 0, _t132);
				_t128 =  *((intOrPtr*)(_t131 - 0xe4));
				asm("cdq");
				_t103 = 0x30;
				 *(_t131 - 0xd4) = 0;
				 *(_t131 - 0xd8) = 0;
				_t101 = ( *((intOrPtr*)(_t131 - 0xe0)) -  *((intOrPtr*)(_t131 - 0xe4))) / _t103;
				_t71 = 0;
				if(_t101 > 0) {
					 *((intOrPtr*)(_t131 - 0x70)) = 0x4c2f50;
					 *((intOrPtr*)(_t131 - 0x48)) = 0x4c3454;
					E004053A0(_t128, 0);
					_t82 =  >=  ?  *((void*)(_t131 - 0x6c)) : _t131 - 0x6c;
					 *((char*)(_t131 - 4)) = 1;
					 *(_t131 - 0xec) = E0045CD32( >=  ?  *((void*)(_t131 - 0x6c)) : _t131 - 0x6c);
					if(_t101 > 1) {
						 *((intOrPtr*)(_t131 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t131 - 0x18)) = 0x4c3454;
						E004053A0(_t128 + 0x30, 0);
						_t87 =  >=  ?  *((void*)(_t131 - 0x3c)) : _t131 - 0x3c;
						 *((char*)(_t131 - 4)) = 2;
						 *(_t131 - 0xd4) = E0045CD32( >=  ?  *((void*)(_t131 - 0x3c)) : _t131 - 0x3c);
						if(_t101 > 2) {
							 *((intOrPtr*)(_t131 - 0xa0)) = 0x4c2f50;
							 *((intOrPtr*)(_t131 - 0x78)) = 0x4c3454;
							E004053A0(_t128 + 0x60, 0);
							_t92 =  >=  ?  *((void*)(_t131 - 0x9c)) : _t131 - 0x9c;
							 *((char*)(_t131 - 4)) = 3;
							 *(_t131 - 0xd8) = E0045CD32( >=  ?  *((void*)(_t131 - 0x9c)) : _t131 - 0x9c);
							if(_t101 > 3) {
								 *((intOrPtr*)(_t131 - 0xd0)) = 0x4c2f50;
								 *((intOrPtr*)(_t131 - 0xa8)) = 0x4c3454;
								E004053A0(_t128 + 0x90, 0);
								_t97 =  >=  ?  *((void*)(_t131 - 0xcc)) : _t131 - 0xcc;
								_t130 = E0045CD32( >=  ?  *((void*)(_t131 - 0xcc)) : _t131 - 0xcc);
								E00401AC0(_t131 - 0xd0);
							}
							E00401AC0(_t131 - 0xa0);
						}
						_t54 = _t131 - 0x40; // 0x4c2f50
						E00401AC0(_t54);
					}
					E00401AC0(_t131 - 0x70);
					_t71 =  *(_t131 - 0xec);
				}
				 *( *(_t131 - 0xf0)) = (_t71 & 0x0000ffff) << 0x00000010 |  *(_t131 - 0xd4) & 0x0000ffff;
				 *( *(_t131 - 0xe8)) = ( *(_t131 - 0xd8) & 0x0000ffff) << 0x00000010 | _t130 & 0x0000ffff;
				E00428E3E(_t131 - 0xe4);
				return E0045B878(_t101, _t128, _t130);
			}

0x0042f24f
0x0042f24f
0x0042f259
0x0042f264
0x0042f266
0x0042f26f
0x0042f275
0x0042f27b
0x0042f281
0x0042f287
0x0042f28f
0x0042f290
0x0042f291
0x0042f293
0x0042f296
0x0042f2a1
0x0042f2a9
0x0042f2ac
0x0042f2af
0x0042f2b5
0x0042f2bb
0x0042f2bd
0x0042f2c1
0x0042f2cc
0x0042f2d3
0x0042f2da
0x0042f2e6
0x0042f2eb
0x0042f2f5
0x0042f2fe
0x0042f30c
0x0042f313
0x0042f31a
0x0042f326
0x0042f32b
0x0042f335
0x0042f33e
0x0042f34f
0x0042f359
0x0042f360
0x0042f372
0x0042f37a
0x0042f384
0x0042f38d
0x0042f39d
0x0042f3a7
0x0042f3b1
0x0042f3c3
0x0042f3d7
0x0042f3d9
0x0042f3d9
0x0042f3e4
0x0042f3e4
0x0042f3e9
0x0042f3ec
0x0042f3ec
0x0042f3f4
0x0042f3f9
0x0042f3f9
0x0042f416
0x0042f42f
0x0042f437
0x0042f441

APIs

__EH_prolog3_GS.LIBCMT ref: 0042F259

Part of subcall function 0042A559: __EH_prolog3_GS.LIBCMT ref: 0042A560

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

T4L, xrefs: 0042F3A7
T4L, xrefs: 0042F2D3
P/L, xrefs: 0042F2CC
P/L, xrefs: 0042F3E9
T4L, xrefs: 0042F359
P/L, xrefs: 0042F34F
T4L, xrefs: 0042F313
P/L, xrefs: 0042F39D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String
String ID: P/L$P/L$P/L$P/L$T4L$T4L$T4L$T4L
API String ID: 2608676048-1424174092
Opcode ID: 1b5317241087700aa1705587a31f7cda9bf7f16ecae7cf26ac93cc17b25ead88
Instruction ID: d835e6112d69e792768aeb3f4e2b5881663389e6ca348960f1f0ba69e91e955f
Opcode Fuzzy Hash: 1b5317241087700aa1705587a31f7cda9bf7f16ecae7cf26ac93cc17b25ead88
Instruction Fuzzy Hash: 93510874900268DECB68DFA9C894BDDBBB4BF18344F5084AFE409B7241DB745A88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00450034, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 116
stringCOMMON

Download Yara Rule

C-Code - Quality: 22%

			E00450034(intOrPtr* __ecx, char _a4) {
				signed char _v8;
				intOrPtr _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				signed int _t49;
				signed int _t50;
				intOrPtr* _t56;
				void** _t73;

				_push(__ecx);
				_push(0);
				_push( &_v8);
				_t56 = __ecx;
				_v8 = 0;
				if( *0x4d953c() != 0 || (_v8 & 0x00000041) == 0) {
					L4:
					 *( *(_t56 + 0x44)) = 0;
					_t39 =  *((intOrPtr*)(_t56 + 0x48));
					if(_t39 != 0) {
						_push(_t39);
						if( *(_t56 + 0x40) == 0) {
							_push(L"Range: bytes=%d-");
						} else {
							_push(L"Range: bytes=%d-\r\n");
						}
						wsprintfW( *(_t56 + 0x44), ??);
					}
					if( *(_t56 + 0x40) != 0) {
						lstrcatW( *(_t56 + 0x44),  *(_t56 + 0x40));
					}
					if( *((intOrPtr*)(_t56 + 4)) != 0) {
						if(_a4 == 0) {
							_t40 = 1;
						} else {
							_t29 = _t56 + 0xc; // 0xe
							_t73 = _t29;
							ResetEvent( *_t73);
							_t43 =  *0x4d9548( *((intOrPtr*)(_t56 + 4)),  *(_t56 + 0x44), E0045B5D4( *(_t56 + 0x44)), 0, 0);
							_t44 =  *_t56;
							if(_t43 == 0) {
								_push(0);
								_push(_t73);
								goto L23;
							} else {
								goto L21;
							}
						}
					} else {
						ResetEvent( *(_t56 + 0xc));
						_push(_t56);
						_push( *(_t56 + 0x50));
						while(1) {
							_push(E0045B5D4( *(_t56 + 0x44)));
							_push( *(_t56 + 0x44));
							_push( *((intOrPtr*)(_t56 + 0x3c)));
							_push( *((intOrPtr*)(_t56 + 0x30)));
							if( *((intOrPtr*)( *_t56 + 0x2c))() != 0) {
								break;
							}
							if(GetLastError() != 0x57) {
								L18:
								_t44 =  *_t56;
								_t27 = _t56 + 0xc; // 0xe
								_push(0);
								L23:
								_t40 =  *((intOrPtr*)(_t44 + 8))( *((intOrPtr*)(_t56 + 0x28)));
							} else {
								_t49 =  *(_t56 + 0x50);
								if((_t49 & 0x00000100) == 0) {
									goto L18;
								} else {
									_t50 = _t49 & 0xfffffeff;
									_push(_t56);
									 *(_t56 + 0x50) = _t50;
									_push(_t50);
									continue;
								}
							}
							goto L25;
						}
						_t44 =  *_t56;
						L21:
						_t40 =  *((intOrPtr*)(_t44 + 0x28))();
					}
					L25:
				} else {
					_push(0);
					_push( *((intOrPtr*)(__ecx + 0x78)));
					if( *0x4d9538() != 0) {
						goto L4;
					} else {
						 *((intOrPtr*)(_t56 + 8)) = GetLastError();
						_t40 = 0;
					}
				}
				return _t40;
			}

0x00450037
0x0045003c
0x00450040
0x00450041
0x00450043
0x0045004e
0x00450074
0x00450079
0x0045007c
0x00450081
0x00450083
0x00450087
0x00450090
0x00450089
0x00450089
0x00450089
0x00450098
0x0045009e
0x004500a4
0x004500ac
0x004500ac
0x004500b6
0x0045011b
0x00450157
0x0045011d
0x0045011d
0x0045011d
0x00450122
0x0045013a
0x00450142
0x00450146
0x0045014d
0x0045014e
0x00000000
0x00000000
0x00000000
0x00000000
0x00450146
0x004500b8
0x004500bb
0x004500c1
0x004500c2
0x004500e6
0x004500f4
0x004500f5
0x004500fa
0x004500fd
0x00450103
0x00000000
0x00000000
0x004500d0
0x0045010b
0x0045010b
0x0045010d
0x00450110
0x0045014f
0x00450152
0x004500d2
0x004500d2
0x004500da
0x00000000
0x004500dc
0x004500dc
0x004500e1
0x004500e2
0x004500e5
0x00000000
0x004500e5
0x004500da
0x00000000
0x004500d0
0x00450105
0x00450148
0x00450148
0x00450148
0x00450159
0x00450056
0x00450056
0x00450057
0x00450062
0x00000000
0x00450064
0x0045006a
0x0045006d
0x0045006d
0x00450062
0x0045015d

APIs

GetLastError.KERNEL32(?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?,00000003,00000000), ref: 00450064
wsprintfW.USER32 ref: 00450098
lstrcatW.KERNEL32(?,?), ref: 004500AC
ResetEvent.KERNEL32(?,00000002,?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?), ref: 004500BB
GetLastError.KERNEL32(?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?,00000003,00000000), ref: 004500C7
ResetEvent.KERNEL32(0000000E,00000002,?,0045028D,?,?,?,00000000,?,00415586,?,?,?,0000010C,004243E8,?), ref: 00450122

Strings

Range: bytes=%d-, xrefs: 00450090
Range: bytes=%d-, xrefs: 00450089
A, xrefs: 00450050

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorEventLastReset$lstrcatwsprintf
String ID: A$Range: bytes=%d-$Range: bytes=%d-
API String ID: 2894917480-4039695729
Opcode ID: 6fcbd3db4730df72ba2ab927a36c7d3a97c1c80cb252543f66662816af8bc60c
Instruction ID: b1e300c78a8eb2fc5f889235aff39914ca9957faf1e2b898e1473a8cb950363b
Opcode Fuzzy Hash: 6fcbd3db4730df72ba2ab927a36c7d3a97c1c80cb252543f66662816af8bc60c
Instruction Fuzzy Hash: DA416E39100100EFDF199F15ECC9A6A7FA8EF45702B1840AAFE05CA267D736DC45DB29

Uniqueness

Uniqueness Score: -1.00%

Function 0043E2D6, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0043E2D6(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t48;
				void* _t60;
				signed int _t76;
				signed int _t79;
				signed int _t81;
				intOrPtr* _t101;
				void* _t102;

				_push(0x78);
				E0045B8C9(0x4a69e5, __ebx, __edi, __esi);
				_t101 =  *((intOrPtr*)(_t102 + 8));
				 *((intOrPtr*)(_t102 - 0x84)) = 0;
				 *((intOrPtr*)(_t102 - 0x70)) = 0x4affb8;
				 *((intOrPtr*)(_t102 - 0x48)) = 0x4affc0;
				E00404200(_t102 - 0x70, _t102 - 0x71, 0);
				 *((intOrPtr*)(_t102 - 4)) = 0;
				_t48 = E00443772(_t102 - 0x70, _t102 - 0x80, 0x104);
				_t104 =  *((intOrPtr*)(_t102 + 0xc)) - 1;
				if( *((intOrPtr*)(_t102 + 0xc)) != 1) {
					__eflags =  *((intOrPtr*)(_t102 + 0xc)) - 2;
					if( *((intOrPtr*)(_t102 + 0xc)) != 2) {
						 *((char*)(_t102 - 4)) = 5;
						 *((char*)(_t48 + 4)) = 1;
						_t76 =  ~(GetSystemDirectoryW( *(E0040A0F0(_t48,  *_t48)), 0x104));
						asm("sbb bl, bl");
						 *((char*)(_t102 - 4)) = 0;
						E00409574(_t76, _t102 - 0x80, 0x104, _t101, __eflags);
						_t77 = _t76 + 1;
						__eflags = _t76 + 1;
						if(__eflags != 0) {
							goto L2;
						}
					} else {
						 *((char*)(_t102 - 4)) = 3;
						 *((char*)(_t48 + 4)) = 1;
						_t79 =  ~(GetWindowsDirectoryW( *(E0040A0F0(_t48,  *_t48)), 0x104));
						asm("sbb bl, bl");
						 *((char*)(_t102 - 4)) = 0;
						E00409574(_t79, _t102 - 0x80, 0x104, _t101, __eflags);
						_t77 = _t79 + 1;
						__eflags = _t79 + 1;
						if(__eflags != 0) {
							goto L2;
						} else {
							_push(0);
							_push(_t102 - 0x71);
							_push(L"syswow64");
							 *((intOrPtr*)(_t102 - 0x40)) = 0x4c2fa0;
							 *((intOrPtr*)(_t102 - 0x18)) = 0x4c2f40;
							E00408F6D(_t77, _t102 - 0x40, 0x104, _t101, __eflags);
							 *((char*)(_t102 - 4)) = 4;
						}
						goto L7;
					}
				} else {
					 *((char*)(_t102 - 4)) = 1;
					 *((char*)(_t48 + 4)) = 1;
					_t81 =  ~(GetWindowsDirectoryW( *(E0040A0F0(_t48,  *_t48)), 0x104));
					asm("sbb bl, bl");
					 *((char*)(_t102 - 4)) = 0;
					E00409574(_t81, _t102 - 0x80, 0x104, _t101, _t104);
					_t77 = _t81 + 1;
					_t105 = _t81 + 1;
					if(_t81 + 1 != 0) {
						L2:
						_t15 = _t102 - 0x2c; // 0x4ae96c
						E0040B827(_t77, _t15, 0x104, _t101, _t105);
						_t16 = _t102 - 0x2c; // 0x4ae96c
						E0045A466(_t16, 0x4c6ab8);
					}
					_push(0);
					_push(_t102 - 0x71);
					_push(L"sysnative");
					 *((intOrPtr*)(_t102 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t102 - 0x18)) = 0x4c2f40;
					E00408F6D(_t77, _t102 - 0x40, 0x104, _t101, _t105);
					 *((char*)(_t102 - 4)) = 2;
					L7:
					E0043F429(_t102 - 0x70, _t102 - 0x40);
					 *((char*)(_t102 - 4)) = 0;
					E00401B80(_t102 - 0x40);
				}
				_t60 = E0042C2C4(_t77, _t102 - 0x70, "\\");
				_push(0);
				_push(_t60);
				 *_t101 = 0x4affb8;
				 *((intOrPtr*)(_t101 + 0x28)) = 0x4affc0;
				E00408E82(_t77, _t101, 0x104, _t101, _t105);
				E00401B80(_t102 - 0x70);
				return E0045B878(_t77, 0x104, _t101);
			}

0x0043e2d6
0x0043e2dd
0x0043e2e2
0x0043e2ef
0x0043e2f5
0x0043e2fc
0x0043e303
0x0043e315
0x0043e318
0x0043e31d
0x0043e321
0x0043e38e
0x0043e392
0x0043e403
0x0043e407
0x0043e41b
0x0043e420
0x0043e422
0x0043e426
0x0043e42b
0x0043e42b
0x0043e42d
0x00000000
0x00000000
0x0043e394
0x0043e396
0x0043e39a
0x0043e3ae
0x0043e3b3
0x0043e3b5
0x0043e3b9
0x0043e3be
0x0043e3be
0x0043e3c0
0x00000000
0x0043e3c2
0x0043e3c2
0x0043e3c7
0x0043e3c8
0x0043e3d0
0x0043e3d7
0x0043e3de
0x0043e3e3
0x0043e3e3
0x00000000
0x0043e3c0
0x0043e323
0x0043e325
0x0043e329
0x0043e33d
0x0043e342
0x0043e344
0x0043e348
0x0043e34d
0x0043e34d
0x0043e34f
0x0043e351
0x0043e351
0x0043e354
0x0043e35e
0x0043e362
0x0043e362
0x0043e367
0x0043e36c
0x0043e36d
0x0043e375
0x0043e37c
0x0043e383
0x0043e388
0x0043e3e7
0x0043e3ee
0x0043e3f6
0x0043e3fa
0x0043e3fa
0x0043e43b
0x0043e440
0x0043e442
0x0043e445
0x0043e44b
0x0043e452
0x0043e45a
0x0043e466

APIs

__EH_prolog3_GS.LIBCMT ref: 0043E2DD

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0043E413

Part of subcall function 0040B827: __EH_prolog3.LIBCMT ref: 0040B82E
Part of subcall function 0040B827: GetLastError.KERNEL32(00000004,00416939,00000008,004238F4,dJ,00000001,?,00000000), ref: 0040B847

__CxxThrowException@8.LIBCMT ref: 0043E362

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00444282,?,00000000,00000068,00486772,?,004C2FA0,uxtheme.dll,?,00000000), ref: 0043E335

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

GetWindowsDirectoryW.KERNEL32(00000000,00000104,?,00000104,00000078,00444282,?,00000000,00000068,00486772,?,004C2FA0,uxtheme.dll,?,00000000), ref: 0043E3A6

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Strings

sysnative, xrefs: 0043E36D
@/L, xrefs: 0043E3D7
syswow64, xrefs: 0043E3C8
lJ, xrefs: 0043E351, 0043E35E, 0043E361

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$Directory$H_prolog3_StringWindows$AllocExceptionException@8H_prolog3RaiseSystemThrow
String ID: @/L$lJ$sysnative$syswow64
API String ID: 415710860-2847466861
Opcode ID: b1169733c189efa031160c0b9b46a1e1cd08f4caae934efc77fb6fbfacbe56c9
Instruction ID: 2134382ef336b3a675b4594a16f7ebd393181ec0228d794400fe4d4d7225ed91
Opcode Fuzzy Hash: b1169733c189efa031160c0b9b46a1e1cd08f4caae934efc77fb6fbfacbe56c9
Instruction Fuzzy Hash: A441A231901248DECB10EBE6C885BDDBB74AF1A308F54806FE54177292DFB85A0DDB59

Uniqueness

Uniqueness Score: -1.00%

Function 00486650, Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 115
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00486650(void* __ebx, struct HINSTANCE__** __ecx, void* __edx, void* __eflags) {
				struct HINSTANCE__* _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v28;
				char _v68;
				char _v116;
				char _v117;
				struct HINSTANCE__** _v124;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t56;
				signed int _t57;
				WCHAR* _t71;
				struct HINSTANCE__* _t72;
				struct HINSTANCE__* _t75;
				struct HINSTANCE__* _t86;
				struct HINSTANCE__** _t95;
				void* _t96;
				void* _t97;
				struct HINSTANCE__* _t98;
				void* _t99;
				signed int _t100;
				void* _t104;

				_t104 = __eflags;
				_t93 = __edx;
				_t80 = __ebx;
				_push(0xffffffff);
				_push(0x4ab08f);
				_push( *[fs:0x0]);
				_t56 =  *0x4d7e88; // 0x9518852c
				_t57 = _t56 ^ _t100;
				_v20 = _t57;
				_push(_t97);
				_push(_t57);
				 *[fs:0x0] =  &_v16;
				_t95 = __ecx;
				_v124 = __ecx;
				 *((intOrPtr*)(__ecx + 8)) = 0x4ae964;
				 *((intOrPtr*)(__ecx + 0x30)) = 0x4ae96c;
				_t95[0xd] = GetLastError();
				_t95[8] = 7;
				_t95[7] = 0;
				_t95[3] = 0;
				_t95[9] = 0;
				_t95[0xa] = 0;
				_t95[0xb] = 0;
				SetLastError( *( *((intOrPtr*)(_t95[0xc] + 4)) +  &(_t95[0xc])));
				_t17 =  &(_t95[0xe]); // 0x38
				_v8 = 0;
				_t95[0xe] = 0;
				_t95[0xf] = 0;
				_t95[0xe] = E0048B7C0(__ebx, _t17, _t93, _t95, _t104);
				_t22 =  &(_t95[0x10]); // 0x40
				_v8 = 1;
				_t95[0x10] = 0;
				_t95[0x11] = 0;
				_t95[0x10] = E0048B760(__ebx, _t22, _t93, _t95, _t104);
				_t27 =  &(_t95[0x13]); // 0x4c
				_v8 = 2;
				_t95[0x13] = 0;
				_t95[0x14] = 0;
				_t95[0x13] = E0048B790(__ebx, _t27, _t93, _t95, _t104);
				_t95[0x16] = 0;
				_push(0);
				_push( &_v117);
				_push(L"uxtheme.dll");
				_v8 = 4;
				 *_t95 = 0;
				_t95[1] = 0;
				_t95[0x12] = 1;
				_t95[0x15] = 0;
				_v68 = 0x4c2fa0;
				_v28 = 0x4c2f40;
				E00408F6D(_t80,  &_v68, _t95, _t97, _t104);
				_push( &_v68);
				_push( &_v116);
				_v8 = 5;
				_t71 = E00444261(_t80,  &_v68, _t95, _t97, _t104) + 4;
				if(_t71[0xa] >= 8) {
					_t71 =  *_t71;
				}
				_t72 = LoadLibraryW(_t71);
				_t86 = _t95[0x16];
				_t98 = _t72;
				if(_t86 != _t98) {
					if(_t86 != 0) {
						_t93 = FreeLibrary;
						if(FreeLibrary != 0) {
							FreeLibrary(_t86);
							_t95[0x16] = 0;
						}
					}
					_t95[0x16] = _t98;
				}
				E00401B80( &_v116);
				E00401B80( &_v68);
				_t75 = _t95[0x16];
				if(_t75 == 0) {
					_t95[0x17] = 0;
				} else {
					_t95[0x17] = GetProcAddress(_t75, "SetWindowTheme");
				}
				 *[fs:0x0] = _v16;
				_pop(_t96);
				_pop(_t99);
				return E0045A457(_t80, _v20 ^ _t100, _t93, _t96, _t99);
			}

0x00486650
0x00486650
0x00486650
0x00486653
0x00486655
0x00486660
0x00486664
0x00486669
0x0048666b
0x0048666e
0x00486670
0x00486674
0x0048667a
0x0048667c
0x0048667f
0x00486686
0x00486693
0x00486696
0x0048669d
0x004866a6
0x004866aa
0x004866ad
0x004866b0
0x004866bd
0x004866c3
0x004866c6
0x004866cd
0x004866d4
0x004866e0
0x004866e3
0x004866e6
0x004866ea
0x004866f1
0x004866fd
0x00486700
0x00486703
0x00486707
0x0048670e
0x0048671a
0x0048671d
0x00486724
0x00486729
0x0048672a
0x00486732
0x00486736
0x0048673c
0x00486743
0x0048674a
0x0048674e
0x00486755
0x0048675c
0x00486764
0x00486768
0x00486769
0x00486772
0x0048677c
0x0048677e
0x0048677e
0x00486781
0x00486787
0x0048678a
0x0048678e
0x00486792
0x00486794
0x0048679c
0x0048679f
0x004867a1
0x004867a1
0x0048679c
0x004867a8
0x004867a8
0x004867ae
0x004867b6
0x004867bb
0x004867c0
0x004867d3
0x004867c2
0x004867ce
0x004867ce
0x004867df
0x004867e7
0x004867e8
0x004867f6

APIs

GetLastError.KERNEL32(9518852C,?,?), ref: 0048668D
SetLastError.KERNEL32(?,?,?), ref: 004866BD

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 00444261: __EH_prolog3_GS.LIBCMT ref: 00444268

LoadLibraryW.KERNEL32(-00000004,?,?), ref: 00486781
GetProcAddress.KERNEL32(?,SetWindowTheme), ref: 004867C8

Strings

SetWindowTheme, xrefs: 004867C2
lJ, xrefs: 00486686
@/L, xrefs: 00486755
uxtheme.dll, xrefs: 0048672A
dJ, xrefs: 0048667F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$AddressH_prolog3H_prolog3_LibraryLoadProc
String ID: @/L$SetWindowTheme$dJ$lJ$uxtheme.dll
API String ID: 2791025668-3152267377
Opcode ID: 080e694ec470413a7758fb0803765529f2587d59405a5ec62694a8ca2ca3b925
Instruction ID: 2397f6712057be68e4de63de1d47c0fb54ab9de82be4cf15e2e5ef4b9476a4ff
Opcode Fuzzy Hash: 080e694ec470413a7758fb0803765529f2587d59405a5ec62694a8ca2ca3b925
Instruction Fuzzy Hash: 925158B090074AEFD744DF66C988B9ABBB4FF04308F10416EE40597A90D7B9A528CFD4

Uniqueness

Uniqueness Score: -1.00%

Function 00427840, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00427840(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t35;
				intOrPtr _t45;
				intOrPtr* _t58;
				void* _t61;

				E0045B8C9(0x4a45be, __ebx, __edi, __esi);
				_t58 = __ecx;
				_t45 =  *((intOrPtr*)(_t61 + 8));
				_t2 = _t61 + 0xc; // 0x4c2f40
				_t60 =  *_t2;
				 *(_t61 - 0xd8) =  *(_t61 - 0xd8) & 0x00000000;
				 *((intOrPtr*)(_t61 - 0x70)) = 0x4c2f50;
				 *((intOrPtr*)(_t61 - 0x48)) = 0x4c3454;
				E00403FB0(0x4c2d7c, _t61 - 0xd1, 0);
				_t9 = _t61 - 4;
				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
				 *((intOrPtr*)(_t61 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t61 - 0x18)) = 0x4c3454;
				E00403FB0(L"ISSetupPrerequisites", _t61 - 0xd1, 0);
				_t15 = _t61 - 0xd0; // 0x4c2f50
				 *(_t61 - 4) = 1;
				 *(_t61 - 4) = 2;
				_t35 = E0040E23E(_t45, __ecx,  *_t2,  *_t9);
				_t19 = _t61 - 0x70; // 0x4c2f50
				_t20 = _t61 - 0x40; // 0x4c2f50
				 *(_t61 - 4) = 3;
				 *((intOrPtr*)( *_t58 + 0x38))(_t45, _t20, _t35, _t19, _t61 - 0xa0, L"PreReqFeatures", E00415C6B(_t45, _t15, __ecx,  *_t2,  *_t9),  *_t2, 0xa, 1, 0xcc);
				E00401AC0(_t61 - 0xa0);
				_t24 = _t61 - 0xd0; // 0x4c2f50
				E00401AC0(_t24);
				_t25 = _t61 - 0x40; // 0x4c2f50
				E00401AC0(_t25);
				_t26 = _t61 - 0x70; // 0x4c2f50
				E00401AC0(_t26);
				return E0045B878(_t45, _t58, _t60);
			}

0x0042784a
0x0042784f
0x00427851
0x00427854
0x00427854
0x00427857
0x0042786f
0x00427876
0x0042787d
0x00427882
0x00427882
0x00427897
0x0042789e
0x004278a5
0x004278af
0x004278b5
0x004278cb
0x004278cf
0x004278d9
0x004278de
0x004278e5
0x004278e9
0x004278f2
0x004278f7
0x004278fd
0x00427902
0x00427905
0x0042790a
0x0042790d
0x00427919

APIs

__EH_prolog3_GS.LIBCMT ref: 0042784A

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00415C6B: __EH_prolog3_GS.LIBCMT ref: 00415C72
Part of subcall function 00415C6B: __ltow_s.LIBCMT ref: 00415CAA
Part of subcall function 00415C6B: SetLastError.KERNEL32(00000000,?,00000000,00000001), ref: 00415CD9

Part of subcall function 0040E23E: __EH_prolog3_GS.LIBCMT ref: 0040E245

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

P/L, xrefs: 004278AF, 004278F7
T4L, xrefs: 00427876
PreReqFeatures, xrefs: 004278C5
ISSetupPrerequisites, xrefs: 0042788F
P/L, xrefs: 004278DE, 004278E1
T4L, xrefs: 0042789E
P/L, xrefs: 00427854, 004278AE
P/L, xrefs: 0042786C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString$__ltow_s
String ID: ISSetupPrerequisites$P/L$P/L$P/L$P/L$PreReqFeatures$T4L$T4L
API String ID: 3540359163-559710967
Opcode ID: 7e2e7e9d2bf0ca9a6c2eeb11bb6b2eb67c5a92e57baae1add63ff91d5c6911f6
Instruction ID: 2011de8051b97a9b1e54fb56ed9b528c7bdaf72e1a3c49fc36b4d1d25b8e45e9
Opcode Fuzzy Hash: 7e2e7e9d2bf0ca9a6c2eeb11bb6b2eb67c5a92e57baae1add63ff91d5c6911f6
Instruction Fuzzy Hash: 53213A74910219EADB14EB91CC41FEDB778BF54308F14409EB40A77182DBB81A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042791C, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042791C(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t35;
				intOrPtr _t45;
				intOrPtr* _t58;
				void* _t61;

				E0045B8C9(0x4a460c, __ebx, __edi, __esi);
				_t58 = __ecx;
				_t45 =  *((intOrPtr*)(_t61 + 8));
				_t2 = _t61 + 0xc; // 0x4c2f40
				_t60 =  *_t2;
				 *(_t61 - 0xd8) =  *(_t61 - 0xd8) & 0x00000000;
				 *((intOrPtr*)(_t61 - 0x70)) = 0x4c2f50;
				 *((intOrPtr*)(_t61 - 0x48)) = 0x4c3454;
				E00403FB0(0x4c2d7c, _t61 - 0xd1, 0);
				_t9 = _t61 - 4;
				 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
				 *((intOrPtr*)(_t61 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t61 - 0x18)) = 0x4c3454;
				E00403FB0(L"ISSetupPrerequisites", _t61 - 0xd1, 0);
				_t15 = _t61 - 0xd0; // 0x4c2f50
				 *(_t61 - 4) = 1;
				 *(_t61 - 4) = 2;
				_t35 = E0040E23E(_t45, __ecx,  *_t2,  *_t9);
				_t19 = _t61 - 0x70; // 0x4c2f50
				_t20 = _t61 - 0x40; // 0x4c2f50
				 *(_t61 - 4) = 3;
				 *((intOrPtr*)( *_t58 + 0x38))(_t45, _t20, _t35, _t19, _t61 - 0xa0, L"PreReq", E00415C6B(_t45, _t15, __ecx,  *_t2,  *_t9),  *_t2, 0xa, 1, 0xcc);
				E00401AC0(_t61 - 0xa0);
				_t24 = _t61 - 0xd0; // 0x4c2f50
				E00401AC0(_t24);
				_t25 = _t61 - 0x40; // 0x4c2f50
				E00401AC0(_t25);
				_t26 = _t61 - 0x70; // 0x4c2f50
				E00401AC0(_t26);
				return E0045B878(_t45, _t58, _t60);
			}

0x00427926
0x0042792b
0x0042792d
0x00427930
0x00427930
0x00427933
0x0042794b
0x00427952
0x00427959
0x0042795e
0x0042795e
0x00427973
0x0042797a
0x00427981
0x0042798b
0x00427991
0x004279a7
0x004279ab
0x004279b5
0x004279ba
0x004279c1
0x004279c5
0x004279ce
0x004279d3
0x004279d9
0x004279de
0x004279e1
0x004279e6
0x004279e9
0x004279f5

APIs

__EH_prolog3_GS.LIBCMT ref: 00427926

Part of subcall function 00403FB0: GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC2D8,000000FF), ref: 00403FF3
Part of subcall function 00403FB0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,?,?,?,?,004AC2D8,000000FF), ref: 00404068

Part of subcall function 00415C6B: __EH_prolog3_GS.LIBCMT ref: 00415C72
Part of subcall function 00415C6B: __ltow_s.LIBCMT ref: 00415CAA
Part of subcall function 00415C6B: SetLastError.KERNEL32(00000000,?,00000000,00000001), ref: 00415CD9

Part of subcall function 0040E23E: __EH_prolog3_GS.LIBCMT ref: 0040E245

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

T4L, xrefs: 0042797A
PreReq, xrefs: 004279A1
ISSetupPrerequisites, xrefs: 0042796B
P/L, xrefs: 0042798B, 004279D3
T4L, xrefs: 00427952
P/L, xrefs: 00427948
P/L, xrefs: 004279BA, 004279BD
@/L, xrefs: 00427930, 0042798A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString$__ltow_s
String ID: @/L$ISSetupPrerequisites$P/L$P/L$P/L$PreReq$T4L$T4L
API String ID: 3540359163-2425303439
Opcode ID: 1a36a0d6d34aced9ea95612b33d6fc9fd9cca110fc015c952baa42350b8c1da8
Instruction ID: b4a5aa3d2d7570980d47b8fd15f32b16c2c9964037200b9aa7ebde4b2d012d99
Opcode Fuzzy Hash: 1a36a0d6d34aced9ea95612b33d6fc9fd9cca110fc015c952baa42350b8c1da8
Instruction Fuzzy Hash: D5213A74910219EADB14EB91CC45FEDB778BF54308F14409EF40A77182DBB81A49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00459FCD, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 58
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 56%

			E00459FCD(void* __eflags, char _a4) {
				char _v16;
				char _v24;
				char _v44;
				intOrPtr _v52;
				char _v76;
				char _v84;
				char _v104;
				void* _t50;
				void* _t51;

				_t51 = _t50 - 0xc;
				E0045C729( &_v16,  &_a4);
				_v16 = 0x4b75fc;
				E0045A466( &_v16, 0x4d0eb4);
				asm("int3");
				_push(_t50);
				E0045C729( &_v44,  &_v24);
				_v44 = 0x4b7614;
				E0045A466( &_v44, 0x4d0ef0);
				asm("int3");
				_push(_t51);
				E00459CA5( &_v76, _v52);
				E0045A466( &_v76, 0x4d0f9c);
				asm("int3");
				_push(_t51 - 0xc);
				E0045C729( &_v104,  &_v84);
				_v104 = 0x4b7608;
				E0045A466( &_v104, 0x4d0f48);
				asm("int3");
				return "bad function call";
			}

0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c

APIs

std::exception::exception.LIBCMT ref: 00459FE0

Part of subcall function 0045C729: std::exception::_Copy_str.LIBCMT ref: 0045C742

__CxxThrowException@8.LIBCMT ref: 00459FF5

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

std::exception::exception.LIBCMT ref: 0045A00E
__CxxThrowException@8.LIBCMT ref: 0045A023
std::regex_error::regex_error.LIBCPMT ref: 0045A035

Part of subcall function 00459CA5: std::exception::exception.LIBCMT ref: 00459CBF

__CxxThrowException@8.LIBCMT ref: 0045A043
std::exception::exception.LIBCMT ref: 0045A05C
__CxxThrowException@8.LIBCMT ref: 0045A071

Strings

bad function call, xrefs: 0045A077

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaisestd::exception::_std::regex_error::regex_error
String ID: bad function call
API String ID: 2464034642-3612616537
Opcode ID: 62ec070fb249bad3c887c7cc24faaad3d93d20169f6d5f22a8d7e1168cb87a47
Instruction ID: 1cc90383c1ac0bc67d0b26205239dd79d98d37ed18f989b87122f1707719383f
Opcode Fuzzy Hash: 62ec070fb249bad3c887c7cc24faaad3d93d20169f6d5f22a8d7e1168cb87a47
Instruction Fuzzy Hash: FD11D37580020CBB8B04EFD5D8859CD7BBCAA08344F50C56BFD1597541EB74A7588FD9

Uniqueness

Uniqueness Score: -1.00%

Function 0042CAF6, Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 365
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042CAF6(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t165;
				void* _t170;
				signed int _t175;
				void* _t185;
				signed int _t188;
				signed int _t196;
				signed int _t198;
				struct HINSTANCE__* _t202;
				signed int _t209;
				signed int _t211;
				intOrPtr _t225;
				void* _t231;
				void* _t234;
				void* _t235;
				int _t244;
				void* _t247;
				signed int _t255;
				void* _t259;
				void* _t291;
				WCHAR* _t306;
				void* _t312;
				signed int _t318;
				intOrPtr _t319;
				intOrPtr _t321;
				void* _t323;
				void* _t324;
				void* _t325;
				intOrPtr _t326;
				void* _t327;
				intOrPtr _t341;

				_t312 = __edx;
				_push(0x1c0);
				E0045B8C9(0x4a4f7c, __ebx, __edi, __esi);
				_t321 = __ecx;
				 *((intOrPtr*)(_t323 - 0x198)) = __ecx;
				_t316 =  *((intOrPtr*)(_t323 + 0x14));
				 *((intOrPtr*)(_t323 - 0x194)) =  *((intOrPtr*)(_t323 + 0x18));
				 *((intOrPtr*)(_t323 - 0x70)) = 0x4c2f50;
				 *((intOrPtr*)(_t323 - 0x48)) = 0x4c3454;
				E004053A0( *((intOrPtr*)(_t323 + 0x10)), 0);
				 *(_t323 - 4) =  *(_t323 - 4) & 0x00000000;
				_t329 =  *((intOrPtr*)(_t323 - 0x5c));
				_push( *((intOrPtr*)(_t323 + 0x14)));
				_t259 = _t323 - 0x70;
				if( *((intOrPtr*)(_t323 - 0x5c)) == 0) {
					E00402B90(_t259);
				} else {
					E00413296(_t259);
				}
				E0042B2E7(_t323 - 0x1cc);
				_push(_t323 - 0x1cc);
				_push(_t323 - 0x70);
				_t255 = 1;
				_push(_t323 - 0xa0);
				 *(_t323 - 4) = 1;
				_t165 = L004308F2(1, _t321, _t312, _t316, _t321, _t329);
				 *(_t323 - 4) = 2;
				E00402B90(_t323 - 0x70, _t165);
				E00401AC0(_t323 - 0xa0);
				 *(_t323 - 0x1a8) = 0;
				 *((intOrPtr*)(_t323 - 0x1a4)) = 0;
				 *((intOrPtr*)(_t323 - 0x1a0)) = 0;
				 *(_t323 - 4) = 3;
				_t170 = E004068B0(_t323 - 0x6c, "\\", 0, E0045B5D4("\\"));
				_t330 = _t170 - 0xffffffff;
				_push(_t323 - 0x70);
				if(_t170 != 0xffffffff) {
					E00429345(_t323 - 0x1a8);
				} else {
					_push(_t323 - 0x1a8);
					E0042F4FB(1, _t321, "\\", _t321, _t330);
				}
				_t267 =  *(_t323 - 0x1a8);
				asm("cdq");
				_t318 = 0x30;
				_t175 = ( *((intOrPtr*)(_t323 - 0x1a4)) - _t267) / _t318;
				 *(_t323 - 0x19c) =  *(_t323 - 0x19c) & 0x00000000;
				_t319 =  *((intOrPtr*)(_t323 + 8));
				 *(_t323 - 0x184) = _t267;
				 *(_t323 - 0x188) = _t175;
				if(_t175 == 0) {
					L24:
					if(_t319 != 4) {
						__eflags = _t319 - 0x10;
						if(_t319 != 0x10) {
							L54:
							__eflags = _t319 - 8;
							if(_t319 != 8) {
								L56:
								_t255 = 0;
								__eflags = 0;
							} else {
								__eflags =  *((intOrPtr*)(_t323 + 0xc)) - 2;
								if( *((intOrPtr*)(_t323 + 0xc)) != 2) {
									goto L56;
								}
							}
						} else {
							__eflags =  *((intOrPtr*)(_t323 + 0xc)) - 2;
							if( *((intOrPtr*)(_t323 + 0xc)) != 2) {
								goto L54;
							}
						}
					} else {
						_t255 = _t255 & 0xffffff00 |  *((intOrPtr*)(_t323 + 0xc)) == 0x00000002;
					}
				} else {
					do {
						 *((intOrPtr*)(_t323 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t323 - 0x18)) = 0x4c3454;
						E004053A0(_t267, 0);
						_push(4);
						_t183 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
						_t325 = _t324 - 0x30;
						_t314 = _t323 - 0x17d;
						 *(_t323 - 4) = 4;
						E004091B8(_t325,  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c, _t323 - 0x17d, _t255);
						_t185 = E00441E34(_t255, _t323 - 0x17d, _t319, _t321,  *((intOrPtr*)(_t323 - 0x28)) - 8);
						_t324 = _t325 + 0x34;
						if(_t185 == 0) {
							goto L23;
						} else {
							if(_t319 == 4) {
								__eflags =  *((intOrPtr*)(_t323 + 0xc)) - _t255;
								_t148 =  *((intOrPtr*)(_t323 + 0xc)) == _t255;
								__eflags = _t148;
								_t255 = _t255 & 0xffffff00 | _t148;
								goto L51;
							} else {
								if(_t319 == 8) {
									__eflags =  *((intOrPtr*)(_t323 - 0x28)) - 8;
									_t191 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
									E0042EBFF( >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c, _t323 - 0x18c, _t323 - 0x190);
									_push(_t323 - 0x184);
									_push(_t323 - 0x188);
									_push( *((intOrPtr*)(_t323 - 0x194)));
									E0042E638(_t255, _t319, _t321, __eflags);
									_t196 =  *(_t323 - 0x188);
									__eflags = _t196 -  *((intOrPtr*)(_t323 - 0x18c));
									if(_t196 !=  *((intOrPtr*)(_t323 - 0x18c))) {
										L43:
										asm("sbb eax, eax");
										_t198 = (_t196 & 0x00000002) - 1;
										__eflags = _t198;
									} else {
										_t196 =  *(_t323 - 0x184);
										__eflags = _t196 -  *((intOrPtr*)(_t323 - 0x190));
										if(_t196 !=  *((intOrPtr*)(_t323 - 0x190))) {
											goto L43;
										} else {
											_t198 = 0;
										}
									}
									__eflags =  *((intOrPtr*)(_t323 + 0xc)) - _t255;
									if( *((intOrPtr*)(_t323 + 0xc)) != _t255) {
										__eflags =  *((intOrPtr*)(_t323 + 0xc)) - 2;
										if( *((intOrPtr*)(_t323 + 0xc)) != 2) {
											goto L46;
										} else {
											__eflags = _t198 - 0xffffffff;
											if(_t198 != 0xffffffff) {
												goto L45;
											}
										}
									} else {
										L45:
										__eflags = _t198;
										if(_t198 != 0) {
											L46:
											_t255 = 0;
										}
									}
									goto L51;
								} else {
									if(_t319 != 0x10) {
										goto L23;
									} else {
										E0042B861(_t323 - 0xd0);
										_t201 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
										 *(_t323 - 4) = 5;
										_t202 = GetModuleHandleW( >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c);
										_t338 = _t202;
										if(_t202 != 0) {
											E00416831(_t255, _t323 - 0x14c, _t319, _t321, _t338);
											_push(0);
											_t291 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
											_push(_t323 - 0x17d);
											_t219 =  !=  ? _t291 : 0x4c2d7c;
											_push( !=  ? _t291 : 0x4c2d7c);
											 *(_t323 - 4) = 6;
											 *((intOrPtr*)(_t323 - 0xa0)) = 0x4affb8;
											 *((intOrPtr*)(_t323 - 0x78)) = 0x4affc0;
											E00408F6D(_t255, _t323 - 0xa0, _t319, _t321, _t291);
											_push(0);
											_push(0);
											_push(3);
											_push(0x80);
											_push(_t255);
											_push(0x80000000);
											_push(_t323 - 0xa0);
											 *(_t323 - 4) = 7;
											E00424632(_t255, _t323 - 0x14c, _t319, _t321, _t291);
											 *(_t323 - 4) = 6;
											E00401B80(_t323 - 0xa0);
											_push(_t323 - 0x1b0);
											_t225 = E00425464(_t255, _t323 - 0x14c, _t319, _t321, _t291);
											_t341 =  *((intOrPtr*)(_t323 - 0x1b0));
											 *((intOrPtr*)(_t323 - 0x1b4)) = _t225;
											if(_t341 <= 0) {
												if(_t341 < 0) {
													L15:
													_push(_t323 - 0xa0);
													_t326 = _t324 - 0x30;
													 *((intOrPtr*)(_t323 - 0x1ac)) = _t326;
													E004091B8(_t326, 0x4c2d7c, _t323 - 0x17d, _t255);
													 *(_t323 - 4) = 8;
													_t231 = E00405AE0(_t323 - 0x40, _t314, _t323 - 0x100);
													_t327 = _t326 - 0x30;
													 *(_t323 - 4) = 9;
													E00412A66(_t231, _t327);
													_push(_t255);
													 *(_t323 - 4) = 0xa;
													_t234 = E00444E82(_t255, _t314, _t319, _t321, _t342);
													_t324 = _t327 + 0x68;
													 *(_t323 - 4) = 0xb;
													_t235 = E00412A38(_t234, _t323 - 0x17c);
													 *(_t323 - 4) = 0xc;
													E00402B90(_t323 - 0xd0, _t235);
													E00401AC0(_t323 - 0xa0);
													E00401B80(_t323 - 0x17c);
													 *(_t323 - 4) = 6;
													E00401AC0(_t323 - 0x100);
													_t89 = E0042F225(_t323 - 0xd0, _t323 - 0x100) + 4; // 0x4
													_t306 = _t89;
													if(_t306[0xa] >= 8) {
														_t306 =  *_t306;
													}
													_t243 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
													_t244 = CopyFileW( >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c, _t306, 0);
													E00401AC0(_t323 - 0x100);
													_t345 = _t244;
													if(_t244 != 0) {
														_t247 = E0042F225(_t323 - 0xd0, _t323 - 0x100);
														 *(_t323 - 4) = 0xd;
														E00402B90(_t323 - 0x40, _t247);
														E00401AC0(_t323 - 0x100);
													}
													_t321 =  *((intOrPtr*)(_t323 - 0x198));
												} else {
													_t342 = _t225 - 0xf00000;
													if(_t225 < 0xf00000) {
														goto L15;
													}
												}
											}
											 *(_t323 - 4) = 5;
											E004176D4(_t255, _t323 - 0x14c, _t319, _t321, _t345);
										}
										_t204 =  >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c;
										if(E0042F444( >=  ?  *((void*)(_t323 - 0x3c)) : _t323 - 0x3c, _t323 - 0x190, _t323 - 0x18c) != 0) {
											E0042F24F(_t255, _t319, _t321, __eflags,  *((intOrPtr*)(_t323 - 0x194)), _t323 - 0x188, _t323 - 0x184);
											_t209 =  *(_t323 - 0x188);
											__eflags = _t209 -  *((intOrPtr*)(_t323 - 0x190));
											if(_t209 !=  *((intOrPtr*)(_t323 - 0x190))) {
												L29:
												asm("sbb eax, eax");
												_t211 = (_t209 & 0x00000002) - 1;
												__eflags = _t211;
											} else {
												_t209 =  *(_t323 - 0x184);
												__eflags = _t209 -  *((intOrPtr*)(_t323 - 0x18c));
												if(_t209 !=  *((intOrPtr*)(_t323 - 0x18c))) {
													goto L29;
												} else {
													_t211 = 0;
												}
											}
											__eflags =  *((intOrPtr*)(_t323 + 0xc)) - _t255;
											if( *((intOrPtr*)(_t323 + 0xc)) != _t255) {
												__eflags =  *((intOrPtr*)(_t323 + 0xc)) - 2;
												if( *((intOrPtr*)(_t323 + 0xc)) != 2) {
													__eflags =  *((intOrPtr*)(_t323 + 0xc)) - 4;
													if( *((intOrPtr*)(_t323 + 0xc)) != 4) {
														goto L38;
													} else {
														__eflags = _t211 - _t255;
														if(_t211 != _t255) {
															goto L38;
														}
													}
												} else {
													__eflags = _t211 - 0xffffffff;
													goto L34;
												}
											} else {
												__eflags = _t211;
												L34:
												if(__eflags != 0) {
													L38:
													_t255 = 0;
													__eflags = 0;
												} else {
												}
											}
											E0042C966(_t255, _t323 - 0xd0, _t314);
											E00401AC0(_t323 - 0xd0);
											L51:
											E00401AC0(_t323 - 0x40);
										} else {
											E0042C966(_t255, _t323 - 0xd0, _t314);
											E00401AC0(_t323 - 0xd0);
											goto L23;
										}
									}
								}
							}
						}
						goto L57;
						L23:
						 *(_t323 - 4) = 3;
						E00401AC0(_t323 - 0x40);
						_t188 =  *(_t323 - 0x19c) + 1;
						_t267 =  *(_t323 - 0x184) + 0x30;
						 *(_t323 - 0x19c) = _t188;
						 *(_t323 - 0x184) =  *(_t323 - 0x184) + 0x30;
					} while (_t188 <  *(_t323 - 0x188));
					goto L24;
				}
				L57:
				E00428E3E(_t323 - 0x1a8);
				 *(_t323 - 4) = 0;
				E0043148D(_t323 - 0x1cc);
				E00401AC0(_t323 - 0x70);
				return E0045B878(_t255, _t319, _t321);
			}

0x0042caf6
0x0042caf6
0x0042cb00
0x0042cb05
0x0042cb07
0x0042cb13
0x0042cb18
0x0042cb22
0x0042cb29
0x0042cb30
0x0042cb35
0x0042cb39
0x0042cb3d
0x0042cb3e
0x0042cb41
0x0042cb4a
0x0042cb43
0x0042cb43
0x0042cb43
0x0042cb55
0x0042cb60
0x0042cb64
0x0042cb6d
0x0042cb6e
0x0042cb71
0x0042cb74
0x0042cb7d
0x0042cb81
0x0042cb8c
0x0042cb93
0x0042cb99
0x0042cb9f
0x0042cbab
0x0042cbbc
0x0042cbc1
0x0042cbc7
0x0042cbc8
0x0042cbe0
0x0042cbca
0x0042cbd0
0x0042cbd3
0x0042cbd3
0x0042cbe5
0x0042cbf5
0x0042cbf6
0x0042cbf7
0x0042cbf9
0x0042cc00
0x0042cc03
0x0042cc09
0x0042cc11
0x0042cee5
0x0042cee8
0x0042d004
0x0042d007
0x0042d00f
0x0042d00f
0x0042d012
0x0042d01a
0x0042d01a
0x0042d01a
0x0042d014
0x0042d014
0x0042d018
0x00000000
0x00000000
0x0042d018
0x0042d009
0x0042d009
0x0042d00d
0x00000000
0x00000000
0x0042d00d
0x0042ceee
0x0042cef2
0x0042cef2
0x0042cc17
0x0042cc17
0x0042cc1d
0x0042cc24
0x0042cc2b
0x0042cc34
0x0042cc39
0x0042cc3d
0x0042cc43
0x0042cc4b
0x0042cc4f
0x0042cc54
0x0042cc59
0x0042cc5e
0x00000000
0x0042cc64
0x0042cc67
0x0042cff4
0x0042cff7
0x0042cff7
0x0042cff7
0x00000000
0x0042cc6d
0x0042cc70
0x0042cf78
0x0042cf8c
0x0042cf94
0x0042cf9f
0x0042cfa6
0x0042cfa7
0x0042cfaf
0x0042cfb4
0x0042cfba
0x0042cfc0
0x0042cfd4
0x0042cfd4
0x0042cfd9
0x0042cfd9
0x0042cfc2
0x0042cfc2
0x0042cfc8
0x0042cfce
0x00000000
0x0042cfd0
0x0042cfd0
0x0042cfd0
0x0042cfce
0x0042cfda
0x0042cfdd
0x0042cfe7
0x0042cfeb
0x00000000
0x0042cfed
0x0042cfed
0x0042cff0
0x00000000
0x0042cff2
0x0042cff0
0x0042cfdf
0x0042cfdf
0x0042cfdf
0x0042cfe1
0x0042cfe3
0x0042cfe3
0x0042cfe3
0x0042cfe1
0x00000000
0x0042cc76
0x0042cc79
0x00000000
0x0042cc7f
0x0042cc85
0x0042cc91
0x0042cc96
0x0042cc9a
0x0042cca0
0x0042cca2
0x0042ccae
0x0042ccb7
0x0042ccbc
0x0042ccc6
0x0042ccce
0x0042ccd1
0x0042ccd8
0x0042ccdc
0x0042cce6
0x0042cced
0x0042ccf2
0x0042ccf4
0x0042ccf6
0x0042ccf8
0x0042ccfd
0x0042ccfe
0x0042cd09
0x0042cd10
0x0042cd14
0x0042cd1f
0x0042cd23
0x0042cd2e
0x0042cd35
0x0042cd3a
0x0042cd41
0x0042cd47
0x0042cd4d
0x0042cd5a
0x0042cd60
0x0042cd61
0x0042cd66
0x0042cd79
0x0042cd88
0x0042cd8c
0x0042cd93
0x0042cd96
0x0042cd9b
0x0042cda6
0x0042cda8
0x0042cdac
0x0042cdb1
0x0042cdb6
0x0042cdba
0x0042cdc6
0x0042cdca
0x0042cdd5
0x0042cde0
0x0042cdeb
0x0042cdef
0x0042ce06
0x0042ce06
0x0042ce0d
0x0042ce0f
0x0042ce0f
0x0042ce1a
0x0042ce20
0x0042ce2e
0x0042ce33
0x0042ce35
0x0042ce44
0x0042ce4d
0x0042ce51
0x0042ce5c
0x0042ce5c
0x0042ce61
0x0042cd4f
0x0042cd4f
0x0042cd54
0x00000000
0x00000000
0x0042cd54
0x0042cd4d
0x0042ce6d
0x0042ce71
0x0042ce71
0x0042ce8a
0x0042ce99
0x0042cf10
0x0042cf15
0x0042cf1b
0x0042cf21
0x0042cf35
0x0042cf35
0x0042cf3a
0x0042cf3a
0x0042cf23
0x0042cf23
0x0042cf29
0x0042cf2f
0x00000000
0x0042cf31
0x0042cf31
0x0042cf31
0x0042cf2f
0x0042cf3b
0x0042cf3e
0x0042cf44
0x0042cf48
0x0042cf51
0x0042cf55
0x00000000
0x0042cf57
0x0042cf57
0x0042cf59
0x00000000
0x00000000
0x0042cf59
0x0042cf4a
0x0042cf4a
0x00000000
0x0042cf4a
0x0042cf40
0x0042cf40
0x0042cf4d
0x0042cf4d
0x0042cf5b
0x0042cf5b
0x0042cf5b
0x00000000
0x0042cf4f
0x0042cf4d
0x0042cf63
0x0042cf6e
0x0042cffa
0x0042cffd
0x0042ce9b
0x0042cea1
0x0042ceac
0x00000000
0x0042ceac
0x0042ce99
0x0042cc79
0x0042cc70
0x0042cc67
0x00000000
0x0042ceb1
0x0042ceb4
0x0042ceb8
0x0042cec9
0x0042ceca
0x0042cecd
0x0042ced3
0x0042ced9
0x00000000
0x0042cc17
0x0042d01c
0x0042d022
0x0042d02d
0x0042d031
0x0042d039
0x0042d045

APIs

__EH_prolog3_GS.LIBCMT ref: 0042CB00

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

GetModuleHandleW.KERNEL32(?), ref: 0042CC9A

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00425464: __EH_prolog3_GS.LIBCMT ref: 0042546E
Part of subcall function 00425464: __CxxThrowException@8.LIBCMT ref: 004254D3
Part of subcall function 00425464: GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
Part of subcall function 00425464: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9

CopyFileW.KERNEL32(?,00000004,00000000,?), ref: 0042CE20

Strings

T4L, xrefs: 0042CB29
|-L, xrefs: 0042CCC9
T4L, xrefs: 0042CC24
P/L, xrefs: 0042CB22
P/L, xrefs: 0042CC1D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FileFreeH_prolog3H_prolog3_String$CopyException@8HandleModuleSizeThrow
String ID: P/L$P/L$T4L$T4L$|-L
API String ID: 3870862371-422448004
Opcode ID: e224759455620984e1cf0969b0d683e69d64a3587ae83d25bf0b70e126557651
Instruction ID: c36dbe24691370739a9835a1c444a55bb41bf866527fb03aff7f3bd6c98a6da1
Opcode Fuzzy Hash: e224759455620984e1cf0969b0d683e69d64a3587ae83d25bf0b70e126557651
Instruction Fuzzy Hash: DFE17131A00128EEDF24EB65D991BDEB7B4AF15304F9040EEE409A3191DB785B89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040D268, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0040D268(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t88;
				void* _t89;
				void* _t101;
				void* _t121;
				void* _t125;
				intOrPtr* _t140;
				intOrPtr* _t149;
				intOrPtr* _t150;
				intOrPtr* _t155;
				void* _t158;
				void* _t160;
				void* _t161;
				intOrPtr _t164;
				intOrPtr _t167;
				intOrPtr* _t168;
				void* _t169;

				_t169 = __eflags;
				_t153 = __edx;
				_push(0x25c);
				E0045B8C9(0x4a0d4b, __ebx, __edi, __esi);
				_t125 = __ecx;
				_t155 =  *((intOrPtr*)(_t160 + 8));
				 *((intOrPtr*)(_t160 - 0x25c)) = 0;
				 *((intOrPtr*)(_t160 - 0x264)) = _t155;
				 *((intOrPtr*)(_t160 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t160 - 0x48)) = 0x4c2f40;
				E00404200(_t160 - 0x70, _t160 - 0x251, 0);
				 *((intOrPtr*)(_t160 - 4)) = 1;
				E0040DD64(_t160 - 0x70, L"0x%04x",  *(__ecx + 0x44) & 0x0000ffff);
				 *((intOrPtr*)(_t160 - 0xa0)) = 0x4c2fa0;
				 *((intOrPtr*)(_t160 - 0x78)) = 0x4c2f40;
				E00404200(_t160 - 0xa0, _t160 - 0x251, 0);
				 *((char*)(_t160 - 4)) = 2;
				E0040DD64(_t160 - 0xa0, L"%ld",  *((intOrPtr*)(_t160 + 0xc)));
				_push(L".ini");
				_push(_t160 - 0x70);
				_push(_t160 - 0x160);
				_t158 = E0040B22B(_t125, _t155, 0, _t169);
				 *((char*)(_t160 - 4)) = 3;
				_t88 = E0040D208(_t125, _t160 - 0x190);
				_push(0);
				_push(0);
				_push(_t160 - 0x130);
				 *((char*)(_t160 - 4)) = 4;
				_t89 = E0040A206(_t125, _t88, __edx, _t155, _t158, _t169);
				_push(_t158);
				_push(_t160 - 0xd0);
				 *((char*)(_t160 - 4)) = 5;
				E0040B91E(_t125, _t89, _t155, _t158, _t169);
				E00401B80(_t160 - 0x130);
				E00401B80(_t160 - 0x190);
				 *((char*)(_t160 - 4)) = 9;
				E00401B80(_t160 - 0x160);
				E0044BDFA(_t125, _t160 - 0x250, _t155, _t158, _t169);
				 *((intOrPtr*)(_t160 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t160 - 0x18)) = 0x4c2f40;
				E00404200(_t160 - 0x40, _t160 - 0x251, 0);
				_push(0);
				_t164 = _t161 + 0x24 - 0x30;
				 *((intOrPtr*)(_t160 - 0x258)) = _t164;
				 *((char*)(_t160 - 4)) = 0xb;
				E004091B8(_t164, "=", _t160 - 0x251, 1);
				_t165 = _t164 - 0x30;
				_t140 = _t165;
				_push(0);
				_push(_t160 - 0xd0);
				 *((char*)(_t160 - 4)) = 0xc;
				 *_t140 = 0x4c2fa0;
				 *((intOrPtr*)(_t140 + 0x28)) = 0x4c2f40;
				E00408E82(_t125, _t140, _t155, 0, _t169);
				_t141 = _t160 - 0x250;
				 *((char*)(_t160 - 4)) = 0xb;
				_t101 = E0044DA4D(_t125, _t160 - 0x250, _t153, _t155, 0, _t169);
				_t170 = _t101;
				if(_t101 != 0) {
					_t167 = _t165 - 0x30;
					 *((intOrPtr*)(_t160 - 0x260)) = _t167;
					_push(1);
					_push(_t160 - 0x251);
					_push(0x4c2bd0);
					E004090B1(_t125, _t167, _t155, 0, _t170);
					_t168 = _t167 - 0x30;
					_t149 = _t168;
					 *((intOrPtr*)(_t160 - 0x258)) = _t168;
					_push(0);
					_push(_t160 - 0xa0);
					 *((char*)(_t160 - 4)) = 0xd;
					 *_t149 = 0x4c2fa0;
					 *((intOrPtr*)(_t149 + 0x28)) = 0x4c2f40;
					E00408E82(_t125, _t149, _t155, 0, _t170);
					_t165 = _t168 - 0x30;
					_t150 = _t168 - 0x30;
					_push(0);
					_push(_t160 - 0x70);
					 *((char*)(_t160 - 4)) = 0xe;
					 *_t150 = 0x4c2fa0;
					 *((intOrPtr*)(_t150 + 0x28)) = 0x4c2f40;
					E00408E82(_t125, _t150, _t155, 0, _t170);
					_push(_t160 - 0x100);
					 *((char*)(_t160 - 4)) = 0xb;
					_t121 = L0044E255(_t125, _t160 - 0x250, _t155, 0, _t170);
					 *((char*)(_t160 - 4)) = 0xf;
					E004095E2(_t160 - 0x40, _t121);
					_t141 = _t160 - 0x100;
					 *((char*)(_t160 - 4)) = 0xb;
					E00401B80(_t160 - 0x100);
				}
				_t171 =  *((intOrPtr*)(_t160 - 0x2c));
				if( *((intOrPtr*)(_t160 - 0x2c)) == 0) {
					E00446730(_t141, _t160 - 0x40,  *((intOrPtr*)(_t160 + 0xc)),  *(_t125 + 0x44) & 0x0000ffff,  *((intOrPtr*)(_t125 + 0x20)));
				}
				_push(0);
				_push(_t160 - 0x40);
				 *_t155 = 0x4c2fa0;
				 *((intOrPtr*)(_t155 + 0x28)) = 0x4c2f40;
				E00408E82(_t125, _t155, _t155, 0, _t171);
				 *((intOrPtr*)(_t160 - 0x25c)) = 1;
				E00401B80(_t160 - 0x40);
				 *((char*)(_t160 - 4)) = 9;
				E0044BF62(_t160 - 0x250, _t171);
				E00401B80(_t160 - 0xd0);
				E00401B80(_t160 - 0xa0);
				E00401B80(_t160 - 0x70);
				return E0045B878(_t125, _t155, 0);
			}

0x0040d268
0x0040d268
0x0040d268
0x0040d272
0x0040d277
0x0040d279
0x0040d285
0x0040d28f
0x0040d295
0x0040d29c
0x0040d2a3
0x0040d2b6
0x0040d2bd
0x0040d2d3
0x0040d2dd
0x0040d2e4
0x0040d2f8
0x0040d2fc
0x0040d301
0x0040d309
0x0040d310
0x0040d319
0x0040d324
0x0040d328
0x0040d32d
0x0040d32f
0x0040d337
0x0040d33a
0x0040d33e
0x0040d343
0x0040d34a
0x0040d34d
0x0040d351
0x0040d35c
0x0040d367
0x0040d372
0x0040d376
0x0040d381
0x0040d388
0x0040d38f
0x0040d3a1
0x0040d3a6
0x0040d3a7
0x0040d3ac
0x0040d3c0
0x0040d3c4
0x0040d3c9
0x0040d3cc
0x0040d3ce
0x0040d3d5
0x0040d3d6
0x0040d3da
0x0040d3e0
0x0040d3e7
0x0040d3ec
0x0040d3f2
0x0040d3f6
0x0040d3fb
0x0040d3fd
0x0040d403
0x0040d408
0x0040d40e
0x0040d416
0x0040d417
0x0040d41c
0x0040d421
0x0040d424
0x0040d426
0x0040d42c
0x0040d433
0x0040d434
0x0040d438
0x0040d43e
0x0040d445
0x0040d44a
0x0040d44d
0x0040d44f
0x0040d453
0x0040d454
0x0040d458
0x0040d45e
0x0040d465
0x0040d470
0x0040d477
0x0040d47b
0x0040d484
0x0040d488
0x0040d48d
0x0040d493
0x0040d497
0x0040d497
0x0040d49c
0x0040d4a0
0x0040d4b1
0x0040d4b6
0x0040d4b9
0x0040d4bd
0x0040d4c0
0x0040d4c6
0x0040d4cd
0x0040d4d5
0x0040d4df
0x0040d4ea
0x0040d4ee
0x0040d4f9
0x0040d504
0x0040d50c
0x0040d518

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D272

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57

Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8

Strings

@/L, xrefs: 0040D29C
@/L, xrefs: 0040D2DD
@/L, xrefs: 0040D38F
@/L, xrefs: 0040D4C6
%ld, xrefs: 0040D2F2
0x%04x, xrefs: 0040D2B0
.ini, xrefs: 0040D301

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last$FreeH_prolog3String
String ID: %ld$.ini$0x%04x$@/L$@/L$@/L$@/L
API String ID: 80789219-516300192
Opcode ID: d8502fec1fd83111db85eb0d82d4ba8d11a4575654ae016aa7c73600f7d73ff0
Instruction ID: b3cc2b071437a2081222209709ce3d136839505f496cc787cef8989ad92d6d7f
Opcode Fuzzy Hash: d8502fec1fd83111db85eb0d82d4ba8d11a4575654ae016aa7c73600f7d73ff0
Instruction Fuzzy Hash: 0571837180021CEADB10EBA5CD45BDDBBB8AF55308F1440DEE509B3182DBB85B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004390EA, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004390EA(struct HWND__* _a4, int _a8, struct HDC__* _a12, long _a16) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t20;
				unsigned int _t32;
				unsigned int _t35;
				unsigned int _t42;
				long _t47;
				struct HWND__* _t51;
				int _t54;
				void* _t56;
				void* _t58;
				void* _t60;
				signed int _t61;
				void* _t65;
				void* _t67;
				void* _t70;
				int _t71;
				void* _t72;
				void* _t73;

				_t51 = _a4;
				_t20 = GetPropW(_t51, L"This");
				_t71 = _a12;
				_t72 = _t20;
				_t54 = _a8;
				if(_t54 == 0) {
					 *((intOrPtr*)( *_t72 + 0x28))();
					RemovePropW(_t51, L"This");
					_t16 = _t72 + 4;
					 *_t16 =  *(_t72 + 4) & 0x00000000;
					__eflags =  *_t16;
					L24:
					return DefWindowProcW(_t51, _a8, _t71, _a16);
				}
				_t56 = _t54 - 0xd;
				if(_t56 == 0) {
					E00437C63(_t51, _t72, _t70, _t71, _t72, __eflags);
					goto L24;
				}
				_t58 = _t56 - 0x101;
				if(_t58 == 0) {
					_t73 = _a16;
					 *(_t73 + 4) = _t51;
					SetPropW(_t51, L"This", _t73);
					return  *((intOrPtr*)( *_t73 + 0xc))();
				}
				_t60 = _t58 - 1;
				if(_t60 == 0) {
					__eflags = _t71 >> 0x10;
					if(_t71 >> 0x10 != 0) {
						goto L24;
					}
					_t61 = _t71 & 0x0000ffff;
					_t32 = _t61 - 1;
					__eflags = _t32;
					if(_t32 == 0) {
						return  *((intOrPtr*)( *_t72 + 0x18))();
					}
					_t35 = _t32 - 1;
					__eflags = _t35;
					if(_t35 == 0) {
						L19:
						return  *((intOrPtr*)( *_t72 + 0x14))();
					}
					__eflags = _t35 == 7;
					if(_t35 == 7) {
						goto L19;
					}
					return  *((intOrPtr*)( *_t72 + 0x1c))(_t61);
				}
				_t65 = _t60 - 1;
				if(_t65 == 0) {
					_t42 =  *((intOrPtr*)( *_t72 + 0x2c))(_t71);
					__eflags = _t42;
					if(_t42 == 0) {
						goto L24;
					}
					return 1;
				}
				_t67 = _t65 - 1;
				if(_t67 == 0) {
					 *((intOrPtr*)( *_t72 + 0x10))(_t71);
					goto L24;
				}
				if(_t67 != 0x25) {
					goto L24;
				}
				_t47 = GetWindowLongW(_a16, 0xfffffff4);
				if(_t47 < 0x33 || _t47 > 0x34 && _t47 != 0xd0) {
					goto L24;
				} else {
					SetBkColor(_a12, GetSysColor(5));
					return  *((intOrPtr*)(_t72 + 0x10));
				}
			}

0x004390ee
0x004390f9
0x00439102
0x00439106
0x00439108
0x00439109
0x004391f4
0x004391fd
0x00439203
0x00439203
0x00439203
0x00439207
0x00000000
0x0043920f
0x0043910f
0x00439112
0x004391e9
0x00000000
0x004391e9
0x00439118
0x0043911e
0x004391cb
0x004391d5
0x004391d8
0x00000000
0x004391e2
0x00439124
0x00439125
0x0043919a
0x0043919d
0x00000000
0x00000000
0x0043919f
0x004391a4
0x004391a4
0x004391a5
0x00000000
0x004391c6
0x004391a7
0x004391a7
0x004391a8
0x004391b9
0x00000000
0x004391bd
0x004391aa
0x004391ad
0x00000000
0x00000000
0x00000000
0x004391b4
0x00439127
0x00439128
0x00439186
0x00439189
0x0043918b
0x00000000
0x00000000
0x00000000
0x0043918f
0x0043912a
0x0043912b
0x00439179
0x00000000
0x00439179
0x00439130
0x00000000
0x00000000
0x0043913b
0x00439144
0x00000000
0x0043915a
0x00439166
0x00000000
0x0043916c

APIs

GetPropW.USER32(?,This), ref: 004390F9
GetWindowLongW.USER32(?,000000F4), ref: 0043913B
GetSysColor.USER32(00000005), ref: 0043915C
SetBkColor.GDI32(?,00000000), ref: 00439166
SetPropW.USER32 ref: 004391D8
RemovePropW.USER32 ref: 004391FD
DefWindowProcW.USER32(?,?,?,?), ref: 0043920F

Strings

This, xrefs: 004390F3, 004391CF, 004391F7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Prop$ColorWindow$LongProcRemove
String ID: This
API String ID: 1744480154-1591487769
Opcode ID: c3b06b085747a868f0557f887ee4b44ee0eb8835c087535afdb5271996f0c7d5
Instruction ID: c734fadf3586be9cfb2d03bb6e43c38dc181511a55f91df0914daf74a3f7053e
Opcode Fuzzy Hash: c3b06b085747a868f0557f887ee4b44ee0eb8835c087535afdb5271996f0c7d5
Instruction Fuzzy Hash: DB31AD34200905BBDB285FA9DD4CD2B7BA8FF0D315F10188AF466D73A1CBB8DD018A69

Uniqueness

Uniqueness Score: -1.00%

Function 00403CF0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00403CF0(intOrPtr* __ecx) {
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v56;
				short _v72;
				long _v76;
				char _v77;
				char _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t33;
				intOrPtr _t51;
				intOrPtr _t52;
				void* _t55;
				void* _t56;
				intOrPtr _t66;
				intOrPtr* _t67;
				signed int _t69;
				void* _t75;
				void* _t77;
				intOrPtr* _t79;
				void* _t80;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t86;

				_push(0xffffffff);
				_push(0x4ac478);
				_push( *[fs:0x0]);
				_t86 = (_t84 & 0xfffffff8) - 0x40;
				_t31 =  *0x4d7e88; // 0x9518852c
				_v24 = _t31 ^ _t86;
				_t33 =  *0x4d7e88; // 0x9518852c
				_push(_t33 ^ _t86);
				 *[fs:0x0] =  &_v16;
				_t79 = __ecx;
				_t55 = GetLastError;
				_v76 = GetLastError();
				if( *((char*)(_t79 + 4)) != 0) {
					_t51 =  *_t79;
					_t66 =  *((intOrPtr*)(_t51 + 0x24));
					_t71 =  !=  ? _t66 : 0x4c2d7c;
					_t77 =  !=  ?  !=  ? _t66 : 0x4c2d7c : 0x4c2d7c;
					if( *0x4c2d7c != 0) {
						_t67 = 0x4c2d7c;
						_t6 = _t67 + 2; // 0x4c2d7e
						_t71 = _t6;
						do {
							_t52 =  *_t67;
							_t67 = _t67 + 2;
						} while (_t52 != 0);
						_t51 =  *_t79;
						_t69 = _t67 - _t71 >> 1;
					} else {
						_t69 = 0;
					}
					_push(_t69);
					_push(_t77);
					_t7 = _t51 + 4; // 0x4
					E00406EB0(_t55, _t7, _t77, _t79);
				}
				_t37 =  *((intOrPtr*)(_t79 + 8));
				if( *((intOrPtr*)(_t79 + 8)) != 0) {
					E004043D0( &_v72, _t71, _t37,  &_v77, 1);
					_v20 = 0;
					_t65 =  *_t79 + 4;
					if( *_t79 + 4 !=  &_v80) {
						_push(0xffffffff);
						E00406630(_t55, _t65, SetLastError,  &_v80, 0);
					}
					 *((intOrPtr*)( &_v32 +  *((intOrPtr*)(_v32 + 4)))) = GetLastError();
					L0045A7D5(_v44);
					_t83 = __imp__#6;
					_t86 = _t86 + 4;
					 *_t83(_v36);
					if(_v52 >= 8) {
						 *_t83(_v72);
					}
					_v72 = 0;
					_v52 = 7;
					_v56 = 0;
					SetLastError( *(_t86 +  *((intOrPtr*)(_v76 + 4)) + 0x18));
				}
				SetLastError(_v76);
				 *[fs:0x0] = _v16;
				_pop(_t75);
				_pop(_t80);
				_pop(_t56);
				return E0045A457(_t56, _v24 ^ _t86, _t71, _t75, _t80);
			}

0x00403cf6
0x00403cf8
0x00403d03
0x00403d04
0x00403d07
0x00403d0e
0x00403d15
0x00403d1c
0x00403d21
0x00403d27
0x00403d29
0x00403d35
0x00403d39
0x00403d3b
0x00403d42
0x00403d49
0x00403d4e
0x00403d55
0x00403d5b
0x00403d5d
0x00403d5d
0x00403d60
0x00403d60
0x00403d63
0x00403d66
0x00403d6b
0x00403d6f
0x00403d57
0x00403d57
0x00403d57
0x00403d71
0x00403d72
0x00403d73
0x00403d76
0x00403d76
0x00403d7b
0x00403d86
0x00403d98
0x00403d9d
0x00403da7
0x00403db0
0x00403db2
0x00403db7
0x00403db7
0x00403dcb
0x00403dd1
0x00403dd6
0x00403ddc
0x00403de3
0x00403dea
0x00403df0
0x00403df0
0x00403df4
0x00403dfd
0x00403e05
0x00403e14
0x00403e14
0x00403e1a
0x00403e20
0x00403e28
0x00403e29
0x00403e2a
0x00403e39

APIs

GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403D2F
GetLastError.KERNEL32(?,00000000,000000FF), ref: 00403DC9
SysFreeString.OLEAUT32(?), ref: 00403DE3
SysFreeString.OLEAUT32(?), ref: 00403DF0
SetLastError.KERNEL32(?), ref: 00403E14
SetLastError.KERNEL32(?,?,00000000,73B74C30,?,?,?,?,?,?,?,?,00000000,004AC478,000000FF,T4L), ref: 00403E1A

Strings

|-L, xrefs: 00403D3D
T4L, xrefs: 00403CF0

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L$|-L
API String ID: 2425351278-1709513760
Opcode ID: b386a610bf49104833955f1fef67703429be1eb315cceb1c9f86f1335d1de7bb
Instruction ID: 652478961ff9c1cba68d6ac3a25687269dca0b81cae8225f4072e21b4aecd20c
Opcode Fuzzy Hash: b386a610bf49104833955f1fef67703429be1eb315cceb1c9f86f1335d1de7bb
Instruction Fuzzy Hash: 2F4181756083019FC714DF28D881B2BBBE9EF84714F144A2EF856972A0DB75EC14CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00405950, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00405950(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v8;
				char _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				short _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				signed int _t48;
				void* _t60;
				void* _t61;
				void* _t74;
				void* _t86;
				intOrPtr* _t88;
				void* _t89;
				intOrPtr* _t94;
				void* _t95;
				signed int _t96;

				_t86 = __edx;
				_push(0xffffffff);
				_push(0x4ac3e0);
				_push( *[fs:0x0]);
				_t47 =  *0x4d7e88; // 0x9518852c
				_t48 = _t47 ^ _t96;
				_v20 = _t48;
				_push(_t48);
				 *[fs:0x0] =  &_v16;
				_t88 = __ecx;
				_v76 = _a4;
				_v80 = __ecx;
				_v72 = _a8;
				if(_a16 != 0) {
					 *__ecx = 0x4c2f50;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c3454;
				}
				 *( *((intOrPtr*)( *_t88 + 4)) + _t88) = GetLastError();
				 *((intOrPtr*)(_t88 + 0x18)) = 7;
				 *((intOrPtr*)(_t88 + 0x14)) = 0;
				 *((short*)(_t88 + 4)) = 0;
				 *((intOrPtr*)(_t88 + 0x1c)) = 0;
				 *((intOrPtr*)(_t88 + 0x20)) = 0;
				 *((intOrPtr*)(_t88 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t88 + 0x28)) + 4)) + _t88 + 0x28));
				_t58 =  !=  ? _v76 : 0x4c2bd0;
				_v8 = 0;
				_t60 = E00406A50(_t86, _v76,  &_v68,  !=  ? _v76 : 0x4c2bd0, _v72, 0);
				_v8 = 1;
				if(_t60 == 0) {
					_t61 = 0;
					__eflags = 0;
				} else {
					_t61 = _t60 + 4;
				}
				_t27 = _t88 + 4; // 0x5
				E00405670(_t27, _t61);
				 *((intOrPtr*)( &_v28 +  *((intOrPtr*)(_v28 + 4)))) = GetLastError();
				L0045A7D5(_v40);
				_t94 = __imp__#6;
				 *_t94(_v32);
				if(_v44 >= 8) {
					 *_t94(_v64);
				}
				_v44 = 7;
				_v48 = 0;
				_v64 = 0;
				SetLastError( *(_t96 +  *((intOrPtr*)(_v68 + 4)) - 0x40));
				SetLastError( *( *((intOrPtr*)( *_t88 + 4)) + _t88));
				 *[fs:0x0] = _v16;
				_pop(_t89);
				_pop(_t95);
				_pop(_t74);
				return E0045A457(_t74, _v20 ^ _t96, _t86, _t89, _t95);
			}

0x00405950
0x00405953
0x00405955
0x00405960
0x00405964
0x00405969
0x0040596b
0x00405971
0x00405975
0x0040597b
0x00405984
0x0040598a
0x0040598d
0x00405990
0x00405992
0x00405998
0x00405998
0x004059b0
0x004059b3
0x004059ba
0x004059c3
0x004059c7
0x004059ca
0x004059cd
0x004059da
0x004059eb
0x004059f3
0x004059fa
0x00405a02
0x00405a08
0x00405a0f
0x00405a0f
0x00405a0a
0x00405a0a
0x00405a0a
0x00405a12
0x00405a15
0x00405a2b
0x00405a30
0x00405a35
0x00405a41
0x00405a47
0x00405a4c
0x00405a4c
0x00405a53
0x00405a5a
0x00405a61
0x00405a6c
0x00405a76
0x00405a7d
0x00405a85
0x00405a86
0x00405a87
0x00405a95

APIs

GetLastError.KERNEL32(9518852C,?,00000003,00000000,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 004059A4
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 004059DA
GetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,004AC3E0,000000FF), ref: 00405A25
SysFreeString.OLEAUT32(000000FF), ref: 00405A41
SysFreeString.OLEAUT32(?), ref: 00405A4C
SetLastError.KERNEL32(?), ref: 00405A6C
SetLastError.KERNEL32(00000003), ref: 00405A76

Strings

T4L, xrefs: 00405998

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L
API String ID: 2425351278-1354015026
Opcode ID: 9c97ba61bc56eddfd076f442ad99ff4f6c67ca2cffa0b5ea2a0af6de39cb4a05
Instruction ID: 1d50ff39d37cd8aa85c9e9d149d21a44b15b42f639968989123202e4cf14c0ac
Opcode Fuzzy Hash: 9c97ba61bc56eddfd076f442ad99ff4f6c67ca2cffa0b5ea2a0af6de39cb4a05
Instruction Fuzzy Hash: 79412A75A00209EFDB00DF69C985B9ABBF4FF08314F14412AE819E7690DB75A911CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDAE, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0040CDAE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t47;
				void* _t48;
				intOrPtr _t67;
				intOrPtr* _t81;
				void* _t86;
				void* _t90;
				void* _t91;
				void* _t92;
				intOrPtr _t94;
				intOrPtr _t95;
				intOrPtr _t96;
				void* _t99;

				_t99 = __eflags;
				_t84 = __edx;
				_push(0x10c);
				E0045B8C9(0x4a0be7, __ebx, __edi, __esi);
				_t86 = __ecx;
				_t67 =  *((intOrPtr*)(_t91 + 8));
				 *((intOrPtr*)(_t91 - 0x110)) = 0;
				 *((intOrPtr*)(_t91 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t91 - 0x18)) = 0x4c2f40;
				E00404200(_t91 - 0x40, _t91 - 0x101, 0);
				 *((intOrPtr*)(_t91 - 4)) = 0;
				E0040DD64(_t91 - 0x40, L"0x%04x",  *(_t91 + 0xc) & 0x0000ffff);
				_push(L".ini");
				_push(_t91 - 0x40);
				_push(_t91 - 0xa0);
				_t90 = E0040B22B(_t67, _t86, 0, _t99);
				 *((char*)(_t91 - 4)) = 1;
				_t47 = E0040D208(_t86, _t91 - 0xd0);
				_push(0);
				_push(0);
				_push(_t91 - 0x100);
				 *((char*)(_t91 - 4)) = 2;
				_t48 = E0040A206(_t67, _t47, __edx, 0, _t90, 0);
				_push(_t90);
				_push(_t91 - 0x70);
				 *((char*)(_t91 - 4)) = 3;
				E0040B91E(_t67, _t48, 0, _t90, 0);
				E00401B80(_t91 - 0x100);
				E00401B80(_t91 - 0xd0);
				 *((char*)(_t91 - 4)) = 7;
				E00401B80(_t91 - 0xa0);
				_t94 = _t92 + 0x18 - 0x30;
				 *((intOrPtr*)(_t91 - 0x118)) = _t94;
				E004091B8(_t94, L"MS Sans Serif", _t91 - 0x101, 1);
				_t95 = _t94 - 0x30;
				 *((intOrPtr*)(_t91 - 0x114)) = _t95;
				 *((char*)(_t91 - 4)) = 8;
				E004091B8(_t95, L"FontName", _t91 - 0x101, 1);
				_t96 = _t95 - 0x30;
				 *((char*)(_t91 - 4)) = 9;
				 *((intOrPtr*)(_t91 - 0x10c)) = _t96;
				E004091B8(_t96, L"Properties", _t91 - 0x101, 1);
				_t81 = _t96 - 0x30;
				_push(0);
				_push(_t91 - 0x70);
				 *((char*)(_t91 - 4)) = 0xa;
				 *_t81 = 0x4c2fa0;
				 *((intOrPtr*)(_t81 + 0x28)) = 0x4c2f40;
				E00408E82(_t67, _t81, 0, _t90, 0);
				_push(_t67);
				 *((char*)(_t91 - 4)) = 7;
				E0044585A(_t67, _t84, 0, _t90, 0);
				E00401B80(_t91 - 0x70);
				E00401B80(_t91 - 0x40);
				return E0045B878(_t67, 0, _t90);
			}

0x0040cdae
0x0040cdae
0x0040cdae
0x0040cdb8
0x0040cdbd
0x0040cdbf
0x0040cdcf
0x0040cdd5
0x0040cddc
0x0040cde3
0x0040cdf6
0x0040cdf9
0x0040cdfe
0x0040ce06
0x0040ce0d
0x0040ce16
0x0040ce21
0x0040ce25
0x0040ce2c
0x0040ce2d
0x0040ce34
0x0040ce37
0x0040ce3b
0x0040ce40
0x0040ce44
0x0040ce47
0x0040ce4b
0x0040ce56
0x0040ce61
0x0040ce6c
0x0040ce70
0x0040ce75
0x0040ce7a
0x0040ce8e
0x0040ce93
0x0040ce98
0x0040ceac
0x0040ceb0
0x0040ceb5
0x0040ceb8
0x0040cebe
0x0040ced2
0x0040ceda
0x0040cedc
0x0040cee0
0x0040cee1
0x0040cee5
0x0040ceeb
0x0040cef2
0x0040cef7
0x0040cef8
0x0040cefc
0x0040cf0a
0x0040cf12
0x0040cf1e

APIs

__EH_prolog3_GS.LIBCMT ref: 0040CDB8

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044585A: __EH_prolog3_GS.LIBCMT ref: 00445864

Strings

FontName, xrefs: 0040CEA7
@/L, xrefs: 0040CEEB
Properties, xrefs: 0040CECD
@/L, xrefs: 0040CDDC
0x%04x, xrefs: 0040CDF0
MS Sans Serif, xrefs: 0040CE89
.ini, xrefs: 0040CDFE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3
String ID: .ini$0x%04x$@/L$@/L$FontName$MS Sans Serif$Properties
API String ID: 1949661404-2396576412
Opcode ID: 3497470fb53890255652dcb6219d41613a2223ebb5d32017a503bbd40baa1afb
Instruction ID: 852665918b4d215c2952b0b1f833bbc88fc080e3296a1f32bd5dd132b01d9c4b
Opcode Fuzzy Hash: 3497470fb53890255652dcb6219d41613a2223ebb5d32017a503bbd40baa1afb
Instruction Fuzzy Hash: 1241B671900218EADB14FBA5CC56BEDB7B8AF55704F0040DFF408A7182DBB81B48CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00404960, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00404960(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v12;
				char _v16;
				signed int _v24;
				intOrPtr _v32;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				signed int _t40;
				void* _t54;
				void* _t59;
				void* _t60;
				void* _t61;
				short* _t63;
				void* _t71;
				intOrPtr* _t72;
				void* _t73;
				void* _t74;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t83;

				_t82 = (_t80 & 0xfffffff8) - 0x40;
				_t38 =  *0x4d7e88; // 0x9518852c
				_v24 = _t38 ^ _t82;
				_t40 =  *0x4d7e88; // 0x9518852c
				 *[fs:0x0] =  &_v16;
				_t60 = __ecx;
				_t72 = _a4;
				_v76 = _t72;
				_v80 = 0;
				E00405F80( &_v72, 0x5c);
				 *((intOrPtr*)( &_v40 +  *((intOrPtr*)(_v40 + 4)))) = GetLastError();
				L0045A7D5(_v52);
				_t77 = __imp__#6;
				_t83 = _t82 + 4;
				 *_t77(_v44, _t40 ^ _t82, _t71, _t74, _t59,  *[fs:0x0], 0x4ac7c8, 0xffffffff);
				if(_v60 >= 8) {
					 *_t77(_v72);
				}
				_v72 = 0;
				_v52 = 7;
				_v56 = 0;
				SetLastError( *(_t83 +  *((intOrPtr*)(_v76 + 4)) + 0x18));
				 *_t72 = 0x4c2f50;
				 *((intOrPtr*)(_t72 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t72 + 0x2c)) = GetLastError();
				_v12 = 0;
				if(_t60 == 0) {
					_t54 = 0;
				} else {
					_t54 = _t60 + 4;
				}
				_t63 = _t72 + 4;
				 *((intOrPtr*)(_t63 + 0x14)) = 7;
				 *((intOrPtr*)(_t63 + 0x10)) = 0;
				 *_t63 = 0;
				E00406630(_t60, _t63, _t72, _t54, 0);
				 *((intOrPtr*)(_t72 + 0x1c)) = 0;
				 *((intOrPtr*)(_t72 + 0x20)) = 0;
				 *((intOrPtr*)(_t72 + 0x24)) = 0;
				_t32 =  *((intOrPtr*)(_t72 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t32 + _t72 + 0x28));
				 *[fs:0x0] = _v32;
				_t73 = 0xffffffff;
				_pop(_t79);
				_pop(_t61);
				return E0045A457(_t61, _v40 ^ _t83, 0, _t73, _t79);
			}

0x00404974
0x00404977
0x0040497e
0x00404985
0x00404991
0x00404997
0x00404999
0x004049a3
0x004049a7
0x004049af
0x004049c7
0x004049cd
0x004049d2
0x004049d8
0x004049df
0x004049e6
0x004049ec
0x004049ec
0x004049f6
0x004049ff
0x00404a07
0x00404a16
0x00404a18
0x00404a1e
0x00404a2b
0x00404a2e
0x00404a38
0x00404a3f
0x00404a3a
0x00404a3a
0x00404a3a
0x00404a41
0x00404a49
0x00404a50
0x00404a58
0x00404a5b
0x00404a60
0x00404a67
0x00404a6e
0x00404a78
0x00404a7f
0x00404a87
0x00404a8f
0x00404a90
0x00404a91
0x00404aa0

APIs

Part of subcall function 00405F80: GetLastError.KERNEL32(00000001,76E3D5B0,9518852C,?,73B74D40,?,?,004AC698,000000FF,T4L,004049B4), ref: 00405FF4
Part of subcall function 00405F80: SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 00406042

GetLastError.KERNEL32 ref: 004049C1
SysFreeString.OLEAUT32(?), ref: 004049DF
SysFreeString.OLEAUT32(?), ref: 004049EC
SetLastError.KERNEL32(?), ref: 00404A16
GetLastError.KERNEL32 ref: 00404A25
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404A7F

Strings

T4L, xrefs: 00404A1E
T4L, xrefs: 00404960

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L$T4L
API String ID: 2425351278-3367740000
Opcode ID: 058cff7a5df4e6d868abe48a367cce014fb2891f3a17672302919ae29e5b005f
Instruction ID: 32c3651e55e86741e28abfdec92bbce572763d66b3ad848a02f8ce83922ad317
Opcode Fuzzy Hash: 058cff7a5df4e6d868abe48a367cce014fb2891f3a17672302919ae29e5b005f
Instruction Fuzzy Hash: 64312AB1508741AFD700CF29C845B16BBE4FF88318F104A2EF855976A1D7B5E819CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 00439468, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00439468(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, void* _a16) {
				void* _t13;
				unsigned int _t20;
				int _t23;
				WCHAR* _t28;
				void* _t30;
				void* _t31;
				void* _t33;
				void* _t35;
				struct HWND__* _t36;
				void* _t37;
				void* _t38;

				_t36 = _a4;
				_t28 = L"This";
				_t13 = GetPropW(_t36, _t28);
				_t35 = 2;
				_t37 = _t13;
				_t30 = _a8 - _t35;
				if(_t30 == 0) {
					RemovePropW(_t36, _t28);
					L14:
					return 0;
				}
				_t31 = _t30 - 0x10e;
				if(_t31 == 0) {
					_t38 = _a16;
					 *_t38 = _t36;
					SetPropW(_t36, _t28, _t38);
					return E00438270(_t38, _t35, __eflags);
				}
				_t33 = _t31 - 1;
				if(_t33 == 0) {
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L14;
					}
					__eflags = _a12 - _t35;
					if(_a12 == _t35) {
						L8:
						_t20 =  *(_t37 + 0x288);
						__eflags = _t20;
						if(_t20 != 0) {
							_t23 = IsWindow( *(_t20 + 4));
							__eflags = _t23;
							if(_t23 != 0) {
								SendMessageW( *( *(_t37 + 0x288) + 4), 0x111, 2, 0);
							}
						}
						return 1;
					}
					__eflags = _a12 - 9;
					if(_a12 != 9) {
						goto L14;
					}
					goto L8;
				} else {
					if(_t33 == 5) {
						EnableMenuItem(_a12, 0xf030, 3);
						EnableMenuItem(_a12, 0xf000, 3);
					}
					goto L14;
				}
			}

0x0043946e
0x00439471
0x00439478
0x00439483
0x00439484
0x00439486
0x00439488
0x00439527
0x0043952d
0x00000000
0x0043952d
0x0043948e
0x00439494
0x0043950e
0x00439514
0x00439516
0x00000000
0x0043951e
0x00439496
0x00439497
0x004394c8
0x004394cb
0x00000000
0x00000000
0x004394cd
0x004394d1
0x004394da
0x004394da
0x004394e0
0x004394e2
0x004394e7
0x004394ed
0x004394ef
0x00439503
0x00439503
0x004394ef
0x00000000
0x0043950b
0x004394d3
0x004394d8
0x00000000
0x00000000
0x00000000
0x00439499
0x0043949c
0x004394b2
0x004394be
0x004394be
0x00000000
0x0043949c

APIs

GetPropW.USER32(?,This), ref: 00439478
EnableMenuItem.USER32 ref: 004394B2
EnableMenuItem.USER32 ref: 004394BE
IsWindow.USER32(?), ref: 004394E7
SendMessageW.USER32(?,00000111,00000002,00000000), ref: 00439503
SetPropW.USER32 ref: 00439516
RemovePropW.USER32 ref: 00439527

Strings

This, xrefs: 00439471, 00439476, 00439512, 00439525

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Prop$EnableItemMenu$MessageRemoveSendWindow
String ID: This
API String ID: 2617454859-1591487769
Opcode ID: 8431ab33346b0fbe61acedda2eb80ad25f733ad79c3b441b84b841987ec0a053
Instruction ID: 49fd111743158434b0272aa931994b9fd5ab21aa3a63de756cb8bcf00940d983
Opcode Fuzzy Hash: 8431ab33346b0fbe61acedda2eb80ad25f733ad79c3b441b84b841987ec0a053
Instruction Fuzzy Hash: E1212432200208BBDF265F25EC48F6B7BA8EB09754F045426FA51972A1E7F4DD819B58

Uniqueness

Uniqueness Score: -1.00%

Function 00425464, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00425464(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				DWORD* _t24;
				long _t25;
				void* _t34;
				long _t42;
				void* _t51;
				void* _t54;

				_push(0x108);
				E0045B8C9(0x4a4275, __ebx, __edi, __esi);
				_t51 = __ecx;
				_t24 =  *(_t54 + 8);
				_t42 = 0;
				if( *((intOrPtr*)(__ecx + 4)) == 0) {
					L6:
					_t25 = GetFileSize( *(_t51 + 8), _t24);
					_t53 = _t25;
					if(_t25 == 0xffffffff) {
						_t42 = GetLastError();
						_t60 = _t42;
						if(_t42 != 0) {
							_push(0);
							_push(_t51 + 0xc);
							_t15 = _t54 - 0x40; // 0x4ae964
							 *((intOrPtr*)(_t54 - 0x40)) = 0x4ae964;
							 *((intOrPtr*)(_t54 - 0x18)) = 0x4ae96c;
							E00408E82(_t42, _t15, _t51, _t53, _t60);
							_push(1);
							 *((intOrPtr*)(_t54 - 4)) = 1;
							_push(_t42);
							_t19 = _t54 - 0x40; // 0x4ae964
							E00416974(_t54 - 0xc0, _t53, _t60);
							_push(0x4c9bf0);
							_t34 = _t54 - 0xc0;
							goto L5;
						}
					}
				} else {
					if(_t24 != 0) {
						 *_t24 = 0;
					}
					_t53 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t51 + 4)))) + 0x18))();
					_t58 = _t53 - 0xffffffff;
					if(_t53 == 0xffffffff) {
						_push(_t42);
						_push(_t51 + 0xc);
						 *((intOrPtr*)(_t54 - 0x70)) = 0x4ae964;
						 *((intOrPtr*)(_t54 - 0x48)) = 0x4ae96c;
						E00408E82(_t42, _t54 - 0x70, _t51, _t53, _t58);
						_push(1);
						_t9 = _t54 - 0x70; // 0x4ae964
						 *((intOrPtr*)(_t54 - 4)) = _t42;
						E00416CE9(_t42, _t54 - 0x114, _t51, _t53, _t58);
						_push(0x4c9c64);
						_t34 = _t54 - 0x114;
						L5:
						_push(_t34);
						_t24 = E0045A466();
						goto L6;
					}
				}
				return E0045B878(_t42, _t51, _t53);
			}

0x00425464
0x0042546e
0x00425473
0x00425475
0x00425478
0x0042547d
0x004254d8
0x004254dc
0x004254e2
0x004254e7
0x004254ef
0x004254f1
0x004254f3
0x004254f5
0x004254fa
0x004254fb
0x004254fe
0x00425505
0x0042550c
0x00425514
0x00425515
0x00425518
0x00425519
0x00425523
0x00425528
0x0042552d
0x00000000
0x0042552d
0x004254f3
0x0042547f
0x00425481
0x00425483
0x00425483
0x0042548d
0x0042548f
0x00425492
0x00425498
0x0042549c
0x004254a0
0x004254a7
0x004254ae
0x004254b3
0x004254b5
0x004254bf
0x004254c2
0x004254c7
0x004254cc
0x004254d2
0x004254d2
0x004254d3
0x00000000
0x004254d3
0x00425492
0x0042553c

APIs

__EH_prolog3_GS.LIBCMT ref: 0042546E
__CxxThrowException@8.LIBCMT ref: 004254D3
GetFileSize.KERNEL32(?,?,00000108,00424345,00000000,00000010,004246AC,?,?,?,?,?,?,00000000), ref: 004254DC
GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004254E9

Strings

lJ, xrefs: 00425505
dJ, xrefs: 004254B5, 004254B8
lJ, xrefs: 004254A7
dJ, xrefs: 004254FB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorException@8FileH_prolog3_LastSizeThrow
String ID: dJ$dJ$lJ$lJ
API String ID: 4197087271-2563680426
Opcode ID: 76ee42e62e10112f8e60142eaba49cefafcabdb8c402dca8384c3a42177a4f5b
Instruction ID: b2082534f39979bccaf32d7e782aa233bb087002ff19d54df1b5e64b96e7a666
Opcode Fuzzy Hash: 76ee42e62e10112f8e60142eaba49cefafcabdb8c402dca8384c3a42177a4f5b
Instruction Fuzzy Hash: 2D21B3B1900218EBC710EFA1DC84AEEB7BCBF14314F40426FE925A3281DB749E44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B095, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040B095(intOrPtr __ecx, void* __edi, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				void* __ebx;
				void* __esi;
				intOrPtr _t13;
				_Unknown_base(*)()* _t16;
				_Unknown_base(*)()* _t17;
				void* _t25;
				void* _t27;
				intOrPtr _t28;
				signed int _t35;
				void* _t39;
				void* _t41;
				struct HINSTANCE__* _t42;
				void* _t53;

				_t30 = __ecx;
				_t13 =  *((intOrPtr*)(__ecx + 0x10));
				_t35 = _a4;
				if(_t13 < _t35) {
					_push("invalid string position");
					E00459FCD(__eflags);
					asm("int3");
					_push(_t27);
					_push(_t41);
					_t28 = _t30;
					_t42 = GetModuleHandleW(L"KERNEL32");
					_t16 = GetProcAddress(_t42, "SetDllDirectoryW");
					__eflags = _t16;
					if(_t16 != 0) {
						 *_t16(0x4c2d7c);
					}
					_t17 = GetProcAddress(_t42, "SetSearchPathMode");
					__eflags = _t17;
					if(_t17 != 0) {
						 *_t17(0x8001);
					}
					return _t28;
				} else {
					_t39 =  <  ? _t13 - _t35 : _a8;
					if( *((intOrPtr*)(__ecx + 0x14)) >= 8) {
						_t30 =  *((intOrPtr*)(__ecx));
					}
					_t23 =  <  ? _t39 : _a16;
					_t25 = E0045B637(_t27, _t30, _t41, _t30 + _t35 * 2, _a12,  <  ? _t39 : _a16);
					_t53 = _t39 - _a16;
					_t33 =  <  ? _t35 | 0xffffffff : _t53 != 0;
					_t34 =  !=  ? _t25 :  <  ? _t35 | 0xffffffff : _t53 != 0;
					return  !=  ? _t25 :  <  ? _t35 | 0xffffffff : _t53 != 0;
				}
			}

0x0040b095
0x0040b098
0x0040b09b
0x0040b0a0
0x0040b0ea
0x0040b0ef
0x0040b0f4
0x0040b0f5
0x0040b0f6
0x0040b0fc
0x0040b104
0x0040b10c
0x0040b112
0x0040b114
0x0040b11b
0x0040b11b
0x0040b123
0x0040b129
0x0040b12b
0x0040b132
0x0040b132
0x0040b138
0x0040b0a2
0x0040b0aa
0x0040b0b1
0x0040b0b3
0x0040b0b3
0x0040b0ba
0x0040b0c5
0x0040b0cf
0x0040b0dc
0x0040b0e1
0x0040b0e7
0x0040b0e7

APIs

__wcsnicmp.LIBCMT ref: 0040B0C5
GetModuleHandleW.KERNEL32(KERNEL32,?,?,invalid string position,?,0040B091,00000000,?,?,?,?,?,?,0040AB3F,00000000), ref: 0040B0FE
GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0040B10C
GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 0040B123

Strings

SetDllDirectoryW, xrefs: 0040B106
SetSearchPathMode, xrefs: 0040B11D
invalid string position, xrefs: 0040B0EA
KERNEL32, xrefs: 0040B0F7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressProc$HandleModule__wcsnicmp
String ID: KERNEL32$SetDllDirectoryW$SetSearchPathMode$invalid string position
API String ID: 1419893147-3384542216
Opcode ID: 69ef947cd4a98ee24fc8d9e90236db6eb9bea07c11959dc4b0a618b1e60c00c3
Instruction ID: c32fed0a5104787a3cdc9ff5f825b73f8d62bd87897139d2feafc8a4108a3152
Opcode Fuzzy Hash: 69ef947cd4a98ee24fc8d9e90236db6eb9bea07c11959dc4b0a618b1e60c00c3
Instruction Fuzzy Hash: BE11C2313013055FDF14AE79AC45D6E379AEA85750724443EF821E3281DBBAD8528AEE

Uniqueness

Uniqueness Score: -1.00%

Function 004451AC, Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 58
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E004451AC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				struct _FILETIME* _t26;
				int _t27;
				void* _t35;
				void* _t37;
				intOrPtr* _t44;
				struct _FILETIME* _t51;
				void* _t53;
				void* _t54;

				_t42 = __ebx;
				_push(0x108);
				E0045B8C9(0x4a77f2, __ebx, __edi, __esi);
				_t53 = __ecx;
				_t44 =  *((intOrPtr*)(__ecx + 4));
				_t3 = _t54 + 0xc; // 0x4c2f40
				_t26 =  *_t3;
				_t51 =  *(_t54 + 0x10);
				_push( *((intOrPtr*)(_t54 + 8)));
				if(_t44 == 0) {
					L4:
					_t27 = GetFileTime( *(_t53 + 8), _t26, _t51, ??);
					_t59 = _t27;
					if(_t27 == 0) {
						_push(_t27);
						_push(_t53 + 0xc);
						_t17 = _t54 - 0x40; // 0x4ae964
						 *((intOrPtr*)(_t54 - 0x40)) = 0x4ae964;
						 *((intOrPtr*)(_t54 - 0x18)) = 0x4ae96c;
						E00408E82(_t42, _t17, _t51, _t53, _t59);
						_push(1);
						 *(_t54 - 4) = 1;
						_t21 = _t54 - 0x40; // 0x4ae964
						E00416910(_t54 - 0xc0, _t53, _t59);
						_push(0x4c9bf0);
						_t35 = _t54 - 0xc0;
						goto L3;
					}
				} else {
					_t37 =  *((intOrPtr*)( *_t44 + 0x1c))();
					_t57 = _t37;
					if(_t37 == 0) {
						_push(0);
						_push(__ecx + 0xc);
						 *((intOrPtr*)(_t54 - 0x70)) = 0x4ae964;
						 *((intOrPtr*)(_t54 - 0x48)) = 0x4ae96c;
						E00408E82(__ebx, _t54 - 0x70, _t51, __ecx, _t57);
						 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
						_push(1);
						_t12 = _t54 - 0x70; // 0x4ae964
						E00416CE9(__ebx, _t54 - 0x114, _t51, _t53,  *(_t54 - 4));
						_push(0x4c9c64);
						_t35 = _t54 - 0x114;
						L3:
						_push(_t35);
						_t26 = E0045A466();
						goto L4;
					}
				}
				return E0045B878(_t42, _t51, _t53);
			}

0x004451ac
0x004451ac
0x004451b6
0x004451bb
0x004451bd
0x004451c3
0x004451c3
0x004451c6
0x004451c9
0x004451cc
0x0044521d
0x00445222
0x00445228
0x0044522a
0x0044522c
0x00445230
0x00445231
0x00445234
0x0044523b
0x00445242
0x0044524a
0x0044524b
0x0044524e
0x00445258
0x0044525d
0x00445262
0x00000000
0x00445262
0x004451ce
0x004451d0
0x004451d3
0x004451d5
0x004451db
0x004451e0
0x004451e4
0x004451eb
0x004451f2
0x004451f7
0x004451fb
0x004451fd
0x00445207
0x0044520c
0x00445211
0x00445217
0x00445217
0x00445218
0x00000000
0x00445218
0x004451d5
0x0044526f

APIs

__EH_prolog3_GS.LIBCMT ref: 004451B6
__CxxThrowException@8.LIBCMT ref: 00445218
GetFileTime.KERNEL32(?,@/L,?,?,00000108,004417D5,?,?,?,004AFFB8,80000000,00000001,00000080,00000003,00000000,00000000), ref: 00445222

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0

Strings

dJ, xrefs: 00445231
lJ, xrefs: 004451EB
dJ, xrefs: 004451FD, 00445200
@/L, xrefs: 004451C3, 0044521E
lJ, xrefs: 0044523B

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$Exception@8FileH_prolog3_ThrowTime
String ID: @/L$dJ$dJ$lJ$lJ
API String ID: 2876734416-2881729011
Opcode ID: 5cd39d362dc08eda42560986b5ed758ae809d9a615f56a0f14e5b1a66db2cbd4
Instruction ID: 09ae8387e76ab4fe6258251d74e8dc5e22117f4eef0919e0a1f8ca21e18f499a
Opcode Fuzzy Hash: 5cd39d362dc08eda42560986b5ed758ae809d9a615f56a0f14e5b1a66db2cbd4
Instruction Fuzzy Hash: C81138B5910208EBDB20EF91CC45EEEB7B8BF14705F10815FE556A3241DB78AA09CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00443199, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 56
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00443199(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t16;
				void* _t22;
				void* _t36;
				intOrPtr _t40;
				signed int _t43;
				void* _t45;

				_t29 = __ebx;
				_push(0x254);
				E0045B8C9(0x4a7165, __ebx, __edi, __esi);
				_t40 =  *((intOrPtr*)(_t45 + 0x38));
				 *(_t45 - 4) =  *(_t45 - 4) & 0x00000000;
				_t16 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FindFirstFileW");
				if(_t16 == 0) {
					_t43 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FindFirstFileA");
					__eflags = _t43;
					if(_t43 == 0) {
						_t44 = _t43 | 0xffffffff;
						__eflags = _t43 | 0xffffffff;
					} else {
						_t22 = E00412F8A(__ebx, _t45 + 8, _t36);
						_t44 =  *_t43(_t22, _t45 - 0x150);
						__eflags = _t23 - 0xffffffff;
						if(__eflags != 0) {
							_push(_t45 - 0x150);
							E0043CB63(_t29, _t40, _t40, _t44, __eflags);
						}
					}
				} else {
					_t38 =  >=  ?  *((void*)(_t45 + 0xc)) : _t45 + 0xc;
					_t44 =  *_t16( >=  ?  *((void*)(_t45 + 0xc)) : _t45 + 0xc, _t45 - 0x260);
					if(_t26 != 0xffffffff) {
						E0043CC17(_t40, _t45 - 0x260);
					}
				}
				E00401B80(_t45 + 8);
				return E0045B878(_t29, _t40, _t44);
			}

0x00443199
0x00443199
0x004431a3
0x004431a8
0x004431b1
0x004431c2
0x004431ca
0x0044320b
0x0044320d
0x0044320f
0x0044323a
0x0044323a
0x00443211
0x00443214
0x00443223
0x00443225
0x00443228
0x00443230
0x00443233
0x00443233
0x00443228
0x004431cc
0x004431d9
0x004431e1
0x004431e6
0x004431f1
0x004431f1
0x004431e6
0x00443240
0x0044324c

APIs

__EH_prolog3_GS.LIBCMT ref: 004431A3
GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileW,00000254,00441F34), ref: 004431BF
GetProcAddress.KERNEL32(00000000), ref: 004431C2
GetModuleHandleW.KERNEL32(kernel32.dll,FindFirstFileA), ref: 00443202
GetProcAddress.KERNEL32(00000000), ref: 00443205

Strings

kernel32.dll, xrefs: 004431BA, 004431FD
FindFirstFileA, xrefs: 004431F8
FindFirstFileW, xrefs: 004431B5

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$H_prolog3_
String ID: FindFirstFileA$FindFirstFileW$kernel32.dll
API String ID: 762132516-163559883
Opcode ID: f1b23fcf92a6bb3cd4703bfa62a8d93addcfbfc229e36ea95363fbeadc7f54b7
Instruction ID: dbdea2827036a6e7fd1e2e601472f997fdff8103fe6eba7395dd5788563c34cc
Opcode Fuzzy Hash: f1b23fcf92a6bb3cd4703bfa62a8d93addcfbfc229e36ea95363fbeadc7f54b7
Instruction Fuzzy Hash: 5811E7319002249BDF14EF79CC89AAE7764AB44765F14029BBC24E71C0DB7C9E458BDD

Uniqueness

Uniqueness Score: -1.00%

Function 00441D3D, Relevance: 14.0, APIs: 5, Strings: 3, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00441D3D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				_Unknown_base(*)()* _t10;
				intOrPtr _t17;
				void* _t23;
				intOrPtr* _t26;
				intOrPtr _t28;
				void* _t29;

				_t23 = __edx;
				_push(0);
				E0045B896(0x4a6f2a, __ebx, __edi, __esi);
				_t28 = 0;
				 *((intOrPtr*)(_t29 - 4)) = 0;
				_t10 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "DeleteFileW");
				if(_t10 == 0) {
					_t26 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "DeleteFileA");
					if(_t26 != 0) {
						_t17 =  *_t26(E00412F8A(__ebx, _t29 + 8, _t23));
						goto L4;
					}
				} else {
					_t22 =  >=  ?  *((void*)(_t29 + 0xc)) : _t29 + 0xc;
					_t17 =  *_t10( >=  ?  *((void*)(_t29 + 0xc)) : _t29 + 0xc);
					L4:
					_t28 = _t17;
				}
				E00401B80(_t29 + 8);
				return E0045B864(_t28);
			}

0x00441d3d
0x00441d3d
0x00441d44
0x00441d54
0x00441d5b
0x00441d61
0x00441d69
0x00441d8e
0x00441d92
0x00441d9d
0x00000000
0x00441d9d
0x00441d6b
0x00441d72
0x00441d77
0x00441d9f
0x00441d9f
0x00441d9f
0x00441da4
0x00441db0

APIs

__EH_prolog3.LIBCMT ref: 00441D44
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileW,00000000,0040E878), ref: 00441D5E
GetProcAddress.KERNEL32(00000000), ref: 00441D61
GetModuleHandleW.KERNEL32(kernel32.dll,DeleteFileA), ref: 00441D85
GetProcAddress.KERNEL32(00000000), ref: 00441D88

Strings

kernel32.dll, xrefs: 00441D56, 00441D80
DeleteFileW, xrefs: 00441D4F
DeleteFileA, xrefs: 00441D7B

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc$H_prolog3
String ID: DeleteFileA$DeleteFileW$kernel32.dll
API String ID: 1623054726-1437360270
Opcode ID: 4b1681924df6c003450726dee01bd950833c4300358f64b5df3b8fbc1bd87e85
Instruction ID: 661ce79cb93eaffdecf0edf13d19ed5daf71837a4785dddfabb2fe5da01197a9
Opcode Fuzzy Hash: 4b1681924df6c003450726dee01bd950833c4300358f64b5df3b8fbc1bd87e85
Instruction Fuzzy Hash: 3BF0CDB1A00314ABCF14BF768C15F8E7B74AF90B40B16452AF81197290DB7CEA45CBAC

Uniqueness

Uniqueness Score: -1.00%

Function 0042B2E7, Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 26
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042B2E7(void* __ecx) {
				void* _t10;
				struct HINSTANCE__* _t12;

				_t10 = __ecx;
				 *((char*)(__ecx + 4)) = 0;
				_t12 = GetModuleHandleW(L"kernel32");
				 *((intOrPtr*)(_t10 + 8)) = GetProcAddress(_t12, "Wow64EnableWow64FsRedirection");
				 *((intOrPtr*)(_t10 + 0xc)) = GetProcAddress(_t12, "Wow64DisableWow64FsRedirection");
				 *((intOrPtr*)(_t10 + 0x10)) = GetProcAddress(_t12, "Wow64RevertWow64FsRedirection");
				return _t10;
			}

0x0042b2ea
0x0042b2f1
0x0042b301
0x0042b311
0x0042b31c
0x0042b322
0x0042b329

APIs

GetModuleHandleW.KERNEL32(kernel32,?,00000000,?,0042EEA8,00000AC8,0043184A,[WindowsFolder]Wininit.ini,rename,80000002,SYSTEM\CurrentControlSet\Control\Session Manager,PendingFileRenameOperations,80000002,SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx), ref: 0042B2F5
GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 0042B309
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0042B314
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 0042B31F

Strings

Wow64DisableWow64FsRedirection, xrefs: 0042B30B
Wow64RevertWow64FsRedirection, xrefs: 0042B316
Wow64EnableWow64FsRedirection, xrefs: 0042B303
kernel32, xrefs: 0042B2EC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32
API String ID: 667068680-3439747844
Opcode ID: 3cceb513bf068515491ea59d74298fdf245ba3e5e7fce36e5ebb40ec472eb11c
Instruction ID: f9ce0d1babf0433d3e24264aff26a09f43d3037cb44e79a480e98de940775e64
Opcode Fuzzy Hash: 3cceb513bf068515491ea59d74298fdf245ba3e5e7fce36e5ebb40ec472eb11c
Instruction Fuzzy Hash: 0DE04871A023106BDF009F6A9C89A97FFACDF55A64754806FFC04D7261D7F898018BB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB61, Relevance: 13.6, APIs: 9, Instructions: 82
memoryCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E0040AB61(void* __ebx, void** __ecx, struct HINSTANCE__* _a4, void* _a8, WCHAR* _a12) {
				intOrPtr _v20;
				long _t23;
				void* _t24;
				void* _t30;
				intOrPtr* _t32;
				struct HRSRC__* _t36;
				intOrPtr* _t37;
				void** _t41;

				_t32 = __ecx;
				_t41 = __ecx;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				_t36 = FindResourceW(_a4, _a8, _a12);
				if(_t36 == 0) {
					_push(0);
					_push(0);
					goto L7;
				} else {
					_t30 = LoadResource(_a4, _t36);
					if(_t30 != 0) {
						_t23 = SizeofResource(_a4, _t36);
						_t41[1] = _t23;
						if(_t23 == 0) {
							goto L2;
						} else {
							_t24 = GlobalAlloc(0x40, _t23);
							 *_t41 = _t24;
							if(_t24 == 0) {
								goto L2;
							} else {
								E0045A8B0( *_t41, LockResource(_t30), _t41[1]);
								return _t41;
							}
						}
					} else {
						L2:
						_push(0);
						_push(0);
						L7:
						E0045A466();
						asm("int3");
						_push(_t36);
						_t37 = _t32;
						if(_v20 != 0) {
							_push(_t41);
							_t42 = GlobalLock(_a8);
							E0040B00B(_t37, _t42, E0040ACE9(_t16));
							GlobalUnlock(_a8);
						} else {
							 *_t37 = 0;
							 *((intOrPtr*)(_t37 + 4)) = 0;
							 *((intOrPtr*)(_t37 + 8)) = 0;
						}
						return _t37;
					}
				}
			}

0x0040ab61
0x0040ab6a
0x0040ab74
0x0040ab7d
0x0040ab81
0x0040abd7
0x0040abd8
0x00000000
0x0040ab83
0x0040ab8d
0x0040ab91
0x0040ab9d
0x0040aba3
0x0040aba8
0x00000000
0x0040abaa
0x0040abad
0x0040abb3
0x0040abb7
0x00000000
0x0040abb9
0x0040abc6
0x0040abd4
0x0040abd4
0x0040abb7
0x0040ab93
0x0040ab93
0x0040ab93
0x0040ab95
0x0040abd9
0x0040abd9
0x0040abde
0x0040abe6
0x0040abe7
0x0040abe9
0x0040abf7
0x0040ac01
0x0040ac0e
0x0040ac16
0x0040abeb
0x0040abed
0x0040abef
0x0040abf2
0x0040abf2
0x0040ac21
0x0040ac21
0x0040ab91

APIs

FindResourceW.KERNEL32(?,?,?), ref: 0040AB77
LoadResource.KERNEL32(?,00000000), ref: 0040AB87
SizeofResource.KERNEL32(?,00000000), ref: 0040AB9D
GlobalAlloc.KERNEL32(00000040,00000000), ref: 0040ABAD
LockResource.KERNEL32(00000000,?), ref: 0040ABBD
_memmove.LIBCMT ref: 0040ABC6
__CxxThrowException@8.LIBCMT ref: 0040ABD9
GlobalLock.KERNEL32 ref: 0040ABFB

Part of subcall function 0040B00B: GlobalAlloc.KERNEL32(00000040,?,?,?,0040AC13,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040B01D
Part of subcall function 0040B00B: GlobalLock.KERNEL32 ref: 0040B02B
Part of subcall function 0040B00B: _memmove.LIBCMT ref: 0040B03A
Part of subcall function 0040B00B: GlobalUnlock.KERNEL32 ref: 0040B052

GlobalUnlock.KERNEL32(00000000,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040AC16

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Global$Resource$Lock$AllocUnlock_memmove$Exception@8FindLoadSizeofThrow
String ID:
API String ID: 3630157357-0
Opcode ID: b3ac7c89d0ad56b8803e0228ee336d000094f8f1f3da0ade368464bb3027e991
Instruction ID: c7f850229f26ab8c89ec08d8623358ab84311a0e5543fb62a0df86d93655621e
Opcode Fuzzy Hash: b3ac7c89d0ad56b8803e0228ee336d000094f8f1f3da0ade368464bb3027e991
Instruction Fuzzy Hash: 2C21BE71200305BFE7111F26DC48E6B7FB9EB85350B00443AFA19D62A1DB75D8609AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00422B99, Relevance: 12.5, APIs: 4, Strings: 3, Instructions: 269COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 00422C1E
GetModuleHandleW.KERNEL32(00000000), ref: 00422C60
GetModuleFileNameW.KERNEL32(00400000,?,00000104), ref: 00422DE2
GetModuleHandleW.KERNEL32(00000000), ref: 00422E25

Strings

Module, xrefs: 00422CDA, 00422E9F
REGISTRY, xrefs: 00422D2B, 00422EF4
Module_Raw, xrefs: 00422CF6, 00422EBB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Module$FileHandleName
String ID: Module$Module_Raw$REGISTRY
API String ID: 4146042529-549000027
Opcode ID: 8429f2866f5552f817b8c149be51912573b0a6ac29dd5bf9cd3af78f61becb9c
Instruction ID: 30420aecd7543147277c3991299c8c1d56412e60a9aed8bcbeb0202ccdaf3cea
Opcode Fuzzy Hash: 8429f2866f5552f817b8c149be51912573b0a6ac29dd5bf9cd3af78f61becb9c
Instruction Fuzzy Hash: 74A18976B00238AACB20DF55ED45ADE73BCAF59304F5005A7F905E3101DBB8AE85CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E72E, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040E72E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t51;
				intOrPtr* _t52;
				intOrPtr _t60;
				void* _t62;
				char _t63;
				intOrPtr _t76;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t83;
				intOrPtr* _t85;
				void* _t88;
				struct HWND__* _t91;
				intOrPtr* _t95;
				void* _t96;
				void* _t97;
				void* _t99;

				_t88 = __edx;
				_push(0x74);
				E0045B8C9(0x4a10b8, __ebx, __edi, __esi);
				_t93 = __ecx;
				_t91 =  *0x4d9620; // 0x0
				_t76 =  *((intOrPtr*)(_t96 + 8));
				 *((intOrPtr*)(_t96 - 0x80)) =  *((intOrPtr*)(_t96 + 0xc));
				if(IsWindow(_t91) == 0) {
					_t91 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t93 + 0xe8)))) + 0xc))();
				}
				_t105 = _t91;
				if(_t91 == 0) {
					__eflags = 0;
				} else {
					 *((intOrPtr*)(_t96 - 0x40)) = 0x4c2f50;
					 *((intOrPtr*)(_t96 - 0x18)) = 0x4c3454;
					E00403F50(_t96 - 0x40, _t96 - 0x79, 0);
					_t79 =  *0x4d962c; // 0x0
					 *(_t96 - 4) =  *(_t96 - 4) & 0x00000000;
					_t51 = E0040D268(_t76, _t79, _t88, _t91, _t93, _t105, _t96 - 0x70, 0x64e);
					_t80 = _t76 + 4;
					_t76 = 8;
					 *(_t96 - 4) = 1;
					if( *((intOrPtr*)(_t80 + 0x14)) >= _t76) {
						_t80 =  *_t80;
					}
					_t52 = _t51 + 4;
					if( *((intOrPtr*)(_t52 + 0x14)) >= _t76) {
						_t52 =  *_t52;
					}
					E00403B50(_t96 - 0x40, _t52, _t80);
					 *(_t96 - 4) = 0;
					E00401B80(_t96 - 0x70);
					_t57 =  >=  ?  *((void*)(_t96 - 0x3c)) : _t96 - 0x3c;
					_push( >=  ?  *((void*)(_t96 - 0x3c)) : _t96 - 0x3c);
					_push(L"DownloadFiles: %s");
					_push(_t96 - 0x78);
					 *(_t96 - 0x78) = L"..\\..\\Shared\\Setup\\IsPreReqDlg.cpp";
					 *((intOrPtr*)(_t96 - 0x74)) = 0x4e0;
					E0040E66A(_t76, _t91, _t93,  *((intOrPtr*)(_t96 - 0x28)) - _t76);
					_t60 =  *0x4d962c; // 0x0
					_t99 = _t97 + 0x18;
					 *((intOrPtr*)(_t96 - 0x74)) = _t60;
					_push(0);
					_push(_t96 - 0x70);
					_t62 = E0040D72B(_t76, _t96 - 0x74, _t88, _t91, _t93,  *((intOrPtr*)(_t96 - 0x28)) - _t76);
					_t83 =  *0x4d962c; // 0x0
					_t89 =  *(_t83 + 0x44) & 0x0000ffff;
					_t63 = E0040D238(_t83,  *(_t83 + 0x44) & 0x0000ffff);
					_t95 = _t62 + 4;
					 *((char*)(_t96 - 0x74)) = _t63;
					if( *((intOrPtr*)(_t95 + 0x14)) >= _t76) {
						_t95 =  *_t95;
					}
					_t65 =  >=  ?  *((void*)(_t96 - 0x3c)) : _t96 - 0x3c;
					_t93 = E0040D9AC(_t91,  >=  ?  *((void*)(_t96 - 0x3c)) : _t96 - 0x3c, _t95, 5,  *((intOrPtr*)(_t96 - 0x74)));
					E00401B80(_t96 - 0x70);
					_t85 = _t99 + 0x14 - 0x30;
					_push(0);
					_push( *((intOrPtr*)(_t96 - 0x80)));
					 *_t85 = 0x4c2fa0;
					 *((intOrPtr*)(_t85 + 0x28)) = 0x4c2f40;
					E00408E82(_t76, _t85, _t91, _t66,  *((intOrPtr*)(_t96 - 0x28)) - _t76);
					E00441D3D(_t76, _t89, _t91, _t93,  *((intOrPtr*)(_t96 - 0x28)) - _t76);
					E00401AC0(_t96 - 0x40);
				}
				return E0045B878(_t76, _t91, _t93);
			}

0x0040e72e
0x0040e72e
0x0040e735
0x0040e73a
0x0040e73c
0x0040e745
0x0040e749
0x0040e754
0x0040e761
0x0040e761
0x0040e763
0x0040e765
0x0040e88d
0x0040e76b
0x0040e774
0x0040e77b
0x0040e782
0x0040e787
0x0040e78d
0x0040e79a
0x0040e79f
0x0040e7a4
0x0040e7a5
0x0040e7ac
0x0040e7ae
0x0040e7ae
0x0040e7b0
0x0040e7b6
0x0040e7b8
0x0040e7b8
0x0040e7c0
0x0040e7cb
0x0040e7cf
0x0040e7da
0x0040e7de
0x0040e7e2
0x0040e7e7
0x0040e7e8
0x0040e7ef
0x0040e7f6
0x0040e7fb
0x0040e800
0x0040e803
0x0040e806
0x0040e80b
0x0040e80f
0x0040e814
0x0040e81c
0x0040e821
0x0040e826
0x0040e829
0x0040e82f
0x0040e831
0x0040e831
0x0040e83e
0x0040e850
0x0040e852
0x0040e85a
0x0040e85c
0x0040e85e
0x0040e861
0x0040e867
0x0040e86e
0x0040e873
0x0040e87e
0x0040e888
0x0040e894

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E735
IsWindow.USER32(00000000), ref: 0040E74C

Strings

T4L, xrefs: 0040E77B
@/L, xrefs: 0040E867
P/L, xrefs: 0040E774
J, xrefs: 0040E7E8
DownloadFiles: %s, xrefs: 0040E7E2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_Window
String ID: @/L$DownloadFiles: %s$P/L$T4L$J
API String ID: 2696129371-3407581839
Opcode ID: ecb82e952684bb07feb0a449aeddfb08d8b09897805050005903c7cdd6b546ec
Instruction ID: de23dfaef23a451ab727cd009e5c9a7a2e24c9d9a3dbe1c19b831f440d0632a1
Opcode Fuzzy Hash: ecb82e952684bb07feb0a449aeddfb08d8b09897805050005903c7cdd6b546ec
Instruction Fuzzy Hash: 7F41C575D00208DBCB14EFA1C881A9DB7B8BF04304F24457FE905B7292DB799A09CF99

Uniqueness

Uniqueness Score: -1.00%

Function 004043D0, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004043D0(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v24;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				short _v68;
				char _v72;
				intOrPtr _v76;
				intOrPtr* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t44;
				void* _t52;
				void* _t53;
				void* _t54;
				intOrPtr _t66;
				void* _t67;
				void* _t77;
				intOrPtr* _t79;
				void* _t80;
				intOrPtr* _t85;
				void* _t86;
				signed int _t87;
				void* _t88;
				void* _t89;

				_t77 = __edx;
				_push(0xffffffff);
				_push(0x4ac3a0);
				_push( *[fs:0x0]);
				_t89 = _t88 - 0x40;
				_t43 =  *0x4d7e88; // 0x9518852c
				_t44 = _t43 ^ _t87;
				_v24 = _t44;
				_push(_t44);
				 *[fs:0x0] =  &_v16;
				_t79 = __ecx;
				_t66 = _a4;
				_v80 = __ecx;
				_v76 = _a8;
				if(_a12 != 0) {
					 *__ecx = 0x4c2f50;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c3454;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t79 + 4)) + _t79)) = GetLastError();
				 *((intOrPtr*)(_t79 + 0x18)) = 7;
				 *((intOrPtr*)(_t79 + 0x14)) = 0;
				 *((short*)(_t79 + 4)) = 0;
				 *((intOrPtr*)(_t79 + 0x1c)) = 0;
				 *((intOrPtr*)(_t79 + 0x20)) = 0;
				 *((intOrPtr*)(_t79 + 0x24)) = 0;
				_t18 =  *((intOrPtr*)(_t79 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t18 + _t79 + 0x28));
				_v8 = 0;
				if(_t66 == 0) {
					_t52 = 0;
				} else {
					_t52 = E0045A6C3(_t66);
					_t89 = _t89 + 4;
				}
				_t53 = E00405950( &_v72, _t77, _t66, _t52, _v76, 1);
				_v8 = 1;
				if(_t53 == 0) {
					_t54 = 0;
				} else {
					_t54 = _t53 + 4;
				}
				E00405670(_t79 + 4, _t54);
				_t28 = _v32 + 4; // 0x0
				 *((intOrPtr*)( &_v32 +  *_t28)) = GetLastError();
				L0045A7D5(_v44);
				_t85 = __imp__#6;
				 *_t85(_v36);
				if(_v48 >= 8) {
					 *_t85(_v68);
				}
				_v48 = 7;
				_v52 = 0;
				_v68 = 0;
				SetLastError( *(_t87 +  *((intOrPtr*)(_v72 + 4)) - 0x44));
				 *[fs:0x0] = _v16;
				_pop(_t80);
				_pop(_t86);
				_pop(_t67);
				return E0045A457(_t67, _v24 ^ _t87, _t77, _t80, _t86);
			}

0x004043d0
0x004043d3
0x004043d5
0x004043e0
0x004043e1
0x004043e4
0x004043e9
0x004043eb
0x004043f1
0x004043f5
0x004043fb
0x00404404
0x00404407
0x0040440a
0x0040440d
0x0040440f
0x00404415
0x00404415
0x00404427
0x0040442a
0x00404431
0x0040443a
0x0040443e
0x00404441
0x00404444
0x0040444a
0x00404451
0x00404457
0x00404460
0x0040446d
0x00404462
0x00404463
0x00404468
0x00404468
0x00404479
0x0040447e
0x00404484
0x0040448b
0x00404486
0x00404486
0x00404486
0x00404491
0x0040449c
0x004044a7
0x004044ac
0x004044b1
0x004044bd
0x004044c3
0x004044c8
0x004044c8
0x004044cf
0x004044d6
0x004044dd
0x004044e8
0x004044f3
0x004044fb
0x004044fc
0x004044fd
0x0040450b

APIs

GetLastError.KERNEL32(9518852C,73B74C30,?,73B74D40,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404421
SetLastError.KERNEL32(?,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?,?), ref: 00404451
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000001,?,?,?,?,?,?,004AC3A0,000000FF,?,00403D9D,?), ref: 004044A1
SysFreeString.OLEAUT32(?), ref: 004044BD
SysFreeString.OLEAUT32(?), ref: 004044C8
SetLastError.KERNEL32(?), ref: 004044E8

Strings

T4L, xrefs: 00404415

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L
API String ID: 2425351278-1354015026
Opcode ID: 77a5511f58a867ba2974a95759635336675508833ab717c16b0faf72b683717b
Instruction ID: c1a8e6e27e6d95d5599461cddef750d2e346726b17c2bafc7bb77502d4853971
Opcode Fuzzy Hash: 77a5511f58a867ba2974a95759635336675508833ab717c16b0faf72b683717b
Instruction Fuzzy Hash: 4A413AB1900209EFDB00CF65C944B9EFBB4FF48314F14812AE819A7791E779A925CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00404AB0(void* __ecx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v12;
				char _v16;
				signed int _v24;
				intOrPtr _v32;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				short _v72;
				intOrPtr* _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				signed int _t40;
				void* _t54;
				void* _t59;
				void* _t60;
				void* _t61;
				short* _t63;
				void* _t71;
				intOrPtr* _t72;
				void* _t73;
				void* _t74;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				signed int _t82;
				signed int _t83;

				_t82 = (_t80 & 0xfffffff8) - 0x40;
				_t38 =  *0x4d7e88; // 0x9518852c
				_v24 = _t38 ^ _t82;
				_t40 =  *0x4d7e88; // 0x9518852c
				 *[fs:0x0] =  &_v16;
				_t60 = __ecx;
				_t72 = _a4;
				_v76 = _t72;
				_v80 = 0;
				E00406060( &_v72, 0x5c);
				 *((intOrPtr*)( &_v40 +  *((intOrPtr*)(_v40 + 4)))) = GetLastError();
				L0045A7D5(_v52);
				_t77 = __imp__#6;
				_t83 = _t82 + 4;
				 *_t77(_v44, _t40 ^ _t82, _t71, _t74, _t59,  *[fs:0x0], 0x4aca68, 0xffffffff);
				if(_v60 >= 8) {
					 *_t77(_v72);
				}
				_v72 = 0;
				_v52 = 7;
				_v56 = 0;
				SetLastError( *(_t83 +  *((intOrPtr*)(_v76 + 4)) + 0x18));
				 *_t72 = 0x4c2f50;
				 *((intOrPtr*)(_t72 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t72 + 0x2c)) = GetLastError();
				_v12 = 0;
				if(_t60 == 0) {
					_t54 = 0;
				} else {
					_t24 = _t60 + 4; // 0x4
					_t54 = _t24;
				}
				_t63 = _t72 + 4;
				 *((intOrPtr*)(_t63 + 0x14)) = 7;
				 *((intOrPtr*)(_t63 + 0x10)) = 0;
				 *_t63 = 0;
				E00406630(_t60, _t63, _t72, _t54, 0);
				 *((intOrPtr*)(_t72 + 0x1c)) = 0;
				 *((intOrPtr*)(_t72 + 0x20)) = 0;
				 *((intOrPtr*)(_t72 + 0x24)) = 0;
				_t32 =  *((intOrPtr*)(_t72 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t32 + _t72 + 0x28));
				 *[fs:0x0] = _v32;
				_t73 = 0xffffffff;
				_pop(_t79);
				_pop(_t61);
				return E0045A457(_t61, _v40 ^ _t83, 0, _t73, _t79);
			}

0x00404ac4
0x00404ac7
0x00404ace
0x00404ad5
0x00404ae1
0x00404ae7
0x00404ae9
0x00404af3
0x00404af7
0x00404aff
0x00404b17
0x00404b1d
0x00404b22
0x00404b28
0x00404b2f
0x00404b36
0x00404b3c
0x00404b3c
0x00404b46
0x00404b4f
0x00404b57
0x00404b66
0x00404b68
0x00404b6e
0x00404b7b
0x00404b7e
0x00404b88
0x00404b8f
0x00404b8a
0x00404b8a
0x00404b8a
0x00404b8a
0x00404b91
0x00404b99
0x00404ba0
0x00404ba8
0x00404bab
0x00404bb0
0x00404bb7
0x00404bbe
0x00404bc8
0x00404bcf
0x00404bd7
0x00404bdf
0x00404be0
0x00404be1
0x00404bf0

APIs

Part of subcall function 00406060: SysFreeString.OLEAUT32(?), ref: 004060C2
Part of subcall function 00406060: GetLastError.KERNEL32(9518852C,?,73B74D40,00000000,00000000,?,004ACA98,000000FF,T4L,00404B04), ref: 004060ED
Part of subcall function 00406060: SetLastError.KERNEL32(?,00000004,00000000,000000FF), ref: 0040613E

GetLastError.KERNEL32 ref: 00404B11
SysFreeString.OLEAUT32(?), ref: 00404B2F
SysFreeString.OLEAUT32(?), ref: 00404B3C
SetLastError.KERNEL32(?), ref: 00404B66
GetLastError.KERNEL32 ref: 00404B75
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00404BCF

Strings

T4L, xrefs: 00404B6E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L
API String ID: 2425351278-1354015026
Opcode ID: be714e4bf5fa390a1e12a13b6dba38f14e6c359a4fb5016913e6aa85f2a16c1e
Instruction ID: 09830f44d83ceb23d2da7353d6a015d3463f55c871dcda439cef5f342e7a354a
Opcode Fuzzy Hash: be714e4bf5fa390a1e12a13b6dba38f14e6c359a4fb5016913e6aa85f2a16c1e
Instruction Fuzzy Hash: E63118B1508245AFD700CF69C845B16BBE4FF88328F10462EF855976A1D7B5E815CF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0040CF3D, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040CF3D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				void* _t43;
				void* _t54;
				intOrPtr* _t73;
				void* _t78;
				void* _t80;
				void* _t82;
				void* _t83;
				intOrPtr _t85;
				intOrPtr _t86;

				_t76 = __edx;
				_push(0x104);
				E0045B8C9(0x4a0c56, __ebx, __edi, __esi);
				_t78 = __ecx;
				 *((intOrPtr*)(_t82 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t82 - 0x18)) = 0x4c2f40;
				E00404200(_t82 - 0x40, _t82 - 0x101, 0);
				 *((intOrPtr*)(_t82 - 4)) = 0;
				E0040DD64(_t82 - 0x40, L"0x%04x",  *(_t82 + 8) & 0x0000ffff);
				_push(L".ini");
				_push(_t82 - 0x40);
				_push(_t82 - 0xd0);
				_t80 = E0040B22B(0, _t78, __esi, 0);
				 *((char*)(_t82 - 4)) = 1;
				_t42 = E0040D208(_t78, _t82 - 0x100);
				_push(0);
				_push(0);
				_push(_t82 - 0xa0);
				 *((char*)(_t82 - 4)) = 2;
				_t43 = E0040A206(0, _t42, __edx, _t78, _t80, 0);
				_push(_t80);
				_push(_t82 - 0x70);
				 *((char*)(_t82 - 4)) = 3;
				E0040B91E(0, _t43, _t78, _t80, 0);
				E00401B80(_t82 - 0xa0);
				E00401B80(_t82 - 0x100);
				 *((char*)(_t82 - 4)) = 7;
				E00401B80(_t82 - 0xd0);
				_push(8);
				_t85 = _t83 + 0x18 - 0x30;
				 *((intOrPtr*)(_t82 - 0x108)) = _t85;
				E004091B8(_t85, L"FontSize", _t82 - 0x101, 1);
				_t86 = _t85 - 0x30;
				 *((intOrPtr*)(_t82 - 0x110)) = _t86;
				 *((char*)(_t82 - 4)) = 8;
				E004091B8(_t86, L"Properties", _t82 - 0x101, 1);
				_t73 = _t86 - 0x30;
				 *((char*)(_t82 - 4)) = 9;
				 *_t73 = 0x4c2fa0;
				 *((intOrPtr*)(_t73 + 0x28)) = 0x4c2f40;
				_push(0);
				_push(_t82 - 0x70);
				E00408E82(0, _t73, _t78, _t80, 0);
				 *((char*)(_t82 - 4)) = 7;
				_t54 = E0044575F(0, _t76, _t78, _t80, 0);
				E00401B80(_t82 - 0x70);
				E00401B80(_t82 - 0x40);
				return E0045B878(0, _t78, _t54);
			}

0x0040cf3d
0x0040cf3d
0x0040cf47
0x0040cf4c
0x0040cf5b
0x0040cf62
0x0040cf69
0x0040cf7c
0x0040cf7f
0x0040cf84
0x0040cf8c
0x0040cf93
0x0040cf9c
0x0040cfa7
0x0040cfab
0x0040cfb0
0x0040cfb1
0x0040cfb8
0x0040cfbb
0x0040cfbf
0x0040cfc4
0x0040cfc8
0x0040cfcb
0x0040cfcf
0x0040cfda
0x0040cfe5
0x0040cff0
0x0040cff4
0x0040cff9
0x0040cffb
0x0040d000
0x0040d014
0x0040d019
0x0040d01e
0x0040d032
0x0040d036
0x0040d03e
0x0040d040
0x0040d044
0x0040d04a
0x0040d051
0x0040d055
0x0040d056
0x0040d05b
0x0040d05f
0x0040d06f
0x0040d077
0x0040d084

APIs

__EH_prolog3_GS.LIBCMT ref: 0040CF47

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044575F: __EH_prolog3_GS.LIBCMT ref: 00445769

Strings

FontSize, xrefs: 0040D00F
@/L, xrefs: 0040CF62
Properties, xrefs: 0040D02D
0x%04x, xrefs: 0040CF76
@/L, xrefs: 0040D04A
.ini, xrefs: 0040CF84

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString$H_prolog3
String ID: .ini$0x%04x$@/L$@/L$FontSize$Properties
API String ID: 1949661404-2293665164
Opcode ID: d3fc68d9228e65f8b8f5e34e919c4f5d1c5ea8712fe81b29909fa070ed62ed28
Instruction ID: 7b5d863ec8f61f1dcf2dbdbf51602eaf4a1d24238f66e5dda1212ad8cbdd6bc2
Opcode Fuzzy Hash: d3fc68d9228e65f8b8f5e34e919c4f5d1c5ea8712fe81b29909fa070ed62ed28
Instruction Fuzzy Hash: 693175B1900218EADB04F7A5CC56BED7778AF14348F1400EFF54567182DBB85B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004479E1, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004479E1(void* __ebx, signed int __edi, void* __esi, void* __eflags) {
				intOrPtr* _t62;
				void* _t72;
				void* _t73;

				_t71 = __esi;
				_t70 = __edi;
				_push(0x4a0);
				E0045B8C9(0x4a7e96, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t72 - 0x488)) =  *((intOrPtr*)(_t72 + 8));
				_push(_t72 - 0x484);
				_push(0x400);
				_push(_t72 - 0x410);
				L0048027C();
				_t62 = GetProcAddress(GetModuleHandleW(L"Ntdll.dll"), "NtQueryInformationProcess");
				if(_t62 == 0) {
					L7:
					return E0045B878(_t62, _t70, _t71);
				}
				_t70 = 0;
				if( *((intOrPtr*)(_t72 - 0x484)) <= 0) {
					goto L7;
				} else {
					goto L2;
				}
				do {
					L2:
					_t71 = OpenProcess(0x400, 0,  *(_t72 + _t70 * 4 - 0x410));
					 *((intOrPtr*)(_t72 - 0x480)) = _t71;
					 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
					if(_t71 != 0) {
						E0045A4D0(_t72 - 0x4a4, 0, 0x18);
						_t73 = _t73 + 0xc;
						_push(_t72 - 0x48c);
						_push(0x18);
						_push(_t72 - 0x4a4);
						_push(0);
						_push(_t71);
						if( *_t62() >= 0 &&  *((intOrPtr*)(_t72 - 0x494)) != 0) {
							E0043EB36(_t72 - 0x444);
							 *(_t72 - 4) = 1;
							 *((intOrPtr*)(_t72 - 0x444)) =  *((intOrPtr*)(_t72 - 0x490));
							E00406A00(_t72 - 0x43c, _t70, 0x4c2d7c);
							 *((intOrPtr*)(_t72 - 0x47c)) =  *((intOrPtr*)(_t72 - 0x494));
							E0043EB07(_t72 - 0x478, _t72 - 0x444);
							 *(_t72 - 4) = 2;
							E00445D30( *((intOrPtr*)(_t72 - 0x488)), _t72 - 0x4ac, _t72 - 0x47c);
							E00401B80(_t72 - 0x474);
							E00401B80(_t72 - 0x440);
						}
					}
					 *(_t72 - 4) =  *(_t72 - 4) | 0xffffffff;
					E00405170(_t72 - 0x480);
					_t70 = _t70 + 1;
				} while (_t70 <  *((intOrPtr*)(_t72 - 0x484)));
				goto L7;
			}

0x004479e1
0x004479e1
0x004479e1
0x004479eb
0x004479f3
0x004479ff
0x00447a00
0x00447a0b
0x00447a0c
0x00447a28
0x00447a2c
0x00447b39
0x00447b3e
0x00447b3e
0x00447a32
0x00447a3a
0x00000000
0x00000000
0x00000000
0x00000000
0x00447a40
0x00447a40
0x00447a54
0x00447a56
0x00447a5c
0x00447a62
0x00447a73
0x00447a78
0x00447a81
0x00447a82
0x00447a8a
0x00447a8b
0x00447a8d
0x00447a92
0x00447aa7
0x00447abd
0x00447ac1
0x00447ac7
0x00447ad2
0x00447ae5
0x00447afe
0x00447b02
0x00447b0d
0x00447b18
0x00447b18
0x00447a92
0x00447b1d
0x00447b27
0x00447b2c
0x00447b2d
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 004479EB
GetModuleHandleW.KERNEL32(Ntdll.dll,NtQueryInformationProcess,?,00000400,?,000004A0,004479CF,00000000,?,0000006C,0044A131,?,?,?), ref: 00447A1B
GetProcAddress.KERNEL32(00000000), ref: 00447A22
OpenProcess.KERNEL32(00000400,00000000,?,?,0000006C,0044A131,?,?,?), ref: 00447A4E
_memset.LIBCMT ref: 00447A73

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

NtQueryInformationProcess, xrefs: 00447A11
Ntdll.dll, xrefs: 00447A16

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString$AddressH_prolog3_HandleModuleOpenProcProcess_memset
String ID: NtQueryInformationProcess$Ntdll.dll
API String ID: 954382961-801751246
Opcode ID: 5f8fa832c6cdf6d3eb2848ca9340f0d5c3770b6fbfa7dfc163aea7dedc95e4a3
Instruction ID: d4dedfc45bac28ba493e5a0d10001653476ca340c4fd1037dfe1a4d7fdff879f
Opcode Fuzzy Hash: 5f8fa832c6cdf6d3eb2848ca9340f0d5c3770b6fbfa7dfc163aea7dedc95e4a3
Instruction Fuzzy Hash: 77313EB19002199BDB20EB61CC45BDDB778AB44348F4044EAA709A7182DB786F89CF5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042C627, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0042C627(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t26;
				intOrPtr _t39;
				void* _t53;
				void* _t54;

				_push(0x38);
				E0045B8C9(0x4a4e39, __ebx, __edi, __esi);
				_t53 = __ecx;
				_t51 = __ecx + 0x408;
				E004064B0(__ecx + 0x408,  *((intOrPtr*)(_t54 + 8)));
				_t56 =  *((char*)(_t54 + 0x10));
				if( *((char*)(_t54 + 0x10)) != 0) {
					_t40 = ",";
					_push(E0045B5D4(","));
					E00412995(",", _t53 + 0x40c, _t51, _t53, _t56, _t40);
				}
				_t5 = _t54 + 0xc; // 0x4c2f40
				_t39 =  *_t5;
				if(_t39 != 0) {
					if( *0x4d9418 != 0 ||  *0x4dab26 != 0) {
						_t7 = _t54 - 0x40; // 0x4c2f50
						 *((intOrPtr*)(_t54 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t54 - 0x18)) = 0x4c3454;
						E00403FB0(L"..\\..\\Shared\\Setup\\SetupPreRequisite.cpp", _t54 - 0x41, 0);
						 *(_t54 - 4) =  *(_t54 - 4) & 0x00000000;
						_t12 = _t54 - 0x40; // 0x4c2f50
						E00402980(_t7, _t51, _t12, 0x265);
						 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
						_t15 = _t54 - 0x40; // 0x4c2f50
						E00401AC0(_t15);
					}
					E00405460(_t51, _t51, L"PrereqEngine: ");
				}
				if( *(_t53 + 0x404) != 0) {
					_t62 = _t39;
					if(_t39 != 0) {
						_t51 = L"\r\n";
						_push(E0045B5D4(L"\r\n"));
						E00412995(_t39, _t53 + 0x40c, L"\r\n", _t53, _t62, _t51);
					}
					_t26 = _t53 + 0x40c;
					if(_t26[0xa] >= 8) {
						_t26 =  *_t26;
					}
					SetWindowTextW( *(_t53 + 0x404), _t26);
				}
				return E0045B878(_t39, _t51, _t53);
			}

0x0042c627
0x0042c62e
0x0042c633
0x0042c638
0x0042c641
0x0042c646
0x0042c64a
0x0042c64c
0x0042c658
0x0042c660
0x0042c660
0x0042c665
0x0042c665
0x0042c66a
0x0042c673
0x0042c689
0x0042c68c
0x0042c693
0x0042c69a
0x0042c69f
0x0042c6a8
0x0042c6ad
0x0042c6b2
0x0042c6b6
0x0042c6b9
0x0042c6b9
0x0042c6c5
0x0042c6c5
0x0042c6d1
0x0042c6d3
0x0042c6d5
0x0042c6d7
0x0042c6e3
0x0042c6eb
0x0042c6eb
0x0042c6f0
0x0042c6fa
0x0042c6fc
0x0042c6fc
0x0042c705
0x0042c705
0x0042c710

APIs

__EH_prolog3_GS.LIBCMT ref: 0042C62E
SetWindowTextW.USER32(00000000,?), ref: 0042C705

Strings

PrereqEngine: , xrefs: 0042C6BE
P/L, xrefs: 0042C6A8, 0042C6AB
T4L, xrefs: 0042C693
..\..\Shared\Setup\SetupPreRequisite.cpp, xrefs: 0042C684
@/L, xrefs: 0042C665

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_TextWindow
String ID: ..\..\Shared\Setup\SetupPreRequisite.cpp$@/L$P/L$PrereqEngine: $T4L
API String ID: 2928184256-3046138960
Opcode ID: 68a4f8a286727cb4533fdacfe7cb15d6e405c1b421d956392f763aeebacd1dd3
Instruction ID: c3ec2bdf6a7a5a4986fd96f18d36534da28e7fd18ae2f263c25a6e9e12bb549a
Opcode Fuzzy Hash: 68a4f8a286727cb4533fdacfe7cb15d6e405c1b421d956392f763aeebacd1dd3
Instruction Fuzzy Hash: 6121F5B0600244AEC715EB61D885BEF7768AB41308F44411FF6416B1D2DBBC6A4AC76C

Uniqueness

Uniqueness Score: -1.00%

Function 0044328D, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0044328D(void* __ebx, void* __edx, _Unknown_base(*)()* _a4, intOrPtr _a8) {
				signed int _v8;
				char _v328;
				char _v600;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t9;
				_Unknown_base(*)()* _t12;
				_Unknown_base(*)()* _t14;
				_Unknown_base(*)()* _t17;
				_Unknown_base(*)()* _t21;
				void* _t31;
				intOrPtr _t32;
				signed int _t34;

				_t31 = __edx;
				_t24 = __ebx;
				_t9 =  *0x4d7e88; // 0x9518852c
				_v8 = _t9 ^ _t34;
				_t33 = _a4;
				_t32 = _a8;
				_t12 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FindNextFileW");
				if(_t12 == 0) {
					_t14 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "FindNextFileA");
					__eflags = _t14;
					if(_t14 == 0) {
						__eflags = 0;
						goto L8;
					}
					_t17 =  *_t14(_t33,  &_v328);
					_t33 = _t17;
					__eflags = _t17;
					if(__eflags != 0) {
						_push( &_v328);
						E0043CB63(__ebx, _t32, _t32, _t33, __eflags);
					}
					goto L3;
				} else {
					_t21 =  *_t12(_t33,  &_v600);
					_t33 = _t21;
					if(_t21 != 0) {
						E0043CC17(_t32,  &_v600);
					}
					L3:
					L8:
					return E0045A457(_t24, _v8 ^ _t34, _t31, _t32, _t33);
				}
			}

0x0044328d
0x0044328d
0x00443296
0x0044329d
0x004432a1
0x004432a5
0x004432b9
0x004432c1
0x004432f6
0x004432fc
0x004432fe
0x00443320
0x00000000
0x00443320
0x00443308
0x0044330a
0x0044330c
0x0044330e
0x00443316
0x00443319
0x00443319
0x00000000
0x004432c3
0x004432cb
0x004432cd
0x004432d1
0x004432dc
0x004432dc
0x004432e1
0x00443322
0x0044332f
0x0044332f

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileW), ref: 004432B2
GetProcAddress.KERNEL32(00000000), ref: 004432B9
GetModuleHandleW.KERNEL32(kernel32.dll,FindNextFileA), ref: 004432EF
GetProcAddress.KERNEL32(00000000), ref: 004432F6

Strings

kernel32.dll, xrefs: 004432AD, 004432EA
FindNextFileA, xrefs: 004432E5
FindNextFileW, xrefs: 004432A8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindNextFileA$FindNextFileW$kernel32.dll
API String ID: 1646373207-719559652
Opcode ID: b4c9337024ede60de3f42878ff08df68ba7ba4a8dcb57f2310b8ceb2f31ba9df
Instruction ID: c1027bc44a8e213149c23da75219b10b3f882e872acd4293d52a505f9882573c
Opcode Fuzzy Hash: b4c9337024ede60de3f42878ff08df68ba7ba4a8dcb57f2310b8ceb2f31ba9df
Instruction Fuzzy Hash: 9C118C31A016145BEF14DFA9CC56FEEF7A89F48B05B0400AAE915E3140DB7CEE45876D

Uniqueness

Uniqueness Score: -1.00%

Function 0044C4A7, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0044C4A7(void* __ecx) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t115;

				_push(0x44);
				_t45 = E0045C169(_t82, _t95, _t96, _t115);
				if(_t45 == 0) {
					_t107 = _t106 - 0x10;
					_push(1);
					_t5 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t5,  &_v8);
					_t7 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t7, 0x4d0de8);
					asm("int3");
					_push(_t106);
					_t108 = _t107 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t107);
					_t100 = _t108;
					_t109 = _t108 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t100);
					_t101 = _t109;
					_t110 = _t109 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t101);
					_t111 = _t110 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t110);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t111);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t111 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t93 = _t1;
					 *_t45 = _t45;
					if(_t93 != 0) {
						 *_t93 = _t45;
					}
					_t94 = _t45 + 8;
					if(_t94 != 0) {
						 *_t94 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x0044c4a7
0x0044c4a9
0x0044c4b1
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0044c4b7
0x0044c4b7
0x0044c4b7
0x0044c4ba
0x0044c4be
0x0044c4c0
0x0044c4c0
0x0044c4c2
0x0044c4c7
0x0044c4c9
0x0044c4c9
0x0044c4cb
0x0044c4d1
0x0044c4d1

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: 60ed036e210ecc4fbab883f836a888a84ab4f5caa7e6398b7de5f3fd8963b1a5
Instruction ID: 789974fd95566fa97475cb8d0a5471cb1fd929a59e2e63bdb17a9d95ebafa182
Opcode Fuzzy Hash: 60ed036e210ecc4fbab883f836a888a84ab4f5caa7e6398b7de5f3fd8963b1a5
Instruction Fuzzy Hash: C0118975900209AEC704EFE5C495ADEB7B8AF04304F54815FE91597642D7789708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0048B6D0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B6D0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x18);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b6d0
0x0048b6d2
0x0048b6d7
0x0048b6dc
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b6e2
0x0048b6e2
0x0048b6e2
0x0048b6e5
0x0048b6e7
0x0048b6e9
0x0048b6eb
0x0048b6eb
0x0048b6ed
0x0048b6f0
0x0048b6f2
0x0048b6f4
0x0048b6f4
0x0048b6f6
0x0048b6fc
0x0048b6fc

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction ID: 19a4b71ff3e8cc1d2bb0f433e941cc12950c9365ab6a82856de6a64ffdaaef22
Opcode Fuzzy Hash: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction Fuzzy Hash: 4F114974800209AFCB04EFE5C895ADEB7B8AF04304F54856FAD1597642E778A70CCF99

Uniqueness

Uniqueness Score: -1.00%

Function 0048B6A0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B6A0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x18);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b6a0
0x0048b6a2
0x0048b6a7
0x0048b6ac
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b6b2
0x0048b6b2
0x0048b6b2
0x0048b6b5
0x0048b6b7
0x0048b6b9
0x0048b6bb
0x0048b6bb
0x0048b6bd
0x0048b6c0
0x0048b6c2
0x0048b6c4
0x0048b6c4
0x0048b6c6
0x0048b6cc
0x0048b6cc

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction ID: f8497bba347d7fe3af2451188434a5e3091d42b22f972d6889eec68102306aa6
Opcode Fuzzy Hash: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction Fuzzy Hash: 8E114974800209AFCB04EFE5C495ADEB7B8AF04304F54856FA91597652E778A70CCF99

Uniqueness

Uniqueness Score: -1.00%

Function 0048B760, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B760(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x44);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b760
0x0048b762
0x0048b767
0x0048b76c
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b772
0x0048b772
0x0048b772
0x0048b775
0x0048b777
0x0048b779
0x0048b77b
0x0048b77b
0x0048b77d
0x0048b780
0x0048b782
0x0048b784
0x0048b784
0x0048b786
0x0048b78c
0x0048b78c

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction ID: 3cbc7bf26846c2376e934087929962b45013334c21a332f74712c0f627fc3f33
Opcode Fuzzy Hash: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction Fuzzy Hash: 29114974800309AFC704EFE5C495BDEB7B8AF04304F54856FA91597652E778A708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0048B700, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B700(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x18);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b700
0x0048b702
0x0048b707
0x0048b70c
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b712
0x0048b712
0x0048b712
0x0048b715
0x0048b717
0x0048b719
0x0048b71b
0x0048b71b
0x0048b71d
0x0048b720
0x0048b722
0x0048b724
0x0048b724
0x0048b726
0x0048b72c
0x0048b72c

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction ID: d85b41f54b15b163e3c2ffe02823d2417382f8979c83a0073eb2e44ba54e2749
Opcode Fuzzy Hash: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction Fuzzy Hash: 5E114974800309AFCB04EFE5C495ADEB7B8AF04305F54856FA91597642E778A70CCFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0048B730, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B730(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x18);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b730
0x0048b732
0x0048b737
0x0048b73c
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b742
0x0048b742
0x0048b742
0x0048b745
0x0048b747
0x0048b749
0x0048b74b
0x0048b74b
0x0048b74d
0x0048b750
0x0048b752
0x0048b754
0x0048b754
0x0048b756
0x0048b75c
0x0048b75c

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction ID: 1ea61b33cb80b838d565d4bdd0acd8363137df685e1b71f8a0c1a44ab6de70f8
Opcode Fuzzy Hash: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction Fuzzy Hash: 9D114974800309AFCB04EFE5C495ADEB7B8AF04305F54856FA91597642E778A70CCF99

Uniqueness

Uniqueness Score: -1.00%

Function 0048B7C0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B7C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x44);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b7c0
0x0048b7c2
0x0048b7c7
0x0048b7cc
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b7d2
0x0048b7d2
0x0048b7d2
0x0048b7d5
0x0048b7d7
0x0048b7d9
0x0048b7db
0x0048b7db
0x0048b7dd
0x0048b7e0
0x0048b7e2
0x0048b7e4
0x0048b7e4
0x0048b7e6
0x0048b7ec
0x0048b7ec

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction ID: a33d039ea94569bfe0ed5e36129b187f3d7b7dd3518e7a24abcd1656d776186c
Opcode Fuzzy Hash: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction Fuzzy Hash: F8114974800309AFC704EFE5C895BDEB7B8AF04704F54856FA91597642E778A708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0043F7EF, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0043F7EF(void* __ecx) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t115;

				_push(0x48);
				_t45 = E0045C169(_t82, _t95, _t96, _t115);
				if(_t45 == 0) {
					_t107 = _t106 - 0x10;
					_push(1);
					_t5 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t5,  &_v8);
					_t7 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t7, 0x4d0de8);
					asm("int3");
					_push(_t106);
					_t108 = _t107 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t107);
					_t100 = _t108;
					_t109 = _t108 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t100);
					_t101 = _t109;
					_t110 = _t109 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t101);
					_t111 = _t110 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t110);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t111);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t111 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t93 = _t1;
					 *_t45 = _t45;
					if(_t93 != 0) {
						 *_t93 = _t45;
					}
					_t94 = _t45 + 8;
					if(_t94 != 0) {
						 *_t94 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x0043f7ef
0x0043f7f1
0x0043f7f9
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0043f7ff
0x0043f7ff
0x0043f7ff
0x0043f802
0x0043f806
0x0043f808
0x0043f808
0x0043f80a
0x0043f80f
0x0043f811
0x0043f811
0x0043f813
0x0043f819
0x0043f819

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: 4c23c7141e72f3090bbc6d1d5bc5a6eb03c9bc70a8a7c4655869d2e9451955b4
Instruction ID: 15e82518eab24ab0a6d6f45e2c043d83d819b003917f1163955c5f7296543226
Opcode Fuzzy Hash: 4c23c7141e72f3090bbc6d1d5bc5a6eb03c9bc70a8a7c4655869d2e9451955b4
Instruction Fuzzy Hash: 65118974800209AEC704EFE5C455ADEB7B8AF04304F50816FE91597642DB78970CCFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0048B7F0, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B7F0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x18);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b7f0
0x0048b7f2
0x0048b7f7
0x0048b7fc
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b802
0x0048b802
0x0048b802
0x0048b805
0x0048b807
0x0048b809
0x0048b80b
0x0048b80b
0x0048b80d
0x0048b810
0x0048b812
0x0048b814
0x0048b814
0x0048b816
0x0048b81c
0x0048b81c

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction ID: 01ddba90889d7ad54c47319944c9da15711c80b9a375f7ad7e9f1207570a8c45
Opcode Fuzzy Hash: aac4728931c66e4bbfabc350f77d419288c41af7014607d6e2543e5d8807a8b7
Instruction Fuzzy Hash: 0F113674800209AFCB04FFE5C495ADEB7B8AF04304F54856BE91597642E778A708CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0048B790, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0048B790(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				void* _t45;
				void* _t97;
				void* _t98;
				void* _t103;
				void* _t104;
				void* _t105;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;

				_push(0x44);
				_t45 = E0045C169(__ebx, __edx, __edi, __eflags);
				_t104 = _t103 + 4;
				if(_t45 == 0) {
					_t105 = _t104 - 0x10;
					_push(1);
					_t2 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t2,  &_v8);
					_t4 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t4, 0x4d0de8);
					asm("int3");
					_push(_t104);
					_t106 = _t105 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t105);
					_t97 = _t106;
					_t107 = _t106 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t97);
					_t98 = _t107;
					_t108 = _t107 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t98);
					_t109 = _t108 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t108);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t109);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t109 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t42 = __eax + 4; // 0x4
					__ecx = _t42;
					 *__eax = __eax;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					__ecx = __eax + 8;
					__eflags = __ecx;
					if(__ecx != 0) {
						 *__ecx = __eax;
					}
					 *((short*)(__eax + 0xc)) = 0x101;
					return __eax;
				}
			}

0x0048b790
0x0048b792
0x0048b797
0x0048b79c
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x0048b7a2
0x0048b7a2
0x0048b7a2
0x0048b7a5
0x0048b7a7
0x0048b7a9
0x0048b7ab
0x0048b7ab
0x0048b7ad
0x0048b7b0
0x0048b7b2
0x0048b7b4
0x0048b7b4
0x0048b7b6
0x0048b7bc
0x0048b7bc

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction ID: 3a96a31f53df5e09902381b0290711c4c4866189c3feac29198cb1a03e7edc6d
Opcode Fuzzy Hash: bba313ca3e740a458308c623b010c1b537f209e208fd59de1459d2a320378c95
Instruction Fuzzy Hash: 01114974800309AFC704EFE5C495BDEB7B8AF04304F54856FA91597642E778A708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00428AD4, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00428AD4(void* __ecx) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t115;

				_push(0x78);
				_t45 = E0045C169(_t82, _t95, _t96, _t115);
				if(_t45 == 0) {
					_t107 = _t106 - 0x10;
					_push(1);
					_t5 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t5,  &_v8);
					_t7 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t7, 0x4d0de8);
					asm("int3");
					_push(_t106);
					_t108 = _t107 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t107);
					_t100 = _t108;
					_t109 = _t108 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t100);
					_t101 = _t109;
					_t110 = _t109 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t101);
					_t111 = _t110 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t110);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t111);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t111 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t93 = _t1;
					 *_t45 = _t45;
					if(_t93 != 0) {
						 *_t93 = _t45;
					}
					_t94 = _t45 + 8;
					if(_t94 != 0) {
						 *_t94 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x00428ad4
0x00428ad6
0x00428ade
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x00428ae4
0x00428ae4
0x00428ae4
0x00428ae7
0x00428aeb
0x00428aed
0x00428aed
0x00428aef
0x00428af4
0x00428af6
0x00428af6
0x00428af8
0x00428afe
0x00428afe

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: 5d1474a2c3c44ed6a066f5c5bcc763936be5ca0b48d148e92f15afbee7363b00
Instruction ID: c08fe74c4ff2020f982ad2ac76490017d19278fe576dccc4cab8603ebb60b3a0
Opcode Fuzzy Hash: 5d1474a2c3c44ed6a066f5c5bcc763936be5ca0b48d148e92f15afbee7363b00
Instruction Fuzzy Hash: 1D118974900209AECB04EFE5C495ADEB7B8AF04304F50815FA91597642EBB8A708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00431EE8, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00431EE8(void* __ecx) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t115;

				_push(0x40);
				_t45 = E0045C169(_t82, _t95, _t96, _t115);
				if(_t45 == 0) {
					_t107 = _t106 - 0x10;
					_push(1);
					_t5 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t5,  &_v8);
					_t7 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t7, 0x4d0de8);
					asm("int3");
					_push(_t106);
					_t108 = _t107 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t107);
					_t100 = _t108;
					_t109 = _t108 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t100);
					_t101 = _t109;
					_t110 = _t109 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t101);
					_t111 = _t110 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t110);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t111);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t111 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t93 = _t1;
					 *_t45 = _t45;
					if(_t93 != 0) {
						 *_t93 = _t45;
					}
					_t94 = _t45 + 8;
					if(_t94 != 0) {
						 *_t94 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x00431ee8
0x00431eea
0x00431ef2
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x00431ef8
0x00431ef8
0x00431ef8
0x00431efb
0x00431eff
0x00431f01
0x00431f01
0x00431f03
0x00431f08
0x00431f0a
0x00431f0a
0x00431f0c
0x00431f12
0x00431f12

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: 6d54f8c2b9aa8ed8dcff50ed4ac7be80dc3ca5bbeb385165aa7131171f81e2d1
Instruction ID: 101c7218b0ad70a17ecada5e6019e606067e8f302c15b8e63c7ed2b541ff5ea4
Opcode Fuzzy Hash: 6d54f8c2b9aa8ed8dcff50ed4ac7be80dc3ca5bbeb385165aa7131171f81e2d1
Instruction Fuzzy Hash: DA118974800209AEC704EFE5C455FDEB7B8AF04305F50815FE91597642D7789708CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00431EBD, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00431EBD(void* __ecx) {
				char* _v8;
				char _v20;
				char _v52;
				char _v56;
				char _v68;
				char _v72;
				char _v76;
				char _v88;
				char _v96;
				char _v116;
				intOrPtr _v124;
				char _v148;
				char _v156;
				char _v176;
				intOrPtr* _t45;
				void* _t82;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t95;
				void* _t96;
				void* _t100;
				void* _t101;
				void* _t106;
				void* _t107;
				void* _t108;
				void* _t109;
				void* _t110;
				void* _t111;
				void* _t115;

				_push(0x44);
				_t45 = E0045C169(_t82, _t95, _t96, _t115);
				if(_t45 == 0) {
					_t107 = _t106 - 0x10;
					_push(1);
					_t5 =  &_v20; // 0x4c2d7c
					_v8 = "bad allocation";
					E0045C74E(_t5,  &_v8);
					_t7 =  &_v20; // 0x4c2d7c
					_v20 = 0x4b75bc;
					E0045A466(_t7, 0x4d0de8);
					asm("int3");
					_push(_t106);
					_t108 = _t107 - 0xc;
					E0045C78C( &_v52);
					_v52 = 0x4b7620;
					E0045A466( &_v52, 0x4d0f64);
					asm("int3");
					_push(_t107);
					_t100 = _t108;
					_t109 = _t108 - 0xc;
					E0045C729( &_v76,  &_v56);
					_v76 = 0x4b75e4;
					E0045A466( &_v76, 0x4d0e20);
					asm("int3");
					_push(_t100);
					_t101 = _t109;
					_t110 = _t109 - 0xc;
					E0045C729( &_v72,  &_v52);
					_v72 = 0x4b75f0;
					E0045A466( &_v72, 0x4d0e78);
					asm("int3");
					_push(_t101);
					_t111 = _t110 - 0xc;
					E0045C729( &_v88,  &_v68);
					_v88 = 0x4b75fc;
					E0045A466( &_v88, 0x4d0eb4);
					asm("int3");
					_push(_t110);
					E0045C729( &_v116,  &_v96);
					_v116 = 0x4b7614;
					E0045A466( &_v116, 0x4d0ef0);
					asm("int3");
					_push(_t111);
					E00459CA5( &_v148, _v124);
					E0045A466( &_v148, 0x4d0f9c);
					asm("int3");
					_push(_t111 - 0xc);
					E0045C729( &_v176,  &_v156);
					_v176 = 0x4b7608;
					E0045A466( &_v176, 0x4d0f48);
					asm("int3");
					return "bad function call";
				} else {
					_t1 = _t45 + 4; // 0x4
					_t93 = _t1;
					 *_t45 = _t45;
					if(_t93 != 0) {
						 *_t93 = _t45;
					}
					_t94 = _t45 + 8;
					if(_t94 != 0) {
						 *_t94 = _t45;
					}
					 *((short*)(_t45 + 0xc)) = 0x101;
					return _t45;
				}
			}

0x00431ebd
0x00431ebf
0x00431ec7
0x00459f1f
0x00459f22
0x00459f28
0x00459f2b
0x00459f32
0x00459f3c
0x00459f40
0x00459f47
0x00459f4c
0x00459f4d
0x00459f50
0x00459f56
0x00459f64
0x00459f6b
0x00459f70
0x00459f71
0x00459f72
0x00459f74
0x00459f84
0x00459f92
0x00459f99
0x00459f9e
0x00459f9f
0x00459fa0
0x00459fa2
0x00459fb2
0x00459fc0
0x00459fc7
0x00459fcc
0x00459fcd
0x00459fd0
0x00459fe0
0x00459fee
0x00459ff5
0x00459ffa
0x00459ffb
0x0045a00e
0x0045a01c
0x0045a023
0x0045a028
0x0045a029
0x0045a035
0x0045a043
0x0045a048
0x0045a049
0x0045a05c
0x0045a06a
0x0045a071
0x0045a076
0x0045a07c
0x00431ecd
0x00431ecd
0x00431ecd
0x00431ed0
0x00431ed4
0x00431ed6
0x00431ed6
0x00431ed8
0x00431edd
0x00431edf
0x00431edf
0x00431ee1
0x00431ee7
0x00431ee7

APIs

Part of subcall function 0045C169: _malloc.LIBCMT ref: 0045C181

std::exception::exception.LIBCMT ref: 00459F32
__CxxThrowException@8.LIBCMT ref: 00459F47
__CxxThrowException@8.LIBCMT ref: 00459F6B
std::exception::exception.LIBCMT ref: 00459F84
__CxxThrowException@8.LIBCMT ref: 00459F99

Strings

|-L, xrefs: 00459F28, 00459F3C, 00459F3F
uK, xrefs: 00459F92

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID: |-L$uK
API String ID: 3942750879-472808943
Opcode ID: 60ed036e210ecc4fbab883f836a888a84ab4f5caa7e6398b7de5f3fd8963b1a5
Instruction ID: 526b36643461760f01d76a3ed06622be3f02d2a016b336a421431f81254153db
Opcode Fuzzy Hash: 60ed036e210ecc4fbab883f836a888a84ab4f5caa7e6398b7de5f3fd8963b1a5
Instruction Fuzzy Hash: F9118974800209AEC704EFE5C495EDEB7B8AF04304F50815FE91597692D7789708CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444840, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 52
libraryloadertimeCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00444840(long _a4, void* _a8, struct _FILETIME* _a12, struct _FILETIME* _a16, struct _FILETIME* _a20, struct _FILETIME* _a24) {
				void* _t8;
				_Unknown_base(*)()* _t11;
				int _t15;
				long _t18;
				void* _t19;
				void* _t20;

				_t20 = _a8;
				_t18 = _a4;
				if(_t18 != 0) {
					L5:
					_t15 = 0;
					if(_t20 != 0) {
						L7:
						_t19 = GetProcessTimes(_t20, _a12, _a16, _a20, _a24);
						if(_t15 != 0) {
							CloseHandle(_t20);
						}
						_t8 = _t19;
						L10:
						return _t8;
					}
					_t15 = 1;
					_t8 = OpenProcess(0x1fffff, 1, _t18);
					_t20 = _t8;
					if(_t20 == 0) {
						goto L10;
					}
					goto L7;
				}
				if(_t20 != 0) {
					_t11 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetProcessId");
					if(_t11 != 0) {
						_t18 =  *_t11(_t20);
					}
					goto L5;
				}
				return 0;
			}

0x00444844
0x00444848
0x0044484d
0x00444877
0x00444878
0x0044487c
0x00444894
0x004448a7
0x004448ab
0x004448ae
0x004448ae
0x004448b4
0x004448b6
0x00000000
0x004448b6
0x00444881
0x00444888
0x0044488e
0x00444892
0x00000000
0x00000000
0x00000000
0x00444892
0x00444851
0x00444868
0x00444870
0x00444875
0x00444875
0x00000000
0x00444870
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 00444861
GetProcAddress.KERNEL32(00000000), ref: 00444868
OpenProcess.KERNEL32(001FFFFF,00000001,?), ref: 00444888
GetProcessTimes.KERNEL32(?,?,?,?,?), ref: 004448A1
CloseHandle.KERNEL32(?), ref: 004448AE

Strings

kernel32.dll, xrefs: 0044485C
GetProcessId, xrefs: 00444857

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: HandleProcess$AddressCloseModuleOpenProcTimes
String ID: GetProcessId$kernel32.dll
API String ID: 4254294609-399901964
Opcode ID: d9dd75881622ae1a5251324709c78a041525cfc1c7e314dbfbf79ae1e38753b5
Instruction ID: 70ec993c6545ce782f9c3288f8f2c7a82e84c3b42845133a85a5c509c0c0755a
Opcode Fuzzy Hash: d9dd75881622ae1a5251324709c78a041525cfc1c7e314dbfbf79ae1e38753b5
Instruction Fuzzy Hash: BF01F7376416556F6F125FA59C04AAB7B9DAE8A7A17090036FD20D3200C738DC0147E8

Uniqueness

Uniqueness Score: -1.00%

Function 0043A5E7, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 47
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E0043A5E7(intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				_Unknown_base(*)()* _t16;
				struct HINSTANCE__* _t20;
				_Unknown_base(*)()* _t21;
				_Unknown_base(*)()* _t23;

				_t16 =  *0x4d99e4; // 0x0
				if(_t16 != 0) {
					__imp__DecodePointer(_t16);
					_t23 = _t16;
					L4:
					if(_t23 == 0) {
						L6:
						return LCMapStringW(E0043A559(_a4), _a8, _a12, _a16, _a20, _a24);
					}
					return  *_t23(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);
				}
				_t20 = GetModuleHandleW(L"kernel32.dll");
				if(_t20 == 0) {
					goto L6;
				}
				_t21 = GetProcAddress(_t20, "LCMapStringEx");
				_t23 = _t21;
				__imp__EncodePointer(_t23);
				 *0x4d99e4 = _t21;
				goto L4;
			}

0x0043a5ea
0x0043a5f2
0x0043a620
0x0043a626
0x0043a628
0x0043a62a
0x0043a64b
0x00000000
0x0043a664
0x00000000
0x0043a647
0x0043a5f9
0x0043a601
0x00000000
0x00000000
0x0043a609
0x0043a60f
0x0043a612
0x0043a618
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043A5F9
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0043A609
EncodePointer.KERNEL32(00000000), ref: 0043A612
DecodePointer.KERNEL32(00000000), ref: 0043A620
LCMapStringW.KERNEL32(00000000,?,?,?,?,?), ref: 0043A664

Strings

kernel32.dll, xrefs: 0043A5F4
LCMapStringEx, xrefs: 0043A603

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProcString
String ID: LCMapStringEx$kernel32.dll
API String ID: 405835482-327329431
Opcode ID: b1fd236d22805b4a8d86d6e3e0e7ae531a58f2b2358628097268813cc7cb2d51
Instruction ID: 3ebc672357b0c79b86528f874e75da5eadc0ccec512779a76a81e18060f75be9
Opcode Fuzzy Hash: b1fd236d22805b4a8d86d6e3e0e7ae531a58f2b2358628097268813cc7cb2d51
Instruction Fuzzy Hash: 2A01173244221ABB8F025FA1DD09DDA3F6ABB0C350B044426FE55A1120C73AC831ABA9

Uniqueness

Uniqueness Score: -1.00%

Function 0043A583, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0043A583(struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t12;
				_Unknown_base(*)()* _t13;

				_t6 =  *0x4d99e0; // 0x0
				if(_t6 != 0) {
					__imp__DecodePointer(_t6);
					_t13 = _t6;
					L4:
					if(_t13 == 0) {
						L6:
						InitializeCriticalSectionAndSpinCount(_a4, _a8);
						return 1;
					}
					return  *_t13(_a4, _a8, _a12);
				}
				_t11 = GetModuleHandleW(L"kernel32.dll");
				if(_t11 == 0) {
					goto L6;
				}
				_t12 = GetProcAddress(_t11, "InitializeCriticalSectionEx");
				_t13 = _t12;
				__imp__EncodePointer(_t13);
				 *0x4d99e0 = _t12;
				goto L4;
			}

0x0043a586
0x0043a58e
0x0043a5bc
0x0043a5c2
0x0043a5c4
0x0043a5c6
0x0043a5d5
0x0043a5db
0x00000000
0x0043a5e3
0x00000000
0x0043a5d1
0x0043a595
0x0043a59d
0x00000000
0x00000000
0x0043a5a5
0x0043a5ab
0x0043a5ae
0x0043a5b4
0x00000000

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043A595
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0043A5A5
EncodePointer.KERNEL32(00000000), ref: 0043A5AE
DecodePointer.KERNEL32(00000000), ref: 0043A5BC
InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 0043A5DB

Strings

kernel32.dll, xrefs: 0043A590
InitializeCriticalSectionEx, xrefs: 0043A59F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Pointer$AddressCountCriticalDecodeEncodeHandleInitializeModuleProcSectionSpin
String ID: InitializeCriticalSectionEx$kernel32.dll
API String ID: 131412094-2762503851
Opcode ID: abac890a2fa14da345cc0afd31ad1f666ba2fd5c609074f4cb34cf5d1db72c27
Instruction ID: 98aa1212746d2abb31ba45571c3b63d748fb16505e8d7a7dcc8baac04e696ada
Opcode Fuzzy Hash: abac890a2fa14da345cc0afd31ad1f666ba2fd5c609074f4cb34cf5d1db72c27
Instruction Fuzzy Hash: 41F09071542315BB8F011F61DC08D9A7FA8AB0D7517044436FC12D2220D739CA219BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00450306, Relevance: 12.2, APIs: 8, Instructions: 163
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00450306(intOrPtr* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12) {
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v24;
				union _LARGE_INTEGER _v28;
				signed int _v32;
				union _LARGE_INTEGER _v36;
				void* _t75;
				void* _t76;
				struct %anon52 _t77;
				void* _t81;
				intOrPtr _t87;
				signed int _t91;
				intOrPtr _t92;
				void* _t94;
				signed int _t97;
				signed int _t99;
				void* _t101;
				signed int* _t109;
				signed int _t110;
				intOrPtr _t113;
				signed int _t118;
				signed int _t123;
				void* _t124;
				struct %anon52 _t126;
				intOrPtr* _t129;
				void* _t142;

				_t118 = __edx;
				_t109 = _a12;
				_t129 = __ecx;
				_t75 = 1;
				 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				 *_t109 =  *_t109 & 0x00000000;
				if(_a8 <= 0) {
					L26:
					return _t75;
				} else {
					goto L1;
				}
				do {
					L1:
					if( *((intOrPtr*)(_t129 + 0x5c)) <= 0x2710 ||  *((intOrPtr*)(_t129 + 0x54)) == 0) {
						_t123 = 0x5dc;
					} else {
						_t123 = E004506A2(_t129) * 0xf;
					}
					_t76 = 1;
					_t124 =  ==  ? _t76 : _t123;
					if( *((char*)(_t129 + 0x90)) == 0) {
						_t77 = GetTickCount();
						_v32 = _v32 & 0x00000000;
						_v36.LowPart = _t77;
					} else {
						QueryPerformanceCounter( &_v36);
					}
					ResetEvent( *(_t129 + 0xc));
					 *((intOrPtr*)(_t129 + 0x24)) =  &_v8;
					_t81 = _a8 -  *_t109;
					_t125 =  <  ? _t81 : _t124;
					_push( &_v8);
					_push( <  ? _t81 : _t124);
					_push(_a4 +  *_t109);
					_push( *((intOrPtr*)(_t129 + 4)));
					if( *0x4d957c() != 0) {
						L10:
						if( *((char*)(_t129 + 0x90)) == 0) {
							_t126 = GetTickCount();
							_t110 = 0;
							_v28.LowPart = _t126;
							_v24 = 0;
						} else {
							QueryPerformanceCounter( &_v28);
							_t110 = _v24;
							_t126 = _v28.LowPart;
						}
						_t87 = _v8;
						if(_t87 == 0) {
							break;
						} else {
							goto L14;
						}
					} else {
						_push(0);
						_t19 = _t129 + 0xc; // 0xe
						_push( *((intOrPtr*)(_t129 + 0x28)));
						if( *((intOrPtr*)( *_t129 + 8))() == 0) {
							_t75 = 0;
							goto L26;
						}
						goto L10;
					}
					L14:
					 *_a12 =  *_a12 + _t87;
					 *((intOrPtr*)(_t129 + 0x4c)) =  *((intOrPtr*)(_t129 + 0x4c)) + _t87;
					 *((intOrPtr*)(_t129 + 0x54)) =  *((intOrPtr*)(_t129 + 0x54)) + _t87;
					 *((intOrPtr*)(_t129 + 0x60)) =  *((intOrPtr*)(_t129 + 0x60)) + _t87;
					_t127 = _t126 - _v36.LowPart;
					asm("sbb ebx, [ebp-0x1c]");
					if((_t126 - _v36.LowPart | _t110) == 0) {
						_t127 = 5;
						_t110 = 0;
					}
					_t91 = E0045E130(_t127, _t110, 0x3e8, 0);
					_t113 =  *((intOrPtr*)(_t129 + 0x8c));
					_v12 = _t91;
					_t92 =  *((intOrPtr*)(_t129 + 0x88));
					_v16 = _t118;
					_t142 = _t118 - _t113;
					if(_t142 >= 0) {
						_t118 = _v12;
						if(_t142 > 0 || _t118 >= _t92) {
							_push(_t113);
							_push(_t92);
							_push(_v16);
							_push(_t118);
							_t101 = E00463060();
							 *((intOrPtr*)(_t129 + 0x5c)) =  *((intOrPtr*)(_t129 + 0x5c)) + _t101;
							 *((intOrPtr*)(_t129 + 0x68)) =  *((intOrPtr*)(_t129 + 0x68)) + _t101;
							_v16 = _t118;
							_t127 = E0045D040(_t113, _t110, 0x3e8, 0);
							_t110 = _t118;
						}
					}
					_t94 = E0045D040(E0045E130(_t127, _t110, 0xf4240, 0), _t118,  *((intOrPtr*)(_t129 + 0x88)),  *((intOrPtr*)(_t129 + 0x8c)));
					 *(_t129 + 0x58) =  *(_t129 + 0x58) + _t94;
					 *(_t129 + 0x64) =  *(_t129 + 0x64) + _t94;
					if( *(_t129 + 0x58) > 0x3e8) {
						_t99 =  *(_t129 + 0x58);
						_t118 = _t99 % 0x3e8;
						 *((intOrPtr*)(_t129 + 0x5c)) =  *((intOrPtr*)(_t129 + 0x5c)) + _t99 / 0x3e8;
						 *(_t129 + 0x58) = _t118;
					}
					if( *(_t129 + 0x64) > 0x3e8) {
						_t97 =  *(_t129 + 0x64);
						_t118 = _t97 % 0x3e8;
						 *((intOrPtr*)(_t129 + 0x68)) =  *((intOrPtr*)(_t129 + 0x68)) + _t97 / 0x3e8;
						 *(_t129 + 0x64) = _t118;
					}
					_t109 = _a12;
				} while ( *_t109 < _a8);
				_t75 = 1;
				goto L26;
			}

0x00450306
0x0045030f
0x00450313
0x00450315
0x00450316
0x0045031a
0x00450322
0x004504c6
0x004504ca
0x00000000
0x00000000
0x00000000
0x00450328
0x00450328
0x0045032f
0x00450345
0x00450337
0x00450340
0x00450340
0x0045034e
0x0045034f
0x00450359
0x00450367
0x0045036d
0x00450371
0x0045035b
0x0045035f
0x0045035f
0x00450377
0x00450380
0x00450386
0x0045038a
0x00450390
0x00450396
0x00450397
0x00450398
0x004503a3
0x004503bd
0x004503c4
0x004503de
0x004503e0
0x004503e2
0x004503e5
0x004503c6
0x004503ca
0x004503d0
0x004503d3
0x004503d3
0x004503e8
0x004503ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004503a5
0x004503a7
0x004503a9
0x004503ad
0x004503b7
0x004504cd
0x00000000
0x004504cd
0x00000000
0x004503b7
0x004503f3
0x004503f6
0x004503f8
0x004503fb
0x004503fe
0x00450401
0x00450404
0x0045040b
0x0045040f
0x00450410
0x00450410
0x0045041b
0x00450420
0x00450426
0x00450429
0x0045042f
0x00450432
0x00450434
0x00450436
0x00450439
0x0045043f
0x00450440
0x00450441
0x00450444
0x00450445
0x0045044a
0x0045044d
0x00450459
0x00450461
0x00450463
0x00450463
0x00450439
0x00450481
0x00450486
0x00450489
0x00450494
0x00450496
0x0045049b
0x0045049d
0x004504a0
0x004504a0
0x004504a6
0x004504a8
0x004504ad
0x004504af
0x004504b2
0x004504b2
0x004504b5
0x004504bb
0x004504c5
0x00000000

APIs

QueryPerformanceCounter.KERNEL32(00000003,00000000,00000002,00000000,00000003,00000000,00000000), ref: 0045035F
GetTickCount.KERNEL32 ref: 00450367
ResetEvent.KERNEL32(?), ref: 00450377
QueryPerformanceCounter.KERNEL32(?), ref: 004503CA
GetTickCount.KERNEL32 ref: 004503D8
__alldvrm.LIBCMT ref: 00450445
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0045045C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00450481

Part of subcall function 004506A2: GetTickCount.KERNEL32 ref: 004506B1
Part of subcall function 004506A2: GetTickCount.KERNEL32 ref: 004506DA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CountTick$CounterPerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$EventReset__alldvrm
String ID:
API String ID: 3317835756-0
Opcode ID: d16b528da79db4ddab010a0689fe53a8e0c77fd8337804de8dac239bae16cf7a
Instruction ID: 1de5cc299959bb9d8008332be90f542bea3513a19c7deaf59c50281ee03b1f76
Opcode Fuzzy Hash: d16b528da79db4ddab010a0689fe53a8e0c77fd8337804de8dac239bae16cf7a
Instruction Fuzzy Hash: 3F51AF75A007049FDB20DFA5C885BABB7F5BF84316F00882EE986D6252D778A849CF14

Uniqueness

Uniqueness Score: -1.00%

Function 004889A0, Relevance: 12.1, APIs: 4, Strings: 4, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004889A0(void* __ebx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr* _v76;
				char _v80;
				void* __edi;
				void* __esi;
				signed int _t45;
				signed int _t46;
				intOrPtr _t52;
				void* _t56;
				void* _t61;
				short* _t64;
				intOrPtr _t74;
				short _t75;
				void* _t76;
				void* _t77;
				intOrPtr* _t79;
				void* _t80;
				signed int _t81;

				_t61 = __ebx;
				_push(0xffffffff);
				_push(0x4ab2e8);
				_push( *[fs:0x0]);
				_t45 =  *0x4d7e88; // 0x9518852c
				_t46 = _t45 ^ _t81;
				_v20 = _t46;
				_push(_t46);
				 *[fs:0x0] =  &_v16;
				_t79 = _a4;
				_t74 = _a8;
				_v76 = _t79;
				_v72 = _a12;
				_v80 = 0;
				_v68 = 0x4ae964;
				_v28 = 0x4ae96c;
				_v24 = GetLastError();
				_v8 = 0;
				if(_t74 == 0) {
					_t75 = 0;
				} else {
					_t75 = _t74 + 4;
				}
				_push(0xffffffff);
				_push(0);
				_v44 = 7;
				_v48 = 0;
				_v64 = 0;
				E00407B10(_t61,  &_v64, _t75, _t75);
				_t52 = _v28;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t21 = _t52 + 4; // 0x4
				SetLastError( *(_t81 +  *_t21 - 0x18));
				_v8 = 1;
				_t76 = E0043B22F( &_v68, _v72);
				 *_t79 = 0x4ae964;
				 *((intOrPtr*)(_t79 + 0x28)) = 0x4ae96c;
				 *((intOrPtr*)(_t79 + 0x2c)) = GetLastError();
				_v8 = 2;
				if(_t76 == 0) {
					_t56 = 0;
				} else {
					_t30 = _t76 + 4; // 0x4
					_t56 = _t30;
				}
				_t64 = _t79 + 4;
				_push(0);
				 *((intOrPtr*)(_t64 + 0x14)) = 7;
				 *((intOrPtr*)(_t64 + 0x10)) = 0;
				 *_t64 = 0;
				E00407B10(_t61, _t64, _t76, _t56);
				 *((intOrPtr*)(_t79 + 0x1c)) = 0;
				 *((intOrPtr*)(_t79 + 0x20)) = 0;
				 *((intOrPtr*)(_t79 + 0x24)) = 0;
				_t38 =  *((intOrPtr*)(_t79 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t38 + _t79 + 0x28));
				E00401B80( &_v68);
				 *[fs:0x0] = _v16;
				_pop(_t77);
				_t80 = 0xffffffff;
				return E0045A457(_t61, _v20 ^ _t81, 0, _t77, _t80);
			}

0x004889a0
0x004889a3
0x004889a5
0x004889b0
0x004889b4
0x004889b9
0x004889bb
0x004889c0
0x004889c4
0x004889cd
0x004889d0
0x004889d3
0x004889d6
0x004889d9
0x004889e0
0x004889e7
0x004889f4
0x004889f7
0x00488a00
0x00488a07
0x00488a02
0x00488a02
0x00488a02
0x00488a0b
0x00488a0d
0x00488a12
0x00488a19
0x00488a20
0x00488a24
0x00488a29
0x00488a2c
0x00488a33
0x00488a3a
0x00488a41
0x00488a48
0x00488a54
0x00488a60
0x00488a62
0x00488a68
0x00488a75
0x00488a78
0x00488a7e
0x00488a85
0x00488a80
0x00488a80
0x00488a80
0x00488a80
0x00488a87
0x00488a8e
0x00488a8f
0x00488a96
0x00488a9e
0x00488aa1
0x00488aa6
0x00488aad
0x00488ab4
0x00488abe
0x00488ac5
0x00488ace
0x00488ad8
0x00488ae0
0x00488ae1
0x00488aef

APIs

GetLastError.KERNEL32 ref: 004889EE
SetLastError.KERNEL32(004AE96C,00000000,00000000,000000FF), ref: 00488A48
GetLastError.KERNEL32(?), ref: 00488A6F
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00488AC5

Strings

lJ, xrefs: 004889A0
lJ, xrefs: 004889E7
lJ, xrefs: 00488A68
dJ, xrefs: 004889E0

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: dJ$lJ$lJ$lJ
API String ID: 1452528299-2128537396
Opcode ID: dee73e4fbed32baa2116eae85850d8993472f4027a078f2ebaf978bafc4a1bf1
Instruction ID: b45a341a48a650650591193acb68afe1818dbe9b5ef5f27e3f1df00c08abf371
Opcode Fuzzy Hash: dee73e4fbed32baa2116eae85850d8993472f4027a078f2ebaf978bafc4a1bf1
Instruction Fuzzy Hash: 0E414BB1900208DFDB14DF95C814B9EBBF4FF49318F20465EE825A7390DB79A905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0045296F, Relevance: 12.1, APIs: 8, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(?), ref: 0045298D
SysStringLen.OLEAUT32(?), ref: 004529A0
SysStringLen.OLEAUT32(?), ref: 004529AD
SysAllocStringLen.OLEAUT32(00000000,00000000), ref: 004529B8
_memmove.LIBCMT ref: 004529CD
SysStringLen.OLEAUT32(?), ref: 004529DB
_memmove.LIBCMT ref: 004529FB
SysFreeString.OLEAUT32(?), ref: 00452A09

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$Free_memmove$Alloc
String ID:
API String ID: 2303858246-0
Opcode ID: 32c3540a94ac7d3332d0e6b126292a3c735c7a8770710ef1ca48b6a007623d81
Instruction ID: 0bcce7b9579d7b49f1003866ac9973882b572864251ad808a07724c516ceefa4
Opcode Fuzzy Hash: 32c3540a94ac7d3332d0e6b126292a3c735c7a8770710ef1ca48b6a007623d81
Instruction Fuzzy Hash: A3214A31600304EFCB209F69DD8895ABFB8FF49365B10066AF82693261D771AD189B99

Uniqueness

Uniqueness Score: -1.00%

Function 00486570, Relevance: 12.0, APIs: 4, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00486570(void* __ecx) {
				void* _t36;

				_t36 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = 0x4ae964;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0x4ae96c;
				 *((intOrPtr*)(_t36 + 0x30)) = GetLastError();
				 *((intOrPtr*)(_t36 + 0x1c)) = 7;
				 *((intOrPtr*)(_t36 + 0x18)) = 0;
				 *((short*)(_t36 + 8)) = 0;
				 *((intOrPtr*)(_t36 + 0x20)) = 0;
				 *((intOrPtr*)(_t36 + 0x24)) = 0;
				 *((intOrPtr*)(_t36 + 0x28)) = 0;
				_t13 = _t36 + 0x2c; // 0x53746547
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x2c)) + 4)) + _t13));
				 *((intOrPtr*)(_t36 + 0x34)) = 0x4ae964;
				 *((intOrPtr*)(_t36 + 0x5c)) = 0x4ae96c;
				 *((intOrPtr*)(_t36 + 0x60)) = GetLastError();
				 *((intOrPtr*)(_t36 + 0x4c)) = 7;
				 *((intOrPtr*)(_t36 + 0x48)) = 0;
				 *((short*)(_t36 + 0x38)) = 0;
				 *((intOrPtr*)(_t36 + 0x50)) = 0;
				 *((intOrPtr*)(_t36 + 0x54)) = 0;
				 *((intOrPtr*)(_t36 + 0x58)) = 0;
				_t26 = _t36 + 0x5c; // 0x0
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t36 + 0x5c)) + 4)) + _t26));
				return _t36;
			}

0x00486571
0x00486573
0x0048657a
0x00486587
0x0048658a
0x00486591
0x0048659a
0x0048659e
0x004865a1
0x004865a4
0x004865ad
0x004865b1
0x004865b7
0x004865be
0x004865cb
0x004865ce
0x004865d5
0x004865de
0x004865e2
0x004865e5
0x004865e8
0x004865f1
0x004865f5
0x004865fe

APIs

GetLastError.KERNEL32(00000000,00492C07,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 00486581
SetLastError.KERNEL32(53746547,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865B1
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865C5
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,9518852C,?,000001A4,00000000), ref: 004865F5

Strings

lJ, xrefs: 0048657A
lJ, xrefs: 004865BE
dJ, xrefs: 004865B7
dJ, xrefs: 00486573

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: dJ$dJ$lJ$lJ
API String ID: 1452528299-2563680426
Opcode ID: 200ef8c29c30ac6504fc3dfcc34c797f3523c37566ed5c9f370429ceb4e7eaf7
Instruction ID: 769be1a6fd4e13e5598b14c51293e14b84b93e7813666d87a52011dac865fccf
Opcode Fuzzy Hash: 200ef8c29c30ac6504fc3dfcc34c797f3523c37566ed5c9f370429ceb4e7eaf7
Instruction Fuzzy Hash: 32114BB5901240CFDB84CF69D5C87057FE4BF19308B2191AAEC18CB26AE779D854CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00490100, Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00490100(void* __ecx, void* __edx, void* __eflags, char _a4, char _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				short _v32;
				short _v36;
				short _v40;
				char _v44;
				intOrPtr _v48;
				char _v64;
				char _v68;
				long _v72;
				intOrPtr _v76;
				short _v80;
				short _v84;
				short _v88;
				char _v92;
				intOrPtr _v96;
				char _v112;
				char _v116;
				char _v164;
				char _v212;
				char _v213;
				char _v220;
				char _v224;
				char _v228;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t84;
				signed int _t85;
				intOrPtr _t89;
				intOrPtr _t93;
				void* _t95;
				void* _t107;
				void* _t110;
				intOrPtr* _t112;
				intOrPtr* _t116;
				intOrPtr* _t121;
				void* _t124;
				void* _t129;
				void* _t134;
				void* _t135;
				void* _t163;
				void* _t165;
				void* _t167;
				void* _t173;
				signed int _t175;

				_t163 = __edx;
				_push(0xffffffff);
				_push(0x4ab71f);
				_push( *[fs:0x0]);
				_t84 =  *0x4d7e88; // 0x9518852c
				_t85 = _t84 ^ _t175;
				_v20 = _t85;
				_push(_t85);
				 *[fs:0x0] =  &_v16;
				_t134 = __ecx;
				_t165 = GetLastError;
				_v8 = 0;
				_v116 = 0x4c2f78;
				_v76 = 0x4c2fa8;
				_v72 = GetLastError();
				_v112 = 0;
				_v88 = 0;
				_v84 = 0;
				_v80 = 0;
				_t89 = _v76;
				_v92 = 7;
				_v96 = 0;
				_t14 = _t89 + 4; // 0x4
				SetLastError( *(_t175 +  *_t14 - 0x48));
				_v68 = 0x4c2f78;
				_v28 = 0x4c2fa8;
				_v24 = GetLastError();
				_v64 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t93 = _v28;
				_v44 = 7;
				_v48 = 0;
				_t27 = _t93 + 4; // 0x4
				SetLastError( *(_t175 +  *_t27 - 0x18));
				_v8 = 2;
				_t95 = E004068B0( &_a8, "-", 0, 1);
				_t170 = _t95;
				if(_t95 != 0xffffffff) {
					_t124 = E00494EB0( &_v164, 0, _t170);
					_v8 = 3;
					if(_t124 == 0) {
						_t125 = 0;
						__eflags = 0;
						goto L5;
					} else {
						_t125 = _t124 + 4;
						if( &_v64 != _t124 + 4) {
							L5:
							_push(0xffffffff);
							E00406630(_t134,  &_v64, _t165, _t125, 0);
						}
					}
					_v8 = 2;
					E00401AC0( &_v164);
					_t129 = E00494EB0( &_v164, _t170, 0xffffffff);
					_v8 = 4;
					if(_t129 == 0) {
						_t130 = 0;
						__eflags = 0;
						goto L10;
					} else {
						_t130 = _t129 + 4;
						if( &_v112 != _t129 + 4) {
							L10:
							_push(0xffffffff);
							E00406630(_t134,  &_v112, _t165, _t130, 0);
						}
					}
					_v8 = 2;
					E00401AC0( &_v164);
				}
				if(_v96 == 0) {
					L19:
					E00403FB0(L"ALL",  &_v213, 1);
					_v8 = 7;
					_t166 =  *((intOrPtr*)(E0048FB40(_t134 + 0x4c,  &_v220,  &_v164)));
					E00401AC0( &_v164);
					__eflags = _t166 -  *((intOrPtr*)(_t134 + 0x4c));
					if(_t166 !=  *((intOrPtr*)(_t134 + 0x4c))) {
						goto L17;
					} else {
						goto L20;
					}
				} else {
					_push(3);
					_t107 = E004086E0(_t134,  &_v64, _t165, _t170, 0, _v48, L"ALL");
					_t186 = _t107;
					if(_t107 == 0) {
						goto L19;
					} else {
						_t49 =  &_v116; // 0x4c2f78
						_t110 = E00480E50(_t186,  &_v212, L"ALL", _t49);
						_v8 = 5;
						_t112 = E0048FB40(_t134 + 0x4c,  &_v228, _t110);
						_t166 =  *_t112;
						_v8 = 2;
						E00401AC0( &_v212);
						if( *_t112 !=  *((intOrPtr*)(_t134 + 0x4c))) {
							L17:
						} else {
							_t57 =  &_v68; // 0x4c2f78
							_t116 = E0048FB40(_t134 + 0x4c,  &_v224, _t57);
							_t166 =  *_t116;
							if( *_t116 !=  *((intOrPtr*)(_t134 + 0x4c))) {
								goto L17;
							} else {
								E00403FB0(L"ALL",  &_v213, 1);
								_v8 = 6;
								_t121 = E0048FB40(_t134 + 0x4c,  &_v220,  &_v164);
								_t166 =  *_t121;
								E00401AC0( &_v164);
								if( *_t121 !=  *((intOrPtr*)(_t134 + 0x4c))) {
									goto L17;
								}
							}
						}
					}
				}
				_t70 =  &_v68; // 0x4c2f78
				E00401AC0(_t70);
				_t71 =  &_v116; // 0x4c2f78
				E00401AC0(_t71);
				E00401AC0( &_a4);
				 *[fs:0x0] = _v16;
				_pop(_t167);
				_pop(_t173);
				_pop(_t135);
				return E0045A457(_t135, _v20 ^ _t175, _t163, _t167, _t173);
			}

0x00490100
0x00490103
0x00490105
0x00490110
0x00490117
0x0049011c
0x0049011e
0x00490124
0x00490128
0x0049012e
0x00490130
0x00490136
0x0049013d
0x00490144
0x00490153
0x00490158
0x0049015c
0x0049015f
0x00490162
0x00490165
0x00490168
0x0049016f
0x00490176
0x0049017d
0x0049017f
0x00490186
0x0049018f
0x00490194
0x00490198
0x0049019b
0x0049019e
0x004901a1
0x004901a4
0x004901ab
0x004901b2
0x004901b9
0x004901c7
0x004901cb
0x004901d0
0x004901d5
0x004901e8
0x004901ed
0x004901f3
0x00490201
0x00490201
0x00000000
0x004901f5
0x004901f5
0x004901fd
0x00490203
0x00490203
0x0049020b
0x0049020b
0x004901fd
0x00490216
0x0049021a
0x0049022c
0x00490231
0x00490237
0x00490245
0x00490245
0x00000000
0x00490239
0x00490239
0x00490241
0x00490247
0x00490247
0x0049024f
0x0049024f
0x00490241
0x0049025a
0x0049025e
0x0049025e
0x00490267
0x0049036b
0x0049037f
0x00490395
0x0049039e
0x004903a9
0x004903ae
0x004903b0
0x00000000
0x00000000
0x00000000
0x00000000
0x0049026d
0x0049026d
0x0049027c
0x00490281
0x00490283
0x00000000
0x00490289
0x00490289
0x00490299
0x004902ac
0x004902b0
0x004902b5
0x004902bd
0x004902c1
0x004902c9
0x00490330
0x004902cb
0x004902cb
0x004902d9
0x004902de
0x004902e3
0x00000000
0x004902e5
0x004902f9
0x0049030f
0x00490313
0x00490318
0x00490323
0x0049032a
0x00000000
0x00000000
0x0049032a
0x004902e3
0x004902c9
0x00490283
0x00490333
0x00490336
0x0049033b
0x0049033e
0x00490346
0x00490350
0x00490358
0x00490359
0x0049035a
0x00490368

APIs

GetLastError.KERNEL32(9518852C,?,00000000,?), ref: 0049014B
SetLastError.KERNEL32(004C2FA8,?,00000000,?), ref: 0049017D
GetLastError.KERNEL32(?,00000000,?), ref: 0049018D
SetLastError.KERNEL32(004C2FA8,?,00000000,?), ref: 004901B9

Part of subcall function 00494EB0: GetLastError.KERNEL32(9518852C,73B74D40,00000000,?,?,004ABC58,000000FF,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494EEE
Part of subcall function 00494EB0: SetLastError.KERNEL32(?,00000000,?,00000000,?,004901ED,?,00000000,00000000,004B1A74,00000000), ref: 00494F4A

Strings

x/L, xrefs: 00490289, 0049028C
x/L, xrefs: 004902CB, 004902CE
ALL, xrefs: 0049026F, 00490293, 004902EE, 00490374

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: ALL$x/L$x/L
API String ID: 1452528299-300393698
Opcode ID: 77f42b1bd8677d11b66f4f2e523c9e19174658048120b00dd2a9d37c1e768aa9
Instruction ID: b426142df9c32a6d7b358cb21288f099e10c7965672089d3627bba96ba26348b
Opcode Fuzzy Hash: 77f42b1bd8677d11b66f4f2e523c9e19174658048120b00dd2a9d37c1e768aa9
Instruction Fuzzy Hash: 6F817B31900258AFCF14DFA4C851BEEBBB8AF14304F1441ABE515B72D1EB786A48CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00497B90, Relevance: 10.7, APIs: 7, Instructions: 187
windowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00497B90(struct HWND__** __ecx, void* __edx, void* __eflags, char _a4, char _a8, char _a12) {
				struct HWND__* _v8;
				char _v16;
				signed int _v20;
				intOrPtr _v80;
				struct HWND__* _v84;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				signed short _v108;
				signed int _v112;
				struct HWND__** _v116;
				char _v120;
				struct HDC__* _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				void _v168;
				BITMAPINFOHEADER* _v172;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t82;
				signed int _t83;
				struct HWND__* _t91;
				signed int _t96;
				intOrPtr _t99;
				signed int _t100;
				signed int _t104;
				struct HBITMAP__* _t118;
				void* _t129;
				BITMAPINFOHEADER* _t130;
				void* _t131;
				intOrPtr _t136;
				void* _t149;
				signed int _t152;
				struct HWND__** _t156;
				struct HWND__** _t160;
				void* _t161;
				void* _t162;
				signed short _t163;
				struct HDC__* _t167;
				void* _t168;
				signed int _t169;
				void* _t170;
				void* _t171;
				void* _t173;

				_t153 = __edx;
				_push(0xffffffff);
				_push(0x4abfc3);
				_push( *[fs:0x0]);
				_t171 = _t170 - 0x9c;
				_t82 =  *0x4d7e88; // 0x9518852c
				_t83 = _t82 ^ _t169;
				_v20 = _t83;
				_push(_t129);
				_push(_t162);
				_push(_t83);
				 *[fs:0x0] =  &_v16;
				_t156 = __ecx;
				_v116 = __ecx;
				_v128 = _a4;
				E0049A2D7(_t129,  &_v100, __ecx, _t162, __eflags);
				_v8 = 0;
				E0049A4C0( &_v100, __edx, __eflags,  &_v128,  &_a8,  &_v120);
				_t91 = _v84;
				__ecx[2] = _t91;
				if(_t91 != 0) {
					_t151 =  >  ? 0xff : _v80;
					_t152 =  <  ? 0 :  >  ? 0xff : _v80;
					_t179 = _t152 - _v92;
					if(_t152 < _v92) {
						__ecx[1] =  *(_v96 + _t152 * 4);
					}
				}
				E0049A7C1( &_v100, _t153,  &_v104, 1);
				_t163 =  *(_v120 + 0x14) & 0x0000ffff;
				_v108 = _t163;
				_t96 = 0x00000028 + _t163 * 0x00000004 & 0x0000ffff;
				_push(_t96);
				_v124 = _t96;
				_t130 = E0045C169(_t129, _t153, _t156, _t179);
				_v172 = _t130;
				_t136 = _v104;
				_v164 = 0;
				_v160 = 0;
				_v156 = 0;
				_v148 = 0;
				_v136 = 0;
				_v152 = 0;
				_v144 = 0;
				_v140 = 0;
				_v132 = 0;
				_t99 =  *((intOrPtr*)(_t136 + 0x20));
				 *((intOrPtr*)(_t156 + 0xc)) = _t99;
				_v164 = _t99;
				_t100 =  *(_t136 + 0x24);
				 *(_t156 + 0x10) = _t100;
				_v160 = _t100;
				_t104 = ( *((intOrPtr*)(_t136 + 0x20)) + 0x00000003 & 0xfffffffc) *  *(_t136 + 0x24);
				_t154 = _t163 & 0x0000ffff;
				_v168 = 0x28;
				_v156 = 0x80001;
				_v136 = _t163 & 0x0000ffff;
				_v148 = _t104;
				_v8 = 1;
				_v112 = _t104;
				memcpy(_t130,  &_v168, 0xa << 2);
				_t173 = _t171 + 0x10;
				if(_v108 != 0) {
					_t59 = _t130 + 0x28; // 0x28
					E0045A8B0(_t59,  *((intOrPtr*)(_v120 + 0x18)), _t154 * 4);
					_t173 = _t173 + 0xc;
				}
				if(_a12 == 0) {
					_t160 = _v116;
					_t106 = _t160[5];
					__eflags = _t160[5];
					if(__eflags != 0) {
						L0045A7D5(_t106);
						_t173 = _t173 + 4;
					}
					_push(_v112 + _v124 + 0xa);
					_t160[5] = E00459ADF(_t130, _t154, _t160, __eflags);
					E0045A4D0(_t107, 0, _v112 + _v124 + 0xa);
					_t167 = _v124;
					E0045A8B0(_t160[5], _t130, _t167);
					__eflags = _t160[5] + _t167;
					E0045A8B0(_t160[5] + _t167,  *(_v104 + 0x30), _v112);
					_t173 = _t173 + 0x28;
				} else {
					_t167 = GetWindowDC(0);
					_t118 = CreateDIBitmap(_t167, _t130, 4,  *(_v104 + 0x30), _t130, 0);
					_t160 = _v116;
					_v108 = _t118;
					_t149 =  *_t160;
					if(_t149 != _t118) {
						if(_t149 != 0) {
							_t154 = DeleteObject;
							_t184 = DeleteObject;
							if(DeleteObject != 0) {
								DeleteObject(_t149);
								_t118 = _v108;
								 *_t160 = 0;
							}
						}
						 *_t160 = _t118;
					}
					ReleaseDC(0, _t167);
				}
				L0045A2FE(_t130);
				_v8 = 0xffffffff;
				E0049A323(_t130,  &_v100, _t160, _t167, _t184);
				 *[fs:0x0] = _v16;
				_pop(_t161);
				_pop(_t168);
				_pop(_t131);
				return E0045A457(_t131, _v20 ^ _t169, _t154, _t161, _t168);
			}

0x00497b90
0x00497b93
0x00497b95
0x00497ba0
0x00497ba1
0x00497ba7
0x00497bac
0x00497bae
0x00497bb1
0x00497bb2
0x00497bb4
0x00497bb8
0x00497bbe
0x00497bc0
0x00497bc9
0x00497bcc
0x00497be0
0x00497be7
0x00497bec
0x00497bef
0x00497bf4
0x00497c00
0x00497c07
0x00497c0a
0x00497c0d
0x00497c15
0x00497c15
0x00497c0d
0x00497c21
0x00497c29
0x00497c2d
0x00497c37
0x00497c3a
0x00497c3b
0x00497c43
0x00497c48
0x00497c4e
0x00497c53
0x00497c59
0x00497c5f
0x00497c65
0x00497c6b
0x00497c71
0x00497c77
0x00497c7d
0x00497c83
0x00497c86
0x00497c89
0x00497c8c
0x00497c92
0x00497c95
0x00497c98
0x00497ca7
0x00497cb0
0x00497cc0
0x00497cca
0x00497cd4
0x00497cda
0x00497ce0
0x00497ce4
0x00497ce7
0x00497ce7
0x00497ce9
0x00497cf9
0x00497cfd
0x00497d02
0x00497d02
0x00497d09
0x00497d5b
0x00497d5e
0x00497d61
0x00497d63
0x00497d66
0x00497d6b
0x00497d6b
0x00497d79
0x00497d83
0x00497d86
0x00497d8b
0x00497d93
0x00497da4
0x00497da7
0x00497dac
0x00497d0b
0x00497d1c
0x00497d22
0x00497d28
0x00497d2b
0x00497d2e
0x00497d32
0x00497d36
0x00497d38
0x00497d3e
0x00497d40
0x00497d43
0x00497d45
0x00497d48
0x00497d48
0x00497d40
0x00497d4e
0x00497d4e
0x00497d53
0x00497d53
0x00497db0
0x00497dbb
0x00497dc2
0x00497dcc
0x00497dd4
0x00497dd5
0x00497dd6
0x00497de4

APIs

Part of subcall function 0049A2D7: __EH_prolog3.LIBCMT ref: 0049A2DE

_memmove.LIBCMT ref: 00497CFD
GetWindowDC.USER32(00000000), ref: 00497D0D
CreateDIBitmap.GDI32(00000000,00000000,00000004,?,00000000,00000000), ref: 00497D22
ReleaseDC.USER32 ref: 00497D53
_memset.LIBCMT ref: 00497D86
_memmove.LIBCMT ref: 00497D93
_memmove.LIBCMT ref: 00497DA7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove$BitmapCreateH_prolog3ReleaseWindow_memset
String ID:
API String ID: 3696145347-0
Opcode ID: fc38c06a6800de8992d843d7116b01a3c049677594164d0f8dd3cfbd6bea5449
Instruction ID: 387c1363ff40ed714bc0e2b1f27fb54d74400b4f037183cd9c4c18434c65ad37
Opcode Fuzzy Hash: fc38c06a6800de8992d843d7116b01a3c049677594164d0f8dd3cfbd6bea5449
Instruction Fuzzy Hash: 5C7138B1D002189FDB14DFA5C845BAEBBF4FF09314F10426AE809EB242E735A954CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040F29E, Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 137
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040F29E(void* __edx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				char _v8;
				char _v16;
				signed int _v20;
				signed char _v21;
				signed char _v22;
				signed char _v23;
				signed char _v24;
				signed char _v25;
				signed char _v26;
				signed char _v27;
				signed char _v28;
				signed char _v29;
				signed char _v30;
				signed char _v31;
				signed char _v32;
				signed char _v33;
				signed char _v34;
				signed char _v35;
				signed char _v36;
				void _v4132;
				intOrPtr _v4140;
				char _v4180;
				char _v4268;
				char _v4269;
				signed int _v4276;
				long _v4280;
				struct _OVERLAPPED* _v4284;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t52;
				signed int _t53;
				void* _t96;
				void* _t106;
				void* _t107;
				intOrPtr* _t109;
				void* _t110;
				WCHAR* _t113;
				void* _t114;
				void* _t115;
				signed int _t116;
				void* _t117;

				_t107 = __edx;
				_push(0xffffffff);
				_push(0x4a1259);
				_push( *[fs:0x0]);
				E0045BDF0(0x10ac);
				_t52 =  *0x4d7e88; // 0x9518852c
				_t53 = _t52 ^ _t116;
				_v20 = _t53;
				_push(_t53);
				 *[fs:0x0] =  &_v16;
				_t109 = _a4;
				_v4284 = 0;
				_v4180 = 0x4c2f50;
				_v4140 = 0x4c3454;
				E00403F50( &_v4180,  &_v4269, 0);
				_v4276 = _v4276 | 0xffffffff;
				_v8 = 0;
				_t113 = _a8 + 4;
				_v8 = 1;
				if(_t113[0xa] >= 8) {
					_t113 =  *_t113;
				}
				_t114 = CreateFileW(_t113, 0x80000000, 1, 0, 3, 0x80, 0);
				if(_t114 != 0xffffffff) {
					E00412AA4( &_v4276);
					_v4276 = _t114;
					E0044EC8D( &_v4268);
					_pop(_t106);
					while(ReadFile(_t114,  &_v4132, 0x1000,  &_v4280, 0) != 0) {
						E0044F372( &_v4268,  &_v4132, _v4280);
						_t117 = _t117 + 0xc;
						if(_v4280 > 0) {
							continue;
						}
						break;
					}
					E0044EC10(_t106, _t107,  &_v36,  &_v4268);
					_push(_v21 & 0x000000ff);
					_push(_v22 & 0x000000ff);
					_push(_v23 & 0x000000ff);
					_push(_v24 & 0x000000ff);
					_push(_v25 & 0x000000ff);
					_push(_v26 & 0x000000ff);
					_push(_v27 & 0x000000ff);
					_push(_v28 & 0x000000ff);
					_push(_v29 & 0x000000ff);
					_push(_v30 & 0x000000ff);
					_push(_v31 & 0x000000ff);
					_push(_v32 & 0x000000ff);
					_push(_v33 & 0x000000ff);
					_push(_v34 & 0x000000ff);
					_push(_v35 & 0x000000ff);
					E00403B50( &_v4180, L"%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", _v36 & 0x000000ff);
				}
				 *_t109 = 0x4c2f50;
				 *((intOrPtr*)(_t109 + 0x28)) = 0x4c3454;
				E004053A0( &_v4180, 0);
				E00412AA4( &_v4276);
				E00401AC0( &_v4180);
				 *[fs:0x0] = _v16;
				_pop(_t110);
				_pop(_t115);
				_pop(_t96);
				return E0045A457(_t96, _v20 ^ _t116, _t107, _t110, _t115);
			}

0x0040f29e
0x0040f2a1
0x0040f2a3
0x0040f2ae
0x0040f2b4
0x0040f2b9
0x0040f2be
0x0040f2c0
0x0040f2c6
0x0040f2ca
0x0040f2d0
0x0040f2e6
0x0040f2ec
0x0040f2f6
0x0040f300
0x0040f305
0x0040f30c
0x0040f30f
0x0040f312
0x0040f31a
0x0040f31c
0x0040f31c
0x0040f335
0x0040f33a
0x0040f346
0x0040f352
0x0040f358
0x0040f35d
0x0040f35e
0x0040f391
0x0040f396
0x0040f3a0
0x00000000
0x00000000
0x00000000
0x0040f3a0
0x0040f3ad
0x0040f3b6
0x0040f3bb
0x0040f3c0
0x0040f3c5
0x0040f3ca
0x0040f3cf
0x0040f3d4
0x0040f3d9
0x0040f3de
0x0040f3e3
0x0040f3e8
0x0040f3ed
0x0040f3f2
0x0040f3f7
0x0040f3fc
0x0040f40e
0x0040f413
0x0040f420
0x0040f426
0x0040f42d
0x0040f438
0x0040f443
0x0040f44d
0x0040f455
0x0040f456
0x0040f457
0x0040f463

APIs

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0040F32F
ReadFile.KERNEL32(00000000,?,00001000,?,00000000), ref: 0040F373

Strings

%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 0040F408
T4L, xrefs: 0040F2F6
T4L, xrefs: 0040F426
P/L, xrefs: 0040F2EC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFileLast$CreateRead
String ID: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X$P/L$T4L$T4L
API String ID: 1307834717-3821760668
Opcode ID: c68d3305725513904932a9c5a94bb67753d60b02da7ee778eb9fc53b26968d09
Instruction ID: 6d56d09942f8a88e8b15e86532899164cf6242e4dabd435f4bd21e01917fc381
Opcode Fuzzy Hash: c68d3305725513904932a9c5a94bb67753d60b02da7ee778eb9fc53b26968d09
Instruction Fuzzy Hash: DD5163728041A96ECB21DB958C40FEFBBBDAF09315F0401ABF599E2181D77C9B848F64

Uniqueness

Uniqueness Score: -1.00%

Function 0049A3D1, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 100
stringCOMMON

Download Yara Rule

C-Code - Quality: 81%

			E0049A3D1(intOrPtr __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed int _v8;
				char _v19;
				char _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				intOrPtr* _t42;
				void* _t49;
				char* _t50;
				intOrPtr* _t51;
				signed int _t52;

				_t23 =  *0x4d7e88; // 0x9518852c
				_v8 = _t23 ^ _t52;
				_t42 = _a8;
				_t51 = _a4;
				_v24 = _a12;
				_v20 = 0;
				_t50 =  &_v19;
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v32 = __ecx;
				_t44 =  *_t51;
				_v28 =  *_t51;
				asm("stosb");
				if( *_t42 >= 1) {
					E0045A8B0( &_v20, _t44, 1);
					 *_t42 =  *_t42 + 1;
					 *_t51 =  *_t51 + 1;
					if(_v20 != 0xb) {
						L10:
						 *_t51 = _v28;
						goto L11;
					} else {
						_t50 = 0xb;
						if( *_t42 < _t50) {
							goto L1;
						} else {
							E0045A8B0( &_v20,  *_t51, _t50);
							 *_t42 =  *_t42 + _t50;
							 *_t51 =  *_t51 + _t50;
							if(lstrcmpA( &_v20, "NETSCAPE2.0") != 0) {
								goto L10;
							} else {
								_t50 = 2;
								if( *_t42 < _t50) {
									goto L1;
								} else {
									E0045A8B0( &_v20,  *_t51, _t50);
									 *_t42 =  *_t42 + _t50;
									 *_t51 =  *_t51 + _t50;
									if(_v20 != 3 || _v19 != 1) {
										goto L10;
									} else {
										if( *_t42 < _t50) {
											goto L1;
										} else {
											_t50 = _v32;
											E0045A8B0(_t50 + 0x48,  *_t51, _t50);
											 *_t42 =  *_t42 + 2;
											 *_t51 =  *_t51 + 2;
											 *((intOrPtr*)(_t50 + 0x4c)) = 1;
											 *_v24 = 1;
											L11:
										}
									}
								}
							}
						}
					}
				} else {
					L1:
					_push(0xd);
				}
				return E0045A457(_t42, _v8 ^ _t52, _t49, _t50, _t51);
			}

0x0049a3d7
0x0049a3de
0x0049a3e5
0x0049a3e9
0x0049a3ed
0x0049a3f5
0x0049a3f9
0x0049a3fc
0x0049a3fd
0x0049a3fe
0x0049a400
0x0049a403
0x0049a405
0x0049a408
0x0049a409
0x0049a41a
0x0049a422
0x0049a424
0x0049a42a
0x0049a4a8
0x0049a4ab
0x00000000
0x0049a42c
0x0049a42e
0x0049a431
0x00000000
0x0049a433
0x0049a43a
0x0049a43f
0x0049a441
0x0049a457
0x00000000
0x0049a459
0x0049a45b
0x0049a45e
0x00000000
0x0049a460
0x0049a467
0x0049a46c
0x0049a46e
0x0049a477
0x00000000
0x0049a47f
0x0049a481
0x00000000
0x0049a483
0x0049a484
0x0049a48d
0x0049a492
0x0049a495
0x0049a4a1
0x0049a4a4
0x0049a4ad
0x0049a4ad
0x0049a481
0x0049a477
0x0049a45e
0x0049a457
0x0049a431
0x0049a40b
0x0049a40b
0x0049a40b
0x0049a40d
0x0049a4bd

APIs

_memmove.LIBCMT ref: 0049A41A
_memmove.LIBCMT ref: 0049A43A
lstrcmpA.KERNEL32(0000000B,NETSCAPE2.0,?,?,?,?,00000000,?,?,0049A70C,0049A70D), ref: 0049A44F
_memmove.LIBCMT ref: 0049A467
_memmove.LIBCMT ref: 0049A48D

Strings

NETSCAPE2.0, xrefs: 0049A449

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove$lstrcmp
String ID: NETSCAPE2.0
API String ID: 1993653321-1278374441
Opcode ID: a4fa64b6d87acade666cc8a3977ed79d75b3c52297e1fa9762e53d964d4f5fc1
Instruction ID: 3e520c9362377f432e9dd8ed6ead6f72ff7c9741bbdfae2883ad40be41d2d1ca
Opcode Fuzzy Hash: a4fa64b6d87acade666cc8a3977ed79d75b3c52297e1fa9762e53d964d4f5fc1
Instruction Fuzzy Hash: 9531AD71900219EFCF21DFA8D849AAEBBF8FF59314F10086EE540A7101E3B89555CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00437225, Relevance: 10.6, APIs: 7, Instructions: 96
windowCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E00437225(void* __edx, intOrPtr _a4, int _a8) {
				struct tagMSG _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				int _t31;
				void* _t35;
				signed int _t37;
				int _t40;
				struct HWND__* _t56;
				intOrPtr* _t57;
				void* _t58;
				signed int _t60;
				void* _t63;
				intOrPtr _t66;
				void* _t69;

				_t63 = __edx;
				_t31 = PeekMessageW( &_v32, 0, 0, 0, 1);
				_t66 = _a4;
				if(_t31 != 0 && IsDialogMessageW( *(_t66 + 0x26c),  &_v32) == 0) {
					TranslateMessage( &_v32);
					DispatchMessageW( &_v32);
				}
				_t57 =  *((intOrPtr*)(_t66 + 0x264));
				if(_t57 == 0) {
					 *((intOrPtr*)(_t66 + 0x278)) =  *((intOrPtr*)(_t66 + 0x278)) + _a8;
					asm("adc [edi+0x27c], ebx");
					_t56 =  *(_t66 + 0x26c);
					__eflags = _t56;
					if(_t56 != 0) {
						_t68 =  *((intOrPtr*)(_t66 + 0x3c4));
						_push(0);
						_t35 = 0x64;
						_push(_t35);
						_push( *((intOrPtr*)(_t66 + 0x27c)));
						_push( *((intOrPtr*)(_t66 + 0x278)));
						_t37 = E0045D040(E0045E130(), _t63,  *((intOrPtr*)(_t66 + 0x270)),  *((intOrPtr*)(_t66 + 0x274)));
						_t58 = 0x5f;
						_t60 = 0x64;
						_t40 = _t37 * (_t58 -  *((intOrPtr*)(_t66 + 0x3c4))) / _t60 + _t68;
						_a8 = _t40;
						_pop(_t69);
						__eflags =  *((intOrPtr*)(_t66 + 0x3c8)) - _t40;
						if( *((intOrPtr*)(_t66 + 0x3c8)) != _t40) {
							SendMessageW(GetDlgItem(_t56, 0x12d), 0x402, _t40, 0);
							 *((intOrPtr*)(_t66 + 0x3c8)) = _a8;
							__eflags =  *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t66 + 4)) + 0x2c))() + 0x13));
							if(__eflags != 0) {
								E00436D52(_t56, _t66, _t66, _t69, __eflags);
							}
						}
					}
					__eflags =  *0x4d9754;
					if( *0x4d9754 == 0) {
						__eflags = 0;
						return 0;
					} else {
						 *0x4d9754 = 0;
						return 0x80042000;
					}
				}
				return  *((intOrPtr*)( *_t57 + 0x1c))(_t57, _a8);
			}

0x00437225
0x00437238
0x0043723e
0x00437243
0x0043725d
0x00437267
0x00437267
0x0043726d
0x00437275
0x00437288
0x0043728e
0x00437294
0x0043729a
0x0043729c
0x004372a3
0x004372a9
0x004372ad
0x004372ae
0x004372af
0x004372b5
0x004372ce
0x004372d5
0x004372df
0x004372e2
0x004372e4
0x004372e7
0x004372e8
0x004372ee
0x00437305
0x00437311
0x0043731c
0x00437320
0x00437324
0x00437324
0x00437320
0x004372ee
0x00437329
0x00437330
0x00437340
0x00000000
0x00437332
0x00437332
0x00000000
0x00437339
0x00437330
0x00000000

APIs

PeekMessageW.USER32 ref: 00437238
IsDialogMessageW.USER32(?,?), ref: 0043724F
TranslateMessage.USER32(?), ref: 0043725D
DispatchMessageW.USER32 ref: 00437267
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004372CE
GetDlgItem.USER32 ref: 004372FE
SendMessageW.USER32(00000000,?,?,?), ref: 00437305

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Message$DialogDispatchItemPeekSendTranslateUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3948106488-0
Opcode ID: b38ba0121c574154f58f09e4e680f8f7c7ffef0e1b58573107a759d6a0d81ec0
Instruction ID: 6a8fa3e471088bcfbd5e1e136913d68b32b0bcec980d502d843c92e12e2a8f67
Opcode Fuzzy Hash: b38ba0121c574154f58f09e4e680f8f7c7ffef0e1b58573107a759d6a0d81ec0
Instruction Fuzzy Hash: 103194B1708206BFEB589FB5DC48FA6BB6CFB08704F10912AF918D6191C779A815CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00452B46, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00452B46(void* __ecx, void* __edx) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t28;
				intOrPtr _t32;
				void* _t42;
				intOrPtr _t43;
				void* _t47;
				intOrPtr* _t48;
				intOrPtr _t51;
				void* _t60;
				intOrPtr _t63;
				intOrPtr _t64;
				void* _t65;
				void* _t71;

				_t60 = __edx;
				_t65 = __ecx;
				_t28 = E00451F85( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__ecx + 8)), 0x452599);
				_t63 =  *((intOrPtr*)(_t65 + 8));
				_v12 = _t28;
				_v16 = E00451F33(_t28, _t63, L" \t\n\r=", 0x4d7a14);
				_v8 = 0x22;
				_t47 = E00451F11(_t29, _t63,  &_v8);
				if(_t63 != _t47) {
					_t47 = _t47 + 2;
					_t71 = _t47;
				}
				_v8 = 0x22;
				_t32 = E00451F11(_t47, _t63,  &_v8);
				_t51 = _v12;
				_t64 = _t32;
				E0045277E(_t65 + 0xc, E004521A6(_t47,  &_v44, _t64, _t65, _t71));
				E004171F3();
				E0045277E(_t65 + 0x28, E0045264F(_t47, _t60, _t64, _t65, _t71));
				_t42 = E004171F3();
				__imp__#7( *((intOrPtr*)(_t65 + 0x1c)),  &_v44, _t47, _t64, _v16 - _t51 >> 1, _t51, 1);
				if(_t42 != 0) {
					_t48 = _t65 + 0x38;
					__imp__#7( *_t48);
					if(_t42 != 0) {
						_t58 =  !=  ? _t48 : 0;
						_t46 =  !=  ? _t65 + 0x1c : 0;
						_t42 = E00452449(_t65 + 0x44, _t64, _t65 + 0xc,  !=  ? _t65 + 0x1c : 0,  !=  ? _t48 : 0);
					}
				}
				 *((intOrPtr*)(_t65 + 4)) = _t64;
				if( *((intOrPtr*)(_t65 + 8)) == _t64) {
					return _t42;
				} else {
					_t26 = _t64 + 2; // 0x2
					_t43 = _t26;
					 *((intOrPtr*)(_t65 + 4)) = _t43;
					return _t43;
				}
			}

0x00452b46
0x00452b4f
0x00452b5c
0x00452b61
0x00452b70
0x00452b7e
0x00452b81
0x00452b8d
0x00452b94
0x00452b96
0x00452b96
0x00452b96
0x00452b9f
0x00452ba6
0x00452bab
0x00452bb1
0x00452bca
0x00452bd2
0x00452be9
0x00452bf1
0x00452bf9
0x00452c01
0x00452c03
0x00452c08
0x00452c10
0x00452c19
0x00452c27
0x00452c2e
0x00452c2e
0x00452c10
0x00452c33
0x00452c39
0x00452c45
0x00452c3b
0x00452c3b
0x00452c3b
0x00452c3e
0x00000000
0x00452c3e

APIs

_Find_unchecked1.LIBCPMT ref: 00452B88
_Find_unchecked1.LIBCPMT ref: 00452BA6
SysStringLen.OLEAUT32(00000008), ref: 00452BF9
SysStringLen.OLEAUT32(?), ref: 00452C08

Strings

", xrefs: 00452B9F
=, xrefs: 00452B69

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Find_unchecked1String
String ID: =$"
API String ID: 2433260155-3309281751
Opcode ID: c00b033ee096f04da0e32146f441264523173227b47db7a1fba60bd1695503b9
Instruction ID: 3fc83858c2937884a388f50ba651f122f242fe9cf0c06eb3ecae80430d3f803c
Opcode Fuzzy Hash: c00b033ee096f04da0e32146f441264523173227b47db7a1fba60bd1695503b9
Instruction Fuzzy Hash: 3031A172900604AFC724DFA6CD85DDFB7F8AF48305B04452FE80692152EBB4AA08CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0042EA79, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0042EA79(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t31;
				void* _t38;
				void* _t40;
				void* _t45;
				signed int _t50;
				signed int _t51;
				intOrPtr* _t72;
				void* _t73;

				_push(0x68);
				E0045B8C9(0x4a538a, __ebx, __edi, __esi);
				_t1 = _t73 + 0xc; // 0x4c2f40
				_t70 =  *_t1;
				_t72 =  *((intOrPtr*)(_t73 + 8));
				 *((intOrPtr*)(_t73 - 0x74)) = 0;
				 *((intOrPtr*)(_t73 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t73 - 0x18)) = 0x4c3454;
				E004053A0(_t70, 0);
				 *((intOrPtr*)(_t73 - 4)) = 0;
				_t50 = "\\";
				_t31 = E00412D7A( &(_t70[4]), _t50, 0xffffffff, E0045B5D4(_t50));
				_t51 = _t50 | 0xffffffff;
				if(_t31 != _t51 && _t31 < _t70[0x14] - 1) {
					_t10 = _t73 - 0x70; // 0x4c2f50
					_t45 = E00404580(_t10, _t31 + 1, _t51);
					_t11 = _t73 - 0x40; // 0x4c2f50
					 *((char*)(_t73 - 4)) = 1;
					E00402B90(_t11, _t45);
					_t13 = _t73 - 0x70; // 0x4c2f50
					 *((char*)(_t73 - 4)) = 0;
					E00401AC0(_t13);
				}
				if( *((char*)(_t73 + 0x10)) == 0) {
					_t70 = ".";
					_t38 = E00412D7A(_t73 - 0x3c, ".", _t51, E0045B5D4("."));
					if(_t38 != _t51 && _t38 <  *((intOrPtr*)(_t73 - 0x2c)) - 1) {
						_t18 = _t73 - 0x70; // 0x4c2f50
						_t40 = E00404580(_t18, 0, _t38);
						_t20 = _t73 - 0x40; // 0x4c2f50
						 *((char*)(_t73 - 4)) = 2;
						E00402B90(_t20, _t40);
						_t22 = _t73 - 0x70; // 0x4c2f50
						 *((char*)(_t73 - 4)) = 0;
						E00401AC0(_t22);
					}
				}
				_t24 = _t73 - 0x40; // 0x4c2f50
				 *_t72 = 0x4c2f50;
				 *((intOrPtr*)(_t72 + 0x28)) = 0x4c3454;
				E004053A0(_t24, 0);
				_t26 = _t73 - 0x40; // 0x4c2f50
				E00401AC0(_t26);
				return E0045B878(_t51, _t70, _t72);
			}

0x0042ea79
0x0042ea80
0x0042ea85
0x0042ea85
0x0042ea88
0x0042ea92
0x0042ea95
0x0042ea9c
0x0042eaa3
0x0042eaa8
0x0042eaab
0x0042eabe
0x0042eac3
0x0042eac8
0x0042ead5
0x0042eadb
0x0042eae1
0x0042eae4
0x0042eae8
0x0042eaed
0x0042eaf0
0x0042eaf4
0x0042eaf4
0x0042eafd
0x0042eaff
0x0042eb11
0x0042eb18
0x0042eb25
0x0042eb2c
0x0042eb32
0x0042eb35
0x0042eb39
0x0042eb3e
0x0042eb41
0x0042eb45
0x0042eb45
0x0042eb18
0x0042eb4c
0x0042eb52
0x0042eb58
0x0042eb5f
0x0042eb64
0x0042eb67
0x0042eb73

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EA80

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00404580: GetLastError.KERNEL32(9518852C,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
Part of subcall function 00404580: SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

P/L, xrefs: 0042EB25, 0042EB3E, 0042EAD5, 0042EAED, 0042EAD8, 0042EB28
P/L, xrefs: 0042EAE1
T4L, xrefs: 0042EB58
T4L, xrefs: 0042EA9C
@/L, xrefs: 0042EA85, 0042EA8E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: @/L$P/L$P/L$T4L$T4L
API String ID: 2549205776-3366291283
Opcode ID: a0839223df54fce8ac764e30c61a9afeb8666f3fc27b386722185cb5de053dba
Instruction ID: 3f91074834dcd0e97f09d1196dd2e61241f0ad89704dba7a0414dd37e54ee9f6
Opcode Fuzzy Hash: a0839223df54fce8ac764e30c61a9afeb8666f3fc27b386722185cb5de053dba
Instruction Fuzzy Hash: A431A671500118EECB04EB91CD81BEEB778EB14318F54412EF402A72C2DBB86A098B69

Uniqueness

Uniqueness Score: -1.00%

Function 0044FECA, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 80
registryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E0044FECA(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				char _v2092;
				void* _v2096;
				int _v2100;
				char _v2104;
				intOrPtr _v2108;
				intOrPtr _v2112;
				intOrPtr _v2116;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				intOrPtr _t50;
				void* _t62;
				intOrPtr _t63;
				signed int _t65;

				_t33 =  *0x4d7e88; // 0x9518852c
				_v8 = _t33 ^ _t65;
				_t50 = _a4;
				_t63 = _a12;
				_v2112 = _a16;
				_t62 = __ecx;
				_v2108 = _t63;
				_v2116 = _a20;
				if(E004242D8() == 1) {
					_v2096 = _v2096 & 0x00000000;
					if(RegOpenKeyW(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",  &_v2096) == 0) {
						_v2100 = 4;
						RegQueryValueExW(_v2096, L"ProxyEnable", 0, 0,  &_v2104,  &_v2100);
						_t57 =  !=  ? 0 : _v2104;
						_v2104 =  !=  ? 0 : _v2104;
						_v2100 = 0x824;
						RegQueryValueExW(_v2096, L"AutoConfigURL", 0, 0,  &_v2092,  &_v2100);
						_t63 = _v2108;
						_t59 =  !=  ? 0 : _v2092 & 0x000000ff;
						_v2092 =  !=  ? 0 : _v2092 & 0x000000ff;
					}
					E00433132( &_v2096);
				}
				 *((intOrPtr*)(_t62 + 4)) =  *0x4d956c(_a8, _t63, _v2112, _v2116);
				return E0045A457(_t50, _v8 ^ _t65, 0, _t62, _t63, _t50);
			}

0x0044fed3
0x0044feda
0x0044fee1
0x0044fee5
0x0044fee8
0x0044fef2
0x0044fef4
0x0044fefa
0x0044ff08
0x0044ff0e
0x0044ff2e
0x0044ff57
0x0044ff61
0x0044ff88
0x0044ff8b
0x0044ff91
0x0044ff9b
0x0044ffa4
0x0044ffae
0x0044ffb1
0x0044ffb1
0x0044ffbd
0x0044ffbd
0x0044ffdd
0x0044fff1

APIs

RegOpenKeyW.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000), ref: 0044FF26
RegQueryValueExW.ADVAPI32(00000000,ProxyEnable,00000000,00000000,?,?,?,00000000), ref: 0044FF61
RegQueryValueExW.ADVAPI32(00000000,AutoConfigURL,00000000,00000000,?,00000004,?,00000000), ref: 0044FF9B

Strings

ProxyEnable, xrefs: 0044FF4C
AutoConfigURL, xrefs: 0044FF7D
Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 0044FF1C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: QueryValue$Open
String ID: AutoConfigURL$ProxyEnable$Software\Microsoft\Windows\CurrentVersion\Internet Settings
API String ID: 1606891134-3224623278
Opcode ID: 3227aed024cd1d1ea3d094a196645d2d2e3b50bc001e51e717bbfc32bf2a3665
Instruction ID: b706cc0b97d4dcd0648812c2f2c7d1daefce18612a30d39c06358e141b38b45d
Opcode Fuzzy Hash: 3227aed024cd1d1ea3d094a196645d2d2e3b50bc001e51e717bbfc32bf2a3665
Instruction Fuzzy Hash: 8F31DC71A01229ABDB10DF65CC50BAEB7F9BB88710F0480EAA549A2150DE759E84CFE4

Uniqueness

Uniqueness Score: -1.00%

Function 004442C5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E004442C5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t39;
				void* _t53;

				E0045B8C9(0x4a7550, __ebx, __edi, __esi);
				_t1 = _t53 + 8; // 0x444f34
				_t39 =  *_t1;
				 *(_t53 - 0x5c) =  *(_t53 - 0x5c) & 0x00000000;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t53 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t53 - 0x18)) = 0x4c2f40;
				E00404200(_t53 - 0x40, _t53 - 0x55, 0);
				 *(_t53 - 4) =  *(_t53 - 4) & 0x00000000;
				__imp__UuidToStringW(_t53 - 0x50, _t53 - 0x54, 0x50);
				_t29 =  !=  ?  *((void*)(_t53 - 0x54)) : 0x4c2d7c;
				_t42 =  !=  ?  !=  ?  *((void*)(_t53 - 0x54)) : 0x4c2d7c : 0x4c2d7c;
				E00406A00(_t53 - 0x3c, 0x4c2fa0,  !=  ?  !=  ?  *((void*)(_t53 - 0x54)) : 0x4c2d7c : 0x4c2d7c);
				E00449C16(_t39, _t53 - 0x40, 0x4c2fa0, 0x4c2f40, 0x4c2d7c);
				__imp__RpcStringFreeW(_t53 - 0x54);
				_push(0);
				_push(_t53 - 0x40);
				 *_t39 = 0x4c2fa0;
				 *((intOrPtr*)(_t39 + 0x28)) = 0x4c2f40;
				E00408E82(_t39, _t39, 0x4c2fa0, 0x4c2f40, 0x4c2d7c);
				E00401B80(_t53 - 0x40);
				return E0045B878(_t39, 0x4c2fa0, 0x4c2f40);
			}

0x004442cc
0x004442d1
0x004442d1
0x004442d4
0x004442de
0x004442df
0x004442e0
0x004442e1
0x004442f5
0x004442f8
0x004442fb
0x00444300
0x0044430c
0x0044431d
0x00444323
0x0044432a
0x00444332
0x0044433b
0x00444341
0x00444346
0x00444349
0x0044434b
0x0044434e
0x00444356
0x00444362

APIs

__EH_prolog3_GS.LIBCMT ref: 004442CC

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

UuidToStringW.RPCRT4(?,?), ref: 0044430C

Part of subcall function 00449C16: __EH_prolog3.LIBCMT ref: 00449C1D
Part of subcall function 00449C16: CharUpperW.USER32(00000000,?,?,0000000C,00444337), ref: 00449C3F

RpcStringFreeW.RPCRT4(00000000), ref: 0044433B

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

|-L, xrefs: 00444316
@/L, xrefs: 004442EC
4OD, xrefs: 004442D1

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$Free$H_prolog3$CharH_prolog3_UpperUuid
String ID: 4OD$@/L$|-L
API String ID: 1620240345-1624138275
Opcode ID: 7413501ce0a506d984526813058e47a664beb516ea88e38bf8437740fe2ce372
Instruction ID: 00656392063dec48de0538246a3a7f9acd77e9e4c82ad09656b3f43602c32f3f
Opcode Fuzzy Hash: 7413501ce0a506d984526813058e47a664beb516ea88e38bf8437740fe2ce372
Instruction Fuzzy Hash: 72113D71A10618DBDB01EFD1C881BDEB7B8BF04305F40402EE506AB195DBB89E09CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043B04C, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0043B04C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				int _t19;
				void* _t30;
				void* _t37;
				void* _t38;

				_t35 = __edi;
				_t28 = __ebx;
				_push(0x88);
				E0045B8C9(0x4a644c, __ebx, __edi, __esi);
				_t37 = __ecx;
				_t1 = _t38 + 0xc; // 0x4c2f40
				_t17 =  *_t1;
				_t30 = 4;
				_t18 =  ==  ? _t30 : _t17;
				_t19 = WriteFile( *(__ecx + 8),  *(_t38 + 8),  ==  ? _t30 : _t17, _t38 - 0x94, 0);
				_t41 = _t19;
				if(_t19 == 0) {
					_push(_t19);
					_push(_t37 + 0xc);
					 *((intOrPtr*)(_t38 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t38 - 0x18)) = 0x4ae96c;
					E00408E82(__ebx, _t38 - 0x40, __edi, _t37, _t41);
					_t9 = _t38 - 4;
					 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
					_push(1);
					_t11 = _t38 - 0x40; // 0x4ae964
					E00416910(_t38 - 0x90, _t37,  *_t9);
					E0045A466(_t38 - 0x90, 0x4c9bf0);
				}
				return E0045B878(_t28, _t35, _t37);
			}

0x0043b04c
0x0043b04c
0x0043b04c
0x0043b056
0x0043b05b
0x0043b05d
0x0043b05d
0x0043b065
0x0043b06b
0x0043b07a
0x0043b080
0x0043b082
0x0043b084
0x0043b088
0x0043b08c
0x0043b093
0x0043b09a
0x0043b09f
0x0043b09f
0x0043b0a3
0x0043b0a5
0x0043b0af
0x0043b0c0
0x0043b0c0
0x0043b0d0

APIs

__EH_prolog3_GS.LIBCMT ref: 0043B056
WriteFile.KERNEL32(?,?,@/L,?,00000000,00000088,0043BED0,?,00000004,004AFFB8,40000000,00000001,00000080,00000004,00000000,00000000), ref: 0043B07A

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917

__CxxThrowException@8.LIBCMT ref: 0043B0C0

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

@/L, xrefs: 0043B05D, 0043B075
dJ, xrefs: 0043B0A5, 0043B0A8
lJ, xrefs: 0043B093

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
String ID: @/L$dJ$lJ
API String ID: 3362004152-3790234748
Opcode ID: 8690275d1526d2332ee02e1524a58a659255e8a80e78cf6c481754d69feeab58
Instruction ID: 0a4b124f919e328bd1a347b2eaad7cfb0d66488a83040bb127d7c4cf7af81d52
Opcode Fuzzy Hash: 8690275d1526d2332ee02e1524a58a659255e8a80e78cf6c481754d69feeab58
Instruction Fuzzy Hash: 68011AB1900218EBDB14EBA1CC46FEE7378FB14714F10815EFA19A6191DB74AE49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043AEBA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043AEBA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				int _t19;
				void* _t38;
				void* _t39;

				_t36 = __edi;
				_push(0x88);
				E0045B8C9(0x4a63bc, __ebx, __edi, __esi);
				_t38 = __ecx;
				_t1 = _t39 + 0xc; // 0x4c2f40
				_t17 =  *_t1;
				_t18 =  ==  ? 1 : _t17;
				_t19 = WriteFile( *(__ecx + 8),  *(_t39 + 8),  ==  ? 1 : _t17, _t39 - 0x94, 0);
				_t42 = _t19;
				if(_t19 == 0) {
					_push(_t19);
					_push(_t38 + 0xc);
					 *((intOrPtr*)(_t39 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t39 - 0x18)) = 0x4ae96c;
					E00408E82(1, _t39 - 0x40, __edi, _t38, _t42);
					_t9 = _t39 - 4;
					 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
					_push(1);
					_push(_t39 - 0x40);
					E00416910(_t39 - 0x90, _t38,  *_t9);
					E0045A466(_t39 - 0x90, 0x4c9bf0);
				}
				return E0045B878(1, _t36, _t38);
			}

0x0043aeba
0x0043aeba
0x0043aec4
0x0043aec9
0x0043aecb
0x0043aecb
0x0043aee0
0x0043aee8
0x0043aeee
0x0043aef0
0x0043aef2
0x0043aef6
0x0043aefa
0x0043af01
0x0043af08
0x0043af0d
0x0043af0d
0x0043af11
0x0043af15
0x0043af1c
0x0043af2d
0x0043af2d
0x0043af3d

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AEC4
WriteFile.KERNEL32(?,?,@/L,?,00000000,00000088,0043C98B,00000000,-00000002,00000000,00000000,?,00000000,00000000,?,00000004), ref: 0043AEE8

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917

__CxxThrowException@8.LIBCMT ref: 0043AF2D

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

@/L, xrefs: 0043AECB, 0043AEE3
dJ, xrefs: 0043AEFA
lJ, xrefs: 0043AF01

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
String ID: @/L$dJ$lJ
API String ID: 3362004152-3790234748
Opcode ID: a8f0417ea2e5c657c9a82e35426fe8a6fdc38825927a567c845aec040faa607a
Instruction ID: 13aa82d18a60b94b9089ee7ac7efb0d69e340ae776c97e7f09679b6a2e0860a7
Opcode Fuzzy Hash: a8f0417ea2e5c657c9a82e35426fe8a6fdc38825927a567c845aec040faa607a
Instruction Fuzzy Hash: C5011AB1900218EFDB10EBA1CC81FAEB36CFB14314F50856EF559A6191DB74AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043AFC6, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 39
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E0043AFC6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t17;
				int _t19;
				void* _t38;
				void* _t39;

				_t36 = __edi;
				_push(0x88);
				E0045B8C9(0x4a641c, __ebx, __edi, __esi);
				_t38 = __ecx;
				_t1 = _t39 + 0xc; // 0x4c2f40
				_t17 =  *_t1;
				_t18 =  ==  ? 1 : _t17;
				_t19 = WriteFile( *(__ecx + 8),  *(_t39 + 8),  ==  ? 1 : _t17, _t39 - 0x94, 0);
				_t42 = _t19;
				if(_t19 == 0) {
					_push(_t19);
					_push(_t38 + 0xc);
					 *((intOrPtr*)(_t39 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t39 - 0x18)) = 0x4ae96c;
					E00408E82(1, _t39 - 0x40, __edi, _t38, _t42);
					_t9 = _t39 - 4;
					 *(_t39 - 4) =  *(_t39 - 4) & 0x00000000;
					_push(1);
					_t11 = _t39 - 0x40; // 0x4ae964
					E00416910(_t39 - 0x90, _t38,  *_t9);
					E0045A466(_t39 - 0x90, 0x4c9bf0);
				}
				return E0045B878(1, _t36, _t38);
			}

0x0043afc6
0x0043afc6
0x0043afd0
0x0043afd5
0x0043afd7
0x0043afd7
0x0043afec
0x0043aff4
0x0043affa
0x0043affc
0x0043affe
0x0043b002
0x0043b006
0x0043b00d
0x0043b014
0x0043b019
0x0043b019
0x0043b01d
0x0043b01e
0x0043b028
0x0043b039
0x0043b039
0x0043b049

APIs

__EH_prolog3_GS.LIBCMT ref: 0043AFD0
WriteFile.KERNEL32(?,?,@/L,?,00000000,00000088,0043BEE2,00000000,?,?,00000004,004AFFB8,40000000,00000001,00000080,00000004), ref: 0043AFF4

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917

__CxxThrowException@8.LIBCMT ref: 0043B039

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

@/L, xrefs: 0043AFD7, 0043AFEF
dJ, xrefs: 0043B01E, 0043B021
lJ, xrefs: 0043B00D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowWrite
String ID: @/L$dJ$lJ
API String ID: 3362004152-3790234748
Opcode ID: f3a32dad83c2f702b56260f3fc74c245ebbac3680820d49e7125c89f75880b56
Instruction ID: e225bcadb302f60d76c3a296ef5192234c57af3053a3f56843dda92a47bac3f1
Opcode Fuzzy Hash: f3a32dad83c2f702b56260f3fc74c245ebbac3680820d49e7125c89f75880b56
Instruction Fuzzy Hash: BC011EB1500218EFDB10DBA1CC85FAE7378FB14314F10856EF559A6191DB749E49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004496EA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 33
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E004496EA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				int _t17;
				void* _t31;
				void* _t34;

				_t25 = __ebx;
				_push(0x84);
				E0045B8C9(0x4a8403, __ebx, __edi, __esi);
				_t31 = __ecx;
				_t3 = _t34 + 0xc; // 0x4c2f40
				_t33 =  *_t3;
				_t17 = SetFileTime( *(__ecx + 8),  *_t3,  *(_t34 + 0x10),  *(_t34 + 8));
				_t36 = _t17;
				if(_t17 == 0) {
					_push(_t17);
					_push(_t31 + 0xc);
					 *((intOrPtr*)(_t34 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t34 - 0x18)) = 0x4ae96c;
					E00408E82(__ebx, _t34 - 0x40, _t31, _t33, _t36);
					_t9 = _t34 - 4;
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_push(1);
					_t11 = _t34 - 0x40; // 0x4ae964
					E00416910(_t34 - 0x90, _t33,  *_t9);
					E0045A466(_t34 - 0x90, 0x4c9bf0);
				}
				return E0045B878(_t25, _t31, _t33);
			}

0x004496ea
0x004496ea
0x004496f4
0x004496f9
0x00449701
0x00449701
0x0044970a
0x00449710
0x00449712
0x00449714
0x00449718
0x0044971c
0x00449723
0x0044972a
0x0044972f
0x0044972f
0x00449733
0x00449735
0x0044973f
0x00449750
0x00449750
0x0044975a

APIs

__EH_prolog3_GS.LIBCMT ref: 004496F4
SetFileTime.KERNEL32(?,@/L,?,?,00000084,00441A50,?,?,?,00000000,?,00000000,00000000,?,00000000), ref: 0044970A

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00416910: __EH_prolog3.LIBCMT ref: 00416917

__CxxThrowException@8.LIBCMT ref: 00449750

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Strings

lJ, xrefs: 00449723
dJ, xrefs: 00449735, 00449738
@/L, xrefs: 00449701, 00449706

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$ExceptionException@8FileH_prolog3_RaiseThrowTime
String ID: @/L$dJ$lJ
API String ID: 2956807928-3790234748
Opcode ID: 1a5f5289fd77c0c317e7df027fef9e9c90b9169484537770177ea6aa96869be5
Instruction ID: 4f968d0901fb261016ef6a77dc16ba74f83c660e7ca175533af5cb92d994887a
Opcode Fuzzy Hash: 1a5f5289fd77c0c317e7df027fef9e9c90b9169484537770177ea6aa96869be5
Instruction Fuzzy Hash: 1BF01DB5900209EBDB00EF92CC45FDE777CFB14314F00815AF914A7141DB78AA15CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00418089, Relevance: 9.2, APIs: 6, Instructions: 245
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00418089(intOrPtr __ecx, signed int __edx, void* __eflags, void** _a4, short* _a8, intOrPtr _a12) {
				int _v8;
				char _v16;
				intOrPtr _v20;
				signed int _v24;
				short _v8216;
				char _v8472;
				int _v8476;
				signed int _v8480;
				intOrPtr _v8484;
				char _v8488;
				char _v8492;
				short* _v8496;
				void** _v8500;
				intOrPtr _v8504;
				intOrPtr _v8508;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				signed int _t80;
				WCHAR* _t91;
				WCHAR* _t93;
				long _t95;
				WCHAR* _t96;
				void* _t97;
				WCHAR* _t99;
				signed char _t101;
				signed char _t111;
				WCHAR* _t117;
				void* _t124;
				WCHAR* _t130;
				WCHAR* _t131;
				int _t135;
				void* _t136;
				char _t137;
				signed int _t154;
				void* _t158;
				signed int _t166;
				signed int _t168;
				void** _t172;
				void* _t173;
				WCHAR* _t174;
				signed int _t176;
				WCHAR* _t177;
				short* _t179;
				void* _t180;
				int _t182;
				char* _t184;
				signed int _t185;
				intOrPtr _t186;
				void* _t188;

				_t188 = __eflags;
				_t168 = __edx;
				_push(0xffffffff);
				_push(0x4a2661);
				_push( *[fs:0x0]);
				_push(__ecx);
				E0045BDF0(0x2128);
				_t79 =  *0x4d7e88; // 0x9518852c
				_t80 = _t79 ^ _t185;
				_v24 = _t80;
				_push(_t80);
				 *[fs:0x0] =  &_v16;
				_v20 = _t186;
				_v8484 = __ecx;
				_t172 = _a4;
				_t179 = _a8;
				_v8508 = _a12;
				_t135 = 0;
				_v8504 = __ecx;
				_v8500 = _t172;
				_v8496 = _t179;
				_v8480 = 0;
				if(E0041D0ED(__ecx, _t188,  &_v8216) < 0) {
					L38:
					 *[fs:0x0] = _v16;
					_pop(_t173);
					_pop(_t180);
					_pop(_t136);
					return E0045A457(_t136, _v24 ^ _t185, _t168, _t173, _t180);
				}
				if(E00422F30( &_v8216,  &_v8480) != 0) {
					E004227E4(_v8484, __eflags);
					_t91 = E0041D0ED(_v8484, __eflags,  &_v8216);
					__eflags = _t91;
					if(_t91 < 0) {
						goto L38;
					}
					_t93 = (_v8480 & 0x0000ffff) - 8;
					__eflags = _t93;
					if(_t93 == 0) {
						_t95 = E00411F8C(_t172, _t179,  &_v8216, 1);
						L34:
						_t174 = _t95;
						L35:
						__eflags = _t174;
						if(__eflags == 0) {
							L37:
							_t96 = E0041D0ED(_v8484, __eflags, _v8508);
							__eflags = _t96;
							_t150 =  <  ? _t96 : 0;
							_t97 =  <  ? _t96 : 0;
							goto L38;
						}
						E00418882(_t174);
						goto L38;
					}
					_t99 = _t93 - 9;
					__eflags = _t99;
					if(_t99 == 0) {
						_t101 = E0045B5D4( &_v8216);
						_v8488 = _t101;
						__eflags = _t101 & 0x00000001;
						if((_t101 & 0x00000001) == 0) {
							asm("cdq");
							_t182 = _t101 - _t168 >> 1;
							_v8492 = _t182;
							_v8476 = 0;
							_v8 = 3;
							_v8 = 4;
							E00418413( &_v8476, _t182);
							__eflags = _v8476;
							if(_v8476 != 0) {
								E0045A4D0(_v8476, 0, _t182);
								__eflags = _v8488;
								_t154 = 0;
								_v8480 = 0;
								if(_v8488 <= 0) {
									L31:
									_t174 = RegSetValueExW( *_v8500, _v8496, _t135, 3, _v8476, _t182);
									__eflags = _v8476 -  &_v8472;
									if(_v8476 !=  &_v8472) {
										E00419EDD( &_v8476);
									}
									goto L35;
								}
								_t137 = _v8488;
								do {
									asm("cdq");
									_t176 = _t154 - _t168 >> 1;
									_t111 = E00418CA4( *(_t185 + _t154 * 2 - 0x2014) & 0x0000ffff);
									_t168 = (_v8480 & 0x00000001) << 2;
									_t158 = 4;
									 *(_t176 + _v8476) =  *(_t176 + _v8476) | _t111 << _t158 - _t168;
									_t154 = _v8480 + 1;
									_v8480 = _t154;
									__eflags = _t154 - _t137;
								} while (_t154 < _t137);
								_t182 = _v8492;
								_t135 = 0;
								__eflags = 0;
								goto L31;
							} else {
								__eflags =  &_v8472;
								if( &_v8472 != 0) {
									E00419EDD( &_v8476);
								}
								goto L22;
							}
						}
						L22:
						goto L38;
					}
					_t117 = _t99;
					__eflags = _t117;
					if(_t117 == 0) {
						__imp__#277( &_v8216, 0, 0,  &_v8492);
						_v8488 = _v8492;
						_t95 = RegSetValueExW( *_t172, _t179, 0, 4,  &_v8488, 4);
						goto L34;
					}
					__eflags = _t117 - 0x3ff5;
					if(__eflags != 0) {
						goto L37;
					}
					_t124 = E0045B5D4( &_v8216);
					_v8476 = 0;
					_v8 = 0;
					_v8 = 1;
					E00418442(0,  &_v8476, _t168, _t172, _t124 + 2);
					_t184 = _v8476;
					__eflags = _t184;
					if(_t184 == 0) {
						_t174 = 0xe;
						goto L18;
					} else {
						__eflags = _v8216;
						_t177 =  &_v8216;
						if(_v8216 == 0) {
							L16:
							 *_t184 = 0;
							_t130 = E00422233(_v8496, _v8476);
							_t184 = _v8476;
							_t174 = _t130;
							L18:
							__eflags = _t184 -  &_v8472;
							if(_t184 !=  &_v8472) {
								E00419EE6( &_v8476);
							}
							goto L35;
						} else {
							goto L11;
						}
						do {
							L11:
							_t131 = CharNextW(_t177);
							_t166 =  *_t177 & 0x0000ffff;
							__eflags = _t166 - 0x5c;
							if(_t166 != 0x5c) {
								L14:
								 *_t184 = _t166;
								_t184 =  &(_t184[2]);
								_t177 =  &(_t177[1]);
								__eflags = _t177;
								goto L15;
							}
							__eflags =  *_t131 - 0x30;
							if( *_t131 != 0x30) {
								goto L14;
							}
							 *_t184 = 0;
							_t184 =  &(_t184[2]);
							_t177 = CharNextW(_t131);
							L15:
							__eflags =  *_t177 - _t135;
						} while ( *_t177 != _t135);
						goto L16;
					}
				}
				goto L38;
			}

0x00418089
0x00418089
0x0041808c
0x0041808e
0x00418099
0x0041809a
0x004180a0
0x004180a5
0x004180aa
0x004180ac
0x004180b2
0x004180b6
0x004180bc
0x004180bf
0x004180c8
0x004180cb
0x004180ce
0x004180da
0x004180dd
0x004180e3
0x004180e9
0x004180ef
0x004180fc
0x004183f7
0x004183fa
0x00418402
0x00418403
0x00418404
0x00418410
0x00418410
0x00418119
0x0041812b
0x0041813d
0x00418142
0x00418144
0x00000000
0x00000000
0x00418151
0x00418151
0x00418154
0x004183c9
0x004183ce
0x004183ce
0x004183d0
0x004183d0
0x004183d2
0x004183dd
0x004183e9
0x004183f0
0x004183f2
0x004183f5
0x00000000
0x004183f5
0x004183d5
0x00000000
0x004183da
0x0041815a
0x0041815a
0x0041815d
0x0041828e
0x00418294
0x0041829a
0x0041829c
0x004182a8
0x004182ad
0x004182af
0x004182b5
0x004182bb
0x004182c9
0x004182cd
0x004182ee
0x004182f5
0x00418316
0x0041831e
0x00418325
0x00418327
0x0041832d
0x00418382
0x004183a0
0x004183a8
0x004183ae
0x004183b6
0x004183b6
0x00000000
0x004183ae
0x0041832f
0x00418335
0x00418345
0x0041834b
0x0041834d
0x0041835c
0x00418361
0x0041836c
0x0041836f
0x00418370
0x00418376
0x00418376
0x0041837a
0x00418380
0x00418380
0x00000000
0x004182f7
0x004182fd
0x004182ff
0x00418307
0x00418307
0x00000000
0x004182ff
0x004182f5
0x0041829e
0x00000000
0x0041829e
0x00418164
0x00418164
0x00418165
0x0041825b
0x00418269
0x0041827c
0x00000000
0x0041827c
0x0041816b
0x00418170
0x00000000
0x00000000
0x0041817d
0x00418186
0x0041818c
0x00418196
0x0041819a
0x004181b5
0x004181bb
0x004181bd
0x0041822c
0x00000000
0x004181bf
0x004181bf
0x004181c7
0x004181cd
0x00418205
0x0041820d
0x0041821b
0x00418220
0x00418226
0x0041822d
0x00418233
0x00418235
0x00418241
0x00418241
0x00000000
0x00000000
0x00000000
0x00000000
0x004181cf
0x004181cf
0x004181d0
0x004181d6
0x004181d9
0x004181dc
0x004181f7
0x004181f7
0x004181fa
0x004181fd
0x004181fd
0x00000000
0x004181fd
0x004181de
0x004181e2
0x00000000
0x00000000
0x004181e6
0x004181ea
0x004181f3
0x00418200
0x00418200
0x00418200
0x00000000
0x004181cf
0x004181bd
0x00000000

APIs

Part of subcall function 00422F30: lstrcmpiW.KERNEL32(?,?,?,00418115,?,?,?,9518852C,?,?,?,?,?,004A2661,000000FF), ref: 00422F9F

CharNextW.USER32(00000000), ref: 004181D0
CharNextW.USER32(00000000), ref: 004181ED

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 75b86480ff2c86fd2d090e7e758453bfd5abd0492945ca745e44ec5188ac908d
Instruction ID: 6a41891641c1f6e907db44587bebe3775a3a591930b1439f5653ddd4b393185a
Opcode Fuzzy Hash: 75b86480ff2c86fd2d090e7e758453bfd5abd0492945ca745e44ec5188ac908d
Instruction Fuzzy Hash: F191A171900229DADB25CF14CC499EAB7B4EB18714F1500EFEA09A3240DB789ED5CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040ADF4, Relevance: 9.2, APIs: 6, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040ADF4(void* __ebx, void** __ecx, void* __edi, signed int* __esi, void* __eflags) {
				signed short* _t73;
				void* _t78;
				intOrPtr _t80;
				signed int _t84;
				signed int _t86;
				void* _t108;
				void** _t115;
				void* _t119;
				signed short* _t121;
				void* _t131;
				intOrPtr _t135;
				signed int _t138;
				void* _t145;
				void* _t146;
				void* _t147;

				_t143 = __esi;
				_t139 = __edi;
				_push(0xc0);
				E0045B8C9(0x4a0669, __ebx, __edi, __esi);
				_t115 = __ecx;
				 *((intOrPtr*)(_t145 - 0xbc)) =  *((intOrPtr*)(_t145 + 8));
				 *(_t145 - 0xc4) =  *(_t145 + 0x10);
				if(__ecx[1] != 0) {
					_t143 = GlobalLock( *__ecx);
					 *(_t145 - 0xb8) = 0 | _t143[0] == 0x0000ffff;
					 *(_t145 - 0xcc) = E0040AD9F(_t143);
					_t119 = 3;
					_t142 =  !=  ? _t119 : 1;
					_t139 = ( !=  ? _t119 : 1) + ( !=  ? _t119 : 1);
					if( *(_t145 - 0xb8) == 0) {
						 *_t143 =  *_t143 | 0x00000040;
					} else {
						_t143[3] = _t143[3] | 0x00000040;
					}
					_t73 = E0040AC7F(_t143);
					 *(_t145 - 0xc0) = _t73;
					if( *((short*)(_t145 + 0x14)) == 0 || ( *_t73 & 0x0000ffff) ==  *((intOrPtr*)(_t145 + 0x14))) {
						_t74 =  *(_t145 - 0xc4);
						if( *(_t145 - 0xc4) == 0) {
							L11:
							E0045B5ED(_t145 - 0x50,  *((intOrPtr*)(_t145 - 0xbc)), 0x20);
							_t78 = E0045B5D4(_t145 - 0x50);
							_t147 = _t146 + 0x10;
							_t80 = _t139 + (_t78 + 1) * 2;
							 *((intOrPtr*)(_t145 - 0xc8)) = _t80;
							if( *(_t145 - 0xcc) == 0) {
								_t135 = 0;
							} else {
								_t135 = _t139 + (E0045B5D4( *(_t145 - 0xc0) + _t139) + 1) * 2;
								_t80 =  *((intOrPtr*)(_t145 - 0xc8));
							}
							_t121 =  *(_t145 - 0xc0);
							 *((intOrPtr*)(_t145 - 0xbc)) = _t135;
							_t138 = _t135 + 0x00000003 + _t121 & 0xfffffffc;
							 *(_t145 - 0xcc) = _t138;
							 *(_t145 - 0xc4) = _t80 + 0x00000003 + _t121 & 0xfffffffc;
							if( *(_t145 - 0xb8) == 0) {
								_t84 = _t143[2] & 0x0000ffff;
							} else {
								_t84 = _t143[4] & 0x0000ffff;
							}
							 *(_t145 - 0xb8) = _t84;
							_t86 =  *(_t145 - 0xc4);
							if( *((intOrPtr*)(_t145 - 0xc8)) !=  *((intOrPtr*)(_t145 - 0xbc)) &&  *(_t145 - 0xb8) > 0) {
								E0045AF90(_t86, _t138, _t143);
								_t121 =  *(_t145 - 0xc0);
								_t147 = _t147 + 0xc;
							}
							 *_t121 =  *((intOrPtr*)(_t145 + 0xc));
							E0045AF90(_t121 + _t139, _t145 - 0x50,  *((intOrPtr*)(_t145 - 0xc8)) - _t139);
							_t115[1] = _t115[1] +  *(_t145 - 0xc4) -  *(_t145 - 0xcc);
							GlobalUnlock( *_t115);
							_t115[2] = _t115[2] & 0x00000000;
						} else {
							E004091B8(_t145 - 0x80, _t74, _t145 - 0xb1, 1);
							 *(_t145 - 4) =  *(_t145 - 4) & 0x00000000;
							E004091B8(_t145 - 0xb0,  *(_t145 - 0xc0) + _t139, _t145 - 0xb1, 1);
							_t108 = E0040AB22(_t145 - 0x80, _t145 - 0xb0);
							_t131 = _t145 - 0xb0;
							if(_t108 != 0) {
								E00401B80(_t131);
								E00401B80(_t145 - 0x80);
								goto L11;
							} else {
								E00401B80(_t131);
								E00401B80(_t145 - 0x80);
								goto L1;
							}
						}
					} else {
						goto L1;
					}
				} else {
					L1:
				}
				return E0045B878(_t115, _t139, _t143);
			}

0x0040adf4
0x0040adf4
0x0040adf4
0x0040adfe
0x0040ae03
0x0040ae0c
0x0040ae15
0x0040ae1b
0x0040ae2c
0x0040ae3d
0x0040ae4c
0x0040ae5c
0x0040ae5d
0x0040ae60
0x0040ae64
0x0040ae6c
0x0040ae66
0x0040ae66
0x0040ae66
0x0040ae70
0x0040ae7b
0x0040ae81
0x0040ae8c
0x0040ae94
0x0040af04
0x0040af10
0x0040af19
0x0040af1f
0x0040af29
0x0040af2c
0x0040af32
0x0040af4f
0x0040af34
0x0040af44
0x0040af47
0x0040af47
0x0040af51
0x0040af57
0x0040af67
0x0040af74
0x0040af7a
0x0040af80
0x0040af88
0x0040af82
0x0040af82
0x0040af82
0x0040af8c
0x0040af9e
0x0040afa4
0x0040afb8
0x0040afbd
0x0040afc3
0x0040afc3
0x0040afca
0x0040afdd
0x0040aff3
0x0040aff6
0x0040affc
0x0040ae96
0x0040aea3
0x0040aea8
0x0040aec4
0x0040aed4
0x0040aedb
0x0040aee3
0x0040aef7
0x0040aeff
0x00000000
0x0040aee5
0x0040aee5
0x0040aeed
0x00000000
0x0040aeed
0x0040aee3
0x00000000
0x00000000
0x00000000
0x0040ae1d
0x0040ae1d
0x0040ae1d
0x0040b008

APIs

__EH_prolog3_GS.LIBCMT ref: 0040ADFE
GlobalLock.KERNEL32 ref: 0040AE26

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

_wcsncpy.LIBCMT ref: 0040AF10
_memmove.LIBCMT ref: 0040AFB8
_memmove.LIBCMT ref: 0040AFDD
GlobalUnlock.KERNEL32 ref: 0040AFF6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeGlobalLastString_memmove$H_prolog3_LockUnlock_wcsncpy
String ID:
API String ID: 2730803256-0
Opcode ID: 51d59601fc39af26cc66bc8dbbfd3b0ff48c5f22368105875a3a0bfd4e460f0c
Instruction ID: 6a30a7b4f7439acfd1ae90615c977084f39bd67bc8e3b672b2edd084a0976cad
Opcode Fuzzy Hash: 51d59601fc39af26cc66bc8dbbfd3b0ff48c5f22368105875a3a0bfd4e460f0c
Instruction Fuzzy Hash: D15150719002259BEB24EF65CC45F9AB7B5FF40304F0485AAE409E72C1EB789E94CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00480CE0, Relevance: 9.1, APIs: 4, Strings: 2, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00480CE0(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t44;
				intOrPtr _t49;
				intOrPtr* _t51;
				signed int _t52;
				signed int _t53;
				void* _t54;
				intOrPtr* _t62;
				void* _t63;
				signed int _t65;
				short* _t67;
				void* _t75;
				intOrPtr* _t77;
				void* _t78;
				intOrPtr _t80;
				short _t81;
				void* _t83;
				signed int _t84;

				_t75 = __edx;
				_push(0xffffffff);
				_push(0x4aaa08);
				_push( *[fs:0x0]);
				_t43 =  *0x4d7e88; // 0x9518852c
				_t44 = _t43 ^ _t84;
				_v20 = _t44;
				_push(_t44);
				 *[fs:0x0] =  &_v16;
				_t77 = _a4;
				_t80 = _a8;
				_t62 = _a12;
				_v76 = _t77;
				_v72 = 0;
				_v68 = 0x4c2f78;
				_v28 = 0x4c2fa8;
				_v24 = GetLastError();
				_v8 = 0;
				if(_t80 == 0) {
					_t81 = 0;
					__eflags = 0;
				} else {
					_t81 = _t80 + 4;
				}
				_push(0xffffffff);
				_v44 = 7;
				_v48 = 0;
				_v64 = 0;
				E00406630(_t62,  &_v64, _t77, _t81, 0);
				_t49 = _v28;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t20 = _t49 + 4; // 0x4
				SetLastError( *(_t84 +  *_t20 - 0x18));
				_t88 =  *_t62;
				_v8 = 1;
				if( *_t62 != 0) {
					_t51 = _t62;
					_t24 = _t51 + 2; // 0xa
					_t75 = _t24;
					do {
						_t65 =  *_t51;
						_t51 = _t51 + 2;
						__eflags = _t65;
					} while (_t65 != 0);
					_t52 = _t51 - _t75;
					__eflags = _t52;
					_t53 = _t52 >> 1;
				} else {
					_t53 = 0;
				}
				_t54 = E00412995(_t62,  &_v64, _t77, _t81, _t88, _t62);
				 *_t77 = 0x4c2f78;
				 *((intOrPtr*)(_t77 + 0x28)) = 0x4c2fa8;
				 *((intOrPtr*)(_t77 + 0x2c)) = GetLastError();
				_t28 = _t77 + 4; // 0x4
				_t67 = _t28;
				 *((intOrPtr*)(_t67 + 0x14)) = 7;
				 *((intOrPtr*)(_t67 + 0x10)) = 0;
				_v8 = 2;
				 *_t67 = 0;
				E00406630(_t62, _t67, _t77, _t54, 0);
				 *((intOrPtr*)(_t77 + 0x1c)) = 0;
				 *((intOrPtr*)(_t77 + 0x20)) = 0;
				 *((intOrPtr*)(_t77 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x28)) + 4)) + _t77 + 0x28));
				E00401AC0( &_v68);
				 *[fs:0x0] = _v16;
				_t78 = 0xffffffff;
				_t83 = _t53;
				_pop(_t63);
				return E0045A457(_t63, _v20 ^ _t84, _t75, _t78, _t83);
			}

0x00480ce0
0x00480ce3
0x00480ce5
0x00480cf0
0x00480cf4
0x00480cf9
0x00480cfb
0x00480d01
0x00480d05
0x00480d0b
0x00480d0e
0x00480d11
0x00480d14
0x00480d17
0x00480d1e
0x00480d25
0x00480d32
0x00480d35
0x00480d3e
0x00480d45
0x00480d45
0x00480d40
0x00480d40
0x00480d40
0x00480d49
0x00480d50
0x00480d57
0x00480d5e
0x00480d62
0x00480d67
0x00480d6a
0x00480d71
0x00480d78
0x00480d7f
0x00480d86
0x00480d8c
0x00480d90
0x00480d97
0x00480d9d
0x00480d9f
0x00480d9f
0x00480da2
0x00480da2
0x00480da5
0x00480da8
0x00480da8
0x00480dad
0x00480dad
0x00480daf
0x00480d99
0x00480d99
0x00480d99
0x00480db6
0x00480dbd
0x00480dc3
0x00480dd0
0x00480dd3
0x00480dd3
0x00480ddb
0x00480de2
0x00480dea
0x00480dee
0x00480df1
0x00480df6
0x00480dfd
0x00480e04
0x00480e15
0x00480e1e
0x00480e28
0x00480e30
0x00480e31
0x00480e32
0x00480e40

APIs

GetLastError.KERNEL32(9518852C), ref: 00480D2C
SetLastError.KERNEL32(004C2FA8,00000000,00000000,000000FF), ref: 00480D86
GetLastError.KERNEL32(00000008,00000006), ref: 00480DCA
SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00480E15

Strings

@/L, xrefs: 00480CE0
x/L, xrefs: 00480D1E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: @/L$x/L
API String ID: 1452528299-2858065147
Opcode ID: e961a0b0f9d055aa17c2c2ff96e24db3c7e7f9ecbe40eb67382e4c2da16102ce
Instruction ID: 87cbe82e4f6a84a4fc0e74222b28a6edac924dc311e6d795d9505ff1b75f8955
Opcode Fuzzy Hash: e961a0b0f9d055aa17c2c2ff96e24db3c7e7f9ecbe40eb67382e4c2da16102ce
Instruction Fuzzy Hash: D2419F71900219EFDB00DF95C944BAEBBF4FF08318F10466AE815AB7D0D7B9A905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00497DF0, Relevance: 9.1, APIs: 6, Instructions: 94
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00497DF0(struct HWND__** __ecx, WCHAR* _a4, char _a7, intOrPtr _a8) {
				DWORD* _v8;
				char _v16;
				struct HWND__** _v20;
				void* _v24;
				void* _v28;
				void* _v32;
				signed int _t18;
				void* _t25;
				void* _t26;
				long _t27;
				void* _t32;
				void* _t33;
				void* _t35;
				void* _t40;
				void* _t42;
				signed int _t44;
				void* _t45;
				signed int _t47;

				_push(0xffffffff);
				_push(0x4ac008);
				_push( *[fs:0x0]);
				_push(_t44);
				_t18 =  *0x4d7e88; // 0x9518852c
				_push(_t18 ^ _t47);
				 *[fs:0x0] =  &_v16;
				_v20 = __ecx;
				_t45 = _t44 | 0xffffffff;
				_v8 = 0;
				_t42 = 0;
				_v8 = 2;
				_t32 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0);
				if(_t32 == _t45) {
					L5:
					_a7 = 0;
					L6:
					_t33 = CloseHandle;
					if(_t42 != 0 && CloseHandle != 0) {
						CloseHandle(_t42);
					}
					if(_t45 != 0xffffffff && _t33 != 0) {
						CloseHandle(_t45);
					}
					 *[fs:0x0] = _v16;
					return _a7;
				}
				_t45 = _t32;
				_v24 = _t45;
				_t25 = CreateFileMappingW(_t32, 0, 2, 0, 0, 0);
				if(_t25 == 0) {
					goto L5;
				}
				_t42 = _t25;
				_v28 = _t42;
				_t26 = MapViewOfFile(_t25, 4, 0, 0, 0);
				_a4 = _t26;
				_t52 = _t26;
				if(_t26 == 0) {
					goto L5;
				}
				_v32 = _t26;
				_t27 = GetFileSize(_t32, 0);
				_t35 = _a4;
				E00497B90(_v20, _t40, _t52, _t35, _t27, _a8);
				_a7 = 1;
				if(UnmapViewOfFile != 0) {
					UnmapViewOfFile(_t35);
				}
				goto L6;
			}

0x00497df3
0x00497df5
0x00497e00
0x00497e05
0x00497e07
0x00497e0e
0x00497e12
0x00497e18
0x00497e1b
0x00497e1e
0x00497e25
0x00497e3a
0x00497e44
0x00497e48
0x00497ea9
0x00497ea9
0x00497ead
0x00497ead
0x00497eb5
0x00497ebc
0x00497ebc
0x00497ec1
0x00497ec8
0x00497ec8
0x00497ed0
0x00497ede
0x00497ede
0x00497e50
0x00497e53
0x00497e56
0x00497e5e
0x00000000
0x00000000
0x00497e68
0x00497e6b
0x00497e6e
0x00497e74
0x00497e77
0x00497e79
0x00000000
0x00000000
0x00497e7e
0x00497e84
0x00497e8a
0x00497e92
0x00497e9c
0x00497ea2
0x00497ea5
0x00497ea5
0x00000000

APIs

CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,9518852C,?,?), ref: 00497E3E
CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,?,?), ref: 00497E56
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,?), ref: 00497E6E
GetFileSize.KERNEL32(00000000,00000000,?,?,?), ref: 00497E84
CloseHandle.KERNEL32(00000000,?,?), ref: 00497EBC
CloseHandle.KERNEL32(?,?,?), ref: 00497EC8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: File$CloseCreateHandle$MappingSizeView
String ID:
API String ID: 2246244431-0
Opcode ID: 4a123e2b36e09df7ab110c0105e3f64c0c25cf8cd3b5087e04e7625e9548e0b0
Instruction ID: b8c82201c5bfa3cb934f55a732126ecc8f801c4b97a01a59e6aa39fe8782927b
Opcode Fuzzy Hash: 4a123e2b36e09df7ab110c0105e3f64c0c25cf8cd3b5087e04e7625e9548e0b0
Instruction Fuzzy Hash: EB31B175604244BEEF208F66CC85F6BBFACEB45B20F14456AFD20A63C1D7789D008768

Uniqueness

Uniqueness Score: -1.00%

Function 004982E0, Relevance: 9.1, APIs: 6, Instructions: 93
windowCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E004982E0(void* __ecx, intOrPtr _a4, void* _a8, struct HPALETTE__* _a12) {
				struct HWND__* _v8;
				void* _t39;
				BITMAPINFOHEADER* _t63;
				intOrPtr* _t67;

				_t67 = _a8;
				_t63 = _a12;
				_v8 = 0;
				_t4 =  &(_t63->biWidth); // 0x83008b0e
				 *(_t67 + 0x24) =  *_t4;
				_t6 =  &(_t63->biHeight); // 0x41890cc4
				 *(_t67 + 0x28) =  *_t6;
				_t8 =  &(_t63->biBitCount); // 0x840c706
				_t39 = ( *_t8 & 0x0000ffff) - 1;
				if(_t39 > 0x1f) {
					L15:
					return 0;
				} else {
					switch( *((intOrPtr*)(( *(_t39 + 0x49840c) & 0x000000ff) * 4 +  &M004983F8))) {
						case 0:
							 *(_t67 + 0x34) =  *(_t67 + 0x34) | 0x00000800;
							goto L8;
						case 1:
							 *(__esi + 0x34) =  *(__esi + 0x34) | 0x00000400;
							__eax = 0x40;
							goto L8;
						case 2:
							 *(__esi + 0x34) =  *(__esi + 0x34) | 0x00000100;
							_t18 = __edi + 0x20; // 0x1840c706
							__eax =  *_t18;
							if(__eax == 0) {
								__eax = 0x400;
							} else {
								__eax = __eax << 2;
							}
							goto L8;
						case 3:
							__eax = 0;
							 *(__esi + 0x34) =  *(__esi + 0x34) | 0x00000200;
							L8:
							_push(_t54);
							_a8 = _t63->biSize + 8 + _t63;
							_t55 = GetDC(0);
							_t44 = _a4;
							if( *((intOrPtr*)(_t44 + 0xc)) != 0) {
								_t50 =  *(_t44 + 0x24);
								if(_t50 == 0) {
									goto L11;
								} else {
									_v8 = 1;
									_a12 = SelectPalette(_t55, _t50, 0);
									 *(_a4 + 0x20) = 1;
									RealizePalette(_t55);
									 *(_a4 + 0x20) = 0;
								}
							}
							 *_t67 = CreateDIBitmap(_t55, _t63, 4, _a8, _t63, 0);
							if(_v8 != 0) {
								SelectPalette(_t55, _a12, 0);
							}
							ReleaseDC(0, _t55);
							return 1;
							goto L16;
						case 4:
							goto L15;
					}
				}
				L16:
			}

0x004982e5
0x004982e9
0x004982ec
0x004982f3
0x004982f6
0x004982f9
0x004982fc
0x004982ff
0x00498303
0x00498307
0x004983ee
0x004983f5
0x0049830d
0x00498314
0x00000000
0x0049831b
0x00000000
0x00000000
0x00498329
0x00498330
0x00000000
0x00000000
0x00498337
0x0049833e
0x0049833e
0x00498343
0x0049834a
0x00498345
0x00498345
0x00498345
0x00000000
0x00000000
0x00498351
0x00498353
0x0049835a
0x0049835e
0x00498363
0x0049836c
0x0049836e
0x00498375
0x00498377
0x0049837c
0x00000000
0x0049837e
0x00498382
0x00498393
0x00498396
0x0049839d
0x004983a6
0x004983a6
0x0049837c
0x004983c9
0x004983cb
0x004983d3
0x004983d3
0x004983dc
0x004983ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00498314
0x00000000

APIs

GetDC.USER32(00000000), ref: 00498366
SelectPalette.GDI32(00000000,?,00000000), ref: 00498389
RealizePalette.GDI32(00000000), ref: 0049839D
CreateDIBitmap.GDI32(00000000,00490AAE,00000004,?,00490AAE,00000000), ref: 004983BF
SelectPalette.GDI32(00000000,00490AAE,00000000), ref: 004983D3
ReleaseDC.USER32 ref: 004983DC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Palette$Select$BitmapCreateRealizeRelease
String ID:
API String ID: 1213237138-0
Opcode ID: 5b15afb5b321e723f6070fe6d0f84394cd560d501ca0fa69a53005f137dd0ad7
Instruction ID: ff78eb9a913cebc5bb2bceec31f5aa190bdab4a5028c9e9516796416ac309b9a
Opcode Fuzzy Hash: 5b15afb5b321e723f6070fe6d0f84394cd560d501ca0fa69a53005f137dd0ad7
Instruction Fuzzy Hash: 4E318071200204EFEB208F59CC48B6A7FE8FB09714F04452EF959CB691D7B9E810DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00402CE0, Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00402CE0(intOrPtr _a4, intOrPtr _a12) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t29;
				intOrPtr* _t34;
				intOrPtr* _t37;
				intOrPtr* _t39;
				intOrPtr _t43;
				void* _t45;
				void* _t48;
				signed int _t53;

				_push(0xffffffff);
				_push(0x4ac418);
				_push( *[fs:0x0]);
				_push(_t39);
				_t23 =  *0x4d7e88; // 0x9518852c
				_push(_t23 ^ _t53);
				 *[fs:0x0] =  &_v16;
				_t37 = _t39;
				_v20 = _t37;
				if(_a12 != 0) {
					 *_t37 = 0x4c2f50;
					 *((intOrPtr*)(_t37 + 0x28)) = 0x4c3454;
				}
				_t48 =  !=  ? _a4 : 0x4c2d7c;
				_t51 =  *((intOrPtr*)( *_t37 + 4));
				 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 4)) + _t37)) = GetLastError();
				_v8 = 0;
				_t45 =  !=  ? 0x4c2d7c : 0x4c2d7c;
				_t29 = 0;
				 *((intOrPtr*)(_t37 + 0x18)) = 7;
				 *((intOrPtr*)(_t37 + 0x14)) = 0;
				 *((short*)(_t37 + 4)) = 0;
				if( *0x4c2d7c != 0) {
					_t34 = 0x4c2d7c;
					_t12 = _t34 + 2; // 0x4c2d7e
					_t51 = _t12;
					do {
						_t43 =  *_t34;
						_t34 = _t34 + 2;
					} while (_t43 != 0);
					_t29 = _t34 - _t51 >> 1;
				}
				_push(_t29);
				_push(_t45);
				E00406EB0(_t37, _t37 + 4, _t48, _t51);
				 *((intOrPtr*)(_t37 + 0x1c)) = 0;
				 *((intOrPtr*)(_t37 + 0x20)) = 0;
				 *((intOrPtr*)(_t37 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t37 + 0x28)) + 4)) + _t37 + 0x28));
				 *[fs:0x0] = _v16;
				return _t37;
			}

0x00402ce3
0x00402ce5
0x00402cf0
0x00402cf1
0x00402cf5
0x00402cfc
0x00402d00
0x00402d06
0x00402d08
0x00402d0f
0x00402d11
0x00402d17
0x00402d17
0x00402d28
0x00402d2d
0x00402d36
0x00402d3b
0x00402d47
0x00402d4a
0x00402d4c
0x00402d53
0x00402d5a
0x00402d61
0x00402d63
0x00402d65
0x00402d65
0x00402d70
0x00402d70
0x00402d73
0x00402d76
0x00402d7d
0x00402d7d
0x00402d7f
0x00402d80
0x00402d84
0x00402d89
0x00402d90
0x00402d97
0x00402da8
0x00402db3
0x00402dc1

APIs

GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Strings

|-L, xrefs: 00402D42
|-L, xrefs: 00402D23
T4L, xrefs: 00402CE0
T4L, xrefs: 00402D17

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: T4L$T4L$|-L$|-L
API String ID: 1452528299-2443933283
Opcode ID: ee7a2875fa979588794b9bd4f5f08187854e702126dccdb8f13b37a514c0ba40
Instruction ID: 3d487a941f4fbf0e10e2e956ba3674c3ee8ea4abc64dc2e3db0120be19dbb5ec
Opcode Fuzzy Hash: ee7a2875fa979588794b9bd4f5f08187854e702126dccdb8f13b37a514c0ba40
Instruction Fuzzy Hash: 96214AB6600210DFCB00CF08C984B96BBF4EF48314F1581AAEC099B395D7B8ED04CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00415BA9, Relevance: 9.1, APIs: 6, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E00415BA9(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				char* _t44;
				intOrPtr* _t49;
				short* _t52;
				void* _t53;

				_push(4);
				E0045B896(0x4a1e3d, __ebx, __edi, __esi);
				_t49 = __ecx;
				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t53 + 0x14)) != 0) {
					 *__ecx = 0x4c346c;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c2f90;
				}
				 *( *((intOrPtr*)( *_t49 + 4)) + _t49) = GetLastError();
				_t52 = _t49 + 4;
				_t52[0xa] = 7;
				_t52[8] = 0;
				 *((intOrPtr*)(_t53 - 4)) = 0;
				 *_t52 = 0;
				 *((intOrPtr*)(_t49 + 0x1c)) = 0;
				 *((intOrPtr*)(_t49 + 0x20)) = 0;
				 *((intOrPtr*)(_t49 + 0x24)) = 0;
				_t14 =  *((intOrPtr*)(_t49 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t14 + _t49 + 0x28));
				_t44 =  !=  ?  *(_t53 + 8) : 0x4c2bd0;
				 *((char*)(_t53 - 4)) = 3;
				 *(_t53 + 8) = MultiByteToWideChar(0, 0, 0x4c2bd0,  *(_t53 + 0xc), 0, 0);
				E0040A9F7(_t52, _t35, 0);
				if(_t52[0xa] >= 8) {
					_t52 =  *_t52;
				}
				MultiByteToWideChar(0, 0, _t44,  *(_t53 + 0xc), _t52,  *(_t53 + 8));
				SetLastError( *( *((intOrPtr*)( *_t49 + 4)) + _t49));
				return E0045B864(_t49);
			}

0x00415ba9
0x00415bb0
0x00415bb5
0x00415bb7
0x00415bbe
0x00415bc0
0x00415bc6
0x00415bc6
0x00415bd8
0x00415bdb
0x00415be2
0x00415be9
0x00415bec
0x00415bef
0x00415bf2
0x00415bf5
0x00415bf8
0x00415bfe
0x00415c05
0x00415c14
0x00415c1f
0x00415c31
0x00415c34
0x00415c3d
0x00415c3f
0x00415c3f
0x00415c4d
0x00415c5b
0x00415c68

APIs

__EH_prolog3.LIBCMT ref: 00415BB0
GetLastError.KERNEL32(00000004,00415B83,?,00000000,?,00000001), ref: 00415BD2
SetLastError.KERNEL32(?), ref: 00415C05
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000), ref: 00415C26
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,00000002,00000000,00000000,00000000), ref: 00415C4D
SetLastError.KERNEL32(?), ref: 00415C5B

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide$H_prolog3
String ID:
API String ID: 1573742327-0
Opcode ID: f2d3b0cf66e7c967414c43329dad7f4141967efb014add3b33b19b5fffbd63df
Instruction ID: 0f8399f5b9376ae8944e464de6d227f6b76d96672a4cc19da16e8883afb6f630
Opcode Fuzzy Hash: f2d3b0cf66e7c967414c43329dad7f4141967efb014add3b33b19b5fffbd63df
Instruction Fuzzy Hash: F72135B5600205EFDB149F24D848B9ABBF8FF08305F10852EF9598B660C774EA90CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040FEB1, Relevance: 9.1, APIs: 6, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040FEB1(void* __ecx) {
				struct tagMSG _v32;
				void* _t9;
				long _t10;
				int _t11;
				void* _t21;
				HANDLE* _t22;

				_t21 = __ecx;
				_t22 = __ecx + 0x194;
				if( *_t22 != 0) {
					 *((char*)(__ecx + 0x18d)) = 1;
					while(1) {
						L9:
						_t10 = MsgWaitForMultipleObjects(1, _t22, 0, 0xffffffff, 0x4ff);
						if(_t10 == 0) {
							break;
						}
						if(_t10 != 1) {
							break;
						}
						while(PeekMessageW( &_v32, 0, 0, 0, 1) != 0) {
							if(_v32.message == 0xf || _v32.message == 0x113) {
								TranslateMessage( &_v32);
								DispatchMessageW( &_v32);
							}
							if(WaitForSingleObject( *_t22, 0) == 0) {
								goto L9;
							} else {
								continue;
							}
						}
					}
					_t11 = CloseHandle( *_t22);
					 *_t22 =  *_t22 & 0x00000000;
					 *((char*)(_t21 + 0x18d)) = 0;
					return _t11;
				}
				return _t9;
			}

0x0040feb9
0x0040febb
0x0040fec4
0x0040fec6
0x0040ff1c
0x0040ff1c
0x0040ff28
0x0040ff30
0x00000000
0x00000000
0x0040fed2
0x00000000
0x00000000
0x0040ff07
0x0040feda
0x0040fee9
0x0040fef3
0x0040fef3
0x0040ff05
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ff05
0x0040ff07
0x0040ff34
0x0040ff3a
0x0040ff3d
0x00000000
0x0040ff3d
0x0040ff47

APIs

PeekMessageW.USER32 ref: 0040FF12
MsgWaitForMultipleObjects.USER32 ref: 0040FF28
CloseHandle.KERNEL32(?), ref: 0040FF34

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CloseHandleMessageMultipleObjectsPeekWait
String ID:
API String ID: 2837130844-0
Opcode ID: 9fd293e973e1ac82b4328b76c5587ae6c92fa77f9d5122cd4c704caa38892bc2
Instruction ID: 6a689746d991167549c17fa8fe882c184d95f600c90854a8716a15440169a39d
Opcode Fuzzy Hash: 9fd293e973e1ac82b4328b76c5587ae6c92fa77f9d5122cd4c704caa38892bc2
Instruction Fuzzy Hash: 8211A531600217ABEB305F61DC09BEB7FACAB02755F104037E661E55D1D7B8A449C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00439345, Relevance: 9.1, APIs: 6, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00439345(struct HWND__* __ecx) {
				signed int _t28;
				intOrPtr* _t34;
				struct HWND__* _t39;

				_t39 = __ecx;
				_t34 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 0x288));
				if(_t34 != 0) {
					 *((intOrPtr*)( *_t34 + 8))();
				}
				( *(_t39 + 0xc))[0xa2] = _t39;
				if(IsWindow( *(_t39 + 4)) != 0 || E00437C30(_t39) != 0) {
					 *(_t39 + 0x14) =  *(_t39 + 0x14) & 0x00000000;
					if(IsWindow( *( *(_t39 + 0xc))) != 0) {
						ShowWindow( *( *(_t39 + 0xc)), 1);
						ShowWindow( *( *(_t39 + 0xc)), 1);
					}
					ShowWindow( *(_t39 + 4), 1);
					 *((intOrPtr*)(_t39->i + 0x20))();
					return 0;
				} else {
					_t28 = GetLastError();
					if(_t28 != 0) {
						return _t28 | 0x80070000;
					}
					return 0x8000ffff;
				}
			}

0x00439346
0x0043934c
0x00439354
0x00439358
0x00439358
0x00439364
0x00439371
0x00439399
0x004393a9
0x004393b2
0x004393bb
0x004393bb
0x004393c2
0x004393c8
0x00000000
0x0043937e
0x0043937e
0x00439386
0x00000000
0x0043938f
0x00000000
0x00439388

APIs

IsWindow.USER32(?), ref: 0043936D
GetLastError.KERNEL32(?,004392EC,?), ref: 0043937E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLastWindow
String ID:
API String ID: 3412209079-0
Opcode ID: d27f0231de802d445c3b072352a253c743c9f550ff1ce657ff39b1a739ef6d00
Instruction ID: e688a35ebf01f56fabc1fd3875367781bcaad1d41129e3fba9ba954d3712bcce
Opcode Fuzzy Hash: d27f0231de802d445c3b072352a253c743c9f550ff1ce657ff39b1a739ef6d00
Instruction Fuzzy Hash: B7115E752006019FD720AB16C844F2AB7E5AF4C714F15946EF856CB7B0DBB5EC009F49

Uniqueness

Uniqueness Score: -1.00%

Function 00417173, Relevance: 9.0, APIs: 6, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00417173() {
				intOrPtr* _v8;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr* _t35;
				void* _t39;
				intOrPtr* _t43;

				_t32 = _t35;
				 *_t32 = 0x4b06dc;
				_v8 = _t32;
				 *( *((intOrPtr*)( *((intOrPtr*)(_t32 + 0xc)) + 4)) + _t32 + 0xc) = GetLastError();
				__imp__#6( *(_t32 + 0x10), _t39, _t31, _t35);
				 *(_t32 + 0x10) =  *(_t32 + 0x10) & 0x00000000;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t32 + 0xc)) + 4)) + _t32 + 0xc));
				_t37 = _v8 + 0x14;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x14)) + 4)) + _t37)) = GetLastError();
				_t43 = _v8;
				 *_t43 = 0x4b06c4;
				L0045A7D5( *((intOrPtr*)(_t43 + 4)));
				__imp__#6( *((intOrPtr*)(_t43 + 0x10)));
				_t30 =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0xc)) + 4));
				SetLastError( *(_t30 + _t43 + 0xc));
				return _t30;
			}

0x00417178
0x0041717e
0x00417187
0x00417190
0x00417197
0x004171a0
0x004171b1
0x004171b6
0x004171c6
0x004171c8
0x004171ce
0x004171d4
0x004171dd
0x004171e6
0x004171ed
0x004171f2

APIs

GetLastError.KERNEL32 ref: 0041718A
SysFreeString.OLEAUT32(?), ref: 00417197
SetLastError.KERNEL32(?), ref: 004171B1
GetLastError.KERNEL32 ref: 004171C0
SysFreeString.OLEAUT32(?), ref: 004171DD
SetLastError.KERNEL32(?), ref: 004171ED

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: c56525a13a5ed24b95ecef286eb569bc427d0de2cf916e592f7303a798699fb6
Instruction ID: f0759b76d1b35ed85d7822369bf03c260df815b6286194e03bc81238233f2a85
Opcode Fuzzy Hash: c56525a13a5ed24b95ecef286eb569bc427d0de2cf916e592f7303a798699fb6
Instruction Fuzzy Hash: 30110E36500210DFCB109F59D888A09BBF4FF0932570584AAEC5A9B362D771EC20DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004171F3, Relevance: 9.0, APIs: 6, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E004171F3() {
				intOrPtr* _v8;
				intOrPtr _t30;
				void* _t31;
				intOrPtr* _t32;
				intOrPtr* _t35;
				void* _t39;
				intOrPtr* _t43;

				_t32 = _t35;
				 *_t32 = 0x4b07b0;
				_v8 = _t32;
				 *( *((intOrPtr*)( *((intOrPtr*)(_t32 + 0xc)) + 4)) + _t32 + 0xc) = GetLastError();
				__imp__#6( *(_t32 + 0x10), _t39, _t31, _t35);
				 *(_t32 + 0x10) =  *(_t32 + 0x10) & 0x00000000;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t32 + 0xc)) + 4)) + _t32 + 0xc));
				_t37 = _v8 + 0x14;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v8 + 0x14)) + 4)) + _t37)) = GetLastError();
				_t43 = _v8;
				 *_t43 = 0x4b06c4;
				L0045A7D5( *((intOrPtr*)(_t43 + 4)));
				__imp__#6( *((intOrPtr*)(_t43 + 0x10)));
				_t30 =  *((intOrPtr*)( *((intOrPtr*)(_t43 + 0xc)) + 4));
				SetLastError( *(_t30 + _t43 + 0xc));
				return _t30;
			}

0x004171f8
0x004171fe
0x00417207
0x00417210
0x00417217
0x00417220
0x00417231
0x00417236
0x00417246
0x00417248
0x0041724e
0x00417254
0x0041725d
0x00417266
0x0041726d
0x00417272

APIs

GetLastError.KERNEL32 ref: 0041720A
SysFreeString.OLEAUT32(?), ref: 00417217
SetLastError.KERNEL32(?), ref: 00417231
GetLastError.KERNEL32 ref: 00417240
SysFreeString.OLEAUT32(?), ref: 0041725D
SetLastError.KERNEL32(?), ref: 0041726D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: f056470200180d7774f81dc767a817fa903a7be65c061ec455edf6c46ff90723
Instruction ID: 8265325dac1cec409e27b224f6eb72ad4bed618cb2e63cb7e0e38c18fdf63a07
Opcode Fuzzy Hash: f056470200180d7774f81dc767a817fa903a7be65c061ec455edf6c46ff90723
Instruction Fuzzy Hash: A3110236500210DFCB109F59D888A09FBF4FF0932570584AAEC5A9B362CB71EC20CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004381E1, Relevance: 9.0, APIs: 6, Instructions: 33
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004381E1(void* __ecx, intOrPtr _a4) {
				void* _t16;

				_t16 = __ecx;
				if(_a4 == 0x3f3) {
					EnableWindow(GetDlgItem( *(__ecx + 4), 0x3ed), 0);
				}
				if(_a4 == 0x3f2) {
					EnableWindow(GetDlgItem( *(_t16 + 4), 0x3ed), 1);
					SetFocus(GetDlgItem( *(_t16 + 4), 0x3ed));
				}
				return 1;
			}

0x004381f3
0x004381f5
0x00438204
0x00438204
0x00438211
0x00438220
0x00438231
0x00438231
0x0043823d

APIs

GetDlgItem.USER32 ref: 00438201
EnableWindow.USER32(00000000), ref: 00438204
GetDlgItem.USER32 ref: 0043821D
EnableWindow.USER32(00000000), ref: 00438220
GetDlgItem.USER32 ref: 0043822E
SetFocus.USER32(00000000), ref: 00438231

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Item$EnableWindow$Focus
String ID:
API String ID: 864471436-0
Opcode ID: 521c9d7ff4334e20008520358b1e2aea969bce8bddf0d41c56acd09bcfa40655
Instruction ID: 98e4fc65aeec09a17ce24f06ce20b163942264de00335bed607774db40b71a55
Opcode Fuzzy Hash: 521c9d7ff4334e20008520358b1e2aea969bce8bddf0d41c56acd09bcfa40655
Instruction Fuzzy Hash: C7F0A731940704BBDB216BA2EC4DF5BBEADEB95712F014435F216950E0DBB49510CA54

Uniqueness

Uniqueness Score: -1.00%

Function 004314E3, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E004314E3(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t79;
				signed char _t81;
				void* _t82;
				intOrPtr* _t86;
				void* _t88;
				intOrPtr _t104;
				void* _t126;
				void* _t127;
				signed char _t160;
				intOrPtr _t165;
				void* _t167;
				void* _t168;
				void* _t169;
				void* _t170;

				_t166 = __esi;
				_push(0xe8);
				E0045B935(0x4a5a05, __ebx, __edi, __esi);
				_t165 = __ecx;
				_t79 =  *((intOrPtr*)(_t167 + 0x10));
				_t162 =  *((intOrPtr*)(_t167 + 8));
				 *((intOrPtr*)(_t167 - 0xe8)) = _t79;
				 *((intOrPtr*)(_t167 - 0xec)) = _t79;
				_t5 = _t167 + 0xc; // 0x4c2f40
				 *((intOrPtr*)(_t167 - 0xe0)) = 0;
				 *((intOrPtr*)(_t167 - 0xf0)) = __ecx;
				 *((intOrPtr*)(_t167 - 0xe4)) =  *((intOrPtr*)(_t167 + 8));
				 *(_t167 - 0xdc) = 0;
				 *((char*)(__ecx + 0x43c)) =  *_t5;
				_t174 =  *((intOrPtr*)(__ecx + 0x3e8));
				if( *((intOrPtr*)(__ecx + 0x3e8)) == 0) {
					L2:
					 *((char*)(_t167 - 0xd5)) = 0;
				} else {
					E00402CE0(_t162, _t167 - 0xd5, 1);
					 *((intOrPtr*)(_t167 - 0xe0)) = 1;
					 *(_t167 - 4) = 0;
					_t166 = E0042EA79(0, __ecx, __esi, _t174, _t167 - 0xa4, _t167 - 0x74, 1);
					 *(_t167 - 4) = 1;
					 *((intOrPtr*)(_t167 - 0xe0)) = 3;
					_t126 = E0042EA79(0, _t165, _t166, _t174, _t167 - 0xd4, _t165 + 4, 1);
					_t160 = 7;
					 *(_t167 - 0xdc) = _t160;
					_t127 = E00412ABE(_t126, _t166);
					 *((char*)(_t167 - 0xd5)) = 1;
					if(_t127 != 0) {
						goto L2;
					}
				}
				_t81 =  *(_t167 - 0xdc);
				if((_t81 & 0x00000004) != 0) {
					 *(_t167 - 0xdc) = _t81 & 0xfffffffb;
					E00401AC0(_t167 - 0xd4);
					_t81 =  *(_t167 - 0xdc);
				}
				if((_t81 & 0x00000002) != 0) {
					 *(_t167 - 0xdc) = _t81 & 0xfffffffd;
					E00401AC0(_t167 - 0xa4);
					_t81 =  *(_t167 - 0xdc);
				}
				 *(_t167 - 4) =  *(_t167 - 4) | 0xffffffff;
				if((_t81 & 0x00000001) != 0) {
					E00401AC0(_t167 - 0x74);
				}
				_t82 = 1;
				_t133 =  !=  ? _t82 : 0;
				 *((intOrPtr*)(_t167 - 0xe0)) =  !=  ? _t82 : 0;
				_t84 =  !=  ?  *((intOrPtr*)(_t167 - 0xe4)) : 0x4c2d7c;
				E00405460(_t165 + 4, _t165,  !=  ?  *((intOrPtr*)(_t167 - 0xe4)) : 0x4c2d7c);
				_t86 = _t165 + 8;
				_push(4);
				_t183 =  *((intOrPtr*)(_t86 + 0x14)) - 8;
				if( *((intOrPtr*)(_t86 + 0x14)) >= 8) {
					_t86 =  *_t86;
				}
				_t169 = _t168 - 0x30;
				_t163 = _t167 - 0xd5;
				E004091B8(_t169, _t86, _t167 - 0xd5, 1);
				_t88 = E00441E34(0, _t167 - 0xd5, _t165, _t166, _t183);
				_t170 = _t169 + 0x34;
				_t184 = _t88;
				if(_t88 != 0) {
					_push(0xfde9);
					E00412A66(_t165 + 4, _t170 - 0x30);
					_push(_t167 - 0x44);
					E00433E81(0, _t163, _t165, _t166, _t184);
					 *(_t167 - 4) = 2;
					E00405460(_t165 + 0x408, _t165, L"PrereqEngine: ");
					 *((short*)(_t165 + 0x264)) = 0;
					 *((char*)(_t165 + 0x266)) = 0;
					 *((char*)(_t165 + 0x268)) = 1;
					E004308B5(_t165 + 0x26c);
					E00406BF0(_t165 + 0x284, 0, _t166);
					E00406BF0(_t165 + 0x2b4, 0, _t166);
					if( *((char*)(_t167 - 0xe0)) == 0) {
						E00406BF0(_t165 + 0x2e4, 0, _t166);
						E00406BF0(_t165 + 0x314, 0, _t166);
					}
					E00406BF0(_t165 + 0x344, 0, _t166);
					E00406BF0(_t165 + 0x374, 0, _t166);
					E00406BF0(_t165 + 0x3d4, 0, _t166);
					E0043087B(_t165 + 0x278);
					_t66 = _t167 - 0x40; // 0x4c2f50
					_t67 = _t167 - 0x40; // 0x4c2f50
					_t102 =  >=  ?  *_t67 : _t66;
					 *(_t167 - 4) = 3;
					 *((intOrPtr*)(_t167 - 0xf4)) = _t165;
					E00452C46(_t167 - 0xf4,  >=  ?  *_t67 : _t66);
					_t104 =  *((intOrPtr*)(_t167 - 0xe8));
					 *(_t167 - 4) = 2;
					if( *((intOrPtr*)(_t104 + 0x14)) != 0) {
						_t166 = _t165 + 0x314;
						E00402B90(_t165 + 0x314, _t104);
						E00402B90(_t165 + 0x2e4, _t165 + 0x314);
					}
					E0042C51A(_t165);
					E00401B80(_t167 - 0x44);
				}
				return E0045B887(0, _t165, _t166);
			}

0x004314e3
0x004314e3
0x004314ed
0x004314f2
0x004314f4
0x004314f7
0x004314fe
0x00431504
0x0043150a
0x0043150d
0x00431513
0x00431519
0x0043151f
0x00431525
0x0043152b
0x00431531
0x004315a5
0x004315a5
0x00431533
0x00431540
0x00431549
0x0043155c
0x00431564
0x0043156d
0x0043157a
0x00431584
0x0043158b
0x0043158c
0x00431595
0x0043159a
0x004315a3
0x00000000
0x00000000
0x004315a3
0x004315ab
0x004315b3
0x004315be
0x004315c4
0x004315c9
0x004315c9
0x004315d1
0x004315dc
0x004315e2
0x004315e7
0x004315e7
0x004315ed
0x004315f3
0x004315f8
0x004315f8
0x00431606
0x0043160a
0x0043160d
0x00431620
0x00431627
0x0043162c
0x0043162f
0x00431631
0x00431635
0x00431637
0x00431637
0x00431639
0x00431640
0x00431648
0x0043164d
0x00431652
0x00431655
0x00431657
0x0043165d
0x00431669
0x00431671
0x00431672
0x00431685
0x0043168c
0x00431697
0x0043169e
0x004316a4
0x004316ab
0x004316bb
0x004316c8
0x004316d4
0x004316de
0x004316eb
0x004316eb
0x004316f8
0x00431705
0x00431712
0x0043171d
0x00431726
0x00431729
0x00431729
0x00431734
0x00431738
0x0043173e
0x00431743
0x0043175f
0x00431769
0x0043176b
0x00431774
0x00431780
0x00431780
0x00431787
0x0043178f
0x0043178f
0x00431799

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 004314ED

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Part of subcall function 0042EA79: __EH_prolog3_GS.LIBCMT ref: 0042EA80

Strings

PrereqEngine: , xrefs: 00431680
@/L, xrefs: 0043150A
P/L, xrefs: 00431726, 00431729, 0043172D
|-L, xrefs: 0043161B

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_H_prolog3_catch_
String ID: @/L$P/L$PrereqEngine: $|-L
API String ID: 1178870419-2914931958
Opcode ID: 4cfe5def1d334699c3335f360cf8c957580febc6a299a39545784f2859fc0ebf
Instruction ID: e1fab1a8d7f8bc83cc4d25d4c28cdd714708b1fcc9c5f65e0ec4b13bbffdab30
Opcode Fuzzy Hash: 4cfe5def1d334699c3335f360cf8c957580febc6a299a39545784f2859fc0ebf
Instruction Fuzzy Hash: 5E71B471A00155AFDB18EFA5CD55BDEB7B8AF04304F0042AFE41AB32A1DB746A44CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0043C53C, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 180
memoryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E0043C53C(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t76;
				signed int _t77;
				intOrPtr* _t87;
				signed int _t88;
				intOrPtr* _t89;
				intOrPtr* _t91;
				signed int _t92;
				intOrPtr* _t94;
				signed short* _t97;
				void* _t105;
				intOrPtr _t109;
				signed int _t110;
				intOrPtr* _t118;
				void* _t120;
				void* _t125;
				void* _t128;
				signed int _t129;
				signed int _t131;
				signed int _t132;
				intOrPtr _t133;
				signed int _t135;
				void* _t137;
				intOrPtr* _t138;
				void* _t139;

				_push(0x84);
				E0045B8C9(0x4a678d, __ebx, __edi, __esi);
				_t131 = __ecx;
				 *((intOrPtr*)(_t139 - 0x5c)) = __ecx;
				 *((intOrPtr*)(_t139 - 0x4c)) =  *((intOrPtr*)(__ecx + 0x14));
				 *(_t139 - 0x48) = 0;
				_t76 = __ecx + 4;
				if( *((intOrPtr*)(_t76 + 0x14)) >= 8) {
					_t76 =  *_t76;
				}
				__imp__#2(_t76);
				_t109 = _t76;
				_t77 = 0;
				_t135 = _t131;
				 *((intOrPtr*)(_t139 - 0x54)) = _t109;
				 *((char*)(_t139 - 0x41)) = 0;
				 *((intOrPtr*)(_t139 - 0x50)) = _t135;
				_t142 =  *((intOrPtr*)(_t139 + 0x10));
				if( *((intOrPtr*)(_t139 + 0x10)) == 0) {
					L13:
					_t129 = _t77;
					if( *((intOrPtr*)(_t139 - 0x4c)) <= 0) {
						L44:
						 *((short*)(_t109 +  *(_t139 - 0x48) * 2)) = 0;
						E00404260(_t131, _t131, _t109);
						_t163 =  *((char*)(_t139 - 0x41));
						if( *((char*)(_t139 - 0x41)) != 0) {
							_push(_t139 - 0x40);
							E0043C2FD(_t109, _t131, _t131, _t135, _t163);
							E00401B80(_t139 - 0x40);
						}
						__imp__#6(_t109);
						if( *((char*)(_t139 + 0x10)) != 0 && _t135 != 0) {
							E00401B80(_t135);
							L0045A2FE(_t135);
						}
						return E0045B878(_t109, _t131, _t135);
					}
					_t132 =  *(_t139 - 0x48);
					_t31 = _t135 + 4; // 0x4
					_t118 = _t31;
					L15:
					L15:
					if( *((intOrPtr*)(_t118 + 0x14)) < 8) {
						_t87 = _t118;
					} else {
						_t87 =  *_t118;
					}
					if( *((intOrPtr*)(_t87 + _t129 * 2)) == 0) {
						goto L43;
					}
					_t110 = 0;
					_t88 = 0;
					if( *((intOrPtr*)(_t139 + 0xc)) <= 0) {
						L37:
						if( *((intOrPtr*)(_t118 + 0x14)) < 8) {
							_t89 = _t118;
						} else {
							_t89 =  *_t118;
						}
						_t109 =  *((intOrPtr*)(_t139 - 0x54));
						 *((short*)(_t109 + _t132 * 2)) =  *((intOrPtr*)(_t89 + _t129 * 2));
						_t132 = _t132 + 1;
						 *(_t139 - 0x48) = _t132;
						L42:
						_t129 = _t129 + 1;
						if(_t129 <  *((intOrPtr*)(_t139 - 0x4c))) {
							goto L15;
						}
						goto L43;
					}
					while(_t88 == 0) {
						if( *((intOrPtr*)(_t139 + 0x10)) == _t88) {
							L31:
							__eflags =  *((intOrPtr*)(_t118 + 0x14)) - 8;
							if( *((intOrPtr*)(_t118 + 0x14)) < 8) {
								_t91 = _t118;
							} else {
								_t91 =  *_t118;
							}
							_t133 =  *((intOrPtr*)(_t139 + 8));
							_t92 =  *((intOrPtr*)(_t91 + _t129 * 2));
							__eflags = _t92 -  *((intOrPtr*)(_t133 + _t110 * 2));
							_t132 =  *(_t139 - 0x48);
							_t52 = _t92 ==  *((intOrPtr*)(_t133 + _t110 * 2));
							__eflags = _t52;
							_t88 = _t92 & 0xffffff00 | _t52;
							L35:
							_t110 = _t110 + 1;
							if(_t110 <  *((intOrPtr*)(_t139 + 0xc))) {
								continue;
							}
							if(_t88 != 0) {
								break;
							}
							goto L37;
						}
						_t137 = 0x3a;
						if( *((intOrPtr*)( *((intOrPtr*)(_t139 + 8)) + _t110 * 2)) != _t137) {
							goto L31;
						}
						if( *((intOrPtr*)(_t118 + 0x14)) < 8) {
							_t94 = _t118;
						} else {
							_t94 =  *_t118;
						}
						if( *((intOrPtr*)(_t94 + _t129 * 2)) != _t137) {
							goto L31;
						} else {
							if(_t129 <= 1 || _t129 >=  *((intOrPtr*)(_t139 - 0x4c))) {
								_t88 = 0;
							} else {
								_t88 = 1;
							}
							goto L35;
						}
					}
					_t109 =  *((intOrPtr*)(_t139 - 0x54));
					goto L42;
					L43:
					_t135 =  *((intOrPtr*)(_t139 - 0x50));
					_t131 =  *((intOrPtr*)(_t139 - 0x5c));
					goto L44;
				} else {
					_push(0x30);
					_t138 = E0045C169(_t109, _t128, _t131, _t142);
					 *((intOrPtr*)(_t139 - 0x50)) = _t138;
					 *((intOrPtr*)(_t139 - 0x60)) = _t138;
					 *(_t139 - 4) = 0;
					_t143 = _t138;
					if(_t138 == 0) {
						_t135 = 0;
						 *((intOrPtr*)(_t139 - 0x50)) = 0;
					} else {
						_push(0);
						_push(_t131);
						 *_t138 = 0x4ae964;
						 *((intOrPtr*)(_t138 + 0x28)) = 0x4ae96c;
						E00408E82(_t109, _t138, _t131, _t138, _t143);
					}
					 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
					_t18 = _t135 + 4; // 0x4
					_t97 = _t18;
					if(_t97[0xa] >= 8) {
						_t97 =  *_t97;
					}
					_t120 = 0x22;
					if(( *_t97 & 0x0000ffff) != _t120) {
						L11:
						__eflags = 0;
						 *((char*)(_t139 - 0x41)) = 0;
						goto L12;
					} else {
						_t105 = E0040DE71(_t135);
						_t125 = 0x22;
						_t146 = _t105 - _t125;
						if(_t105 != _t125) {
							goto L11;
						}
						 *((char*)(_t139 - 0x41)) = 1;
						E0043C88B(_t135);
						L12:
						_push(1);
						_push(_t139 - 0x55);
						_push(L"\n\t ");
						E00408F6D(_t109, _t139 - 0x90, _t131, _t135, _t146);
						 *(_t139 - 4) = 1;
						E0041350C(_t109, _t135, _t131, _t146, _t139 - 0x90);
						 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
						E00401B80(_t139 - 0x90);
						_t77 = 0;
						goto L13;
					}
				}
			}

0x0043c53c
0x0043c546
0x0043c54b
0x0043c54d
0x0043c553
0x0043c558
0x0043c55b
0x0043c562
0x0043c564
0x0043c564
0x0043c567
0x0043c56d
0x0043c56f
0x0043c571
0x0043c573
0x0043c576
0x0043c579
0x0043c57c
0x0043c57f
0x0043c632
0x0043c636
0x0043c638
0x0043c6f5
0x0043c6fa
0x0043c701
0x0043c706
0x0043c70a
0x0043c70f
0x0043c712
0x0043c71a
0x0043c71a
0x0043c720
0x0043c72a
0x0043c732
0x0043c738
0x0043c73d
0x0043c745
0x0043c745
0x0043c63e
0x0043c641
0x0043c641
0x00000000
0x0043c644
0x0043c648
0x0043c64e
0x0043c64a
0x0043c64a
0x0043c64a
0x0043c656
0x00000000
0x00000000
0x0043c65c
0x0043c65e
0x0043c663
0x0043c6c5
0x0043c6c9
0x0043c6cf
0x0043c6cb
0x0043c6cb
0x0043c6cb
0x0043c6d1
0x0043c6d8
0x0043c6dc
0x0043c6dd
0x0043c6e5
0x0043c6e5
0x0043c6e9
0x00000000
0x00000000
0x00000000
0x0043c6e9
0x0043c665
0x0043c66c
0x0043c69e
0x0043c69e
0x0043c6a2
0x0043c6a8
0x0043c6a4
0x0043c6a4
0x0043c6a4
0x0043c6aa
0x0043c6ad
0x0043c6b1
0x0043c6b5
0x0043c6b8
0x0043c6b8
0x0043c6b8
0x0043c6bb
0x0043c6bb
0x0043c6bf
0x00000000
0x00000000
0x0043c6c3
0x00000000
0x00000000
0x00000000
0x0043c6c3
0x0043c673
0x0043c678
0x00000000
0x00000000
0x0043c67e
0x0043c684
0x0043c680
0x0043c680
0x0043c680
0x0043c68a
0x00000000
0x0043c68c
0x0043c68f
0x0043c69a
0x0043c696
0x0043c696
0x0043c696
0x00000000
0x0043c68f
0x0043c68a
0x0043c6e2
0x00000000
0x0043c6ef
0x0043c6ef
0x0043c6f2
0x00000000
0x0043c585
0x0043c585
0x0043c58c
0x0043c58f
0x0043c592
0x0043c597
0x0043c59a
0x0043c59c
0x0043c5b6
0x0043c5b8
0x0043c59e
0x0043c59e
0x0043c59f
0x0043c5a2
0x0043c5a8
0x0043c5af
0x0043c5af
0x0043c5bb
0x0043c5bf
0x0043c5bf
0x0043c5c6
0x0043c5c8
0x0043c5c8
0x0043c5cf
0x0043c5d3
0x0043c5f1
0x0043c5f1
0x0043c5f3
0x00000000
0x0043c5d5
0x0043c5d7
0x0043c5de
0x0043c5df
0x0043c5e2
0x00000000
0x00000000
0x0043c5e6
0x0043c5ea
0x0043c5f6
0x0043c5f6
0x0043c5fb
0x0043c5fc
0x0043c607
0x0043c615
0x0043c61c
0x0043c621
0x0043c62b
0x0043c630
0x00000000
0x0043c630
0x0043c5d3

APIs

__EH_prolog3_GS.LIBCMT ref: 0043C546
SysAllocString.OLEAUT32(00000000), ref: 0043C567
SysFreeString.OLEAUT32(00000000), ref: 0043C720

Strings

, xrefs: 0043C5FC
lJ, xrefs: 0043C5A8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$AllocFreeH_prolog3_
String ID: $lJ
API String ID: 1289132702-3830903251
Opcode ID: c9156d9f00b50721b89dc02494c41c4585c52647008cb8c257f959e52bcca85d
Instruction ID: ec6441d05a39f0ffc0adcb86b733734612cfa54150e513cac135d75922fbb199
Opcode Fuzzy Hash: c9156d9f00b50721b89dc02494c41c4585c52647008cb8c257f959e52bcca85d
Instruction Fuzzy Hash: 53619170A00214DFCF14EFA8C9816AEB7B5BF09704F14606FE451BB291DB789D46CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424AC0, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00424AC0(void* __ebx, void* __ecx, void* __edx, void* __edi, intOrPtr __esi, void* __eflags) {
				void* _t76;
				void* _t77;
				intOrPtr* _t84;
				void* _t107;
				intOrPtr* _t110;
				void* _t117;
				intOrPtr* _t122;
				short _t129;
				void* _t152;
				intOrPtr* _t154;
				void* _t155;
				void* _t158;

				_t158 = __eflags;
				_t153 = __esi;
				_push(0xfc);
				E0045B8C9(0x4a41fd, __ebx, __edi, __esi);
				_t152 = __ecx;
				_t122 =  *((intOrPtr*)(_t155 + 8));
				 *(_t155 - 0x108) =  *(_t155 - 0x108) & 0x00000000;
				_t76 = E00424D6D(__ecx, __edx, __ecx, _t158);
				_t159 = _t76;
				if(_t76 != 0) {
					_t77 = E0045B5D4(L"file://");
					_t154 = _t152 + 4;
					__eflags = E0040A017(_t154, L"file://", 0, _t77);
					if(__eflags == 0) {
						_push(1);
						_push(_t155 - 0x101);
						_push(0x4c2d7c);
						E00408F6D(_t122, _t155 - 0x40, _t152, _t154, __eflags);
						 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
						_push(1);
						_push(_t155 - 0x101);
						_push(L"file://");
						E00408F6D(_t122, _t155 - 0x70, _t152, _t154, __eflags);
						__eflags =  *((intOrPtr*)(_t155 - 0x58)) - 8;
						_t116 =  >=  ?  *((void*)(_t155 - 0x6c)) : _t155 - 0x6c;
						 *(_t155 - 4) = 1;
						_t117 = E0040A017(_t154,  >=  ?  *((void*)(_t155 - 0x6c)) : _t155 - 0x6c, 0,  *((intOrPtr*)(_t155 - 0x5c)));
						__eflags = _t117 - 0xffffffff;
						if(_t117 != 0xffffffff) {
							E0040A6AD(_t152, _t117,  *((intOrPtr*)(_t155 - 0x5c)), _t155 - 0x40);
						}
						E00401B80(_t155 - 0x70);
						_t20 = _t155 - 4;
						 *_t20 =  *(_t155 - 4) | 0xffffffff;
						__eflags =  *_t20;
						E00401B80(_t155 - 0x40);
					}
					_push(1);
					_push(_t155 - 0x101);
					_push(L"/\\");
					E00408F6D(_t122, _t155 - 0x40, _t152, _t154, __eflags);
					 *(_t155 - 4) = 2;
					E0041350C(_t122, _t152, _t152, __eflags, _t155 - 0x40);
					 *(_t155 - 4) =  *(_t155 - 4) | 0xffffffff;
					E00401B80(_t155 - 0x40);
					__eflags =  *((intOrPtr*)(_t154 + 0x14)) - 8;
					if( *((intOrPtr*)(_t154 + 0x14)) < 8) {
						_t84 = _t154;
					} else {
						_t84 =  *_t154;
					}
					__eflags =  *((short*)(_t84 + 2)) - 0x7c;
					_t129 = 0x3a;
					if( *((short*)(_t84 + 2)) == 0x7c) {
						__eflags =  *((intOrPtr*)(_t154 + 0x14)) - 8;
						if( *((intOrPtr*)(_t154 + 0x14)) < 8) {
							_t110 = _t154;
						} else {
							_t110 =  *_t154;
						}
						 *((short*)(_t110 + 2)) = _t129;
					}
					__eflags =  *((intOrPtr*)(_t154 + 0x14)) - 8;
					if( *((intOrPtr*)(_t154 + 0x14)) >= 8) {
						_t154 =  *_t154;
					}
					__eflags =  *((intOrPtr*)(_t154 + 2)) - _t129;
					if(__eflags != 0) {
						_push(_t152);
						_push(L"\\\\");
						_push(_t155 - 0x40);
						_t107 = E0040B2A8(_t122, _t152, _t154, __eflags);
						 *(_t155 - 4) = 3;
						E004095E2(_t152, _t107);
						_t38 = _t155 - 4;
						 *_t38 =  *(_t155 - 4) | 0xffffffff;
						__eflags =  *_t38;
						E00401B80(_t155 - 0x40);
					}
					_push(0);
					_push(_t155 - 0x101);
					_t153 = 0x4c2f40;
					_push(" ");
					 *((intOrPtr*)(_t155 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t155 - 0x18)) = 0x4c2f40;
					E00408F6D(_t122, _t155 - 0x40, _t152, 0x4c2f40, __eflags);
					_push(0);
					_push(_t155 - 0x101);
					_push(L"%20");
					 *(_t155 - 4) = 4;
					 *((intOrPtr*)(_t155 - 0xa0)) = 0x4c2fa0;
					 *((intOrPtr*)(_t155 - 0x78)) = 0x4c2f40;
					E00408F6D(_t122, _t155 - 0xa0, _t152, 0x4c2f40, __eflags);
					 *(_t155 - 4) = 5;
					E00425219(_t152, __eflags, _t155 - 0xa0, _t155 - 0x40);
					E00401B80(_t155 - 0xa0);
					 *(_t155 - 4) =  *(_t155 - 4) | 0xffffffff;
					E00401B80(_t155 - 0x40);
					_push(0);
					_push(_t155 - 0x101);
					_push("\\");
					 *((intOrPtr*)(_t155 - 0x100)) = 0x4c2fa0;
					 *((intOrPtr*)(_t155 - 0xd8)) = 0x4c2f40;
					E00408F6D(_t122, _t155 - 0x100, _t152, 0x4c2f40, __eflags);
					_push(0);
					_push(_t155 - 0x101);
					_push("/");
					 *(_t155 - 4) = 6;
					 *((intOrPtr*)(_t155 - 0xd0)) = 0x4c2fa0;
					 *((intOrPtr*)(_t155 - 0xa8)) = 0x4c2f40;
					E00408F6D(_t122, _t155 - 0xd0, _t152, _t153, __eflags);
					 *(_t155 - 4) = 7;
					E00425219(_t152, __eflags, _t155 - 0xd0, _t155 - 0x100);
					E00401B80(_t155 - 0xd0);
					_t70 = _t155 - 4;
					 *_t70 =  *(_t155 - 4) | 0xffffffff;
					__eflags =  *_t70;
					E00401B80(_t155 - 0x100);
					 *((intOrPtr*)(_t122 + 0x28)) = 0x4c2f40;
				} else {
					 *((intOrPtr*)(_t122 + 0x28)) = 0x4c2f40;
				}
				_push(0);
				_push(_t152);
				 *_t122 = 0x4c2fa0;
				E00408E82(_t122, _t122, _t152, _t153, _t159);
				return E0045B878(_t122, _t152, _t153);
			}

0x00424ac0
0x00424ac0
0x00424ac0
0x00424aca
0x00424acf
0x00424ad1
0x00424ad4
0x00424adb
0x00424ae0
0x00424ae2
0x00424af5
0x00424afe
0x00424b0d
0x00424b0f
0x00424b11
0x00424b19
0x00424b1a
0x00424b22
0x00424b27
0x00424b2b
0x00424b33
0x00424b34
0x00424b3c
0x00424b44
0x00424b4b
0x00424b54
0x00424b58
0x00424b5d
0x00424b60
0x00424b6c
0x00424b6c
0x00424b74
0x00424b79
0x00424b79
0x00424b79
0x00424b80
0x00424b80
0x00424b85
0x00424b8d
0x00424b8e
0x00424b96
0x00424ba1
0x00424ba8
0x00424bad
0x00424bb4
0x00424bb9
0x00424bbd
0x00424bc3
0x00424bbf
0x00424bbf
0x00424bbf
0x00424bc5
0x00424bcc
0x00424bcd
0x00424bcf
0x00424bd3
0x00424bd9
0x00424bd5
0x00424bd5
0x00424bd5
0x00424bdb
0x00424bdb
0x00424bdf
0x00424be3
0x00424be5
0x00424be5
0x00424be7
0x00424beb
0x00424bed
0x00424bf1
0x00424bf6
0x00424bf7
0x00424c02
0x00424c09
0x00424c0e
0x00424c0e
0x00424c0e
0x00424c15
0x00424c15
0x00424c1a
0x00424c22
0x00424c23
0x00424c28
0x00424c30
0x00424c37
0x00424c3a
0x00424c3f
0x00424c47
0x00424c48
0x00424c53
0x00424c5a
0x00424c64
0x00424c67
0x00424c79
0x00424c7d
0x00424c88
0x00424c8d
0x00424c94
0x00424c99
0x00424ca1
0x00424ca2
0x00424cad
0x00424cb7
0x00424cbd
0x00424cc2
0x00424cca
0x00424ccb
0x00424cd6
0x00424cdd
0x00424ce7
0x00424ced
0x00424d02
0x00424d06
0x00424d11
0x00424d16
0x00424d16
0x00424d16
0x00424d20
0x00424d25
0x00424ae4
0x00424ae4
0x00424ae4
0x00424d28
0x00424d2a
0x00424d2d
0x00424d33
0x00424d3f

APIs

__EH_prolog3_GS.LIBCMT ref: 00424ACA

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

@/L, xrefs: 00424C23
@/L, xrefs: 00424AE4
%20, xrefs: 00424C48
file://, xrefs: 00424AF0, 00424B01, 00424B34

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: %20$@/L$@/L$file://
API String ID: 852442433-164781276
Opcode ID: 277cca16ab593a6e333e5421a668aeaab67ce2cae54ba1cf42587bd10cc60393
Instruction ID: 1528c8e5819f77cde185752bd69a75e8e9a6e4fcefa1701a804399f640097435
Opcode Fuzzy Hash: 277cca16ab593a6e333e5421a668aeaab67ce2cae54ba1cf42587bd10cc60393
Instruction Fuzzy Hash: 3F619E70A00218EEDB14EBA1CC42BDDB7B8EF54718F5041AFE045B71D1DBB86A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043BB71, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0043BB71(intOrPtr __ebx, void* __edx, intOrPtr __edi, char* __esi, void* __eflags) {
				intOrPtr* _t83;
				intOrPtr* _t123;
				intOrPtr* _t144;
				void* _t150;
				void* _t151;
				intOrPtr* _t153;

				_t148 = __esi;
				_t147 = __edi;
				_t146 = __edx;
				_t117 = __ebx;
				_push(0xac);
				E0045B935(0x4a660c, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t150 - 4)) = 1;
				if( *0x4d99f0 != 0) {
					_t147 = 0x4c2fa0;
					_t117 = 0x4c2f40;
					 *((intOrPtr*)(_t150 - 0x74)) = 0x4c2fa0;
					 *((intOrPtr*)(_t150 - 0x4c)) = 0x4c2f40;
					E00404200(_t150 - 0x74, _t150 - 0xa5, 0);
					_t122 =  >=  ?  *((void*)(_t150 + 0x3c)) : _t150 + 0x3c;
					_t161 =  *((intOrPtr*)(_t150 + 0x20)) - 8;
					_push( >=  ?  *((void*)(_t150 + 0x3c)) : _t150 + 0x3c);
					_t10 = _t150 + 0xc; // 0x4c2f40
					_t11 = _t150 + 0xc; // 0x4c2f40
					_t76 =  >=  ?  *_t11 : _t10;
					 *((char*)(_t150 - 4)) = 3;
					E0040DD64(_t150 - 0x74, L"%ls|%ls|",  >=  ?  *_t11 : _t10);
					_t153 = _t151 + 0x10 - 0x30;
					_t123 = _t153;
					_push(0);
					_push(_t150 - 0x74);
					 *_t123 = 0x4c2fa0;
					 *((intOrPtr*)(_t123 + 0x28)) = 0x4c2f40;
					E00408E82(0x4c2f40, _t123, 0x4c2fa0, 0,  *((intOrPtr*)(_t150 + 0x20)) - 8);
					E0043BDD3(0x4c2f40, _t123, __edx, 0x4c2fa0, 0,  *((intOrPtr*)(_t150 + 0x20)) - 8);
					_t83 = E0040A14B(_t150 - 0x74, _t150 - 0xb8, 0x4000);
					 *((char*)(_t150 - 4)) = 4;
					 *((char*)(_t83 + 4)) = 1;
					vswprintf( *(E0040A0F0(_t83,  *_t83)), 0x3ffd,  *(_t150 + 0x68), _t150 + 0x6c);
					 *((char*)(_t150 - 4)) = 3;
					E00409574(0x4c2f40, _t150 - 0xb8, 0x4c2fa0, 0,  *((intOrPtr*)(_t150 + 0x20)) - 8);
					E0040A629(_t117, _t150 - 0x74, _t161, _t150 - 0x44, 0xa);
					E00401B80(_t150 - 0x44);
					E0040A629(_t117, _t150 - 0x74, _t161, _t150 - 0x44, 0xd);
					E00401B80(_t150 - 0x44);
					_push(0);
					_push(_t150 - 0xa5);
					_push("_");
					 *((intOrPtr*)(_t150 - 0x44)) = 0x4c2fa0;
					 *((intOrPtr*)(_t150 - 0x1c)) = 0x4c2f40;
					E00408F6D(_t117, _t150 - 0x44, _t147, 0, _t161);
					 *((char*)(_t150 - 4)) = 5;
					 *((intOrPtr*)(_t150 - 0xa4)) = 0x4c2fa0;
					 *((intOrPtr*)(_t150 - 0x7c)) = 0x4c2f40;
					_push(0);
					_push(_t150 - 0xa5);
					_push("\r");
					E00408F6D(_t117, _t150 - 0xa4, _t147, 0, _t161);
					 *((char*)(_t150 - 4)) = 6;
					E00425219(_t150 - 0x74, _t161, _t150 - 0xa4, _t150 - 0x44);
					E00401B80(_t150 - 0xa4);
					 *((char*)(_t150 - 4)) = 3;
					E00401B80(_t150 - 0x44);
					_push(0);
					_push(_t150 - 0xa5);
					_push("_");
					 *((intOrPtr*)(_t150 - 0xa4)) = 0x4c2fa0;
					 *((intOrPtr*)(_t150 - 0x7c)) = 0x4c2f40;
					E00408F6D(_t117, _t150 - 0xa4, _t147, 0, _t161);
					_push(0);
					_push(_t150 - 0xa5);
					_push("\n");
					 *((char*)(_t150 - 4)) = 7;
					 *((intOrPtr*)(_t150 - 0x44)) = 0x4c2fa0;
					 *((intOrPtr*)(_t150 - 0x1c)) = 0x4c2f40;
					E00408F6D(_t117, _t150 - 0x44, _t147, 0, _t161);
					 *((char*)(_t150 - 4)) = 8;
					E00425219(_t150 - 0x74, _t161, _t150 - 0x44, _t150 - 0xa4);
					E00401B80(_t150 - 0x44);
					 *((char*)(_t150 - 4)) = 3;
					E00401B80(_t150 - 0xa4);
					_t148 = L"\r\n";
					_push(E0045B5D4(L"\r\n"));
					E0040DAD9(_t117, _t150 - 0x70, _t147, _t161, L"\r\n");
					_t144 = _t153 + 0x40 - 0x30;
					_push(0);
					_push(_t150 - 0x74);
					 *_t144 = 0x4c2fa0;
					 *((intOrPtr*)(_t144 + 0x28)) = 0x4c2f40;
					E00408E82(_t117, _t144, _t147, _t148, _t161);
					E0043BDD3(_t117, _t144, _t146, _t147, _t148, _t161);
					E00401B80(_t150 - 0x74);
				}
				E00401B80(_t150 + 8);
				E00401B80(_t150 + 0x38);
				return E0045B887(_t117, _t147, _t148);
			}

0x0043bb71
0x0043bb71
0x0043bb71
0x0043bb71
0x0043bb71
0x0043bb7b
0x0043bb87
0x0043bb8e
0x0043bb9d
0x0043bba2
0x0043bbab
0x0043bbae
0x0043bbb1
0x0043bbbd
0x0043bbc1
0x0043bbc5
0x0043bbc6
0x0043bbc9
0x0043bbc9
0x0043bbd7
0x0043bbdb
0x0043bbe3
0x0043bbe6
0x0043bbe8
0x0043bbec
0x0043bbed
0x0043bbef
0x0043bbf2
0x0043bbf7
0x0043bc0e
0x0043bc15
0x0043bc19
0x0043bc30
0x0043bc3e
0x0043bc42
0x0043bc50
0x0043bc58
0x0043bc66
0x0043bc6e
0x0043bc73
0x0043bc7a
0x0043bc7b
0x0043bc83
0x0043bc86
0x0043bc89
0x0043bc8e
0x0043bc92
0x0043bc98
0x0043bc9b
0x0043bca2
0x0043bca3
0x0043bcae
0x0043bcc1
0x0043bcc5
0x0043bcd0
0x0043bcd8
0x0043bcdc
0x0043bce1
0x0043bce8
0x0043bce9
0x0043bcf4
0x0043bcfa
0x0043bcfd
0x0043bd02
0x0043bd09
0x0043bd0a
0x0043bd12
0x0043bd16
0x0043bd19
0x0043bd1c
0x0043bd2f
0x0043bd33
0x0043bd3b
0x0043bd46
0x0043bd4a
0x0043bd4f
0x0043bd5b
0x0043bd60
0x0043bd68
0x0043bd6a
0x0043bd6f
0x0043bd70
0x0043bd72
0x0043bd75
0x0043bd7a
0x0043bd85
0x0043bd85
0x0043bd8d
0x0043bd95
0x0043bd9f

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0043BB7B

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0043BDD3: __EH_prolog3_catch_GS.LIBCMT ref: 0043BDDD
Part of subcall function 0043BDD3: EnterCriticalSection.KERNEL32(00000090,0043B728,FormatVersion=00000112,?,00000001), ref: 0043BDED
Part of subcall function 0043BDD3: _strncpy.LIBCMT ref: 0043BE1A
Part of subcall function 0043BDD3: lstrlenA.KERNEL32(00000000), ref: 0043BE23
Part of subcall function 0043BDD3: LeaveCriticalSection.KERNEL32(004AFFB8,40000000,00000001,00000080,00000004,00000000,00000000,004D7600,00000000,00000000,00000000,00000021), ref: 0043BEFE

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

vswprintf.LIBCMT ref: 0043BC30

Part of subcall function 0045E7C4: __vsnwprintf_l.LIBCMT ref: 0045E7D5

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Strings

@/L, xrefs: 0043BBA2
%ls|%ls|, xrefs: 0043BBD1
@/L, xrefs: 0043BBC6, 0043BBC9, 0043BBCD

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$CriticalFreeH_prolog3H_prolog3_catch_Section$AllocEnterH_prolog3_Leave__vsnwprintf_l_strncpylstrlenvswprintf
String ID: %ls|%ls|$@/L$@/L
API String ID: 2449541672-2173792148
Opcode ID: 4420259f72032796c9df7a777462d1f89413bbaf9b84895dbd88d817824c9567
Instruction ID: f3f185cffbb50c61da7b08ab4b63b1b1e425d5c42791bed029939e9ff6c97994
Opcode Fuzzy Hash: 4420259f72032796c9df7a777462d1f89413bbaf9b84895dbd88d817824c9567
Instruction Fuzzy Hash: 1C5160719002089EDB15EFA2CD51BDDB7B8AF15304F6001AFF94567192DB786B08CF66

Uniqueness

Uniqueness Score: -1.00%

Function 0040A206, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040A206(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t68;
				intOrPtr _t70;
				intOrPtr* _t83;
				void* _t84;
				void* _t94;
				intOrPtr _t114;
				void* _t126;
				intOrPtr* _t128;
				intOrPtr _t131;
				void* _t132;
				void* _t133;

				_t133 = __eflags;
				_t126 = __edx;
				_push(0x100);
				E0045B8C9(0x4a05fc, __ebx, __edi, __esi);
				_t128 =  *((intOrPtr*)(_t132 + 8));
				_push(0);
				_t99 = 0;
				 *((intOrPtr*)(_t132 - 0x10c)) = 0;
				_push(__ecx);
				 *((intOrPtr*)(_t132 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t132 - 0x18)) = 0x4c2f40;
				E00408E82(0, _t132 - 0x40, _t128, 0, _t133);
				 *((intOrPtr*)(_t132 - 4)) = 0;
				 *((intOrPtr*)(_t132 - 0x108)) = 0x5c;
				 *((intOrPtr*)(_t132 - 0x108)) = E0040AA25(_t132 - 0x3c, _t132 - 0x108, 0xffffffff, 1);
				if(E0040A4F3(_t132 - 0x40) == 0) {
					_push(0);
					_push(_t132 - 0x100);
					_t68 = E0040A3F4(0, _t132 - 0x40, _t126, _t128, 0, __eflags) + 4;
					_t99 = 1;
					__eflags =  *((intOrPtr*)(_t68 + 0x14)) - 8;
					 *((char*)(_t132 - 4)) = 1;
					 *((intOrPtr*)(_t132 - 0x10c)) = 1;
					if( *((intOrPtr*)(_t68 + 0x14)) >= 8) {
						_t68 =  *_t68;
					}
				} else {
					_t68 = 0x4c2d7c;
				}
				E004091B8(_t132 - 0xa0, _t68, _t132 - 0x101, 1);
				 *((intOrPtr*)(_t132 - 4)) = 3;
				if((_t99 & 0x00000001) != 0) {
					E00401B80(_t132 - 0x100);
				}
				_t70 =  *((intOrPtr*)(_t132 - 0x108));
				_t131 =  *((intOrPtr*)(_t132 - 0x8c));
				if(_t70 == 0xffffffff || _t70 < _t131) {
					E004095E2(_t132 - 0x40, _t132 - 0xa0);
				} else {
					_t94 = E0040AABC(_t132 - 0x40, _t132 - 0x70, 0, _t70 + 1);
					 *((char*)(_t132 - 4)) = 4;
					E004095E2(_t132 - 0x40, _t94);
					 *((char*)(_t132 - 4)) = 3;
					E00401B80(_t132 - 0x70);
				}
				if( *((char*)(_t132 + 0xc)) == 0) {
					_t139 =  *((intOrPtr*)(_t132 - 0x2c)) - _t131 + 1;
					if( *((intOrPtr*)(_t132 - 0x2c)) > _t131 + 1) {
						E0040A528(_t99, _t132 - 0x40, _t126, _t139, _t132 - 0x70);
						E00401B80(_t132 - 0x70);
					}
				}
				_t140 =  *((char*)(_t132 + 0x10));
				if( *((char*)(_t132 + 0x10)) != 0) {
					_push(1);
					_push(_t132 - 0x101);
					_push(0x4c2d7c);
					E00408F6D(_t99, _t132 - 0x70, _t128, _t131, _t140);
					_push(0);
					_push(_t132 - 0xd0);
					 *((char*)(_t132 - 4)) = 5;
					_t131 = E0040A3F4(_t99, _t132 - 0x40, _t126, _t128, _t131, _t140);
					 *((char*)(_t132 - 4)) = 6;
					if(_t131 == 0) {
						_t83 = 0;
						__eflags = 0;
					} else {
						_t46 = _t131 + 4; // 0x4
						_t83 = _t46;
					}
					_t114 =  *((intOrPtr*)(_t83 + 0x10));
					if( *((intOrPtr*)(_t83 + 0x14)) >= 8) {
						_t83 =  *_t83;
					}
					_t84 = E0040A017(_t132 - 0x3c, _t83, 0, _t114);
					_t143 = _t84 - 0xffffffff;
					if(_t84 != 0xffffffff) {
						E0040A6AD(_t132 - 0x40, _t84,  *((intOrPtr*)(_t131 + 0x14)), _t132 - 0x70);
					}
					E00401B80(_t132 - 0xd0);
					 *((char*)(_t132 - 4)) = 3;
					E00401B80(_t132 - 0x70);
				}
				_push(0);
				_push(_t132 - 0x40);
				 *_t128 = 0x4c2fa0;
				 *((intOrPtr*)(_t128 + 0x28)) = 0x4c2f40;
				E00408E82(_t99, _t128, _t128, _t131, _t143);
				E00401B80(_t132 - 0xa0);
				E00401B80(_t132 - 0x40);
				return E0045B878(_t99, _t128, _t131);
			}

0x0040a206
0x0040a206
0x0040a206
0x0040a210
0x0040a215
0x0040a21a
0x0040a21b
0x0040a21d
0x0040a223
0x0040a227
0x0040a22e
0x0040a235
0x0040a248
0x0040a24b
0x0040a25d
0x0040a26a
0x0040a273
0x0040a27a
0x0040a285
0x0040a288
0x0040a289
0x0040a28d
0x0040a291
0x0040a297
0x0040a299
0x0040a299
0x0040a26c
0x0040a26c
0x0040a26c
0x0040a2ab
0x0040a2b0
0x0040a2ba
0x0040a2c2
0x0040a2c2
0x0040a2c7
0x0040a2cd
0x0040a2d6
0x0040a311
0x0040a2dc
0x0040a2e7
0x0040a2f0
0x0040a2f4
0x0040a2fc
0x0040a300
0x0040a300
0x0040a31a
0x0040a31f
0x0040a322
0x0040a32b
0x0040a333
0x0040a333
0x0040a322
0x0040a338
0x0040a33c
0x0040a33e
0x0040a346
0x0040a347
0x0040a34f
0x0040a354
0x0040a35c
0x0040a360
0x0040a369
0x0040a36b
0x0040a371
0x0040a378
0x0040a378
0x0040a373
0x0040a373
0x0040a373
0x0040a373
0x0040a37e
0x0040a381
0x0040a383
0x0040a383
0x0040a38c
0x0040a391
0x0040a394
0x0040a3a1
0x0040a3a1
0x0040a3ac
0x0040a3b4
0x0040a3b8
0x0040a3b8
0x0040a3bd
0x0040a3c2
0x0040a3c5
0x0040a3cb
0x0040a3d2
0x0040a3dd
0x0040a3e5
0x0040a3f1

APIs

__EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

|-L, xrefs: 0040A26C
\, xrefs: 0040A24B
@/L, xrefs: 0040A22E
@/L, xrefs: 0040A3CB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
String ID: @/L$@/L$\$|-L
API String ID: 2488494826-1945259057
Opcode ID: 2ec611a1847be4629c6f6f387f007ec6c5d08452fbeea067d02bd35fad2cea44
Instruction ID: a68700e8c92d30bc852636d4d0c0e4b585e1e741e8c94725aea4fe52d274327e
Opcode Fuzzy Hash: 2ec611a1847be4629c6f6f387f007ec6c5d08452fbeea067d02bd35fad2cea44
Instruction Fuzzy Hash: 2A517B30910218DEDB14EBA1CC51BEEB778BF14304F1441AEE846B72D1DBB86A49CF56

Uniqueness

Uniqueness Score: -1.00%

Function 0043FB73, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0043FB73(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v32;
				void* __ebp;
				intOrPtr _t47;
				intOrPtr _t52;
				void* _t54;
				void* _t65;
				void* _t78;
				signed int _t79;
				intOrPtr* _t82;
				signed int _t88;
				signed int _t89;
				signed int _t92;
				intOrPtr _t94;
				intOrPtr _t97;
				signed int _t102;
				signed int _t104;
				signed int _t106;
				intOrPtr _t107;

				_t97 = __ecx;
				_t82 =  *((intOrPtr*)(__ecx + 8));
				_v12 = __ecx;
				_t78 =  !=  ? _t82 : 1;
				while(_t78 - _t82 < _a4 || _t78 < 8) {
					if(0xfffffff - _t78 < _t78) {
						_push("deque<T> too long");
						E00459F9F(__eflags);
						asm("int3");
						_t47 = _v32;
						__eflags = _t47 -  *((intOrPtr*)(_t82 + 4));
						if(_t47 >=  *((intOrPtr*)(_t82 + 4))) {
							L14:
							__eflags = 0;
							return 0;
						}
						__eflags =  *_t82 - _t47;
						if( *_t82 > _t47) {
							goto L14;
						}
						return 1;
					}
					_t78 = _t78 + _t78;
				}
				_t79 = _t78 - _t82;
				_push(0);
				_t92 =  *(_t97 + 0xc) >> 2;
				_v8 = _t92;
				_t52 = E0043CDD7(_t82 + _t79);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				_t88 = _t92 << 2;
				_t102 = ( *(_t97 + 8) << 0x00000002) -  *((intOrPtr*)(_t97 + 4)) + _t88 + _t83 & 0xfffffffc;
				_a4 = _t52;
				_v16 = _t88;
				_t54 = E0045AF90(_t52 + _t88,  *((intOrPtr*)(_t97 + 4)) + _t88, _t102);
				_t89 = _v8;
				_t94 = _v12;
				_t84 = _t102 + _t54;
				_v20 = _t102 + _t54;
				__eflags = _t89 - _t79;
				if(_t89 > _t79) {
					_t104 = _t79 << 2;
					E0045AF90(_t84,  *((intOrPtr*)(_t94 + 4)), _t104 & 0xfffffffc);
					_t58 =  *((intOrPtr*)(_t94 + 4));
					_v20 = _v20 & 0x00000000;
					_t106 =  *((intOrPtr*)(_t94 + 4)) - _t104 + _t58 + _v16 >> 2 << 2;
					__eflags = E0045AF90(_a4, _t104 + _t58, _t106) + _t106;
					_t65 = E0043D03B(E0045AF90(_a4, _t104 + _t58, _t106) + _t106, _t79,  &_v20);
					_t107 = _a4;
				} else {
					_v16 = _v16 & 0x00000000;
					E0043D03B(E0045AF90(_t84,  *((intOrPtr*)(_t94 + 4)), 0 + (_t89 << 0x00000002) & 0xfffffffc) + (0 + (_t89 << 0x00000002) & 0xfffffffc), _t79 - _t89,  &_v16);
					_t107 = _a4;
					_v20 = _v20 & 0x00000000;
					_t65 = E0043D03B(_t107, _v8,  &_v20);
				}
				__eflags =  *((intOrPtr*)(_t94 + 4));
				if( *((intOrPtr*)(_t94 + 4)) != 0) {
					_t65 = L0045A2FE( *((intOrPtr*)(_t94 + 4)));
				}
				_t37 = _t94 + 8;
				 *_t37 =  *((intOrPtr*)(_t94 + 8)) + _t79;
				__eflags =  *_t37;
				 *((intOrPtr*)(_t94 + 4)) = _t107;
				return _t65;
			}

0x0043fb7b
0x0043fb7f
0x0043fb86
0x0043fb89
0x0043fb8c
0x0043fba3
0x0043fcb2
0x0043fcb7
0x0043fcbc
0x0043fcc0
0x0043fcc3
0x0043fcc6
0x0043fcd1
0x0043fcd1
0x00000000
0x0043fcd1
0x0043fcc8
0x0043fcca
0x00000000
0x00000000
0x00000000
0x0043fcce
0x0043fba9
0x0043fba9
0x0043fbb0
0x0043fbb2
0x0043fbb7
0x0043fbbb
0x0043fbbe
0x0043fbc3
0x0043fbcb
0x0043fbd8
0x0043fbdc
0x0043fbe3
0x0043fbe6
0x0043fbeb
0x0043fbee
0x0043fbf4
0x0043fbf7
0x0043fbfa
0x0043fbfc
0x0043fc4a
0x0043fc57
0x0043fc5c
0x0043fc5f
0x0043fc78
0x0043fc88
0x0043fc8b
0x0043fc90
0x0043fbfe
0x0043fc01
0x0043fc2a
0x0043fc2f
0x0043fc32
0x0043fc3e
0x0043fc43
0x0043fc96
0x0043fc9a
0x0043fc9f
0x0043fca4
0x0043fca5
0x0043fca5
0x0043fca5
0x0043fca8
0x0043fcaf

APIs

_memmove.LIBCMT ref: 0043FBE6
_memmove.LIBCMT ref: 0043FC1F
_memmove.LIBCMT ref: 0043FC57
_memmove.LIBCMT ref: 0043FC80

Part of subcall function 00459F9F: std::exception::exception.LIBCMT ref: 00459FB2
Part of subcall function 00459F9F: __CxxThrowException@8.LIBCMT ref: 00459FC7

Strings

deque<T> too long, xrefs: 0043FCB2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID: deque<T> too long
API String ID: 1300846289-309773918
Opcode ID: 91c3c2f9e800fbc20d8b7484a9ad9ac98018bc116e96ebbd6f360ea588c95be4
Instruction ID: 853ced215d91c47335e7a763301715c714bdf2feb29f449dc5e2c4dbcd07cd9e
Opcode Fuzzy Hash: 91c3c2f9e800fbc20d8b7484a9ad9ac98018bc116e96ebbd6f360ea588c95be4
Instruction Fuzzy Hash: BB41E2B2D00219AFC711DA68CC8299FB7A8FB04358F14863AE824E3241D778ED19C7D4

Uniqueness

Uniqueness Score: -1.00%

Function 00413EEB, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00413EEB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t68;
				signed int _t70;
				void* _t79;
				void* _t95;
				void* _t106;
				signed int _t111;
				signed int _t112;
				intOrPtr* _t113;
				signed int _t116;
				signed int _t136;
				signed int _t137;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;
				void* _t145;

				_t145 = __eflags;
				_push(0xd0);
				E0045B8C9(0x4a1a7c, __ebx, __edi, __esi);
				_t140 = __ecx;
				 *(_t141 - 0xdc) =  *(_t141 - 0xdc) & 0x00000000;
				 *((intOrPtr*)(_t141 - 0xd8)) =  *((intOrPtr*)(_t141 + 8));
				_push(" ");
				_push(__ecx + 0xb4);
				_push(_t141 - 0xd0);
				E0040B22B(__ebx, __edi, __ecx, _t145);
				_t143 = _t142 + 0xc;
				_t68 =  *(_t141 + 0xc);
				 *(_t141 - 4) =  *(_t141 - 4) & 0x00000000;
				_t136 = _t68 / 0xe10;
				_t111 = _t68 % 0xe10;
				_t146 = _t136;
				if(_t136 != 0) {
					 *((intOrPtr*)(_t141 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t141 - 0x18)) = 0x4c2f40;
					E00404200(_t141 - 0x40, _t141 - 0xd1, 0);
					 *(_t141 - 4) = 1;
					E0040DD64(_t141 - 0x40, "%d ", _t136);
					_push(_t140 + 0x24);
					_push(_t141 - 0x40);
					_push(_t141 - 0xa0);
					_t106 = E00413C81(_t111, _t136, _t140, _t146);
					_t143 = _t143 + 0x18;
					 *(_t141 - 4) = 2;
					E0040B99A(_t141 - 0xd0, _t106);
					E00401B80(_t141 - 0xa0);
					E00401B80(_t141 - 0x40);
				}
				_t70 = _t111;
				_t116 = 0x3c;
				_t137 = _t70 / _t116;
				_t112 = _t70 % _t116;
				_t147 = _t137;
				if(_t137 != 0) {
					 *((intOrPtr*)(_t141 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t141 - 0x18)) = 0x4c2f40;
					E00404200(_t141 - 0x40, _t141 - 0xd1, 0);
					 *(_t141 - 4) = 3;
					E0040DD64(_t141 - 0x40, "%d ", _t137);
					_push(_t140 + 0x54);
					_push(_t141 - 0x40);
					_push(_t141 - 0xa0);
					_t95 = E00413C81(_t112, _t137, _t140, _t147);
					_t143 = _t143 + 0x18;
					 *(_t141 - 4) = 4;
					E0040B99A(_t141 - 0xd0, _t95);
					E00401B80(_t141 - 0xa0);
					E00401B80(_t141 - 0x40);
				}
				 *((intOrPtr*)(_t141 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t141 - 0x48)) = 0x4c2f40;
				E00404200(_t141 - 0x70, _t141 - 0xd1, 0);
				 *(_t141 - 4) = 5;
				E0040DD64(_t141 - 0x70, "%d ", _t112);
				_push(_t140 + 0x84);
				_push(_t141 - 0x70);
				_push(_t141 - 0xa0);
				_t79 = E00413C81(_t112, 0x4c2fa0, _t140, _t147);
				 *(_t141 - 4) = 6;
				E0040B99A(_t141 - 0xd0, _t79);
				 *(_t141 - 4) = 5;
				E00401B80(_t141 - 0xa0);
				_t113 =  *((intOrPtr*)(_t141 - 0xd8));
				_push(0);
				_push(_t141 - 0xd0);
				 *_t113 = 0x4c2fa0;
				 *((intOrPtr*)(_t113 + 0x28)) = 0x4c2f40;
				E00408E82(_t113, _t113, 0x4c2fa0, _t140, _t147);
				E00401B80(_t141 - 0x70);
				E00401B80(_t141 - 0xd0);
				return E0045B878(_t113, 0x4c2fa0, _t140);
			}

0x00413eeb
0x00413eeb
0x00413ef5
0x00413efa
0x00413eff
0x00413f06
0x00413f0c
0x00413f17
0x00413f1e
0x00413f1f
0x00413f24
0x00413f27
0x00413f33
0x00413f37
0x00413f39
0x00413f3b
0x00413f3d
0x00413f4b
0x00413f52
0x00413f59
0x00413f68
0x00413f6c
0x00413f74
0x00413f78
0x00413f7f
0x00413f80
0x00413f85
0x00413f8f
0x00413f93
0x00413f9e
0x00413fa6
0x00413fa6
0x00413fad
0x00413fb1
0x00413fb4
0x00413fb6
0x00413fb8
0x00413fba
0x00413fc8
0x00413fcf
0x00413fd6
0x00413fe5
0x00413fe9
0x00413ff1
0x00413ff5
0x00413ffc
0x00413ffd
0x00414002
0x0041400c
0x00414010
0x0041401b
0x00414023
0x00414023
0x00414039
0x0041403c
0x00414043
0x00414052
0x00414056
0x00414061
0x00414065
0x0041406c
0x0041406d
0x0041407c
0x00414080
0x0041408b
0x0041408f
0x00414094
0x0041409a
0x004140a2
0x004140a5
0x004140a7
0x004140ae
0x004140b6
0x004140c1
0x004140cd

APIs

__EH_prolog3_GS.LIBCMT ref: 00413EF5

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 00413C81: __EH_prolog3_GS.LIBCMT ref: 00413C88

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 00413FCF
@/L, xrefs: 004140A7
%d , xrefs: 00413F62, 00413FDF, 0041404C
@/L, xrefs: 0041403C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString
String ID: %d $@/L$@/L$@/L
API String ID: 1274762985-1633878546
Opcode ID: 28f67b66aaf996a2c0e9862a1b98a4afd30942a85b069feb11dc24f5805522c7
Instruction ID: 6f8e94a46b0d7f7da38a94ca8c733f408bb7e466b0c74dd9ad731604fc96a97d
Opcode Fuzzy Hash: 28f67b66aaf996a2c0e9862a1b98a4afd30942a85b069feb11dc24f5805522c7
Instruction Fuzzy Hash: D25122729002189ADB11EBD5CC51FDEB7B8AF54304F5440AFF549B3182EBB85B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004373CE, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004373CE(signed int __edx, intOrPtr _a4, signed int _a8) {
				signed int _v8;
				intOrPtr _v16;
				void* _v32;
				char _v52;
				char _v56;
				char _v104;
				char _v152;
				char _v153;
				intOrPtr _v160;
				signed char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t40;
				intOrPtr _t42;
				signed int _t47;
				long _t48;
				void* _t49;
				signed char _t51;
				signed int _t65;
				void* _t78;
				void* _t79;
				intOrPtr* _t80;
				void* _t85;
				void* _t86;
				void* _t91;
				intOrPtr* _t94;
				intOrPtr* _t100;
				void* _t101;
				signed int _t102;
				signed int _t104;
				signed int _t105;
				signed int _t106;
				void* _t111;

				_t98 = __edx;
				_t40 =  *0x4d7e88; // 0x9518852c
				_v8 = _t40 ^ _t106;
				_t42 = _a4;
				_t100 = _t42 + 4;
				_v160 = _t42;
				if( *((char*)( *((intOrPtr*)( *_t100 + 0x2c))() + 0x13)) != 0) {
					_push(_t101);
					_t102 = _a8;
					if(_t102 != 0) {
						_t111 =  *0x4d991c - _t102; // 0x0
						if(_t111 != 0) {
							_t47 =  *0x4d9924; // 0x0
							_push(_t78);
							_t79 = GetTickCount;
							 *0x4d991c = _t102;
							if((_t47 & 0x00000001) == 0) {
								 *0x4d9924 = _t47 | 0x00000001;
								 *0x4d9920 = GetTickCount();
							}
							_t48 = GetTickCount();
							_t85 = _t48 -  *0x4d9920;
							 *0x4d9920 = _t48;
							if( *0x4d754b != 0 || _t85 >= 0x64) {
								_t49 = 0xa;
								_t86 = 0x14;
								_t50 =  >  ? _t86 : _t49;
								_t51 = ( >  ? _t86 : _t49) & 0x0000ffff;
								_v164 = _t51;
								_t104 = _t102 * 0xa >> _t51;
								 *0x4d754b = 0;
								_v56 = 0x4c2fa0;
								_v16 = 0x4c2f40;
								E00404200( &_v56,  &_v153, 0);
								_t17 = E0040D268(_t79,  *((intOrPtr*)( *_t100 + 0x2c))(), _t98, _t100, _t104, _t102 - 0x100000,  &_v104, 0x758) + 4; // 0x4
								_t80 = _t17;
								if( *((intOrPtr*)(_t80 + 0x14)) >= 8) {
									_t80 =  *_t80;
								}
								_t91 = 0x14;
								_t24 = E0040D268(_t80,  *((intOrPtr*)( *_t100 + 0x2c))(), _t98, _t100, _t104, _v164 - _t91,  &_v152, (0 | _v164 != _t91) + 0x652) + 4; // 0x4
								_t94 = _t24;
								if( *((intOrPtr*)(_t94 + 0x14)) >= 8) {
									_t94 =  *_t94;
								}
								_t65 = _t104;
								_t105 = 0xa;
								_t98 = _t65 % _t105;
								_push(_t80);
								_push(_t94);
								_push(_t65 % _t105);
								E0040DD64( &_v56, L"%01d.%01d %s%s", _t65 / _t105);
								E00401B80( &_v152);
								E00401B80( &_v104);
								_t72 =  >=  ? _v52 :  &_v52;
								SetDlgItemTextW( *(_v160 + 0x26c), 0x134,  >=  ? _v52 :  &_v52);
								E00401B80( &_v56);
							}
							_pop(_t78);
						}
					}
					_pop(_t101);
				}
				return E0045A457(_t78, _v8 ^ _t106, _t98, _t100, _t101);
			}

0x004373ce
0x004373d7
0x004373de
0x004373e1
0x004373e5
0x004373e8
0x004373f9
0x004373ff
0x00437400
0x00437405
0x0043740b
0x00437411
0x00437417
0x0043741c
0x0043741d
0x00437423
0x0043742b
0x00437430
0x00437437
0x00437437
0x0043743c
0x00437440
0x0043744d
0x00437452
0x0043745f
0x00437462
0x00437469
0x0043746f
0x00437474
0x00437482
0x00437488
0x0043748f
0x00437496
0x0043749d
0x004374b9
0x004374b9
0x004374c0
0x004374c2
0x004374c2
0x004374c8
0x004374ee
0x004374ee
0x004374f5
0x004374f7
0x004374f7
0x004374fb
0x004374fd
0x00437500
0x00437502
0x00437503
0x00437504
0x0043750f
0x0043751d
0x00437525
0x00437531
0x00437547
0x00437550
0x00437550
0x00437555
0x00437555
0x00437411
0x00437556
0x00437556
0x00437565

APIs

GetTickCount.KERNEL32 ref: 00437435
GetTickCount.KERNEL32 ref: 0043743C
SetDlgItemTextW.USER32 ref: 00437547

Strings

%01d.%01d %s%s, xrefs: 00437509
@/L, xrefs: 00437496

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CountTick$ItemText
String ID: %01d.%01d %s%s$@/L
API String ID: 2511407410-3359649857
Opcode ID: b4bc7014ce3b23541946a1e1da354cf1cfdc7b13df6f04d4890e1f8274f9c3a4
Instruction ID: 577c397569c722616e663a517ba0c13f9d48bbaefbac9143e455544d63923502
Opcode Fuzzy Hash: b4bc7014ce3b23541946a1e1da354cf1cfdc7b13df6f04d4890e1f8274f9c3a4
Instruction Fuzzy Hash: 2B41CEB1A01214AFCB14DF64DD94FA977F5BB08704F4040AEE505EB291DB74AE04CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE7, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00413CE7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t63;
				void* _t65;
				void* _t70;
				void* _t72;
				void* _t77;
				void* _t81;
				intOrPtr _t87;
				intOrPtr* _t111;
				intOrPtr* _t113;
				void* _t115;

				_t108 = __edx;
				_push(0x70);
				E0045B8C9(0x4a1a13, __ebx, __edi, __esi);
				_t87 = __ecx;
				 *((intOrPtr*)(_t115 - 0x78)) = __ecx;
				_t113 = __ecx + 0x24;
				 *((intOrPtr*)(__ecx)) = 0x4af448;
				 *((intOrPtr*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((intOrPtr*)(__ecx + 0x10)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(_t115 - 0x7c)) = __ecx;
				 *_t113 = 0x4c2fa0;
				 *((intOrPtr*)(_t113 + 0x28)) = 0x4c2f40;
				E00404200(_t113, _t115 - 0x71, 0);
				 *((intOrPtr*)(_t115 - 4)) = 0;
				_t111 = __ecx + 0x54;
				 *_t111 = 0x4c2fa0;
				 *((intOrPtr*)(_t111 + 0x28)) = 0x4c2f40;
				E00404200(_t111, _t115 - 0x71, 0);
				 *((intOrPtr*)(__ecx + 0x84)) = 0x4c2fa0;
				 *((intOrPtr*)(__ecx + 0xac)) = 0x4c2f40;
				E00404200(__ecx + 0x84, _t115 - 0x71, 0);
				 *((intOrPtr*)(__ecx + 0xb4)) = 0x4c2fa0;
				 *((intOrPtr*)(__ecx + 0xdc)) = 0x4c2f40;
				E00404200(__ecx + 0xb4, _t115 - 0x71, 0);
				 *((intOrPtr*)(__ecx + 0xe4)) =  *((intOrPtr*)(_t115 + 8));
				_t24 = _t115 - 0x40; // 0x4c2f50
				 *((char*)(_t115 - 4)) = 3;
				_t63 = E0040D268(__ecx,  *((intOrPtr*)(_t115 + 8)), __edx, _t111, _t113, 0, _t24, 0x64f);
				_push(" ");
				_push(_t63);
				_push(_t115 - 0x70);
				 *((char*)(_t115 - 4)) = 4;
				_t65 = E0040B22B(_t87, _t111, _t113, 0);
				 *((char*)(_t115 - 4)) = 5;
				E004095E2(_t113, _t65);
				E00401B80(_t115 - 0x70);
				_t30 = _t115 - 0x40; // 0x4c2f50
				 *((char*)(_t115 - 4)) = 3;
				E00401B80(_t30);
				_t114 = _t87;
				_t70 = E0040D268(_t87,  *((intOrPtr*)(_t87 + 0xe4)), _t108, _t111, _t87, 0, _t115 - 0x70, 0x650);
				_push(" ");
				_push(_t70);
				_t34 = _t115 - 0x40; // 0x4c2f50
				 *((char*)(_t115 - 4)) = 6;
				_t72 = E0040B22B(_t87, _t111, _t114, 0);
				 *((char*)(_t115 - 4)) = 7;
				E004095E2(_t111, _t72);
				_t37 = _t115 - 0x40; // 0x4c2f50
				E00401B80(_t37);
				 *((char*)(_t115 - 4)) = 3;
				E00401B80(_t115 - 0x70);
				_t41 = _t115 - 0x40; // 0x4c2f50
				_t77 = E0040D268(_t87,  *((intOrPtr*)(_t114 + 0xe4)), _t108, _t111, _t114, 0, _t41, 0x651);
				 *((char*)(_t115 - 4)) = 8;
				E004095E2(_t87 + 0x84, _t77);
				_t44 = _t115 - 0x40; // 0x4c2f50
				 *((char*)(_t115 - 4)) = 3;
				E00401B80(_t44);
				_t47 = _t115 - 0x40; // 0x4c2f50
				_t81 = E0040D268(_t87,  *((intOrPtr*)(_t114 + 0xe4)), _t108, _t111, _t114, 0, _t47, 0x656);
				 *((char*)(_t115 - 4)) = 9;
				E004095E2(_t114 + 0xb4, _t81);
				_t50 = _t115 - 0x40; // 0x4c2f50
				E00401B80(_t50);
				return E0045B878(_t87, _t111, _t114);
			}

0x00413ce7
0x00413ce7
0x00413cee
0x00413cf3
0x00413cf5
0x00413cfa
0x00413d01
0x00413d07
0x00413d0a
0x00413d0d
0x00413d10
0x00413d16
0x00413d19
0x00413d1f
0x00413d26
0x00413d2b
0x00413d2e
0x00413d39
0x00413d3f
0x00413d46
0x00413d57
0x00413d61
0x00413d6b
0x00413d7e
0x00413d88
0x00413d92
0x00413da1
0x00413da7
0x00413dab
0x00413daf
0x00413db4
0x00413db9
0x00413dbd
0x00413dbe
0x00413dc2
0x00413dcd
0x00413dd1
0x00413dd9
0x00413dde
0x00413de1
0x00413de5
0x00413df2
0x00413dfb
0x00413e00
0x00413e05
0x00413e06
0x00413e09
0x00413e0e
0x00413e19
0x00413e1d
0x00413e22
0x00413e25
0x00413e2d
0x00413e31
0x00413e41
0x00413e45
0x00413e51
0x00413e55
0x00413e5a
0x00413e5d
0x00413e61
0x00413e71
0x00413e75
0x00413e81
0x00413e85
0x00413e8a
0x00413e8d
0x00413e99

APIs

__EH_prolog3_GS.LIBCMT ref: 00413CEE

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

P/L, xrefs: 00413DA7, 00413DDE, 00413E06, 00413E22, 00413E41, 00413E5A, 00413E71, 00413E8A, 00413DAA, 00413E0D, 00413E44, 00413E74
@/L, xrefs: 00413D3F
@/L, xrefs: 00413D61
@/L, xrefs: 00413D88

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$FreeString
String ID: @/L$@/L$@/L$P/L
API String ID: 1274762985-2520053171
Opcode ID: 70a36282290698aa7a561a304f6f0ca101505abaa14d9e03f3443c261c8efc79
Instruction ID: e6ae9dab9122685db005a450231c5a75040a150dff266dc76bc292c1ed19b799
Opcode Fuzzy Hash: 70a36282290698aa7a561a304f6f0ca101505abaa14d9e03f3443c261c8efc79
Instruction Fuzzy Hash: 48418271900208EEDB05EFA5C951FDEBBB8AF54308F1440AFE505B7283DBB85A08CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00443405, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85
timeCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00443405(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t38;
				intOrPtr* _t45;
				void* _t51;
				intOrPtr _t75;
				struct _SYSTEMTIME* _t77;
				void* _t78;

				_push(0xa8);
				E0045B8C9(0x4a71fb, __ebx, __edi, __esi);
				_t75 =  *((intOrPtr*)(_t78 + 8));
				_t77 =  *(_t78 + 0xc);
				 *((intOrPtr*)(_t78 - 0xb4)) = 0;
				 *((intOrPtr*)(_t78 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t78 - 0x48)) = 0x4c2f40;
				E00404200(_t78 - 0x70, _t78 - 0xa1, 0);
				 *((intOrPtr*)(_t78 - 4)) = 0;
				_t38 = E0040A14B(_t78 - 0x70, _t78 - 0xb0, 0x104);
				 *((char*)(_t78 - 4)) = 1;
				 *((char*)(_t38 + 4)) = 1;
				GetDateFormatW(0x400, 1, _t77, 0,  *(E0040A0F0(_t38,  *_t38)), 0x104);
				 *((char*)(_t78 - 4)) = 0;
				E00409574(0x400, _t78 - 0xb0, _t75, _t77, 0);
				 *((intOrPtr*)(_t78 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t78 - 0x18)) = 0x4c2f40;
				E00404200(_t78 - 0x40, _t78 - 0xa1, 0);
				 *((char*)(_t78 - 4)) = 2;
				_t45 = E0040A14B(_t78 - 0x40, _t78 - 0xb0, 0x104);
				 *((char*)(_t78 - 4)) = 3;
				 *((char*)(_t45 + 4)) = 1;
				GetTimeFormatW(0x400, 0, _t77, 0,  *(E0040A0F0(_t45,  *_t45)), 0x104);
				 *((char*)(_t78 - 4)) = 2;
				E00409574(0x400, _t78 - 0xb0, _t75, _t77, 0);
				_push(" ");
				_push(_t78 - 0x70);
				_push(_t78 - 0xa0);
				_t51 = E0040B22B(0x400, _t75, _t77, 0);
				_push(_t78 - 0x40);
				_push(_t51);
				_push(_t75);
				 *((char*)(_t78 - 4)) = 4;
				E00413C81(0x400, _t75, _t77, 0);
				E00401B80(_t78 - 0xa0);
				E00401B80(_t78 - 0x40);
				E00401B80(_t78 - 0x70);
				return E0045B878(0x400, _t75, _t77);
			}

0x00443405
0x0044340f
0x00443414
0x00443417
0x00443427
0x0044342d
0x00443434
0x0044343b
0x00443440
0x00443453
0x0044345a
0x0044345e
0x00443475
0x00443481
0x00443485
0x00443496
0x0044349d
0x004434a4
0x004434b8
0x004434bc
0x004434c3
0x004434c7
0x004434dd
0x004434e9
0x004434ed
0x004434f2
0x004434fa
0x00443501
0x00443502
0x0044350a
0x0044350b
0x0044350c
0x0044350d
0x00443511
0x0044351f
0x00443527
0x0044352f
0x0044353b

APIs

__EH_prolog3_GS.LIBCMT ref: 0044340F

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000104,?,00000104), ref: 00443475

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

GetTimeFormatW.KERNEL32(00000400,00000000,?,00000000,00000000,00000104,?,00000104), ref: 004434DD

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 00413C81: __EH_prolog3_GS.LIBCMT ref: 00413C88

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 0044349D
@/L, xrefs: 00443434

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_String$FormatFree$AllocDateTime
String ID: @/L$@/L
API String ID: 4284519732-2149722323
Opcode ID: 635d12e9a96c6764c128d433e6dd3b580955abe047585d871c98b058a9d3b457
Instruction ID: fff7b07122a855201d1590a3f66d2cbf7d9c02d09145ac78d695c552efdaf11c
Opcode Fuzzy Hash: 635d12e9a96c6764c128d433e6dd3b580955abe047585d871c98b058a9d3b457
Instruction Fuzzy Hash: C3316171900258EEDB11EBA1CC85FDDBB78AF15308F50409EF505771D2DBB86A48CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00442017, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00442017(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t36;
				void* _t44;
				void* _t47;
				void* _t68;
				void* _t75;
				void* _t76;

				_t76 = __eflags;
				_t74 = __esi;
				_t73 = __edi;
				_push(0x13c);
				E0045B935(0x4a6fd9, __ebx, __edi, __esi);
				_t60 = 0;
				 *((intOrPtr*)(_t75 - 4)) = 0;
				_t36 = E00424D42(_t75 + 8, _t76);
				_t77 = _t36;
				if(_t36 == 0) {
					L8:
					E00401B80(_t75 + 8);
					__eflags = 0;
				} else {
					 *((char*)(_t75 - 4)) = 1;
					E00416831(0, _t75 - 0x9c, __edi, __esi, _t77);
					_push(0);
					_push(_t75 + 8);
					 *((char*)(_t75 - 4)) = 2;
					 *((intOrPtr*)(_t75 - 0x50)) = 0x4affb8;
					 *((intOrPtr*)(_t75 - 0x28)) = 0x4affc0;
					E00408E82(0, _t75 - 0x50, _t73, _t74, _t77);
					_push(0);
					_push(0);
					_push(3);
					_push(0x80);
					_push(1);
					_push(0x80000000);
					_push(_t75 - 0x50);
					 *((char*)(_t75 - 4)) = 3;
					_t44 = E00424632(0, _t75 - 0x9c, _t73, _t74, _t77);
					_t74 = _t44;
					 *((char*)(_t75 - 4)) = 2;
					E00401B80(_t75 - 0x50);
					if(_t44 == 0) {
						_t47 = E00415549(0, _t75 - 0x9c, _t73, _t74, __eflags, _t75 - 0x20, 5);
						 *((char*)(_t75 - 4)) = 1;
						_t68 = _t75 - 0x9c;
						__eflags = _t47;
						if(__eflags == 0) {
							E004176D4(0, _t68, _t73, _t74, __eflags);
							goto L8;
						} else {
							E004176D4(0, _t68, _t73, _t74, __eflags);
							_t60 = 1;
							goto L10;
						}
					} else {
						_t79 =  *(_t75 + 0x38) & 0x00000020;
						if(( *(_t75 + 0x38) & 0x00000020) != 0) {
							_push(0);
							_push(_t75 + 8);
							 *((intOrPtr*)(_t75 - 0x50)) = 0x4ae964;
							 *((intOrPtr*)(_t75 - 0x28)) = 0x4ae96c;
							E00408E82(0, _t75 - 0x50, _t73, _t74, _t79);
							_push(1);
							_t22 = _t75 - 0x50; // 0x4ae964
							 *((char*)(_t75 - 4)) = 4;
							E00416CE9(0, _t75 - 0xf0, _t73, _t74, _t79);
							E0045A466(_t75 - 0xf0, 0x4c9c64);
						}
						 *((char*)(_t75 - 4)) = 1;
						E004176D4(_t60, _t75 - 0x9c, _t73, _t74, _t79);
						L10:
						E00401B80(_t75 + 8);
					}
				}
				return E0045B887(_t60, _t73, _t74);
			}

0x00442017
0x00442017
0x00442017
0x00442017
0x00442021
0x00442026
0x0044202b
0x0044202e
0x00442033
0x00442035
0x00442123
0x00442126
0x0044212b
0x0044203b
0x00442041
0x00442045
0x0044204a
0x0044204e
0x00442052
0x00442056
0x0044205d
0x00442064
0x00442069
0x0044206a
0x0044206b
0x0044206d
0x00442072
0x00442074
0x0044207c
0x00442083
0x00442087
0x0044208f
0x00442091
0x00442095
0x0044209c
0x00442102
0x00442107
0x0044210b
0x00442111
0x00442113
0x0044211e
0x00000000
0x00442115
0x00442115
0x0044211a
0x00000000
0x0044211a
0x0044209e
0x0044209e
0x004420a2
0x004420a4
0x004420a8
0x004420ac
0x004420b3
0x004420ba
0x004420bf
0x004420c1
0x004420cb
0x004420cf
0x004420e0
0x004420e0
0x004420eb
0x004420ef
0x0044216c
0x0044216f
0x00442174
0x0044209c
0x00442132

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 00442021

Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00416CE9: __EH_prolog3.LIBCMT ref: 00416CF0

__CxxThrowException@8.LIBCMT ref: 004420E0

Part of subcall function 0045A466: RaiseException.KERNEL32(?,?,00459FCC,00000000,?,?,?,?,00459FCC,00000000,004D0E78,?), ref: 0045A4B7

Part of subcall function 004176D4: __EH_prolog3.LIBCMT ref: 004176DB

Strings

dJ, xrefs: 00442079
, xrefs: 0044209E
lJ, xrefs: 004420B3

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3$ErrorLast$FreeString$ExceptionException@8H_prolog3_catch_RaiseThrow
String ID: $dJ$lJ
API String ID: 1995314774-4228904431
Opcode ID: d72664996292a832660e258d41729dba9f94cab7d23e73910a39a2347f54ec67
Instruction ID: 2cac7d60a1659bea1cbe3e71f3f451ce9cb96ef96a3828fbbf95e3a3f1390ee8
Opcode Fuzzy Hash: d72664996292a832660e258d41729dba9f94cab7d23e73910a39a2347f54ec67
Instruction Fuzzy Hash: D831D770800258EADB00EBE1C955BDEBB78AF15348F44409FF94577282EBB85B4CC769

Uniqueness

Uniqueness Score: -1.00%

Function 0040B139, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78
libraryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040B139(void* __edi, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v267;
				char _v268;
				void* __ebx;
				void* __esi;
				signed int _t18;
				char* _t27;
				void* _t36;
				char _t37;
				void* _t38;
				intOrPtr* _t40;
				signed int _t41;

				_t38 = __edi;
				_t18 =  *0x4d7e88; // 0x9518852c
				_v8 = _t18 ^ _t41;
				_t40 = _a8;
				if(_a4 == 1 && _t40 != 0 &&  *_t40 >= 0x10 &&  *((intOrPtr*)(_t40 + 0xc)) != 0 && E0045BE20( *((intOrPtr*)(_t40 + 0xc)), "api-ms-win-core-") !=  *((intOrPtr*)(_t40 + 0xc))) {
					_v268 = 0;
					E0045A4D0( &_v267, 0, 0x103);
					if(GetSystemDirectoryA( &_v268, 0x104) == 0) {
						goto L15;
					} else {
						_t27 =  &_v268;
						if(_v268 != 0) {
							do {
								_t27 = _t27 + 1;
							} while ( *_t27 != 0);
						}
						if( *((char*)(_t27 - 1)) != 0x5c) {
							 *_t27 = 0x5c;
							_t27 = _t27 + 1;
						}
						_t40 =  *((intOrPtr*)(_t40 + 0xc));
						_t37 =  *_t40;
						if(_t37 != 0) {
							_t36 = _t27 -  &_v268;
							_t40 = _t40 - _t27;
							_t38 = _t38;
							while(_t36 < 0x103) {
								 *_t27 = _t37;
								_t27 = _t27 + 1;
								_t36 = _t36 + 1;
								_t37 =  *((intOrPtr*)(_t40 + _t27));
								if(_t37 != 0) {
									continue;
								}
								goto L14;
							}
						}
						L14:
						LoadLibraryA( &_v268);
					}
				}
				return E0045A457(0x103, _v8 ^ _t41, _t37, _t38, _t40);
			}

0x0040b139
0x0040b142
0x0040b149
0x0040b152
0x0040b155
0x0040b19d
0x0040b1a4
0x0040b1c0
0x00000000
0x0040b1c2
0x0040b1c9
0x0040b1cf
0x0040b1d1
0x0040b1d1
0x0040b1d2
0x0040b1d1
0x0040b1db
0x0040b1dd
0x0040b1e0
0x0040b1e0
0x0040b1e1
0x0040b1e4
0x0040b1e8
0x0040b1f3
0x0040b1f5
0x0040b1f7
0x0040b1f8
0x0040b1fc
0x0040b1fe
0x0040b1ff
0x0040b200
0x0040b205
0x00000000
0x00000000
0x00000000
0x0040b205
0x0040b1f8
0x0040b207
0x0040b20e
0x0040b20e
0x0040b1c0
0x0040b225

APIs

_strstr.LIBCMT ref: 0040B17E
_memset.LIBCMT ref: 0040B1A4
GetSystemDirectoryA.KERNEL32(00000000,00000104), ref: 0040B1B8
LoadLibraryA.KERNEL32(00000000), ref: 0040B20E

Strings

api-ms-win-core-, xrefs: 0040B176

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: DirectoryLibraryLoadSystem_memset_strstr
String ID: api-ms-win-core-
API String ID: 3657221724-1285793476
Opcode ID: baefbc857145534496bc262e63ba5a7d740bceb2ccb29ed7fe1459e702fd25b5
Instruction ID: 460d6103ab5ec50b90593f2d27363bdae8c85978c84afd4ac41975e1259a8d8f
Opcode Fuzzy Hash: baefbc857145534496bc262e63ba5a7d740bceb2ccb29ed7fe1459e702fd25b5
Instruction Fuzzy Hash: 392105315042549EDB219B648889BEE7BA8DB26304F1448FED8D5B72C1D7B86D88CB9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF46, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0040DF46(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t46;
				void* _t51;
				signed char _t53;
				signed char _t58;
				void* _t71;
				intOrPtr* _t73;
				void* _t74;
				void* _t75;

				_t75 = __eflags;
				_push(0xa0);
				E0045B8C9(0x4a0eb4, __ebx, __edi, __esi);
				_t73 =  *((intOrPtr*)(_t74 + 8));
				_t53 = 0;
				_push(0);
				_push(__ecx);
				 *(_t74 - 0xa8) = 0;
				 *((intOrPtr*)(_t74 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t74 - 0x18)) = 0x4c2f40;
				E00408E82(0, _t74 - 0x40, 0x4c2fa0, _t73, _t75);
				 *((intOrPtr*)(_t74 - 4)) = 0;
				 *((intOrPtr*)(_t74 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t74 - 0x48)) = 0x4c2f40;
				E00404200(_t74 - 0x70, _t74 - 0xa1, 0);
				 *((char*)(_t74 - 4)) = 1;
				 *((intOrPtr*)(_t74 - 0xac)) = 0x2e;
				_t71 = E0040AA25(_t74 - 0x3c, _t74 - 0xac, 0xffffffff, 1);
				_t76 = _t71 - 0xffffffff;
				if(_t71 == 0xffffffff) {
					_t58 =  *(_t74 - 0xa8);
				} else {
					_t51 = E0040A206(0, _t74 - 0x40, __edx, _t71, _t73, _t76, _t74 - 0xa0, 0, 0);
					_t58 = 1;
					if(_t71 >=  *((intOrPtr*)(_t51 + 0x14))) {
						_t53 = 1;
					}
				}
				if((_t58 & 0x00000001) != 0) {
					E00401B80(_t74 - 0xa0);
				}
				_t79 = _t53;
				if(_t53 != 0) {
					_t46 = E0040AABC(_t74 - 0x40, _t74 - 0xa0, _t71, 0xffffffff);
					 *((char*)(_t74 - 4)) = 2;
					E004095E2(_t74 - 0x70, _t46);
					 *((char*)(_t74 - 4)) = 1;
					E00401B80(_t74 - 0xa0);
				}
				_push(0);
				_push(_t74 - 0x70);
				 *_t73 = 0x4c2fa0;
				 *((intOrPtr*)(_t73 + 0x28)) = 0x4c2f40;
				E00408E82(_t53, _t73, _t71, _t73, _t79);
				E00401B80(_t74 - 0x70);
				E00401B80(_t74 - 0x40);
				return E0045B878(_t53, _t71, _t73);
			}

0x0040df46
0x0040df46
0x0040df50
0x0040df55
0x0040df58
0x0040df5a
0x0040df5b
0x0040df64
0x0040df6a
0x0040df6d
0x0040df74
0x0040df84
0x0040df87
0x0040df8a
0x0040df91
0x0040dfa4
0x0040dfa8
0x0040dfb7
0x0040dfb9
0x0040dfbc
0x0040dfdb
0x0040dfbe
0x0040dfca
0x0040dfd1
0x0040dfd5
0x0040dfd7
0x0040dfd7
0x0040dfd5
0x0040dfe4
0x0040dfec
0x0040dfec
0x0040dff1
0x0040dff3
0x0040e002
0x0040e00b
0x0040e00f
0x0040e01a
0x0040e01e
0x0040e01e
0x0040e023
0x0040e028
0x0040e02b
0x0040e031
0x0040e038
0x0040e040
0x0040e048
0x0040e054

APIs

__EH_prolog3_GS.LIBCMT ref: 0040DF50

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Strings

@/L, xrefs: 0040DF6D
@/L, xrefs: 0040DF8A
., xrefs: 0040DFA8
@/L, xrefs: 0040E031

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_$H_prolog3
String ID: .$@/L$@/L$@/L
API String ID: 532146472-1829882848
Opcode ID: f78363ac1fd4950693921e9715f40583ca3c7ac7207f9ec00c014efd490f8519
Instruction ID: 3aaa0816592bffb927c1c55b48c1853e7177ff1124f314acb2e9864149553947
Opcode Fuzzy Hash: f78363ac1fd4950693921e9715f40583ca3c7ac7207f9ec00c014efd490f8519
Instruction Fuzzy Hash: 66319E71A0021CEECB14EB95C891FDEB3B8AF05354F1041AEE446732D2DBB81A49CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00406060, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E00406060(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t34;
				intOrPtr _t41;
				intOrPtr _t44;
				intOrPtr _t48;
				void* _t50;
				signed int _t51;
				short* _t52;
				void* _t60;
				void* _t62;
				intOrPtr* _t63;
				signed int _t65;

				_push(0xffffffff);
				_push(0x4aca98);
				_push( *[fs:0x0]);
				_push(_t50);
				_push(_t62);
				_t34 =  *0x4d7e88; // 0x9518852c
				_push(_t34 ^ _t65);
				 *[fs:0x0] =  &_v16;
				_t60 = _t50;
				_t48 =  *((intOrPtr*)(_t60 + 0x14));
				_v20 = 0;
				_t51 = _t48 - 1;
				if(_t48 != 0 && _t51 < _t48) {
					if( *((intOrPtr*)(_t60 + 0x18)) < 8) {
						_t7 = _t60 + 4; // 0x4
						_t41 = _t7;
					} else {
						_t41 =  *((intOrPtr*)(_t60 + 4));
					}
					if(( *(_t41 + _t51 * 2) & 0xffffff00 |  *(_t41 + _t51 * 2) == _a8) != 0) {
						_t44 =  *((intOrPtr*)(_t60 + 0x24));
						if(_t44 != 0) {
							__imp__#6(_t44);
							 *((intOrPtr*)(_t60 + 0x24)) = 0;
						}
						_t16 = _t60 + 4; // 0x4
						E00406FF0(_t48, _t16, _t62, _t48 - 1, 1);
					}
				}
				_t63 = _a4;
				 *_t63 = 0x4c2f50;
				 *((intOrPtr*)(_t63 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t63 + 0x2c)) = GetLastError();
				_t20 = _t63 + 4; // 0x73b74d44
				_t52 = _t20;
				_push(0xffffffff);
				_v8 = 0;
				_t22 = _t60 + 4; // 0x4
				 *((intOrPtr*)(_t52 + 0x14)) = 7;
				 *((intOrPtr*)(_t52 + 0x10)) = 0;
				 *_t52 = 0;
				E00406630(_t48, _t52, _t60, _t22, 0);
				 *((intOrPtr*)(_t63 + 0x1c)) = 0;
				 *((intOrPtr*)(_t63 + 0x20)) = 0;
				 *((intOrPtr*)(_t63 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t63 + 0x28)) + 4)) + _t63 + 0x28));
				 *[fs:0x0] = _v16;
				return _t63;
			}

0x00406063
0x00406065
0x00406070
0x00406071
0x00406073
0x00406075
0x0040607c
0x00406080
0x00406086
0x00406088
0x0040608b
0x00406092
0x00406097
0x004060a1
0x004060a8
0x004060a8
0x004060a3
0x004060a3
0x004060a3
0x004060b8
0x004060ba
0x004060bf
0x004060c2
0x004060c8
0x004060c8
0x004060d5
0x004060d8
0x004060d8
0x004060b8
0x004060dd
0x004060e0
0x004060e6
0x004060f3
0x004060f6
0x004060f6
0x004060fb
0x004060fd
0x00406104
0x00406108
0x0040610f
0x00406117
0x0040611a
0x0040611f
0x00406126
0x0040612d
0x0040613e
0x00406149
0x00406157

APIs

SysFreeString.OLEAUT32(?), ref: 004060C2
GetLastError.KERNEL32(9518852C,?,73B74D40,00000000,00000000,?,004ACA98,000000FF,T4L,00404B04), ref: 004060ED
SetLastError.KERNEL32(?,00000004,00000000,000000FF), ref: 0040613E

Strings

T4L, xrefs: 004060E6
T4L, xrefs: 00406060

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID: T4L$T4L
API String ID: 2425351278-3367740000
Opcode ID: a6b69ad884260e6fe1279f533801e44a3f4ab40c8d68d46f95a94baddbe35e48
Instruction ID: 629e363ae452715e4872db6da9b6f1349ee8222f95c2eceb5ad296e4585bfe0f
Opcode Fuzzy Hash: a6b69ad884260e6fe1279f533801e44a3f4ab40c8d68d46f95a94baddbe35e48
Instruction Fuzzy Hash: E7318CB5100605AFDB14CF05C984B56FBF8FF09724F10422EE81A9BA90DB79E919CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00444685, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00444685(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t44;
				intOrPtr* _t45;
				void* _t47;
				signed int _t60;
				intOrPtr* _t68;
				intOrPtr* _t74;
				intOrPtr* _t76;
				void* _t78;
				void* _t79;

				_t79 = __eflags;
				_push(0x7c);
				E0045B8C9(0x4a7642, __ebx, __edi, __esi);
				_t74 =  *((intOrPtr*)(_t78 + 8));
				 *((intOrPtr*)(_t78 - 0x7c)) = 0;
				 *((intOrPtr*)(_t78 - 4)) = 0;
				 *((intOrPtr*)(_t78 - 0x78)) = 0x104;
				 *((intOrPtr*)(_t78 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t78 - 0x18)) = 0x4c2f40;
				E00404200(_t78 - 0x40, _t78 - 0x71, 0);
				 *((char*)(_t78 - 4)) = 1;
				_t76 = E0040A14B(_t78 - 0x40, _t78 - 0x88,  *((intOrPtr*)(_t78 - 0x78)));
				_push(0);
				_push(_t78 - 0x71);
				_push(L"InstalledProductName");
				 *((char*)(_t78 - 4)) = 2;
				 *((intOrPtr*)(_t78 - 0x70)) = 0x4c2fa0;
				 *((intOrPtr*)(_t78 - 0x48)) = 0x4c2f40;
				_t44 = E00408F6D(0, _t78 - 0x70, _t74, _t76, _t79);
				 *((char*)(_t78 - 4)) = 3;
				 *((char*)(_t76 + 4)) = 1;
				_t45 = E0040A0F0(_t44,  *_t76);
				_t72 =  >=  ?  *((void*)(_t78 - 0x6c)) : _t78 - 0x6c;
				_t77 = _t78 - 0x78;
				_push(_t78 - 0x78);
				_push( *_t45);
				_t47 =  >=  ?  *((void*)(_t78 + 0x10)) : _t78 + 0x10;
				_push( >=  ?  *((void*)(_t78 - 0x6c)) : _t78 - 0x6c);
				_push(_t47);
				L0049BF0A();
				_t82 = _t47;
				_t60 = 0 | _t47 != 0x00000000;
				E00401B80(_t78 - 0x70);
				 *((char*)(_t78 - 4)) = 1;
				E00409574(_t60, _t78 - 0x88, _t74, _t78 - 0x78, _t82);
				_t68 = _t74;
				if(_t60 == 0) {
					_push(0);
					_push(_t78 - 0x40);
					 *_t74 = 0x4c2fa0;
					 *((intOrPtr*)(_t74 + 0x28)) = 0x4c2f40;
					E00408E82(_t60, _t68, _t74, _t77, __eflags);
				} else {
					E004091B8(_t68, 0x4c2d7c, _t78 - 0x71, 1);
				}
				E00401B80(_t78 - 0x40);
				E00401B80(_t78 + 0xc);
				return E0045B878(_t60, _t74, _t77);
			}

0x00444685
0x00444685
0x0044468c
0x00444691
0x00444696
0x004446a1
0x004446a4
0x004446ab
0x004446b2
0x004446b9
0x004446cb
0x004446d4
0x004446d6
0x004446da
0x004446db
0x004446e3
0x004446e7
0x004446ee
0x004446f5
0x004446fc
0x00444700
0x00444704
0x00444712
0x0044471a
0x0044471d
0x0044471e
0x00444722
0x00444726
0x00444727
0x00444728
0x0044472d
0x00444732
0x00444735
0x00444740
0x00444744
0x00444749
0x0044474d
0x00444761
0x00444766
0x00444767
0x0044476d
0x00444774
0x0044474f
0x0044475a
0x0044475a
0x0044477c
0x00444784
0x00444790

APIs

__EH_prolog3_GS.LIBCMT ref: 0044468C

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

Strings

@/L, xrefs: 004446B2
InstalledProductName, xrefs: 004446DB
@/L, xrefs: 004446EE
@/L, xrefs: 0044476D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$FreeH_prolog3_$AllocH_prolog3
String ID: @/L$@/L$@/L$InstalledProductName
API String ID: 1908522000-464250035
Opcode ID: 429bce9f77b44be8b824fa17475fa514b86466fc4e95814624c943b54bbe1347
Instruction ID: 4ce88fb489b31431c67c6434e6b4d49d01b104afd3fbd7af1a4c8fd3ffeb4cb2
Opcode Fuzzy Hash: 429bce9f77b44be8b824fa17475fa514b86466fc4e95814624c943b54bbe1347
Instruction Fuzzy Hash: 55316D7090020CDFDB10EFA5C981FDDBBB8AF54308F60406EE40567182DBB86A49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00445E5F, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00445E5F(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				void* _t36;
				intOrPtr* _t37;
				signed char _t38;
				void* _t52;
				void* _t53;
				char _t60;
				void* _t67;
				void* _t68;
				void* _t71;
				void* _t72;

				_t72 = __eflags;
				_t70 = __esi;
				_t69 = __edi;
				_t68 = __edx;
				_push(0x110);
				E0045B8C9(0x4a7b65, __ebx, __edi, __esi);
				E0043B19F(_t71 - 0x88);
				_push(1);
				_push(_t71 - 0x119);
				_push("Kernel32.dll");
				 *((intOrPtr*)(_t71 - 4)) = 0;
				E004090B1(0, _t71 - 0xb8, __edi, __esi, _t72);
				_push(1);
				_push(_t71 - 0xe8);
				 *((char*)(_t71 - 4)) = 1;
				_t32 = E0040B51F(0, _t69, _t70, _t72);
				_push(0);
				_push(_t32);
				 *((char*)(_t71 - 4)) = 2;
				 *((intOrPtr*)(_t71 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t71 - 0x18)) = 0x4c2f40;
				E00408E82(0, _t71 - 0x40, _t69, _t70, _t72);
				_push(_t71 - 0xb8);
				_push(_t71 - 0x118);
				 *((char*)(_t71 - 4)) = 3;
				_t36 = E0040B91E(0, _t71 - 0x40, _t69, _t70, _t72);
				_t60 = 4;
				_t37 = _t36 + _t60;
				 *((char*)(_t71 - 4)) = _t60;
				if( *((intOrPtr*)(_t37 + 0x14)) >= 8) {
					_t37 =  *_t37;
				}
				_t38 = E004530B2(_t71 - 0x88, _t68, _t69, _t70, _t37);
				asm("sbb bl, bl");
				E00401B80(_t71 - 0x118);
				E00401B80(_t71 - 0x40);
				E00401B80(_t71 - 0xe8);
				E00401B80(_t71 - 0xb8);
				_t52 =  ~_t38 + 1;
				if(_t52 != 0) {
					L6:
					_t53 = 0;
					__eflags = 0;
				} else {
					_t67 = 4;
					if( *(_t71 - 0x7c) >> 0x10 != _t67 ||  *(_t71 - 0x7c) != 0x5a) {
						goto L6;
					} else {
						_t53 = _t52 + 1;
					}
				}
				 *((intOrPtr*)(_t71 - 0x88)) = 0x4b5d64;
				E0043C503(_t71 - 0x88);
				return E0045B878(_t53, _t69, _t70);
			}

0x00445e5f
0x00445e5f
0x00445e5f
0x00445e5f
0x00445e5f
0x00445e69
0x00445e74
0x00445e79
0x00445e81
0x00445e84
0x00445e8f
0x00445e92
0x00445e9d
0x00445e9f
0x00445ea0
0x00445ea4
0x00445eab
0x00445eac
0x00445eb0
0x00445eb4
0x00445ebb
0x00445ec2
0x00445ecd
0x00445ed4
0x00445ed8
0x00445edc
0x00445ee3
0x00445ee4
0x00445ee6
0x00445eed
0x00445eef
0x00445eef
0x00445ef8
0x00445f07
0x00445f09
0x00445f11
0x00445f1c
0x00445f27
0x00445f2c
0x00445f2e
0x00445f49
0x00445f49
0x00445f49
0x00445f30
0x00445f38
0x00445f3c
0x00000000
0x00445f45
0x00445f45
0x00445f45
0x00445f3c
0x00445f51
0x00445f5b
0x00445f67

APIs

__EH_prolog3_GS.LIBCMT ref: 00445E69

Part of subcall function 0043B19F: _memset.LIBCMT ref: 0043B1C8

Part of subcall function 004090B1: __EH_prolog3_GS.LIBCMT ref: 004090B8

Part of subcall function 0040B51F: __EH_prolog3_GS.LIBCMT ref: 0040B529
Part of subcall function 0040B51F: GetModuleHandleW.KERNEL32(KERNEL32.DLL,00000274,0043AD95,?,00000000), ref: 0040B54C
Part of subcall function 0040B51F: GetProcAddress.KERNEL32(00000000,GetSystemWindowsDirectoryW), ref: 0040B560

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Strings

Kernel32.dll, xrefs: 00445E84
@/L, xrefs: 00445EBB
d]K, xrefs: 00445F51
Z, xrefs: 00445F3E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorLast$AddressH_prolog3HandleModuleProc_memset
String ID: @/L$Kernel32.dll$Z$d]K
API String ID: 1928657999-3552983298
Opcode ID: 19acca324db21ccbd1ba635798ccbd968111daec21f8e43c2c9d8be41a5d15ce
Instruction ID: cf6786969702b16d9ab89bc759fdb6fa891230425e7a63acc45e68e3e3330f35
Opcode Fuzzy Hash: 19acca324db21ccbd1ba635798ccbd968111daec21f8e43c2c9d8be41a5d15ce
Instruction Fuzzy Hash: BE21A03180021C9EDB54EBA1CC92BDD7378AF11348F5080EEE649A7192DFB85B8DCB59

Uniqueness

Uniqueness Score: -1.00%

Function 00452EBF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00452EBF(void* __ecx, void* __esi, intOrPtr _a4) {
				signed int _v8;
				short _v528;
				char _v532;
				char _v536;
				void* __ebx;
				void* __edi;
				signed int _t25;
				char* _t28;
				WCHAR* _t41;
				intOrPtr _t45;
				void* _t52;
				void* _t53;
				signed int _t55;
				signed int _t56;
				void* _t57;

				_t54 = __esi;
				_t25 =  *0x4d7e88; // 0x9518852c
				_v8 = _t25 ^ _t56;
				_t45 = _a4;
				_t53 = __ecx;
				if( *((intOrPtr*)(__ecx + 0x40)) != 0) {
					_push( &_v536);
					_t28 =  &_v532;
					_push(_t28);
					_push(_t45);
					_push( *((intOrPtr*)(__ecx + 0x40)));
					L004395DD();
					if(_t28 == 0) {
						_push(__esi);
						_t55 = 0;
						if( *((intOrPtr*)(__ecx + 0x3c)) > 0) {
							while(1) {
								wsprintfW( &_v528, L"\\StringFileInfo\\%04hX%04hX\\",  *( *((intOrPtr*)(_t53 + 0x38)) + _t55 * 4) & 0x0000ffff,  *( *((intOrPtr*)(_t53 + 0x38)) + 2 + _t55 * 4) & 0x0000ffff);
								E0046313F( &_v528, _t45, 0x104 - lstrlenW( &_v528));
								_t57 = _t57 + 0x1c;
								_push( &_v536);
								_push( &_v532);
								_t41 =  &_v528;
								_push(_t41);
								_push( *((intOrPtr*)(_t53 + 0x40)));
								L004395DD();
								if(_t41 != 0) {
									break;
								}
								_t55 = _t55 + 1;
								if(_t55 <  *((intOrPtr*)(_t53 + 0x3c))) {
									continue;
								} else {
									goto L7;
								}
								goto L8;
							}
						}
						L8:
						_pop(_t54);
					} else {
					}
				} else {
				}
				return E0045A457(_t45, _v8 ^ _t56, _t52, _t53, _t54);
			}

0x00452ebf
0x00452ec8
0x00452ecf
0x00452ed3
0x00452ed7
0x00452edd
0x00452eec
0x00452eed
0x00452ef3
0x00452ef4
0x00452ef5
0x00452ef8
0x00452eff
0x00452f09
0x00452f0a
0x00452f0f
0x00452f11
0x00452f2b
0x00452f51
0x00452f56
0x00452f5f
0x00452f66
0x00452f67
0x00452f6d
0x00452f6e
0x00452f71
0x00452f78
0x00000000
0x00000000
0x00452f7a
0x00452f7e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00452f7e
0x00452f93
0x00452f82
0x00452f82
0x00452f01
0x00452f01
0x00452edf
0x00452edf
0x00452f90

Strings

@/L, xrefs: 00452F09
\StringFileInfo\%04hX%04hX\, xrefs: 00452F25

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID:
String ID: @/L$\StringFileInfo\%04hX%04hX\
API String ID: 0-3756859267
Opcode ID: be34571f207fe0e3333b20cedebe9f202869cf00599130624a10bc949d60235f
Instruction ID: 5192fb4285565119777064e988bb2eb4d64c83ec89e6295746a45d13b1053a05
Opcode Fuzzy Hash: be34571f207fe0e3333b20cedebe9f202869cf00599130624a10bc949d60235f
Instruction Fuzzy Hash: BD21A4B260012CEBCB10DB61DD849EBB3BCBB09305F4001A7F915D3541E7B4EE949BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0042E638, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E0042E638(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _t58;
				signed int _t60;
				intOrPtr* _t73;
				intOrPtr _t75;
				void* _t76;
				void* _t77;

				_t77 = __eflags;
				_push(0x74);
				E0045B8C9(0x4a52ab, __ebx, __edi, __esi);
				_t73 =  *((intOrPtr*)(_t76 + 0xc));
				 *((intOrPtr*)(_t76 - 0x74)) =  *((intOrPtr*)(_t76 + 0x10));
				 *((intOrPtr*)(_t76 - 0x80)) = 0;
				 *((intOrPtr*)(_t76 - 0x7c)) = 0;
				 *((intOrPtr*)(_t76 - 0x78)) = 0;
				_push(1);
				_push(_t76 - 0x80);
				_push(0);
				_push(0x2e);
				 *((intOrPtr*)(_t76 - 4)) = 0;
				E0042A559(__ebx,  *((intOrPtr*)(_t76 + 8)), _t73, __esi, _t77);
				_t75 =  *((intOrPtr*)(_t76 - 0x80));
				asm("cdq");
				_t60 = 0x30;
				 *_t73 = 0;
				_t58 = ( *((intOrPtr*)(_t76 - 0x7c)) - _t75) / _t60;
				 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x74)))) = 0;
				if(_t58 > 0) {
					 *((intOrPtr*)(_t76 - 0x70)) = 0x4c2f50;
					 *((intOrPtr*)(_t76 - 0x48)) = 0x4c3454;
					E004053A0(_t75, 0);
					_t48 =  >=  ?  *((void*)(_t76 - 0x6c)) : _t76 - 0x6c;
					 *((char*)(_t76 - 4)) = 1;
					 *_t73 = E0045CD32( >=  ?  *((void*)(_t76 - 0x6c)) : _t76 - 0x6c);
					if(_t58 > 1) {
						_t24 = _t75 + 0x30; // 0x42cfe4
						 *((intOrPtr*)(_t76 - 0x40)) = 0x4c2f50;
						 *((intOrPtr*)(_t76 - 0x18)) = 0x4c3454;
						E004053A0(_t24, 0);
						_t54 =  >=  ?  *((void*)(_t76 - 0x3c)) : _t76 - 0x3c;
						 *((intOrPtr*)( *((intOrPtr*)(_t76 - 0x74)))) = E0045CD32( >=  ?  *((void*)(_t76 - 0x3c)) : _t76 - 0x3c);
						_t32 = _t76 - 0x40; // 0x4c2f50
						E00401AC0(_t32);
					}
					_t33 = _t76 - 0x70; // 0x4c2f50
					E00401AC0(_t33);
				}
				E00428E3E(_t76 - 0x80);
				return E0045B878(_t58, _t73, _t75);
			}

0x0042e638
0x0042e638
0x0042e63f
0x0042e64a
0x0042e64f
0x0042e652
0x0042e655
0x0042e658
0x0042e65b
0x0042e660
0x0042e661
0x0042e662
0x0042e664
0x0042e667
0x0042e66f
0x0042e674
0x0042e677
0x0042e67c
0x0042e67e
0x0042e683
0x0042e687
0x0042e68e
0x0042e695
0x0042e69c
0x0042e6a8
0x0042e6ad
0x0042e6b7
0x0042e6bc
0x0042e6c0
0x0042e6c7
0x0042e6ce
0x0042e6d5
0x0042e6e1
0x0042e6ef
0x0042e6f1
0x0042e6f4
0x0042e6f4
0x0042e6f9
0x0042e6fc
0x0042e6fc
0x0042e704
0x0042e70e

APIs

__EH_prolog3_GS.LIBCMT ref: 0042E63F

Part of subcall function 0042A559: __EH_prolog3_GS.LIBCMT ref: 0042A560

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

T4L, xrefs: 0042E695
P/L, xrefs: 0042E6F1
T4L, xrefs: 0042E6CE
P/L, xrefs: 0042E6F9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String
String ID: P/L$P/L$T4L$T4L
API String ID: 2608676048-673155060
Opcode ID: 34769bdbd17288f9b187b0de44e4f3ee3bbee69823220b28ae765076dae3336f
Instruction ID: 41ab91050ac571f607761228635aadb25f44560ff2b13d81e0a4351a069aad8b
Opcode Fuzzy Hash: 34769bdbd17288f9b187b0de44e4f3ee3bbee69823220b28ae765076dae3336f
Instruction Fuzzy Hash: 5E210A75E00219DFCB18EFAAD881ADDBBB4FF48304F60812EE415A7242DB749944CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004029F0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E004029F0(void* __edi, intOrPtr _a4, short _a8, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a40, char _a44) {
				intOrPtr _v8;
				char _v16;
				signed int _t23;
				intOrPtr* _t28;
				signed int _t30;
				intOrPtr _t39;
				void* _t42;
				intOrPtr _t43;
				void* _t48;
				void* _t49;
				void* _t51;
				intOrPtr* _t54;
				signed int _t56;

				_t49 = __edi;
				_push(0xffffffff);
				_push(0x4ac648);
				_push( *[fs:0x0]);
				_t23 =  *0x4d7e88; // 0x9518852c
				_push(_t23 ^ _t56);
				 *[fs:0x0] =  &_v16;
				_v8 = 0;
				_t42 =  >=  ? _a8 :  &_a8;
				_t27 =  !=  ? _t42 : 0x4c2d7c;
				_t48 =  !=  ?  !=  ? _t42 : 0x4c2d7c : 0x4c2d7c;
				if( *0x4c2d7c != 0) {
					_t28 = 0x4c2d7c;
					_t6 = _t28 + 2; // 0x4c2d7e
					_t51 = _t6;
					do {
						_t43 =  *_t28;
						_t28 = _t28 + 2;
					} while (_t43 != 0);
					_t30 = _t28 - _t51 >> 1;
				} else {
					_t30 = 0;
				}
				E004075B0(0x4d9420, _t49, _t48, _t30);
				 *((intOrPtr*)( &_a44 +  *((intOrPtr*)(_a44 + 4)))) = GetLastError();
				L0045A7D5(_a32);
				_t54 = __imp__#6;
				 *_t54(_a40);
				if(_a28 >= 8) {
					 *_t54(_a8);
				}
				_a8 = 0;
				_a28 = 7;
				_a24 = 0;
				_t39 =  *((intOrPtr*)(_a4 + 4));
				SetLastError( *(_t56 + _t39 + 8));
				 *[fs:0x0] = _v16;
				return _t39;
			}

0x004029f0
0x004029f3
0x004029f5
0x00402a00
0x00402a02
0x00402a09
0x00402a0d
0x00402a13
0x00402a21
0x00402a2e
0x00402a33
0x00402a3a
0x00402a40
0x00402a42
0x00402a42
0x00402a45
0x00402a45
0x00402a48
0x00402a4b
0x00402a52
0x00402a3c
0x00402a3c
0x00402a3c
0x00402a5b
0x00402a71
0x00402a76
0x00402a7b
0x00402a87
0x00402a8d
0x00402a92
0x00402a92
0x00402a96
0x00402a9d
0x00402aa4
0x00402aab
0x00402ab2
0x00402abb
0x00402ac7

APIs

GetLastError.KERNEL32(004C2D7C,004C2D7A,?,?,?,9518852C,?,?,004AC648,000000FF), ref: 00402A6B
SysFreeString.OLEAUT32(?), ref: 00402A87
SysFreeString.OLEAUT32(?), ref: 00402A92
SetLastError.KERNEL32(?), ref: 00402AB2

Strings

|-L, xrefs: 00402A25

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID: |-L
API String ID: 3822639702-4259979122
Opcode ID: 987895d5be2378243f9d6cfbfa707d03d8c79b3dcb80ae77b2ddbce1feba218e
Instruction ID: b05d900669560054878857bb2bac45c5a1db51c6aeba0e6297ac2689c2116c44
Opcode Fuzzy Hash: 987895d5be2378243f9d6cfbfa707d03d8c79b3dcb80ae77b2ddbce1feba218e
Instruction Fuzzy Hash: 39214A35A04219EFCB04DF28DD04B9A77E4FF48314F01826AEC19D76A0D778E950CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00411846, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00411846(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t40;
				intOrPtr _t46;
				int _t49;
				intOrPtr _t51;
				void* _t54;
				struct HWND__* _t56;
				void* _t58;
				int _t59;
				void* _t60;

				_t54 = __edx;
				_push(0xa0);
				E0045B8C9(0x4a165a, __ebx, __edi, __esi);
				_t58 = __ecx;
				_t56 =  *(_t60 + 8);
				_t46 =  *((intOrPtr*)(_t60 + 0x14));
				 *((intOrPtr*)(_t60 - 0x78)) =  *((intOrPtr*)(_t60 + 0x18));
				if(_t56 != 0 && IsWindow(_t56) != 0 &&  *((char*)(_t58 + 0x12a)) == 0) {
					_t59 = 0;
					 *((intOrPtr*)(_t60 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t60 - 0x18)) = 0x4c2f40;
					E00404200(_t60 - 0x40, _t60 - 0x71, 0);
					 *((intOrPtr*)(_t60 - 4)) = 0;
					_t65 = _t46;
					if(_t46 != 0) {
						 *((intOrPtr*)(_t60 - 0x98)) = _t46;
					} else {
						_t51 =  *0x4d962c; // 0x0
						_t40 = E0040D268(_t46, _t51, _t54, _t56, 0, _t65, _t60 - 0x70,  *((intOrPtr*)(_t60 - 0x78)));
						 *((char*)(_t60 - 4)) = 1;
						E004095E2(_t60 - 0x40, _t40);
						E00401B80(_t60 - 0x70);
						_t44 =  >=  ?  *((void*)(_t60 - 0x3c)) : _t60 - 0x3c;
						 *((intOrPtr*)(_t60 - 0x98)) =  >=  ?  *((void*)(_t60 - 0x3c)) : _t60 - 0x3c;
					}
					_t49 =  *(_t60 + 0xc);
					_t46 = SendMessageW;
					 *((intOrPtr*)(_t60 - 0xa4)) =  *((intOrPtr*)(_t60 + 0x10));
					 *(_t60 - 0xa8) = _t49;
					SendMessageW(_t56, 0x1074, _t49, _t60 - 0xac);
					do {
						SendMessageW(_t56, 0x101e, _t59, 0xfffffffe);
						_t59 = _t59 + 1;
					} while (_t59 < 2);
					E00401B80(_t60 - 0x40);
				}
				return E0045B878(_t46, _t56, _t58);
			}

0x00411846
0x00411846
0x00411850
0x00411855
0x00411857
0x0041185d
0x00411860
0x00411865
0x00411887
0x00411891
0x00411898
0x0041189f
0x004118a4
0x004118a7
0x004118a9
0x004118e5
0x004118ab
0x004118ae
0x004118b8
0x004118c1
0x004118c5
0x004118cd
0x004118d9
0x004118dd
0x004118dd
0x004118ee
0x004118f1
0x004118f7
0x0041190b
0x00411911
0x00411913
0x0041191c
0x0041191e
0x0041191f
0x00411927
0x00411927
0x00411931

APIs

__EH_prolog3_GS.LIBCMT ref: 00411850
IsWindow.USER32(?), ref: 0041186C

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

SendMessageW.USER32(?,00001074,?,?), ref: 00411911
SendMessageW.USER32(?,0000101E,00000000,000000FE), ref: 0041191C

Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 00411898

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_MessageSendString$Window
String ID: @/L
API String ID: 2791905285-3803013380
Opcode ID: 3cedaffb465134b779036b10a0e75ce7b998d30634b62b3286c912cf0eed8af3
Instruction ID: 12518d9f41e52af1591d8649f7039d0d8875e44d4071d6e35b2d9060ab8ff554
Opcode Fuzzy Hash: 3cedaffb465134b779036b10a0e75ce7b998d30634b62b3286c912cf0eed8af3
Instruction Fuzzy Hash: A8218374D00218EBCB20EFA1CC81ADEBB78AF59314F10416FE915A3291DB749985CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0041075B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E0041075B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t24;
				intOrPtr* _t25;
				int _t38;
				intOrPtr _t41;
				intOrPtr* _t42;
				void* _t48;
				struct HWND__* _t50;
				void* _t51;
				void* _t54;

				_t54 = __eflags;
				_t46 = __edx;
				_push(0x68);
				E0045B8C9(0x4a1455, __ebx, __edi, __esi);
				_t48 = __ecx;
				_t50 =  *(_t51 + 8);
				_t38 = 0;
				 *((intOrPtr*)(_t51 - 0x40)) = 0x4c2f50;
				 *((intOrPtr*)(_t51 - 0x18)) = 0x4c3454;
				E00403F50(_t51 - 0x40, _t51 - 0x71, 0);
				_t41 =  *0x4d962c; // 0x0
				 *(_t51 - 4) = 0;
				_t24 = E0040D268(0, _t41, __edx, __ecx, _t50, _t54, _t51 - 0x70, 0x676);
				_t42 = _t48 + 0xf4;
				 *(_t51 - 4) = 1;
				if( *((intOrPtr*)(_t42 + 0x14)) >= 8) {
					_t42 =  *_t42;
				}
				_t25 = _t24 + 4;
				if( *((intOrPtr*)(_t25 + 0x14)) >= 8) {
					_t25 =  *_t25;
				}
				_t12 = _t51 - 0x40; // 0x4c2f50
				E00403B50(_t12, _t25, _t42);
				 *(_t51 - 4) = _t38;
				E00401B80(_t51 - 0x70);
				if( *0x4d9625 != 0) {
					L7:
					 *0x4d9624 = 1;
					EnableWindow(GetDlgItem(_t50, 9), _t38);
					_t38 =  *0x4d9624; // 0x0
				} else {
					_t35 =  >=  ?  *((void*)(_t51 - 0x3c)) : _t51 - 0x3c;
					if(E0040F126(_t48, _t46,  >=  ?  *((void*)(_t51 - 0x3c)) : _t51 - 0x3c, 4, 6) == 6) {
						goto L7;
					} else {
						 *0x4d9624 = _t38;
					}
				}
				_t18 = _t51 - 0x40; // 0x4c2f50
				E00401AC0(_t18);
				return E0045B878(_t38, _t48, _t50);
			}

0x0041075b
0x0041075b
0x0041075b
0x00410762
0x00410767
0x00410769
0x0041076c
0x00410776
0x0041077d
0x00410784
0x00410789
0x00410798
0x0041079b
0x004107a0
0x004107a6
0x004107ae
0x004107b0
0x004107b0
0x004107b2
0x004107b9
0x004107bb
0x004107bb
0x004107bf
0x004107c3
0x004107ce
0x004107d1
0x004107dd
0x00410803
0x00410807
0x00410815
0x0041081b
0x004107df
0x004107e8
0x004107f9
0x00000000
0x004107fb
0x004107fb
0x004107fb
0x004107f9
0x00410821
0x00410824
0x00410830

APIs

__EH_prolog3_GS.LIBCMT ref: 00410762

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

Part of subcall function 0040D268: __EH_prolog3_GS.LIBCMT ref: 0040D272

GetDlgItem.USER32 ref: 0041080E
EnableWindow.USER32(00000000), ref: 00410815

Strings

P/L, xrefs: 004107BF, 004107C2
T4L, xrefs: 0041077D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last$EnableItemWindow
String ID: P/L$T4L
API String ID: 3351711136-1441100843
Opcode ID: 80099bf43ed76395b9d3c0e38b4b1092d2807debf15ad943e91290ebf2f91982
Instruction ID: 92aafb0a12a64cd0c720c3678079f4b25f9e2631f54a8c95f635e59e36f6dbd3
Opcode Fuzzy Hash: 80099bf43ed76395b9d3c0e38b4b1092d2807debf15ad943e91290ebf2f91982
Instruction Fuzzy Hash: F021C870901104DFCB08EBE4D855ADE77B8AB19308F14406FE101A7292DB789949CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0042307D, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0042307D(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t36;
				void* _t46;
				intOrPtr* _t50;
				void* _t51;

				_t46 = __edx;
				_push(0x68);
				E0045B8C9(0x4a3edc, __ebx, __edi, __esi);
				_t50 = __ecx;
				if( *((char*)(_t51 + 0xc)) != 0) {
					L2:
					_push(0);
					_push(_t51 - 0x71);
					_push(L" This setup was created with a BETA VERSION of %s");
					 *((intOrPtr*)(_t51 - 0x40)) = 0x4c2fa0;
					 *((intOrPtr*)(_t51 - 0x18)) = 0x4c2f40;
					E00408F6D(0x4c2fa0, _t51 - 0x40, 0, _t50, _t54);
					_push(0);
					_push(_t51 - 0x40);
					_push(0x86a);
					 *(_t51 - 4) = 0;
					E0042230A(0x4c2fa0, _t50, _t46, 0, _t50, _t54);
					 *(_t51 - 4) =  *(_t51 - 4) | 0xffffffff;
					E00401B80(_t51 - 0x40);
				} else {
					_t36 =  *__ecx;
					_t54 =  *((char*)(_t36 + 0x19));
					if( *((char*)(_t36 + 0x19)) != 0) {
						goto L2;
					}
				}
				if( *((char*)(_t51 + 8)) != 0) {
					L5:
					_push(0);
					_push(_t51 - 0x71);
					_push(L" This setup was created with a EVALUATION VERSION of %s");
					 *((intOrPtr*)(_t51 - 0x70)) = 0x4c2fa0;
					 *((intOrPtr*)(_t51 - 0x48)) = 0x4c2f40;
					E00408F6D(0x4c2fa0, _t51 - 0x70, 0, _t50, _t57);
					_push(0);
					_push(_t51 - 0x70);
					_push(0x86b);
					 *(_t51 - 4) = 1;
					E0042230A(0x4c2fa0, _t50, _t46, 0, _t50, _t57);
					E00401B80(_t51 - 0x70);
				} else {
					_t35 =  *_t50;
					_t57 =  *((char*)(_t35 + 0x18));
					if( *((char*)(_t35 + 0x18)) != 0) {
						goto L5;
					}
				}
				return E0045B878(0x4c2fa0, 0, _t50);
			}

0x0042307d
0x0042307d
0x00423084
0x00423089
0x00423096
0x004230a0
0x004230a0
0x004230a4
0x004230a5
0x004230ad
0x004230b0
0x004230b7
0x004230bc
0x004230c0
0x004230c1
0x004230c8
0x004230cb
0x004230d0
0x004230d7
0x00423098
0x00423098
0x0042309a
0x0042309e
0x00000000
0x00000000
0x0042309e
0x004230e0
0x004230ea
0x004230ea
0x004230ee
0x004230ef
0x004230f7
0x004230fa
0x00423101
0x00423106
0x0042310a
0x0042310b
0x00423112
0x00423119
0x00423121
0x004230e2
0x004230e2
0x004230e4
0x004230e8
0x00000000
0x00000000
0x004230e8
0x0042312d

APIs

__EH_prolog3_GS.LIBCMT ref: 00423084

Strings

@/L, xrefs: 004230B0
@/L, xrefs: 004230FA
This setup was created with a BETA VERSION of %s, xrefs: 004230A5
This setup was created with a EVALUATION VERSION of %s, xrefs: 004230EF

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_
String ID: This setup was created with a BETA VERSION of %s$ This setup was created with a EVALUATION VERSION of %s$@/L$@/L
API String ID: 2427045233-693270428
Opcode ID: 7ed88284435f6d964d74ae26bda29dc638efa60bba784a1b753562600ec7c521
Instruction ID: c1118a207570be3e01f4bca789a8b7fc1d13da134719a4dc36cbeff2257b49c2
Opcode Fuzzy Hash: 7ed88284435f6d964d74ae26bda29dc638efa60bba784a1b753562600ec7c521
Instruction Fuzzy Hash: CF119375A00218AEEB24EFA5D841FEEB7B4BF44744F50411FE840A7182CBBD5A09CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00443833, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00443833(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t22;
				void* _t42;
				intOrPtr* _t44;
				intOrPtr* _t47;
				void* _t48;

				_t42 = __edx;
				_t33 = __ebx;
				_push(0x84);
				E0045B8C9(0x4a72d9, __ebx, __edi, __esi);
				_t44 =  *((intOrPtr*)(_t48 + 8));
				_t2 = _t48 + 0xc; // 0x4c2f40
				 *(_t48 - 0x90) =  *(_t48 - 0x90) & 0x00000000;
				E0043B19F(_t48 - 0x58);
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				_t47 =  *_t2 + 4;
				if( *((intOrPtr*)(_t47 + 0x14)) >= 8) {
					_t47 =  *_t47;
				}
				_t22 = E004530B2(_t48 - 0x58, _t42, _t44, _t47, _t47);
				_push(1);
				_push(_t48 - 0x89);
				if(_t22 != 0) {
					_push(E00452EBF(_t48 - 0x58, _t47, L"ISInternalVersion"));
					E004091B8(_t48 - 0x88);
					_push(0);
					_push(_t48 - 0x88);
					 *(_t48 - 4) = 1;
					 *_t44 = 0x4c2fa0;
					 *((intOrPtr*)(_t44 + 0x28)) = 0x4c2f40;
					E00408E82(_t33, _t44, _t44, _t47, __eflags);
					E00401B80(_t48 - 0x88);
				} else {
					_push(0x4c2d7c);
					E004091B8(_t44);
				}
				 *((intOrPtr*)(_t48 - 0x58)) = 0x4b5d64;
				E0043C503(_t48 - 0x58);
				return E0045B878(_t33, _t44, _t47);
			}

0x00443833
0x00443833
0x00443833
0x0044383d
0x00443842
0x00443845
0x00443848
0x00443852
0x00443857
0x0044385b
0x00443862
0x00443864
0x00443864
0x0044386a
0x00443871
0x00443879
0x0044387a
0x00443897
0x0044389e
0x004438a3
0x004438ab
0x004438ae
0x004438b2
0x004438b8
0x004438bf
0x004438ca
0x0044387c
0x0044387c
0x00443883
0x00443883
0x004438d2
0x004438d9
0x004438e5

APIs

__EH_prolog3_GS.LIBCMT ref: 0044383D

Part of subcall function 0043B19F: _memset.LIBCMT ref: 0043B1C8

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 004438B8
ISInternalVersion, xrefs: 0044388A
@/L, xrefs: 00443845, 00443866
d]K, xrefs: 004438D2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3H_prolog3__memset
String ID: @/L$@/L$ISInternalVersion$d]K
API String ID: 1048471300-2676023046
Opcode ID: 4b9eb5fc68a48fa0e796bd7b971f77713372154ba3a2707e818fa4df0440fdb1
Instruction ID: 9abc0690162c9a74aeb108eee49c35fdd1b3b48d29c68ca2c98b767a539b545b
Opcode Fuzzy Hash: 4b9eb5fc68a48fa0e796bd7b971f77713372154ba3a2707e818fa4df0440fdb1
Instruction Fuzzy Hash: F41151319002049BDB14FF51C951BDCB378AF5071AF44809EF846AB186DFB86A89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0042757F, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0042757F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t20;
				void* _t23;
				intOrPtr* _t35;
				intOrPtr* _t47;
				intOrPtr _t49;
				void* _t50;

				_push(0xd4);
				E0045B8C9(0x4a4570, __ebx, __edi, __esi);
				_t35 = __ecx;
				_t47 =  *((intOrPtr*)(_t50 + 8));
				_t49 = E00428C5C(__ecx, _t47);
				if(_t49 ==  *__ecx) {
					L2:
					_t20 = E00427465(_t50 - 0xdc);
					 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
					 *((intOrPtr*)(_t50 - 0x78)) =  *_t47;
					_push(_t20);
					E00427403(_t35, _t50 - 0x74, _t47, _t49, _t53);
					_t8 = _t50 - 0x78; // 0x4c3454
					 *(_t50 - 4) = 1;
					_t23 = E0042632B(_t35, _t35, _t47, _t49, _t53);
					_push(_t23);
					_push(_t23 + 0x10);
					_push(_t49);
					_push(_t50 - 0xe0);
					E004264DE(_t35, _t35, _t47, _t49, _t23 + 0x10);
					_t49 =  *((intOrPtr*)(_t50 - 0xe0));
					_t12 = _t50 - 0x40; // 0x4c2f50
					E00401AC0(_t12);
					_t13 = _t50 - 0x70; // 0x4c2f50
					E00401AC0(_t13);
					_t14 = _t50 - 0xa8; // 0x4c3454
					E00401AC0(_t14);
					E00401AC0(_t50 - 0xd8);
				} else {
					_t53 =  *_t47 -  *((intOrPtr*)(_t49 + 0x10));
					if( *_t47 <  *((intOrPtr*)(_t49 + 0x10))) {
						goto L2;
					}
				}
				return E0045B878(_t35, _t47, _t49);
			}

0x0042757f
0x00427589
0x0042758e
0x00427590
0x00427599
0x0042759d
0x004275a6
0x004275ac
0x004275b3
0x004275b7
0x004275ba
0x004275be
0x004275c3
0x004275c9
0x004275cd
0x004275d2
0x004275d6
0x004275d7
0x004275de
0x004275e1
0x004275e6
0x004275ec
0x004275ef
0x004275f4
0x004275f7
0x004275fc
0x00427602
0x0042760d
0x0042759f
0x004275a1
0x004275a4
0x00000000
0x00000000
0x004275a4
0x0042761a

APIs

__EH_prolog3_GS.LIBCMT ref: 00427589

Strings

P/L, xrefs: 004275EC
T4L, xrefs: 004275FC
P/L, xrefs: 004275F4
T4L, xrefs: 004275C3, 004275C6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_
String ID: P/L$P/L$T4L$T4L
API String ID: 2427045233-673155060
Opcode ID: 2f7f40214789ea8b9282ef9b3ebe8f23b8510eb9b43be173e96c1d3f9715a147
Instruction ID: d4179ee25db72b2691d654b46211b9753ad446bb88ea0279dece89b4e4bd4ab2
Opcode Fuzzy Hash: 2f7f40214789ea8b9282ef9b3ebe8f23b8510eb9b43be173e96c1d3f9715a147
Instruction Fuzzy Hash: 13117031A11128DBCB14FB61D891AEDB3B8AF40304F5404AEE006B7182DB386E49CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00415C6B, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00415C6B(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ecx;
				_t27 = __ebx;
				_push(0x24);
				E0045B8C9(0x4a1e60, __ebx, __edi, __esi);
				_t36 = __ecx;
				 *((intOrPtr*)(_t37 - 0x30)) = __ecx;
				if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
					 *__ecx = 0x4c2f50;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c3454;
				}
				_t34 = 0;
				E00403F50(_t28, _t37 - 0x29, 0);
				_t6 = _t37 - 0x28; // 0x4c3454
				 *((intOrPtr*)(_t37 - 4)) = 0;
				E0045CBA5( *((intOrPtr*)(_t37 + 8)), _t6, 0xc,  *((intOrPtr*)(_t37 + 0xc)));
				if( *((intOrPtr*)(_t37 - 0x28)) != 0) {
					_t10 = _t37 - 0x28; // 0x4c3454
					_t34 = E0045B5D4(_t10);
				}
				_push(_t34);
				_push(_t37 - 0x28);
				E00406EB0(_t27, _t36 + 4, _t34, _t36);
				SetLastError( *( *((intOrPtr*)( *_t36 + 4)) + _t36));
				return E0045B878(_t27, _t34, _t36);
			}

0x00415c6b
0x00415c6b
0x00415c6b
0x00415c72
0x00415c77
0x00415c7d
0x00415c80
0x00415c82
0x00415c88
0x00415c88
0x00415c8f
0x00415c96
0x00415c9e
0x00415ca7
0x00415caa
0x00415cb6
0x00415cb8
0x00415cc2
0x00415cc2
0x00415cc4
0x00415cc8
0x00415ccc
0x00415cd9
0x00415ce6

APIs

__EH_prolog3_GS.LIBCMT ref: 00415C72
__ltow_s.LIBCMT ref: 00415CAA
SetLastError.KERNEL32(00000000,?,00000000,00000001), ref: 00415CD9

Strings

T4L, xrefs: 00415C9E, 00415CB8, 00415CA3, 00415CBB
T4L, xrefs: 00415C88

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last__ltow_s
String ID: T4L$T4L
API String ID: 2344196725-3367740000
Opcode ID: ce8571a7f45c33a6dc205b5f7dfbe96753ea443827b73530ae3ad932b8f79a73
Instruction ID: 75c9b1489ebe3ba8daf5c5e16b76b1339e5cbcf910cdae0d049cc33581855a00
Opcode Fuzzy Hash: ce8571a7f45c33a6dc205b5f7dfbe96753ea443827b73530ae3ad932b8f79a73
Instruction Fuzzy Hash: 6801B175800208EBDB11EF91C841DDEBBB9EF48318F04411EF9156B241DB799648CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041992F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041992F(void** __ecx, short* _a4) {
				_Unknown_base(*)()* _t6;
				struct HINSTANCE__* _t9;

				_t13 = __ecx;
				_t12 =  *((intOrPtr*)(__ecx + 8));
				if( *((intOrPtr*)(__ecx + 8)) == 0) {
					if( *0x4d97c8 != 0) {
						_t6 =  *0x4d97c4; // 0x0
					} else {
						_t9 = GetModuleHandleW(L"Advapi32.dll");
						if(_t9 == 0) {
							_t6 =  *0x4d97c4; // 0x0
						} else {
							_t6 = GetProcAddress(_t9, "RegDeleteKeyExW");
							 *0x4d97c4 = _t6;
						}
						 *0x4d97c8 = 1;
					}
					if(_t6 == 0) {
						return RegDeleteKeyW( *_t13, _a4);
					} else {
						return  *_t6( *_t13, _a4, _t13[1], 0);
					}
				}
				return E0041FFBE(_t12,  *((intOrPtr*)(__ecx)), _a4);
			}

0x00419933
0x00419935
0x0041993a
0x0041994f
0x00419981
0x00419951
0x00419956
0x0041995e
0x00419973
0x00419960
0x00419966
0x0041996c
0x0041996c
0x00419978
0x00419978
0x00419988
0x00000000
0x0041998a
0x00000000
0x00419994
0x00419988
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00419956
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00419966

Part of subcall function 0041FFBE: GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00419946,?,?), ref: 0041FFD0
Part of subcall function 0041FFBE: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0041FFE0

Strings

Advapi32.dll, xrefs: 00419951
RegDeleteKeyExW, xrefs: 00419960

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 98a83dec90ec41d81bd412a0a98b450627653b02796f9c1216922e5379c6364e
Instruction ID: 902e33575af748e3db428ed96261716dfc2668b29adcdf146d10b84daccf405a
Opcode Fuzzy Hash: 98a83dec90ec41d81bd412a0a98b450627653b02796f9c1216922e5379c6364e
Instruction Fuzzy Hash: CB01A274225204EBDF214F52EC51BD57FA4EB05740B10003FF446D6360C6B68CC19B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0042B1C8, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0042B1C8(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t21;
				intOrPtr _t39;
				void* _t40;
				void* _t41;

				_t41 = __eflags;
				_push(0x14);
				E0045B896(0x4a4bc0, __ebx, __edi, __esi);
				_t39 = __ecx;
				 *((intOrPtr*)(_t40 - 0x14)) = __ecx;
				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
				 *((intOrPtr*)(__ecx)) = 0x4c2fa0;
				 *((intOrPtr*)(__ecx + 0x28)) = 0x4c2f40;
				E00404200(__ecx, _t40 - 0xd, 0);
				 *(_t40 - 4) = 1;
				_t21 = E0040A14B(__ecx, _t40 - 0x20, 0x105);
				 *(_t40 - 4) = 2;
				 *((char*)(_t21 + 4)) = 1;
				GetCurrentDirectoryW(0x104,  *(E0040A0F0(_t21,  *_t21)));
				 *(_t40 - 4) = 1;
				E00409574(__ebx, _t40 - 0x20, __edi, _t39, _t41);
				_t13 = _t40 + 0xc; // 0x4c2f40
				_t14 = _t40 + 0xc; // 0x4c2f40
				_t35 =  >=  ?  *_t14 : _t13;
				SetCurrentDirectoryW( >=  ?  *_t14 : _t13);
				E00401B80(_t40 + 8);
				return E0045B864(_t39);
			}

0x0042b1c8
0x0042b1c8
0x0042b1cf
0x0042b1d4
0x0042b1d6
0x0042b1d9
0x0042b1e3
0x0042b1e9
0x0042b1f0
0x0042b200
0x0042b204
0x0042b20b
0x0042b20f
0x0042b21f
0x0042b228
0x0042b22c
0x0042b235
0x0042b238
0x0042b238
0x0042b23d
0x0042b246
0x0042b252

APIs

__EH_prolog3.LIBCMT ref: 0042B1CF

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040A0F0: SysStringLen.OLEAUT32(?), ref: 0040A0FD
Part of subcall function 0040A0F0: SysReAllocStringLen.OLEAUT32(?,00000001,?), ref: 0040A117

GetCurrentDirectoryW.KERNEL32(00000104,00000000,?,00000105,00000014,0042D5E6,00000008,?,00000001), ref: 0042B21F

Part of subcall function 00409574: __EH_prolog3_GS.LIBCMT ref: 0040957B
Part of subcall function 00409574: GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
Part of subcall function 00409574: SetLastError.KERNEL32(00000000), ref: 004095D6

SetCurrentDirectoryW.KERNEL32(@/L), ref: 0042B23D

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 0042B235, 0042B238, 0042B23C
@/L, xrefs: 0042B1E9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$String$CurrentDirectoryFree$AllocH_prolog3H_prolog3_
String ID: @/L$@/L
API String ID: 2542845675-2149722323
Opcode ID: 209e1db5246c3b027deaa9ccacfa7f3ffc714b1b0fca84f9a0283df0a36175c3
Instruction ID: 4118bdd2930b84098270f4a09eaa61e1482a404081c6dff82ee3a09ac2b5a18e
Opcode Fuzzy Hash: 209e1db5246c3b027deaa9ccacfa7f3ffc714b1b0fca84f9a0283df0a36175c3
Instruction Fuzzy Hash: 48015270500248EFDB04EF95C855BCC7BB4AF19308F10809EF545AB292DBF89644DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042E9EC, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042E9EC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				intOrPtr* _t34;
				void* _t35;

				_t32 = __edi;
				_t25 = __ebx;
				_push(0x9c);
				E0045B8C9(0x4a534a, __ebx, __edi, __esi);
				_t1 = _t35 + 0xc; // 0x4c2f40
				_t15 =  *_t1;
				 *(_t35 - 0xa8) =  *(_t35 - 0xa8) & 0x00000000;
				_t34 =  *((intOrPtr*)(_t35 + 8));
				_t37 = _t15 -  *((intOrPtr*)(__ecx + 0x270));
				if(_t15 >=  *((intOrPtr*)(__ecx + 0x270))) {
					E00402CE0(0x4c2d7c, _t35 - 0xa1, 1);
				} else {
					_push(E0042BD91(__ecx + 0x26c, _t15));
					_t6 = _t35 - 0xa0; // 0x4c2f50
					E0042B372(__ebx, _t6, __edi, _t34, _t37);
					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
					_t9 = _t35 - 0x40; // 0x4c2f50
					 *_t34 = 0x4c2f50;
					 *((intOrPtr*)(_t34 + 0x28)) = 0x4c3454;
					E004053A0(_t9, 0);
					_t11 = _t35 - 0xa0; // 0x4c2f50
					E0042BB30(_t11);
				}
				return E0045B878(_t25, _t32, _t34);
			}

0x0042e9ec
0x0042e9ec
0x0042e9ec
0x0042e9f6
0x0042e9fb
0x0042e9fb
0x0042e9fe
0x0042ea05
0x0042ea08
0x0042ea0e
0x0042ea63
0x0042ea10
0x0042ea1c
0x0042ea1d
0x0042ea23
0x0042ea28
0x0042ea2e
0x0042ea34
0x0042ea3a
0x0042ea41
0x0042ea46
0x0042ea4c
0x0042ea4c
0x0042ea6f

APIs

__EH_prolog3_GS.LIBCMT ref: 0042E9F6

Part of subcall function 0042B372: __EH_prolog3.LIBCMT ref: 0042B379

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Strings

P/L, xrefs: 0042EA1D, 0042EA46
@/L, xrefs: 0042E9FB
P/L, xrefs: 0042EA2E, 0042EA31
T4L, xrefs: 0042EA3A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$P/L$P/L$T4L
API String ID: 852442433-4045655792
Opcode ID: 2eb9e27a6175c0cc18a8aa3bb54f2802edd7e50b53f344d475f7f0a7c50f0ddc
Instruction ID: b8414f3ca670b52286c4911b55eea43125538bfdb0e1b2e6d0a2b2d3f6c164e5
Opcode Fuzzy Hash: 2eb9e27a6175c0cc18a8aa3bb54f2802edd7e50b53f344d475f7f0a7c50f0ddc
Instruction Fuzzy Hash: B0F08170B10228DADB41EB52CC41BED73B8FF10309F90409EF449AA181CBBC5A898B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00450E91, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00450E91(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				WCHAR* _t14;
				long _t15;
				intOrPtr _t27;
				void* _t28;

				_t25 = __edi;
				_t22 = __ebx;
				_push(0x84);
				E0045B8C9(0x4a961b, __ebx, __edi, __esi);
				_t27 =  *((intOrPtr*)(_t28 + 8));
				_t14 = _t27 + 4;
				if(_t14[0xa] >= 8) {
					_t14 =  *_t14;
				}
				_t15 = GetFileAttributesW(_t14);
				_t31 = _t15 - 0xffffffff;
				if(_t15 == 0xffffffff) {
					_push(0);
					_push(_t27);
					 *((intOrPtr*)(_t28 - 0x40)) = 0x4ae964;
					 *((intOrPtr*)(_t28 - 0x18)) = 0x4ae96c;
					E00408E82(_t22, _t28 - 0x40, _t25, _t27, _t31);
					_t7 = _t28 - 4;
					 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
					_push(1);
					_push(_t28 - 0x40);
					E00416910(_t28 - 0x90, _t27,  *_t7);
					E0045A466(_t28 - 0x90, 0x4c9bf0);
				}
				return E0045B878(_t22, _t25, _t27);
			}

0x00450e91
0x00450e91
0x00450e91
0x00450e9b
0x00450ea0
0x00450ea3
0x00450eaa
0x00450eac
0x00450eac
0x00450eaf
0x00450eb5
0x00450eb8
0x00450eba
0x00450ebc
0x00450ec0
0x00450ec7
0x00450ece
0x00450ed3
0x00450ed3
0x00450ed7
0x00450edc
0x00450ee3
0x00450ef4
0x00450ef4
0x00450efe

APIs

__EH_prolog3_GS.LIBCMT ref: 00450E9B
GetFileAttributesW.KERNEL32(00000000,00000084,00451BE3,?,000002E0,0048B00C,?,00000001), ref: 00450EAF
__CxxThrowException@8.LIBCMT ref: 00450EF4

Strings

dJ, xrefs: 00450EC0
lJ, xrefs: 00450EC7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AttributesException@8FileH_prolog3_Throw
String ID: dJ$lJ
API String ID: 5089079-817211891
Opcode ID: b6937180b8a45b4674d69da4b71e9fe98ecc86c9883427c513f0f06cf72d3c29
Instruction ID: ffae53588641cf7c41be7d381b956b5c16ae4c834ca872dedd5057a05e3e7f97
Opcode Fuzzy Hash: b6937180b8a45b4674d69da4b71e9fe98ecc86c9883427c513f0f06cf72d3c29
Instruction Fuzzy Hash: C2F06DB0810208DBCB10EBA1CC4AB9E7778BF11319F60459AE554A7192DB78AA48CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044A300, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0044A300(void* __ecx) {
				signed int _v8;
				intOrPtr* _t16;

				_v8 = _v8 & 0x00000000;
				_t16 = GetProcAddress(GetModuleHandleW(L"kernel32"), "IsWow64Process");
				if(_t16 != 0) {
					 *_t16(GetCurrentProcess(),  &_v8);
				}
				return 0 | _v8 != 0x00000000;
			}

0x0044a304
0x0044a320
0x0044a324
0x0044a331
0x0044a331
0x0044a33d

APIs

GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,?,?,?,0044A209), ref: 0044A313
GetProcAddress.KERNEL32(00000000), ref: 0044A31A
GetCurrentProcess.KERNEL32(00000000,?,?,?,0044A209), ref: 0044A32A

Strings

IsWow64Process, xrefs: 0044A309
kernel32, xrefs: 0044A30E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWow64Process$kernel32
API String ID: 4190356694-3789238822
Opcode ID: cd45caf602d2a6247137919ef74e8e603cd873b69f0d460b58ffe72d33558a16
Instruction ID: 3aa68ca420b248d80ddc3eaab1b136185529c8bbfc48f43d21bb5d53c2e2ea19
Opcode Fuzzy Hash: cd45caf602d2a6247137919ef74e8e603cd873b69f0d460b58ffe72d33558a16
Instruction Fuzzy Hash: 89E04F72C52328ABDF109BF19D0DBCE7AACAB05752B114966A801E7140D67899008BA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B726, Relevance: 7.7, APIs: 5, Instructions: 231
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041B726(signed int __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t96;
				void* _t98;
				intOrPtr _t108;
				intOrPtr _t109;
				void* _t110;
				intOrPtr _t111;
				intOrPtr _t112;
				intOrPtr _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t123;
				intOrPtr _t129;
				intOrPtr _t135;
				intOrPtr _t141;
				intOrPtr _t163;
				intOrPtr _t164;
				intOrPtr _t169;
				intOrPtr _t170;
				intOrPtr _t174;
				intOrPtr _t175;
				intOrPtr _t179;
				intOrPtr _t180;
				intOrPtr* _t185;
				intOrPtr* _t187;
				intOrPtr* _t188;
				void* _t189;
				void* _t190;
				void* _t192;

				_t190 = __eflags;
				_t182 = __edx;
				_t144 = __ebx;
				_push(0xc8);
				E0045B935(0x4a2e4d, __ebx, __edi, __esi);
				_t187 = __ecx;
				 *((intOrPtr*)(_t189 - 0xc8)) = __ecx;
				_t185 = 0;
				 *((intOrPtr*)(_t189 - 4)) = 0;
				_t96 =  *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 0x2c))();
				_push(_t189 - 0x90);
				E0041A199(__ebx, _t96, 0, __ecx, _t190);
				 *((char*)(_t189 - 4)) = 1;
				_t98 = E00424D42(_t189 - 0x90, _t190);
				_t191 = _t98;
				if(_t98 != 0) {
					E00416831(__ebx, _t189 - 0x60, 0, _t187, _t191);
					_push(0);
					_push(_t189 - 0x90);
					 *((char*)(_t189 - 4)) = 2;
					 *((intOrPtr*)(_t189 - 0xc0)) = 0x4affb8;
					 *((intOrPtr*)(_t189 - 0x98)) = 0x4affc0;
					E00408E82(__ebx, _t189 - 0xc0, 0, _t187, _t191);
					_push(0);
					_push(0);
					_push(3);
					_push(0x80);
					_push(1);
					_push(0x80000000);
					_push(_t189 - 0xc0);
					 *((char*)(_t189 - 4)) = 3;
					_t192 = E00424632(__ebx, _t189 - 0x60, 0, _t187, _t191);
					_t144 = __ebx & 0xffffff00 | _t192 != 0x00000000;
					 *((char*)(_t189 - 4)) = 2;
					E00401B80(_t189 - 0xc0);
					if((__ebx & 0xffffff00 | _t192 != 0x00000000) == 0) {
						_t108 =  *((intOrPtr*)(_t189 - 0x5c));
						 *(_t189 - 0xc4) = 0;
						if(_t108 == 0) {
							_t109 =  *((intOrPtr*)(_t189 - 0x58));
						} else {
							_t109 =  *((intOrPtr*)(_t108 + 4));
						}
						_t185 =  *0x4d9578; // 0x480282
						_t110 =  *_t185(_t109, 0x1c, _t185, _t189 - 0xc4);
						_t144 = GetLastError;
						if(_t110 == 0 && GetLastError() == 0x7a) {
							_t188 = E0040A14B(_t187 + 0x2fc, _t189 - 0xd4,  *(_t189 - 0xc4));
							 *((char*)(_t189 - 4)) = 4;
							_t141 = E00412F8A(GetLastError,  *_t188, _t182);
							 *((intOrPtr*)(_t188 + 8)) = _t141;
							_t179 =  *((intOrPtr*)(_t189 - 0x5c));
							_t197 = _t179;
							if(_t179 == 0) {
								_t180 =  *((intOrPtr*)(_t189 - 0x58));
							} else {
								_t180 =  *((intOrPtr*)(_t179 + 4));
							}
							_t182 = _t189 - 0xc4;
							 *_t185(_t180, 0x1c, _t141, _t189 - 0xc4);
							 *((char*)(_t189 - 4)) = 2;
							E00409574(_t144, _t189 - 0xd4, _t185, _t188, _t197);
							_t187 =  *((intOrPtr*)(_t189 - 0xc8));
						}
						_t111 =  *((intOrPtr*)(_t189 - 0x5c));
						 *(_t189 - 0xc4) =  *(_t189 - 0xc4) & 0x00000000;
						if(_t111 == 0) {
							_t112 =  *((intOrPtr*)(_t189 - 0x58));
						} else {
							_t112 =  *((intOrPtr*)(_t111 + 4));
						}
						_push(_t189 - 0xc4);
						_push(0);
						_push(0x1d);
						_push(_t112);
						if( *_t185() == 0 && GetLastError() == 0x7a) {
							_t187 = E0040A14B(_t187 + 0x32c, _t189 - 0xd4,  *(_t189 - 0xc4));
							 *((char*)(_t189 - 4)) = 5;
							_t135 = E00412F8A(_t144,  *_t187, _t182);
							 *((intOrPtr*)(_t187 + 8)) = _t135;
							_t174 =  *((intOrPtr*)(_t189 - 0x5c));
							_t201 = _t174;
							if(_t174 == 0) {
								_t175 =  *((intOrPtr*)(_t189 - 0x58));
							} else {
								_t175 =  *((intOrPtr*)(_t174 + 4));
							}
							_t182 = _t189 - 0xc4;
							 *_t185(_t175, 0x1d, _t135, _t189 - 0xc4);
							 *((char*)(_t189 - 4)) = 2;
							E00409574(_t144, _t189 - 0xd4, _t185, _t187, _t201);
						}
						_t114 =  *((intOrPtr*)(_t189 - 0x5c));
						 *(_t189 - 0xc4) =  *(_t189 - 0xc4) & 0x00000000;
						if(_t114 == 0) {
							_t115 =  *((intOrPtr*)(_t189 - 0x58));
						} else {
							_t115 =  *((intOrPtr*)(_t114 + 4));
						}
						_push(_t189 - 0xc4);
						_push(0);
						_push(0x2b);
						_push(_t115);
						if( *_t185() == 0 && GetLastError() == 0x7a) {
							_t187 = E0040A14B( *((intOrPtr*)(_t189 - 0xc8)) + 0x35c, _t189 - 0xd4,  *(_t189 - 0xc4));
							 *((char*)(_t189 - 4)) = 6;
							_t129 = E00412F8A(_t144,  *_t187, _t182);
							 *((intOrPtr*)(_t187 + 8)) = _t129;
							_t169 =  *((intOrPtr*)(_t189 - 0x5c));
							_t205 = _t169;
							if(_t169 == 0) {
								_t170 =  *((intOrPtr*)(_t189 - 0x58));
							} else {
								_t170 =  *((intOrPtr*)(_t169 + 4));
							}
							_t182 = _t189 - 0xc4;
							 *_t185(_t170, 0x2b, _t129, _t189 - 0xc4);
							 *((char*)(_t189 - 4)) = 2;
							E00409574(_t144, _t189 - 0xd4, _t185, _t187, _t205);
						}
						_t117 =  *((intOrPtr*)(_t189 - 0x5c));
						 *(_t189 - 0xc4) =  *(_t189 - 0xc4) & 0x00000000;
						if(_t117 == 0) {
							_t118 =  *((intOrPtr*)(_t189 - 0x58));
						} else {
							_t118 =  *((intOrPtr*)(_t117 + 4));
						}
						_push(_t189 - 0xc4);
						_push(0);
						_push(0x2c);
						_push(_t118);
						if( *_t185() == 0 && GetLastError() == 0x7a) {
							_t187 = E0040A14B( *((intOrPtr*)(_t189 - 0xc8)) + 0x38c, _t189 - 0xd4,  *(_t189 - 0xc4));
							 *((char*)(_t189 - 4)) = 7;
							_t123 = E00412F8A(_t144,  *_t187, _t182);
							 *((intOrPtr*)(_t187 + 8)) = _t123;
							_t163 =  *((intOrPtr*)(_t189 - 0x5c));
							_t209 = _t163;
							if(_t163 == 0) {
								_t164 =  *((intOrPtr*)(_t189 - 0x58));
							} else {
								_t164 =  *((intOrPtr*)(_t163 + 4));
							}
							 *_t185(_t164, 0x2c, _t123, _t189 - 0xc4);
							 *((char*)(_t189 - 4)) = 2;
							E00409574(_t144, _t189 - 0xd4, _t185, _t187, _t209);
						}
					}
					 *((char*)(_t189 - 4)) = 1;
					E004176D4(_t144, _t189 - 0x60, _t185, _t187, _t209);
				}
				E00401B80(_t189 - 0x90);
				return E0045B887(_t144, _t185, _t187);
			}

0x0041b726
0x0041b726
0x0041b726
0x0041b726
0x0041b730
0x0041b735
0x0041b737
0x0041b740
0x0041b744
0x0041b747
0x0041b750
0x0041b753
0x0041b75e
0x0041b762
0x0041b767
0x0041b769
0x0041b772
0x0041b777
0x0041b77e
0x0041b785
0x0041b789
0x0041b793
0x0041b79d
0x0041b7a2
0x0041b7a3
0x0041b7a4
0x0041b7a6
0x0041b7ab
0x0041b7ad
0x0041b7b8
0x0041b7bc
0x0041b7c5
0x0041b7cd
0x0041b7d0
0x0041b7d4
0x0041b7db
0x0041b7e1
0x0041b7e4
0x0041b7ec
0x0041b7f3
0x0041b7ee
0x0041b7ee
0x0041b7ee
0x0041b7fe
0x0041b807
0x0041b809
0x0041b811
0x0041b832
0x0041b836
0x0041b83a
0x0041b83f
0x0041b842
0x0041b845
0x0041b847
0x0041b84e
0x0041b849
0x0041b849
0x0041b849
0x0041b851
0x0041b85c
0x0041b864
0x0041b868
0x0041b86d
0x0041b86d
0x0041b873
0x0041b876
0x0041b87f
0x0041b886
0x0041b881
0x0041b881
0x0041b881
0x0041b88f
0x0041b890
0x0041b892
0x0041b894
0x0041b899
0x0041b8ba
0x0041b8be
0x0041b8c2
0x0041b8c7
0x0041b8ca
0x0041b8cd
0x0041b8cf
0x0041b8d6
0x0041b8d1
0x0041b8d1
0x0041b8d1
0x0041b8d9
0x0041b8e4
0x0041b8ec
0x0041b8f0
0x0041b8f0
0x0041b8f5
0x0041b8f8
0x0041b901
0x0041b908
0x0041b903
0x0041b903
0x0041b903
0x0041b911
0x0041b912
0x0041b914
0x0041b916
0x0041b91b
0x0041b942
0x0041b946
0x0041b94a
0x0041b94f
0x0041b952
0x0041b955
0x0041b957
0x0041b95e
0x0041b959
0x0041b959
0x0041b959
0x0041b961
0x0041b96c
0x0041b974
0x0041b978
0x0041b978
0x0041b97d
0x0041b980
0x0041b989
0x0041b990
0x0041b98b
0x0041b98b
0x0041b98b
0x0041b999
0x0041b99a
0x0041b99c
0x0041b99e
0x0041b9a3
0x0041b9ca
0x0041b9ce
0x0041b9d2
0x0041b9d7
0x0041b9da
0x0041b9dd
0x0041b9df
0x0041b9e6
0x0041b9e1
0x0041b9e1
0x0041b9e1
0x0041b9f4
0x0041b9fc
0x0041ba00
0x0041ba00
0x0041b9a3
0x0041ba08
0x0041ba0c
0x0041ba0c
0x0041ba17
0x0041ba21

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0041B730

Part of subcall function 0041A199: __EH_prolog3_GS.LIBCMT ref: 0041A1A0

Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

GetLastError.KERNEL32(?,?), ref: 0041B813
GetLastError.KERNEL32(?,?), ref: 0041B89B
GetLastError.KERNEL32(?,?), ref: 0041B91D
GetLastError.KERNEL32(?,?), ref: 0041B9A5

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3$FreeString$H_prolog3_H_prolog3_catch_
String ID:
API String ID: 2296881185-0
Opcode ID: f3c6757de450e2733136d64741f6b174f5e735675bb56a4016024c17ab04ffc4
Instruction ID: 00cfd6361891c70349d708d86d6d4bb2d807d697a5908c9e0bb388cb735cdba5
Opcode Fuzzy Hash: f3c6757de450e2733136d64741f6b174f5e735675bb56a4016024c17ab04ffc4
Instruction Fuzzy Hash: E3919E709002199BEB24DBA5CD91FEEB7B8EF54304F0041DEE50AAB281DB74AE85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0049AB4D, Relevance: 7.6, APIs: 5, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0049AB4D(void* __ecx, signed char** _a4, char _a7, intOrPtr* _a8, signed char _a11) {
				signed char _v5;
				signed char _v6;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t20;
				void* _t21;
				signed int _t22;
				signed int _t38;
				intOrPtr _t39;
				void* _t43;
				void* _t45;
				unsigned int _t48;
				signed int _t49;
				signed int _t50;
				signed char* _t52;
				signed char** _t56;
				intOrPtr* _t59;

				_push(__ecx);
				_t59 = _a8;
				_t43 = __ecx;
				if( *_t59 >= 1) {
					_t56 = _a4;
					E0045A8B0( &_a11,  *_t56, 1);
					 *_t59 =  *_t59 + 1;
					 *_t56 =  &(( *_t56)[1]);
					_t52 =  *_t56;
					_t20 = (_a11 & 0x000000ff) - 1;
					__eflags = _t20;
					if(__eflags == 0) {
						_push(_t59);
						_push(_t56);
						_t21 = E0049AD05(_t43, _t43, _t52, _t56, _t59, __eflags);
					} else {
						_t22 = _t20 - 0xf8;
						__eflags = _t22;
						if(_t22 == 0) {
							__eflags =  *_t59 - 1;
							if( *_t59 < 1) {
								goto L17;
							} else {
								E0045A8B0( &_a7, _t52, 1);
								 *_t59 =  *_t59 + 1;
								 *_t56 =  &(( *_t56)[1]);
								__eflags = _a7 - 4;
								if(_a7 != 4) {
									goto L17;
								} else {
									__eflags =  *_t59 - 1;
									if( *_t59 < 1) {
										goto L17;
									} else {
										E0045A8B0( &_v6,  *_t56, 1);
										 *_t59 =  *_t59 + 1;
										 *_t56 =  &(( *_t56)[1]);
										__eflags =  *_t59 - 2;
										if( *_t59 < 2) {
											goto L17;
										} else {
											E0045A8B0(_t43 + 0xc,  *_t56, 2);
											 *_t59 =  *_t59 + 2;
											 *_t56 =  &(( *_t56)[2]);
											__eflags =  *_t59 - 1;
											if( *_t59 >= 1) {
												E0045A8B0( &_v5,  *_t56, 1);
												_t48 = _v6 & 0x000000ff;
												 *_t59 =  *_t59 + 1;
												 *_t56 =  &(( *_t56)[1]);
												 *(_t43 + 0x14) = _v5 & 0x000000ff;
												 *(_t43 + 0x18) = _t48 >> 0x00000002 & 0x00000007;
												_t49 = _t48 & 1;
												__eflags = _t49;
												 *(_t43 + 0x1c) = _t48 >> 0x00000001 & 1;
												 *(_t43 + 0x10) = _t49;
												 *((intOrPtr*)(_t43 + 0x28)) = 1;
												goto L19;
											} else {
												goto L17;
											}
										}
									}
								}
							}
						} else {
							_t38 = _t22 - 5;
							__eflags = _t38;
							if(_t38 == 0) {
								while(1) {
									L10:
									_t50 =  *_t52 & 0x000000ff;
									__eflags = _t50;
									if(_t50 == 0) {
										break;
									}
									_t45 = 0;
									__eflags = _t50;
									if(_t50 < 0) {
										continue;
									} else {
										while(1) {
											_t39 =  *_t59;
											__eflags = _t39 - 1;
											if(_t39 < 1) {
												goto L17;
											}
											 *_t59 = _t39 + 1;
											 *_t56 =  &(( *_t56)[1]);
											_t52 =  *_t56;
											_t45 = _t45 + 1;
											__eflags = _t45 - _t50;
											if(_t45 <= _t50) {
												continue;
											} else {
												goto L10;
											}
											goto L21;
										}
										goto L17;
									}
									goto L21;
								}
								L19:
								_t21 = 0;
							} else {
								__eflags = _t38 - 1;
								if(__eflags != 0) {
									L17:
									_t21 = 0xd;
								} else {
									_push(_t59);
									_push(_t56);
									_t21 = E0049AACA(_t43, _t43, _t52, _t56, _t59, __eflags);
								}
							}
						}
					}
					L21:
				} else {
					_t21 = 0xd;
				}
				return _t21;
			}

0x0049ab50
0x0049ab53
0x0049ab56
0x0049ab5b
0x0049ab66
0x0049ab71
0x0049ab7d
0x0049ab7f
0x0049ab81
0x0049ab83
0x0049ab83
0x0049ab84
0x0049ac6e
0x0049ac6f
0x0049ac72
0x0049ab8a
0x0049ab8a
0x0049ab8a
0x0049ab8f
0x0049abd0
0x0049abd3
0x00000000
0x0049abd5
0x0049abdc
0x0049abe4
0x0049abe6
0x0049abe8
0x0049abec
0x00000000
0x0049abee
0x0049abee
0x0049abf1
0x00000000
0x0049abf3
0x0049abfb
0x0049ac03
0x0049ac05
0x0049ac07
0x0049ac0a
0x00000000
0x0049ac0c
0x0049ac14
0x0049ac19
0x0049ac1c
0x0049ac22
0x0049ac25
0x0049ac34
0x0049ac3d
0x0049ac44
0x0049ac46
0x0049ac48
0x0049ac53
0x0049ac5f
0x0049ac5f
0x0049ac61
0x0049ac64
0x0049ac67
0x00000000
0x00000000
0x00000000
0x00000000
0x0049ac25
0x0049ac0a
0x0049abf1
0x0049abec
0x0049ab91
0x0049ab91
0x0049ab91
0x0049ab94
0x0049abc4
0x0049abc4
0x0049abc4
0x0049abc7
0x0049abc9
0x00000000
0x00000000
0x0049abab
0x0049abad
0x0049abaf
0x00000000
0x0049abb1
0x0049abb1
0x0049abb1
0x0049abb3
0x0049abb6
0x00000000
0x00000000
0x0049abb9
0x0049abbb
0x0049abbd
0x0049abbf
0x0049abc0
0x0049abc2
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0049abc2
0x00000000
0x0049abb1
0x00000000
0x0049abaf
0x0049ac6a
0x0049ac6a
0x0049ab96
0x0049ab96
0x0049ab97
0x0049ac27
0x0049ac29
0x0049ab9d
0x0049ab9d
0x0049ab9e
0x0049aba1
0x0049aba1
0x0049ab97
0x0049ab94
0x0049ab8f
0x0049ac77
0x0049ab5d
0x0049ab5f
0x0049ab5f
0x0049ac7b

APIs

_memmove.LIBCMT ref: 0049AB71

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e492ff531f7d67d7fd6c3456f23851901824ca9bdbe536ef40dee02e37f8ab7e
Instruction ID: 816c694ad30cc1eb04185ebc458260443ab8160de0ad74e960ab96527e174dee
Opcode Fuzzy Hash: e492ff531f7d67d7fd6c3456f23851901824ca9bdbe536ef40dee02e37f8ab7e
Instruction Fuzzy Hash: 0A41F671A00206ABCF284F54C885A66BBB5FF45309F24487FE991CA242D339C675CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0041D0ED, Relevance: 7.6, APIs: 5, Instructions: 121
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0041D0ED(WCHAR** __ecx, void* __eflags, WCHAR* _a4) {
				short* _v8;
				WCHAR** _v12;
				signed int _t23;
				signed int _t25;
				signed int _t27;
				WCHAR* _t31;
				signed int _t32;
				WCHAR* _t36;
				WCHAR* _t37;
				void* _t42;
				WCHAR* _t43;
				WCHAR* _t45;
				signed int _t47;
				WCHAR* _t48;
				signed int _t50;
				WCHAR* _t52;
				signed int _t63;
				signed int _t65;
				short* _t68;
				WCHAR** _t71;
				signed int _t74;
				signed int _t76;

				_push(__ecx);
				_push(__ecx);
				_t71 = __ecx;
				_v12 = __ecx;
				E004227E4(__ecx, __eflags);
				_t52 =  *__ecx;
				_t23 =  *_t52 & 0x0000ffff;
				if(0 != _t23) {
					_t68 = _a4;
					_t42 = 0x27;
					_v8 = _t68;
					__eflags = _t42 - _t23;
					if(_t42 != _t23) {
						while(1) {
							_t43 =  *_t71;
							_a4 = _t43;
							_t25 = E0041CD74( *_t43 & 0x0000ffff);
							__eflags = _t25;
							if(_t25 != 0) {
								break;
							}
							_t45 = CharNextW(_t43);
							 *_t71 = _t45;
							_t47 = _t45 - _a4 >> 1;
							_t63 = _t47 + 1;
							__eflags = _t68 + _t63 * 2 - _v8 + 0x2000;
							if(_t68 + _t63 * 2 >= _v8 + 0x2000) {
								goto L27;
							} else {
								__eflags = _t47;
								if(_t47 > 0) {
									_t74 = _a4 - _t68;
									__eflags = _t74;
									do {
										 *_t68 =  *((intOrPtr*)(_t74 + _t68));
										_t68 = _t68 + 2;
										_t47 = _t47 - 1;
										__eflags = _t47;
									} while (_t47 != 0);
									_t71 = _v12;
								}
								__eflags = 0 -  *( *_t71);
								if(0 !=  *( *_t71)) {
									continue;
								} else {
									break;
								}
							}
							goto L25;
						}
						__eflags = 0;
						 *_t68 = 0;
						goto L24;
					} else {
						_t31 = CharNextW(_t52);
						 *_t71 = _t31;
						while(1) {
							__eflags = 0 -  *_t31;
							if(0 ==  *_t31) {
								break;
							}
							_t32 = E00419AE3(_t71);
							__eflags = _t32;
							if(_t32 != 0) {
								break;
							} else {
								_t36 =  *_t71;
								__eflags = _t42 -  *_t36;
								if(_t42 ==  *_t36) {
									 *_t71 = CharNextW(_t36);
								}
								_t37 =  *_t71;
								_a4 = _t37;
								_t48 = CharNextW(_t37);
								 *_t71 = _t48;
								_t50 = _t48 - _a4 >> 1;
								_t65 = _t50 + 1;
								__eflags = _t68 + _t65 * 2 - _v8 + 0x2000;
								if(_t68 + _t65 * 2 >= _v8 + 0x2000) {
									L27:
									_t27 = 0x80020009;
								} else {
									__eflags = _t50;
									if(_t50 > 0) {
										_t76 = _a4 - _t68;
										__eflags = _t76;
										do {
											 *_t68 =  *((intOrPtr*)(_t76 + _t68));
											_t68 = _t68 + 2;
											_t50 = _t50 - 1;
											__eflags = _t50;
										} while (_t50 != 0);
										_t71 = _v12;
									}
									_t31 =  *_t71;
									_t42 = 0x27;
									continue;
								}
							}
							goto L25;
						}
						__eflags = 0 -  *( *_t71);
						if(0 ==  *( *_t71)) {
							goto L27;
						} else {
							 *_t68 = 0;
							 *_t71 = CharNextW( *_t71);
							L24:
							_t27 = 0;
							__eflags = 0;
						}
					}
					L25:
				} else {
					_t27 = 0x80020009;
				}
				return _t27;
			}

0x0041d0f0
0x0041d0f1
0x0041d0f3
0x0041d0f5
0x0041d0f8
0x0041d0fd
0x0041d101
0x0041d107
0x0041d115
0x0041d11a
0x0041d11b
0x0041d11e
0x0041d121
0x0041d1b8
0x0041d1b8
0x0041d1c0
0x0041d1c3
0x0041d1c8
0x0041d1ca
0x00000000
0x00000000
0x0041d1d6
0x0041d1d8
0x0041d1e3
0x0041d1e5
0x0041d1eb
0x0041d1ed
0x00000000
0x0041d1ef
0x0041d1ef
0x0041d1f1
0x0041d1f6
0x0041d1f6
0x0041d1f8
0x0041d1fc
0x0041d1ff
0x0041d202
0x0041d202
0x0041d202
0x0041d205
0x0041d205
0x0041d20c
0x0041d20f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041d20f
0x00000000
0x0041d1ed
0x0041d211
0x0041d213
0x00000000
0x0041d127
0x0041d128
0x0041d12e
0x0041d197
0x0041d199
0x0041d19c
0x00000000
0x00000000
0x0041d134
0x0041d139
0x0041d13b
0x00000000
0x0041d13d
0x0041d13d
0x0041d13f
0x0041d142
0x0041d14b
0x0041d14b
0x0041d14d
0x0041d150
0x0041d15c
0x0041d15e
0x0041d169
0x0041d16b
0x0041d171
0x0041d173
0x0041d21f
0x0041d21f
0x0041d179
0x0041d179
0x0041d17b
0x0041d180
0x0041d180
0x0041d182
0x0041d186
0x0041d189
0x0041d18c
0x0041d18c
0x0041d18c
0x0041d18f
0x0041d18f
0x0041d192
0x0041d196
0x00000000
0x0041d196
0x0041d173
0x00000000
0x0041d13b
0x0041d1a2
0x0041d1a5
0x00000000
0x0041d1a7
0x0041d1a9
0x0041d1b4
0x0041d216
0x0041d216
0x0041d216
0x0041d216
0x0041d1a5
0x0041d218
0x0041d109
0x0041d109
0x0041d109
0x0041d21c

APIs

CharNextW.USER32(?,?,00000000,?,?,?,?,004180FA,?,9518852C,?,?,?,?,?,004A2661), ref: 0041D128
CharNextW.USER32(?,?,?,00000000,?,?,?,?,004180FA,?,9518852C), ref: 0041D1AE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: e90fe34de0c56ef539260235f840a89aeb828c0f6892347de83d64bf835d2955
Instruction ID: 5b03f7e7b6dc4165ddfde88aad88aea70e2b03ac8d79821d352ebacc75d9c403
Opcode Fuzzy Hash: e90fe34de0c56ef539260235f840a89aeb828c0f6892347de83d64bf835d2955
Instruction Fuzzy Hash: AB41D6B5A00206EFCB108F68C8845AAB7F5FF683457A4456FE985D7304E7789D80CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00480F50, Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00480F50(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v16;
				signed int _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr* _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t43;
				signed int _t44;
				intOrPtr _t49;
				intOrPtr _t60;
				void* _t61;
				void* _t62;
				short* _t65;
				void* _t73;
				intOrPtr _t75;
				short _t76;
				void* _t77;
				void* _t78;
				intOrPtr* _t80;
				void* _t81;
				signed int _t82;

				_push(0xffffffff);
				_push(0x4aaa88);
				_push( *[fs:0x0]);
				_t43 =  *0x4d7e88; // 0x9518852c
				_t44 = _t43 ^ _t82;
				_v20 = _t44;
				_push(_t44);
				 *[fs:0x0] =  &_v16;
				_t80 = _a4;
				_t75 = _a8;
				_t60 = _a12;
				_v76 = _t80;
				_v72 = 0;
				_v68 = 0x4c346c;
				_v28 = 0x4c2f90;
				_v24 = GetLastError();
				_v8 = 0;
				if(_t75 == 0) {
					_t76 = 0;
				} else {
					_t76 = _t75 + 4;
				}
				_push(0xffffffff);
				_push(0);
				_v44 = 7;
				_v48 = 0;
				_v64 = 0;
				E00407B10(_t60,  &_v64, _t76, _t76);
				_t49 = _v28;
				_t77 = SetLastError;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_t20 = _t49 + 4; // 0x4
				SetLastError( *(_t82 +  *_t20 - 0x18));
				_v8 = 1;
				if(_t60 == 0) {
					_t61 = 0;
				} else {
					_t61 = _t60 + 4;
				}
				E0040DA0C(_t61,  &_v64, _t61, 0);
				 *_t80 = 0x4c346c;
				 *((intOrPtr*)(_t80 + 0x28)) = 0x4c2f90;
				 *((intOrPtr*)(_t80 + 0x2c)) = GetLastError();
				_t27 = _t80 + 4; // 0x8
				_t65 = _t27;
				 *((intOrPtr*)(_t65 + 0x14)) = 7;
				 *((intOrPtr*)(_t65 + 0x10)) = 0;
				_push(0);
				 *_t65 = 0;
				_v8 = 2;
				E00407B10(_t61, _t65, _t77,  &_v64);
				 *((intOrPtr*)(_t80 + 0x1c)) = 0;
				 *((intOrPtr*)(_t80 + 0x20)) = 0;
				 *((intOrPtr*)(_t80 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t80 + 0x28)) + 4)) + _t80 + 0x28));
				E00401B80( &_v68);
				 *[fs:0x0] = _v16;
				_pop(_t78);
				_t81 = 0xffffffff;
				_t62 = 0xffffffff;
				return E0045A457(_t62, _v20 ^ _t82, _t73, _t78, _t81);
			}

0x00480f53
0x00480f55
0x00480f60
0x00480f64
0x00480f69
0x00480f6b
0x00480f71
0x00480f75
0x00480f7b
0x00480f7e
0x00480f81
0x00480f84
0x00480f87
0x00480f8e
0x00480f95
0x00480fa2
0x00480fa5
0x00480fae
0x00480fb5
0x00480fb0
0x00480fb0
0x00480fb0
0x00480fb9
0x00480fbb
0x00480fc0
0x00480fc7
0x00480fce
0x00480fd2
0x00480fd7
0x00480fda
0x00480fe0
0x00480fe7
0x00480fee
0x00480ff5
0x00480ffc
0x00480ffe
0x00481007
0x0048100e
0x00481009
0x00481009
0x00481009
0x00481018
0x0048101d
0x00481023
0x00481030
0x00481033
0x00481033
0x0048103a
0x00481041
0x00481048
0x00481049
0x00481050
0x00481054
0x00481059
0x00481060
0x00481067
0x00481078
0x0048107d
0x00481087
0x0048108f
0x00481090
0x00481091
0x0048109f

APIs

GetLastError.KERNEL32(9518852C,76E3D5B0), ref: 00480F9C
SetLastError.KERNEL32(004C2F90,00000000,00000000,000000FF), ref: 00480FFC
GetLastError.KERNEL32(00000000,00000000,000000FF), ref: 0048102A
SetLastError.KERNEL32(?,?,00000000,000000FF), ref: 00481078

Strings

l4L, xrefs: 00480F8E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: l4L
API String ID: 1452528299-2060195098
Opcode ID: b5973da97ed9c19e7ef98f98cf0b86ecd60b36868eb3a0694684b92734cdff23
Instruction ID: f820ac7b94b0dd66d1845ddc3e8f71694ff784bb10c4c77703a22b291f2c1c09
Opcode Fuzzy Hash: b5973da97ed9c19e7ef98f98cf0b86ecd60b36868eb3a0694684b92734cdff23
Instruction Fuzzy Hash: CD414E759002089FDB10DF95C954B9EBBB4FF48328F20462EE815A7790DBB9A905CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0043BDD3, Relevance: 7.6, APIs: 5, Instructions: 87
stringCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E0043BDD3(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t51;
				void* _t67;
				CHAR* _t71;
				void* _t72;
				void* _t75;
				signed int _t77;

				_t75 = __eflags;
				_t67 = __edx;
				_push(0x90);
				E0045B935(0x4a665a, __ebx, __edi, __esi);
				 *((intOrPtr*)(_t72 - 4)) = 0;
				EnterCriticalSection( *0x4d99ec);
				_push(0x4000);
				 *((char*)(_t72 - 4)) = 1;
				_t71 = E00459ADF(0x4000, _t67, 0, _t75);
				 *(_t72 - 0x9c) = _t71;
				 *((char*)(_t72 - 4)) = 3;
				E0045E6A0(_t71, E00412F8A(0x4000, _t72 + 8, _t67), 0x4000);
				 *((intOrPtr*)(_t72 - 0x94)) = lstrlenA(_t71);
				 *((intOrPtr*)(_t72 - 0x98)) = 0;
				E00452E6B(_t72 - 0x98, _t71, _t34, 0x21);
				E00416831(0x4000, _t72 - 0x90, 0, _t71, _t75);
				_push(0);
				_push(0x4d7600);
				 *((char*)(_t72 - 4)) = 4;
				 *((intOrPtr*)(_t72 - 0x44)) = 0x4affb8;
				 *((intOrPtr*)(_t72 - 0x1c)) = 0x4affc0;
				E00408E82(0x4000, _t72 - 0x44, 0, _t71, _t75);
				_push(0);
				_push(0);
				_push(4);
				_push(0x80);
				_push(1);
				_push(0x40000000);
				_push(_t72 - 0x44);
				 *((char*)(_t72 - 4)) = 5;
				_t51 = E00424632(0x4000, _t72 - 0x90, 0, _t71, _t75);
				_t76 = _t51;
				if(_t51 == 0) {
					E004252EC(_t51, _t72 - 0x90, 0, _t71, _t76, 0, 2, 0);
					_t77 = _t51;
				}
				_t52 = _t51 & 0xffffff00 | _t77 == 0x00000000;
				 *((char*)(_t72 - 4)) = 4;
				E00401B80(_t72 - 0x44);
				_t78 = _t51 & 0xffffff00 | _t77 == 0x00000000;
				if((_t51 & 0xffffff00 | _t77 == 0x00000000) != 0) {
					E0043B04C(_t52, _t72 - 0x90, 0, _t71, _t78, _t72 - 0x94, 4);
					E0043AFC6(_t52, _t72 - 0x90, 0, _t71, _t78, _t71,  *((intOrPtr*)(_t72 - 0x94)));
				}
				 *((char*)(_t72 - 4)) = 3;
				E004176D4(_t52, _t72 - 0x90, 0, _t71, _t78);
				L0045A2FE(_t71);
				LeaveCriticalSection( *0x4d99ec);
				E00401B80(_t72 + 8);
				return E0045B887(_t52, 0, _t71);
			}

0x0043bdd3
0x0043bdd3
0x0043bdd3
0x0043bddd
0x0043bdea
0x0043bded
0x0043bdf8
0x0043bdf9
0x0043be02
0x0043be05
0x0043be0e
0x0043be1a
0x0043be33
0x0043be39
0x0043be3f
0x0043be4a
0x0043be4f
0x0043be50
0x0043be58
0x0043be5c
0x0043be63
0x0043be6a
0x0043be6f
0x0043be70
0x0043be71
0x0043be73
0x0043be78
0x0043be7a
0x0043be82
0x0043be89
0x0043be92
0x0043be94
0x0043be96
0x0043bea2
0x0043bea7
0x0043bea7
0x0043beac
0x0043beaf
0x0043beb3
0x0043beb8
0x0043beba
0x0043becb
0x0043bedd
0x0043bedd
0x0043bee8
0x0043beec
0x0043bef2
0x0043befe
0x0043bf07
0x0043bf11

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0043BDDD
EnterCriticalSection.KERNEL32(00000090,0043B728,FormatVersion=00000112,?,00000001), ref: 0043BDED
_strncpy.LIBCMT ref: 0043BE1A
lstrlenA.KERNEL32(00000000), ref: 0043BE23

Part of subcall function 00416831: __EH_prolog3.LIBCMT ref: 00416838

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 00424632: __EH_prolog3.LIBCMT ref: 00424639

LeaveCriticalSection.KERNEL32(004AFFB8,40000000,00000001,00000080,00000004,00000000,00000000,004D7600,00000000,00000000,00000000,00000021), ref: 0043BEFE

Part of subcall function 004252EC: __EH_prolog3_GS.LIBCMT ref: 004252F6
Part of subcall function 004252EC: __CxxThrowException@8.LIBCMT ref: 0042535A
Part of subcall function 004252EC: SetFilePointer.KERNELBASE(?,?,?,?,00000108,0042442C,00000000,00000000,00000000,00000000,00000000,00000010,004246AC), ref: 00425366
Part of subcall function 004252EC: GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004253B9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$CriticalSection$EnterException@8FileH_prolog3_H_prolog3_catch_LeavePointerThrow_strncpylstrlen
String ID:
API String ID: 817104565-0
Opcode ID: 3aa1dc8dcbbdb62b490d1f3831b9d22b8adb2ddddf8c5faa8220c89b6998f70b
Instruction ID: 995a19f8fd90a0dfb53162eb0189291b7fee4fc74e2d4a2c9a234986c2652cae
Opcode Fuzzy Hash: 3aa1dc8dcbbdb62b490d1f3831b9d22b8adb2ddddf8c5faa8220c89b6998f70b
Instruction Fuzzy Hash: C631B670901254AEEB11EB65CD56FDE7B78EF25308F40409EF60862283DB781F49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0046A8D6, Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E0046A8D6(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				long _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				long _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					__eflags = _t31;
					if(_t31 != 0) {
						_push(__ebx);
						while(1) {
							__eflags = _t31 - 0xffffffe0;
							if(_t31 > 0xffffffe0) {
								break;
							}
							__eflags = _t31;
							if(_t31 == 0) {
								_t31 = _t31 + 1;
								__eflags = _t31;
							}
							_t7 = HeapReAlloc( *0x4da6d4, 0, _a4, _t31);
							_t20 = _t7;
							__eflags = _t20;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								__eflags =  *0x4da6d8 - _t7;
								if(__eflags == 0) {
									_t9 = E0045D506(__eflags);
									 *_t9 = E0045D55F(GetLastError());
									goto L17;
								} else {
									__eflags = E00466890(_t7, _t31);
									if(__eflags == 0) {
										_t12 = E0045D506(__eflags);
										 *_t12 = E0045D55F(GetLastError());
										L12:
										_t8 = 0;
										__eflags = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00466890(_t6, _t31);
						 *((intOrPtr*)(E0045D506(__eflags))) = 0xc;
						goto L12;
					} else {
						E0045D646(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E0045D6BB(__ebx, __edx, __edi, _a8);
				}
			}

0x0046a8dd
0x0046a8eb
0x0046a8ee
0x0046a8f0
0x0046a8ff
0x0046a932
0x0046a932
0x0046a935
0x00000000
0x00000000
0x0046a902
0x0046a904
0x0046a906
0x0046a906
0x0046a906
0x0046a913
0x0046a919
0x0046a91b
0x0046a91d
0x0046a97d
0x0046a97d
0x0046a91f
0x0046a91f
0x0046a925
0x0046a967
0x0046a97b
0x00000000
0x0046a927
0x0046a92e
0x0046a930
0x0046a94f
0x0046a963
0x0046a949
0x0046a949
0x0046a949
0x00000000
0x00000000
0x00000000
0x0046a930
0x0046a925
0x00000000
0x0046a94b
0x0046a938
0x0046a943
0x00000000
0x0046a8f2
0x0046a8f5
0x0046a8fb
0x0046a8fb
0x0046a94c
0x0046a94e
0x0046a8df
0x0046a8e9
0x0046a8e9

APIs

_malloc.LIBCMT ref: 0046A8E2

Part of subcall function 0045D6BB: __FF_MSGBANNER.LIBCMT ref: 0045D6D2
Part of subcall function 0045D6BB: __NMSG_WRITE.LIBCMT ref: 0045D6D9
Part of subcall function 0045D6BB: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000000,?,00000000,?,00469FAC,00000008,00000008,00000008,?,?,00463326,00000018,004D1140), ref: 0045D6FE

_free.LIBCMT ref: 0046A8F5

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 220bedd117adfc024dcfa8f4f7cdc1ccc7371f18159f582d72fedfa87c4aa4f6
Instruction ID: bacc400861e2c67f57d531eabac997b1c2955910872e5d050c8d85f79984949e
Opcode Fuzzy Hash: 220bedd117adfc024dcfa8f4f7cdc1ccc7371f18159f582d72fedfa87c4aa4f6
Instruction Fuzzy Hash: F3119872901715ABCB313F76A80565A37949F00369B21493BF845A6252FA3CC8698A9F

Uniqueness

Uniqueness Score: -1.00%

Function 004142CB, Relevance: 7.6, APIs: 5, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E004142CB(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a12, signed int* _a16, signed int* _a20) {
				long _t25;
				signed int* _t27;
				signed int _t29;
				signed int _t31;
				signed int* _t36;
				void* _t41;
				void* _t46;

				_t41 = __edx;
				_t33 = _a8;
				_t45 = _a4;
				_t46 = __ecx;
				 *((intOrPtr*)(__ecx + 0x18)) = _a4;
				 *((intOrPtr*)(__ecx + 0x1c)) = _a8;
				 *_a12 =  *_a12 & 0x00000000;
				if(E0045D040( *((intOrPtr*)(__ecx + 0x10)),  *((intOrPtr*)(__ecx + 0x14)), 0x64, 0) != 0) {
					asm("cdq");
					 *_a12 = E0045D040(_t45, _t33, _t24, _t41);
				}
				_t25 = GetTickCount();
				_t26 = _t25 -  *((intOrPtr*)(_t46 + 8));
				if(_t25 -  *((intOrPtr*)(_t46 + 8)) <= 0x3e8) {
					_t36 = _a16;
					 *_t36 =  *_t36 & 0x00000000;
				} else {
					_t31 = E0045D040( *((intOrPtr*)(_t46 + 0x18)),  *((intOrPtr*)(_t46 + 0x1c)), _t26 / 0x3e8, 0);
					_t36 = _a16;
					 *_t36 = _t31;
				}
				_t42 =  *_t36;
				if( *_t36 == 0) {
					_t27 = _a20;
					 *_t27 =  *_t27 & 0x00000000;
					return _t27;
				} else {
					asm("sbb eax, [esi+0x1c]");
					_t29 = E0045D040( *((intOrPtr*)(_t46 + 0x10)) -  *((intOrPtr*)(_t46 + 0x18)),  *((intOrPtr*)(_t46 + 0x14)), _t42, 0);
					 *_a20 = _t29;
					return _t29;
				}
			}

0x004142cb
0x004142d2
0x004142d7
0x004142da
0x004142e0
0x004142e3
0x004142e6
0x004142f6
0x004142f8
0x00414305
0x00414305
0x00414307
0x0041430d
0x00414317
0x00414332
0x00414335
0x00414319
0x00414326
0x0041432b
0x0041432e
0x0041432e
0x00414338
0x0041433c
0x0041435b
0x0041435e
0x00000000
0x0041433e
0x00414347
0x0041434f
0x00414357
0x00000000
0x00414357

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004142EF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004142FD
GetTickCount.KERNEL32 ref: 00414307
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414326
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0041434F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CountTick
String ID:
API String ID: 404621862-0
Opcode ID: f4bc687d1110c110fb7360082256821c0f0a303b3c03fa378aa55a52a6154090
Instruction ID: 2883a0e806b46b5af5fe376a5d6804c938433d3231752d4f6cc73808c672cf93
Opcode Fuzzy Hash: f4bc687d1110c110fb7360082256821c0f0a303b3c03fa378aa55a52a6154090
Instruction Fuzzy Hash: D0215871200305AFEB258F25C881F6B77B9EF84715F10461EA9128B2A1C739AC55CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00437FA4, Relevance: 7.6, APIs: 5, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00437FA4(void* __ebx, struct HWND__** __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t19;
				struct HWND__** _t22;
				int _t26;
				struct HWND__** _t47;
				void* _t48;
				void* _t49;

				_t49 = __eflags;
				_t45 = __edi;
				_t34 = __ebx;
				_push(0x38);
				E0045B8C9(0x4a6099, __ebx, __edi, __esi);
				_t47 = __ecx;
				 *((intOrPtr*)(_t48 - 0x44)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 4)) + 4)) + 0x2c))();
				_push(0);
				_push(_t48 - 0x40);
				_t19 = E0040D72B(__ebx, _t48 - 0x44, __edx, __edi, __ecx, _t49);
				 *(_t48 - 4) =  *(_t48 - 4) & 0x00000000;
				E004095E2( &(_t47[2]), _t19);
				 *(_t48 - 4) =  *(_t48 - 4) | 0xffffffff;
				E00401B80(_t48 - 0x40);
				_t22 =  &(_t47[3]);
				if(_t22[5] >= 8) {
					_t22 =  *_t22;
				}
				E00439295(_t47, _t22);
				if(IsWindow( *_t47) != 0) {
					E004199BF(_t47);
				}
				if(E00437BFB(_t47) != 0) {
					_t26 = IsWindow( *_t47);
					__eflags = _t26;
					if(_t26 != 0) {
						SetForegroundWindow( *_t47);
					}
					__eflags = 0;
				} else {
					if(GetLastError() != 0) {
					}
				}
				return E0045B878(_t34, _t45, _t47);
			}

0x00437fa4
0x00437fa4
0x00437fa4
0x00437fa4
0x00437fab
0x00437fb0
0x00437fbd
0x00437fc0
0x00437fc5
0x00437fc9
0x00437fce
0x00437fd6
0x00437fdb
0x00437fe2
0x00437fe7
0x00437fee
0x00437ff0
0x00437ff0
0x00437ff5
0x00438004
0x00438008
0x00438008
0x00438016
0x00438032
0x00438038
0x0043803a
0x0043803e
0x0043803e
0x00438044
0x00438018
0x00438020
0x00438020
0x00438020
0x0043804b

APIs

__EH_prolog3_GS.LIBCMT ref: 00437FAB

Part of subcall function 0040D72B: __EH_prolog3_GS.LIBCMT ref: 0040D735

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

IsWindow.USER32 ref: 00437FFC
GetLastError.KERNEL32(?,004C2F40,00000000,004C2FA0,00000000), ref: 00438018

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String$Window
String ID:
API String ID: 678173169-0
Opcode ID: af26cfe468d581693d34c71179ab4bf57da956b0d0be9cf9038f8e26b2ee2d15
Instruction ID: 32e4841b76d65cc2d111591fc1a5e1fcd368efcc1de0b674295ad58eb36613ea
Opcode Fuzzy Hash: af26cfe468d581693d34c71179ab4bf57da956b0d0be9cf9038f8e26b2ee2d15
Instruction Fuzzy Hash: A5118F70600200DBDB28EF62C845A6EB7B9AF09348F14156EF452D72A1EF39DE09CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00415D9D, Relevance: 7.6, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00415D9D(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t43;
				intOrPtr _t49;
				intOrPtr* _t52;
				signed int _t56;
				void* _t57;
				intOrPtr _t61;

				_push(4);
				E0045B896(0x4a1eed, __ebx, __edi, __esi);
				_t52 = __ecx;
				 *((intOrPtr*)(_t57 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t57 + 0x14)) != 0) {
					 *((intOrPtr*)(__ecx + 0xc)) = 0x4b06e0;
					 *((intOrPtr*)(__ecx + 0x14)) = 0x4b06e8;
				}
				_t45 = _t52 + 0xc;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t52 + 0xc)) + 4)) + _t45)) = GetLastError();
				 *(_t57 - 4) =  *(_t57 - 4) & 0x00000000;
				 *(_t52 + 0x10) =  *(_t52 + 0x10) & 0x00000000;
				 *(_t57 - 4) = 1;
				E0041669A(_t52);
				_t13 =  *((intOrPtr*)(_t52 + 0x14)) + 4; // 0x4
				_t35 =  *_t13;
				SetLastError( *(_t35 + _t52 + 0x14));
				_t49 =  *((intOrPtr*)(_t57 + 0x10));
				_t56 =  *(_t57 + 0xc);
				_t43 =  *((intOrPtr*)(_t57 + 8));
				 *_t52 = 0x4b06dc;
				if(_t49 == 0xffffffff) {
					__imp__#7( *((intOrPtr*)(_t43 + 0x10)));
					_t49 = _t35 - _t56;
					_t61 = _t49;
				}
				 *((intOrPtr*)(_t57 + 0x14)) = _t52;
				_push(1);
				_push( *((intOrPtr*)(_t43 + 0x10)) + _t56 * 2);
				_push(_t49);
				 *(_t57 - 4) = 4;
				E00415E4A(_t43, _t52, _t52, _t56, _t61);
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t52 + 0xc)) + 4)) + _t52 + 0xc));
				return E0045B864(_t52);
			}

0x00415d9d
0x00415da4
0x00415da9
0x00415dab
0x00415db2
0x00415db4
0x00415dbb
0x00415dbb
0x00415dc2
0x00415dd2
0x00415dd4
0x00415dd8
0x00415dde
0x00415de2
0x00415dea
0x00415dea
0x00415df1
0x00415df7
0x00415dfa
0x00415dfd
0x00415e00
0x00415e09
0x00415e0e
0x00415e16
0x00415e16
0x00415e16
0x00415e18
0x00415e1e
0x00415e23
0x00415e24
0x00415e27
0x00415e2b
0x00415e3a
0x00415e47

APIs

__EH_prolog3.LIBCMT ref: 00415DA4
GetLastError.KERNEL32(00000004,00416E97,?,?,?,00000000), ref: 00415DCC
SetLastError.KERNEL32(00000000), ref: 00415DF1
SysStringLen.OLEAUT32(00000000), ref: 00415E0E
SetLastError.KERNEL32(?,00000000,00000000,00000001), ref: 00415E3A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3String
String ID:
API String ID: 2160793888-0
Opcode ID: d517fdbc2243c532d8e67b05f02769ec25b5c23ea0d15799a9168d4e0643caa1
Instruction ID: 396adce6e6fbb270940b12cd01ddca4a5a44da954095b05863c7fa30c8363c18
Opcode Fuzzy Hash: d517fdbc2243c532d8e67b05f02769ec25b5c23ea0d15799a9168d4e0643caa1
Instruction Fuzzy Hash: C3216A75600606DFCB00DF25C948B9ABBB5FF84325F04C65AEC14973A2CBB4E960CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00406170, Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00406170(void* __ebx, intOrPtr* __ecx, void* __edi, char _a4, intOrPtr* _a8, void _a12) {
				intOrPtr _v24;
				char _v40;
				void* __esi;
				void* __ebp;
				intOrPtr _t42;
				intOrPtr _t46;
				intOrPtr _t57;
				intOrPtr _t68;
				intOrPtr* _t74;
				intOrPtr _t75;
				intOrPtr _t76;
				intOrPtr* _t85;
				char _t89;
				intOrPtr* _t90;
				char _t94;
				intOrPtr _t95;
				intOrPtr* _t108;
				intOrPtr* _t110;
				intOrPtr* _t111;
				void* _t123;
				void* _t125;

				_t74 = _a4;
				_t94 =  *((intOrPtr*)(_t74 + 0x10));
				_t107 = __ecx;
				_t85 = _a8;
				if(_t94 < _t85) {
					_push("invalid string position");
					E00459FCD(__eflags);
					goto L25;
				} else {
					_t94 =  <  ? _a12 : _t94 - _t85;
					if(__ecx != _t74) {
						__eflags = _t94 - 0xfffffffe;
						if(__eflags > 0) {
							goto L26;
						} else {
							_t57 =  *((intOrPtr*)(__ecx + 0x14));
							__eflags = _t57 - _t94;
							if(_t57 >= _t94) {
								__eflags = _t94;
								if(_t94 != 0) {
									goto L9;
								} else {
									 *((intOrPtr*)(__ecx + 0x10)) = _t94;
									__eflags = _t57 - 0x10;
									if(_t57 < 0x10) {
										 *((char*)(__ecx)) = 0;
										return __ecx;
									} else {
										 *((char*)( *__ecx)) = 0;
										return __ecx;
									}
								}
							} else {
								E00406D10(__ecx, _t94,  *((intOrPtr*)(__ecx + 0x10)));
								_t85 = _a8;
								__eflags = _t94;
								if(_t94 == 0) {
									L23:
									return _t107;
								} else {
									L9:
									__eflags =  *((intOrPtr*)(_t74 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t74 + 0x14)) >= 0x10) {
										_t74 =  *_t74;
									}
									__eflags =  *((intOrPtr*)(_t107 + 0x14)) - 0x10;
									if( *((intOrPtr*)(_t107 + 0x14)) < 0x10) {
										_t90 = _t107;
									} else {
										_t90 =  *_t107;
									}
									__eflags = _t94;
									if(_t94 != 0) {
										E0045A8B0(_t90, _t74 + _t85, _t94);
									}
									__eflags =  *((intOrPtr*)(_t107 + 0x14)) - 0x10;
									 *((intOrPtr*)(_t107 + 0x10)) = _t94;
									if( *((intOrPtr*)(_t107 + 0x14)) < 0x10) {
										 *((char*)(_t107 + _t94)) = 0;
										goto L23;
									} else {
										 *((char*)( *_t107 + _t94)) = 0;
										return _t107;
									}
								}
							}
						}
					} else {
						_t68 = _t94 + _t85;
						if( *((intOrPtr*)(__ecx + 0x10)) < _t68) {
							L25:
							_push("invalid string position");
							E00459FCD(__eflags);
							L26:
							_push("string too long");
							E00459F9F(__eflags);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t123 = _t125;
							_push(_t107);
							_push(_t94);
							_t95 = _v24;
							_t108 = _t85;
							__eflags = _t95 - 0xfffffffe;
							if(__eflags > 0) {
								_push("string too long");
								E00459F9F(__eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t123);
								_t89 = _v40;
								_push(_t108);
								__eflags = _t89;
								if(_t89 == 0) {
									L53:
									__eflags = 0;
									return 0;
								} else {
									_t42 =  *((intOrPtr*)(_t85 + 0x14));
									__eflags = _t42 - 0x10;
									if(_t42 < 0x10) {
										_t110 = _t85;
									} else {
										_t110 =  *_t85;
									}
									__eflags = _t89 - _t110;
									if(_t89 < _t110) {
										goto L53;
									} else {
										__eflags = _t42 - 0x10;
										if(_t42 < 0x10) {
											_t111 = _t85;
										} else {
											_t111 =  *_t85;
										}
										__eflags =  *((intOrPtr*)(_t85 + 0x10)) + _t111 - _t89;
										if( *((intOrPtr*)(_t85 + 0x10)) + _t111 <= _t89) {
											goto L53;
										} else {
											return 1;
										}
									}
								}
							} else {
								_t46 =  *((intOrPtr*)(_t108 + 0x14));
								__eflags = _t46 - _t95;
								if(_t46 >= _t95) {
									__eflags = _a4;
									if(_a4 == 0) {
										L37:
										__eflags = _t95;
										if(_t95 == 0) {
											 *((intOrPtr*)(_t108 + 0x10)) = _t95;
											__eflags = _t46 - 0x10;
											if(_t46 >= 0x10) {
												_t108 =  *_t108;
											}
											 *_t108 = 0;
										}
										__eflags = 0 - _t95;
										asm("sbb eax, eax");
										return  ~0x00000000;
									} else {
										__eflags = _t95 - 0x10;
										if(_t95 >= 0x10) {
											goto L37;
										} else {
											_push(_t74);
											_t75 =  *((intOrPtr*)(_t108 + 0x10));
											__eflags = _t95 - _t75;
											_t76 =  <  ? _t95 : _t75;
											__eflags = _t46 - 0x10;
											if(_t46 >= 0x10) {
												_t51 =  *_t108;
												_a4 =  *_t108;
												__eflags = _t76;
												if(_t76 != 0) {
													E0045A8B0(_t108, _t51, _t76);
													_t51 = _a4;
													_t125 = _t125 + 0xc;
												}
												L0045A2FE(_t51);
											}
											 *((intOrPtr*)(_t108 + 0x10)) = _t76;
											 *((intOrPtr*)(_t108 + 0x14)) = 0xf;
											 *((char*)(_t76 + _t108)) = 0;
											__eflags = 0 - _t95;
											asm("sbb eax, eax");
											return  ~0x00000000;
										}
									}
								} else {
									E00406D10(_t85, _t95,  *((intOrPtr*)(_t108 + 0x10)));
									__eflags = 0 - _t95;
									asm("sbb eax, eax");
									return  ~0x00000000;
								}
							}
						} else {
							 *((intOrPtr*)(__ecx + 0x10)) = _t68;
							if( *((intOrPtr*)(__ecx + 0x14)) < 0x10) {
								 *((char*)(_t68 + __ecx)) = 0;
								E00406C60(_t74, __ecx, _t94, __ecx, 0, _t85);
								return __ecx;
							} else {
								 *((char*)(_t68 +  *__ecx)) = 0;
								E00406C60(_t74, __ecx, _t94, __ecx, 0, _t85);
								return __ecx;
							}
						}
					}
				}
			}

0x00406174
0x00406179
0x0040617c
0x0040617e
0x00406183
0x00406272
0x00406277
0x00000000
0x00406189
0x0040618e
0x00406194
0x004061dd
0x004061e0
0x00000000
0x004061e6
0x004061e6
0x004061e9
0x004061eb
0x00406211
0x00406213
0x00000000
0x00406215
0x00406215
0x00406218
0x0040621b
0x0040622f
0x00406234
0x0040621d
0x00406220
0x00406228
0x00406228
0x0040621b
0x004061ed
0x004061f3
0x004061f8
0x004061fb
0x004061fd
0x00406269
0x0040626f
0x004061ff
0x004061ff
0x004061ff
0x00406203
0x00406205
0x00406205
0x00406207
0x0040620b
0x00406237
0x0040620d
0x0040620d
0x0040620d
0x00406239
0x0040623b
0x00406243
0x00406248
0x0040624b
0x0040624f
0x00406252
0x00406265
0x00000000
0x00406254
0x00406256
0x00406260
0x00406260
0x00406252
0x004061fd
0x004061eb
0x00406196
0x00406196
0x0040619c
0x0040627c
0x0040627c
0x00406281
0x00406286
0x00406286
0x0040628b
0x00406290
0x00406291
0x00406292
0x00406293
0x00406294
0x00406295
0x00406296
0x00406297
0x00406298
0x00406299
0x0040629a
0x0040629b
0x0040629c
0x0040629d
0x0040629e
0x0040629f
0x004062a1
0x004062a3
0x004062a4
0x004062a5
0x004062a8
0x004062aa
0x004062ad
0x00406346
0x0040634b
0x00406350
0x00406351
0x00406352
0x00406353
0x00406354
0x00406355
0x00406356
0x00406357
0x00406358
0x00406359
0x0040635a
0x0040635b
0x0040635c
0x0040635d
0x0040635e
0x0040635f
0x00406360
0x00406363
0x00406366
0x00406367
0x00406369
0x00406398
0x00406398
0x0040639c
0x0040636b
0x0040636b
0x0040636e
0x00406371
0x00406377
0x00406373
0x00406373
0x00406373
0x00406379
0x0040637b
0x00000000
0x0040637d
0x0040637d
0x00406380
0x00406386
0x00406382
0x00406382
0x00406382
0x0040638d
0x0040638f
0x00000000
0x00406391
0x00406395
0x00406395
0x0040638f
0x0040637b
0x004062b3
0x004062b3
0x004062b6
0x004062b8
0x004062d1
0x004062d5
0x00406327
0x00406327
0x00406329
0x0040632b
0x0040632e
0x00406331
0x00406333
0x00406333
0x00406335
0x00406335
0x0040633a
0x0040633c
0x00406343
0x004062d7
0x004062d7
0x004062da
0x00000000
0x004062dc
0x004062dc
0x004062dd
0x004062e0
0x004062e2
0x004062e5
0x004062e8
0x004062ea
0x004062ec
0x004062ef
0x004062f1
0x004062f6
0x004062fb
0x004062fe
0x004062fe
0x00406302
0x00406307
0x0040630a
0x0040630f
0x00406316
0x0040631a
0x0040631d
0x00406324
0x00406324
0x004062da
0x004062ba
0x004062be
0x004062c5
0x004062c7
0x004062ce
0x004062ce
0x004062b8
0x004061a2
0x004061a6
0x004061a9
0x004061cb
0x004061cf
0x004061da
0x004061ab
0x004061b2
0x004061b6
0x004061c1
0x004061c1
0x004061a9
0x0040619c
0x00406194

APIs

_memmove.LIBCMT ref: 00406243
_memmove.LIBCMT ref: 004062F6

Strings

invalid string position, xrefs: 00406272, 0040627C
string too long, xrefs: 00406286, 00406346

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 2bf6b84ad1247069c9c43e81f4f7787db5ae3b91e2d9c78b1f02cec4828a41b3
Instruction ID: aebcd1addf6b513c7ddc00251f9b454c2f7c249733bcf0be6aee0ed732514433
Opcode Fuzzy Hash: 2bf6b84ad1247069c9c43e81f4f7787db5ae3b91e2d9c78b1f02cec4828a41b3
Instruction Fuzzy Hash: 98610D323043109BD7209E5CE980A5FB7A5EB92720F11497FE846E72C1C775D86587D9

Uniqueness

Uniqueness Score: -1.00%

Function 0044E60F, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 185
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0044E60F(void* __ebx, intOrPtr* __ecx, signed int __edi, intOrPtr __esi, void* __eflags) {
				signed int _t97;
				signed int _t103;
				char _t104;
				void* _t117;
				void* _t119;
				void* _t126;
				void* _t129;
				intOrPtr* _t147;
				intOrPtr* _t151;
				void* _t175;
				void* _t176;

				_t174 = __esi;
				_t173 = __edi;
				_push(0xf8);
				E0045B8C9(0x4a931f, __ebx, __edi, __esi);
				_t147 = __ecx;
				 *((intOrPtr*)(_t175 - 0xf4)) = 0;
				 *((intOrPtr*)(_t175 - 4)) = 0;
				if(( *(_t175 + 0x38) & 0x00000002) == 0 ||  *((intOrPtr*)(__ecx + 4)) !=  *((intOrPtr*)(__ecx + 8))) {
					__eflags =  *(_t175 + 0x38) & 0x00000004;
					 *((char*)(_t147 + 0x80)) = 1;
					if(( *(_t175 + 0x38) & 0x00000004) != 0) {
						 *((intOrPtr*)( *_t147 + 0x98))( *((intOrPtr*)(_t175 + 0x3c)));
						_t172 =  *_t147;
						 *((intOrPtr*)( *_t147 + 0x9c))( *(_t175 + 0x40) & 0x000000ff);
					}
					__eflags =  *(_t175 + 0x38) & 0x00000001;
					if(( *(_t175 + 0x38) & 0x00000001) != 0) {
						 *((intOrPtr*)( *_t147 + 0x88))();
					}
					__eflags =  *(_t175 + 0x1c);
					if( *(_t175 + 0x1c) != 0) {
						E004095E2(_t147 + 0x1c, _t175 + 8);
						_t97 = 0;
						 *((intOrPtr*)(_t175 - 0x100)) = 0;
						 *((intOrPtr*)(_t175 - 0xfc)) = 0;
						 *((intOrPtr*)(_t175 - 0xf8)) = 0;
						_t174 =  *((intOrPtr*)(_t147 + 4));
						 *((char*)(_t175 - 4)) = 1;
						__eflags = _t174 -  *((intOrPtr*)(_t147 + 8));
						if(__eflags != 0) {
							while(1) {
								__eflags = _t174 -  *((intOrPtr*)(_t147 + 4));
								if(__eflags != 0) {
									_push(_t97);
									_push(_t175 - 0xed);
									_push(0x4c2d7c);
									 *((intOrPtr*)(_t175 - 0x40)) = 0x4c2fa0;
									 *((intOrPtr*)(_t175 - 0x18)) = 0x4c2f40;
									E00408F6D(_t147, _t175 - 0x40, _t173, _t174, __eflags);
									_push(_t175 - 0x40);
									 *((char*)(_t175 - 4)) = 2;
									E00424FB5(_t147, _t175 - 0x100);
									 *((char*)(_t175 - 4)) = 1;
									E00401B80(_t175 - 0x40);
									_t97 = 0;
									__eflags = 0;
								}
								_push(_t97);
								_push(_t175 - 0xed);
								_push("[");
								 *((intOrPtr*)(_t175 - 0x40)) = 0x4c2fa0;
								 *((intOrPtr*)(_t175 - 0x18)) = 0x4c2f40;
								E00408F6D(_t147, _t175 - 0x40, _t173, _t174, __eflags);
								_push(_t174);
								_push(_t175 - 0x40);
								_push(_t175 - 0x70);
								 *((char*)(_t175 - 4)) = 3;
								_t117 = E00413C81(_t147, _t173, _t174, __eflags);
								_push("]");
								_push(_t117);
								_push(_t175 - 0xa0);
								 *((char*)(_t175 - 4)) = 4;
								_t119 = E0040B22B(_t147, _t173, _t174, __eflags);
								_t176 = _t176 + 0x18;
								_push(_t119);
								 *((char*)(_t175 - 4)) = 5;
								E00424FB5(_t147, _t175 - 0x100);
								E00401B80(_t175 - 0xa0);
								E00401B80(_t175 - 0x70);
								 *((char*)(_t175 - 4)) = 1;
								E00401B80(_t175 - 0x40);
								_t173 =  *(_t174 + 0x34);
								while(1) {
									__eflags = _t173 -  *((intOrPtr*)(_t174 + 0x38));
									if(_t173 ==  *((intOrPtr*)(_t174 + 0x38))) {
										break;
									}
									__eflags =  *((char*)(_t147 + 0x4c));
									if(__eflags == 0) {
										L18:
										_push(_t147 + 0x50);
										_push(_t173);
										_push(_t175 - 0xa0);
										_t126 = E00413C81(_t147, _t173, _t174, __eflags);
										_push(_t173 + 0x30);
										_push(_t126);
										_push(_t175 - 0x70);
										 *((char*)(_t175 - 4)) = 6;
										_t129 = E00413C81(_t147, _t173, _t174, __eflags);
										_t176 = _t176 + 0x18;
										_push(_t129);
										 *((char*)(_t175 - 4)) = 7;
										E00424FB5(_t147, _t175 - 0x100);
										E00401B80(_t175 - 0x70);
										 *((char*)(_t175 - 4)) = 1;
										E00401B80(_t175 - 0xa0);
									} else {
										__eflags =  *(_t173 + 0x44);
										if(__eflags != 0) {
											goto L18;
										} else {
											_push(_t173);
											E00425020(_t147, _t175 - 0x100);
										}
									}
									_t173 = _t173 + 0x60;
									__eflags = _t173;
								}
								_t174 = _t174 + 0x4c;
								__eflags = _t174 -  *((intOrPtr*)(_t147 + 8));
								if(__eflags != 0) {
									_t97 = 0;
									__eflags = 0;
									continue;
								}
								goto L22;
							}
						}
						L22:
						E00416831(_t147, _t175 - 0xec, _t173, _t174, __eflags);
						_push( *(_t147 + 0x88) & 0x000000ff);
						_push( *((intOrPtr*)(_t147 + 0x84)));
						_push(_t175 - 0x100);
						_t151 = _t176 - 0x30;
						_push(0);
						_push(_t175 + 8);
						 *((char*)(_t175 - 4)) = 8;
						 *_t151 = 0x4c2fa0;
						 *((intOrPtr*)(_t151 + 0x28)) = 0x4c2f40;
						E00408E82(_t147, _t151, _t173, _t174, __eflags);
						_t103 = E0044D71A(_t147, _t172, _t173, _t174, __eflags);
						 *(_t147 + 0x8c) = _t103;
						__eflags = _t103;
						if(_t103 == 0) {
							_t104 = 0;
							__eflags = 0;
							 *((char*)(_t147 + 0x4d)) = 0;
							 *((char*)(_t175 - 0xf4)) = 1;
						} else {
							 *(_t147 + 0x8c) = GetLastError();
							E004095E2(_t147 + 0x90, _t175 + 8);
							_t104 = 0;
							 *((intOrPtr*)(_t175 - 0xf4)) = 0;
						}
						 *((char*)(_t147 + 0x80)) = _t104;
						 *((char*)(_t175 - 4)) = 1;
						E004176D4(_t147, _t175 - 0xec, _t173, _t174, __eflags);
						E00409C7E(_t175 - 0x100);
					} else {
						 *((char*)(_t147 + 0x80)) = 0;
					}
				} else {
					 *((char*)(_t175 - 0xf4)) = 1;
				}
				E00401B80(_t175 + 8);
				return E0045B878(_t147, _t173, _t174);
			}

0x0044e60f
0x0044e60f
0x0044e60f
0x0044e619
0x0044e61e
0x0044e626
0x0044e62c
0x0044e62f
0x0044e645
0x0044e649
0x0044e650
0x0044e659
0x0044e663
0x0044e668
0x0044e668
0x0044e66e
0x0044e672
0x0044e678
0x0044e678
0x0044e67e
0x0044e682
0x0044e697
0x0044e69c
0x0044e69e
0x0044e6a4
0x0044e6aa
0x0044e6b0
0x0044e6b3
0x0044e6b7
0x0044e6ba
0x0044e6c4
0x0044e6c4
0x0044e6c7
0x0044e6c9
0x0044e6d0
0x0044e6d1
0x0044e6d9
0x0044e6e0
0x0044e6e7
0x0044e6ef
0x0044e6f6
0x0044e6fa
0x0044e702
0x0044e706
0x0044e70b
0x0044e70b
0x0044e70b
0x0044e70d
0x0044e714
0x0044e715
0x0044e71d
0x0044e724
0x0044e72b
0x0044e730
0x0044e734
0x0044e738
0x0044e739
0x0044e73d
0x0044e742
0x0044e747
0x0044e74e
0x0044e74f
0x0044e753
0x0044e758
0x0044e75b
0x0044e762
0x0044e766
0x0044e771
0x0044e779
0x0044e781
0x0044e785
0x0044e78a
0x0044e7fb
0x0044e7fb
0x0044e7fe
0x00000000
0x00000000
0x0044e78f
0x0044e793
0x0044e7a9
0x0044e7ac
0x0044e7b3
0x0044e7b4
0x0044e7b5
0x0044e7bf
0x0044e7c0
0x0044e7c4
0x0044e7c5
0x0044e7c9
0x0044e7ce
0x0044e7d1
0x0044e7d8
0x0044e7dc
0x0044e7e4
0x0044e7ef
0x0044e7f3
0x0044e795
0x0044e795
0x0044e799
0x00000000
0x0044e79b
0x0044e79b
0x0044e7a2
0x0044e7a2
0x0044e799
0x0044e7f8
0x0044e7f8
0x0044e7f8
0x0044e800
0x0044e803
0x0044e806
0x0044e6c2
0x0044e6c2
0x00000000
0x0044e6c2
0x00000000
0x0044e806
0x0044e6c4
0x0044e80c
0x0044e812
0x0044e81e
0x0044e81f
0x0044e82b
0x0044e82f
0x0044e831
0x0044e836
0x0044e837
0x0044e83b
0x0044e841
0x0044e848
0x0044e84d
0x0044e855
0x0044e85b
0x0044e85d
0x0044e884
0x0044e884
0x0044e886
0x0044e889
0x0044e85f
0x0044e865
0x0044e875
0x0044e87a
0x0044e87c
0x0044e87c
0x0044e896
0x0044e89c
0x0044e8a0
0x0044e8ab
0x0044e684
0x0044e684
0x0044e684
0x0044e639
0x0044e639
0x0044e639
0x0044e8b3
0x0044e8c3

APIs

__EH_prolog3_GS.LIBCMT ref: 0044E619
GetLastError.KERNEL32 ref: 0044E85F

Strings

@/L, xrefs: 0044E841
@/L, xrefs: 0044E724

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last
String ID: @/L$@/L
API String ID: 1018228973-2149722323
Opcode ID: 39669c8c2244ed1fe8184f22d05a4381d5011c05814d6046cde92ca27f65f948
Instruction ID: 96d107957e89ee672848440bf88a5f81ff19480339046cbe6f3af3f1dd4e001a
Opcode Fuzzy Hash: 39669c8c2244ed1fe8184f22d05a4381d5011c05814d6046cde92ca27f65f948
Instruction Fuzzy Hash: 0D81E771800158DEDF15EF65C985BEDBBB8BF14304F4440EFE849A7282DB789A88CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00490930, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00490930(intOrPtr* __ecx, signed int __edx, void* __eflags, signed int* _a4, signed int* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr _v8;
				char _v16;
				signed int _v20;
				char _v80;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				signed int _t59;
				void* _t62;
				signed int _t65;
				signed int _t68;
				intOrPtr* _t69;
				signed int _t70;
				signed int _t90;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				void* _t105;
				unsigned int _t106;
				intOrPtr* _t112;
				intOrPtr _t133;
				intOrPtr _t134;
				void* _t135;
				intOrPtr* _t137;
				void* _t138;
				signed int _t139;
				signed int _t152;

				_t128 = __edx;
				_push(0xffffffff);
				_push(0x4ab7e3);
				_push( *[fs:0x0]);
				_t58 =  *0x4d7e88; // 0x9518852c
				_t59 = _t58 ^ _t139;
				_v20 = _t59;
				_push(_t102);
				_push(_t59);
				 *[fs:0x0] =  &_v16;
				_t137 = __ecx;
				_v144 = _a16;
				_v148 = _a12;
				_t62 = E0048F900(_a12, __edx, __eflags,  &_v80);
				if(_t62 == 0) {
					_t112 = 0;
					__eflags = 0;
				} else {
					_t8 = _t62 + 4; // 0x4
					_t112 = _t8;
				}
				_t133 =  *((intOrPtr*)(_t112 + 0x10));
				if( *((intOrPtr*)(_t112 + 0x14)) >= 8) {
					_t112 =  *_t112;
				}
				_t64 =  <  ? _t133 : 4;
				_t65 = E0045B637(_t102, _t112, _t137, _t112, L".gif",  <  ? _t133 : 4);
				if(_t65 == 0) {
					if(_t133 >= 4) {
						__eflags = _t133 - 4;
						_t12 = _t133 != 4;
						__eflags = _t12;
						_t101 = 0 | _t12;
					} else {
						_t101 = _t65 | 0xffffffff;
					}
					_t152 = _t101;
				}
				_t103 = _t102 & 0xffffff00 | _t152 == 0x00000000;
				_v8 = 0xffffffff;
				E00401B80( &_v80);
				_t153 = _t103;
				if(_t103 == 0) {
					_t68 = E0048F900(_v148, _t128, __eflags,  &_v140);
					__eflags = _t68;
					if(_t68 == 0) {
						_t69 = 0;
						__eflags = 0;
					} else {
						_t69 = _t68 + 4;
					}
					__eflags =  *((intOrPtr*)(_t69 + 0x14)) - 8;
					_t134 =  *((intOrPtr*)(_t69 + 0x10));
					if( *((intOrPtr*)(_t69 + 0x14)) >= 8) {
						_t69 =  *_t69;
					}
					__eflags = _t134 - 4;
					_t116 =  <  ? _t134 : 4;
					_t70 = E0045B637(_t103,  <  ? _t134 : 4, _t137, _t69, L".bmp", 4);
					__eflags = _t70;
					if(__eflags == 0) {
						__eflags = _t134 - 4;
						if(_t134 >= 4) {
							__eflags = _t134 - 4;
							_t31 = _t134 != 4;
							__eflags = _t31;
							_t90 = 0 | _t31;
						} else {
							_t90 = _t70 | 0xffffffff;
						}
						__eflags = _t90;
					}
					_t104 = _t103 & 0xffffff00 | __eflags == 0x00000000;
					_v8 = 0xffffffff;
					E00401B80( &_v140);
					__eflags = _t104;
					if(_t104 == 0) {
						__eflags = 0;
					} else {
						E0049A150( *_t137,  *((intOrPtr*)(_t137 + 4)), _v144);
						 *( *_t137 + 0x10) =  *_a4;
						goto L24;
					}
				} else {
					E00497B90( *((intOrPtr*)(_t137 + 8)), _t128, _t153, _v144, _a20, 0);
					E004982E0( *((intOrPtr*)(_t137 + 8)),  *_t137,  *((intOrPtr*)(_t137 + 4)),  *((intOrPtr*)( *((intOrPtr*)(_t137 + 8)) + 0x14)));
					_t106 =  *( *((intOrPtr*)(_t137 + 8)) + 4);
					_t128 = (_t106 >> 0x00000008 & 0x000000ff | (_t106 & 0x000000ff) << 0x00000008) << 0x00000008 | _t106 >> 0x00000010 & 0x000000ff;
					 *( *_t137 + 0x10) = (_t106 >> 0x00000008 & 0x000000ff | (_t106 & 0x000000ff) << 0x00000008) << 0x00000008 | _t106 >> 0x00000010 & 0x000000ff;
					L24:
					 *((intOrPtr*)( *_t137 + 8)) = 1;
					 *((intOrPtr*)( *_t137 + 0x14)) = 0;
					 *((intOrPtr*)( *_t137 + 0x18)) = 0x64;
					 *((intOrPtr*)( *_t137 + 0x1c)) = 0x64;
					 *((intOrPtr*)( *_t137 + 0x20)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t137 + 4)) + 0x18)) = 0;
					 *((intOrPtr*)( *((intOrPtr*)(_t137 + 4)) + 0x1c)) = 1;
					 *( *((intOrPtr*)(_t137 + 4)) + 0x30) =  *( *_t137 + 0x10);
					 *( *((intOrPtr*)(_t137 + 4)) + 0x34) =  *_a8 & 0x0010002f;
				}
				 *[fs:0x0] = _v16;
				_pop(_t135);
				_pop(_t138);
				_pop(_t105);
				return E0045A457(_t105, _v20 ^ _t139, _t128, _t135, _t138);
			}

0x00490930
0x00490933
0x00490935
0x00490940
0x00490947
0x0049094c
0x0049094e
0x00490951
0x00490954
0x00490958
0x0049095e
0x00490966
0x00490972
0x00490978
0x0049097f
0x00490986
0x00490986
0x00490981
0x00490981
0x00490981
0x00490981
0x0049098c
0x0049098f
0x00490991
0x00490991
0x0049099a
0x004909a4
0x004909ae
0x004909b3
0x004909bc
0x004909bf
0x004909bf
0x004909bf
0x004909b5
0x004909b5
0x004909b5
0x004909c2
0x004909c2
0x004909c7
0x004909ca
0x004909d1
0x004909d6
0x004909d8
0x00490a38
0x00490a3d
0x00490a3f
0x00490a46
0x00490a46
0x00490a41
0x00490a41
0x00490a41
0x00490a48
0x00490a4c
0x00490a4f
0x00490a51
0x00490a51
0x00490a53
0x00490a5b
0x00490a65
0x00490a6d
0x00490a6f
0x00490a71
0x00490a74
0x00490a7d
0x00490a80
0x00490a80
0x00490a80
0x00490a76
0x00490a76
0x00490a76
0x00490a83
0x00490a83
0x00490a8b
0x00490a8e
0x00490a95
0x00490a9a
0x00490a9c
0x00490b1c
0x00490a9e
0x00490aa9
0x00490ab8
0x00000000
0x00490ab8
0x004909da
0x004909e8
0x004909f8
0x00490a03
0x00490a1f
0x00490a23
0x00490abb
0x00490abd
0x00490ac6
0x00490acf
0x00490ad8
0x00490ae1
0x00490aeb
0x00490af5
0x00490b04
0x00490b15
0x00490b18
0x00490b21
0x00490b29
0x00490b2a
0x00490b2b
0x00490b39

APIs

__wcsnicmp.LIBCMT ref: 004909A4
__wcsnicmp.LIBCMT ref: 00490A65

Strings

.bmp, xrefs: 00490A5F
.gif, xrefs: 0049099E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: __wcsnicmp
String ID: .bmp$.gif
API String ID: 1038674560-4134359634
Opcode ID: d5ee4679ab97b95a357d9a7390bc0dde59ce169020835a5af1e112e83ac73baa
Instruction ID: 23337b657ad670b4955280bc9165c19bba8a9d854e1dc5dde6e5a49d25f5db86
Opcode Fuzzy Hash: d5ee4679ab97b95a357d9a7390bc0dde59ce169020835a5af1e112e83ac73baa
Instruction Fuzzy Hash: 20518F72A00200DFDB14DF29C984B5A7BF1FF58314F10456EE95A8B392D73AE905CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004140D0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004140D0(void* __ebx, void* __ecx, void* __edi, intOrPtr* __esi, void* __eflags) {
				signed int _t81;
				signed int _t105;
				intOrPtr* _t126;
				signed int _t128;
				signed int _t129;
				void* _t130;
				void* _t132;
				intOrPtr* _t137;
				signed int _t144;
				void* _t145;
				void* _t153;
				signed int _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t155 = __esi;
				_push(0xe4);
				E0045B8C9(0x4a1aca, __ebx, __edi, __esi);
				_t153 = __ecx;
				_t144 =  *(_t159 + 0xc);
				 *(_t159 - 0xf0) =  *(_t159 - 0xf0) & 0x00000000;
				_t126 =  *((intOrPtr*)(_t159 + 8));
				if(_t144 != 0) {
					_t81 =  *(_t159 + 0x14);
					_t128 =  *(_t159 + 0x18);
					 *(_t159 - 0xd8) = _t81;
					__eflags = _t81 | _t128;
					 *(_t159 - 0xdc) = _t128;
					if((_t81 | _t128) == 0) {
						 *(_t159 - 0xd8) =  *(__ecx + 0x10);
						 *(_t159 - 0xdc) =  *(__ecx + 0x14);
					}
					_t129 = 0xa;
					__eflags = 0x100000 - _t144;
					asm("sbb eax, eax");
					_t156 = (0x00100000 & _t129) + _t129 & 0x0000ffff;
					 *(_t159 - 0xe8) = _t129;
					_t130 = 0x14;
					__eflags = _t156 - _t130;
					E0040D268(_t126,  *((intOrPtr*)(_t153 + 0xe4)), _t144, _t153, _t156, _t156 - _t130, _t159 - 0x40, (0 | _t156 != _t130) + 0x652);
					 *(_t159 - 4) =  *(_t159 - 4) & 0x00000000;
					_t132 = 0x14;
					__eflags = _t156 - _t132;
					_t92 =  ==  ? 0x100000 : 0x400;
					 *(_t159 - 0xe0) =  ==  ? 0x100000 : 0x400;
					 *((intOrPtr*)(_t159 - 0x70)) = 0x4c2fa0;
					 *((intOrPtr*)(_t159 - 0x48)) = 0x4c2f40;
					E00404200(_t159 - 0x70, _t159 - 0xd1, 0);
					 *(_t159 - 4) = 1;
					_t157 = E0040D268(_t126,  *((intOrPtr*)(_t153 + 0xe4)), _t144, _t153, _t156, __eflags, _t159 - 0xa0, 0x654);
					 *(_t159 - 4) = 2;
					_t145 = E0040D268(_t126,  *((intOrPtr*)(_t153 + 0xe4)), _t144, _t153, _t157, __eflags, _t159 - 0xd0, 0x657);
					_t32 = _t157 + 4; // 0x4
					_t137 = _t32;
					_t158 = 8;
					 *(_t159 - 4) = 3;
					__eflags =  *((intOrPtr*)(_t137 + 0x14)) - _t158;
					if( *((intOrPtr*)(_t137 + 0x14)) >= _t158) {
						_t137 =  *_t137;
					}
					__eflags =  *((intOrPtr*)(_t159 - 0x28)) - _t158;
					_t100 =  >=  ?  *((void*)(_t159 - 0x3c)) : _t159 - 0x3c;
					 *((intOrPtr*)(_t159 - 0xe4)) =  >=  ?  *((void*)(_t159 - 0x3c)) : _t159 - 0x3c;
					_t153 =  >=  ?  *((void*)(_t159 - 0x3c)) : _t159 - 0x3c;
					_t102 =  >=  ?  *((void*)(_t159 - 0x3c)) : _t159 - 0x3c;
					_t43 = _t145 + 4; // 0x4
					_t155 = _t43;
					 *((intOrPtr*)(_t159 - 0xec)) =  >=  ?  *((void*)(_t159 - 0x3c)) : _t159 - 0x3c;
					__eflags =  *((intOrPtr*)(_t155 + 0x14)) - 8;
					if( *((intOrPtr*)(_t155 + 0x14)) >= 8) {
						_t155 =  *_t155;
					}
					_t105 =  *(_t159 + 0xc) * 0xa /  *(_t159 - 0xe0);
					_push(_t137);
					_push(_t153);
					_push(_t105 %  *(_t159 - 0xe8));
					_push(_t105 /  *(_t159 - 0xe8));
					_push( *((intOrPtr*)(_t159 - 0xe4)));
					asm("cdq");
					_push(E0045D040( *(_t159 - 0xd8),  *(_t159 - 0xdc),  *(_t159 - 0xe0), _t105 %  *(_t159 - 0xe8)));
					__eflags =  *(_t159 + 0x10) %  *(_t159 - 0xe0);
					_push( *((intOrPtr*)(_t159 - 0xec)));
					E0040DD64(_t159 - 0x70, _t155,  *(_t159 + 0x10) /  *(_t159 - 0xe0));
					E00401B80(_t159 - 0xd0);
					 *(_t159 - 4) = 1;
					E00401B80(_t159 - 0xa0);
					_push(0);
					_push(_t159 - 0x70);
					 *_t126 = 0x4c2fa0;
					 *((intOrPtr*)(_t126 + 0x28)) = 0x4c2f40;
					E00408E82(_t126, _t126, _t153, _t155, __eflags);
					E00401B80(_t159 - 0x70);
					E00401B80(_t159 - 0x40);
				} else {
					E004091B8(_t126, 0x4c2d7c, _t159 - 0xd1, 1);
				}
				return E0045B878(_t126, _t153, _t155);
			}

0x004140d0
0x004140d0
0x004140da
0x004140df
0x004140e1
0x004140e4
0x004140eb
0x004140f0
0x0041410c
0x0041410f
0x00414112
0x00414118
0x0041411a
0x00414120
0x00414125
0x0041412e
0x0041412e
0x00414136
0x0041413c
0x0041413e
0x00414144
0x00414149
0x0041414f
0x00414152
0x00414168
0x0041416d
0x00414173
0x00414174
0x00414181
0x00414184
0x00414196
0x0041419d
0x004141a4
0x004141bb
0x004141c4
0x004141d8
0x004141e1
0x004141e3
0x004141e3
0x004141e8
0x004141e9
0x004141ed
0x004141f0
0x004141f2
0x004141f2
0x004141f4
0x004141fa
0x004141fe
0x00414207
0x0041420e
0x00414212
0x00414212
0x00414215
0x0041421b
0x0041421f
0x00414221
0x00414221
0x0041422b
0x00414233
0x00414234
0x0041423b
0x0041423c
0x0041423d
0x00414249
0x0041425d
0x00414263
0x00414269
0x00414275
0x00414283
0x0041428e
0x00414292
0x00414297
0x0041429c
0x0041429f
0x004142a5
0x004142ac
0x004142b4
0x004142bc
0x004140f2
0x00414102
0x00414102
0x004142c8

APIs

__EH_prolog3_GS.LIBCMT ref: 004140DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00414258

Strings

@/L, xrefs: 004142A5
@/L, xrefs: 0041419D

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: @/L$@/L
API String ID: 2661724416-2149722323
Opcode ID: 2e37487fcc0d612c4a4aabad9b4bfa38acc56bc6bdab711d0c5ee56dd30ccd6b
Instruction ID: 7f8b69b7c0cfc839a46880284997a531e60b82fb44abd950f79b84a05636c143
Opcode Fuzzy Hash: 2e37487fcc0d612c4a4aabad9b4bfa38acc56bc6bdab711d0c5ee56dd30ccd6b
Instruction Fuzzy Hash: 3F514B71A00218EFDB14DFA5DC41BDDB7B9BB58704F1084AEE509B7281DB74AA88CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00407F60, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00407F60(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _t25;
				signed int _t30;
				intOrPtr _t34;
				void* _t50;
				intOrPtr* _t56;
				signed int _t62;
				intOrPtr _t63;
				intOrPtr* _t64;
				signed int _t66;

				_t62 = _a8;
				_t72 = __ecx;
				_t56 = _a4;
				_t25 =  *((intOrPtr*)(_t56 + 0x10));
				if(_t25 < _t62) {
					_push("invalid string position");
					E00459FCD(__eflags);
					goto L23;
				} else {
					_t30 = _t25 - _t62;
					_t5 = _t72 + 0x10; // 0xc0
					_t63 =  *_t5;
					_t50 =  <  ? _t30 : _a12;
					if((_t30 | 0xffffffff) - _t63 <= _t50) {
						L23:
						_push("string too long");
						E00459F9F(__eflags);
						goto L24;
					} else {
						if(_t50 == 0) {
							L21:
							return _t72;
						} else {
							_t66 = _t63 + _t50;
							if(_t66 > 0x7ffffffe) {
								L24:
								_push("string too long");
								E00459F9F(__eflags);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								return _t56;
							} else {
								_t7 = _t72 + 0x14; // 0x46000000
								_t34 =  *_t7;
								if(_t34 >= _t66) {
									__eflags = _t66;
									if(_t66 != 0) {
										goto L6;
									} else {
										 *(__ecx + 0x10) = _t66;
										__eflags = _t34 - 8;
										if(_t34 < 8) {
											__eflags = 0;
											 *((short*)(__ecx)) = 0;
											return __ecx;
										} else {
											__eflags = 0;
											 *((short*)( *__ecx)) = 0;
											return __ecx;
										}
									}
								} else {
									E004079F0(__ecx, _t66, _t63);
									_t56 = _a4;
									if(_t66 == 0) {
										L20:
										goto L21;
									} else {
										L6:
										if( *((intOrPtr*)(_t56 + 0x14)) >= 8) {
											_t56 =  *_t56;
										}
										if( *((intOrPtr*)(_t72 + 0x14)) < 8) {
											_t64 = _t72;
										} else {
											_t64 =  *_t72;
										}
										if(_t50 != 0) {
											_t16 = _t72 + 0x10; // 0xc0
											E0045A8B0(_t64 +  *_t16 * 2, _t56 + _a8 * 2, _t50 + _t50);
										}
										 *(_t72 + 0x10) = _t66;
										if( *((intOrPtr*)(_t72 + 0x14)) < 8) {
											__eflags = 0;
											 *((short*)(_t72 + _t66 * 2)) = 0;
											goto L20;
										} else {
											 *((short*)( *_t72 + _t66 * 2)) = 0;
											return _t72;
										}
									}
								}
							}
						}
					}
				}
			}

0x00407f63
0x00407f68
0x00407f6a
0x00407f6d
0x00407f72
0x00408048
0x0040804d
0x00000000
0x00407f78
0x00407f7b
0x00407f7d
0x00407f7d
0x00407f82
0x00407f8c
0x00408052
0x00408052
0x00408057
0x00000000
0x00407f92
0x00407f94
0x00408040
0x00408045
0x00407f9a
0x00407f9b
0x00407fa4
0x0040805c
0x0040805c
0x00408061
0x00408066
0x00408067
0x00408068
0x00408069
0x0040806a
0x0040806b
0x0040806c
0x0040806d
0x0040806e
0x0040806f
0x00408072
0x00407faa
0x00407faa
0x00407faa
0x00407faf
0x00407fd3
0x00407fd5
0x00000000
0x00407fd7
0x00407fd7
0x00407fda
0x00407fdd
0x00407ff2
0x00407ff5
0x00407ffa
0x00407fdf
0x00407fe1
0x00407fe4
0x00407fec
0x00407fec
0x00407fdd
0x00407fb1
0x00407fb5
0x00407fba
0x00407fbf
0x0040803f
0x00000000
0x00407fc1
0x00407fc1
0x00407fc5
0x00407fc7
0x00407fc7
0x00407fcd
0x00407ffd
0x00407fcf
0x00407fcf
0x00407fcf
0x00408001
0x0040800e
0x00408015
0x0040801a
0x00408021
0x00408024
0x00408039
0x0040803b
0x00000000
0x00408026
0x0040802a
0x00408034
0x00408034
0x00408024
0x00407fbf
0x00407faf
0x00407fa4
0x00407f94
0x00407f8c

APIs

Part of subcall function 004079F0: SysAllocStringLen.OLEAUT32(00000000,00000001), ref: 00407A39
Part of subcall function 004079F0: _memmove.LIBCMT ref: 00407A61
Part of subcall function 004079F0: SysFreeString.OLEAUT32 ref: 00407A71

_memmove.LIBCMT ref: 00408015

Strings

invalid string position, xrefs: 00408048
T4L, xrefs: 00407F60
string too long, xrefs: 00408052, 0040805C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String_memmove$AllocFree
String ID: T4L$invalid string position$string too long
API String ID: 105348488-2591669810
Opcode ID: 339023f2a971f2261650c03f17190ba86c800935f6a084528e5201308c866f51
Instruction ID: 17ff3aab98dbe4811a4677aad2bad3e3494406d88393074657bd0fd7bf8d0c0d
Opcode Fuzzy Hash: 339023f2a971f2261650c03f17190ba86c800935f6a084528e5201308c866f51
Instruction Fuzzy Hash: 9731BE323083059BC724DE6CE98091BB3EAEF957143204A3FE441DB691DB75E84987A9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CBA2, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040CBA2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t40;
				intOrPtr _t42;
				intOrPtr* _t52;
				intOrPtr* _t58;
				intOrPtr _t60;
				intOrPtr _t65;
				intOrPtr* _t69;
				void* _t70;

				_push(0x50);
				E0045B935(0x4a0b43, __ebx, __edi, __esi);
				_t58 =  *((intOrPtr*)(_t70 + 0xc));
				_t69 =  *((intOrPtr*)(_t70 + 8));
				 *((intOrPtr*)(_t70 - 0x54)) =  *((intOrPtr*)(_t70 + 0x10));
				 *((intOrPtr*)(_t70 - 0x50)) =  *((intOrPtr*)(_t70 + 0x14));
				_t7 = _t70 + 0x18; // 0x4c2f40
				 *((intOrPtr*)(_t70 - 0x4c)) =  *_t7;
				 *((intOrPtr*)(_t70 - 0x58)) = _t69;
				 *((intOrPtr*)(_t70 - 0x5c)) = 0;
				_t40 = _t70 - 0x45;
				if( *((intOrPtr*)(_t58 + 0x14)) != 0) {
					 *((intOrPtr*)(_t70 - 0x44)) = 0x4c2fa0;
					 *((intOrPtr*)(_t70 - 0x1c)) = 0x4c2f40;
					E00404200(_t70 - 0x44, _t40, 0);
					_t65 =  *((intOrPtr*)(_t70 - 0x54));
					 *((intOrPtr*)(_t70 - 4)) = 0;
					 *((char*)(_t70 - 4)) = 1;
					__eflags = _t65;
					if(_t65 != 0) {
						_t60 =  *((intOrPtr*)(_t70 - 0x50));
						_t42 =  *((intOrPtr*)(_t70 - 0x4c));
						__eflags = _t60;
						if(_t60 != 0) {
							L12:
							_t58 = _t58 + 4;
							__eflags = _t42;
							if(_t42 != 0) {
								__eflags =  *((intOrPtr*)(_t58 + 0x14)) - 8;
								if(__eflags >= 0) {
									_t58 =  *_t58;
								}
								_push(_t42);
								_push(_t60);
								E0040DD64(_t70 - 0x44, _t58, _t65);
							} else {
								__eflags =  *((intOrPtr*)(_t58 + 0x14)) - 8;
								if(__eflags >= 0) {
									_t58 =  *_t58;
								}
								_push(_t60);
								E0040DD64(_t70 - 0x44, _t58, _t65);
							}
							goto L19;
						}
						__eflags = _t42;
						if(_t42 != 0) {
							__eflags = _t60;
							if(__eflags == 0) {
								goto L19;
							}
							goto L12;
						}
						_t52 = _t58 + 4;
						__eflags =  *((intOrPtr*)(_t52 + 0x14)) - 8;
						if(__eflags >= 0) {
							_t52 =  *_t52;
						}
						E0040DD64(_t70 - 0x44, _t52, _t65);
						goto L19;
					} else {
						__eflags =  *((intOrPtr*)(_t70 - 0x50)) - _t65;
						if(__eflags == 0) {
							__eflags =  *((intOrPtr*)(_t70 - 0x4c)) - _t65;
							if(__eflags == 0) {
								E004095E2(_t70 - 0x44, _t58);
							}
						}
						L19:
						_push(0);
						_push(_t70 - 0x44);
						 *((intOrPtr*)(_t70 - 4)) = 0;
						 *_t69 = 0x4c2fa0;
						 *((intOrPtr*)(_t69 + 0x28)) = 0x4c2f40;
						E00408E82(_t58, _t69, 0, _t69, __eflags);
						E00401B80(_t70 - 0x44);
						goto L20;
					}
				} else {
					E004091B8(_t69, 0x4c2d7c, _t40, 1);
					L20:
					return E0045B887(_t58, 0, _t69);
				}
			}

0x0040cba2
0x0040cba9
0x0040cbb1
0x0040cbb4
0x0040cbb7
0x0040cbbd
0x0040cbc0
0x0040cbc5
0x0040cbc8
0x0040cbcb
0x0040cbce
0x0040cbd4
0x0040cbef
0x0040cbf6
0x0040cbfd
0x0040cc02
0x0040cc05
0x0040cc08
0x0040cc0c
0x0040cc0e
0x0040cc29
0x0040cc2c
0x0040cc2f
0x0040cc31
0x0040cc56
0x0040cc56
0x0040cc59
0x0040cc5b
0x0040cc76
0x0040cc7a
0x0040cc7c
0x0040cc7c
0x0040cc7e
0x0040cc7f
0x0040cc86
0x0040cc5d
0x0040cc5d
0x0040cc61
0x0040cc63
0x0040cc63
0x0040cc65
0x0040cc6c
0x0040cc71
0x00000000
0x0040cc5b
0x0040cc33
0x0040cc35
0x0040cc52
0x0040cc54
0x00000000
0x00000000
0x00000000
0x0040cc54
0x0040cc37
0x0040cc3a
0x0040cc3e
0x0040cc40
0x0040cc40
0x0040cc48
0x00000000
0x0040cc10
0x0040cc10
0x0040cc13
0x0040cc19
0x0040cc1c
0x0040cc22
0x0040cc22
0x0040cc1c
0x0040cc9b
0x0040cc9b
0x0040cc9f
0x0040cca2
0x0040cca5
0x0040ccab
0x0040ccb2
0x0040ccba
0x00000000
0x0040ccba
0x0040cbd6
0x0040cbe0
0x0040ccbf
0x0040ccc6
0x0040ccc6

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 0040CBA9

Strings

@/L, xrefs: 0040CBC0
@/L, xrefs: 0040CCAB
@/L, xrefs: 0040CBF6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_catch_
String ID: @/L$@/L$@/L
API String ID: 1329019490-1531812684
Opcode ID: b4b8d0bccd8865372fee80d71a4fd1f4faf3588b2307c216d6ac2676aa97a12d
Instruction ID: ab691274893ebf0844c0e0d1ad410fcec29b29683fd2bd70487116ea5d299ff9
Opcode Fuzzy Hash: b4b8d0bccd8865372fee80d71a4fd1f4faf3588b2307c216d6ac2676aa97a12d
Instruction Fuzzy Hash: 66316FB0904208DBEF14DF95CA95A9E77B8EF54704F10413FF805AB285E778AE058B69

Uniqueness

Uniqueness Score: -1.00%

Function 0045264F, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0045264F(signed int __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t51;
				signed short* _t54;
				signed int _t64;
				signed int _t70;
				void* _t81;
				void* _t85;
				signed int _t87;
				signed short* _t89;
				void* _t90;
				void* _t91;
				void* _t92;

				_t92 = __eflags;
				_t85 = __edx;
				_t68 = __ebx;
				_push(0x3c);
				E0045B896(0x4a9ae0, __ebx, __edi, __esi);
				_t89 =  *(_t90 + 0xc);
				 *(_t90 - 0x10) =  *(_t90 - 0x10) & 0x00000000;
				_push(1);
				_push( *((intOrPtr*)(_t90 + 0x10)) - _t89 >> 1);
				E00452135(__ebx, _t90 - 0x2c, __edi, _t89, _t92);
				 *(_t90 - 4) =  *(_t90 - 4) & 0x00000000;
				_t87 = 0;
				while(_t89 !=  *((intOrPtr*)(_t90 + 0x10))) {
					_t70 =  *_t89 & 0x0000ffff;
					__eflags = _t70 - 0x26;
					if(_t70 != 0x26) {
						_t51 =  *((intOrPtr*)(_t90 - 0x1c));
						 *(_t51 + _t87 * 2) = _t70;
					} else {
						_t9 =  &(_t89[9]); // 0x12
						 *(_t90 + 0xc) = 0x3b;
						_t54 = E00451F11(_t89, _t9, _t90 + 0xc);
						_t91 = _t91 + 0xc;
						_push(1);
						_push(_t89);
						_push(_t54 - _t89 >> 1);
						 *(_t90 + 0xc) = _t54;
						_t55 = E004521A6(_t68, _t90 - 0x48, _t87, _t89, __eflags);
						 *(_t90 - 4) = 1;
						_t68 = 0;
						__eflags = 0;
						while(1) {
							_t55 = E004523A7(_t55, _t90 - 0x48, __eflags,  *((intOrPtr*)(0x4d7a14 + _t68 * 4)));
							__eflags = _t55;
							if(_t55 != 0) {
								break;
							}
							_t68 = _t68 + 1;
							__eflags = _t68 - 5;
							if(__eflags < 0) {
								continue;
							} else {
							}
							L7:
							__eflags = _t89[1] - 0x23;
							if(_t89[1] == 0x23) {
								__eflags = _t89[2] - 0x78;
								_t81 = _t90 - 0x48;
								if(_t89[2] != 0x78) {
									E00452DB3(_t55, _t68, _t81, _t85);
									_push(0xa);
									_t64 =  *((intOrPtr*)(_t90 - 0x44)) + 2;
									__eflags = _t64;
								} else {
									E00452DB3(_t55, _t68, _t81, _t85);
									_push(0x10);
									_t64 =  *((intOrPtr*)(_t90 - 0x44)) + 3;
								}
								_push(_t64);
								 *((short*)( *((intOrPtr*)(_t90 - 0x1c)) + _t87 * 2)) = E004527BE();
							}
							_t89 =  *(_t90 + 0xc);
							 *(_t90 - 4) = 0;
							_t51 = E004171F3();
							goto L14;
						}
						_t55 =  *((intOrPtr*)(_t90 - 0x1c));
						 *((short*)( *((intOrPtr*)(_t90 - 0x1c)) + _t87 * 2)) =  *((intOrPtr*)(_t68 * 2 + L"&<>\"\'"));
						goto L7;
					}
					L14:
					_t89 =  &(_t89[1]);
					_t87 = _t87 + 1;
					__eflags = _t87;
				}
				__imp__#7( *((intOrPtr*)(_t90 - 0x1c)));
				if(_t51 != 0) {
					 *((short*)( *((intOrPtr*)(_t90 - 0x1c)) + _t87 * 2)) = 0;
				}
				_push(1);
				_push(_t90 - 0x2c);
				E00452040(_t68,  *((intOrPtr*)(_t90 + 8)), _t87, _t89, 0);
				E004171F3();
				return E0045B864( *((intOrPtr*)(_t90 + 8)));
			}

0x0045264f
0x0045264f
0x0045264f
0x0045264f
0x00452656
0x0045265e
0x00452661
0x00452667
0x0045266b
0x0045266f
0x00452674
0x00452678
0x00452740
0x0045267f
0x00452682
0x00452685
0x00452735
0x00452738
0x0045268b
0x0045268f
0x00452694
0x0045269b
0x004526a0
0x004526a5
0x004526ab
0x004526ac
0x004526b0
0x004526b3
0x004526b8
0x004526bc
0x004526bc
0x004526be
0x004526c8
0x004526cd
0x004526cf
0x00000000
0x00000000
0x004526d1
0x004526d2
0x004526d5
0x00000000
0x00000000
0x004526d7
0x004526e8
0x004526e8
0x004526ed
0x004526ef
0x004526f4
0x004526f7
0x00452708
0x00452710
0x00452712
0x00452712
0x004526f9
0x004526f9
0x00452701
0x00452703
0x00452703
0x00452715
0x00452720
0x00452720
0x00452724
0x0045272a
0x0045272e
0x00000000
0x0045272e
0x004526d9
0x004526e4
0x00000000
0x004526e4
0x0045273c
0x0045273c
0x0045273f
0x0045273f
0x0045273f
0x0045274c
0x00452754
0x0045275b
0x0045275b
0x00452762
0x00452767
0x00452768
0x00452770
0x0045277d

APIs

__EH_prolog3.LIBCMT ref: 00452656

Part of subcall function 00452135: __EH_prolog3.LIBCMT ref: 0045213C
Part of subcall function 00452135: GetLastError.KERNEL32(00000004,00452674,00000004,00000001,0000003C,00452BE2,?,00000000,00000000,00000000,00452D7F,00000000,00000001), ref: 00452164
Part of subcall function 00452135: SetLastError.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00452190

_Find_unchecked1.LIBCPMT ref: 0045269B
SysStringLen.OLEAUT32(004522F2), ref: 0045274C

Strings

;, xrefs: 00452694

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3Last$Find_unchecked1String
String ID: ;
API String ID: 637338078-1661535913
Opcode ID: 4b5f2109a4cfafca856feffcd59ac57aade2a2f942d3a31ace33901e6914069a
Instruction ID: 158181cd351aca08523b2fc94ea085efbae1f9dd9860d670ed74b22edaea46a9
Opcode Fuzzy Hash: 4b5f2109a4cfafca856feffcd59ac57aade2a2f942d3a31ace33901e6914069a
Instruction Fuzzy Hash: 1531C531904208ABDF14EF65C941BEE77B5EF19305F10801BEC51A7392EBB89A4DCB59

Uniqueness

Uniqueness Score: -1.00%

Function 0043F577, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94
registryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0043F577(void** __ecx, void* __edi, char* _a4, short* _a8, int _a12) {
				char _v24;
				int* _v28;
				int* _v32;
				char _v36;
				void* __ebp;
				signed int _t27;
				void* _t31;
				long _t33;
				void* _t36;
				unsigned int _t41;
				signed int _t44;
				int _t45;
				int* _t47;
				char* _t51;
				char _t66;

				_t47 = _a12;
				if(_t47 == 0) {
					E00408936(__ecx, 0x80004005);
					asm("int3");
					_t36 = 0;
					_v36 = 0;
					_v32 = 0;
					_v28 = 0;
					_t27 = E004018F0( &_v36, 0x80000001, L"Software\\Classes", 0x20006);
					if(_t27 == 0) {
						__imp__RegOverridePredefKey(0x80000000, _v24);
						asm("sbb al, al");
						_t31 =  ~_t27 + 1;
						 *__ecx = _t31;
						_t36 = _t31;
					}
					E004018C0( &_v24);
					return _t36;
				} else {
					_t51 = _a4;
					_a12 = 0;
					_t33 = RegQueryValueExW( *__ecx, _a8, 0,  &_a12, _t51, _t47);
					if(_t51 != 0) {
						_t41 =  *_t47;
						if(_t41 == 0) {
							 *_t51 = 0;
						} else {
							_t45 = _a12;
							if(_t45 == 0) {
								L14:
								 *_t51 = 0;
								_t33 = 0xd;
							} else {
								if(_t45 <= 2) {
									if((_t41 & 0x00000001) != 0) {
										goto L14;
									} else {
										goto L13;
									}
								} else {
									if(_t45 != 7 || (_t41 & 0x00000001) != 0) {
										goto L14;
									} else {
										_t44 = _t41 >> 1;
										if(_t44 < 1 || _t51[_t44 * 2 - 2] != 0) {
											goto L14;
										} else {
											if(_t44 > 1) {
												_t66 = _t51[_t44 * 2 - 4];
												L13:
												if(_t66 != 0) {
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
					return _t33;
				}
			}

0x0043f57d
0x0043f582
0x0043f601
0x0043f606
0x0043f614
0x0043f625
0x0043f628
0x0043f62b
0x0043f62e
0x0043f635
0x0043f63f
0x0043f647
0x0043f649
0x0043f64b
0x0043f64d
0x0043f64d
0x0043f652
0x0043f65c
0x0043f584
0x0043f584
0x0043f593
0x0043f598
0x0043f5a0
0x0043f5a2
0x0043f5a6
0x0043f5f2
0x0043f5a8
0x0043f5a8
0x0043f5ad
0x0043f5e6
0x0043f5ea
0x0043f5ed
0x0043f5af
0x0043f5b2
0x0043f5db
0x00000000
0x0043f5dd
0x00000000
0x0043f5df
0x0043f5b4
0x0043f5b7
0x00000000
0x0043f5be
0x0043f5be
0x0043f5c3
0x00000000
0x0043f5cc
0x0043f5cf
0x0043f5d1
0x0043f5e4
0x0043f5e4
0x00000000
0x00000000
0x0043f5e4
0x0043f5cf
0x0043f5c3
0x0043f5b7
0x0043f5b2
0x0043f5ad
0x0043f5a6
0x0043f5f9
0x0043f5f9

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000,@/L,00448E3A,00000000,?,004C2F40,?,@/L), ref: 0043F598
RegOverridePredefKey.ADVAPI32(80000000,?), ref: 0043F63F

Strings

Software\Classes, xrefs: 0043F616
@/L, xrefs: 0043F577

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: OverridePredefQueryValue
String ID: @/L$Software\Classes
API String ID: 44369052-719921432
Opcode ID: 4112df1046a0d2107d918fcf3b9276114d6d0f477bd2d9725d0bb14e9d78785c
Instruction ID: b33718b7dac71c305aade94ef7c8bd209ba340b88333ae2782230c504194fbce
Opcode Fuzzy Hash: 4112df1046a0d2107d918fcf3b9276114d6d0f477bd2d9725d0bb14e9d78785c
Instruction Fuzzy Hash: 97214732D05308FADB20AF958881AFFBB78EF59784F20907FE91253256D2758D58C758

Uniqueness

Uniqueness Score: -1.00%

Function 00414905, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00414905(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				struct HWND__* _t55;
				signed short _t64;
				signed int _t65;
				void* _t84;
				intOrPtr* _t86;
				intOrPtr _t89;
				void* _t91;
				intOrPtr* _t92;
				void* _t93;

				_t84 = __edx;
				_t71 = __ebx;
				_push(0x84);
				E0045B8C9(0x4a1b7b, __ebx, __edi, __esi);
				_t86 = __ecx;
				_t88 =  *(_t93 + 8);
				 *(_t93 - 0x78) =  *(_t93 + 0xc);
				 *(_t93 - 0x84) =  *(_t93 + 0x10);
				 *(_t93 - 0x80) =  *(_t93 + 0x14);
				if(( *(_t93 + 0x18) & 0x00000002) != 0 || E0040D51B(__ecx) != 0) {
					_push(5);
					_push(_t88);
					E0040AB61(_t71, _t93 - 0x90,  *((intOrPtr*)( *_t86 + 0x20)));
					 *(_t93 - 4) =  *(_t93 - 4) & 0x00000000;
					__eflags =  *(_t93 + 0x18) & 0x00000001;
					if(__eflags == 0) {
						_push(0);
						_push(_t93 - 0x71);
						_push(L"MS Sans Serif");
						 *((intOrPtr*)(_t93 - 0x40)) = 0x4c2fa0;
						 *((intOrPtr*)(_t93 - 0x18)) = 0x4c2f40;
						E00408F6D(_t71, _t93 - 0x40, _t86, _t88, __eflags);
						 *(_t93 - 4) = 1;
						_t91 = E0040CF21( *_t86, _t93 - 0x70);
						__eflags =  *((intOrPtr*)(_t93 - 0x28)) - 8;
						_t71 =  >=  ?  *((void*)(_t93 - 0x3c)) : _t93 - 0x3c;
						 *(_t93 - 4) = 2;
						_t64 = E0040CF3D( >=  ?  *((void*)(_t93 - 0x3c)) : _t93 - 0x3c,  *_t86, _t84, _t86, _t91,  *((intOrPtr*)(_t93 - 0x28)) - 8,  *( *_t86 + 0x44) & 0x0000ffff);
						_t92 = _t91 + 4;
						_t65 = _t64 & 0x0000ffff;
						__eflags =  *((intOrPtr*)(_t92 + 0x14)) - 8;
						if(__eflags >= 0) {
							_t92 =  *_t92;
						}
						E0040ADF4(_t71, _t93 - 0x90, _t86, _t92, __eflags, _t92, _t65, _t71, 8);
						E00401B80(_t93 - 0x70);
						 *(_t93 - 4) = 0;
						E00401B80(_t93 - 0x40);
					}
					_t89 =  *_t86;
					 *((char*)(_t93 - 0x7c)) = E0040D238(_t89,  *(_t89 + 0x44) & 0x0000ffff);
					_t55 = CreateDialogIndirectParamW( *(_t89 + 0x20), E0040ACD1(_t93 - 0x90,  *((intOrPtr*)(_t93 - 0x7c))),  *(_t93 - 0x78),  *(_t93 - 0x84),  *(_t93 - 0x80));
					_t42 = _t93 - 4;
					 *_t42 =  *(_t93 - 4) | 0xffffffff;
					__eflags =  *_t42;
					_t88 = _t55;
					E0040AC57(_t93 - 0x90);
				}
				return E0045B878(_t71, _t86, _t88);
			}

0x00414905
0x00414905
0x00414905
0x0041490f
0x00414914
0x0041491d
0x00414920
0x00414926
0x0041492f
0x00414932
0x00414946
0x00414948
0x00414952
0x00414957
0x0041495b
0x0041495f
0x00414961
0x00414966
0x00414967
0x0041496f
0x00414976
0x0041497d
0x00414988
0x00414991
0x00414995
0x004149a0
0x004149a5
0x004149a9
0x004149ae
0x004149b1
0x004149b4
0x004149b8
0x004149ba
0x004149ba
0x004149c7
0x004149cf
0x004149d7
0x004149db
0x004149db
0x004149e0
0x004149f4
0x00414a10
0x00414a16
0x00414a16
0x00414a16
0x00414a20
0x00414a22
0x00414a27
0x00414a2e

APIs

__EH_prolog3_GS.LIBCMT ref: 0041490F
CreateDialogIndirectParamW.USER32 ref: 00414A10

Strings

MS Sans Serif, xrefs: 00414967
@/L, xrefs: 00414976

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CreateDialogH_prolog3_IndirectParam
String ID: @/L$MS Sans Serif
API String ID: 2249790658-1405392024
Opcode ID: 2278bdbb84537fca3900491a9e54b11ff4fe86ffdb2698ab0bdb43b14a94297a
Instruction ID: 52fb60251a7ffe828c46daecbe5eb3af03773a261b3c7b63d1d1446236159fcf
Opcode Fuzzy Hash: 2278bdbb84537fca3900491a9e54b11ff4fe86ffdb2698ab0bdb43b14a94297a
Instruction Fuzzy Hash: B9317E70900219DFDB10EFA5C941BEDBBB4BF14318F10009EF85473282DB385A48DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D57E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0040D57E(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				int _t53;
				signed short _t62;
				signed int _t63;
				void* _t82;
				intOrPtr* _t84;
				intOrPtr _t87;
				void* _t89;
				intOrPtr* _t90;
				void* _t91;

				_t82 = __edx;
				_t69 = __ebx;
				_push(0x80);
				E0045B8C9(0x4a0d8e, __ebx, __edi, __esi);
				_t84 = __ecx;
				_t86 =  *(_t91 + 8);
				 *(_t91 - 0x7c) =  *(_t91 + 0xc);
				 *(_t91 - 0x80) =  *(_t91 + 0x10);
				if(( *(_t91 + 0x1c) & 0x00000002) != 0 || E0040D51B(__ecx) != 0) {
					_push(5);
					_push(_t86);
					E0040AB61(_t69, _t91 - 0x8c,  *((intOrPtr*)( *_t84 + 0x20)));
					 *(_t91 - 4) =  *(_t91 - 4) & 0x00000000;
					__eflags =  *(_t91 + 0x1c) & 0x00000001;
					if(__eflags == 0) {
						_push(0);
						_push(_t91 - 0x71);
						_push(L"MS Sans Serif");
						 *((intOrPtr*)(_t91 - 0x40)) = 0x4c2fa0;
						 *((intOrPtr*)(_t91 - 0x18)) = 0x4c2f40;
						E00408F6D(_t69, _t91 - 0x40, _t84, _t86, __eflags);
						 *(_t91 - 4) = 1;
						_t89 = E0040CF21( *_t84, _t91 - 0x70);
						__eflags =  *((intOrPtr*)(_t91 - 0x28)) - 8;
						_t69 =  >=  ?  *((void*)(_t91 - 0x3c)) : _t91 - 0x3c;
						 *(_t91 - 4) = 2;
						_t62 = E0040CF3D( >=  ?  *((void*)(_t91 - 0x3c)) : _t91 - 0x3c,  *_t84, _t82, _t84, _t89,  *((intOrPtr*)(_t91 - 0x28)) - 8,  *( *_t84 + 0x44) & 0x0000ffff);
						_t90 = _t89 + 4;
						_t63 = _t62 & 0x0000ffff;
						__eflags =  *((intOrPtr*)(_t90 + 0x14)) - 8;
						if(__eflags >= 0) {
							_t90 =  *_t90;
						}
						E0040ADF4(_t69, _t91 - 0x8c, _t84, _t90, __eflags, _t90, _t63, _t69, 8);
						E00401B80(_t91 - 0x70);
						 *(_t91 - 4) = 0;
						E00401B80(_t91 - 0x40);
					}
					_t87 =  *_t84;
					 *((char*)(_t91 - 0x75)) = E0040D238(_t87,  *(_t87 + 0x44) & 0x0000ffff);
					_t53 = DialogBoxIndirectParamW( *(_t87 + 0x20), E0040ACD1(_t91 - 0x8c,  *((intOrPtr*)(_t91 - 0x75))),  *(_t91 - 0x7c),  *(_t91 - 0x80),  *(_t91 + 0x14));
					_t41 = _t91 - 4;
					 *_t41 =  *(_t91 - 4) | 0xffffffff;
					__eflags =  *_t41;
					_t86 = _t53;
					E0040AC57(_t91 - 0x8c);
				}
				return E0045B878(_t69, _t84, _t86);
			}

0x0040d57e
0x0040d57e
0x0040d57e
0x0040d588
0x0040d58d
0x0040d596
0x0040d599
0x0040d59f
0x0040d5a2
0x0040d5b7
0x0040d5b9
0x0040d5c3
0x0040d5c8
0x0040d5cc
0x0040d5d0
0x0040d5d2
0x0040d5d7
0x0040d5d8
0x0040d5e0
0x0040d5e7
0x0040d5ee
0x0040d5f9
0x0040d602
0x0040d606
0x0040d611
0x0040d616
0x0040d61a
0x0040d61f
0x0040d622
0x0040d625
0x0040d629
0x0040d62b
0x0040d62b
0x0040d638
0x0040d640
0x0040d648
0x0040d64c
0x0040d64c
0x0040d651
0x0040d665
0x0040d67e
0x0040d684
0x0040d684
0x0040d684
0x0040d68e
0x0040d690
0x0040d695
0x0040d69c

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D588
DialogBoxIndirectParamW.USER32 ref: 0040D67E

Strings

@/L, xrefs: 0040D5E7
MS Sans Serif, xrefs: 0040D5D8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: DialogH_prolog3_IndirectParam
String ID: @/L$MS Sans Serif
API String ID: 1500191164-1405392024
Opcode ID: 0d0015fc87131631afe043bde6195f1c63eb99cf86931cea78689e7b2501d7b6
Instruction ID: 6c97f12c2579d663ac2fa2d2ae49c1a787b4e135a5e0fd399ed3c0006abe2c68
Opcode Fuzzy Hash: 0d0015fc87131631afe043bde6195f1c63eb99cf86931cea78689e7b2501d7b6
Instruction Fuzzy Hash: 1B316D70800219EBDF10EFA5C845BADBBB4BF14318F1040AEF85577282DB799A18DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3F4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040A3F4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t32;
				void* _t43;
				char _t52;
				void* _t67;
				intOrPtr* _t69;
				void* _t72;

				_t67 = __edx;
				_push(0x70);
				E0045B8C9(0x4a063c, __ebx, __edi, __esi);
				_t71 = __ecx;
				_t69 =  *((intOrPtr*)(_t72 + 8));
				_t52 = 0;
				 *((intOrPtr*)(_t72 - 0x7c)) = 0;
				 *((intOrPtr*)(_t72 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t72 - 0x18)) = 0x4c2f40;
				E00404200(_t72 - 0x40, _t72 - 0x75, 0);
				 *((intOrPtr*)(_t72 - 4)) = 0;
				_t32 = E0040A4F3(__ecx);
				_push(1);
				if(_t32 == 0) {
					_push(0x3a);
					__eflags = E0040A166(__ecx);
					if(__eflags != 0) {
						_t43 = E0040AABC(__ecx, _t72 - 0x70, 0, 2);
						 *((char*)(_t72 - 4)) = 2;
						goto L6;
					}
				} else {
					_push(2);
					_push(_t72 - 0x74);
					 *((intOrPtr*)(_t72 - 0x74)) = 0x5c;
					if(E0040A017(__ecx + 4) != 0xffffffff) {
						 *((intOrPtr*)(_t72 - 0x74)) = 0x5c;
						_t47 = E0040A017(__ecx + 4, _t72 - 0x74, _t47 + 1, 1);
					}
					_t52 = 0;
					_t43 = E0040AABC(_t71, _t72 - 0x70, 0, _t47);
					 *((char*)(_t72 - 4)) = 1;
					L6:
					E004095E2(_t72 - 0x40, _t43);
					 *((char*)(_t72 - 4)) = _t52;
					E00401B80(_t72 - 0x70);
				}
				_t77 =  *((char*)(_t72 + 0xc));
				if( *((char*)(_t72 + 0xc)) != 0) {
					E0040A1AF(_t52, _t72 - 0x40, _t67, _t77, _t72 - 0x70);
					E00401B80(_t72 - 0x70);
				}
				_push(_t52);
				_push(_t72 - 0x40);
				 *_t69 = 0x4c2fa0;
				 *((intOrPtr*)(_t69 + 0x28)) = 0x4c2f40;
				E00408E82(_t52, _t69, _t69, _t71, _t77);
				E00401B80(_t72 - 0x40);
				return E0045B878(_t52, _t69, _t71);
			}

0x0040a3f4
0x0040a3f4
0x0040a3fb
0x0040a400
0x0040a402
0x0040a405
0x0040a40f
0x0040a412
0x0040a419
0x0040a420
0x0040a427
0x0040a42a
0x0040a42f
0x0040a433
0x0040a47b
0x0040a484
0x0040a486
0x0040a491
0x0040a496
0x00000000
0x0040a496
0x0040a435
0x0040a435
0x0040a43a
0x0040a43e
0x0040a44d
0x0040a45a
0x0040a461
0x0040a461
0x0040a467
0x0040a470
0x0040a475
0x0040a49a
0x0040a49e
0x0040a4a6
0x0040a4a9
0x0040a4a9
0x0040a4ae
0x0040a4b2
0x0040a4bb
0x0040a4c3
0x0040a4c3
0x0040a4c8
0x0040a4cc
0x0040a4cf
0x0040a4d5
0x0040a4dc
0x0040a4e4
0x0040a4f0

APIs

__EH_prolog3_GS.LIBCMT ref: 0040A3FB

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Strings

@/L, xrefs: 0040A419
@/L, xrefs: 0040A4D5
\, xrefs: 0040A45A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_
String ID: @/L$@/L$\
API String ID: 3339191932-1296846978
Opcode ID: 7a204939a124c2f9f1a4f9f25c686d009697cb9fd76fae9dab094465814943a2
Instruction ID: 306ac0c9b03c69df38530ff60417970c5a4f7d0040f34b3fa8105968ae412025
Opcode Fuzzy Hash: 7a204939a124c2f9f1a4f9f25c686d009697cb9fd76fae9dab094465814943a2
Instruction Fuzzy Hash: 15317371500208EADB15EFA5C955EDEB378AF14348F14412FF412B72C2DBB85A0ACF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004133E7, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E004133E7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t29;
				void* _t30;
				void* _t41;
				void* _t45;
				intOrPtr* _t60;
				void* _t63;

				_push(0x98);
				E0045B8C9(0x4a1869, __ebx, __edi, __esi);
				_t45 = __ecx;
				_t60 =  *((intOrPtr*)(_t63 + 8));
				 *(_t63 - 0xa4) =  *(_t63 - 0xa4) & 0x00000000;
				 *(_t63 - 4) =  *(_t63 - 4) & 0x00000000;
				_t6 = _t63 - 0x40; // 0x4c2f50
				_t62 = E00404640(__ecx, __edx, _t6, 1);
				 *(_t63 - 4) = 1;
				_t29 = E004034E0(__ecx, _t63 - 0xa0, 1, 0);
				 *(_t63 - 4) = 2;
				_t30 = E00402DE0(_t29, _t63 - 0x70, _t27);
				 *(_t63 - 4) = 3;
				E00402B90(__ecx, _t30);
				E00401AC0(_t63 - 0x70);
				E00401AC0(_t63 - 0xa0);
				_t14 = _t63 - 0x40; // 0x4c2f50
				 *(_t63 - 4) = 0;
				E00401AC0(_t14);
				_t67 =  *((intOrPtr*)(_t63 + 0x20));
				if( *((intOrPtr*)(_t63 + 0x20)) != 0) {
					_t17 = _t63 + 0xc; // 0x4c2f40
					_t18 = _t63 - 0x40; // 0x4c2f50
					_push(".");
					_t41 = E0040E23E(__ecx, _t60, _t62, _t67);
					 *(_t63 - 4) = 4;
					E004064B0(_t45, _t41);
					_t20 = _t63 - 0x40; // 0x4c2f50
					 *(_t63 - 4) = 0;
					E00401AC0(_t20);
				}
				 *_t60 = 0x4c2f50;
				 *((intOrPtr*)(_t60 + 0x28)) = 0x4c3454;
				E004053A0(_t45, 0);
				_t23 = _t63 + 0xc; // 0x4c2f40
				E00401AC0(_t23);
				return E0045B878(_t45, _t60, _t62);
			}

0x004133e7
0x004133f1
0x004133f6
0x004133f8
0x004133fb
0x00413402
0x00413408
0x00413411
0x00413420
0x00413424
0x00413430
0x00413434
0x0041343c
0x00413440
0x00413448
0x00413453
0x00413458
0x0041345b
0x0041345f
0x00413464
0x00413468
0x0041346a
0x0041346e
0x00413471
0x00413477
0x00413482
0x00413486
0x0041348b
0x0041348e
0x00413492
0x00413492
0x0041349c
0x004134a2
0x004134a9
0x004134ae
0x004134b1
0x004134bd

APIs

__EH_prolog3_GS.LIBCMT ref: 004133F1

Part of subcall function 00404640: GetLastError.KERNEL32 ref: 004046A7
Part of subcall function 00404640: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040470A
Part of subcall function 00404640: GetLastError.KERNEL32(00000000,00000000,000000FF,?,00000000,?,?), ref: 00404792
Part of subcall function 00404640: SysFreeString.OLEAUT32(?), ref: 004047AC
Part of subcall function 00404640: SysFreeString.OLEAUT32(?), ref: 004047BC

Part of subcall function 004034E0: GetLastError.KERNEL32 ref: 0040354B
Part of subcall function 004034E0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 004035B4
Part of subcall function 004034E0: SysFreeString.OLEAUT32(?), ref: 004036A6

Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402E45
Part of subcall function 00402DE0: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 00402EA5
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402ECE
Part of subcall function 00402DE0: SetLastError.KERNEL32(?,00000000,00000000,000000FF), ref: 00402F2E
Part of subcall function 00402DE0: GetLastError.KERNEL32 ref: 00402F4E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Part of subcall function 0040E23E: __EH_prolog3_GS.LIBCMT ref: 0040E245

Strings

@/L, xrefs: 004134AE, 0041346A, 0041346D
P/L, xrefs: 00413408, 00413458, 0041346E, 0041348B, 0041340B, 00413476
T4L, xrefs: 004134A2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: @/L$P/L$T4L
API String ID: 2549205776-2391459764
Opcode ID: c9a4a808dfc3cd1adc5ec91d670f605057990aa9c9a4578bc32795e18d5775e1
Instruction ID: 7a9d636790a9a3a160191ea15bc6cf011daa79f96cfe6a656dc8e95c47b48196
Opcode Fuzzy Hash: c9a4a808dfc3cd1adc5ec91d670f605057990aa9c9a4578bc32795e18d5775e1
Instruction Fuzzy Hash: 5E219570A01248EEDB05EBA6CD56BDDB7A86F54308F54406EF509B71C2DBBC1B08CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C2FD, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0043C2FD(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t25;
				void* _t26;
				void* _t37;
				void* _t41;
				intOrPtr* _t44;
				void* _t45;
				void* _t46;

				_t46 = __eflags;
				_push(0x3c);
				E0045B8C9(0x4a670a, __ebx, __edi, __esi);
				_t41 = __ecx;
				_t30 =  *((intOrPtr*)(_t45 + 8));
				_push(0);
				_push(__ecx);
				 *((intOrPtr*)(_t45 - 0x48)) = 0;
				 *((intOrPtr*)(_t45 - 0x40)) = 0x4ae964;
				 *((intOrPtr*)(_t45 - 0x18)) = 0x4ae96c;
				E00408E82( *((intOrPtr*)(_t45 + 8)), _t45 - 0x40, __ecx, 0, _t46);
				 *((intOrPtr*)(_t45 - 4)) = 0;
				_t44 = _t41 + 4;
				 *((intOrPtr*)(_t45 - 0x44)) = 0x20;
				if(E0040A017(_t44, _t45 - 0x44, 0, 1) != 0xffffffff) {
					if( *((intOrPtr*)(_t44 + 0x14)) >= 8) {
						_t44 =  *_t44;
					}
					_t25 = 0x22;
					if( *_t44 != _t25) {
						_push(_t25);
						_push(1);
						E0043C209(_t25, _t30, _t45 - 0x3c, 0);
					}
					_t26 = E0040DE71(_t41);
					_t37 = 0x22;
					_t50 = _t26 - _t37;
					if(_t26 != _t37) {
						_push(_t37);
						E00409D00(_t26, _t30, _t45 - 0x3c, _t41, _t44, 1);
					}
				}
				_push(1);
				_t13 = _t45 - 0x40; // 0x4ae964
				E00408E82(_t30, _t30, _t41, _t44, _t50);
				_t14 = _t45 - 0x40; // 0x4ae964
				E00401B80(_t14);
				return E0045B878(_t30, _t41, _t44);
			}

0x0043c2fd
0x0043c2fd
0x0043c304
0x0043c309
0x0043c30b
0x0043c310
0x0043c311
0x0043c315
0x0043c318
0x0043c31f
0x0043c326
0x0043c32d
0x0043c335
0x0043c33b
0x0043c34a
0x0043c350
0x0043c352
0x0043c352
0x0043c356
0x0043c35a
0x0043c35c
0x0043c35d
0x0043c364
0x0043c364
0x0043c36b
0x0043c372
0x0043c373
0x0043c376
0x0043c378
0x0043c37e
0x0043c37e
0x0043c376
0x0043c383
0x0043c385
0x0043c38b
0x0043c390
0x0043c393
0x0043c39f

APIs

__EH_prolog3_GS.LIBCMT ref: 0043C304

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

dJ, xrefs: 0043C385, 0043C388
, xrefs: 0043C33B
lJ, xrefs: 0043C31F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: $dJ$lJ
API String ID: 852442433-4228904431
Opcode ID: 3f0a4861da36dd5a40cbf06b983f3560b0091071b80d416a95a953627830e5ed
Instruction ID: cccd1857e250a2a10cb6b794379f302050849049fab3bff43cad3f7dbb8eaa59
Opcode Fuzzy Hash: 3f0a4861da36dd5a40cbf06b983f3560b0091071b80d416a95a953627830e5ed
Instruction Fuzzy Hash: 6C11C470900314EADB14EBA5C885B9E7674EF04714F10401FF905BB1C1CBB85D49C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040ECC4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040ECC4(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t27;
				intOrPtr* _t28;
				intOrPtr* _t34;
				void* _t37;
				intOrPtr _t39;
				void* _t41;
				void* _t42;
				void* _t43;
				intOrPtr* _t44;
				void* _t47;

				_t47 = __eflags;
				_t37 = __edx;
				_push(0x40);
				E0045B8C9(0x4a1166, __ebx, __edi, __esi);
				_t41 = __ecx;
				_t39 =  *((intOrPtr*)(_t42 + 0x10));
				_t27 =  *((intOrPtr*)(_t42 + 8));
				_push(0);
				_push(_t39);
				_t3 = _t42 - 0x40; // 0x4c2f50
				 *((intOrPtr*)(_t42 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t42 - 0x18)) = 0x4c2f40;
				E00408E82(_t27, _t3, _t39, __ecx, _t47);
				 *(_t42 - 4) =  *(_t42 - 4) & 0x00000000;
				E00449690(E004104AA, _t41);
				_push(0);
				_push(0x8000);
				_t44 = _t43 - 0x30;
				_t34 = _t44;
				 *((intOrPtr*)(_t42 - 0x48)) = _t44;
				_push(0);
				_push(_t39);
				 *_t34 = 0x4c2fa0;
				 *((intOrPtr*)(_t34 + 0x28)) = 0x4c2f40;
				E00408E82(_t27, _t34, _t39, _t41, _t47);
				_t28 = _t27 + 4;
				 *(_t42 - 4) = 1;
				if( *((intOrPtr*)(_t28 + 0x14)) >= 8) {
					_t28 =  *_t28;
				}
				E004091B8(_t44 - 0x30, _t28, _t42 - 0x41, 1);
				 *(_t42 - 4) = 0;
				E0044160B(0, _t37, _t39, _t41, 0);
				E00449690(0, 0);
				E00401B80(_t42 - 0x40);
				return E0045B878(0, _t39, _t41);
			}

0x0040ecc4
0x0040ecc4
0x0040ecc4
0x0040eccb
0x0040ecd0
0x0040ecd2
0x0040ecd5
0x0040ecd8
0x0040ecda
0x0040ecdb
0x0040ecde
0x0040ece5
0x0040ecec
0x0040ecf1
0x0040ecfb
0x0040ed02
0x0040ed04
0x0040ed09
0x0040ed0c
0x0040ed0e
0x0040ed11
0x0040ed13
0x0040ed14
0x0040ed1a
0x0040ed21
0x0040ed26
0x0040ed29
0x0040ed31
0x0040ed33
0x0040ed33
0x0040ed41
0x0040ed48
0x0040ed4b
0x0040ed52
0x0040ed5d
0x0040ed67

APIs

__EH_prolog3_GS.LIBCMT ref: 0040ECCB

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

@/L, xrefs: 0040ECE5
P/L, xrefs: 0040ECDB
@/L, xrefs: 0040ED1A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$@/L$P/L
API String ID: 852442433-1198209084
Opcode ID: 289f2050963f6e4d349e1214516250e40db24174fc05b1f8f683f16665626690
Instruction ID: 64f20cbb7ca406eb5f937ce8dff2e73f4824b47e1a5ff6823248827a8376c90c
Opcode Fuzzy Hash: 289f2050963f6e4d349e1214516250e40db24174fc05b1f8f683f16665626690
Instruction Fuzzy Hash: D8117375900304EBE700EBA5CD86B9E7B74AF15718F60405EF9042B196DBF85909C7AD

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401BE0(void* __eflags) {
				char _v8;
				int _v12;
				int _v16;
				int* _v20;
				int* _v24;
				void* _v28;
				void* _t15;
				signed int _t22;
				signed int _t23;
				void* _t25;

				_v28 = 0;
				_v24 = 0;
				_v20 = 0;
				_t15 = E004018F0( &_v28, 0x80000001, L"SOFTWARE\\InstallShield\\22.0\\Professional", 0x20019);
				_t25 = _v28;
				if(_t15 != 0) {
					L4:
					_t23 = 0;
				} else {
					_v8 = 0;
					_v12 = 4;
					if(RegQueryValueExW(_t25, L"DoVerboseLogging", 0,  &_v16,  &_v8,  &_v12) != 0 || _v16 != 4) {
						goto L4;
					} else {
						_t23 = _t22 & 0xffffff00 | _v8 == 0x00000001;
					}
				}
				if(_t25 != 0) {
					RegCloseKey(_t25);
				}
				return _t23;
			}

0x00401bfa
0x00401c01
0x00401c08
0x00401c0f
0x00401c14
0x00401c19
0x00401c56
0x00401c56
0x00401c1b
0x00401c2f
0x00401c36
0x00401c45
0x00000000
0x00401c4d
0x00401c51
0x00401c51
0x00401c45
0x00401c5a
0x00401c5d
0x00401c5d
0x00401c6a

APIs

Part of subcall function 004018F0: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401914
Part of subcall function 004018F0: RegCloseKey.ADVAPI32(00000000), ref: 00401977

RegQueryValueExW.ADVAPI32(00000000,DoVerboseLogging,00000000,?,?,?), ref: 00401C3D
RegCloseKey.ADVAPI32(00000000), ref: 00401C5D

Strings

SOFTWARE\InstallShield\22.0\Professional, xrefs: 00401BED
DoVerboseLogging, xrefs: 00401C29

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Close$HandleModuleQueryValue
String ID: DoVerboseLogging$SOFTWARE\InstallShield\22.0\Professional
API String ID: 2971604672-398011643
Opcode ID: 8cc20be989dc51849c091718715fdedceaf8bed04bd78701e6e68f63824f9245
Instruction ID: 1cc1df9e7d31757cdd2194b6cee3a3b915efef72443f0914441939a2da38a891
Opcode Fuzzy Hash: 8cc20be989dc51849c091718715fdedceaf8bed04bd78701e6e68f63824f9245
Instruction Fuzzy Hash: 5801D475D85229EBEF10DF90C845BEFBBBCAB00305F10006AE905B2180D3B85B48CBE9

Uniqueness

Uniqueness Score: -1.00%

Function 0040E35C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040E35C(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr* _t35;
				void* _t36;

				_t27 = __ecx;
				_t26 = __ebx;
				_push(0x2c);
				E0045B8C9(0x4a0fb4, __ebx, __edi, __esi);
				_t35 = __ecx;
				 *((intOrPtr*)(_t36 - 0x38)) = __ecx;
				if( *((intOrPtr*)(_t36 + 0xc)) != 0) {
					 *__ecx = 0x4c2f50;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c3454;
				}
				_t33 = 0;
				E00403F50(_t27, _t36 - 0x31, 0);
				 *((intOrPtr*)(_t36 - 4)) = 0;
				E0045CB7C( *((intOrPtr*)(_t36 + 8)), _t36 - 0x30, 0x10, 0xa);
				if( *((intOrPtr*)(_t36 - 0x30)) != 0) {
					_t33 = E0045B5D4(_t36 - 0x30);
				}
				_push(_t33);
				_push(_t36 - 0x30);
				E00406EB0(_t26, _t35 + 4, _t33, _t35);
				SetLastError( *( *((intOrPtr*)( *_t35 + 4)) + _t35));
				return E0045B878(_t26, _t33, _t35);
			}

0x0040e35c
0x0040e35c
0x0040e35c
0x0040e363
0x0040e368
0x0040e36e
0x0040e371
0x0040e373
0x0040e379
0x0040e379
0x0040e380
0x0040e387
0x0040e397
0x0040e39a
0x0040e3a6
0x0040e3b2
0x0040e3b2
0x0040e3b4
0x0040e3b8
0x0040e3bc
0x0040e3c9
0x0040e3d6

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E363
__itow_s.LIBCMT ref: 0040E39A
SetLastError.KERNEL32(?,?,00000000,00000001), ref: 0040E3C9

Strings

T4L, xrefs: 0040E379

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last__itow_s
String ID: T4L
API String ID: 3681815494-1354015026
Opcode ID: 93d8a98974931669597e84cf0fe73a075055e349f5b6a5ed09eafe4503104574
Instruction ID: f1ef69440b21ec92f15213ddb203a28be4cea890c84e1ea6b4a8fdf8eb887722
Opcode Fuzzy Hash: 93d8a98974931669597e84cf0fe73a075055e349f5b6a5ed09eafe4503104574
Instruction Fuzzy Hash: E101B175800208ABD710FF92D841EAEB7B8FF44704F10442EF945AB281DB799949CB88

Uniqueness

Uniqueness Score: -1.00%

Function 004108FE, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,0040E8EA,?,?,00000000,?,?,?,?,?,?), ref: 0041090E
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 0041091E

Strings

Advapi32.dll, xrefs: 00410909
RegCreateKeyTransactedW, xrefs: 00410918

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: c83e1466f133f5e565ba8414087bb2036b09d6c06009ef89a88353506975e311
Instruction ID: c05c990c2d585fc2824dd3440cc7b36747f037b6809ac8df7c296296ccd00d78
Opcode Fuzzy Hash: c83e1466f133f5e565ba8414087bb2036b09d6c06009ef89a88353506975e311
Instruction Fuzzy Hash: 30F0373211020AEFEF124FA6DC04BDA7FA5AB09751F04442AFA14A1060C2BAC4E0EB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041FFBE, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 18%

			E0041FFBE(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8) {
				struct HINSTANCE__* _t7;
				_Unknown_base(*)()* _t8;
				intOrPtr* _t12;

				_t12 = __ecx;
				if( *__ecx == 0) {
					if( *((intOrPtr*)(__ecx + 4)) == 0) {
						L6:
						return 1;
					}
					return RegDeleteKeyW();
				}
				_t7 = GetModuleHandleW(L"Advapi32.dll");
				if(_t7 == 0) {
					goto L6;
				}
				_t8 = GetProcAddress(_t7, "RegDeleteKeyTransactedW");
				if(_t8 == 0) {
					goto L6;
				}
				return  *_t8(_a4, _a8, 0, 0,  *_t12, 0);
			}

0x0041ffc3
0x0041ffc9
0x0041fffc
0x00420007
0x00000000
0x00420009
0x00420001
0x00420001
0x0041ffd0
0x0041ffd8
0x00000000
0x00000000
0x0041ffe0
0x0041ffe8
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,00419946,?,?), ref: 0041FFD0
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0041FFE0

Strings

Advapi32.dll, xrefs: 0041FFCB
RegDeleteKeyTransactedW, xrefs: 0041FFDA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 0ba60a18c799aa4345ffb6d140ba8f83c471c837a2351b3be0247abd72d400ac
Instruction ID: b497e90d21b50c5e3b9b42a160a26c599dc31988882c36d66a68abaf951740e8
Opcode Fuzzy Hash: 0ba60a18c799aa4345ffb6d140ba8f83c471c837a2351b3be0247abd72d400ac
Instruction Fuzzy Hash: E7F08236704215EB9B301EA7FC04E67BFE9EBC2B65310403BB555C1110C6BA8482D7A8

Uniqueness

Uniqueness Score: -1.00%

Function 00401820, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00401830
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 00401840

Strings

Advapi32.dll, xrefs: 0040182B
RegOpenKeyTransactedW, xrefs: 0040183A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: 352e823b9f780ac13da28e5b479450b2374df0ed46c6a572c3d5d0b2c78ddd51
Instruction ID: d0bb64c75dc60e8bd2f98a84e8563cd39cd9bd73ca4ad5fc3a144f34ce47f663
Opcode Fuzzy Hash: 352e823b9f780ac13da28e5b479450b2374df0ed46c6a572c3d5d0b2c78ddd51
Instruction Fuzzy Hash: F4F05B33100219ABDF215FA5DC04FD77BA5EB04751F04843BF910911B0C7B6C5A0D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00409574, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00409574(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				long _t32;
				intOrPtr* _t34;
				void* _t35;

				_t22 = __ebx;
				_push(0x38);
				E0045B8C9(0x4a04b6, __ebx, __edi, __esi);
				_t34 = __ecx;
				_t32 = GetLastError();
				if( *((char*)(_t34 + 4)) != 0) {
					_t28 =  !=  ?  *((void*)( *_t34 + 0x24)) : 0x4c2d7c;
					E00404260( *_t34, _t32,  !=  ?  *((void*)( *_t34 + 0x24)) : 0x4c2d7c);
				}
				_t39 =  *((intOrPtr*)(_t34 + 8));
				if( *((intOrPtr*)(_t34 + 8)) != 0) {
					_push(1);
					_push(_t35 - 0x41);
					_push( *((intOrPtr*)(_t34 + 8)));
					E004090B1(_t22, _t35 - 0x40, _t32, _t34, _t39);
					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
					E004095E2( *_t34, _t35 - 0x40);
					E00401B80(_t35 - 0x40);
				}
				SetLastError(_t32);
				return E0045B878(_t22, _t32, _t34);
			}

0x00409574
0x00409574
0x0040957b
0x00409580
0x0040958c
0x0040958e
0x0040959b
0x004095a2
0x004095a2
0x004095a7
0x004095ab
0x004095ad
0x004095b2
0x004095b3
0x004095b9
0x004095c0
0x004095c8
0x004095d0
0x004095d0
0x004095d6
0x004095e1

APIs

__EH_prolog3_GS.LIBCMT ref: 0040957B
GetLastError.KERNEL32(00000038,0040DDFB,004492A1,?,004AFFA0), ref: 00409582
SetLastError.KERNEL32(00000000), ref: 004095D6

Strings

|-L, xrefs: 00409592

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3_
String ID: |-L
API String ID: 3339191932-4259979122
Opcode ID: 24f43d2936b3ad16fab0b86d5cca8314c2428bcf3ba4f71db9654ee6d5e40029
Instruction ID: 714b6096e22ced05593d0ab476309d218eb8cdadfdafa15c31b76b9f64aaa364
Opcode Fuzzy Hash: 24f43d2936b3ad16fab0b86d5cca8314c2428bcf3ba4f71db9654ee6d5e40029
Instruction Fuzzy Hash: D8F0DC31500205DBDB15EB62C854B6DB3B8AF84309F00446EE042671D2CB7DEC4ACB48

Uniqueness

Uniqueness Score: -1.00%

Function 0042EB76, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042EB76(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				intOrPtr* _t34;
				void* _t35;

				_t32 = __edi;
				_t25 = __ebx;
				_push(0x9c);
				E0045B8C9(0x4a53ba, __ebx, __edi, __esi);
				_t1 = _t35 + 0xc; // 0x4c2f40
				_t15 =  *_t1;
				 *(_t35 - 0xa8) =  *(_t35 - 0xa8) & 0x00000000;
				_t34 =  *((intOrPtr*)(_t35 + 8));
				_t37 = _t15 -  *((intOrPtr*)(__ecx + 0x270));
				if(_t15 >=  *((intOrPtr*)(__ecx + 0x270))) {
					E00402CE0(0x4c2d7c, _t35 - 0xa1, 1);
				} else {
					_push(E0042BD91(__ecx + 0x26c, _t15));
					_t6 = _t35 - 0xa0; // 0x4c2f50
					E0042B372(__ebx, _t6, __edi, _t34, _t37);
					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
					_t9 = _t35 - 0xa0; // 0x4c2f50
					 *_t34 = 0x4c2f50;
					 *((intOrPtr*)(_t34 + 0x28)) = 0x4c3454;
					E004053A0(_t9, 0);
					_t11 = _t35 - 0xa0; // 0x4c2f50
					E0042BB30(_t11);
				}
				return E0045B878(_t25, _t32, _t34);
			}

0x0042eb76
0x0042eb76
0x0042eb76
0x0042eb80
0x0042eb85
0x0042eb85
0x0042eb88
0x0042eb8f
0x0042eb92
0x0042eb98
0x0042ebf0
0x0042eb9a
0x0042eba6
0x0042eba7
0x0042ebad
0x0042ebb2
0x0042ebb8
0x0042ebc1
0x0042ebc7
0x0042ebce
0x0042ebd3
0x0042ebd9
0x0042ebd9
0x0042ebfc

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EB80

Part of subcall function 0042B372: __EH_prolog3.LIBCMT ref: 0042B379

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Strings

T4L, xrefs: 0042EBC7
@/L, xrefs: 0042EB85
P/L, xrefs: 0042EBA7, 0042EBB8, 0042EBD3, 0042EBBE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$P/L$T4L
API String ID: 852442433-2391459764
Opcode ID: b521b9e8a0eb1982a89142fc4228f5c671f80368455959cfe83671b35a8e2059
Instruction ID: af6a2a3d42fc4d4bd8d9ac51efb98c074333b93382f2d28669a15749c97e7c87
Opcode Fuzzy Hash: b521b9e8a0eb1982a89142fc4228f5c671f80368455959cfe83671b35a8e2059
Instruction Fuzzy Hash: 600162307106289ADB51EA51C855BAD7368EB10304F90409EF449AA181CBBC6A498B9D

Uniqueness

Uniqueness Score: -1.00%

Function 0042EC5A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0042EC5A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t15;
				intOrPtr* _t34;
				void* _t35;

				_t32 = __edi;
				_t25 = __ebx;
				_push(0x9c);
				E0045B8C9(0x4a53ed, __ebx, __edi, __esi);
				_t1 = _t35 + 0xc; // 0x4c2f40
				_t15 =  *_t1;
				 *(_t35 - 0xa8) =  *(_t35 - 0xa8) & 0x00000000;
				_t34 =  *((intOrPtr*)(_t35 + 8));
				_t37 = _t15 -  *((intOrPtr*)(__ecx + 0x270));
				if(_t15 >=  *((intOrPtr*)(__ecx + 0x270))) {
					E00402CE0(0x4c2d7c, _t35 - 0xa1, 1);
				} else {
					_push(E0042BD91(__ecx + 0x26c, _t15));
					_t6 = _t35 - 0xa0; // 0x4c2f50
					E0042B372(__ebx, _t6, __edi, _t34, _t37);
					 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
					 *_t34 = 0x4c2f50;
					 *((intOrPtr*)(_t34 + 0x28)) = 0x4c3454;
					E004053A0(_t35 - 0x70, 0);
					_t11 = _t35 - 0xa0; // 0x4c2f50
					E0042BB30(_t11);
				}
				return E0045B878(_t25, _t32, _t34);
			}

0x0042ec5a
0x0042ec5a
0x0042ec5a
0x0042ec64
0x0042ec69
0x0042ec69
0x0042ec6c
0x0042ec73
0x0042ec76
0x0042ec7c
0x0042ecd1
0x0042ec7e
0x0042ec8a
0x0042ec8b
0x0042ec91
0x0042ec96
0x0042eca2
0x0042eca8
0x0042ecaf
0x0042ecb4
0x0042ecba
0x0042ecba
0x0042ecdd

APIs

__EH_prolog3_GS.LIBCMT ref: 0042EC64

Part of subcall function 0042B372: __EH_prolog3.LIBCMT ref: 0042B379

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Strings

T4L, xrefs: 0042ECA8
P/L, xrefs: 0042EC8B, 0042ECB4
@/L, xrefs: 0042EC69

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$P/L$T4L
API String ID: 852442433-2391459764
Opcode ID: 542b30c6d5f948fddc74e2aff3da8cbf2a4165f0d2189cc3a7cd80ee7877752e
Instruction ID: bdd26f5ffe7693356e215ab822daa22b0cac1f24d1f3de357a84935acf32bc51
Opcode Fuzzy Hash: 542b30c6d5f948fddc74e2aff3da8cbf2a4165f0d2189cc3a7cd80ee7877752e
Instruction Fuzzy Hash: F1F08170B106289ADB51EB52CC41BED73B8FF10708F90409EF449AB181CBBD5A498B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00408FDF, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408FDF(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t34;
				void* _t38;

				_push(4);
				E0045B896(0x4a03d1, __ebx, __edi, __esi);
				_t34 = __ecx;
				 *((intOrPtr*)(_t38 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t38 + 0x14)) != 0) {
					 *__ecx = 0x4c346c;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c2f90;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 4)) + _t34)) = GetLastError();
				_push( *((intOrPtr*)(_t38 + 0x10)));
				_t24 =  !=  ?  *((void*)(_t38 + 8)) : 0x4c2d7c;
				 *((intOrPtr*)(_t38 - 4)) = 0;
				E004092A6(_t34 + 4,  !=  ?  *((void*)(_t38 + 8)) : 0x4c2d7c,  *((intOrPtr*)(_t38 + 0xc)));
				 *((intOrPtr*)(_t34 + 0x1c)) = 0;
				 *((intOrPtr*)(_t34 + 0x20)) = 0;
				 *((intOrPtr*)(_t34 + 0x24)) = 0;
				_t16 =  *((intOrPtr*)(_t34 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t16 + _t34 + 0x28));
				return E0045B864(_t34);
			}

0x00408fdf
0x00408fe6
0x00408feb
0x00408fed
0x00408ff4
0x00408ff6
0x00408ffc
0x00408ffc
0x0040900e
0x00409011
0x00409021
0x00409029
0x0040902c
0x00409031
0x00409034
0x00409037
0x0040903d
0x00409044
0x00409051

APIs

__EH_prolog3.LIBCMT ref: 00408FE6
GetLastError.KERNEL32(00000004,00409224,00000000,?,0043A706,00000000,00000000,?,00409F4E,?,00000000,?,00000001,00000048,00409E02,004C2FA0), ref: 00409008
SetLastError.KERNEL32(?,00000000,?,0043A706,?,00409F4E,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000), ref: 00409044

Strings

|-L, xrefs: 0040901C

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID: |-L
API String ID: 3502553090-4259979122
Opcode ID: ea055b06ae94e280d7ba610d09059c28fdaebb8ea6135063e608ee3838a4fbef
Instruction ID: 7135aa5b5c6711000976b1a5063b62f77656cbc11f1e0439027cdd843273076e
Opcode Fuzzy Hash: ea055b06ae94e280d7ba610d09059c28fdaebb8ea6135063e608ee3838a4fbef
Instruction Fuzzy Hash: E3014675500616EFCB01DF06C944A59BBF4FF48715B01862AF8189BB62C7B8EA60DFC8

Uniqueness

Uniqueness Score: -1.00%

Function 00408F6D, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00408F6D(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t33;
				void* _t37;

				_push(4);
				E0045B896(0x4a03ae, __ebx, __edi, __esi);
				_t33 = __ecx;
				 *((intOrPtr*)(_t37 - 0x10)) = __ecx;
				if( *((intOrPtr*)(_t37 + 0x10)) != 0) {
					 *__ecx = 0x4c346c;
					 *((intOrPtr*)(__ecx + 0x28)) = 0x4c2f90;
				}
				 *((intOrPtr*)( *((intOrPtr*)( *_t33 + 4)) + _t33)) = GetLastError();
				_push( *((intOrPtr*)(_t37 + 0xc)));
				_t23 =  !=  ?  *((void*)(_t37 + 8)) : 0x4c2d7c;
				 *((intOrPtr*)(_t37 - 4)) = 0;
				E00409281(_t33 + 4,  !=  ?  *((void*)(_t37 + 8)) : 0x4c2d7c);
				 *((intOrPtr*)(_t33 + 0x1c)) = 0;
				 *((intOrPtr*)(_t33 + 0x20)) = 0;
				 *((intOrPtr*)(_t33 + 0x24)) = 0;
				_t15 =  *((intOrPtr*)(_t33 + 0x28)) + 4; // 0x4
				SetLastError( *( *_t15 + _t33 + 0x28));
				return E0045B864(_t33);
			}

0x00408f6d
0x00408f74
0x00408f79
0x00408f7b
0x00408f82
0x00408f84
0x00408f8a
0x00408f8a
0x00408f9c
0x00408f9f
0x00408fac
0x00408fb4
0x00408fb7
0x00408fbc
0x00408fbf
0x00408fc2
0x00408fc8
0x00408fcf
0x00408fdc

APIs

__EH_prolog3.LIBCMT ref: 00408F74
GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Strings

|-L, xrefs: 00408FA7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID: |-L
API String ID: 3502553090-4259979122
Opcode ID: cfc2000ee13a5fea6fa1c3e4b53b8b5579969b4e49a6ef0b610d8f3ceed3100f
Instruction ID: 11c2ddc2d380f58d602622aad08fd9f85eeb82a680d69af7e01571d9ba459ec7
Opcode Fuzzy Hash: cfc2000ee13a5fea6fa1c3e4b53b8b5579969b4e49a6ef0b610d8f3ceed3100f
Instruction Fuzzy Hash: 450146B5500612EFCB019F19C944A59BBF4FF18705B01822EF8148BB51C7B8E960CFC8

Uniqueness

Uniqueness Score: -1.00%

Function 00445FB9, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00445FB9(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12) {
				_Unknown_base(*)()* _t7;
				intOrPtr* _t11;

				_t11 = _a4;
				if(_t11 == 0) {
					L6:
					return 0;
				}
				_t7 = GetProcAddress(GetModuleHandleW(L"Advapi32.lib"), "IsTextUnicode");
				if(_t7 == 0) {
					L4:
					if(_a8 < 2 ||  *_t11 != 0xfeff) {
						goto L6;
					} else {
						L3:
						return 1;
					}
				}
				_push(_a12);
				_push(_a8);
				_push(_t11);
				if( *_t7() == 0) {
					goto L4;
				}
				goto L3;
			}

0x00445fbd
0x00445fc2
0x00446000
0x00000000
0x00446000
0x00445fd5
0x00445fdd
0x00445ff0
0x00445ff4
0x00000000
0x00445fec
0x00445fec
0x00000000
0x00445fec
0x00445ff4
0x00445fdf
0x00445fe2
0x00445fe5
0x00445fea
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNEL32(Advapi32.lib,IsTextUnicode), ref: 00445FCE
GetProcAddress.KERNEL32(00000000), ref: 00445FD5

Strings

Advapi32.lib, xrefs: 00445FC9
IsTextUnicode, xrefs: 00445FC4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.lib$IsTextUnicode
API String ID: 1646373207-3723215607
Opcode ID: 1e844ae8459809b4531c415c7125214c5ae695be30b9232cf70e5085d4d845a9
Instruction ID: 5890916d41243b8dae1628dc5aed9f08788239c8a3b298eb17c7d36771733127
Opcode Fuzzy Hash: 1e844ae8459809b4531c415c7125214c5ae695be30b9232cf70e5085d4d845a9
Instruction Fuzzy Hash: 62E0ED32200326A7AF308FA59C05AAB3B6C9B027183094027FD1597241CA3DD8449BAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040E23E, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040E23E(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t22;
				void* _t32;

				_push(0x3c);
				E0045B8C9(0x4a0f64, __ebx, __edi, __esi);
				_t1 = _t32 + 0xc; // 0x4c2f40
				_t22 =  *((intOrPtr*)(_t32 + 8));
				 *(_t32 - 0x48) =  *(_t32 - 0x48) & 0x00000000;
				_t31 = E00402CE0( *_t1, _t32 - 0x41, 1);
				 *(_t32 - 4) =  *(_t32 - 4) & 0x00000000;
				E004064B0(_t15,  *((intOrPtr*)(_t32 + 0x10)));
				 *_t22 = 0x4c2f50;
				 *((intOrPtr*)(_t22 + 0x28)) = 0x4c3454;
				E004053A0(_t15, 0);
				_t11 = _t32 - 0x40; // 0x4c2f50
				E00401AC0(_t11);
				return E0045B878(_t22,  *((intOrPtr*)(_t32 + 0x10)), _t31);
			}

0x0040e23e
0x0040e245
0x0040e24a
0x0040e24d
0x0040e253
0x0040e266
0x0040e268
0x0040e26f
0x0040e279
0x0040e27f
0x0040e286
0x0040e28b
0x0040e28e
0x0040e29a

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E245

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

P/L, xrefs: 0040E25E, 0040E28B
@/L, xrefs: 0040E24A, 0040E25D
T4L, xrefs: 0040E27F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: @/L$P/L$T4L
API String ID: 2549205776-2391459764
Opcode ID: 03acca1fd10c74d24323e4ac8bcb1e2e1618de5294f8b1fd4570b5cc9c8217b9
Instruction ID: 0cce9d4a209e61f97a9b47e53ff479a0c066b02d32d24b5715c309192cc3a6ce
Opcode Fuzzy Hash: 03acca1fd10c74d24323e4ac8bcb1e2e1618de5294f8b1fd4570b5cc9c8217b9
Instruction Fuzzy Hash: 3DF03A306102049BDB15AF52CC82B9E73B8EF44319F50402EF801BB2C2CBBC69098B9C

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE4A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040FE4A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				void* _t18;
				void* _t34;
				void* _t35;
				void* _t36;

				_t36 = __eflags;
				_push(0x68);
				E0045B8C9(0x4a139f, __ebx, __edi, __esi);
				_t34 = __ecx;
				_t2 = _t35 - 0x40; // 0x4c2f50
				 *((intOrPtr*)(_t35 - 0x40)) = 0x4c2fa0;
				 *((intOrPtr*)(_t35 - 0x18)) = 0x4c2f40;
				E00408F6D(__ebx, _t2, __edi, __ecx, _t36, L".msi", _t35 - 0x71, 0);
				 *(_t35 - 4) =  *(_t35 - 4) & 0x00000000;
				_t18 = E00412B80(E00412A66(_t34 + 0x2b4, _t35 - 0x70),  *(_t35 - 4), _t35 - 0x40);
				E00401B80(_t35 - 0x70);
				E00401B80(_t35 - 0x40);
				return E0045B878(_t18, __edi, _t34);
			}

0x0040fe4a
0x0040fe4a
0x0040fe51
0x0040fe56
0x0040fe63
0x0040fe66
0x0040fe6d
0x0040fe74
0x0040fe79
0x0040fe92
0x0040fe9c
0x0040fea4
0x0040feb0

APIs

__EH_prolog3_GS.LIBCMT ref: 0040FE51

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

.msi, xrefs: 0040FE5E
@/L, xrefs: 0040FE6D
P/L, xrefs: 0040FE63

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3H_prolog3_
String ID: .msi$@/L$P/L
API String ID: 2488494826-2155816099
Opcode ID: fd15ecd826eac210701781a8a2a745f6d5705c00dfd5ed30b3ef55108b61113d
Instruction ID: 3cdf05d3261ec0b94858fc3038958056e2019a3cf048a1bf83050081c13c2f81
Opcode Fuzzy Hash: fd15ecd826eac210701781a8a2a745f6d5705c00dfd5ed30b3ef55108b61113d
Instruction Fuzzy Hash: BFF03074910118DACB14FBA1C952BED73B8BF14748F80015EF41167192DFBC6A0DCB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044378D, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0044378D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				_Unknown_base(*)()* _t6;

				_t6 = GetProcAddress(GetModuleHandleW(L"Kernel32"), "GetDiskFreeSpaceExW");
				if(_t6 == 0) {
					return 0;
				} else {
					return  *_t6(_a4, _a8, _a12, _a16);
				}
			}

0x004437a1
0x004437a9
0x004437be
0x004437ab
0x004437ba
0x004437ba

APIs

GetModuleHandleW.KERNEL32(Kernel32,GetDiskFreeSpaceExW), ref: 0044379A
GetProcAddress.KERNEL32(00000000), ref: 004437A1

Strings

Kernel32, xrefs: 00443795
GetDiskFreeSpaceExW, xrefs: 00443790

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetDiskFreeSpaceExW$Kernel32
API String ID: 1646373207-300760764
Opcode ID: d91d437af47b918228b8eab5f9f107c9f45eabe9f24496bacdefd599c3a852ec
Instruction ID: e2af81fbee1a4222c662d4fb00cc12080ff96f2bc9f21d5b09bcb8d11ae410ab
Opcode Fuzzy Hash: d91d437af47b918228b8eab5f9f107c9f45eabe9f24496bacdefd599c3a852ec
Instruction Fuzzy Hash: E6D05E72144208BBDF015FE9EC08D9A3F69EB44B547044465FD1C91060C77BC520AB68

Uniqueness

Uniqueness Score: -1.00%

Function 00444817, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 16
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00444817(intOrPtr _a4) {
				_Unknown_base(*)()* _t3;

				_t3 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetProcessId");
				if(_t3 == 0) {
					return 0;
				} else {
					return  *_t3(_a4);
				}
			}

0x0044482b
0x00444833
0x0044483f
0x00444835
0x0044483b
0x0044483b

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,GetProcessId), ref: 00444824
GetProcAddress.KERNEL32(00000000), ref: 0044482B

Strings

kernel32.dll, xrefs: 0044481F
GetProcessId, xrefs: 0044481A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetProcessId$kernel32.dll
API String ID: 1646373207-399901964
Opcode ID: f2698d3107329d0d2acceb1f59049789d40aba2147da7d285d87ccfc0c815085
Instruction ID: ee93fd962a4e704cc6191df0c74bc4abb2c3d25071bdf5bb63bce5f2597ed56f
Opcode Fuzzy Hash: f2698d3107329d0d2acceb1f59049789d40aba2147da7d285d87ccfc0c815085
Instruction Fuzzy Hash: 49D012312843086BAE006FF6BC09E567F5C9A91B513040436B81CC1051DA7BD450966C

Uniqueness

Uniqueness Score: -1.00%

Function 00485FB0, Relevance: 6.3, APIs: 5, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E00485FB0(intOrPtr _a4, int _a8, char* _a16) {
				int _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				signed int _t36;
				intOrPtr _t44;
				int _t45;
				int _t55;
				intOrPtr* _t57;
				intOrPtr* _t67;
				short* _t71;
				signed int _t73;

				_push(0xffffffff);
				_push(0x4aafb9);
				_push( *[fs:0x0]);
				_push(_t57);
				_t36 =  *0x4d7e88; // 0x9518852c
				_push(_t36 ^ _t73);
				 *[fs:0x0] =  &_v16;
				_t67 = _t57;
				_v20 = _t67;
				if(_a16 != 0) {
					 *_t67 = 0x4c2f78;
					 *((intOrPtr*)(_t67 + 0x28)) = 0x4c2fa8;
				}
				 *( *((intOrPtr*)( *_t67 + 4)) + _t67) = GetLastError();
				_t71 = _t67 + 4;
				_t71[0xa] = 7;
				_t71[8] = 0;
				_v8 = 0;
				 *_t71 = 0;
				 *((intOrPtr*)(_t67 + 0x1c)) = 0;
				 *((intOrPtr*)(_t67 + 0x20)) = 0;
				 *((intOrPtr*)(_t67 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0x28)) + 4)) + _t67 + 0x28));
				_t44 = _a4;
				_t59 =  !=  ? _t44 : 0x4c2bd0;
				_v8 = 3;
				_a16 =  !=  ? _t44 : 0x4c2bd0;
				_t45 = MultiByteToWideChar(0, 0, 0x4c2bd0, _a8, 0, 0);
				_t60 = _t71[8];
				_t55 = _t45;
				if(_t55 > _t71[8]) {
					_push(0);
					E00406570(_t45 - _t60, _t55, _t71, _t67, _t45 - _t60);
				} else {
					_t71[8] = _t55;
					if(_t71[0xa] < 8) {
						_t71[_t55] = 0;
					} else {
						 *((short*)( *_t71 + _t55 * 2)) = 0;
					}
				}
				if(_t71[0xa] >= 8) {
					_t71 =  *_t71;
				}
				MultiByteToWideChar(0, 0, _a16, _a8, _t71, _t55);
				SetLastError( *( *((intOrPtr*)( *_t67 + 4)) + _t67));
				 *[fs:0x0] = _v16;
				return _t67;
			}

0x00485fb3
0x00485fb5
0x00485fc0
0x00485fc1
0x00485fc5
0x00485fcc
0x00485fd0
0x00485fd6
0x00485fd8
0x00485fdf
0x00485fe1
0x00485fe7
0x00485fe7
0x00485ff9
0x00485ffc
0x00486001
0x00486008
0x0048600f
0x00486016
0x00486019
0x0048601c
0x0048601f
0x0048602c
0x00486032
0x00486043
0x0048604b
0x0048604f
0x00486052
0x00486058
0x0048605b
0x0048605f
0x00486080
0x00486085
0x00486061
0x00486065
0x00486068
0x00486078
0x0048606a
0x0048606e
0x0048606e
0x00486068
0x0048608e
0x00486090
0x00486090
0x0048609e
0x004860ac
0x004860b7
0x004860c5

APIs

GetLastError.KERNEL32(9518852C,?,?,?,?,00000000,004AAFB9,000000FF,?,00485F4A,?,00000000), ref: 00485FF3
SetLastError.KERNEL32(?,?,00485F4A,?,00000000), ref: 0048602C
MultiByteToWideChar.KERNEL32(00000000,00000000,004C2BD0,?,00000000,00000000,?,00485F4A,?,00000000), ref: 00486052
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,00485F4A,?,00000000), ref: 0048609E
SetLastError.KERNEL32(?,?,00485F4A,?,00000000), ref: 004860AC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$ByteCharMultiWide
String ID:
API String ID: 3361762293-0
Opcode ID: f0bbbf2a11e0f237163f922194f58a55702dddeddcada36f90401c58c9216d03
Instruction ID: cf214800c4b9537dc2f9a1ef72162d9cd2e773d5810633010d7e9cd007b42dfc
Opcode Fuzzy Hash: f0bbbf2a11e0f237163f922194f58a55702dddeddcada36f90401c58c9216d03
Instruction Fuzzy Hash: B6317571600605EFD724CF28D844B5ABBF4FF09710F114A2EE90ADBBA0D7B5A910CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00409E2B, Relevance: 6.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00409E2B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t42;
				short* _t48;
				void* _t53;
				signed int _t59;
				char* _t62;
				int _t66;
				void* _t88;
				signed int _t89;
				int _t93;
				void* _t96;
				void* _t102;

				_push(0x48);
				E0045B8C9(0x4a0587, __ebx, __edi, __esi);
				_t95 =  *(_t96 + 0x14);
				_t92 =  *(_t96 + 0xc);
				_t68 =  *(_t96 + 0x10);
				 *((intOrPtr*)(_t96 - 0x48)) =  *((intOrPtr*)(_t96 + 8));
				 *(_t96 - 0x54) = _t92;
				 *(_t96 - 0x4c) = _t68;
				if(_t95 == 0x4b0 || _t95 == 0x4b1) {
					__eflags = _t68 - 0xffffffff;
					if(_t68 == 0xffffffff) {
						_t68 = E0045B5D4(_t92) + _t57;
						__eflags = _t68;
					}
					__eflags = _t95 - 0x4b1;
					if(__eflags != 0) {
						__eflags = _t68 >> 1;
						_t42 = E004091F0(_t96 - 0x40, _t92, _t68 >> 1, _t96 - 0x41, 1);
						 *(_t96 - 4) = 2;
						E004095E2( *((intOrPtr*)(_t96 - 0x48)), _t42);
						E00401B80(_t96 - 0x40);
					} else {
						_t22 = _t68 + 1; // 0x1
						_t48 = E00459ADF(_t68, _t88, _t92, __eflags);
						_t95 = _t48;
						 *(_t96 - 0x50) = _t48;
						 *(_t96 - 4) =  *(_t96 - 4) & 0x00000000;
						E0045A76C(_t92, _t48, _t92, _t48, _t68);
						_t53 = E004091F0(_t96 - 0x40, _t95, _t68 >> 1, _t96 - 0x41, 1);
						 *(_t96 - 4) = 1;
						E004095E2( *((intOrPtr*)(_t96 - 0x48)), _t53);
						E00401B80(_t96 - 0x40);
						L0045A2FE(_t95);
					}
				} else {
					_t102 = _t68 - 0xffffffff;
					if(_t102 == 0) {
						_t66 = E0045AF00(_t92);
						_t68 = _t66;
						 *(_t96 - 0x4c) = _t66;
					}
					_t9 = _t68 + 1; // 0x1
					_t68 = MultiByteToWideChar;
					_t59 = MultiByteToWideChar(_t95, 0, _t92, _t9, 0, 0);
					_t89 = 2;
					_t93 = _t59;
					_push( ~(0 | _t102 > 0x00000000) | _t59 * _t89);
					_t95 = E00459ADF(MultiByteToWideChar, _t59 * _t89 >> 0x20, _t93, _t102);
					 *(_t96 - 0x50) = _t95;
					 *(_t96 - 4) = 3;
					_t62 = MultiByteToWideChar( *(_t96 + 0x14), 0,  *(_t96 - 0x54),  *(_t96 - 0x4c), _t95, _t93);
					_t92 = _t62;
					if(_t62 > 0) {
						E004075B0( *((intOrPtr*)(_t96 - 0x48)) + 4, _t92, _t95, _t92);
					}
					L0045A2FE(_t95);
				}
				return E0045B878(_t68, _t92, _t95);
			}

0x00409e2b
0x00409e32
0x00409e37
0x00409e3d
0x00409e40
0x00409e43
0x00409e46
0x00409e49
0x00409e52
0x00409ed3
0x00409ed6
0x00409ee1
0x00409ee1
0x00409ee1
0x00409ee3
0x00409ee9
0x00409f42
0x00409f49
0x00409f52
0x00409f59
0x00409f61
0x00409eeb
0x00409eeb
0x00409eef
0x00409ef4
0x00409ef6
0x00409ef9
0x00409f00
0x00409f17
0x00409f20
0x00409f24
0x00409f2c
0x00409f32
0x00409f37
0x00409e5c
0x00409e5c
0x00409e5f
0x00409e62
0x00409e68
0x00409e6a
0x00409e6a
0x00409e71
0x00409e74
0x00409e7e
0x00409e84
0x00409e85
0x00409e90
0x00409e96
0x00409e99
0x00409ea1
0x00409eb0
0x00409eb2
0x00409eb6
0x00409ec0
0x00409ec0
0x00409ec6
0x00409ecc
0x00409f6d

APIs

__EH_prolog3_GS.LIBCMT ref: 00409E32
_strlen.LIBCMT ref: 00409E62
MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181,?,004C2BD0), ref: 00409E7E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 00409EB0

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ByteCharMultiWide$H_prolog3__strlen
String ID:
API String ID: 708778256-0
Opcode ID: fdb7fbcecc0de35e6bf011b60a946661aab230ed4ba339ae783562993b9cbf67
Instruction ID: c16194bb0586814343e66e998a05e2ed2fd8b15da2402ce4b41418a516c6c1c6
Opcode Fuzzy Hash: fdb7fbcecc0de35e6bf011b60a946661aab230ed4ba339ae783562993b9cbf67
Instruction Fuzzy Hash: 57315F71900218ABDB15EFA9CC91AEFB778EF48314F14012EF905A72C3DB789D058B69

Uniqueness

Uniqueness Score: -1.00%

Function 00404F90, Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00404F90(void* __ecx, intOrPtr __edx, intOrPtr _a4, char _a8, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a40, char _a44, intOrPtr _a52) {
				char _v8;
				char _v16;
				signed int _v24;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t45;
				signed int _t46;
				intOrPtr _t48;
				signed int _t59;
				void* _t63;
				signed int _t67;
				signed int _t72;
				void* _t73;
				signed int _t74;
				intOrPtr _t80;
				intOrPtr _t87;
				void* _t88;
				void* _t89;
				signed int _t90;
				void* _t92;
				intOrPtr* _t95;
				void* _t96;
				signed int _t97;

				_t87 = __edx;
				_push(0xffffffff);
				_push(0x4ac800);
				_push( *[fs:0x0]);
				_t45 =  *0x4d7e88; // 0x9518852c
				_t46 = _t45 ^ _t97;
				_v24 = _t46;
				_push(_t72);
				_push(_t88);
				_push(_t46);
				 *[fs:0x0] =  &_v16;
				_t92 = __ecx;
				_v8 = 0;
				_t48 = _a24;
				if(_t48 == 0) {
					L16:
					 *((intOrPtr*)( &_a44 +  *((intOrPtr*)(_a44 + 4)))) = GetLastError();
					L0045A7D5(_a32);
					_t95 = __imp__#6;
					 *_t95(_a40);
					if(_a28 >= 8) {
						 *_t95(_a8);
					}
					_a8 = 0;
					_a28 = 7;
					_a24 = 0;
					SetLastError( *(_t97 +  *((intOrPtr*)(_a4 + 4)) + 8));
					 *[fs:0x0] = _v16;
					_pop(_t89);
					_pop(_t96);
					_pop(_t73);
					return E0045A457(_t73, _v24 ^ _t97, _t87, _t89, _t96);
				}
				_t80 =  *((intOrPtr*)(__ecx + 0x14));
				if(_t80 != 0) {
					_t87 = _a52;
					if(_t48 == 0) {
						_t74 = 0;
					} else {
						_t69 =  >=  ? _a8 :  &_a8;
						__eflags =  *((intOrPtr*)( >=  ? _a8 :  &_a8)) - _t87;
						_t74 = _t72 & 0xffffff00 |  *((intOrPtr*)( >=  ? _a8 :  &_a8)) == _t87;
					}
					_t90 = _t80 - 1;
					if(_t90 >= _t80) {
						_t59 = 0;
					} else {
						_t67 = _t92 + 4;
						if( *((intOrPtr*)(_t92 + 0x18)) >= 8) {
							_t67 =  *_t67;
						}
						_t59 = _t67 & 0xffffff00 |  *((intOrPtr*)(_t67 + _t90 * 2)) == _t87;
					}
					if(_t74 != 0) {
						if(_t59 == 0) {
							goto L15;
						}
						_t63 = E00404580( &_v72, 1, 0xffffffff);
						_v8 = 1;
						E00405AA0(_t92, _t63);
						E00401A60( &_v72);
					} else {
						if(_t59 == 0) {
							_push(_t87);
							E00406570(_t59, _t74, _t92 + 4, _t90, 1);
						}
						L15:
						_push(0xffffffff);
						_push(0);
						E00407F60(_t74, _t92 + 4, _t90, _t92,  &_a8);
					}
				} else {
					_t86 = __ecx + 4;
					if(__ecx + 4 !=  &_a8) {
						_push(0xffffffff);
						E00406630(_t72, _t86, _t88,  &_a8, 0);
					}
				}
			}

0x00404f90
0x00404f93
0x00404f95
0x00404fa0
0x00404fa4
0x00404fa9
0x00404fab
0x00404fae
0x00404fb0
0x00404fb1
0x00404fb5
0x00404fbb
0x00404fbd
0x00404fc4
0x00404fc9
0x00405048
0x00405059
0x0040505e
0x00405063
0x0040506f
0x00405075
0x0040507a
0x0040507a
0x0040507e
0x00405085
0x0040508c
0x0040509a
0x004050a3
0x004050ab
0x004050ac
0x004050ad
0x004050bb
0x004050bb
0x00404fcb
0x00404fd0
0x00404fe8
0x00404fed
0x00405002
0x00404fef
0x00404ff6
0x00404ffa
0x00404ffd
0x00404ffd
0x00405004
0x00405009
0x0040501f
0x0040500b
0x0040500f
0x00405012
0x00405014
0x00405014
0x0040501a
0x0040501a
0x00405023
0x004050c0
0x00000000
0x00000000
0x004050d1
0x004050d9
0x004050dd
0x004050e5
0x00405029
0x0040502b
0x0040502d
0x00405033
0x00405033
0x00405038
0x00405038
0x0040503a
0x00405043
0x00405043
0x00404fd2
0x00404fd2
0x00404fda
0x00404fdc
0x00404fe1
0x00404fe1
0x00404fda

APIs

GetLastError.KERNEL32(9518852C,00000000,73B74C30,73B74D40), ref: 00405053
SysFreeString.OLEAUT32(?), ref: 0040506F
SysFreeString.OLEAUT32(?), ref: 0040507A
SetLastError.KERNEL32(?), ref: 0040509A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: 7d9971b677ed3547416a1e96bdc9c8d55c6c6ae2ced54b5d5e6be12a684c2120
Instruction ID: dc07c803cd88c785bac4382bc7a008622eb629c4022d0baeaf30a320184b776a
Opcode Fuzzy Hash: 7d9971b677ed3547416a1e96bdc9c8d55c6c6ae2ced54b5d5e6be12a684c2120
Instruction Fuzzy Hash: 48418C31600609ABCF10DF24C944B9E77A8FF05718F10863AF816A72D1DB39E909CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE03, Relevance: 6.1, APIs: 4, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E0041AE03(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				signed int _t53;
				signed short* _t57;
				void* _t59;
				void* _t62;
				intOrPtr* _t63;
				void* _t70;
				void* _t71;
				signed int _t73;
				signed int _t74;
				signed int _t78;
				intOrPtr _t85;
				signed int _t94;
				void* _t97;

				_push(0x84);
				E0045B8C9(0x4a2c68, __ebx, __edi, __esi);
				_t96 = __ecx;
				 *((intOrPtr*)(_t97 - 0x78)) = __ecx;
				_t73 = 0;
				 *((intOrPtr*)(_t97 - 0x84)) =  *((intOrPtr*)(_t97 + 8));
				 *((intOrPtr*)(_t97 - 0x8c)) =  *((intOrPtr*)(_t97 + 0xc));
				 *(_t97 - 0x88) = 0;
				_t53 = E0045B5D4( *((intOrPtr*)(_t97 + 8)));
				_t94 = 0;
				 *(_t97 - 0x7c) = _t53;
				if( *((intOrPtr*)(_t96 + 0xc)) <= 0) {
					L16:
					L17:
					return E0045B878(_t73, _t94, _t96);
				} else {
					goto L1;
				}
				do {
					L1:
					_t57 =  *( *((intOrPtr*)(_t96 + 4)) + _t94 * 4);
					_t78 =  *_t57 & 0x0000ffff;
					if(_t78 == 0x2d || _t78 == 0x2f) {
						 *(_t97 - 0x80) =  &(_t57[1]);
						_t59 = E0045B5D4( &(_t57[1]));
						_t80 =  *(_t97 - 0x7c);
						if(_t59 <  *(_t97 - 0x7c)) {
							L5:
							 *((char*)(_t97 - 0x71)) = 0;
							L6:
							if((_t73 & 0x00000002) != 0) {
								_t73 = _t73 & 0xfffffffd;
								E00401B80(_t97 - 0x70);
							}
							 *(_t97 - 4) =  *(_t97 - 4) | 0xffffffff;
							if((_t73 & 0x00000001) != 0) {
								_t73 = _t73 & 0xfffffffe;
								E00401B80(_t97 - 0x40);
							}
							if( *((char*)(_t97 - 0x71)) == 0) {
								L14:
								_t96 =  *((intOrPtr*)(_t97 - 0x78));
								goto L15;
							} else {
								_t62 = E00408892(_t97 - 0x90, _t96,  &(( *(_t97 - 0x80))[ *(_t97 - 0x7c)]));
								_t96 =  *((intOrPtr*)(_t97 - 0x90));
								if( *((char*)(_t97 + 0x10)) == 0) {
									L18:
									_t63 =  *((intOrPtr*)(_t97 - 0x8c));
									if(_t63 != 0) {
										_t85 = _t96;
										_t96 = 0;
										 *_t63 = _t85;
									}
									 *( *((intOrPtr*)( *((intOrPtr*)(_t97 - 0x78)) + 8)) + _t94 * 4) =  *(_t97 + 0x14) & 0x000000ff;
									__imp__#6(_t96);
									goto L17;
								}
								__imp__#7(_t96);
								if(_t62 == 0) {
									goto L18;
								}
								__imp__#6(_t96);
								goto L14;
							}
						}
						_t96 = E004091F0(_t97 - 0x40,  *((intOrPtr*)(_t97 - 0x84)), _t80, _t97 - 0x71, 1);
						 *(_t97 - 4) =  *(_t97 - 4) & 0x00000000;
						_t74 = _t73 | 0x00000001;
						 *(_t97 - 0x88) = _t74;
						_t70 = E004091F0(_t97 - 0x70,  *(_t97 - 0x80),  *(_t97 - 0x7c), _t97 - 0x71, 1);
						_t73 = _t74 | 0x00000002;
						_t71 = E0040AB22(_t70, _t68);
						 *((char*)(_t97 - 0x71)) = 1;
						if(_t71 != 0) {
							goto L6;
						}
						goto L5;
					}
					L15:
					_t94 = _t94 + 1;
				} while (_t94 <  *((intOrPtr*)(_t96 + 0xc)));
				goto L16;
			}

0x0041ae03
0x0041ae0d
0x0041ae12
0x0041ae14
0x0041ae1d
0x0041ae20
0x0041ae26
0x0041ae2c
0x0041ae32
0x0041ae37
0x0041ae3a
0x0041ae40
0x0041af2b
0x0041af2d
0x0041af32
0x00000000
0x00000000
0x00000000
0x0041ae46
0x0041ae46
0x0041ae49
0x0041ae4c
0x0041ae52
0x0041ae61
0x0041ae64
0x0041ae6a
0x0041ae6f
0x0041aebd
0x0041aebd
0x0041aec1
0x0041aec4
0x0041aec9
0x0041aecc
0x0041aecc
0x0041aed1
0x0041aed8
0x0041aedd
0x0041aee0
0x0041aee0
0x0041aee9
0x0041af1e
0x0041af1e
0x00000000
0x0041aeeb
0x0041aefb
0x0041af04
0x0041af0a
0x0041af35
0x0041af35
0x0041af3d
0x0041af3f
0x0041af41
0x0041af43
0x0041af43
0x0041af50
0x0041af53
0x00000000
0x0041af59
0x0041af0d
0x0041af15
0x00000000
0x00000000
0x0041af18
0x00000000
0x0041af18
0x0041aee9
0x0041ae86
0x0041ae88
0x0041ae95
0x0041ae9e
0x0041aea4
0x0041aeab
0x0041aeae
0x0041aeb5
0x0041aebb
0x00000000
0x00000000
0x00000000
0x0041aebb
0x0041af21
0x0041af21
0x0041af22
0x00000000

APIs

__EH_prolog3_GS.LIBCMT ref: 0041AE0D
SysStringLen.OLEAUT32(?), ref: 0041AF0D
SysFreeString.OLEAUT32(?), ref: 0041AF18
SysFreeString.OLEAUT32(?), ref: 0041AF53

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$Free$H_prolog3_
String ID:
API String ID: 332078091-0
Opcode ID: fa41b2fa6883de05a4915d955afbc075bba0642f3450f4b413bf59fddf11f95f
Instruction ID: b783a33f4333fdd3158e52c81d5693e2a89c22754597175a9cd840240cb8459f
Opcode Fuzzy Hash: fa41b2fa6883de05a4915d955afbc075bba0642f3450f4b413bf59fddf11f95f
Instruction Fuzzy Hash: 5941CD709042189EDB24DFB5C885BDE7BB4FF09314F14405EE855A7282DB389989CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004769D9, Relevance: 6.1, APIs: 4, Instructions: 96
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E004769D9(void* __edx, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				void* __ebx;
				int _t35;
				int _t38;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t60;
				char* _t63;

				_t63 = _a8;
				if(_t63 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t63 != 0) {
					E0045A62A(_t50,  &_v20, __edx, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E004649D0( *_t63 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t60 = 1;
							__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t63, 1, _a4, 0 | _a4 != 0x00000000);
							if(__eflags != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t60;
							}
							L20:
							_t44 = E0045D506(__eflags);
							_t60 = _t60 | 0xffffffff;
							__eflags = _t60;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t60 = _v20;
						__eflags =  *(_t60 + 0x74) - 1;
						if( *(_t60 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t60 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t63[1];
							if(__eflags == 0) {
								goto L20;
							}
							L18:
							_t60 =  *(_t60 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t60 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t60 + 4), 9, _t63,  *(_t60 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t60 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t63 & 0x000000ff;
					}
					_t60 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x004769e1
0x004769e6
0x00476a00
0x00000000
0x00476a00
0x004769e8
0x004769ed
0x00000000
0x00000000
0x004769f2
0x00476a0d
0x00476a12
0x00476a15
0x00476a1c
0x00476a3b
0x00476a42
0x00476a44
0x00476a88
0x00476a90
0x00476aa5
0x00476aa7
0x00476ab7
0x00476ab7
0x00476abb
0x00476abd
0x00476ac0
0x00476ac0
0x00476ac0
0x00476ac0
0x00000000
0x00476ac6
0x00476aa9
0x00476aa9
0x00476aae
0x00476aae
0x00476ab1
0x00000000
0x00476ab1
0x00476a46
0x00476a49
0x00476a4d
0x00476a76
0x00476a76
0x00476a79
0x00476a79
0x00000000
0x00000000
0x00476a7b
0x00476a7f
0x00000000
0x00000000
0x00476a81
0x00476a81
0x00000000
0x00476a81
0x00476a4f
0x00476a52
0x00000000
0x00000000
0x00476a56
0x00476a69
0x00476a6f
0x00476a72
0x00476a74
0x00000000
0x00000000
0x00000000
0x00476a74
0x00476a1e
0x00476a21
0x00476a23
0x00476a28
0x00476a28
0x00476a2d
0x00000000
0x00476a2d
0x004769f4
0x004769f9
0x004769fd
0x004769fd
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00476A0D
__isleadbyte_l.LIBCMT ref: 00476A3B
MultiByteToWideChar.KERNEL32(00000080,00000009,0045C3DE,00000001,00000000,00000000), ref: 00476A69
MultiByteToWideChar.KERNEL32(00000080,00000009,0045C3DE,00000001,00000000,00000000), ref: 00476A9F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 84d0bd6e18e5d7c1f56f2491114fc4cece03d38e858d30e4604420fed853033a
Instruction ID: e78fe8d9682492742bd207c8de5f6dc32d279fbcd2b0024742ee790016b23857
Opcode Fuzzy Hash: 84d0bd6e18e5d7c1f56f2491114fc4cece03d38e858d30e4604420fed853033a
Instruction Fuzzy Hash: 4C31E430600A46AFDB218F75C844BEB7BA6FF42310F16C42AE419A7290E734DC51D798

Uniqueness

Uniqueness Score: -1.00%

Function 00411DB8, Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00411DB8(void* __ecx, void* __edx, long _a4, intOrPtr _a8) {
				signed int _v8;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr _v72;
				long _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t28;
				long _t42;
				long _t47;
				void* _t65;
				struct HWND__* _t66;
				void* _t67;
				signed int _t68;

				_t65 = __edx;
				_t28 =  *0x4d7e88; // 0x9518852c
				_v8 = _t28 ^ _t68;
				_t52 = _a4;
				_t66 =  *0x4d9620; // 0x0
				_t67 = __ecx;
				_v76 = _a4;
				_v72 = _a8;
				if(IsWindow(_t66) == 0) {
					_t66 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t67 + 0xe8)))) + 0xc))();
				}
				if(_t66 != 0) {
					_v60 = 0;
					_v64 = 0;
					_v68 = 0;
					E004142CB(_t67, _t65, _t52, _v72,  &_v60,  &_v64,  &_v68);
					_t52 = GetTickCount();
					_t71 = _t52 -  *((intOrPtr*)(_t67 + 0x1a0)) - 0x3e8;
					if(_t52 -  *((intOrPtr*)(_t67 + 0x1a0)) > 0x3e8) {
						_t42 = E00413EEB(_t52, _t67, _t66, _t67, _t71,  &_v56, _v68) + 4;
						_t72 =  *((intOrPtr*)(_t42 + 0x14)) - 8;
						if( *((intOrPtr*)(_t42 + 0x14)) >= 8) {
							_t42 =  *_t42;
						}
						SendDlgItemMessageW(_t66, 0x3ec, 0xc, 0, _t42);
						E00401B80( &_v56);
						_t47 = E004140D0(_t52, _t67, _t66, _t67, _t72,  &_v56, _v64, _v76, 0, 0) + 4;
						if( *((intOrPtr*)(_t47 + 0x14)) >= 8) {
							_t47 =  *_t47;
						}
						SendDlgItemMessageW(_t66, 0x3ed, 0xc, 0, _t47);
						E00401B80( &_v56);
						 *((intOrPtr*)(_t67 + 0x1a0)) = _t52;
					}
					E00411EC5(_t67, _v60);
				}
				return E0045A457(_t52, _v8 ^ _t68, _t65, _t66, _t67);
			}

0x00411db8
0x00411dbe
0x00411dc5
0x00411dcc
0x00411dd1
0x00411dd8
0x00411dda
0x00411ddd
0x00411de8
0x00411df5
0x00411df5
0x00411df9
0x00411e01
0x00411e04
0x00411e07
0x00411e1c
0x00411e27
0x00411e31
0x00411e37
0x00411e47
0x00411e4a
0x00411e4e
0x00411e50
0x00411e50
0x00411e5d
0x00411e66
0x00411e80
0x00411e87
0x00411e89
0x00411e89
0x00411e96
0x00411e9f
0x00411ea4
0x00411ea4
0x00411eaf
0x00411eaf
0x00411ec2

APIs

IsWindow.USER32(00000000), ref: 00411DE0
GetTickCount.KERNEL32 ref: 00411E21
SendDlgItemMessageW.USER32 ref: 00411E5D
SendDlgItemMessageW.USER32 ref: 00411E96

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ItemMessageSend$CountTickWindow
String ID:
API String ID: 373309326-0
Opcode ID: bda43ab3aa73ed3b6580bfb436eff82d05a1d0117a080dd23e6f6f8dd1455ca2
Instruction ID: 4915500c2b095ac1a06dae2888b7d95e742b2d67e67b059be9a7b7c69c46ba4f
Opcode Fuzzy Hash: bda43ab3aa73ed3b6580bfb436eff82d05a1d0117a080dd23e6f6f8dd1455ca2
Instruction Fuzzy Hash: 91316B71A00208AFDB15EFA5DC85FDEBBB9AF49704F00002AF506E72A0DB34A945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004185B0, Relevance: 6.1, APIs: 4, Instructions: 89
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E004185B0(intOrPtr* __ecx, intOrPtr _a4, signed int _a8) {
				char _v8;
				char _v12;
				signed int _v16;
				signed int _t22;
				intOrPtr _t25;
				signed int _t36;
				intOrPtr _t37;
				signed int _t41;
				intOrPtr* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t46;

				_t42 = __ecx;
				if(_a4 == 0) {
					L13:
					return 0;
				}
				_t41 = _a8;
				if( *__ecx != 0 && _t41 == 0) {
					goto L13;
				}
				if(_t41 < 0) {
					return 0x80070057;
				}
				__imp__#7( *_t42);
				_v16 = _t22;
				_v8 = 0;
				_a8 = 0;
				_v12 = 0;
				_t25 = E00414B23( &_a8,  &_a8, _t22, _t41);
				_t44 = _t43 + 0xc;
				if(_t25 >= 0) {
					_t36 = _a8;
					_t25 = E00414B47( &_v12, _t36, 2);
					_t45 = _t44 + 0xc;
					if(_t25 >= 0) {
						_t25 = E00414B47( &_v8, _v16, 2);
						_t46 = _t45 + 0xc;
						if(_t25 >= 0) {
							__imp__#4(0, _t36);
							_t37 = _t25;
							if(_t37 != 0) {
								__imp__#7( *_t42);
								if(_t25 != 0) {
									E004245C7(0, _t37, _v12,  *_t42, _v8);
									_t46 = _t46 + 0x10;
								}
								E004245C7(0, _t37 + _v16 * 2, _t41 + _t41, _a4, _t41 + _t41);
								 *((short*)(_t37 + _a8 * 2)) = 0;
								__imp__#6( *_t42);
								 *_t42 = _t37;
								goto L13;
							}
							return 0x8007000e;
						}
					}
				}
				return _t25;
			}

0x004185bd
0x004185bf
0x00418697
0x00000000
0x00418697
0x004185c8
0x004185cb
0x00000000
0x00000000
0x004185d7
0x00000000
0x004185d9
0x004185e5
0x004185ed
0x004185f6
0x004185f9
0x004185fc
0x004185ff
0x00418604
0x00418609
0x0041860f
0x00418619
0x0041861e
0x00418623
0x0041862e
0x00418633
0x00418638
0x0041863d
0x00418643
0x00418647
0x00418652
0x0041865a
0x00418665
0x0041866a
0x0041866a
0x0041867c
0x00418689
0x0041868f
0x00418695
0x00000000
0x00418695
0x00000000
0x00418649
0x00418638
0x00418623
0x0041869d

APIs

SysStringLen.OLEAUT32 ref: 004185E5
SysAllocStringLen.OLEAUT32(00000000,?), ref: 0041863D
SysStringLen.OLEAUT32 ref: 00418652
SysFreeString.OLEAUT32 ref: 0041868F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: 0f87246907ec6dad1821d0284ee8a40f15c2a80fcf2c218f651bc4d8811b3553
Instruction ID: e2a93df44556aa96fba24b739c68fcf8784a70e1de55fb2db12a4582bbdcab65
Opcode Fuzzy Hash: 0f87246907ec6dad1821d0284ee8a40f15c2a80fcf2c218f651bc4d8811b3553
Instruction Fuzzy Hash: FF218175A00209FBDB109FA5DC45B9E7BACEF44304F10842EFA48D6251EA3ADA94CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00446730, Relevance: 6.1, APIs: 4, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00446730(void* __ecx, intOrPtr _a4, unsigned int _a8, int _a12, struct HINSTANCE__* _a16) {
				WCHAR* _v8;
				void* __edi;
				void* __esi;
				void* __ebp;
				WCHAR* _t24;
				struct HRSRC__* _t25;
				struct HRSRC__* _t28;
				struct HRSRC__* _t29;
				struct HRSRC__* _t30;
				struct HRSRC__* _t31;
				struct HRSRC__* _t33;
				struct HRSRC__* _t35;
				struct HRSRC__* _t37;
				void* _t39;
				void* _t40;
				unsigned int _t43;
				struct HINSTANCE__* _t46;
				void* _t48;

				_t46 = _a16;
				_t43 = _a8;
				_t24 = (_t43 >> 0x00000004) + 0x00000001 & 0x0000ffff;
				_v8 = _t24;
				_t25 = FindResourceExW(_t46, 6, _t24, _a12);
				_a8 = _t25;
				_t50 = _t25;
				if(_t25 == 0) {
					L3:
					_t28 = FindResourceExW(_t46, 6, _v8, _a12 | 0x00000400);
					_a8 = _t28;
					__eflags = _t28;
					if(__eflags == 0) {
						L5:
						_t29 = FindResourceExW(_t46, 6, _v8, 0x400);
						_a8 = _t29;
						__eflags = _t29;
						if(__eflags == 0) {
							L7:
							_t30 = FindResourceExW(_t46, 6, _v8, 0);
							_a8 = _t30;
							__eflags = _t30;
							if(__eflags == 0) {
								L9:
								_t31 = 0;
								__eflags = 0;
							} else {
								_push(_t46);
								_push(_t43);
								_push( &_a8);
								_push(_a4);
								_t33 = E004466BC(_t40, _t43, _t46, __eflags);
								__eflags = _t33;
								if(_t33 != 0) {
									goto L2;
								} else {
									goto L9;
								}
							}
						} else {
							_push(_t46);
							_push(_t43);
							_push( &_a8);
							_push(_a4);
							_t35 = E004466BC(_t40, _t43, _t46, __eflags);
							_t48 = _t48 + 0x10;
							__eflags = _t35;
							if(_t35 != 0) {
								goto L2;
							} else {
								goto L7;
							}
						}
					} else {
						_push(_t46);
						_push(_t43);
						_push( &_a8);
						_push(_a4);
						_t37 = E004466BC(_t40, _t43, _t46, __eflags);
						_t48 = _t48 + 0x10;
						__eflags = _t37;
						if(_t37 != 0) {
							goto L2;
						} else {
							goto L5;
						}
					}
				} else {
					_push(_t46);
					_push(_t43);
					_push( &_a8);
					_push(_a4);
					_t39 = E004466BC(_t40, _t43, _t46, _t50);
					_t48 = _t48 + 0x10;
					if(_t39 == 0) {
						goto L3;
					} else {
						L2:
						_t31 = 1;
					}
				}
				return _t31;
			}

0x00446735
0x00446739
0x00446745
0x0044674c
0x0044674f
0x00446755
0x00446758
0x0044675a
0x00446778
0x00446787
0x0044678d
0x00446790
0x00446792
0x004467a9
0x004467b4
0x004467ba
0x004467bd
0x004467bf
0x004467d6
0x004467de
0x004467e4
0x004467e7
0x004467e9
0x00446804
0x00446804
0x00446804
0x004467eb
0x004467eb
0x004467ec
0x004467f0
0x004467f1
0x004467f4
0x004467fc
0x004467fe
0x00000000
0x00000000
0x00000000
0x00000000
0x004467fe
0x004467c1
0x004467c1
0x004467c2
0x004467c6
0x004467c7
0x004467ca
0x004467cf
0x004467d2
0x004467d4
0x00000000
0x00000000
0x00000000
0x00000000
0x004467d4
0x00446794
0x00446794
0x00446795
0x00446799
0x0044679a
0x0044679d
0x004467a2
0x004467a5
0x004467a7
0x00000000
0x00000000
0x00000000
0x00000000
0x004467a7
0x0044675c
0x0044675c
0x0044675d
0x00446761
0x00446762
0x00446765
0x0044676a
0x0044676f
0x00000000
0x00446771
0x00446771
0x00446771
0x00446771
0x0044676f
0x00446809

APIs

FindResourceExW.KERNEL32(?,00000006,?,?,?,00000000,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 0044674F
FindResourceExW.KERNEL32(?,00000006,00000000,?,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 00446787
FindResourceExW.KERNEL32(?,00000006,00000000,00000400,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004467B4
FindResourceExW.KERNEL32(?,00000006,00000000,00000000,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004467DE

Part of subcall function 004466BC: __EH_prolog3_GS.LIBCMT ref: 004466C3
Part of subcall function 004466BC: LoadResource.KERNEL32(?,?,00000038,004467F9,?,?,?,?,?,?,0040D4B6,004C2FA0,?,00000002,?), ref: 004466DA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Resource$Find$H_prolog3_Load
String ID:
API String ID: 4133745404-0
Opcode ID: 2a14182a8ac0c3ba1b6ee19d6025a79b9e32e148616e5c35e7273d5272ec49e1
Instruction ID: c04375f7cb1f775b0624f4cd81cbfe2b65d1f622a7719965cbfa827d9e203ade
Opcode Fuzzy Hash: 2a14182a8ac0c3ba1b6ee19d6025a79b9e32e148616e5c35e7273d5272ec49e1
Instruction Fuzzy Hash: AE219FBA501218BAFF205F55CC05EEB3BBCEF02394F018066FD14E6250E636DA119B65

Uniqueness

Uniqueness Score: -1.00%

Function 0040F126, Relevance: 6.1, APIs: 4, Instructions: 85
windowCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040F126(void* __ecx, char* __edx, long _a4, char _a8, long _a12) {
				signed int _v8;
				char _v56;
				char _v60;
				char _v61;
				long _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t16;
				char _t20;
				long _t28;
				char _t35;
				long _t46;
				void* _t47;
				struct HWND__* _t49;
				signed int _t50;
				void* _t51;

				_t44 = __edx;
				_t16 =  *0x4d7e88; // 0x9518852c
				_v8 = _t16 ^ _t50;
				_t18 = _a4;
				_t33 = __ecx;
				_t35 = _a8;
				_t46 = _a12;
				_v68 = _a4;
				_v60 = _t35;
				if( *0x4d9625 == 0) {
					_push(0);
					_push(_t46);
					_push(_t35);
					_t44 =  &_v61;
					E004091B8(_t51 - 0x30, _t18,  &_v61, 1);
					_t20 =  *0x4d962c; // 0x0
					_push( *0x4d9620);
					_v60 = _t20;
					_t46 = E0040D922(__ecx,  &_v60,  &_v61, _t46, _t49, __eflags);
				} else {
					_t49 = E0040F22B(__ecx, _t46);
					_t54 = _t49;
					if(_t49 != 0) {
						SendMessageW(_t49, 0x111, 0, 0);
						SendMessageW(_t49, 0xc, 0, _v68);
						_t28 = E0040E35C(_t33,  &_v56, SendMessageW, _t49, _t54, _v60, 1) + 4;
						if( *((intOrPtr*)(_t28 + 0x14)) >= 8) {
							_t28 =  *_t28;
						}
						SendMessageW(_t49, 0xc, 0, _t28);
						E00401AC0( &_v56);
						_t46 = SendMessageW(_t49, 0x111, 1, 0);
						_t56 = _t46 - 2;
						if(_t46 == 2) {
							E0041075B(_t33, _t33, _t44, _t46, _t49, _t56, _t49);
						}
					}
				}
				_pop(_t47);
				return E0045A457(_t33, _v8 ^ _t50, _t44, _t47, _t49);
			}

0x0040f126
0x0040f12c
0x0040f133
0x0040f13d
0x0040f142
0x0040f144
0x0040f148
0x0040f14b
0x0040f14e
0x0040f151
0x0040f1c5
0x0040f1c7
0x0040f1c8
0x0040f1d0
0x0040f1d5
0x0040f1da
0x0040f1df
0x0040f1e8
0x0040f1f0
0x0040f153
0x0040f15a
0x0040f15c
0x0040f15e
0x0040f174
0x0040f17e
0x0040f18d
0x0040f194
0x0040f196
0x0040f196
0x0040f19e
0x0040f1a3
0x0040f1b4
0x0040f1b6
0x0040f1b9
0x0040f1be
0x0040f1be
0x0040f1b9
0x0040f15e
0x0040f1f7
0x0040f202

APIs

Part of subcall function 0040F22B: FindWindowExW.USER32 ref: 0040F272

SendMessageW.USER32(00000000,00000111,00000000,00000000), ref: 0040F174
SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 0040F17E

Part of subcall function 0040E35C: __EH_prolog3_GS.LIBCMT ref: 0040E363
Part of subcall function 0040E35C: __itow_s.LIBCMT ref: 0040E39A
Part of subcall function 0040E35C: SetLastError.KERNEL32(?,?,00000000,00000001), ref: 0040E3C9

SendMessageW.USER32(00000000,0000000C,00000000,-00000004), ref: 0040F19E
SendMessageW.USER32(00000000,00000111,00000001,00000000), ref: 0040F1B2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: MessageSend$ErrorFindH_prolog3_LastWindow__itow_s
String ID:
API String ID: 822838590-0
Opcode ID: 5cfbdbc82d689d548a3e28819c7228869d2e0d119e29d93e3cf41c52e64d116f
Instruction ID: 17ae4421929685ed71891ed25a6d985f305d0bf7712a057732ccc6ac72bf7983
Opcode Fuzzy Hash: 5cfbdbc82d689d548a3e28819c7228869d2e0d119e29d93e3cf41c52e64d116f
Instruction Fuzzy Hash: 3421A971701214BBDB24AF65DC42F9E7765AF85714F10043EF601BB2D1DAB4AD098798

Uniqueness

Uniqueness Score: -1.00%

Function 004863B0, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E004863B0() {
				char _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t52;
				void* _t66;
				intOrPtr* _t67;
				void* _t75;
				intOrPtr* _t77;
				signed int _t81;

				_push(0xffffffff);
				_push(0x4ab026);
				_push( *[fs:0x0]);
				_push(_t67);
				_t52 =  *0x4d7e88; // 0x9518852c
				_push(_t52 ^ _t81);
				 *[fs:0x0] =  &_v16;
				_t77 = _t67;
				_v20 = _t77;
				 *_t77 = 0;
				 *((char*)(_t77 + 4)) = 0;
				 *((char*)(_t77 + 0x68)) = 0;
				 *((intOrPtr*)(_t77 + 0xcc)) = 8;
				 *((char*)(_t77 + 0xd0)) = 0;
				 *((intOrPtr*)(_t77 + 0x134)) = 0;
				 *((intOrPtr*)(_t77 + 0x138)) = 2;
				 *((short*)(_t77 + 0x13c)) = 0;
				 *((intOrPtr*)(_t77 + 0x158)) = 0x4c2f78;
				 *((intOrPtr*)(_t77 + 0x180)) = 0x4c2fa8;
				 *((intOrPtr*)(_t77 + 0x184)) = GetLastError();
				 *((intOrPtr*)(_t77 + 0x170)) = 7;
				 *((intOrPtr*)(_t77 + 0x16c)) = 0;
				 *((short*)(_t77 + 0x15c)) = 0;
				 *((intOrPtr*)(_t77 + 0x174)) = 0;
				 *((intOrPtr*)(_t77 + 0x178)) = 0;
				 *((intOrPtr*)(_t77 + 0x17c)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t77 + 0x180)) + 4)) + _t77 + 0x180));
				_t23 = _t77 + 0x18c; // 0x18c
				_v8 = 0;
				 *((intOrPtr*)(_t77 + 0x18c)) = 0;
				 *((intOrPtr*)(_t77 + 0x190)) = 0;
				 *((intOrPtr*)(_t77 + 0x18c)) = E0048B6D0(_t66, _t23, _t75, _t77, 0);
				_t28 = _t77 + 0x194; // 0x194
				_v8 = 1;
				 *((intOrPtr*)(_t77 + 0x194)) = 0;
				 *((intOrPtr*)(_t77 + 0x198)) = 0;
				 *((intOrPtr*)(_t77 + 0x194)) = E0048B730(_t66, _t28, _t75, _t77, 0);
				_t33 = _t77 + 0x19c; // 0x19c
				_v8 = 2;
				 *((intOrPtr*)(_t77 + 0x19c)) = 0;
				 *((intOrPtr*)(_t77 + 0x1a0)) = 0;
				 *((intOrPtr*)(_t77 + 0x19c)) = E0048B700(_t66, _t33, _t75, _t77, 0);
				_t38 = _t77 + 0x1a4; // 0x1a4
				_v8 = 3;
				 *((intOrPtr*)(_t77 + 0x1a4)) = 0;
				 *((intOrPtr*)(_t77 + 0x1a8)) = 0;
				 *((intOrPtr*)(_t77 + 0x1a4)) = E0048B6A0(_t66, _t38, _t75, _t77, 0);
				_t43 = _t77 + 0x1b0; // 0x1b0
				_v8 = 4;
				 *((intOrPtr*)(_t77 + 0x1b0)) = 0;
				 *((intOrPtr*)(_t77 + 0x1b4)) = 0;
				 *((intOrPtr*)(_t77 + 0x1b0)) = E0048B7F0(_t66, _t43, _t75, _t77, 0);
				 *((char*)(_t77 + 0x188)) = 0;
				 *((intOrPtr*)(_t77 + 0x1ac)) = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _t77;
			}

0x004863b3
0x004863b5
0x004863c0
0x004863c1
0x004863c4
0x004863cb
0x004863cf
0x004863d5
0x004863d7
0x004863da
0x004863e0
0x004863e4
0x004863e8
0x004863f2
0x004863fb
0x00486405
0x0048640f
0x00486416
0x00486420
0x00486430
0x00486436
0x00486440
0x0048644c
0x00486453
0x00486459
0x0048645f
0x00486475
0x0048647b
0x00486481
0x00486488
0x00486492
0x004864a1
0x004864a7
0x004864ad
0x004864b1
0x004864bb
0x004864ca
0x004864d0
0x004864d6
0x004864da
0x004864e4
0x004864f3
0x004864f9
0x004864ff
0x00486503
0x0048650d
0x0048651c
0x00486522
0x00486528
0x0048652c
0x00486536
0x00486545
0x0048654b
0x00486552
0x00486561
0x0048656e

APIs

GetLastError.KERNEL32 ref: 0048642A
SetLastError.KERNEL32(?), ref: 00486475

Strings

lJ, xrefs: 004863B0
x/L, xrefs: 00486416

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: lJ$x/L
API String ID: 1452528299-2084575886
Opcode ID: 680b3210779487154902a057d0c53d623c99271879db3dc87b7e9dae6b5aa421
Instruction ID: 3a501fbf316c0f788db0ef6a65775761f0142b598b54e12e26dc5a84000f79ba
Opcode Fuzzy Hash: 680b3210779487154902a057d0c53d623c99271879db3dc87b7e9dae6b5aa421
Instruction Fuzzy Hash: 4041C2B0605A46EFE349DF75C5597C6FBA0BF1A308F00835AD46C8B291DBB92128CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0042F444, Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0042F444(intOrPtr _a4, intOrPtr* _a8, intOrPtr* _a12) {
				signed int _v8;
				char _v60;
				char _v64;
				char _v68;
				intOrPtr* _v72;
				intOrPtr* _v76;
				void* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				intOrPtr* _t22;
				char* _t23;
				void* _t27;
				char* _t32;
				intOrPtr _t35;
				intOrPtr* _t36;
				intOrPtr _t40;
				char* _t44;
				void* _t45;
				void* _t47;
				void* _t48;
				signed int _t49;

				_t20 =  *0x4d7e88; // 0x9518852c
				_v8 = _t20 ^ _t49;
				_t22 = _a8;
				_t36 = _a12;
				_t35 = _a4;
				_t42 = 0;
				 *_t22 = 0;
				_v76 = _t22;
				_t23 =  &_v80;
				_push(_t23);
				_push(_t35);
				_v72 = _t36;
				 *_t36 = 0;
				_v80 = 0;
				L004395BD();
				_t44 = _t23;
				if(_t44 != 0) {
					_push(_t47);
					_t48 = E0045D6BB(_t35, 0, _t44, _t44);
					_t27 = E0045A4D0(_t48, 0, _t44);
					_push(_t48);
					_push(_t44);
					_push(0);
					_push(_t35);
					L004395CD();
					if(_t27 != 0) {
						_v64 =  &_v60;
						E0045A4D0( &_v60, 0, 0x34);
						_push( &_v68);
						_t32 =  &_v64;
						_push(_t32);
						_push("\\");
						_push(_t48);
						_v68 = 0;
						L004395DD();
						if(_t32 != 0) {
							_t40 = _v64;
							_t42 = _v76;
							 *_v76 =  *((intOrPtr*)(_t40 + 8));
							 *_v72 =  *((intOrPtr*)(_t40 + 0xc));
						}
					}
					E0045D646(_t48);
					_pop(_t47);
				}
				_pop(_t45);
				return E0045A457(_t35, _v8 ^ _t49, _t42, _t45, _t47);
			}

0x0042f44a
0x0042f451
0x0042f454
0x0042f457
0x0042f45b
0x0042f45e
0x0042f460
0x0042f463
0x0042f466
0x0042f469
0x0042f46a
0x0042f46b
0x0042f46e
0x0042f470
0x0042f473
0x0042f478
0x0042f47c
0x0042f47e
0x0042f486
0x0042f48b
0x0042f493
0x0042f494
0x0042f497
0x0042f498
0x0042f499
0x0042f4a0
0x0042f4a9
0x0042f4ac
0x0042f4b7
0x0042f4b8
0x0042f4bb
0x0042f4bc
0x0042f4c1
0x0042f4c2
0x0042f4c5
0x0042f4cc
0x0042f4ce
0x0042f4d1
0x0042f4d7
0x0042f4df
0x0042f4df
0x0042f4cc
0x0042f4e2
0x0042f4e8
0x0042f4e8
0x0042f4ec
0x0042f4f8

APIs

_malloc.LIBCMT ref: 0042F480

Part of subcall function 0045D6BB: __FF_MSGBANNER.LIBCMT ref: 0045D6D2
Part of subcall function 0045D6BB: __NMSG_WRITE.LIBCMT ref: 0045D6D9
Part of subcall function 0045D6BB: RtlAllocateHeap.NTDLL(00620000,00000000,00000001,00000000,?,00000000,?,00469FAC,00000008,00000008,00000008,?,?,00463326,00000018,004D1140), ref: 0045D6FE

_memset.LIBCMT ref: 0042F48B
_memset.LIBCMT ref: 0042F4AC
_free.LIBCMT ref: 0042F4E2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memset$AllocateHeap_free_malloc
String ID:
API String ID: 585861054-0
Opcode ID: dd63052eea4223f31ad669853e32cfff38f4c13118e9cb229a6613c4eb0af5ee
Instruction ID: dd2d549724a838d1adc2e1abcf49866d811a80e1ddfda18428fe521ec4b3d6bd
Opcode Fuzzy Hash: dd63052eea4223f31ad669853e32cfff38f4c13118e9cb229a6613c4eb0af5ee
Instruction Fuzzy Hash: 93214F72900218ABD715EFAAD881DAFB7FCEF89314F54402EF805D7341DA74A906CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00405F80(intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr _v20;
				void* __ecx;
				void* __edi;
				signed int _t29;
				signed int _t38;
				void* _t39;
				void* _t40;
				short* _t42;
				intOrPtr _t47;
				signed int _t52;
				intOrPtr* _t53;
				signed int _t55;
				void* _t59;

				_push(0xffffffff);
				_push(0x4ac698);
				_push( *[fs:0x0]);
				_push(_t40);
				_t29 =  *0x4d7e88; // 0x9518852c
				_push(_t29 ^ _t55);
				 *[fs:0x0] =  &_v16;
				_t32 =  *(_t40 + 0x14);
				_t47 = _a8;
				_v20 = 0;
				_t52 = _t32 - 1;
				if(_t32 == 0 || _t52 >= _t32) {
					L6:
					_t49 = _t40 + 4;
					_push(_t47);
					E00406570(_t32, _t39, _t40 + 4, _t40 + 4, 1);
				} else {
					_t49 = _t40 + 4;
					if( *((intOrPtr*)(_t40 + 0x18)) < 8) {
						_t38 = _t49;
					} else {
						_t38 =  *_t49;
					}
					_t59 =  *((intOrPtr*)(_t38 + _t52 * 2)) - _t47;
					_t32 = _t38 & 0xffffff00 | _t59 == 0x00000000;
					if((_t38 & 0xffffff00 | _t59 == 0x00000000) == 0) {
						goto L6;
					}
				}
				_t53 = _a4;
				 *_t53 = 0x4c2f50;
				 *((intOrPtr*)(_t53 + 0x28)) = 0x4c3454;
				 *((intOrPtr*)(_t53 + 0x2c)) = GetLastError();
				_t16 = _t53 + 4; // 0x73b74d44
				_t42 = _t16;
				_push(0xffffffff);
				_v8 = 0;
				 *((intOrPtr*)(_t42 + 0x14)) = 7;
				 *((intOrPtr*)(_t42 + 0x10)) = 0;
				 *_t42 = 0;
				E00406630(_t39, _t42, _t49, _t49, 0);
				 *((intOrPtr*)(_t53 + 0x1c)) = 0;
				 *((intOrPtr*)(_t53 + 0x20)) = 0;
				 *((intOrPtr*)(_t53 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t53 + 0x28)) + 4)) + _t53 + 0x28));
				 *[fs:0x0] = _v16;
				return _t53;
			}

0x00405f83
0x00405f85
0x00405f90
0x00405f91
0x00405f94
0x00405f9b
0x00405f9f
0x00405fa5
0x00405fa8
0x00405fab
0x00405fb2
0x00405fb7
0x00405fd7
0x00405fd7
0x00405fda
0x00405fdf
0x00405fbd
0x00405fc1
0x00405fc4
0x00405fca
0x00405fc6
0x00405fc6
0x00405fc6
0x00405fcc
0x00405fd0
0x00405fd5
0x00000000
0x00000000
0x00405fd5
0x00405fe4
0x00405fe7
0x00405fed
0x00405ffa
0x00405ffd
0x00405ffd
0x00406002
0x00406004
0x0040600c
0x00406013
0x0040601b
0x0040601e
0x00406023
0x0040602a
0x00406031
0x00406042
0x0040604d
0x0040605a

APIs

GetLastError.KERNEL32(00000001,76E3D5B0,9518852C,?,73B74D40,?,?,004AC698,000000FF,T4L,004049B4), ref: 00405FF4
SetLastError.KERNEL32(?,00000007,00000000,000000FF), ref: 00406042

Strings

T4L, xrefs: 00405F80
T4L, xrefs: 00405FED

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: T4L$T4L
API String ID: 1452528299-3367740000
Opcode ID: 34e76b3064816e2e363bd4b779f942a68d86df45ac07e1a49613212acc1760b3
Instruction ID: 9bed8527b8b7e85d28746ae17e32732ee4bb0f1d43bb12fc2b8a4590157dc814
Opcode Fuzzy Hash: 34e76b3064816e2e363bd4b779f942a68d86df45ac07e1a49613212acc1760b3
Instruction Fuzzy Hash: 28218E71500701AFDB10CF15C904B66BBF4FB49328F20866EE8169B790D7BAE906CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00407D30, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E00407D30(intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _v20;
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				signed int _t22;
				intOrPtr* _t37;
				short* _t38;
				intOrPtr _t48;
				signed int _t50;

				_push(0xffffffff);
				_push(0x4ac448);
				_push( *[fs:0x0]);
				_push(_t37);
				_t22 =  *0x4d7e88; // 0x9518852c
				_push(_t22 ^ _t50);
				 *[fs:0x0] =  &_v16;
				_v20 = _t37;
				if(_a16 != 0) {
					 *_t37 = 0x4c2f50;
					 *((intOrPtr*)(_t37 + 0x28)) = 0x4c3454;
				}
				_t43 =  !=  ? _a4 : 0x4c2d7c;
				 *((intOrPtr*)( *((intOrPtr*)( *_t37 + 4)) + _t37)) = GetLastError();
				_push(_a8);
				_v8 = 0;
				_t48 = _v20;
				_t38 = _t48 + 4;
				_t35 =  !=  ? 0x4c2d7c : 0x4c2d7c;
				 *((intOrPtr*)(_t38 + 0x14)) = 7;
				 *((intOrPtr*)(_t38 + 0x10)) = 0;
				_push(0x4c2d7c);
				 *_t38 = 0;
				E00406EB0( !=  ? 0x4c2d7c : 0x4c2d7c, _t38,  !=  ? _a4 : 0x4c2d7c, _t48);
				 *((intOrPtr*)(_t48 + 0x1c)) = 0;
				 *((intOrPtr*)(_t48 + 0x20)) = 0;
				 *((intOrPtr*)(_t48 + 0x24)) = 0;
				SetLastError( *( *((intOrPtr*)( *((intOrPtr*)(_t48 + 0x28)) + 4)) + _t48 + 0x28));
				 *[fs:0x0] = _v16;
				return _t48;
			}

0x00407d33
0x00407d35
0x00407d40
0x00407d41
0x00407d45
0x00407d4c
0x00407d50
0x00407d56
0x00407d5d
0x00407d5f
0x00407d65
0x00407d65
0x00407d78
0x00407d88
0x00407d8a
0x00407d8d
0x00407d94
0x00407d99
0x00407d9e
0x00407da1
0x00407da8
0x00407daf
0x00407db0
0x00407db3
0x00407db8
0x00407dbf
0x00407dc6
0x00407dd7
0x00407de2
0x00407df0

APIs

GetLastError.KERNEL32(9518852C,?,?,?,?,?,004AC448,000000FF), ref: 00407D82
SetLastError.KERNEL32(?,004C2D7C,?,?,?,?,?,?,004AC448,000000FF), ref: 00407DD7

Strings

|-L, xrefs: 00407D6F
T4L, xrefs: 00407D65

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: T4L$|-L
API String ID: 1452528299-1709513760
Opcode ID: ccd77fdad4df3803948bde183815683033a4f63aaced9457376245b4926055cf
Instruction ID: 7bc95b8dcabed2d931c3b7e4b09f15c6a9bbfc5d90e807e1d29cf8978f5cf6b9
Opcode Fuzzy Hash: ccd77fdad4df3803948bde183815683033a4f63aaced9457376245b4926055cf
Instruction Fuzzy Hash: 0B2156766007049FD710CF19C844B56BBF8FF08728F11466EE8199B7A0D7BAE904CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404580, Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(9518852C,?,?,?,00000000,004ACAC8,000000FF,T4L,004050D6,00000000,00000001,000000FF), ref: 004045BE
SetLastError.KERNEL32(?,00000000,00000000,00000000), ref: 0040461A

Strings

T4L, xrefs: 004045B7
T4L, xrefs: 00404580

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast
String ID: T4L$T4L
API String ID: 1452528299-3367740000
Opcode ID: 028d496f95f1f2086f3ede9ab10eddeccf2bf6aa6fe664a70430d69ee2f9d859
Instruction ID: b61b599f1261bc151d4a2ec42bda8dabf60b11823f162ddbf0e1926f641f9eca
Opcode Fuzzy Hash: 028d496f95f1f2086f3ede9ab10eddeccf2bf6aa6fe664a70430d69ee2f9d859
Instruction Fuzzy Hash: 601149B6504704AFD7248F15C804B56BBF4FF89728F10466EE81A87790D7BAA516CB88

Uniqueness

Uniqueness Score: -1.00%

Function 0048BE20, Relevance: 6.1, APIs: 4, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: ea2270cb4d80e7672a98a380bf52c9d96ad9a0459cba85cc0dba8098ddfc5056
Instruction ID: 77ffbead568d06abe6652d9a0f1287e62362a05482a643204ac95c39ff9d30de
Opcode Fuzzy Hash: ea2270cb4d80e7672a98a380bf52c9d96ad9a0459cba85cc0dba8098ddfc5056
Instruction Fuzzy Hash: C4117071500204AFDB009F19DC85A56BFA8FF08318F1541AAED084B367D736EC64CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 00411EFB, Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0040F22B: FindWindowExW.USER32 ref: 0040F272

SendMessageW.USER32(00000000,0000000C,00000000,?), ref: 00411F1E
SendMessageW.USER32(00000000,00000111,00000002,00000000), ref: 00411F2E

Part of subcall function 0041075B: __EH_prolog3_GS.LIBCMT ref: 00410762

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: MessageSend$FindH_prolog3_Window
String ID:
API String ID: 1301945986-0
Opcode ID: f18b38117d297aae988f310ef4ccb808226c6ddcca8c2facf53a6d4395670db9
Instruction ID: dfbab758616002f1ff868f44dc3689de48fde5ebc6277f01b98288258da681dd
Opcode Fuzzy Hash: f18b38117d297aae988f310ef4ccb808226c6ddcca8c2facf53a6d4395670db9
Instruction Fuzzy Hash: 3901F531248200BFE7215B51EC89FAABBA89B59724F10807BF305961F2C7B8C889871C

Uniqueness

Uniqueness Score: -1.00%

Function 00464511, Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00464D84: __getptd_noexit.LIBCMT ref: 00464D85

__lock.LIBCMT ref: 0046454E
InterlockedDecrement.KERNEL32(?), ref: 0046456B
_free.LIBCMT ref: 0046457E
InterlockedIncrement.KERNEL32(0063C290), ref: 00464596

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 2704283638-0
Opcode ID: 782937fa79cac46c835b847dfa571ed9465c5c9dd96271b5550134f1aa65a5b8
Instruction ID: bf1fdb13fa441d3b5f7d7b808489ece3e24e0431c18f9873cc060b2ebeaba5c1
Opcode Fuzzy Hash: 782937fa79cac46c835b847dfa571ed9465c5c9dd96271b5550134f1aa65a5b8
Instruction Fuzzy Hash: DE01C031901621ABDF21AB96980676E7764BF81728F05011FE911A7381EB3C6941CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 004106D7, Relevance: 6.0, APIs: 4, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00410714
IsDialogMessageW.USER32(?), ref: 00410728
TranslateMessage.USER32(?), ref: 00410736
DispatchMessageW.USER32 ref: 00410740

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: 37cf7d44ff71bf57da638d2a31faa7f3f316511d44e19188df922172d013981b
Instruction ID: ef94ecf8d492ccd34105d437e9f6e7a53292830c9c4a75a06970bb969660babd
Opcode Fuzzy Hash: 37cf7d44ff71bf57da638d2a31faa7f3f316511d44e19188df922172d013981b
Instruction Fuzzy Hash: 7B015E71905264AEDF258BA1AC08FE77FECAB0E704F044067E465D21E1D2A8E9C4CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004392D9, Relevance: 6.0, APIs: 4, Instructions: 45windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00439345: IsWindow.USER32(?), ref: 0043936D
Part of subcall function 00439345: GetLastError.KERNEL32(?,004392EC,?), ref: 0043937E

IsDialogMessageW.USER32(?,?), ref: 004392FF
TranslateMessage.USER32(?), ref: 0043930D
DispatchMessageW.USER32 ref: 00439317
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00439326

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Message$DialogDispatchErrorLastTranslateWindow
String ID:
API String ID: 2045501086-0
Opcode ID: 452d320890ea895eb21c39f3c21b5f362dd9ceae528e9c8bff2af433555e6cdb
Instruction ID: a29a9e6365f9f5463b6136a44f19e38ddad78f2a771dc12c71ba474efaa5af2b
Opcode Fuzzy Hash: 452d320890ea895eb21c39f3c21b5f362dd9ceae528e9c8bff2af433555e6cdb
Instruction Fuzzy Hash: A10167B2900205AFDB209FB5DC08A6B7BFCDF5D704F004437E921D2150E778E8058A75

Uniqueness

Uniqueness Score: -1.00%

Function 0041253F, Relevance: 6.0, APIs: 4, Instructions: 42windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00412563
GetObjectW.GDI32(00000000,0000005C,?), ref: 00412570

Part of subcall function 004125AD: GetLocaleInfoW.KERNEL32(?,00001004,?,00000014), ref: 004125E1
Part of subcall function 004125AD: TranslateCharsetInfo.GDI32(00000000,?,00000002), ref: 004125FC

CreateFontIndirectW.GDI32(?), ref: 00412587
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 00412597

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: InfoMessageSend$CharsetCreateFontIndirectLocaleObjectTranslate
String ID:
API String ID: 2681337867-0
Opcode ID: 5bac568def4fb8f6399d480c1c020f0039d80205d477515377b8e8dbfbd3dd76
Instruction ID: 4b400925af5f4f3dea7770fe6560f858ec8ba7793cf19f7153a0348d9465aa54
Opcode Fuzzy Hash: 5bac568def4fb8f6399d480c1c020f0039d80205d477515377b8e8dbfbd3dd76
Instruction Fuzzy Hash: 25014F71A05318ABDF10DFA5DC89F9E7BB9AB19700F004029B605AB281D6B49914CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00464E0B, Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00464E4F

Part of subcall function 0046323D: __mtinitlocknum.LIBCMT ref: 0046324F
Part of subcall function 0046323D: EnterCriticalSection.KERNEL32(00000000,?,00464E54,0000000D), ref: 00463268

InterlockedIncrement.KERNEL32(?), ref: 00464E5C
__lock.LIBCMT ref: 00464E70
___addlocaleref.LIBCMT ref: 00464E8E

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
String ID:
API String ID: 1687444384-0
Opcode ID: ca9532e855b8e9cfb49d2282fd7e0ce366c0fa5dd99d25c45af14bab4dc4fccd
Instruction ID: cfaf24bed7775fabcf69b5f8c6870cb7b7f7cb6e127d1a2c1ec12c5ec58681f1
Opcode Fuzzy Hash: ca9532e855b8e9cfb49d2282fd7e0ce366c0fa5dd99d25c45af14bab4dc4fccd
Instruction Fuzzy Hash: 15012171500B409FDB20AF66D80575ABBF0BF50329F20890FE5A5972A1DB78A640CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041480A, Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 00414833
IsDialogMessageW.USER32(?,?), ref: 00414847
TranslateMessage.USER32(?), ref: 00414855
DispatchMessageW.USER32 ref: 0041485F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Message$DialogDispatchPeekTranslate
String ID:
API String ID: 1266772231-0
Opcode ID: d9b35cbb2f76d0bbad690ed724c4705ddf6aba1bbd01c1938827c2e7ddfc1215
Instruction ID: b5c1efe96b76b106ce1e22c38196cde2ee867dc7df8cedafc31724231bce7c88
Opcode Fuzzy Hash: d9b35cbb2f76d0bbad690ed724c4705ddf6aba1bbd01c1938827c2e7ddfc1215
Instruction Fuzzy Hash: 8DF06235A04296ABDB60AFB7AC0CDFBBFBCDBC5B01B004067A461D2151E6689446CB78

Uniqueness

Uniqueness Score: -1.00%

Function 0040B00B, Relevance: 6.0, APIs: 4, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,?,?,0040AC13,00000000,00000000,?,00000000,?,00000000,00000000), ref: 0040B01D
GlobalLock.KERNEL32 ref: 0040B02B
_memmove.LIBCMT ref: 0040B03A
GlobalUnlock.KERNEL32 ref: 0040B052

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Global$AllocLockUnlock_memmove
String ID:
API String ID: 660073773-0
Opcode ID: 41207e86ceb74407b5b6f3b1783b172c7f6bcd4b8144584cf18d40e2dd7e1a7b
Instruction ID: 609593f2ed9000f32e7f0d7fef9639914f3ca5f9a658aa3b03474c2a4b03a75f
Opcode Fuzzy Hash: 41207e86ceb74407b5b6f3b1783b172c7f6bcd4b8144584cf18d40e2dd7e1a7b
Instruction Fuzzy Hash: CDF08272540216ABE7017FBADC05956BFECFF493127008532F929D6291E735E42187A9

Uniqueness

Uniqueness Score: -1.00%

Function 004301D4, Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 004301EC
PeekMessageW.USER32 ref: 00430202
TranslateMessage.USER32(?), ref: 00430210
DispatchMessageW.USER32 ref: 0043021A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Message$Peek$DispatchTranslate
String ID:
API String ID: 1795658109-0
Opcode ID: c9655ed3ab55fc17ed093dd39af45d67eaa3e2fe43e73219ab276254281691f0
Instruction ID: 00882ce5cda7ca4ff11e02b86652fa535bfc858a5f3d0f213e65b363a0b21e68
Opcode Fuzzy Hash: c9655ed3ab55fc17ed093dd39af45d67eaa3e2fe43e73219ab276254281691f0
Instruction Fuzzy Hash: 13F01271A0020E7BDB105BB69C9DD9B7FBCDB89F44B004525B521D2145E668E9068678

Uniqueness

Uniqueness Score: -1.00%

Function 004525F9, Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32(00000000), ref: 00452612
SysFreeString.OLEAUT32(00000003), ref: 0045261E
_free.LIBCMT ref: 0045262E
_free.LIBCMT ref: 00452640

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: FreeString_free
String ID:
API String ID: 2157979973-0
Opcode ID: 885f7a036933098c6bd05cd0720d6cd5f0772c77fc0e4d6d597938a08ec789e2
Instruction ID: 8eaf5657c2ebb0a3b13a4a4b11e247605b84b600caf6c3e8d720e6c2d7b118d4
Opcode Fuzzy Hash: 885f7a036933098c6bd05cd0720d6cd5f0772c77fc0e4d6d597938a08ec789e2
Instruction Fuzzy Hash: 34F09076500522EFC7228F56E5C4806FB64FF09752711822BF46883622CB719CA6CFD8

Uniqueness

Uniqueness Score: -1.00%

Function 00452040, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00452047
GetLastError.KERNEL32(00000004,0045276D,?,00000001,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0045206B
SetLastError.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00452098
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004520B8

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID:
API String ID: 3502553090-0
Opcode ID: 3cb0793151528fdbf7fb8d638dbfa040aa64544f51633d55e62f5a859fcba6c1
Instruction ID: b5f215745daadf949085b08d572f8bfc25a3b09c1719a62bdf3109cbad5f2366
Opcode Fuzzy Hash: 3cb0793151528fdbf7fb8d638dbfa040aa64544f51633d55e62f5a859fcba6c1
Instruction Fuzzy Hash: 5301C5759002108FCB04DF55C995B8ABBA4AB04319F05C4AAAC149F367CBB8E914CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004124C2, Relevance: 6.0, APIs: 4, Instructions: 35windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 004124CB
GetDlgItem.USER32 ref: 004124E4
SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 004124F4
SendMessageW.USER32(00000000,00000402,?,00000000), ref: 00412511

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: MessageSend$ItemWindow
String ID:
API String ID: 591194657-0
Opcode ID: 19d25f7fca834f18e6b0410cbb92cbaff4a1532f9ab004e36beba6a5779aa618
Instruction ID: 9ccfd2c52fb01912edb6e4708ad4e45fa94897539c7573ce4834a409b11aa6f5
Opcode Fuzzy Hash: 19d25f7fca834f18e6b0410cbb92cbaff4a1532f9ab004e36beba6a5779aa618
Instruction Fuzzy Hash: 32F02731200110BBD7101B62BC48EBA3FACEB4AB91F044037F608E10A0C7B8CC50D7AC

Uniqueness

Uniqueness Score: -1.00%

Function 00415D19, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00415D20
GetLastError.KERNEL32(00000004,00416784,?,00000000), ref: 00415D44
SetLastError.KERNEL32(?), ref: 00415D71
SetLastError.KERNEL32(00000000), ref: 00415D91

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3
String ID:
API String ID: 3502553090-0
Opcode ID: eee85745f461b2685e9c6e98c369fc658d764571e3073be2b14e754d92e0c381
Instruction ID: e63c4c50e2579be7de9a440d7405d9f157185e8486bff636422b039b726b374f
Opcode Fuzzy Hash: eee85745f461b2685e9c6e98c369fc658d764571e3073be2b14e754d92e0c381
Instruction Fuzzy Hash: B401C2759002108FCB44DF55D985B9ABBA0EB04319F05C8AAAC189F2A6C7B8D954CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401A60, Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004050EA,00000000,00000000,00000001,000000FF,9518852C,00000000,73B74C30,73B74D40), ref: 00401A6F
SysFreeString.OLEAUT32(?), ref: 00401A8B
SysFreeString.OLEAUT32(?), ref: 00401A96
SetLastError.KERNEL32(?), ref: 00401AB4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction ID: e40d49c18025afc5c80985eda0a655243877ccc1a9f4a8e9248b552b5c85207f
Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction Fuzzy Hash: 48F0F435500512EFD7009F1AE948A40FBB5FF49329B15826AE41893A31CB35F8B4CFC8

Uniqueness

Uniqueness Score: -1.00%

Function 00401AC0, Relevance: 6.0, APIs: 4, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
SysFreeString.OLEAUT32(?), ref: 00401AEB
SysFreeString.OLEAUT32(?), ref: 00401AF6
SetLastError.KERNEL32(?), ref: 00401B14

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorFreeLastString
String ID:
API String ID: 3822639702-0
Opcode ID: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction ID: 7fc7d01df612ee2857e001765975f3cb69b0a7a7fc946f931921def550923789
Opcode Fuzzy Hash: de7331677c6d3e50590d67bc66852f29b8a5aae7ee1625df25b9102005008d99
Instruction Fuzzy Hash: CFF0F435500512EFD7009F1AE948A40FBB5FF49329B15826AE41893A31CB75F8B4DFC8

Uniqueness

Uniqueness Score: -1.00%

Function 0049A110, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 0049A119
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0049A12A
GetDeviceCaps.GDI32(00000000,0000000E), ref: 0049A131
ReleaseDC.USER32 ref: 0049A139

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 81fe86409a3509f52eef9bca38f0944fefe36bd2c16e41e9ed11b2d4ab1f9fbc
Instruction ID: cd4101a6f1a76049ecf921f76eabf7e4af3ed02cb3c39424fa35d776e82c472e
Opcode Fuzzy Hash: 81fe86409a3509f52eef9bca38f0944fefe36bd2c16e41e9ed11b2d4ab1f9fbc
Instruction Fuzzy Hash: F7E04F3290022C7FEB202BB7AC89D9B7F5CEB492B4B024432FE1CAB251D5719C4189E0

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00406F6C

Strings

invalid string position, xrefs: 00406FE4
string too long, xrefs: 00406F9F

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 88b1f9d88691737e87b1ba953efcbab96d5f70db9c2c7b12ed9f62561d63ffbc
Instruction ID: 7f1d0454e7487324ddc27808aa15b439cd9e7965796b89f464a162825283b911
Opcode Fuzzy Hash: 88b1f9d88691737e87b1ba953efcbab96d5f70db9c2c7b12ed9f62561d63ffbc
Instruction Fuzzy Hash: 2B41DC323143159BC6249E5CF98086AF3EAFF91725321093FE142E7680D776E86587E9

Uniqueness

Uniqueness Score: -1.00%

Function 004440CF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141timeCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 004440D6
CompareFileTime.KERNEL32(?,00000000,?,?,PSTORES.EXE,00000000,00000000,?,?,0000006C,0044A131,?,?,?), ref: 0044422E

Strings

PSTORES.EXE, xrefs: 004441E1, 004441EE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: CompareFileH_prolog3Time
String ID: PSTORES.EXE
API String ID: 2703394530-1209905799
Opcode ID: 29c7b6ff1ac3780e10fac1545eeaa9c8dd8d4ebb63912ea0e3e7ec1ea8e39cae
Instruction ID: efd3a5696b197fd5aa3610a333a78fe280904bfb249b72705f77cdf15a1aafa2
Opcode Fuzzy Hash: 29c7b6ff1ac3780e10fac1545eeaa9c8dd8d4ebb63912ea0e3e7ec1ea8e39cae
Instruction Fuzzy Hash: 6E512072C0025DAAEF11DFE4D881AEEBBB8BF58344F14015BE511B7241EB38AA45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00406630, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 121COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004066F9

Strings

invalid string position, xrefs: 0040672C, 00406736
string too long, xrefs: 00406740

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: _memmove
String ID: invalid string position$string too long
API String ID: 4104443479-4289949731
Opcode ID: 64848c1ca52122e1e000f17b0e8b8f2014c6846dc759819f29c4771c32755776
Instruction ID: 109d5573d350601dc0c970750d02d2488746e1b4dc6d2f9e7dccea131a2ba069
Opcode Fuzzy Hash: 64848c1ca52122e1e000f17b0e8b8f2014c6846dc759819f29c4771c32755776
Instruction Fuzzy Hash: 0B31CD32304314DBC7249F5CE88082BF3AAFFD17653120A3FE442D7291DB76A86587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044E0D6, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0044E0E0

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Strings

@/L, xrefs: 0044E166
@/L, xrefs: 0044E123

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$@/L
API String ID: 852442433-2149722323
Opcode ID: 7fe57c949d83826a8f6a2fe408c0acfb8c0e47dd28769921a04ae39a326201f8
Instruction ID: b69bbfbd7b42d283a4daad3c19d690c11e806ee203c84158451cc76e75080c08
Opcode Fuzzy Hash: 7fe57c949d83826a8f6a2fe408c0acfb8c0e47dd28769921a04ae39a326201f8
Instruction Fuzzy Hash: 7A418071900208EFDB14EFA6C855FDE7B78BF14308F5040AEF905A7192DBB85A49CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D72B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040D735

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Part of subcall function 0040CCC9: __EH_prolog3_GS.LIBCMT ref: 0040CCD0

Strings

@/L, xrefs: 0040D88E
@/L, xrefs: 0040D76A

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last
String ID: @/L$@/L
API String ID: 1018228973-2149722323
Opcode ID: 4dc311509f40bace2c19a8ac8a9df2a7a3c13ad40809a4d3032dc15deb272523
Instruction ID: f3e96a9b1c5ee94a017cf984c8580acd192ed533c3d2df712af9e4e8c3a6aa76
Opcode Fuzzy Hash: 4dc311509f40bace2c19a8ac8a9df2a7a3c13ad40809a4d3032dc15deb272523
Instruction Fuzzy Hash: 61416F71D00218DADB14EBE5C895BEDB7B8AF14308F1440AFE509B72C2DB785A48CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004074D0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0040752C
SysFreeString.OLEAUT32 ref: 00407538

Part of subcall function 004079F0: SysAllocStringLen.OLEAUT32(00000000,00000001), ref: 00407A39
Part of subcall function 004079F0: _memmove.LIBCMT ref: 00407A61
Part of subcall function 004079F0: SysFreeString.OLEAUT32 ref: 00407A71

Strings

string too long, xrefs: 0040757C, 00407590

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$Free_memmove$Alloc
String ID: string too long
API String ID: 2303858246-2556327735
Opcode ID: 391ff6a418e7a9454b4c92d9edae768378548fd1e39286733851d454fa5fb292
Instruction ID: 69e6656aa477ad90876ad05d07542d25fb970cf09ed5044d6587f25be10a540c
Opcode Fuzzy Hash: 391ff6a418e7a9454b4c92d9edae768378548fd1e39286733851d454fa5fb292
Instruction Fuzzy Hash: 93210432604304ABD720DE7CEC809AB73A9EF953207104E3FE445D3A81C734F50887A9

Uniqueness

Uniqueness Score: -1.00%

Function 0045C1D6, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

Strings

M, xrefs: 0045C1D6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: __getptd_noexit
String ID: M
API String ID: 3074181302-1509087228
Opcode ID: 693cf8f50c2d2ef4c46e0acadafdf68216ba883b9e85146a0b5cf68e6333c65e
Instruction ID: 77f910a3bbcbed8837b8a63f03d3c0a7090191525537260bdd11675789150c04
Opcode Fuzzy Hash: 693cf8f50c2d2ef4c46e0acadafdf68216ba883b9e85146a0b5cf68e6333c65e
Instruction Fuzzy Hash: 40216131D00705AFCB216FE6888255E37549F5237AF21469BFD21462A3E77C984C876A

Uniqueness

Uniqueness Score: -1.00%

Function 00407C30, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407C8C
SysFreeString.OLEAUT32(00000000), ref: 00407C98

Part of subcall function 004081C0: SysAllocStringLen.OLEAUT32(00000000,?), ref: 00408209
Part of subcall function 004081C0: _memmove.LIBCMT ref: 00408231
Part of subcall function 004081C0: SysFreeString.OLEAUT32(004D9420), ref: 00408241

Strings

string too long, xrefs: 00407CDC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$Free_memmove$Alloc
String ID: string too long
API String ID: 2303858246-2556327735
Opcode ID: a64afb876ae8022cb1f6437780b26dcb82ceeff2451498644f58ea70fa053f98
Instruction ID: 4cf259cfd9752b6b6172fc5889afb6ca6eb9e8c35ebbce439a321035552155c1
Opcode Fuzzy Hash: a64afb876ae8022cb1f6437780b26dcb82ceeff2451498644f58ea70fa053f98
Instruction Fuzzy Hash: 5811B1326187049BE720DF79E88496B77A9EF95320B104E3FE486D7281D738E9488769

Uniqueness

Uniqueness Score: -1.00%

Function 00419797, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041979E

Strings

@/L, xrefs: 004197DA
0x%04lx.ini, xrefs: 004197EE

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_
String ID: 0x%04lx.ini$@/L
API String ID: 2427045233-110886449
Opcode ID: 3871efbdb603b29ee88f3fbb5cb8359bb8cb663b86de198b21e60d6e5f705e1b
Instruction ID: 493ed48cb11b0250d8142db40f5bd4adf23257ef61bfc5648db907530d0ebf84
Opcode Fuzzy Hash: 3871efbdb603b29ee88f3fbb5cb8359bb8cb663b86de198b21e60d6e5f705e1b
Instruction Fuzzy Hash: 91219E71910104DFCB04FBA5C856AEDBBB8AF14304F04405EF906A7292DB78AE49CBE5

Uniqueness

Uniqueness Score: -1.00%

Function 0044575F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00445769

Part of subcall function 0044BDFA: __EH_prolog3.LIBCMT ref: 0044BE01

Part of subcall function 00408E82: __EH_prolog3.LIBCMT ref: 00408E89
Part of subcall function 00408E82: GetLastError.KERNEL32(00000004,00409E1B,004C2FA0,00000000,0043A706,?,?,00000001), ref: 00408EAB
Part of subcall function 00408E82: SetLastError.KERNEL32(?,00000000), ref: 00408EE3

Part of subcall function 0044DA4D: __EH_prolog3_GS.LIBCMT ref: 0044DA57

Strings

@/L, xrefs: 0044576E
@/L, xrefs: 004457B3

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3H_prolog3_Last
String ID: @/L$@/L
API String ID: 211087501-2149722323
Opcode ID: b8c77ce182d6cc29ba24e5f27f9ff45acb0da7607e22c6178203f7bf8dd4dac2
Instruction ID: 8d5e652a65a50ad8ac5bece7f761bf68b3ca9c2509dd4a4a4be9517cf999955c
Opcode Fuzzy Hash: b8c77ce182d6cc29ba24e5f27f9ff45acb0da7607e22c6178203f7bf8dd4dac2
Instruction Fuzzy Hash: 3E219370801218EAEB00FF66C8567DDBB78AF15348F1000DEE80D67292DB785B4ACBE5

Uniqueness

Uniqueness Score: -1.00%

Function 00447769, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00447773

Part of subcall function 0040E057: __EH_prolog3_GS.LIBCMT ref: 0040E061

Part of subcall function 0040A206: __EH_prolog3_GS.LIBCMT ref: 0040A210

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF

Strings

|-L, xrefs: 004477AC, 004477C7, 004477AF
@/L, xrefs: 00447824

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorFreeLastString
String ID: @/L$|-L
API String ID: 2278686355-2674218661
Opcode ID: bafed663853a54d7c1ecde56c0a9a402c967ffb63c475103f775744a83c66405
Instruction ID: 575e6f0a22ed8dc42c495f66278e05caa96ae6fadfe19154456e58cb72043280
Opcode Fuzzy Hash: bafed663853a54d7c1ecde56c0a9a402c967ffb63c475103f775744a83c66405
Instruction Fuzzy Hash: 3C21A771500248EEDB05FBA6CC56BDD77B8AF14348F5440AEF509B72C2DBB85A08C769

Uniqueness

Uniqueness Score: -1.00%

Function 004266DA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004266E1

Strings

T4L, xrefs: 00426703
P/L, xrefs: 004266FC

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_
String ID: P/L$T4L
API String ID: 2427045233-1441100843
Opcode ID: 87057e83cf87df46517fde2c43e6b5b0270849f5c5455f35a03d1bd60b0c8c0a
Instruction ID: 99304e9055aefa7189c6e55fa4fe9fd6751d5f7ff057b6dc98898bdbee2aa1aa
Opcode Fuzzy Hash: 87057e83cf87df46517fde2c43e6b5b0270849f5c5455f35a03d1bd60b0c8c0a
Instruction Fuzzy Hash: 4F118B71A00125DBDB14FF61EA415FEB779BF90308F91401FE815A7181DB787A05CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAFD, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040BB07

Part of subcall function 0040B2A8: __EH_prolog3_GS.LIBCMT ref: 0040B2AF

Part of subcall function 0040B22B: __EH_prolog3_GS.LIBCMT ref: 0040B232

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 0040BB0C
@/L, xrefs: 0040BBB2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_$ErrorFreeLastString
String ID: @/L$@/L
API String ID: 2278686355-2149722323
Opcode ID: 594c3621bec88716f7fa08e35dce61c35d16a6fb378e929f358051c3b0055c1b
Instruction ID: 41ceca28e279f213c48d9231f3062bb618ea6570edfb13e556be676d5aac1845
Opcode Fuzzy Hash: 594c3621bec88716f7fa08e35dce61c35d16a6fb378e929f358051c3b0055c1b
Instruction Fuzzy Hash: C1215071900218DFCB00EBA5C955BDDB7B8BF14308F4440AEF409B7192DB78AA09CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004231A8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59timeCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004231AF
GetSystemTimeAsFileTime.KERNEL32(?,00000044,0042317B,?,?,00000005,0000086E,004C2FA0, This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r,?,00000000,00000038,00418DB4,?,?,?), ref: 004231D1

Strings

@/L, xrefs: 004231BB

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: Time$FileH_prolog3_System
String ID: @/L
API String ID: 477554553-3803013380
Opcode ID: 95a76e4835c22f6e771590ad3086b18bc8e260665385efa4241fd9c9b6c3bd47
Instruction ID: b6d2674ac1b782fd924d4f8a71608278f77efab51b695a9e38f5987bfd46a943
Opcode Fuzzy Hash: 95a76e4835c22f6e771590ad3086b18bc8e260665385efa4241fd9c9b6c3bd47
Instruction Fuzzy Hash: 8F116A71F00224DFDF10EF90D985AAEB775AF04706F5844ABF90167252D33C9E01CA69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3E7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0040E3EE

Part of subcall function 00413CE7: __EH_prolog3_GS.LIBCMT ref: 00413CEE

Part of subcall function 00403F50: GetLastError.KERNEL32 ref: 00403F6F
Part of subcall function 00403F50: SetLastError.KERNEL32(?), ref: 00403F9F

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Strings

T4L, xrefs: 0040E432
@/L, xrefs: 0040E481

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$H_prolog3H_prolog3_
String ID: @/L$T4L
API String ID: 852442433-842787045
Opcode ID: 189de923b5731c57b67700263a07bbfb5ec848b38d539debeb01787c76b193a8
Instruction ID: aa833aaa5e159750d8e343903cd048e7ec7178dce6d6d96115b1263ee4b86a9a
Opcode Fuzzy Hash: 189de923b5731c57b67700263a07bbfb5ec848b38d539debeb01787c76b193a8
Instruction Fuzzy Hash: F62137B5600246AFC749DF79C480A89FBA8BF1C304F10826FE51DC7202DBB46615CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004267A7, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004267AE

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

P/L, xrefs: 004267DF
T4L, xrefs: 004267E6

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: P/L$T4L
API String ID: 2549205776-1441100843
Opcode ID: 5d71adc4a69efa1c4e7f1c7a72b91f46334501242766fc6e634b6ed9963733bf
Instruction ID: 99f1321e1eb8a844e503e0274bc59d6c221d7a79c315cb59c7afcdddbe6a1c2e
Opcode Fuzzy Hash: 5d71adc4a69efa1c4e7f1c7a72b91f46334501242766fc6e634b6ed9963733bf
Instruction Fuzzy Hash: E8014C76D01224DACB14EEA5CD06B9D767CEF80314F55411FF814AB2C2DBB45F098B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E66A, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040E671

Strings

P/L, xrefs: 0040E6B2
T4L, xrefs: 0040E69B

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3_
String ID: P/L$T4L
API String ID: 2427045233-1441100843
Opcode ID: 671a34622b4cc8dc29eb0f103c3bb7e49eef69770c2f160eb7e1f24a4d18657e
Instruction ID: ab0f8c1c0b55e7c4a036ef254d1e4539c3e857128e00ce9911648e7891446c31
Opcode Fuzzy Hash: 671a34622b4cc8dc29eb0f103c3bb7e49eef69770c2f160eb7e1f24a4d18657e
Instruction Fuzzy Hash: 6F115E70814159DEDF11EBA1CC45BED7BB8BB10308F54442FE501731D2CBB96A4ACBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424095, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00423C2C: __EH_prolog3.LIBCMT ref: 00423C33
Part of subcall function 00423C2C: SysStringLen.OLEAUT32(?), ref: 00423C64

SysStringLen.OLEAUT32(?), ref: 004240AF

Part of subcall function 00417173: GetLastError.KERNEL32 ref: 0041718A
Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 00417197
Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171B1
Part of subcall function 00417173: GetLastError.KERNEL32 ref: 004171C0
Part of subcall function 00417173: SysFreeString.OLEAUT32(?), ref: 004171DD
Part of subcall function 00417173: SetLastError.KERNEL32(?), ref: 004171ED

Part of subcall function 00425270: SysStringLen.OLEAUT32(00000000), ref: 00425280

SysStringLen.OLEAUT32(?), ref: 004240EA

Strings

., xrefs: 004240C9

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: String$ErrorLast$Free$H_prolog3
String ID: .
API String ID: 4143273375-248832578
Opcode ID: 78a252f80f559568b17f0b1fbccfa005552cfa31a7088b8e877c1b98359391f2
Instruction ID: 81ab4b0a7bffd0d075c4cd32ae9a8de5e4199f8fb8b483f49167c83de80620a0
Opcode Fuzzy Hash: 78a252f80f559568b17f0b1fbccfa005552cfa31a7088b8e877c1b98359391f2
Instruction Fuzzy Hash: 1D01A235614224BBCF10EB64EC45FDD7B68EB05328F108617B621A22D1CAB89A84CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040912E, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00409135
SetLastError.KERNEL32(00000001,00000000,0043A706,?,?,00000001), ref: 004091A8

Strings

@/L, xrefs: 00409154

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorH_prolog3_Last
String ID: @/L
API String ID: 1018228973-3803013380
Opcode ID: f3ba4dabe57ca79f92caaee907b91a709a4a96ca60966b8a7d5d385bf99e15bd
Instruction ID: 291f87a9b9d090ea03861c90a7dd1aae1d6288a807f080f12fe15fb5645a109e
Opcode Fuzzy Hash: f3ba4dabe57ca79f92caaee907b91a709a4a96ca60966b8a7d5d385bf99e15bd
Instruction Fuzzy Hash: EC01D234600204DBD710EF52C940E9E7BB4EF84344F10406FF8016B392DBB9AD06DB98

Uniqueness

Uniqueness Score: -1.00%

Function 004377A2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSysColor.USER32(00000005), ref: 004377C2
CreateSolidBrush.GDI32(00000000), ref: 004377C9

Part of subcall function 00404200: GetLastError.KERNEL32 ref: 0040421F
Part of subcall function 00404200: SetLastError.KERNEL32(?), ref: 0040424F

Strings

@/L, xrefs: 004377DF

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$BrushColorCreateSolid
String ID: @/L
API String ID: 1391376083-3803013380
Opcode ID: 9918dc7c84c8f9a36bfa25e08c044a7cf86cd63c3d9c2045943009b35e031c48
Instruction ID: 0f290009044d5cf257484a96d9edb866fd1987fb85950b9a529067a5a08e27e5
Opcode Fuzzy Hash: 9918dc7c84c8f9a36bfa25e08c044a7cf86cd63c3d9c2045943009b35e031c48
Instruction Fuzzy Hash: A2018FB2510704AFD310DF5AD880B96BBF8FB48324F10882EF259CB241DBB5E541CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00444363, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0044436A

Part of subcall function 00448D7A: __EH_prolog3_GS.LIBCMT ref: 00448D81
Part of subcall function 00448D7A: RegQueryValueExW.KERNELBASE(?,?,00000000,00000008,00000000,@/L,0000005C,0041AB68,?,-80000001,?,?), ref: 00448DF6

Strings

Software\Microsoft\Internet Explorer, xrefs: 004443B7
Version, xrefs: 004443A2

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: H_prolog3H_prolog3_QueryValue
String ID: Software\Microsoft\Internet Explorer$Version
API String ID: 120832868-2486530099
Opcode ID: 935af105a3f34fd7b500136501f505a3ca7e55754b12084212923ea7f2258a87
Instruction ID: a89cf1324f751ed43803e79ba480f0b812e60ae89e9ddf8a08daddec77b2df58
Opcode Fuzzy Hash: 935af105a3f34fd7b500136501f505a3ca7e55754b12084212923ea7f2258a87
Instruction Fuzzy Hash: 1501AD75E40208BBFB00EAA5C807BEDBA78DB00B05F50005AF9106A1D2C7B90B0887D6

Uniqueness

Uniqueness Score: -1.00%

Function 00423130, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00423137

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 004231A8: __EH_prolog3_GS.LIBCMT ref: 004231AF

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

@/L, xrefs: 00423153
This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r, xrefs: 00423144

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
String ID: This setup was created with an EVALUATION VERSION of %s. Evaluation setups work for only %s hours after they were built. Please r$@/L
API String ID: 386487564-3451803044
Opcode ID: 0291b9688ed77f3055cdb3bd2a0f117027b27e2da0ad0566fb5caca0a9e5cd68
Instruction ID: 6318af1eb51a871e16069aa508c0218e751df367c3a0dd783ba5e53e3f6fcaf6
Opcode Fuzzy Hash: 0291b9688ed77f3055cdb3bd2a0f117027b27e2da0ad0566fb5caca0a9e5cd68
Instruction Fuzzy Hash: 2AF08134A00218EBDB01AFA1CC06FAE7B35EB44755F40452EF910672D1EBB88E1AD798

Uniqueness

Uniqueness Score: -1.00%

Function 00413370, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00413377

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00402CE0: GetLastError.KERNEL32(9518852C,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402D30
Part of subcall function 00402CE0: SetLastError.KERNEL32(?,004C2D7C,00000000,?,00000000,73B74C30,?,?,004AC418,000000FF,T4L,00401EE2,InstallShield.log,?), ref: 00402DA8

Part of subcall function 004133E7: __EH_prolog3_GS.LIBCMT ref: 004133F1

Part of subcall function 00403080: GetLastError.KERNEL32 ref: 004030E5
Part of subcall function 00403080: SetLastError.KERNEL32(T4L,00000000,00000000,000000FF), ref: 0040314E
Part of subcall function 00403080: GetLastError.KERNEL32(?), ref: 004031A4
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031BE
Part of subcall function 00403080: SysFreeString.OLEAUT32(?), ref: 004031CB
Part of subcall function 00403080: SetLastError.KERNEL32(?), ref: 004031EF

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

T4L, xrefs: 00413390
P/L, xrefs: 004133BA

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: P/L$T4L
API String ID: 2549205776-1441100843
Opcode ID: e37bd30d57ceee36bc4b4a87baf15b9ff6287911481c882afddc95a223b8c5c6
Instruction ID: b763208ce278c5f8c03f3cb59054bf6f2fdf53fa33c0287d29a305874c4e7743
Opcode Fuzzy Hash: e37bd30d57ceee36bc4b4a87baf15b9ff6287911481c882afddc95a223b8c5c6
Instruction Fuzzy Hash: 26F06D35A10118DADB15FBA1CC06BEDB778AF10309F10402EF4017B1C2CBB82A098B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A199, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0041A1A0

Part of subcall function 00408F6D: __EH_prolog3.LIBCMT ref: 00408F74
Part of subcall function 00408F6D: GetLastError.KERNEL32(00000004,004091E9,00000000,?,00000000,00000000), ref: 00408F96
Part of subcall function 00408F6D: SetLastError.KERNEL32(?,00000000,?), ref: 00408FCF

Part of subcall function 0040B91E: __EH_prolog3_GS.LIBCMT ref: 0040B925

Part of subcall function 00401B80: GetLastError.KERNEL32(?,00000000,00409F66,00000000,?,00000000,?,00000001,00000048,00409E02,004C2FA0,?,00000000,00000000,0000003C,00409181), ref: 00401B8F
Part of subcall function 00401B80: SysFreeString.OLEAUT32(00000000), ref: 00401BAB
Part of subcall function 00401B80: SysFreeString.OLEAUT32(0000002C), ref: 00401BB6
Part of subcall function 00401B80: SetLastError.KERNEL32(?), ref: 00401BD4

Strings

data1.hdr, xrefs: 0041A1B4
@/L, xrefs: 0041A1C3

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeH_prolog3_String$H_prolog3
String ID: @/L$data1.hdr
API String ID: 386487564-2701889144
Opcode ID: e2de4f68c8c16f9dc4d7d7f4a900c555f842d7c5ee88fd92726dfe01fd6a5e9d
Instruction ID: 44fac2e72bb5965a96635464470d8abd2e796e271420e83698ce917d9ad6b625
Opcode Fuzzy Hash: e2de4f68c8c16f9dc4d7d7f4a900c555f842d7c5ee88fd92726dfe01fd6a5e9d
Instruction Fuzzy Hash: 78F01C71910208DBD710EB91C942FEDB3B8EF54309F50406EF901A7181DFB86A0EDB98

Uniqueness

Uniqueness Score: -1.00%

Function 004269C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 25COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 004269C7

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

T4L, xrefs: 004269E2
P/LkB0, xrefs: 004269F4, 004269F7

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: P/LkB0$T4L
API String ID: 2549205776-1181445923
Opcode ID: 2b6a2613d80f628744ec83ae479d4c9eb35b78f78016363fc6b5e580b19f215c
Instruction ID: 2764ccb7cc8d0f3df9624fbe359fb5b201f6d4f4d7c6305ae1cf80716432c1ea
Opcode Fuzzy Hash: 2b6a2613d80f628744ec83ae479d4c9eb35b78f78016363fc6b5e580b19f215c
Instruction Fuzzy Hash: 18F082B5C01124DACB00AA818C01BDE7638EF40318F40402EFD146B282D7786A09DAD9

Uniqueness

Uniqueness Score: -1.00%

Function 00427295, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0042729C

Part of subcall function 004053A0: GetLastError.KERNEL32(9518852C,?,?,?,?,004AC278,000000FF), ref: 004053E2
Part of subcall function 004053A0: SetLastError.KERNEL32(?,00000000,00000000,000000FF,?,?,?,?,004AC278,000000FF), ref: 0040543E

Part of subcall function 00401AC0: GetLastError.KERNEL32(?,?,0040E566), ref: 00401ACF
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AEB
Part of subcall function 00401AC0: SysFreeString.OLEAUT32(?), ref: 00401AF6
Part of subcall function 00401AC0: SetLastError.KERNEL32(?), ref: 00401B14

Strings

P/L, xrefs: 004272CC, 004272CF
T4L, xrefs: 004272B4

Memory Dump Source

Source File: 00000000.00000002.933339828.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.933325079.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933461750.00000000004AE000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933501689.00000000004D7000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.933514591.00000000004DC000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933573616.0000000000509000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.933590377.0000000000519000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SureServoPROInstall_V4_1_0_5_DB2_0_8.jbxd

Similarity

API ID: ErrorLast$FreeString$H_prolog3_
String ID: P/L$T4L
API String ID: 2549205776-1441100843
Opcode ID: 5ea8fdc657a73314386296059046ed5f1981a06cde415b7b2ac2aea186381fe6
Instruction ID: ec96c01256b77d171a0eb5aa7ee8633f23eb00ce26d1f917aee4948139a75d17
Opcode Fuzzy Hash: 5ea8fdc657a73314386296059046ed5f1981a06cde415b7b2ac2aea186381fe6
Instruction Fuzzy Hash: DCE03075900118DBCF05FF928855BAD7378AF84318F40405EF9017B2C2CBB86A099A98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ISBEW64.exe PID: 6544 Parent PID: 6356 ISBEW64.exeCOMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.7%
Total number of Nodes:	434
Total number of Limit Nodes:	10

Executed Functions

Function 00007FF7F3981AD0, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 350
sleepwindowmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCommandLineW.KERNEL32 ref: 00007FF7F3981B02
CoInitialize.OLE32 ref: 00007FF7F3981B0D
GetCurrentThreadId.KERNEL32 ref: 00007FF7F3981B90
StringFromGUID2.OLE32 ref: 00007FF7F3981BF8
SysAllocString.OLEAUT32 ref: 00007FF7F3981C02
SysStringLen.OLEAUT32 ref: 00007FF7F3981C17
SysStringLen.OLEAUT32 ref: 00007FF7F3981C24
CharUpperBuffW.USER32 ref: 00007FF7F3981C2F
CharNextW.USER32 ref: 00007FF7F3981CD2
CharNextW.USER32 ref: 00007FF7F3981CE0
CharNextW.USER32 ref: 00007FF7F3981CF6
lstrcmpiW.KERNELBASE ref: 00007FF7F3981D1A
lstrcmpiW.KERNEL32 ref: 00007FF7F3981D32
CharNextW.USER32 ref: 00007FF7F3981D60
CharNextW.USER32 ref: 00007FF7F3981D6E
CharNextW.USER32 ref: 00007FF7F3981D81
CreateEventW.KERNEL32 ref: 00007FF7F3981DA2
CreateThread.KERNELBASE ref: 00007FF7F3981DD5
StringFromGUID2.OLE32 ref: 00007FF7F3981DF1
SysAllocString.OLEAUT32 ref: 00007FF7F3981DFB
SysFreeString.OLEAUT32 ref: 00007FF7F3981E0F
SysFreeString.OLEAUT32 ref: 00007FF7F3981E17
SysStringLen.OLEAUT32 ref: 00007FF7F3981E28
SysStringLen.OLEAUT32 ref: 00007FF7F3981E35
CharUpperBuffW.USER32 ref: 00007FF7F3981E40
CreateItemMoniker.OLE32 ref: 00007FF7F3981E94
Sleep.KERNEL32 ref: 00007FF7F3981EA5
GetRunningObjectTable.OLE32 ref: 00007FF7F3981ED9
Sleep.KERNEL32 ref: 00007FF7F3981F14
GetMessageW.USER32 ref: 00007FF7F3981F45
DispatchMessageW.USER32 ref: 00007FF7F3981F55
GetMessageW.USER32 ref: 00007FF7F3981F68
Sleep.KERNEL32 ref: 00007FF7F3981F83
SysFreeString.OLEAUT32 ref: 00007FF7F3981FA4
CoUninitialize.OLE32 ref: 00007FF7F3981FB6
SysFreeString.OLEAUT32 ref: 00007FF7F3981FBF

Strings

RegServer, xrefs: 00007FF7F3981D28
UnregServer, xrefs: 00007FF7F3981D10

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: String$Char$Next$Free$CreateMessageSleep$AllocBuffFromThreadUpperlstrcmpi$CommandCurrentDispatchEventInitializeItemLineMonikerObjectRunningTableUninitialize
String ID: RegServer$UnregServer
API String ID: 1937296366-1360048911
Opcode ID: 5bc4c8443623e7e6876561bb591e32ba5ff234cd11f360b304cdb9faa03ff9cb
Instruction ID: 35c83205de01d8daa56a80fd839d12eef19837fbebcfef504f3e2e42f038779e
Opcode Fuzzy Hash: 5bc4c8443623e7e6876561bb591e32ba5ff234cd11f360b304cdb9faa03ff9cb
Instruction Fuzzy Hash: 72F13E65A09B0381EB94EB25E454279A3A4FF88B9CFC44135DD6E6B6E4DF3CE444C3A0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7F39942FC, Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 460
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__doserrno.LIBCMT ref: 00007FF7F3994352
_errno.LIBCMT ref: 00007FF7F3994359
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F3994364

Strings

U, xrefs: 00007FF7F39948C6

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: __doserrno_errno_invalid_parameter_noinfo
String ID: U
API String ID: 3902385426-4171548499
Opcode ID: e19bac97072c5f6b12ccb88eb5d8fb4586a146a09138471d8271d9c422358717
Instruction ID: b61b6ab2c4298a08eb19a9bd10d2c391031a24177f205be87840ce86ee180a29
Opcode Fuzzy Hash: e19bac97072c5f6b12ccb88eb5d8fb4586a146a09138471d8271d9c422358717
Instruction Fuzzy Hash: 7E12F772A0964286EBA1EF24D44437EE7A8FB8478CF800135DAAD5B6D4DF3DE445CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3984230, Relevance: 10.8, APIs: 7, Instructions: 288COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F3984C50: CharNextW.USER32 ref: 00007FF7F3984C81

Part of subcall function 00007FF7F3984090: lstrcmpiW.KERNEL32 ref: 00007FF7F3984146

CharNextW.USER32(?,?,?,00000000,?,?,00000000,00007FF7F39852EA,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F39842E4
CharNextW.USER32 ref: 00007FF7F39843E8
CharNextW.USER32 ref: 00007FF7F3984408

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: CharNext$lstrcmpi
String ID:
API String ID: 3586774192-0
Opcode ID: 2140f4e05494fa98469b3810e3718b52fdc8c398a8337b0d38eb12e157c72e0d
Instruction ID: 9770322db91431a7ba8dc38331f4bad42dde68228a2f95c4b2804e4ddd2779ad
Opcode Fuzzy Hash: 2140f4e05494fa98469b3810e3718b52fdc8c398a8337b0d38eb12e157c72e0d
Instruction Fuzzy Hash: F4C1A4A2A0D68181EBB0EB15E4503BEE290FFC4798FC44135DAADAB6D5EF3CD4458790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987180, Relevance: 38.6, APIs: 11, Strings: 11, Instructions: 53
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987194
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F39871B0
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F39871C4
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F39871D8
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F39871EC
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987200
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987214
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987228
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F398723C
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987250
GetProcAddress.KERNEL32(?,?,?,00007FF7F3986330), ref: 00007FF7F3987264

Strings

AllocateAndInitializeSid, xrefs: 00007FF7F398721A
GetNamedSecurityInfoW, xrefs: 00007FF7F39871DE
FreeSid, xrefs: 00007FF7F3987256
advapi32.dll, xrefs: 00007FF7F398718D
LookupAccountNameW, xrefs: 00007FF7F39871A6
SetEntriesInAclW, xrefs: 00007FF7F39871F2
IsValidSid, xrefs: 00007FF7F39871B6
CreateWellKnownSid, xrefs: 00007FF7F398722E
CopySid, xrefs: 00007FF7F3987242
ConvertStringSidToSidW, xrefs: 00007FF7F39871CA
SetNamedSecurityInfoW, xrefs: 00007FF7F3987206

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AllocateAndInitializeSid$ConvertStringSidToSidW$CopySid$CreateWellKnownSid$FreeSid$GetNamedSecurityInfoW$IsValidSid$LookupAccountNameW$SetEntriesInAclW$SetNamedSecurityInfoW$advapi32.dll
API String ID: 667068680-2029814571
Opcode ID: 84e6760860ef51e4eb883a3ce056c1ce833777c9e96e671d10c9c34f4a73f4c6
Instruction ID: 70e3e0ed241f2126ba169e944676a289092b4f9762b47b2dc382addf7cde8b1f
Opcode Fuzzy Hash: 84e6760860ef51e4eb883a3ce056c1ce833777c9e96e671d10c9c34f4a73f4c6
Instruction Fuzzy Hash: D821D964A05B4392EF84EF12F954068A3A4FB4878CB845131C96D1B7A4EF3CE0A8C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988250, Relevance: 33.5, APIs: 14, Strings: 5, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7F3988680: GetLastError.KERNEL32 ref: 00007FF7F39886E9
Part of subcall function 00007FF7F3988680: SetLastError.KERNEL32 ref: 00007FF7F3988732

GetLastError.KERNEL32 ref: 00007FF7F39882C5
SetLastError.KERNEL32 ref: 00007FF7F39882F7
LocalFree.KERNEL32 ref: 00007FF7F39884A2
LocalFree.KERNEL32 ref: 00007FF7F39884B2
LocalFree.KERNEL32 ref: 00007FF7F39884EA
LocalFree.KERNEL32 ref: 00007FF7F39884FA
GetLastError.KERNEL32 ref: 00007FF7F3988510
SysFreeString.OLEAUT32 ref: 00007FF7F3988525
SysFreeString.OLEAUT32 ref: 00007FF7F3988536
SetLastError.KERNEL32 ref: 00007FF7F3988559
GetLastError.KERNEL32 ref: 00007FF7F398856F
SysFreeString.OLEAUT32 ref: 00007FF7F3988584
SysFreeString.OLEAUT32 ref: 00007FF7F3988595
SetLastError.KERNEL32 ref: 00007FF7F39885B8

Strings

Failed to set explicit access for new ACL, last error: 0x%08x, xrefs: 00007FF7F39884C3
Getting existing security descriptor for '%s', xrefs: 00007FF7F3988311
Setting new security descriptor for '%s', xrefs: 00007FF7F39883FC
Failed to set new security descriptor, last error: 0x%08x, xrefs: 00007FF7F398847B
Failed to obtain existing security descriptor, last error: 0x%08x, xrefs: 00007FF7F39883A2

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorFreeLast$LocalString
String ID: Failed to obtain existing security descriptor, last error: 0x%08x$Failed to set explicit access for new ACL, last error: 0x%08x$Failed to set new security descriptor, last error: 0x%08x$Getting existing security descriptor for '%s'$Setting new security descriptor for '%s'
API String ID: 2531705008-1991965274
Opcode ID: bcdc3f80537c52efd8b1e5005f2f0d1ed8b14b7b2810b649c61ca880fb6e1029
Instruction ID: 2efab2afac51d6653908d68dd69bdfd73537efb5e7e568b29cf3b2d41f6843fc
Opcode Fuzzy Hash: bcdc3f80537c52efd8b1e5005f2f0d1ed8b14b7b2810b649c61ca880fb6e1029
Instruction Fuzzy Hash: 0CB13E76A08B4285EB50EF65E8842ADB770FB84B8CF854135DE5D6BBA8DF38D444C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987280, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 183
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32 ref: 00007FF7F39872DF
SetLastError.KERNEL32 ref: 00007FF7F3987314
GetLastError.KERNEL32 ref: 00007FF7F3987324
SetLastError.KERNEL32 ref: 00007FF7F3987357
LocalAlloc.KERNEL32 ref: 00007FF7F39873A1
GetLastError.KERNEL32 ref: 00007FF7F3987448
GetLastError.KERNEL32 ref: 00007FF7F3987457
LocalFree.KERNEL32 ref: 00007FF7F3987482
GetLastError.KERNEL32 ref: 00007FF7F398749A
SysFreeString.OLEAUT32 ref: 00007FF7F39874AF
SysFreeString.OLEAUT32 ref: 00007FF7F39874C1
SetLastError.KERNEL32 ref: 00007FF7F39874E6
GetLastError.KERNEL32 ref: 00007FF7F39874FC
SysFreeString.OLEAUT32 ref: 00007FF7F3987511
SysFreeString.OLEAUT32 ref: 00007FF7F3987522
SetLastError.KERNEL32 ref: 00007FF7F3987545

Strings

Failed to lookup account name, SID is invalid, last error: 0x%08x, xrefs: 00007FF7F398744E
ResolveSidForAccountName: looking up account name '%s', xrefs: 00007FF7F3987371
Failed to lookup account name, last error: 0x%08x, xrefs: 00007FF7F398745D

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local$Alloc
String ID: Failed to lookup account name, SID is invalid, last error: 0x%08x$Failed to lookup account name, last error: 0x%08x$ResolveSidForAccountName: looking up account name '%s'
API String ID: 1840678336-906081134
Opcode ID: 1be10ffe9af31c367430b31e67318ac0cae0955967b81c4d1fbb6dbcfb8e04ff
Instruction ID: 49782a8924f18abe9729e5b222b5441615c2d1b3d5c14de623c0f45d66104c38
Opcode Fuzzy Hash: 1be10ffe9af31c367430b31e67318ac0cae0955967b81c4d1fbb6dbcfb8e04ff
Instruction Fuzzy Hash: 02917E32A08B4186EB40EF64E8842ADB7B4FB84B88F954135DE5D6BBA8CF3CD445C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3983BA0, Relevance: 30.0, APIs: 13, Strings: 4, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wcsstr.LIBCMT ref: 00007FF7F3983C88
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983C9A
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983CA6
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983CB2
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983CBE
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983D03
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983D93
CharNextW.USER32(?,?,?,?,?,?,?,?,?,00000000,00007FF7F3985A15), ref: 00007FF7F3983ED7

Strings

REGISTRY, xrefs: 00007FF7F3983BAA
HKCU{Software{Classes, xrefs: 00007FF7F3983CD0
}}, xrefs: 00007FF7F3983D66
HKCR, xrefs: 00007FF7F3983C7E

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: CharNext$wcsstr
String ID: }}$HKCR$HKCU{Software{Classes$REGISTRY
API String ID: 1366738116-2791478717
Opcode ID: 074a6748b16ed0bfb4cf8bd51e8a3b64cad7256ce1b8570ead8c36fc8906cce4
Instruction ID: 5aacc84dcf846379e75a2f0ddad228ee9bdcf62e0a7f39d236c5ce50ba104ba8
Opcode Fuzzy Hash: 074a6748b16ed0bfb4cf8bd51e8a3b64cad7256ce1b8570ead8c36fc8906cce4
Instruction Fuzzy Hash: E6A1AA6AA0964381FBE0FB11E490279A2A4BFC8758FC84539DE6D6B3D5DF3CD45183A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987EF0, Relevance: 25.7, APIs: 17, Instructions: 223COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F3987580: LocalAlloc.KERNEL32 ref: 00007FF7F3987A94

GetLastError.KERNEL32 ref: 00007FF7F3987F60
SetLastError.KERNEL32 ref: 00007FF7F3987FB0
GetLastError.KERNEL32 ref: 00007FF7F3987FEE
SysFreeString.OLEAUT32 ref: 00007FF7F3988003
SysFreeString.OLEAUT32 ref: 00007FF7F3988015
SetLastError.KERNEL32 ref: 00007FF7F398803C
GetLastError.KERNEL32 ref: 00007FF7F398809E
SetLastError.KERNEL32 ref: 00007FF7F39880CF

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString$AllocLocal
String ID:
API String ID: 3608337604-0
Opcode ID: 60857f4634bed0177deaa94ad0c8b48c4106235a83ad3e29d2830e47be4e17e8
Instruction ID: 4f5014d5989d1b61c9188fc677981821732f8e0a5891637d01942467e3d794ce
Opcode Fuzzy Hash: 60857f4634bed0177deaa94ad0c8b48c4106235a83ad3e29d2830e47be4e17e8
Instruction Fuzzy Hash: 5DA16F22B19B0185EB90EF60E8402ADA375FB8479CF854135DE6D6BBE4DF38D449C3A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3985A60, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F3985B24
free.LIBCMT ref: 00007FF7F3985B38
GetModuleFileNameW.KERNEL32 ref: 00007FF7F3985B75
free.LIBCMT ref: 00007FF7F3985BB5
free.LIBCMT ref: 00007FF7F3985BC9
GetModuleHandleW.KERNEL32 ref: 00007FF7F3985C2F
memcpy_s.LIBCMT ref: 00007FF7F3985C85
free.LIBCMT ref: 00007FF7F3985CB1
free.LIBCMT ref: 00007FF7F3985CC5

Part of subcall function 00007FF7F3983740: _recalloc.LIBCMT ref: 00007FF7F398384E
Part of subcall function 00007FF7F3983740: _recalloc.LIBCMT ref: 00007FF7F398386D

Part of subcall function 00007FF7F398AC3C: __report_securityfailure.LIBCMT ref: 00007FF7F398AC45

free.LIBCMT ref: 00007FF7F3985D84
free.LIBCMT ref: 00007FF7F3985D98

Strings

Module, xrefs: 00007FF7F3985D19
REGISTRY, xrefs: 00007FF7F3985DC2
Module_Raw, xrefs: 00007FF7F3985D4B

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: free$Module_recalloc$FileHandleName__report_securityfailurememcpy_s
String ID: Module$Module_Raw$REGISTRY
API String ID: 4185311596-549000027
Opcode ID: fc6a002382f73909d30991a361c5752ec3cbe02e5570742768dd36661009f56e
Instruction ID: 80d4859f82c5f0680165b1da15a3f0639d46778e4808e6be5b54f7f81ff946b1
Opcode Fuzzy Hash: fc6a002382f73909d30991a361c5752ec3cbe02e5570742768dd36661009f56e
Instruction Fuzzy Hash: 17A192A2A1968281EBD0FB5494802B9E3A0FFC4748FC41535EA6E6E6D5DF3CD449C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39831F0, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 234COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F39832B4
free.LIBCMT ref: 00007FF7F39832C8
GetModuleFileNameW.KERNEL32 ref: 00007FF7F3983305
free.LIBCMT ref: 00007FF7F3983345
free.LIBCMT ref: 00007FF7F3983359
GetModuleHandleW.KERNEL32 ref: 00007FF7F39833BF
memcpy_s.LIBCMT ref: 00007FF7F3983415
free.LIBCMT ref: 00007FF7F3983441
free.LIBCMT ref: 00007FF7F3983455
free.LIBCMT ref: 00007FF7F3983514
free.LIBCMT ref: 00007FF7F3983528

Strings

Module, xrefs: 00007FF7F39834A9
REGISTRY, xrefs: 00007FF7F3983538
Module_Raw, xrefs: 00007FF7F39834DB

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: free$Module$FileHandleNamememcpy_s
String ID: Module$Module_Raw$REGISTRY
API String ID: 407555004-549000027
Opcode ID: ba9889bf9decb8d578d97dd4d759e3e39ad60c85b520a686f8b4db03afad92e4
Instruction ID: d7a6f509a44f1fb5d2ecff227e64bcfb64a79b1d6634c2820e15e255d0efafe4
Opcode Fuzzy Hash: ba9889bf9decb8d578d97dd4d759e3e39ad60c85b520a686f8b4db03afad92e4
Instruction Fuzzy Hash: 05A184A6A1964285EF90FF60D4802B9E3A0FFC4748FC81539EA6E5E6D5DF3CD44187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3986930, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133memorylibraryloaderCOMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7F3986962
SysAllocString.OLEAUT32 ref: 00007FF7F3986970
SysFreeString.OLEAUT32 ref: 00007FF7F3986991
SysAllocString.OLEAUT32 ref: 00007FF7F398699F
SysFreeString.OLEAUT32 ref: 00007FF7F39869C0
SysAllocString.OLEAUT32 ref: 00007FF7F39869CE
SysFreeString.OLEAUT32 ref: 00007FF7F39869F1
SysAllocString.OLEAUT32 ref: 00007FF7F39869FF
LoadLibraryW.KERNEL32 ref: 00007FF7F3986A78
GetProcAddress.KERNEL32 ref: 00007FF7F3986AA5
FreeLibrary.KERNEL32 ref: 00007FF7F3986AB3
FreeLibrary.KERNEL32 ref: 00007FF7F3986AE7

Part of subcall function 00007FF7F3985FE0: _CxxThrowException.LIBCMT ref: 00007FF7F3985FF4

Strings

DriverPackagePreinstallW, xrefs: 00007FF7F3986A9B

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: String$Free$Alloc$Library$AddressExceptionLoadProcThrow
String ID: DriverPackagePreinstallW
API String ID: 3942836785-4107050277
Opcode ID: b5f73ccbdd6ec436d716cc2720aee4fe7c3d36d0d683c2ee5eaff0d6718158f5
Instruction ID: 47efe9f382da37efc2db84cd21cd385f2375d642e4ddab181141b9e6aba7f978
Opcode Fuzzy Hash: b5f73ccbdd6ec436d716cc2720aee4fe7c3d36d0d683c2ee5eaff0d6718158f5
Instruction Fuzzy Hash: 14518565B09B4281EB94EF11A54013DE3A4FF84BC8FD44535DA6E2FB98DE3CD8518394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F398EAAC, Relevance: 19.6, APIs: 13, Instructions: 83COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F398EACB

Part of subcall function 00007FF7F398A4BC: HeapFree.KERNEL32(?,?,00000000,00007FF7F398EC6E,?,?,?,00007FF7F398CA7D,?,?,?,?,00007FF7F398A7EE,?,?,?), ref: 00007FF7F398A4D2
Part of subcall function 00007FF7F398A4BC: _errno.LIBCMT ref: 00007FF7F398A4DC
Part of subcall function 00007FF7F398A4BC: GetLastError.KERNEL32(?,?,00000000,00007FF7F398EC6E,?,?,?,00007FF7F398CA7D,?,?,?,?,00007FF7F398A7EE,?,?,?), ref: 00007FF7F398A4E4

free.LIBCMT ref: 00007FF7F398EAD9
free.LIBCMT ref: 00007FF7F398EAE7
free.LIBCMT ref: 00007FF7F398EAF5
free.LIBCMT ref: 00007FF7F398EB03
free.LIBCMT ref: 00007FF7F398EB11
free.LIBCMT ref: 00007FF7F398EB22
free.LIBCMT ref: 00007FF7F398EB3A
_lock.LIBCMT ref: 00007FF7F398EB46
free.LIBCMT ref: 00007FF7F398EB73
_lock.LIBCMT ref: 00007FF7F398EB85
__freetlocinfo.LIBCMT ref: 00007FF7F398EBBC
free.LIBCMT ref: 00007FF7F398EBCF

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast__freetlocinfo_errno
String ID:
API String ID: 439417960-0
Opcode ID: fa421d6db3a778660406ec41066898428794a47d2a567865574af7303690ffb6
Instruction ID: d706b94221fc7de27759e1737db8a1715d93a73a54d70ed620e766506331d1f3
Opcode Fuzzy Hash: fa421d6db3a778660406ec41066898428794a47d2a567865574af7303690ffb6
Instruction Fuzzy Hash: F831C451F0B50245FFD5FBA690A1278A251BFC4B48FC81935DA7E2A7C6CE2CA84182F5

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987CBD, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 693b532586f308176d3bf9504c91d1c2ec513457d2841a69b1d8d377a0888b53
Instruction ID: d9c7f00f75508f032132fe65622a2d4ed5283bf5afd71ec59f9ec7950409c0b6
Opcode Fuzzy Hash: 693b532586f308176d3bf9504c91d1c2ec513457d2841a69b1d8d377a0888b53
Instruction Fuzzy Hash: 35411772B08B418AEB50DF60E4846AC63B4FB84B8CF854025DE5E6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987C17, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fed08b9580209316d893bee39cdd5bb29f8a1855689360e9f329db51b5da4fd4
Instruction ID: f28c6a8f8374ecbe1976450ab78188309d0613da163a559a70e26551ca511c9c
Opcode Fuzzy Hash: fed08b9580209316d893bee39cdd5bb29f8a1855689360e9f329db51b5da4fd4
Instruction Fuzzy Hash: 8C410772B08B428AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987C2F, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 246332e3d8c9c1a2cb36936495cf072ca57cc48215e311b5286cec6add37176a
Instruction ID: 3642613d9def9a7d43accf60045457edc6a681f261eb2d39ed0faf544d73a86e
Opcode Fuzzy Hash: 246332e3d8c9c1a2cb36936495cf072ca57cc48215e311b5286cec6add37176a
Instruction Fuzzy Hash: C3411772B08B418AEB50DF60E4846AC63B4FB84B8CF854025DE5D6BBA8DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987C7E, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: b9990e2c3c67bce92867840fd1c2f645be77ace9138a1ce10f8e994c3d004d8e
Instruction ID: 4d4732ee52c7e949611b93476e645932800b78408257a22f1b8599d47f2f6daa
Opcode Fuzzy Hash: b9990e2c3c67bce92867840fd1c2f645be77ace9138a1ce10f8e994c3d004d8e
Instruction Fuzzy Hash: EC410772B08B428AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987C93, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 05bdd9d4dfa683bc198153fbb89f0b5f81791e1a92e0d1ca645bfbe30e7aff55
Instruction ID: cb16e8c1f0db1995cc3df458a59ab138ef6cd8942583ff0d864c2ccb7d6ef704
Opcode Fuzzy Hash: 05bdd9d4dfa683bc198153fbb89f0b5f81791e1a92e0d1ca645bfbe30e7aff55
Instruction Fuzzy Hash: A3411772B08B418AEB50DF60E4846AC63B4FB84B8CF854025DE5D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987C5C, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 1f0040e6e1357d21d9cdba0731e024847ab69b30e52a439d9e5b53f575b1197e
Instruction ID: 1ef8292c161b8646da7022fcc5dc83fd5d629e1d8ea6f477a6bec070b40fccbe
Opcode Fuzzy Hash: 1f0040e6e1357d21d9cdba0731e024847ab69b30e52a439d9e5b53f575b1197e
Instruction Fuzzy Hash: 12411772B08B428AEB50EF60E4446AC63B4FB84B8CF854035DE5D6BBA4DF38D554C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987BBA, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 693c4bd5f7b33fc096f213316133fba76ba750c722dbcfb29a60170a2f216654
Instruction ID: 7ca6752f6e484248ad969b48b0dde9730ef17ddcf9752463c13cdb5ff2e8b812
Opcode Fuzzy Hash: 693c4bd5f7b33fc096f213316133fba76ba750c722dbcfb29a60170a2f216654
Instruction Fuzzy Hash: 83411772B08B418AEB50DF60E4846AC63B4FB84B8CF854025DE5D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987BFF, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: dcb6e8490fac3f7b4910042abcf1eeafe2ef40816db996d6deee2435cbfb7e2a
Instruction ID: 8fe1c60dea022064f888b61633b3f8d2649e7a920ebf1713999bb76aa41b74ce
Opcode Fuzzy Hash: dcb6e8490fac3f7b4910042abcf1eeafe2ef40816db996d6deee2435cbfb7e2a
Instruction Fuzzy Hash: 04410772B08B428AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987BE7, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: 30dc27eae12e39a0f4ea31bdaa6e3fe23c65545e337024bd26e94c460bc763d8
Instruction ID: c18f299dbe9e8c6cceb9636b890d919448847e2bceacfc249f2ac835ea6722b3
Opcode Fuzzy Hash: 30dc27eae12e39a0f4ea31bdaa6e3fe23c65545e337024bd26e94c460bc763d8
Instruction Fuzzy Hash: D9410772B08B428AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987B53, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fd812567e9577e01c1738429a0f033160fb4034ebf0d87c8d086c1776cf8d419
Instruction ID: 78a187c5752fe3c6d8273ba4d9d53bf1b0975c5343d5835203a7790eb02c0b0e
Opcode Fuzzy Hash: fd812567e9577e01c1738429a0f033160fb4034ebf0d87c8d086c1776cf8d419
Instruction Fuzzy Hash: 4A411772B08B428AEB50EF60E4446AC63B4FB84B8CF854025DE5D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987B8D, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: fd805d4eeaea8dd29ef65f8dacde4d9d53d41a7380c549beb590abe03af0f113
Instruction ID: 5956af02721d0695250c3759ef06ecedbfa6fefa84ea73fdf8cefbfb10798d21
Opcode Fuzzy Hash: fd805d4eeaea8dd29ef65f8dacde4d9d53d41a7380c549beb590abe03af0f113
Instruction Fuzzy Hash: CB411772B08B418AEB50DF60E4846AC63B4FB84B8CF854025DE5D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987B75, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: cf3f2168058aecf24eb9c7b669e96b24dad73daa5592df62ebd42dacd0ce913c
Instruction ID: 1c5feb6a3c3ce80b2424cbf7caa93d2be6c44bdc2ea3ed2320370746628e06ec
Opcode Fuzzy Hash: cf3f2168058aecf24eb9c7b669e96b24dad73daa5592df62ebd42dacd0ce913c
Instruction Fuzzy Hash: 03410772B08B428AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3987CE7, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3987D83
SetLastError.KERNEL32 ref: 00007FF7F3987DB5
GetLastError.KERNEL32 ref: 00007FF7F3987DBC
GetLastError.KERNEL32 ref: 00007FF7F3987DF2
SysFreeString.OLEAUT32 ref: 00007FF7F3987E07
SysFreeString.OLEAUT32 ref: 00007FF7F3987E18
SetLastError.KERNEL32 ref: 00007FF7F3987E3B
LocalFree.KERNEL32 ref: 00007FF7F3987E44

Strings

Failed to lookup wellknown account, last error: 0x%x, xrefs: 00007FF7F3987DC5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$Free$String$Local
String ID: Failed to lookup wellknown account, last error: 0x%x
API String ID: 276242039-1017437273
Opcode ID: ca456e6154c185883a7ab7d204b9b5dee28072816d1342879dafb4ca575ff487
Instruction ID: b5b41179dab86f2f28bf93831183c78aae4606ec384dc4c5f36c13f4bcf890a5
Opcode Fuzzy Hash: ca456e6154c185883a7ab7d204b9b5dee28072816d1342879dafb4ca575ff487
Instruction Fuzzy Hash: B3410872B08B418AEB50DF60E4446AC73B4FB84B8CF854025DE6D6BBA4DF38D555C394

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3994A38, Relevance: 15.1, APIs: 10, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F3994A63

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

__doserrno.LIBCMT ref: 00007FF7F3994A5B

Part of subcall function 00007FF7F398CA04: _getptd_noexit.LIBCMT ref: 00007FF7F398CA08

__lock_fhandle.LIBCMT ref: 00007FF7F3994AA7
_lseeki64_nolock.LIBCMT ref: 00007FF7F3994AC0
_unlock_fhandle.LIBCMT ref: 00007FF7F3994AE3

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_lseeki64_nolock_unlock_fhandle
String ID:
API String ID: 2644381645-0
Opcode ID: 5643f2ad640c8eb69d91a1124a95a6ce3e52d5571ae8de93a49c8d10b53f987b
Instruction ID: ec6b095c335e1b73bd6ca68a7c88b454cdd6cb968217ede30d269812ab730958
Opcode Fuzzy Hash: 5643f2ad640c8eb69d91a1124a95a6ce3e52d5571ae8de93a49c8d10b53f987b
Instruction Fuzzy Hash: D421A122A1A14245F786FB5598413BEE5547F80BB9FC94334EA3D2E2D2CE3CA441C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F399421C, Relevance: 13.6, APIs: 9, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F3994247

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

__doserrno.LIBCMT ref: 00007FF7F399423F

Part of subcall function 00007FF7F398CA04: _getptd_noexit.LIBCMT ref: 00007FF7F398CA08

__lock_fhandle.LIBCMT ref: 00007FF7F399428B
_unlock_fhandle.LIBCMT ref: 00007FF7F39942C5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_errno_unlock_fhandle
String ID:
API String ID: 2464146582-0
Opcode ID: 7ddf8111dec1d2acb419462a403fd4b886fa9ef18d24a6e5ae1a262345caade3
Instruction ID: 3079376c330118669d685be4fa8386e333871858387d8290c87da57fd0edbfce
Opcode Fuzzy Hash: 7ddf8111dec1d2acb419462a403fd4b886fa9ef18d24a6e5ae1a262345caade3
Instruction Fuzzy Hash: C821CF22E1918245F792FB5598413BDE5507F81BA9FC94234EA3D2E2D6CE7CA441CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39957F8, Relevance: 13.6, APIs: 9, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F3995811

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

__lock_fhandle.LIBCMT ref: 00007FF7F3995859
FlushFileBuffers.KERNEL32(00000001,00000000,00000000,00007FF7F3995002,?,?,00000001,00007FF7F399512D,?,?,?,?,?,00007FF7F3994059), ref: 00007FF7F3995874
GetLastError.KERNEL32(?,?,00000001,00007FF7F399512D,?,?,?,?,?,00007FF7F3994059), ref: 00007FF7F399587E
__doserrno.LIBCMT ref: 00007FF7F399588E
_errno.LIBCMT ref: 00007FF7F3995895
_unlock_fhandle.LIBCMT ref: 00007FF7F39958A5

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _errno$BuffersErrorFileFlushLast__doserrno__lock_fhandle_getptd_noexit_unlock_fhandle
String ID:
API String ID: 2927645455-0
Opcode ID: 5a95f67ae4511fd2b7f7b0cdcb097bcc4a2120927f3b95a3fec189a784014385
Instruction ID: c2cfe40e6a1a56f13e6b73a78fe3ae0fd9b1eea992a0b9d04dc88cec9de3beb0
Opcode Fuzzy Hash: 5a95f67ae4511fd2b7f7b0cdcb097bcc4a2120927f3b95a3fec189a784014385
Instruction Fuzzy Hash: DF21C921E0964645F7D5FFA6948127EE654AF81798FC90234D63D2E3D2CE7CA84187B0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3995A10, Relevance: 13.6, APIs: 9, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F3995A31

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

__doserrno.LIBCMT ref: 00007FF7F3995A29

Part of subcall function 00007FF7F398CA04: _getptd_noexit.LIBCMT ref: 00007FF7F398CA08

__lock_fhandle.LIBCMT ref: 00007FF7F3995A75
_close_nolock.LIBCMT ref: 00007FF7F3995A88
_unlock_fhandle.LIBCMT ref: 00007FF7F3995AA1

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno__lock_fhandle_close_nolock_errno_unlock_fhandle
String ID:
API String ID: 2140805544-0
Opcode ID: e185883d29ff37fee1d728bcfbeb3caf632dd640ad265a1f8cd7f0636dbe035f
Instruction ID: ee6b3b137baa46f4ad677d4ad3a9c9d6e278521d5c2ee3bc6c1d11de71b9dc31
Opcode Fuzzy Hash: e185883d29ff37fee1d728bcfbeb3caf632dd640ad265a1f8cd7f0636dbe035f
Instruction Fuzzy Hash: 73110522A0A28245F785FF24988027EE654BF817A8FD50234D53E1F2D2CE7CA84187B4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3984B90, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F3984B05
GetProcAddress.KERNEL32 ref: 00007FF7F3984B1A
GetModuleHandleW.KERNEL32 ref: 00007FF7F3984BCE
GetProcAddress.KERNEL32 ref: 00007FF7F3984BE3

Strings

RegDeleteKeyTransactedW, xrefs: 00007FF7F3984B10
RegDeleteKeyExW, xrefs: 00007FF7F3984BD9
Advapi32.dll, xrefs: 00007FF7F3984AFE, 00007FF7F3984BC7

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW$RegDeleteKeyTransactedW
API String ID: 1646373207-1053001802
Opcode ID: eea277f1f71c6c2489efe69601a21584980abdb915dae3f5316235e355755337
Instruction ID: 249b4222042a2e5175b429bdeb9e853e4de8a66b575949b64da3cb9b840fd7d3
Opcode Fuzzy Hash: eea277f1f71c6c2489efe69601a21584980abdb915dae3f5316235e355755337
Instruction Fuzzy Hash: B3315C61A0DA4281EB90DB06E440369A360FF88BC8F984131CE6D5B7E4DF3CE49587A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39920FF, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBCMT ref: 00007FF7F399212A
RaiseException.KERNEL32 ref: 00007FF7F3992153
__DestructExceptionObject.LIBCMT ref: 00007FF7F39921B4
_getptd.LIBCMT ref: 00007FF7F3992107

Part of subcall function 00007FF7F398EBE0: _getptd_noexit.LIBCMT ref: 00007FF7F398EBE6

_getptd.LIBCMT ref: 00007FF7F39921B9
_getptd.LIBCMT ref: 00007FF7F39921C5

Strings

csm, xrefs: 00007FF7F3992187

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Exception_getptd$DestructObject$Raise_getptd_noexit
String ID: csm
API String ID: 2851507484-1018135373
Opcode ID: b5695b636a9301137933f94334d950e4a84ce6f1cca4a2e6f0b5ad8dad319add
Instruction ID: 67410f51afd3d3f6857466be789603a280f36e3d2a1dfd4b545d7c004f84506a
Opcode Fuzzy Hash: b5695b636a9301137933f94334d950e4a84ce6f1cca4a2e6f0b5ad8dad319add
Instruction Fuzzy Hash: 40211C7650964686E770EB16E04036EB364F785BA8F844232DFAD17B95CF38E4468B90

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F398A04C, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F398A07B
GetProcAddress.KERNEL32 ref: 00007FF7F398A090
EncodePointer.KERNEL32 ref: 00007FF7F398A09C
DecodePointer.KERNEL32 ref: 00007FF7F398A0AB
InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 00007FF7F398A0CA

Strings

kernel32.dll, xrefs: 00007FF7F398A074
InitializeCriticalSectionEx, xrefs: 00007FF7F398A086

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Pointer$AddressCountCriticalDecodeEncodeHandleInitializeModuleProcSectionSpin
String ID: InitializeCriticalSectionEx$kernel32.dll
API String ID: 131412094-2762503851
Opcode ID: f228baa645d9034c08075660ba394ddcedfefc4a093bf15476359028fb448dad
Instruction ID: 4ae3236c40f729b2c71cc4181a4dea29180469ac1fb7a6eb9cb6a8abbc778e26
Opcode Fuzzy Hash: f228baa645d9034c08075660ba394ddcedfefc4a093bf15476359028fb448dad
Instruction Fuzzy Hash: E2015E20B0AA4282EB94EF02B410139E3A4FF89BC8FD84034DD6E1B794DE3CE44187A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39813D0, Relevance: 12.2, APIs: 8, Instructions: 221COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7F398143A
GetModuleFileNameW.KERNEL32 ref: 00007FF7F39814BC
GetModuleFileNameW.KERNEL32 ref: 00007FF7F39814E9
LoadTypeLib.OLEAUT32 ref: 00007FF7F39814F9
new.LIBCMT ref: 00007FF7F3981668
EnterCriticalSection.KERNEL32 ref: 00007FF7F398168E
LeaveCriticalSection.KERNEL32 ref: 00007FF7F39816A4
LeaveCriticalSection.KERNEL32 ref: 00007FF7F3981715

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: CriticalSection$EnterFileLeaveModuleName$LoadType
String ID:
API String ID: 1214901732-0
Opcode ID: f4cbecc4a7ccbc3adac25dfa60ba73628258adb59bb4a2edbefa53881256ea69
Instruction ID: 01030bca48701a1558cba039bba4a1d9132bb5a1c857684aed8cb31b59d46435
Opcode Fuzzy Hash: f4cbecc4a7ccbc3adac25dfa60ba73628258adb59bb4a2edbefa53881256ea69
Instruction Fuzzy Hash: 7EB17072A09B4682EFA0EF15E440279B3A0FB84B98FD44136DAAD5B7A4DF3CD444C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988760, Relevance: 12.1, APIs: 8, Instructions: 107COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F39887BA
SetLastError.KERNEL32 ref: 00007FF7F3988808
GetLastError.KERNEL32 ref: 00007FF7F398883A
SetLastError.KERNEL32 ref: 00007FF7F398887F
GetLastError.KERNEL32 ref: 00007FF7F3988895
SysFreeString.OLEAUT32 ref: 00007FF7F39888AA
SysFreeString.OLEAUT32 ref: 00007FF7F39888BB
SetLastError.KERNEL32 ref: 00007FF7F39888DE

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 4125032da62b5756a030140f559538396ea528ba8c92d6de4d55c944487ee5c0
Instruction ID: d0e065f97851ea07e9f465836b66080702d58102224c69b0bd7e2012711d6d1c
Opcode Fuzzy Hash: 4125032da62b5756a030140f559538396ea528ba8c92d6de4d55c944487ee5c0
Instruction Fuzzy Hash: 1E516C32B14B419AE750EF64E8802AC7375FB4476CF804225DE6D2BAE8CF38D52AC354

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3989420, Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3989477
SetLastError.KERNEL32 ref: 00007FF7F39894A9

Part of subcall function 00007FF7F3989670: MultiByteToWideChar.KERNEL32 ref: 00007FF7F39896BF
Part of subcall function 00007FF7F3989670: MultiByteToWideChar.KERNEL32 ref: 00007FF7F39896F7

GetLastError.KERNEL32 ref: 00007FF7F39894C6
SetLastError.KERNEL32 ref: 00007FF7F398950B
GetLastError.KERNEL32 ref: 00007FF7F3989521
SysFreeString.OLEAUT32 ref: 00007FF7F3989536
SysFreeString.OLEAUT32 ref: 00007FF7F3989547
SetLastError.KERNEL32 ref: 00007FF7F398956A

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$ByteCharFreeMultiStringWide
String ID:
API String ID: 2284902721-0
Opcode ID: 71c7a5411cd3f7243ce6a693d568e214949771d1b599ac70f8f2d65f723928cd
Instruction ID: 151416fae5199ac464ca860dccb605372584f13024ed81d0eacf550db1fd4ca4
Opcode Fuzzy Hash: 71c7a5411cd3f7243ce6a693d568e214949771d1b599ac70f8f2d65f723928cd
Instruction Fuzzy Hash: 81413832B14B41CAE750DF65E8406ACB375FB4476CF804225DE6E6BAA4CF38D515C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3985870, Relevance: 10.6, APIs: 7, Instructions: 130libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7F39858C3
LoadLibraryExW.KERNEL32 ref: 00007FF7F39858DF
FindResourceW.KERNEL32 ref: 00007FF7F3985907
LoadResource.KERNEL32 ref: 00007FF7F3985925

Part of subcall function 00007FF7F3983990: GetLastError.KERNEL32 ref: 00007FF7F3983994

FreeLibrary.KERNEL32 ref: 00007FF7F3985A1F

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: LibraryLoad$Resource$ErrorFindFreeLast
String ID:
API String ID: 328770362-0
Opcode ID: 83fff9b73e1520b67942c86f64d3f9012a5179035259967cec8d8829c2d5b1f2
Instruction ID: 47508d22d7bae278e6eedf7ebf4146254965d1679c1059b92b3bb0b58048a23d
Opcode Fuzzy Hash: 83fff9b73e1520b67942c86f64d3f9012a5179035259967cec8d8829c2d5b1f2
Instruction Fuzzy Hash: 4A51B761A1974282FB90EB25A48037DE290BFC47E8FD04135DA6E6BBD4EF3CD8068750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3984C50, Relevance: 10.6, APIs: 7, Instructions: 125COMMON

Download Yara Rule

APIs

CharNextW.USER32 ref: 00007FF7F3984C81
CharNextW.USER32 ref: 00007FF7F3984CCE
CharNextW.USER32 ref: 00007FF7F3984CEA
CharNextW.USER32 ref: 00007FF7F3984CFF
CharNextW.USER32 ref: 00007FF7F3984D0E
CharNextW.USER32 ref: 00007FF7F3984D6A

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: CharNext
String ID:
API String ID: 3213498283-0
Opcode ID: ef4bb7b09230f5b24fc89cf32076482d06b0a936b85f5278b4b737d4ff19c5ca
Instruction ID: f7300b756bae085562bdf49a5e04cefd3e2001531793b37657052e3ce5134351
Opcode Fuzzy Hash: ef4bb7b09230f5b24fc89cf32076482d06b0a936b85f5278b4b737d4ff19c5ca
Instruction Fuzzy Hash: 9E514C63609A4281EB90EF51E44017DA3A4FF98B9CBC58431DB5D5B794EF3CE861C364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988F70, Relevance: 10.6, APIs: 7, Instructions: 96COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3988FC5
SetLastError.KERNEL32 ref: 00007FF7F3988FFE

Part of subcall function 00007FF7F3989420: GetLastError.KERNEL32 ref: 00007FF7F3989477
Part of subcall function 00007FF7F3989420: SetLastError.KERNEL32 ref: 00007FF7F39894A9
Part of subcall function 00007FF7F3989420: GetLastError.KERNEL32 ref: 00007FF7F39894C6
Part of subcall function 00007FF7F3989420: SetLastError.KERNEL32 ref: 00007FF7F398950B
Part of subcall function 00007FF7F3989420: GetLastError.KERNEL32 ref: 00007FF7F3989521
Part of subcall function 00007FF7F3989420: SysFreeString.OLEAUT32 ref: 00007FF7F3989536
Part of subcall function 00007FF7F3989420: SysFreeString.OLEAUT32 ref: 00007FF7F3989547
Part of subcall function 00007FF7F3989420: SetLastError.KERNEL32 ref: 00007FF7F398956A

GetLastError.KERNEL32 ref: 00007FF7F398906D
SysFreeString.OLEAUT32 ref: 00007FF7F3989084
SysFreeString.OLEAUT32 ref: 00007FF7F3989097
SetLastError.KERNEL32 ref: 00007FF7F39890BD
SetLastError.KERNEL32 ref: 00007FF7F39890CE

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 5b1844774a3730a4c401fcdd7eb98e2674964bcd42cd8f461641e1d433cd3978
Instruction ID: 91a0b58c0138418d3b20700160f70ced2f8b317170b40743176dd402ca63da5f
Opcode Fuzzy Hash: 5b1844774a3730a4c401fcdd7eb98e2674964bcd42cd8f461641e1d433cd3978
Instruction Fuzzy Hash: E8418B32609B41C2DB90DF15E88872DB3A8FB84B99F864235DAAE577A4CF38D055C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39921FC, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F399221D
_getptd.LIBCMT ref: 00007FF7F399222B
_getptd.LIBCMT ref: 00007FF7F399223D

Strings

MOC, xrefs: 00007FF7F399220B
RCC, xrefs: 00007FF7F3992203
csm, xrefs: 00007FF7F3992213

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd
String ID: MOC$RCC$csm
API String ID: 3186804695-2671469338
Opcode ID: 52a676c318d9f561739adc68f3d1ab0a26b7cd326f18b110937b7493f301e68e
Instruction ID: bb317a7defd462adaa95679b1808c310551f1c438676d5fdade088bfbd1ee533
Opcode Fuzzy Hash: 52a676c318d9f561739adc68f3d1ab0a26b7cd326f18b110937b7493f301e68e
Instruction Fuzzy Hash: A7F0FE35D0A10BC6E7E9BB5580153BCA194BB95B1DFD58571D2A81E3C28B7C64808AB2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39848B0, Relevance: 9.1, APIs: 6, Instructions: 95registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00007FF7F3984911
RegCloseKey.ADVAPI32 ref: 00007FF7F398492B
RegEnumKeyExW.ADVAPI32 ref: 00007FF7F398497D
RegEnumKeyExW.ADVAPI32 ref: 00007FF7F39849D5
RegCloseKey.ADVAPI32 ref: 00007FF7F39849E9
RegCloseKey.ADVAPI32 ref: 00007FF7F3984A11

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Close$Enum$Open
String ID:
API String ID: 4245071059-0
Opcode ID: 1f91b833b11f9de3fa471eaad69c4379b7c5c87b41c04ef34b25923a1bd4efb5
Instruction ID: ae3b33af678f91d15e317dbcf2668c16ce99f2dfdb86875cf9f65a364fad0138
Opcode Fuzzy Hash: 1f91b833b11f9de3fa471eaad69c4379b7c5c87b41c04ef34b25923a1bd4efb5
Instruction Fuzzy Hash: C7416D72609B8286E760DB55F4802AEB7E4FBC8788F800135EA9D57A98DF3CD455CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988B10, Relevance: 9.1, APIs: 6, Instructions: 95COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3988B60
SetLastError.KERNEL32 ref: 00007FF7F3988B98
GetLastError.KERNEL32 ref: 00007FF7F3988C15
SysFreeString.OLEAUT32 ref: 00007FF7F3988C2C
SysFreeString.OLEAUT32 ref: 00007FF7F3988C3F
SetLastError.KERNEL32 ref: 00007FF7F3988C66

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 4169383aa1a8b917174be489ab6bb9fdcfaa1ed987afccb29234c8c0d2333da4
Instruction ID: 2bdbf746e4084c4351d36af79f64e840e8756861d6fbd7229ccc7c083320aa59
Opcode Fuzzy Hash: 4169383aa1a8b917174be489ab6bb9fdcfaa1ed987afccb29234c8c0d2333da4
Instruction Fuzzy Hash: BB416A72609B8182DB50DF25E88026DB364FB84B94F944135DFAD57BA4CF38E451C390

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39867D0, Relevance: 9.1, APIs: 6, Instructions: 94libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32 ref: 00007FF7F3986810
WideCharToMultiByte.KERNEL32 ref: 00007FF7F39868A1
GetProcAddress.KERNEL32 ref: 00007FF7F39868BF
FreeLibrary.KERNEL32 ref: 00007FF7F39868CD
GetLastError.KERNEL32 ref: 00007FF7F39868D3
FreeLibrary.KERNEL32 ref: 00007FF7F39868EE

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Library$Free$AddressByteCharErrorLastLoadMultiProcWide
String ID:
API String ID: 835772407-0
Opcode ID: 4ab0e06239e2a50f8aaadb0ff52f6e927b76035c8d3fb4fcef584dd5444a6b9a
Instruction ID: 5da533e108b44c17a1dfe72d45850d2398dbc9156da02d56a4a11a4f69a82215
Opcode Fuzzy Hash: 4ab0e06239e2a50f8aaadb0ff52f6e927b76035c8d3fb4fcef584dd5444a6b9a
Instruction Fuzzy Hash: 5031C561B05B5285EB90EF619840169A3A4FF44BB8BC84335EA7E5F7D4DF3CE445C250

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988910, Relevance: 9.1, APIs: 6, Instructions: 83COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7F3988940
GetLastError.KERNEL32 ref: 00007FF7F39889E2
SysFreeString.OLEAUT32 ref: 00007FF7F39889F9
SysFreeString.OLEAUT32 ref: 00007FF7F3988A0C
SetLastError.KERNEL32 ref: 00007FF7F3988A32
SetLastError.KERNEL32 ref: 00007FF7F3988A3A

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast$FreeString
String ID:
API String ID: 2425351278-0
Opcode ID: 9213b2f951795fd8961727634d81daab6bb791b9985ae766bdb774ed669523d7
Instruction ID: d0d4d421908a45422ac6504343e204545ea10f1d844ca77aec3fda8282aef852
Opcode Fuzzy Hash: 9213b2f951795fd8961727634d81daab6bb791b9985ae766bdb774ed669523d7
Instruction Fuzzy Hash: 85316462619B8282EB90EB24E45026DE760FBC4BE4F855231EA7E5B7E4CF3CD445C790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3983F70, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 65registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F3983F99
GetProcAddress.KERNEL32 ref: 00007FF7F3983FB2
RegCreateKeyExW.ADVAPI32 ref: 00007FF7F3984058

Strings

Advapi32.dll, xrefs: 00007FF7F3983F92
RegCreateKeyTransactedW, xrefs: 00007FF7F3983FA8

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: d8f9a0690667604f5e7e6616951a74f0432b9bedd44cc4415e60f933078260b4
Instruction ID: a3142d915fc71e2664620a0f5e6e6706ea2e25267b7ce04eb571d77155b39f79
Opcode Fuzzy Hash: d8f9a0690667604f5e7e6616951a74f0432b9bedd44cc4415e60f933078260b4
Instruction Fuzzy Hash: 0D21EB72A19B9082EBA0DB15F44036AB7A5FBC8BD4F944125EB9D57B68DF3CC0918B00

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3986C00, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF7F3986C20
GetProcAddress.KERNEL32 ref: 00007FF7F3986C42
FreeLibrary.KERNEL32 ref: 00007FF7F3986C53

Strings

DriverPackageUninstallW, xrefs: 00007FF7F3986C38

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageUninstallW
API String ID: 145871493-4209722632
Opcode ID: c35b6b632d625778d604cef2a0bfc001af9ceecfd90e17d9dd12296e960a03a8
Instruction ID: 0062a53481d1c075fb4c362732ee9bbc10512a0b0516a230f9697793eb8f32e5
Opcode Fuzzy Hash: c35b6b632d625778d604cef2a0bfc001af9ceecfd90e17d9dd12296e960a03a8
Instruction Fuzzy Hash: 13214F71609B8686DB90DF26A45026AB3E0FB88BD8F944135EF9D9BB54EF3CD4448780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3986B00, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF7F3986B20
GetProcAddress.KERNEL32 ref: 00007FF7F3986B42
FreeLibrary.KERNEL32 ref: 00007FF7F3986B53

Strings

DriverPackageInstallW, xrefs: 00007FF7F3986B38

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageInstallW
API String ID: 145871493-1557024896
Opcode ID: 46a9f5c091c78e9100da48e87d155cb43ed0e1788d4e547d9361f219d0cc8f2a
Instruction ID: f5f33e0c3c3d4a955d8b2e835189a3a7ee21a1e9218b566d38ae66fc1d14e0e9
Opcode Fuzzy Hash: 46a9f5c091c78e9100da48e87d155cb43ed0e1788d4e547d9361f219d0cc8f2a
Instruction Fuzzy Hash: 3521717160DB4682DB90DF29A450269B3E4FB88BD8F944135EE9D9BB54EF3CD4448780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3986D00, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 00007FF7F3986D18
GetProcAddress.KERNEL32 ref: 00007FF7F3986D45
FreeLibrary.KERNEL32 ref: 00007FF7F3986D53

Strings

DriverPackageGetPathW, xrefs: 00007FF7F3986D3B

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: DriverPackageGetPathW
API String ID: 145871493-341743864
Opcode ID: 8c31dcc0c099f1c29c279d6c039478cd4cf80fd7e32c813887a9d067727bb84c
Instruction ID: 061622f9855b1cb970c54500812f487aa61a5f77903f7f4e4259df80159dd6ab
Opcode Fuzzy Hash: 8c31dcc0c099f1c29c279d6c039478cd4cf80fd7e32c813887a9d067727bb84c
Instruction Fuzzy Hash: ED01C851B09B8281EB84DB17B55023D9350FB88FC8F885035EE6E6B758DE3CD4954790

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3986440, Relevance: 7.6, APIs: 6, Instructions: 58COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F398646C
SetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F398649F
GetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F39864B0
SetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F39864F3
GetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F3986507
SetLastError.KERNEL32(?,?,?,00007FF7F3986210), ref: 00007FF7F3986553

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: d3c9cf2c124d86abc4f4bf1603bc844c388b4e375f4936e04eb0160b51d84189
Instruction ID: 35cf80f3187f1205eb55199a3fb387140bf1abaab805ea5daa1ebce8c2499a79
Opcode Fuzzy Hash: d3c9cf2c124d86abc4f4bf1603bc844c388b4e375f4936e04eb0160b51d84189
Instruction Fuzzy Hash: A1319032504B81CAD380DF24E88035C77A8F744F98F998239CA9D5B758CF38E499C368

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39953CC, Relevance: 7.5, APIs: 5, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F39953DD

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

__doserrno.LIBCMT ref: 00007FF7F39953D5

Part of subcall function 00007FF7F398CA04: _getptd_noexit.LIBCMT ref: 00007FF7F398CA08

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd_noexit$__doserrno_errno
String ID:
API String ID: 2964073243-0
Opcode ID: 4d4a87c527eaa8e6bcec8b312dd761cc2aa443e3d2d32b2ae408f33aa7fcd5b4
Instruction ID: 5d1e50403e652eedaba22aa0f35606d7af87f123e1fdf3748d479730a6bf4bcf
Opcode Fuzzy Hash: 4d4a87c527eaa8e6bcec8b312dd761cc2aa443e3d2d32b2ae408f33aa7fcd5b4
Instruction Fuzzy Hash: B7018FA1A2964281FBC4FB5584813B8E6516F91B6AFD14334D63E1A3E1CE2C70418AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F398C3E0, Relevance: 7.5, APIs: 5, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

_getptd.LIBCMT ref: 00007FF7F398C3ED

Part of subcall function 00007FF7F398EBE0: _getptd_noexit.LIBCMT ref: 00007FF7F398EBE6

_inconsistency.LIBCMT ref: 00007FF7F398C3FB

Part of subcall function 00007FF7F398C8BC: DecodePointer.KERNEL32(?,?,?,?,00007FF7F3992805,?,?,?,00007FF7F398C046), ref: 00007FF7F398C8C7

_getptd.LIBCMT ref: 00007FF7F398C400
_inconsistency.LIBCMT ref: 00007FF7F398C41C
_getptd.LIBCMT ref: 00007FF7F398C42C

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd$_inconsistency$DecodePointer_getptd_noexit
String ID:
API String ID: 3566995948-0
Opcode ID: e34250745d6eefdc1ac350af60d0ba6f7176c573dac5c3d1f4a00cbf0f445cfc
Instruction ID: fcd93c61d839b051d701e59a67d64c5b1b6ca2173028346e231d6a49fc7ab3e5
Opcode Fuzzy Hash: e34250745d6eefdc1ac350af60d0ba6f7176c573dac5c3d1f4a00cbf0f445cfc
Instruction Fuzzy Hash: F7F0D65290D54380E7D1FB65D0511B9F250BFC8788FDC4431E66A2F2C79D28D49086B4

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39847E0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 52libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7F3984805
GetProcAddress.KERNEL32 ref: 00007FF7F398481E

Strings

RegOpenKeyTransactedW, xrefs: 00007FF7F3984814
Advapi32.dll, xrefs: 00007FF7F39847FE

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: d8a62a8aef20563de6babe65901e6294006a460ff679ece6a4f445639764ce31
Instruction ID: 21d9a1d7ff1e1a46cd64a494cff2e8d248a6b5d4a2da2d2dd02f5bcedc9024d3
Opcode Fuzzy Hash: d8a62a8aef20563de6babe65901e6294006a460ff679ece6a4f445639764ce31
Instruction Fuzzy Hash: A3114F72A19A8182EB50DB16F44032AE7A0FB88BD4F844531EF9D27BA8DF7CD4458B40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3995F51, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7F398C3E0: _getptd.LIBCMT ref: 00007FF7F398C3ED
Part of subcall function 00007FF7F398C3E0: _inconsistency.LIBCMT ref: 00007FF7F398C3FB
Part of subcall function 00007FF7F398C3E0: _getptd.LIBCMT ref: 00007FF7F398C400
Part of subcall function 00007FF7F398C3E0: _inconsistency.LIBCMT ref: 00007FF7F398C41C

__DestructExceptionObject.LIBCMT ref: 00007FF7F3995F9E
_getptd.LIBCMT ref: 00007FF7F3995FA4
_getptd.LIBCMT ref: 00007FF7F3995FB7

Part of subcall function 00007FF7F398C470: _getptd.LIBCMT ref: 00007FF7F398C479

Strings

csm, xrefs: 00007FF7F3995F71

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _getptd$_inconsistency$DestructExceptionObject
String ID: csm
API String ID: 2821275340-1018135373
Opcode ID: 4ac1e4b1013697ec0e9eee3f9e9a02559197c655822a339b97b8ae9ef60c21a0
Instruction ID: 690b46504cdb89dc35014ffefbb40880da3f6145569ce55b6f5aff5dd9523747
Opcode Fuzzy Hash: 4ac1e4b1013697ec0e9eee3f9e9a02559197c655822a339b97b8ae9ef60c21a0
Instruction Fuzzy Hash: EC01846290614385EBA0FF3194953BD6364FF8975CF840031E91D5E786DF28D480C391

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F398B410, Relevance: 6.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F398B43B
_errno.LIBCMT ref: 00007FF7F398B430

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

_errno.LIBCMT ref: 00007FF7F398B4DE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F398B4E9

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo$_getptd_noexit
String ID:
API String ID: 1573762532-0
Opcode ID: 9f486efa1b8314dfa2aab75535de57ab10477b20cf78fdbde7df630c2b174037
Instruction ID: 94f599da4b08c74ec9fb37dddd8b0dd372e49982e288cd959462a81c86563eb1
Opcode Fuzzy Hash: 9f486efa1b8314dfa2aab75535de57ab10477b20cf78fdbde7df630c2b174037
Instruction Fuzzy Hash: 4341E8E2E0929681EBE4FB2190412B9E290FF8079CFCC4135DEAC2B6C5DE2CE5518760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3988D30, Relevance: 6.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b90ce4dfac01c2fc7f3f23f229081737ed7b3ce6534e3892517164148f36f33f
Instruction ID: 56dcfb69e9583c35d10de0f641ddb6c25d02423277bba47481199efa3d2e2eea
Opcode Fuzzy Hash: b90ce4dfac01c2fc7f3f23f229081737ed7b3ce6534e3892517164148f36f33f
Instruction Fuzzy Hash: 09415B6260CA4281EB90EB14D48067DA3A1FFD1B98FD44131DA7E6B6E5DF3CE845C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3994DF4, Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

_isleadbyte_l.LIBCMT ref: 00007FF7F3994E86
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7F398F8CA), ref: 00007FF7F3994EC5
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000000,00007FF7F398F8CA), ref: 00007FF7F3994F13
_errno.LIBCMT ref: 00007FF7F3994F1D

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ByteCharMultiWide$_errno_isleadbyte_l
String ID:
API String ID: 693119720-0
Opcode ID: f9ef63f5f9393c33ad6ec1b55359d4d65aae5a494d22769d944872ef39a9e64e
Instruction ID: 33e20b8a6ca6bf2a1e3f2a190c147e54eb133f5a9441e23fa3862caab03709e3
Opcode Fuzzy Hash: f9ef63f5f9393c33ad6ec1b55359d4d65aae5a494d22769d944872ef39a9e64e
Instruction Fuzzy Hash: 0441D53160A78286E7A1DF159140239F7A9FB44B88F944135EBAD6BBD5CF3CD841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3983640, Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7F39836A2
free.LIBCMT ref: 00007FF7F39836B7
RaiseException.KERNEL32(?,?,?,?,?,?,?,00007FF7F39832A0), ref: 00007FF7F39836EC
RaiseException.KERNEL32(?,?,?,00007FF7F39832A0), ref: 00007FF7F3983702

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ExceptionRaisefree
String ID:
API String ID: 501637548-0
Opcode ID: 6091e4866e5df5ec72efa5c9ea70e5436eb9a164a20f27cf849220055c386ae6
Instruction ID: 5006754a04d9776d0c6cf360756bfb83789f401b8ad9aeab4d244d801c04fc31
Opcode Fuzzy Hash: 6091e4866e5df5ec72efa5c9ea70e5436eb9a164a20f27cf849220055c386ae6
Instruction Fuzzy Hash: 4D217132A0854182EB94EF64E09173DB360FBC4B48F848539CA2A1B695CF3CD45287D0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F3982820, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7F3982860
SysFreeString.OLEAUT32 ref: 00007FF7F398286A
SysFreeString.OLEAUT32 ref: 00007FF7F3982874
SysFreeString.OLEAUT32 ref: 00007FF7F398287E

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 71332804fb799d93ff3c92b5373d027f535b9761171e135ce507182e18860e2f
Instruction ID: dc152369c84d6c8c081936a9a560b0883f4b760f2f1f805acade8714868f5900
Opcode Fuzzy Hash: 71332804fb799d93ff3c92b5373d027f535b9761171e135ce507182e18860e2f
Instruction Fuzzy Hash: C5012C31619A0282DB80EB15EA5416CB324FB84BE8B944631DFBD5BBF0CF3DE4A58344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39822F0, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

SysFreeString.OLEAUT32 ref: 00007FF7F3982330
SysFreeString.OLEAUT32 ref: 00007FF7F398233A
SysFreeString.OLEAUT32 ref: 00007FF7F3982344
SysFreeString.OLEAUT32 ref: 00007FF7F398234E

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: FreeString
String ID:
API String ID: 3341692771-0
Opcode ID: 9400c879f395e8e1041e99f399ca43ef3155b5eea99d28c3571ed665674c8d41
Instruction ID: e66644e013cb830e04f8291ce9f4f6215b923cf00f25ee3833ac562115218a62
Opcode Fuzzy Hash: 9400c879f395e8e1041e99f399ca43ef3155b5eea99d28c3571ed665674c8d41
Instruction Fuzzy Hash: 95010C31615A0182DB50EB15E55412CB364FB84BA8B544331DEBD5BBF0CF38D4958344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F39817A0, Relevance: 6.0, APIs: 4, Instructions: 29synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32 ref: 00007FF7F39817B7
WaitForSingleObject.KERNEL32 ref: 00007FF7F39817CA
CloseHandle.KERNEL32 ref: 00007FF7F39817E4
PostThreadMessageW.USER32 ref: 00007FF7F39817F7

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: ObjectSingleWait$CloseHandleMessagePostThread
String ID:
API String ID: 3386540786-0
Opcode ID: 79500c9f6d63bc6a94024569c830735f4b117551e5a17f7cb2fa18f5661a4629
Instruction ID: 1646764d5544bc2b31520c08b7b6c4379bd0267c6e3b7dbd4cc00da05a5a07ad
Opcode Fuzzy Hash: 79500c9f6d63bc6a94024569c830735f4b117551e5a17f7cb2fa18f5661a4629
Instruction Fuzzy Hash: CFF03C72A0458586E790EF3AD40473D77A2FB9EBADF845174CA295A2D4CF3C9484C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7F398B684, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_errno.LIBCMT ref: 00007FF7F398B6D5

Part of subcall function 00007FF7F398CA74: _getptd_noexit.LIBCMT ref: 00007FF7F398CA78

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7F398B6E0

Strings

B, xrefs: 00007FF7F398B70C

Memory Dump Source

Source File: 00000002.00000002.934549278.00007FF7F3981000.00000020.00020000.sdmp, Offset: 00007FF7F3980000, based on PE: true

Associated: 00000002.00000002.934531331.00007FF7F3980000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934618756.00007FF7F3997000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.934639046.00007FF7F39A6000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934653500.00007FF7F39AA000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.934661300.00007FF7F39AB000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_7ff7f3980000_ISBEW64.jbxd

Similarity

API ID: _errno_getptd_noexit_invalid_parameter_noinfo
String ID: B
API String ID: 1812809483-1255198513
Opcode ID: bbb8f773bab51e8e522d642ffc497e4c7d030a58199116e91c1ffc0167e66120
Instruction ID: c0872a35c7aaa74326cc6245d1b305a1f32f1c453acb3d77d63047847c6ca65c
Opcode Fuzzy Hash: bbb8f773bab51e8e522d642ffc497e4c7d030a58199116e91c1ffc0167e66120
Instruction Fuzzy Hash: D7115EB2A1464085EB10EB12E4403A9B661BB98BA8FD84234EE6C1BBD5CF3CD1448A50

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SureServoPROInstall_V4_1_0_5_DB2_0_8.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

Compliance:

Spreading:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: SureServoPROInstall_V4_1_0_5_DB2_0_8.exe PID: 6312 Parent PID: 5872

General

Analysis Process: setup.exe PID: 6356 Parent PID: 6312

Function 0043B52C, Relevance: 38.8, APIs: 5, Strings: 17, Instructions: 290
timeCOMMON

Function 0041BFB9, Relevance: 25.7, APIs: 17, Instructions: 234
COMMON

Function 00450887, Relevance: 18.1, APIs: 12, Instructions: 138
threadmemoryCOMMON

Function 0041A1F5, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 128
fileCOMMON

Function 0041E830, Relevance: 42.6, APIs: 1, Strings: 23, Instructions: 572
COMMON

Function 00418E75, Relevance: 28.2, APIs: 5, Strings: 11, Instructions: 229
stringCOMMON

Function 00425FCC, Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 101
COMMON

Function 00441B01, Relevance: 17.5, APIs: 6, Strings: 4, Instructions: 40
libraryloaderCOMMON

Function 004437BF, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 37
libraryloaderCOMMON

Function 00441E34, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 129
COMMON

Function 004252EC, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 83
COMMON

Function 00441B7A, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 51
libraryloaderfileCOMMON

Function 0041CF22, Relevance: 13.6, APIs: 9, Instructions: 144
fileCOMMON

Function 004425A8, Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 116
COMMON

Function 00415549, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 67
fileCOMMON

Function 0042AB1A, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 67
fileCOMMON

Function 0041AA5A, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 185
COMMON

Function 004018F0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 67
registrylibraryloaderCOMMON

Function 00423878, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 45
COMMONLIBRARYCODE

Function 0044A2D3, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 16
libraryloaderCOMMON

Function 0044160B, Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 291
COMMON

Function 0044DA4D, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 234
COMMON

Function 00448D7A, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91
registryCOMMON

Function 0043AF40, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39
fileCOMMON

Function 00421F5D, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 133
COMMON