Windows Analysis Report
apprun.exe

Overview

General Information

Sample Name:apprun.exe
Analysis ID:635356
MD5:7e13c6a35ac8ce03ece66e1d65b0601e
SHA1:a7c70afdd8ca0aae7fb7689d01c0c574aee85875
SHA256:d189bd389b7b442c31e1d009f958ab67d1361b75383b4dcdd53944970cf3fe0f

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Uses 32bit PE files
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a connection to the internet is available
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)

Classification

  • System is w10x64
  • apprun.exe (PID: 5160 cmdline: "C:\Users\user\Desktop\apprun.exe" MD5: 7E13C6A35AC8CE03ECE66E1D65B0601E)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: apprun.exeVirustotal: Detection: 42%
Source: apprun.exeReversingLabs: Detection: 29%
Source: apprun.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: apprun.exeStatic PE information: certificate valid
Source: apprun.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\git\modular-installer\Release\kernel.pdbVV$2GCTL source: apprun.exe
Source: Binary string: C:\git\modular-installer\Release\kernel.pdb source: apprun.exe
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_011449B5 ___std_fs_close_handle@4,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,0_2_011449B5
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01144A15 GetFileAttributesExW,GetLastError,___std_fs_open_handle@16,GetLastError,GetFileInformationByHandle,FindFirstFileExW,FindClose,___std_fs_close_handle@4,0_2_01144A15
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_0113193D __EH_prolog3_GS,memset,InternetCheckConnectionW,MessageBoxW,0_2_0113193D
Source: apprun.exeString found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: apprun.exeString found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: apprun.exeString found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: apprun.exeString found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: apprun.exeString found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: apprun.exeString found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: apprun.exeString found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: apprun.exeString found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: apprun.exeString found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: apprun.exeString found in binary or memory: http://www.google.com
Source: apprun.exeString found in binary or memory: http://www.google.comUninstallUninstall
Source: apprun.exeString found in binary or memory: https://www.globalsign.com/repository/0
Source: apprun.exeString found in binary or memory: https://www.globalsign.com/repository/06
Source: apprun.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\apprun.exeSection loaded: libcurl.dll
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01139394 0_2_01139394
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01127275 0_2_01127275
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01135533 0_2_01135533
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_0113C562 0_2_0113C562
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_0113A4AA 0_2_0113A4AA
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_0112EF1A 0_2_0112EF1A
Source: C:\Users\user\Desktop\apprun.exeCode function: String function: 01143D5D appears 107 times
Source: C:\Users\user\Desktop\apprun.exeCode function: String function: 011298AC appears 261 times
Source: C:\Users\user\Desktop\apprun.exeCode function: String function: 011436A0 appears 53 times
Source: C:\Users\user\Desktop\apprun.exeCode function: String function: 01143D91 appears 103 times
Source: C:\Users\user\Desktop\apprun.exeCode function: String function: 0112BA2B appears 52 times
Source: apprun.exeStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: apprun.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\apprun.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01142060 __EH_prolog3_GS,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_01142060
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -tasks 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -install 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -updatesched 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -updatestartup 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -uninstall 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -resetsearch 0_2_011323FF
Source: C:\Users\user\Desktop\apprun.exeCommand line argument: -version 0_2_011323FF
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\kernel\kernel.cpp
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\kernel\InstallerConfiguration.cpp
Source: apprun.exeString found in binary or memory: api/report/install
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\kernel\IPCService.cpp
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\kernel\Action.cpp
Source: apprun.exeString found in binary or memory: -install
Source: apprun.exeString found in binary or memory: v2/install
Source: apprun.exeString found in binary or memory: space673ae6306d8266a780df868d6772aab3b9662e0f1248KernelActionmimeTypedefaultJumpconfigurationfile\$cwdidcustomJumpjumpTableFailed to split URL "Downloading DLL "int __thiscall InstPC::Action::run(void)C:\git\modular-installer\kernel\Action.cppError occurred creating unique filenamewb+Could not open new temporary file
Source: apprun.exeString found in binary or memory: @Unknown exceptioninvalid string positionstring too longcodelabeldescription: "", "create_directorytemp_directory_pathreport_urlaipcrepcsearch_offerupdate_logupdate_actionuninstall_logUpdateisUpdatedfalseupdateUrlzoremov.combi.api/report/installapplift.exewb+UPDATEEntered updateStart (update_log) - -installunordered_map/set too longinvalid hash bucket count
Source: apprun.exeString found in binary or memory: @UNKNOWNedgeInstallerConfigurationactionsRunning actions - startvoid __thiscall InstPC::InstallerConfiguration::run(void)C:\git\modular-installer\kernel\InstallerConfiguration.cppRunning actions - module Running actions - module Running actions - module finished with return code Running actions - module finished with return code nextRunning actions - next module Running actions - next module Running actions - finishinvalid vector<T> subscript
Source: apprun.exeString found in binary or memory: !A\.*directory_iterator::directory_iteratordirectory_iterator::operator++copy_fileexistsstatusIPCService1582447612575780--Failed to acquire size of buffer needed to store network adapters. Error: Failed to Network adapters data. Error: Select ProcessorId From Win32_processorProcessorIdSELECT Caption FROM Win32_OperatingSystemCaptionSOFTWARE\WOW6432Node\Clients\StartMenuInternetSOFTWARE\Clients\StartMenuInternetabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. ,AppDirectoryAppX3xxs313wwkfjhythsb8q46xdsq8d2cvvAppX7rm9drdg8sk7vqndwj3sdjw11x96jc0yFriendlyTypeNameffSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exeedge_chromeSoftware\Microsoft\Edge\BlBeaconversionSoftware\Microsoft\Edge\PreferenceMACs\DefaultGS_ABE_LABS_LTD_SIGNATUREzoremov-updateinstallerEMPTYUpdate was triggered from: Requesting class Networking::Response __thiscall InstPC::IPCService::configurationImplementation(class Networking::Request)C:\git\modular-installer\kernel\IPCService.cpptotalTimenameLookupTimeconnectTimeappConnectTimepreTransferTimestartTransferTimeredirectTimeredirectCountResponse Info /emidapp_idv2/installinstall.jsonv2/uninstalluninstall.jsonCould not fetch installation configurationapplift.exeFinalizing update flowvoid __thiscall InstPC::IPCService::install(void)Entered updateComplete (update_log) - Fetching install actionsalg.Got install configuration Installer configuration readyFinished running configuration No install actions waitingFetching update actionsvoid __thiscall InstPC::IPCService::update(void)srv.up/update/checkeacbnEntered Check update needed (update_log) - Got update configuration Starting updateUpdate completedNo update actions waitingFetching tasksvoid __thiscall InstPC::IPCService::tasks(void)CHECK_TASKEntered 'Check task' flowEntered ReportUpdateAction - task-forSOME_ACTIONGot task configuration No tasks found.No task actions waitingFetching uninstall actionsvoid __thiscall 
InstPC::IPCService::uninstall(void)Got unintall configuration Uninstall configuration readyNo uninstall actions waitinghttp://www.google.comUninstallUninstall requires an internet connection. Please check your network connection and retry uninstall.Version Is >>>>>><<<<<< Start of program. Process ID: -tasks-install-updatesched-updatestartup-uninstall-resetsearch-versionElapsed run time: int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)C:\git\modular-installer\kernel\kernel.cppMFC error: exception: %fFailed to initialize cURLMETHOD not supported://curl_multi_wait() failed, code %d.
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\Release\kernel.pdb
Source: apprun.exeString found in binary or memory: C:\git\modular-installer\Release\kernel.pdbVV$2GCTL
Source: classification engineClassification label: mal48.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01142822 __ehhandler$?_Init@?$_Mpunct@D@std@@IAEXABV_Locinfo@2@_N@Z,__EH_prolog3,CoInitializeEx,CoInitializeSecurity,#1511,CoCreateInstance,#1511,#2,#6,#1511,#1511,_CxxThrowException,0_2_01142822
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: apprun.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: apprun.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: apprun.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: apprun.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: apprun.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: apprun.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01143D26 push ecx; ret 0_2_01143D39
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01144F78 push ecx; ret 0_2_01144F9B
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01143E86 push ecx; ret 0_2_01143E99
Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01144036 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_01144036
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_0112E69C __EH_prolog3_GS,GetAdaptersAddresses,GetAdaptersAddresses,GetProcessHeap,HeapAlloc,GetAdaptersAddresses,GetProcessHeap,HeapFree,#1511,GetProcessHeap,HeapFree,#1511,_CxxThrowException,0_2_0112E69C
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_011441C9 SetUnhandledExceptionFilter,0_2_011441C9
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01143B2B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_01143B2B
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01144276 cpuid 0_2_01144276
Source: C:\Users\user\Desktop\apprun.exeCode function: 0_2_01143F29 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_01143F29
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
  • Execution: Command and Scripting Interpreter (3); Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
  • Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
  • Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
  • Defense Evasion: Deobfuscate/Decode Files or Information (1); DLL Side-Loading (1); Obfuscated Files or Information (2); Binary Padding; Software Packing; Steganography
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
  • Discovery: System Time Discovery (1); Security Software Discovery (2); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (22); System Network Connections Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
  • Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
  • Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
| Source | Detection | Scanner | Label |
|---|---|---|---|
| apprun.exe | 42% | Virustotal | |
| apprun.exe | 5% | Metadefender | |
| apprun.exe | 29% | ReversingLabs | Win32.Adware.Zoremov |
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| http://www.google.comUninstallUninstall | 0% | Avira URL Cloud | safe |
No contacted domains info
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| http://www.google.com | apprun.exe | false | | high |
| http://www.google.comUninstallUninstall | apprun.exe | false | Avira URL Cloud: safe | unknown |
    No contacted IP infos
    Joe Sandbox Version:34.0.0 Boulder Opal
    Analysis ID:635356
    Start date and time: 2022-05-27 20:05:34 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 5m 20s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:apprun.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:21
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal48.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 100% (good quality ratio 90.5%)
    • Quality average: 48.6%
    • Quality standard deviation: 29.1%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 114
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Adjust boot time
    • Enable AMSI
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
    • Execution Graph export aborted for target apprun.exe, PID 5160 because there are no executed function
    • Not all processes where analyzed, report is missing behavior information
    No simulations
    No context
    No created / dropped files found
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.803912712702834
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:apprun.exe
    File size:447688
    MD5:7e13c6a35ac8ce03ece66e1d65b0601e
    SHA1:a7c70afdd8ca0aae7fb7689d01c0c574aee85875
    SHA256:d189bd389b7b442c31e1d009f958ab67d1361b75383b4dcdd53944970cf3fe0f
    SHA512:942387b39722a0984e0c2b612f8aebd5e115dc424d74f3ed800ee7e2c5a8013251f5eec488f554b95e6b4a301c6c8f0874e2afa912943478ad853fa701dba567
    SSDEEP:12288:GQT0zUhy5R+ESoDVI+8/S0fBmymkh5k9E5kJk7H:GQsR+Em+8/5fBvhnH
    TLSH:B7949E23BB43C8FAD633D276269F16B4A9BE69361531004333D3531A9C6D5F38836A27
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........./.F.A.F.A.F.A.O...R.A...G.D.A...E.H.A...B.J.A...D.d.A...@.@.A...@.T.A.F.@...A.p.@.E.A.p.H.b.A.p...G.A.F...G.A.p.C.G.A.RichF.A
    Icon Hash:f8e2f0b83c8ecce0
    Entrypoint:0x423685
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
    DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Time Stamp:0x5E562496 [Wed Feb 26 07:56:06 2020 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:6
    OS Version Minor:0
    File Version Major:6
    File Version Minor:0
    Subsystem Version Major:6
    Subsystem Version Minor:0
    Import Hash:0bd9b07a33347e2b039b76c20ede51ba
    Signature Valid:true
    Signature Issuer:CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
    Signature Validation Error:The operation completed successfully
    Error Number:0
    Not Before, Not After
    • 3/21/2019 5:29:15 AM 3/21/2022 5:29:15 AM
    Subject Chain
    • CN=ABE Labs LTD, O=ABE Labs LTD, L=Tel Aviv, S=Tel Aviv, C=IL, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=515530624, OID.2.5.4.15=Private Organization
    Version:3
    Thumbprint MD5:3A64583937F31A6298780405E2FFC24A
    Thumbprint SHA-1:7EBF03C1556ABCEBF72822D370A72314CFA8E717
    Thumbprint SHA-256:C897A6CBEFCCD1802AA8591A5C3BCAA862BEFDCD7E2B086EEA88FB0CDBED64CE
    Serial:65D62F620FE9922CF2891D2C
    Instruction
    call 00007FA020C3B231h
    jmp 00007FA020C3A7BFh
    cmp ecx, dword ptr [0043A014h]
    jne 00007FA020C3A945h
    ret
    jmp 00007FA020C3ADF9h
    push ebp
    mov ebp, esp
    push dword ptr [ebp+08h]
    call 00007FA020C3A5F3h
    pop ecx
    pop ebp
    ret
    push ebp
    mov ebp, esp
    test byte ptr [ebp+08h], 00000001h
    push esi
    mov esi, ecx
    mov dword ptr [esi], 0042B5F0h
    je 00007FA020C3A94Ch
    push 0000000Ch
    push esi
    call 00007FA020C3A91Dh
    pop ecx
    pop ecx
    mov eax, esi
    pop esi
    pop ebp
    retn 0004h
    call 00007FA020C3A967h
    push 00000000h
    call 00007FA020C3ABF1h
    pop ecx
    test al, al
    je 00007FA020C3A950h
    push 0042377Ah
    call 00007FA020C3AD6Fh
    pop ecx
    xor eax, eax
    ret
    push 00000007h
    call 00007FA020C3B284h
    int3
    push esi
    push edi
    push 00000FA0h
    push 0043B04Ch
    call dword ptr [0042B0BCh]
    push 0042EE88h
    call dword ptr [0042B070h]
    mov esi, eax
    test esi, esi
    jne 00007FA020C3A953h
    push 0042B5F4h
    call dword ptr [0042B070h]
    mov esi, eax
    test esi, esi
    je 00007FA020C3A988h
    push 0042B610h
    push esi
    call dword ptr [0042B050h]
    push 0042B62Ch
    push esi
    mov edi, eax
    call dword ptr [0042B050h]
    test edi, edi
    je 00007FA020C3A954h
    test eax, eax
    Programming Language:
    • [IMP] VS2008 SP1 build 30729
    | Name | Virtual Address | Virtual Size | Is in Section |
    |---|---|---|---|
    | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36174 | 0x1cc | .rdata |
    | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3c000 | 0x304a0 | .rsrc |
    | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6b800 | 0x1cc8 | |
    | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x6d000 | 0x29a0 | .reloc |
    | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x2f970 | 0x70 | .rdata |
    | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_TLS | 0x2fa84 | 0x18 | .rdata |
    | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x2f9e0 | 0x40 | .rdata |
    | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_IAT | 0x2b000 | 0x51c | .rdata |
    | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
    | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
    | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
    |---|---|---|---|---|---|---|---|---|
    | .text | 0x1000 | 0x291c4 | 0x29200 | False | 0.586186835106 | data | 6.58926946423 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
    | .rdata | 0x2b000 | 0xe0a6 | 0xe200 | False | 0.392180586283 | data | 5.12026048955 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
    | .data | 0x3a000 | 0x1660 | 0x1000 | False | 0.186767578125 | data | 4.28770125555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
    | .rsrc | 0x3c000 | 0x304a0 | 0x30600 | False | 0.543079780362 | data | 6.68559108831 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
    | .reloc | 0x6d000 | 0x29a0 | 0x2a00 | False | 0.741164434524 | data | 6.61714684998 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
    | Name | RVA | Size | Type | Language | Country |
    |---|---|---|---|---|---|
    | RT_ICON | 0x3c280 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States |
    | RT_ICON | 0x3c6e8 | 0x988 | data | English | United States |
    | RT_ICON | 0x3d070 | 0x10a8 | data | English | United States |
    | RT_ICON | 0x3e118 | 0x25a8 | data | English | United States |
    | RT_ICON | 0x406c0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 0, next used block 0 | English | United States |
    | RT_ICON | 0x448e8 | 0x94a8 | data | English | United States |
    | RT_ICON | 0x4dd90 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States |
    | RT_ICON | 0x5e5b8 | 0xd98a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States |
    | RT_GROUP_ICON | 0x6bf48 | 0x76 | data | English | United States |
    | RT_VERSION | 0x6bfc0 | 0x2b8 | COM executable for DOS | English | United States |
    | RT_MANIFEST | 0x6c278 | 0x224 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators | English | United States |
    DLL: Import
    libcurl.dll: curl_easy_cleanup, curl_global_init, curl_global_cleanup, curl_multi_remove_handle, curl_easy_setopt, curl_multi_perform, curl_multi_wait, curl_easy_init, curl_multi_add_handle, curl_easy_perform, curl_easy_strerror, curl_easy_getinfo, curl_slist_free_all, curl_slist_append, curl_multi_init
    VERSION.dll: GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
    mfc140u.dll
    KERNEL32.dll: AreFileApisANSI, CopyFileW, GetFileInformationByHandle, GetFileAttributesExW, GetFileAttributesW, FindNextFileW, FindFirstFileExW, FindClose, CreateFileW, CreateDirectoryW, LoadLibraryW, GetLastError, GetProcAddress, FreeLibrary, GetModuleFileNameW, ExitProcess, HeapAlloc, GetProcessHeap, HeapFree, GetCommandLineW, GetModuleHandleW, MultiByteToWideChar, DeleteCriticalSection, GetCurrentProcessId, LocalFree, WideCharToMultiByte, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, OutputDebugStringW, Process32FirstW, TerminateProcess, CloseHandle, Process32NextW, CreateProcessW, GetCurrentProcess, LocalAlloc, SetLastError, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetTempPathW, InitializeCriticalSectionEx, CreateToolhelp32Snapshot
    USER32.dll: MessageBoxW
    ADVAPI32.dll: RegOpenKeyExW, RegEnumKeyExW, RegQueryInfoKeyW, RegCloseKey, RegGetValueW
    SHELL32.dll: SHGetFolderPathW, CommandLineToArgvW, SHGetKnownFolderPath
    ole32.dll: CoCreateInstance, CoUninitialize, CoTaskMemFree, CoInitializeSecurity, CoInitializeEx
    OLEAUT32.dll: VariantClear, VariantInit, SysFreeString, SysAllocString
    MSVCP140.dll?_Gndec@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ, ?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ, ??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ, ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ, ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@J@Z, ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?unshift@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ??1?$basic_istream@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ, ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ, ?_Xlength_error@std@@YAXPBD@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xbad_alloc@std@@YAXXZ, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ??1facet@locale@std@@MAE@XZ, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ??1?$basic_ostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?gbump@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXH@Z, ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ, ??1?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ?_Incref@facet@locale@std@@UAEXXZ, ??1_Locinfo@std@@QAE@XZ, ??1_Lockit@std@@QAE@XZ, ??0_Locinfo@std@@QAE@PBD@Z, ??0_Lockit@std@@QAE@H@Z, ??0facet@locale@std@@IAE@I@Z, 
?uncaught_exception@std@@YA_NXZ, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??Bid@locale@std@@QAEIXZ, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?_Unlock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@UAEXXZ, ?sync@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEHXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?id@?$collate@D@std@@2V0locale@2@A, ?xsputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPB_W_J@Z, _Strxfrm, _Strcoll, ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z, ?tolower@?$ctype@D@std@@QBEDD@Z, ?tolower@?$ctype@D@std@@QBEPBDPADPBD@Z, ?showmanyc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JXZ, ?uflow@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEGXZ, ?xsgetn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAE_JPA_W_J@Z, ?setbuf@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEPAV12@PA_W_J@Z, ?imbue@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@MAEXABVlocale@2@@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@_W@Z, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QBE_WD@Z, ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEXXZ, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV12@XZ, 
?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z, ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ, ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z, ?_Syserror_map@std@@YAPBDH@Z, ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z, ?_Winerror_map@std@@YAHH@Z, ?_Winerror_message@std@@YAKKPADK@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z, _Query_perf_frequency, _Query_perf_counter, ?__ExceptionPtrCreate@@YAXPAX@Z, ?__ExceptionPtrDestroy@@YAXPAX@Z, ?__ExceptionPtrToBool@@YA_NPBX@Z, 
?__ExceptionPtrAssign@@YAXPAXPBX@Z, ?__ExceptionPtrCopy@@YAXPAXPBX@Z, ?__ExceptionPtrCurrentException@@YAXPAX@Z, ?__ExceptionPtrRethrow@@YAXPBX@Z, _Xtime_get_ticks, _Thrd_sleep, ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?id@?$ctype@_W@std@@2V0locale@2@A, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ?widen@?$ctype@_W@std@@QBE_WD@Z, ??1?$basic_iostream@_WU?$char_traits@_W@std@@@std@@UAE@XZ, ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MAE@XZ, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z, ?in@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z, ??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z, ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z, ?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z, ?_Addfac@_Locimp@locale@std@@AAEXPAVfacet@23@I@Z
    WININET.dll:InternetCrackUrlW, InternetCheckConnectionW
    IPHLPAPI.DLL:GetAdaptersAddresses
    VCRUNTIME140.dll:memset, _except_handler4_common, memmove, __CxxFrameHandler3, strchr, __std_terminate, __std_exception_destroy, __std_exception_copy, _CxxThrowException, memchr, memcmp, memcpy
    api-ms-win-crt-runtime-l1-1-0.dll:_crt_atexit, exit, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, _cexit, _exit, _initterm_e, _initterm, _get_wide_winmain_command_line, _initialize_wide_environment, _configure_wide_argv, _set_app_type, _seh_filter_exe, terminate, _initialize_onexit_table, _controlfp_s, _register_onexit_function
    api-ms-win-crt-stdio-l1-1-0.dll:fclose, _wfopen_s, fwrite, fputwc, fopen_s, ungetwc, ungetc, fgetc, fgetwc, fgetpos, _fseeki64, _set_fmode, fsetpos, setvbuf, fflush, tmpnam_s, __stdio_common_vsprintf_s, __p__commode, __stdio_common_vsprintf
    api-ms-win-crt-filesystem-l1-1-0.dll:_unlock_file, _lock_file, remove
    api-ms-win-crt-heap-l1-1-0.dll:_set_new_mode, realloc, free, calloc, malloc, _recalloc
    api-ms-win-crt-time-l1-1-0.dll:_time64
    api-ms-win-crt-string-l1-1-0.dll:_wcsnicmp, isspace, tolower, towupper
    api-ms-win-crt-utility-l1-1-0.dll:srand, rand
    api-ms-win-crt-math-l1-1-0.dll:ceil, __setusermatherr
    api-ms-win-crt-locale-l1-1-0.dll:_configthreadlocale, ___lc_codepage_func
    Description:Data
    LegalCopyright:Copyright (C) 2019
    InternalName:kernel.exe
    FileVersion:1.0.0.2
    CompanyName:TODO: <Company name>
    ProductName:AppRun
    ProductVersion:1.0.0.2
    FileDescription:AppRun
    OriginalFilename:AppRun.exe
    Translation:0x0409 0x04b0
    Language of compilation system:English
    Country where language is spoken:United States
    No network behavior found

    Target ID:0
    Start time:20:06:35
    Start date:27/05/2022
    Path:C:\Users\user\Desktop\apprun.exe
    Wow64 process (32bit):true
    Commandline:"C:\Users\user\Desktop\apprun.exe"
    Imagebase:0x1120000
    File size:447688 bytes
    MD5 hash:7E13C6A35AC8CE03ECE66E1D65B0601E
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:low

      C-Code - Quality: 73%
      			E011323FF(void* __ebx, void* __edx, void* __edi, void* __eflags) {
      				void* _t147;
      				intOrPtr* _t150;
      				intOrPtr* _t153;
      				intOrPtr* _t157;
      				intOrPtr* _t161;
      				intOrPtr* _t165;
      				intOrPtr* _t169;
      				intOrPtr* _t173;
      				intOrPtr* _t177;
      				void* _t187;
      				void* _t205;
      				void* _t211;
      				struct HINSTANCE__* _t224;
      				struct HINSTANCE__* _t238;
      				void* _t248;
      				void* _t269;
      				void* _t282;
      				void* _t286;
      				void* _t321;
      				void* _t322;
      				void* _t329;
      				intOrPtr _t330;
      				intOrPtr* _t331;
      				void* _t332;
      				void* _t333;
      				void* _t334;
      				intOrPtr _t337;
      
      				_t340 = __eflags;
      				_t323 = __edi;
      				E01143DFF(E01147D13, __ebx, __edi, 0x374);
      				_t238 = 0;
      				 *((intOrPtr*)(_t333 - 0x2fc)) = 0;
      				__imp__#324(E011433F7());
      				 *((intOrPtr*)(_t333 - 4)) = 0;
      				 *((char*)(_t333 - 4)) = 1;
      				E011322FA(_t141, _t333 - 0x324, __edx, __eflags);
      				E0113F710(0, 0x115b578, __edi);
      				memset(_t333 - 0x2f8, 0, 0x98);
      				E01122ED0(0, _t333 - 0x2f8, __edi);
      				 *((char*)(_t333 - 4)) = 2;
      				_t147 = E01123A5E(0, _t333 - 0x2f8, L"<<<<<< Start of program. Process ID: ", __edi);
      				__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(GetCurrentProcessId());
      				_t317 = L" >>>>>>";
      				E01123A5E(0, _t148, L" >>>>>>", __edi);
      				__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      				asm("xorps xmm0, xmm0");
      				asm("movlpd [ebp-0x224], xmm0");
      				_t248 = 0x2c;
      				 *((intOrPtr*)(_t333 - 0x224)) = 0;
      				 *((intOrPtr*)(_t333 - 0x220)) = 0;
      				_t150 = E01129B1B(_t248, L" >>>>>>");
      				 *_t150 = _t150;
      				 *((intOrPtr*)(_t150 + 4)) = _t150;
      				 *((intOrPtr*)(_t150 + 8)) = _t150;
      				 *((short*)(_t150 + 0xc)) = 0x101;
      				 *((intOrPtr*)(_t333 - 0x224)) = _t150;
      				 *((char*)(_t333 - 4)) = 3;
      				E011298AC(_t333 - 0x31c, "-tasks");
      				 *((char*)(_t333 - 4)) = 4;
      				_t153 = E01132BE4(0, _t333 - 0x224, L" >>>>>>", _t323, _t147, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t153 = E011314C6;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-install");
      				 *((char*)(_t333 - 4)) = 5;
      				_t157 = E01132BE4(0, _t333 - 0x224, L" >>>>>>", _t323, _t147, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t157 = 0x11309df;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-updatesched");
      				 *((char*)(_t333 - 4)) = 6;
      				_t161 = E01132BE4(0, _t333 - 0x224, L" >>>>>>", _t323, _t147, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t161 = E01130EE6;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-updatestartup");
      				 *((char*)(_t333 - 4)) = 7;
      				_t165 = E01132BE4(0, _t333 - 0x224, _t317, _t323, E01130EE6, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t165 = E01130EE6;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-uninstall");
      				 *((char*)(_t333 - 4)) = 8;
      				_t169 = E01132BE4(0, _t333 - 0x224, _t317, _t323, E01130EE6, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t169 = E0113193D;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-resetsearch");
      				 *((char*)(_t333 - 4)) = 9;
      				_t173 = E01132BE4(0, _t333 - 0x224, _t317, _t323, E0113193D, _t333 - 0x31c);
      				 *((char*)(_t333 - 4)) = 3;
      				 *_t173 = E0113193D;
      				E01129AC1(_t333 - 0x31c);
      				E011298AC(_t333 - 0x31c, "-version");
      				 *((char*)(_t333 - 4)) = 0xa;
      				_t177 = E01132BE4(0, _t333 - 0x224, _t317, _t323, E0113193D, _t333 - 0x31c);
      				_t269 = _t333 - 0x31c;
      				 *_t177 = E01131BCE;
      				E01129AC1(_t269);
      				_t329 = CommandLineToArgvW(GetCommandLineW(), _t333 - 0x228);
      				 *((intOrPtr*)(_t333 - 0x230)) = 0;
      				 *((intOrPtr*)(_t333 - 0x22c)) = 0xf;
      				 *((char*)(_t333 - 0x240)) = 0;
      				 *((char*)(_t333 - 4)) = 0xb;
      				GetModuleFileNameW(0, _t333 - 0x21c, 0x104);
      				_push(_t269);
      				E01131FBA(_t333 - 0x368, _t333 - 0x21c);
      				 *((char*)(_t333 - 4)) = 0xd;
      				_t187 = E0112DD7B(_t333 - 0x368, _t333 - 0x380);
      				_push(_t333 - 0x260);
      				_t325 = 1;
      				 *((intOrPtr*)(_t333 - 0x2fc)) = 1;
      				E0113236C(0, _t187, 1, _t340);
      				E01129A96(_t333 - 0x380);
      				 *((char*)(_t333 - 4)) = 0x10;
      				E01129A96(_t333 - 0x368);
      				if(E01142060(0, _t333 - 0x260, 1) == 0) {
      					__eflags =  *(_t333 - 0x228) - 1;
      					if( *(_t333 - 0x228) != 1) {
      						E0112BA52(_t333 - 0x31c,  *((intOrPtr*)(_t329 + 4)));
      						_t317 = _t333 - 0x31c;
      						 *((char*)(_t333 - 4)) = 0x11;
      						E011293B6(_t333 - 0x240, _t329, E01136693(0, _t333 - 0x350, _t333 - 0x31c, 1));
      						E01129AC1(_t333 - 0x350);
      						 *((char*)(_t333 - 4)) = 0x10;
      						E01129A96(_t333 - 0x31c);
      					} else {
      						E01129863(_t333 - 0x240, "-install", 8);
      					}
      					LocalFree(_t329);
      					 *((intOrPtr*)(_t333 - 0x2fc)) = _t238;
      					_t282 = _t333 - 0x224;
      					E01132D80(_t282, _t333 - 0x2fc, _t333 - 0x240);
      					_t330 =  *((intOrPtr*)(_t333 - 0x2fc));
      					__eflags = _t330 -  *((intOrPtr*)(_t333 - 0x224));
      					if(__eflags == 0) {
      						L7:
      						_push(_t282);
      						 *((intOrPtr*)(_t333 - 0x2fc)) = _t333 - 0x240;
      						_push(_t333 - 0x2fc);
      						_push(_t282);
      						_push(_t330);
      						_push(_t333 - 0x328);
      						_t330 =  *((intOrPtr*)(E01132E24(_t238, _t333 - 0x224, _t317, _t325, __eflags)));
      					} else {
      						__eflags = E0112409E(_t333 - 0x240, _t330 + 0x10);
      						if(__eflags != 0) {
      							goto L7;
      						}
      					}
      					_t331 =  *((intOrPtr*)(_t330 + 0x28));
      					__eflags = _t331;
      					if(__eflags != 0) {
      						_t109 = E011214A8(_t238, _t325) + 0xe4; // 0xe4
      						E01122E78(_t109, _t333 - 0x240);
      						_t204 =  *_t331();
      					}
      					_t205 = E011322FA(_t204, _t333 - 0x304, _t317, __eflags);
      					_t286 =  *((intOrPtr*)(_t333 - 0x304)) -  *((intOrPtr*)(_t333 - 0x324));
      					asm("sbb edx, [ebp-0x320]");
      					E01145610(_t205, _t286);
      					asm("divsd xmm0, [0x114f8f8]");
      					_t325 =  *0x115b580;
      					asm("movsd [esp], xmm0");
      					asm("movsd [ebp-0x324], xmm0");
      					_t332 = E011332B4("%f", _t286);
      					E0112BCCF(_t333 - 0x31c, _t332);
      					__eflags =  *((intOrPtr*)(_t333 - 0x308)) - 0x10;
      					asm("movsd xmm0, [ebp-0x324]");
      					_t117 = _t332 + 1; // 0x1
      					_t289 =  >=  ?  *(_t333 - 0x31c) : _t333 - 0x31c;
      					asm("movsd [esp], xmm0");
      					E011332EA( >=  ?  *(_t333 - 0x31c) : _t333 - 0x31c, _t117, "%f",  >=  ?  *(_t333 - 0x31c) : _t333 - 0x31c);
      					 *((char*)(_t333 - 4)) = 0x12;
      					_t211 = E011298AC(_t333 - 0x350, "Elapsed run time: ");
      					_t337 = _t334 + 0x1c - 0x18;
      					 *((char*)(_t333 - 4)) = 0x13;
      					 *((intOrPtr*)(_t333 - 0x328)) = _t337;
      					E0112DA56(_t337, _t211, _t333 - 0x31c);
      					 *((char*)(_t333 - 4)) = 0x14;
      					 *((intOrPtr*)(_t333 - 0x2fc)) = _t337 - 0x18;
      					E011298AC(_t337 - 0x18, "int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)");
      					 *((char*)(_t333 - 4)) = 0x15;
      					E011298AC(_t337, "C:\\git\\modular-installer\\kernel\\kernel.cpp");
      					 *((char*)(_t333 - 4)) = 0x13;
      					E0113765F(_t238,  *0x115b580,  *0x115b580);
      					E01129AC1(_t333 - 0x350);
      					E01129AC1(_t333 - 0x31c);
      					E01129A96(_t333 - 0x260);
      					E01129AC1(_t333 - 0x240);
      					E011244D7(_t333 - 0x224, _t333 - 0x224,  *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x224)) + 4)));
      					_t321 = 0x2c;
      					E01129B5C( *((intOrPtr*)(_t333 - 0x224)), _t321, _t332);
      					E01122EA0();
      					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(0xb6, 2,  >=  ?  *(_t333 - 0x31c) : _t333 - 0x31c, _t286);
      				} else {
      					E01129A96(_t333 - 0x260);
      					E01129AC1(_t333 - 0x240);
      					E011244D7(_t333 - 0x224, _t333 - 0x224,  *((intOrPtr*)( *((intOrPtr*)(_t333 - 0x224)) + 4)));
      					_t322 = 0x2c;
      					E01129B5C( *((intOrPtr*)(_t333 - 0x224)), _t322, _t329);
      					E01122EA0();
      					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      					_t238 = 0xffffffff;
      				}
      				__imp__#1052();
      				_t224 = _t238;
      				return E01143D4C(_t224, _t238, _t325);
      			}































      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 01132409
      • #324.MFC140U(00000000,00000374), ref: 01132422
        • Part of subcall function 011322FA: _Query_perf_frequency.MSVCP140(00000001,?,00000000,00000001,00000000,00000000), ref: 01132306
        • Part of subcall function 011322FA: _Query_perf_counter.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,011339B2), ref: 01132313
        • Part of subcall function 011322FA: __alldvrm.LIBCMT ref: 0113231E
        • Part of subcall function 011322FA: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01132340
        • Part of subcall function 0113F710: __EH_prolog3.LIBCMT ref: 0113F717
        • Part of subcall function 0113F710: #1511.MFC140U(000000D0,00000004,0112C22B,000000FC,?,0112A166,?), ref: 0113F729
        • Part of subcall function 0113F710: memset.VCRUNTIME140(00000000,00000000,000000D0,0112A166,?), ref: 0113F743
      • memset.VCRUNTIME140(?,00000000,00000098), ref: 01132451
        • Part of subcall function 01122ED0: __EH_prolog3.LIBCMT ref: 01122ED7
        • Part of subcall function 01122ED0: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011401C3,00000000,00000098,000000A8,0112EC1E,?), ref: 01122EEE
        • Part of subcall function 01122ED0: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(00000000,00000000,00000000), ref: 01122F08
        • Part of subcall function 01122ED0: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01122F2B
        • Part of subcall function 01123A5E: __EH_prolog3_catch.LIBCMT ref: 01123A65
        • Part of subcall function 01123A5E: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123BD0
      • GetCurrentProcessId.KERNEL32(00000000,00000098), ref: 01132478
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000), ref: 01132481
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B10
        • Part of subcall function 01123A5E: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP140(?,?,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B41
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B6C
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0113249A
        • Part of subcall function 01129B1B: #1511.MFC140U(00000001,01129A1D,?,01129A6B,00000001,?,?,?,?,?,0112149C), ref: 01129B2F
      • GetCommandLineW.KERNEL32(?,-version,-resetsearch,-uninstall,-updatestartup,-updatesched,-install,-tasks), ref: 01132671
      • CommandLineToArgvW.SHELL32(00000000), ref: 01132678
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 011326A7
        • Part of subcall function 0113236C: __EH_prolog3.LIBCMT ref: 01132373
        • Part of subcall function 01142060: __EH_prolog3_GS.LIBCMT ref: 0114206A
        • Part of subcall function 01142060: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0114207C
        • Part of subcall function 01142060: Process32FirstW.KERNEL32 ref: 0114209A
        • Part of subcall function 01142060: Process32NextW.KERNEL32(?,0000022C), ref: 01142109
        • Part of subcall function 01142060: CloseHandle.KERNEL32(?,?,?,00000000,?), ref: 01142124
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140 ref: 01132762
      • LocalFree.KERNEL32(00000000,00000000,?), ref: 011327D6
      • #1052.MFC140U ref: 011329DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$H_prolog3V01@$#1511??6?$basic_ostream@_?sputc@?$basic_streambuf@_CommandLineProcess32memset$#1052#324??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??1?$basic_ios@_?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_ArgvCloseCreateCurrentFileFirstFreeH_prolog3_H_prolog3_catchH_prolog3_catch_HandleLocalModuleNameNextProcessQuery_perf_counterQuery_perf_frequencySnapshotToolhelp32Unothrow_t@std@@@V01@@V?$basic_streambuf@_W@std@@@1@___alldvrm__ehfuncinfo$??2@
      • String ID: >>>>>>$-install$-resetsearch$-tasks$-uninstall$-updatesched$-updatestartup$-version$<<<<<< Start of program. Process ID: $C:\git\modular-installer\kernel\kernel.cpp$Elapsed run time: $int __stdcall wWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,wchar_t *,int)
      • API String ID: 1775986270-3053198885
      • Opcode ID: a20e120ce314270f0464732c675ee8a2dd8052bec0a3e3d242fae09356728c6d
      • Instruction ID: 75106ddd0beaf82b9dfb626cc5754d385077420681a7ef74fef02f7857a91758
      • Opcode Fuzzy Hash: a20e120ce314270f0464732c675ee8a2dd8052bec0a3e3d242fae09356728c6d
      • Instruction Fuzzy Hash: 29F1387094426EABCF2AEB64DD98BDDB7B8AF28308F4441E9D40963190DB705F89CF50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 42%
      			E0113A4AA(void* __ebx, void* __edi) {
      				signed int _t96;
      				void* _t97;
      				intOrPtr* _t108;
      				void* _t109;
      				signed char _t120;
      				signed char _t122;
      				signed char _t124;
      				signed char _t126;
      				signed char _t128;
      				signed int _t130;
      				signed char _t131;
      				int _t133;
      				signed char _t146;
      				unsigned int _t149;
      				signed int* _t150;
      				signed int* _t154;
      				signed char _t158;
      				signed int _t159;
      				void* _t161;
      				signed int _t174;
      				signed char _t179;
      				signed int* _t180;
      				void* _t182;
      				void* _t183;
      
      				_t96 = E01143D91(E01148D0A, __ebx, __edi, 0x48);
      				_t169 =  *((intOrPtr*)(_t182 + 0xc));
      				_t179 =  *(_t182 + 8);
      				 *(_t182 - 0x54) = _t179;
      				_t149 =  *( *((intOrPtr*)(_t182 + 0xc)) + 0xe) & 0x0000ffff;
      				_t174 = 4;
      				 *(_t182 - 0x50) = _t179;
      				if(_t149 == _t174) {
      					__imp__#1511();
      					_t150 = 0x18;
      					 *(_t182 - 0x54) = _t96;
      					_t146 = 0;
      					 *(_t182 - 4) = 0;
      					__eflags = _t96;
      					if(_t96 != 0) {
      						_t150 = _t96;
      						_t146 = E011298AC(_t150, "Not supported yet (array)");
      					}
      					_t69 = _t182 - 4;
      					 *_t69 =  *(_t182 - 4) | 0xffffffff;
      					__eflags =  *_t69;
      					 *(_t182 - 0x50) = _t146;
      					goto L39;
      				} else {
      					_t120 = _t149 >> 3;
      					_t146 = 1;
      					if((1 & _t120) == 0) {
      						_t122 = _t149 >> 9;
      						__eflags = 1 & _t122;
      						if((1 & _t122) == 0) {
      							__eflags = _t149 & 0x00000200;
      							if(__eflags == 0) {
      								L15:
      								_t124 = _t149 >> 5;
      								__eflags = _t146 & _t124;
      								if((_t146 & _t124) == 0) {
      									_t126 = _t149 >> 7;
      									__eflags = _t146 & _t126;
      									if((_t146 & _t126) == 0) {
      										__eflags = _t149 - 3;
      										if(_t149 != 3) {
      											_t128 = _t149 >> 0xa;
      											_push(0x18);
      											__eflags = _t146 & _t128;
      											if((_t146 & _t128) == 0) {
      												_t128 = _t149 >> 6;
      												__eflags = _t146 & _t128;
      												if((_t146 & _t128) == 0) {
      													_t158 = _t149 >> 8;
      													__eflags = _t146 & _t158;
      													if((_t146 & _t158) == 0) {
      														__imp__#1511();
      														_pop(_t150);
      														 *(_t182 - 0x50) = _t128;
      														 *(_t182 - 4) = 0xb;
      														__eflags = _t128;
      														if(_t128 == 0) {
      															_t130 = 0;
      															__eflags = 0;
      														} else {
      															_t150 = _t128;
      															_t130 = E011298AC(_t150, "Should not get here");
      														}
      														 *(_t182 - 4) =  *(_t182 - 4) | 0xffffffff;
      														 *(_t182 - 0x54) = _t130;
      														_t97 = _t182 - 0x54;
      														_push(0x1156040);
      													} else {
      														__imp__#1511();
      														_pop(_t150);
      														 *(_t182 - 0x54) = _t128;
      														 *(_t182 - 4) = 0xa;
      														__eflags = _t128;
      														if(_t128 == 0) {
      															goto L5;
      														} else {
      															_push("Not supported yet (uint64)");
      															goto L4;
      														}
      													}
      												} else {
      													__imp__#1511();
      													_pop(_t150);
      													 *(_t182 - 0x54) = _t128;
      													 *(_t182 - 4) = 9;
      													__eflags = _t128;
      													if(_t128 == 0) {
      														goto L5;
      													} else {
      														_push("Not supported yet (uint)");
      														goto L4;
      													}
      												}
      											} else {
      												__imp__#1511();
      												_pop(_t150);
      												 *(_t182 - 0x54) = _t128;
      												 *(_t182 - 4) = 8;
      												__eflags = _t128;
      												if(_t128 == 0) {
      													goto L5;
      												} else {
      													_push("Not supported yet (string)");
      													goto L4;
      												}
      											}
      											goto L40;
      										} else {
      											_t159 = 6;
      											_t133 = memset(_t182 - 0x28, 0, _t159 << 2);
      											asm("xorps xmm0, xmm0");
      											 *((intOrPtr*)(_t182 - 0x14)) = 0x100;
      											__eflags = 0;
      											asm("movups [ebp-0x28], xmm0");
      											 *((intOrPtr*)(_t182 - 0x18)) = 0;
      											 *(_t182 - 4) = 6;
      											_t177 = _t182 - 0x4c;
      											_t161 = 9;
      											memset(_t182 - 0x4c, _t133, 0 << 2);
      											 *((intOrPtr*)(_t182 - 0x38)) = 0;
      											 *(_t182 - 0x4c) = _t182 - 0x28;
      											asm("movups [ebp-0x48], xmm0");
      											 *((intOrPtr*)(_t182 - 0x34)) = 0x100;
      											 *((intOrPtr*)(_t182 - 0x30)) = 0x144;
      											 *((char*)(_t182 - 0x2c)) = 0;
      											 *(_t182 - 4) = 7;
      											E0113B01D(0, _t169, _t177 + _t161, _t179, _t182 - 0x4c);
      											 *_t179 = 0;
      											E011298AC(_t183 + 0x18 - 0x18, E0113AC58(_t182 - 0x28));
      											E0113A86F(0,  *(_t182 - 0x50), _t177 + _t161);
      											E0113AC3D(_t182 - 0x48);
      											E0113AC3D(_t182 - 0x28);
      											return E01143D3B( *(_t182 - 0x50), 0, _t177 + _t161);
      										}
      									} else {
      										__imp__#1511();
      										_t150 = 0x18;
      										 *(_t182 - 0x54) = _t126;
      										 *(_t182 - 4) = 5;
      										__eflags = _t126;
      										if(_t126 == 0) {
      											goto L5;
      										} else {
      											_push("Not supported yet (int64)");
      											goto L4;
      										}
      										goto L40;
      									}
      								} else {
      									__imp__#1511();
      									_t150 = 0x18;
      									 *(_t182 - 0x54) = _t124;
      									 *(_t182 - 4) = _t174;
      									__eflags = _t124;
      									if(_t124 == 0) {
      										goto L5;
      									} else {
      										_push("Not supported yet (int)");
      										goto L4;
      									}
      									goto L40;
      								}
      							} else {
      								asm("movsd xmm1, [edx]");
      								asm("comisd xmm1, [0x114f928]");
      								if(__eflags < 0) {
      									goto L15;
      								} else {
      									asm("movsd xmm0, [0x114f908]");
      									asm("comisd xmm0, xmm1");
      									if(__eflags < 0) {
      										goto L15;
      									} else {
      										__imp__#1511();
      										_t150 = 0x18;
      										 *(_t182 - 0x54) = _t122;
      										 *(_t182 - 4) = 3;
      										__eflags = _t122;
      										if(_t122 == 0) {
      											goto L5;
      										} else {
      											_push("Not supported yet (float)");
      											goto L4;
      										}
      										goto L40;
      									}
      								}
      							}
      						} else {
      							__imp__#1511();
      							_t150 = 0x18;
      							 *(_t182 - 0x54) = _t122;
      							 *(_t182 - 4) = 2;
      							__eflags = _t122;
      							if(_t122 == 0) {
      								goto L5;
      							} else {
      								_push("Not supported yet (double)");
      								goto L4;
      							}
      							goto L40;
      						}
      					} else {
      						__imp__#1511();
      						_t150 = 0x18;
      						 *(_t182 - 0x54) = _t120;
      						 *(_t182 - 4) = 1;
      						if(_t120 == 0) {
      							L5:
      							_t131 = 0;
      							__eflags = 0;
      						} else {
      							_push("Not supported yet (bool)");
      							L4:
      							_t150 = _t128;
      							_t131 = E011298AC(_t150);
      						}
      						 *(_t182 - 4) =  *(_t182 - 4) | 0xffffffff;
      						 *(_t182 - 0x50) = _t131;
      						L39:
      						_push(0x1156040);
      						_t97 = _t182 - 0x50;
      						L40:
      						_push(_t97);
      						L01145637();
      						asm("int3");
      						E01143D91(E01148D49, _t146, _t174, 0x28);
      						_t180 = _t150;
      						 *(_t182 - 4) = 1;
      						_t101 =  >=  ?  *(_t182 + 8) : _t182 + 8;
      						E0113AE1B(_t182 - 0x20,  >=  ?  *(_t182 + 8) : _t182 + 8, _t180[4]);
      						 *(_t182 - 4) = 2;
      						_t104 =  >=  ?  *((void*)(_t182 + 0x20)) : _t182 + 0x20;
      						E0113AE1B(_t182 - 0x30,  >=  ?  *((void*)(_t182 + 0x20)) : _t182 + 0x20, _t180[4]);
      						 *(_t182 - 4) = 3;
      						_t108 = E0113B892(_t146, _t180, _t174, _t180, _t182 - 0x34, _t182 - 0x20);
      						_t154 = _t180;
      						_t192 =  *_t108 - ( *_t180 << 5) + _t180[2];
      						_t109 = _t182 - 0x30;
      						if( *_t108 == ( *_t180 << 5) + _t180[2]) {
      							E0113AD58(_t154, _t182 - 0x20, _t109, _t180[4]);
      						} else {
      							E0113ADD5(E0113B3B9(_t146, _t154, _t174, _t180, _t192, _t182 - 0x20), _t109);
      						}
      						E01129AC1(_t182 + 8);
      						return E01143D3B(E01129AC1(_t182 + 0x20), _t146, _t174);
      					}
      				}
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113A4B1
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A4E0
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A518
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A55A
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A581
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A5AB
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A675
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A6A1
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A6CB
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A6EE
      • #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A726
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113A757
      Strings
      • Not supported yet (int), xrefs: 0113A596
      • Not supported yet (uint64), xrefs: 0113A6E4
      • Not supported yet (array), xrefs: 0113A739
      • Not supported yet (string), xrefs: 0113A68E
      • Not supported yet (double), xrefs: 0113A52D
      • Not supported yet (float), xrefs: 0113A56F
      • Not supported yet (bool), xrefs: 0113A4F1
      • Not supported yet (uint), xrefs: 0113A6BA
      • Should not get here, xrefs: 0113A703
      • Not supported yet (int64), xrefs: 0113A5C4
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$ExceptionH_prolog3_Throw
      • String ID: Not supported yet (array)$Not supported yet (bool)$Not supported yet (double)$Not supported yet (float)$Not supported yet (int)$Not supported yet (int64)$Not supported yet (string)$Not supported yet (uint)$Not supported yet (uint64)$Should not get here
      • API String ID: 1915794326-4064176178
      • Opcode ID: 3c0086169aeffa50572a58fd1e8c124c6607f423968be4ea5f32a7e1f143be02
      • Instruction ID: 79a75b6acab6c0c3bf1838dacd8f9e31520f90fb985780cc69fe113f1034c698
      • Opcode Fuzzy Hash: 3c0086169aeffa50572a58fd1e8c124c6607f423968be4ea5f32a7e1f143be02
      • Instruction Fuzzy Hash: CB719070A04349DBEF1CDFE8A5487DDBBB1AF94720F1881299956EB1C8DB748688CB11
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0113193D(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
      				void* _t67;
      				intOrPtr _t98;
      				intOrPtr _t107;
      				intOrPtr _t134;
      				intOrPtr _t136;
      				void* _t139;
      				void* _t140;
      				intOrPtr _t141;
      				intOrPtr _t142;
      				void* _t143;
      				intOrPtr _t144;
      				intOrPtr _t145;
      				void* _t146;
      				intOrPtr _t147;
      				intOrPtr _t150;
      				void* _t151;
      				void* _t153;
      				intOrPtr _t154;
      				intOrPtr _t155;
      				void* _t156;
      				intOrPtr _t157;
      
      				_t98 = __ecx;
      				E01143D91(E01147A91, __ebx, __edi, 0x74);
      				_t134 = _t98;
      				_t141 = _t140 - 0x18;
      				 *((intOrPtr*)(_t139 - 0x68)) = _t141;
      				E011298AC(_t141, "Fetching uninstall actions");
      				_push(2);
      				_push(0x28c);
      				_t142 = _t141 - 0x18;
      				_t97 = 0;
      				 *(_t139 - 4) = 0;
      				 *((intOrPtr*)(_t139 - 0x60)) = _t142;
      				E011298AC(_t142, "void __thiscall InstPC::IPCService::uninstall(void)");
      				_t143 = _t142 - 0x18;
      				 *(_t139 - 4) = 1;
      				E011298AC(_t143, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      				 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
      				E0113765F(0,  *((intOrPtr*)(_t134 + 8)), _t134);
      				_t144 = _t143 - 0x18;
      				 *((intOrPtr*)(_t139 - 0x64)) = _t144;
      				E011298AC(_t144, "v2/uninstall");
      				_t145 = _t144 - 0x18;
      				 *(_t139 - 4) = 2;
      				 *((intOrPtr*)(_t139 - 0x60)) = _t145;
      				E011298AC(_t145, "zoremov.com");
      				_t146 = _t145 - 0x18;
      				 *(_t139 - 4) = 3;
      				E011298AC(_t146, "alg.");
      				 *(_t139 - 4) =  *(_t139 - 4) | 0xffffffff;
      				_push(_t139 - 0x28);
      				E0113082A(0, _t134, _t134);
      				 *(_t139 - 4) = 4;
      				_t147 = _t146 - 0x18;
      				_t107 = _t147;
      				_t136 =  *((intOrPtr*)(_t134 + 8));
      				 *((intOrPtr*)(_t139 - 0x64)) = _t147;
      				_t161 =  *((intOrPtr*)(_t139 - 0x18));
      				if( *((intOrPtr*)(_t139 - 0x18)) == 0) {
      					E011298AC(_t107, "No uninstall actions waiting");
      					_t148 = _t147 - 0x18;
      					 *(_t139 - 4) = 0xd;
      					 *((intOrPtr*)(_t139 - 0x60)) = _t147 - 0x18;
      					E011298AC(_t148, "void __thiscall InstPC::IPCService::uninstall(void)");
      					 *(_t139 - 4) = 0xe;
      					E011298AC(_t148 - 0x18, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t139 - 4) = 4;
      					_t67 = E0113765F(0, _t136, _t134);
      					__imp__InternetCheckConnectionW(L"http://www.google.com", 1, 0, 0x29c, 2);
      					__eflags = _t67;
      					if(_t67 == 0) {
      						MessageBoxW(0, L"Uninstall requires an internet connection. Please check your network connection and retry uninstall.", L"Uninstall", 0);
      					}
      				} else {
      					_t132 = "Got unintall configuration ";
      					_push(_t139 - 0x28);
      					E011237FA(0, _t107, "Got unintall configuration ", _t134);
      					_push(2);
      					_push(0x291);
      					_t150 = _t147 - 0x18;
      					 *(_t139 - 4) = 5;
      					 *((intOrPtr*)(_t139 - 0x60)) = _t150;
      					E011298AC(_t150, "void __thiscall InstPC::IPCService::uninstall(void)");
      					_t151 = _t150 - 0x18;
      					 *(_t139 - 4) = 6;
      					E011298AC(_t151, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t139 - 4) = 4;
      					E0113765F(0, _t136, _t134);
      					memset(_t139 - 0x5c, 0, 0x34);
      					_push(0);
      					_t153 = _t151 + 0xc - 0x18;
      					E011298E1(_t153, _t139 - 0x28);
      					E0112CC5B(0, _t139 - 0x5c, "Got unintall configuration ", _t134, _t136, _t161);
      					_t154 = _t153 - 0x18;
      					 *(_t139 - 4) = 7;
      					 *((intOrPtr*)(_t139 - 0x64)) = _t154;
      					E011298AC(_t154, "Uninstall configuration ready");
      					_push(2);
      					_push(0x295);
      					_t155 = _t154 - 0x18;
      					 *(_t139 - 4) = 8;
      					 *((intOrPtr*)(_t139 - 0x60)) = _t155;
      					_t97 = "void __thiscall InstPC::IPCService::uninstall(void)";
      					E011298AC(_t155, "void __thiscall InstPC::IPCService::uninstall(void)");
      					_t156 = _t155 - 0x18;
      					 *(_t139 - 4) = 9;
      					E011298AC(_t156, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t139 - 4) = 7;
      					E0113765F(_t97,  *((intOrPtr*)(_t134 + 8)), _t134);
      					E0112FC67(_t97, _t134, _t134, _t161);
      					E0112CE12(_t97, _t139 - 0x5c, _t134, _t161);
      					_t134 =  *((intOrPtr*)(_t134 + 8));
      					_t124 = _t139 - 0x80;
      					E011298E1(_t139 - 0x80, _t139 - 0x50);
      					_t157 = _t156 - 0x18;
      					 *(_t139 - 4) = 0xa;
      					_t138 = _t157;
      					 *((intOrPtr*)(_t139 - 0x64)) = _t157;
      					 *((intOrPtr*)(_t139 - 0x60)) = _t157;
      					E011299A0(_t138, E01124262(_t139 - 0x80, _t138, _t124, "Finished running configuration ", 0x1f));
      					_push(2);
      					_push(0x299);
      					_t158 = _t157 - 0x18;
      					 *(_t139 - 4) = 0xb;
      					 *((intOrPtr*)(_t139 - 0x60)) = _t157 - 0x18;
      					E011298AC(_t158, _t97);
      					 *(_t139 - 4) = 0xc;
      					E011298AC(_t158 - 0x18, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t139 - 4) = 0xa;
      					E0113765F(_t97, _t134, _t134);
      					E01129AC1(_t139 - 0x80);
      					E0112CDC0(_t97, _t139 - 0x5c, _t132, _t134);
      				}
      				return E01143D3B(E01129AC1(_t139 - 0x28), _t97, _t134);
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01131944
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
        • Part of subcall function 0113082A: __EH_prolog3_GS.LIBCMT ref: 01130834
        • Part of subcall function 0113082A: memset.VCRUNTIME140(?,00000000,000000B0,000000E0,01131679,?,alg.), ref: 01130864
      • memset.VCRUNTIME140(?,00000000,00000034,C:\git\modular-installer\kernel\IPCService.cpp), ref: 01131A55
        • Part of subcall function 0112CC5B: __EH_prolog3_GS.LIBCMT ref: 0112CC65
        • Part of subcall function 0112CC5B: memset.VCRUNTIME140(?,00000000,000000A8,?,?,actions), ref: 0112CD31
        • Part of subcall function 0112FC67: __EH_prolog3_GS.LIBCMT ref: 0112FC71
        • Part of subcall function 0112FC67: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,edge), ref: 0112FDAA
        • Part of subcall function 0112CE12: __EH_prolog3_GS.LIBCMT ref: 0112CE1C
        • Part of subcall function 0112CE12: memset.VCRUNTIME140(?,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CEA5
        • Part of subcall function 0112CE12: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z.MSVCP140(00000000,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CED0
        • Part of subcall function 0112CE12: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0112CEDD
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 01124262: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?,00000000,?,?), ref: 011242B5
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?), ref: 011242BF
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(01133C49,01133C49,000000EC,?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?), ref: 011242D5
      • InternetCheckConnectionW.WININET(http://www.google.com,00000001,00000000), ref: 01131BA4
      • MessageBoxW.USER32(00000000,Uninstall requires an internet connection. Please check your network connection and retry uninstall.,Uninstall,00000000), ref: 01131BBA
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: _Xtime_get_ticks.MSVCP140 ref: 011376CA
        • Part of subcall function 0113765F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_$memset$V01@memcpy$??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$#1511CheckConnectionExceptionFileH_prolog3InternetMessageModuleNameThrowUnothrow_t@std@@@V01@@Xtime_get_ticks__ehfuncinfo$??2@memmove
      • String ID: C:\git\modular-installer\kernel\IPCService.cpp$Fetching uninstall actions$Finished running configuration $Got unintall configuration $No uninstall actions waiting$Uninstall$Uninstall configuration ready$Uninstall requires an internet connection. Please check your network connection and retry uninstall.$alg.$http://www.google.com$v2/uninstall$void __thiscall InstPC::IPCService::uninstall(void)$zoremov.com
      • API String ID: 1961058380-322957057
      • Opcode ID: f70664981d70259d7dccde9663958189c9d693f1c101bef587e965673ffee2ec
      • Instruction ID: 38af144c8d6f0e0d003ba3988fb81b52099380ad316a92cbeb325478938062a7
      • Opcode Fuzzy Hash: f70664981d70259d7dccde9663958189c9d693f1c101bef587e965673ffee2ec
      • Instruction Fuzzy Hash: 09619F60E0036DEBDF0CB7BDC91AB9C7E756B61B58F94418CE2013B285DBB51A1487D2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3.LIBCMT ref: 01142829
      • CoInitializeEx.OLE32(00000000,00000000,00000010,01142D31,00000074,0112E986), ref: 0114284E
      • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01142867
      • #1511.MFC140U(00000018), ref: 01142873
      • CoCreateInstance.OLE32(0114B714,00000000,00000001,0114B704,?), ref: 011428A1
      • #1511.MFC140U(00000018), ref: 011428AD
      • #1511.MFC140U(00000018), ref: 01142957
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01142987
      Strings
      • Couldn't connect to service, xrefs: 0114292D
      • COM initialization failed, xrefs: 01142969
      • Security initialization failed, xrefs: 01142889
      • Instantiation of IWbemLocator failed, xrefs: 011428C3
      • root\cimv2, xrefs: 011428D2
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$Initialize$CreateExceptionH_prolog3InstanceSecurityThrow
      • String ID: COM initialization failed$Couldn't connect to service$Instantiation of IWbemLocator failed$Security initialization failed$root\cimv2
      • API String ID: 3323686253-3174161079
      • Opcode ID: 6464e56e81ed77ad9f1489234ca65b782683e5324215fca69c59e4682cc6a668
      • Instruction ID: cc1c23c2e0bbe215bbbefc0f953f6eb7d901d4a85a916f9005857dd5747fc692
      • Opcode Fuzzy Hash: 6464e56e81ed77ad9f1489234ca65b782683e5324215fca69c59e4682cc6a668
      • Instruction Fuzzy Hash: C741A274A0431AEFEB18DBB9D948BAE7AE8AF04B54F144069F544F7281D7B08E40C7B5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0112E69C(intOrPtr* __ebx, void* __edx, void* __edi) {
      				int _t75;
      				void* _t78;
      				long _t89;
      				long _t95;
      				void* _t115;
      				void* _t131;
      				void* _t137;
      				int _t141;
      				int _t142;
      				void* _t145;
      				intOrPtr _t146;
      				void* _t148;
      				long* _t149;
      
      				_t139 = __edi;
      				_t137 = __edx;
      				_t114 = __ebx;
      				_t72 = E01143D91(E01146E99, __ebx, __edi, 0xbc);
      				if( *0x115a034 != 0) {
      					L14:
      					return E01143D3B(_t72, _t114, _t139);
      				} else {
      					_t114 = __imp__GetAdaptersAddresses;
      					_t139 = 0;
      					_t75 =  *_t114(0, 7, 0, 0, _t148 - 0x14);
      					_t142 = _t75;
      					if(_t142 != 0x6f) {
      						__imp__#1511(0x18);
      						 *(_t148 - 0xc4) = _t75;
      						 *(_t148 - 4) = 0;
      						__eflags = _t75;
      						if(_t75 != 0) {
      							_t25 = _t142 + "Failed to acquire size of buffer needed to store network adapters. Error: "; // 0x114c668
      							_t131 = _t25;
      							goto L17;
      						}
      						goto L18;
      					} else {
      						_t145 = HeapAlloc(GetProcessHeap(), 8,  *(_t148 - 0x14));
      						 *(_t148 - 0xc0) = _t145;
      						if(_t145 == 0) {
      							goto L14;
      						} else {
      							_t114 =  *_t114(0, 7, 0, _t145, _t148 - 0x14);
      							if(_t114 == 0) {
      								asm("xorps xmm0, xmm0");
      								_t115 = _t145;
      								asm("movlpd [ebp-0xc8], xmm0");
      								_t141 =  *(_t148 - 0xc4);
      								_t146 =  *((intOrPtr*)(_t148 - 0xc8));
      								do {
      									E01142590(_t148 - 0xbc);
      									_push(_t115);
      									 *(_t148 - 4) = 2;
      									E01142668(_t115, _t148 - 0xbc, _t141);
      									__eflags =  *(_t148 - 0x40);
      									if(__eflags != 0) {
      										__eflags =  *(_t148 - 0x18) - _t141;
      										if(__eflags >= 0) {
      											if(__eflags > 0) {
      												L11:
      												_t146 =  *((intOrPtr*)(_t148 - 0x1c));
      												_t141 =  *(_t148 - 0x18);
      												E01122E78(0x115a024, _t148 - 0x50);
      											} else {
      												__eflags =  *((intOrPtr*)(_t148 - 0x1c)) - _t146;
      												if(__eflags > 0) {
      													goto L11;
      												}
      											}
      										}
      									}
      									_t115 =  *(_t115 + 8);
      									 *(_t148 - 4) =  *(_t148 - 4) | 0xffffffff;
      									E01142636(_t148 - 0xbc, _t137, __eflags);
      									__eflags = _t115;
      								} while (_t115 != 0);
      								_t139 = 0;
      								__eflags = 0;
      								_t72 = HeapFree(GetProcessHeap(), 0,  *(_t148 - 0xc0));
      								goto L14;
      							} else {
      								_t75 = HeapFree(GetProcessHeap(), 0, _t145);
      								__imp__#1511(0x18);
      								 *(_t148 - 0xc4) = _t75;
      								 *(_t148 - 4) = 1;
      								if(_t75 != 0) {
      									_t7 = _t114 + "Failed to Network adapters data. Error: "; // 0x114c6b4
      									_t131 = _t7;
      									L17:
      									_t139 = E011298AC(_t75, _t131);
      								}
      								L18:
      								 *(_t148 - 4) =  *(_t148 - 4) | 0xffffffff;
      								_push(0x1156040);
      								_push(_t148 - 0xc0);
      								 *(_t148 - 0xc0) = _t139;
      								L01145637();
      								asm("int3");
      								_t78 = E01143D91(E01146EE9, _t114, _t139, 0x4c);
      								if( *0x115a04c == 0) {
      									asm("stosd");
      									asm("stosd");
      									asm("stosd");
      									E01142822(_t114, _t148 - 0x3c, _t148 - 0x3c);
      									 *(_t148 - 4) = 0;
      									 *(_t148 - 0x14) = 0;
      									_t139 = 7;
      									 *(_t148 - 4) = 1;
      									 *((intOrPtr*)(_t148 - 0x1c)) = 0;
      									 *(_t148 - 0x18) = _t139;
      									 *((short*)(_t148 - 0x2c)) = 0;
      									E0112BA2B(L"Select ProcessorId From Win32_processor");
      									 *(_t148 - 4) = 2;
      									_push(_t148 - 0x30);
      									_push(_t148 - 0x14);
      									_push(_t148 - 0x2c);
      									E01142A4D(_t114, _t148 - 0x3c, _t139);
      									E01129A96(_t148 - 0x2c);
      									if( *((intOrPtr*)(_t148 - 0x30)) > 0) {
      										 *((intOrPtr*)(_t148 - 0x1c)) = 0;
      										 *(_t148 - 0x18) = _t139;
      										 *((short*)(_t148 - 0x2c)) = 0;
      										 *(_t148 - 4) = 3;
      										 *((intOrPtr*)(_t148 - 0x44)) = 0;
      										 *(_t148 - 0x40) = _t139;
      										 *((short*)(_t148 - 0x54)) = 0;
      										E0112BA2B(L"ProcessorId");
      										_push(_t148 - 0x2c);
      										_push(_t148 - 0x54);
      										_push(_t148 - 0x54);
      										 *(_t148 - 4) = 5;
      										_t95 =  *(_t148 - 0x14);
      										 *_t149 = _t95;
      										if(_t95 != 0) {
      											 *((intOrPtr*)( *_t95 + 4))(_t95);
      										}
      										 *(_t148 - 4) = 4;
      										E01142BA1(_t114, _t139);
      										 *(_t148 - 4) = 3;
      										E01129A96(_t148 - 0x54);
      										if( *((intOrPtr*)(_t148 - 0x1c)) != 0) {
      											E011293B6(0x115a03c, 0, E01136693(_t114, _t148 - 0x54, _t148 - 0x2c, _t139));
      											E01129AC1(_t148 - 0x54);
      										}
      										E01129A96(_t148 - 0x2c);
      									}
      									 *(_t148 - 4) = 6;
      									_t89 =  *(_t148 - 0x14);
      									if(_t89 != 0) {
      										 *((intOrPtr*)( *_t89 + 8))(_t89);
      									}
      									_t78 = E011429B9(_t148 - 0x3c);
      								}
      								return E01143D3B(_t78, _t114, _t139);
      							}
      						}
      					}
      				}
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112E6A6
      • GetAdaptersAddresses.IPHLPAPI(00000000,00000007,00000000,00000000,?), ref: 0112E6C9
      • GetProcessHeap.KERNEL32(?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E6D9
      • HeapAlloc.KERNEL32(00000000,00000008,?,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E6E3
      • GetAdaptersAddresses.IPHLPAPI(00000000,00000007,00000000,00000000,?), ref: 0112E702
      • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E70C
      • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E713
      • #1511.MFC140U(00000018,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E71B
      • GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,?,00000050,0112117A,?), ref: 0112E7B9
      • HeapFree.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E7C0
      • #1511.MFC140U(00000018,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E7CE
      • _CxxThrowException.VCRUNTIME140(?,01156040,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E808
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Heap$Process$#1511AdaptersAddressesFree$AllocExceptionH_prolog3_Throw
      • String ID:
      • API String ID: 4024415447-0
      • Opcode ID: 06c0c6fd5e796d99d9fc62ba8d3f90fafec35ff3f0aa9b6b22073fc5b40895e8
      • Instruction ID: 5d4cad97be66368070d0ac368c102b61c666cde8192721c6d36f672881da05bc
      • Opcode Fuzzy Hash: 06c0c6fd5e796d99d9fc62ba8d3f90fafec35ff3f0aa9b6b22073fc5b40895e8
      • Instruction Fuzzy Hash: BE419631C02329DBEB38DBA4DC48FAE7BB8BF58B11F144159E629A3180D7345985CBA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E0112EF1A(void* __ebx, signed int __edi, void* __eflags) {
      				void* _t147;
      				signed int _t148;
      				signed int _t149;
      				intOrPtr _t159;
      				signed int _t173;
      				intOrPtr _t176;
      				signed int _t193;
      				void* _t197;
      				intOrPtr _t211;
      				signed int _t216;
      				signed int _t230;
      				intOrPtr _t233;
      				signed int _t234;
      				short* _t265;
      				void* _t276;
      				signed int _t291;
      				intOrPtr _t292;
      				signed int _t295;
      				intOrPtr _t297;
      				signed int* _t300;
      				void* _t303;
      
      				_t294 = __edi;
      				E01143D91(E01147086, __ebx, __edi, 0x90);
      				_t233 =  *((intOrPtr*)(_t303 + 8));
      				 *((intOrPtr*)(_t303 - 0x9c)) = _t233;
      				 *((intOrPtr*)(_t303 - 0x40)) = _t233;
      				 *(_t303 - 4) = 0;
      				_t147 = E0112DA20(_t303 + 0xc, "edge");
      				_t305 = _t147;
      				if(_t147 == 0) {
      					_t148 = E0112DA20(_t303 + 0xc, "ff");
      					__eflags = _t148;
      					if(_t148 == 0) {
      						_t149 = E0112DA20(_t303 + 0xc, "edge_chrome");
      						__eflags = _t149;
      						if(_t149 == 0) {
      							E0112BA52(_t233, 0x114bf44);
      						} else {
      							asm("xorps xmm0, xmm0");
      							_t297 = 0x114f834;
      							asm("movlpd [ebp-0x44], xmm0");
      							_t294 = 0;
      							 *((intOrPtr*)(_t303 - 0x44)) = 0x114f834;
      							 *((intOrPtr*)(_t303 - 0x40)) = 0;
      							 *(_t303 - 4) = 0xb;
      							 *(_t303 - 0x4c) = 0;
      							 *((intOrPtr*)(_t303 - 0x48)) = 7;
      							 *((short*)(_t303 - 0x5c)) = 0;
      							E0112BA2B(L"Software\\Microsoft\\Edge\\BlBeacon");
      							_push(_t303 - 0x5c);
      							E01142F52(_t303 - 0x44, __eflags, 0x80000001, _t303 - 0x5c);
      							E01129A96(_t303 - 0x5c);
      							_t159 = 7;
      							 *(_t303 - 0x70) = 0;
      							 *((intOrPtr*)(_t303 - 0x6c)) = _t159;
      							 *((short*)(_t303 - 0x80)) = 0;
      							 *(_t303 - 4) = 0xc;
      							 *((intOrPtr*)(_t303 - 0x48)) = _t159;
      							 *(_t303 - 0x4c) = 0;
      							 *((short*)(_t303 - 0x5c)) = 0;
      							E0112BA2B(L"version");
      							 *(_t303 - 4) = 0xd;
      							E01142F9F(_t233, _t303 - 0x44, 0, 0x114f834, __eflags, _t303 - 0x5c, _t303 - 0x80);
      							E01129A96(_t303 - 0x5c);
      							E011299D1(_t233, _t303 - 0x80);
      							E01129A96(_t303 - 0x80);
      							goto L10;
      						}
      					} else {
      						asm("xorps xmm0, xmm0");
      						_t294 = 0x114f834;
      						asm("movlpd [ebp-0x44], xmm0");
      						 *((intOrPtr*)(_t303 - 0x44)) = 0x114f834;
      						 *((intOrPtr*)(_t303 - 0x40)) = 0;
      						 *(_t303 - 4) = 5;
      						 *((intOrPtr*)(_t303 - 0x88)) = 0;
      						 *((intOrPtr*)(_t303 - 0x84)) = 7;
      						 *((short*)(_t303 - 0x98)) = 0;
      						E0112BA2B(L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\\firefox.exe");
      						_push(_t303 - 0x98);
      						_t173 = E01142F52(_t303 - 0x44, __eflags, 0x80000002, _t303 - 0x98);
      						E01129A96(_t303 - 0x98);
      						__eflags = _t173;
      						if(_t173 == 0) {
      							goto L3;
      						} else {
      							_t176 = 7;
      							 *(_t303 - 0x70) = 0;
      							 *((intOrPtr*)(_t303 - 0x6c)) = _t176;
      							 *((short*)(_t303 - 0x80)) = 0;
      							 *(_t303 - 4) = 6;
      							 *((intOrPtr*)(_t303 - 0x84)) = _t176;
      							 *((intOrPtr*)(_t303 - 0x88)) = 0;
      							 *((short*)(_t303 - 0x98)) = 0;
      							E0112BA2B(0x114bf44);
      							 *(_t303 - 4) = 7;
      							E01142F9F(_t233, _t303 - 0x44, 0x114f834, 0, __eflags, _t303 - 0x98, _t303 - 0x80);
      							 *(_t303 - 4) = 6;
      							E01129A96(_t303 - 0x98);
      							__eflags =  *(_t303 - 0x70);
      							if( *(_t303 - 0x70) == 0) {
      								goto L7;
      							} else {
      								_t294 = _t303 - 0x68;
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								 *(_t303 - 0x68) = 0;
      								 *((intOrPtr*)(_t303 - 0x64)) = 0;
      								 *((intOrPtr*)(_t303 - 0x60)) = 0;
      								 *(_t303 - 4) = 8;
      								E0113D01B(_t233, _t303 - 0x80, _t303 - 0x68, _t303 - 0x68);
      								 *(_t303 - 0x4c) = 0;
      								 *((intOrPtr*)(_t303 - 0x48)) = 7;
      								 *((short*)(_t303 - 0x5c)) = 0;
      								 *(_t303 - 4) = 9;
      								_t300 =  *(_t303 - 0x68);
      								__eflags = _t300 -  *((intOrPtr*)(_t303 - 0x64));
      								if(_t300 !=  *((intOrPtr*)(_t303 - 0x64))) {
      									_t234 = 0xa;
      									do {
      										_t295 =  *_t300;
      										_t265 = _t303 - 0x12;
      										do {
      											_t193 = _t295;
      											_t291 = _t193 % _t234;
      											_t265 = _t265 + 0xfffffffe;
      											_t295 = _t193 / _t234;
      											_t98 = _t291 + 0x30; // 0x30
      											 *_t265 = _t98;
      											__eflags = _t295;
      										} while (_t295 != 0);
      										_t292 = 0;
      										 *((short*)(_t303 - 0x98)) = 0;
      										_t197 = _t303 - 0x12;
      										 *((intOrPtr*)(_t303 - 0x88)) = 0;
      										_t294 = 7;
      										 *((intOrPtr*)(_t303 - 0x84)) = _t294;
      										__eflags = _t265 - _t197;
      										if(_t265 != _t197) {
      											__eflags = _t197 - _t265;
      											E01129245(_t303 - 0x98, _t265, _t197 - _t265 >> 1);
      											_t294 =  *((intOrPtr*)(_t303 - 0x84));
      											_t292 =  *((intOrPtr*)(_t303 - 0x88));
      										}
      										__eflags = _t294 - 8;
      										 *(_t303 - 4) = _t234;
      										_t199 =  >=  ?  *((void*)(_t303 - 0x98)) : _t303 - 0x98;
      										E011295CD(_t303 - 0x5c,  >=  ?  *((void*)(_t303 - 0x98)) : _t303 - 0x98, _t292);
      										 *(_t303 - 4) = 9;
      										E01129A96(_t303 - 0x98);
      										E01122E0F(0x114c5d4);
      										_t300 =  &(_t300[1]);
      										__eflags = _t300 -  *((intOrPtr*)(_t303 - 0x64));
      									} while (_t300 !=  *((intOrPtr*)(_t303 - 0x64)));
      									_t233 =  *((intOrPtr*)(_t303 - 0x9c));
      								}
      								E011299D1(_t233, _t303 - 0x5c);
      								E01129A96(_t303 - 0x5c);
      								E011242FB(_t303 - 0x68);
      								goto L9;
      							}
      						}
      						goto L27;
      					}
      				} else {
      					asm("xorps xmm0, xmm0");
      					_t294 = 0x114f834;
      					asm("movlpd [ebp-0x44], xmm0");
      					 *((intOrPtr*)(_t303 - 0x44)) = 0x114f834;
      					 *((intOrPtr*)(_t303 - 0x40)) = 0;
      					 *(_t303 - 4) = 1;
      					 *(_t303 - 0x4c) = 0;
      					 *((intOrPtr*)(_t303 - 0x48)) = 7;
      					 *((short*)(_t303 - 0x5c)) = 0;
      					E0112BA2B(L"AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv");
      					_push(_t303 - 0x5c);
      					_t301 = E01142F52(_t303 - 0x44, _t305, 0x80000000, _t303 - 0x5c);
      					E01129A96(_t303 - 0x5c);
      					_t306 = _t301;
      					if(_t301 != 0) {
      						L6:
      						 *(_t303 - 0x70) =  *(_t303 - 0x70) & 0x00000000;
      						_t211 = 7;
      						 *((intOrPtr*)(_t303 - 0x6c)) = _t211;
      						 *((short*)(_t303 - 0x80)) = 0;
      						 *(_t303 - 4) = 2;
      						 *(_t303 - 0x4c) =  *(_t303 - 0x4c) & 0;
      						 *((intOrPtr*)(_t303 - 0x48)) = _t211;
      						 *((short*)(_t303 - 0x5c)) = 0;
      						E0112BA2B(L"FriendlyTypeName");
      						 *(_t303 - 4) = 3;
      						_t216 = E01142F9F(_t233, _t303 - 0x44, _t294, _t301, __eflags, _t303 - 0x5c, _t303 - 0x80);
      						_t276 = _t303 - 0x5c;
      						 *(_t303 - 4) = 2;
      						E01129A96(_t276);
      						__eflags = _t216;
      						if(__eflags != 0) {
      							_t294 = _t303 - 0x68;
      							asm("stosd");
      							_push(_t276);
      							asm("stosd");
      							asm("stosd");
      							E0113FB87(_t233, _t303 - 0x68, _t303 - 0x80, _t303 - 0x68, __eflags);
      							 *(_t303 - 4) = 4;
      							__eflags =  &(( *(_t303 - 0x68))[6]);
      							E01129A21(_t303 - 0x5c,  &(( *(_t303 - 0x68))[6]));
      							E011299D1(_t233, _t303 - 0x5c);
      							E01129A96(_t303 - 0x5c);
      							E01131C43(_t303 - 0x68, _t303 - 0x80);
      							L9:
      							E01129A96(_t303 - 0x80);
      							_t297 = 0x114f834;
      							L10:
      							 *((intOrPtr*)(_t303 - 0x44)) = _t297;
      							goto L5;
      						} else {
      							L7:
      							E0112BA52(_t233, 0x114bf44);
      							E01129A96(_t303 - 0x80);
      							goto L4;
      						}
      						L27:
      					} else {
      						 *(_t303 - 0x4c) =  *(_t303 - 0x4c) & _t301;
      						 *((intOrPtr*)(_t303 - 0x48)) = 7;
      						 *((short*)(_t303 - 0x5c)) = 0;
      						E0112BA2B(L"AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y");
      						_push(_t303 - 0x5c);
      						_t230 = E01142F52(_t303 - 0x44, _t306, 0x80000000, _t303 - 0x5c);
      						_t301 = _t230;
      						E01129A96(_t303 - 0x5c);
      						if(_t230 != 0) {
      							goto L6;
      						} else {
      							L3:
      							E0112BA52(_t233, 0x114bf44);
      							L4:
      							 *((intOrPtr*)(_t303 - 0x44)) = _t294;
      						}
      					}
      					L5:
      					E01142F87(_t303 - 0x44);
      				}
      				E01129AC1(_t303 + 0xc);
      				return E01143D3B(_t233, _t233, _t294);
      				goto L27;
      			}

























      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112EF24
        • Part of subcall function 0112DA20: memcmp.VCRUNTIME140(?,0114EC3C,?,0113D567,00000000,?,00000000), ref: 0112DA44
        • Part of subcall function 01142F52: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 01142F77
        • Part of subcall function 01142F9F: memset.VCRUNTIME140(?,00000000,0000020A,0114BF44), ref: 01142FE1
        • Part of subcall function 01142F9F: RegGetValueW.ADVAPI32(?,00000000,?,20000002,?,?,00000208), ref: 01143011
      Strings
      • edge, xrefs: 0112EF3A
      • SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe, xrefs: 0112F0F7
      • edge_chrome, xrefs: 0112F2AB
      • version, xrefs: 0112F32B
      • AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y, xrefs: 0112EFB2
      • FriendlyTypeName, xrefs: 0112F01B
      • AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv, xrefs: 0112EF6E
      • Software\Microsoft\Edge\BlBeacon, xrefs: 0112F2E1
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_OpenValuememcmpmemset
      • String ID: AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv$AppX7rm9drdg8sk7vqndwj3sdjw11x96jc0y$FriendlyTypeName$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe$Software\Microsoft\Edge\BlBeacon$edge$edge_chrome$version
      • API String ID: 4180142445-4239074135
      • Opcode ID: 46ba38e1a3a9d546a62bf86eb202dbbe34968929795f97dfb26e3401328c37ab
      • Instruction ID: e1c8570f2c61dea8abb7d1bb9a4f3da52eb1c87c0dfa16798a5a88c3acc054e6
      • Opcode Fuzzy Hash: 46ba38e1a3a9d546a62bf86eb202dbbe34968929795f97dfb26e3401328c37ab
      • Instruction Fuzzy Hash: 72D14D71D1126E9BDF18EFE8C850AEDFBB4BF64708F50815AD419B7240EB706A4ACB41
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E01142060(void* __ebx, intOrPtr __ecx, void* __edi) {
      				void* _t21;
      				int _t22;
      				void* _t29;
      				int _t34;
      				intOrPtr _t35;
      				signed int _t42;
      				void* _t46;
      
      				_t35 = __ecx;
      				E01143D91(E01149C64, __ebx, __edi, 0x250);
      				_t44 = _t35;
      				 *((intOrPtr*)(_t46 - 0x244)) = _t35;
      				_t42 = 0;
      				_t21 = CreateToolhelp32Snapshot(0xf, 0);
      				 *(_t46 - 0x240) = _t21;
      				_push(_t46 - 0x23c);
      				 *(_t46 - 0x23c) = 0x22c;
      				_t22 = Process32FirstW(_t21);
      				_t34 = 0;
      				if(_t22 != 0) {
      					while(1) {
      						 *(_t46 - 0x24c) = _t42;
      						 *((short*)(_t46 - 0x25c)) = 0;
      						 *((intOrPtr*)(_t46 - 0x248)) = 7;
      						E0112BA2B(_t46 - 0x218);
      						 *(_t46 - 4) = _t42;
      						_t29 = E0113FA6A(_t46 - 0x25c, _t44);
      						 *(_t46 - 4) =  *(_t46 - 4) | 0xffffffff;
      						E01129A96(_t46 - 0x25c);
      						if(_t29 == 0) {
      							goto L3;
      						}
      						_t34 = _t34 + 1;
      						if(_t34 > 1) {
      							_t42 = 1;
      						} else {
      							goto L3;
      						}
      						goto L6;
      						L3:
      						if(Process32NextW( *(_t46 - 0x240), _t46 - 0x23c) != 0) {
      							_t44 =  *((intOrPtr*)(_t46 - 0x244));
      							continue;
      						}
      						goto L6;
      					}
      				}
      				L6:
      				CloseHandle( *(_t46 - 0x240));
      				return E01143D3B(_t42, _t34, _t42);
      			}











      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0114206A
      • CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000), ref: 0114207C
      • Process32FirstW.KERNEL32 ref: 0114209A
      • Process32NextW.KERNEL32(?,0000022C), ref: 01142109
      • CloseHandle.KERNEL32(?,?,?,00000000,?), ref: 01142124
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Process32$CloseCreateFirstH_prolog3_HandleNextSnapshotToolhelp32
      • String ID:
      • API String ID: 4130213905-0
      • Opcode ID: a60d55db32610f266c5476689a935de4f8e857e25c8b747db4f9dd5f3607560e
      • Instruction ID: 834a69f4dd6f8e49fd9f1fd82eb7c43319bb419ba46b16e469b02f68ad640a7c
      • Opcode Fuzzy Hash: a60d55db32610f266c5476689a935de4f8e857e25c8b747db4f9dd5f3607560e
      • Instruction Fuzzy Hash: 76113A78D0126A9BDB389B659C8CAADBBB4EF94B05F2441D5A92DA3240DB304E81CF14
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 98%
      			E01139394(signed int __ecx, signed int _a4, signed int _a8) {
      				signed int _v8;
      				signed int _v12;
      				signed int _v16;
      				signed int _v20;
      				signed int _v24;
      				signed int _v28;
      				signed int _v32;
      				signed int _v40;
      				signed int _t265;
      				signed int _t273;
      				signed int _t274;
      				signed int _t276;
      				signed int _t278;
      				signed int _t279;
      				signed int _t281;
      				char* _t283;
      				signed int _t284;
      				intOrPtr _t298;
      				signed int _t306;
      				signed int _t307;
      				signed int _t309;
      				signed int _t331;
      				signed int _t332;
      				signed int _t334;
      				signed int _t343;
      				signed int _t346;
      				signed int _t348;
      				signed int _t350;
      				char* _t351;
      				signed int _t353;
      				signed int _t354;
      				signed int _t355;
      				signed int _t358;
      				char* _t359;
      				signed int _t366;
      				signed int _t367;
      				signed int _t368;
      				signed int _t369;
      				char* _t370;
      				signed int _t371;
      				signed int _t376;
      				signed int _t377;
      				signed int _t378;
      				signed int _t379;
      				signed int _t380;
      				signed int _t383;
      				signed int _t384;
      				signed int _t385;
      				signed int _t388;
      				signed int _t403;
      				signed int _t416;
      				signed int _t417;
      				signed int _t418;
      				signed int _t424;
      				signed int _t425;
      				signed int _t426;
      				signed int _t427;
      				signed int _t428;
      				signed int _t430;
      				signed int _t432;
      				signed int _t433;
      				signed int _t434;
      
      				_t427 = _a8;
      				_t346 = __ecx;
      				_v8 = __ecx;
      				_t424 = _a4;
      				_t434 = _t427;
      				if(_t434 > 0 || _t434 >= 0 && _t424 >= 0x5f5e100) {
      					__eflags = _t427 - 0x2386f2;
      					if(__eflags > 0) {
      						L57:
      						_push(_t346);
      						_t265 = E01145290(_t424, _t427, 0x6fc10000, 0x2386f2);
      						_v32 = _t346;
      						_v28 = 0x2386f2;
      						_t348 = _t265;
      						_t358 = _v8;
      						_a8 = 0x5f5e100;
      						_t425 = 0x64;
      						_t388 = _t358 + 1;
      						_a8 = _t388;
      						__eflags = _t348 - 0xa;
      						if(_t348 >= 0xa) {
      							__eflags = _t348 - _t425;
      							if(_t348 >= _t425) {
      								_t428 = _t265 / _t425;
      								_t388 = _t348 % _t425;
      								_v40 = _t428;
      								__eflags = _t348 - 0x3e8;
      								if(_t348 >= 0x3e8) {
      									 *_t358 =  *((intOrPtr*)(_t428 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									_t359 = _a8;
      									 *_t359 =  *((intOrPtr*)(_t428 * 2 +  &M0114DD49));
      									 *((char*)(_t359 + 1)) =  *((intOrPtr*)(_t388 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									 *((char*)(_t359 + 2)) =  *((intOrPtr*)(_t388 * 2 +  &M0114DD49));
      									_t358 = _t359 + 3;
      									__eflags = _t358;
      								} else {
      									 *_t358 = _t428 + 0x30;
      									_t370 = _a8;
      									 *_t370 =  *((intOrPtr*)(_t388 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									 *((char*)(_t370 + 1)) =  *((intOrPtr*)(_t388 * 2 +  &M0114DD49));
      									_t358 = _t370 + 2;
      								}
      							} else {
      								 *_t358 =  *((intOrPtr*)(_t348 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      								_t371 = _t388;
      								 *_t371 =  *((intOrPtr*)(_t348 * 2 +  &M0114DD49));
      								_t358 = _t371 + 1;
      							}
      							_v8 = _t358;
      						} else {
      							_t348 = _t348 + 0x30;
      							_v8 = _t388;
      							 *_t358 = _t348;
      						}
      						_push(_t348);
      						_t273 = E01145290(_v28, _v32, 0x5f5e100, 0);
      						_a8 = _t348;
      						_a8 = _t388;
      						_t274 = _t273 / 0x2710;
      						_t350 = _t274 / _t425;
      						_a8 = _t274 % _t425;
      						_t276 = _t273 % 0x2710;
      						_v40 = _t276 / _t425;
      						_t278 = _t358;
      						_v32 = _t276 % _t425;
      						_t279 = _t278 / 0x2710;
      						_t430 = _t279 / _t425;
      						_v28 = _t279 % _t425;
      						_t281 = _t278 % 0x2710;
      						_t403 = _t281 % _t425;
      						_t426 = _t281 / _t425;
      						_t283 = _v8;
      						 *_t283 =  *((intOrPtr*)(_t350 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t284 = _t283 + 1;
      						_t351 = _t284;
      						_v8 = _t284;
      						 *_t351 =  *((intOrPtr*)(_t350 * 2 +  &M0114DD49));
      						_t366 = _a8;
      						 *((char*)(_t351 + 1)) =  *((intOrPtr*)(_t366 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t367 = _v40;
      						 *((char*)(_t351 + 2)) =  *((intOrPtr*)(_t366 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 3)) =  *((intOrPtr*)(_t367 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t368 = _v32;
      						 *((char*)(_t351 + 4)) =  *((intOrPtr*)(_t367 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 5)) =  *((intOrPtr*)(_t368 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t369 = _v28;
      						 *((char*)(_t351 + 6)) =  *((intOrPtr*)(_t368 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 7)) =  *((intOrPtr*)(_t430 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						 *((char*)(_t351 + 8)) =  *((intOrPtr*)(_t430 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 9)) =  *((intOrPtr*)(_t369 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						 *((char*)(_t351 + 0xa)) =  *((intOrPtr*)(_t369 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 0xb)) =  *((intOrPtr*)(_t426 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						 *((char*)(_t351 + 0xc)) =  *((intOrPtr*)(_t426 * 2 +  &M0114DD49));
      						 *((char*)(_t351 + 0xd)) =  *((intOrPtr*)(_t403 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t346 = _t351 + 0xe;
      						__eflags = _t346;
      						goto L66;
      					}
      					if(__eflags < 0) {
      						L25:
      						_push(_t346);
      						_t306 = E01145290(_t424, _t427, 0x5f5e100, 0);
      						_v40 = _t346;
      						_v40 = 0x5f5e100;
      						_t307 = _t306 / 0x2710;
      						_t353 = 0x64;
      						_v16 = _t307 % _t353;
      						_v12 = _t307 / _t353;
      						_t309 = _t306 % 0x2710;
      						_v24 = _t309 % _t353;
      						_v20 = _t309 / _t353;
      						_t432 = 0xe8 % _t353;
      						_v28 = 0xe8 / _t353;
      						_t376 = _a8;
      						_v40 = 0x2072 % _t353;
      						_v32 = 0x2072 / _t353;
      						__eflags = _t376 - 0x38d7e;
      						if(__eflags < 0) {
      							L29:
      							_t416 = _v12;
      							_t354 = _v8;
      							L30:
      							__eflags = _t376 - 0x5af3;
      							if(__eflags < 0) {
      								L34:
      								__eflags = _t376 - 0x918;
      								if(__eflags < 0) {
      									L38:
      									_t417 = _v16;
      									L39:
      									__eflags = _t376 - 0xe8;
      									if(__eflags < 0) {
      										L43:
      										__eflags = _t376 - 0x17;
      										if(__eflags < 0) {
      											L47:
      											_t418 = _v20;
      											L48:
      											__eflags = _t376 - 2;
      											if(__eflags < 0) {
      												L52:
      												__eflags = _t376;
      												if(_t376 != 0) {
      													L54:
      													_t377 = _v24;
      													 *_t354 =  *((intOrPtr*)(_t377 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      													_t354 = _t354 + 1;
      													L56:
      													_t378 = _v28;
      													 *_t354 =  *((intOrPtr*)(_t377 * 2 +  &M0114DD49));
      													 *(_t354 + 1) =  *((intOrPtr*)(_t378 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      													_t379 = _v32;
      													 *((char*)(_t354 + 2)) =  *((intOrPtr*)(_t378 * 2 +  &M0114DD49));
      													 *((char*)(_t354 + 3)) =  *((intOrPtr*)(_t432 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      													 *((char*)(_t354 + 4)) =  *((intOrPtr*)(_t432 * 2 +  &M0114DD49));
      													 *((char*)(_t354 + 5)) =  *((intOrPtr*)(_t379 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      													_t380 = _v40;
      													 *((char*)(_t354 + 6)) =  *((intOrPtr*)(_t379 * 2 +  &M0114DD49));
      													 *((char*)(_t354 + 7)) =  *((intOrPtr*)(_t380 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      													_t346 = _t354 + 8;
      													_t298 =  *((intOrPtr*)(_t380 * 2 +  &M0114DD49));
      													goto L67;
      												}
      												__eflags = _t424 - 0x3b9aca00;
      												if(_t424 < 0x3b9aca00) {
      													_t377 = _v24;
      													goto L56;
      												}
      												goto L54;
      											}
      											if(__eflags > 0) {
      												L51:
      												 *_t354 =  *((intOrPtr*)(_t418 * 2 +  &M0114DD49));
      												_t354 = _t354 + 1;
      												__eflags = _t354;
      												goto L52;
      											}
      											__eflags = _t424 - 0x540be400;
      											if(_t424 < 0x540be400) {
      												goto L52;
      											}
      											goto L51;
      										}
      										if(__eflags > 0) {
      											L46:
      											_t418 = _v20;
      											 *_t354 =  *((intOrPtr*)(_t418 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      											_t354 = _t354 + 1;
      											goto L48;
      										}
      										__eflags = _t424 - 0x4876e800;
      										if(_t424 < 0x4876e800) {
      											goto L47;
      										}
      										goto L46;
      									}
      									if(__eflags > 0) {
      										L42:
      										 *_t354 =  *((intOrPtr*)(_t417 * 2 +  &M0114DD49));
      										_t354 = _t354 + 1;
      										__eflags = _t354;
      										goto L43;
      									}
      									__eflags = _t424 - 0xd4a51000;
      									if(_t424 < 0xd4a51000) {
      										goto L43;
      									}
      									goto L42;
      								}
      								if(__eflags > 0) {
      									L37:
      									_t417 = _v16;
      									 *_t354 =  *((intOrPtr*)(_t417 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									_t354 = _t354 + 1;
      									goto L39;
      								}
      								__eflags = _t424 - 0x4e72a000;
      								if(_t424 < 0x4e72a000) {
      									goto L38;
      								}
      								goto L37;
      							}
      							if(__eflags > 0) {
      								L33:
      								 *_t354 =  *((intOrPtr*)(_t416 * 2 +  &M0114DD49));
      								_t354 = _t354 + 1;
      								__eflags = _t354;
      								goto L34;
      							}
      							__eflags = _t424 - 0x107a4000;
      							if(_t424 < 0x107a4000) {
      								goto L34;
      							}
      							goto L33;
      						}
      						if(__eflags > 0) {
      							L28:
      							_t416 = _v12;
      							_t355 = _v8;
      							 *_t355 =  *((intOrPtr*)(_t416 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      							_t354 = _t355 + 1;
      							goto L30;
      						}
      						__eflags = _t424 - 0xa4c68000;
      						if(_t424 < 0xa4c68000) {
      							goto L29;
      						}
      						goto L28;
      					}
      					__eflags = _t424 - 0x6fc10000;
      					if(_t424 >= 0x6fc10000) {
      						goto L57;
      					}
      					goto L25;
      				} else {
      					_t331 = _t424;
      					if(_t424 >= 0x2710) {
      						_t332 = _t331 / 0x2710;
      						_a8 = 0x64;
      						_v16 = _t332 % _a8;
      						_v20 = _t332 / _a8;
      						_t334 = _t331 % 0x2710;
      						_t403 = _t334 % _a8;
      						_a8 = _t334 / _a8;
      						__eflags = _t427;
      						if(_t427 != 0) {
      							L12:
      							_t383 = _v20;
      							 *_t346 =  *((intOrPtr*)(_t383 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      							_t346 = _t346 + 1;
      							L14:
      							__eflags = _t427;
      							if(_t427 != 0) {
      								L16:
      								 *_t346 =  *((intOrPtr*)(_t383 * 2 +  &M0114DD49));
      								_t346 = _t346 + 1;
      								__eflags = _t346;
      								L17:
      								__eflags = _t427;
      								if(_t427 != 0) {
      									L19:
      									_t384 = _v16;
      									 *_t346 =  *((intOrPtr*)(_t384 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									_t346 = _t346 + 1;
      									L21:
      									_t385 = _a8;
      									 *_t346 =  *((intOrPtr*)(_t384 * 2 +  &M0114DD49));
      									 *(_t346 + 1) =  *((intOrPtr*)(_t385 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									 *((char*)(_t346 + 2)) =  *((intOrPtr*)(_t385 * 2 +  &M0114DD49));
      									 *((char*)(_t346 + 3)) =  *((intOrPtr*)(_t403 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      									_t346 = _t346 + 4;
      									L66:
      									_t298 =  *((intOrPtr*)(_t403 * 2 +  &M0114DD49));
      									L67:
      									 *_t346 = _t298;
      									return _t346 + 1;
      								}
      								__eflags = _t424 - 0x186a0;
      								if(_t424 < 0x186a0) {
      									_t384 = _v16;
      									goto L21;
      								}
      								goto L19;
      							}
      							__eflags = _t424 - 0xf4240;
      							if(_t424 < 0xf4240) {
      								goto L17;
      							}
      							goto L16;
      						}
      						__eflags = _t424 - 0x989680;
      						if(_t424 < 0x989680) {
      							_t383 = _v20;
      							goto L14;
      						}
      						goto L12;
      					}
      					_t433 = 0x64;
      					_t343 = _t331 / _t433;
      					_t403 = _t331 % _t433;
      					if(_t424 >= 0x3e8) {
      						 *_t346 =  *((intOrPtr*)(_t343 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t346 = _t346 + 1;
      					}
      					if(_t424 >= _t433) {
      						 *_t346 =  *((intOrPtr*)(_t343 * 2 +  &M0114DD49));
      						_t346 = _t346 + 1;
      					}
      					if(_t424 >= 0xa) {
      						 *_t346 =  *((intOrPtr*)(_t403 * 2 + "00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899"));
      						_t346 = _t346 + 1;
      					}
      					goto L66;
      				}
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: __aulldvrm
      • String ID: d
      • API String ID: 1302938615-2564639436
      • Opcode ID: 4e23a88c7eb515550e0382415c5f5b82f20b3b17bf449f27eb0ae1294ee944fe
      • Instruction ID: 4d5a73c74e3a98aec5823ef449aaca81748d5d491446f704254eafa56ebbb9c1
      • Opcode Fuzzy Hash: 4e23a88c7eb515550e0382415c5f5b82f20b3b17bf449f27eb0ae1294ee944fe
      • Instruction Fuzzy Hash: B9E1742DA092C48FDF1ECF6DA0A01ED7FB25BEA614B0CC0BAC5E55B35AC6704951CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 89%
      			E0113C562(void* __ebx, intOrPtr __ecx) {
      				signed int _t219;
      				signed int _t220;
      				signed int* _t222;
      				signed int _t224;
      				signed int _t225;
      				signed int _t226;
      				char _t228;
      				unsigned int _t232;
      				char _t238;
      				void* _t250;
      				signed int _t257;
      				signed int _t260;
      				void* _t262;
      				void* _t263;
      				void* _t265;
      				void* _t271;
      				signed int _t274;
      				signed int _t279;
      				void* _t285;
      				signed int* _t287;
      				void* _t290;
      				intOrPtr _t291;
      				signed int _t294;
      				signed int _t295;
      				signed int _t296;
      				void* _t297;
      				intOrPtr _t298;
      				unsigned int* _t300;
      				intOrPtr _t301;
      				intOrPtr _t312;
      				signed int _t319;
      				signed int _t320;
      				void* _t321;
      				intOrPtr _t328;
      				void* _t329;
      				signed int _t330;
      				signed int _t332;
      				void* _t333;
      				intOrPtr _t335;
      				signed int _t337;
      				signed int _t339;
      				signed int _t340;
      				signed int _t342;
      				signed int _t349;
      				signed int _t350;
      				signed int _t351;
      				signed int _t352;
      				signed int _t353;
      				intOrPtr _t354;
      				intOrPtr _t356;
      				intOrPtr _t357;
      				signed int _t359;
      				signed int _t360;
      				signed int _t367;
      				signed int _t368;
      				signed int _t369;
      				signed int _t370;
      				signed int _t372;
      				void* _t374;
      				void* _t382;
      				void* _t420;
      
      				_t285 = __ebx;
      				_push(8);
      				_push(0x50);
      				E01144F9D(E01149067, __ebx, __ecx);
      				_t328 = __ecx;
      				 *((intOrPtr*)(_t374 - 0x54)) = __ecx;
      				_t287 =  *(__ebx + 8);
      				 *((intOrPtr*)(_t374 - 0x50)) =  *((intOrPtr*)(__ebx + 0xc));
      				 *(_t374 - 0x18) = _t287;
      				_t219 = _t287[1];
      				_t367 =  *_t287;
      				 *(_t374 - 0x3c) = _t219;
      				 *(_t374 - 0x1c) = _t219;
      				 *(_t374 - 4) =  *(_t374 - 4) & 0x00000000;
      				asm("xorps xmm1, xmm1");
      				 *((intOrPtr*)(_t374 - 0x5c)) = _t367 - _t219;
      				if( *_t367 != 0x2d) {
      					 *((char*)(_t374 - 0x23)) = 0;
      				} else {
      					_t367 = _t367 + 1;
      					 *((char*)(_t374 - 0x23)) = 1;
      				}
      				_t220 = _t367;
      				 *((char*)(_t374 - 0x22)) = 0;
      				_t349 = 0;
      				asm("xorps xmm0, xmm0");
      				asm("movlpd [ebp-0x48], xmm0");
      				 *((intOrPtr*)(_t374 - 0x34)) = 0;
      				_t290 =  *_t220;
      				if(_t290 != 0x30) {
      					__eflags = _t290 - 0x31;
      					if(_t290 < 0x31) {
      						L135:
      						_push(3);
      						goto L136;
      					}
      					__eflags = _t290 - 0x39;
      					if(_t290 > 0x39) {
      						goto L135;
      					}
      					_t368 = _t220 + 1;
      					_t329 =  *_t368;
      					_t294 = _t290 - 0x30;
      					__eflags =  *((char*)(_t374 - 0x23));
      					_t224 = _t368;
      					 *(_t374 - 0x30) = _t368;
      					 *(_t374 - 0x20) = _t368;
      					 *(_t374 - 0x38) = _t294;
      					if( *((char*)(_t374 - 0x23)) == 0) {
      						__eflags = _t329 - 0x30;
      						if(_t329 < 0x30) {
      							goto L6;
      						}
      						_t224 = _t368;
      						while(1) {
      							__eflags = _t329 - 0x39;
      							if(_t329 > 0x39) {
      								goto L6;
      							}
      							__eflags = _t294 - 0x19999999;
      							if(__eflags < 0) {
      								L39:
      								_t368 = _t224 + 1;
      								_t329 =  *_t368;
      								 *(_t374 - 0x30) = _t368;
      								 *(_t374 - 0x20) = _t368;
      								_t294 = _t294 * 0xa +  *_t224 + 0xffffffd0;
      								_t349 = _t349 + 1;
      								 *(_t374 - 0x38) = _t294;
      								_t224 = _t368;
      								 *((intOrPtr*)(_t374 - 0x34)) = _t349;
      								__eflags = _t329 - 0x30;
      								if(_t329 >= 0x30) {
      									continue;
      								}
      								goto L5;
      							}
      							if(__eflags != 0) {
      								L41:
      								_t330 = _t294;
      								 *((char*)(_t374 - 0x22)) = 1;
      								_t295 = 0;
      								goto L7;
      							}
      							__eflags = _t329 - 0x35;
      							if(_t329 > 0x35) {
      								goto L41;
      							}
      							goto L39;
      						}
      						goto L6;
      					}
      					__eflags = _t329 - 0x30;
      					if(_t329 < 0x30) {
      						L30:
      						 *(_t374 - 0x2c) =  *(_t374 - 0x44);
      						_t294 =  *(_t374 - 0x48);
      						L31:
      						 *(_t374 - 0x28) = _t294;
      						_t295 =  *(_t374 - 0x2c);
      						goto L8;
      					} else {
      						goto L25;
      					}
      					while(1) {
      						L25:
      						__eflags = _t329 - 0x39;
      						if(_t329 > 0x39) {
      							goto L30;
      						}
      						__eflags = _t294 - 0xccccccc;
      						if(__eflags < 0) {
      							L29:
      							_t368 = _t224 + 1;
      							_t329 =  *_t368;
      							 *(_t374 - 0x30) = _t368;
      							 *(_t374 - 0x20) = _t368;
      							_t294 = _t294 * 0xa +  *_t224 + 0xffffffd0;
      							_t349 = _t349 + 1;
      							 *(_t374 - 0x38) = _t294;
      							_t224 = _t368;
      							 *((intOrPtr*)(_t374 - 0x34)) = _t349;
      							__eflags = _t329 - 0x30;
      							if(_t329 >= 0x30) {
      								continue;
      							}
      							goto L30;
      						}
      						if(__eflags != 0) {
      							L32:
      							 *(_t374 - 0x2c) =  *(_t374 - 0x2c) & 0x00000000;
      							 *((char*)(_t374 - 0x22)) = 1;
      							goto L31;
      						}
      						__eflags = _t329 - 0x38;
      						if(_t329 > 0x38) {
      							goto L32;
      						}
      						goto L29;
      					}
      					goto L30;
      				} else {
      					 *(_t374 - 0x38) =  *(_t374 - 0x38) & 0;
      					_t368 = _t220 + 1;
      					 *(_t374 - 0x30) = _t368;
      					 *(_t374 - 0x20) = _t368;
      					L5:
      					_t224 = _t368;
      					L6:
      					_t295 =  *(_t374 - 0x44);
      					_t330 =  *(_t374 - 0x48);
      					L7:
      					 *(_t374 - 0x28) = _t330;
      					 *(_t374 - 0x2c) = _t295;
      					L8:
      					_t351 = _t224;
      					 *((char*)(_t374 - 0x21)) = 0;
      					 *(_t374 - 0x44) = 0xa;
      					if( *((char*)(_t374 - 0x22)) == 0) {
      						L54:
      						_t225 = _t351;
      						if( *((intOrPtr*)(_t374 - 0x21)) == 0 ||  *_t351 < 0x30) {
      							L59:
      							 *(_t374 - 0x4c) =  *(_t374 - 0x4c) & 0x00000000;
      							if( *_t225 != 0x2e) {
      								_t367 =  *(_t374 - 0x30);
      								_t352 =  *(_t374 - 0x38);
      								L74:
      								_t332 =  *_t225;
      								_t296 = 0;
      								if(_t332 == 0x65 || _t332 == 0x45) {
      									_t367 = _t225 + 1;
      									 *(_t374 - 0x30) = _t367;
      									if(_t332 == 0) {
      										if( *((intOrPtr*)(_t374 - 0x22)) == _t296) {
      											_t337 = 0;
      											__eflags = 0;
      										} else {
      											_t352 =  *(_t374 - 0x28);
      											_t337 =  *(_t374 - 0x2c);
      										}
      										E011455D0(_t225, _t352, _t337);
      										asm("movaps xmm1, xmm0");
      										 *((char*)(_t374 - 0x21)) = 1;
      									}
      									_t226 =  *(_t374 - 0x30);
      									_t333 = 0;
      									_t297 =  *_t226;
      									if(_t297 == 0x2b) {
      										L86:
      										_t367 = _t226 + 1;
      										_t297 =  *_t367;
      										_t226 = _t367;
      										goto L87;
      									} else {
      										if(_t297 != 0x2d) {
      											L87:
      											if(_t297 < 0x30 || _t297 > 0x39) {
      												_t298 =  *((intOrPtr*)(_t374 - 0x54));
      												_t350 =  *(_t374 - 0x3c);
      												 *((intOrPtr*)(_t298 + 0x18)) = 0xf;
      												 *((intOrPtr*)(_t298 + 0x1c)) = _t226 - _t350;
      												goto L112;
      											} else {
      												_t367 = _t226 + 1;
      												_t228 =  *_t367;
      												_t296 = _t297 - 0x30;
      												 *(_t374 - 0x20) = _t367;
      												 *((char*)(_t374 - 0x24)) = _t228;
      												if(_t333 == 0) {
      													_t353 =  *(_t374 - 0x4c);
      													_t332 = 0x134 - _t353;
      													__eflags = _t228 - 0x30;
      													if(_t228 < 0x30) {
      														goto L102;
      													}
      													_t257 = _t367;
      													while(1) {
      														__eflags =  *_t367 - 0x39;
      														if( *_t367 > 0x39) {
      															goto L102;
      														}
      														_t367 = _t257 + 1;
      														 *(_t374 - 0x20) = _t367;
      														_t296 = 0xffffffd0 + _t296 * 0xa +  *_t257;
      														__eflags = _t296 - _t332;
      														if(_t296 > _t332) {
      															goto L119;
      														}
      														__eflags =  *_t367 - 0x30;
      														_t257 = _t367;
      														if( *_t367 >= 0x30) {
      															continue;
      														}
      														goto L102;
      													}
      													goto L102;
      												}
      												_t260 =  *(_t374 - 0x4c) + 0x7ffffff7;
      												asm("cdq");
      												_t332 = _t260 %  *(_t374 - 0x44);
      												_t359 = _t260 /  *(_t374 - 0x44);
      												 *(_t374 - 0x44) = _t359;
      												if( *((char*)(_t374 - 0x24)) < 0x30) {
      													L100:
      													_t296 =  ~_t296;
      													goto L101;
      												}
      												_t332 = _t367;
      												while( *_t367 <= 0x39) {
      													_t262 =  *_t332;
      													_t367 = _t332 + 1;
      													_t332 = _t367;
      													 *(_t374 - 0x20) = _t367;
      													_t296 = 0xffffffd0 + _t296 * 0xa + _t262;
      													if(_t296 <= _t359) {
      														L99:
      														if( *_t367 >= 0x30) {
      															continue;
      														}
      														goto L100;
      													}
      													_t263 =  *_t367;
      													if(_t263 < 0x30) {
      														goto L99;
      													}
      													_t360 = _t367;
      													while(1) {
      														_t332 = _t360;
      														if(_t263 > 0x39) {
      															break;
      														}
      														_t367 = _t360 + 1;
      														_t263 =  *_t367;
      														_t360 = _t367;
      														 *(_t374 - 0x20) = _t367;
      														_t332 = _t367;
      														if(_t263 >= 0x30) {
      															continue;
      														}
      														break;
      													}
      													_t359 =  *(_t374 - 0x44);
      													goto L99;
      												}
      												goto L100;
      											}
      										}
      										_t333 = 1;
      										goto L86;
      									}
      								} else {
      									L101:
      									_t353 =  *(_t374 - 0x4c);
      									L102:
      									if( *((char*)(_t374 - 0x21)) == 0) {
      										__eflags =  *((char*)(_t374 - 0x22));
      										if( *((char*)(_t374 - 0x22)) == 0) {
      											__eflags =  *((char*)(_t374 - 0x23));
      											if( *((char*)(_t374 - 0x23)) == 0) {
      												_t354 =  *((intOrPtr*)(_t374 - 0x50));
      												_t300 =  *(_t354 + 0x24);
      												_t229 =  &(_t300[4]);
      												__eflags =  &(_t300[4]) -  *((intOrPtr*)(_t354 + 0x28));
      												if( &(_t300[4]) >  *((intOrPtr*)(_t354 + 0x28))) {
      													E0113CFD2(_t229, _t354 + 0x18, _t300);
      													_t300 =  *(_t354 + 0x24);
      												}
      												 *(_t354 + 0x24) =  &(_t300[4]);
      												asm("stosd");
      												asm("stosd");
      												asm("stosd");
      												asm("stosd");
      												_t232 =  *(_t374 - 0x38);
      												_t300[1] = _t300[1] & 0x00000000;
      												 *_t300 = _t232;
      												_t300[3] =  !(_t232 >> 0x1a) & 0x00000020 | 0x000001d6;
      												_t238 = 1;
      												__eflags = 1;
      											} else {
      												_t238 = E0113CD78( *((intOrPtr*)(_t374 - 0x50)), _t332,  !( *(_t374 - 0x38)) + 1);
      											}
      											L133:
      											__eflags = _t238;
      											if(_t238 != 0) {
      												L111:
      												_t350 =  *(_t374 - 0x3c);
      												L112:
      												_t222 =  *(_t285 + 8);
      												 *_t222 = _t367;
      												_t222[1] = _t350;
      												return E01144F78(_t222, _t285,  *((intOrPtr*)(_t374 - 0x14)));
      											}
      											_t301 =  *((intOrPtr*)(_t374 - 0x54));
      											 *((intOrPtr*)(_t301 + 0x18)) = 0x10;
      											L120:
      											 *((intOrPtr*)(_t301 + 0x1c)) =  *((intOrPtr*)(_t374 - 0x5c));
      											goto L111;
      										}
      										__eflags =  *((char*)(_t374 - 0x23));
      										if( *((char*)(_t374 - 0x23)) == 0) {
      											_t238 = E0113CCF7( *((intOrPtr*)(_t374 - 0x50)),  *(_t374 - 0x28),  *(_t374 - 0x2c));
      											goto L133;
      										}
      										_t356 =  *((intOrPtr*)(_t374 - 0x50));
      										_t335 =  *((intOrPtr*)(_t356 + 0x24));
      										_t244 = _t335 + 0x10;
      										__eflags = _t335 + 0x10 -  *((intOrPtr*)(_t356 + 0x28));
      										if(_t335 + 0x10 >  *((intOrPtr*)(_t356 + 0x28))) {
      											E0113CFD2(_t244, _t356 + 0x18, _t296);
      											_t335 =  *((intOrPtr*)(_t356 + 0x24));
      										}
      										 *((intOrPtr*)(_t356 + 0x24)) = _t335 + 0x10;
      										asm("adc eax, 0x0");
      										E0113B9E0(_t335,  !( *(_t374 - 0x28)) + 1,  !( *(_t374 - 0x2c)));
      										goto L111;
      									}
      									_t250 = _t296 + _t353;
      									_t420 = _t250 - 0xfffffecc;
      									if(_t420 < 0) {
      										asm("divsd xmm1, [0x114f910]");
      									}
      									asm("movaps xmm0, xmm1");
      									_t311 =  >=  ? _t250 : _t250 + 0x134;
      									E011391D0(_t250,  >=  ? _t250 : _t250 + 0x134);
      									asm("comisd xmm0, [0x114f918]");
      									if(_t420 > 0) {
      										L119:
      										_t301 =  *((intOrPtr*)(_t374 - 0x54));
      										 *((intOrPtr*)(_t301 + 0x18)) = 0xd;
      										goto L120;
      									} else {
      										if( *((char*)(_t374 - 0x23)) != 0) {
      											asm("xorps xmm0, [0x114f940]");
      										}
      										_t357 =  *((intOrPtr*)(_t374 - 0x50));
      										asm("movsd [ebp-0x60], xmm0");
      										_t312 =  *((intOrPtr*)(_t357 + 0x24));
      										_t252 = _t312 + 0x10;
      										if(_t312 + 0x10 >  *((intOrPtr*)(_t357 + 0x28))) {
      											E0113CFD2(_t252, _t357 + 0x18, _t312);
      											_t312 =  *((intOrPtr*)(_t357 + 0x24));
      											asm("movsd xmm0, [ebp-0x60]");
      										}
      										 *((intOrPtr*)(_t357 + 0x24)) = _t312 + 0x10;
      										asm("stosd");
      										asm("stosd");
      										asm("stosd");
      										asm("stosd");
      										asm("movsd [ecx], xmm0");
      										 *((short*)(_t312 + 0xe)) = 0x216;
      										goto L111;
      									}
      								}
      							}
      							_t367 = _t225 + 1;
      							_t265 =  *_t367;
      							 *(_t374 - 0x20) = _t367;
      							if(_t265 < 0x30 || _t265 > 0x39) {
      								_t328 =  *((intOrPtr*)(_t374 - 0x54));
      								_t220 = _t367;
      								_push(0xe);
      								L136:
      								_t350 =  *(_t374 - 0x3c);
      								_pop(_t291);
      								 *((intOrPtr*)(_t328 + 0x18)) = _t291;
      								 *((intOrPtr*)(_t328 + 0x1c)) = _t220 - _t350;
      								goto L112;
      							} else {
      								_t352 =  *(_t374 - 0x38);
      								if( *((char*)(_t374 - 0x21)) == 0) {
      									if( *((char*)(_t374 - 0x22)) == 0) {
      										_t320 = _t352;
      										_t340 = 0;
      										__eflags = 0;
      									} else {
      										_t320 =  *(_t374 - 0x28);
      										_t340 =  *(_t374 - 0x2c);
      									}
      									E011455D0(_t265, _t320, _t340);
      									asm("movaps xmm1, xmm0");
      									 *((char*)(_t374 - 0x21)) = 1;
      								}
      								_t319 = _t367;
      								do {
      									_t225 = _t319;
      									if( *_t367 > 0x39) {
      										break;
      									}
      									_t339 = _t319 + 1;
      									_t367 = _t339;
      									 *(_t374 - 0x20) = _t367;
      									if( *((intOrPtr*)(_t374 - 0x34)) < 0x11) {
      										asm("mulsd xmm1, [0x114f8e8]");
      										_t119 = _t374 - 0x4c;
      										 *_t119 =  *(_t374 - 0x4c) - 1;
      										asm("movd xmm0, eax");
      										asm("cvtdq2pd xmm0, xmm0");
      										asm("addsd xmm1, xmm0");
      										asm("comisd xmm1, [0x114f8c8]");
      										if( *_t119 > 0) {
      											 *((intOrPtr*)(_t374 - 0x34)) =  *((intOrPtr*)(_t374 - 0x34)) + 1;
      										}
      									}
      									_t319 = _t339;
      									_t225 = _t319;
      								} while ( *_t367 >= 0x30);
      								goto L74;
      							}
      						} else {
      							_t321 =  *_t368;
      							while(1) {
      								_t225 = _t351;
      								if(_t321 > 0x39) {
      									goto L59;
      								}
      								_t369 = _t351 + 1;
      								asm("mulsd xmm1, [0x114f8e8]");
      								_t321 =  *_t369;
      								_t351 = _t369;
      								 *(_t374 - 0x30) = _t369;
      								 *(_t374 - 0x20) = _t369;
      								asm("movd xmm0, eax");
      								_t225 = _t369;
      								asm("cvtdq2pd xmm0, xmm0");
      								asm("addsd xmm1, xmm0");
      								if(_t321 >= 0x30) {
      									continue;
      								}
      								goto L59;
      							}
      							goto L59;
      						}
      					}
      					 *((char*)(_t374 - 0x24)) =  *_t224;
      					_t342 =  *(_t374 - 0x28);
      					if( *((char*)(_t374 - 0x23)) == 0) {
      						__eflags =  *((char*)(_t374 - 0x24)) - 0x30;
      						if( *((char*)(_t374 - 0x24)) < 0x30) {
      							goto L54;
      						}
      						_t351 = _t224;
      						_t271 =  *_t368;
      						while(1) {
      							__eflags = _t271 - 0x39;
      							if(_t271 > 0x39) {
      								goto L54;
      							}
      							__eflags = _t295 - 0x19999999;
      							if(__eflags < 0) {
      								L51:
      								_t370 = _t351 + 1;
      								 *(_t374 - 0x30) = _t370;
      								_t274 =  *(_t374 - 0x28);
      								 *(_t374 - 0x20) = _t370;
      								_t295 = _t295 *  *(_t374 - 0x44) + (_t274 *  *(_t374 - 0x44) >> 0x20);
      								_t342 =  *_t351 - 0x30 + _t274 *  *(_t374 - 0x44);
      								asm("adc ecx, esi");
      								 *(_t374 - 0x28) = _t342;
      								_t368 =  *(_t374 - 0x30);
      								_t351 = _t368;
      								 *((intOrPtr*)(_t374 - 0x34)) =  *((intOrPtr*)(_t374 - 0x34)) + 1;
      								 *(_t374 - 0x2c) = _t295;
      								_t271 =  *_t368;
      								__eflags = _t271 - 0x30;
      								if(_t271 >= 0x30) {
      									continue;
      								}
      								goto L54;
      							}
      							if(__eflags > 0) {
      								L48:
      								__eflags = _t342 - 0x99999999;
      								if(_t342 != 0x99999999) {
      									L53:
      									E011455D0(_t271,  *(_t374 - 0x28), _t295);
      									 *((char*)(_t374 - 0x21)) = 1;
      									asm("movaps xmm1, xmm0");
      									goto L54;
      								}
      								__eflags = _t295 - 0x19999999;
      								if(_t295 != 0x19999999) {
      									goto L53;
      								}
      								__eflags = _t271 - 0x35;
      								if(_t271 > 0x35) {
      									goto L53;
      								}
      								goto L51;
      							}
      							__eflags = _t342 - 0x99999999;
      							if(_t342 < 0x99999999) {
      								goto L51;
      							}
      							goto L48;
      						}
      						goto L54;
      					}
      					if( *((char*)(_t374 - 0x24)) < 0x30) {
      						goto L54;
      					}
      					_t271 =  *_t368;
      					while(_t271 <= 0x39) {
      						_t382 = _t295 - 0xccccccc;
      						if(_t382 < 0 || _t382 <= 0 && _t342 < 0xcccccccc || _t342 == 0xcccccccc && _t295 == 0xccccccc && _t271 <= 0x38) {
      							_t372 = _t351 + 1;
      							 *(_t374 - 0x30) = _t372;
      							_t279 =  *(_t374 - 0x28);
      							 *(_t374 - 0x20) = _t372;
      							_t295 = _t295 *  *(_t374 - 0x44) + (_t279 *  *(_t374 - 0x44) >> 0x20);
      							_t342 =  *_t351 - 0x30 + _t279 *  *(_t374 - 0x44);
      							asm("adc ecx, esi");
      							 *(_t374 - 0x28) = _t342;
      							_t368 =  *(_t374 - 0x30);
      							_t351 = _t368;
      							 *((intOrPtr*)(_t374 - 0x34)) =  *((intOrPtr*)(_t374 - 0x34)) + 1;
      							 *(_t374 - 0x2c) = _t295;
      							_t271 =  *_t368;
      							if(_t271 >= 0x30) {
      								continue;
      							}
      							goto L54;
      						} else {
      							goto L53;
      						}
      					}
      					goto L54;
      				}
      			}

      APIs
      • __EH_prolog3_GS_align.LIBCMT ref: 0113C56B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_S_align
      • String ID: 0
      • API String ID: 2882963835-4108050209
      • Opcode ID: c73df6eda8c9134ece1ba2268bdcaa4589fe372ea249346b6b864eebd08bc114
      • Instruction ID: 8b654dd209735cdb88a89e1b4b67f6b4a489c3542c3dd02e1aa388cf85ed6a4e
      • Opcode Fuzzy Hash: c73df6eda8c9134ece1ba2268bdcaa4589fe372ea249346b6b864eebd08bc114
      • Instruction Fuzzy Hash: BF228875E046998FDB1ECFA8C4543ECBBB2AF89314F28414BD481B7259D734A886CBC4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E01135533(void* __ebx, signed int* __ecx, void* __edi) {
      				signed int _t160;
      				signed char _t162;
      				signed int* _t164;
      				signed int _t165;
      				signed int* _t169;
      				signed int _t170;
      				void* _t171;
      
      				_t164 = __ecx;
      				E01143D91(E0114831A, __ebx, __edi, 0x30);
      				_t169 = _t164;
      				 *(_t171 - 0x34) = _t169;
      				_t165 = _t169[0x1f];
      				_t170 =  *(_t171 + 8);
      				 *(_t171 - 0x2c) = _t170;
      				if(_t165 > 0) {
      					_t165 = _t165 - 1;
      					_t169[0x1f] = _t165;
      					if(_t165 <= 0) {
      						_push(0xc);
      						L3:
      						__imp__?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z();
      					}
      				}
      				_t157 = _t169[0x1e];
      				if(_t157 > 0) {
      					_t157 = _t157 - 1;
      					_t169[0x1e] = _t157;
      					if(_t157 <= 0) {
      						_push(0xb);
      						goto L3;
      					}
      				}
      				_t162 = 0;
      				 *(_t171 - 0x28) = 0;
      				__eflags = _t170;
      				if(_t170 != 0) {
      					while(1) {
      						L8:
      						_t165 =  *(_t170 + 4);
      						_t160 = _t165 - 1;
      						__eflags = _t160 - 0x14;
      						if(__eflags > 0) {
      							break;
      						}
      						switch( *((intOrPtr*)(_t160 * 4 +  &M011358DB))) {
      							case 0:
      								L49:
      								__eflags = _t162;
      								if(_t162 != 0) {
      									goto L83;
      								} else {
      									goto L50;
      								}
      								goto L84;
      							case 1:
      								__eflags = _t169[0x18] & 0x00000100;
      								if((_t169[0x18] & 0x00000100) != 0) {
      									L14:
      									_t157 =  *_t169;
      									__eflags =  *((char*)( *_t169 - 1)) - 0xa;
      									goto L15;
      								} else {
      									_t157 =  *_t169;
      									__eflags = _t157 - _t169[0x13];
      									if(_t157 != _t169[0x13]) {
      										goto L14;
      									} else {
      										_t163 = _t169[0x18];
      										goto L13;
      									}
      								}
      								goto L16;
      							case 2:
      								__eax =  *__edi;
      								__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
      								if(__eax !=  *((intOrPtr*)(__edi + 0x50))) {
      									__eflags =  *__eax - 0xa;
      									L15:
      									_t20 = __eflags != 0;
      									__eflags = _t20;
      									_t162 = _t162 & 0xffffff00 | _t20;
      								} else {
      									__ebx =  *(__edi + 0x60);
      									__ebx =  *(__edi + 0x60) >> 1;
      									L13:
      									_t162 = _t163 & 1;
      								}
      								goto L16;
      							case 3:
      								__eax =  *(__edi + 0x60);
      								__eflags = __eax & 0x00000100;
      								if((__eax & 0x00000100) != 0) {
      									L26:
      									__ecx =  *__edi;
      									__eflags = __ecx -  *((intOrPtr*)(__edi + 0x50));
      									if(__ecx !=  *((intOrPtr*)(__edi + 0x50))) {
      										_t40 = __ecx - 1; // 0xb04d8d00
      										__eax =  *_t40 & 0x000000ff;
      										__edx = 0;
      										__ecx =  *__ecx & 0x000000ff;
      										__al =  *((intOrPtr*)(( *_t40 & 0x000000ff) + 0x114bf98));
      										__eflags = __al -  *((intOrPtr*)(__ecx + 0x114bf98));
      										_t44 = __al !=  *((intOrPtr*)(__ecx + 0x114bf98));
      										__eflags = _t44;
      										__edx = 0 | _t44;
      									} else {
      										__eflags = __al & 0x00000008;
      										if((__al & 0x00000008) != 0) {
      											goto L30;
      										} else {
      											_t38 = __ecx - 1; // 0xb04d8d00
      											__eax =  *_t38 & 0x000000ff;
      											goto L29;
      										}
      									}
      								} else {
      									__ecx =  *__edi;
      									__eflags = __ecx -  *(__edi + 0x4c);
      									if(__ecx !=  *(__edi + 0x4c)) {
      										goto L26;
      									} else {
      										__eflags = __ecx -  *((intOrPtr*)(__edi + 0x50));
      										if(__ecx !=  *((intOrPtr*)(__edi + 0x50))) {
      											__eflags = __al & 0x00000004;
      											if((__al & 0x00000004) != 0) {
      												L30:
      												__edx = 0;
      											} else {
      												__eax =  *__ecx & 0x000000ff;
      												L29:
      												__eflags =  *((char*)(__eax + 0x114bf98));
      												if( *((char*)(__eax + 0x114bf98)) == 0) {
      													goto L30;
      												}
      											}
      										} else {
      											_push(0);
      											__eflags = __al & 0x0000000c;
      											_pop(__edx);
      											__edx = __edx & 0xffffff00 | (__al & 0x0000000c) == 0x00000000;
      										}
      									}
      								}
      								__eax =  *(__esi + 8);
      								__ecx = 0;
      								__ecx = 1;
      								__eax =  *(__esi + 8) & 1;
      								__eflags = __edx - __eax;
      								__ebx = __ebx & 0xffffff00 | __edx == __eax;
      								goto L16;
      							case 4:
      								__eax =  *__edi;
      								__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
      								if(__eax ==  *((intOrPtr*)(__edi + 0x50))) {
      									L38:
      									__bl = __dl;
      									goto L16;
      								} else {
      									__cl =  *__eax;
      									__eflags = __cl - 0xa;
      									if(__cl == 0xa) {
      										goto L38;
      									} else {
      										__eflags = __cl - 0xd;
      										if(__cl == 0xd) {
      											goto L38;
      										} else {
      											__eax = __eax + 1;
      											__eflags = __eax;
      											goto L37;
      										}
      									}
      								}
      								goto L49;
      							case 5:
      								__eax =  *(__esi + 0x18);
      								__ecx = __ebp - 0x38;
      								__edx =  *(__esi + 0x1c);
      								__eax =  *(__esi + 0x18) + __edx;
      								__eax = E01135D74(__ebx, __ecx, __edx, __edi, __esi,  *__edi,  *((intOrPtr*)(__edi + 0x50)),  *(__esi + 0x18) + __edx,  *(__edi + 0x70),  *((intOrPtr*)(__edi + 0x5c)));
      								__eax =  *__eax;
      								__eflags = __eax -  *__edi;
      								if(__eax !=  *__edi) {
      									L37:
      									 *__edi = __eax;
      								} else {
      									__eax = 0;
      									_t55 = __eax + 1; // 0x1
      									__ebx = _t55;
      									L16:
      									 *(_t171 - 0x28) = _t162;
      								}
      								goto L49;
      							case 6:
      								__eax =  *__edi;
      								__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
      								if(__eax ==  *((intOrPtr*)(__edi + 0x50))) {
      									L81:
      									__bl = __dl;
      									goto L83;
      								} else {
      									__ecx = __edi;
      									__eax = E01135BA6(__ebx, __ecx, __edi, __esi, __esi);
      									__eflags = __al;
      									if(__al == 0) {
      										0 = 1;
      										__eflags = 1;
      										goto L81;
      									} else {
      										__bl = 0;
      										 *(__ebp - 0x28) = __ebx;
      										L50:
      										__eflags = _t170;
      										if(_t170 == 0) {
      											goto L83;
      										} else {
      											_t170 =  *(_t170 + 0xc);
      											 *(_t171 - 0x2c) = _t170;
      											__eflags = _t170;
      											if(_t170 == 0) {
      												goto L83;
      											} else {
      												goto L8;
      											}
      										}
      									}
      								}
      								goto L84;
      							case 7:
      								__esi =  *__edi;
      								__eflags = __ecx - 0xb;
      								__edi = __ebp - 0x24;
      								__ebx = __ebx & 0xffffff00 | __ecx == 0x0000000b;
      								__ecx = __ebp - 0x20;
      								__eax = 0;
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								__edi =  *(__ebp - 0x34);
      								 *(__ebp - 0x24) = __esi;
      								_t64 = __edi + 4; // 0x104
      								_t64 = E01127A41(__ebp - 0x20, _t64);
      								__eax =  *(__ebp - 0x2c);
      								__ecx = __edi;
      								 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
      								__eax = E01135533(__ebx, __edi, __edi,  *((intOrPtr*)( *(__ebp - 0x2c) + 0x14)));
      								__eflags = __al - __bl;
      								if(__al != __bl) {
      									__ebx =  *(__ebp - 0x28);
      									 *__edi = __esi;
      								} else {
      									__eax = __ebp - 0x24;
      									__ecx = __edi;
      									__eax = E011279DB(__edi, __ebp - 0x24);
      									_t70 = 1; // 0x1
      									__ebx = 1;
      									 *(__ebp - 0x28) = __ebx;
      								}
      								_t73 = __ebp - 4;
      								 *_t73 =  *(__ebp - 4) | 0xffffffff;
      								__eflags =  *_t73;
      								__ecx = __ebp - 0x20;
      								__eax = E011242FB(__ecx);
      								goto L48;
      							case 8:
      								L67:
      								__esi = 0;
      								goto L49;
      							case 9:
      								__edx =  *(__esi + 0x14);
      								__ecx =  *(__edi + 0x14);
      								__eax =  *__edi;
      								 *(__ecx + __edx * 8) =  *__edi;
      								__eax =  *(__edi + 0x10);
      								__eflags =  *(__esi + 0x14) - __eax;
      								if( *(__esi + 0x14) >= __eax) {
      									goto L49;
      								} else {
      									__ebx =  *(__ebp - 0x2c);
      									do {
      										__edx =  *(__edi + 4);
      										__eax = __eax - 1;
      										__esi = __eax;
      										 *(__ebp - 0x30) = __eax;
      										__esi = __eax >> 5;
      										__ecx = __eax;
      										__ecx = __eax & 0x0000001f;
      										__eax =  *(__edx + __esi * 4);
      										asm("btr eax, ecx");
      										__eax =  *(__ebp - 0x30);
      										__eflags =  *((intOrPtr*)(__ebx + 0x14)) - __eax;
      									} while ( *((intOrPtr*)(__ebx + 0x14)) < __eax);
      									__ebx =  *(__ebp - 0x28);
      									goto L48;
      								}
      								goto L88;
      							case 0xa:
      								__eflags =  *((char*)(__edi + 0x65));
      								__eax =  *(__esi + 0x14);
      								 *(__ebp - 0x30) = __eax;
      								if( *((char*)(__edi + 0x65)) != 0) {
      									L59:
      									__esi =  *(__eax + 0x14);
      									__edx = __esi;
      									__ecx =  *(__edi + 4);
      									__esi = __esi & 0x0000001f;
      									__edx = __edx >> 5;
      									__eax =  *(__ecx + __edx * 4);
      									asm("bts eax, esi");
      									__edx =  *(__ebp - 0x30);
      									__ecx =  *(__edi + 0x14);
      									__eax =  *__edi;
      									__edx =  *( *(__ebp - 0x30) + 0x14);
      									 *(__ecx + 4 + __edx * 8) = __eax;
      									goto L48;
      								} else {
      									__eflags =  *(__eax + 0x14);
      									if( *(__eax + 0x14) == 0) {
      										goto L49;
      									} else {
      										goto L59;
      									}
      								}
      								L88:
      							case 0xb:
      								__eax =  *(__esi + 0x14);
      								__esi = __eax;
      								__edx =  *(__edi + 4);
      								__ecx = __eax;
      								 *(__ebp - 0x30) = __eax;
      								__ecx = __eax & 0x0000001f;
      								__eax = 0;
      								__esi = __esi >> 5;
      								__eax = 1;
      								__eax = 1 << __cl;
      								__eflags =  *(__edx + __esi * 4) & 1;
      								if(( *(__edx + __esi * 4) & 1) == 0) {
      									L48:
      									__esi =  *(__ebp - 0x2c);
      									goto L49;
      								} else {
      									__edx =  *(__edi + 0x14);
      									__esi =  *(__ebp - 0x30);
      									__eax =  *__edi;
      									__ecx =  *(__edx + 4 + __esi * 8);
      									__eflags =  *((intOrPtr*)(__edx + __esi * 8)) - __ecx;
      									if( *((intOrPtr*)(__edx + __esi * 8)) == __ecx) {
      										L63:
      										 *__edi = __eax;
      										goto L48;
      									} else {
      										__edx =  *(__edi + 0x70);
      										__ecx = __ebp - 0x3c;
      										__eax = E01135E76(__ebx, __ecx, __edx, __edi, __esi, __eax,  *((intOrPtr*)(__edi + 0x50)),  *((intOrPtr*)(__edx + __esi * 8)), __ecx,  *((intOrPtr*)(__edi + 0x5c)));
      										__eax =  *__eax;
      										__eflags = __eax -  *__edi;
      										if(__eax ==  *__edi) {
      											__eax = 0;
      											__eflags = 0;
      											_t149 = __eax + 1; // 0x1
      											__ebx = _t149;
      											L83:
      											_t165 = _t169[0x1f];
      										} else {
      											goto L63;
      										}
      									}
      								}
      								goto L84;
      							case 0xc:
      								_push(__esi);
      								__ecx = __edi;
      								__eax = E0113592F(__ebx, __ecx, __edx, __edi, __eflags);
      								goto L65;
      							case 0xd:
      								 *(__esi + 8) =  *(__esi + 8) >> 1;
      								__al = __al & __dl;
      								__eflags = __al;
      								_push(0);
      								__eax = __al & 0x000000ff;
      								_push(__al & 0x000000ff);
      								_push(__esi);
      								goto L69;
      							case 0xe:
      								__ecx =  *(__esi + 0x14);
      								__edx =  *(__edi + 0x40);
      								__eflags =  *(__ecx + 0x24);
      								__eax =  *(__ecx + 0x20);
      								if( *(__ecx + 0x24) == 0) {
      									_push( *((intOrPtr*)(__edx + __eax * 8)));
      									 *(__ecx + 8) =  *(__ecx + 8) >> 1;
      									__al = __al & 0x00000001;
      									__eax = __al & 0x000000ff;
      									_push(__al & 0x000000ff);
      									_push(__ecx);
      									L69:
      									__ecx = __edi;
      									__eax = E01135A28(__ebx, __ecx, __edx, __edi);
      									L65:
      									__eflags = __al;
      									__ebx = __bl & 0x000000ff;
      									_push(1);
      									_pop(__eax);
      									__ebx =  ==  ? __eax : __bl & 0x000000ff;
      									goto L66;
      								}
      								goto L67;
      							case 0xf:
      								__eflags =  *(__edi + 0x60) & 0x00002020;
      								if(( *(__edi + 0x60) & 0x00002020) == 0) {
      									L74:
      									__eflags =  *((char*)(__edi + 0x74));
      									if( *((char*)(__edi + 0x74)) == 0) {
      										L77:
      										__eflags =  *(__edi + 0x64);
      										if( *(__edi + 0x64) == 0) {
      											L79:
      											__ecx = __edi + 0x20;
      											E01127974(__ecx, __edi) = 0;
      											__eax = 1;
      											 *(__edi + 0x64) = __al;
      										} else {
      											__ecx = __edi;
      											__eax = E01135CDB(__ebx, __ecx, __edi, __esi);
      											__eflags = __al;
      											if(__al != 0) {
      												goto L79;
      											}
      										}
      									} else {
      										__eax =  *__edi;
      										__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
      										if(__eax ==  *((intOrPtr*)(__edi + 0x50))) {
      											goto L77;
      										} else {
      											goto L76;
      										}
      									}
      								} else {
      									__eax =  *(__edi + 0x4c);
      									__eflags = __eax -  *__edi;
      									if(__eax ==  *__edi) {
      										L76:
      										__bl = __dl;
      										L66:
      										 *(__ebp - 0x28) = __ebx;
      									} else {
      										goto L74;
      									}
      								}
      								goto L67;
      						}
      					}
      					_push(0xd);
      					goto L3;
      				}
      				L84:
      				__eflags = _t165;
      				if(_t165 > 0) {
      					_t151 = _t165 + 1; // 0x31
      					_t157 = _t151;
      					_t169[0x1f] = _t151;
      				}
      				__eflags = _t162;
      				_t154 = _t162 == 0;
      				__eflags = _t162 == 0;
      				return E01143D3B(_t157 & 0xffffff00 | _t154, _t162, _t169);
      				goto L88;
      			}











      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113553A
      • ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000B,00000030,01135448,?,?,?,?,?,?,?,?,?,01135202,?,?,?), ref: 0113555B
        • Part of subcall function 01127A41: memmove.VCRUNTIME140(?,?,?,?,?,?,3FFFFFFF,?,?,?,01128687,?,00000008,?,?,?), ref: 01127A83
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_W4error_type@regex_constants@1@@Xregex_error@std@@memmove
      • String ID:
      • API String ID: 901649593-0
      • Opcode ID: 7cd785505fc08e59f762df5ad505f92202cd4abb5708e77708c1d2b487b7d986
      • Instruction ID: 1f693ef9cff6777c0e90cda952702edab10fabd3c5ad89b3db393a7c54b6401a
      • Opcode Fuzzy Hash: 7cd785505fc08e59f762df5ad505f92202cd4abb5708e77708c1d2b487b7d986
      • Instruction Fuzzy Hash: CAC1AC71A01612EFDB9DCF28C090AA9BBF3FF88B04B544159D842DB699D731F861CB90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E01127275(void* __ebx, signed int* __ecx, void* __edi) {
      				signed int _t160;
      				signed char _t162;
      				signed int* _t164;
      				signed int _t165;
      				signed int* _t169;
      				signed int _t170;
      				void* _t171;
      
      				_t164 = __ecx;
      				E01143D91(E01145FAC, __ebx, __edi, 0x28);
      				_t169 = _t164;
      				 *(_t171 - 0x34) = _t169;
      				_t165 = _t169[0x1f];
      				_t170 =  *(_t171 + 8);
      				 *(_t171 - 0x2c) = _t170;
      				if(_t165 > 0) {
      					_t165 = _t165 - 1;
      					_t169[0x1f] = _t165;
      					if(_t165 <= 0) {
      						_push(0xc);
      						L3:
      						__imp__?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z();
      					}
      				}
      				_t157 = _t169[0x1e];
      				if(_t157 > 0) {
      					_t157 = _t157 - 1;
      					_t169[0x1e] = _t157;
      					if(_t157 <= 0) {
      						_push(0xb);
      						goto L3;
      					}
      				}
      				_t162 = 0;
      				 *(_t171 - 0x28) = 0;
      				__eflags = _t170;
      				if(_t170 != 0) {
      					while(1) {
      						L8:
      						_t165 =  *(_t170 + 4);
      						_t160 = _t165 - 1;
      						__eflags = _t160 - 0x14;
      						if(__eflags > 0) {
      							break;
      						}
      						switch( *((intOrPtr*)(_t160 * 4 +  &M01127615))) {
      							case 0:
      								L53:
      								__eflags = _t162;
      								if(_t162 != 0) {
      									goto L83;
      								} else {
      									goto L54;
      								}
      								goto L84;
      							case 1:
      								__eflags = _t169[0x18] & 0x00000100;
      								if((_t169[0x18] & 0x00000100) != 0) {
      									L14:
      									_t157 =  *_t169;
      									__eflags =  *((char*)( *_t169 - 1)) - 0xa;
      									goto L15;
      								} else {
      									_t157 =  *_t169;
      									__eflags = _t157 - _t169[0x13];
      									if(_t157 != _t169[0x13]) {
      										goto L14;
      									} else {
      										_t163 = _t169[0x18];
      										goto L13;
      									}
      								}
      								goto L16;
      							case 2:
      								__eax =  *__edi;
      								__eflags = __eax -  *(__edi + 0x50);
      								if(__eax !=  *(__edi + 0x50)) {
      									__eflags =  *__eax - 0xa;
      									L15:
      									_t20 = __eflags != 0;
      									__eflags = _t20;
      									_t162 = _t162 & 0xffffff00 | _t20;
      								} else {
      									__ebx =  *(__edi + 0x60);
      									__ebx =  *(__edi + 0x60) >> 1;
      									L13:
      									_t162 = _t163 & 1;
      								}
      								goto L16;
      							case 3:
      								__eax =  *(__edi + 0x60);
      								__eflags = __eax & 0x00000100;
      								if((__eax & 0x00000100) != 0) {
      									L26:
      									__ecx =  *__edi;
      									__eflags = __ecx -  *(__edi + 0x50);
      									if(__ecx !=  *(__edi + 0x50)) {
      										__eax =  *(__ecx - 1) & 0x000000ff;
      										__edx = 0;
      										__ecx =  *__ecx & 0x000000ff;
      										__al =  *((intOrPtr*)(__eax + 0x114bf98));
      										__eflags = __al -  *((intOrPtr*)(__ecx + 0x114bf98));
      										_t44 = __al !=  *((intOrPtr*)(__ecx + 0x114bf98));
      										__eflags = _t44;
      										__edx = 0 | _t44;
      									} else {
      										__eflags = __al & 0x00000008;
      										if((__al & 0x00000008) != 0) {
      											goto L30;
      										} else {
      											__eax =  *(__ecx - 1) & 0x000000ff;
      											goto L29;
      										}
      									}
      								} else {
      									__ecx =  *__edi;
      									__eflags = __ecx -  *(__edi + 0x4c);
      									if(__ecx !=  *(__edi + 0x4c)) {
      										goto L26;
      									} else {
      										__eflags = __ecx -  *(__edi + 0x50);
      										if(__ecx !=  *(__edi + 0x50)) {
      											__eflags = __al & 0x00000004;
      											if((__al & 0x00000004) != 0) {
      												L30:
      												__edx = 0;
      											} else {
      												__eax =  *__ecx & 0x000000ff;
      												L29:
      												__eflags =  *((char*)(__eax + 0x114bf98));
      												if( *((char*)(__eax + 0x114bf98)) == 0) {
      													goto L30;
      												}
      											}
      										} else {
      											_push(0);
      											__eflags = __al & 0x0000000c;
      											_pop(__edx);
      											__edx = __edx & 0xffffff00 | (__al & 0x0000000c) == 0x00000000;
      										}
      									}
      								}
      								__eax =  *(__esi + 8);
      								__ecx = 0;
      								__ecx = 1;
      								__eax =  *(__esi + 8) & 1;
      								__eflags = __edx - __eax;
      								__ebx = __ebx & 0xffffff00 | __edx == __eax;
      								goto L16;
      							case 4:
      								__eax =  *__edi;
      								__eflags = __eax -  *(__edi + 0x50);
      								if(__eax ==  *(__edi + 0x50)) {
      									L38:
      									__bl = __dl;
      									goto L16;
      								} else {
      									__cl =  *__eax;
      									__eflags = __cl - 0xa;
      									if(__cl == 0xa) {
      										goto L38;
      									} else {
      										__eflags = __cl - 0xd;
      										if(__cl == 0xd) {
      											goto L38;
      										} else {
      											__eax = __eax + 1;
      											__eflags = __eax;
      											goto L37;
      										}
      									}
      								}
      								goto L53;
      							case 5:
      								__eax =  *(__esi + 0x18);
      								__esi =  *(__esi + 0x1c);
      								__eax = __eax + __esi;
      								__edx =  *(__edi + 0x50);
      								__ecx =  *__edi;
      								__eax = E01127669(__ebx, __ecx, __edx, __edi, __esi, __esi, __eax,  *((intOrPtr*)(__edi + 0x70)),  *((intOrPtr*)(__edi + 0x5c)));
      								__esi =  *(__ebp - 0x2c);
      								__eflags = __eax -  *__edi;
      								if(__eax !=  *__edi) {
      									L37:
      									 *__edi = __eax;
      								} else {
      									__eax = 0;
      									_t55 = __eax + 1; // 0x1
      									__ebx = _t55;
      									L16:
      									 *(_t171 - 0x28) = _t162;
      								}
      								goto L53;
      							case 6:
      								__eax =  *__edi;
      								__eflags = __eax -  *(__edi + 0x50);
      								if(__eax ==  *(__edi + 0x50)) {
      									L81:
      									__bl = __dl;
      									goto L83;
      								} else {
      									__ecx = __edi;
      									__eax = E011281FC(__ecx, __esi);
      									__eflags = __al;
      									if(__al == 0) {
      										0 = 1;
      										__eflags = 1;
      										goto L81;
      									} else {
      										__bl = 0;
      										 *(__ebp - 0x28) = __ebx;
      										L54:
      										__eflags = _t170;
      										if(_t170 == 0) {
      											goto L83;
      										} else {
      											_t170 =  *(_t170 + 0xc);
      											 *(_t171 - 0x2c) = _t170;
      											__eflags = _t170;
      											if(_t170 == 0) {
      												goto L83;
      											} else {
      												goto L8;
      											}
      										}
      									}
      								}
      								goto L84;
      							case 7:
      								__edx =  *__edi;
      								__eflags = __ecx - 0xb;
      								__edi = __ebp - 0x24;
      								 *(__ebp - 0x2c) = __edx;
      								__ebx = __ebx & 0xffffff00 | __ecx == 0x0000000b;
      								__ecx = __ebp - 0x20;
      								__eax = 0;
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								asm("stosd");
      								__edi =  *(__ebp - 0x34);
      								 *(__ebp - 0x24) = __edx;
      								__edi + 4 = E01127A41(__ebp - 0x20, __edi + 4);
      								 *(__ebp - 4) =  *(__ebp - 4) & 0x00000000;
      								__ecx = __edi;
      								__eax = E01127275(__ebx, __edi, __edi,  *(__esi + 0x14));
      								__eflags = __al - __bl;
      								if(__al != __bl) {
      									__eax =  *(__ebp - 0x2c);
      									__ebx =  *(__ebp - 0x28);
      									 *__edi =  *(__ebp - 0x2c);
      								} else {
      									__eax = __ebp - 0x24;
      									__ecx = __edi;
      									__eax = E011279DB(__edi, __ebp - 0x24);
      									_t70 = 1; // 0x1
      									__ebx = 1;
      									 *(__ebp - 0x28) = __ebx;
      								}
      								 *(__ebp - 4) =  *(__ebp - 4) | 0xffffffff;
      								__ecx = __ebp - 0x20;
      								__eax = E011242FB(__ecx);
      								goto L53;
      							case 8:
      								L67:
      								__esi = 0;
      								goto L53;
      							case 9:
      								__edx =  *(__esi + 0x14);
      								__ecx =  *(__edi + 0x14);
      								__eax =  *__edi;
      								 *(__ecx + __edx * 8) =  *__edi;
      								__eax =  *(__edi + 0x10);
      								__eflags =  *(__esi + 0x14) - __eax;
      								if( *(__esi + 0x14) < __eax) {
      									__ebx =  *(__ebp - 0x2c);
      									do {
      										__edx =  *(__edi + 4);
      										__eax = __eax - 1;
      										__esi = __eax;
      										 *(__ebp - 0x30) = __eax;
      										__esi = __eax >> 5;
      										__ecx = __eax;
      										__ecx = __eax & 0x0000001f;
      										__eax =  *(__edx + __esi * 4);
      										asm("btr eax, ecx");
      										__eax =  *(__ebp - 0x30);
      										__eflags =  *((intOrPtr*)(__ebx + 0x14)) - __eax;
      									} while ( *((intOrPtr*)(__ebx + 0x14)) < __eax);
      									__ebx =  *(__ebp - 0x28);
      									goto L52;
      								}
      								goto L53;
      							case 0xa:
      								__eflags =  *((char*)(__edi + 0x65));
      								__eax =  *(__esi + 0x14);
      								 *(__ebp - 0x30) = __eax;
      								if( *((char*)(__edi + 0x65)) != 0) {
      									L59:
      									__esi =  *(__eax + 0x14);
      									__edx = __esi;
      									__ecx =  *(__edi + 4);
      									__esi = __esi & 0x0000001f;
      									__edx = __edx >> 5;
      									__eax =  *(__ecx + __edx * 4);
      									asm("bts eax, esi");
      									__edx =  *(__ebp - 0x30);
      									__ecx =  *(__edi + 0x14);
      									__eax =  *__edi;
      									__edx =  *( *(__ebp - 0x30) + 0x14);
      									 *(__ecx + 4 + __edx * 8) = __eax;
      									goto L52;
      								} else {
      									__eflags =  *(__eax + 0x14);
      									if( *(__eax + 0x14) == 0) {
      										goto L53;
      									} else {
      										goto L59;
      									}
      								}
      								L88:
      							case 0xb:
      								__eax =  *(__esi + 0x14);
      								__esi = __eax;
      								__edx =  *(__edi + 4);
      								__ecx = __eax;
      								 *(__ebp - 0x30) = __eax;
      								__ecx = __eax & 0x0000001f;
      								__eax = 0;
      								__esi = __esi >> 5;
      								__eax = 1;
      								__eax = 1 << __cl;
      								__eflags =  *(__edx + __esi * 4) & 1;
      								if(( *(__edx + __esi * 4) & 1) == 0) {
      									L52:
      									__esi =  *(__ebp - 0x2c);
      									goto L53;
      								} else {
      									__eax =  *(__edi + 0x14);
      									__edx =  *(__ebp - 0x30);
      									__ecx =  *__edi;
      									__esi =  *(__eax + 4 + __edx * 8);
      									__eflags =  *((intOrPtr*)(__eax + __edx * 8)) - __esi;
      									if( *((intOrPtr*)(__eax + __edx * 8)) == __esi) {
      										L63:
      										 *__edi = __ecx;
      										goto L52;
      									} else {
      										__edx =  *(__edi + 0x50);
      										__eax = E01127669(__ebx, __ecx, __edx, __edi, __esi,  *((intOrPtr*)(__eax + __edx * 8)), __esi,  *((intOrPtr*)(__edi + 0x70)),  *((intOrPtr*)(__edi + 0x5c)));
      										__ecx = __eax;
      										__eflags = __ecx -  *__edi;
      										if(__ecx ==  *__edi) {
      											__eax = 0;
      											__eflags = 0;
      											_t149 = __eax + 1; // 0x1
      											__ebx = _t149;
      											L83:
      											_t165 = _t169[0x1f];
      										} else {
      											goto L63;
      										}
      									}
      								}
      								goto L84;
      							case 0xc:
      								_push(__esi);
      								__ecx = __edi;
      								__eax = E01127F85(__ebx, __ecx, __edx, __edi, __eflags);
      								goto L65;
      							case 0xd:
      								 *(__esi + 8) =  *(__esi + 8) >> 1;
      								__al = __al & __dl;
      								__eflags = __al;
      								_push(0);
      								__eax = __al & 0x000000ff;
      								_push(__al & 0x000000ff);
      								_push(__esi);
      								goto L69;
      							case 0xe:
      								__ecx =  *(__esi + 0x14);
      								__edx =  *(__edi + 0x40);
      								__eflags =  *(__ecx + 0x24);
      								__eax =  *(__ecx + 0x20);
      								if( *(__ecx + 0x24) == 0) {
      									_push( *((intOrPtr*)(__edx + __eax * 8)));
      									 *(__ecx + 8) =  *(__ecx + 8) >> 1;
      									__al = __al & 0x00000001;
      									__eax = __al & 0x000000ff;
      									_push(__al & 0x000000ff);
      									_push(__ecx);
      									L69:
      									__ecx = __edi;
      									__eax = E0112807E(__ebx, __ecx, __edx, __edi);
      									L65:
      									__eflags = __al;
      									__ebx = __bl & 0x000000ff;
      									_push(1);
      									_pop(__eax);
      									__ebx =  ==  ? __eax : __bl & 0x000000ff;
      									goto L66;
      								}
      								goto L67;
      							case 0xf:
      								__eflags =  *(__edi + 0x60) & 0x00002020;
      								if(( *(__edi + 0x60) & 0x00002020) == 0) {
      									L74:
      									__eflags =  *((char*)(__edi + 0x74));
      									if( *((char*)(__edi + 0x74)) == 0) {
      										L77:
      										__eflags =  *(__edi + 0x64);
      										if( *(__edi + 0x64) == 0) {
      											L79:
      											__ecx = __edi + 0x20;
      											E01127974(__ecx, __edi) = 0;
      											__eax = 1;
      											 *(__edi + 0x64) = __al;
      										} else {
      											__ecx = __edi;
      											__eax = E011282D0(__ecx);
      											__eflags = __al;
      											if(__al != 0) {
      												goto L79;
      											}
      										}
      									} else {
      										__eax =  *__edi;
      										__eflags = __eax -  *(__edi + 0x50);
      										if(__eax ==  *(__edi + 0x50)) {
      											goto L77;
      										} else {
      											goto L76;
      										}
      									}
      								} else {
      									__eax =  *(__edi + 0x4c);
      									__eflags = __eax -  *__edi;
      									if(__eax ==  *__edi) {
      										L76:
      										__bl = __dl;
      										L66:
      										 *(__ebp - 0x28) = __ebx;
      									} else {
      										goto L74;
      									}
      								}
      								goto L67;
      						}
      					}
      					_push(0xd);
      					goto L3;
      				}
      				L84:
      				__eflags = _t165;
      				if(_t165 > 0) {
      					_t157 = _t165 + 1;
      					_t169[0x1f] = _t165 + 1;
      				}
      				__eflags = _t162;
      				_t154 = _t162 == 0;
      				__eflags = _t162 == 0;
      				return E01143D3B(_t157 & 0xffffff00 | _t154, _t162, _t169);
      				goto L88;
      			}










      0x0112757b
      0x01127556
      0x01127556
      0x01127558
      0x0112755b
      0x0112755d
      0x0112755e
      0x00000000
      0x0112755e
      0x00000000
      0x00000000
      0x011275a2
      0x011275a9
      0x011275b2
      0x011275b2
      0x011275b6
      0x011275c3
      0x011275c3
      0x011275c7
      0x011275d4
      0x011275d5
      0x011275dd
      0x011275df
      0x011275e0
      0x011275c9
      0x011275c9
      0x011275cb
      0x011275d0
      0x011275d2
      0x00000000
      0x00000000
      0x011275d2
      0x011275b8
      0x011275b8
      0x011275ba
      0x011275bd
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x011275bd
      0x011275ab
      0x011275ab
      0x011275ae
      0x011275b0
      0x011275bf
      0x011275bf
      0x01127561
      0x01127561
      0x00000000
      0x00000000
      0x00000000
      0x011275b0
      0x00000000
      0x00000000
      0x011272d5
      0x0112760e
      0x00000000
      0x0112760e
      0x011275f7
      0x011275f7
      0x011275f9
      0x011275fb
      0x011275fe
      0x011275fe
      0x01127601
      0x01127603
      0x01127603
      0x0112760b
      0x00000000

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112727C
      • ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@@Z.MSVCP140(0000000B,00000028,01125E10), ref: 0112729D
        • Part of subcall function 01127A41: memmove.VCRUNTIME140(?,?,?,?,?,?,3FFFFFFF,?,?,?,01128687,?,00000008,?,?,?), ref: 01127A83
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_W4error_type@regex_constants@1@@Xregex_error@std@@memmove
      • String ID:
      • API String ID: 901649593-0
      • Opcode ID: bab2e539172fc084fc9dd7680cd8406a49e97f39d771ad898562b15a8ae636ad
      • Instruction ID: d6ec1022a91057b9cf62af57cc259704888a5f2525b12dec033fb6ad611c56d7
      • Opcode Fuzzy Hash: bab2e539172fc084fc9dd7680cd8406a49e97f39d771ad898562b15a8ae636ad
      • Instruction Fuzzy Hash: D7C1AE30A04666DFDB2DCF28C090AAAFBF2FF69304B184559E8519B691D731F871CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E011441C9() {
      
      				return SetUnhandledExceptionFilter(E011441D5);
      			}




      APIs
      • SetUnhandledExceptionFilter.KERNEL32(Function_000241D5,011434FC), ref: 011441CE
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ExceptionFilterUnhandled
      • String ID:
      • API String ID: 3192549508-0
      • Opcode ID: 229265520d0cbaced06fef3ba5016de80ccf0a27f1af58638ee2762c389216c4
      • Instruction ID: f9ed257a86e256eb20d9f0ef071f5108f944218b196b9f1f5e1935621fb0d0aa
      • Opcode Fuzzy Hash: 229265520d0cbaced06fef3ba5016de80ccf0a27f1af58638ee2762c389216c4
      • Instruction Fuzzy Hash:
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0113082A(void* __ebx, intOrPtr __ecx, void* __edi) {
      				intOrPtr _t150;
      				void* _t152;
      				void* _t155;
      				struct HINSTANCE__* _t169;
      				void* _t180;
      				struct HINSTANCE__* _t183;
      				WCHAR* _t188;
      				struct HINSTANCE__* _t189;
      				void* _t237;
      				void* _t241;
      				void* _t245;
      				int _t259;
      				intOrPtr _t261;
      				struct HINSTANCE__* _t282;
      				struct HINSTANCE__* _t296;
      				void* _t337;
      				void* _t338;
      				void* _t339;
      				struct HINSTANCE__* _t356;
      				char* _t357;
      				struct HINSTANCE__* _t360;
      				void* _t363;
      				void* _t364;
      				void* _t365;
      				void* _t366;
      				intOrPtr _t367;
      				intOrPtr _t368;
      				void* _t369;
      				struct HINSTANCE__* _t372;
      				void* _t373;
      				struct HINSTANCE__* _t374;
      				struct HINSTANCE__* _t375;
      				void* _t376;
      				struct HINSTANCE__* _t377;
      				struct HINSTANCE__* _t380;
      				void* _t381;
      				void* _t383;
      				struct HINSTANCE__* _t384;
      				struct HINSTANCE__* _t385;
      				void* _t386;
      				struct HINSTANCE__* _t387;
      				struct HINSTANCE__* _t390;
      				void* _t391;
      				void* _t392;
      				struct HINSTANCE__* _t394;
      
      				_t261 = __ecx;
      				E01143D91(E01147600, __ebx, __edi, 0xe0);
      				 *((intOrPtr*)(_t363 - 0xdc)) = _t261;
      				_t357 =  *((intOrPtr*)(_t363 + 8));
      				_t259 = 0;
      				 *((intOrPtr*)(_t363 - 0xec)) = _t357;
      				 *((intOrPtr*)(_t363 - 0xe0)) = 0;
      				 *((intOrPtr*)(_t363 - 4)) = 3;
      				memset(_t363 - 0xd8, 0, 0xb0);
      				_t365 = _t364 + 0xc;
      				E01140250(0, _t363 - 0xd8, __edi);
      				_t150 = 0xf;
      				 *((intOrPtr*)(_t357 + 0x10)) = 0;
      				 *((intOrPtr*)(_t357 + 0x14)) = _t150;
      				 *_t357 = 0;
      				 *((intOrPtr*)(_t363 - 0xe0)) = 1;
      				 *((intOrPtr*)(_t363 - 0x18)) = 0;
      				 *((intOrPtr*)(_t363 - 0x14)) = _t150;
      				 *((char*)(_t363 - 0x28)) = 0;
      				 *((char*)(_t363 - 4)) = 5;
      				_t264 =  >=  ?  *((void*)(_t363 + 0x3c)) : _t363 + 0x3c;
      				if(E01128F02( >=  ?  *((void*)(_t363 + 0x3c)) : _t363 + 0x3c,  *((intOrPtr*)(_t363 + 0x4c)), "v2/install", 0xa) == 0) {
      					E01129863(_t363 - 0x28, "install.json", 0xc);
      				}
      				_t347 =  *((intOrPtr*)(_t363 + 0x4c));
      				_t268 =  >=  ?  *((void*)(_t363 + 0x3c)) : _t363 + 0x3c;
      				_t152 = E01128F02( >=  ?  *((void*)(_t363 + 0x3c)) : _t363 + 0x3c,  *((intOrPtr*)(_t363 + 0x4c)), "v2/uninstall", 0xc);
      				_t398 = _t152;
      				if(_t152 == 0) {
      					E01129863(_t363 - 0x28, "uninstall.json", 0xe);
      				}
      				_t366 = _t365 - 0x18;
      				E011298E1(_t366, _t363 - 0x28);
      				_t355 =  *((intOrPtr*)(_t363 - 0xdc));
      				_push(_t357);
      				_t155 = E01130539(_t259,  *((intOrPtr*)(_t363 - 0xdc)),  *((intOrPtr*)(_t363 - 0xdc)), _t398);
      				_t399 = _t155;
      				if(_t155 != 0) {
      					L6:
      					E01129AC1(_t363 - 0x28);
      					E011403B6(_t363 - 0xd8, _t347);
      					E01129AC1(_t363 + 0xc);
      					E01129AC1(_t363 + 0x24);
      					E01129AC1(_t363 + 0x3c);
      					return E01143D3B(_t357, _t259, _t355);
      				} else {
      					_t367 = _t366 - 0x18;
      					 *((intOrPtr*)(_t363 - 0xe4)) = _t367;
      					E011298E1(_t367, _t363 + 0x3c);
      					_t368 = _t367 - 0x18;
      					 *((char*)(_t363 - 4)) = 6;
      					 *((intOrPtr*)(_t363 - 0xdc)) = _t368;
      					E011298E1(_t368, _t363 + 0x24);
      					_t369 = _t368 - 0x18;
      					 *((char*)(_t363 - 4)) = 7;
      					E011298E1(_t369, _t363 + 0xc);
      					_push(_t357);
      					 *((char*)(_t363 - 4)) = 5;
      					_t169 = E011306A7(_t259, _t355, _t355, _t399);
      					if(_t169 == 0) {
      						__imp__#1511();
      						_t282 = 0x18;
      						 *(_t363 - 0xe8) = _t169;
      						 *((char*)(_t363 - 4)) = 8;
      						__eflags = _t169;
      						if(_t169 != 0) {
      							_t282 = _t169;
      							_t259 = E011298AC(_t282, "Could not fetch installation configuration");
      						}
      						_push(0x1156040);
      						 *((char*)(_t363 - 4)) = 5;
      						_push(_t363 - 0xdc);
      						 *((intOrPtr*)(_t363 - 0xdc)) = _t259;
      						L01145637();
      						asm("int3");
      						E01143D91(E0114775C, _t259, _t355, 0x29c);
      						_t356 = _t282;
      						_t260 = 0;
      						memset(_t363 - 0x110, 0, 0xfe);
      						GetModuleFileNameW(0, _t363 - 0x110, 0x7f);
      						_push(_t282);
      						E01131FBA(_t363 - 0x158, _t363 - 0x110);
      						 *((intOrPtr*)(_t363 - 4)) = 0;
      						_t180 = E0112DD7B(_t363 - 0x158, _t363 - 0x290);
      						 *((char*)(_t363 - 4)) = 1;
      						E01129A21(_t363 - 0x140, _t180);
      						 *((char*)(_t363 - 4)) = 3;
      						E01129A96(_t363 - 0x290);
      						_t358 =  *(_t356 + 8);
      						_t183 = E0112431D(_t363 - 0x140, L"applift.exe");
      						_t371 = _t369 + 0xc - 0x18;
      						_t288 = _t371;
      						__eflags = _t183;
      						if(_t183 != 0) {
      							 *(_t363 - 0x278) = _t371;
      							E011298AC(_t288, "Finalizing update flow");
      							_push(2);
      							_push(0x209);
      							_t390 = _t371 - 0x18;
      							 *((char*)(_t363 - 4)) = 4;
      							 *(_t363 - 0x274) = _t390;
      							E011298AC(_t390, "void __thiscall InstPC::IPCService::install(void)");
      							_t391 = _t390 - 0x18;
      							 *((char*)(_t363 - 4)) = 5;
      							E011298AC(_t391, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      							 *((char*)(_t363 - 4)) = 3;
      							E0113765F(0, _t358, _t356);
      							E0112F38E(0, _t356, L"applift.exe", _t356, __eflags);
      							_t358 =  *(_t356 + 0x2c);
      							_push(1);
      							_t392 = _t391 - 0x18;
      							E011298AC(_t392, "has_updated");
      							E0113ABD1(0,  *(_t356 + 0x2c) + 0xc, _t356);
      							memset(_t363 - 0x26c, 0, 0xb0);
      							E0112A5E2(0, _t363 - 0x26c, _t356);
      							 *((char*)(_t363 - 4)) = 6;
      							_push( *(_t356 + 0x2c));
      							_t237 = E011298AC(_t363 - 0x2a8, "zoremov.com");
      							_t394 = _t392 + 0xc - 0x18;
      							 *((char*)(_t363 - 4)) = 7;
      							 *(_t363 - 0x270) = _t394;
      							E011237C8(_t394, "bi.", _t237);
      							_t371 = _t394 - 0x14;
      							 *((char*)(_t363 - 4)) = 8;
      							E011298AC(_t394 - 0x14, "api/report/install");
      							 *((char*)(_t363 - 4)) = 7;
      							_push(_t363 - 0x290);
      							_t241 = E01141F3F(0, _t363 - 0x26c, "bi.", _t356);
      							 *((char*)(_t363 - 4)) = 9;
      							E011237C8(_t363 - 0x1bc, "Entered updateComplete (update_log) - ", _t241);
      							E01129AC1(_t363 - 0x290);
      							 *((char*)(_t363 - 4)) = 0xc;
      							E01129AC1(_t363 - 0x2a8);
      							_t245 = E011432B4(0, _t363 - 0x2a8, "Entered updateComplete (update_log) - ", _t356);
      							_t337 = _t363 - 0x1a4;
      							E01129A21(_t337, _t245);
      							_push(_t337);
      							 *((char*)(_t363 - 4)) = 0xd;
      							_t338 = _t363 - 0x290;
      							E01123714(_t338, _t363 - 0x1a4);
      							_push(_t338);
      							 *((char*)(_t363 - 4)) = 0xe;
      							_t339 = _t363 - 0x2a8;
      							E01131FBA(_t339, _t363 - 0x110);
      							_push(_t339);
      							 *((char*)(_t363 - 4)) = 0xf;
      							E0112E1F9(0, _t363 - 0x2a8, _t363 - 0x290, _t356,  *(_t356 + 0x2c));
      							E011214A3(_t363 - 0x2a8);
      							 *((char*)(_t363 - 4)) = 0xd;
      							E011214A3(_t363 - 0x290);
      							_t288 = _t356;
      							E011314C6(0, _t356, _t363 - 0x290, _t356, __eflags);
      							ExitProcess(0);
      						}
      						 *(_t363 - 0x270) = _t371;
      						E011298AC(_t288, "Fetching install actions");
      						_t372 = _t371 - 0x18;
      						 *((char*)(_t363 - 4)) = 0x10;
      						 *(_t363 - 0x274) = _t372;
      						E011298AC(_t372, "void __thiscall InstPC::IPCService::install(void)");
      						_t373 = _t372 - 0x18;
      						 *((char*)(_t363 - 4)) = 0x11;
      						E011298AC(_t373, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      						 *((char*)(_t363 - 4)) = 3;
      						E0113765F(0, _t358, _t356);
      						_t188 = GetCommandLineW();
      						_t189 = GetModuleHandleW(0);
      						__imp__#2408(_t189, 0, _t188, 0, 0x218, 2);
      						__eflags = _t189;
      						if(_t189 == 0) {
      							exit(0);
      						}
      						_t374 = _t373 - 0x18;
      						 *(_t363 - 0x270) = _t374;
      						E011298AC(_t374, "v2/install");
      						_t375 = _t374 - 0x18;
      						 *((char*)(_t363 - 4)) = 0x12;
      						 *(_t363 - 0x274) = _t375;
      						E011298AC(_t375, "zoremov.com");
      						_t376 = _t375 - 0x18;
      						 *((char*)(_t363 - 4)) = 0x13;
      						E011298AC(_t376, "alg.");
      						 *((char*)(_t363 - 4)) = 3;
      						_push(_t363 - 0x128);
      						E0113082A(_t260, _t356, _t356);
      						 *((char*)(_t363 - 4)) = 0x14;
      						_t377 = _t376 - 0x18;
      						__eflags =  *(_t363 - 0x118);
      						_t296 = _t377;
      						_t360 =  *(_t356 + 8);
      						 *(_t363 - 0x270) = _t377;
      						if( *(_t363 - 0x118) == 0) {
      							E011298AC(_t296, "No install actions waiting");
      							_push(2);
      							_push(0x22e);
      							 *((char*)(_t363 - 4)) = 0x1d;
      							 *(_t363 - 0x274) = _t377 - 0x18;
      							E011298AC(_t377 - 0x18, "void __thiscall InstPC::IPCService::install(void)");
      							 *((char*)(_t363 - 4)) = 0x1e;
      							E011298AC(_t377, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      							 *((char*)(_t363 - 4)) = 0x14;
      							E0113765F(_t260, _t360, _t356);
      						} else {
      							_push(_t363 - 0x128);
      							E011237FA(_t260, _t296, "Got install configuration ", _t356);
      							_push(2);
      							_push(0x224);
      							_t380 = _t377 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x15;
      							 *(_t363 - 0x274) = _t380;
      							E011298AC(_t380, "void __thiscall InstPC::IPCService::install(void)");
      							_t381 = _t380 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x16;
      							E011298AC(_t381, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      							 *((char*)(_t363 - 4)) = 0x14;
      							E0113765F(_t260, _t360, _t356);
      							memset(_t363 - 0x18c, _t260, 0x34);
      							_push(_t260);
      							_t383 = _t381 + 0xc - 0x18;
      							E011298E1(_t383, _t363 - 0x128);
      							E0112CC5B(_t260, _t363 - 0x18c, "Got install configuration ", _t356, _t360, __eflags);
      							_t384 = _t383 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x17;
      							 *(_t363 - 0x270) = _t384;
      							E011298AC(_t384, "Installer configuration ready");
      							_push(2);
      							_push(0x228);
      							_t385 = _t384 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x18;
      							 *(_t363 - 0x274) = _t385;
      							_t260 = "void __thiscall InstPC::IPCService::install(void)";
      							E011298AC(_t385, "void __thiscall InstPC::IPCService::install(void)");
      							_t386 = _t385 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x19;
      							E011298AC(_t386, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      							 *((char*)(_t363 - 4)) = 0x17;
      							E0113765F("void __thiscall InstPC::IPCService::install(void)",  *(_t356 + 8), _t356);
      							E0112CE12("void __thiscall InstPC::IPCService::install(void)", _t363 - 0x18c, _t356, __eflags);
      							_t356 =  *(_t356 + 8);
      							E011298E1(_t363 - 0x290, _t363 - 0x180);
      							_t387 = _t386 - 0x18;
      							 *((char*)(_t363 - 4)) = 0x1a;
      							 *(_t363 - 0x270) = _t387;
      							 *(_t363 - 0x274) = _t387;
      							E011299A0(_t387, E01124262(_t363 - 0x290, _t387, _t363 - 0x290, "Finished running configuration ", 0x1f));
      							_push(2);
      							_push(0x22b);
      							 *((char*)(_t363 - 4)) = 0x1b;
      							 *(_t363 - 0x274) = _t387 - 0x18;
      							E011298AC(_t387 - 0x18, "void __thiscall InstPC::IPCService::install(void)");
      							 *((char*)(_t363 - 4)) = 0x1c;
      							E011298AC(_t387, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      							 *((char*)(_t363 - 4)) = 0x1a;
      							E0113765F(_t260, _t356, _t356);
      							E01129AC1(_t363 - 0x290);
      							E0112CDC0(_t260, _t363 - 0x18c, "Got install configuration ", _t356);
      						}
      						E01129AC1(_t363 - 0x128);
      						E01129A96(_t363 - 0x140);
      						return E01143D3B(E01129A96(_t363 - 0x158), _t260, _t356);
      					} else {
      						goto L6;
      					}
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01130834
      • memset.VCRUNTIME140(?,00000000,000000B0,000000E0,01131679,?,alg.), ref: 01130864
        • Part of subcall function 01140250: __EH_prolog3.LIBCMT ref: 01140257
        • Part of subcall function 01128F02: memcmp.VCRUNTIME140(?,?,?,?,?,011240C5,?,?,?,?,01132D98,?,?,00000000), ref: 01128F16
        • Part of subcall function 01129863: memmove.VCRUNTIME140(?,00000010,?,?,?,?,?,?), ref: 01129885
      • #1511.MFC140U(00000018,?,?), ref: 011309A0
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 011309D9
      • __EH_prolog3_GS.LIBCMT ref: 011309E9
      • memset.VCRUNTIME140(?,00000000,000000FE,0000029C,?,01156040), ref: 011309FF
      • GetModuleFileNameW.KERNEL32(00000000,?,0000007F,?,0000029C,?,01156040), ref: 01130A11
      • memset.VCRUNTIME140(?,00000000,000000B0,has_updated), ref: 01130AFC
        • Part of subcall function 01141F3F: __EH_prolog3.LIBCMT ref: 01141F46
        • Part of subcall function 011432B4: __EH_prolog3_GS.LIBCMT ref: 011432BB
        • Part of subcall function 0112E1F9: ___std_fs_copy_file@12.LIBCPMT ref: 0112E21D
        • Part of subcall function 011314C6: __EH_prolog3_GS.LIBCMT ref: 011314D0
        • Part of subcall function 011314C6: memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,bi.,00000003,zoremov.com,Entered 'Check task' flow), ref: 011315AB
      • ExitProcess.KERNEL32 ref: 01130C11
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_memset$H_prolog3$#1511ExceptionExitFileModuleNameProcessThrow___std_fs_copy_file@12memcmpmemmove
      • String ID: C:\git\modular-installer\kernel\IPCService.cpp$Could not fetch installation configuration$Entered updateComplete (update_log) - $Fetching install actions$Finalizing update flow$Finished running configuration $Got install configuration $Installer configuration ready$No install actions waiting$alg.$api/report/install$applift.exe$bi.$has_updated$install.json$uninstall.json$v2/install$v2/uninstall$void __thiscall InstPC::IPCService::install(void)$zoremov.com
      • API String ID: 2544058801-1991798303
      • Opcode ID: 1dea4576ac1e910ff5467818ad88fba848e2237ee4d5081897b64982d1796d97
      • Instruction ID: 4e105431f6ca9ce08713474f65f9b6cc5084ebbe21d09e5bd6a7718839ea9c54
      • Opcode Fuzzy Hash: 1dea4576ac1e910ff5467818ad88fba848e2237ee4d5081897b64982d1796d97
      • Instruction Fuzzy Hash: B402BF70A0126EEBDF1CFB68CC55BDD7B74AF25708F4440C9E40967281DBB45B588BA2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E0113765F(void* __ebx, intOrPtr __ecx, void* __edi) {
      				signed int _t213;
      				void* _t229;
      				void* _t230;
      				void* _t301;
      				void* _t302;
      				void* _t309;
      				void* _t310;
      				signed int _t316;
      				void* _t317;
      				void* _t318;
      				void* _t337;
      				void* _t340;
      				void* _t342;
      				signed int _t363;
      				void* _t364;
      				intOrPtr _t367;
      				signed int _t368;
      				signed int _t487;
      				void* _t488;
      				intOrPtr _t489;
      				signed int* _t495;
      				void* _t500;
      				void* _t501;
      				intOrPtr _t502;
      				void* _t503;
      				intOrPtr _t504;
      				void* _t505;
      				intOrPtr _t506;
      				void* _t507;
      				intOrPtr _t508;
      				void* _t509;
      				intOrPtr _t510;
      				void* _t511;
      				intOrPtr _t512;
      				void* _t513;
      				void* _t514;
      				intOrPtr _t515;
      				void* _t516;
      				intOrPtr _t517;
      				void* _t518;
      				intOrPtr _t519;
      				void* _t520;
      				intOrPtr _t521;
      				void* _t522;
      				void* _t523;
      				intOrPtr _t524;
      				void* _t525;
      				void* _t526;
      				intOrPtr _t527;
      				void* _t528;
      				void* _t530;
      				void* _t531;
      				intOrPtr _t533;
      				void* _t534;
      
      				_t486 = __edi;
      				_t367 = __ecx;
      				E01143D91(E011488A1, __ebx, __edi, 0x1c8);
      				_t489 = _t367;
      				 *((intOrPtr*)(_t500 - 0x124)) = _t489;
      				_t213 =  *(_t500 + 0x3c);
      				 *(_t500 - 0x18) = _t213;
      				_t362 = 0;
      				 *((intOrPtr*)(_t500 - 4)) = 2;
      				if( *((intOrPtr*)(_t489 + 0x18)) == 0) {
      					__imp__#1511();
      					_t368 = 0x18;
      					 *(_t500 - 0x18) = _t213;
      					 *((char*)(_t500 - 4)) = 3;
      					__eflags = _t213;
      					if(_t213 != 0) {
      						_push("missing component name, use REGISTER_COMPONENT() to register");
      						goto L10;
      					}
      					goto L11;
      				} else {
      					if( *((intOrPtr*)(_t489 + 0x30)) != 0) {
      						 *(_t500 - 0x14) = 0;
      						_t229 = E0113A80D(0, _t500 - 0x14, __edi);
      						 *((char*)(_t500 - 4)) = 5;
      						 *((intOrPtr*)(_t489 + 0xc4)) =  *((intOrPtr*)(_t489 + 0xc4)) + 1;
      						__imp___Xtime_get_ticks();
      						_t230 = E01145070(_t229, _t480, 0x989680, 0);
      						_t502 = _t501 - 0x18;
      						_t364 = _t230;
      						 *((intOrPtr*)(_t500 - 0x120)) = _t502;
      						_t488 = _t480;
      						E011298E1(_t502, _t489 + 0x20);
      						_t503 = _t502 - 0x18;
      						 *((char*)(_t500 - 4)) = 6;
      						E011298AC(_t503, "componentType");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t504 = _t503 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t504;
      						E011298E1(_t504, _t489 + 8);
      						_t505 = _t504 - 0x18;
      						 *((char*)(_t500 - 4)) = 7;
      						E011298AC(_t505, "name");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t506 = _t505 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t506;
      						E011298E1(_t506, _t489 + 0x38);
      						_t507 = _t506 - 0x18;
      						 *((char*)(_t500 - 4)) = 8;
      						E011298AC(_t507, "appId");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t508 = _t507 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t508;
      						E011298E1(_t508, _t489 + 0x50);
      						_t509 = _t508 - 0x18;
      						 *((char*)(_t500 - 4)) = 9;
      						E011298AC(_t509, "emid");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t510 = _t509 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t510;
      						E011298E1(_t510, _t489 + 0x68);
      						_t511 = _t510 - 0x18;
      						 *((char*)(_t500 - 4)) = 0xa;
      						E011298AC(_t511, "version");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t512 = _t511 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t512;
      						E011298E1(_t512, _t489 + 0x80);
      						_t513 = _t512 - 0x18;
      						 *((char*)(_t500 - 4)) = 0xb;
      						E011298AC(_t513, "hash");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						E011298AC(_t500 - 0x154, "messageNumber");
      						 *((char*)(_t500 - 4)) = 0xc;
      						E011298E1(_t500 - 0x13c, _t500 - 0x154);
      						_push( *((intOrPtr*)(_t489 + 0xc4)));
      						_t514 = _t513 - 0x18;
      						 *((char*)(_t500 - 4)) = 0xd;
      						E011298E1(_t514, _t500 - 0x13c);
      						E0113B4B5(_t364,  *(_t500 - 0x14), _t488);
      						E01129AC1(_t500 - 0x13c);
      						 *((char*)(_t500 - 4)) = 5;
      						E01129AC1(_t500 - 0x154);
      						_t515 = _t514 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t515;
      						E011298E1(_t515,  *((intOrPtr*)(_t500 - 0x124)) + 0x98);
      						_t516 = _t515 - 0x18;
      						 *((char*)(_t500 - 4)) = 0xe;
      						E011298AC(_t516, "sessionId");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t517 = _t516 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t517;
      						 *((intOrPtr*)(_t500 - 0x120)) = _t517;
      						E011298AC(_t517,  *((intOrPtr*)(0x114d504 +  *(_t500 - 0x18) * 4)));
      						_t518 = _t517 - 0x18;
      						 *((char*)(_t500 - 4)) = 0xf;
      						E011298AC(_t518, "level");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t519 = _t518 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t519;
      						E011298E1(_t519, _t500 + 8);
      						_t520 = _t519 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x10;
      						E011298AC(_t520, "file");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_t521 = _t520 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t521;
      						E011298E1(_t521, _t500 + 0x20);
      						_t522 = _t521 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x11;
      						E011298AC(_t522, "func");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						_push( *((intOrPtr*)(_t500 + 0x38)));
      						_t523 = _t522 - 0x18;
      						E011298AC(_t523, "line");
      						E0113AB26(_t364, _t500 - 0x14, _t480, _t488);
      						_t524 = _t523 - 0x18;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t524;
      						E011298E1(_t524, _t500 + 0x40);
      						_t525 = _t524 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x12;
      						E011298AC(_t525, "message");
      						 *((char*)(_t500 - 4)) = 5;
      						E0113AACB(_t364, _t500 - 0x14, _t488, __eflags);
      						E011298AC(_t500 - 0x13c, "clientTimestamp");
      						 *((char*)(_t500 - 4)) = 0x13;
      						E011298E1(_t500 - 0x154, _t500 - 0x13c);
      						_push(_t488);
      						_push(_t364);
      						_t526 = _t525 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x14;
      						E011298E1(_t526, _t500 - 0x154);
      						E0113B686(_t364,  *(_t500 - 0x14), _t488);
      						E01129AC1(_t500 - 0x154);
      						 *((char*)(_t500 - 4)) = 5;
      						E01129AC1(_t500 - 0x13c);
      						_push( *(_t500 - 0x14));
      						_push(_t500 - 0x68);
      						E01139FED(_t364, _t488);
      						_t527 = _t526 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x15;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t527;
      						E011298E1(_t527, 0x115b5a8);
      						_t528 = _t527 - 0x18;
      						 *((char*)(_t500 - 4)) = 0x16;
      						E011298E1(_t528, _t500 - 0x68);
      						 *((char*)(_t500 - 4)) = 0x15;
      						E01138223(_t364, _t500 - 0x50, _t488, __eflags);
      						asm("xorps xmm0, xmm0");
      						 *((char*)(_t500 - 4)) = 0x17;
      						asm("movlpd [ebp-0x20], xmm0");
      						E011383DA();
      						 *((char*)(_t500 - 4)) = 0x18;
      						_t301 = E011298AC(_t500 - 0x13c, "installer_reports");
      						 *((char*)(_t500 - 4)) = 0x19;
      						_t302 = E011298AC(_t500 - 0x154, "event_name");
      						 *((char*)(_t500 - 4)) = 0x1a;
      						E011293B6(E01138374(_t364, _t500 - 0x20, _t480, _t488, _t301, _t302), _t301, _t301);
      						E01129AC1(_t500 - 0x154);
      						 *((char*)(_t500 - 4)) = 0x18;
      						E01129AC1(_t500 - 0x13c);
      						_t530 = _t528 + 0x30 - 0x18;
      						E011298E1(_t530, _t500 - 0x50);
      						_t309 = E0113800D(_t364, _t500 - 0x13c, _t488);
      						_t531 = _t530 + 0x18;
      						 *((char*)(_t500 - 4)) = 0x1b;
      						_t310 = E011298AC(_t500 - 0x154, "infoJson");
      						 *((char*)(_t500 - 4)) = 0x1c;
      						E011293B6(E01138374(_t364, _t500 - 0x20, _t480, _t488, _t309, _t310), _t309, _t309);
      						E01129AC1(_t500 - 0x154);
      						 *((char*)(_t500 - 4)) = 0x18;
      						E01129AC1(_t500 - 0x13c);
      						E011298AC(_t500 - 0x38, 0x114c098);
      						 *((char*)(_t500 - 4)) = 0x1d;
      						_t495 =  *(_t500 - 0x20);
      						_t316 =  *_t495;
      						 *(_t500 - 0x18) = _t316;
      						while(1) {
      							__eflags = _t316 - _t495;
      							if(_t316 == _t495) {
      								break;
      							}
      							_t127 = _t316 + 0x10; // 0x10
      							_t488 = _t127;
      							_push("=");
      							_t317 = E01134CA3(1, _t500 - 0x16c, _t488, _t488);
      							_t129 = _t488 + 0x18; // 0x28
      							 *((char*)(_t500 - 4)) = 0x1e;
      							_t480 = _t317;
      							_t318 = E01131F14(_t500 - 0x154, _t317, _t129);
      							 *((char*)(_t500 - 4)) = 0x1f;
      							E011299A0(_t500 - 0x13c, E01129C57(_t318, "&", 1));
      							 *((char*)(_t500 - 4)) = 0x20;
      							__eflags =  *((intOrPtr*)(_t500 - 0x128)) - 0x10;
      							_t322 =  >=  ?  *((void*)(_t500 - 0x13c)) : _t500 - 0x13c;
      							E01129C57(_t500 - 0x38,  >=  ?  *((void*)(_t500 - 0x13c)) : _t500 - 0x13c,  *((intOrPtr*)(_t500 - 0x12c)));
      							E01129AC1(_t500 - 0x13c);
      							E01129AC1(_t500 - 0x154);
      							 *((char*)(_t500 - 4)) = 0x1d;
      							E01129AC1(_t500 - 0x16c);
      							E01134B8F(_t500 - 0x18);
      							_t316 =  *(_t500 - 0x18);
      						}
      						E011293B6(_t500 - 0x38, 0, E01131C95(1, _t500 - 0x38, _t488, 0, _t500 - 0x16c, 0,  *((intOrPtr*)(_t500 - 0x28)) - 1));
      						E01129AC1(_t500 - 0x16c);
      						memset(_t500 - 0x118, 0, 0xb0);
      						E01140250(1, _t500 - 0x118, _t488);
      						 *((char*)(_t500 - 4)) = 0x21;
      						 *((intOrPtr*)(_t500 - 0x114)) = 1;
      						_t337 = E011298AC(_t500 - 0x16c, "zoremov.com");
      						_t533 = _t531 + 0xc - 0x18;
      						 *((char*)(_t500 - 4)) = 0x22;
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t533;
      						E011299A0(_t533, E01124262(_t337, _t533, _t500 - 0x16c, "bi.", 3));
      						_t340 = E01140401(1, _t500 - 0x118, _t488);
      						_t534 = _t533 - 0x18;
      						E011298AC(_t534, "api/report/install");
      						_t342 = E01140431(1, _t340, _t488);
      						 *((intOrPtr*)(_t500 - 0x11c)) = _t534 - 0x18;
      						E011298AC(_t534 - 0x18, "application/x-www-form-urlencoded");
      						 *((char*)(_t500 - 4)) = 0x23;
      						E011298AC(_t534, "Content-Type");
      						 *((char*)(_t500 - 4)) = 0x22;
      						 *((char*)(E01140514(1, _t342, _t480, _t488, __eflags) + 0x94)) = 1;
      						__eflags =  *((intOrPtr*)(_t500 - 0x24)) - 0x10;
      						_t466 =  >=  ?  *((void*)(_t500 - 0x38)) : _t500 - 0x38;
      						E01140461(_t345, _t345,  >=  ?  *((void*)(_t500 - 0x38)) : _t500 - 0x38,  *((intOrPtr*)(_t500 - 0x28)));
      						 *((char*)(_t500 - 4)) = 0x21;
      						E01129AC1(_t500 - 0x16c);
      						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t500 - 0x124)))) + 4))(_t500 - 0x118);
      						E01140BCF(_t500 - 0x1d4, _t500 - 0x1d4);
      						E011403B6(_t500 - 0x118, _t500 - 0x1d4);
      						E01129AC1(_t500 - 0x38);
      						E0113410D(_t500 - 0x20, _t500 - 0x1d4, _t342);
      						E01129AC1(_t500 - 0x50);
      						E01129AC1(_t500 - 0x68);
      						E0113AC23(_t500 - 0x14);
      						E01129AC1(_t500 + 8);
      						E01129AC1(_t500 + 0x20);
      						return E01143D3B(E01129AC1(_t500 + 0x40), 1, _t488, _t500 - 0x1d4);
      					} else {
      						__imp__#1511();
      						_t368 = 0x18;
      						 *(_t500 - 0x18) = _t213;
      						 *((char*)(_t500 - 4)) = 4;
      						if(_t213 != 0) {
      							_push("missing component type, use REGISTER_COMPONENT() to register");
      							L10:
      							_t368 = _t213;
      							_t362 = E011298AC(_t368);
      						}
      						L11:
      						_push(0x1156040);
      						 *((char*)(_t500 - 4)) = 2;
      						_push(_t500 - 0x124);
      						 *((intOrPtr*)(_t500 - 0x124)) = _t362;
      						L01145637();
      						asm("int3");
      						E01143D5D(E011488F2, _t362, _t486, 0xc);
      						_t487 = _t368;
      						 *(_t500 - 0x14) = _t487;
      						_t363 = 0;
      						 *(_t500 - 0x18) = _t487;
      						 *((intOrPtr*)(_t500 - 0x10)) = 0;
      						 *((intOrPtr*)(_t500 - 4)) = 2;
      						E011298AC(_t368, 0x114c098);
      						 *((intOrPtr*)(_t500 - 0x10)) = 1;
      						if( *((intOrPtr*)(_t500 + 0x18)) > 0) {
      							do {
      								_t491 =  >=  ?  *((void*)(_t500 + 8)) : _t500 + 8;
      								_t372 =  >=  ?  *((void*)(_t500 + 0x20)) : _t500 + 0x20;
      								E011294AE(_t487, ( *(_t363 %  *(_t500 + 0x30) + ( >=  ?  *((void*)(_t500 + 0x20)) : _t500 + 0x20)) ^  *(( >=  ?  *((void*)(_t500 + 8)) : _t500 + 8) + _t363)) & 0x000000ff);
      								_t363 = _t363 + 1;
      							} while (_t363 <  *((intOrPtr*)(_t500 + 0x18)));
      						}
      						E01129AC1(_t500 + 8);
      						E01129AC1(_t500 + 0x20);
      						return E01143D26(_t487);
      					}
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01137669
      • #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
      • _Xtime_get_ticks.MSVCP140 ref: 011376CA
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
      • #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137D6A
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$ExceptionH_prolog3_ThrowUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@
      • String ID: !$Content-Type$api/report/install$appId$application/x-www-form-urlencoded$bi.$clientTimestamp$componentType$emid$event_name$file$func$hash$infoJson$installer_reports$level$line$message$messageNumber$missing component name, use REGISTER_COMPONENT() to register$missing component type, use REGISTER_COMPONENT() to register$name$sessionId$version$zoremov.com
      • API String ID: 739770641-3562240208
      • Opcode ID: bc790b4da2485d6fbb1b23f80bb4b22937d86f1d0801874dc1c4b00466ebb03a
      • Instruction ID: 7e20724c4078e9dce22ea224d83c07b5ccd1c8b2efd3741bc6ed05c9d11ca68b
      • Opcode Fuzzy Hash: bc790b4da2485d6fbb1b23f80bb4b22937d86f1d0801874dc1c4b00466ebb03a
      • Instruction Fuzzy Hash: 3D126A3090026DEBDF1CFBA8C955BEDBBB4AF65308F54409CE44567281DBB41B58CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E0112AB52() {
      				int _t117;
      				signed int _t121;
      				intOrPtr _t125;
      				void* _t136;
      				void* _t142;
      				intOrPtr _t149;
      				void* _t156;
      				void* _t158;
      				void* _t160;
      				void* _t173;
      				void* _t177;
      				void* _t189;
      				void* _t191;
      				char* _t193;
      				int _t194;
      				intOrPtr _t195;
      				void* _t196;
      				signed int _t200;
      				signed int _t202;
      				void* _t248;
      				void* _t260;
      				void* _t263;
      				void* _t265;
      				intOrPtr _t266;
      				void* _t269;
      				void* _t270;
      				intOrPtr* _t272;
      				void* _t274;
      				void* _t275;
      				void* _t277;
      				void* _t282;
      
      				E01143D91(E01146653, _t191, _t260, 0x570);
      				 *((intOrPtr*)(_t269 - 0x530)) = _t195;
      				_t196 = _t269 - 0x2a8;
      				 *((intOrPtr*)(_t269 - 0x52c)) =  *((intOrPtr*)(_t269 + 8));
      				E0112A53A(_t191, _t196, _t248, _t260, _t282);
      				 *((intOrPtr*)(_t269 - 4)) = 0;
      				_t117 = E0112BCCF(_t269 - 0x290, 6);
      				__imp___time64(0, _t196);
      				srand(_t117);
      				_t119 =  >=  ?  *((void*)(_t269 - 0x290)) : _t269 - 0x290;
      				 *((intOrPtr*)(_t269 - 0x534)) = 6;
      				_t193 =  >=  ?  *((void*)(_t269 - 0x290)) : _t269 - 0x290;
      				do {
      					_t200 = 9;
      					_t265 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
      					memcpy(_t269 - 0x38, _t265, _t200 << 2);
      					_t270 = _t270 + 0xc;
      					_t263 = _t265 + _t200 + _t200;
      					asm("movsb");
      					_t121 = rand();
      					_t202 = 0x24;
      					_t250 = _t121 % _t202;
      					 *_t193 =  *((intOrPtr*)(_t269 + _t121 % _t202 - 0x38));
      					_t125 =  *((intOrPtr*)(_t269 - 0x534)) - 1;
      					_t193 = _t193 + 1;
      					 *((intOrPtr*)(_t269 - 0x534)) = _t125;
      				} while (_t125 != 0);
      				 *((char*)(_t269 - 4)) = 1;
      				E011298AC(_t269 - 0x2c0, "applift.exe");
      				 *((char*)(_t269 - 4)) = 2;
      				E01129A21(_t269 - 0x278, _t269 - 0x2a8);
      				 *((char*)(_t269 - 4)) = 3;
      				E0112B15A(_t193, _t269 - 0x278, _t263);
      				E0112B15A(_t193, _t269 - 0x278, _t263);
      				_t194 = 0;
      				memset(_t269 - 0x240, 0, 0x208);
      				_t136 = E0112A1C9(_t269 - 0x278, _t269 - 0x260);
      				 *((char*)(_t269 - 4)) = 4;
      				E0112A50B(0, _t136, _t250, _t263, _t265);
      				 *((char*)(_t269 - 4)) = 3;
      				E01129A96(_t269 - 0x260);
      				GetModuleFileNameW(0, _t269 - 0x240, 0x104);
      				_t142 = E0112A1C9(_t269 - 0x278, _t269 - 0x260);
      				 *((char*)(_t269 - 4)) = 5;
      				E01129A21(_t269 - 0x54c, _t142);
      				 *((char*)(_t269 - 4)) = 6;
      				E0113D490(0, _t269 - 0x54c, _t263);
      				E01129A96(_t269 - 0x54c);
      				 *((char*)(_t269 - 4)) = 3;
      				E01129A96(_t269 - 0x260);
      				_t148 =  >=  ?  *((void*)(_t269 - 0x278)) : _t269 - 0x278;
      				_t149 = _t269 - 0x528;
      				 *(_t269 - 0x528) = 0;
      				__imp___wfopen_s(_t149,  >=  ?  *((void*)(_t269 - 0x278)) : _t269 - 0x278, L"wb+", _t269 - 0x2c0, _t269 - 0x290);
      				_t272 = _t270 + 0x18;
      				if(_t149 == 0) {
      					L7:
      					E0113F89F(_t269 - 0x35c);
      					_t266 =  *((intOrPtr*)(_t269 - 0x52c));
      					 *((char*)(_t269 - 4)) = 8;
      					if(E0113F962(_t269 - 0x35c, _t263, _t266, _t266) != 0) {
      						memset(_t269 - 0x40c, _t194, 0xb0);
      						E01140250(_t194, _t269 - 0x40c, _t263);
      						_t274 = _t272 + 0xc - 0x18;
      						 *((char*)(_t269 - 4)) = 0xa;
      						E0113FAA4(_t194, _t274, _t269 - 0x33c, _t263);
      						_t156 = E01140401(_t194, _t269 - 0x40c, _t263);
      						_t158 = E01122D52(_t269 - 0x2f0, _t269 - 0x260, 1);
      						_t275 = _t274 - 0x18;
      						 *((char*)(_t269 - 4)) = 0xb;
      						E0113FAA4(_t194, _t275, _t158, _t263);
      						_t160 = E01140431(_t194, _t156, _t263);
      						 *((char*)(_t269 - 4)) = 0xa;
      						 *(_t160 + 0x90) =  *(_t269 - 0x528);
      						E01129A96(_t269 - 0x260);
      						asm("xorps xmm0, xmm0");
      						asm("movlpd [ebp-0x248], xmm0");
      						E0113416D(_t194, _t269 - 0x248, _t263);
      						 *((char*)(_t269 - 4)) = 0xc;
      						memset(_t269 - 0x474, _t194, 0x68);
      						 *((intOrPtr*)( *( *(_t269 - 0x244)) + 4))(_t269 - 0x474, _t269 - 0x40c, 0xffffffff);
      						 *((char*)(_t269 - 4)) = 0xd;
      						fclose( *(_t269 - 0x528));
      						_t264 =  *((intOrPtr*)(_t269 - 0x530));
      						_t277 = _t275 + 0xc - 0x14;
      						E011298AC(_t277, "UPDATE");
      						E01141B09(_t194,  *((intOrPtr*)( *((intOrPtr*)(_t269 - 0x530)) + 0x10)) + 0xc,  *((intOrPtr*)(_t269 - 0x530)));
      						E0112AB20(_t269 - 0x524,  *((intOrPtr*)( *((intOrPtr*)(_t269 - 0x530)) + 0x10)) + 0xc);
      						E0112A5E2(_t194, _t269 - 0x524,  *((intOrPtr*)(_t269 - 0x530)));
      						 *((char*)(_t269 - 4)) = 0xe;
      						_push(E0112A6C6(_t264));
      						_t173 = E011298AC(_t269 - 0x57c, "zoremov.com");
      						_t278 = _t277 - 0x18;
      						 *((char*)(_t269 - 4)) = 0xf;
      						 *((intOrPtr*)(_t269 - 0x530)) = _t277 - 0x18;
      						E011237C8(_t277 - 0x18, "bi.", _t173);
      						 *((char*)(_t269 - 4)) = 0x10;
      						E011298AC(_t278 - 0x14, "api/report/install");
      						 *((char*)(_t269 - 4)) = 0xf;
      						_push(_t269 - 0x564);
      						_t177 = E01141F3F(_t194, _t269 - 0x524, "bi.", _t264);
      						 *((char*)(_t269 - 4)) = 0x11;
      						E011237C8(_t269 - 0x2c, "Entered updateStart (update_log) - ", _t177);
      						E01129AC1(_t269 - 0x564);
      						 *((char*)(_t269 - 4)) = 0x14;
      						E01129AC1(_t269 - 0x57c);
      						E0112BA52(_t269 - 0x260, L"-install");
      						 *((char*)(_t269 - 4)) = 0x15;
      						E01121490(_t269 - 0x278, _t269 - 0x54c);
      						 *((char*)(_t269 - 4)) = 0x16;
      						E01142132(_t194, _t269 - 0x54c, _t269 - 0x260, _t264);
      						E011214A3(_t269 - 0x54c);
      						E011214A3(_t269 - 0x260);
      						ExitProcess(_t194);
      					}
      					_push(_t266);
      					E0112374F(_t194, _t269 - 0x260, L"Failed to split URL ", _t263);
      					 *((char*)(_t269 - 4)) = 9;
      					E0113FAA4(_t194, _t269 - 0x54c, _t269 - 0x260, _t263);
      					 *_t272 = 0x1156050;
      					_t189 = _t269 - 0x54c;
      					L6:
      					_push(_t189);
      					L01145637();
      					goto L7;
      				}
      				__imp__#1511(0x18);
      				 *((intOrPtr*)(_t269 - 0x530)) = _t149;
      				 *((char*)(_t269 - 4)) = 7;
      				if(_t149 != 0) {
      					_t194 = E011298AC(_t149, "Could not open new temporary file\n");
      				}
      				 *((char*)(_t269 - 4)) = 3;
      				_t189 = _t269 - 0x244;
      				 *(_t269 - 0x244) = _t194;
      				_push(0x1156040);
      				goto L6;
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112AB5C
        • Part of subcall function 0112A53A: __EH_prolog3_GS.LIBCMT ref: 0112A541
        • Part of subcall function 0112A53A: ___std_fs_get_temp_path@4.LIBCPMT ref: 0112A592
        • Part of subcall function 0112BCCF: memset.VCRUNTIME140(?,00000000,?,?,?,?), ref: 0112BCF1
      • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000006,?,00000570,0112AB1A,?,00000000,updateUrl,false,?,isUpdated), ref: 0112AB8F
      • srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,?,00000570,0112AB1A,?,00000000,updateUrl,false,?,isUpdated), ref: 0112AB96
      • rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 0112ABCC
      • memset.VCRUNTIME140(?,00000000,00000208,?,?,?,applift.exe), ref: 0112AC52
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0112AC93
      • _wfopen_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,wb+), ref: 0112AD0B
      • #1511.MFC140U(00000018,?,?,00000000), ref: 0112AD1A
      • memset.VCRUNTIME140(?,00000000,000000B0,?,?,00000000), ref: 0112ADB9
        • Part of subcall function 01140250: __EH_prolog3.LIBCMT ref: 01140257
        • Part of subcall function 01140401: __EH_prolog3.LIBCMT ref: 01140408
        • Part of subcall function 01140431: __EH_prolog3.LIBCMT ref: 01140438
        • Part of subcall function 0113416D: __EH_prolog3.LIBCMT ref: 01134174
        • Part of subcall function 0113416D: #1511.MFC140U(00000010,00000004,011364A5,0000000C,011214FC), ref: 0113418F
        • Part of subcall function 0113416D: #1511.MFC140U(0000000C), ref: 011341B7
        • Part of subcall function 0113416D: curl_multi_init.LIBCURL ref: 011341D4
      • _CxxThrowException.VCRUNTIME140(?,?,?,?,00000000), ref: 0112AD53
        • Part of subcall function 0113FAA4: __EH_prolog3_GS.LIBCMT ref: 0113FAAB
        • Part of subcall function 0113FAA4: memset.VCRUNTIME140(?,00000000,00000050,00000058,0113D3A4,?), ref: 0113FAC2
      • memset.VCRUNTIME140(?,00000000,00000068), ref: 0112AE59
      • fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 0112AE84
        • Part of subcall function 01141B09: __EH_prolog3.LIBCMT ref: 01141B10
        • Part of subcall function 0112AB20: memset.VCRUNTIME140(?,00000000,000000B0,0112AEB6,?,UPDATE), ref: 0112AB28
        • Part of subcall function 0112A5E2: __EH_prolog3.LIBCMT ref: 0112A5E9
        • Part of subcall function 01141F3F: __EH_prolog3.LIBCMT ref: 01141F46
        • Part of subcall function 01142132: __EH_prolog3_GS.LIBCMT ref: 0114213C
        • Part of subcall function 01142132: memset.VCRUNTIME140(?,00000000,00000044,00000000,00000000,?,0000017C,0112AF8B), ref: 0114228E
      • ExitProcess.KERNEL32 ref: 0112AFA5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3memset$H_prolog3_$#1511$ExceptionExitFileModuleNameProcessThrow___std_fs_get_temp_path@4_time64_wfopen_scurl_multi_initfcloserandsrand
      • String ID: -install$ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$Could not open new temporary file$Entered updateStart (update_log) - $Failed to split URL $UPDATE$api/report/install$applift.exe$bi.$wb+$zoremov.com
      • API String ID: 275469501-2534391753
      • Opcode ID: dd9072bd46f25d3e09a09fed14c3715c29a71b7bc72ca1b4e50e2378cd3dda1f
      • Instruction ID: 99491b2231ddb042a116ccde67acb3043709a0e93a5562cc62a93efd7e62afe9
      • Opcode Fuzzy Hash: dd9072bd46f25d3e09a09fed14c3715c29a71b7bc72ca1b4e50e2378cd3dda1f
      • Instruction Fuzzy Hash: 5AC15730904269DBDF28EB64DD98BDEBBB8AF24308F0441E9D509A3181EB745B88CF51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 85%
      			E01130EE6(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
      				void* _t137;
      				intOrPtr _t146;
      				void* _t148;
      				void* _t150;
      				void* _t153;
      				void* _t157;
      				void* _t161;
      				void* _t165;
      				void* _t185;
      				void* _t190;
      				void* _t208;
      				void* _t224;
      				void* _t234;
      				void* _t235;
      				signed int _t322;
      				void* _t338;
      				void* _t339;
      				intOrPtr _t340;
      				intOrPtr _t341;
      				void* _t342;
      				intOrPtr _t344;
      				void* _t345;
      				intOrPtr _t346;
      				void* _t347;
      				intOrPtr _t348;
      				void* _t349;
      				intOrPtr _t350;
      				void* _t351;
      				intOrPtr _t352;
      				void* _t353;
      				intOrPtr _t354;
      				void* _t355;
      				void* _t356;
      				intOrPtr _t358;
      				void* _t359;
      				intOrPtr _t360;
      				intOrPtr _t363;
      				intOrPtr _t364;
      				void* _t365;
      				intOrPtr _t366;
      				intOrPtr _t367;
      				void* _t368;
      				intOrPtr _t369;
      				void* _t372;
      
      				_t372 = __eflags;
      				_t235 = __ecx;
      				E01143D91(E011478D8, __ebx, __edi, 0x38c);
      				_t234 = _t235;
      				_t340 = _t339 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x368)) = _t340;
      				E011298AC(_t340, "Fetching update actions");
      				 *(_t338 - 4) =  *(_t338 - 4) & 0x00000000;
      				_t322 = 2;
      				_push(_t322);
      				_push(0x234);
      				_t341 = _t340 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x364)) = _t341;
      				E011298AC(_t341, "void __thiscall InstPC::IPCService::update(void)");
      				_t342 = _t341 - 0x18;
      				 *(_t338 - 4) = 1;
      				E011298AC(_t342, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      				 *(_t338 - 4) =  *(_t338 - 4) | 0xffffffff;
      				E0113765F(_t234,  *((intOrPtr*)(_t234 + 8)), _t322);
      				memset(_t338 - 0x2ac, 0, 0xb0);
      				E01131CE4(_t234, _t338 - 0x2ac, _t322);
      				 *(_t338 - 4) = _t322;
      				_t137 = E011238AC(_t234, _t338 - 0x29c, "srv.", _t322);
      				_t323 = "zoremov.com";
      				_t319 = "zoremov.com";
      				E011238AC(_t234, _t137, "zoremov.com", "zoremov.com");
      				E011298E1(_t338 - 0xb4, 0x115a0cc);
      				 *(_t338 - 4) = 3;
      				E011298AC(_t338 - 0x9c, "1248");
      				 *(_t338 - 4) = 4;
      				E011298AC(_t338 - 0x84, "GS_ABE_LABS_LTD_SIGNATURE");
      				 *(_t338 - 4) = 5;
      				E011298AC(_t338 - 0x6c, "zoremov");
      				 *(_t338 - 4) = 6;
      				memset(_t338 - 0x1fc, 0, 0xb0);
      				E01140250(_t234, _t338 - 0x1fc, "zoremov.com");
      				_t344 = _t342 + 0xc - 0x18;
      				 *(_t338 - 4) = 7;
      				_t146 = _t344;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t146;
      				_push(_t146);
      				E01131D62(_t234, _t338 - 0x294, "zoremov.com");
      				_t148 = E01140401(_t234, _t338 - 0x1fc, _t323);
      				_t345 = _t344 - 0x18;
      				E011298AC(_t345, "up/update/check");
      				_t150 = E01140431(_t234, _t148, _t323);
      				_t346 = _t345 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t346;
      				 *((intOrPtr*)(_t338 - 0x364)) = _t346;
      				E011298E1(_t346, 0x115a0b4);
      				_t347 = _t346 - 0x18;
      				 *(_t338 - 4) = 8;
      				E011298AC(_t347, "e");
      				 *(_t338 - 4) = 7;
      				_t153 = E0114048D(_t234, _t150, "zoremov.com", _t323);
      				_t348 = _t347 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t348;
      				E011298E1(_t348, _t338 - 0xb4);
      				_t349 = _t348 - 0x18;
      				 *(_t338 - 4) = 9;
      				E011298AC(_t349, "a");
      				 *(_t338 - 4) = 7;
      				_t157 = E0114048D(_t234, _t153, "zoremov.com", _t323);
      				_t350 = _t349 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t350;
      				E011298E1(_t350, _t338 - 0x9c);
      				_t351 = _t350 - 0x18;
      				 *(_t338 - 4) = 0xa;
      				E011298AC(_t351, "c");
      				 *(_t338 - 4) = 7;
      				_t161 = E0114048D(_t234, _t157, "zoremov.com", _t323);
      				_t352 = _t351 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t352;
      				E011298E1(_t352, _t338 - 0x6c);
      				_t353 = _t352 - 0x18;
      				 *(_t338 - 4) = 0xb;
      				E011298AC(_t353, "bn");
      				 *(_t338 - 4) = 7;
      				_t165 = E0114048D(_t234, _t161, "zoremov.com", _t323);
      				_t354 = _t353 - 0x18;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t354;
      				E011298E1(_t354, _t338 - 0x84);
      				 *(_t338 - 4) = 0xc;
      				_t355 = _t354 - 0x18;
      				E011298AC(_t355, "s");
      				 *(_t338 - 4) = 7;
      				E0114048D(_t234, _t165, "zoremov.com", _t323);
      				_push(_t338 - 0x1fc);
      				_push(_t338 - 0xe4);
      				E011336CD(_t234, _t323);
      				 *(_t338 - 4) = 0xd;
      				memset(_t338 - 0x14c, 0, 0x68);
      				_t356 = _t355 - 0xa4;
      				_push(_t338 - 0x1fc);
      				E011402FB(_t234, _t356, _t319, _t323);
      				_push(_t338 - 0x14c);
      				L01130292(_t234, _t234, _t323);
      				 *(_t338 - 4) = 0xe;
      				E011298E1(_t338 - 0x54, _t338 - 0x148);
      				 *(_t338 - 4) = 0xf;
      				E0112F38E(_t234, _t234, _t319, _t323, _t372);
      				memset(_t338 - 0x35c, 0, 0xb0);
      				E0112A5E2(_t234, _t338 - 0x35c, _t323);
      				 *(_t338 - 4) = 0x10;
      				_push( *((intOrPtr*)(_t234 + 0x2c)));
      				_t185 = E011298AC(_t338 - 0x380, _t323);
      				_t358 = _t356 + 0xc - 0x18;
      				 *(_t338 - 4) = 0x11;
      				 *((intOrPtr*)(_t338 - 0x360)) = _t358;
      				 *((intOrPtr*)(_t338 - 0x364)) = _t358;
      				E011299A0(_t358, E01124262(_t185, _t358, _t338 - 0x380, "bi.", 3));
      				_t359 = _t358 - 0x18;
      				 *(_t338 - 4) = 0x12;
      				E011298AC(_t359, "api/report/install");
      				 *(_t338 - 4) = 0x11;
      				_push(_t338 - 0x398);
      				_t190 = E01141F3F(_t234, _t338 - 0x35c, _t319, _t323);
      				 *(_t338 - 4) = 0x13;
      				E011299A0(_t338 - 0xcc, E01124262(_t190, _t358, _t338 - 0x35c, "Entered Check update needed (update_log) - ", 0x2b));
      				E01129AC1(_t338 - 0x398);
      				 *(_t338 - 4) = 0x16;
      				E01129AC1(_t338 - 0x380);
      				_t373 =  *((intOrPtr*)(_t338 - 0x44));
      				if( *((intOrPtr*)(_t338 - 0x44)) == 0) {
      					_t360 = _t359 - 0x18;
      					 *((intOrPtr*)(_t338 - 0x360)) = _t360;
      					E011298AC(_t360, "No update actions waiting");
      					_push(2);
      					_push(0x262);
      					 *(_t338 - 4) = 0x20;
      					 *((intOrPtr*)(_t338 - 0x364)) = _t360 - 0x18;
      					E011298AC(_t360 - 0x18, "void __thiscall InstPC::IPCService::update(void)");
      					 *(_t338 - 4) = 0x21;
      					E011298AC(_t360, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t338 - 4) = 0x16;
      					E0113765F(_t234,  *((intOrPtr*)(_t234 + 8)), _t323);
      				} else {
      					E011298E1(_t338 - 0x3c, _t338 - 0x54);
      					_t363 = _t359 - 0x18;
      					 *(_t338 - 4) = 0x17;
      					 *((intOrPtr*)(_t338 - 0x360)) = _t363;
      					_push(_t338 - 0x3c);
      					E011237FA(_t234, _t363, "Got update configuration ", _t323);
      					_push(2);
      					_push(0x258);
      					_t364 = _t363 - 0x18;
      					 *(_t338 - 4) = 0x18;
      					 *((intOrPtr*)(_t338 - 0x364)) = _t364;
      					E011298AC(_t364, "void __thiscall InstPC::IPCService::update(void)");
      					_t365 = _t364 - 0x18;
      					 *(_t338 - 4) = 0x19;
      					E011298AC(_t365, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t338 - 4) = 0x17;
      					E0113765F(_t234,  *((intOrPtr*)(_t234 + 8)), _t323);
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					E0112A6CA(_t234, _t338 - 0x24, "Got update configuration ", _t338 - 0x24);
      					_t366 = _t365 - 0x18;
      					 *(_t338 - 4) = 0x1a;
      					 *((intOrPtr*)(_t338 - 0x360)) = _t366;
      					 *((intOrPtr*)(_t338 - 0x14)) =  *((intOrPtr*)(_t234 + 0x2c));
      					E011298AC(_t366, "Starting update");
      					_t367 = _t366 - 0x18;
      					 *(_t338 - 4) = 0x1b;
      					 *((intOrPtr*)(_t338 - 0x364)) = _t367;
      					_t323 = "void __thiscall InstPC::IPCService::update(void)";
      					E011298AC(_t367, "void __thiscall InstPC::IPCService::update(void)");
      					_t368 = _t367 - 0x18;
      					 *(_t338 - 4) = 0x1c;
      					E011298AC(_t368, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t338 - 4) = 0x1a;
      					E0113765F(_t234,  *((intOrPtr*)(_t234 + 8)), "void __thiscall InstPC::IPCService::update(void)");
      					_t319 = _t338 - 0x3c;
      					_t224 = E01136637(_t234, _t338 - 0x380, _t338 - 0x3c, "void __thiscall InstPC::IPCService::update(void)");
      					 *(_t338 - 4) = 0x1d;
      					E0112A80E(_t234, _t338 - 0x24, _t338 - 0x3c, "void __thiscall InstPC::IPCService::update(void)", _t224, 0x25c, 2);
      					 *(_t338 - 4) = 0x1a;
      					E01129A96(_t338 - 0x380);
      					_t369 = _t368 - 0x18;
      					 *((intOrPtr*)(_t338 - 0x360)) = _t369;
      					E011298AC(_t369, "Update completed");
      					_push(2);
      					_push(0x25f);
      					 *(_t338 - 4) = 0x1e;
      					 *((intOrPtr*)(_t338 - 0x364)) = _t369 - 0x18;
      					E011298AC(_t369 - 0x18, "void __thiscall InstPC::IPCService::update(void)");
      					 *(_t338 - 4) = 0x1f;
      					E011298AC(_t369, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t338 - 4) = 0x1a;
      					E0113765F(_t234,  *((intOrPtr*)(_t234 + 8)), _t323);
      					E0112A7C5(_t234, _t338 - 0x24, _t338 - 0x3c, _t323);
      					E01129AC1(_t338 - 0x3c);
      				}
      				E01129AC1(_t338 - 0xcc);
      				E0112A67D(_t234, _t338 - 0x35c, _t319, _t323, _t373);
      				E01129AC1(_t338 - 0x54);
      				E01140BCF(_t338 - 0x14c, _t319);
      				E01129AC1(_t338 - 0xe4);
      				E011403B6(_t338 - 0x1fc, _t319);
      				E01129AC1(_t338 - 0x6c);
      				E01129AC1(_t338 - 0x84);
      				E01129AC1(_t338 - 0x9c);
      				_t208 = E01129AC1(_t338 - 0xb4);
      				E0112D3A9();
      				__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
      				return E01143D3B(_t208, _t234, _t323);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01130EF0
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      • memset.VCRUNTIME140(?,00000000,000000B0,C:\git\modular-installer\kernel\IPCService.cpp), ref: 01130F5E
        • Part of subcall function 01131CE4: __EH_prolog3.LIBCMT ref: 01131CEB
        • Part of subcall function 01131CE4: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,00000010,?,?,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068), ref: 01131D09
        • Part of subcall function 01131CE4: ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809,?), ref: 01131D21
        • Part of subcall function 01131CE4: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809,?,?), ref: 01131D44
        • Part of subcall function 011238AC: __EH_prolog3_catch.LIBCMT ref: 011238B3
        • Part of subcall function 011238AC: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123A06
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123957
        • Part of subcall function 011238AC: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123980
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 011239AA
      • memset.VCRUNTIME140(?,00000000,000000B0,zoremov,GS_ABE_LABS_LTD_SIGNATURE,1248,0115A0CC,00000000,000000B0,C:\git\modular-installer\kernel\IPCService.cpp), ref: 01130FE7
        • Part of subcall function 01140250: __EH_prolog3.LIBCMT ref: 01140257
        • Part of subcall function 01131D62: __EH_prolog3.LIBCMT ref: 01131D69
        • Part of subcall function 01140401: __EH_prolog3.LIBCMT ref: 01140408
        • Part of subcall function 01140431: __EH_prolog3.LIBCMT ref: 01140438
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 0114048D: __EH_prolog3.LIBCMT ref: 01140494
        • Part of subcall function 011336CD: __EH_prolog3.LIBCMT ref: 011336D7
      • memset.VCRUNTIME140(?,00000000,00000068,?,?,0114BD58), ref: 0113116E
        • Part of subcall function 011402FB: __EH_prolog3.LIBCMT ref: 01140302
        • Part of subcall function 0112F38E: __EH_prolog3_GS.LIBCMT ref: 0112F398
      • memset.VCRUNTIME140(?,00000000,000000B0,?,?,?), ref: 011311C1
        • Part of subcall function 0112A5E2: __EH_prolog3.LIBCMT ref: 0112A5E9
        • Part of subcall function 01124262: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?,00000000,?,?), ref: 011242B5
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?), ref: 011242BF
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(01133C49,01133C49,000000EC,?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?), ref: 011242D5
        • Part of subcall function 01141F3F: __EH_prolog3.LIBCMT ref: 01141F46
      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(C:\git\modular-installer\kernel\IPCService.cpp), ref: 011314BA
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: _Xtime_get_ticks.MSVCP140 ref: 011376CA
        • Part of subcall function 0113765F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
        • Part of subcall function 0112A6CA: __EH_prolog3.LIBCMT ref: 0112A6D1
        • Part of subcall function 01136637: __EH_prolog3_GS.LIBCMT ref: 0113663E
        • Part of subcall function 01136637: memset.VCRUNTIME140(?,00000000,00000050,00000058,01121E5A), ref: 01136655
        • Part of subcall function 0112A80E: __EH_prolog3_GS.LIBCMT ref: 0112A818
        • Part of subcall function 0112A80E: memset.VCRUNTIME140(?,00000000,000000B0,has_updated), ref: 0112A97C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$U?$char_traits@$D@std@@@std@@$memset$H_prolog3_$memcpy$?sputc@?$basic_streambuf@$#1511??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@?setstate@?$basic_ios@?sputn@?$basic_streambuf@D@std@@@1@@ExceptionH_prolog3_catchThrowUnothrow_t@std@@@V?$basic_streambuf@Xtime_get_ticks__ehfuncinfo$??2@memmove
      • String ID: !$1248$C:\git\modular-installer\kernel\IPCService.cpp$Entered Check update needed (update_log) - $Fetching update actions$GS_ABE_LABS_LTD_SIGNATURE$Got update configuration $No update actions waiting$Starting update$Update completed$api/report/install$bi.$srv.$up/update/check$void __thiscall InstPC::IPCService::update(void)$zoremov$zoremov.com
      • API String ID: 1536577114-3931974969
      • Opcode ID: 65dce7b92519052f7551a726c81fa93d87d30776d73044a178996545765434d8
      • Instruction ID: 1e3eba2df51691b3afee567128d26fded759b11a54ff894fc42743b4545c76a0
      • Opcode Fuzzy Hash: 65dce7b92519052f7551a726c81fa93d87d30776d73044a178996545765434d8
      • Instruction Fuzzy Hash: F3E1AA20E0126DEBCF1DF7A8C916BDCBB74AB65B08F5480D8E00577281DBB51F189B92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0112CE12(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
      				void* _t159;
      				signed int _t167;
      				void* _t175;
      				void* _t176;
      				void* _t185;
      				void* _t196;
      				signed int _t199;
      				intOrPtr _t211;
      				intOrPtr* _t212;
      				signed int _t216;
      				intOrPtr _t217;
      				intOrPtr _t220;
      				void* _t281;
      				void* _t288;
      				intOrPtr _t290;
      				intOrPtr _t309;
      				void* _t315;
      				intOrPtr _t318;
      				intOrPtr _t320;
      				void* _t321;
      				void* _t322;
      				void* _t323;
      				intOrPtr _t324;
      				intOrPtr _t325;
      				void* _t326;
      				intOrPtr _t327;
      				intOrPtr _t330;
      				intOrPtr _t331;
      				void* _t332;
      				intOrPtr _t333;
      				intOrPtr _t334;
      				void* _t335;
      				intOrPtr _t336;
      				intOrPtr _t337;
      
      				_t220 = __ecx;
      				E01143D91(E01146BE2, __ebx, __edi, 0x1a8);
      				_t307 = _t220;
      				 *((intOrPtr*)(_t322 - 0x16c)) = _t307;
      				_t313 =  *((intOrPtr*)(_t307 + 8));
      				_t324 = _t323 - 0x18;
      				 *((intOrPtr*)(_t322 - 0x14)) = _t324;
      				E011298AC(_t324, "Running actions - start");
      				 *(_t322 - 4) =  *(_t322 - 4) & 0x00000000;
      				_push(2);
      				_push(0x59);
      				_t325 = _t324 - 0x18;
      				 *((intOrPtr*)(_t322 - 0x170)) = _t325;
      				E011298AC(_t325, "void __thiscall InstPC::InstallerConfiguration::run(void)");
      				_t326 = _t325 - 0x18;
      				 *(_t322 - 4) = 1;
      				E011298AC(_t326, "C:\\git\\modular-installer\\kernel\\InstallerConfiguration.cpp");
      				 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
      				E0113765F(__ebx,  *((intOrPtr*)(_t307 + 8)), _t307);
      				_t216 = 0;
      				asm("cdq");
      				 *(_t322 - 0x168) = 0;
      				if(( *((intOrPtr*)(_t307 + 0x28)) -  *((intOrPtr*)(_t307 + 0x24))) / 0xa8 != 0) {
      					while(1) {
      						memset(_t322 - 0xb4, 0, 0x98);
      						E01122ED0(_t216, _t322 - 0xb4, _t307);
      						 *(_t322 - 4) = 2;
      						E01123A5E(_t216, _t322 - 0xb4, L"Running actions - module ", _t307);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z(_t216);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      						_t315 = E0112DCE1(_t322 - 0x1b4, _t216,  *((intOrPtr*)(_t307 + 8)), _t313);
      						 *(_t322 - 4) = 3;
      						_t159 = E011298AC(_t322 - 0x194, "Running actions - module ");
      						_t330 = _t326 - 0x18;
      						 *(_t322 - 4) = 4;
      						 *((intOrPtr*)(_t322 - 0x14)) = _t330;
      						E0112DA56(_t330, _t159, _t315);
      						_push(2);
      						_push(0x60);
      						_t331 = _t330 - 0x18;
      						 *(_t322 - 4) = 5;
      						 *((intOrPtr*)(_t322 - 0x170)) = _t331;
      						E011298AC(_t331, "void __thiscall InstPC::InstallerConfiguration::run(void)");
      						_t332 = _t331 - 0x18;
      						 *(_t322 - 4) = 6;
      						E011298AC(_t332, "C:\\git\\modular-installer\\kernel\\InstallerConfiguration.cpp");
      						 *(_t322 - 4) = 4;
      						E0113765F(_t216,  *((intOrPtr*)(_t307 + 8)),  *((intOrPtr*)(_t307 + 8)));
      						E01129AC1(_t322 - 0x194);
      						 *(_t322 - 4) = 2;
      						E01129AC1(_t322 - 0x1b4);
      						_t309 =  *((intOrPtr*)(_t322 - 0x16c));
      						_t167 =  *((intOrPtr*)(_t309 + 0x28)) -  *((intOrPtr*)(_t309 + 0x24));
      						asm("cdq");
      						_t168 = _t167 / 0xa8;
      						_t340 = _t167 / 0xa8 - _t216;
      						if(_t167 / 0xa8 <= _t216) {
      							break;
      						}
      						 *((intOrPtr*)(_t322 - 0x170)) = _t216 * 0xa8 +  *((intOrPtr*)(_t309 + 0x24));
      						_t318 = E01121DDD(_t216, _t216 * 0xa8 +  *((intOrPtr*)(_t309 + 0x24)), _t309, _t340);
      						 *((intOrPtr*)(_t322 - 0x14)) = _t318;
      						E01123A5E(_t216, _t322 - 0xb4, L"Running actions - module finished with return code ", _t309);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z(_t318);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      						_t310 =  *((intOrPtr*)(_t309 + 8));
      						_t175 = E0112934F(_t322 - 0x194, _t318,  *((intOrPtr*)(_t309 + 8)), _t318);
      						 *(_t322 - 4) = 7;
      						_t176 = E011298AC(_t322 - 0x1b4, "Running actions - module finished with return code ");
      						_t333 = _t332 - 0x18;
      						 *(_t322 - 4) = 8;
      						 *((intOrPtr*)(_t322 - 0x174)) = _t333;
      						_t299 = _t176;
      						E0112DA56(_t333, _t176, _t175);
      						_push(2);
      						_push(0x65);
      						_t334 = _t333 - 0x18;
      						 *(_t322 - 4) = 9;
      						 *((intOrPtr*)(_t322 - 0x178)) = _t334;
      						E011298AC(_t334, "void __thiscall InstPC::InstallerConfiguration::run(void)");
      						_t335 = _t334 - 0x18;
      						 *(_t322 - 4) = 0xa;
      						E011298AC(_t335, "C:\\git\\modular-installer\\kernel\\InstallerConfiguration.cpp");
      						 *(_t322 - 4) = 8;
      						E0113765F(_t216,  *((intOrPtr*)(_t309 + 8)),  *((intOrPtr*)(_t309 + 8)));
      						E01129AC1(_t322 - 0x1b4);
      						 *(_t322 - 4) = 2;
      						E01129AC1(_t322 - 0x194);
      						_t320 =  *((intOrPtr*)(_t322 - 0x170));
      						if( *((char*)(_t320 + 0x84)) == 0) {
      							L12:
      							_t216 = _t216 + 1;
      							__eflags = _t216;
      							goto L13;
      						} else {
      							_t217 =  *((intOrPtr*)(_t322 - 0x14));
      							_t310 = _t320 + 0x94;
      							 *((intOrPtr*)(_t322 - 0x14)) = _t217;
      							_t196 = E01123CD1(_t310, _t322 - 0x14);
      							if(_t196 ==  *_t310 || _t217 <  *((intOrPtr*)(_t196 + 0x10))) {
      								E011298E1(_t322 - 0x194, _t320);
      								 *(_t322 - 4) = 0xc;
      								_t199 = E0112DA20(E0113FB01(_t217, _t322 - 0x1b4, _t322 - 0x194, _t310, __eflags), "next");
      								_t218 = _t199;
      								E01129AC1(_t322 - 0x1b4);
      								 *(_t322 - 4) = 2;
      								E01129AC1(_t322 - 0x194);
      								__eflags = _t199;
      								if(_t199 != 0) {
      									_t216 =  *(_t322 - 0x168);
      									goto L12;
      								} else {
      									 *(_t322 - 0x18) =  *(_t322 - 0x18) & 0x00000000;
      									memset(_t322 - 0x164, 0, 0xb0);
      									_t335 = _t335 + 0xc;
      									_t281 = _t322 - 0x194;
      									E011298E1(_t281, _t320);
      									 *(_t322 - 4) = 0xd;
      									E0112D3D9(_t218, _t322 - 0x164, "next", _t310);
      									 *(_t322 - 4) = 0xf;
      									E01129AC1(_t322 - 0x194);
      									__imp__??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z(_t322 - 0x18, _t322 - 0x194, _t281, _t281);
      									_t216 =  *(_t322 - 0x18);
      									 *(_t322 - 0x168) = _t216;
      									 *(_t322 - 4) = 2;
      									E0112D3A9();
      									__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ();
      								}
      							} else {
      								 *((intOrPtr*)(_t322 - 0x1c)) = _t217;
      								_t321 = E01123CD1(_t310, _t322 - 0x1c);
      								_t211 =  *_t310;
      								 *((intOrPtr*)(_t322 - 0x14)) = _t211;
      								if(_t321 == _t211 || _t217 <  *((intOrPtr*)(_t321 + 0x10))) {
      									 *((intOrPtr*)(_t322 - 0x19c)) = _t310;
      									 *(_t322 - 4) = 0xb;
      									_t288 = 0x18;
      									 *((intOrPtr*)(_t322 - 0x198)) = 0;
      									_t212 = E01129B1B(_t288, _t299);
      									_push(_t212);
      									 *((intOrPtr*)(_t322 - 0x198)) = 0;
      									 *((intOrPtr*)(_t212 + 0x10)) =  *((intOrPtr*)(_t322 - 0x1c));
      									_t290 =  *((intOrPtr*)(_t322 - 0x14));
      									 *((intOrPtr*)(_t212 + 0x14)) = 0;
      									 *_t212 = _t290;
      									 *((intOrPtr*)(_t212 + 4)) = _t290;
      									 *((intOrPtr*)(_t212 + 8)) = _t290;
      									 *((short*)(_t212 + 0xc)) = 0;
      									_push(_t212 + 0x10);
      									_push(_t321);
      									 *(_t322 - 4) = 2;
      									_t320 = E011253A4(0, _t310, _t310);
      								}
      								_t216 =  *(_t320 + 0x14);
      								L13:
      								 *(_t322 - 0x168) = _t216;
      							}
      						}
      						E01123A5E(_t216, _t322 - 0xb4, L"Running actions - next module ", _t310);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z(_t216);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      						_t313 = E0112DCE1(_t322 - 0x194, _t216,  *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x16c)) + 8)), _t320);
      						 *(_t322 - 4) = 0x10;
      						_t185 = E011298AC(_t322 - 0x1b4, "Running actions - next module ");
      						_t336 = _t335 - 0x18;
      						 *(_t322 - 4) = 0x11;
      						 *((intOrPtr*)(_t322 - 0x17c)) = _t336;
      						E0112DA56(_t336, _t185, _t184);
      						_t337 = _t336 - 0x18;
      						 *(_t322 - 4) = 0x12;
      						 *((intOrPtr*)(_t322 - 0x178)) = _t337;
      						E011298AC(_t337, "void __thiscall InstPC::InstallerConfiguration::run(void)");
      						_t326 = _t337 - 0x18;
      						 *(_t322 - 4) = 0x13;
      						E011298AC(_t326, "C:\\git\\modular-installer\\kernel\\InstallerConfiguration.cpp");
      						 *(_t322 - 4) = 0x11;
      						E0113765F(_t216,  *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x16c)) + 8)),  *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x16c)) + 8)));
      						E01129AC1(_t322 - 0x1b4);
      						E01129AC1(_t322 - 0x194);
      						 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
      						E01122EA0();
      						__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(0x7e, 2);
      						_t307 =  *((intOrPtr*)(_t322 - 0x16c));
      						asm("cdq");
      						if(_t216 < ( *((intOrPtr*)( *((intOrPtr*)(_t322 - 0x16c)) + 0x28)) -  *((intOrPtr*)(_t307 + 0x24))) / 0xa8) {
      							continue;
      						}
      						goto L15;
      					}
      					E0112D92B(_t168);
      					asm("int3");
      					E0112D3A9();
      					return __imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ(_t315);
      				}
      				L15:
      				_t327 = _t326 - 0x18;
      				 *((intOrPtr*)(_t322 - 0x17c)) = _t327;
      				E011298AC(_t327, "Running actions - finish");
      				_push(2);
      				 *(_t322 - 4) = 0x14;
      				 *((intOrPtr*)(_t322 - 0x178)) = _t327 - 0x18;
      				E011298AC(_t327 - 0x18, "void __thiscall InstPC::InstallerConfiguration::run(void)");
      				 *(_t322 - 4) = 0x15;
      				E011298AC(_t327, "C:\\git\\modular-installer\\kernel\\InstallerConfiguration.cpp");
      				 *(_t322 - 4) =  *(_t322 - 4) | 0xffffffff;
      				return E01143D3B(E0113765F(_t216,  *((intOrPtr*)(_t307 + 8)), _t307), _t216, _t307, 0x80);
      			}
      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112CE1C
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      • memset.VCRUNTIME140(?,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CEA5
        • Part of subcall function 01122ED0: __EH_prolog3.LIBCMT ref: 01122ED7
        • Part of subcall function 01122ED0: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011401C3,00000000,00000098,000000A8,0112EC1E,?), ref: 01122EEE
        • Part of subcall function 01122ED0: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(00000000,00000000,00000000), ref: 01122F08
        • Part of subcall function 01122ED0: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01122F2B
        • Part of subcall function 01123A5E: __EH_prolog3_catch.LIBCMT ref: 01123A65
        • Part of subcall function 01123A5E: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123BD0
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z.MSVCP140(00000000,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CED0
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0112CEDD
        • Part of subcall function 0113765F: _Xtime_get_ticks.MSVCP140 ref: 011376CA
        • Part of subcall function 0113765F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
        • Part of subcall function 01121DDD: __EH_prolog3_catch_GS.LIBCMT ref: 01121DE7
        • Part of subcall function 01121DDD: memset.VCRUNTIME140(?,00000000,00000104), ref: 01121E3B
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B10
        • Part of subcall function 01123A5E: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP140(?,?,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B41
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B6C
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CFBD
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0112CFCA
      • memset.VCRUNTIME140(?,00000000,000000B0,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D16D
      • ??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAI@Z.MSVCP140(00000000,?,?,?,?,?,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D1B2
      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,?,?,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D1D6
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z.MSVCP140(00000001,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D1FE
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0112D20B
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D2B5
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$V01@$??6?$basic_ostream@_$V01@@memset$?sputc@?$basic_streambuf@_D@std@@@std@@H_prolog3_U?$char_traits@$#1511??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??1?$basic_ios@??1?$basic_ios@_??5?$basic_istream@?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_ExceptionH_prolog3H_prolog3_catchH_prolog3_catch_ThrowUnothrow_t@std@@@V?$basic_streambuf@_W@std@@@1@_Xtime_get_ticks__ehfuncinfo$??2@
      • String ID: C:\git\modular-installer\kernel\InstallerConfiguration.cpp$Running actions - finish$Running actions - module $Running actions - module $Running actions - module finished with return code $Running actions - module finished with return code $Running actions - next module $Running actions - next module $Running actions - start$next$void __thiscall InstPC::InstallerConfiguration::run(void)
      • API String ID: 3775226899-3680832135
      • Opcode ID: abb77aa5c81bbc5d85e85db42b26c8d7a1d5ee29fa6d505e4b712dc6e898450f
      • Instruction ID: d17ec4e59d53ff3d9bcbe03b3b029d18d742386acd6301af08aadf16ffda364c
      • Opcode Fuzzy Hash: abb77aa5c81bbc5d85e85db42b26c8d7a1d5ee29fa6d505e4b712dc6e898450f
      • Instruction Fuzzy Hash: A5E1CE30A04229DBDF1CEBB8C955BECBBB1AF25708F54409CD50967281DB746F54CB92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 81%
      			E01121DDD(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
      				intOrPtr _t225;
      				void* _t236;
      				WCHAR* _t246;
      				void* _t259;
      				struct _IO_FILE* _t270;
      				struct _IO_FILE* _t271;
      				intOrPtr _t276;
      				void* _t281;
      				signed int _t289;
      				void* _t290;
      				intOrPtr _t299;
      				intOrPtr _t308;
      				void* _t313;
      				intOrPtr _t320;
      				intOrPtr _t322;
      				void* _t329;
      				intOrPtr _t333;
      				void* _t344;
      				void* _t347;
      				void* _t358;
      				void* _t364;
      				intOrPtr _t377;
      				intOrPtr _t383;
      				intOrPtr* _t428;
      				void* _t471;
      				void* _t492;
      				long _t504;
      				intOrPtr* _t505;
      				intOrPtr _t508;
      				intOrPtr _t509;
      				intOrPtr _t510;
      				void* _t514;
      				void* _t515;
      				void* _t516;
      				intOrPtr _t517;
      				intOrPtr _t518;
      				void* _t519;
      				intOrPtr _t520;
      				intOrPtr _t523;
      				intOrPtr _t524;
      				void* _t525;
      				intOrPtr _t526;
      				intOrPtr _t527;
      				intOrPtr _t528;
      				void* _t529;
      				intOrPtr _t531;
      				intOrPtr _t534;
      				intOrPtr _t535;
      				void* _t537;
      				void* _t538;
      				intOrPtr _t540;
      
      				_t377 = __ecx;
      				E01143DFF(E011459DC, __ebx, __edi, 0x3b8);
      				_t225 = _t377;
      				 *((intOrPtr*)(_t514 - 0x338)) = _t225;
      				 *(_t514 - 0x33c) =  *(_t514 - 0x33c) | 0xffffffff;
      				_t374 = 0;
      				 *(_t514 - 0x318) = 0;
      				_t508 = _t225;
      				 *(_t514 - 4) = 0;
      				 *((intOrPtr*)(_t514 - 0x328)) = _t225;
      				 *((intOrPtr*)(_t514 - 0x330)) = _t508;
      				 *((intOrPtr*)(_t514 - 0x138)) = 0;
      				 *((intOrPtr*)(_t514 - 0x134)) = 0xf;
      				 *((char*)(_t514 - 0x148)) = 0;
      				 *(_t514 - 4) = 1;
      				memset(_t514 - 0x118, 0, 0x104);
      				_t516 = _t515 + 0xc;
      				E0113F710(0, _t508, __edi);
      				_t502 = _t508 + 0x24;
      				_t482 = _t502;
      				E01136637(0, _t514 - 0x160, _t502, _t502);
      				E0113F89F(_t514 - 0x1fc);
      				 *(_t514 - 4) = 3;
      				if(E0113F962(_t514 - 0x1fc, _t502, _t508, _t514 - 0x160) == 0) {
      					_push(_t514 - 0x160);
      					E0112374F(0, _t514 - 0x130, L"Failed to split URL ", _t502);
      					 *(_t514 - 4) = 4;
      					_t383 = _t514 - 0x3c4;
      					E0113FAA4(0, _t383, _t514 - 0x130, _t502);
      					_push(0x1156050);
      					_t236 = _t514 - 0x3c4;
      					goto L35;
      				} else {
      					if( *((intOrPtr*)(_t508 + 4)) != 0) {
      						_t471 = _t514 - 0x130;
      						E01129A21(_t471, _t514 - 0x190);
      						_push(_t471);
      						 *(_t514 - 4) = 5;
      						E01123714(_t514 - 0x37c, _t514 - 0x130);
      						 *(_t514 - 4) = 7;
      						_t364 = E0112DD7B(_t514 - 0x37c, _t514 - 0x35c);
      						 *(_t514 - 0x318) = 1;
      						E01129A21(_t514 - 0x3ac, _t364);
      						 *(_t514 - 0x318) = 3;
      						_t482 = _t514 - 0x3ac;
      						 *(_t514 - 4) = 8;
      						E011293B6(_t514 - 0x148, _t508, E01136693(0, _t514 - 0x394, _t514 - 0x3ac, _t502));
      						E01129AC1(_t514 - 0x394);
      						E01129A96(_t514 - 0x3ac);
      						E01129A96(_t514 - 0x35c);
      						E01129A96(_t514 - 0x37c);
      						 *(_t514 - 4) = 3;
      						E01129A96(_t514 - 0x130);
      					}
      					 *((intOrPtr*)(_t514 - 0x334)) = _t502;
      					 *((intOrPtr*)(_t514 - 0x32c)) = _t502;
      					_t270 = E011244A0(_t502);
      					 *(_t514 - 0x318) = _t270;
      					if(_t270 ==  *0x115b56c) {
      						L5:
      						_t271 =  *0x115b56c;
      					} else {
      						_t43 = _t270 + 0x10; // 0x10
      						_t358 = E0112409E(_t502, _t43);
      						_t271 =  *(_t514 - 0x318);
      						if(_t358 != 0) {
      							goto L5;
      						}
      					}
      					if(_t271 !=  *0x115b56c) {
      						_push(_t502);
      						_push(_t514 - 0x324);
      						E011245E6(_t374, _t482, _t502);
      						 *((intOrPtr*)(_t508 + 0x9c)) =  *((intOrPtr*)( *((intOrPtr*)(_t514 - 0x324)) + 0x28));
      						goto L26;
      					} else {
      						if( *((intOrPtr*)(_t508 + 4)) != 0) {
      							_t516 = _t516 - 0x18;
      							 *(_t514 - 4) = 9;
      							E011298E1(_t516, _t514 - 0x148);
      							L36();
      							 *(_t514 - 4) = 3;
      						}
      						_t308 =  *((intOrPtr*)(_t508 + 0x9c));
      						 *((intOrPtr*)(_t514 - 0x328)) = _t308;
      						if(_t308 != 0) {
      							_t502 =  *((intOrPtr*)(_t514 - 0x328));
      							goto L24;
      						} else {
      							 *((intOrPtr*)(_t514 - 0x328)) =  *((intOrPtr*)(_t508 + 8));
      							_t313 = E011237FA(_t374, _t514 - 0x35c, "Downloading DLL \"", _t502);
      							_t534 = _t516 - 0x18;
      							 *(_t514 - 4) = 0xb;
      							_t502 = _t534;
      							 *((intOrPtr*)(_t514 - 0x334)) = _t534;
      							 *((intOrPtr*)(_t514 - 0x31c)) = _t534;
      							E011299A0(_t534, E01129C57(_t313, "\"", 1));
      							_t535 = _t534 - 0x18;
      							 *(_t514 - 4) = 0xc;
      							 *((intOrPtr*)(_t514 - 0x31c)) = _t535;
      							E011298AC(_t535, "int __thiscall InstPC::Action::run(void)");
      							_t516 = _t535 - 0x18;
      							 *(_t514 - 4) = 0xd;
      							E011298AC(_t516, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      							 *(_t514 - 4) = 0xb;
      							E0113765F(_t374,  *((intOrPtr*)(_t514 - 0x328)), _t534);
      							 *(_t514 - 4) = 3;
      							E01129AC1(_t514 - 0x35c);
      							_t320 = _t514 - 0x118;
      							__imp__tmpnam_s(_t320, 0x104, 0x72, 2, _t502);
      							if(_t320 == 0) {
      								 *(_t514 - 0x318) = _t374;
      								_t322 = _t514 - 0x318;
      								__imp__fopen_s(_t322, _t514 - 0x118, "wb+");
      								_t516 = _t516 + 0xc;
      								__eflags = _t322;
      								if(_t322 == 0) {
      									memset(_t514 - 0x2ac, _t374, 0xb0);
      									E01140250(_t374, _t514 - 0x2ac, _t502);
      									_t537 = _t516 + 0xc - 0x18;
      									 *(_t514 - 4) = 0x10;
      									E01136693(_t374, _t537, _t514 - 0x1dc, _t502);
      									 *(E01140401(_t374, _t514 - 0x2ac, _t502) + 0x90) =  *(_t514 - 0x318);
      									__eflags =  *((intOrPtr*)(_t514 - 0x1e0)) - 5;
      									if( *((intOrPtr*)(_t514 - 0x1e0)) != 5) {
      										_push(0xffffffff);
      										_t329 = E01122D52(_t514 - 0x190, _t514 - 0x35c, 1);
      										_t538 = _t537 - 0x18;
      										 *(_t514 - 4) = 0x11;
      										E01136693(_t374, _t538, _t329, _t502);
      										E01140431(_t374, _t514 - 0x2ac, _t502);
      										 *(_t514 - 4) = 0x10;
      										E01129A96(_t514 - 0x35c);
      										_t333 = E0112431D(_t514 - 0x178, 0x114bf44);
      										__eflags = _t333;
      										if(_t333 == 0) {
      											_push(0xffffffff);
      											_t344 = E01122D52(_t514 - 0x178, _t514 - 0x394, 0xb);
      											_t540 = _t538 - 0x18;
      											 *(_t514 - 4) = 0x12;
      											 *((intOrPtr*)(_t514 - 0x320)) = _t540;
      											E01136693(_t374, _t540, _t344, _t502);
      											_push(9);
      											 *(_t514 - 4) = 0x13;
      											_t347 = E01122D52(_t514 - 0x178, _t514 - 0x35c, 1);
      											_t538 = _t540 - 0x18;
      											 *(_t514 - 4) = 0x14;
      											E01136693(_t374, _t538, _t347, _t502);
      											 *(_t514 - 4) = 0x15;
      											E0114048D(_t374, _t514 - 0x2ac, _t347, _t502);
      											E01129A96(_t514 - 0x35c);
      											 *(_t514 - 4) = 0x10;
      											E01129A96(_t514 - 0x394);
      										}
      									} else {
      										_t538 = _t537 - 0x18;
      										 *(_t514 - 0x2ac) = 2;
      										E01136693(_t374, _t538, _t514 - 0x190, _t502);
      										E01140431(_t374, _t514 - 0x2ac, _t502);
      									}
      									memset(_t514 - 0x314, _t374, 0x68);
      									_t482 = _t514 - 0x314;
      									 *((intOrPtr*)( *((intOrPtr*)(_t508 + 0xa0))))(_t514 - 0x314, _t514 - 0x2ac);
      									 *(_t514 - 4) = 0x16;
      									fclose( *(_t514 - 0x318));
      									_t516 = _t538 + 0xc - 0x14;
      									E011298AC(_t516, _t514 - 0x118);
      									L36();
      									E01140BCF(_t514 - 0x314, _t514 - 0x314);
      									 *(_t514 - 4) = 3;
      									E011403B6(_t514 - 0x2ac, _t514 - 0x314);
      									_t502 =  *((intOrPtr*)( *((intOrPtr*)(_t514 - 0x338)) + 0x9c));
      									L24:
      									_push( *((intOrPtr*)(_t514 - 0x32c)));
      									_push(_t514 - 0x324);
      									E011245E6(_t374, _t482, _t502);
      									 *((intOrPtr*)( *((intOrPtr*)(_t514 - 0x324)) + 0x28)) = _t502;
      									L26:
      									_t276 = E01122A18(_t374, _t508, _t502, __eflags);
      									_t505 = _t508 + 0x6c;
      									_t523 = _t516 - 0x18;
      									 *((intOrPtr*)(_t514 - 0x32c)) = _t276;
      									 *((intOrPtr*)(_t514 - 0x320)) = _t523;
      									_push(_t505);
      									E011237FA( *((intOrPtr*)(_t508 + 8)), _t523, "Executing runner with configuration ", _t505);
      									_push(2);
      									_push(0x9c);
      									_t524 = _t523 - 0x18;
      									 *(_t514 - 4) = 0x17;
      									 *((intOrPtr*)(_t514 - 0x31c)) = _t524;
      									E011298AC(_t524, "int __thiscall InstPC::Action::run(void)");
      									_t525 = _t524 - 0x18;
      									 *(_t514 - 4) = 0x18;
      									E011298AC(_t525, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      									 *(_t514 - 4) = 3;
      									E0113765F( *((intOrPtr*)(_t508 + 8)),  *((intOrPtr*)(_t508 + 8)), _t505);
      									_t281 = E011214A8( *((intOrPtr*)(_t508 + 8)), _t505);
      									_t376 =  *((intOrPtr*)(_t508 + 8));
      									_push(_t281);
      									_t526 = _t525 - 0x18;
      									 *((intOrPtr*)(_t514 - 0x320)) = _t526;
      									 *((intOrPtr*)(_t514 - 0x31c)) = _t526;
      									E011298E1(_t526,  *((intOrPtr*)(_t508 + 8)) + 0x98);
      									_t527 = _t526 - 0x18;
      									 *(_t514 - 4) = 0x19;
      									 *((intOrPtr*)(_t514 - 0x31c)) = _t527;
      									 *((intOrPtr*)(_t514 - 0x328)) = _t527;
      									E011298E1(_t527,  *((intOrPtr*)(_t508 + 8)) + 0x50);
      									_t528 = _t527 - 0x18;
      									 *(_t514 - 4) = 0x1a;
      									 *((intOrPtr*)(_t514 - 0x328)) = _t528;
      									 *((intOrPtr*)(_t514 - 0x334)) = _t528;
      									E011298E1(_t528,  *((intOrPtr*)(_t508 + 8)) + 0x38);
      									 *(_t514 - 4) = 0x1b;
      									__eflags =  *((intOrPtr*)(_t505 + 0x14)) - 0x10;
      									if( *((intOrPtr*)(_t505 + 0x14)) >= 0x10) {
      										_t505 =  *_t505;
      									}
      									_t529 = _t528 - 0x18;
      									E011298AC(_t529, _t505);
      									 *(_t514 - 4) = 3;
      									_t289 =  *((intOrPtr*)(_t514 - 0x32c))();
      									_t506 = _t289;
      									 *(_t514 - 0x33c) = _t289;
      									_t290 = E0112934F(_t514 - 0x35c, _t289, _t289, _t508);
      									 *(_t514 - 4) = 0x1c;
      									E011299A0(_t514 - 0x130, E01124262(_t290, _t508, _t514 - 0x35c, "Runner execution returned ", 0x1a));
      									 *(_t514 - 4) = 0x1e;
      									E01129AC1(_t514 - 0x35c);
      									_t531 = _t529 + 0x64 - 0x18;
      									 *((intOrPtr*)(_t514 - 0x320)) = _t531;
      									E011298E1(_t531, _t514 - 0x130);
      									_push(2);
      									_push(0xa4);
      									 *(_t514 - 4) = 0x1f;
      									 *((intOrPtr*)(_t514 - 0x31c)) = _t531 - 0x18;
      									E011298AC(_t531 - 0x18, "int __thiscall InstPC::Action::run(void)");
      									 *(_t514 - 4) = 0x20;
      									E011298AC(_t531, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      									 *(_t514 - 4) = 0x1e;
      									E0113765F(_t376,  *((intOrPtr*)(_t508 + 8)), _t289);
      									_t428 = _t514 - 0x118;
      									_t492 = _t428 + 1;
      									do {
      										_t299 =  *_t428;
      										_t428 = _t428 + 1;
      										__eflags = _t299;
      									} while (_t299 != 0);
      									__eflags = _t428 != _t492;
      									if(_t428 != _t492) {
      										remove(_t514 - 0x118);
      									}
      									E01129AC1(_t514 - 0x130);
      									E0113F925(_t514 - 0x1fc);
      									E01129A96(_t514 - 0x160);
      									E01129AC1(_t514 - 0x148);
      									return E01143D4C(_t506, _t376, _t506);
      								} else {
      									__imp__#1511();
      									_t383 = 0x18;
      									 *((intOrPtr*)(_t514 - 0x320)) = _t322;
      									 *(_t514 - 4) = 0xf;
      									__eflags = _t322;
      									if(_t322 != 0) {
      										_t383 = _t322;
      										_t374 = E011298AC(_t383, "Could not open new temporary file\n");
      									}
      									 *(_t514 - 4) = 3;
      									_t236 = _t514 - 0x344;
      									 *(_t514 - 0x344) = _t374;
      									_push(0x1156040);
      									goto L35;
      								}
      							} else {
      								__imp__#1511();
      								_t383 = 0x18;
      								 *((intOrPtr*)(_t514 - 0x320)) = _t320;
      								 *(_t514 - 4) = 0xe;
      								if(_t320 != 0) {
      									_t383 = _t320;
      									_t374 = E011298AC(_t383, "Error occurred creating unique filename");
      								}
      								 *(_t514 - 4) = 3;
      								_t236 = _t514 - 0x340;
      								 *(_t514 - 0x340) = _t374;
      								_push(0x1156040);
      								L35:
      								_push(_t236);
      								L01145637();
      								asm("int3");
      								E01143DFF(E01145A5E, _t374, _t502, 0x110);
      								_t509 = _t383;
      								 *(_t514 - 4) =  *(_t514 - 4) & 0x00000000;
      								_push(_t514 + 8);
      								 *(_t514 - 4) = 1;
      								E011237FA(_t374, _t514 - 0x44, "Loading library ", _t502);
      								_t517 = _t516 - 0x18;
      								 *(_t514 - 4) = 2;
      								_t503 =  *((intOrPtr*)(_t509 + 8));
      								 *((intOrPtr*)(_t514 - 0xe0)) = _t517;
      								E011298E1(_t517, _t514 - 0x44);
      								_push(2);
      								_push(0xc3);
      								_t518 = _t517 - 0x18;
      								 *(_t514 - 4) = 3;
      								 *((intOrPtr*)(_t514 - 0xe4)) = _t518;
      								E011298AC(_t518, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      								_t519 = _t518 - 0x18;
      								 *(_t514 - 4) = 4;
      								E011298AC(_t519, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      								 *(_t514 - 4) = 2;
      								E0113765F(_t374,  *((intOrPtr*)(_t509 + 8)),  *((intOrPtr*)(_t509 + 8)));
      								_t246 = E01136637(_t374, _t514 - 0x2c, _t514 + 8,  *((intOrPtr*)(_t509 + 8)));
      								if(_t246[0xa] >= 8) {
      									_t246 =  *_t246;
      								}
      								 *((intOrPtr*)(_t509 + 0x9c)) = LoadLibraryW(_t246);
      								E01129A96(_t514 - 0x2c);
      								if( *((intOrPtr*)(_t509 + 0x9c)) == 0) {
      									_t504 = GetLastError();
      									E011298AC(_t514 - 0x2c, "Failed to load library");
      									 *(_t514 - 4) = 5;
      									memset(_t514 - 0xdc, 0, 0x98);
      									E01122ED0(_t374, _t514 - 0xdc, _t504);
      									_t520 = _t519 - 0x18;
      									 *(_t514 - 4) = 6;
      									_t510 =  *((intOrPtr*)(_t509 + 8));
      									 *((intOrPtr*)(_t514 - 0xe8)) = _t520;
      									E011298E1(_t520, _t514 - 0x2c);
      									 *(_t514 - 4) = 7;
      									 *((intOrPtr*)(_t514 - 0xe4)) = _t520 - 0x18;
      									E011298AC(_t520 - 0x18, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      									 *(_t514 - 4) = 8;
      									E011298AC(_t520, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      									 *(_t514 - 4) = 6;
      									E0113765F(_t374, _t510, _t504);
      									_t259 = E01136637(_t374, _t514 - 0x100, _t514 - 0x2c, _t504);
      									 *(_t514 - 4) = 9;
      									E01123A5E(_t374, E01123A4B(_t514 - 0xdc, _t259), L". Error: ", _t504);
      									__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(_t504, 0xcc, 5);
      									__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      									 *(_t514 - 4) = 6;
      									E011214A3(_t514 - 0x100);
      									E011299A0(_t514 - 0x118, _t514 - 0x2c);
      									L01145637();
      									asm("int3");
      									E01122EA0();
      									return __imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(_t510, _t514 - 0x118, 0x1156050);
      								}
      								E01129AC1(_t514 - 0x44);
      								return E01143D4C(E01129AC1(_t514 + 8), _t374, _t503);
      							}
      						}
      					}
      				}
      			}

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 01121DE7
      • memset.VCRUNTIME140(?,00000000,00000104), ref: 01121E3B
        • Part of subcall function 0113F710: __EH_prolog3.LIBCMT ref: 0113F717
        • Part of subcall function 0113F710: #1511.MFC140U(000000D0,00000004,0112C22B,000000FC,?,0112A166,?), ref: 0113F729
        • Part of subcall function 0113F710: memset.VCRUNTIME140(00000000,00000000,000000D0,0112A166,?), ref: 0113F743
        • Part of subcall function 01136637: __EH_prolog3_GS.LIBCMT ref: 0113663E
        • Part of subcall function 01136637: memset.VCRUNTIME140(?,00000000,00000050,00000058,01121E5A), ref: 01136655
      • tmpnam_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000104,C:\git\modular-installer\kernel\Action.cpp), ref: 01122088
      • #1511.MFC140U(00000018), ref: 01122096
        • Part of subcall function 01129A21: memcpy.VCRUNTIME140(00000000,?,?,00000001,?,?,?,?,?,0112149C), ref: 01129A7C
        • Part of subcall function 01136693: __EH_prolog3_GS.LIBCMT ref: 0113669A
        • Part of subcall function 01136693: memset.VCRUNTIME140(?,00000000,00000050,0000005C,0113458E,?,?), ref: 011366B1
      • _CxxThrowException.VCRUNTIME140(?,01156050), ref: 01122829
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memset$#1511H_prolog3_$ExceptionH_prolog3H_prolog3_catch_Throwmemcpytmpnam_s
      • String ID: $C:\git\modular-installer\kernel\Action.cpp$Could not open new temporary file$Downloading DLL "$Error occurred creating unique filename$Executing runner with configuration $Failed to split URL $Runner execution returned $int __thiscall InstPC::Action::run(void)$wb+
      • API String ID: 3938117506-1933280115
      • Opcode ID: f518a514dbfdc2d9b8cadcc777bf53c304fc89ffde5fe55cf9189be2f28063a2
      • Instruction ID: d0e659477fa6627c11285bd3938744b567d806c7b16d0d221c8fa0af96a87b71
      • Opcode Fuzzy Hash: f518a514dbfdc2d9b8cadcc777bf53c304fc89ffde5fe55cf9189be2f28063a2
      • Instruction Fuzzy Hash: 9F129A7090026DDFDF2AEB68C854BDCBBB8AF69708F5440D9D40967281DB745B88CF92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E0113D01B(void* __ebx, short* __ecx, intOrPtr* __edx, void* __edi) {
      				short* _t65;
      				void* _t66;
      				short* _t67;
      				void* _t88;
      				int _t105;
      				short* _t107;
      				short _t117;
      				char* _t144;
      				intOrPtr* _t148;
      				void* _t149;
      				void* _t151;
      				intOrPtr* _t152;
      
      				_t107 = __ecx;
      				E01143D91(E011490B5, __ebx, __edi, 0xe4);
      				_t148 = __edx;
      				 *((intOrPtr*)(_t151 - 0xc0)) = __edx;
      				_t147 = _t107;
      				_t105 = 0;
      				memset(_t151 - 0xb0, 0, 0x98);
      				E01122ED0(0, _t151 - 0xb0, _t147);
      				 *((intOrPtr*)(_t151 - 4)) = 0;
      				 *((intOrPtr*)(_t148 + 4)) =  *_t148;
      				_t65 = _t147;
      				if(_t147[0xa] >= 8) {
      					_t65 =  *_t147;
      				}
      				_t66 = GetFileVersionInfoSizeW(_t65, _t151 - 0x14);
      				 *(_t151 - 0xb8) = _t66;
      				if(_t66 != 0) {
      					__imp__#265(_t66);
      					_t149 = _t66;
      					 *(_t151 - 0x18) = _t149;
      					 *((char*)(_t151 - 4)) = 1;
      					_t67 = _t147;
      					if(_t147[0xa] >= 8) {
      						_t67 =  *_t147;
      					}
      					if(GetFileVersionInfoW(_t67,  *(_t151 - 0x14),  *(_t151 - 0xb8), _t149) != 0) {
      						 *(_t151 - 0xb8) = 0x34;
      						if(VerQueryValueW(_t149, 0x114c5d0, _t151 - 0xb4, _t151 - 0xb8) != 0) {
      							 *(_t151 - 0xbc) =  *( *(_t151 - 0xb4) + 0x12) & 0x0000ffff;
      							E0113E6BB( *((intOrPtr*)(_t151 - 0xc0)), _t151 - 0xbc);
      							 *(_t151 - 0xbc) =  *( *(_t151 - 0xb4) + 8) & 0x0000ffff;
      							E0113E6BB( *((intOrPtr*)(_t151 - 0xc0)), _t151 - 0xbc);
      							 *(_t151 - 0xbc) =  *( *(_t151 - 0xb4) + 0xe) & 0x0000ffff;
      							E0113E6BB( *((intOrPtr*)(_t151 - 0xc0)), _t151 - 0xbc);
      							 *(_t151 - 0xbc) =  *( *(_t151 - 0xb4) + 0xc) & 0x0000ffff;
      							E0113E6BB( *((intOrPtr*)(_t151 - 0xc0)), _t151 - 0xbc);
      							_t88 = E01123A5E(_t105, _t151 - 0xb0, L"Version of file ", _t147);
      							_t117 = _t147[8];
      							if(_t147[0xa] >= 8) {
      								_t147 =  *_t147;
      							}
      							_t147 = E01123A5E(_t105, E01124358(_t105, _t88, _t147, _t147), L" is ", _t147);
      							 *((intOrPtr*)(_t151 - 0xe0)) = _t105;
      							 *((intOrPtr*)(_t151 - 0xdc)) = 7;
      							 *((short*)(_t151 - 0xf0)) = 0;
      							 *_t152 = 0x114c5d4;
      							E0112BA2B(_t117);
      							 *((char*)(_t151 - 4)) = 2;
      							E011400AF(_t105, _t151 - 0xd8,  *((intOrPtr*)(_t151 - 0xc0)), _t90);
      							 *((char*)(_t151 - 4)) = 3;
      							_t143 =  >=  ?  *((void*)(_t151 - 0xd8)) : _t151 - 0xd8;
      							E01124358(_t105, _t90,  >=  ?  *((void*)(_t151 - 0xd8)) : _t151 - 0xd8, _t147);
      							__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6,  *((intOrPtr*)(_t151 - 0xc8)), _t151 - 0xf0);
      							E01129A96(_t151 - 0xd8);
      							E01129A96(_t151 - 0xf0);
      							_t105 = 1;
      							goto L14;
      						}
      						_t144 = L"VerQueryValue() failed. Error: ";
      						goto L10;
      					} else {
      						_t144 = L"GetFileVersionInfo() failed. Error: ";
      						L10:
      						_t147 = E01123A5E(_t105, _t151 - 0xb0, _t144, _t147);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(GetLastError());
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      						L14:
      						if(_t149 != 0) {
      							__imp__#266(_t149);
      						}
      						goto L16;
      					}
      				} else {
      					E01123A5E(_t105, _t151 - 0xb0, L"GetFileVersionInfoSize() failed. Error: ", _t147);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(GetLastError());
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      					L16:
      					E01122EA0();
      					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      					return E01143D3B(_t105, _t105, _t147);
      				}
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113D025
      • memset.VCRUNTIME140(?,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380,01130AD3), ref: 0113D043
        • Part of subcall function 01122ED0: __EH_prolog3.LIBCMT ref: 01122ED7
        • Part of subcall function 01122ED0: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011401C3,00000000,00000098,000000A8,0112EC1E,?), ref: 01122EEE
        • Part of subcall function 01122ED0: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(00000000,00000000,00000000), ref: 01122F08
        • Part of subcall function 01122ED0: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01122F2B
      • GetFileVersionInfoSizeW.VERSION(?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380), ref: 0113D06B
      • GetLastError.KERNEL32(?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380), ref: 0113D08D
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000,?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113D096
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6,?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113D0A3
      • #265.MFC140U(00000000,?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113D0AF
      • GetFileVersionInfoW.VERSION(?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248), ref: 0113D0D4
      • VerQueryValueW.VERSION(00000000,0114C5D0,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090), ref: 0113D103
      • GetLastError.KERNEL32(?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248), ref: 0113D11F
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0), ref: 0113D128
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0), ref: 0113D135
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?), ref: 0113D270
      • #266.MFC140U(00000000,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0), ref: 0113D294
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248), ref: 0113D2A6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$V01@$??6?$basic_ostream@_$V01@@$ErrorFileInfoLastVersion$#265#266??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??1?$basic_ios@_H_prolog3H_prolog3_QuerySizeV?$basic_streambuf@_ValueW@std@@@1@_memset
      • String ID: is $4$GetFileVersionInfo() failed. Error: $GetFileVersionInfoSize() failed. Error: $VerQueryValue() failed. Error: $Version of file
      • API String ID: 3235605066-3312640279
      • Opcode ID: 8981d06b67a60edaf5cfd6eccbb3f59b5f892c46cfcb42bbd4884b954d47aaab
      • Instruction ID: 55f0bce31b41c891750115deb73f113281177c50ea23e6bbe8cf3698969e9ddc
      • Opcode Fuzzy Hash: 8981d06b67a60edaf5cfd6eccbb3f59b5f892c46cfcb42bbd4884b954d47aaab
      • Instruction Fuzzy Hash: 17617031905329CBDF28DFA5DC48BADB7B6BF54604F4040E9E41AA7244EB349E84CF61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 87%
      			E011314C6(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __eflags) {
      				void* _t109;
      				void* _t120;
      				void* _t139;
      				void* _t178;
      				void* _t179;
      				void* _t203;
      				intOrPtr _t249;
      				void* _t253;
      				void* _t254;
      				intOrPtr _t255;
      				signed int _t256;
      				void* _t257;
      				void* _t258;
      				void* _t259;
      				signed int _t261;
      				void* _t262;
      				signed int _t263;
      				signed int _t264;
      				void* _t265;
      				void* _t266;
      				signed int _t267;
      				signed int _t268;
      				void* _t269;
      				signed int _t272;
      				signed int _t273;
      				void* _t274;
      				void* _t276;
      				signed int _t277;
      				signed int _t278;
      				void* _t279;
      				signed int _t280;
      				signed int _t281;
      
      				_t242 = __edx;
      				_t179 = __ecx;
      				E01143D91(E011479F1, __ebx, __edi, 0x16c);
      				_t178 = _t179;
      				E0113F710(_t178, _t179, __edi);
      				_t255 = _t254 - 0x18;
      				 *((intOrPtr*)(_t253 - 0x148)) = _t255;
      				E011298AC(_t255, "Fetching tasks");
      				 *(_t253 - 4) =  *(_t253 - 4) & 0x00000000;
      				_t244 = 2;
      				_push(_t244);
      				_push(0x269);
      				_t256 = _t255 - 0x18;
      				 *(_t253 - 0x144) = _t256;
      				E011298AC(_t256, "void __thiscall InstPC::IPCService::tasks(void)");
      				_t257 = _t256 - 0x18;
      				 *(_t253 - 4) = 1;
      				E011298AC(_t257, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      				 *(_t253 - 4) =  *(_t253 - 4) | 0xffffffff;
      				E0113765F(_t178,  *(_t178 + 8), _t244);
      				_t258 = _t257 - 0x18;
      				E011298AC(_t258, "CHECK_TASK");
      				E01141B09(_t178,  *((intOrPtr*)(_t178 + 0x2c)) + 0xc, _t244);
      				_t259 = _t258 - 0x18;
      				E011298AC(_t259, "Entered \'Check task\' flow");
      				E01141B5A(_t178,  *((intOrPtr*)(_t178 + 0x2c)) + 0xc, _t244);
      				_t109 = E011298AC(_t253 - 0x40, "zoremov.com");
      				 *(_t253 - 4) = _t244;
      				E011299A0(_t253 - 0x58, E01124262(_t109, "zoremov.com", _t253 - 0x40, "bi.", 3));
      				 *(_t253 - 4) = 4;
      				E01129AC1(_t253 - 0x40);
      				memset(_t253 - 0x13c, 0, 0xb0);
      				E0112A5E2(_t178, _t253 - 0x13c, _t244);
      				 *(_t253 - 4) = 5;
      				_push( *((intOrPtr*)(_t178 + 0x2c)));
      				_t261 = _t259 + 0xc - 0x18;
      				 *(_t253 - 0x140) = _t261;
      				E011298E1(_t261, _t253 - 0x58);
      				_t262 = _t261 - 0x18;
      				 *(_t253 - 4) = 6;
      				E011298AC(_t262, "api/report/install");
      				 *(_t253 - 4) = 5;
      				_push(_t253 - 0x160);
      				_t120 = E01141FCE(_t178, _t253 - 0x13c, _t242, _t244);
      				 *(_t253 - 4) = 7;
      				E011299A0(_t253 - 0x40, E01124262(_t120, "zoremov.com", _t253 - 0x13c, "Entered ReportUpdateAction - ", 0x1d));
      				 *(_t253 - 4) = 9;
      				E01129AC1(_t253 - 0x160);
      				_t263 = _t262 - 0x18;
      				 *(_t253 - 0x140) = _t263;
      				E011298AC(_t263, "task-for");
      				_t264 = _t263 - 0x18;
      				 *(_t253 - 4) = 0xa;
      				 *(_t253 - 0x144) = _t264;
      				E011298AC(_t264, "zoremov.com");
      				_t265 = _t264 - 0x18;
      				 *(_t253 - 4) = 0xb;
      				E011298AC(_t265, "alg.");
      				 *(_t253 - 4) = 9;
      				_push(_t253 - 0x28);
      				E0113082A(_t178, _t178, _t244);
      				 *(_t253 - 4) = 0xc;
      				_t266 = _t265 - 0x18;
      				_t283 =  *((intOrPtr*)(_t253 - 0x18));
      				_t203 = _t266;
      				_t249 =  *((intOrPtr*)(_t178 + 0x2c));
      				if( *((intOrPtr*)(_t253 - 0x18)) == 0) {
      					E011298AC(_t203, "No tasks found.");
      					E01141B5A(_t178, _t249 + 0xc, _t244);
      					_t250 =  *(_t178 + 8);
      					_t267 = _t266 - 0x18;
      					 *(_t253 - 0x140) = _t267;
      					E011298AC(_t267, "No task actions waiting");
      					_push(_t244);
      					_push(0x283);
      					_t268 = _t267 - 0x18;
      					 *(_t253 - 4) = 0x15;
      					 *(_t253 - 0x144) = _t268;
      					E011298AC(_t268, "void __thiscall InstPC::IPCService::tasks(void)");
      					_t269 = _t268 - 0x18;
      					 *(_t253 - 4) = 0x16;
      					E011298AC(_t269, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t253 - 4) = 0xc;
      					E0113765F(_t178,  *(_t178 + 8), _t244);
      				} else {
      					E011298AC(_t203, "SOME_ACTION");
      					E01141B09(_t178, _t249 + 0xc, _t244);
      					_t272 = _t266 - 0x18;
      					_t242 = "Got task configuration ";
      					 *(_t253 - 0x140) = _t272;
      					_push(_t253 - 0x28);
      					E011237FA(_t178, _t272, "Got task configuration ", _t244);
      					_push(_t244);
      					_push(0x277);
      					_t273 = _t272 - 0x18;
      					 *(_t253 - 4) = 0xd;
      					 *(_t253 - 0x144) = _t273;
      					E011298AC(_t273, "void __thiscall InstPC::IPCService::tasks(void)");
      					_t274 = _t273 - 0x18;
      					 *(_t253 - 4) = 0xe;
      					E011298AC(_t274, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t253 - 4) = 0xc;
      					E0113765F(_t178,  *(_t178 + 8), _t244);
      					memset(_t253 - 0x8c, 0, 0x34);
      					_push(0);
      					_t276 = _t274 + 0xc - 0x18;
      					E011298E1(_t276, _t253 - 0x28);
      					E0112CC5B(_t178, _t253 - 0x8c, "Got task configuration ", _t244,  *(_t178 + 8), _t283);
      					_t277 = _t276 - 0x18;
      					 *(_t253 - 4) = 0xf;
      					 *(_t253 - 0x140) = _t277;
      					E011298AC(_t277, "Installer configuration ready");
      					_push(_t244);
      					_push(0x27b);
      					_t278 = _t277 - 0x18;
      					 *(_t253 - 4) = 0x10;
      					 *(_t253 - 0x144) = _t278;
      					E011298AC(_t278, "void __thiscall InstPC::IPCService::tasks(void)");
      					_t279 = _t278 - 0x18;
      					 *(_t253 - 4) = 0x11;
      					E011298AC(_t279, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t253 - 4) = 0xf;
      					E0113765F(_t178,  *(_t178 + 8), _t244);
      					E0112CE12(_t178, _t253 - 0x8c, _t244, _t283);
      					_t244 =  *(_t178 + 8);
      					E011298E1(_t253 - 0x160, _t253 - 0x80);
      					 *(_t253 - 4) = 0x12;
      					_t280 = _t279 - 0x18;
      					_t250 = _t280;
      					 *(_t253 - 0x140) = _t280;
      					 *(_t253 - 0x144) = _t280;
      					E011299A0(_t280, E01124262(_t253 - 0x160, _t280, _t253 - 0x160, "Finished running configuration ", 0x1f));
      					_push(2);
      					_push(0x27e);
      					_t281 = _t280 - 0x18;
      					 *(_t253 - 4) = 0x13;
      					 *(_t253 - 0x144) = _t281;
      					E011298AC(_t281, "void __thiscall InstPC::IPCService::tasks(void)");
      					_t269 = _t281 - 0x18;
      					 *(_t253 - 4) = 0x14;
      					E011298AC(_t269, "C:\\git\\modular-installer\\kernel\\IPCService.cpp");
      					 *(_t253 - 4) = 0x12;
      					E0113765F(_t178,  *(_t178 + 8),  *(_t178 + 8));
      					E01129AC1(_t253 - 0x160);
      					 *(_t253 - 4) = 0xc;
      					E0112CDC0(_t178, _t253 - 0x8c, "Got task configuration ",  *(_t178 + 8));
      				}
      				_push( *((intOrPtr*)(_t178 + 0x2c)));
      				 *(_t253 - 0x140) = _t269 - 0x18;
      				E011298E1(_t269 - 0x18, _t253 - 0x58);
      				 *(_t253 - 4) = 0x17;
      				E011298AC(_t269, "api/report/install");
      				 *(_t253 - 4) = 0xc;
      				_t139 = E01141FCE(_t178, _t253 - 0x13c, _t242, _t244);
      				 *(_t253 - 4) = 0x18;
      				E011299A0(_t253 - 0x160, E01124262(_t139, _t250, _t253 - 0x13c, "Entered ReportUpdateAction - ", 0x1d));
      				E011293B6(_t253 - 0x40, _t250, _t253 - 0x160);
      				E01129AC1(_t253 - 0x160);
      				E01129AC1(_t253 - 0x178);
      				E01129AC1(_t253 - 0x28);
      				E01129AC1(_t253 - 0x40);
      				E0112A67D(_t178, _t253 - 0x13c, _t242, _t244, _t283);
      				return E01143D3B(E01129AC1(_t253 - 0x58), _t178, _t244, _t253 - 0x178);
      			}


      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011314D0
        • Part of subcall function 0113F710: __EH_prolog3.LIBCMT ref: 0113F717
        • Part of subcall function 0113F710: #1511.MFC140U(000000D0,00000004,0112C22B,000000FC,?,0112A166,?), ref: 0113F729
        • Part of subcall function 0113F710: memset.VCRUNTIME140(00000000,00000000,000000D0,0112A166,?), ref: 0113F743
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
        • Part of subcall function 01141B09: __EH_prolog3.LIBCMT ref: 01141B10
        • Part of subcall function 01141B5A: __EH_prolog3.LIBCMT ref: 01141B61
        • Part of subcall function 01124262: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?,00000000,?,?), ref: 011242B5
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?), ref: 011242BF
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(01133C49,01133C49,000000EC,?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?), ref: 011242D5
      • memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,bi.,00000003,zoremov.com,Entered 'Check task' flow), ref: 011315AB
        • Part of subcall function 0112A5E2: __EH_prolog3.LIBCMT ref: 0112A5E9
        • Part of subcall function 01141FCE: __EH_prolog3.LIBCMT ref: 01141FD5
        • Part of subcall function 0113082A: __EH_prolog3_GS.LIBCMT ref: 01130834
        • Part of subcall function 0113082A: memset.VCRUNTIME140(?,00000000,000000B0,000000E0,01131679,?,alg.), ref: 01130864
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: _Xtime_get_ticks.MSVCP140 ref: 011376CA
        • Part of subcall function 0113765F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
      • memset.VCRUNTIME140(?,00000000,00000034,C:\git\modular-installer\kernel\IPCService.cpp), ref: 01131706
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 0112CC5B: __EH_prolog3_GS.LIBCMT ref: 0112CC65
        • Part of subcall function 0112CC5B: memset.VCRUNTIME140(?,00000000,000000A8,?,?,actions), ref: 0112CD31
        • Part of subcall function 0112CE12: __EH_prolog3_GS.LIBCMT ref: 0112CE1C
        • Part of subcall function 0112CE12: memset.VCRUNTIME140(?,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CEA5
        • Part of subcall function 0112CE12: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@I@Z.MSVCP140(00000000,00000000,00000098,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112CED0
        • Part of subcall function 0112CE12: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 0112CEDD
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3memset$H_prolog3_$V01@memcpy$#1511??6?$basic_ostream@_U?$char_traits@_W@std@@@std@@$ExceptionThrowUnothrow_t@std@@@V01@@Xtime_get_ticks__ehfuncinfo$??2@memmove
      • String ID: C:\git\modular-installer\kernel\IPCService.cpp$CHECK_TASK$Entered 'Check task' flow$Entered ReportUpdateAction - $Fetching tasks$Finished running configuration $Got task configuration $Installer configuration ready$No task actions waiting$No tasks found.$SOME_ACTION$alg.$api/report/install$bi.$task-for$void __thiscall InstPC::IPCService::tasks(void)$zoremov.com
      • API String ID: 1977236018-2544440031
      • Opcode ID: 207e8b865f3d1507aefe13ecb810bdc42f33773fc450357b1b4b34cdb4f1c866
      • Instruction ID: 89a89d7472d8c1c23eafc76eb47058cb6e7d1a6065fec7ab5f69b407d19a242b
      • Opcode Fuzzy Hash: 207e8b865f3d1507aefe13ecb810bdc42f33773fc450357b1b4b34cdb4f1c866
      • Instruction Fuzzy Hash: C6C17A30A0026DEBDF1CF7ADCD16BDD7A74AB65B18F4440CCD1096B181DBB51A189BE2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0112FC67(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
      				void* _t277;
      				void* _t368;
      				intOrPtr _t372;
      				void* _t393;
      				void* _t394;
      				void* _t395;
      				void* _t396;
      				intOrPtr _t397;
      				void* _t398;
      				intOrPtr _t399;
      				void* _t400;
      				intOrPtr _t401;
      				void* _t402;
      				intOrPtr _t403;
      				void* _t404;
      				intOrPtr _t405;
      				void* _t406;
      				intOrPtr _t407;
      				void* _t408;
      				intOrPtr _t409;
      				void* _t410;
      				void* _t411;
      				void* _t412;
      				void* _t415;
      
      				_t415 = __eflags;
      				_t277 = __ecx;
      				E01143D91(E0114741A, __ebx, __edi, 0x388);
      				_t276 = _t277;
      				E011298E1(_t393 - 0x2fc, 0x115a0cc);
      				 *(_t393 - 4) =  *(_t393 - 4) & 0x00000000;
      				E011298E1(_t393 - 0x2e4, 0x115a0b4);
      				 *(_t393 - 4) = 1;
      				E011298AC(_t393 - 0x374, "1248");
      				 *(_t393 - 4) = 2;
      				E011298AC(_t393 - 0x254, "UNKNOWN");
      				 *(_t393 - 4) = 3;
      				E011298AC(_t393 - 0x23c, "UNKNOWN");
      				 *(_t393 - 4) = 4;
      				E011298AC(_t393 - 0x2cc, "GS_ABE_LABS_LTD_SIGNATURE");
      				 *(_t393 - 4) = 5;
      				E011298AC(_t393 - 0x2b4, "zoremov");
      				 *(_t393 - 4) = 6;
      				E011298AC(_t393 - 0x29c, "edge");
      				 *(_t393 - 4) = 7;
      				E011298E1(_t393 - 0x394, 0x115a06c);
      				E011293B6(_t393 - 0x254, "edge", _t393 - 0x394);
      				E01129AC1(_t393 - 0x394);
      				E011293B6(_t393 - 0x23c, "edge", E011345E9(_t277, _t393 - 0x394, __edi));
      				E01129AC1(_t393 - 0x394);
      				_t395 = _t394 - 0x18;
      				E011298AC(_t395, "ff");
      				_push(_t393 - 0x35c);
      				E0112EF1A(_t277, __edi, _t415);
      				_t396 = _t395 - 0x18;
      				 *(_t393 - 4) = 8;
      				E011298AC(_t396, "edge");
      				_push(_t393 - 0x344);
      				E0112EF1A(_t277, __edi, _t415);
      				GetModuleFileNameW(0, _t393 - 0x218, 0x104);
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				 *((intOrPtr*)(_t393 - 0x224)) = 0;
      				 *((intOrPtr*)(_t393 - 0x220)) = 0;
      				 *((intOrPtr*)(_t393 - 0x21c)) = 0;
      				 *(_t393 - 4) = 0xa;
      				 *(_t393 - 0x384) = 0;
      				_t372 = 7;
      				 *((short*)(_t393 - 0x394)) = 0;
      				 *((intOrPtr*)(_t393 - 0x380)) = 0;
      				E0112BA2B(_t393 - 0x218);
      				 *(_t393 - 4) = 0xb;
      				E0113D01B(_t276, _t393 - 0x394, _t393 - 0x224, _t393 - 0x224);
      				 *(_t393 - 4) = 0xa;
      				E01129A96(_t393 - 0x394);
      				 *(_t393 - 0x384) =  *(_t393 - 0x384) & 0x00000000;
      				 *((intOrPtr*)(_t393 - 0x380)) = _t372;
      				 *((short*)(_t393 - 0x394)) = 0;
      				E0112BA2B(0x114c5d4);
      				 *(_t393 - 4) = 0xc;
      				_push(_t393 - 0x394);
      				E011400AF(_t276, _t393 - 0x284, _t393 - 0x224, _t393 - 0x224);
      				 *(_t393 - 4) = 0xe;
      				E01129A96(_t393 - 0x394);
      				E01136693(_t276, _t393 - 0x32c, _t393 - 0x284, _t393 - 0x224);
      				 *(_t393 - 4) = 0xf;
      				E011298AC(_t393 - 0x26c, "-update");
      				 *(_t393 - 4) = 0x10;
      				_t61 = E011214A8(_t276, _t393 - 0x224) + 0xe4; // 0xe4
      				E01131C95(_t276, _t61, _t393 - 0x224, _t372, _t393 - 0x314,  *((intOrPtr*)(_t393 - 0x25c)), 0xffffffff);
      				_t368 = 0x10;
      				 *(_t393 - 4) = 0x11;
      				E011298E1(_t393 - 0x394, _t393 - 0x2fc);
      				_t397 = _t396 - 0x18;
      				 *(_t393 - 4) = 0x12;
      				 *((intOrPtr*)(_t393 - 0x378)) = _t397;
      				E011298E1(_t397, _t393 - 0x394);
      				_t398 = _t397 - 0x18;
      				 *(_t393 - 4) = 0x13;
      				E011298AC(_t398, "apl_id");
      				 *(_t393 - 4) = 0x12;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E011298E1(_t393 - 0x394, _t393 - 0x2e4);
      				_t399 = _t398 - 0x18;
      				 *(_t393 - 4) = 0x14;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t399;
      				E011298E1(_t399, _t393 - 0x394);
      				_t400 = _t399 - 0x18;
      				 *(_t393 - 4) = 0x15;
      				E011298AC(_t400, "suid");
      				 *(_t393 - 4) = 0x14;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E011298E1(_t393 - 0x394, _t393 - 0x23c);
      				_t401 = _t400 - 0x18;
      				 *(_t393 - 4) = 0x16;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t401;
      				E011298E1(_t401, _t393 - 0x394);
      				_t402 = _t401 - 0x18;
      				 *(_t393 - 4) = 0x17;
      				E011298AC(_t402, "operating_sys_version");
      				 *(_t393 - 4) = 0x16;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E011298E1(_t393 - 0x394, _t393 - 0x254);
      				_t403 = _t402 - 0x18;
      				 *(_t393 - 4) = 0x18;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t403;
      				E011298E1(_t403, _t393 - 0x394);
      				_t404 = _t403 - 0x18;
      				 *(_t393 - 4) = 0x19;
      				E011298AC(_t404, "operating_sys_kind");
      				 *(_t393 - 4) = 0x18;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E011298E1(_t393 - 0x394, _t393 - 0x2cc);
      				_t405 = _t404 - 0x18;
      				 *(_t393 - 4) = 0x1a;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t405;
      				E011298E1(_t405, _t393 - 0x394);
      				_t406 = _t405 - 0x18;
      				 *(_t393 - 4) = 0x1b;
      				E011298AC(_t406, "signed");
      				 *(_t393 - 4) = 0x1a;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E011298E1(_t393 - 0x394, _t393 - 0x2b4);
      				_t407 = _t406 - 0x18;
      				 *(_t393 - 4) = 0x1c;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t407;
      				E011298E1(_t407, _t393 - 0x394);
      				_t408 = _t407 - 0x18;
      				 *(_t393 - 4) = 0x1d;
      				E011298AC(_t408, "ident");
      				 *(_t393 - 4) = 0x1c;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				E0112EC7C(_t276, _t393 - 0x394, _t393 - 0x284, _t368, _t415);
      				_t409 = _t408 - 0x18;
      				 *(_t393 - 4) = 0x1e;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t409;
      				E011298E1(_t409, _t393 - 0x394);
      				_t410 = _t409 - 0x18;
      				 *(_t393 - 4) = 0x1f;
      				E011298AC(_t410, "apl_name");
      				 *(_t393 - 4) = 0x1e;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368, _t415);
      				 *(_t393 - 4) = 0x11;
      				E01129AC1(_t393 - 0x394);
      				_push(1);
      				_t411 = _t410 - 0x18;
      				E011298AC(_t411, "has_started");
      				E0113ABD1(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368);
      				_t412 = _t411 - 0x18;
      				E011298AC(_t412, "has_completed");
      				E0113ABD1(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368);
      				E011298E1(_t393 - 0x394, _t393 - 0x29c);
      				 *(_t393 - 4) = 0x20;
      				 *((intOrPtr*)(_t393 - 0x37c)) = _t412 - 0x18;
      				E011298E1(_t412 - 0x18, _t393 - 0x394);
      				 *(_t393 - 4) = 0x21;
      				E011298AC(_t412, "browser");
      				 *(_t393 - 4) = 0x20;
      				E0113AACB(_t276,  *((intOrPtr*)(_t276 + 0x2c)) + _t368, _t368,  *((intOrPtr*)(_t276 + 0x2c)) + _t368);
      				E01129AC1(_t393 - 0x394);
      				E01129AC1(_t393 - 0x314);
      				E01129AC1(_t393 - 0x26c);
      				E01129AC1(_t393 - 0x32c);
      				E01129A96(_t393 - 0x284);
      				E011242FB(_t393 - 0x224);
      				E01129A96(_t393 - 0x344);
      				E01129A96(_t393 - 0x35c);
      				E01129AC1(_t393 - 0x29c);
      				E01129AC1(_t393 - 0x2b4);
      				E01129AC1(_t393 - 0x2cc);
      				E01129AC1(_t393 - 0x23c);
      				E01129AC1(_t393 - 0x254);
      				E01129AC1(_t393 - 0x374);
      				E01129AC1(_t393 - 0x2e4);
      				return E01143D3B(E01129AC1(_t393 - 0x2fc), _t276, _t368, 0);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112FC71
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 011345E9: __EH_prolog3_GS.LIBCMT ref: 011345F3
        • Part of subcall function 011345E9: memset.VCRUNTIME140(?,00000000,000000B0,00000134,0112C2EE,?,0115A06C,edge,1248,0115A0CC,0115A09C,0115A0B4,UNKNOWN,UNKNOWN,000000FC), ref: 01134667
        • Part of subcall function 011345E9: ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(0115B5F8), ref: 011347C2
        • Part of subcall function 0112EF1A: __EH_prolog3_GS.LIBCMT ref: 0112EF24
      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,edge), ref: 0112FDAA
        • Part of subcall function 0113D01B: __EH_prolog3_GS.LIBCMT ref: 0113D025
        • Part of subcall function 0113D01B: memset.VCRUNTIME140(?,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380,01130AD3), ref: 0113D043
        • Part of subcall function 0113D01B: GetFileVersionInfoSizeW.VERSION(?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380), ref: 0113D06B
        • Part of subcall function 0113D01B: GetLastError.KERNEL32(?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380), ref: 0113D08D
        • Part of subcall function 0113D01B: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000,?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113D096
        • Part of subcall function 0113D01B: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6,?,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113D0A3
        • Part of subcall function 0113D01B: ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5,0114BF44,SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe,00000090,0112F492,?,0114C9C0,1248), ref: 0113D2A6
        • Part of subcall function 011400AF: __EH_prolog3_GS.LIBCMT ref: 011400B9
        • Part of subcall function 011400AF: memset.VCRUNTIME140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 011400EB
        • Part of subcall function 011400AF: ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 0114013A
        • Part of subcall function 011400AF: ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 01140168
        • Part of subcall function 01136693: __EH_prolog3_GS.LIBCMT ref: 0113669A
        • Part of subcall function 01136693: memset.VCRUNTIME140(?,00000000,00000050,0000005C,0113458E,?,?), ref: 011366B1
        • Part of subcall function 011214A8: __EH_prolog3.LIBCMT ref: 011214AF
        • Part of subcall function 011214A8: memset.VCRUNTIME140(0115B430,00000000,000000FC,00000000,01136624,00000004,0112C1FD,000000FC,?,0112A166,?), ref: 011214EF
        • Part of subcall function 0113AACB: __EH_prolog3.LIBCMT ref: 0113AAD2
        • Part of subcall function 0112EC7C: __EH_prolog3_GS.LIBCMT ref: 0112EC86
        • Part of subcall function 0112EC7C: memset.VCRUNTIME140(?,00000000,00000208,0114C098,00000280,0112FA68,browser_on_pc), ref: 0112ECCE
        • Part of subcall function 0112EC7C: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,00000280,0112FA68,browser_on_pc), ref: 0112ECE2
        • Part of subcall function 0113ABD1: __EH_prolog3.LIBCMT ref: 0113ABD8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_$U?$char_traits@_W@std@@@std@@memset$V01@$??1?$basic_ios@_??6?$basic_ostream@_H_prolog3$File$ErrorFolderInfoLastModuleNamePathSizeV01@@Versionmemcpy
      • String ID: $-update$1248$GS_ABE_LABS_LTD_SIGNATURE$UNKNOWN$apl_id$apl_name$browser$edge$has_completed$has_started$ident$operating_sys_kind$operating_sys_version$signed$suid$zoremov
      • API String ID: 1605650935-462808059
      • Opcode ID: b31913a53f4c7984c084cac058b5e4978c353d005ff2b132a2ba55cd8bf33e62
      • Instruction ID: 97aaa72207e30fddd56aada551f9263761cfa80294e586ccb8345c8e838f1c00
      • Opcode Fuzzy Hash: b31913a53f4c7984c084cac058b5e4978c353d005ff2b132a2ba55cd8bf33e62
      • Instruction Fuzzy Hash: 55F16B3190027EDBDF2AFB68C954BDCBBB89F2530CF5840D8D40967281DBB41B599B92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E01134250(void* __ebx, intOrPtr __ecx, intOrPtr* __edi) {
      				signed int _t60;
      				void* _t64;
      				void* _t65;
      				void* _t66;
      				void* _t67;
      				void* _t68;
      				intOrPtr* _t70;
      				void* _t72;
      				void* _t82;
      				void* _t93;
      				void* _t94;
      				void* _t95;
      				void* _t96;
      				void* _t99;
      				int _t110;
      				signed char _t111;
      				intOrPtr _t112;
      				intOrPtr _t128;
      				void* _t199;
      				intOrPtr _t202;
      				void* _t203;
      
      				_t197 = __edi;
      				_t112 = __ecx;
      				E01143D91(E01148159, __ebx, __edi, 0x220);
      				_t202 = _t112;
      				 *((intOrPtr*)(_t203 - 0x1fc)) = _t202;
      				_t110 = 0;
      				 *((intOrPtr*)(_t203 - 0x1fc)) = _t202;
      				 *(_t203 - 0x1f8) = 0;
      				_t56 =  *0x115b5d8;
      				if( *0x115b5d8 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
      					_t197 = 0x115b5d8;
      					E01143804(_t56, 0x115b5d8);
      					_t205 =  *0x115b5d8 - 0xffffffff;
      					if( *0x115b5d8 == 0xffffffff) {
      						 *0x115b5ec = 0;
      						 *0x115b5f0 = 0xf;
      						 *0x115b5dc = 0;
      						E01143B16(_t205, E0114A0CA);
      						E011437BA(0x115b5d8);
      					}
      				}
      				memset(_t203 - 0xd8, _t110, 0xb0);
      				E01134AD8(_t110, _t203 - 0xd8, _t197);
      				 *(_t203 - 4) = _t110;
      				if( *0x115b5ec == 0) {
      					_t60 = E0113420D(_t203 - 0x1f4);
      					__eflags = _t60;
      					if(_t60 != 0) {
      						 *(_t203 - 0x18) = _t110;
      						 *((short*)(_t203 - 0x28)) = 0;
      						 *((intOrPtr*)(_t203 - 0x14)) = 7;
      						E0112BA2B(_t203 - 0x1e0);
      						 *(_t203 - 4) = 1;
      						_t64 = E01123A5E(_t110, _t203 - 0xc8, L"Windows ", _t197);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z( *((intOrPtr*)(_t203 - 0x1f0)));
      						_t65 = E01123A5E(_t110, _t64, 0x114c5d4, 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z( *((intOrPtr*)(_t203 - 0x1ec)));
      						_t66 = E01123A5E(_t110, _t65, 0x114c5d4, 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z( *((intOrPtr*)(_t203 - 0x1e4)));
      						_t67 = E01134DB8(_t110, _t66, "/", 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z( *((intOrPtr*)(_t203 - 0x1e8)));
      						_t68 = E01123A5E(_t110, _t67, L" (", 0x114c5d4);
      						__eflags =  *(_t203 - 0x18);
      						_t199 = _t68;
      						if( *(_t203 - 0x18) != 0) {
      							_t70 = E01129A21(_t203 - 0x22c, _t203 - 0x28);
      							 *(_t203 - 4) = 3;
      							_t111 = 4;
      						} else {
      							 *(_t203 - 0x204) = _t110;
      							 *((intOrPtr*)(_t203 - 0x200)) = 7;
      							 *((short*)(_t203 - 0x214)) = 0;
      							E0112BA2B(0x114bf44);
      							_t111 = 2;
      							_t70 = _t203 - 0x214;
      							 *(_t203 - 4) = _t111;
      						}
      						__eflags =  *((intOrPtr*)(_t70 + 0x14)) - 8;
      						_t128 =  *((intOrPtr*)(_t70 + 0x10));
      						 *(_t203 - 0x1f8) = _t111;
      						if( *((intOrPtr*)(_t70 + 0x14)) >= 8) {
      							_t70 =  *_t70;
      						}
      						_push(_t128);
      						_t72 = E01134DB8(_t111, E01124358(_t111, _t199, _t70, _t199), ")", _t199);
      						_t200 = " ";
      						E01134DB8(_t111, E01123A5E(_t111, E01134DB8(_t111, E01123A5E(_t111, E01134DB8(_t111, E01123A5E(_t111, _t72, " ", " "), "673ae6306d8266a780df868d6772aab3b9662e0f", _t200), _t200, _t200), "1248", _t200), _t200, _t200), "1582447612575780", _t200);
      						__eflags = _t111 & 0x00000004;
      						if((_t111 & 0x00000004) != 0) {
      							_t111 = _t111 & 0xfffffffb;
      							__eflags = _t111;
      							E01129A96(_t203 - 0x22c);
      						}
      						 *(_t203 - 4) = 1;
      						__eflags = _t111 & 0x00000002;
      						if((_t111 & 0x00000002) != 0) {
      							E01129A96(_t203 - 0x214);
      						}
      						_t110 = 0;
      						__eflags = 0;
      						 *(_t203 - 4) = 0;
      						E01129A96(_t203 - 0x28);
      					} else {
      						_t93 = E01123A5E(_t110, _t203 - 0xc8, L"Windows ", _t197);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z(_t110);
      						_t94 = E01123A5E(_t110, _t93, 0x114c5d4, 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z(_t110);
      						_t95 = E01123A5E(_t110, _t94, 0x114c5d4, 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z(_t110);
      						_t96 = E01134DB8(_t110, _t95, "/", 0x114c5d4);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z(_t110);
      						_t99 = E01134DB8(_t110, E01123A5E(_t110, E01123A5E(_t110, _t96, L" (", 0x114c5d4), 0x114bf44, 0x114c5d4), ")", 0x114c5d4);
      						_t200 = " ";
      						E01134DB8(_t110, E01123A5E(_t110, E01134DB8(_t110, E01123A5E(_t110, E01134DB8(_t110, E01123A5E(_t110, _t99, " ", " "), "673ae6306d8266a780df868d6772aab3b9662e0f", _t200), _t200, _t200), "1248", _t200), _t200, _t200), "1582447612575780", _t200);
      					}
      					_push(_t203 - 0x214);
      					E01134C1E(_t110, _t203 - 0xc0, _t200);
      					 *(_t203 - 4) = 4;
      					_t82 = E01136693(_t110, _t203 - 0x22c, _t203 - 0x214, _t200);
      					_t197 = 0x115b5dc;
      					E011293B6(0x115b5dc, _t202, _t82);
      					E01129AC1(_t203 - 0x22c);
      					 *(_t203 - 4) = _t110;
      					E01129A96(_t203 - 0x214);
      					_push(0x115b5dc);
      				} else {
      					_push(0x115b5dc);
      				}
      				E011298E1(_t202);
      				E01134AA8();
      				__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      				return E01143D3B(_t202, _t110, _t197);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113425A
      • memset.VCRUNTIME140(?,00000000,000000B0,00000220,01133C34), ref: 011342D4
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(0115B5DC,00000000,?,?), ref: 011345C7
        • Part of subcall function 01143804: EnterCriticalSection.KERNEL32(0115B04C,0115B5D8,?,?,01134295,0115B5D8,00000220,01133C34), ref: 0114380F
        • Part of subcall function 01143804: LeaveCriticalSection.KERNEL32(0115B04C,?,?,01134295,0115B5D8,00000220,01133C34), ref: 0114384C
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000,00000000,000000B0,00000220,01133C34), ref: 01134321
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000), ref: 01134338
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000), ref: 0113434A
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000), ref: 0113435F
        • Part of subcall function 011437BA: EnterCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437C4
        • Part of subcall function 011437BA: LeaveCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437F7
        • Part of subcall function 01123A5E: __EH_prolog3_catch.LIBCMT ref: 01123A65
        • Part of subcall function 01123A5E: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123BD0
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?,?,00000000,000000B0,00000220,01133C34), ref: 0113440D
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B10
        • Part of subcall function 01123A5E: ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP140(?,?,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B41
        • Part of subcall function 01123A5E: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B6C
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?), ref: 01134429
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?), ref: 01134440
        • Part of subcall function 01134DB8: __EH_prolog3_catch.LIBCMT ref: 01134DBF
        • Part of subcall function 01134DB8: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,0000003C,01134452), ref: 01134FC9
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?), ref: 0113445A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_V01@$CriticalSection$?setstate@?$basic_ios@_?sputc@?$basic_streambuf@_EnterH_prolog3_catchLeave$??1?$basic_ios@_?sputn@?$basic_streambuf@_H_prolog3_memset
      • String ID: 1248$1582447612575780$673ae6306d8266a780df868d6772aab3b9662e0f$Windows
      • API String ID: 3082650916-919791293
      • Opcode ID: df91168788a75ace97bbdc30a701c3b4a252b2270c2b509c11a591100d255951
      • Instruction ID: 5a67530bea634b57561f029f125309a99e8933f85c0a8a04dbf57f94d2d53328
      • Opcode Fuzzy Hash: df91168788a75ace97bbdc30a701c3b4a252b2270c2b509c11a591100d255951
      • Instruction Fuzzy Hash: DB81B730F0421A8BCF1CEBB4D558AED76E2BFE4608F5484A9D425A7784DF348E458B54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 63%
      			E01142132(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi) {
      				intOrPtr _t79;
      				void* _t80;
      				void* _t100;
      				void* _t102;
      				intOrPtr* _t106;
      				int _t117;
      				intOrPtr _t119;
      				intOrPtr _t138;
      				intOrPtr _t142;
      				intOrPtr _t152;
      				intOrPtr* _t163;
      				intOrPtr* _t171;
      				intOrPtr* _t173;
      				int _t176;
      				intOrPtr* _t177;
      				void* _t181;
      
      				_t119 = __ecx;
      				E01143D91(E01149D01, __ebx, __edi, 0x17c);
      				 *((intOrPtr*)(_t181 - 0x140)) = __edx;
      				 *((intOrPtr*)(_t181 - 0x13c)) = _t119;
      				_t117 = 0;
      				 *(_t181 - 0x130) = 0;
      				if( *((intOrPtr*)(__edx + 0x10)) != 0) {
      					_push(__edx);
      					_t171 = E0112374F(0, _t181 - 0x170, L" with args ", __edi);
      					_push(2);
      					 *((intOrPtr*)(_t181 - 4)) = 1;
      					_pop(1);
      				} else {
      					 *((intOrPtr*)(_t181 - 0x148)) = 0;
      					 *((intOrPtr*)(_t181 - 0x144)) = 7;
      					 *((short*)(_t181 - 0x158)) = 0;
      					E0112BA2B(0x114bf44);
      					 *((intOrPtr*)(_t181 - 4)) = 0;
      					_t171 = _t181 - 0x158;
      				}
      				_push( *((intOrPtr*)(_t181 - 0x13c)));
      				 *(_t181 - 0x130) = 1;
      				_t163 = E0112374F(_t117, _t181 - 0x188, L"Launching process ", _t171);
      				 *((intOrPtr*)(_t181 - 4)) = 2;
      				_t79 =  *((intOrPtr*)(_t171 + 0x10));
      				 *((intOrPtr*)(_t181 - 0x134)) =  *((intOrPtr*)(_t163 + 0x10));
      				 *((intOrPtr*)(_t181 - 0x138)) = _t79;
      				if(_t79 <=  *((intOrPtr*)(_t163 + 0x14)) -  *((intOrPtr*)(_t181 - 0x134))) {
      					L9:
      					if( *((intOrPtr*)(_t171 + 0x14)) >= 8) {
      						_t171 =  *_t171;
      					}
      					_t80 = E011295CD(_t163, _t171, _t79);
      				} else {
      					_t157 =  *((intOrPtr*)(_t181 - 0x134));
      					if( *((intOrPtr*)(_t171 + 0x14)) -  *((intOrPtr*)(_t181 - 0x138)) <  *((intOrPtr*)(_t181 - 0x134))) {
      						_t79 =  *((intOrPtr*)(_t181 - 0x138));
      						goto L9;
      					} else {
      						if( *((intOrPtr*)(_t163 + 0x14)) >= 8) {
      							_t163 =  *_t163;
      						}
      						_t80 = E01142411(_t171, _t171, _t157, _t163, _t157);
      					}
      				}
      				E011299D1(_t181 - 0x40, _t80);
      				 *(_t181 - 0x130) = 5;
      				E01129A96(_t181 - 0x188);
      				_t83 = 5;
      				if(0 != 0) {
      					 *(_t181 - 0x130) = 5;
      					E01129A96(_t181 - 0x170);
      					_t83 =  *(_t181 - 0x130);
      				}
      				 *((char*)(_t181 - 4)) = 6;
      				if((_t83 & 0x00000001) != 0) {
      					E01129A96(_t181 - 0x158);
      				}
      				_t176 = 0x44;
      				memset(_t181 - 0x84, _t117, _t176);
      				 *(_t181 - 0x84) = _t176;
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				asm("stosd");
      				_t173 =  *((intOrPtr*)(_t181 - 0x13c));
      				E01129A21(_t181 - 0x28, _t173);
      				_t177 =  *((intOrPtr*)(_t181 - 0x140));
      				 *((char*)(_t181 - 4)) = 7;
      				if( *((intOrPtr*)(_t177 + 0x10)) != _t117) {
      					_push(_t177);
      					_t106 = E0112374F(_t117, _t181 - 0x170, " ", _t173);
      					 *((char*)(_t181 - 4)) = 8;
      					_t152 =  *((intOrPtr*)(_t106 + 0x10));
      					if( *((intOrPtr*)(_t106 + 0x14)) >= 8) {
      						_t106 =  *_t106;
      					}
      					E011295CD(_t181 - 0x28, _t106, _t152);
      					 *((char*)(_t181 - 4)) = 7;
      					E01129A96(_t181 - 0x170);
      				}
      				_t89 =  >=  ?  *((void*)(_t181 - 0x28)) : _t181 - 0x28;
      				if(CreateProcessW(_t117,  >=  ?  *((void*)(_t181 - 0x28)) : _t181 - 0x28, _t117, _t117, _t117, 0x8000000, _t117, _t117, _t181 - 0x84, _t181 - 0x12c) != 0) {
      					CloseHandle( *(_t181 - 0x128));
      					CloseHandle( *(_t181 - 0x12c));
      					_t117 = 1;
      				} else {
      					memset(_t181 - 0x11c, _t117, 0x98);
      					E01122ED0(_t117, _t181 - 0x11c, _t173);
      					 *((char*)(_t181 - 4)) = 9;
      					_t100 = E01123A5E(_t117, _t181 - 0x11c, L"Failed to launch process ", _t173);
      					_t138 =  *((intOrPtr*)(_t173 + 0x10));
      					if( *((intOrPtr*)(_t173 + 0x14)) >= 8) {
      						_t173 =  *_t173;
      					}
      					_push(_t138);
      					_t102 = E01123A5E(_t117, E01124358(_t117, _t100, _t173, _t173), L" with command line args ", _t173);
      					_t142 =  *((intOrPtr*)(_t177 + 0x10));
      					if( *((intOrPtr*)(_t177 + 0x14)) >= 8) {
      						_t177 =  *_t177;
      					}
      					E01123A5E(_t117, E01124358(_t117, _t102, _t177, _t173), L". Error: ", _t173);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(GetLastError(), _t142);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      					E01122EA0();
      					__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      				}
      				E01129A96(_t181 - 0x28);
      				E01129A96(_t181 - 0x40);
      				return E01143D3B(_t117, _t117, _t173);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0114213C
      • memset.VCRUNTIME140(?,00000000,00000044,00000000,00000000,?,0000017C,0112AF8B), ref: 0114228E
      • CreateProcessW.KERNEL32 ref: 01142325
      • memset.VCRUNTIME140(?,00000000,00000098), ref: 01142340
      • GetLastError.KERNEL32(00000000,00000098), ref: 011423AB
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000), ref: 011423B4
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 011423C1
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140 ref: 011423D8
      • CloseHandle.KERNEL32(?), ref: 011423EC
      • CloseHandle.KERNEL32(?), ref: 011423F4
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_V01@W@std@@@std@@$??6?$basic_ostream@_CloseHandlememset$??1?$basic_ios@_CreateErrorH_prolog3_LastProcessV01@@
      • String ID: with args $ with command line args $. Error: $Failed to launch process $Launching process
      • API String ID: 2976640525-445417678
      • Opcode ID: b232931325d4621e06470a9a4ac806060ba1910dbe20633f687fd466bdb63d1f
      • Instruction ID: 04c3eaeee58c251f5f853d657151a6620e0b655be6f32838bbbe0b4ad56e58b4
      • Opcode Fuzzy Hash: b232931325d4621e06470a9a4ac806060ba1910dbe20633f687fd466bdb63d1f
      • Instruction Fuzzy Hash: F3818F71904229DFDB2CDF68EC94ADDB7B5BF58704F1041A9E109A7240DB34AE85CF60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E01122A18(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
      				_Unknown_base(*)()* _t48;
      				void* _t58;
      				void* _t64;
      				void* _t74;
      				void* _t75;
      				long _t106;
      				void* _t110;
      				void* _t111;
      				intOrPtr _t112;
      				intOrPtr _t113;
      				void* _t114;
      				intOrPtr _t115;
      				intOrPtr _t118;
      
      				_t75 = __ecx;
      				E01143D91(E01145AEE, __ebx, __edi, 0xf0);
      				_t74 = _t75;
      				E011298AC(_t110 - 0x28, "Fetching runner address");
      				 *(_t110 - 4) =  *(_t110 - 4) & 0x00000000;
      				_t112 = _t111 - 0x18;
      				 *((intOrPtr*)(_t110 - 0xdc)) = _t112;
      				E011298E1(_t112, _t110 - 0x28);
      				_push(2);
      				_push(0xda);
      				_t113 = _t112 - 0x18;
      				 *(_t110 - 4) = 1;
      				 *((intOrPtr*)(_t110 - 0xe0)) = _t113;
      				E011298AC(_t113, "int (__cdecl *__thiscall InstPC::Action::fetchRunner(void))(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,void *)");
      				_t114 = _t113 - 0x18;
      				 *(_t110 - 4) = 2;
      				E011298AC(_t114, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *(_t110 - 4) = 0;
      				E0113765F(_t74,  *((intOrPtr*)(_t74 + 8)), __edi);
      				_t48 = GetProcAddress( *(_t74 + 0x9c), "run");
      				_t105 = _t48;
      				if(_t48 == 0) {
      					_t106 = GetLastError();
      					E011298AC(_t110 - 0x40, "Failed to load DLL runner");
      					 *(_t110 - 4) = 3;
      					memset(_t110 - 0xd8, 0, 0x98);
      					E01122ED0(_t74, _t110 - 0xd8, _t106);
      					_t115 = _t114 - 0x18;
      					 *(_t110 - 4) = 4;
      					 *((intOrPtr*)(_t110 - 0xe4)) = _t115;
      					E011298AC(_t115, "Failed to load DLL runner");
      					_t116 = _t115 - 0x18;
      					 *(_t110 - 4) = 5;
      					 *((intOrPtr*)(_t110 - 0xe0)) = _t115 - 0x18;
      					E011298AC(_t115 - 0x18, "int (__cdecl *__thiscall InstPC::Action::fetchRunner(void))(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,void *)");
      					 *(_t110 - 4) = 6;
      					E011298AC(_t116 - 0x18, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      					 *(_t110 - 4) = 4;
      					E0113765F(_t74,  *((intOrPtr*)(_t74 + 8)), _t106);
      					_t58 = E01136637(_t74, _t110 - 0xfc, _t110 - 0x40, _t106);
      					 *(_t110 - 4) = 7;
      					E01123A5E(_t74, E01123A4B(_t110 - 0xd8, _t58), L". Error: ", _t106);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(_t106, 0xe3, 4);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      					 *(_t110 - 4) = 4;
      					E011214A3(_t110 - 0xfc);
      					E011299A0(_t110 - 0xfc, _t110 - 0x40);
      					_push(0x1156050);
      					_t64 = _t110 - 0xfc;
      					_push(_t64);
      					L01145637();
      					asm("int3");
      					return _t64;
      				}
      				E01129863(_t110 - 0x28, "DLL runner loaded", 0x11);
      				_t118 = _t114 - 0x18;
      				 *((intOrPtr*)(_t110 - 0xe4)) = _t118;
      				E011298AC(_t118, "DLL runner loaded");
      				_push(2);
      				_t119 = _t118 - 0x18;
      				 *(_t110 - 4) = 8;
      				 *((intOrPtr*)(_t110 - 0xe0)) = _t118 - 0x18;
      				E011298AC(_t118 - 0x18, "int (__cdecl *__thiscall InstPC::Action::fetchRunner(void))(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,void *)");
      				 *(_t110 - 4) = 9;
      				E011298AC(_t119 - 0x18, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *(_t110 - 4) = 0;
      				E0113765F(_t74,  *((intOrPtr*)(_t74 + 8)), _t105);
      				E01129AC1(_t110 - 0x28);
      				return E01143D3B(_t105, _t74, _t105, 0xea);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01122A22
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      • GetProcAddress.KERNEL32(?,run), ref: 01122A9A
      • GetLastError.KERNEL32 ref: 01122B1B
      • memset.VCRUNTIME140(?,00000000,00000098,Failed to load DLL runner), ref: 01122B42
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(00000000,C:\git\modular-installer\kernel\Action.cpp), ref: 01122BDB
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003BE6), ref: 01122BE8
      • _CxxThrowException.VCRUNTIME140(?,01156050,?), ref: 01122C18
        • Part of subcall function 01129863: memmove.VCRUNTIME140(?,00000010,?,?,?,?,?,?), ref: 01129885
        • Part of subcall function 0113765F: _Xtime_get_ticks.MSVCP140 ref: 011376CA
        • Part of subcall function 0113765F: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011376D8
      Strings
      • run, xrefs: 01122A8F
      • . Error: , xrefs: 01122BCC
      • DLL runner loaded, xrefs: 01122AA8, 01122AC3
      • int (__cdecl *__thiscall InstPC::Action::fetchRunner(void))(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<, xrefs: 01122A67, 01122AE3, 01122B85
      • Fetching runner address, xrefs: 01122A29
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 01122A7A, 01122AF6, 01122B98
      • Failed to load DLL runner, xrefs: 01122B21, 01122B65
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: V01@$??6?$basic_ostream@_ExceptionH_prolog3_ThrowU?$char_traits@_W@std@@@std@@$#1511AddressErrorLastProcUnothrow_t@std@@@V01@@Xtime_get_ticks__ehfuncinfo$??2@memmovememset
      • String ID: . Error: $C:\git\modular-installer\kernel\Action.cpp$DLL runner loaded$Failed to load DLL runner$Fetching runner address$int (__cdecl *__thiscall InstPC::Action::fetchRunner(void))(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<$run
      • API String ID: 1341930383-2254911189
      • Opcode ID: 5a3cb719d77f0a77eee4b68e8d44bf4bb371648f001ee1fea183a477dd73b4ca
      • Instruction ID: 00c34fa2a6023bc8e793f9443ef35f6d0d4b87ecde83547ba9d7f8b625883c05
      • Opcode Fuzzy Hash: 5a3cb719d77f0a77eee4b68e8d44bf4bb371648f001ee1fea183a477dd73b4ca
      • Instruction Fuzzy Hash: AE51C030E4426EEBDF1CF7BCC956B9C7A706B61B08F58409CD1053B282DBB55A448BA6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 91%
      			E011436F8(_Unknown_base(*)()* __edi, void* __esi) {
      				void* _t4;
      				void* _t7;
      				void* _t10;
      				struct HINSTANCE__* _t14;
      
      				_t11 = __edi;
      				_push(__edi);
      				InitializeCriticalSectionAndSpinCount(0x115b04c, 0xfa0);
      				_t14 = GetModuleHandleW(L"api-ms-win-core-synch-l1-2-0.dll");
      				if(_t14 != 0) {
      					L2:
      					_t11 = GetProcAddress(_t14, "SleepConditionVariableCS");
      					_t4 = GetProcAddress(_t14, "WakeAllConditionVariable");
      					if(_t11 == 0 || _t4 == 0) {
      						_t4 = CreateEventW(0, 1, 0, 0);
      						 *0x115b048 = _t4;
      						if(_t4 != 0) {
      							goto L5;
      						} else {
      							goto L7;
      						}
      					} else {
      						 *0x115b064 = _t11;
      						 *0x115b068 = _t4;
      						L5:
      						return _t4;
      					}
      				} else {
      					_t14 = GetModuleHandleW(L"kernel32.dll");
      					if(_t14 == 0) {
      						L7:
      						E01144036(_t10, _t11, _t14, 7);
      						asm("int3");
      						DeleteCriticalSection(0x115b04c);
      						_t7 =  *0x115b048;
      						if(_t7 != 0) {
      							return CloseHandle(_t7);
      						}
      						return _t7;
      					} else {
      						goto L2;
      					}
      				}
      			}

      APIs
      • InitializeCriticalSectionAndSpinCount.KERNEL32(0115B04C,00000FA0,?,?,011436D6), ref: 01143704
      • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,011436D6), ref: 0114370F
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,011436D6), ref: 01143720
      • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 01143732
      • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 01143740
      • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,011436D6), ref: 01143763
      • ___scrt_fastfail.LIBCMT ref: 01143774
      • DeleteCriticalSection.KERNEL32(0115B04C,00000007,?,?,011436D6), ref: 0114377F
      • CloseHandle.KERNEL32(?,?,?,011436D6), ref: 0114378F
      Strings
      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 0114370A
      • kernel32.dll, xrefs: 0114371B
      • WakeAllConditionVariable, xrefs: 01143738
      • SleepConditionVariableCS, xrefs: 0114372C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
      • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
      • API String ID: 3578986977-3242537097
      • Opcode ID: 6801cde7dc4b3e1d5bf45143925bdd1dc86e3358bd6207123522bff710c2b3eb
      • Instruction ID: 58f4768b9838077463d655a6ea61121e75f2fbb9eacdf4c436705e1a6875dc23
      • Opcode Fuzzy Hash: 6801cde7dc4b3e1d5bf45143925bdd1dc86e3358bd6207123522bff710c2b3eb
      • Instruction Fuzzy Hash: E10192B9618721DBE73D9BB9A809B2A7E79AB44E527040524F934D3148EB64C4808768
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0112282F(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
      				WCHAR* _t53;
      				void* _t66;
      				void* _t78;
      				long _t112;
      				void* _t113;
      				intOrPtr _t114;
      				void* _t117;
      				void* _t118;
      				intOrPtr _t119;
      				intOrPtr _t120;
      				void* _t121;
      				intOrPtr _t122;
      
      				_t78 = __ecx;
      				_t77 = __ebx;
      				E01143DFF(E01145A5E, __ebx, __edi, 0x110);
      				_t113 = _t78;
      				 *(_t117 - 4) =  *(_t117 - 4) & 0x00000000;
      				_push(_t117 + 8);
      				 *(_t117 - 4) = 1;
      				E011237FA(__ebx, _t117 - 0x44, "Loading library ", __edi);
      				_t119 = _t118 - 0x18;
      				 *(_t117 - 4) = 2;
      				_t111 =  *((intOrPtr*)(_t113 + 8));
      				 *((intOrPtr*)(_t117 - 0xe0)) = _t119;
      				E011298E1(_t119, _t117 - 0x44);
      				_push(2);
      				_push(0xc3);
      				_t120 = _t119 - 0x18;
      				 *(_t117 - 4) = 3;
      				 *((intOrPtr*)(_t117 - 0xe4)) = _t120;
      				E011298AC(_t120, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      				_t121 = _t120 - 0x18;
      				 *(_t117 - 4) = 4;
      				E011298AC(_t121, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *(_t117 - 4) = 2;
      				E0113765F(__ebx,  *((intOrPtr*)(_t113 + 8)),  *((intOrPtr*)(_t113 + 8)));
      				_t53 = E01136637(__ebx, _t117 - 0x2c, _t117 + 8,  *((intOrPtr*)(_t113 + 8)));
      				if(_t53[0xa] >= 8) {
      					_t53 =  *_t53;
      				}
      				 *((intOrPtr*)(_t113 + 0x9c)) = LoadLibraryW(_t53);
      				E01129A96(_t117 - 0x2c);
      				if( *((intOrPtr*)(_t113 + 0x9c)) == 0) {
      					_t112 = GetLastError();
      					E011298AC(_t117 - 0x2c, "Failed to load library");
      					 *(_t117 - 4) = 5;
      					memset(_t117 - 0xdc, 0, 0x98);
      					E01122ED0(_t77, _t117 - 0xdc, _t112);
      					_t122 = _t121 - 0x18;
      					 *(_t117 - 4) = 6;
      					_t114 =  *((intOrPtr*)(_t113 + 8));
      					 *((intOrPtr*)(_t117 - 0xe8)) = _t122;
      					E011298E1(_t122, _t117 - 0x2c);
      					 *(_t117 - 4) = 7;
      					 *((intOrPtr*)(_t117 - 0xe4)) = _t122 - 0x18;
      					E011298AC(_t122 - 0x18, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      					 *(_t117 - 4) = 8;
      					E011298AC(_t122, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      					 *(_t117 - 4) = 6;
      					E0113765F(_t77, _t114, _t112);
      					_t66 = E01136637(_t77, _t117 - 0x100, _t117 - 0x2c, _t112);
      					 *(_t117 - 4) = 9;
      					E01123A5E(_t77, E01123A4B(_t117 - 0xdc, _t66), L". Error: ", _t112);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(_t112, 0xcc, 5);
      					__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      					 *(_t117 - 4) = 6;
      					E011214A3(_t117 - 0x100);
      					E011299A0(_t117 - 0x118, _t117 - 0x2c);
      					L01145637();
      					asm("int3");
      					E01122EA0();
      					return __imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(_t114, _t117 - 0x118, 0x1156050);
      				}
      				E01129AC1(_t117 - 0x44);
      				return E01143D4C(E01129AC1(_t117 + 8), _t77, _t111);
      			}

      APIs
      • __EH_prolog3_catch_GS.LIBCMT ref: 01122839
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
        • Part of subcall function 01136637: __EH_prolog3_GS.LIBCMT ref: 0113663E
        • Part of subcall function 01136637: memset.VCRUNTIME140(?,00000000,00000050,00000058,01121E5A), ref: 01136655
      • LoadLibraryW.KERNEL32(00000000,C:\git\modular-installer\kernel\Action.cpp), ref: 011228C7
      Strings
      • Loading library , xrefs: 01122848
      • . Error: , xrefs: 011229B2
      • Failed to load library, xrefs: 01122908
      • void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >), xrefs: 0112288B, 0112296B
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 0112289E, 0112297E
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_$#1511ExceptionH_prolog3H_prolog3_catch_LibraryLoadThrowmemset
      • String ID: . Error: $C:\git\modular-installer\kernel\Action.cpp$Failed to load library$Loading library $void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)
      • API String ID: 109690738-898471576
      • Opcode ID: f73873290567526ce94a777d4f14b9995fb3dcc78b17d8017b62f6c072fd9e62
      • Instruction ID: 05c3699ff2eaa37100b6d567635862e3e81ff916e233ffcf3e1a71c3d2264c97
      • Opcode Fuzzy Hash: f73873290567526ce94a777d4f14b9995fb3dcc78b17d8017b62f6c072fd9e62
      • Instruction Fuzzy Hash: D141A030D0026EEBDF0CFBB8C959BCD7BB4AB25708F548099D00567181EBB45B48CB62
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0112A80E(void* __ebx, void* __ecx, char* __edx, signed int __edi, char _a4, intOrPtr _a8, intOrPtr _a16) {
      				intOrPtr _v0;
      				signed int _v4;
      				intOrPtr _v8;
      				intOrPtr _v12;
      				intOrPtr _v16;
      				signed int _v20;
      				intOrPtr* _v24;
      				signed int _v32;
      				intOrPtr _v40;
      				intOrPtr _v48;
      				char _v52;
      				signed int _v56;
      				char _v80;
      				char _v104;
      				void _v152;
      				void _v328;
      				signed int _v332;
      				signed int _v336;
      				char _v352;
      				signed int _v356;
      				char _v360;
      				void* _t157;
      				void* _t159;
      				signed int _t163;
      				signed int _t170;
      				intOrPtr* _t182;
      				intOrPtr* _t184;
      				intOrPtr _t186;
      				signed int _t188;
      				intOrPtr _t189;
      				void* _t203;
      				void* _t223;
      				intOrPtr* _t224;
      				intOrPtr _t225;
      				void* _t228;
      				signed int _t231;
      				char* _t235;
      				char* _t246;
      				void* _t250;
      				intOrPtr* _t254;
      				intOrPtr* _t255;
      				intOrPtr _t256;
      				signed int _t263;
      				intOrPtr _t284;
      				void* _t289;
      				intOrPtr* _t291;
      				intOrPtr _t293;
      				intOrPtr _t294;
      				signed int _t298;
      				intOrPtr _t299;
      				void* _t300;
      				intOrPtr _t301;
      				void* _t302;
      				intOrPtr _t305;
      				void* _t310;
      				void* _t314;
      				void* _t320;
      				signed int _t322;
      
      				_t288 = __edi;
      				_t282 = __edx;
      				_t228 = __ecx;
      				E01143D91(E01146542, __ebx, __edi, 0x15c);
      				_t223 = _t228;
      				_t297 = _a8;
      				_t229 = _t223 + 4;
      				_t146 = E0113F710(_t223, _t223 + 4, __edi);
      				if( *((intOrPtr*)(_a8 + 0x14)) >= 8) {
      					__esi =  *__esi;
      				}
      				_t298 = E01140C59(_t223, _t297, _t282, _t288, _t297, __eflags);
      				_v56 = _t298;
      				_v4 = _v4 & 0x00000000;
      				__eflags = _t298;
      				if(__eflags == 0) {
      					L26:
      					return E01143D3B(_t147, _t223, _t288);
      				} else {
      					_t231 = 8;
      					_t289 =  &_v52;
      					memset(_t289, 0, _t231 << 2);
      					_t314 = _t314 + 0xc;
      					_t290 = _t289 + _t231;
      					_push( *((intOrPtr*)(_t298 + 8)));
      					E0112AFDB(_t223,  &_v52, _t282, _t289 + _t231, __eflags);
      					_v4 = 1;
      					_v336 = _v336 & 0x00000000;
      					_v332 = 7;
      					_v352 = 0;
      					E0112BA2B(L"isUpdated");
      					_v4 = 2;
      					_v20 = _v20 & 0x00000000;
      					_t235 =  &_v52;
      					E0112B2BE(_t235,  &_v20,  &_v352);
      					_t157 = _v20;
      					__eflags = _t157 - _v48;
      					if(__eflags == 0) {
      						_push(_t235);
      						_v20 =  &_v352;
      						_push( &_v20);
      						_push(_t235);
      						_push( &_v360);
      						E0112B3BB(_t223,  &_v52, _t282, _t290, __eflags);
      						_t157 = _v360;
      					}
      					_t288 =  *(_t157 + 0x20);
      					_v4 = 1;
      					E01129A96( &_v352);
      					__eflags = _t288;
      					if(_t288 == 0) {
      						L25:
      						L31();
      						_t159 = E01141824(_t298, _t282);
      						_push(0x10);
      						_t147 = E011436A0(_t159, _t298);
      						goto L26;
      					} else {
      						E01129A21( &_v104,  *((intOrPtr*)(_t288 + 8)));
      						_v4 = 3;
      						_v336 = _v336 & 0x00000000;
      						_v332 = 7;
      						_v352 = 0;
      						E0112BA2B(L"false");
      						_t282 =  &_v352;
      						_v4 = 4;
      						_t163 = E0113FA6A( &_v104,  &_v352);
      						_v4 = 3;
      						_t288 = _t163;
      						E01129A96( &_v352);
      						__eflags = _t288;
      						if(_t288 != 0) {
      							_v336 = _v336 & 0x00000000;
      							_v332 = 7;
      							_v352 = 0;
      							E0112BA2B(L"updateUrl");
      							_v4 = 5;
      							_v20 = _v20 & 0x00000000;
      							_t246 =  &_v52;
      							E0112B2BE(_t246,  &_v20,  &_v352);
      							_t170 = _v20;
      							__eflags = _t170 - _v48;
      							if(__eflags == 0) {
      								_push(_t246);
      								_v20 =  &_v352;
      								_push( &_v20);
      								_push(_t246);
      								_push( &_v360);
      								E0112B3BB(_t223,  &_v52,  &_v352, _t288, __eflags);
      								_t170 = _v360;
      							}
      							_t299 =  *((intOrPtr*)(_t170 + 0x20));
      							_v4 = 3;
      							E01129A96( &_v352);
      							E01129A21( &_v80, E011418B6(_t299));
      							_v4 = 6;
      							_push( &_v80);
      							_t250 = _t223;
      							E0112AB52();
      							asm("int3");
      							_t300 = _t250;
      							E011242FB(_t300 + 0xc);
      							_t146 = E0112B19E( *((intOrPtr*)(_t300 + 4)));
      							_t229 =  *((intOrPtr*)(_t300 + 4));
      							_t282 = 0x24;
      							_t297 = _t299;
      							if(_t282 < 0x1000) {
      								L4:
      								_push(_t282);
      								return E011436A0(_t146, _t229);
      							} else {
      								_push(_t297);
      								_t301 =  *((intOrPtr*)(_t229 - 4));
      								_t282 = _t282 + 0x23;
      								_t254 = _t229 - _t301;
      								_t146 = _t254 - 4;
      								if(_t254 - 4 > 0x1f) {
      									__imp___invalid_parameter_noinfo_noreturn();
      									asm("int3");
      									_t310 = _t314;
      									_t284 = _v12;
      									_push(_t223);
      									_t224 = _t254;
      									_v32 = _v4;
      									_push(_t301);
      									_push(_t288);
      									_t255 =  *((intOrPtr*)(_t224 + 0x10));
      									_v24 = _t255;
      									__eflags = 0x7fffffff - _t255 - _t284;
      									if(0x7fffffff - _t255 < _t284) {
      										E0112995D(_t255);
      										asm("int3");
      										_push(_t310);
      										_push(_t224);
      										_t225 = _v40;
      										_push(_t288);
      										_t291 = _t255;
      										_t256 =  *((intOrPtr*)(_t291 + 0x10));
      										_t182 =  *((intOrPtr*)(_t291 + 0x14)) - _t256;
      										__eflags = _t225 - _t182;
      										if(_t225 > _t182) {
      											_push(_t225);
      											_push(_v0);
      											_a4 = 0;
      											_push(_a4);
      											_push(_t225);
      											L6();
      										} else {
      											__eflags =  *((intOrPtr*)(_t291 + 0x14)) - 0x10;
      											 *((intOrPtr*)(_t291 + 0x10)) = _t256 + _t225;
      											_t184 = _t291;
      											if( *((intOrPtr*)(_t291 + 0x14)) >= 0x10) {
      												_t184 =  *_t291;
      											}
      											_push(_t301);
      											_push(_t225);
      											_push(_v0);
      											_t302 = _t184 + _t256;
      											_push(_t302);
      											L01144E52();
      											 *((char*)(_t302 + _t225)) = 0;
      											_t182 = _t291;
      										}
      										return _t182;
      									} else {
      										_t293 = _t255 + _t284;
      										_v12 =  *((intOrPtr*)(_t224 + 0x14));
      										_t186 = E01129AE4(_t224, _t293);
      										_t188 = E01129B1B( ~(0 | __eflags > 0x00000000) | _t186 + 0x00000001, _t284);
      										__eflags = _v12 - 0x10;
      										_t263 = _t188;
      										_t189 = _v8;
      										 *((intOrPtr*)(_t224 + 0x14)) = _t186;
      										 *((intOrPtr*)(_t224 + 0x10)) = _t293;
      										_t294 = _a16;
      										_t305 = _t263 + _t189;
      										_v20 = _t263;
      										_v24 = _t305;
      										_v8 = _t263 + _t189;
      										_push(_t189);
      										if(_v12 < 0x10) {
      											_push(_t224);
      											_push(_t263);
      											L01145649();
      											_push(_t294);
      											_push(_v16);
      											_push(_t305);
      											L01145649();
      											 *((char*)(_v8 + _t294)) = 0;
      										} else {
      											_push( *_t224);
      											_push(_t263);
      											L01145649();
      											_push(_t294);
      											_push(_v16);
      											_push(_v24);
      											L01145649();
      											 *((char*)(_v8 + _t294)) = 0;
      											L1();
      										}
      										 *_t224 = _v20;
      										return _t224;
      									}
      								} else {
      									_t229 = _t301;
      									goto L4;
      								}
      							}
      						} else {
      							_push(1);
      							_t320 = _t314 - 0x18;
      							E011298AC(_t320, "has_updated");
      							E0113ABD1(_t223,  *((intOrPtr*)(_t223 + 0x10)) + 0xc,  *((intOrPtr*)(_t223 + 0x10)));
      							memset( &_v328, 0, 0xb0);
      							E0112A5E2(_t223,  &_v328,  *((intOrPtr*)(_t223 + 0x10)));
      							_v4 = 7;
      							_push( *((intOrPtr*)(_t223 + 0x10)));
      							_t203 = E011298AC( &_v352, "zoremov.com");
      							_t322 = _t320 + 0xc - 0x18;
      							_v4 = 8;
      							_t288 = _t322;
      							_v20 = _t322;
      							_v356 = _t322;
      							E011299A0(_t322, E01124262(_t203, _t298,  &_v352, "bi.", 3));
      							_v4 = 9;
      							E011298AC(_t322 - 0x18, "api/report/install");
      							_v4 = 8;
      							_push( &_v80);
      							E01141F3F(_t223,  &_v328,  &_v352, _t322);
      							E01129AC1( &_v80);
      							_v4 = 7;
      							E01129AC1( &_v352);
      							memset( &_v152, 0, 0x30);
      							E0112E35A(_t223,  &_v152,  &_v352, _t322, __eflags);
      							_v4 = 0xa;
      							E011314C6(_t223,  &_v152,  &_v352, _t288, __eflags);
      							E0112E4EE(_t223,  &_v152,  &_v352, _t288);
      							E0112A67D(_t223,  &_v328, _t282, _t288, __eflags);
      							E01129A96( &_v104);
      							goto L25;
      						}
      					}
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112A818
        • Part of subcall function 0113F710: __EH_prolog3.LIBCMT ref: 0113F717
        • Part of subcall function 0113F710: #1511.MFC140U(000000D0,00000004,0112C22B,000000FC,?,0112A166,?), ref: 0113F729
        • Part of subcall function 0113F710: memset.VCRUNTIME140(00000000,00000000,000000D0,0112A166,?), ref: 0113F743
      • memset.VCRUNTIME140(?,00000000,000000B0,has_updated), ref: 0112A97C
        • Part of subcall function 01124262: memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?,00000000,?,?), ref: 011242B5
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?,?,?,?), ref: 011242BF
        • Part of subcall function 01124262: memcpy.VCRUNTIME140(01133C49,01133C49,000000EC,?,01133C49,000000EC,?,?,?,?,?,?,?,?,0112DA8D,?), ref: 011242D5
        • Part of subcall function 01141F3F: __EH_prolog3.LIBCMT ref: 01141F46
      • memset.VCRUNTIME140(?,00000000,00000030,?,api/report/install), ref: 0112AA17
        • Part of subcall function 0112E35A: __EH_prolog3.LIBCMT ref: 0112E361
        • Part of subcall function 011314C6: __EH_prolog3_GS.LIBCMT ref: 011314D0
        • Part of subcall function 011314C6: memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,bi.,00000003,zoremov.com,Entered 'Check task' flow), ref: 011315AB
        • Part of subcall function 011436A0: #1513.MFC140U(00000001,?,01121530,?,00000014), ref: 011436A6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memset$H_prolog3$H_prolog3_memcpy$#1511#1513memmove
      • String ID: api/report/install$bi.$false$has_updated$isUpdated$updateUrl$zoremov.com
      • API String ID: 2079125609-2212315163
      • Opcode ID: e1761d2687465bc7d6c0224fbc58a5e7b72cfb346c5f0dca03dca260d719cfd0
      • Instruction ID: fec9189ca6e3a130b3f71cdbc2729e6ab381bea31e7b06ec4c1ef3655a97776f
      • Opcode Fuzzy Hash: e1761d2687465bc7d6c0224fbc58a5e7b72cfb346c5f0dca03dca260d719cfd0
      • Instruction Fuzzy Hash: 24916E31D1426EEBDF19EBA4DD40BEEB775BF25308F500098D40967280EB756B58CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 22%
      			E01142A4D(void* __ebx, intOrPtr __ecx, void* __edi) {
      				intOrPtr* _t77;
      				intOrPtr* _t80;
      				intOrPtr _t81;
      				intOrPtr _t82;
      				void* _t83;
      				short* _t87;
      				intOrPtr* _t92;
      				intOrPtr _t93;
      				void* _t96;
      				intOrPtr* _t107;
      				intOrPtr* _t109;
      				intOrPtr _t110;
      				intOrPtr* _t111;
      				short _t117;
      				intOrPtr* _t118;
      				intOrPtr _t119;
      				intOrPtr* _t124;
      				intOrPtr _t125;
      				intOrPtr* _t133;
      				intOrPtr* _t134;
      				intOrPtr* _t136;
      				intOrPtr* _t142;
      				intOrPtr _t143;
      				intOrPtr _t144;
      				intOrPtr* _t145;
      				void* _t146;
      
      				_t119 = __ecx;
      				E01143D91(E01149E16, __ebx, __edi, 0x20);
      				 *((intOrPtr*)(_t146 - 0x18)) = _t119;
      				_t77 =  *((intOrPtr*)(_t146 + 0xc));
      				_t117 = 0;
      				_t136 =  *((intOrPtr*)(_t146 + 0x10));
      				_t142 =  *((intOrPtr*)(_t146 + 8));
      				 *((intOrPtr*)(_t146 - 0x20)) = _t77;
      				_t133 =  *_t77;
      				 *((intOrPtr*)(_t146 - 0x2c)) = _t136;
      				if(_t133 != 0) {
      					 *_t77 = 0;
      					 *((intOrPtr*)(_t146 - 4)) = 1;
      					 *((intOrPtr*)( *_t133 + 8))(_t133);
      				}
      				 *_t136 = _t117;
      				 *((intOrPtr*)(_t146 - 0x14)) = _t117;
      				 *((intOrPtr*)(_t146 - 4)) = 2;
      				_t138 =  *((intOrPtr*)( *((intOrPtr*)(_t146 - 0x18)) + 8));
      				 *((intOrPtr*)(_t146 - 0x28)) =  *((intOrPtr*)( *_t138 + 0x50));
      				if( *((intOrPtr*)(_t142 + 0x14)) >= 8) {
      					_t142 =  *_t142;
      				}
      				_t120 = _t146 - 0x1c;
      				_t80 = E01142CC5(_t117, _t146 - 0x1c, _t133, _t138, _t142, _t142);
      				 *((char*)(_t146 - 4)) = 3;
      				_t81 =  *_t80;
      				 *((intOrPtr*)(_t146 - 0x18)) = _t81;
      				__imp__#2(L"WQL");
      				_t143 = _t81;
      				 *((intOrPtr*)(_t146 - 0x24)) = _t143;
      				if(_t143 == 0) {
      					_t82 = E01137215(_t120, 0x8007000e);
      					goto L14;
      				} else {
      					 *((char*)(_t146 - 4)) = 4;
      					_t107 =  *((intOrPtr*)(_t146 - 0x28))(_t138, _t143,  *((intOrPtr*)(_t146 - 0x18)), 0x20, _t117, _t146 - 0x14);
      					_t145 = __imp__#6;
      					_t138 = _t107;
      					 *_t145(_t143);
      					 *((char*)(_t146 - 4)) = 2;
      					_t82 =  *_t145( *((intOrPtr*)(_t146 - 0x1c)));
      					if(_t107 < 0) {
      						L14:
      						__imp__#1511(0x18);
      						 *((intOrPtr*)(_t146 - 0x24)) = _t82;
      						 *((char*)(_t146 - 4)) = 5;
      						if(_t82 != 0) {
      							_t117 = E011298AC(_t82, "Failed to run WMI query");
      						}
      						 *((char*)(_t146 - 4)) = 2;
      						_t83 = _t146 - 0x1c;
      						 *((intOrPtr*)(_t146 - 0x1c)) = _t117;
      						_push(0x1156040);
      						goto L17;
      					} else {
      						_t109 =  *((intOrPtr*)(_t146 - 0x14));
      						_t110 =  *((intOrPtr*)( *_t109 + 0x10))(_t109, 0xffffffff, 1,  *((intOrPtr*)(_t146 - 0x20)),  *((intOrPtr*)(_t146 - 0x2c)));
      						if(_t110 >= 0) {
      							 *((intOrPtr*)(_t146 - 4)) = 7;
      							_t111 =  *((intOrPtr*)(_t146 - 0x14));
      							if(_t111 != 0) {
      								_t111 =  *((intOrPtr*)( *_t111 + 8))(_t111);
      							}
      							return E01143D3B(_t111, _t117, _t138);
      						} else {
      							__imp__#1511(0x18);
      							 *((intOrPtr*)(_t146 - 0x24)) = _t110;
      							 *((char*)(_t146 - 4)) = 6;
      							if(_t110 != 0) {
      								_t117 = E011298AC(_t110, "Failed to get enumerator for query results");
      							}
      							 *((char*)(_t146 - 4)) = 2;
      							_t83 = _t146 - 0x20;
      							 *((intOrPtr*)(_t146 - 0x20)) = _t117;
      							_push(0x1156040);
      							L17:
      							_push(_t83);
      							L01145637();
      							asm("int3");
      							E01143D91(E01149E65, _t117, _t138, 0x28);
      							_t118 =  *((intOrPtr*)(_t146 + 0x10));
      							 *((intOrPtr*)(_t146 - 0x30)) =  *((intOrPtr*)(_t146 + 0xc));
      							_t144 = 0;
      							_t87 = _t118;
      							 *((intOrPtr*)(_t146 - 4)) = 0;
      							if( *((intOrPtr*)(_t118 + 0x14)) >= 8) {
      								_t87 =  *_t118;
      							}
      							 *((intOrPtr*)(_t118 + 0x10)) = _t144;
      							 *_t87 = 0;
      							asm("stosd");
      							asm("stosd");
      							asm("stosd");
      							asm("stosd");
      							__imp__#8(_t146 - 0x2c);
      							 *((char*)(_t146 - 4)) = 1;
      							_t92 =  *((intOrPtr*)(_t146 + 8));
      							_t134 =  *((intOrPtr*)( *_t92 + 0x10));
      							_t124 =  *((intOrPtr*)(_t146 - 0x30));
      							if( *((intOrPtr*)(_t124 + 0x14)) >= 8) {
      								_t124 =  *_t124;
      							}
      							_t141 = _t146 - 0x2c;
      							_t93 =  *_t134(_t92, _t124, _t144, _t146 - 0x2c, _t146 - 0x18, _t144);
      							if(_t93 < 0) {
      								__imp__#1511();
      								_t125 = 0x18;
      								 *((intOrPtr*)(_t146 - 0x34)) = _t93;
      								 *((char*)(_t146 - 4)) = 2;
      								if(_t93 != 0) {
      									_push("Failed to get WMI query results");
      									goto L33;
      								}
      								goto L34;
      							} else {
      								if( *((intOrPtr*)(_t146 - 0x18)) == 0) {
      									L29:
      									__imp__#9(_t146 - 0x2c);
      									 *((intOrPtr*)(_t146 - 4)) = 3;
      									goto L30;
      								} else {
      									_t93 = 1;
      									if( *((intOrPtr*)(_t146 - 0x2c)) == 1) {
      										goto L29;
      									} else {
      										if( *((intOrPtr*)(_t146 - 0x18)) == 8) {
      											E0112BA2B( *((intOrPtr*)(_t146 - 0x24)));
      											__imp__#9(_t146 - 0x2c);
      											 *((intOrPtr*)(_t146 - 4)) = 5;
      											L30:
      											return E01143D3B( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)))) + 8))(), _t118, _t141,  *((intOrPtr*)(_t146 + 8)));
      										} else {
      											__imp__#1511();
      											_t125 = 0x18;
      											 *((intOrPtr*)(_t146 - 0x34)) = 1;
      											 *((char*)(_t146 - 4)) = 4;
      											if(1 != 0) {
      												_push("Wrong value type in WMI query");
      												L33:
      												_t125 = _t93;
      												_t144 = E011298AC(_t125);
      											}
      											L34:
      											 *((char*)(_t146 - 4)) = 1;
      											_t96 = _t146 - 0x30;
      											 *((intOrPtr*)(_t146 - 0x30)) = _t144;
      											L01145637();
      											asm("int3");
      											__imp__#9(_t125, _t96, 0x1156040);
      											return _t96;
      										}
      									}
      								}
      							}
      						}
      					}
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01142A54
      • #2.OLEAUT32(WQL,?,00000020,01142D74,?,?,0112E986,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'), ref: 01142ABB
      • #6.OLEAUT32(00000000), ref: 01142AEA
      • #6.OLEAUT32(0112E986), ref: 01142AF3
      • #1511.MFC140U(00000018), ref: 01142B12
      • _CxxThrowException.VCRUNTIME140(0112E986,01156040,0112E986), ref: 01142B9B
        • Part of subcall function 01137215: #2385.MFC140U(?,01137171,80070057,?,?,?,0113704A,00000001,?,?,?,?,?,?,?,01156164), ref: 01137221
        • Part of subcall function 01137215: #2389.MFC140U(8007000E,?,01137171,80070057,?,?,?,0113704A,00000001,?,?,?,?,?,?,?), ref: 0113722A
      • #1511.MFC140U(00000018,8007000E), ref: 01142B6B
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$#2385#2389ExceptionH_prolog3_Throw
      • String ID: Failed to get enumerator for query results$Failed to run WMI query$WQL
      • API String ID: 1685279502-1898776152
      • Opcode ID: ed8a7a59c12bd1801eda9e869d71e3ce41065fe571f438b4601c9c24562e7180
      • Instruction ID: 18b30fd61bef275d6008b637812bacf16d88480d7e1df17815905dba9b7adde4
      • Opcode Fuzzy Hash: ed8a7a59c12bd1801eda9e869d71e3ce41065fe571f438b4601c9c24562e7180
      • Instruction Fuzzy Hash: 58414970E0130ADFDF14CFA8D848B9EBBB4BF58B18F248069E914BB241D7749A41CB64
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01142BA8
      • #8.OLEAUT32(?,00000028,01142DD6,?,?,00000074,SerialNumber,00000074,?,01142D74,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0',00000074,8007000E,?,01142AAD,?), ref: 01142BDA
      • #1511.MFC140U(00000018,?,?,00000074,SerialNumber,00000074,?,01142D74,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0',00000074,8007000E,?,01142AAD,?), ref: 01142C22
      • #9.OLEAUT32(?,?,?,?,00000074,SerialNumber,00000074,?,01142D74,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0',00000074,8007000E,?,01142AAD,?), ref: 01142C49
      • _CxxThrowException.VCRUNTIME140(8007000E,01156040,?,00000074,SerialNumber,00000074,?,01142D74,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0',00000074,8007000E,?,01142AAD,?), ref: 01142CAE
      • #9.OLEAUT32(?,8007000E,01156040,?,00000074,SerialNumber,00000074,?,01142D74,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0',00000074,8007000E,?,01142AAD,?), ref: 01142CB5
      Strings
      • Failed to get WMI query results, xrefs: 01142C8E
      • Wrong value type in WMI query, xrefs: 01142C34
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3_Throw
      • String ID: Failed to get WMI query results$Wrong value type in WMI query
      • API String ID: 4251535614-1388483379
      • Opcode ID: 351c77de0818923634997b3e608e7eb5109eca2db0f39061c56179c22a6173e4
      • Instruction ID: 15a5f4b52defdbf7125c1426c1c31bbad92a16dc7d715013d1c3506fd3f99e80
      • Opcode Fuzzy Hash: 351c77de0818923634997b3e608e7eb5109eca2db0f39061c56179c22a6173e4
      • Instruction Fuzzy Hash: 87318D71A00219EBDF18DFB8E848ADEBBB5AF0CB04F008469F515E7250C730DA85CB64
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0112195B(void* __ebx, intOrPtr __ecx, short __edx, void* __edi, void* __esi, void* __eflags) {
      				void* _t143;
      				void* _t145;
      				char _t151;
      				void* _t156;
      				intOrPtr _t163;
      				signed int _t169;
      				intOrPtr* _t170;
      				signed int _t190;
      				void* _t192;
      				intOrPtr _t201;
      				void* _t202;
      				intOrPtr _t203;
      				intOrPtr _t228;
      				intOrPtr _t235;
      				void* _t236;
      				intOrPtr _t238;
      				void* _t253;
      				intOrPtr* _t255;
      				void* _t265;
      				intOrPtr* _t267;
      				void* _t270;
      				void* _t271;
      				void* _t272;
      				void* _t273;
      				void* _t274;
      				void* _t275;
      				void* _t276;
      				void* _t277;
      				void* _t278;
      				void* _t279;
      
      				_t279 = __eflags;
      				_t265 = __esi;
      				_t262 = __edx;
      				_t203 = __ecx;
      				E01143D91(E011457C0, __ebx, __edi, 0xa0);
      				_t201 = _t203;
      				 *((intOrPtr*)(_t271 - 0x70)) = _t201;
      				 *((intOrPtr*)(_t271 - 0x5c)) = _t201;
      				_push( *((intOrPtr*)(_t271 + 0xc)));
      				_t264 =  *(_t271 + 8);
      				 *((intOrPtr*)(_t271 - 0x94)) = _t201;
      				 *(_t271 - 0x64) =  *(_t271 - 0x64) & 0x00000000;
      				 *(_t271 - 0x14) =  *(_t271 + 8);
      				E01121706(_t201, _t203, __edx, _t264);
      				 *(_t271 - 4) =  *(_t271 - 4) & 0x00000000;
      				_t273 = _t272 - 0x18;
      				E011298AC(_t273, "mimeType");
      				_push(_t271 - 0x30);
      				E011293B6(_t201 + 0x3c, _t265, E0113A922(_t201, _t264, _t264, _t279));
      				E01129AC1(_t271 - 0x30);
      				_t274 = _t273 - 0x18;
      				E011298AC(_t274, "defaultJump");
      				_push(_t271 - 0x30);
      				E011293B6(_t201 + 0x54, _t265, E0113A922(_t201, _t264, _t264, _t279));
      				E01129AC1(_t271 - 0x30);
      				 *(_t271 - 0x18) =  *(_t271 - 0x18) & 0x00000000;
      				E011298AC(_t271 - 0xac, "configuration");
      				_t275 = _t274 - 0x18;
      				 *(_t271 - 4) = 1;
      				E011298E1(_t275, _t271 - 0xac);
      				_push(_t271 - 0x18);
      				E0113A2C7(_t201,  *_t264, _t264);
      				E01129AC1(_t271 - 0xac);
      				 *(_t271 - 4) = 2;
      				_push( *(_t271 - 0x18));
      				_push(_t271 - 0x88);
      				E01139FED(_t201, _t264);
      				E011293B6(_t201 + 0x6c,  *_t264, _t271 - 0x88);
      				E01129AC1(_t271 - 0x88);
      				_t267 = _t201 + 0x24;
      				E01129863(_t267, 0x114c098, 0);
      				_t143 = E0113A1DD(_t201,  *_t264, _t264, _t267, "file");
      				_t280 = _t143;
      				if(_t143 != 0) {
      					_t278 = _t275 - 0x18;
      					E011298AC(_t278, "file");
      					_push(_t271 - 0x88);
      					E011293B6(_t267, _t267, E0113A922(_t201, _t264, _t264, _t280));
      					E01129AC1(_t271 - 0x88);
      					_t253 = _t271 - 0x30;
      					E0113D2C8(_t201, _t253, _t264);
      					_push(_t253);
      					_push("\\$cwd");
      					 *(_t271 - 4) = 3;
      					 *((intOrPtr*)(_t271 - 0x60)) = E01122C68(_t201, _t271 - 0x58, _t264);
      					 *(_t271 - 4) = 5;
      					_t255 = _t267;
      					 *(_t271 - 0x78) =  *(_t271 - 0x78) & 0x00000000;
      					_t190 = 0xf;
      					 *(_t271 - 0x74) = _t190;
      					 *((char*)(_t271 - 0x88)) = 0;
      					 *(_t271 - 0x64) = _t190;
      					if( *((intOrPtr*)(_t267 + 0x14)) >= 0x10) {
      						_t255 =  *_t267;
      					}
      					_t262 = _t267;
      					_t192 =  *((intOrPtr*)(_t267 + 0x10)) + _t255;
      					if( *((intOrPtr*)(_t267 + 0x14)) >= 0x10) {
      						_t262 =  *_t267;
      					}
      					_push(_t255);
      					_push(_t271 - 0x30);
      					_push( *((intOrPtr*)(_t271 - 0x60)));
      					_push(_t192);
      					_push(_t271 - 0x88);
      					E01124CFF(_t201, _t271 - 0x5c, _t262, _t264);
      					_t275 = _t278 + 0x14;
      					E011293B6(_t267, _t267, _t271 - 0x88);
      					E01122C40(E01129AC1(_t271 - 0x88), _t271 - 0x58);
      					 *(_t271 - 4) = 2;
      					E01129AC1(_t271 - 0x30);
      				}
      				E01129863(_t201 + 0xc, 0x114c098, 0);
      				_t145 = E0113A1DD(_t201,  *_t264, _t264, _t267, "id");
      				_t283 = _t145;
      				if(_t145 != 0) {
      					_t275 = _t275 - 0x18;
      					E011298AC(_t275, "id");
      					_push(_t271 - 0x30);
      					E011293B6(_t201 + 0xc, _t267, E0113A922(_t201, _t264, _t264, _t283));
      					E01129AC1(_t271 - 0x30);
      				}
      				 *((char*)(_t201 + 0x84)) = 0;
      				_t268 = "customJump";
      				if(E0113A1DD(_t201,  *_t264, _t264, "customJump", "customJump") != 0) {
      					_t276 = _t275 - 0x18;
      					E011298AC(_t276, _t268);
      					_t151 = E0113AA50(_t201, _t264, _t264);
      					 *((char*)(_t201 + 0x84)) = _t151;
      					if(_t151 != 0) {
      						_t264 = _t271 - 0x50;
      						asm("stosd");
      						_t277 = _t276 - 0x18;
      						asm("stosd");
      						asm("stosd");
      						E011298AC(_t277, "jumpTable");
      						_push(_t271 - 0x50);
      						E0113AA8B(_t201,  *(_t271 - 0x14), _t271 - 0x50);
      						 *(_t271 - 4) = 6;
      						_t228 =  *((intOrPtr*)(_t271 - 0x4c));
      						_t156 =  *(_t271 - 0x50);
      						 *((intOrPtr*)(_t271 - 0x5c)) = _t228;
      						if(_t156 != _t228) {
      							_t269 = _t201 + 0x94;
      							_t264 = _t201 + 0x88;
      							 *(_t271 - 0x64) = _t201 + 0x94;
      							_t202 = _t156;
      							do {
      								 *(_t271 - 0x14) =  *(_t271 - 0x14) & 0x00000000;
      								_push(_t202);
      								E0113A8D2(_t202, _t271 - 0x14, _t264);
      								 *(_t271 - 4) = 7;
      								memset(_t271 - 0x44, 0, 0x2c);
      								_t277 = _t277 + 0xc;
      								_push(_t271 - 0x14);
      								E01129D11(_t202, _t271 - 0x44, _t264, _t269);
      								 *(_t271 - 4) = 8;
      								_t163 =  *((intOrPtr*)(_t264 + 4));
      								_push(_t271 - 0x44);
      								if(_t163 ==  *((intOrPtr*)(_t264 + 8))) {
      									_push(_t163);
      									E01123CFE(_t202, _t264, _t264);
      								} else {
      									E01129CC3(_t202, _t163, _t264);
      									 *((intOrPtr*)(_t264 + 4)) =  *((intOrPtr*)(_t264 + 4)) + 0x2c;
      								}
      								 *((intOrPtr*)(_t271 - 0x6c)) =  *((intOrPtr*)(_t271 - 0x34));
      								 *((intOrPtr*)(_t271 - 0x60)) =  *((intOrPtr*)(_t271 - 0x38));
      								_t270 = E01123CD1(_t269, _t271 - 0x60);
      								_t169 =  *(_t271 - 0x64);
      								_t235 =  *_t169;
      								 *((intOrPtr*)(_t271 - 0x68)) = _t235;
      								if(_t270 == _t235 ||  *((intOrPtr*)(_t271 - 0x38)) <  *((intOrPtr*)(_t270 + 0x10))) {
      									 *(_t271 - 0x90) = _t169;
      									 *(_t271 - 4) = 9;
      									 *(_t271 - 0x8c) =  *(_t271 - 0x8c) & 0x00000000;
      									_t236 = 0x18;
      									_t170 = E01129B1B(_t236, _t262);
      									_t262 = 0;
      									_push(_t170);
      									 *(_t271 - 0x8c) = 0;
      									 *((intOrPtr*)(_t170 + 0x10)) =  *((intOrPtr*)(_t271 - 0x60));
      									_t238 =  *((intOrPtr*)(_t271 - 0x68));
      									 *((intOrPtr*)(_t170 + 0x14)) = 0;
      									 *_t170 = _t238;
      									 *((intOrPtr*)(_t170 + 4)) = _t238;
      									 *((intOrPtr*)(_t170 + 8)) = _t238;
      									 *((short*)(_t170 + 0xc)) = 0;
      									_push(_t170 + 0x10);
      									 *(_t271 - 4) = 8;
      									_push(_t270);
      									_t270 = E011253A4(_t202,  *(_t271 - 0x64), _t264);
      								}
      								 *((intOrPtr*)(_t270 + 0x14)) =  *((intOrPtr*)(_t271 - 0x6c));
      								E01129AC1(_t271 - 0x30);
      								E0113F69A(_t271 - 0x44);
      								 *(_t271 - 4) = 6;
      								E0113AC23(_t271 - 0x14);
      								_t269 =  *(_t271 - 0x64);
      								_t202 = _t202 + 4;
      							} while (_t202 !=  *((intOrPtr*)(_t271 - 0x5c)));
      							_t201 =  *((intOrPtr*)(_t271 - 0x70));
      						}
      						E01122D13(_t271 - 0x50);
      					}
      				}
      				E0113AC23(_t271 - 0x18);
      				return E01143D3B(_t201, _t201, _t264);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01121965
        • Part of subcall function 01121706: __EH_prolog3.LIBCMT ref: 0112170D
        • Part of subcall function 0113A922: __EH_prolog3_GS.LIBCMT ref: 0113A929
        • Part of subcall function 0113A2C7: __EH_prolog3_GS.LIBCMT ref: 0113A2CE
        • Part of subcall function 0113A2C7: memset.VCRUNTIME140(?,00000000,00000038,0000005C,01121A1A,00000000,?), ref: 0113A305
        • Part of subcall function 01139FED: __EH_prolog3_GS.LIBCMT ref: 01139FF4
        • Part of subcall function 01129863: memmove.VCRUNTIME140(?,00000010,?,?,?,?,?,?), ref: 01129885
      • memset.VCRUNTIME140(?,00000000,0000002C,?,?,jumpTable), ref: 01121C25
        • Part of subcall function 0113D2C8: __EH_prolog3_GS.LIBCMT ref: 0113D2D2
        • Part of subcall function 01122C68: __EH_prolog3.LIBCMT ref: 01122C6F
        • Part of subcall function 01122C68: ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,00000008,011346B9,(\w+) (\w+\.\w+\.\w+\/\w+) \((.*?)\) (\w+) (\w*) (\w+).*,?,00000000,000000B0,00000134,0112C2EE,?,0115A06C,edge,1248,0115A0CC,0115A09C,0115A0B4), ref: 01122C88
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_$H_prolog3memset$Init@locale@std@@Locimp@12@_memmove
      • String ID: \$cwd$configuration$customJump$defaultJump$file$jumpTable$mimeType
      • API String ID: 1804594850-2104999683
      • Opcode ID: dff54b547877f1f65982dc02b0c27b61cb103b4713bf805d216d70af6907eea3
      • Instruction ID: 650384ad9dd68caedb8e413f4d7c2ed230d7b1a61659631cd975848509872437
      • Opcode Fuzzy Hash: dff54b547877f1f65982dc02b0c27b61cb103b4713bf805d216d70af6907eea3
      • Instruction Fuzzy Hash: 1CB18170E0022DEBDF1CEBA8C894BEDBBB5AF64308F54405DD445AB281DB746A19CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 93%
      			E01141BDD(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
      				intOrPtr _t97;
      				void* _t105;
      				void* _t108;
      				void* _t112;
      				void* _t143;
      				void* _t149;
      				intOrPtr* _t171;
      				intOrPtr* _t172;
      				void* _t193;
      				void* _t226;
      				void* _t238;
      				void* _t239;
      				void* _t241;
      				void* _t242;
      				intOrPtr _t243;
      				void* _t244;
      				intOrPtr _t245;
      				void* _t250;
      
      				_t250 = __eflags;
      				_t232 = __edi;
      				_t226 = __edx;
      				_t172 = __ecx;
      				E01143D91(E01149BEE, __ebx, __edi, 0x204);
      				_t171 = _t172;
      				_t97 =  *((intOrPtr*)(_t238 + 8));
      				 *((intOrPtr*)(_t238 - 0x1c0)) = _t97;
      				 *((intOrPtr*)(_t238 - 0x1bc)) = _t97;
      				 *((intOrPtr*)(_t238 - 4)) = 3;
      				E01139FED(_t171, __edi);
      				 *((char*)(_t238 - 4)) = 4;
      				memset(_t238 - 0x1b8, 0, 0xb0);
      				E01140250(_t171, _t238 - 0x1b8, __edi);
      				_t241 = _t239 + 0xc - 0x18;
      				 *((char*)(_t238 - 4)) = 5;
      				 *((intOrPtr*)(_t238 - 0x1b4)) = 1;
      				E011298E1(_t241, _t238 + 0x3c);
      				_t105 = E01140401(_t171, _t238 - 0x1b8, __edi);
      				_t242 = _t241 - 0x18;
      				E011298E1(_t242, _t238 + 0x24);
      				_t108 = E01140431(_t171, _t105, __edi);
      				_t243 = _t242 - 0x18;
      				 *((intOrPtr*)(_t238 - 0x1bc)) = _t243;
      				E011298E1(_t243, _t238 + 0xc);
      				_t244 = _t243 - 0x18;
      				 *((char*)(_t238 - 4)) = 6;
      				E011298AC(_t244, "event_name");
      				 *((char*)(_t238 - 4)) = 5;
      				_t112 = E0114048D(_t171, _t108, _t226, _t232);
      				_t245 = _t244 - 0x18;
      				_t233 = _t112;
      				 *((intOrPtr*)(_t238 - 0x1c4)) = _t245;
      				_t246 = _t245 - 0x18;
      				 *((intOrPtr*)(_t238 - 0x1bc)) = _t245 - 0x18;
      				E011298E1(_t246, 0x115b5a8);
      				 *((char*)(_t238 - 4)) = 7;
      				E011298E1(_t246 - 0x18, _t238 - 0xa0);
      				 *((char*)(_t238 - 4)) = 5;
      				E01138223(_t171, _t245, _t112, _t250);
      				 *((char*)(_t238 - 4)) = 8;
      				E011298AC(_t246 - 0x18 + 0x18, "infoJson");
      				 *((char*)(_t238 - 4)) = 5;
      				E0114048D(_t171, _t112, _t226, _t112);
      				memset(_t238 - 0x108, 0, 0x68);
      				 *((intOrPtr*)( *_t171))(_t238 - 0x108, _t238 - 0x1b8, _t238 - 0xa0,  *((intOrPtr*)(_t238 + 0x54)));
      				 *((char*)(_t238 - 4)) = 9;
      				E011298AC(_t238 - 0x58, "Code: ");
      				 *((char*)(_t238 - 4)) = 0xa;
      				E011298AC(_t238 - 0x40, " Body: ");
      				 *(_t238 - 0x18) =  *(_t238 - 0x18) & 0x00000000;
      				 *((intOrPtr*)(_t238 - 0x14)) = 0xf;
      				 *((char*)(_t238 - 0x28)) = 0;
      				 *((char*)(_t238 - 4)) = 0xc;
      				E011298E1(_t238 - 0x1e0, _t238 - 0x104);
      				_t237 =  *((intOrPtr*)(_t238 - 0x1d0));
      				E01129AC1(_t238 - 0x1e0);
      				_t193 = _t238 - 0x1f8;
      				if( *((intOrPtr*)(_t238 - 0x1d0)) != 0) {
      					E011298E1(_t193, _t238 - 0x104);
      					 *((char*)(_t238 - 4)) = 0xd;
      					__eflags =  *((intOrPtr*)(_t238 - 0x2c)) - 0x10;
      					_t131 =  >=  ?  *((void*)(_t238 - 0x40)) : _t238 - 0x40;
      					__eflags =  >=  ?  *((void*)(_t238 - 0x40)) : _t238 - 0x40;
      					E011299A0(_t238 - 0x1e0, E01124262(_t238 - 0x1f8, _t237, _t193,  >=  ?  *((void*)(_t238 - 0x40)) : _t238 - 0x40,  *((intOrPtr*)(_t238 - 0x30))));
      					E011293B6(_t238 - 0x28, _t237, _t238 - 0x1e0);
      					E01129AC1(_t238 - 0x1e0);
      					 *((char*)(_t238 - 4)) = 0xc;
      				} else {
      					_push("empty");
      					E011293B6(_t238 - 0x28, _t237, E01134CA3(_t171, _t193, _t238 - 0x40, _t233));
      				}
      				E01129AC1(_t238 - 0x1f8);
      				_push(_t238 - 0x1b8);
      				_push(_t238 - 0x88);
      				E011336CD(_t171, _t233);
      				 *((char*)(_t238 - 4)) = 0xe;
      				E011237FA(_t171, _t238 - 0x70, " Url: ", _t233);
      				 *((char*)(_t238 - 4)) = 0xf;
      				_t143 = E0112934F(_t238 - 0x210,  *(_t238 - 0x108), _t233, _t237);
      				 *((char*)(_t238 - 4)) = 0x10;
      				_t145 =  >=  ?  *((void*)(_t238 - 0x58)) : _t238 - 0x58;
      				E011299A0(_t238 - 0x1f8, E01124262(_t143, _t237, _t143,  >=  ?  *((void*)(_t238 - 0x58)) : _t238 - 0x58,  *((intOrPtr*)(_t238 - 0x48))));
      				 *((char*)(_t238 - 4)) = 0x11;
      				_t149 = E01131F14(_t238 - 0x1e0, _t238 - 0x1f8, _t238 - 0x28);
      				 *((char*)(_t238 - 4)) = 0x12;
      				E01131F14( *((intOrPtr*)(_t238 - 0x1c0)), _t149, _t238 - 0x70);
      				E01129AC1(_t238 - 0x1e0);
      				E01129AC1(_t238 - 0x1f8);
      				E01129AC1(_t238 - 0x210);
      				E01129AC1(_t238 - 0x70);
      				E01129AC1(_t238 - 0x88);
      				E01129AC1(_t238 - 0x28);
      				E01129AC1(_t238 - 0x40);
      				E01129AC1(_t238 - 0x58);
      				E01140BCF(_t238 - 0x108, _t149);
      				E011403B6(_t238 - 0x1b8, _t149);
      				E01129AC1(_t238 - 0xa0);
      				E01129AC1(_t238 + 0xc);
      				E01129AC1(_t238 + 0x24);
      				E01129AC1(_t238 + 0x3c);
      				E0113AC23(_t238 + 0x54);
      				return E01143D3B( *((intOrPtr*)(_t238 - 0x1c0)), _t171, _t233, _t238 - 0x88);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01141BE7
        • Part of subcall function 01139FED: __EH_prolog3_GS.LIBCMT ref: 01139FF4
      • memset.VCRUNTIME140(?,00000000,000000B0,?,?,00000204,01141FB4,?,?), ref: 01141C25
        • Part of subcall function 01140250: __EH_prolog3.LIBCMT ref: 01140257
        • Part of subcall function 01140401: __EH_prolog3.LIBCMT ref: 01140408
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 01140431: __EH_prolog3.LIBCMT ref: 01140438
        • Part of subcall function 0114048D: __EH_prolog3.LIBCMT ref: 01140494
        • Part of subcall function 01138223: __EH_prolog3_GS.LIBCMT ref: 0113822A
      • memset.VCRUNTIME140(?,00000000,00000068,infoJson), ref: 01141D15
        • Part of subcall function 01134CA3: __EH_prolog3.LIBCMT ref: 01134CAA
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$H_prolog3_$memset$memcpy
      • String ID: Body: $ Url: $Code: $empty$event_name$infoJson
      • API String ID: 3180666697-1689024057
      • Opcode ID: 27a26848e8e4290aa92ee247b1b02f0ab509fe23977f0f6c0fed95d3a87edb98
      • Instruction ID: 82f77f9b511836917e1ec517e193723209272507d7d6db75587aa7b45e887fe4
      • Opcode Fuzzy Hash: 27a26848e8e4290aa92ee247b1b02f0ab509fe23977f0f6c0fed95d3a87edb98
      • Instruction Fuzzy Hash: 7391287190426EDBCF19EBA8CC60BDDBB78AF24308F584099E445A7181EFB45F98CB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E01143444(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr* _t2;
      				void* _t3;
      				void* _t9;
      				void* _t18;
      				void* _t28;
      
      				_t25 = __edi;
      				_t24 = __edx;
      				_push(2);
      				L01144E70();
      				_push(E01143FC5());
      				L01144EA0();
      				_t2 = E011322F7();
      				L01144EC4();
      				 *_t2 = _t2;
      				_t3 = E01143989(__ebx, __edx, __edi, 1);
      				_pop(_t28);
      				_t32 = _t3;
      				if(_t3 == 0) {
      					L8:
      					E01144036(_t24, _t25, _t28, 7);
      					asm("int3");
      					E01144001();
      					__eflags = 0;
      					return 0;
      				} else {
      					asm("fclex");
      					E0114421E();
      					E01143B16(_t32, E0114424A);
      					_t9 = E01143FC1();
      					_push(_t9);
      					L01144E7C();
      					if(_t9 != 0) {
      						goto L8;
      					} else {
      						E01143FCB(_t9);
      						if(E0114401E() != 0) {
      							_push(E011322F7);
      							L01144E76();
      						}
      						E01143FDA(E01122C1E(E01122C1E(_t11)));
      						_push(E011322F7());
      						L01144EB8();
      						if(E01143FD7() != 0) {
      							L01144E82();
      						}
      						E011322F7();
      						_t18 = L01144181();
      						if(_t18 != 0) {
      							goto L8;
      						} else {
      							return _t18;
      						}
      					}
      				}
      			}

      APIs
      • _set_app_type.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002), ref: 01143447
      • _set_fmode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 01143452
      • __p__commode.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000002), ref: 0114345E
      • __RTC_Initialize.LIBCMT ref: 01143476
      • _configure_wide_argv.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,0114424A), ref: 0114348B
        • Part of subcall function 01143FCB: InitializeSListHead.KERNEL32(0115B3B0,0114349B), ref: 01143FD0
      • __setusermatherr.API-MS-WIN-CRT-MATH-L1-1-0(Function_000122F7), ref: 011434A9
      • _configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(00000000), ref: 011434C4
      • _initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 011434D3
      • ___scrt_fastfail.LIBCMT ref: 011434E9
      • ___scrt_initialize_default_local_stdio_options.LIBCMT ref: 011434EF
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Initialize$HeadList___scrt_fastfail___scrt_initialize_default_local_stdio_options__p__commode__setusermatherr_configthreadlocale_configure_wide_argv_initialize_wide_environment_set_app_type_set_fmode
      • String ID:
      • API String ID: 3921786053-0
      • Opcode ID: 4342009d07d5bf78183a3fc5e715d050eaf7081b8d9a2ff3837973f99162b7c0
      • Instruction ID: 1c72ff0fc3302dfd6480f07d1c614a31c10a2c9a7c783b5610597f2b9f5f0f45
      • Opcode Fuzzy Hash: 4342009d07d5bf78183a3fc5e715d050eaf7081b8d9a2ff3837973f99162b7c0
      • Instruction Fuzzy Hash: A901494566863333ED3D77F92C0AB9E19482F71D7CF180814D960BB985EF7A84559073
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 22%
      			E01132ABD(char _a4, intOrPtr _a8, intOrPtr _a16) {
      				intOrPtr _v0;
      				char _v4;
      				intOrPtr _v8;
      				intOrPtr* _v12;
      				intOrPtr _v16;
      				intOrPtr _v20;
      				intOrPtr _v24;
      				intOrPtr _v28;
      				char _v548;
      				char _v772;
      				char* _t71;
      				intOrPtr* _t84;
      				intOrPtr* _t86;
      				intOrPtr _t88;
      				intOrPtr _t90;
      				intOrPtr _t91;
      				char* _t96;
      				intOrPtr* _t97;
      				intOrPtr _t98;
      				intOrPtr _t101;
      				intOrPtr* _t102;
      				intOrPtr* _t105;
      				intOrPtr* _t106;
      				intOrPtr _t107;
      				intOrPtr _t114;
      				void* _t116;
      				intOrPtr _t117;
      				intOrPtr* _t122;
      				intOrPtr _t124;
      				intOrPtr _t125;
      				intOrPtr* _t127;
      				intOrPtr* _t128;
      				intOrPtr* _t129;
      				intOrPtr _t130;
      				void* _t131;
      				intOrPtr _t134;
      				intOrPtr* _t139;
      				intOrPtr _t143;
      				intOrPtr* _t144;
      
      				_v16 = _t143;
      				asm("movlpd [ebp-0x224], xmm0");
      				_v4 = 0x19;
      				_t127 = __imp__?__ExceptionPtrCreate@@YAXPAX@Z;
      				 *_t127( &_v548);
      				asm("xorps xmm0, xmm0");
      				asm("movlpd [ebp-0x304], xmm0");
      				_v4 = 0x1c;
      				 *_t127( &_v772);
      				_v4 = 0x1b;
      				__imp__?__ExceptionPtrCurrentException@@YAXPAX@Z( &_v772);
      				_v4 = 0x1d;
      				__imp__?__ExceptionPtrAssign@@YAXPAXPBX@Z( &_v548,  &_v772);
      				_t71 =  &_v548;
      				_v4 = 0x1e;
      				__imp__?__ExceptionPtrToBool@@YA_NPBX@Z(_t71);
      				_t96 = _t71;
      				_v4 = 0x1f;
      				_t128 = __imp__?__ExceptionPtrDestroy@@YAXPAX@Z;
      				_t73 =  *_t128( &_v772);
      				_t144 = _t143 + 0x1c;
      				_v4 = 0x1a;
      				if(_t96 != 0) {
      					_t102 = _t144;
      					E0113323A(_t102,  &_v548);
      					E01133221(__eflags, _t101, _t101);
      					asm("int3");
      					_t129 = _t102;
      					_t73 = E011244D7(_t102, _t129,  *((intOrPtr*)( *_t129 + 4)));
      					_t101 =  *_t129;
      					_t116 = 0x2c;
      					_t128 = _t128;
      					if(_t116 < 0x1000) {
      						L4:
      						_push(_t116);
      						return E011436A0(_t73, _t101);
      					} else {
      						_push(_t128);
      						_t130 =  *((intOrPtr*)(_t101 - 4));
      						_t116 = _t116 + 0x23;
      						_t105 = _t101 - _t130;
      						_t73 = _t105 - 4;
      						if(_t105 - 4 > 0x1f) {
      							__imp___invalid_parameter_noinfo_noreturn();
      							asm("int3");
      							_t139 = _t144;
      							_t117 = _v0;
      							_push(_t96);
      							_t97 = _t105;
      							_v20 = _a8;
      							_push(_t130);
      							_t106 =  *((intOrPtr*)(_t97 + 0x10));
      							_v12 = _t106;
      							__eflags = 0x7fffffff - _t106 - _t117;
      							if(0x7fffffff - _t106 < _t117) {
      								E0112995D(_t106);
      								asm("int3");
      								_push(_t139);
      								_push(_t97);
      								_t98 = _v28;
      								_push(_t121);
      								_t122 = _t106;
      								_t107 =  *((intOrPtr*)(_t122 + 0x10));
      								_t84 =  *((intOrPtr*)(_t122 + 0x14)) - _t107;
      								__eflags = _t98 - _t84;
      								if(_t98 > _t84) {
      									_push(_t98);
      									_push(_v0);
      									_a4 = 0;
      									_push(_a4);
      									_push(_t98);
      									L6();
      								} else {
      									__eflags =  *((intOrPtr*)(_t122 + 0x14)) - 0x10;
      									 *((intOrPtr*)(_t122 + 0x10)) = _t107 + _t98;
      									_t86 = _t122;
      									if( *((intOrPtr*)(_t122 + 0x14)) >= 0x10) {
      										_t86 =  *_t122;
      									}
      									_push(_t130);
      									_push(_t98);
      									_push(_v0);
      									_t131 = _t86 + _t107;
      									_push(_t131);
      									L01144E52();
      									 *((char*)(_t131 + _t98)) = 0;
      									_t84 = _t122;
      								}
      								return _t84;
      							} else {
      								_t124 = _t106 + _t117;
      								_v12 =  *((intOrPtr*)(_t97 + 0x14));
      								_t88 = E01129AE4(_t97, _t124);
      								_t90 = E01129B1B( ~(0 | __eflags > 0x00000000) | _t88 + 0x00000001, _t117);
      								__eflags = _v12 - 0x10;
      								_t114 = _t90;
      								_t91 = _v8;
      								 *((intOrPtr*)(_t97 + 0x14)) = _t88;
      								 *((intOrPtr*)(_t97 + 0x10)) = _t124;
      								_t125 = _a16;
      								_t134 = _t114 + _t91;
      								_v20 = _t114;
      								_v24 = _t134;
      								_v8 = _t114 + _t91;
      								_push(_t91);
      								if(_v12 < 0x10) {
      									_push(_t97);
      									_push(_t114);
      									L01145649();
      									_push(_t125);
      									_push(_v16);
      									_push(_t134);
      									L01145649();
      									 *((char*)(_v8 + _t125)) = 0;
      								} else {
      									_push( *_t97);
      									_push(_t114);
      									L01145649();
      									_push(_t125);
      									_push(_v16);
      									_push(_v24);
      									L01145649();
      									 *((char*)(_v8 + _t125)) = 0;
      									L1();
      								}
      								 *_t97 = _v20;
      								return _t97;
      							}
      						} else {
      							_t101 = _t130;
      							goto L4;
      						}
      					}
      				} else {
      					__eax =  &_v548;
      					_v4 = 0x20;
      					__eax =  *__esi( &_v548);
      					_pop(__ecx);
      					__eax = E01132B9E;
      					return E01132B9E;
      				}
      			}

      APIs
      • ?__ExceptionPtrCreate@@YAXPAX@Z.MSVCP140(?), ref: 01132AD9
      • ?__ExceptionPtrCreate@@YAXPAX@Z.MSVCP140(?), ref: 01132AF1
      • ?__ExceptionPtrCurrentException@@YAXPAX@Z.MSVCP140(?), ref: 01132AFE
      • ?__ExceptionPtrAssign@@YAXPAXPBX@Z.MSVCP140(?,?), ref: 01132B16
      • ?__ExceptionPtrToBool@@YA_NPBX@Z.MSVCP140(?), ref: 01132B27
      • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCP140(?), ref: 01132B40
      • ?__ExceptionPtrDestroy@@YAXPAX@Z.MSVCP140(?), ref: 01132B95
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Exception$Create@@Destroy@@$Assign@@Bool@@CurrentException@@
      • String ID:
      • API String ID: 1879565299-3916222277
      • Opcode ID: 62af4ac09344bc71f264d342ccaa0081fc75d2861c01882de6745f12256e0d26
      • Instruction ID: 2ac64085712cd29fa16a15cd530a3843fd6810c4e1b25e70f1d6824a73533791
      • Opcode Fuzzy Hash: 62af4ac09344bc71f264d342ccaa0081fc75d2861c01882de6745f12256e0d26
      • Instruction Fuzzy Hash: 3E212A75C0526DEBDB25EBA4DA08ECDBBECAF1D304F1440DAA444A3206D774AB849F51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 41%
      			E01143180(void* __ebx, int __edi) {
      				void* _t13;
      				void* _t18;
      				void* _t32;
      				void* _t33;
      
      				_t31 = __edi;
      				_t21 = __ebx;
      				E01143D91(E01149F4A, __ebx, __edi, 0xa0);
      				if( *0x115a1e4 <= 0) {
      					_t13 = _t33 - 0xac;
      					_t31 = 0;
      					 *((intOrPtr*)(_t33 - 0xac)) = 0;
      					__imp__SHGetKnownFolderPath(0x114f8b4, 0, 0, _t13);
      					_t32 = _t13;
      					_t21 = 0x115a1d4;
      					if(_t32 < 0) {
      						memset(_t33 - 0xa8, 0, 0x98);
      						E01122ED0(0x115a1d4, _t33 - 0xa8, 0);
      						 *((intOrPtr*)(_t33 - 4)) = 0;
      						E01123A5E(0x115a1d4, _t33 - 0xa8, L"Failed to retrieve AppData path. Error: ", 0);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@J@Z(_t32);
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      						E01122EA0();
      						__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      					} else {
      						E0112BA2B( *((intOrPtr*)(_t33 - 0xac)));
      					}
      					__imp__CoTaskMemFree( *((intOrPtr*)(_t33 - 0xac)));
      					_t18 = _t21;
      				} else {
      					_t18 = 0x115a1d4;
      				}
      				return E01143D3B(_t18, _t21, _t31);
      			}








      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0114318A
      • SHGetKnownFolderPath.SHELL32(0114F8B4,00000000,00000000,?,000000A0,01143266,?,00000034,011432D6,?,00000064,01130B9E,?,api/report/install), ref: 011431B8
      • CoTaskMemFree.OLE32(?,?,00000034,011432D6,?,00000064,01130B9E,?,api/report/install), ref: 01143236
      Strings
      • Failed to retrieve AppData path. Error: , xrefs: 011431F6
      Similarity
      • API ID: FolderFreeH_prolog3_KnownPathTask
      • String ID: Failed to retrieve AppData path. Error:
      • API String ID: 3461574932-3348661675
      • Opcode ID: 48e2c48140c4a38953d5a4c0d4d97f44d56464685fb2531bb4b5657835d8a274
      • Instruction ID: 8dd2262462a7aae9eb74490f03a1c5e77624fb447416920d2e955e36cee82b6e
      • Opcode Fuzzy Hash: 48e2c48140c4a38953d5a4c0d4d97f44d56464685fb2531bb4b5657835d8a274
      • Instruction Fuzzy Hash: A911C634A14279DBDB2CAB71DC48F9E7774FF55F00F404065A965A7240CB344985CF11
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E0112A5E2(void* __ebx, intOrPtr __ecx, void* __edi) {
      				intOrPtr _t30;
      				void* _t40;
      
      				_t30 = __ecx;
      				E01143D5D(E0114644C, __ebx, __edi, 4);
      				_t39 = _t30;
      				 *((intOrPtr*)(_t40 - 0x10)) = _t30;
      				E0113416D(__ebx, _t30, __edi);
      				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
      				E0112BA52(_t30 + 8, L"report_url");
      				 *(_t40 - 4) = 1;
      				E011298AC(_t39 + 0x20, "aipc");
      				 *(_t40 - 4) = 2;
      				E011298AC(_t39 + 0x38, "repc");
      				 *(_t40 - 4) = 3;
      				E011298AC(_t39 + 0x50, "search_offer");
      				 *(_t40 - 4) = 4;
      				E011298AC(_t39 + 0x68, "update_log");
      				 *(_t40 - 4) = 5;
      				E011298AC(_t39 + 0x80, "update_action");
      				 *(_t40 - 4) = 6;
      				E011298AC(_t39 + 0x98, "uninstall_log");
      				return E01143D26(_t39);
      			}






      APIs
      • __EH_prolog3.LIBCMT ref: 0112A5E9
        • Part of subcall function 0113416D: __EH_prolog3.LIBCMT ref: 01134174
        • Part of subcall function 0113416D: #1511.MFC140U(00000010,00000004,011364A5,0000000C,011214FC), ref: 0113418F
        • Part of subcall function 0113416D: #1511.MFC140U(0000000C), ref: 011341B7
        • Part of subcall function 0113416D: curl_multi_init.LIBCURL ref: 011341D4
      Strings
      Similarity
      • API ID: #1511H_prolog3$curl_multi_init
      • String ID: aipc$repc$report_url$search_offer$uninstall_log$update_action$update_log
      • API String ID: 446020026-919081856
      • Opcode ID: 67d1b7fc01b83f78eff6720440ba64a24bdb44310ceed8ebeeb37da65ba14a9a
      • Instruction ID: 608eacc937a693a24395b41de20d6cd235f27abb7ff4e0a606f7408ba9e834cd
      • Opcode Fuzzy Hash: 67d1b7fc01b83f78eff6720440ba64a24bdb44310ceed8ebeeb37da65ba14a9a
      • Instruction Fuzzy Hash: 170188205467A9DBDB1CE7A9C41579D77A06F35F0CF48448CD18623280DBF91708C7A2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E01121FB7() {
      				intOrPtr _t169;
      				intOrPtr _t170;
      				intOrPtr _t174;
      				void* _t179;
      				intOrPtr _t187;
      				void* _t188;
      				intOrPtr _t197;
      				void* _t207;
      				intOrPtr _t214;
      				intOrPtr _t216;
      				void* _t223;
      				intOrPtr _t227;
      				void* _t238;
      				void* _t241;
      				void* _t248;
      				WCHAR* _t258;
      				void* _t271;
      				int _t284;
      				intOrPtr* _t305;
      				intOrPtr _t345;
      				void* _t375;
      				intOrPtr _t389;
      				intOrPtr _t390;
      				intOrPtr* _t391;
      				long _t396;
      				intOrPtr _t397;
      				intOrPtr _t399;
      				intOrPtr _t400;
      				void* _t403;
      				void* _t404;
      				intOrPtr _t405;
      				intOrPtr _t406;
      				void* _t407;
      				intOrPtr _t408;
      				intOrPtr _t409;
      				intOrPtr _t410;
      				void* _t411;
      				intOrPtr _t413;
      				intOrPtr _t416;
      				intOrPtr _t417;
      				void* _t418;
      				void* _t420;
      				void* _t421;
      				intOrPtr _t423;
      				intOrPtr _t424;
      				intOrPtr _t425;
      				void* _t426;
      				intOrPtr _t427;
      
      				 *(_t403 - 4) = 3;
      				_t284 = 0;
      				_t169 =  *((intOrPtr*)(_t403 - 0x328));
      				_t397 = _t169;
      				_t389 =  *((intOrPtr*)(_t403 - 0x334));
      				 *((intOrPtr*)(_t403 - 0x338)) = _t169;
      				_t170 =  *((intOrPtr*)(_t397 + 0x9c));
      				 *((intOrPtr*)(_t403 - 0x328)) = _t170;
      				if(_t170 != 0) {
      					_t390 =  *((intOrPtr*)(_t403 - 0x328));
      					goto L16;
      				} else {
      					 *((intOrPtr*)(_t403 - 0x328)) =  *((intOrPtr*)(_t397 + 8));
      					_t207 = E011237FA(0, _t403 - 0x35c, "Downloading DLL \"", _t389);
      					_t416 = _t404 - 0x18;
      					 *(_t403 - 4) = 0xb;
      					_t393 = _t416;
      					 *((intOrPtr*)(_t403 - 0x334)) = _t416;
      					 *((intOrPtr*)(_t403 - 0x31c)) = _t416;
      					E011299A0(_t416, E01129C57(_t207, "\"", 1));
      					_t417 = _t416 - 0x18;
      					 *(_t403 - 4) = 0xc;
      					 *((intOrPtr*)(_t403 - 0x31c)) = _t417;
      					E011298AC(_t417, "int __thiscall InstPC::Action::run(void)");
      					_t418 = _t417 - 0x18;
      					 *(_t403 - 4) = 0xd;
      					E011298AC(_t418, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      					 *(_t403 - 4) = 0xb;
      					E0113765F(0,  *((intOrPtr*)(_t403 - 0x328)), _t416);
      					 *(_t403 - 4) = 3;
      					E01129AC1(_t403 - 0x35c);
      					_t214 = _t403 - 0x118;
      					__imp__tmpnam_s(_t214, 0x104, 0x72, 2, _t389);
      					if(_t214 == 0) {
      						 *(_t403 - 0x318) = 0;
      						_t216 = _t403 - 0x318;
      						__imp__fopen_s(_t216, _t403 - 0x118, "wb+");
      						_t418 = _t418 + 0xc;
      						__eflags = _t216;
      						if(_t216 == 0) {
      							memset(_t403 - 0x2ac, 0, 0xb0);
      							E01140250(0, _t403 - 0x2ac, _t393);
      							_t420 = _t418 + 0xc - 0x18;
      							 *(_t403 - 4) = 0x10;
      							E01136693(0, _t420, _t403 - 0x1dc, _t393);
      							 *(E01140401(0, _t403 - 0x2ac, _t393) + 0x90) =  *(_t403 - 0x318);
      							__eflags =  *((intOrPtr*)(_t403 - 0x1e0)) - 5;
      							if( *((intOrPtr*)(_t403 - 0x1e0)) != 5) {
      								_push(0xffffffff);
      								_t223 = E01122D52(_t403 - 0x190, _t403 - 0x35c, 1);
      								_t421 = _t420 - 0x18;
      								 *(_t403 - 4) = 0x11;
      								E01136693(0, _t421, _t223, _t393);
      								E01140431(0, _t403 - 0x2ac, _t393);
      								 *(_t403 - 4) = 0x10;
      								E01129A96(_t403 - 0x35c);
      								_t227 = E0112431D(_t403 - 0x178, 0x114bf44);
      								__eflags = _t227;
      								if(_t227 == 0) {
      									_push(0xffffffff);
      									_t238 = E01122D52(_t403 - 0x178, _t403 - 0x394, 0xb);
      									_t423 = _t421 - 0x18;
      									 *(_t403 - 4) = 0x12;
      									 *((intOrPtr*)(_t403 - 0x320)) = _t423;
      									E01136693(0, _t423, _t238, _t393);
      									_push(9);
      									 *(_t403 - 4) = 0x13;
      									_t241 = E01122D52(_t403 - 0x178, _t403 - 0x35c, 1);
      									_t421 = _t423 - 0x18;
      									 *(_t403 - 4) = 0x14;
      									E01136693(0, _t421, _t241, _t393);
      									 *(_t403 - 4) = 0x15;
      									E0114048D(0, _t403 - 0x2ac, _t241, _t393);
      									E01129A96(_t403 - 0x35c);
      									 *(_t403 - 4) = 0x10;
      									E01129A96(_t403 - 0x394);
      								}
      							} else {
      								_t421 = _t420 - 0x18;
      								 *(_t403 - 0x2ac) = 2;
      								E01136693(0, _t421, _t403 - 0x190, _t393);
      								E01140431(0, _t403 - 0x2ac, _t393);
      							}
      							memset(_t403 - 0x314, _t284, 0x68);
      							_t372 = _t403 - 0x314;
      							 *((intOrPtr*)( *((intOrPtr*)(_t397 + 0xa0))))(_t403 - 0x314, _t403 - 0x2ac);
      							 *(_t403 - 4) = 0x16;
      							fclose( *(_t403 - 0x318));
      							_t404 = _t421 + 0xc - 0x14;
      							E011298AC(_t404, _t403 - 0x118);
      							L26();
      							E01140BCF(_t403 - 0x314, _t403 - 0x314);
      							 *(_t403 - 4) = 3;
      							E011403B6(_t403 - 0x2ac, _t403 - 0x314);
      							_t390 =  *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x338)) + 0x9c));
      							L16:
      							_push( *((intOrPtr*)(_t403 - 0x32c)));
      							_push(_t403 - 0x324);
      							E011245E6(_t284, _t372, _t390);
      							 *((intOrPtr*)( *((intOrPtr*)(_t403 - 0x324)) + 0x28)) = _t390;
      							_t174 = E01122A18(_t284, _t397, _t390, __eflags);
      							_t391 = _t397 + 0x6c;
      							_t405 = _t404 - 0x18;
      							 *((intOrPtr*)(_t403 - 0x32c)) = _t174;
      							 *((intOrPtr*)(_t403 - 0x320)) = _t405;
      							_push(_t391);
      							E011237FA( *((intOrPtr*)(_t397 + 8)), _t405, "Executing runner with configuration ", _t391);
      							_push(2);
      							_push(0x9c);
      							_t406 = _t405 - 0x18;
      							 *(_t403 - 4) = 0x17;
      							 *((intOrPtr*)(_t403 - 0x31c)) = _t406;
      							E011298AC(_t406, "int __thiscall InstPC::Action::run(void)");
      							_t407 = _t406 - 0x18;
      							 *(_t403 - 4) = 0x18;
      							E011298AC(_t407, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      							 *(_t403 - 4) = 3;
      							E0113765F( *((intOrPtr*)(_t397 + 8)),  *((intOrPtr*)(_t397 + 8)), _t391);
      							_t179 = E011214A8( *((intOrPtr*)(_t397 + 8)), _t391);
      							_t286 =  *((intOrPtr*)(_t397 + 8));
      							_push(_t179);
      							_t408 = _t407 - 0x18;
      							 *((intOrPtr*)(_t403 - 0x320)) = _t408;
      							 *((intOrPtr*)(_t403 - 0x31c)) = _t408;
      							E011298E1(_t408,  *((intOrPtr*)(_t397 + 8)) + 0x98);
      							_t409 = _t408 - 0x18;
      							 *(_t403 - 4) = 0x19;
      							 *((intOrPtr*)(_t403 - 0x31c)) = _t409;
      							 *((intOrPtr*)(_t403 - 0x328)) = _t409;
      							E011298E1(_t409,  *((intOrPtr*)(_t397 + 8)) + 0x50);
      							_t410 = _t409 - 0x18;
      							 *(_t403 - 4) = 0x1a;
      							 *((intOrPtr*)(_t403 - 0x328)) = _t410;
      							 *((intOrPtr*)(_t403 - 0x334)) = _t410;
      							E011298E1(_t410,  *((intOrPtr*)(_t397 + 8)) + 0x38);
      							 *(_t403 - 4) = 0x1b;
      							__eflags =  *((intOrPtr*)(_t391 + 0x14)) - 0x10;
      							if( *((intOrPtr*)(_t391 + 0x14)) >= 0x10) {
      								_t391 =  *_t391;
      							}
      							_t411 = _t410 - 0x18;
      							E011298AC(_t411, _t391);
      							 *(_t403 - 4) = 3;
      							_t187 =  *((intOrPtr*)(_t403 - 0x32c))();
      							_t392 = _t187;
      							 *((intOrPtr*)(_t403 - 0x33c)) = _t187;
      							_t188 = E0112934F(_t403 - 0x35c, _t187, _t187, _t397);
      							 *(_t403 - 4) = 0x1c;
      							E011299A0(_t403 - 0x130, E01124262(_t188, _t397, _t403 - 0x35c, "Runner execution returned ", 0x1a));
      							 *(_t403 - 4) = 0x1e;
      							E01129AC1(_t403 - 0x35c);
      							_t413 = _t411 + 0x64 - 0x18;
      							 *((intOrPtr*)(_t403 - 0x320)) = _t413;
      							E011298E1(_t413, _t403 - 0x130);
      							_push(2);
      							_push(0xa4);
      							 *(_t403 - 4) = 0x1f;
      							 *((intOrPtr*)(_t403 - 0x31c)) = _t413 - 0x18;
      							E011298AC(_t413 - 0x18, "int __thiscall InstPC::Action::run(void)");
      							 *(_t403 - 4) = 0x20;
      							E011298AC(_t413, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      							 *(_t403 - 4) = 0x1e;
      							E0113765F(_t286,  *((intOrPtr*)(_t397 + 8)), _t187);
      							_t305 = _t403 - 0x118;
      							_t375 = _t305 + 1;
      							do {
      								_t197 =  *_t305;
      								_t305 = _t305 + 1;
      								__eflags = _t197;
      							} while (_t197 != 0);
      							__eflags = _t305 != _t375;
      							if(_t305 != _t375) {
      								remove(_t403 - 0x118);
      							}
      							E01129AC1(_t403 - 0x130);
      							E0113F925(_t403 - 0x1fc);
      							E01129A96(_t403 - 0x160);
      							E01129AC1(_t403 - 0x148);
      							return E01143D4C(_t392, _t286, _t392);
      						} else {
      							__imp__#1511();
      							_t345 = 0x18;
      							 *((intOrPtr*)(_t403 - 0x320)) = _t216;
      							 *(_t403 - 4) = 0xf;
      							__eflags = _t216;
      							if(_t216 != 0) {
      								_t345 = _t216;
      								_t284 = E011298AC(_t345, "Could not open new temporary file\n");
      							}
      							 *(_t403 - 4) = 3;
      							_t248 = _t403 - 0x344;
      							 *(_t403 - 0x344) = _t284;
      							_push(0x1156040);
      							goto L25;
      						}
      					} else {
      						__imp__#1511();
      						_t345 = 0x18;
      						 *((intOrPtr*)(_t403 - 0x320)) = _t214;
      						 *(_t403 - 4) = 0xe;
      						if(_t214 != 0) {
      							_t345 = _t214;
      							_t284 = E011298AC(_t345, "Error occurred creating unique filename");
      						}
      						 *(_t403 - 4) = 3;
      						_t248 = _t403 - 0x340;
      						 *(_t403 - 0x340) = _t284;
      						_push(0x1156040);
      						L25:
      						_push(_t248);
      						L01145637();
      						asm("int3");
      						E01143DFF(E01145A5E, _t284, _t393, 0x110);
      						_t399 = _t345;
      						 *(_t403 - 4) =  *(_t403 - 4) & 0x00000000;
      						_push(_t403 + 8);
      						 *(_t403 - 4) = 1;
      						E011237FA(_t284, _t403 - 0x44, "Loading library ", _t393);
      						_t424 = _t418 - 0x18;
      						 *(_t403 - 4) = 2;
      						_t395 =  *((intOrPtr*)(_t399 + 8));
      						 *((intOrPtr*)(_t403 - 0xe0)) = _t424;
      						E011298E1(_t424, _t403 - 0x44);
      						_push(2);
      						_push(0xc3);
      						_t425 = _t424 - 0x18;
      						 *(_t403 - 4) = 3;
      						 *((intOrPtr*)(_t403 - 0xe4)) = _t425;
      						E011298AC(_t425, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      						_t426 = _t425 - 0x18;
      						 *(_t403 - 4) = 4;
      						E011298AC(_t426, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      						 *(_t403 - 4) = 2;
      						E0113765F(_t284,  *((intOrPtr*)(_t399 + 8)),  *((intOrPtr*)(_t399 + 8)));
      						_t258 = E01136637(_t284, _t403 - 0x2c, _t403 + 8,  *((intOrPtr*)(_t399 + 8)));
      						if(_t258[0xa] >= 8) {
      							_t258 =  *_t258;
      						}
      						 *((intOrPtr*)(_t399 + 0x9c)) = LoadLibraryW(_t258);
      						E01129A96(_t403 - 0x2c);
      						if( *((intOrPtr*)(_t399 + 0x9c)) == 0) {
      							_t396 = GetLastError();
      							E011298AC(_t403 - 0x2c, "Failed to load library");
      							 *(_t403 - 4) = 5;
      							memset(_t403 - 0xdc, 0, 0x98);
      							E01122ED0(_t284, _t403 - 0xdc, _t396);
      							_t427 = _t426 - 0x18;
      							 *(_t403 - 4) = 6;
      							_t400 =  *((intOrPtr*)(_t399 + 8));
      							 *((intOrPtr*)(_t403 - 0xe8)) = _t427;
      							E011298E1(_t427, _t403 - 0x2c);
      							 *(_t403 - 4) = 7;
      							 *((intOrPtr*)(_t403 - 0xe4)) = _t427 - 0x18;
      							E011298AC(_t427 - 0x18, "void __thiscall InstPC::Action::loadLib(class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >)");
      							 *(_t403 - 4) = 8;
      							E011298AC(_t427, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      							 *(_t403 - 4) = 6;
      							E0113765F(_t284, _t400, _t396);
      							_t271 = E01136637(_t284, _t403 - 0x100, _t403 - 0x2c, _t396);
      							 *(_t403 - 4) = 9;
      							E01123A5E(_t284, E01123A4B(_t403 - 0xdc, _t271), L". Error: ", _t396);
      							__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z(_t396, 0xcc, 5);
      							__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123BE6);
      							 *(_t403 - 4) = 6;
      							E011214A3(_t403 - 0x100);
      							E011299A0(_t403 - 0x118, _t403 - 0x2c);
      							L01145637();
      							asm("int3");
      							E01122EA0();
      							return __imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ(_t400, _t403 - 0x118, 0x1156050);
      						}
      						E01129AC1(_t403 - 0x44);
      						return E01143D4C(E01129AC1(_t403 + 8), _t284, _t395);
      					}
      				}
      			}




















































      APIs
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      • tmpnam_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000104,C:\git\modular-installer\kernel\Action.cpp), ref: 01122088
      • #1511.MFC140U(00000018), ref: 01122096
      • fopen_s.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,wb+), ref: 011220EC
      • #1511.MFC140U(00000018), ref: 011220FB
      • _CxxThrowException.VCRUNTIME140(?,01156050), ref: 01122829
      Strings
      • Error occurred creating unique filename, xrefs: 011220AB
      • int __thiscall InstPC::Action::run(void), xrefs: 01122041
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 01122054
      • Downloading DLL ", xrefs: 01121FF2
      Similarity
      • API ID: #1511$ExceptionThrow$H_prolog3H_prolog3_fopen_stmpnam_s
      • String ID: C:\git\modular-installer\kernel\Action.cpp$Downloading DLL "$Error occurred creating unique filename$int __thiscall InstPC::Action::run(void)
      • API String ID: 4052321204-2335537139
      • Opcode ID: 8896fcbd86e4bc7cf7cceb7f801deefee53ce6871850be317fc67f8918fccf35
      • Instruction ID: e4a2af028781fe4756b352d8dad0527a6d655a1acc206279310b7566cdbf6864
      • Opcode Fuzzy Hash: 8896fcbd86e4bc7cf7cceb7f801deefee53ce6871850be317fc67f8918fccf35
      • Instruction Fuzzy Hash: 1631AE30E0436DDBDF29EB7C8845B8CBBF8AB18B18F1440D8D108A7280DBB49B848F55
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3.LIBCMT ref: 011367F5
      • ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,0000000C,011366C1,0113458E,?,?), ref: 0113680D
      • #1511.MFC140U(00000034), ref: 01136845
      • ??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z.MSVCP140(00000000), ref: 0113685D
      • ?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z.MSVCP140(?), ref: 0113687D
      • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 01136893
      • ?_Addfac@_Locimp@locale@std@@AAEXPAVfacet@23@I@Z.MSVCP140(00000000,00000000), ref: 0113689D
      • ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP140(0114D4C0), ref: 011368AF
      Similarity
      • API ID: Locimp@locale@std@@$#1511??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@D@std@@H_prolog3Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_V01@V123@V123@@Vfacet@23@Yarn@
      • String ID:
      • API String ID: 11881512-0
      • Opcode ID: 99b248b1a3d38aafbb71d7b603cc4e3845f0281b158f9c4bfb679eed83474738
      • Instruction ID: a1a79744d7bfbb3b88bdf67c469ae1688d4d09f450f92ea5176e67863ab304b2
      • Opcode Fuzzy Hash: 99b248b1a3d38aafbb71d7b603cc4e3845f0281b158f9c4bfb679eed83474738
      • Instruction Fuzzy Hash: 1221DBB0808701CFDB28CFAAD08476EFBF0BF58B24F10442ED1AA93690CB70A640CB45
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3.LIBCMT ref: 0113FC9B
      • ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z.MSVCP140(00000001,0000000C,0113FAD2,?,?,?,?,?,?,?,?,?), ref: 0113FCB3
      • #1511.MFC140U(00000034,?,?,?,?,?,?,?,?,?), ref: 0113FCEB
      • ??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z.MSVCP140(00000000,?,?,?,?,?,?,?), ref: 0113FD03
      • ?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z.MSVCP140(?,?,?,?,?,?,?,?), ref: 0113FD23
      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,?), ref: 0113FD39
      • ?_Addfac@_Locimp@locale@std@@AAEXPAVfacet@23@I@Z.MSVCP140(00000000,00000000,?,?,?,?,?,?), ref: 0113FD43
      • ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z.MSVCP140(0114D4C0,?,?,?,?,?,?), ref: 0113FD55
      Similarity
      • API ID: Locimp@locale@std@@$#1511??0?$codecvt@_??4?$_Addfac@_Bid@locale@std@@D@std@@H_prolog3Init@locale@std@@Locimp@12@_Locimp@_Mbstatet@@@std@@New_V01@V123@V123@@Vfacet@23@Yarn@
      • String ID:
      • API String ID: 11881512-0
      • Opcode ID: 84f139bf48921ad23875ad1f5dd93ed0f34b781d7d752c95e82e6389dd10d0fc
      • Instruction ID: 759deb68ad3e3b0bb564c72241a988d294164317c15eadcd0b19101cf1f26630
      • Opcode Fuzzy Hash: 84f139bf48921ad23875ad1f5dd93ed0f34b781d7d752c95e82e6389dd10d0fc
      • Instruction Fuzzy Hash: E321AD71808701CFD728DF6AD58876EFBF0BF58B14F50442ED1AA93654CB70A645CB45
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E01126FDA(intOrPtr* __ecx, void* _a4, void* _a8, signed int _a12) {
      				void* _v8;
      				int _v12;
      				intOrPtr* _v16;
      				void* _v20;
      				void* __ebx;
      				void* _t112;
      				void* _t117;
      				void* _t128;
      				void* _t132;
      				void* _t134;
      				void* _t143;
      				intOrPtr* _t144;
      				void* _t145;
      				void* _t150;
      				signed int _t151;
      				intOrPtr _t153;
      				signed int _t154;
      				void* _t157;
      				void* _t161;
      				signed int _t166;
      				signed int _t168;
      				signed int _t171;
      				intOrPtr _t174;
      				void* _t177;
      				intOrPtr _t178;
      				void* _t179;
      				void* _t180;
      				void* _t181;
      				void* _t182;
      				void* _t183;
      				void* _t188;
      				void* _t189;
      				intOrPtr* _t198;
      				void* _t199;
      				void* _t200;
      				void* _t201;
      				void* _t202;
      
      				_t198 = __ecx;
      				_v16 = __ecx;
      				_t2 = _t198 + 4; // 0x7c4c7b83
      				_t112 =  *_t2;
      				_t143 = _t112;
      				_v8 = _t143;
      				if( *((intOrPtr*)(_t112 + 4)) == 6) {
      					_t174 =  *((intOrPtr*)(_t112 + 0x18));
      					_v8 = _t112;
      					if(_t174 != 1) {
      						 *((intOrPtr*)(_t112 + 0x18)) = _t174 - 1;
      						_t112 = E01125AEE(_t143, __ecx,  *( *((intOrPtr*)(_t112 + 0x1c)) + _t174 - 1) & 0x000000ff);
      						_t10 = _t198 + 4; // 0x7c4c7b83
      						_t143 =  *_t10;
      						_v8 = _t143;
      					}
      				}
      				if( *((intOrPtr*)(_t143 + 4)) == 9 ||  *((intOrPtr*)(_t143 + 4)) == 0xe) {
      					_t143 =  *(_t143 + 0x14);
      					_v8 = _t143;
      				}
      				if(_a4 != 0 || _a8 != 1) {
      					_t144 = __imp__#1511;
      					_t177 =  *_t144(0x18);
      					_v12 = _t177;
      					if(_t177 == 0) {
      						_t199 = 0;
      						_t183 = 0;
      						_v12 = 0;
      					} else {
      						_t199 = 0;
      						_t154 = 6;
      						memset(_t177, 0, _t154 << 2);
      						_t202 = _t202 + 0xc;
      						 *((intOrPtr*)(_t177 + 4)) = 0x13;
      						_t183 = _t177;
      						 *((intOrPtr*)(_t177 + 8)) = 0;
      						 *((intOrPtr*)(_t177 + 0xc)) = 0;
      						 *((intOrPtr*)(_t177 + 0x10)) = 0;
      						 *_t177 = 0x114bf54;
      						 *((intOrPtr*)(_t177 + 0x14)) = 0;
      					}
      					_t145 =  *_t144(0x28);
      					_v20 = _t145;
      					if(_t145 == 0) {
      						_t145 = _t199;
      					} else {
      						_t151 = 0xa;
      						memset(_t145, 0, _t151 << 2);
      						_t183 = _v12;
      						_t153 =  *_v16;
      						_t178 =  *((intOrPtr*)(_t153 + 0x18));
      						 *((intOrPtr*)(_t153 + 0x18)) = _t178 + 1;
      						 *((intOrPtr*)(_t145 + 4)) = 0x12;
      						 *(_t145 + 0x24) =  *(_t145 + 0x24) | 0xffffffff;
      						 *((intOrPtr*)(_t145 + 8)) = (_a12 & 0x000000ff) + (_a12 & 0x000000ff);
      						 *((intOrPtr*)(_t145 + 0x14)) = _a4;
      						 *(_t145 + 0xc) = _t199;
      						 *(_t145 + 0x10) = _t199;
      						 *_t145 = 0x114bf4c;
      						 *((intOrPtr*)(_t145 + 0x18)) = _a8;
      						 *(_t145 + 0x1c) = _t183;
      						 *((intOrPtr*)(_t145 + 0x20)) = _t178;
      					}
      					 *(_t183 + 0x14) = _t145;
      					E011251B5(_v16, _t183);
      					_t150 = _v8;
      					 *( *(_t150 + 0x10) + 0xc) = _t145;
      					_t117 =  *(_t150 + 0x10);
      					 *(_t145 + 0x10) = _t117;
      					 *(_t150 + 0x10) = _t145;
      					 *(_t145 + 0xc) = _t150;
      					return _t117;
      				} else {
      					__imp__#1511(0x14);
      					_t157 = _t112;
      					_a4 = _t157;
      					if(_t157 == 0) {
      						_t200 = 0;
      						_a4 = 0;
      					} else {
      						_t112 = 0;
      						_t200 = 0;
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						 *((intOrPtr*)(_t157 + 4)) = 0x11;
      						 *((intOrPtr*)(_t157 + 8)) = 0;
      						 *((intOrPtr*)(_t157 + 0xc)) = 0;
      						 *((intOrPtr*)(_t157 + 0x10)) = 0;
      						 *_t157 = 0x114bf64;
      					}
      					__imp__#1511(0x1c);
      					_t179 = _t112;
      					_a8 = _t179;
      					if(_t179 == 0) {
      						_v12 = _t200;
      					} else {
      						_t171 = 7;
      						memset(_t179, 0, _t171 << 2);
      						_t202 = _t202 + 0xc;
      						_t112 = E011215D5(_t179, _a4);
      						_v12 = _t112;
      					}
      					__imp__#1511(0x1c);
      					_t180 = _t112;
      					_a8 = _t180;
      					if(_t180 == 0) {
      						_v8 = _t200;
      					} else {
      						_t168 = 7;
      						memset(_t180, 0, _t168 << 2);
      						_t202 = _t202 + 0xc;
      						_t112 = E011215D5(_t180, _a4);
      						_v8 = _t112;
      					}
      					__imp__#1511(0x14);
      					_t161 = _t112;
      					_a8 = _t161;
      					if(_t161 == 0) {
      						_t188 = _t200;
      						_a8 = _t188;
      					} else {
      						_t112 = 0;
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						 *_t161 = 0x114bf94;
      						_t188 = _t161;
      						 *((intOrPtr*)(_t161 + 4)) = 8;
      						 *(_t161 + 8) = _t200;
      						 *(_t161 + 0xc) = _t200;
      						 *(_t161 + 0x10) = _t200;
      					}
      					__imp__#1511(0x18);
      					_t181 = _t112;
      					_v20 = _t181;
      					if(_t181 == 0) {
      						_t181 = _t200;
      					} else {
      						_t166 = 6;
      						memset(_t181, 0, _t166 << 2);
      						_t188 = _a8;
      						 *((intOrPtr*)(_t181 + 4)) = 9;
      						 *(_t181 + 8) = _t200;
      						 *(_t181 + 0xc) = _t200;
      						 *(_t181 + 0x10) = _t200;
      						 *_t181 = 0x114bf84;
      						 *(_t181 + 0x14) = _t188;
      					}
      					_t128 = _v8;
      					_t201 = _v12;
      					 *(_t128 + 0xc) = _t188;
      					 *((intOrPtr*)(_t188 + 0x10)) = _t128;
      					 *(_t188 + 0xc) = _t181;
      					 *(_t181 + 0x10) = _t188;
      					_t189 = _v8;
      					 *(_t181 + 0xc) = _a4;
      					 *(_t201 + 0x18) = _t189;
      					E011251B5(_v16, _a4);
      					 *( *(_t143 + 0x10) + 0xc) = _t201;
      					_t132 =  *(_t143 + 0x10);
      					 *(_t201 + 0x10) = _t132;
      					 *(_t143 + 0x10) = _t201;
      					 *(_t201 + 0xc) = _t143;
      					if(_a12 != 0) {
      						return _t132;
      					} else {
      						_t182 =  *(_t189 + 0xc);
      						 *(_t143 + 0x10) =  *(_t182 + 0x10);
      						 *(_t182 + 0x10) =  *(_t143 + 0x10);
      						_t134 =  *(_t189 + 0xc);
      						 *(_t201 + 0xc) = _t134;
      						 *(_t189 + 0xc) =  *(_t201 + 0xc);
      						return _t134;
      					}
      				}
      			}


      APIs
      • #1511.MFC140U(00000014,?,?,00000000,01124B6B), ref: 01127042
      • #1511.MFC140U(0000001C,00000000,01124B6B), ref: 0112707C
      • #1511.MFC140U(0000001C), ref: 011270A9
      • #1511.MFC140U(00000014), ref: 011270D6
      • #1511.MFC140U(00000018), ref: 01127110
        • Part of subcall function 01125AEE: #1511.MFC140U(00000020,?,?,01124B6B,?,011250BE,?,?,?,?,01124B6B), ref: 01125B07
        • Part of subcall function 01125AEE: ?tolower@?$ctype@D@std@@QBEDD@Z.MSVCP140(?,00000000,01124B6B,?,011250BE,?,?), ref: 01125B5D
      • #1511.MFC140U(00000018,?,?,00000000,01124B6B), ref: 011271B4
      • #1511.MFC140U(00000028,00000000,01124B6B), ref: 011271F1
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$?tolower@?$ctype@D@std@@
      • String ID:
      • API String ID: 1395772731-0
      • Opcode ID: 5734a2db1930074bb44fdfc3ad945e40c9ecff2128c3c167fecc35852c2d8763
      • Instruction ID: c4eb0a882a456406b224c221444bd91966615957789ca555c79f53111add6011
      • Opcode Fuzzy Hash: 5734a2db1930074bb44fdfc3ad945e40c9ecff2128c3c167fecc35852c2d8763
      • Instruction Fuzzy Hash: A9A112B4A043259FDB58CF19C48065ABBE1FF49720B24C5AEE9198B382D7B1D951CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 31%
      			E01134DB8(void* __ebx, intOrPtr* __ecx, signed char* __edx, void* __edi) {
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t83;
      				intOrPtr _t91;
      				intOrPtr _t93;
      				intOrPtr _t98;
      				signed int _t101;
      				signed short _t107;
      				signed short _t108;
      				void* _t110;
      				intOrPtr _t112;
      				signed int _t115;
      				intOrPtr _t119;
      				intOrPtr* _t120;
      				void* _t121;
      				intOrPtr _t122;
      				intOrPtr _t129;
      				intOrPtr _t132;
      				intOrPtr _t136;
      				intOrPtr _t142;
      				intOrPtr* _t146;
      				intOrPtr _t147;
      				signed char* _t148;
      				intOrPtr* _t151;
      				void* _t153;
      				intOrPtr _t156;
      				void* _t158;
      
      				_t146 = __edx;
      				_t120 = __ecx;
      				E01143DC8(E011482C4, __ebx, __edi, 0x3c);
      				 *(_t153 - 0x24) = __edx;
      				_t151 = _t120;
      				 *((intOrPtr*)(_t153 - 0x2c)) = _t151;
      				_t121 = __edx + 1;
      				_t119 = 0;
      				 *((intOrPtr*)(_t153 - 0x28)) = 0;
      				do {
      					_t80 =  *_t146;
      					_t146 = _t146 + 1;
      				} while (_t80 != 0);
      				_t147 = _t146 - _t121;
      				 *((intOrPtr*)(_t153 - 0x1c)) = _t147;
      				 *((intOrPtr*)(_t153 - 0x20)) = 0;
      				_t82 =  *((intOrPtr*)( *_t151 + 4));
      				_t122 =  *((intOrPtr*)(_t82 + _t151 + 0x20));
      				_t83 =  *((intOrPtr*)(_t82 + _t151 + 0x24));
      				_t156 = _t83;
      				if(_t156 < 0 || _t156 <= 0 && _t122 <= 0) {
      					L9:
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x38], xmm0");
      					 *((intOrPtr*)(_t153 - 0x18)) =  *((intOrPtr*)(_t153 - 0x34));
      					 *((intOrPtr*)(_t153 - 0x14)) =  *((intOrPtr*)(_t153 - 0x38));
      				} else {
      					_t158 = _t83 - _t119;
      					if(_t158 < 0 || _t158 <= 0 && _t122 <= _t147) {
      						goto L9;
      					} else {
      						 *((intOrPtr*)(_t153 - 0x14)) = _t122 - _t147;
      						asm("sbb eax, esi");
      						 *((intOrPtr*)(_t153 - 0x18)) = _t83;
      					}
      				}
      				_push(_t151);
      				E011234A5(_t153 - 0x40, _t151);
      				 *((intOrPtr*)(_t153 - 4)) = 0;
      				if( *((char*)(_t153 - 0x3c)) != 0) {
      					 *((char*)(_t153 - 4)) = 1;
      					__imp__?getloc@ios_base@std@@QBE?AVlocale@2@XZ(_t153 - 0x48);
      					 *((char*)(_t153 - 4)) = 2;
      					 *((intOrPtr*)(_t153 - 0x30)) = E0113628C(_t119, _t153 - 0x48, _t151);
      					 *((char*)(_t153 - 4)) = 1;
      					E01129306(_t153 - 0x48);
      					_t129 =  *((intOrPtr*)( *_t151 + 4));
      					__eflags = ( *(_t129 + _t151 + 0x14) & 0x000001c0) - 0x40;
      					if(( *(_t129 + _t151 + 0x14) & 0x000001c0) != 0x40) {
      						_t112 =  *((intOrPtr*)(_t153 - 0x14));
      						_t142 =  *((intOrPtr*)(_t153 - 0x18));
      						while(1) {
      							__eflags = _t142;
      							if(__eflags < 0) {
      								goto L19;
      							}
      							if(__eflags > 0) {
      								L17:
      								_t115 =  *( *((intOrPtr*)( *_t151 + 4)) + _t151 + 0x40) & 0x0000ffff;
      								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t115);
      								__eflags = 0xffff - _t115;
      								if(0xffff != _t115) {
      									_t142 =  *((intOrPtr*)(_t153 - 0x18));
      									_t112 =  *((intOrPtr*)(_t153 - 0x14)) + 0xffffffff;
      									 *((intOrPtr*)(_t153 - 0x14)) = _t112;
      									asm("adc ecx, 0xffffffff");
      									 *((intOrPtr*)(_t153 - 0x18)) = _t142;
      									continue;
      								} else {
      									_t119 = 4;
      									 *((intOrPtr*)(_t153 - 0x28)) = _t119;
      								}
      							} else {
      								__eflags = _t112;
      								if(_t112 > 0) {
      									goto L17;
      								}
      							}
      							goto L19;
      						}
      					}
      					L19:
      					_t91 =  *((intOrPtr*)(_t153 - 0x1c));
      					_t132 = 0;
      					_t148 =  *(_t153 - 0x24);
      					while(1) {
      						__eflags = _t119;
      						if(_t119 != 0) {
      							break;
      						}
      						__eflags = _t132;
      						if(__eflags < 0) {
      							L26:
      							_t98 =  *((intOrPtr*)(_t153 - 0x14));
      							_t136 =  *((intOrPtr*)(_t153 - 0x18));
      							while(1) {
      								__eflags = _t136;
      								if(__eflags < 0) {
      									goto L32;
      								}
      								if(__eflags > 0) {
      									L30:
      									_t101 =  *( *((intOrPtr*)( *_t151 + 4)) + _t151 + 0x40) & 0x0000ffff;
      									__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t101);
      									__eflags = 0xffff - _t101;
      									if(0xffff != _t101) {
      										_t136 =  *((intOrPtr*)(_t153 - 0x18));
      										_t98 =  *((intOrPtr*)(_t153 - 0x14)) + 0xffffffff;
      										 *((intOrPtr*)(_t153 - 0x14)) = _t98;
      										asm("adc ecx, 0xffffffff");
      										 *((intOrPtr*)(_t153 - 0x18)) = _t136;
      										continue;
      									} else {
      										__eflags = _t119;
      									}
      								} else {
      									__eflags = _t98;
      									if(_t98 > 0) {
      										goto L30;
      									}
      								}
      								goto L32;
      							}
      						} else {
      							if(__eflags > 0) {
      								L24:
      								 *((intOrPtr*)(_t153 - 0x34)) =  *((intOrPtr*)( *((intOrPtr*)( *_t151 + 4)) + _t151 + 0x38));
      								_t107 =  *_t148 & 0x000000ff;
      								__imp__?widen@?$ctype@_W@std@@QBE_WD@Z(_t107);
      								_t108 = _t107 & 0x0000ffff;
      								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t108);
      								__eflags = 0xffff - (_t108 & 0x0000ffff);
      								_t132 =  *((intOrPtr*)(_t153 - 0x20));
      								_t110 = 4;
      								_t119 =  ==  ? _t110 : _t119;
      								_t91 =  *((intOrPtr*)(_t153 - 0x1c)) + 0xffffffff;
      								 *((intOrPtr*)(_t153 - 0x28)) = _t119;
      								 *((intOrPtr*)(_t153 - 0x1c)) = _t91;
      								asm("adc ecx, 0xffffffff");
      								_t148 =  &(( *(_t153 - 0x24))[1]);
      								 *((intOrPtr*)(_t153 - 0x20)) = _t132;
      								 *(_t153 - 0x24) = _t148;
      								continue;
      							} else {
      								__eflags = _t91;
      								if(_t91 <= 0) {
      									goto L26;
      								} else {
      									goto L24;
      								}
      							}
      						}
      						break;
      					}
      					L32:
      					_t93 =  *((intOrPtr*)( *_t151 + 4));
      					 *((intOrPtr*)(_t93 + _t151 + 0x20)) = 0;
      					 *((intOrPtr*)(_t93 + _t151 + 0x24)) = 0;
      					 *((intOrPtr*)(_t153 - 4)) = 0;
      				} else {
      					_t119 = 4;
      				}
      				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(0);
      				E01123448(_t153 - 0x40);
      				return E01143D26(_t151, _t119);
      			}


      APIs
      • __EH_prolog3_catch.LIBCMT ref: 01134DBF
      • ?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,0000003C,01134452), ref: 01134E51
        • Part of subcall function 0113628C: __EH_prolog3_GS.LIBCMT ref: 01136293
        • Part of subcall function 0113628C: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,0000001C,01134E62,?,0000003C,01134452), ref: 0113629F
        • Part of subcall function 0113628C: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0000003C,01134452), ref: 011362B7
        • Part of subcall function 0113628C: ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000,?,0000003C,01134452), ref: 011362D7
        • Part of subcall function 0113628C: std::_Facet_Register.LIBCPMT ref: 011362EF
        • Part of subcall function 0113628C: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,0000003C,01134452), ref: 01136308
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,0000003C,01134452), ref: 01134EA4
      • ?widen@?$ctype@_W@std@@QBE_WD@Z.MSVCP140(?,?,0000003C,01134452), ref: 01134EEA
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,0000003C,01134452), ref: 01134EF7
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,0000003C,01134452), ref: 01134F62
      • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,0000003C,01134452), ref: 01134FC9
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$Lockit@std@@W@std@@$??0_??1_?getloc@ios_base@std@@?setstate@?$basic_ios@_?widen@?$ctype@_Bid@locale@std@@Facet_Getcat@?$ctype@_H_prolog3_H_prolog3_catchRegisterV42@@Vfacet@locale@2@Vlocale@2@std::_
      • String ID:
      • API String ID: 952152681-0
      • Opcode ID: 8680054caf956347a580a78344b9c70a8cab8f60e0dab5cb3e8dfcb2fea9348c
      • Instruction ID: 3f7aab878e5f81b1a8cd6c25a6c27992240a2828925ee4ed536bc885a9b6da70
      • Opcode Fuzzy Hash: 8680054caf956347a580a78344b9c70a8cab8f60e0dab5cb3e8dfcb2fea9348c
      • Instruction Fuzzy Hash: 87716B74A042568FCB28CFACC4949BDBBF1FF88714B644269E525E7785C7349940CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 98%
      			E0112E35A(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
      				void* _t63;
      				intOrPtr _t73;
      				intOrPtr _t97;
      				void* _t101;
      				intOrPtr* _t102;
      				intOrPtr _t103;
      				intOrPtr _t104;
      				intOrPtr _t105;
      				intOrPtr _t106;
      				intOrPtr _t107;
      
      				_t94 = __edx;
      				_t73 = __ecx;
      				E01143D5D(E01146DEA, __ebx, __edi, 0x50);
      				_t97 = _t73;
      				 *((intOrPtr*)(_t101 - 0x10)) = _t97;
      				E01136604(_t73);
      				 *((intOrPtr*)(_t101 - 4)) = 0;
      				E0113416D(0, _t97 + 0xc, _t97);
      				 *((intOrPtr*)(_t97 + 0x24)) = 0;
      				 *((intOrPtr*)(_t97 + 0x28)) = 0xf;
      				 *((char*)(_t97 + 0x14)) = 0;
      				 *((char*)(_t101 - 4)) = 2;
      				 *((intOrPtr*)(_t97 + 0x2c)) = E011214A8(0, _t97);
      				E011298E1(_t101 - 0x44, 0x115a0cc);
      				_t98 =  *((intOrPtr*)(_t101 - 0x34));
      				E01129AC1(_t101 - 0x44);
      				_t111 =  *((intOrPtr*)(_t101 - 0x34));
      				if( *((intOrPtr*)(_t101 - 0x34)) == 0) {
      					E01129863(0x115a0cc, "1582447612575780", 0x10);
      				}
      				E0112E540(0x115a0cc, _t94, _t97, _t111);
      				E0112E69C(0x115a0cc, _t94, _t97);
      				E0112E80E(0x115a0cc, _t94, _t97);
      				E0112E96C(0x115a0cc, _t97, _t98);
      				E011298E1(_t101 - 0x44, 0x115a0b4);
      				_t99 =  *((intOrPtr*)(_t101 - 0x34));
      				E01129AC1(_t101 - 0x44);
      				_t112 =  *((intOrPtr*)(_t101 - 0x34));
      				if( *((intOrPtr*)(_t101 - 0x34)) == 0) {
      					_t63 = E01131F42(0x115a0b4, _t101 - 0x5c, 0x115a03c, _t97, _t112);
      					 *((char*)(_t101 - 4)) = 3;
      					_t94 = _t63;
      					 *_t102 = 0x115a024;
      					E011293B6(0x115a0b4, _t99, E01131F14(_t101 - 0x44, _t63, 0x115a054));
      					E01129AC1(_t101 - 0x44);
      					 *((char*)(_t101 - 4)) = 2;
      					E01129AC1(_t101 - 0x5c);
      				}
      				E0112E99D(0x115a0b4, _t94, _t97);
      				E0112EABC(0x115a0b4, _t94, _t97);
      				_t103 = _t102 - 0x18;
      				 *((intOrPtr*)(_t101 - 0x14)) = _t103;
      				 *((intOrPtr*)(_t101 - 0x18)) = _t103;
      				E011298E1(_t103, 0x115a09c);
      				_t104 = _t103 - 0x18;
      				 *((char*)(_t101 - 4)) = 4;
      				 *((intOrPtr*)(_t101 - 0x18)) = _t104;
      				 *((intOrPtr*)(_t101 - 0x1c)) = _t104;
      				E011298E1(_t104, 0x115a0b4);
      				_t105 = _t104 - 0x18;
      				 *((char*)(_t101 - 4)) = 5;
      				 *((intOrPtr*)(_t101 - 0x1c)) = _t105;
      				 *((intOrPtr*)(_t101 - 0x20)) = _t105;
      				E011298E1(_t105, 0x115a0cc);
      				_t106 = _t105 - 0x18;
      				 *((char*)(_t101 - 4)) = 6;
      				 *((intOrPtr*)(_t101 - 0x20)) = _t106;
      				E011298AC(_t106, "673ae6306d8266a780df868d6772aab3b9662e0f");
      				_t107 = _t106 - 0x18;
      				 *((char*)(_t101 - 4)) = 7;
      				 *((intOrPtr*)(_t101 - 0x24)) = _t107;
      				E011298AC(_t107, "1248");
      				_t108 = _t107 - 0x18;
      				 *((char*)(_t101 - 4)) = 8;
      				 *((intOrPtr*)(_t101 - 0x28)) = _t107 - 0x18;
      				E011298AC(_t107 - 0x18, "Kernel");
      				 *((char*)(_t101 - 4)) = 9;
      				E011298AC(_t108 - 0x18, "IPCService");
      				 *((char*)(_t101 - 4)) = 2;
      				L011374D1(0x115a0b4,  *((intOrPtr*)(_t97 + 8)), _t94, _t97, _t112);
      				return E01143D26(_t97);
      			}


      APIs
      • __EH_prolog3.LIBCMT ref: 0112E361
        • Part of subcall function 01136604: __EH_prolog3.LIBCMT ref: 0113660B
        • Part of subcall function 0113416D: __EH_prolog3.LIBCMT ref: 01134174
        • Part of subcall function 0113416D: #1511.MFC140U(00000010,00000004,011364A5,0000000C,011214FC), ref: 0113418F
        • Part of subcall function 0113416D: #1511.MFC140U(0000000C), ref: 011341B7
        • Part of subcall function 0113416D: curl_multi_init.LIBCURL ref: 011341D4
        • Part of subcall function 011214A8: __EH_prolog3.LIBCMT ref: 011214AF
        • Part of subcall function 011214A8: memset.VCRUNTIME140(0115B430,00000000,000000FC,00000000,01136624,00000004,0112C1FD,000000FC,?,0112A166,?), ref: 011214EF
        • Part of subcall function 01129863: memmove.VCRUNTIME140(?,00000010,?,?,?,?,?,?), ref: 01129885
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$#1511$curl_multi_initmemmovememset
      • String ID: 1248$1582447612575780$673ae6306d8266a780df868d6772aab3b9662e0f$IPCService$Kernel
      • API String ID: 1721345441-2827731071
      • Opcode ID: fc993ae6f1f944467e3e1373cd3fd00a6c1d2f60c33cace74bcd3229b32a9ac5
      • Instruction ID: 5b05355a30d7c1720d23fb952db9077b14915ec3a4f3d38b2021c4f900e869b9
      • Opcode Fuzzy Hash: fc993ae6f1f944467e3e1373cd3fd00a6c1d2f60c33cace74bcd3229b32a9ac5
      • Instruction Fuzzy Hash: FC417E70E0126EEBCF0CFBBCC5566ACBA70AF6560CF54415DD4413B281DBB46A2487A2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 53%
      			E01142668(void* __ebx, intOrPtr __ecx, void* __edi) {
      				void* _t70;
      				intOrPtr* _t74;
      				intOrPtr* _t80;
      				intOrPtr _t84;
      				int _t85;
      				intOrPtr _t86;
      				intOrPtr _t106;
      				void* _t108;
      				void* _t109;
      
      				_t86 = __ecx;
      				E01143D91(E01149D34, __ebx, __edi, 0xd4);
      				_t84 = _t86;
      				 *((intOrPtr*)(_t108 - 0xc8)) = _t84;
      				_t106 =  *((intOrPtr*)(_t108 + 8));
      				if(_t106 != 0) {
      					 *((intOrPtr*)(_t84 + 8)) =  *((intOrPtr*)(_t106 + 4));
      					E01129658( *((intOrPtr*)(_t106 + 0xc)));
      					E0112BA2B( *((intOrPtr*)(_t106 + 0x20)));
      					E0112BA2B( *((intOrPtr*)(_t106 + 0x24)));
      					E0112BA2B( *((intOrPtr*)(_t106 + 0x28)));
      					_t107 = 0;
      					if( *((intOrPtr*)(_t106 + 0x34)) > 0) {
      						memset(_t108 - 0xc0, 0, 0xb0);
      						_t74 = E01131CE4(_t84, _t108 - 0xc0, _t106);
      						 *((intOrPtr*)(_t108 - 4)) = 0;
      						 *((intOrPtr*)(_t108 - 0xc4)) = 0;
      						if( *((intOrPtr*)(_t106 + 0x34)) > 0) {
      							_t85 = 0;
      							do {
      								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z(E01142808);
      								_t107 = _t74;
      								_t80 = _t108 - 0xd8;
      								__imp__?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z(_t80, 2, 0);
      								 *_t80( *((intOrPtr*)( *_t107 + 4)) + _t107,  *((intOrPtr*)(_t80 + 8)),  *((intOrPtr*)(_t80 + 0xc)));
      								_t109 = _t109 + 0x18;
      								_t74 =  *((intOrPtr*)( *_t107 + 4));
      								 *((char*)(_t74 + _t107 + 0x40)) = 0x30;
      								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z(E011427FC);
      								__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z( *(_t106 + _t85 + 0x2c) & 0x000000ff);
      								_t85 = _t85 + 1;
      							} while (_t85 <  *((intOrPtr*)(_t106 + 0x34)));
      							_t84 =  *((intOrPtr*)(_t108 - 0xc8));
      						}
      						E01131D62(_t84, _t108 - 0xa8, _t106);
      						E011293B6(_t84 + 0x6c, _t107, _t108 - 0xe0);
      						E01129AC1(_t108 - 0xe0);
      						E0112D3A9();
      						__imp__??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ(_t108 - 0xe0);
      					}
      					 *((intOrPtr*)(_t84 + 0x84)) =  *((intOrPtr*)(_t106 + 0x38));
      					 *((intOrPtr*)(_t84 + 0x88)) =  *((intOrPtr*)(_t106 + 0x3c));
      					 *((intOrPtr*)(_t84 + 0x8c)) =  *((intOrPtr*)(_t106 + 0x40));
      					 *((intOrPtr*)(_t84 + 0x90)) =  *((intOrPtr*)(_t106 + 0x44));
      					 *((intOrPtr*)(_t84 + 0x98)) =  *((intOrPtr*)(_t106 + 0x90));
      					 *((intOrPtr*)(_t84 + 0x9c)) =  *((intOrPtr*)(_t106 + 0x94));
      					 *((intOrPtr*)(_t84 + 0xa0)) =  *((intOrPtr*)(_t106 + 0x98));
      					 *((intOrPtr*)(_t84 + 0xa4)) =  *((intOrPtr*)(_t106 + 0x9c));
      					_t70 = 1;
      				} else {
      					_t70 = 0;
      				}
      				return E01143D3B(_t70, _t84, _t106);
      			}













      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01142672
      • memset.VCRUNTIME140(?,00000000,000000B0,0000000F,?,?,000000D4,0112E773,00000000,?,?,?,?,?,00000050,0112117A), ref: 011426D7
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_00022808,00000000,000000B0,0000000F,?,?,000000D4,0112E773,00000000,?,?,?,?,?,00000050,0112117A), ref: 01142703
      • ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000002,00000000,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 01142716
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,0112117A,?,01156040), ref: 01142740
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,0112117A,?,01156040), ref: 0114274E
      • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?,00000000,000000B0,0000000F,?,?,000000D4,0112E773,00000000,?,?,?,?,?,00000050), ref: 01142797
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@$V21@@Vios_base@1@$??1?$basic_ios@?setw@std@@H_prolog3_J@1@_Smanip@_U?$_memset
      • String ID:
      • API String ID: 688910114-0
      • Opcode ID: 01550e29bf4dfd4e8046023b45117dfbe6a29efa18ef923cdd503cd955234337
      • Instruction ID: 4198ad880099845a1ac1136afcac4d9e231013bb7a934c0a9f0eecd8940c5311
      • Opcode Fuzzy Hash: 01550e29bf4dfd4e8046023b45117dfbe6a29efa18ef923cdd503cd955234337
      • Instruction Fuzzy Hash: 4F417C74601226EFCB58DF68C894F99BBB0FF18704F4481A9E94DDB651DB30A9A4CF90
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 21%
      			E011290E3(void* __ebx, void* __ecx, void* __edi) {
      				signed int _v4;
      				signed int _v16;
      				void* _v20;
      				intOrPtr* _v24;
      				void* _v28;
      				char _v40;
      				char _t27;
      				char* _t30;
      				intOrPtr _t33;
      				void* _t40;
      				char* _t47;
      				intOrPtr _t48;
      				void* _t52;
      				intOrPtr _t53;
      				signed int _t56;
      				intOrPtr* _t58;
      
      				_t40 = __ecx;
      				_t39 = __ebx;
      				E01143D91(E011461EA, __ebx, __edi, 0x1c);
      				_t52 = _t40;
      				__imp__??0_Lockit@std@@QAE@H@Z(0);
      				_v4 = _v4 & 0x00000000;
      				_t27 =  *0x115b428;
      				_v28 = _t27;
      				__imp__??Bid@locale@std@@QAEIXZ();
      				_push(_t27);
      				L6();
      				_t55 = _t27;
      				if(_t27 != 0) {
      					L4:
      					__imp__??1_Lockit@std@@QAE@XZ();
      					return E01143D3B(_t55, _t39, _t52);
      				} else {
      					_t55 = _v28;
      					if(_t55 != 0) {
      						goto L4;
      					} else {
      						_t30 =  &_v28;
      						__imp__?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z(_t30, _t52);
      						if(_t30 == 0xffffffff) {
      							_t47 =  &_v40;
      							E01129293(_t47);
      							_push(0x1155fc8);
      							_push(_t47);
      							L01145637();
      							asm("int3");
      							_t48 =  *((intOrPtr*)(_t47 + 4));
      							_push(_t55);
      							_t56 = _v16;
      							_push(_t52);
      							_t53 = 0;
      							if(_t56 >=  *((intOrPtr*)(_t48 + 0xc))) {
      								_t33 = 0;
      							} else {
      								_t33 =  *((intOrPtr*)( *((intOrPtr*)(_t48 + 8)) + _t56 * 4));
      							}
      							if(_t33 == 0 &&  *((intOrPtr*)(_t48 + 0x14)) != _t33) {
      								__imp__?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ();
      								if(_t56 <  *((intOrPtr*)(_t33 + 0xc))) {
      									_t53 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 8)) + _t56 * 4));
      								}
      								_t33 = _t53;
      							}
      							return _t33;
      						} else {
      							_t58 = _v28;
      							_v24 = _t58;
      							_v4 = 1;
      							E0114452C(_t30, _t58);
      							 *((intOrPtr*)( *_t58 + 4))();
      							_t55 = _v28;
      							 *0x115b428 = _v28;
      							goto L4;
      						}
      					}
      				}
      			}




















      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011290EA
      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,0000001C,01122CAB,00000000,000000B0,00000134,0112C2EE,?,0115A06C,edge,1248,0115A0CC,0115A09C,0115A0B4,UNKNOWN,UNKNOWN), ref: 011290F6
      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0112A166,?), ref: 0112910E
        • Part of subcall function 01129183: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,01123F7B,00000000,?,000368C8,00000008), ref: 011291A8
      • ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000,?,0112A166,?), ref: 0112912E
      • std::_Facet_Register.LIBCPMT ref: 01129146
        • Part of subcall function 0114452C: #1511.MFC140U(00000008,?,?,01123FA8,?,00000000,?,000368C8,00000008), ref: 01144532
      • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,0112A166,?), ref: 0112915F
      • _CxxThrowException.VCRUNTIME140(?,01155FC8,?,0112A166,?), ref: 0112917D
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Lockit@std@@$#1511??0_??1_Bid@locale@std@@D@std@@ExceptionFacet_Getcat@?$ctype@Getgloballocale@locale@std@@H_prolog3_Locimp@12@RegisterThrowV42@@Vfacet@locale@2@std::_
      • String ID:
      • API String ID: 3379795999-0
      • Opcode ID: ddd888dcb0550791c3ffa685b459dc11787901de1f22e924d8314dcd8be2d443
      • Instruction ID: c617531980ec8a85fe61b622a42421bf2f277482e093542dcd2f000033965133
      • Opcode Fuzzy Hash: ddd888dcb0550791c3ffa685b459dc11787901de1f22e924d8314dcd8be2d443
      • Instruction Fuzzy Hash: 1C118635D04229DFDB2DDB68E80C6AD7B74BF58F24F144019E421A7380DB74AD41CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 38%
      			E0113628C(void* __ebx, void* __ecx, void* __edi) {
      				signed int _v4;
      				intOrPtr _v8;
      				intOrPtr _v12;
      				void* _v20;
      				intOrPtr* _v24;
      				void* _v28;
      				char _v40;
      				char _t22;
      				char* _t25;
      				void* _t34;
      				char* _t41;
      				void* _t45;
      				char* _t47;
      				intOrPtr* _t49;
      
      				_t34 = __ecx;
      				_t33 = __ebx;
      				E01143D91(E011461EA, __ebx, __edi, 0x1c);
      				_t45 = _t34;
      				__imp__??0_Lockit@std@@QAE@H@Z(0);
      				_v4 = _v4 & 0x00000000;
      				_v28 =  *0x115b558;
      				__imp__??Bid@locale@std@@QAEIXZ();
      				_t22 = E01129183(_t45,  *0x115b558);
      				_t46 = _t22;
      				if(_t22 != 0) {
      					L4:
      					__imp__??1_Lockit@std@@QAE@XZ();
      					return E01143D3B(_t46, _t33, _t45);
      				} else {
      					_t46 = _v28;
      					if(_t46 != 0) {
      						goto L4;
      					} else {
      						_t25 =  &_v28;
      						__imp__?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z(_t25, _t45);
      						if(_t25 == 0xffffffff) {
      							_t41 =  &_v40;
      							E01129293(_t41);
      							_push(0x1155fc8);
      							_push(_t41);
      							L01145637();
      							asm("int3");
      							_push(_t46);
      							_t47 = _t41;
      							 *(_t47 + 0x10) =  *(_t47 + 0x10) & 0x00000000;
      							 *((intOrPtr*)(_t47 + 0x14)) = 0xf;
      							 *_t47 = 0;
      							E01129863(_t41, _v12, _v8);
      							return _t47;
      						} else {
      							_t49 = _v28;
      							_v24 = _t49;
      							_v4 = 1;
      							E0114452C(_t25, _t49);
      							 *((intOrPtr*)( *_t49 + 4))();
      							_t46 = _v28;
      							 *0x115b558 = _v28;
      							goto L4;
      						}
      					}
      				}
      			}


















      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01136293
      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,0000001C,01134E62,?,0000003C,01134452), ref: 0113629F
      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0000003C,01134452), ref: 011362B7
        • Part of subcall function 01129183: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,01123F7B,00000000,?,000368C8,00000008), ref: 011291A8
      • ?_Getcat@?$ctype@_W@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,00000000,?,0000003C,01134452), ref: 011362D7
      • std::_Facet_Register.LIBCPMT ref: 011362EF
        • Part of subcall function 0114452C: #1511.MFC140U(00000008,?,?,01123FA8,?,00000000,?,000368C8,00000008), ref: 01144532
      • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,0000003C,01134452), ref: 01136308
      • _CxxThrowException.VCRUNTIME140(?,01155FC8,?,0000003C,01134452), ref: 01136326
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Lockit@std@@$#1511??0_??1_Bid@locale@std@@ExceptionFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@H_prolog3_Locimp@12@RegisterThrowV42@@Vfacet@locale@2@W@std@@std::_
      • String ID:
      • API String ID: 2753791471-0
      • Opcode ID: e96074b3a385a55f1dea6860e81c730a3fb95c73292d1703808d467fab7fb936
      • Instruction ID: 95521435976e2d609e5d3144b9512bfa141397b5c406506b0fe2a7c5f814c293
      • Opcode Fuzzy Hash: e96074b3a385a55f1dea6860e81c730a3fb95c73292d1703808d467fab7fb936
      • Instruction Fuzzy Hash: 9011C235D04229DFCB1DDBA8E508AAE7770BF54B24F140019E821A7284DB34AE41CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0113EF8F(void* __ebx, void* __ecx, void* __edx, void* __edi) {
      				intOrPtr _t22;
      				void* _t25;
      				void* _t30;
      				void* _t31;
      				void* _t39;
      				void* _t46;
      				void* _t54;
      				intOrPtr* _t58;
      				void* _t59;
      
      				_t39 = __ecx;
      				_t38 = __ebx;
      				E01143D91(E011461EA, __ebx, __edi, 0x1c);
      				_t54 = _t39;
      				__imp__??0_Lockit@std@@QAE@H@Z(0);
      				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
      				 *((intOrPtr*)(_t59 - 0x1c)) =  *0x115b55c;
      				__imp__??Bid@locale@std@@QAEIXZ();
      				_t22 = E01129183(_t54,  *0x115b55c);
      				_t55 = _t22;
      				if(_t22 != 0) {
      					L4:
      					__imp__??1_Lockit@std@@QAE@XZ();
      					return E01143D3B(_t55, _t38, _t54);
      				} else {
      					_t55 =  *((intOrPtr*)(_t59 - 0x1c));
      					if( *((intOrPtr*)(_t59 - 0x1c)) != 0) {
      						goto L4;
      					} else {
      						_t25 = _t59 - 0x1c;
      						__imp__?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z(_t25, _t54);
      						if(_t25 == 0xffffffff) {
      							_t46 = _t59 - 0x28;
      							E01129293(_t46);
      							_push(0x1155fc8);
      							_push(_t46);
      							L01145637();
      							asm("int3");
      							E01143D5D(E011494E0, __ebx, _t54, 0x18);
      							_t30 = E01123714(_t59 - 0x24,  *((intOrPtr*)(_t59 + 8)));
      							 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
      							_t31 = E0112A054(_t46, _t30);
      							E01129A96(_t59 - 0x24);
      							return E01143D26(_t31, _t46);
      						} else {
      							_t58 =  *((intOrPtr*)(_t59 - 0x1c));
      							 *((intOrPtr*)(_t59 - 0x18)) = _t58;
      							 *(_t59 - 4) = 1;
      							E0114452C(_t25, _t58);
      							 *((intOrPtr*)( *_t58 + 4))();
      							_t55 =  *((intOrPtr*)(_t59 - 0x1c));
      							 *0x115b55c =  *((intOrPtr*)(_t59 - 0x1c));
      							goto L4;
      						}
      					}
      				}
      			}













      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113EF96
      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,0000001C,0113F7A8), ref: 0113EFA2
      • ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 0113EFBA
        • Part of subcall function 01129183: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,01123F7B,00000000,?,000368C8,00000008), ref: 011291A8
      • ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 0113EFDA
      • std::_Facet_Register.LIBCPMT ref: 0113EFF2
        • Part of subcall function 0114452C: #1511.MFC140U(00000008,?,?,01123FA8,?,00000000,?,000368C8,00000008), ref: 01144532
      • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 0113F00B
      • _CxxThrowException.VCRUNTIME140(?,01155FC8), ref: 0113F029
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Lockit@std@@$#1511??0_??1_Bid@locale@std@@ExceptionFacet_Getcat@?$codecvt@_Getgloballocale@locale@std@@H_prolog3_Locimp@12@Mbstatet@@@std@@RegisterThrowV42@@Vfacet@locale@2@std::_
      • String ID:
      • API String ID: 1392984753-0
      • Opcode ID: 3accdfedf8792c0e34e3bc84b36a23cec121065c442d27d9e32e166803649f41
      • Instruction ID: a4ab846e11d8c06d751c53b8c2eea098026d4963934ca7e70fa75f581f590366
      • Opcode Fuzzy Hash: 3accdfedf8792c0e34e3bc84b36a23cec121065c442d27d9e32e166803649f41
      • Instruction Fuzzy Hash: 9811C235D04226DFDB1DEBA8E408AADBBB1BF44B24F144019E821A7280DB34AD01CF95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 48%
      			E011366F0(void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __edi, void* __eflags) {
      				intOrPtr _t37;
      				intOrPtr _t49;
      				void* _t51;
      
      				_t37 = __ecx;
      				_t36 = __ebx;
      				E01143D91(E0114852B, __ebx, __edi, 0x290);
      				_t49 = _t37;
      				 *((intOrPtr*)(_t51 - 0x214)) = _t49;
      				 *((intOrPtr*)(_t51 - 0x214)) = _t49;
      				__imp__#296();
      				 *(_t51 - 4) =  *(_t51 - 4) & 0x00000000;
      				 *((intOrPtr*)( *__edx + 0x14))();
      				__imp__#286(_t51 - 0x210, _t51 - 0x210, 0xff, 0);
      				 *(_t51 - 4) = 1;
      				memset(_t51 - 0x29c, 0, 0x84);
      				 *(_t51 - 0x29c) = _t51 - 0x298;
      				E01137003(_t51 - 0x298, __ebx, _t51 - 0x29c, _t49,  *((intOrPtr*)(_t51 - 0x218)), 3);
      				 *(_t51 - 4) = 2;
      				E011298AC(_t49,  *(_t51 - 0x29c));
      				if( *(_t51 - 0x29c) != _t51 - 0x298) {
      					free( *(_t51 - 0x29c));
      				}
      				__imp__#1045();
      				__imp__#1045();
      				return E01143D3B(_t49, _t36, _t49);
      			}







      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011366FA
      • #296.MFC140U(00000290,01132A0F), ref: 01136715
      • #286.MFC140U(?), ref: 01136741
      • memset.VCRUNTIME140(?,00000000,00000084), ref: 01136759
      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000003), ref: 011367A5
      • #1045.MFC140U(?,?,00000003), ref: 011367B2
      • #1045.MFC140U ref: 011367BE
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1045$#286#296H_prolog3_freememset
      • String ID:
      • API String ID: 4130296893-0
      • Opcode ID: 624f70dbba82fd6998bc33d9203979523a0530efaeda1aa1f5a8177af9dcf6bc
      • Instruction ID: e4c943cdb1d7cc3c462984a6dbd7ef1b4a5bf16447808859ba016d03839539c1
      • Opcode Fuzzy Hash: 624f70dbba82fd6998bc33d9203979523a0530efaeda1aa1f5a8177af9dcf6bc
      • Instruction Fuzzy Hash: F521067494412E9BDB29EB10DC8CBECB7B5AF24704F1440E9E41EA6190DB709F84CF51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E0113E97F(char __ebx, void* __ecx, signed int __edi) {
      				FILE* _t54;
      				signed int _t56;
      				void* _t63;
      				intOrPtr* _t77;
      				void* _t79;
      				intOrPtr _t80;
      				intOrPtr _t92;
      				signed int _t100;
      				signed int* _t104;
      				intOrPtr* _t105;
      				void* _t109;
      				signed int _t110;
      				void* _t111;
      
      				_t106 = __edi;
      				_t79 = __ecx;
      				_t78 = __ebx;
      				E01143D91(E0114948F, __ebx, __edi, 0x28);
      				_t109 = _t79;
      				_t80 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x1c))));
      				if(_t80 == 0) {
      					L3:
      					_t78 = 0;
      					if( *(_t109 + 0x4c) != 0) {
      						E0113EDD8(_t109);
      						_t54 =  *(_t109 + 0x4c);
      						if( *((intOrPtr*)(_t109 + 0x38)) != 0) {
      							 *((intOrPtr*)(_t111 - 0x1c)) = 0;
      							 *((intOrPtr*)(_t111 - 0x18)) = 0xf;
      							 *((char*)(_t111 - 0x2c)) = 0;
      							 *((intOrPtr*)(_t111 - 4)) = 0;
      							_t106 = fgetc;
      							if(fgetc(_t54) == 0xffffffff) {
      								L14:
      								_t56 = 0xffff;
      								L15:
      								_t110 = _t56 & 0xffff;
      								L16:
      								E01129AC1(_t111 - 0x2c);
      								_t59 = _t110;
      								L17:
      								return E01143D3B(_t59, _t78, _t106);
      							}
      							_t78 = _t109 + 0x40;
      							while(1) {
      								E011294AE(_t111 - 0x2c, _t55);
      								_t86 =  >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c;
      								_t103 =  *((intOrPtr*)(_t111 - 0x1c)) + ( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c);
      								_t63 =  >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c;
      								__imp__?in@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPA_W3AAPA_W@Z(_t78, _t63,  *((intOrPtr*)(_t111 - 0x1c)) + ( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c), _t111 - 0x30, _t111 - 0x14, _t111 - 0x12, _t111 - 0x34);
      								if(_t63 < 0) {
      									break;
      								}
      								if(_t63 > 1) {
      									if(_t63 != 3) {
      										break;
      									}
      									_t65 =  >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c;
      									_t56 =  *((char*)( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c));
      									goto L15;
      								}
      								if( *((intOrPtr*)(_t111 - 0x34)) != _t111 - 0x14) {
      									_t68 =  >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c;
      									_t92 =  *((intOrPtr*)(_t111 - 0x30));
      									_t106 =  *((intOrPtr*)(_t111 - 0x1c)) - _t92 + ( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c);
      									if(_t106 <= 0) {
      										L21:
      										_t56 =  *(_t111 - 0x14) & 0x0000ffff;
      										goto L15;
      									} else {
      										goto L19;
      									}
      									while(1) {
      										L19:
      										_t106 = _t106 - 1;
      										ungetc( *(_t106 + _t92),  *(_t109 + 0x4c));
      										if(_t106 <= 0) {
      											goto L21;
      										}
      										_t92 =  *((intOrPtr*)(_t111 - 0x30));
      									}
      									goto L21;
      								}
      								_t96 =  >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c;
      								_t72 =  *((intOrPtr*)(_t111 - 0x30)) - ( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c);
      								E01134BCE(_t78, _t111 - 0x2c, _t106, _t109, 0,  *((intOrPtr*)(_t111 - 0x30)) - ( >=  ?  *((void*)(_t111 - 0x2c)) : _t111 - 0x2c));
      								if(fgetc( *(_t109 + 0x4c)) != 0xffffffff) {
      									continue;
      								}
      								goto L14;
      							}
      							_t110 = 0xffff;
      							goto L16;
      						}
      						_t100 = fgetwc(_t54) & 0x0000ffff;
      						_t59 = 0xffff;
      						if(_t100 != 0xffff) {
      							_t59 = _t100;
      						}
      						goto L17;
      					}
      					_t59 = 0xffff;
      					goto L17;
      				}
      				_t104 =  *(_t109 + 0x2c);
      				_t106 =  *_t104;
      				if(_t80 >= _t80 + _t106 * 2) {
      					goto L3;
      				}
      				 *_t104 = _t106 - 1;
      				_t105 =  *((intOrPtr*)(_t109 + 0x1c));
      				_t77 =  *_t105;
      				 *_t105 = _t77 + 2;
      				_t59 =  *_t77;
      				goto L17;
      			}

















      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113E986
      • fgetwc.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000028), ref: 0113E9DA
      • ungetc.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,00000028), ref: 0113EADC
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_fgetwcungetc
      • String ID:
      • API String ID: 3107860115-0
      • Opcode ID: 93ebf3b3a40d521ca29a81271949b7fcfac3f5ab715256f5f469426f212d1878
      • Instruction ID: f76c0ee070febce0ab31735f33249d6bff48920a1da1486572ebe0577f352c83
      • Opcode Fuzzy Hash: 93ebf3b3a40d521ca29a81271949b7fcfac3f5ab715256f5f469426f212d1878
      • Instruction Fuzzy Hash: 16516F3590121ACFDB1DDFA8C4908FEB7B5FF98300B60852DE562A7684DB30E949CB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 33%
      			E0113F464(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
      				signed short _t40;
      				signed short _t48;
      				signed int _t49;
      				signed int _t56;
      				intOrPtr* _t57;
      				intOrPtr* _t58;
      				intOrPtr* _t63;
      				signed int _t74;
      				intOrPtr* _t76;
      				void* _t77;
      
      				_t57 = __ecx;
      				E01143DC8(E01149526, __ebx, __edi, 0x1c);
      				 *((intOrPtr*)(_t77 - 0x18)) = __edx;
      				_t76 = _t57;
      				_t74 = 0;
      				_t56 = 0;
      				 *((intOrPtr*)(_t77 - 0x1c)) = _t76;
      				 *((intOrPtr*)(_t77 - 0x20)) = 0;
      				 *((char*)(_t77 - 0x11)) = 0;
      				_t40 =  *( *_t76 + 4);
      				 *((intOrPtr*)(_t77 - 0x28)) = _t76;
      				_t58 =  *((intOrPtr*)(_t40 + _t76 + 0x38));
      				if(_t58 != 0) {
      					_t40 =  *((intOrPtr*)( *_t58 + 4))();
      				}
      				 *(_t77 - 4) =  *(_t77 - 4) & 0x00000000;
      				__imp__?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z(1);
      				 *(_t77 - 0x24) = _t40;
      				 *(_t77 - 4) = 1;
      				if(_t40 == 0) {
      					L12:
      					_t74 = _t74 | 0x00000002;
      				} else {
      					 *(_t77 - 4) = 2;
      					E0112C1AF(_t56,  *((intOrPtr*)(_t77 - 0x18)), _t74, _t76, 0);
      					_t48 =  *( *_t76 + 4);
      					__imp__?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ();
      					while(1) {
      						_t49 = _t48 & 0x0000ffff;
      						if(0xffff == _t49) {
      							break;
      						}
      						if(_t49 != 0x5f) {
      							_t67 =  *((intOrPtr*)(_t77 - 0x18));
      							if( *((intOrPtr*)( *((intOrPtr*)(_t77 - 0x18)) + 0x10)) < 0x7ffffffe) {
      								E0112BB3B(_t67, _t49);
      								_t56 = 1;
      								 *((char*)(_t77 - 0x11)) = 1;
      								_t48 =  *( *_t76 + 4);
      								__imp__?snextc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ();
      								continue;
      							} else {
      								_t74 = 2;
      							}
      						} else {
      							_t56 = 1;
      							 *((char*)(_t77 - 0x11)) = 1;
      							__imp__?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ();
      						}
      						L11:
      						 *(_t77 - 4) = 1;
      						if(_t56 == 0) {
      							goto L12;
      						}
      						goto L13;
      					}
      					_t74 = 1;
      					goto L11;
      				}
      				L13:
      				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(_t74, 0);
      				 *(_t77 - 4) = 4;
      				_t63 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t77 - 0x28)))) + 4)) +  *((intOrPtr*)(_t77 - 0x28)) + 0x38));
      				if(_t63 != 0) {
      					 *((intOrPtr*)( *_t63 + 8))();
      				}
      				return E01143D26(_t76);
      			}














      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0113F46B
      • ?_Ipfx@?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,0000001C,0113FC2E,?,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0), ref: 0113F49F
      • ?sgetc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP140(00000000,?,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248,0115A0B4), ref: 0113F4CE
      • ?sbumpc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEGXZ.MSVCP140(?,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC), ref: 0113F4FA
      • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248), ref: 0113F56A
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$?sbumpc@?$basic_streambuf@_?setstate@?$basic_ios@_?sgetc@?$basic_streambuf@_H_prolog3_catchIpfx@?$basic_istream@_
      • String ID:
      • API String ID: 4195152866-0
      • Opcode ID: efc8f5786e1f7cd693637e2833727ff6c6101352a404ffc0d2aef908fee9c189
      • Instruction ID: ff1e538f567af016f83993e6145af295eeb9cfcaf324b979a78d2b7e0274de5c
      • Opcode Fuzzy Hash: efc8f5786e1f7cd693637e2833727ff6c6101352a404ffc0d2aef908fee9c189
      • Instruction Fuzzy Hash: C731A034A05206CFDB28CF58D558BADBBF0BF98704F554098E5469B396CB70ED42CB45
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3.LIBCMT ref: 011240D6
      • #1511.MFC140U(00000010,00000060,01123F93,00000000,?,000368C8,00000008), ref: 011240F9
      • ??1_Locinfo@std@@QAE@XZ.MSVCP140(000368C8,00000008), ref: 01124183
        • Part of subcall function 0112906C: __EH_prolog3.LIBCMT ref: 01129073
      • ??0_Locinfo@std@@QAE@PBD@Z.MSVCP140(00000000,?), ref: 0112412E
      • ??0facet@locale@std@@IAE@I@Z.MSVCP140(00000000), ref: 01124147
      • ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ.MSVCP140(?), ref: 0112415C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Locinfo@std@@$H_prolog3$#1511??0_??0facet@locale@std@@??1_Collvec@@Getcoll@_
      • String ID:
      • API String ID: 685814326-0
      • Opcode ID: 521beda6f4594aeaae50f57b43f685cc495e12b972d6d23947f8b630b141913a
      • Instruction ID: dcc35cd6ca5db0ce73084ff5833b24b10965e7a4ed87a70819d5fbe9f11ff871
      • Opcode Fuzzy Hash: 521beda6f4594aeaae50f57b43f685cc495e12b972d6d23947f8b630b141913a
      • Instruction Fuzzy Hash: 1C218E74A0032ADFEB18DFA8D8587ADBBB5FF54B10F244029D525E7290D7719A40CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 27%
      			E01123F41(void* __ebx, void* __ecx, void* __edi) {
      				signed int _v4;
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				void* _v20;
      				void* _v24;
      				char _v36;
      				void* _t17;
      				char* _t23;
      				void* _t28;
      				intOrPtr _t29;
      				void* _t31;
      				char* _t37;
      				intOrPtr* _t39;
      				void* _t43;
      				void* _t45;
      				intOrPtr* _t48;
      				intOrPtr* _t49;
      
      				_t31 = __ecx;
      				_t17 = E01143D91(E01145CF3, __ebx, __edi, 0x18);
      				_t28 = _t31;
      				__imp__??0_Lockit@std@@QAE@H@Z(0);
      				_v4 = _v4 & 0x00000000;
      				_t45 =  *0x115b424;
      				_v20 = _t45;
      				__imp__??Bid@locale@std@@QAEIXZ();
      				_t48 = E01129183(_t28, _t17);
      				if(_t48 != 0) {
      					L5:
      					__imp__??1_Lockit@std@@QAE@XZ();
      					return E01143D3B(_t48, _t28, _t45);
      				} else {
      					if(_t45 == 0) {
      						if(E011240CF(_t28,  &_v20, _t28, _t45) == 0xffffffff) {
      							_t37 =  &_v36;
      							E01129293(_t37);
      							_push(0x1155fc8);
      							_t23 = _t37;
      							_push(_t23);
      							L01145637();
      							asm("int3");
      							_push(_t28);
      							_t29 = _v12;
      							_push(_t48);
      							_t49 = _v8;
      							_push(_t45);
      							while( *((char*)(_t49 + 0xd)) == 0) {
      								_push( *((intOrPtr*)(_t49 + 8)));
      								_push(_t29);
      								L7();
      								_t39 = _t49;
      								_t49 =  *_t49;
      								_t43 = 0x18;
      								_t23 = E01129B5C(_t39, _t43, _t49);
      							}
      							return _t23;
      						} else {
      							_t48 = _v20;
      							_v20 = _t48;
      							_v4 = 1;
      							E0114452C(_t21, _t48);
      							 *((intOrPtr*)( *_t48 + 4))();
      							 *0x115b424 = _t48;
      							goto L5;
      						}
      					} else {
      						_t48 = _t45;
      						goto L5;
      					}
      				}
      			}





















      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01123F48
      • ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,00000018,00000001,?,000368C8,00000008), ref: 01123F54
      • ??Bid@locale@std@@QAEIXZ.MSVCP140(?,000368C8,00000008), ref: 01123F6D
        • Part of subcall function 01129183: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,01123F7B,00000000,?,000368C8,00000008), ref: 011291A8
      • std::_Facet_Register.LIBCPMT ref: 01123FA3
      • ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000,?,000368C8,00000008), ref: 01123FB9
      • _CxxThrowException.VCRUNTIME140(?,01155FC8,00000000,?,000368C8,00000008), ref: 01123FD7
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Lockit@std@@$??0_??1_Bid@locale@std@@ExceptionFacet_Getgloballocale@locale@std@@H_prolog3_Locimp@12@RegisterThrowstd::_
      • String ID:
      • API String ID: 875811182-0
      • Opcode ID: b488d5e8b53e7c90cf0bb808c61d15e123b29fb6bb68529fd3614d91cbbe966c
      • Instruction ID: 41adf99b48edac19929846de85ffe2cd70d2ec2deb8ca78ee0fb9ee4adce9dcd
      • Opcode Fuzzy Hash: b488d5e8b53e7c90cf0bb808c61d15e123b29fb6bb68529fd3614d91cbbe966c
      • Instruction Fuzzy Hash: 10110835904225DFC71DDB68E5086AD7BB1BF58B14F10002CE421A72C0DF749E44CB96
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 83%
      			E01142CC5(void* __ebx, signed int* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
      				signed int _v8;
      				signed int _v28;
      				signed int _v32;
      				intOrPtr _v36;
      				signed int _v40;
      				char _v56;
      				char _v68;
      				signed int _v72;
      				char _v76;
      				intOrPtr _v80;
      				signed int _v84;
      				char _v100;
      				signed int* _v104;
      				char _v108;
      				char _v132;
      				signed int _t67;
      				signed int _t89;
      				void* _t92;
      				signed int _t94;
      				signed int _t95;
      				signed int _t96;
      				signed int _t107;
      				signed int* _t108;
      				signed int _t113;
      				intOrPtr _t115;
      				signed int _t121;
      				void* _t122;
      				signed int* _t140;
      				signed int* _t142;
      				signed int* _t146;
      
      				_t108 = __ecx;
      				_t140 = __ecx;
      				if(_a4 != 0) {
      					__imp__#2(_a4);
      					 *__ecx = _t67;
      					__eflags = _t67;
      					if(_t67 != 0) {
      						goto L2;
      					} else {
      						E01137215(__ecx, 0x8007000e);
      						asm("int3");
      						E01143D91(E01149EE4, __ebx, __edi, 0x74);
      						_t142 = _t108;
      						_v32 = _t142;
      						_v104 = _t142;
      						_v72 = 0;
      						_t142[4] = 0;
      						_t142[5] = 0xf;
      						 *_t142 = 0;
      						_v8 = 0;
      						asm("stosd");
      						_v72 = 1;
      						asm("stosd");
      						asm("stosd");
      						E01142822(1,  &_v68,  &_v68);
      						_t138 = 0;
      						_v8 = 1;
      						_v28 = 0;
      						_v8 = 2;
      						_v40 = 0;
      						_v36 = 7;
      						_v56 = 0;
      						E0112BA2B(L"SELECT * FROM Win32_PhysicalMedia WHERE Tag = \'\\\\\\\\.\\\\PHYSICALDRIVE0\'");
      						_t107 = 3;
      						_v8 = _t107;
      						E01142A4D(_t107,  &_v68, 0,  &_v56,  &_v28,  &_v32);
      						E01129A96( &_v56);
      						__eflags = _v32;
      						if(_v32 > 0) {
      							_t115 = 7;
      							_v40 = 0;
      							_v36 = _t115;
      							_v56 = 0;
      							_v8 = 4;
      							_v80 = _t115;
      							_v84 = 0;
      							_v100 = 0;
      							E0112BA2B(L"SerialNumber");
      							_push( &_v56);
      							_push( &_v100);
      							_push( &_v100);
      							_v8 = 6;
      							_t89 = _v28;
      							 *_t146 = _t89;
      							__eflags = _t89;
      							if(_t89 != 0) {
      								 *((intOrPtr*)( *_t89 + 4))(_t89);
      							}
      							_v8 = 5;
      							E01142BA1(_t107, _t138);
      							_v8 = 4;
      							E01129A96( &_v100);
      							__eflags = _v40;
      							if(_v40 != 0) {
      								_t92 = E01136693(_t107,  &_v100,  &_v56, _t138);
      								_t107 = 5;
      							} else {
      								_t92 = E011298AC( &_v132, "None");
      							}
      							_v72 = _t107;
      							E011293B6(_t142, _t142, _t92);
      							__eflags = _t107 & 0x00000004;
      							if((_t107 & 0x00000004) != 0) {
      								_t107 = _t107 & 0xfffffffb;
      								__eflags = _t107;
      								_v72 = _t107;
      								E01129AC1( &_v100);
      							}
      							_v8 = 4;
      							__eflags = _t107 & 0x00000002;
      							if((_t107 & 0x00000002) != 0) {
      								_t107 = _t107 & 0xfffffffd;
      								__eflags = _t107;
      								_v72 = _t107;
      								E01129AC1( &_v132);
      							}
      							__eflags = _t142[5] - 0x10;
      							_t94 = _t142;
      							if(__eflags >= 0) {
      								_t94 =  *_t142;
      							}
      							_t121 = _t142[4];
      							_t138 = _t121 + _t94;
      							_t95 = _t142;
      							if(__eflags >= 0) {
      								_t95 =  *_t142;
      							}
      							_t122 = _t121 + _t95;
      							__eflags = _t142[5] - 0x10;
      							_t96 = _t142;
      							if(_t142[5] >= 0x10) {
      								_t96 =  *_t142;
      							}
      							E01134A6B(_t142,  &_v108,  *((intOrPtr*)(E01142EA8( &_v76, __imp__isspace, _t96, _t122))), _t138);
      							E01129A96( &_v56);
      						}
      						_v8 = 8;
      						_t113 = _v28;
      						__eflags = _t113;
      						if(_t113 != 0) {
      							 *((intOrPtr*)( *_t113 + 8))(_t113);
      						}
      						E011429B9( &_v68);
      						return E01143D3B(_t142, _t107, _t138);
      					}
      				} else {
      					 *__ecx =  *__ecx & 0x00000000;
      					L2:
      					return _t140;
      				}
      			}


































      APIs
      • #2.OLEAUT32(00000000,?,?,01142AAD,?,00000020,01142D74,?,?,0112E986,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'), ref: 01142CDE
      • __EH_prolog3_GS.LIBCMT ref: 01142CFC
      Strings
      • None, xrefs: 01142DE8
      • SerialNumber, xrefs: 01142D9E
      • SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0', xrefs: 01142D45
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_
      • String ID: None$SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'$SerialNumber
      • API String ID: 2427045233-44562505
      • Opcode ID: 26fc1a4fdbf941e15178e24ecee0d8d99217e78b7163c7e71945e1e4cdf9b0b7
      • Instruction ID: 87ba20decfd5ad1356df6774f0ec1596b34730411320bb5b1d33020ecea3a57b
      • Opcode Fuzzy Hash: 26fc1a4fdbf941e15178e24ecee0d8d99217e78b7163c7e71945e1e4cdf9b0b7
      • Instruction Fuzzy Hash: 17518E7090136ADFDF28DFA8D944ADEFBB5BF28708F10051EE145A7290DB706A45CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 73%
      			E011345E9(void* __ebx, intOrPtr __ecx, signed int __edi) {
      				char _t67;
      				signed int _t75;
      				void* _t78;
      				intOrPtr _t90;
      				void* _t94;
      				intOrPtr _t107;
      				void* _t109;
      				intOrPtr* _t119;
      				intOrPtr _t121;
      				void* _t122;
      
      				_t120 = __edi;
      				_t90 = __ecx;
      				E01143D91(E011481A4, __ebx, __edi, 0x134);
      				_t121 = _t90;
      				 *((intOrPtr*)(_t122 - 0x128)) = _t121;
      				 *((intOrPtr*)(_t122 - 0x128)) = _t121;
      				_t56 =  *0x115b5f4;
      				if( *0x115b5f4 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
      					_t120 = 0x115b5f4;
      					E01143804(_t56, 0x115b5f4);
      					_t127 =  *0x115b5f4 - 0xffffffff;
      					if( *0x115b5f4 == 0xffffffff) {
      						 *0x115b608 = 0;
      						 *0x115b60c = 0xf;
      						 *0x115b5f8 = 0;
      						E01143B16(_t127, E0114A0D4);
      						E011437BA(0x115b5f4);
      					}
      				}
      				memset(_t122 - 0x124, 0, 0xb0);
      				E01134AD8(0, _t122 - 0x124, _t120);
      				 *((intOrPtr*)(_t122 - 4)) = 0;
      				if( *0x115b608 == 0) {
      					_t94 = _t122 - 0x28;
      					E01134250(0, _t94, _t120);
      					 *((char*)(_t122 - 4)) = 1;
      					_t120 = _t122 - 0x74;
      					asm("stosd");
      					_push(_t94);
      					_push("(\\w+) (\\w+\\.\\w+\\.\\w+\\/\\w+) \\((.*?)\\) (\\w+) (\\w*) (\\w+).*");
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					E01122C68(0, _t122 - 0x74, _t122 - 0x74);
      					memset(_t122 - 0x60, 0, 0x38);
      					asm("xorps xmm0, xmm0");
      					 *(_t122 - 0x60) = 0;
      					 *((char*)(_t122 - 0x5c)) = 0;
      					asm("movups [ebp-0x58], xmm0");
      					 *((intOrPtr*)(_t122 - 0x48)) = 0;
      					 *((char*)(_t122 - 0x44)) = 0;
      					 *((intOrPtr*)(_t122 - 0x40)) = 0;
      					 *((intOrPtr*)(_t122 - 0x3c)) = 0;
      					 *((char*)(_t122 - 0x38)) = 0;
      					 *((intOrPtr*)(_t122 - 0x34)) = 0;
      					 *((intOrPtr*)(_t122 - 0x30)) = 0;
      					 *((char*)(_t122 - 0x2c)) = 0;
      					 *((char*)(_t122 - 4)) = 3;
      					__eflags =  *((intOrPtr*)(_t122 - 0x14)) - 0x10;
      					_t97 =  >=  ?  *((void*)(_t122 - 0x28)) : _t122 - 0x28;
      					_t66 =  *((intOrPtr*)(_t122 - 0x18)) + ( >=  ?  *((void*)(_t122 - 0x28)) : _t122 - 0x28);
      					__eflags =  *((intOrPtr*)(_t122 - 0x14)) - 0x10;
      					_t99 =  >=  ?  *((void*)(_t122 - 0x28)) : _t122 - 0x28;
      					_push( *((intOrPtr*)(_t122 - 0x18)) + ( >=  ?  *((void*)(_t122 - 0x28)) : _t122 - 0x28));
      					_push( >=  ?  *((void*)(_t122 - 0x28)) : _t122 - 0x28);
      					_t67 = E011351A2(0, _t122 - 0x60, _t122 - 0x74, _t122 - 0x74);
      					__eflags = _t67;
      					if(_t67 != 0) {
      						_t107 =  *((intOrPtr*)(_t122 - 0x58));
      						_t75 =  *((intOrPtr*)(_t122 - 0x54)) - _t107;
      						asm("cdq");
      						_t120 = 0xc;
      						_t119 = _t122 - 0x34;
      						__eflags = _t75 / _t120 - 2;
      						if(_t75 / _t120 > 2) {
      							_t119 = _t107 + 0x18;
      						}
      						__eflags =  *((char*)(_t119 + 8));
      						_t109 =  ==  ? 0 :  *_t119;
      						_t78 =  ==  ? 0 :  *((intOrPtr*)(_t119 + 4));
      						 *((intOrPtr*)(_t122 - 0x130)) = 0;
      						 *((intOrPtr*)(_t122 - 0x12c)) = 0xf;
      						 *((char*)(_t122 - 0x140)) = 0;
      						__eflags = _t109 - _t78;
      						if(_t109 != _t78) {
      							__eflags = _t78 - _t109;
      							E01129863(_t122 - 0x140, _t109, _t78 - _t109);
      						}
      						E011293B6(0x115b5f8, _t121, _t122 - 0x140);
      						E01129AC1(_t122 - 0x140);
      					}
      					E011298E1(_t121, 0x115b5f8);
      					E01122C40(E01124E72(_t122 - 0x58), _t122 - 0x74);
      					E01129AC1(_t122 - 0x28);
      				} else {
      					E011298E1(_t121, 0x115b5f8);
      				}
      				E01134AA8();
      				__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      				return E01143D3B(_t121, 0, _t120);
      			}














      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011345F3
      • memset.VCRUNTIME140(?,00000000,000000B0,00000134,0112C2EE,?,0115A06C,edge,1248,0115A0CC,0115A09C,0115A0B4,UNKNOWN,UNKNOWN,000000FC), ref: 01134667
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(0115B5F8), ref: 011347C2
        • Part of subcall function 01143804: EnterCriticalSection.KERNEL32(0115B04C,0115B5D8,?,?,01134295,0115B5D8,00000220,01133C34), ref: 0114380F
        • Part of subcall function 01143804: LeaveCriticalSection.KERNEL32(0115B04C,?,?,01134295,0115B5D8,00000220,01133C34), ref: 0114384C
      • memset.VCRUNTIME140(?,00000000,00000038,(\w+) (\w+\.\w+\.\w+\/\w+) \((.*?)\) (\w+) (\w*) (\w+).*,?,00000000,000000B0,00000134,0112C2EE,?,0115A06C,edge,1248,0115A0CC,0115A09C,0115A0B4), ref: 011346C0
        • Part of subcall function 011437BA: EnterCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437C4
        • Part of subcall function 011437BA: LeaveCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437F7
      Strings
      • (\w+) (\w+\.\w+\.\w+\/\w+) \((.*?)\) (\w+) (\w*) (\w+).*, xrefs: 011346A8
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: CriticalSection$EnterLeavememset$??1?$basic_ios@_H_prolog3_U?$char_traits@_W@std@@@std@@
      • String ID: (\w+) (\w+\.\w+\.\w+\/\w+) \((.*?)\) (\w+) (\w*) (\w+).*
      • API String ID: 3535368594-1622472603
      • Opcode ID: 85bb835c2c54bfc9b72b9c811cfa65ce1c231be968d66c93f70d24b6b4a55514
      • Instruction ID: 6a210bd9b31137db11ac1886985fcf2e960efa85ddcf5e28783d85ee948c0fb0
      • Opcode Fuzzy Hash: 85bb835c2c54bfc9b72b9c811cfa65ce1c231be968d66c93f70d24b6b4a55514
      • Instruction Fuzzy Hash: BC518D71904259DFDB1DDFA9C890AECFBB5BF68308FA401ADD125A7241DB705A84CB11
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 70%
      			E011384AF(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
      				intOrPtr* _v0;
      				signed int _v8;
      				void* _v12;
      				void* _v16;
      				void* _v20;
      				void** _v24;
      				void** _v28;
      				intOrPtr _v32;
      				intOrPtr _v44;
      				intOrPtr _v48;
      				signed int _t73;
      				intOrPtr _t76;
      				intOrPtr _t88;
      				void _t89;
      				unsigned int _t91;
      				char* _t94;
      				void* _t95;
      				void* _t107;
      				void* _t109;
      				void* _t111;
      				void* _t114;
      				void* _t123;
      				void* _t125;
      				void* _t126;
      				void** _t130;
      				void* _t131;
      				void* _t132;
      				void _t135;
      				intOrPtr _t136;
      				unsigned int _t138;
      				void* _t142;
      				void* _t149;
      				signed int _t150;
      				signed int _t156;
      				void* _t158;
      				void* _t159;
      				void* _t160;
      				void* _t161;
      				void* _t162;
      				void* _t165;
      				void** _t166;
      				void** _t167;
      				void* _t169;
      				int _t171;
      				void* _t172;
      				int _t175;
      				void* _t176;
      				intOrPtr* _t178;
      				void _t179;
      				void* _t181;
      				signed int _t184;
      				int _t188;
      				void* _t189;
      				void* _t190;
      				int _t192;
      				void* _t195;
      				void* _t199;
      
      				_t176 = __esi;
      				_t165 = __edi;
      				_t195 = _t199;
      				_push(__ebx);
      				_t123 = __ecx;
      				_push(__esi);
      				_push(__edi);
      				_t130 =  *(__ecx + 8);
      				_t156 =  !=  ? _t130 : 1;
      				while(1) {
      					_t73 = _t156 - _t130;
      					_v16 = _t73;
      					if(_t73 >= 1 && _t156 >= 8) {
      						break;
      					}
      					if(0xfffffff - _t156 < _t156) {
      						L12();
      						asm("int3");
      						__imp__?_Xlength_error@std@@YAXPBD@Z("deque<T> too long");
      						asm("int3");
      						_push(_t195);
      						_t76 = _v32;
      						_push(_t123);
      						_push(_t176);
      						_push(_t165);
      						_t166 = _t130;
      						_v48 = _t76;
      						_t125 = _t166[1] -  *_t166;
      						_v44 = _t76 -  *_t166;
      						if(_t125 == 0x7fffffff) {
      							E0112401E(_t130);
      							asm("int3");
      							E01143D5D(E011489CF, _t125, _t166, 8);
      							_t167 = _t130;
      							_v28 = _t167;
      							_t131 = 0x2c;
      							 *_t167 = 0;
      							_t167[1] = 0;
      							_v24 = _t167;
      							_t132 = E01129B1B(_t131, 0x7fffffff);
      							 *_t132 = _t132;
      							 *(_t132 + 4) = _t132;
      							 *(_t132 + 8) = _t132;
      							 *((short*)(_t132 + 0xc)) = 0x101;
      							 *_t167 = _t132;
      							_v12 = 0;
      							_t178 = _v0;
      							_push(_v0);
      							_push(_t132);
      							_push( *((intOrPtr*)( *_t178 + 4)));
      							 *((intOrPtr*)( *_t167 + 4)) = E011387F4(_t125, _t167, 0x7fffffff, _t167);
      							_t158 =  *_t167;
      							_t167[1] =  *(_t178 + 4);
      							_t179 =  *(_t158 + 4);
      							if( *((char*)(_t179 + 0xd)) != 0) {
      								 *_t158 = _t158;
      								 *( *_t167 + 8) =  *_t167;
      							} else {
      								_t135 =  *_t179;
      								if( *((char*)(_t135 + 0xd)) == 0) {
      									do {
      										_t89 =  *_t135;
      										_t179 = _t135;
      										_t135 = _t89;
      									} while ( *((char*)(_t89 + 0xd)) == 0);
      								}
      								 *_t158 = _t179;
      								_t159 =  *_t167;
      								_t88 =  *((intOrPtr*)(_t159 + 4));
      								while(1) {
      									_t136 =  *((intOrPtr*)(_t88 + 8));
      									if( *((char*)(_t136 + 0xd)) != 0) {
      										break;
      									}
      									_t88 = _t136;
      								}
      								 *((intOrPtr*)(_t159 + 8)) = _t88;
      							}
      							return E01143D26(_t167);
      						} else {
      							_t126 = _t125 + 1;
      							_t91 = _t166[2] -  *_t166;
      							_t138 = _t91 >> 1;
      							_t160 = 0x7fffffff - _t138;
      							if(_t91 <= 0x7fffffff) {
      								_t181 =  <  ? _t126 : _t138 + _t91;
      							} else {
      								_t181 = _t126;
      							}
      							_t161 = E01129B1B(_t181, _t160);
      							_t94 = _v12 + _t161;
      							_v20 = _t161;
      							_v12 = _t94;
      							 *_t94 =  *_a4;
      							_t142 = _t166[1];
      							_t95 = _v16;
      							if(_t95 != _t142) {
      								memmove(_t161,  *_t166, _t95 -  *_t166);
      								memmove(_v12 + 1, _v16, _t166[1] - _v16);
      							} else {
      								memmove(_t161,  *_t166, _t142 -  *_t166);
      							}
      							E01138753(_t166, _v20, _t126, _t181);
      							return _v12;
      						}
      					} else {
      						_t156 = _t156 + _t156;
      						continue;
      					}
      					L31:
      				}
      				_t184 =  *(_t123 + 0xc) >> 1;
      				_v8 = _t184;
      				_t148 =  >  ? _t73 | 0xffffffff : _t156 << 2;
      				_t107 = E01129B1B( >  ? _t73 | 0xffffffff : _t156 << 2, _t156);
      				_t149 =  *(_t123 + 4);
      				_v12 = _t107;
      				_t169 = _t107 + _t184 * 4;
      				_t162 = _t149 + _t184 * 4;
      				_t188 = ( *(_t123 + 8) << 2) - _t162 + _t149;
      				memmove(_t169, _t162, _t188);
      				_t150 = _v8;
      				_t109 = _t169 + _t188;
      				_t189 = _v16;
      				_v20 = _t109;
      				if(_t150 > _t189) {
      					_t171 = _t189 << 2;
      					memmove(_t109,  *(_t123 + 4), _t171);
      					_t190 =  *(_t123 + 4);
      					_t111 = _t190 + _t171;
      					_t192 = _t190 - _t111 + (_v8 << 2);
      					memmove(_v12, _t111, _t192);
      					_t172 = _v12;
      					_t114 = memset(_t172 + _t192, 0, _t171);
      					_t189 = _v16;
      				} else {
      					_t175 = _t150 << 2;
      					memmove(_t109,  *(_t123 + 4), _t175);
      					memset(_v20 + _t175, 0, _t189 - _v8 << 2);
      					_t172 = _v12;
      					_t114 = memset(_t172, 0, _t175);
      				}
      				_t153 =  *(_t123 + 4);
      				if( *(_t123 + 4) != 0) {
      					_t114 = E01129B5C(_t153,  *(_t123 + 8) << 2, _t189);
      				}
      				 *(_t123 + 8) = _t189 +  *(_t123 + 8);
      				 *(_t123 + 4) = _t172;
      				return _t114;
      				goto L31;
      			}

      APIs
      • memmove.VCRUNTIME140(?,?,?,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 01138520
      • memmove.VCRUNTIME140(00000000,?,?,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 01138542
      • memset.VCRUNTIME140(?,00000000,?,00000000,?,?,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 01138558
      • memset.VCRUNTIME140(0112CC07,00000000,?,?,00000000,?,00000000,?,?,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 01138564
      • memmove.VCRUNTIME140(00000000,?,00000010,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 01138575
      • memmove.VCRUNTIME140(0112CC07,00000000,?,00000000,?,00000010,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 0113858F
      • memset.VCRUNTIME140(00000000,00000000,00000010,0112CC07,00000000,?,00000000,?,00000010,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 0113859E
        • Part of subcall function 011385CE: ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(deque<T> too long,011385CD,?,?,00000006,?,00000010,0112CC07,InstallerConfiguration), ref: 011385D3
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memmove$memset$Xlength_error@std@@
      • String ID:
      • API String ID: 928027356-0
      • Opcode ID: a83b77220ee5dfd1a045fb30bacf15442aaa9b04183d743dbd910fb3d87edf99
      • Instruction ID: 35eb4aab126a69fa803452992dbcae00960c67374ae6e605fbf47a0a2aa91fa5
      • Opcode Fuzzy Hash: a83b77220ee5dfd1a045fb30bacf15442aaa9b04183d743dbd910fb3d87edf99
      • Instruction Fuzzy Hash: 75310931A00125EBCF28DFA8C88495EB779EFC4714B19826DE915BB289D770ED01CBA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 94%
      			E011306A7(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
      				void* _t41;
      				void* _t44;
      				void* _t47;
      				void* _t72;
      				void* _t102;
      				void* _t103;
      				void* _t105;
      				void* _t106;
      				intOrPtr _t107;
      				void* _t108;
      				intOrPtr _t109;
      				void* _t112;
      
      				_t112 = __eflags;
      				_t72 = __ecx;
      				E01143D91(E01147565, __ebx, __edi, 0x13c);
      				_t97 = _t72;
      				_t71 =  *((intOrPtr*)(_t102 + 8));
      				 *((intOrPtr*)(_t102 - 4)) = 2;
      				memset(_t102 - 0x128, 0, 0xb0);
      				E01140250( *((intOrPtr*)(_t102 + 8)), _t102 - 0x128, _t72);
      				_t105 = _t103 + 0xc - 0x18;
      				 *((char*)(_t102 - 4)) = 3;
      				_t95 = _t102 + 0xc;
      				_push(_t102 + 0x24);
      				E01131F42( *((intOrPtr*)(_t102 + 8)), _t105, _t102 + 0xc, _t72, _t112);
      				_t41 = E01140401( *((intOrPtr*)(_t102 + 8)), _t102 - 0x128, _t72);
      				_t106 = _t105 - 0x18;
      				E011298E1(_t106, _t102 + 0x3c);
      				_t44 = E01140431(_t71, _t41, _t97);
      				_t107 = _t106 - 0x18;
      				 *((intOrPtr*)(_t102 - 0x12c)) = _t107;
      				 *((intOrPtr*)(_t102 - 0x130)) = _t107;
      				E011298E1(_t107, 0x115a0b4);
      				_t108 = _t107 - 0x18;
      				 *((char*)(_t102 - 4)) = 4;
      				E011298AC(_t108, "emid");
      				 *((char*)(_t102 - 4)) = 3;
      				_t47 = E0114048D(_t71, _t44, _t102 + 0xc, _t97);
      				_t109 = _t108 - 0x18;
      				 *((intOrPtr*)(_t102 - 0x130)) = _t109;
      				 *((intOrPtr*)(_t102 - 0x12c)) = _t109;
      				E011298E1(_t109, 0x115a0cc);
      				 *((char*)(_t102 - 4)) = 5;
      				E011298AC(_t109 - 0x18, "app_id");
      				 *((char*)(_t102 - 4)) = 3;
      				E0114048D(_t71, _t47, _t102 + 0xc, _t97);
      				memset(_t102 - 0x78, 0, 0x68);
      				_push(_t102 - 0x128);
      				E011402FB(_t71, _t109 - 0xffffffffffffff74, _t102 + 0xc, _t97);
      				L01130292(_t71, _t97, _t97);
      				 *((char*)(_t102 - 4)) = 6;
      				E011298E1(_t102 - 0x148, _t102 - 0x74);
      				E011293B6(_t71, _t47, _t102 - 0x148);
      				E01129AC1(_t102 - 0x148);
      				E01140BCF(_t102 - 0x78, _t95);
      				E011403B6(_t102 - 0x128, _t95);
      				E01129AC1(_t102 + 0xc);
      				E01129AC1(_t102 + 0x24);
      				E01129AC1(_t102 + 0x3c);
      				return E01143D3B(0 |  *(_t102 - 0x78) == 0x000000c8, _t71, _t97, _t102 - 0x78);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011306B1
      • memset.VCRUNTIME140(?,00000000,000000B0,0000013C,01130965,?,?), ref: 011306D0
        • Part of subcall function 01140250: __EH_prolog3.LIBCMT ref: 01140257
        • Part of subcall function 01131F42: __EH_prolog3.LIBCMT ref: 01131F49
        • Part of subcall function 01140401: __EH_prolog3.LIBCMT ref: 01140408
        • Part of subcall function 01140431: __EH_prolog3.LIBCMT ref: 01140438
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
        • Part of subcall function 0114048D: __EH_prolog3.LIBCMT ref: 01140494
      • memset.VCRUNTIME140(?,00000000,00000068,app_id), ref: 01130799
        • Part of subcall function 011402FB: __EH_prolog3.LIBCMT ref: 01140302
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$memset$H_prolog3_memcpy
      • String ID: app_id$emid
      • API String ID: 2108466700-2066528352
      • Opcode ID: 2a4930c769308e71af43027a699a4aa7da8aa12e40178fdaf62ea4325807661e
      • Instruction ID: 41a038b5c5acbcaeb79e96f52d5ae1a5082e789dc5b696165b65b489770d22b9
      • Opcode Fuzzy Hash: 2a4930c769308e71af43027a699a4aa7da8aa12e40178fdaf62ea4325807661e
      • Instruction Fuzzy Hash: 5B418D31A0022E9BDF1CFB78C855BDC7BB4AF68708F444198E94567280EF745F588B82
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E01121706(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi) {
      				intOrPtr _t56;
      				intOrPtr* _t57;
      				intOrPtr _t71;
      				void* _t72;
      				intOrPtr _t84;
      				intOrPtr* _t85;
      				void* _t87;
      				void* _t88;
      				intOrPtr _t89;
      				intOrPtr _t90;
      				intOrPtr _t91;
      				intOrPtr _t92;
      				intOrPtr _t93;
      
      				_t82 = __edx;
      				_t71 = __ecx;
      				E01143D5D(E01145715, __ebx, __edi, 0x1c);
      				_t84 = _t71;
      				 *((intOrPtr*)(_t87 - 0x10)) = _t84;
      				E01136604(_t71);
      				 *((intOrPtr*)(_t84 + 4)) =  *((intOrPtr*)(_t87 + 8));
      				 *((intOrPtr*)(_t87 - 4)) = 0;
      				_t56 = 0xf;
      				 *((intOrPtr*)(_t84 + 0x1c)) = 0;
      				 *((intOrPtr*)(_t84 + 0x20)) = _t56;
      				 *((char*)(_t84 + 0xc)) = 0;
      				 *((intOrPtr*)(_t84 + 0x34)) = 0;
      				 *((intOrPtr*)(_t84 + 0x38)) = _t56;
      				 *((char*)(_t84 + 0x24)) = 0;
      				 *((intOrPtr*)(_t84 + 0x4c)) = 0;
      				 *((intOrPtr*)(_t84 + 0x50)) = _t56;
      				 *((char*)(_t84 + 0x3c)) = 0;
      				 *((intOrPtr*)(_t84 + 0x64)) = 0;
      				 *((intOrPtr*)(_t84 + 0x68)) = _t56;
      				 *((char*)(_t84 + 0x54)) = 0;
      				 *((intOrPtr*)(_t84 + 0x7c)) = 0;
      				 *((intOrPtr*)(_t84 + 0x80)) = _t56;
      				 *((char*)(_t84 + 0x6c)) = 0;
      				 *((char*)(_t84 + 0x84)) = 0;
      				 *((intOrPtr*)(_t84 + 0x88)) = 0;
      				 *((intOrPtr*)(_t84 + 0x8c)) = 0;
      				 *((intOrPtr*)(_t84 + 0x90)) = 0;
      				 *((char*)(_t87 - 4)) = 6;
      				_t85 = _t84 + 0x94;
      				 *((intOrPtr*)(_t87 + 8)) = _t85;
      				_t72 = 0x18;
      				 *_t85 = 0;
      				 *((intOrPtr*)(_t85 + 4)) = 0;
      				_t57 = E01129B1B(_t72, __edx);
      				 *_t57 = _t57;
      				 *((intOrPtr*)(_t57 + 4)) = _t57;
      				 *((intOrPtr*)(_t57 + 8)) = _t57;
      				 *((short*)(_t57 + 0xc)) = 0x101;
      				 *_t85 = _t57;
      				 *((char*)(_t87 - 4)) = 7;
      				 *((intOrPtr*)(_t84 + 0x9c)) = 0;
      				E0113416D(0, _t84 + 0xa0, _t84);
      				_t89 = _t88 - 0x18;
      				 *((char*)(_t87 - 4)) = 8;
      				 *((intOrPtr*)(_t87 + 8)) = _t89;
      				 *((intOrPtr*)(_t87 - 0x14)) = _t89;
      				E011298E1(_t89, 0x115a09c);
      				_t90 = _t89 - 0x18;
      				 *((char*)(_t87 - 4)) = 9;
      				 *((intOrPtr*)(_t87 - 0x14)) = _t90;
      				 *((intOrPtr*)(_t87 - 0x18)) = _t90;
      				E011298E1(_t90, 0x115a0b4);
      				_t91 = _t90 - 0x18;
      				 *((char*)(_t87 - 4)) = 0xa;
      				 *((intOrPtr*)(_t87 - 0x18)) = _t91;
      				 *((intOrPtr*)(_t87 - 0x1c)) = _t91;
      				E011298E1(_t91, 0x115a0cc);
      				_t92 = _t91 - 0x18;
      				 *((char*)(_t87 - 4)) = 0xb;
      				 *((intOrPtr*)(_t87 - 0x1c)) = _t92;
      				E011298AC(_t92, "673ae6306d8266a780df868d6772aab3b9662e0f");
      				_t93 = _t92 - 0x18;
      				 *((char*)(_t87 - 4)) = 0xc;
      				 *((intOrPtr*)(_t87 - 0x20)) = _t93;
      				E011298AC(_t93, "1248");
      				_t94 = _t93 - 0x18;
      				 *((char*)(_t87 - 4)) = 0xd;
      				 *((intOrPtr*)(_t87 - 0x24)) = _t93 - 0x18;
      				E011298AC(_t93 - 0x18, "Kernel");
      				 *((char*)(_t87 - 4)) = 0xe;
      				E011298AC(_t94 - 0x18, "Action");
      				 *((char*)(_t87 - 4)) = 8;
      				L011374D1(0,  *((intOrPtr*)(_t84 + 8)), _t82, _t84, 0);
      				return E01143D26(_t84);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 0112170D
        • Part of subcall function 01136604: __EH_prolog3.LIBCMT ref: 0113660B
        • Part of subcall function 01129B1B: #1511.MFC140U(00000001,01129A1D,?,01129A6B,00000001,?,?,?,?,?,0112149C), ref: 01129B2F
        • Part of subcall function 0113416D: __EH_prolog3.LIBCMT ref: 01134174
        • Part of subcall function 0113416D: #1511.MFC140U(00000010,00000004,011364A5,0000000C,011214FC), ref: 0113418F
        • Part of subcall function 0113416D: #1511.MFC140U(0000000C), ref: 011341B7
        • Part of subcall function 0113416D: curl_multi_init.LIBCURL ref: 011341D4
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511H_prolog3$curl_multi_initmemcpy
      • String ID: 1248$673ae6306d8266a780df868d6772aab3b9662e0f$Action$Kernel
      • API String ID: 3974677141-2327289893
      • Opcode ID: 7b39f652e77992150cacce34f7ddd6417ef850a8436052a1d74d78a849227b94
      • Instruction ID: c41e0727e85a6e7ca992f86ee0f856fec842ed2d78a8094ebaf23261d0f9a28d
      • Opcode Fuzzy Hash: 7b39f652e77992150cacce34f7ddd6417ef850a8436052a1d74d78a849227b94
      • Instruction Fuzzy Hash: C14126B0A0579AEECB08EF7D854139CFFA0BF29604F94819ED09897641C7746624DB92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0113A2C7(void* __ebx, void* __ecx, void* __edi) {
      				void* _t154;
      				signed int _t155;
      				signed char _t156;
      				signed int _t163;
      				signed int _t166;
      				void* _t167;
      				intOrPtr* _t178;
      				void* _t179;
      				signed char _t190;
      				signed char _t192;
      				signed char _t194;
      				signed char _t196;
      				signed char _t198;
      				signed int _t200;
      				signed char _t201;
      				int _t203;
      				signed int _t219;
      				intOrPtr _t224;
      				intOrPtr _t247;
      				signed char _t248;
      				void* _t251;
      				signed int* _t253;
      				unsigned int _t255;
      				signed int* _t256;
      				signed int* _t260;
      				signed char _t264;
      				signed int _t265;
      				void* _t267;
      				void* _t281;
      				signed int _t296;
      				signed int _t302;
      				signed char _t303;
      				signed char _t304;
      				signed char _t305;
      				signed int* _t306;
      				void* _t308;
      				void* _t309;
      
      				_t251 = __ecx;
      				E01143D91(E01148BF8, __ebx, __edi, 0x5c);
      				_t303 =  *(_t308 + 8);
      				 *(_t308 - 0x64) = _t303;
      				 *(_t308 - 4) = 0;
      				_t153 =  >=  ?  *((void*)(_t308 + 0xc)) : _t308 + 0xc;
      				_t154 = E0113B365(0, _t251, __edi, _t303,  >=  ?  *((void*)(_t308 + 0xc)) : _t308 + 0xc);
      				_t295 = _t154;
      				_t155 = 3;
      				if( *((intOrPtr*)(_t154 + 0xe)) != _t155) {
      					__imp__#1511();
      					_t252 = 0x18;
      					 *(_t308 - 0x68) = _t155;
      					 *(_t308 - 4) = 1;
      					__eflags = _t155;
      					if(_t155 == 0) {
      						_t156 = 0;
      					} else {
      						_t252 = _t155;
      						_t156 = E011298AC(_t155, "Not an object");
      					}
      					 *(_t308 - 4) = 0;
      					 *(_t308 - 0x64) = _t156;
      					_push(0x1156040);
      					_push(_t308 - 0x64);
      					L01145637();
      					asm("int3");
      					E01143D91(E01148C53, 0, _t295, 0x14);
      					_t304 =  *(_t308 + 8);
      					_t247 = 0;
      					 *(_t308 - 0x20) = _t304;
      					 *(_t308 - 0x1c) = 0;
      					 *(_t308 - 4) = 1;
      					__eflags =  *((intOrPtr*)(_t308 + 0x20)) - 0x10;
      					_t161 =  >=  ?  *((void*)(_t308 + 0xc)) : _t308 + 0xc;
      					_t253 = E0113B365(0, _t252, _t295, _t304,  >=  ?  *((void*)(_t308 + 0xc)) : _t308 + 0xc);
      					_t163 = 4;
      					__eflags = _t253[3] - _t163;
      					if(_t253[3] != _t163) {
      						__imp__#1511(0x18);
      						 *(_t308 - 0x18) = _t163;
      						 *(_t308 - 4) = 2;
      						__eflags = _t163;
      						if(_t163 != 0) {
      							_t247 = E011298AC(_t163, "Not an array");
      						}
      						_push(0x1156040);
      						 *(_t308 - 4) = 1;
      						_push(_t308 - 0x14);
      						 *((intOrPtr*)(_t308 - 0x14)) = _t247;
      						L01145637();
      						asm("int3");
      						_t166 = E01143D91(E01148D0A, _t247, _t295, 0x48);
      						_t289 =  *((intOrPtr*)(_t308 + 0xc));
      						_t305 =  *(_t308 + 8);
      						 *(_t308 - 0x54) = _t305;
      						_t255 =  *( *((intOrPtr*)(_t308 + 0xc)) + 0xe) & 0x0000ffff;
      						_t296 = 4;
      						 *(_t308 - 0x50) = _t305;
      						__eflags = _t255 - _t296;
      						if(_t255 == _t296) {
      							__imp__#1511();
      							_t256 = 0x18;
      							 *(_t308 - 0x54) = _t166;
      							_t248 = 0;
      							 *(_t308 - 4) = 0;
      							__eflags = _t166;
      							if(_t166 != 0) {
      								_t256 = _t166;
      								_t248 = E011298AC(_t256, "Not supported yet (array)");
      							}
      							_t124 = _t308 - 4;
      							 *_t124 =  *(_t308 - 4) | 0xffffffff;
      							__eflags =  *_t124;
      							 *(_t308 - 0x50) = _t248;
      							goto L57;
      						} else {
      							_t190 = _t255 >> 3;
      							_t248 = 1;
      							__eflags = 1 & _t190;
      							if((1 & _t190) == 0) {
      								_t192 = _t255 >> 9;
      								__eflags = 1 & _t192;
      								if((1 & _t192) == 0) {
      									__eflags = _t255 & 0x00000200;
      									if(__eflags == 0) {
      										L33:
      										_t194 = _t255 >> 5;
      										__eflags = _t248 & _t194;
      										if((_t248 & _t194) == 0) {
      											_t196 = _t255 >> 7;
      											__eflags = _t248 & _t196;
      											if((_t248 & _t196) == 0) {
      												__eflags = _t255 - 3;
      												if(_t255 != 3) {
      													_t198 = _t255 >> 0xa;
      													_push(0x18);
      													__eflags = _t248 & _t198;
      													if((_t248 & _t198) == 0) {
      														_t198 = _t255 >> 6;
      														__eflags = _t248 & _t198;
      														if((_t248 & _t198) == 0) {
      															_t264 = _t255 >> 8;
      															__eflags = _t248 & _t264;
      															if((_t248 & _t264) == 0) {
      																__imp__#1511();
      																_pop(_t256);
      																 *(_t308 - 0x50) = _t198;
      																 *(_t308 - 4) = 0xb;
      																__eflags = _t198;
      																if(_t198 == 0) {
      																	_t200 = 0;
      																	__eflags = 0;
      																} else {
      																	_t256 = _t198;
      																	_t200 = E011298AC(_t256, "Should not get here");
      																}
      																 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
      																 *(_t308 - 0x54) = _t200;
      																_t167 = _t308 - 0x54;
      																_push(0x1156040);
      															} else {
      																__imp__#1511();
      																_pop(_t256);
      																 *(_t308 - 0x54) = _t198;
      																 *(_t308 - 4) = 0xa;
      																__eflags = _t198;
      																if(_t198 == 0) {
      																	goto L23;
      																} else {
      																	_push("Not supported yet (uint64)");
      																	goto L22;
      																}
      															}
      														} else {
      															__imp__#1511();
      															_pop(_t256);
      															 *(_t308 - 0x54) = _t198;
      															 *(_t308 - 4) = 9;
      															__eflags = _t198;
      															if(_t198 == 0) {
      																goto L23;
      															} else {
      																_push("Not supported yet (uint)");
      																goto L22;
      															}
      														}
      													} else {
      														__imp__#1511();
      														_pop(_t256);
      														 *(_t308 - 0x54) = _t198;
      														 *(_t308 - 4) = 8;
      														__eflags = _t198;
      														if(_t198 == 0) {
      															goto L23;
      														} else {
      															_push("Not supported yet (string)");
      															goto L22;
      														}
      													}
      													goto L58;
      												} else {
      													_t265 = 6;
      													_t203 = memset(_t308 - 0x28, 0, _t265 << 2);
      													asm("xorps xmm0, xmm0");
      													 *((intOrPtr*)(_t308 - 0x14)) = 0x100;
      													__eflags = 0;
      													asm("movups [ebp-0x28], xmm0");
      													 *(_t308 - 0x18) = 0;
      													 *(_t308 - 4) = 6;
      													_t299 = _t308 - 0x4c;
      													_t267 = 9;
      													memset(_t308 - 0x4c, _t203, 0 << 2);
      													 *((intOrPtr*)(_t308 - 0x38)) = 0;
      													 *(_t308 - 0x4c) = _t308 - 0x28;
      													asm("movups [ebp-0x48], xmm0");
      													 *((intOrPtr*)(_t308 - 0x34)) = 0x100;
      													 *((intOrPtr*)(_t308 - 0x30)) = 0x144;
      													 *((char*)(_t308 - 0x2c)) = 0;
      													 *(_t308 - 4) = 7;
      													E0113B01D(0, _t289, _t299 + _t267, _t305, _t308 - 0x4c);
      													 *_t305 = 0;
      													E011298AC(_t309 + 0x18 - 0x18, E0113AC58(_t308 - 0x28));
      													E0113A86F(0,  *(_t308 - 0x50), _t299 + _t267);
      													E0113AC3D(_t308 - 0x48);
      													E0113AC3D(_t308 - 0x28);
      													return E01143D3B( *(_t308 - 0x50), 0, _t299 + _t267);
      												}
      											} else {
      												__imp__#1511();
      												_t256 = 0x18;
      												 *(_t308 - 0x54) = _t196;
      												 *(_t308 - 4) = 5;
      												__eflags = _t196;
      												if(_t196 == 0) {
      													goto L23;
      												} else {
      													_push("Not supported yet (int64)");
      													goto L22;
      												}
      												goto L58;
      											}
      										} else {
      											__imp__#1511();
      											_t256 = 0x18;
      											 *(_t308 - 0x54) = _t194;
      											 *(_t308 - 4) = _t296;
      											__eflags = _t194;
      											if(_t194 == 0) {
      												goto L23;
      											} else {
      												_push("Not supported yet (int)");
      												goto L22;
      											}
      											goto L58;
      										}
      									} else {
      										asm("movsd xmm1, [edx]");
      										asm("comisd xmm1, [0x114f928]");
      										if(__eflags < 0) {
      											goto L33;
      										} else {
      											asm("movsd xmm0, [0x114f908]");
      											asm("comisd xmm0, xmm1");
      											if(__eflags < 0) {
      												goto L33;
      											} else {
      												__imp__#1511();
      												_t256 = 0x18;
      												 *(_t308 - 0x54) = _t192;
      												 *(_t308 - 4) = 3;
      												__eflags = _t192;
      												if(_t192 == 0) {
      													goto L23;
      												} else {
      													_push("Not supported yet (float)");
      													goto L22;
      												}
      												goto L58;
      											}
      										}
      									}
      								} else {
      									__imp__#1511();
      									_t256 = 0x18;
      									 *(_t308 - 0x54) = _t192;
      									 *(_t308 - 4) = 2;
      									__eflags = _t192;
      									if(_t192 == 0) {
      										goto L23;
      									} else {
      										_push("Not supported yet (double)");
      										goto L22;
      									}
      									goto L58;
      								}
      							} else {
      								__imp__#1511();
      								_t256 = 0x18;
      								 *(_t308 - 0x54) = _t190;
      								 *(_t308 - 4) = 1;
      								__eflags = _t190;
      								if(_t190 == 0) {
      									L23:
      									_t201 = 0;
      									__eflags = 0;
      								} else {
      									_push("Not supported yet (bool)");
      									L22:
      									_t256 = _t198;
      									_t201 = E011298AC(_t256);
      								}
      								 *(_t308 - 4) =  *(_t308 - 4) | 0xffffffff;
      								 *(_t308 - 0x50) = _t201;
      								L57:
      								_push(0x1156040);
      								_t167 = _t308 - 0x50;
      								L58:
      								_push(_t167);
      								L01145637();
      								asm("int3");
      								E01143D91(E01148D49, _t248, _t296, 0x28);
      								_t306 = _t256;
      								 *(_t308 - 4) = 1;
      								__eflags =  *((intOrPtr*)(_t308 + 0x1c)) - 0x10;
      								_t171 =  >=  ?  *(_t308 + 8) : _t308 + 8;
      								E0113AE1B(_t308 - 0x20,  >=  ?  *(_t308 + 8) : _t308 + 8, _t306[4]);
      								 *(_t308 - 4) = 2;
      								__eflags =  *((intOrPtr*)(_t308 + 0x34)) - 0x10;
      								_t174 =  >=  ?  *((void*)(_t308 + 0x20)) : _t308 + 0x20;
      								E0113AE1B(_t308 - 0x30,  >=  ?  *((void*)(_t308 + 0x20)) : _t308 + 0x20, _t306[4]);
      								 *(_t308 - 4) = 3;
      								_t178 = E0113B892(_t248, _t306, _t296, _t306, _t308 - 0x34, _t308 - 0x20);
      								_t260 = _t306;
      								__eflags =  *_t178 - ( *_t306 << 5) + _t306[2];
      								_t179 = _t308 - 0x30;
      								if(__eflags == 0) {
      									E0113AD58(_t260, _t308 - 0x20, _t179, _t306[4]);
      								} else {
      									E0113ADD5(E0113B3B9(_t248, _t260, _t296, _t306, __eflags, _t308 - 0x20), _t179);
      								}
      								E01129AC1(_t308 + 8);
      								return E01143D3B(E01129AC1(_t308 + 0x20), _t248, _t296);
      							}
      						}
      					} else {
      						asm("stosd");
      						asm("stosd");
      						asm("stosd");
      						 *_t304 = 0;
      						 *((intOrPtr*)(_t304 + 4)) = 0;
      						 *((intOrPtr*)(_t304 + 8)) = 0;
      						_t302 = _t253[2];
      						_t219 = ( *_t253 << 4) + _t302;
      						 *(_t308 - 0x1c) = 1;
      						 *(_t308 - 0x18) = _t219;
      						__eflags = _t302 - _t219;
      						if(_t302 != _t219) {
      							do {
      								_push(_t302);
      								 *((intOrPtr*)(_t308 - 0x14)) = _t247;
      								_push(_t308 - 0x14);
      								L18();
      								 *(_t308 - 4) = 3;
      								_t224 =  *((intOrPtr*)(_t304 + 4));
      								_push(_t308 - 0x14);
      								__eflags = _t224 -  *((intOrPtr*)(_t304 + 8));
      								if(_t224 ==  *((intOrPtr*)(_t304 + 8))) {
      									_push(_t224);
      									E0113B711(_t247, _t304, _t302);
      								} else {
      									E0113A8D2(_t247, _t224, _t302);
      									 *((intOrPtr*)(_t304 + 4)) =  *((intOrPtr*)(_t304 + 4)) + 4;
      								}
      								 *(_t308 - 4) = 1;
      								E0113AC23(_t308 - 0x14);
      								_t302 = _t302 + 0x10;
      								__eflags = _t302 -  *(_t308 - 0x18);
      							} while (_t302 !=  *(_t308 - 0x18));
      						}
      						E01129AC1(_t308 + 0xc);
      						return E01143D3B(_t304, _t247, _t302);
      					}
      				} else {
      					memset(_t308 - 0x60, 0, 0x38);
      					_t281 = _t308 - 0x60;
      					E0113ACC8(0, _t281, _t295);
      					 *(_t308 - 4) = 2;
      					E0113AE01(_t281);
      					_push(_t281);
      					E0113BC5C(_t308 - 0x60, _t295,  *(_t308 - 0x50));
      					_push(_t308 - 0x60);
      					_push(_t308 - 0x28);
      					E01139FED(0, _t295);
      					 *(_t308 - 4) = 3;
      					 *_t303 = 0;
      					E011298E1(_t309 - 0x18, _t308 - 0x28);
      					E0113A86F(0, _t303, _t295);
      					E01129AC1(_t308 - 0x28);
      					_t286 =  *(_t308 - 0x4c);
      					if( *(_t308 - 0x4c) != 0) {
      						E0113AEB0(_t286, _t295, _t286);
      					}
      					E0113AC3D(_t308 - 0x48);
      					E01129AC1(_t308 + 0xc);
      					return E01143D3B(_t303, 0, _t295);
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113A2CE
      • memset.VCRUNTIME140(?,00000000,00000038,0000005C,01121A1A,00000000,?), ref: 0113A305
        • Part of subcall function 0113ACC8: __EH_prolog3.LIBCMT ref: 0113ACCF
        • Part of subcall function 0113ACC8: #1511.MFC140U(00000014,00000004,0113A848,00000000,00000000), ref: 0113AD19
        • Part of subcall function 01139FED: __EH_prolog3_GS.LIBCMT ref: 01139FF4
        • Part of subcall function 0113A86F: __EH_prolog3.LIBCMT ref: 0113A876
        • Part of subcall function 0113A86F: #1511.MFC140U(00000038,00000008,0113A64F,00000000), ref: 0113A88A
        • Part of subcall function 0113A86F: memset.VCRUNTIME140(00000000,00000000,00000038), ref: 0113A8A2
        • Part of subcall function 0113AEB0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,0113ACBF,?,?,0113AC31,?,0112367B), ref: 0113AEC5
      • #1511.MFC140U(00000018,0000005C,01121A1A,00000000,?), ref: 0113A382
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113A3B3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$H_prolog3H_prolog3_memset$ExceptionThrowfree
      • String ID: Not an object
      • API String ID: 1209492604-1272192764
      • Opcode ID: 7ef00a519c84b08cfd921bd87fa4af6bc184d93d0e77ebbf9fbe1a823f95a9d3
      • Instruction ID: c9ad5428f9194df1f04a0d0543bf3ec500051f972b32dc19fbef1f059a7f552e
      • Opcode Fuzzy Hash: 7ef00a519c84b08cfd921bd87fa4af6bc184d93d0e77ebbf9fbe1a823f95a9d3
      • Instruction Fuzzy Hash: 7B21AD30A0432DEBDF0CEFA4D854ADD7BB8BF64718F548429E445EB140DB749A04CB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E01122529(void* __ebx, void* __ecx, void* __edx, void* __edi) {
      				void* _t23;
      				void* _t27;
      				void* _t28;
      				void* _t31;
      				intOrPtr* _t68;
      				void* _t73;
      				void* _t74;
      				intOrPtr _t75;
      
      				_t23 = E011238AC(__ebx, __ecx, __edx, __edi);
      				_t68 =  *((intOrPtr*)(_t73 - 0x360));
      				E011238AC(__ebx, _t23,  *((intOrPtr*)( *_t68 + 4))(), _t68);
      				__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123A1C);
      				_t71 =  *((intOrPtr*)(_t73 - 0x330));
      				_t27 =  *((intOrPtr*)( *_t68 + 4))();
      				_push( *((intOrPtr*)(_t73 - 0x330)) + 0x24);
      				_t28 = E011237FA( *((intOrPtr*)(_t71 + 8)), _t73 - 0x394, "Runtime exception thrown from InstallerModule ", _t27);
      				 *((char*)(_t73 - 4)) = 0x22;
      				E011299A0(_t73 - 0x130, E01129C57(_t28, " (", 2));
      				 *((char*)(_t73 - 4)) = 0x23;
      				_t31 = E01123879(_t73 - 0x35c, _t73 - 0x130, _t27);
      				_t75 = _t74 - 0x14;
      				 *((char*)(_t73 - 4)) = 0x24;
      				 *((intOrPtr*)(_t73 - 0x320)) = _t75;
      				 *((intOrPtr*)(_t73 - 0x31c)) = _t75;
      				E011299A0(_t75, E01129C57(_t31, ")", 1));
      				_push(5);
      				_push(0xae);
      				 *((char*)(_t73 - 4)) = 0x25;
      				 *((intOrPtr*)(_t73 - 0x31c)) = _t75 - 0x18;
      				E011298AC(_t75 - 0x18, "int __thiscall InstPC::Action::run(void)");
      				 *((char*)(_t73 - 4)) = 0x26;
      				E011298AC(_t75, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *((char*)(_t73 - 4)) = 0x24;
      				E0113765F( *((intOrPtr*)(_t71 + 8)),  *((intOrPtr*)(_t71 + 8)), _t27);
      				E01129AC1(_t73 - 0x35c);
      				E01129AC1(_t73 - 0x130);
      				E01129AC1(_t73 - 0x394);
      				return E011227E2;
      			}

      APIs
        • Part of subcall function 011238AC: __EH_prolog3_catch.LIBCMT ref: 011238B3
        • Part of subcall function 011238AC: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123A06
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123957
        • Part of subcall function 011238AC: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123980
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 011239AA
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003A1C), ref: 0112254D
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      Strings
      • $, xrefs: 0112260E
      • Runtime exception thrown from InstallerModule , xrefs: 01122566
      • int __thiscall InstPC::Action::run(void), xrefs: 011225EF
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 01122602
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@V01@$#1511??6?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@ExceptionH_prolog3H_prolog3_H_prolog3_catchThrowV01@@
      • String ID: $$C:\git\modular-installer\kernel\Action.cpp$Runtime exception thrown from InstallerModule $int __thiscall InstPC::Action::run(void)
      • API String ID: 1930254013-4226011493
      • Opcode ID: 9fb7e30e274822063bfbe1b0ab92111293f9c914a1bb0131bf5a768b65ed203d
      • Instruction ID: b81cca3484c1663d7508b807828c727a03921678c9d292c55a8cdd0a609a812f
      • Opcode Fuzzy Hash: 9fb7e30e274822063bfbe1b0ab92111293f9c914a1bb0131bf5a768b65ed203d
      • Instruction Fuzzy Hash: 40218B74A1026A9BCF1DE728C919B9DBBF5AB68708F5440D8D00AA7281EBB45F648B41
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E01122649(void* __ebx, void* __ecx, void* __edx, void* __edi) {
      				void* _t23;
      				void* _t27;
      				void* _t28;
      				void* _t31;
      				intOrPtr* _t68;
      				void* _t73;
      				void* _t74;
      				intOrPtr _t75;
      
      				_t23 = E011238AC(__ebx, __ecx, __edx, __edi);
      				_t68 =  *((intOrPtr*)(_t73 - 0x364));
      				E011238AC(__ebx, _t23,  *((intOrPtr*)( *_t68 + 4))(), _t68);
      				__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123A1C);
      				_t71 =  *((intOrPtr*)(_t73 - 0x330));
      				_t27 =  *((intOrPtr*)( *_t68 + 4))();
      				_push( *((intOrPtr*)(_t73 - 0x330)) + 0x24);
      				_t28 = E011237FA( *((intOrPtr*)(_t71 + 8)), _t73 - 0x160, "std::exception thrown from InstallerModule ", _t27);
      				 *((char*)(_t73 - 4)) = 0x27;
      				E011299A0(_t73 - 0x37c, E01129C57(_t28, " (", 2));
      				 *((char*)(_t73 - 4)) = 0x28;
      				_t31 = E01123879(_t73 - 0x3ac, _t73 - 0x37c, _t27);
      				_t75 = _t74 - 0x14;
      				 *((char*)(_t73 - 4)) = 0x29;
      				 *((intOrPtr*)(_t73 - 0x320)) = _t75;
      				 *((intOrPtr*)(_t73 - 0x31c)) = _t75;
      				E011299A0(_t75, E01129C57(_t31, ")", 1));
      				_push(5);
      				_push(0xb4);
      				 *((char*)(_t73 - 4)) = 0x2a;
      				 *((intOrPtr*)(_t73 - 0x31c)) = _t75 - 0x18;
      				E011298AC(_t75 - 0x18, "int __thiscall InstPC::Action::run(void)");
      				 *((char*)(_t73 - 4)) = 0x2b;
      				E011298AC(_t75, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *((char*)(_t73 - 4)) = 0x29;
      				E0113765F( *((intOrPtr*)(_t71 + 8)),  *((intOrPtr*)(_t71 + 8)), _t27);
      				E01129AC1(_t73 - 0x3ac);
      				E01129AC1(_t73 - 0x37c);
      				E01129AC1(_t73 - 0x160);
      				return E011227E2;
      			}

      APIs
        • Part of subcall function 011238AC: __EH_prolog3_catch.LIBCMT ref: 011238B3
        • Part of subcall function 011238AC: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123A06
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123957
        • Part of subcall function 011238AC: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123980
        • Part of subcall function 011238AC: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 011239AA
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003A1C), ref: 0112266D
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      Strings
      • ), xrefs: 0112272E
      • std::exception thrown from InstallerModule , xrefs: 01122686
      • int __thiscall InstPC::Action::run(void), xrefs: 0112270F
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 01122722
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@V01@$#1511??6?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@ExceptionH_prolog3H_prolog3_H_prolog3_catchThrowV01@@
      • String ID: )$C:\git\modular-installer\kernel\Action.cpp$int __thiscall InstPC::Action::run(void)$std::exception thrown from InstallerModule
      • API String ID: 1930254013-2382871579
      • Opcode ID: 85adbe22a27e8c333c5f659da009ed18f7d0ff0dfbd2f6853a6cb50fcadb0d7a
      • Instruction ID: bfd9c5de1429714f657642f25e659d806b79a1404df9d664961f41a2fc7e62cf
      • Opcode Fuzzy Hash: 85adbe22a27e8c333c5f659da009ed18f7d0ff0dfbd2f6853a6cb50fcadb0d7a
      • Instruction Fuzzy Hash: 4D219174B102299FCF1DE728C859B9DBBF5AB69708F5480DCD00A67281DBB45F548B41
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0112A6CA(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
      				intOrPtr* _t38;
      				void* _t48;
      				intOrPtr* _t50;
      				void* _t52;
      				void* _t53;
      				intOrPtr _t54;
      				intOrPtr _t55;
      				intOrPtr _t56;
      				intOrPtr _t57;
      				intOrPtr _t58;
      
      				_t48 = __edx;
      				_t38 = __ecx;
      				E01143D5D(E011464A2, __ebx, __edi, 0x20);
      				_t50 = _t38;
      				 *((intOrPtr*)(_t52 - 0x10)) = _t50;
      				E01136604(_t50 + 4);
      				 *(_t52 - 4) =  *(_t52 - 4) & 0x00000000;
      				_t54 = _t53 - 0x18;
      				 *(_t50 + 0x10) =  *(_t50 + 0x10) & 0x00000000;
      				 *((intOrPtr*)(_t52 - 0x14)) = _t54;
      				 *_t50 = 0x114c288;
      				 *((intOrPtr*)(_t52 - 0x18)) = _t54;
      				E011298E1(_t54, 0x115a09c);
      				_t55 = _t54 - 0x18;
      				 *(_t52 - 4) = 1;
      				 *((intOrPtr*)(_t52 - 0x18)) = _t55;
      				 *((intOrPtr*)(_t52 - 0x1c)) = _t55;
      				E011298E1(_t55, 0x115a0b4);
      				_t56 = _t55 - 0x18;
      				 *(_t52 - 4) = 2;
      				 *((intOrPtr*)(_t52 - 0x1c)) = _t56;
      				 *((intOrPtr*)(_t52 - 0x20)) = _t56;
      				E011298E1(_t56, 0x115a0cc);
      				_t57 = _t56 - 0x18;
      				 *(_t52 - 4) = 3;
      				 *((intOrPtr*)(_t52 - 0x20)) = _t57;
      				E011298AC(_t57, "673ae6306d8266a780df868d6772aab3b9662e0f");
      				_t58 = _t57 - 0x18;
      				 *(_t52 - 4) = 4;
      				 *((intOrPtr*)(_t52 - 0x24)) = _t58;
      				E011298AC(_t58, "1248");
      				 *(_t52 - 4) = 5;
      				 *((intOrPtr*)(_t52 - 0x28)) = _t58 - 0x18;
      				E011298AC(_t58 - 0x18, "Kernel");
      				 *(_t52 - 4) = 6;
      				E011298AC(_t58, "Update");
      				 *(_t52 - 4) = 0;
      				L011374D1(__ebx,  *((intOrPtr*)(_t50 + 0xc)), _t48, _t50,  *(_t50 + 0x10));
      				return E01143D26(_t50);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 0112A6D1
        • Part of subcall function 01136604: __EH_prolog3.LIBCMT ref: 0113660B
        • Part of subcall function 011298E1: memcpy.VCRUNTIME140(00000000,?,00000001,?,00000000,?,00000014,?,01138843,?,00000018,011386DC,?,?,?,00000008), ref: 01129935
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$memcpy
      • String ID: 1248$673ae6306d8266a780df868d6772aab3b9662e0f$Kernel$Update
      • API String ID: 332758194-1195413737
      • Opcode ID: dc08eae0d293aafd8c88d62919e522fac78b5d17b5cc2fabf7e8c707c88c6aaa
      • Instruction ID: ba33627e384f41f627bf463438eee99ce8133ae9def454f9b1d65a347b80e901
      • Opcode Fuzzy Hash: dc08eae0d293aafd8c88d62919e522fac78b5d17b5cc2fabf7e8c707c88c6aaa
      • Instruction Fuzzy Hash: D1212C60E1435EEBDF0CBBBD85163ADBEB0AB55A18F58418CE54027281C7B51A1497D2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E011445C6(void* __ebx, void* __edi, void* __esi, void* _a4, intOrPtr* _a8) {
      				signed int _v8;
      				intOrPtr _v28;
      				intOrPtr _v32;
      				char _v48;
      				intOrPtr _v76;
      				struct _BY_HANDLE_FILE_INFORMATION _v100;
      				signed int _t12;
      				intOrPtr* _t14;
      				intOrPtr _t23;
      				void* _t26;
      				intOrPtr* _t31;
      				signed int _t34;
      
      				_t12 =  *0x115a014; // 0x2648a249
      				_v8 = _t12 ^ _t34;
      				_t26 = _a4;
      				_t31 = _a8;
      				_t14 = E0114458E(0x115b418, L"kernel32.dll", "GetFileInformationByHandleEx", E0114465B);
      				 *0x114b51c(_t26, 0,  &_v48, 0x28);
      				if( *_t14() == 0) {
      					if(GetLastError() == 0x32) {
      						if(GetFileInformationByHandle(_t26,  &_v100) == 0) {
      							_t18 = GetLastError();
      						} else {
      							 *_t31 = _v100.ftLastWriteTime;
      							_t23 = _v76;
      							goto L2;
      						}
      					}
      				} else {
      					 *_t31 = _v32;
      					_t23 = _v28;
      					L2:
      					 *((intOrPtr*)(_t31 + 4)) = _t23;
      					_t18 = 0;
      				}
      				return E0114368F(_t18, _v8 ^ _t34);
      			}

      APIs
        • Part of subcall function 0114458E: GetModuleHandleW.KERNEL32(2648A249,00000000,?,01144B7C,0115B418,kernel32.dll,GetFileInformationByHandleEx,0114465B,000000B7,?,00000080,0114A00A,2648A249,?,000000B7), ref: 0114459E
        • Part of subcall function 0114458E: GetProcAddress.KERNEL32(00000000,0114A00A), ref: 011445AC
      • GetLastError.KERNEL32 ref: 01144620
      • GetFileInformationByHandle.KERNEL32(?,?), ref: 01144630
      • GetLastError.KERNEL32 ref: 01144644
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ErrorHandleLast$AddressFileInformationModuleProc
      • String ID: GetFileInformationByHandleEx$kernel32.dll
      • API String ID: 1948868563-1782754588
      • Opcode ID: 1c23021d861f4570f1280364ae8c03ad0925d2cf0a2f79788d8368b6a2444854
      • Instruction ID: 391c3bc7e9ee1a360dbfe3959f83a87ed273f8447d0a40fa42209f0840875832
      • Opcode Fuzzy Hash: 1c23021d861f4570f1280364ae8c03ad0925d2cf0a2f79788d8368b6a2444854
      • Instruction Fuzzy Hash: 0B115E75A04209EBDB28DF69D845EAEBBB8AF18E11F104036E921D7240DB30D9448BA4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E0112110F(void* __ebx, void* __edx, void* __edi) {
      				signed int _t8;
      				signed int _t9;
      				signed int _t18;
      				void* _t22;
      				void* _t24;
      
      				_t23 = __edi;
      				_t22 = __edx;
      				_t15 = __ebx;
      				_t8 = E01143D5D(E01147BF9, __ebx, __edi, 8);
      				__imp__curl_global_init(3);
      				_t25 = _t8;
      				if(_t8 != 0) {
      					__imp__#1511(0x18);
      					_t18 = _t8;
      					 *(_t24 - 0x14) = _t18;
      					_t9 = 0;
      					 *(_t24 - 4) = 0;
      					__eflags = _t18;
      					if(_t18 != 0) {
      						_t9 = E011298AC(_t18, "Failed to initialize cURL");
      					}
      					_t3 = _t24 - 4;
      					 *_t3 =  *(_t24 - 4) | 0xffffffff;
      					__eflags =  *_t3;
      					 *((intOrPtr*)(_t24 - 0x10)) = _t9;
      					_push(0x1156040);
      					_push(_t24 - 0x10);
      					L01145637();
      					asm("int3");
      					E0112E35A(_t15, 0x115b578, _t22, _t23, __eflags);
      					return E01143B16(__eflags, E0114A0C0);
      				} else {
      					return E01143D26(E01143B16(_t25, 0x114a0ba));
      				}
      			}









      APIs
      • __EH_prolog3.LIBCMT ref: 01121116
      • curl_global_init.LIBCURL(00000003,00000008), ref: 0112111D
      • #1511.MFC140U(00000018), ref: 0112113B
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0112116A
      Strings
      • Failed to initialize cURL, xrefs: 01121150
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3Throwcurl_global_init
      • String ID: Failed to initialize cURL
      • API String ID: 485453258-1253288522
      • Opcode ID: cce8da4382ce98c9622d7909ef49a7ce8c9a67d072d53b004c2881d2e4316d00
      • Instruction ID: 219078b1907e89b6ecebaedb040a7741061c48d902d0cb3c62837d9497ae53ba
      • Opcode Fuzzy Hash: cce8da4382ce98c9622d7909ef49a7ce8c9a67d072d53b004c2881d2e4316d00
      • Instruction Fuzzy Hash: 6BF09035A9432BA7DF6CBBB96811B9D3665BF24F29F64411DE222E32C0DF7086008721
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E01122769(void* __ebx, void* __ecx, void* __edx, void* __edi) {
      				void* _t28;
      				void* _t29;
      				intOrPtr _t30;
      
      				E011238AC(__ebx, __ecx, __edx, __edi);
      				__imp__??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z(E01123A1C);
      				_t30 = _t29 - 0x18;
      				 *((intOrPtr*)(_t28 - 0x320)) = _t30;
      				_push( *((intOrPtr*)(_t28 - 0x330)) + 0x24);
      				E011237FA(__ebx, _t30, "Unknown failure occurred while running ", __edi);
      				_push(5);
      				_push(0xb9);
      				 *((char*)(_t28 - 4)) = 0x2c;
      				 *((intOrPtr*)(_t28 - 0x31c)) = _t30 - 0x18;
      				E011298AC(_t30 - 0x18, "int __thiscall InstPC::Action::run(void)");
      				 *((char*)(_t28 - 4)) = 0x2d;
      				E011298AC(_t30, "C:\\git\\modular-installer\\kernel\\Action.cpp");
      				 *((char*)(_t28 - 4)) = 0x21;
      				E0113765F(__ebx,  *((intOrPtr*)( *((intOrPtr*)(_t28 - 0x330)) + 8)), __edi);
      				return E011227E2;
      			}







      APIs
        • Part of subcall function 011238AC: __EH_prolog3_catch.LIBCMT ref: 011238B3
        • Part of subcall function 011238AC: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123A06
      • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z.MSVCP140(Function_00003A1C), ref: 01122775
        • Part of subcall function 011237FA: __EH_prolog3.LIBCMT ref: 01123801
        • Part of subcall function 0113765F: __EH_prolog3_GS.LIBCMT ref: 01137669
        • Part of subcall function 0113765F: #1511.MFC140U(00000018,000001C8,011228B3,C:\git\modular-installer\kernel\Action.cpp), ref: 01137695
        • Part of subcall function 0113765F: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01137DA0
      Strings
      • !, xrefs: 011227D3
      • Unknown failure occurred while running , xrefs: 0112278C
      • int __thiscall InstPC::Action::run(void), xrefs: 011227B4
      • C:\git\modular-installer\kernel\Action.cpp, xrefs: 011227C7
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@V01@$#1511??6?$basic_ostream@?setstate@?$basic_ios@ExceptionH_prolog3H_prolog3_H_prolog3_catchThrowV01@@
      • String ID: !$C:\git\modular-installer\kernel\Action.cpp$Unknown failure occurred while running $int __thiscall InstPC::Action::run(void)
      • API String ID: 974155615-3910229750
      • Opcode ID: 7f6fca8ae02564a526a0c11ce56d527716a967caa927210964734b601d80149a
      • Instruction ID: df7089274612d53f664dd4c5de2a8948169e25da13858c1355df5ed304311ef3
      • Opcode Fuzzy Hash: 7f6fca8ae02564a526a0c11ce56d527716a967caa927210964734b601d80149a
      • Instruction Fuzzy Hash: 3DF09660B14269EBDF0CB77C890A75C7AA16B59A08F4440CCE1017B282DBB49E508B96
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E0113420D(intOrPtr* __ecx) {
      				_Unknown_base(*)()* _t5;
      				signed int _t6;
      				intOrPtr* _t10;
      
      				_t10 = __ecx;
      				memset(__ecx + 4, 0, 0x118);
      				 *_t10 = 0x11c;
      				_t5 = GetProcAddress(GetModuleHandleW(L"ntdll.dll"), "RtlGetVersion");
      				if(_t5 != 0) {
      					_t6 =  *_t5(_t10);
      					asm("sbb eax, eax");
      					return  ~_t6 + 1;
      				} else {
      					return _t5;
      				}
      			}







      APIs
      • memset.VCRUNTIME140(?,00000000,00000118,?,01134306,00000000,000000B0,00000220,01133C34), ref: 0113421B
      • GetModuleHandleW.KERNEL32(ntdll.dll,000000B0,00000220,01133C34), ref: 0113422E
      • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 0113423A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: AddressHandleModuleProcmemset
      • String ID: RtlGetVersion$ntdll.dll
      • API String ID: 3137504439-1489217083
      • Opcode ID: 37e8c0ba3cab0cd4b63d026e67e579f5d4b8712be02a309573445f16052aab4e
      • Instruction ID: 0ae48e8997f533c14b4b0cd56af8224ebbdd00b5b855711ee76f944c2611f6a6
      • Opcode Fuzzy Hash: 37e8c0ba3cab0cd4b63d026e67e579f5d4b8712be02a309573445f16052aab4e
      • Instruction Fuzzy Hash: B8E086B268421597DA286AB4BC06BD6375C9B50F02F004429F161D7545EBA894414795
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 30%
      			E01123A5E(void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi) {
      				intOrPtr _t52;
      				intOrPtr _t54;
      				intOrPtr _t55;
      				intOrPtr _t57;
      				intOrPtr _t60;
      				intOrPtr _t62;
      				intOrPtr _t67;
      				signed int _t70;
      				intOrPtr _t72;
      				signed int _t75;
      				intOrPtr _t78;
      				intOrPtr _t79;
      				intOrPtr* _t80;
      				intOrPtr* _t81;
      				signed int _t83;
      				intOrPtr _t85;
      				intOrPtr _t87;
      				intOrPtr _t96;
      				intOrPtr* _t98;
      				void* _t100;
      				intOrPtr _t103;
      				intOrPtr _t105;
      
      				_t80 = __ecx;
      				E01143DC8(E01145C77, __ebx, __edi, 0x20);
      				 *((intOrPtr*)(_t100 - 0x20)) = __edx;
      				_t98 = _t80;
      				 *((intOrPtr*)(_t100 - 0x1c)) = _t98;
      				_t81 = __edx;
      				_t96 = __edx + 2;
      				do {
      					_t52 =  *_t81;
      					_t81 = _t81 + 2;
      				} while (_t52 != 0);
      				_t83 = _t81 - _t96 >> 1;
      				 *(_t100 - 0x18) = _t83;
      				_t54 =  *((intOrPtr*)( *_t98 + 4));
      				_t78 =  *((intOrPtr*)(_t54 + _t98 + 0x20));
      				_t55 =  *((intOrPtr*)(_t54 + _t98 + 0x24));
      				_t103 = _t55;
      				if(_t103 < 0) {
      					L9:
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x2c], xmm0");
      					_t55 =  *((intOrPtr*)(_t100 - 0x28));
      					_t79 =  *((intOrPtr*)(_t100 - 0x2c));
      				} else {
      					if(_t103 > 0) {
      						L8:
      						_t79 = _t78 - _t83;
      						asm("sbb eax, esi");
      					} else {
      						if(_t78 <= 0) {
      							goto L9;
      						} else {
      							_t105 = _t55;
      							if(_t105 < 0 || _t105 <= 0 && _t78 <= _t83) {
      								goto L9;
      							} else {
      								goto L8;
      							}
      						}
      					}
      				}
      				_push(_t98);
      				 *((intOrPtr*)(_t100 - 0x14)) = _t55;
      				E011234A5(_t100 - 0x2c, _t98);
      				 *((intOrPtr*)(_t100 - 4)) = 0;
      				if( *((char*)(_t100 - 0x28)) != 0) {
      					 *((char*)(_t100 - 4)) = 1;
      					_t85 =  *_t98;
      					_t57 =  *((intOrPtr*)(_t85 + 4));
      					__eflags = ( *(_t57 + _t98 + 0x14) & 0x000001c0) - 0x40;
      					if(( *(_t57 + _t98 + 0x14) & 0x000001c0) == 0x40) {
      						L20:
      						_t60 =  *((intOrPtr*)(_t85 + 4));
      						__imp__?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z( *((intOrPtr*)(_t100 - 0x20)),  *(_t100 - 0x18), 0);
      						__eflags = _t60 -  *(_t100 - 0x18);
      						if(_t60 !=  *(_t100 - 0x18)) {
      							goto L27;
      						} else {
      							__eflags = _t96;
      							if(_t96 != 0) {
      								goto L27;
      							} else {
      								_t67 =  *((intOrPtr*)(_t100 - 0x14));
      								while(1) {
      									__eflags = _t67;
      									if(__eflags < 0) {
      										break;
      									}
      									if(__eflags > 0) {
      										L26:
      										_t70 =  *( *((intOrPtr*)( *_t98 + 4)) + _t98 + 0x40) & 0x0000ffff;
      										__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t70);
      										__eflags = 0xffff - _t70;
      										if(0xffff != _t70) {
      											_t67 =  *((intOrPtr*)(_t100 - 0x14));
      											_t79 = _t79 + 0xffffffff;
      											asm("adc eax, 0xffffffff");
      											 *((intOrPtr*)(_t100 - 0x14)) = _t67;
      											continue;
      										} else {
      											goto L27;
      										}
      									} else {
      										__eflags = _t79;
      										if(_t79 <= 0) {
      											break;
      										} else {
      											goto L26;
      										}
      									}
      									goto L30;
      								}
      								_t87 = 0;
      							}
      						}
      					} else {
      						_t72 =  *((intOrPtr*)(_t100 - 0x14));
      						while(1) {
      							__eflags = _t72;
      							if(__eflags < 0) {
      								break;
      							}
      							if(__eflags > 0) {
      								L17:
      								_t75 =  *( *((intOrPtr*)( *_t98 + 4)) + _t98 + 0x40) & 0x0000ffff;
      								__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t75);
      								__eflags = 0xffff - _t75;
      								if(0xffff == _t75) {
      									L27:
      									_t87 = 4;
      								} else {
      									_t72 =  *((intOrPtr*)(_t100 - 0x14));
      									_t79 = _t79 + 0xffffffff;
      									asm("adc eax, 0xffffffff");
      									 *((intOrPtr*)(_t100 - 0x14)) = _t72;
      									continue;
      								}
      							} else {
      								__eflags = _t79;
      								if(_t79 <= 0) {
      									break;
      								} else {
      									goto L17;
      								}
      							}
      							goto L30;
      						}
      						_t85 =  *_t98;
      						goto L20;
      					}
      					L30:
      					_t62 =  *((intOrPtr*)( *_t98 + 4));
      					 *((intOrPtr*)(_t62 + _t98 + 0x20)) = 0;
      					 *((intOrPtr*)(_t62 + _t98 + 0x24)) = 0;
      					 *((intOrPtr*)(_t100 - 4)) = 0;
      				} else {
      					_t87 = 4;
      				}
      				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(0);
      				E01123448(_t100 - 0x2c);
      				return E01143D26(_t98, _t87);
      			}


























      APIs
      • __EH_prolog3_catch.LIBCMT ref: 01123A65
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B10
      • ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP140(?,?,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B41
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123B6C
      • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000020,01134405,?,00000000,000000B0,00000220,01133C34), ref: 01123BD0
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_H_prolog3_catch
      • String ID:
      • API String ID: 1687759287-0
      • Opcode ID: 0990ae033dcc0f1485401bd8dab6b2f7f05dde824222f9b8510c2abec194db95
      • Instruction ID: b481f8c105542dbd9663e01a0756cfb0284d9102047851cc45c742b3339576d1
      • Opcode Fuzzy Hash: 0990ae033dcc0f1485401bd8dab6b2f7f05dde824222f9b8510c2abec194db95
      • Instruction Fuzzy Hash: A841B035A201268FCB2DCF5CC4809ADBBB1FF0C714B144269E521DB781D738D9A0CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 30%
      			E011238AC(void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, void* __edi) {
      				intOrPtr _t52;
      				intOrPtr _t54;
      				intOrPtr _t55;
      				intOrPtr _t57;
      				intOrPtr _t60;
      				intOrPtr _t62;
      				intOrPtr _t67;
      				intOrPtr _t70;
      				intOrPtr _t71;
      				intOrPtr _t74;
      				intOrPtr _t76;
      				intOrPtr _t77;
      				intOrPtr* _t78;
      				intOrPtr* _t79;
      				intOrPtr _t80;
      				intOrPtr _t82;
      				intOrPtr _t84;
      				intOrPtr _t91;
      				intOrPtr* _t93;
      				void* _t95;
      				intOrPtr _t98;
      				intOrPtr _t100;
      
      				_t78 = __ecx;
      				E01143DC8(E01145C54, __ebx, __edi, 0x20);
      				 *((intOrPtr*)(_t95 - 0x20)) = __edx;
      				_t93 = _t78;
      				 *((intOrPtr*)(_t95 - 0x1c)) = _t93;
      				_t79 = __edx;
      				_t91 = __edx + 1;
      				do {
      					_t52 =  *_t79;
      					_t79 = _t79 + 1;
      				} while (_t52 != 0);
      				_t80 = _t79 - _t91;
      				 *((intOrPtr*)(_t95 - 0x18)) = _t80;
      				_t54 =  *((intOrPtr*)( *_t93 + 4));
      				_t76 =  *((intOrPtr*)(_t54 + _t93 + 0x20));
      				_t55 =  *((intOrPtr*)(_t54 + _t93 + 0x24));
      				_t98 = _t55;
      				if(_t98 < 0) {
      					L9:
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x2c], xmm0");
      					_t55 =  *((intOrPtr*)(_t95 - 0x28));
      					_t77 =  *((intOrPtr*)(_t95 - 0x2c));
      				} else {
      					if(_t98 > 0) {
      						L8:
      						_t77 = _t76 - _t80;
      						asm("sbb eax, esi");
      					} else {
      						if(_t76 <= 0) {
      							goto L9;
      						} else {
      							_t100 = _t55;
      							if(_t100 < 0 || _t100 <= 0 && _t76 <= _t80) {
      								goto L9;
      							} else {
      								goto L8;
      							}
      						}
      					}
      				}
      				_push(_t93);
      				 *((intOrPtr*)(_t95 - 0x14)) = _t55;
      				E011241FC(_t95 - 0x2c, _t93);
      				 *((intOrPtr*)(_t95 - 4)) = 0;
      				if( *((char*)(_t95 - 0x28)) != 0) {
      					 *((char*)(_t95 - 4)) = 1;
      					_t82 =  *_t93;
      					_t57 =  *((intOrPtr*)(_t82 + 4));
      					__eflags = ( *(_t57 + _t93 + 0x14) & 0x000001c0) - 0x40;
      					if(( *(_t57 + _t93 + 0x14) & 0x000001c0) == 0x40) {
      						L20:
      						_t60 =  *((intOrPtr*)(_t82 + 4));
      						__imp__?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z( *((intOrPtr*)(_t95 - 0x20)),  *((intOrPtr*)(_t95 - 0x18)), 0);
      						__eflags = _t60 -  *((intOrPtr*)(_t95 - 0x18));
      						if(_t60 !=  *((intOrPtr*)(_t95 - 0x18))) {
      							goto L27;
      						} else {
      							__eflags = _t91;
      							if(_t91 != 0) {
      								goto L27;
      							} else {
      								_t67 =  *((intOrPtr*)(_t95 - 0x14));
      								while(1) {
      									__eflags = _t67;
      									if(__eflags < 0) {
      										break;
      									}
      									if(__eflags > 0) {
      										L26:
      										_t70 =  *((intOrPtr*)( *((intOrPtr*)( *_t93 + 4)) + _t93 + 0x40));
      										__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t70);
      										__eflags = _t70 - 0xffffffff;
      										if(_t70 != 0xffffffff) {
      											_t67 =  *((intOrPtr*)(_t95 - 0x14));
      											_t77 = _t77 + 0xffffffff;
      											asm("adc eax, 0xffffffff");
      											 *((intOrPtr*)(_t95 - 0x14)) = _t67;
      											continue;
      										} else {
      											goto L27;
      										}
      									} else {
      										__eflags = _t77;
      										if(_t77 <= 0) {
      											break;
      										} else {
      											goto L26;
      										}
      									}
      									goto L30;
      								}
      								_t84 = 0;
      							}
      						}
      					} else {
      						_t71 =  *((intOrPtr*)(_t95 - 0x14));
      						while(1) {
      							__eflags = _t71;
      							if(__eflags < 0) {
      								break;
      							}
      							if(__eflags > 0) {
      								L17:
      								_t74 =  *((intOrPtr*)( *((intOrPtr*)( *_t93 + 4)) + _t93 + 0x40));
      								__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t74);
      								__eflags = _t74 - 0xffffffff;
      								if(_t74 == 0xffffffff) {
      									L27:
      									_t84 = 4;
      								} else {
      									_t71 =  *((intOrPtr*)(_t95 - 0x14));
      									_t77 = _t77 + 0xffffffff;
      									asm("adc eax, 0xffffffff");
      									 *((intOrPtr*)(_t95 - 0x14)) = _t71;
      									continue;
      								}
      							} else {
      								__eflags = _t77;
      								if(_t77 <= 0) {
      									break;
      								} else {
      									goto L17;
      								}
      							}
      							goto L30;
      						}
      						_t82 =  *_t93;
      						goto L20;
      					}
      					L30:
      					_t62 =  *((intOrPtr*)( *_t93 + 4));
      					 *((intOrPtr*)(_t62 + _t93 + 0x20)) = 0;
      					 *((intOrPtr*)(_t62 + _t93 + 0x24)) = 0;
      					 *((intOrPtr*)(_t95 - 4)) = 0;
      				} else {
      					_t84 = 4;
      				}
      				__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(0);
      				E0112419F(_t95 - 0x2c);
      				return E01143D26(_t93, _t84);
      			}


























      APIs
      • __EH_prolog3_catch.LIBCMT ref: 011238B3
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123957
      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123980
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 011239AA
      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,?,?,?,?,?,?,?,?,00000020,0112252E), ref: 01123A06
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@H_prolog3_catch
      • String ID:
      • API String ID: 1934335076-0
      • Opcode ID: e803778125bfc8ff9d337a785cf85790f4730ac49995f10ab5940fd10144c830
      • Instruction ID: 66fc2dfe30b464a2748c09be3d22c1dc02f954ee0cca8b1b0a526bb3d9ff49be
      • Opcode Fuzzy Hash: e803778125bfc8ff9d337a785cf85790f4730ac49995f10ab5940fd10144c830
      • Instruction Fuzzy Hash: D2418F34B142269FCF2DCB6CC4848ACBBB1BF0E724B244659E175AB391E774D960CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 35%
      			E01124358(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
      				intOrPtr _t47;
      				intOrPtr _t54;
      				signed int _t61;
      				signed int _t65;
      				signed int _t67;
      				intOrPtr _t68;
      				intOrPtr _t70;
      				signed int _t71;
      				intOrPtr* _t72;
      				intOrPtr _t74;
      				signed int _t76;
      				intOrPtr _t85;
      				intOrPtr* _t88;
      				void* _t89;
      				intOrPtr _t90;
      
      				_t85 = __edx;
      				_t72 = __ecx;
      				E01143DC8(E01145DB1, __ebx, __edi, 0x18);
      				 *((intOrPtr*)(_t89 - 0x1c)) = __edx;
      				_t88 = _t72;
      				 *((intOrPtr*)(_t89 - 0x18)) = _t88;
      				 *(_t89 - 0x14) = 0;
      				_t47 =  *((intOrPtr*)( *_t88 + 4));
      				_t70 =  *((intOrPtr*)(_t47 + _t88 + 0x20));
      				_t90 =  *((intOrPtr*)(_t47 + _t88 + 0x24));
      				if(_t90 < 0 || _t90 <= 0 && _t70 <= 0) {
      					L5:
      					_t71 = 0;
      				} else {
      					_t68 =  *((intOrPtr*)(_t89 + 8));
      					if(_t70 <= _t68) {
      						goto L5;
      					} else {
      						_t71 = _t70 - _t68;
      					}
      				}
      				_push(_t88);
      				E011234A5(_t89 - 0x24, 0);
      				 *((intOrPtr*)(_t89 - 4)) = 0;
      				if( *((char*)(_t89 - 0x20)) != 0) {
      					 *((char*)(_t89 - 4)) = 1;
      					_t74 =  *_t88;
      					if(( *( *((intOrPtr*)(_t74 + 4)) + _t88 + 0x14) & 0x000001c0) == 0x40) {
      						L14:
      						__imp__?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z( *((intOrPtr*)(_t89 - 0x1c)),  *((intOrPtr*)(_t89 + 8)), 0);
      						if( *((intOrPtr*)(_t74 + 4)) !=  *((intOrPtr*)(_t89 + 8)) || _t85 != 0) {
      							_t76 = 4;
      						} else {
      							goto L16;
      						}
      					} else {
      						while(_t71 != 0) {
      							_t65 =  *( *((intOrPtr*)( *_t88 + 4)) + _t88 + 0x40) & 0x0000ffff;
      							__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t65);
      							if(0xffff != _t65) {
      								_t71 = _t71 - 1;
      								continue;
      							} else {
      								_t67 = 4;
      								 *(_t89 - 0x14) = _t67;
      								L16:
      								while(_t71 != 0) {
      									_t61 =  *( *((intOrPtr*)( *_t88 + 4)) + _t88 + 0x40) & 0x0000ffff;
      									__imp__?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z(_t61);
      									if(0xffff != _t61) {
      										_t71 = _t71 - 1;
      										continue;
      									} else {
      										_t76 =  *(_t89 - 0x14) | 0x00000004;
      									}
      									goto L22;
      								}
      								_t76 =  *(_t89 - 0x14);
      							}
      							goto L22;
      						}
      						_t74 =  *_t88;
      						goto L14;
      					}
      					L22:
      					_t54 =  *((intOrPtr*)( *_t88 + 4));
      					 *((intOrPtr*)(_t54 + _t88 + 0x20)) = 0;
      					 *((intOrPtr*)(_t54 + _t88 + 0x24)) = 0;
      					 *((intOrPtr*)(_t89 - 4)) = 0;
      				} else {
      					_t76 = 4;
      				}
      				__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(0);
      				E01123448(_t89 - 0x24);
      				return E01143D26(_t88, _t76);
      			}

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 0112435F
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000018,011344DF,?,?), ref: 011243D7
      • ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAE_JPB_W_J@Z.MSVCP140(?,?,00000000,?,00000018,011344DF,?,?), ref: 01124405
      • ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QAEG_W@Z.MSVCP140(?,?,00000018,011344DF,?,?), ref: 01124427
      • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000018,011344DF,?,?), ref: 0112448A
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$?sputc@?$basic_streambuf@_$?setstate@?$basic_ios@_?sputn@?$basic_streambuf@_H_prolog3_catch
      • String ID:
      • API String ID: 1687759287-0
      • Opcode ID: 130e93a6dcb437895f2ed187f9b6ec282aed7eb5f5172d38ac63aa3fab8302bb
      • Instruction ID: ae54b52dff5fb92b52bc0e2ad37bf6c381c483bfd1c286e60ec90536a60219f9
      • Opcode Fuzzy Hash: 130e93a6dcb437895f2ed187f9b6ec282aed7eb5f5172d38ac63aa3fab8302bb
      • Instruction Fuzzy Hash: CE41AB74A042A1CFDB29CF98C580D6DBBF1FF58704B918069E6869BA51CB31DE50CB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 35%
      			E01132C4A(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi) {
      				intOrPtr _t47;
      				intOrPtr _t54;
      				intOrPtr _t61;
      				intOrPtr _t64;
      				signed int _t65;
      				intOrPtr _t66;
      				intOrPtr _t68;
      				signed int _t69;
      				intOrPtr* _t70;
      				intOrPtr _t72;
      				signed int _t74;
      				intOrPtr _t81;
      				intOrPtr* _t84;
      				void* _t85;
      				intOrPtr _t86;
      
      				_t81 = __edx;
      				_t70 = __ecx;
      				E01143DC8(E01147D43, __ebx, __edi, 0x18);
      				 *((intOrPtr*)(_t85 - 0x1c)) = __edx;
      				_t84 = _t70;
      				 *((intOrPtr*)(_t85 - 0x18)) = _t84;
      				 *(_t85 - 0x14) = 0;
      				_t47 =  *((intOrPtr*)( *_t84 + 4));
      				_t68 =  *((intOrPtr*)(_t47 + _t84 + 0x20));
      				_t86 =  *((intOrPtr*)(_t47 + _t84 + 0x24));
      				if(_t86 < 0 || _t86 <= 0 && _t68 <= 0) {
      					L5:
      					_t69 = 0;
      				} else {
      					_t66 =  *((intOrPtr*)(_t85 + 8));
      					if(_t68 <= _t66) {
      						goto L5;
      					} else {
      						_t69 = _t68 - _t66;
      					}
      				}
      				_push(_t84);
      				E011241FC(_t85 - 0x24, 0);
      				 *((intOrPtr*)(_t85 - 4)) = 0;
      				if( *((char*)(_t85 - 0x20)) != 0) {
      					 *((char*)(_t85 - 4)) = 1;
      					_t72 =  *_t84;
      					if(( *( *((intOrPtr*)(_t72 + 4)) + _t84 + 0x14) & 0x000001c0) == 0x40) {
      						L14:
      						__imp__?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z( *((intOrPtr*)(_t85 - 0x1c)),  *((intOrPtr*)(_t85 + 8)), 0);
      						if( *((intOrPtr*)(_t72 + 4)) !=  *((intOrPtr*)(_t85 + 8)) || _t81 != 0) {
      							_t74 = 4;
      						} else {
      							goto L16;
      						}
      					} else {
      						while(_t69 != 0) {
      							_t64 =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 4)) + _t84 + 0x40));
      							__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t64);
      							if(_t64 != 0xffffffff) {
      								_t69 = _t69 - 1;
      								continue;
      							} else {
      								_t65 = 4;
      								 *(_t85 - 0x14) = _t65;
      								L16:
      								while(_t69 != 0) {
      									_t61 =  *((intOrPtr*)( *((intOrPtr*)( *_t84 + 4)) + _t84 + 0x40));
      									__imp__?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z(_t61);
      									if(_t61 != 0xffffffff) {
      										_t69 = _t69 - 1;
      										continue;
      									} else {
      										_t74 =  *(_t85 - 0x14) | 0x00000004;
      									}
      									goto L22;
      								}
      								_t74 =  *(_t85 - 0x14);
      							}
      							goto L22;
      						}
      						_t72 =  *_t84;
      						goto L14;
      					}
      					L22:
      					_t54 =  *((intOrPtr*)( *_t84 + 4));
      					 *((intOrPtr*)(_t54 + _t84 + 0x20)) = 0;
      					 *((intOrPtr*)(_t54 + _t84 + 0x24)) = 0;
      					 *((intOrPtr*)(_t85 - 4)) = 0;
      				} else {
      					_t74 = 4;
      				}
      				__imp__?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z(0);
      				E0112419F(_t85 - 0x24);
      				return E01143D26(_t84, _t74);
      			}

      APIs
      • __EH_prolog3_catch.LIBCMT ref: 01132C51
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,00000018,01132A28,?), ref: 01132CC8
      • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,00000018,01132A28,?), ref: 01132CEE
      • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,00000018,01132A28,?), ref: 01132D0F
      • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000004,00000000,?,00000018,01132A28,?), ref: 01132D6A
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@H_prolog3_catch
      • String ID:
      • API String ID: 1934335076-0
      • Opcode ID: 6940e4ffda7c0b8189ebdac25092d4df97a64fae0e2fa72f5ab23fa2aeaa1633
      • Instruction ID: 9a728545f020e8b08cf60ef440977b24e4d35a21983a25268b4b588b33513f42
      • Opcode Fuzzy Hash: 6940e4ffda7c0b8189ebdac25092d4df97a64fae0e2fa72f5ab23fa2aeaa1633
      • Instruction Fuzzy Hash: 7841EE34A00606DFCB2DEFA8C584D6CBBF1BF98724B654149E6469B399CB70EE40CB40
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 37%
      			E0113F75C(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
      				void* _t11;
      				intOrPtr _t12;
      				intOrPtr* _t21;
      				intOrPtr* _t31;
      				signed int _t32;
      				void* _t33;
      
      				_t21 = __ecx;
      				_t11 = E01143D5D(E011495DB, __ebx, __edi, 8);
      				_t31 = _t21;
      				_t32 = _t31 + 4;
      				if( *((intOrPtr*)(_t32 + 0x4c)) != 0) {
      					L3:
      					_t32 = 0;
      				} else {
      					__imp__?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z( *((intOrPtr*)(_t33 + 8)), 0xa, 0x40);
      					if(_t11 == 0) {
      						goto L3;
      					} else {
      						E0113EEC4(_t11, _t32, _t11, 1);
      						_t15 = _t33 - 0x14;
      						__imp__?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ();
      						 *(_t33 - 4) = 0;
      						E0113EDFD(E0113EF8F(0, _t33 - 0x14, __edx, _t31, _t15), _t32, _t16);
      						 *(_t33 - 4) =  *(_t33 - 4) | 0xffffffff;
      						E01129306(_t33 - 0x14);
      					}
      				}
      				_t12 =  *_t31;
      				_push(0);
      				if(_t32 != 0) {
      					__imp__?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(0);
      				} else {
      					__imp__?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z(2);
      				}
      				return E01143D26(_t12);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 0113F763
      • ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(?,0000000A,00000040,00000008,0113F671,0115A174), ref: 0113F77B
      • ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001), ref: 0113F798
        • Part of subcall function 0113EF8F: __EH_prolog3_GS.LIBCMT ref: 0113EF96
        • Part of subcall function 0113EF8F: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,0000001C,0113F7A8), ref: 0113EFA2
        • Part of subcall function 0113EF8F: ??Bid@locale@std@@QAEIXZ.MSVCP140 ref: 0113EFBA
        • Part of subcall function 0113EF8F: ?_Getcat@?$codecvt@_WDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(00000000,?,00000000), ref: 0113EFDA
        • Part of subcall function 0113EF8F: std::_Facet_Register.LIBCPMT ref: 0113EFF2
        • Part of subcall function 0113EF8F: ??1_Lockit@std@@QAE@XZ.MSVCP140(00000000), ref: 0113F00B
        • Part of subcall function 0113EDFD: ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,0113F7B0,00000000), ref: 0113EE09
      • ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000008,0113F671,0115A174), ref: 0113F7CE
      • ?clear@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,00000008,0113F671,0115A174), ref: 0113F7D7
        • Part of subcall function 0113EEC4: ?_Init@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEXXZ.MSVCP140(?,?,?,0113EF85,00000000), ref: 0113EEDC
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_W@std@@@std@@$Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?clear@?$basic_ios@_?getloc@?$basic_streambuf@_?setstate@?$basic_ios@_Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@_H_prolog3H_prolog3_Init@?$basic_streambuf@_Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@std::_
      • String ID:
      • API String ID: 3807499614-0
      • Opcode ID: 9cef5c7272bd78bcaf8a974ae7f23c3aede3283b24e7b2c27eea7470f1618b86
      • Instruction ID: d3d958e0df67733ae7e66885f1b702712489dabc1ced64705189faaf6e635508
      • Opcode Fuzzy Hash: 9cef5c7272bd78bcaf8a974ae7f23c3aede3283b24e7b2c27eea7470f1618b86
      • Instruction Fuzzy Hash: 6F01D871A00726DBCB2DEB64CD85B2D7665BF54B04F404129E516F72C8DB308D02CB66
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E0112EC7C(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
      				intOrPtr _t63;
      				intOrPtr _t68;
      				intOrPtr _t69;
      				void _t70;
      				void* _t72;
      				void* _t74;
      				intOrPtr* _t97;
      				intOrPtr _t107;
      				signed int _t108;
      				intOrPtr* _t136;
      				void* _t138;
      				void* _t141;
      				intOrPtr _t142;
      				void* _t143;
      
      				_t107 = __ecx;
      				E01143D91(E01146FE8, __ebx, __edi, 0x280);
      				_t63 = _t107;
      				 *((intOrPtr*)(_t143 - 0x234)) = _t63;
      				 *((intOrPtr*)(_t143 - 0x21c)) = _t63;
      				 *((intOrPtr*)(_t143 - 4)) = 0;
      				 *((intOrPtr*)(_t143 - 0x254)) = _t63;
      				 *((intOrPtr*)(_t143 - 0x238)) = 0;
      				E011298AC(_t107, 0x114c098);
      				 *((intOrPtr*)(_t143 - 4)) = 0;
      				 *((intOrPtr*)(_t143 - 0x238)) = 1;
      				memset(_t143 - 0x218, 0, 0x208);
      				__imp__SHGetFolderPathW(0, 0x1a, 0, 0, _t143 - 0x218);
      				_t136 = _t143 - 0x216;
      				do {
      					_t68 =  *((intOrPtr*)(_t136 + 2));
      					_t136 = _t136 + 2;
      				} while (_t68 != 0);
      				_t69 =  *0x114c5d0; // 0x5c
      				 *_t136 = _t69;
      				_t138 = _t143 - 0x216;
      				do {
      					_t70 =  *(_t138 + 2);
      					_t138 = _t138 + 2;
      				} while (_t70 != 0);
      				_t108 = 6;
      				_t141 = L"AppDirectory";
      				_t72 = memcpy(_t138, _t141, _t108 << 2);
      				_t140 = _t141 + _t108 + _t108;
      				_push(0);
      				asm("movsw");
      				E01131FBA(_t143 - 0x250, _t72);
      				 *((intOrPtr*)(_t143 - 4)) = 1;
      				_t74 = E0112E234(0, _t143 - 0x250, _t141 + _t108 + _t108, _t141);
      				_t112 = _t143 - 0x250;
      				 *((char*)(_t143 - 4)) = 0;
      				_t106 = _t74;
      				E01129A96(_t143 - 0x250);
      				_t152 = _t74;
      				if(_t74 == 0) {
      					_t142 =  *((intOrPtr*)(_t143 - 0x234));
      				} else {
      					E01131FBA(_t143 - 0x250, _t143 - 0x218);
      					 *((intOrPtr*)(_t143 - 4)) = 2;
      					E0112E132(_t106, _t143 - 0x230, _t140, _t152, _t143 - 0x250, _t112);
      					E01129A96(_t143 - 0x250);
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x228], xmm0");
      					E0112EEF2(_t143 - 0x220, _t143 - 0x230);
      					_t140 =  *((intOrPtr*)(_t143 - 0x220));
      					_t106 = 0;
      					 *((intOrPtr*)(_t143 - 0x228)) = _t140;
      					 *((intOrPtr*)(_t143 - 0x224)) =  *((intOrPtr*)(_t143 - 0x21c));
      					 *((intOrPtr*)(_t143 - 0x220)) = 0;
      					 *((intOrPtr*)(_t143 - 0x21c)) = 0;
      					E01131C14(_t143 - 0x220);
      					E0112EEF2(_t143 - 0x25c, _t143 - 0x230);
      					asm("xorps xmm0, xmm0");
      					asm("movlpd [ebp-0x220], xmm0");
      					 *((intOrPtr*)(_t143 - 0x220)) = 0;
      					 *((intOrPtr*)(_t143 - 0x21c)) = 0;
      					E01131C14(_t143 - 0x25c);
      					 *((char*)(_t143 - 4)) = 6;
      					_t142 =  *((intOrPtr*)(_t143 - 0x234));
      					while(_t140 != 0 && E0112DA20(_t142, 0x114c098) != 0) {
      						_t42 = _t140 + 0x20; // 0x20
      						if(E0112E2B5(_t106, _t42, _t140, _t142) != 0) {
      							_t44 = _t140 + 0x20; // 0x20
      							_t97 = E0112DD7B(_t44, _t143 - 0x28c);
      							 *((char*)(_t143 - 4)) = 7;
      							if( *((intOrPtr*)(_t97 + 0x14)) >= 8) {
      								_t97 =  *_t97;
      							}
      							E0112BA52(_t143 - 0x250, _t97);
      							 *((char*)(_t143 - 4)) = 8;
      							E011293B6(_t142, _t142, E01136693(_t106, _t143 - 0x274, _t143 - 0x250, _t140));
      							E01129AC1(_t143 - 0x274);
      							E01129A96(_t143 - 0x250);
      							 *((char*)(_t143 - 4)) = 6;
      							E01129A96(_t143 - 0x28c);
      						}
      						E0112E175(_t106, _t143 - 0x228);
      						_t140 =  *((intOrPtr*)(_t143 - 0x228));
      					}
      					E01131C14(_t143 - 0x220);
      					E01131C14(_t143 - 0x228);
      					E01131C14(_t143 - 0x230);
      				}
      				return E01143D3B(_t142, _t106, _t140);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112EC86
      • memset.VCRUNTIME140(?,00000000,00000208,0114C098,00000280,0112FA68,browser_on_pc), ref: 0112ECCE
      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,00000280,0112FA68,browser_on_pc), ref: 0112ECE2
        • Part of subcall function 0112E175: ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0112E19D
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: FolderH_prolog3_Path___std_fs_directory_iterator_advance@8memset
      • String ID: AppDirectory
      • API String ID: 3549355733-4210571340
      • Opcode ID: c2925040a3c92516ac083efeaea5311065daab7c263c7a23eab40a9baba472d1
      • Instruction ID: aa50fd73c20b66f92e1188dc4c15e0d0a162bf17ac8c86ee9d85f1820890cfda
      • Opcode Fuzzy Hash: c2925040a3c92516ac083efeaea5311065daab7c263c7a23eab40a9baba472d1
      • Instruction Fuzzy Hash: 2B513A7194223EAACB28EB64CC98BDDB775BF64308F5042E9D40967250EB306F99CF54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 88%
      			E01142CF5(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __eflags) {
      				intOrPtr* _t84;
      				void* _t87;
      				intOrPtr* _t89;
      				intOrPtr* _t90;
      				intOrPtr* _t91;
      				signed char _t102;
      				intOrPtr* _t103;
      				intOrPtr* _t108;
      				intOrPtr _t110;
      				intOrPtr _t116;
      				void* _t117;
      				intOrPtr* _t134;
      				void* _t135;
      				intOrPtr* _t136;
      				void* _t145;
      
      				_t103 = __ecx;
      				E01143D91(E01149EE4, __ebx, __edi, 0x74);
      				_t134 = _t103;
      				 *((intOrPtr*)(_t135 - 0x1c)) = _t134;
      				 *((intOrPtr*)(_t135 - 0x64)) = _t134;
      				 *(_t135 - 0x44) = 0;
      				 *((intOrPtr*)(_t134 + 0x10)) = 0;
      				 *((intOrPtr*)(_t134 + 0x14)) = 0xf;
      				 *_t134 = 0;
      				 *(_t135 - 4) = 0;
      				asm("stosd");
      				 *(_t135 - 0x44) = 1;
      				asm("stosd");
      				asm("stosd");
      				E01142822(1, _t135 - 0x40, _t135 - 0x40);
      				_t133 = 0;
      				 *(_t135 - 4) = 1;
      				 *((intOrPtr*)(_t135 - 0x18)) = 0;
      				 *(_t135 - 4) = 2;
      				 *((intOrPtr*)(_t135 - 0x24)) = 0;
      				 *((intOrPtr*)(_t135 - 0x20)) = 7;
      				 *((short*)(_t135 - 0x34)) = 0;
      				E0112BA2B(L"SELECT * FROM Win32_PhysicalMedia WHERE Tag = \'\\\\\\\\.\\\\PHYSICALDRIVE0\'");
      				_t102 = 3;
      				 *(_t135 - 4) = _t102;
      				E01142A4D(_t102, _t135 - 0x40, 0, _t135 - 0x34, _t135 - 0x18, _t135 - 0x1c);
      				E01129A96(_t135 - 0x34);
      				if( *((intOrPtr*)(_t135 - 0x1c)) > 0) {
      					_t110 = 7;
      					 *((intOrPtr*)(_t135 - 0x24)) = 0;
      					 *((intOrPtr*)(_t135 - 0x20)) = _t110;
      					 *((short*)(_t135 - 0x34)) = 0;
      					 *(_t135 - 4) = 4;
      					 *((intOrPtr*)(_t135 - 0x4c)) = _t110;
      					 *((intOrPtr*)(_t135 - 0x50)) = 0;
      					 *((short*)(_t135 - 0x60)) = 0;
      					E0112BA2B(L"SerialNumber");
      					_push(_t135 - 0x34);
      					_push(_t135 - 0x60);
      					_push(_t135 - 0x60);
      					 *(_t135 - 4) = 6;
      					_t84 =  *((intOrPtr*)(_t135 - 0x18));
      					 *_t136 = _t84;
      					if(_t84 != 0) {
      						 *((intOrPtr*)( *_t84 + 4))(_t84);
      					}
      					 *(_t135 - 4) = 5;
      					E01142BA1(_t102, _t133);
      					 *(_t135 - 4) = 4;
      					E01129A96(_t135 - 0x60);
      					if( *((intOrPtr*)(_t135 - 0x24)) != 0) {
      						_t87 = E01136693(_t102, _t135 - 0x60, _t135 - 0x34, _t133);
      						_t102 = 5;
      					} else {
      						_t87 = E011298AC(_t135 - 0x80, "None");
      					}
      					 *(_t135 - 0x44) = _t102;
      					E011293B6(_t134, _t134, _t87);
      					if((_t102 & 0x00000004) != 0) {
      						_t102 = _t102 & 0xfffffffb;
      						 *(_t135 - 0x44) = _t102;
      						E01129AC1(_t135 - 0x60);
      					}
      					 *(_t135 - 4) = 4;
      					if((_t102 & 0x00000002) != 0) {
      						 *(_t135 - 0x44) = _t102;
      						E01129AC1(_t135 - 0x80);
      					}
      					_t145 =  *((intOrPtr*)(_t134 + 0x14)) - 0x10;
      					_t89 = _t134;
      					if(_t145 >= 0) {
      						_t89 =  *_t134;
      					}
      					_t116 =  *((intOrPtr*)(_t134 + 0x10));
      					_t133 = _t116 + _t89;
      					_t90 = _t134;
      					if(_t145 >= 0) {
      						_t90 =  *_t134;
      					}
      					_t117 = _t116 + _t90;
      					_t91 = _t134;
      					if( *((intOrPtr*)(_t134 + 0x14)) >= 0x10) {
      						_t91 =  *_t134;
      					}
      					E01134A6B(_t134, _t135 - 0x68,  *((intOrPtr*)(E01142EA8(_t135 - 0x48, __imp__isspace, _t91, _t117))), _t133);
      					E01129A96(_t135 - 0x34);
      				}
      				 *(_t135 - 4) = 8;
      				_t108 =  *((intOrPtr*)(_t135 - 0x18));
      				if(_t108 != 0) {
      					 *((intOrPtr*)( *_t108 + 8))(_t108);
      				}
      				E011429B9(_t135 - 0x40);
      				return E01143D3B(_t134, _t102, _t133);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01142CFC
        • Part of subcall function 01142822: __EH_prolog3.LIBCMT ref: 01142829
        • Part of subcall function 01142822: CoInitializeEx.OLE32(00000000,00000000,00000010,01142D31,00000074,0112E986), ref: 0114284E
        • Part of subcall function 01142822: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01142867
        • Part of subcall function 01142822: #1511.MFC140U(00000018), ref: 01142873
        • Part of subcall function 01142822: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01142987
        • Part of subcall function 01142A4D: __EH_prolog3_GS.LIBCMT ref: 01142A54
        • Part of subcall function 01142A4D: #2.OLEAUT32(WQL,?,00000020,01142D74,?,?,0112E986,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'), ref: 01142ABB
        • Part of subcall function 01142A4D: #6.OLEAUT32(00000000), ref: 01142AEA
        • Part of subcall function 01142A4D: #6.OLEAUT32(0112E986), ref: 01142AF3
        • Part of subcall function 01142A4D: #1511.MFC140U(00000018), ref: 01142B12
        • Part of subcall function 01142A4D: _CxxThrowException.VCRUNTIME140(0112E986,01156040,0112E986), ref: 01142B9B
      Strings
      • None, xrefs: 01142DE8
      • SerialNumber, xrefs: 01142D9E
      • SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0', xrefs: 01142D45
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3_InitializeThrow$H_prolog3Security
      • String ID: None$SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'$SerialNumber
      • API String ID: 2786062156-44562505
      • Opcode ID: 4b32854e60a3ad14ee7a660387609db0b0fa169ede87dd43752d4b27cdd15d6c
      • Instruction ID: 6f0f5cf07829b8cd3b862152592391cb2449b625d991473349d6fee41830fa45
      • Opcode Fuzzy Hash: 4b32854e60a3ad14ee7a660387609db0b0fa169ede87dd43752d4b27cdd15d6c
      • Instruction Fuzzy Hash: 09517B70D0136ADFDF28DFA8D944ADEBBB5BF28708F10055EE145A7290DB706A45CB50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 77%
      			E0112EABC(short __ebx, void* __edx, intOrPtr __edi) {
      				void* _t59;
      				void* _t64;
      				void* _t72;
      				void* _t73;
      				intOrPtr* _t100;
      				void* _t118;
      				intOrPtr _t123;
      				intOrPtr* _t126;
      				void* _t127;
      				void* _t128;
      
      				_t122 = __edi;
      				_t118 = __edx;
      				_t94 = __ebx;
      				_t59 = E01143D91(E01146F51, __ebx, __edi, 0x78);
      				_t129 =  *0x115a094;
      				if( *0x115a094 == 0) {
      					asm("xorps xmm0, xmm0");
      					_t94 = 0;
      					asm("movlpd [ebp-0x18], xmm0");
      					 *((intOrPtr*)(_t127 - 0x18)) = 0x114f834;
      					 *((intOrPtr*)(_t127 - 0x14)) = 0;
      					_t123 = 7;
      					 *((intOrPtr*)(_t127 - 4)) = 0;
      					 *((intOrPtr*)(_t127 - 0x5c)) = 0;
      					 *((intOrPtr*)(_t127 - 0x58)) = _t123;
      					 *((short*)(_t127 - 0x6c)) = 0;
      					E0112BA2B(L"SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet");
      					_push(_t127 - 0x6c);
      					_t64 = E01142F52(_t127 - 0x18, _t129, 0x80000002, _t127 - 0x6c);
      					E01129A96(_t127 - 0x6c);
      					if(_t64 == 0) {
      						 *((intOrPtr*)(_t127 - 0x5c)) = 0;
      						 *((intOrPtr*)(_t127 - 0x58)) = _t123;
      						 *((short*)(_t127 - 0x6c)) = 0;
      						E0112BA2B(L"SOFTWARE\\Clients\\StartMenuInternet");
      						_push(_t127 - 0x6c);
      						E01142F52(_t127 - 0x18, 0, 0x80000002, _t127 - 0x6c);
      						E01129A96(_t127 - 0x6c);
      					}
      					 *((intOrPtr*)(_t127 - 0x2c)) = _t94;
      					 *((intOrPtr*)(_t127 - 0x28)) = _t123;
      					 *((short*)(_t127 - 0x3c)) = 0;
      					E0112BA2B(L"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. ");
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					 *((intOrPtr*)(_t127 - 0x24)) = _t94;
      					 *((intOrPtr*)(_t127 - 0x20)) = _t94;
      					 *((intOrPtr*)(_t127 - 0x1c)) = _t94;
      					 *((char*)(_t127 - 4)) = 2;
      					_push(_t127 - 0x24);
      					E01143043(_t94, _t127 - 0x18, _t118, _t127 - 0x24);
      					_t122 =  *((intOrPtr*)(_t127 - 0x20));
      					_t126 =  *((intOrPtr*)(_t127 - 0x24));
      					while(_t126 != _t122) {
      						__eflags =  *((intOrPtr*)(_t127 - 0x28)) - 8;
      						_t100 = _t126;
      						_t72 =  >=  ?  *((void*)(_t127 - 0x3c)) : _t127 - 0x3c;
      						__eflags =  *((intOrPtr*)(_t126 + 0x14)) - 8;
      						if( *((intOrPtr*)(_t126 + 0x14)) >= 8) {
      							_t100 =  *_t126;
      						}
      						_push( *((intOrPtr*)(_t127 - 0x14)));
      						_t73 = E01132001(_t94, _t100,  *((intOrPtr*)(_t126 + 0x10)), _t122, _t126, _t100, _t72,  *((intOrPtr*)(_t127 - 0x2c)));
      						_t128 = _t128 + 0x10;
      						__eflags = _t73 - 0xffffffff;
      						if(_t73 != 0xffffffff) {
      							_push(_t73);
      							E01132298(_t126, E01122D52(_t126, _t127 - 0x6c, _t94));
      							E01129A96(_t127 - 0x6c);
      						}
      						_t126 = _t126 + 0x18;
      						__eflags = _t126;
      					}
      					 *((intOrPtr*)(_t127 - 0x5c)) = _t94;
      					 *((intOrPtr*)(_t127 - 0x58)) = 7;
      					 *((short*)(_t127 - 0x6c)) = 0;
      					E0112BA2B(",");
      					 *((char*)(_t127 - 4)) = 3;
      					_push(_t127 - 0x6c);
      					E01140176(_t94, _t127 - 0x54, _t127 - 0x24, _t122);
      					 *((char*)(_t127 - 4)) = 5;
      					E01129A96(_t127 - 0x6c);
      					E011293B6(0x115a084, _t126, E01136693(_t94, _t127 - 0x84, _t127 - 0x54, _t122));
      					E01129AC1(_t127 - 0x84);
      					E01129A96(_t127 - 0x54);
      					E01131C43(_t127 - 0x24, _t127 - 0x54);
      					E01129A96(_t127 - 0x3c);
      					 *((intOrPtr*)(_t127 - 0x18)) = 0x114f834;
      					_t59 = E01142F87(_t127 - 0x18);
      				}
      				return E01143D3B(_t59, _t94, _t122);
      			}














      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112EAC3
        • Part of subcall function 01142F52: RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?), ref: 01142F77
      Strings
      • SOFTWARE\Clients\StartMenuInternet, xrefs: 0112EB2D
      • SOFTWARE\WOW6432Node\Clients\StartMenuInternet, xrefs: 0112EAF7
      • abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. , xrefs: 0112EB60
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_Open
      • String ID: SOFTWARE\Clients\StartMenuInternet$SOFTWARE\WOW6432Node\Clients\StartMenuInternet$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.
      • API String ID: 3480169260-2562780492
      • Opcode ID: e7e8b78c3b667c8d754575bcae1eccbbd08c583f22ab68a30c051774ff7ddb75
      • Instruction ID: 64a1423f230012ddee775c3c9ecf9cdb6d782eda5a30b72ae3c0f01ea072c3e9
      • Opcode Fuzzy Hash: e7e8b78c3b667c8d754575bcae1eccbbd08c583f22ab68a30c051774ff7ddb75
      • Instruction Fuzzy Hash: 20513B70C0126E9BDF09EFE9C890AEDF7B8BF28308F50851AD515B7250EB305A59CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 75%
      			E0112CC5B(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
      				intOrPtr _t59;
      				intOrPtr _t70;
      				signed int _t76;
      				intOrPtr _t77;
      				signed int _t78;
      				intOrPtr _t100;
      				void* _t101;
      				void* _t102;
      				void* _t103;
      				void* _t104;
      				void* _t105;
      				void* _t106;
      				void* _t107;
      
      				_t108 = __eflags;
      				_t101 = __esi;
      				_t98 = __edi;
      				_t97 = __edx;
      				_t78 = __ecx;
      				E01143D91(E01146AD9, __ebx, __edi, 0xe0);
      				_t76 = _t78;
      				 *(_t103 - 0xd0) = _t76;
      				 *(_t103 - 0x14) = _t76;
      				 *(_t103 - 0xd4) = _t76;
      				 *(_t103 - 4) =  *(_t103 - 4) & 0x00000000;
      				E0112C1DB(_t76, _t78, __edx, __edi, __eflags);
      				_t105 = _t104 - 0x18;
      				 *(_t103 - 4) = 1;
      				 *(_t103 - 0x18) =  *(_t103 - 0x18) & 0x00000000;
      				E011298E1(_t105, _t103 + 8);
      				E0113A86F(_t76, _t103 - 0x18, _t98);
      				_t106 = _t105 - 0x18;
      				 *(_t103 - 4) = 2;
      				E011298AC(_t106, "configuration");
      				_push(_t103 - 0xec);
      				E011293B6(_t76 + 0xc, _t101, E0113A922(_t76, _t103 - 0x18, _t98, _t108));
      				E01129AC1(_t103 - 0xec);
      				asm("stosd");
      				_t107 = _t106 - 0x18;
      				asm("stosd");
      				asm("stosd");
      				E011298AC(_t107, "actions");
      				_push(_t103 - 0x24);
      				E0113AA8B(_t76, _t103 - 0x18, _t103 - 0x24);
      				 *(_t103 - 4) = 3;
      				_t100 =  *((intOrPtr*)(_t103 - 0x24));
      				_t59 =  *((intOrPtr*)(_t103 - 0x20));
      				_t109 = _t100 - _t59;
      				if(_t100 != _t59) {
      					_t102 = _t76 + 0x24;
      					_t77 = _t59;
      					do {
      						 *(_t103 - 0x14) =  *(_t103 - 0x14) & 0x00000000;
      						_push(_t100);
      						E0113A8D2(_t77, _t103 - 0x14, _t100);
      						 *(_t103 - 4) = 4;
      						memset(_t103 - 0xcc, 0, 0xa8);
      						_t107 = _t107 + 0xc;
      						E0112195B(_t77, _t103 - 0xcc, _t97, _t100, _t102, _t109, _t103 - 0x14,  *((intOrPtr*)(_t103 + 0x20)));
      						 *(_t103 - 4) = 5;
      						_t70 =  *((intOrPtr*)(_t102 + 4));
      						_push(_t103 - 0xcc);
      						if(_t70 ==  *((intOrPtr*)(_t102 + 8))) {
      							_push(_t70);
      							E0112DAAF(_t77, _t102, _t100);
      						} else {
      							E01121882(_t77, _t70, _t97, _t100);
      							 *((intOrPtr*)(_t102 + 4)) =  *((intOrPtr*)(_t102 + 4)) + 0xa8;
      						}
      						E01121D26(_t77, _t103 - 0xcc, _t97);
      						 *(_t103 - 4) = 3;
      						E0113AC23(_t103 - 0x14);
      						_t100 = _t100 + 4;
      					} while (_t100 != _t77);
      					_t76 =  *(_t103 - 0xd0);
      				}
      				E01122D13(_t103 - 0x24);
      				E0113AC23(_t103 - 0x18);
      				E01129AC1(_t103 + 8);
      				return E01143D3B(_t76, _t76, _t100);
      			}

















      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112CC65
        • Part of subcall function 0112C1DB: __EH_prolog3_GS.LIBCMT ref: 0112C1E5
        • Part of subcall function 0113A86F: __EH_prolog3.LIBCMT ref: 0113A876
        • Part of subcall function 0113A86F: #1511.MFC140U(00000038,00000008,0113A64F,00000000), ref: 0113A88A
        • Part of subcall function 0113A86F: memset.VCRUNTIME140(00000000,00000000,00000038), ref: 0113A8A2
        • Part of subcall function 0113A922: __EH_prolog3_GS.LIBCMT ref: 0113A929
        • Part of subcall function 0113AA8B: __EH_prolog3.LIBCMT ref: 0113AA92
        • Part of subcall function 0113A8D2: __EH_prolog3.LIBCMT ref: 0113A8D9
        • Part of subcall function 0113A8D2: #1511.MFC140U(00000038,00000004,0113B7AF,?,00000038,0113A44C,?,?,?,?,00000014,?,01156040), ref: 0113A8ED
        • Part of subcall function 0113A8D2: memset.VCRUNTIME140(00000000,00000000,00000038), ref: 0113A906
      • memset.VCRUNTIME140(?,00000000,000000A8,?,?,actions), ref: 0112CD31
        • Part of subcall function 0112195B: __EH_prolog3_GS.LIBCMT ref: 01121965
        • Part of subcall function 01121882: __EH_prolog3.LIBCMT ref: 01121889
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3H_prolog3_$memset$#1511
      • String ID: actions$configuration
      • API String ID: 2590815879-1995396150
      • Opcode ID: 37e12ab9c40671c6a1e15942dd5ce1061ff578aaece2bf749da42db667513fad
      • Instruction ID: 1789d8f51d23d7e6b1a20f4581e547e0b0690d8608f89168b533bc00b5a7d866
      • Opcode Fuzzy Hash: 37e12ab9c40671c6a1e15942dd5ce1061ff578aaece2bf749da42db667513fad
      • Instruction Fuzzy Hash: 3741857190026EDBDF1CEBA4C991BEDBBB4AF24308F504098D545B7180EB749F59CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 92%
      			E0112E540(void* __ebx, void* __edx, intOrPtr __edi, void* __eflags) {
      				void* _t39;
      				void* _t42;
      				void* _t43;
      				void* _t46;
      				void* _t86;
      				signed int _t89;
      				void* _t94;
      				void* _t95;
      
      				_t90 = __edi;
      				_t86 = __edx;
      				_t62 = __ebx;
      				E01143D91(E01146E46, __ebx, __edi, 0xc4);
      				E011298E1(_t95 - 0x28, 0x115a09c);
      				_t91 =  *((intOrPtr*)(_t95 - 0x18));
      				_t39 = E01129AC1(_t95 - 0x28);
      				if( *((intOrPtr*)(_t95 - 0x18)) == 0) {
      					_t90 = 0;
      					__imp___time64(0);
      					E01132230(_t95 - 0x40, _t86, _t91, _t39, _t86);
      					 *((intOrPtr*)(_t95 - 4)) = 0;
      					_t42 = E011298AC(_t95 - 0xb8, "673ae6306d8266a780df868d6772aab3b9662e0f");
      					 *((char*)(_t95 - 4)) = 1;
      					_t43 = E011298AC(_t95 - 0xa0, "1248");
      					_t62 = "--";
      					 *((char*)(_t95 - 4)) = 2;
      					E011299A0(_t95 - 0x70, E01129C57(_t43, "--", 2));
      					 *((char*)(_t95 - 4)) = 3;
      					_t46 = E0112DA56(_t95 - 0x88, _t95 - 0x70, _t42);
      					 *((char*)(_t95 - 4)) = 4;
      					E011299A0(_t95 - 0x58, E01129C57(_t46, _t62, 2));
      					 *((char*)(_t95 - 4)) = 5;
      					E01131F14(_t95 - 0x28, _t95 - 0x58, _t95 - 0x40);
      					E01129AC1(_t95 - 0x58);
      					E01129AC1(_t95 - 0x88);
      					E01129AC1(_t95 - 0x70);
      					E01129AC1(_t95 - 0xa0);
      					 *((char*)(_t95 - 4)) = 0xb;
      					E01129AC1(_t95 - 0xb8);
      					_t89 = 0x811c9dc5;
      					_t94 =  >=  ?  *((void*)(_t95 - 0x28)) : _t95 - 0x28;
      					if( *((intOrPtr*)(_t95 - 0x18)) > 0) {
      						do {
      							_t89 = ( *(_t90 + _t94) & 0x000000ff ^ _t89) * 0x1000193;
      							_t90 = _t90 + 1;
      						} while (_t90 <  *((intOrPtr*)(_t95 - 0x18)));
      					}
      					E011293B6(0x115a09c, _t94, E0112DCE1(_t95 - 0xd0, _t89, _t90, _t94));
      					E01129AC1(_t95 - 0xd0);
      					E01129AC1(_t95 - 0x28);
      					_t39 = E01129AC1(_t95 - 0x40);
      				}
      				return E01143D3B(_t39, _t62, _t90);
      			}












      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112E54A
      • _time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,0115A09C,000000C4,0112E3C6,0115A0CC,?,?,?,?,?,00000050,0112117A,?,01156040), ref: 0112E572
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3__time64
      • String ID: 1248$673ae6306d8266a780df868d6772aab3b9662e0f
      • API String ID: 2832537541-1631817560
      • Opcode ID: 950850996c562fd0046da8d89e5714674fb2e7b3aa6e8f096b6b9d26c7867f91
      • Instruction ID: e914e60b80fd8eb08e328f3e2d9a5e3209415c509d7c64a17b2fa1905ee72903
      • Opcode Fuzzy Hash: 950850996c562fd0046da8d89e5714674fb2e7b3aa6e8f096b6b9d26c7867f91
      • Instruction Fuzzy Hash: 12311831A402BEDECF1DE7A8C860BEDBB74AF74718F584098C44577191EB701A99CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 43%
      			E0113A3B9(void* __ebx, void* __ecx, void* __edi) {
      				signed int _t130;
      				signed int _t133;
      				void* _t134;
      				intOrPtr* _t145;
      				void* _t146;
      				signed char _t157;
      				signed char _t159;
      				signed char _t161;
      				signed char _t163;
      				signed char _t165;
      				signed int _t167;
      				signed char _t168;
      				int _t170;
      				signed int _t186;
      				intOrPtr _t191;
      				int _t196;
      				signed char _t197;
      				void* _t200;
      				signed int* _t201;
      				unsigned int _t203;
      				signed int* _t204;
      				signed int* _t208;
      				signed char _t212;
      				signed int _t213;
      				void* _t215;
      				signed int _t234;
      				signed int _t240;
      				signed char _t241;
      				signed char _t242;
      				signed int* _t243;
      				void* _t245;
      				void* _t246;
      
      				_t233 = __edi;
      				_t200 = __ecx;
      				E01143D91(E01148C53, __ebx, __edi, 0x14);
      				_t241 =  *(_t245 + 8);
      				_t196 = 0;
      				 *(_t245 - 0x20) = _t241;
      				 *(_t245 - 0x1c) = 0;
      				 *(_t245 - 4) = 1;
      				_t128 =  >=  ?  *((void*)(_t245 + 0xc)) : _t245 + 0xc;
      				_t201 = E0113B365(0, _t200, __edi, _t241,  >=  ?  *((void*)(_t245 + 0xc)) : _t245 + 0xc);
      				_t130 = 4;
      				if(_t201[3] != _t130) {
      					__imp__#1511(0x18);
      					 *(_t245 - 0x18) = _t130;
      					 *(_t245 - 4) = 2;
      					__eflags = _t130;
      					if(_t130 != 0) {
      						_t196 = E011298AC(_t130, "Not an array");
      					}
      					_push(0x1156040);
      					 *(_t245 - 4) = 1;
      					_push(_t245 - 0x14);
      					 *((intOrPtr*)(_t245 - 0x14)) = _t196;
      					L01145637();
      					asm("int3");
      					_t133 = E01143D91(E01148D0A, _t196, _t233, 0x48);
      					_t229 =  *((intOrPtr*)(_t245 + 0xc));
      					_t242 =  *(_t245 + 8);
      					 *(_t245 - 0x54) = _t242;
      					_t203 =  *( *((intOrPtr*)(_t245 + 0xc)) + 0xe) & 0x0000ffff;
      					_t234 = 4;
      					 *(_t245 - 0x50) = _t242;
      					__eflags = _t203 - _t234;
      					if(_t203 == _t234) {
      						__imp__#1511();
      						_t204 = 0x18;
      						 *(_t245 - 0x54) = _t133;
      						_t197 = 0;
      						 *(_t245 - 4) = 0;
      						__eflags = _t133;
      						if(_t133 != 0) {
      							_t204 = _t133;
      							_t197 = E011298AC(_t204, "Not supported yet (array)");
      						}
      						_t99 = _t245 - 4;
      						 *_t99 =  *(_t245 - 4) | 0xffffffff;
      						__eflags =  *_t99;
      						 *(_t245 - 0x50) = _t197;
      						goto L49;
      					} else {
      						_t157 = _t203 >> 3;
      						_t197 = 1;
      						__eflags = 1 & _t157;
      						if((1 & _t157) == 0) {
      							_t159 = _t203 >> 9;
      							__eflags = 1 & _t159;
      							if((1 & _t159) == 0) {
      								__eflags = _t203 & 0x00000200;
      								if(__eflags == 0) {
      									L25:
      									_t161 = _t203 >> 5;
      									__eflags = _t197 & _t161;
      									if((_t197 & _t161) == 0) {
      										_t163 = _t203 >> 7;
      										__eflags = _t197 & _t163;
      										if((_t197 & _t163) == 0) {
      											__eflags = _t203 - 3;
      											if(_t203 != 3) {
      												_t165 = _t203 >> 0xa;
      												_push(0x18);
      												__eflags = _t197 & _t165;
      												if((_t197 & _t165) == 0) {
      													_t165 = _t203 >> 6;
      													__eflags = _t197 & _t165;
      													if((_t197 & _t165) == 0) {
      														_t212 = _t203 >> 8;
      														__eflags = _t197 & _t212;
      														if((_t197 & _t212) == 0) {
      															__imp__#1511();
      															_pop(_t204);
      															 *(_t245 - 0x50) = _t165;
      															 *(_t245 - 4) = 0xb;
      															__eflags = _t165;
      															if(_t165 == 0) {
      																_t167 = 0;
      																__eflags = 0;
      															} else {
      																_t204 = _t165;
      																_t167 = E011298AC(_t204, "Should not get here");
      															}
      															 *(_t245 - 4) =  *(_t245 - 4) | 0xffffffff;
      															 *(_t245 - 0x54) = _t167;
      															_t134 = _t245 - 0x54;
      															_push(0x1156040);
      														} else {
      															__imp__#1511();
      															_pop(_t204);
      															 *(_t245 - 0x54) = _t165;
      															 *(_t245 - 4) = 0xa;
      															__eflags = _t165;
      															if(_t165 == 0) {
      																goto L15;
      															} else {
      																_push("Not supported yet (uint64)");
      																goto L14;
      															}
      														}
      													} else {
      														__imp__#1511();
      														_pop(_t204);
      														 *(_t245 - 0x54) = _t165;
      														 *(_t245 - 4) = 9;
      														__eflags = _t165;
      														if(_t165 == 0) {
      															goto L15;
      														} else {
      															_push("Not supported yet (uint)");
      															goto L14;
      														}
      													}
      												} else {
      													__imp__#1511();
      													_pop(_t204);
      													 *(_t245 - 0x54) = _t165;
      													 *(_t245 - 4) = 8;
      													__eflags = _t165;
      													if(_t165 == 0) {
      														goto L15;
      													} else {
      														_push("Not supported yet (string)");
      														goto L14;
      													}
      												}
      												goto L50;
      											} else {
      												_t213 = 6;
      												_t170 = memset(_t245 - 0x28, 0, _t213 << 2);
      												asm("xorps xmm0, xmm0");
      												 *((intOrPtr*)(_t245 - 0x14)) = 0x100;
      												__eflags = 0;
      												asm("movups [ebp-0x28], xmm0");
      												 *(_t245 - 0x18) = 0;
      												 *(_t245 - 4) = 6;
      												_t237 = _t245 - 0x4c;
      												_t215 = 9;
      												memset(_t245 - 0x4c, _t170, 0 << 2);
      												 *((intOrPtr*)(_t245 - 0x38)) = 0;
      												 *(_t245 - 0x4c) = _t245 - 0x28;
      												asm("movups [ebp-0x48], xmm0");
      												 *((intOrPtr*)(_t245 - 0x34)) = 0x100;
      												 *((intOrPtr*)(_t245 - 0x30)) = 0x144;
      												 *((char*)(_t245 - 0x2c)) = 0;
      												 *(_t245 - 4) = 7;
      												E0113B01D(0, _t229, _t237 + _t215, _t242, _t245 - 0x4c);
      												 *_t242 = 0;
      												E011298AC(_t246 + 0x18 - 0x18, E0113AC58(_t245 - 0x28));
      												E0113A86F(0,  *(_t245 - 0x50), _t237 + _t215);
      												E0113AC3D(_t245 - 0x48);
      												E0113AC3D(_t245 - 0x28);
      												return E01143D3B( *(_t245 - 0x50), 0, _t237 + _t215);
      											}
      										} else {
      											__imp__#1511();
      											_t204 = 0x18;
      											 *(_t245 - 0x54) = _t163;
      											 *(_t245 - 4) = 5;
      											__eflags = _t163;
      											if(_t163 == 0) {
      												goto L15;
      											} else {
      												_push("Not supported yet (int64)");
      												goto L14;
      											}
      											goto L50;
      										}
      									} else {
      										__imp__#1511();
      										_t204 = 0x18;
      										 *(_t245 - 0x54) = _t161;
      										 *(_t245 - 4) = _t234;
      										__eflags = _t161;
      										if(_t161 == 0) {
      											goto L15;
      										} else {
      											_push("Not supported yet (int)");
      											goto L14;
      										}
      										goto L50;
      									}
      								} else {
      									asm("movsd xmm1, [edx]");
      									asm("comisd xmm1, [0x114f928]");
      									if(__eflags < 0) {
      										goto L25;
      									} else {
      										asm("movsd xmm0, [0x114f908]");
      										asm("comisd xmm0, xmm1");
      										if(__eflags < 0) {
      											goto L25;
      										} else {
      											__imp__#1511();
      											_t204 = 0x18;
      											 *(_t245 - 0x54) = _t159;
      											 *(_t245 - 4) = 3;
      											__eflags = _t159;
      											if(_t159 == 0) {
      												goto L15;
      											} else {
      												_push("Not supported yet (float)");
      												goto L14;
      											}
      											goto L50;
      										}
      									}
      								}
      							} else {
      								__imp__#1511();
      								_t204 = 0x18;
      								 *(_t245 - 0x54) = _t159;
      								 *(_t245 - 4) = 2;
      								__eflags = _t159;
      								if(_t159 == 0) {
      									goto L15;
      								} else {
      									_push("Not supported yet (double)");
      									goto L14;
      								}
      								goto L50;
      							}
      						} else {
      							__imp__#1511();
      							_t204 = 0x18;
      							 *(_t245 - 0x54) = _t157;
      							 *(_t245 - 4) = 1;
      							__eflags = _t157;
      							if(_t157 == 0) {
      								L15:
      								_t168 = 0;
      								__eflags = 0;
      							} else {
      								_push("Not supported yet (bool)");
      								L14:
      								_t204 = _t165;
      								_t168 = E011298AC(_t204);
      							}
      							 *(_t245 - 4) =  *(_t245 - 4) | 0xffffffff;
      							 *(_t245 - 0x50) = _t168;
      							L49:
      							_push(0x1156040);
      							_t134 = _t245 - 0x50;
      							L50:
      							_push(_t134);
      							L01145637();
      							asm("int3");
      							E01143D91(E01148D49, _t197, _t234, 0x28);
      							_t243 = _t204;
      							 *(_t245 - 4) = 1;
      							__eflags =  *((intOrPtr*)(_t245 + 0x1c)) - 0x10;
      							_t138 =  >=  ?  *(_t245 + 8) : _t245 + 8;
      							E0113AE1B(_t245 - 0x20,  >=  ?  *(_t245 + 8) : _t245 + 8, _t243[4]);
      							 *(_t245 - 4) = 2;
      							__eflags =  *((intOrPtr*)(_t245 + 0x34)) - 0x10;
      							_t141 =  >=  ?  *((void*)(_t245 + 0x20)) : _t245 + 0x20;
      							E0113AE1B(_t245 - 0x30,  >=  ?  *((void*)(_t245 + 0x20)) : _t245 + 0x20, _t243[4]);
      							 *(_t245 - 4) = 3;
      							_t145 = E0113B892(_t197, _t243, _t234, _t243, _t245 - 0x34, _t245 - 0x20);
      							_t208 = _t243;
      							__eflags =  *_t145 - ( *_t243 << 5) + _t243[2];
      							_t146 = _t245 - 0x30;
      							if(__eflags == 0) {
      								E0113AD58(_t208, _t245 - 0x20, _t146, _t243[4]);
      							} else {
      								E0113ADD5(E0113B3B9(_t197, _t208, _t234, _t243, __eflags, _t245 - 0x20), _t146);
      							}
      							E01129AC1(_t245 + 8);
      							return E01143D3B(E01129AC1(_t245 + 0x20), _t197, _t234);
      						}
      					}
      				} else {
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					 *_t241 = 0;
      					 *((intOrPtr*)(_t241 + 4)) = 0;
      					 *((intOrPtr*)(_t241 + 8)) = 0;
      					_t240 = _t201[2];
      					_t186 = ( *_t201 << 4) + _t240;
      					 *(_t245 - 0x1c) = 1;
      					 *(_t245 - 0x18) = _t186;
      					if(_t240 != _t186) {
      						do {
      							_push(_t240);
      							 *((intOrPtr*)(_t245 - 0x14)) = _t196;
      							_push(_t245 - 0x14);
      							L10();
      							 *(_t245 - 4) = 3;
      							_t191 =  *((intOrPtr*)(_t241 + 4));
      							_push(_t245 - 0x14);
      							if(_t191 ==  *((intOrPtr*)(_t241 + 8))) {
      								_push(_t191);
      								E0113B711(_t196, _t241, _t240);
      							} else {
      								E0113A8D2(_t196, _t191, _t240);
      								 *((intOrPtr*)(_t241 + 4)) =  *((intOrPtr*)(_t241 + 4)) + 4;
      							}
      							 *(_t245 - 4) = 1;
      							E0113AC23(_t245 - 0x14);
      							_t240 = _t240 + 0x10;
      						} while (_t240 !=  *(_t245 - 0x18));
      					}
      					E01129AC1(_t245 + 0xc);
      					return E01143D3B(_t241, _t196, _t240);
      				}
      			}




































      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113A3C0
      • #1511.MFC140U(00000018,00000014,?,01156040), ref: 0113A474
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113A4A4
        • Part of subcall function 0113A4AA: __EH_prolog3_GS.LIBCMT ref: 0113A4B1
        • Part of subcall function 0113A4AA: #1511.MFC140U(00000018,00000048,?,01156040), ref: 0113A4E0
        • Part of subcall function 0113A4AA: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113A757
        • Part of subcall function 0113A8D2: __EH_prolog3.LIBCMT ref: 0113A8D9
        • Part of subcall function 0113A8D2: #1511.MFC140U(00000038,00000004,0113B7AF,?,00000038,0113A44C,?,?,?,?,00000014,?,01156040), ref: 0113A8ED
        • Part of subcall function 0113A8D2: memset.VCRUNTIME140(00000000,00000000,00000038), ref: 0113A906
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$ExceptionH_prolog3_Throw$H_prolog3memset
      • String ID: Not an array
      • API String ID: 3751555718-3149065279
      • Opcode ID: 8cd4a2b929ea18c2a7b9666098285aa030f7b338e46f376043df31eff5a17d3c
      • Instruction ID: f7d761d76af76869fbf5a96095faf8f77df46c0cf49e3d67c1f11fc15c757641
      • Opcode Fuzzy Hash: 8cd4a2b929ea18c2a7b9666098285aa030f7b338e46f376043df31eff5a17d3c
      • Instruction Fuzzy Hash: 6631C170A00209EFEF18DFA8C4446AEBBF1BFA8718F68842DD545E7241D7749A40CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 59%
      			E0112BD14(void* __ebx, void* __ecx, void* __edx, void* __edi) {
      				void* _t19;
      				signed int _t33;
      				void* _t35;
      				void* _t36;
      				void** _t37;
      				void* _t43;
      				void** _t47;
      				void* _t49;
      				void* _t50;
      
      				_t43 = __edx;
      				_t36 = __ecx;
      				E01143D5D(E01145C31, __ebx, __edi, 8);
      				_t47 =  *(_t50 + 8);
      				_push(_t36);
      				 *((intOrPtr*)(_t50 - 4)) = 0;
      				 *(_t50 - 0x14) = _t47;
      				_t37 = _t47;
      				 *((intOrPtr*)(_t50 - 0x10)) = 0;
      				E0112BCCF(_t37, 0x7fff);
      				 *((intOrPtr*)(_t50 - 4)) = 0;
      				_t19 = _t47;
      				 *((intOrPtr*)(_t50 - 0x10)) = 1;
      				if(_t47[5] >= 0x10) {
      					_t19 =  *_t47;
      				}
      				__imp__?_Winerror_message@std@@YAKKPADK@Z( *((intOrPtr*)(_t50 + 0xc)), _t19, 0x7fff);
      				if(_t19 != 0) {
      					_push(_t37);
      					E01129795(_t47, _t19);
      				} else {
      					E01129863(_t47, "unknown error", 0xd);
      				}
      				if(_t47[5] >= 0x10) {
      					_t33 = _t47[4];
      					if(_t33 >= 0x10) {
      						_t35 =  >  ? 0x7fffffff : _t33 | 0x0000000f;
      						if(_t35 < _t47[5]) {
      							_t12 = _t35 + 1; // 0x11
      							_t49 = E01129B1B(_t12, _t43);
      							memcpy(_t49,  *_t47, _t47[4] + 1);
      							E01129B5C( *_t47, _t47[5] + 1, _t49);
      							 *_t47 = _t49;
      							_t47[5] = _t35;
      						}
      					} else {
      						E011297BF(_t47);
      					}
      				}
      				return E01143D26(_t47);
      			}













      APIs
      • __EH_prolog3.LIBCMT ref: 0112BD1B
        • Part of subcall function 0112BCCF: memset.VCRUNTIME140(?,00000000,?,?,?,?), ref: 0112BCF1
      • ?_Winerror_message@std@@YAKKPADK@Z.MSVCP140(?,?,00007FFF,?,?,?,00007FFF,?,00000008), ref: 0112BD55
        • Part of subcall function 01129B1B: #1511.MFC140U(00000001,01129A1D,?,01129A6B,00000001,?,?,?,?,?,0112149C), ref: 01129B2F
      • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,00007FFF,?,00000008), ref: 0112BDB6
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511H_prolog3Winerror_message@std@@memcpymemset
      • String ID: unknown error
      • API String ID: 83186329-3078798498
      • Opcode ID: 4a10cd3a8f4ef555b7101945f0735096bf5bfa61c2c1e7c7262ab2c0e8d622e7
      • Instruction ID: 2be5a4cdb23b578306e8a1c1a58fddaaea624481b541a6003d57ddad0e6df3bb
      • Opcode Fuzzy Hash: 4a10cd3a8f4ef555b7101945f0735096bf5bfa61c2c1e7c7262ab2c0e8d622e7
      • Instruction Fuzzy Hash: 9421DF7060062AAFD70CAF68C8C0A6EB776FF54708B444519E4158B280DB70AD608BEA
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 71%
      			E0113A9BB(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags) {
      				intOrPtr* _t28;
      				void* _t34;
      				intOrPtr* _t45;
      				signed int _t57;
      				void* _t61;
      				void* _t62;
      
      				_t45 = __ecx;
      				_t43 = __ebx;
      				E01143D5D(E01148E18, __ebx, __edi, 0x20);
      				_t57 = 0;
      				 *(_t61 - 4) = 0;
      				E011298E1(_t61 - 0x2c, _t61 + 8);
      				 *(_t61 - 4) = 1;
      				_t27 =  >=  ?  *((void*)(_t61 - 0x2c)) : _t61 - 0x2c;
      				_t28 = E0113B365(__ebx,  *_t45, 0,  *_t45,  >=  ?  *((void*)(_t61 - 0x2c)) : _t61 - 0x2c);
      				if(( *(_t28 + 0xe) >> 0x00000005 & 0x00000001) == 0) {
      					__imp__#1511();
      					_t50 = 0x18;
      					 *((intOrPtr*)(_t61 - 0x14)) = _t28;
      					 *(_t61 - 4) = 2;
      					if(_t28 != 0) {
      						_t50 = _t28;
      						_t57 = E011298AC(_t28, "Not a integer");
      					}
      					_push(0x1156040);
      					 *(_t61 - 4) = 1;
      					_push(_t61 - 0x10);
      					 *((intOrPtr*)(_t61 - 0x10)) = _t57;
      					L01145637();
      					asm("int3");
      					E01143D5D(E01148E3B, _t43, _t57, 4);
      					 *(_t61 - 4) =  *(_t61 - 4) & 0x00000000;
      					E011298E1(_t62 - 0x18, _t61 + 8);
      					_t34 = E0113A249(_t43,  *_t50, _t57,  *_t50);
      					E01129AC1(_t61 + 8);
      					return E01143D26(_t34);
      				} else {
      					E01129AC1(_t61 - 0x2c);
      					E01129AC1(_t61 + 8);
      					return E01143D26( *_t28);
      				}
      			}










      APIs
      • __EH_prolog3.LIBCMT ref: 0113A9C2
      • #1511.MFC140U(00000018,?,00000020,01129D50,code), ref: 0113AA1A
      • _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113AA4A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3Throw
      • String ID: Not a integer
      • API String ID: 877088943-1718782341
      • Opcode ID: 292b53ccf505bcaa6c8d05044b9a64269353c03eef12ee8938c82c4610046909
      • Instruction ID: 5c9c8b7e7785e9c19b6a19c74eee19a7f1f8bf0d442edc8f8851069e9e4dddc5
      • Opcode Fuzzy Hash: 292b53ccf505bcaa6c8d05044b9a64269353c03eef12ee8938c82c4610046909
      • Instruction Fuzzy Hash: 9A11A13190422EDFDF08EBACC4547DD7BB4AF64718F588058D451FB281DBB49A04C7A0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E01129D11(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi) {
      				intOrPtr _t19;
      				intOrPtr _t30;
      				intOrPtr _t40;
      				void* _t41;
      				void* _t42;
      				void* _t43;
      				void* _t44;
      
      				_t41 = __esi;
      				_t30 = __ecx;
      				_t29 = __ebx;
      				E01143D5D(E01146245, __ebx, __edi, 0x20);
      				_t40 = _t30;
      				 *((intOrPtr*)(_t42 - 0x10)) = _t40;
      				E01136604(_t30);
      				 *((intOrPtr*)(_t40 + 0x28)) = 0xf;
      				 *((intOrPtr*)(_t40 + 0x24)) = 0;
      				 *((char*)(_t40 + 0x14)) = 0;
      				_t44 = _t43 - 0x18;
      				 *((intOrPtr*)(_t42 - 4)) = 0;
      				E011298AC(_t44, "code");
      				_t19 = E0113A9BB(__ebx,  *((intOrPtr*)(_t42 + 8)), _t40, 0);
      				_t45 = _t44 - 0x18;
      				 *((intOrPtr*)(_t40 + 0xc)) = _t19;
      				E011298AC(_t44 - 0x18, "label");
      				 *((intOrPtr*)(_t40 + 0x10)) = E0113A9BB(_t29,  *((intOrPtr*)(_t42 + 8)), _t40, 0);
      				E011298AC(_t45 - 0x18, "description");
      				E011293B6(_t40 + 0x14, _t41, E0113A922(_t29,  *((intOrPtr*)(_t42 + 8)), _t40, 0));
      				E01129AC1(_t42 - 0x2c);
      				return E01143D26(_t40, _t42 - 0x2c);
      			}











      APIs
      • __EH_prolog3.LIBCMT ref: 01129D18
        • Part of subcall function 01136604: __EH_prolog3.LIBCMT ref: 0113660B
        • Part of subcall function 0113A9BB: __EH_prolog3.LIBCMT ref: 0113A9C2
        • Part of subcall function 0113A9BB: #1511.MFC140U(00000018,?,00000020,01129D50,code), ref: 0113AA1A
        • Part of subcall function 0113A9BB: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 0113AA4A
        • Part of subcall function 0113A922: __EH_prolog3_GS.LIBCMT ref: 0113A929
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3$#1511ExceptionH_prolog3_Throw
      • String ID: code$description$label
      • API String ID: 2339385289-574400994
      • Opcode ID: e15498d43757879eb974db2fe78877203138daf79341f819ccc556f9558ba935
      • Instruction ID: 08a669c2ee54a4ae87b3df9a841b3c2ef5f1106654780982fdb7c7a28242e238
      • Opcode Fuzzy Hash: e15498d43757879eb974db2fe78877203138daf79341f819ccc556f9558ba935
      • Instruction Fuzzy Hash: F6018470A0021BABCB0CFF79C851A5C7A71BFA5618F44811DD015EB680DB709954CBD2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 52%
      			E0113A249(void* __ebx, void* __ecx, void* __edi, void* __esi) {
      				void* _t170;
      				signed int _t172;
      				int _t173;
      				signed int _t180;
      				signed char _t181;
      				signed int _t188;
      				signed int _t191;
      				void* _t192;
      				intOrPtr* _t203;
      				void* _t204;
      				signed char _t215;
      				signed char _t217;
      				signed char _t219;
      				signed char _t221;
      				signed char _t223;
      				signed int _t225;
      				signed char _t226;
      				int _t228;
      				signed int _t244;
      				intOrPtr _t249;
      				signed int _t276;
      				signed char _t277;
      				void* _t280;
      				signed int* _t283;
      				unsigned int _t285;
      				signed int* _t286;
      				signed int* _t290;
      				signed char _t294;
      				signed int _t295;
      				void* _t297;
      				void* _t311;
      				void _t316;
      				void* _t326;
      				signed int _t327;
      				signed int _t333;
      				signed char _t335;
      				signed char _t336;
      				signed char _t337;
      				signed int* _t338;
      				void* _t340;
      				void* _t341;
      
      				_t325 = __edi;
      				_t280 = __ecx;
      				E01143D5D(E01148BB8, __ebx, __edi, 8);
      				 *(_t340 - 4) =  *(_t340 - 4) & 0x00000000;
      				_t169 =  >=  ?  *(_t340 + 8) : _t340 + 8;
      				_t170 = E0113B365(__ebx, _t280, __edi, __esi,  >=  ?  *(_t340 + 8) : _t340 + 8);
      				_t274 =  *(_t170 + 0xe) & 0x0000ffff;
      				_t172 = ( *(_t170 + 0xe) & 0x0000ffff) >> 3;
      				if((_t172 & 0x00000001) == 0) {
      					__imp__#1511();
      					_t281 = 0x18;
      					 *(_t340 - 0x14) = _t172;
      					 *(_t340 - 4) = 1;
      					__eflags = _t172;
      					if(_t172 == 0) {
      						_t173 = 0;
      						__eflags = 0;
      					} else {
      						_t281 = _t172;
      						_t173 = E011298AC(_t172, "Not a boolean");
      					}
      					 *(_t340 - 4) = 0;
      					 *((intOrPtr*)(_t340 - 0x10)) = _t173;
      					_push(0x1156040);
      					_push(_t340 - 0x10);
      					L01145637();
      					asm("int3");
      					E01143D91(E01148BF8, _t274, _t325, 0x5c);
      					_t335 =  *(_t340 + 8);
      					 *(_t340 - 0x64) = _t335;
      					 *(_t340 - 4) = 0;
      					__eflags =  *((intOrPtr*)(_t340 + 0x20)) - 0x10;
      					_t178 =  >=  ?  *((void*)(_t340 + 0xc)) : _t340 + 0xc;
      					_t326 = E0113B365(0, _t281, _t325, _t335,  >=  ?  *((void*)(_t340 + 0xc)) : _t340 + 0xc);
      					_t180 = 3;
      					__eflags =  *((intOrPtr*)(_t326 + 0xe)) - _t180;
      					if( *((intOrPtr*)(_t326 + 0xe)) != _t180) {
      						__imp__#1511();
      						_t282 = 0x18;
      						 *(_t340 - 0x68) = _t180;
      						 *(_t340 - 4) = 1;
      						__eflags = _t180;
      						if(_t180 == 0) {
      							_t181 = 0;
      						} else {
      							_t282 = _t180;
      							_t181 = E011298AC(_t180, "Not an object");
      						}
      						 *(_t340 - 4) = 0;
      						 *(_t340 - 0x64) = _t181;
      						_push(0x1156040);
      						_push(_t340 - 0x64);
      						L01145637();
      						asm("int3");
      						E01143D91(E01148C53, 0, _t326, 0x14);
      						_t336 =  *(_t340 + 8);
      						_t276 = 0;
      						 *(_t340 - 0x20) = _t336;
      						 *(_t340 - 0x1c) = 0;
      						 *(_t340 - 4) = 1;
      						__eflags =  *((intOrPtr*)(_t340 + 0x20)) - 0x10;
      						_t186 =  >=  ?  *((void*)(_t340 + 0xc)) : _t340 + 0xc;
      						_t283 = E0113B365(0, _t282, _t326, _t336,  >=  ?  *((void*)(_t340 + 0xc)) : _t340 + 0xc);
      						_t188 = 4;
      						__eflags = _t283[3] - _t188;
      						if(_t283[3] != _t188) {
      							__imp__#1511(0x18);
      							 *(_t340 - 0x18) = _t188;
      							 *(_t340 - 4) = 2;
      							__eflags = _t188;
      							if(_t188 != 0) {
      								_t276 = E011298AC(_t188, "Not an array");
      							}
      							_push(0x1156040);
      							 *(_t340 - 4) = 1;
      							_push(_t340 - 0x14);
      							 *(_t340 - 0x14) = _t276;
      							L01145637();
      							asm("int3");
      							_t191 = E01143D91(E01148D0A, _t276, _t326, 0x48);
      							_t320 =  *((intOrPtr*)(_t340 + 0xc));
      							_t337 =  *(_t340 + 8);
      							 *(_t340 - 0x54) = _t337;
      							_t285 =  *( *((intOrPtr*)(_t340 + 0xc)) + 0xe) & 0x0000ffff;
      							_t327 = 4;
      							 *(_t340 - 0x50) = _t337;
      							__eflags = _t285 - _t327;
      							if(_t285 == _t327) {
      								__imp__#1511();
      								_t286 = 0x18;
      								 *(_t340 - 0x54) = _t191;
      								_t277 = 0;
      								 *(_t340 - 4) = 0;
      								__eflags = _t191;
      								if(_t191 != 0) {
      									_t286 = _t191;
      									_t277 = E011298AC(_t286, "Not supported yet (array)");
      								}
      								_t140 = _t340 - 4;
      								 *_t140 =  *(_t340 - 4) | 0xffffffff;
      								__eflags =  *_t140;
      								 *(_t340 - 0x50) = _t277;
      								goto L63;
      							} else {
      								_t215 = _t285 >> 3;
      								_t277 = 1;
      								__eflags = 1 & _t215;
      								if((1 & _t215) == 0) {
      									_t217 = _t285 >> 9;
      									__eflags = 1 & _t217;
      									if((1 & _t217) == 0) {
      										__eflags = _t285 & 0x00000200;
      										if(__eflags == 0) {
      											L39:
      											_t219 = _t285 >> 5;
      											__eflags = _t277 & _t219;
      											if((_t277 & _t219) == 0) {
      												_t221 = _t285 >> 7;
      												__eflags = _t277 & _t221;
      												if((_t277 & _t221) == 0) {
      													__eflags = _t285 - 3;
      													if(_t285 != 3) {
      														_t223 = _t285 >> 0xa;
      														_push(0x18);
      														__eflags = _t277 & _t223;
      														if((_t277 & _t223) == 0) {
      															_t223 = _t285 >> 6;
      															__eflags = _t277 & _t223;
      															if((_t277 & _t223) == 0) {
      																_t294 = _t285 >> 8;
      																__eflags = _t277 & _t294;
      																if((_t277 & _t294) == 0) {
      																	__imp__#1511();
      																	_pop(_t286);
      																	 *(_t340 - 0x50) = _t223;
      																	 *(_t340 - 4) = 0xb;
      																	__eflags = _t223;
      																	if(_t223 == 0) {
      																		_t225 = 0;
      																		__eflags = 0;
      																	} else {
      																		_t286 = _t223;
      																		_t225 = E011298AC(_t286, "Should not get here");
      																	}
      																	 *(_t340 - 4) =  *(_t340 - 4) | 0xffffffff;
      																	 *(_t340 - 0x54) = _t225;
      																	_t192 = _t340 - 0x54;
      																	_push(0x1156040);
      																} else {
      																	__imp__#1511();
      																	_pop(_t286);
      																	 *(_t340 - 0x54) = _t223;
      																	 *(_t340 - 4) = 0xa;
      																	__eflags = _t223;
      																	if(_t223 == 0) {
      																		goto L29;
      																	} else {
      																		_push("Not supported yet (uint64)");
      																		goto L28;
      																	}
      																}
      															} else {
      																__imp__#1511();
      																_pop(_t286);
      																 *(_t340 - 0x54) = _t223;
      																 *(_t340 - 4) = 9;
      																__eflags = _t223;
      																if(_t223 == 0) {
      																	goto L29;
      																} else {
      																	_push("Not supported yet (uint)");
      																	goto L28;
      																}
      															}
      														} else {
      															__imp__#1511();
      															_pop(_t286);
      															 *(_t340 - 0x54) = _t223;
      															 *(_t340 - 4) = 8;
      															__eflags = _t223;
      															if(_t223 == 0) {
      																goto L29;
      															} else {
      																_push("Not supported yet (string)");
      																goto L28;
      															}
      														}
      														goto L64;
      													} else {
      														_t295 = 6;
      														_t228 = memset(_t340 - 0x28, 0, _t295 << 2);
      														asm("xorps xmm0, xmm0");
      														 *(_t340 - 0x14) = 0x100;
      														__eflags = 0;
      														asm("movups [ebp-0x28], xmm0");
      														 *(_t340 - 0x18) = 0;
      														 *(_t340 - 4) = 6;
      														_t330 = _t340 - 0x4c;
      														_t297 = 9;
      														memset(_t340 - 0x4c, _t228, 0 << 2);
      														 *((intOrPtr*)(_t340 - 0x38)) = 0;
      														 *(_t340 - 0x4c) = _t340 - 0x28;
      														asm("movups [ebp-0x48], xmm0");
      														 *(_t340 - 0x34) = 0x100;
      														 *((intOrPtr*)(_t340 - 0x30)) = 0x144;
      														 *((char*)(_t340 - 0x2c)) = 0;
      														 *(_t340 - 4) = 7;
      														E0113B01D(0, _t320, _t330 + _t297, _t337, _t340 - 0x4c);
      														 *_t337 = 0;
      														E011298AC(_t341 + 0x18 - 0x18, E0113AC58(_t340 - 0x28));
      														E0113A86F(0,  *(_t340 - 0x50), _t330 + _t297);
      														E0113AC3D(_t340 - 0x48);
      														E0113AC3D(_t340 - 0x28);
      														return E01143D3B( *(_t340 - 0x50), 0, _t330 + _t297);
      													}
      												} else {
      													__imp__#1511();
      													_t286 = 0x18;
      													 *(_t340 - 0x54) = _t221;
      													 *(_t340 - 4) = 5;
      													__eflags = _t221;
      													if(_t221 == 0) {
      														goto L29;
      													} else {
      														_push("Not supported yet (int64)");
      														goto L28;
      													}
      													goto L64;
      												}
      											} else {
      												__imp__#1511();
      												_t286 = 0x18;
      												 *(_t340 - 0x54) = _t219;
      												 *(_t340 - 4) = _t327;
      												__eflags = _t219;
      												if(_t219 == 0) {
      													goto L29;
      												} else {
      													_push("Not supported yet (int)");
      													goto L28;
      												}
      												goto L64;
      											}
      										} else {
      											asm("movsd xmm1, [edx]");
      											asm("comisd xmm1, [0x114f928]");
      											if(__eflags < 0) {
      												goto L39;
      											} else {
      												asm("movsd xmm0, [0x114f908]");
      												asm("comisd xmm0, xmm1");
      												if(__eflags < 0) {
      													goto L39;
      												} else {
      													__imp__#1511();
      													_t286 = 0x18;
      													 *(_t340 - 0x54) = _t217;
      													 *(_t340 - 4) = 3;
      													__eflags = _t217;
      													if(_t217 == 0) {
      														goto L29;
      													} else {
      														_push("Not supported yet (float)");
      														goto L28;
      													}
      													goto L64;
      												}
      											}
      										}
      									} else {
      										__imp__#1511();
      										_t286 = 0x18;
      										 *(_t340 - 0x54) = _t217;
      										 *(_t340 - 4) = 2;
      										__eflags = _t217;
      										if(_t217 == 0) {
      											goto L29;
      										} else {
      											_push("Not supported yet (double)");
      											goto L28;
      										}
      										goto L64;
      									}
      								} else {
      									__imp__#1511();
      									_t286 = 0x18;
      									 *(_t340 - 0x54) = _t215;
      									 *(_t340 - 4) = 1;
      									__eflags = _t215;
      									if(_t215 == 0) {
      										L29:
      										_t226 = 0;
      										__eflags = 0;
      									} else {
      										_push("Not supported yet (bool)");
      										L28:
      										_t286 = _t223;
      										_t226 = E011298AC(_t286);
      									}
      									 *(_t340 - 4) =  *(_t340 - 4) | 0xffffffff;
      									 *(_t340 - 0x50) = _t226;
      									L63:
      									_push(0x1156040);
      									_t192 = _t340 - 0x50;
      									L64:
      									_push(_t192);
      									L01145637();
      									asm("int3");
      									E01143D91(E01148D49, _t277, _t327, 0x28);
      									_t338 = _t286;
      									 *(_t340 - 4) = 1;
      									__eflags =  *((intOrPtr*)(_t340 + 0x1c)) - 0x10;
      									_t196 =  >=  ?  *(_t340 + 8) : _t340 + 8;
      									E0113AE1B(_t340 - 0x20,  >=  ?  *(_t340 + 8) : _t340 + 8, _t338[4]);
      									 *(_t340 - 4) = 2;
      									__eflags =  *((intOrPtr*)(_t340 + 0x34)) - 0x10;
      									_t199 =  >=  ?  *((void*)(_t340 + 0x20)) : _t340 + 0x20;
      									E0113AE1B(_t340 - 0x30,  >=  ?  *((void*)(_t340 + 0x20)) : _t340 + 0x20, _t338[4]);
      									 *(_t340 - 4) = 3;
      									_t203 = E0113B892(_t277, _t338, _t327, _t338, _t340 - 0x34, _t340 - 0x20);
      									_t290 = _t338;
      									__eflags =  *_t203 - ( *_t338 << 5) + _t338[2];
      									_t204 = _t340 - 0x30;
      									if(__eflags == 0) {
      										E0113AD58(_t290, _t340 - 0x20, _t204, _t338[4]);
      									} else {
      										E0113ADD5(E0113B3B9(_t277, _t290, _t327, _t338, __eflags, _t340 - 0x20), _t204);
      									}
      									E01129AC1(_t340 + 8);
      									return E01143D3B(E01129AC1(_t340 + 0x20), _t277, _t327);
      								}
      							}
      						} else {
      							asm("stosd");
      							asm("stosd");
      							asm("stosd");
      							 *_t336 = 0;
      							 *((intOrPtr*)(_t336 + 4)) = 0;
      							 *((intOrPtr*)(_t336 + 8)) = 0;
      							_t333 = _t283[2];
      							_t244 = ( *_t283 << 4) + _t333;
      							 *(_t340 - 0x1c) = 1;
      							 *(_t340 - 0x18) = _t244;
      							__eflags = _t333 - _t244;
      							if(_t333 != _t244) {
      								do {
      									_push(_t333);
      									 *(_t340 - 0x14) = _t276;
      									_push(_t340 - 0x14);
      									L24();
      									 *(_t340 - 4) = 3;
      									_t249 =  *((intOrPtr*)(_t336 + 4));
      									_push(_t340 - 0x14);
      									__eflags = _t249 -  *((intOrPtr*)(_t336 + 8));
      									if(_t249 ==  *((intOrPtr*)(_t336 + 8))) {
      										_push(_t249);
      										E0113B711(_t276, _t336, _t333);
      									} else {
      										E0113A8D2(_t276, _t249, _t333);
      										 *((intOrPtr*)(_t336 + 4)) =  *((intOrPtr*)(_t336 + 4)) + 4;
      									}
      									 *(_t340 - 4) = 1;
      									E0113AC23(_t340 - 0x14);
      									_t333 = _t333 + 0x10;
      									__eflags = _t333 -  *(_t340 - 0x18);
      								} while (_t333 !=  *(_t340 - 0x18));
      							}
      							E01129AC1(_t340 + 0xc);
      							return E01143D3B(_t336, _t276, _t333);
      						}
      					} else {
      						memset(_t340 - 0x60, 0, 0x38);
      						_t311 = _t340 - 0x60;
      						E0113ACC8(0, _t311, _t326);
      						 *(_t340 - 4) = 2;
      						E0113AE01(_t311);
      						_push(_t311);
      						E0113BC5C(_t340 - 0x60, _t326,  *(_t340 - 0x50));
      						_push(_t340 - 0x60);
      						_push(_t340 - 0x28);
      						E01139FED(0, _t326);
      						 *(_t340 - 4) = 3;
      						 *_t335 = 0;
      						E011298E1(_t341 - 0x18, _t340 - 0x28);
      						E0113A86F(0, _t335, _t326);
      						E01129AC1(_t340 - 0x28);
      						_t316 =  *(_t340 - 0x4c);
      						__eflags = _t316;
      						if(_t316 != 0) {
      							E0113AEB0(_t316, _t326, _t316);
      						}
      						E0113AC3D(_t340 - 0x48);
      						E01129AC1(_t340 + 0xc);
      						return E01143D3B(_t335, 0, _t326);
      					}
      				} else {
      					return E01143D26(E01129AC1(_t340 + 8) & 0xffffff00 | _t274 == 0x0000000a);
      				}
      			}













































      APIs
      • __EH_prolog3.LIBCMT ref: 0113A250
      • #1511.MFC140U(00000018,00000008,0113AA77,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0113A28F
      • _CxxThrowException.VCRUNTIME140(?,01156040,?,?,?,?,?,?,?,?,00000000,00000000,?), ref: 0113A2C1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3Throw
      • String ID: Not a boolean
      • API String ID: 877088943-3069749990
      • Opcode ID: e20ff58b7c9e1419321c2f939b2393ed4bc15ef585a2367f28e246c88cfe2848
      • Instruction ID: fec2c50df0847e641f90e4dde2451def8b100c00350481fe8bf04c215212c0c4
      • Opcode Fuzzy Hash: e20ff58b7c9e1419321c2f939b2393ed4bc15ef585a2367f28e246c88cfe2848
      • Instruction Fuzzy Hash: 2501AD30904229DBEF48EFA8D4047DD3BA4AF20B14F448055E851E7180DB798204CB60
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E01131BCE() {
      				signed int _v8;
      				short _v20;
      				signed int _t5;
      				signed int _t14;
      
      				_t5 =  *0x115a014; // 0x2648a249
      				_v8 = _t5 ^ _t14;
      				MultiByteToWideChar(0, 0, "1248", 5,  &_v20, 6);
      				return E0114368F(MessageBoxW(0,  &_v20, L"Version Is", 0x40), _v8 ^ _t14);
      			}








      APIs
      • MultiByteToWideChar.KERNEL32(00000000,00000000,1248,00000005,?,00000006), ref: 01131BEF
      • MessageBoxW.USER32(00000000,?,Version Is,00000040), ref: 01131C02
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ByteCharMessageMultiWide
      • String ID: 1248$Version Is
      • API String ID: 1279612236-2768633978
      • Opcode ID: 317ae5ab82eb841a4d8f018f4b31025be05a4aa8014e4dd3ef41ec53ddcbe304
      • Instruction ID: b6c1ffa76e2aeccd19e7f184b263e1ed34b7a241f939f84b270a0e8881ba2e6a
      • Opcode Fuzzy Hash: 317ae5ab82eb841a4d8f018f4b31025be05a4aa8014e4dd3ef41ec53ddcbe304
      • Instruction Fuzzy Hash: C2E01270784309BBE718DBA59D4AF7E73B8AB18F01F400429BB21AA1C0D6B0E5048755
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ?_Xout_of_range@std@@YAXPBD@Z.MSVCP140(invalid string position,01131CE3,00000010,?,?,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384), ref: 01128F38
      • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809), ref: 01128F4E
      • ??1facet@locale@std@@MAE@XZ.MSVCP140(?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809,?,?,000000EC), ref: 01128F57
        • Part of subcall function 011436A0: #1513.MFC140U(00000001,?,01121530,?,00000014), ref: 011436A6
      Strings
      • invalid string position, xrefs: 01128F33
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1513??1facet@locale@std@@Xout_of_range@std@@free
      • String ID: invalid string position
      • API String ID: 2967603577-1799206989
      • Opcode ID: 732f84fb64977a30fcbaa5bfdb8cf652fac912470d1bee109c1289b8edf1eec4
      • Instruction ID: f89dcd2007d599e53c0b5aed1713a119e8f6e500f18fa38e0827de8ae676a190
      • Opcode Fuzzy Hash: 732f84fb64977a30fcbaa5bfdb8cf652fac912470d1bee109c1289b8edf1eec4
      • Instruction Fuzzy Hash: 22E0803524C2345FD32D2F59B40DB857BD8DF05F65F10401EFA5591280DFB19590479D
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 98%
      			E01139D2E(void* __ecx, int __edx, int _a4, signed int _a8) {
      				void* _v8;
      				int _t35;
      				void* _t42;
      				void* _t43;
      				int _t44;
      				void* _t45;
      				int _t47;
      				void* _t51;
      				void* _t52;
      				int _t66;
      				void* _t69;
      				signed int _t71;
      				char* _t73;
      				signed int _t77;
      				void* _t79;
      				void* _t81;
      				void* _t83;
      
      				_push(__ecx);
      				_t35 = _a4;
      				_t66 = __edx;
      				_t83 = __ecx;
      				_t79 = __edx + _t35;
      				if(_t35 < 0 || _t79 > 0x15) {
      					if(_t79 - 1 > 0x14) {
      						_t69 = _t83 + 1;
      						if(_t79 + 5 > 5) {
      							_t75 = _t83 + 2;
      							if(_t79 >=  ~_a8) {
      								if(_t66 != 1) {
      									memmove(_t75, _t69, _t66 - 1);
      									 *(_t83 + 1) = 0x2e;
      									 *((char*)(_t83 + _t66 + 1)) = 0x65;
      									_t75 = _t66 + 2 + _t83;
      								} else {
      									 *_t69 = 0x65;
      								}
      								_t42 = E01139CCF(_t79 - 1, _t75);
      							} else {
      								 *_t83 = 0x30;
      								 *_t69 = 0x2e;
      								 *_t75 = 0x30;
      								goto L23;
      							}
      						} else {
      							_t43 = 2;
      							_t44 = _t43 - _t79;
      							_a4 = _t44;
      							_t45 = _t44 + _t83;
      							_v8 = _t45;
      							memmove(_t45, _t83, _t66);
      							_t47 = _a4;
      							 *_t83 = 0x2e30;
      							if(_t47 > 2) {
      								memset(_t83 + 2, 0x30, _t47 + 0xfffffffe);
      							}
      							_t71 = _a8;
      							if(_t66 - _t79 <= _t71) {
      								_t42 = _v8 + _t66;
      							} else {
      								_t51 = _t71 + 1;
      								while(_t51 > 2) {
      									if( *((char*)(_t51 + _t83)) != 0x30) {
      										goto L12;
      									} else {
      										_t51 = _t51 - 1;
      										continue;
      									}
      									goto L31;
      								}
      								L23:
      								_t42 = _t83 + 3;
      							}
      						}
      					} else {
      						memmove(_t79 + _t83 + 1, _t79 + _t83, _t66 - _t79);
      						_t73 = _t79 + _t83;
      						_t77 = _a8;
      						 *_t73 = 0x2e;
      						if(_a4 + _t77 >= 0) {
      							_t52 = _t66 + 1;
      							goto L13;
      						} else {
      							_t51 = _t79 + _t77;
      							_t81 = _t79 + 1;
      							while(_t51 > _t81) {
      								if( *((char*)(_t51 + _t83)) != 0x30) {
      									L12:
      									_t52 = _t51 + 1;
      									L13:
      									_t42 = _t52 + _t83;
      								} else {
      									_t51 = _t51 - 1;
      									continue;
      								}
      								goto L31;
      							}
      							_t42 = _t73 + 2;
      						}
      					}
      				} else {
      					if(__edx < _t79) {
      						memset(__ecx + __edx, 0x30, _t35);
      					}
      					 *(_t79 + _t83) = 0x302e;
      					_t42 = _t83 + 2 + _t79;
      				}
      				L31:
      				return _t42;
      			}





















      APIs
      • memset.VCRUNTIME140(?,00000030,?), ref: 01139D53
      • memmove.VCRUNTIME140(?), ref: 01139D80
      • memmove.VCRUNTIME140(00000002), ref: 01139DD9
      • memset.VCRUNTIME140(?,00000030,?), ref: 01139DF8
      • memmove.VCRUNTIME140(?,?,?), ref: 01139E4F
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memmove$memset
      • String ID:
      • API String ID: 3790616698-0
      • Opcode ID: 3a5033c07b543f18418601b010258023465cb055a7cad6a5e71f8b31eb42cd6c
      • Instruction ID: f55aada382752760ccf18955b738317fef6239a87c48da24f77bb302976cf06a
      • Opcode Fuzzy Hash: 3a5033c07b543f18418601b010258023465cb055a7cad6a5e71f8b31eb42cd6c
      • Instruction Fuzzy Hash: BE41337210461AABD72DCF5CCCC5AAAB7A9AF9031CF544439D406CB209E3B5E644C7A1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 56%
      			E011294E9(void* __ebx, void* __ecx, void* __edi, char _a4, void* _a12, intOrPtr _a16) {
      				void* _v0;
      				void* _v8;
      				signed int _v12;
      				signed int _v16;
      				void* _v20;
      				int _v24;
      				void* __esi;
      				intOrPtr* _t60;
      				intOrPtr _t66;
      				void* _t68;
      				intOrPtr _t69;
      				signed int _t81;
      				intOrPtr* _t85;
      				int _t86;
      				signed int _t93;
      				char _t98;
      				signed int _t99;
      				void* _t100;
      				intOrPtr* _t103;
      				intOrPtr _t105;
      				void* _t106;
      				intOrPtr* _t109;
      				int _t114;
      
      				_t98 = _a4;
      				_push(__ebx);
      				_t80 = __ecx;
      				_v20 = _a12;
      				_push(__edi);
      				_t85 =  *((intOrPtr*)(__ecx + 0x10));
      				_v12 = _t85;
      				_t123 = 0x7ffffffe - _t85 - _t98;
      				if(0x7ffffffe - _t85 < _t98) {
      					E0112995D(_t85);
      					asm("int3");
      					_push(_t108);
      					_t109 = _t85;
      					_t86 = _v24;
      					_t99 =  *(_t109 + 0x10);
      					if(_t86 >  *((intOrPtr*)(_t109 + 0x14)) - _t99) {
      						_push(_t86);
      						_push(_v0);
      						_a4 = 0;
      						_t60 = E011294E9(__ecx, _t109, __edi, _t86, _a4);
      					} else {
      						_push(__ecx);
      						_t81 = _t99 + _t86;
      						_push(__edi);
      						 *(_t109 + 0x10) = _t81;
      						_t103 = _t109;
      						if( *((intOrPtr*)(_t109 + 0x14)) >= 8) {
      							_t103 =  *_t109;
      						}
      						memmove(_t103 + _t99 * 2, _v0, _t86 + _t86);
      						 *((short*)(_t103 + _t81 * 2)) = 0;
      						_t60 = _t109;
      					}
      					return _t60;
      				} else {
      					_t105 = _t85 + _t98;
      					_v16 =  *((intOrPtr*)(__ecx + 0x14));
      					_t66 = E01129969(__ecx, _t105);
      					_t68 = E01129A04(_t98,  ~(0 | _t123 > 0x00000000) | _t66 + 0x00000001);
      					_t93 = _v12;
      					_v8 = _t68;
      					_t69 = _a16;
      					 *((intOrPtr*)(_t80 + 0x10)) = _t105;
      					_t106 = _v8;
      					_t100 = _t93 + _t93;
      					 *((intOrPtr*)(_t80 + 0x14)) = _t66;
      					_v24 = _t69 + _t69;
      					_v12 = _t93 + _t69;
      					_v8 = _t100 + _t106;
      					_t114 = _t69 + _t69;
      					_push(_t100);
      					if(_v16 < 8) {
      						memcpy(_t106, _t80, ??);
      						memcpy(_v8, _v20, _t114);
      						 *((short*)(_t106 + _v12 * 2)) = 0;
      					} else {
      						memcpy(_t106,  *_t80, ??);
      						memcpy(_v8, _v20, _v24);
      						 *((short*)(_t106 + _v12 * 2)) = 0;
      						E01129B5C( *_t80, 2 + _v16 * 2,  *_t80);
      					}
      					 *_t80 = _t106;
      					return _t80;
      				}
      			}



























      APIs
      • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,?,?,?,?), ref: 0112956B
      • memcpy.VCRUNTIME140(?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 01129579
      • memcpy.VCRUNTIME140(?,?,?,00000000,?,?,?,?,?), ref: 0112959F
      • memcpy.VCRUNTIME140(?,?,00000000,?,?,?,00000000,?,?,?,?,?), ref: 011295AB
      • memmove.VCRUNTIME140(00000008,?,00000008,?,?,?,?,?,?,?,?), ref: 011295FF
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memcpy$memmove
      • String ID:
      • API String ID: 1283327689-0
      • Opcode ID: 179b0a8d4869cecf03f5a0022e8f2cd3c801d6fe56901a54041151d19907bdc9
      • Instruction ID: 7cc1eb6b1f9c8fceceb5263e397dab707a80494fcb182f1fd117ab67b88ed46e
      • Opcode Fuzzy Hash: 179b0a8d4869cecf03f5a0022e8f2cd3c801d6fe56901a54041151d19907bdc9
      • Instruction Fuzzy Hash: B2417671A0022AEFCF18DFACD88089EBBB9FF55718B10456EE505E7310D770AA25CB95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 62%
      			E01129679(void* __ecx, void* __esi, intOrPtr _a4, int _a12) {
      				char _v0;
      				intOrPtr* _v8;
      				intOrPtr _v12;
      				void* _v16;
      				void* _v20;
      				int _v24;
      				intOrPtr* _t42;
      				intOrPtr* _t44;
      				intOrPtr _t47;
      				intOrPtr _t50;
      				int _t61;
      				intOrPtr* _t63;
      				intOrPtr _t64;
      				void* _t71;
      				intOrPtr _t73;
      				intOrPtr* _t78;
      				intOrPtr _t80;
      				int _t81;
      				void* _t84;
      				void* _t87;
      
      				_t83 = __esi;
      				_t73 = _a4;
      				_t60 = __ecx;
      				_push(__esi);
      				_t63 =  *((intOrPtr*)(__ecx + 0x10));
      				_v8 = _t63;
      				_t96 = 0x7fffffff - _t63 - _t73;
      				if(0x7fffffff - _t63 < _t73) {
      					E0112995D(_t63);
      					asm("int3");
      					_push(__ecx);
      					_t61 = _v24;
      					_push(_t77);
      					_t78 = _t63;
      					_t64 =  *((intOrPtr*)(_t78 + 0x10));
      					if(_t61 >  *((intOrPtr*)(_t78 + 0x14)) - _t64) {
      						_push(_t64);
      						_push(_t61);
      						_v0 = 0;
      						_t42 = E01129679(_t78, __esi, _t61, _v0);
      					} else {
      						 *((intOrPtr*)(_t78 + 0x10)) = _t64 + _t61;
      						_t44 = _t78;
      						if( *((intOrPtr*)(_t78 + 0x14)) >= 0x10) {
      							_t44 =  *_t78;
      						}
      						_t84 = _t44 + _t64;
      						memset(_t84, 0, _t61);
      						 *((char*)(_t84 + _t61)) = 0;
      						_t42 = _t78;
      					}
      					return _t42;
      				} else {
      					_t80 = _t63 + _t73;
      					_v12 =  *((intOrPtr*)(__ecx + 0x14));
      					_t47 = E01129AE4(__ecx, _t80);
      					_t71 = E01129B1B( ~(0 | _t96 > 0x00000000) | _t47 + 0x00000001, _t73);
      					_t50 = _v8;
      					 *((intOrPtr*)(__ecx + 0x14)) = _t47;
      					 *((intOrPtr*)(__ecx + 0x10)) = _t80;
      					_t81 = _a12;
      					_t87 = _t71 + _t50;
      					_v16 = _t71;
      					_v20 = _t87;
      					_v8 = _t71 + _t50;
      					_push(_t50);
      					if(_v12 < 0x10) {
      						memcpy(_t71, __ecx, ??);
      						memset(_t87, 0, _t81);
      						 *((char*)(_v8 + _t81)) = 0;
      					} else {
      						_t89 =  *__ecx;
      						memcpy(_t71,  *__ecx, ??);
      						memset(_v20, 0, _t81);
      						 *((char*)(_v8 + _t81)) = 0;
      						E01129B5C(_t89, _v12 + 1, _t89);
      					}
      					 *_t60 = _v16;
      					return _t60;
      				}
      			}
























      APIs
      • memset.VCRUNTIME140(?,00000000,?,?,?,?,?,?,?,?,011366E0), ref: 0112976D
        • Part of subcall function 01129B1B: #1511.MFC140U(00000001,01129A1D,?,01129A6B,00000001,?,?,?,?,?,0112149C), ref: 01129B2F
      • memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,011366E0), ref: 011296E8
      • memset.VCRUNTIME140(011366E0,00000000,011366E0,00000000,00000000,?,?,?,?,?,011366E0), ref: 011296F3
      • memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?,011366E0), ref: 01129713
      • memset.VCRUNTIME140(00000000,00000000,011366E0,00000000,?,?,?,?,?,?,011366E0), ref: 0112971C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memset$memcpy$#1511
      • String ID:
      • API String ID: 118993903-0
      • Opcode ID: 91f7ff6ddbfceb731eb50e48baccf47080963611d7f52d23426dcb85429b42f5
      • Instruction ID: 63be27a6a21ff585e1d88d377c5398c7e89cf45d1b90f7f83fe76eefe253f818
      • Opcode Fuzzy Hash: 91f7ff6ddbfceb731eb50e48baccf47080963611d7f52d23426dcb85429b42f5
      • Instruction Fuzzy Hash: D431803160022AABCB18DF6CD880A9EBBA9FF55714F10056AE505DB241E771A911CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 84%
      			E01137003(signed int __eax, void* __ebx, char** __ecx, void* __edi, short* _a4, int _a8) {
      				int _v8;
      				signed int _t18;
      				short _t19;
      				signed int _t20;
      				short* _t34;
      				signed int _t36;
      				int _t38;
      				short* _t42;
      				signed int _t44;
      				void* _t47;
      				intOrPtr* _t49;
      				short* _t52;
      				int _t62;
      				intOrPtr* _t65;
      				int _t67;
      
      				_t18 = __eax;
      				_push(__ecx);
      				_t34 = _a4;
      				_t57 = __ecx;
      				if(_t34 != 0) {
      					_t42 = _t34;
      					_t52 =  &(_t42[1]);
      					do {
      						_t19 =  *_t42;
      						_t42 =  &(_t42[1]);
      					} while (_t19 != 0);
      					_t44 = _t42 - _t52 >> 1;
      					_t20 = _t44 + 1;
      					_v8 = _t20;
      					_t62 = _t20 << 2;
      					E011370FD( &(__ecx[1]), __ecx, _t62,  &(__ecx[1]));
      					_t47 = _t44;
      					_t18 = WideCharToMultiByte(_a8, 0, _t34, _v8,  *__ecx, _t62, 0, 0);
      					_t36 = 0 | _t18 == 0x00000000;
      					if(_t18 == 0) {
      						_t18 = GetLastError();
      						if(_t18 == 0x7a) {
      							_t38 = _v8;
      							_t67 = WideCharToMultiByte(_a8, 0, _a4, _t38, 0, 0, 0, 0);
      							E011370FD( &(_t57[1]), _t57, _t67,  &(_t57[1]));
      							_t47 = _t47;
      							_t18 = WideCharToMultiByte(_a8, 0, _a4, _t38,  *_t57, _t67, 0, 0);
      							asm("sbb ebx, ebx");
      							_t36 =  ~_t18 + 1;
      						}
      					}
      					_pop(_t64);
      					if(_t36 == 0) {
      						goto L2;
      					} else {
      						E011370F0(_t18,  *_t57,  &(_t57[1]));
      						_t49 = _t47;
      						E01137172();
      						asm("int3");
      						_t65 = _t49;
      						E0112962B(_t49, _v8);
      						 *_t65 = 0x114d4c8;
      						return _t65;
      					}
      				} else {
      					 *__ecx =  *__ecx & _t34;
      					L2:
      					return _t18;
      				}
      			}

      APIs
      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,?,?,?,?,?,01156164), ref: 01137061
      • GetLastError.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,01156164,?,?,?,?,?), ref: 0113706E
      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 0113708A
      • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,00000000,00000000,00000000,?,?,00000000,00000000,?,?,?), ref: 011370AD
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ByteCharMultiWide$ErrorLast
      • String ID:
      • API String ID: 1717984340-0
      • Opcode ID: 921053a333aae0b3a183c52baba3b75027d54f351e2f6230a6d5947d1980da40
      • Instruction ID: 4422906fe6c9e1c5f8b7131cf8a41a842f6a4c258dfbb27da4efe0261d221327
      • Opcode Fuzzy Hash: 921053a333aae0b3a183c52baba3b75027d54f351e2f6230a6d5947d1980da40
      • Instruction Fuzzy Hash: A831E9F620011ABFAB195F68DC80CBBBBAEEF45254310423AFD15D7144EB71DD108BA0
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 31%
      			E01127CF4(intOrPtr __ecx, int _a4, signed int _a8) {
      				intOrPtr _v8;
      				void* _v12;
      				int _t39;
      				void* _t42;
      				void* _t45;
      				signed int _t52;
      				signed char _t55;
      				signed int _t65;
      				unsigned int _t70;
      				void* _t71;
      				intOrPtr _t73;
      				unsigned int _t78;
      				void* _t80;
      
      				_push(__ecx);
      				_push(__ecx);
      				_t73 = __ecx;
      				_v8 = __ecx;
      				if(( *(__ecx + 8) & 0x00000100) == 0) {
      					_t78 = _a4 & 0x000000ff;
      					_t52 = _a8 & 0x000000ff;
      				} else {
      					_t5 = _t73 + 0xc; // 0x86a0000
      					__imp__?tolower@?$ctype@D@std@@QBEDD@Z(_a4);
      					_t78 =  *_t5;
      					_t9 = _t73 + 0xc; // 0x86a0000
      					_t39 =  *_t9;
      					__imp__?tolower@?$ctype@D@std@@QBEDD@Z(_a8);
      					_t52 = _t39;
      				}
      				_t13 = _t73 + 4; // 0x7c4c7b83
      				_t55 =  *_t13;
      				_a8 = _t55;
      				if(_t78 <= _t52) {
      					while(_t52 <  *((intOrPtr*)(_t73 + 0x10))) {
      						_t45 =  *(_t55 + 0x18);
      						_a4 = _t45;
      						if(_t45 == 0) {
      							__imp__#1511(0x20);
      							_t71 = _t45;
      							_a4 = _t45;
      							_v12 = _t71;
      							if(_t71 == 0) {
      								_t71 = 0;
      								_a4 = 0;
      							} else {
      								_t65 = 8;
      								memset(_t71, 0, _t65 << 2);
      								_t80 = _t80 + 0xc;
      								_t73 = _v8;
      							}
      							_t45 = _a4;
      							 *(_a8 + 0x18) = _t71;
      						}
      						_t70 = _t78 >> 3;
      						asm("bts ecx, eax");
      						_t39 = _a4;
      						_t78 = _t78 + 1;
      						 *((char*)(_t70 + _t39)) =  *(_t45 + _t70) & 0x000000ff;
      						_t55 = _a8;
      						if(_t78 <= _t52) {
      							continue;
      						}
      						break;
      					}
      					if(_t52 >= _t78) {
      						if(_t52 - _t78 >=  *((intOrPtr*)(_t73 + 0x14))) {
      							_t42 =  *(_t55 + 0x20);
      							if(_t42 == 0) {
      								__imp__#1511(0xc);
      								_a4 = _t42;
      								if(_t42 == 0) {
      									_t42 = 0;
      								} else {
      									 *_t42 = 0;
      									 *((intOrPtr*)(_t42 + 4)) = 0;
      									 *((intOrPtr*)(_t42 + 8)) = 0;
      								}
      								 *(_a8 + 0x20) = _t42;
      							}
      							E0112653F(_t42, _t78);
      							_t39 = E0112653F( *(_a8 + 0x20), _t52);
      						} else {
      							do {
      								_t39 = E01127F29(_t73, _t78);
      								_t78 = _t78 + 1;
      							} while (_t78 <= _t52);
      						}
      					}
      				}
      				return _t39;
      			}

      APIs
      • ?tolower@?$ctype@D@std@@QBEDD@Z.MSVCP140(?,?,?,00000000,01124B6B,01124B6B,?,01126D30,?,00000000,?,?,?,?,?,01125043), ref: 01127D13
      • ?tolower@?$ctype@D@std@@QBEDD@Z.MSVCP140(?,?,?,00000000,01124B6B,01124B6B,?,01126D30,?,00000000,?,?,?,?,?,01125043), ref: 01127D25
      • #1511.MFC140U(00000020,?,?,00000000,01124B6B,01124B6B,?,01126D30,?,00000000,?,?,?,?,?,01125043), ref: 01127D57
      • #1511.MFC140U(0000000C,?,?,00000000,01124B6B,01124B6B,?,01126D30,?,00000000,?,?,?,?,?,01125043), ref: 01127DCA
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511?tolower@?$ctype@D@std@@
      • String ID:
      • API String ID: 3697817171-0
      • Opcode ID: 9c7aa0ab808cfaa3c336ab55f4f3bf29779aa74e51c69a24761bacd2d1050d9c
      • Instruction ID: 67a617572c6c25f4ba81d6195f6516246b6fc0114936c1fbf888ea50a8d26cf9
      • Opcode Fuzzy Hash: 9c7aa0ab808cfaa3c336ab55f4f3bf29779aa74e51c69a24761bacd2d1050d9c
      • Instruction Fuzzy Hash: B1319176604229AFDB1DCF2CD49097EBBE5FF58310B14C06AE8598B381D730E961CB90
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • ?_Pninc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAEPA_WXZ.MSVCP140 ref: 0113EC45
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Pninc@?$basic_streambuf@_U?$char_traits@_W@std@@@std@@
      • String ID:
      • API String ID: 2830299734-0
      • Opcode ID: b9d6bedd3be11774a884a144790674fe67c4bab3aa870018f92552c3dc0719ae
      • Instruction ID: 4212bc6598518bfd3219b0afde28ceb04ca9c5cd90fc35d29948df4c15311b84
      • Opcode Fuzzy Hash: b9d6bedd3be11774a884a144790674fe67c4bab3aa870018f92552c3dc0719ae
      • Instruction Fuzzy Hash: 9D31A275A01319DFDF29DFA8C5449EEB7B9BF48304B54052AE603E3244E731EA45CB24
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E01143043(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi) {
      				void* _t41;
      				long _t47;
      				intOrPtr _t51;
      				intOrPtr _t57;
      				long _t58;
      				intOrPtr _t59;
      				intOrPtr* _t68;
      				intOrPtr _t69;
      				int _t70;
      				void* _t71;
      
      				_t59 = __ecx;
      				E01143D91(E01149F17, __ebx, __edi, 0x230);
      				 *((intOrPtr*)(_t71 - 0x224)) = _t59;
      				_t68 =  *((intOrPtr*)(_t71 + 8));
      				_t57 =  *((intOrPtr*)(_t68 + 4));
      				_t69 =  *_t68;
      				if(_t69 != _t57) {
      					do {
      						E01129A96(_t69);
      						_t69 = _t69 + 0x18;
      					} while (_t69 != _t57);
      					_t69 =  *_t68;
      				}
      				 *((intOrPtr*)(_t68 + 4)) = _t69;
      				_t70 = 0;
      				memset(_t71 - 0x218, 0, 0x208);
      				 *(_t71 - 0x21c) = 0;
      				_t58 = RegQueryInfoKeyW( *( *((intOrPtr*)(_t71 - 0x224)) + 4), 0, 0, 0, _t71 - 0x21c, 0, 0, 0, 0, 0, 0, 0);
      				if(_t58 == 0) {
      					if( *(_t71 - 0x21c) > 0) {
      						while(_t58 == 0) {
      							 *(_t71 - 0x220) = 0x104;
      							_t47 = RegEnumKeyExW( *( *((intOrPtr*)(_t71 - 0x224)) + 4), _t70, _t71 - 0x218, _t71 - 0x220, 0, 0, 0, 0);
      							 *(_t71 - 0x22c) =  *(_t71 - 0x22c) & 0x00000000;
      							_t58 = _t47;
      							 *((intOrPtr*)(_t71 - 0x228)) = 7;
      							 *((short*)(_t71 - 0x23c)) = 0;
      							E0112BA2B(_t71 - 0x218);
      							 *(_t71 - 4) =  *(_t71 - 4) & 0x00000000;
      							_t51 =  *((intOrPtr*)(_t68 + 4));
      							_push(_t71 - 0x23c);
      							if(_t51 ==  *((intOrPtr*)(_t68 + 8))) {
      								_push(_t51);
      								E0113F069(_t58, _t68, _t68, _t70);
      							} else {
      								E011299D1(_t51);
      								 *((intOrPtr*)(_t68 + 4)) =  *((intOrPtr*)(_t68 + 4)) + 0x18;
      							}
      							 *(_t71 - 4) =  *(_t71 - 4) | 0xffffffff;
      							E01129A96(_t71 - 0x23c);
      							_t70 = _t70 + 1;
      							if(_t70 <  *(_t71 - 0x21c)) {
      								continue;
      							}
      							goto L11;
      						}
      					}
      					L11:
      					_t41 = 1;
      				} else {
      					_t41 = 0;
      				}
      				return E01143D3B(_t41, _t58, _t68);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0114304D
      • memset.VCRUNTIME140(?,00000000,00000208,00000230,0112EB95,?,abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789. ,SOFTWARE\WOW6432Node\Clients\StartMenuInternet,00000078,0112E440,0115A0B4,0115A0CC), ref: 01143086
      • RegQueryInfoKeyW.ADVAPI32(00000002,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 011430AE
      • RegEnumKeyExW.ADVAPI32 ref: 011430FD
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: EnumH_prolog3_InfoQuerymemset
      • String ID:
      • API String ID: 2870005409-0
      • Opcode ID: aa63e8e2f6a39e3c220aaef9e4698afc68ae677d883958c5f3791c73941c2ec8
      • Instruction ID: 524c5a15f8bf5e6a1f1b78a230d975ea5aeccb2faf5b65ca9164d79022eb2de3
      • Opcode Fuzzy Hash: aa63e8e2f6a39e3c220aaef9e4698afc68ae677d883958c5f3791c73941c2ec8
      • Instruction Fuzzy Hash: 763154B6911239ABDB29DB58CC88ADABBB8BF18714F1041A5D52DA3140D7349E90CF94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 68%
      			E011400AF(void* __ebx, intOrPtr __ecx, intOrPtr* __edx, void* __edi) {
      				intOrPtr _t27;
      				intOrPtr _t33;
      				intOrPtr* _t34;
      				intOrPtr _t35;
      				intOrPtr* _t45;
      				intOrPtr* _t47;
      				intOrPtr* _t48;
      				intOrPtr* _t49;
      				void* _t50;
      
      				_t35 = __ecx;
      				E01143D91(E0114970C, __ebx, __edi, 0xa8);
      				_t48 = __edx;
      				 *((intOrPtr*)(_t50 - 0xb0)) = __edx;
      				_t33 = _t35;
      				 *((intOrPtr*)(_t50 - 0xb4)) = _t33;
      				 *((intOrPtr*)(_t50 - 0xac)) = _t33;
      				_t47 =  *((intOrPtr*)(_t50 + 8));
      				 *((intOrPtr*)(_t50 - 0xac)) = _t33;
      				memset(_t50 - 0xa8, 0, 0x98);
      				E01122ED0(_t33, _t50 - 0xa8, _t47);
      				 *(_t50 - 4) =  *(_t50 - 4) & 0x00000000;
      				_t27 =  *((intOrPtr*)(_t48 + 4));
      				_t49 =  *_t48;
      				 *((intOrPtr*)(_t50 - 0xac)) = _t27;
      				if(_t49 != _t27) {
      					_t34 =  *((intOrPtr*)(_t50 - 0xb0));
      					do {
      						if(_t49 !=  *_t34) {
      							_t45 = _t47;
      							if( *((intOrPtr*)(_t47 + 0x14)) >= 8) {
      								_t45 =  *_t47;
      							}
      							_push( *((intOrPtr*)(_t47 + 0x10)));
      							E01124358(_t34, _t50 - 0xa8, _t45, _t47);
      						}
      						__imp__??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z( *_t49);
      						_t49 = _t49 + 4;
      					} while (_t49 !=  *((intOrPtr*)(_t50 - 0xac)));
      					_t33 =  *((intOrPtr*)(_t50 - 0xb4));
      				}
      				E01134C1E(_t33, _t50 - 0xa4, _t47);
      				E01122EA0();
      				__imp__??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ();
      				return E01143D3B(_t33, _t33, _t47, _t33);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 011400B9
      • memset.VCRUNTIME140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 011400EB
        • Part of subcall function 01122ED0: __EH_prolog3.LIBCMT ref: 01122ED7
        • Part of subcall function 01122ED0: ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011401C3,00000000,00000098,000000A8,0112EC1E,?), ref: 01122EEE
        • Part of subcall function 01122ED0: ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(00000000,00000000,00000000), ref: 01122F08
        • Part of subcall function 01122ED0: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01122F2B
      • ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAEAAV01@K@Z.MSVCP140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 0114013A
      • ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(?,00000000,00000098,000000A8,0113D242,?,?,?,00000008,?,00000000,00000008,00000000,00000098,000000E4,0112F1C5), ref: 01140168
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_??1?$basic_ios@_??6?$basic_ostream@_H_prolog3H_prolog3_V01@V?$basic_streambuf@_W@std@@@1@_memset
      • String ID:
      • API String ID: 1376832676-0
      • Opcode ID: 57f9a372bc741c7e8c78e3181afe972cbe78841e8d7b16a631ca5a953ea91a17
      • Instruction ID: 972f23cc6d5fd703aff8c5397ef5a4419394e842c0bde1c0e5debed51cbeb0bf
      • Opcode Fuzzy Hash: 57f9a372bc741c7e8c78e3181afe972cbe78841e8d7b16a631ca5a953ea91a17
      • Instruction Fuzzy Hash: 4B110731A00229DFDB28EF58CC84B8DB771BF19B04F4544A9E69967241DB30AE85CF52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • _Query_perf_frequency.MSVCP140(00000001,?,00000000,00000001,00000000,00000000), ref: 01132306
      • _Query_perf_counter.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,011339B2), ref: 01132313
      • __alldvrm.LIBCMT ref: 0113231E
      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01132340
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
      • String ID:
      • API String ID: 3135650852-0
      • Opcode ID: dfd74b44d4dfe843230750f677b7940c551ec843144ef72a48718cbc97b1317e
      • Instruction ID: d4f17c5eed4eeedb69860897cdca9d47bedf9c9d03ff6754ba846c4cd2fba1be
      • Opcode Fuzzy Hash: dfd74b44d4dfe843230750f677b7940c551ec843144ef72a48718cbc97b1317e
      • Instruction Fuzzy Hash: 710162B1B002047FD7189BAD5C84E5FBBFDDB88A94B158179B50DD7310D5359C004760
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E0113F5E3(void* __ebx, intOrPtr* __ecx, void* __edi) {
      				intOrPtr* _t38;
      				intOrPtr* _t45;
      				void* _t46;
      				void* _t47;
      
      				_t38 = __ecx;
      				E01143D5D(E01149572, __ebx, __edi, 0xc);
      				_t45 = _t38;
      				 *((intOrPtr*)(_t47 - 0x14)) = _t45;
      				 *(_t47 - 0x10) =  *(_t47 - 0x10) & 0x00000000;
      				 *((intOrPtr*)(_t47 - 0x18)) = _t45;
      				 *_t45 = 0x114c5ac;
      				__imp__??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
      				_t46 = _t45 + 4;
      				 *(_t47 - 0x10) = 1;
      				__imp__??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z(_t46, 0, 0);
      				 *(_t47 - 4) = 1;
      				_push(_t45);
      				_t41 = _t46;
      				 *((intOrPtr*)(_t45 +  *((intOrPtr*)( *_t45 + 4)))) = 0x114f2ac;
      				_t43 =  *((intOrPtr*)( *_t45 + 4));
      				 *((intOrPtr*)( *((intOrPtr*)( *_t45 + 4)) + _t45 - 4)) =  *((intOrPtr*)( *_t45 + 4)) - 0x68;
      				E0113EF5A(1, _t46, _t45);
      				 *(_t47 - 4) = 2;
      				if( *((intOrPtr*)(_t45 + 0x50)) == 0) {
      					_t32 =  >=  ?  *0x115a174 : 0x115a174;
      					E0113F75C(1, _t45, _t43, _t45,  >=  ?  *0x115a174 : 0x115a174, _t41, _t41);
      					 *((intOrPtr*)(_t45 + 0xc8)) = 6;
      					 *((intOrPtr*)(_t45 + 0xcc)) = 3;
      					InitializeCriticalSection(_t45 + 0xb0);
      				}
      				return E01143D26(_t45);
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 0113F5EA
      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(0000000C), ref: 0113F604
      • ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 0113F61E
        • Part of subcall function 0113EF5A: __EH_prolog3.LIBCMT ref: 0113EF61
        • Part of subcall function 0113EF5A: ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000004,0113F647), ref: 0113EF6B
        • Part of subcall function 0113F75C: __EH_prolog3.LIBCMT ref: 0113F763
        • Part of subcall function 0113F75C: ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(?,0000000A,00000040,00000008,0113F671,0115A174), ref: 0113F77B
        • Part of subcall function 0113F75C: ?getloc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001), ref: 0113F798
        • Part of subcall function 0113F75C: ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00000008,0113F671,0115A174), ref: 0113F7CE
      • InitializeCriticalSection.KERNEL32(?), ref: 0113F68C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$H_prolog3$??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_?getloc@?$basic_streambuf@_?setstate@?$basic_ios@_CriticalFiopen@std@@InitializeSectionU_iobuf@@V?$basic_streambuf@_Vlocale@2@W@std@@@1@_
      • String ID:
      • API String ID: 1978948392-0
      • Opcode ID: e1358b2a04fa1a9f1f2c764746a762441ae0b8cfcd46049854404d2bc3363cdd
      • Instruction ID: 6eae59078103a82dff927546a0461a184b3c8bf51a9cb73c9f7b856a5b041568
      • Opcode Fuzzy Hash: e1358b2a04fa1a9f1f2c764746a762441ae0b8cfcd46049854404d2bc3363cdd
      • Instruction Fuzzy Hash: F41119B4A10706DFDB18CF68D588BADBBB4FF48704F508219E12997280C7B4AA55CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 36%
      			E0113FF62(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags) {
      				void* _t25;
      				intOrPtr* _t32;
      				intOrPtr _t37;
      				intOrPtr* _t40;
      				intOrPtr* _t42;
      				intOrPtr* _t43;
      				void* _t44;
      
      				_t32 = __ecx;
      				E01143D5D(E011496E6, __ebx, __edi, 0xc);
      				_t43 = _t32;
      				 *((intOrPtr*)(_t44 - 0x14)) = _t43;
      				 *((intOrPtr*)(_t44 - 0x10)) = 0;
      				 *_t43 = 0x114f2f0;
      				__imp__??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				_t42 = _t43 + 0x10;
      				 *((intOrPtr*)(_t44 - 4)) = 0;
      				 *((intOrPtr*)(_t44 - 0x10)) = 1;
      				__imp__??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z(_t42, 0, 0);
      				 *((intOrPtr*)(_t44 - 4)) = 1;
      				 *((intOrPtr*)(_t44 - 0x18)) = _t42;
      				 *((intOrPtr*)(_t43 +  *((intOrPtr*)( *_t43 + 4)))) = 0x114f2fc;
      				_t12 =  *((intOrPtr*)( *_t43 + 4)) - 0x60; // -94
      				 *((intOrPtr*)( *((intOrPtr*)( *_t43 + 4)) + _t43 - 4)) = _t12;
      				__imp__??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *((char*)(_t44 - 4)) = 2;
      				 *_t42 = 0x114bef8;
      				_t25 = E011236E0(1);
      				_t40 =  *((intOrPtr*)(_t44 + 8));
      				_t37 =  *((intOrPtr*)(_t40 + 0x10));
      				if( *((intOrPtr*)(_t40 + 0x14)) >= 8) {
      					_t40 =  *_t40;
      				}
      				E0113F7E5(_t42, _t40, _t40, _t37, _t25);
      				return E01143D26(_t43);
      			}











      APIs
      • __EH_prolog3.LIBCMT ref: 0113FF69
      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(0000000C,0113FBF8,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248,0115A0B4), ref: 0113FF81
      • ??0?$basic_istream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248), ref: 0113FF99
      • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(?,00000000,000000A8,000000D0,0112F079,?,FriendlyTypeName,AppX3xxs313wwkfjhythsb8q46xdsq8d2cvv,00000090,0112F492,?,0114C9C0,1248,0115A0B4,0115A0CC,00000380), ref: 0113FFC0
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$??0?$basic_ios@_??0?$basic_istream@_??0?$basic_streambuf@_H_prolog3V?$basic_streambuf@_W@std@@@1@_
      • String ID:
      • API String ID: 3209980553-0
      • Opcode ID: 6af1ced8e9d7fe3e9712499aec30737863ed589516c00a5b289fd45e143f65c6
      • Instruction ID: 12fb724039091e6c945af6927e44540f81f5dabe2c13a4d7d842c37cfe135de0
      • Opcode Fuzzy Hash: 6af1ced8e9d7fe3e9712499aec30737863ed589516c00a5b289fd45e143f65c6
      • Instruction Fuzzy Hash: A7115AB4A0020ADFC718DF99C58486EFBF5FF99704B50845DE055AB340C770EA81CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 26%
      			E0112D3D9(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi) {
      				intOrPtr* _t28;
      				intOrPtr* _t35;
      				intOrPtr _t40;
      				void* _t42;
      				intOrPtr* _t44;
      				intOrPtr* _t45;
      				void* _t46;
      
      				_t42 = __edx;
      				_t35 = __ecx;
      				E01143D5D(E01146C3C, __ebx, __edi, 0xc);
      				_t45 = _t35;
      				 *((intOrPtr*)(_t46 - 0x14)) = _t45;
      				 *(_t46 - 0x10) =  *(_t46 - 0x10) & 0x00000000;
      				 *_t45 = 0x114c5ac;
      				 *((intOrPtr*)(_t45 + 0x10)) = 0x114c5a4;
      				__imp__??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ();
      				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
      				_t44 = _t45 + 0x18;
      				 *(_t46 - 0x10) = 1;
      				__imp__??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z(_t44, 0);
      				 *(_t46 - 4) = 1;
      				 *((intOrPtr*)(_t46 - 0x18)) = _t44;
      				 *((intOrPtr*)(_t45 +  *((intOrPtr*)( *_t45 + 4)))) = 0x114c5b8;
      				_t15 =  *((intOrPtr*)( *_t45 + 4)) - 0x68; // -104
      				 *((intOrPtr*)( *((intOrPtr*)( *_t45 + 4)) + _t45 - 4)) = _t15;
      				__imp__??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ();
      				_t28 =  *((intOrPtr*)(_t46 + 8));
      				 *(_t46 - 4) = 2;
      				 *_t44 = 0x114c568;
      				_t40 =  *((intOrPtr*)(_t28 + 0x10));
      				if( *((intOrPtr*)(_t28 + 0x14)) >= 0x10) {
      					_t28 =  *_t28;
      				}
      				E0112D96D(_t44, _t42, _t28, _t40, 0);
      				return E01143D26(_t45);
      			}











      APIs
      • __EH_prolog3.LIBCMT ref: 0112D3E0
      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(0000000C,0112D199,?,?,?,?,?,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D3FE
      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(00000000,00000000,?,?,?,?,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D416
      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,?,C:\git\modular-installer\kernel\InstallerConfiguration.cpp), ref: 0112D43C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@D@std@@@1@@H_prolog3V?$basic_streambuf@
      • String ID:
      • API String ID: 3520252885-0
      • Opcode ID: 9c4e2ffff4e92076e23d3695cd09ef20bcbd2220300efbbe161e555966993166
      • Instruction ID: 9c8d6435ff54352046c489581aca56031277018fdbb24f8315b4bd4f256f82f4
      • Opcode Fuzzy Hash: 9c4e2ffff4e92076e23d3695cd09ef20bcbd2220300efbbe161e555966993166
      • Instruction Fuzzy Hash: 801110B4600305CFDB28CF58C588B6EBBF0BB59B04F50855DE0A6AB281C7B1AA00CB95
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __EH_prolog3.LIBCMT ref: 01134174
      • #1511.MFC140U(00000010,00000004,011364A5,0000000C,011214FC), ref: 0113418F
      • #1511.MFC140U(0000000C), ref: 011341B7
      • curl_multi_init.LIBCURL ref: 011341D4
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511$H_prolog3curl_multi_init
      • String ID:
      • API String ID: 146540404-0
      • Opcode ID: 461d95ab8ac8f986a9db746b0f6c1ceec6e3e751eb1d494bb7d545abdf039545
      • Instruction ID: 7f52485732762071efa9d001a727d7f32bce28db6b2bac0ee2930ff1b5754e6d
      • Opcode Fuzzy Hash: 461d95ab8ac8f986a9db746b0f6c1ceec6e3e751eb1d494bb7d545abdf039545
      • Instruction Fuzzy Hash: 1601D4B5A14721DFEB28CFB8C804359BBF0BF18B22F058869D65ADB695D3B4D840CB51
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 19%
      			E01134AD8(void* __ebx, intOrPtr* __ecx, void* __edi) {
      				intOrPtr* _t32;
      				void* _t37;
      				intOrPtr* _t39;
      				intOrPtr* _t40;
      				void* _t41;
      
      				_t32 = __ecx;
      				E01143D5D(E01148265, __ebx, __edi, 8);
      				_t39 = _t32;
      				 *((intOrPtr*)(_t41 - 0x14)) = _t39;
      				 *(_t41 - 0x10) =  *(_t41 - 0x10) & 0x00000000;
      				 *_t39 = 0x114c5ac;
      				 *((intOrPtr*)(_t39 + 0x10)) = 0x114c5a4;
      				__imp__??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
      				_t40 = _t39 + 0x18;
      				 *(_t41 - 0x10) = 1;
      				__imp__??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z(_t40, 0);
      				 *(_t41 - 4) = 1;
      				 *((intOrPtr*)(_t39 +  *((intOrPtr*)( *_t39 + 4)))) = 0x114d484;
      				_t14 =  *((intOrPtr*)( *_t39 + 4)) - 0x68; // -104
      				 *((intOrPtr*)( *((intOrPtr*)( *_t39 + 4)) + _t39 - 4)) = _t14;
      				__imp__??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *(_t40 + 0x38) =  *(_t40 + 0x38) & 0x00000000;
      				_t37 = 3;
      				 *_t40 = 0x114bef8;
      				 *((intOrPtr*)(_t40 + 0x3c)) = E011236E0(_t37);
      				return E01143D26(_t39);
      			}









      APIs
      • __EH_prolog3.LIBCMT ref: 01134ADF
      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011342E5,00000000,000000B0,00000220,01133C34), ref: 01134AFD
      • ??0?$basic_iostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@@Z.MSVCP140(?,00000000), ref: 01134B15
      • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01134B38
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$??0?$basic_ios@_??0?$basic_iostream@_??0?$basic_streambuf@_H_prolog3V?$basic_streambuf@_W@std@@@1@@
      • String ID:
      • API String ID: 32132887-0
      • Opcode ID: 7c2b2e7868765be6410b4cea9dbd45e05363ea1a471bd0ebefd44296f42cc52a
      • Instruction ID: 71c824b592080eecc5ffe3b363e057f510ce8896bf264906cacb9a9bdafe8cd0
      • Opcode Fuzzy Hash: 7c2b2e7868765be6410b4cea9dbd45e05363ea1a471bd0ebefd44296f42cc52a
      • Instruction Fuzzy Hash: 710165746107028FCB18CF59C684B6CBBF0BF48718F60801CD025AB680CB70AA54CF95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 19%
      			E01122ED0(void* __ebx, intOrPtr* __ecx, void* __edi) {
      				intOrPtr* _t31;
      				void* _t36;
      				intOrPtr* _t38;
      				intOrPtr* _t39;
      				void* _t40;
      
      				_t31 = __ecx;
      				E01143D5D(E01145B70, __ebx, __edi, 8);
      				_t38 = _t31;
      				 *((intOrPtr*)(_t40 - 0x14)) = _t38;
      				 *(_t40 - 0x10) =  *(_t40 - 0x10) & 0x00000000;
      				 *_t38 = 0x114bf34;
      				__imp__??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
      				_t39 = _t38 + 4;
      				 *(_t40 - 0x10) = 1;
      				__imp__??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z(_t39, 0, 0);
      				 *(_t40 - 4) = 1;
      				 *((intOrPtr*)(_t38 +  *((intOrPtr*)( *_t38 + 4)))) = 0x114bf40;
      				_t13 =  *((intOrPtr*)( *_t38 + 4)) - 0x50; // -80
      				 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 4)) + _t38 - 4)) = _t13;
      				__imp__??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ();
      				 *(_t39 + 0x38) =  *(_t39 + 0x38) & 0x00000000;
      				_t36 = 2;
      				 *_t39 = 0x114bef8;
      				 *((intOrPtr*)(_t39 + 0x3c)) = E011236E0(_t36);
      				return E01143D26(_t38);
      			}









      APIs
      • __EH_prolog3.LIBCMT ref: 01122ED7
      • ??0?$basic_ios@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140(00000008,011401C3,00000000,00000098,000000A8,0112EC1E,?), ref: 01122EEE
      • ??0?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QAE@PAV?$basic_streambuf@_WU?$char_traits@_W@std@@@1@_N@Z.MSVCP140(00000000,00000000,00000000), ref: 01122F08
      • ??0?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@IAE@XZ.MSVCP140 ref: 01122F2B
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@_$W@std@@@std@@$??0?$basic_ios@_??0?$basic_ostream@_??0?$basic_streambuf@_H_prolog3V?$basic_streambuf@_W@std@@@1@_
      • String ID:
      • API String ID: 240363066-0
      • Opcode ID: ec93043db8b2605a6b9e4bc50d5e9cca20ad2f86281754d47bb3ba2bb4ca8061
      • Instruction ID: 92132fd8649936c034d8c9778a242ef42df07baa29831245ac6ba7e378eaefeb
      • Opcode Fuzzy Hash: ec93043db8b2605a6b9e4bc50d5e9cca20ad2f86281754d47bb3ba2bb4ca8061
      • Instruction Fuzzy Hash: 210148746143069FD718DF58C688B6DBBF0BF48714F508019E165AB280CB70AA14CF95
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E011437BA(intOrPtr* _a4) {
      				intOrPtr _t7;
      				intOrPtr _t12;
      				intOrPtr _t13;
      				void* _t17;
      				void* _t19;
      				intOrPtr* _t20;
      
      				EnterCriticalSection(0x115b04c);
      				_t12 =  *0x115a000; // 0x80000000
      				_t13 = _t12 + 1;
      				 *0x115a000 = _t13;
      				 *_a4 = _t13;
      				_t7 =  *0x115a000; // 0x80000000
      				 *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c] +  *0x115b3c4 * 4)) + 4)) = _t7;
      				LeaveCriticalSection(0x115b04c);
      				_t19 = _t17;
      				_push(_t19);
      				_t20 =  *0x115b068;
      				if(_t20 == 0) {
      					SetEvent( *0x115b048);
      					return ResetEvent( *0x115b048);
      				} else {
      					 *0x114b51c(0x115b044);
      					return  *_t20();
      				}
      			}










      APIs
      • EnterCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437C4
      • LeaveCriticalSection.KERNEL32(0115B04C,?,?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 011437F7
      • SetEvent.KERNEL32(?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 01143878
      • ResetEvent.KERNEL32(?,011342C5,0115B5D8,0114A0CA,00000220,01133C34), ref: 01143884
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: CriticalEventSection$EnterLeaveReset
      • String ID:
      • API String ID: 3553466030-0
      • Opcode ID: e3e9caeadbf995031469c6b88e2cce3c901a5ef16b8230b6758b5cbbab974d6e
      • Instruction ID: aec5902e1ee6bc571013a8636e72f4696a36e9292e9b7dbea208eb41fa892e71
      • Opcode Fuzzy Hash: e3e9caeadbf995031469c6b88e2cce3c901a5ef16b8230b6758b5cbbab974d6e
      • Instruction Fuzzy Hash: 6D018135548320DBC72D9F18F808A997BB6FF08B017014079E93597348DB345C81CB88
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 25%
      			E01131CE4(void* __ebx, intOrPtr* __ecx, void* __edi) {
      				intOrPtr* _t32;
      				intOrPtr* _t38;
      				intOrPtr* _t39;
      				void* _t40;
      
      				_t32 = __ecx;
      				E01143D5D(E01147AE2, __ebx, __edi, 8);
      				_t38 = _t32;
      				 *((intOrPtr*)(_t40 - 0x14)) = _t38;
      				 *(_t40 - 0x10) =  *(_t40 - 0x10) & 0x00000000;
      				 *_t38 = 0x114c5ac;
      				 *((intOrPtr*)(_t38 + 0x10)) = 0x114c5a4;
      				__imp__??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ();
      				 *(_t40 - 4) =  *(_t40 - 4) & 0x00000000;
      				_t39 = _t38 + 0x18;
      				 *(_t40 - 0x10) = 1;
      				__imp__??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z(0);
      				 *(_t40 - 4) = 1;
      				 *((intOrPtr*)(_t38 +  *((intOrPtr*)( *_t38 + 4)))) = 0x114c5b8;
      				_t14 =  *((intOrPtr*)( *_t38 + 4)) - 0x68; // -104
      				 *((intOrPtr*)( *((intOrPtr*)( *_t38 + 4)) + _t38 - 4)) = _t14;
      				__imp__??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ();
      				 *(_t39 + 0x38) =  *(_t39 + 0x38) & 0x00000000;
      				 *(_t39 + 0x3c) =  *(_t39 + 0x3c) & 0x00000000;
      				 *_t39 = 0x114c568;
      				return E01143D26(_t38, _t39);
      			}








      APIs
      • __EH_prolog3.LIBCMT ref: 01131CEB
      • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(00000008,00000010,?,?,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068), ref: 01131D09
      • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000,?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809,?), ref: 01131D21
      • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,01140643,?,00000000,?,?,?,00000000,0114D684,00000001,0114F384,00000068,01133809,?,?), ref: 01131D44
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@D@std@@@1@@H_prolog3V?$basic_streambuf@
      • String ID:
      • API String ID: 3520252885-0
      • Opcode ID: 7435394eae8202401778075fa144477e2cd9d7db19b24ca7f75f6ea32804344d
      • Instruction ID: 17e271e7720e5f81f252e9a7cb7c919f6d9eb4d98159266b4ea720b7019f9e47
      • Opcode Fuzzy Hash: 7435394eae8202401778075fa144477e2cd9d7db19b24ca7f75f6ea32804344d
      • Instruction Fuzzy Hash: 9301E2746117068FC718CF59C688B9DBBF0BF48B19FA08519D065AB680CBB0AA54CFD5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E01143371(intOrPtr _a8) {
      				void* _t5;
      				void* _t6;
      
      				if(_a8 != 1) {
      					if(_a8 == 0 &&  *0x115b040 == 0) {
      						_push( *0x115b03c);
      						L01144EF4();
      					}
      					L6:
      					return 1;
      				}
      				_t5 = LocalAlloc(0, 0x2000);
      				if(_t5 == 0) {
      					return _t5;
      				}
      				_t6 = LocalFree(_t5);
      				_push(0x115afa0);
      				L01144EF4();
      				 *0x115b03c = _t6;
      				goto L6;
      			}






      APIs
      • LocalAlloc.KERNEL32(00000000,00002000), ref: 01143381
      • LocalFree.KERNEL32(00000000), ref: 0114338C
      • #2365.MFC140U(0115AFA0), ref: 01143397
      • #2365.MFC140U ref: 011433B8
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #2365Local$AllocFree
      • String ID:
      • API String ID: 3610521006-0
      • Opcode ID: 4b021299fee30b0d0beac0e66bea8b453029de6bb8582b75a6bfe4a7ce59a3bf
      • Instruction ID: c709d4512bf5364ccf5ca0805729e11b9328c3c6f1136e7c9181e8c99d35f430
      • Opcode Fuzzy Hash: 4b021299fee30b0d0beac0e66bea8b453029de6bb8582b75a6bfe4a7ce59a3bf
      • Instruction Fuzzy Hash: 24E0923055C318EBDB3CAF65A809B293779BB10F26F108035E53591585DB789084CF25
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E011433FD() {
      				void* _t11;
      				void* _t14;
      				void* _t17;
      				void* _t19;
      
      				E01143D5D(E01149FE4, _t14, _t17, 8);
      				_t11 = E011322F7();
      				_push(0x115afa0);
      				L01143365();
      				_push( *((intOrPtr*)(_t19 + 0x14)));
      				 *(_t19 - 4) =  *(_t19 - 4) & 0x00000000;
      				_push( *((intOrPtr*)(_t19 + 0x10)));
      				_push( *((intOrPtr*)(_t19 + 0xc)));
      				L01144EFA();
      				L0114336B();
      				return E01143D26(_t11,  *((intOrPtr*)(_t19 + 8)));
      			}








      APIs
      • __EH_prolog3.LIBCMT ref: 01143404
      • #324.MFC140U(0115AFA0,00000008), ref: 01143416
      • #2411.MFC140U(?,?,?,?,0115AFA0,00000008), ref: 0114342B
      • #1052.MFC140U(?,?,?,?,0115AFA0,00000008), ref: 01143435
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1052#2411#324H_prolog3
      • String ID:
      • API String ID: 3272271180-0
      • Opcode ID: 0568eace6d8b65f05ca98536aca019f2405edb3d74ee9625653a45df069709ca
      • Instruction ID: 76ca8c947aa0a81a42fe9049e9accf5afef12c87916c8a054cf1131bd0d53cf6
      • Opcode Fuzzy Hash: 0568eace6d8b65f05ca98536aca019f2405edb3d74ee9625653a45df069709ca
      • Instruction Fuzzy Hash: 80E04F3151451BABCF19FFA0CD00B9D3721BF20A18F408004A8513A190CF754A25AB22
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 82%
      			E0113800D(void* __ebx, unsigned char __ecx, void* __edi) {
      				unsigned char* _t69;
      				signed char _t78;
      				signed char _t81;
      				unsigned char _t84;
      				void* _t91;
      				unsigned char _t96;
      				signed char _t97;
      				unsigned char _t98;
      				void* _t99;
      				unsigned char _t108;
      				intOrPtr _t114;
      				signed int _t115;
      				int _t119;
      				unsigned char _t120;
      				signed int _t121;
      				void* _t123;
      
      				_t98 = __ecx;
      				E01143D91(E0114895D, __ebx, __edi, 0x20);
      				_t120 = _t98;
      				 *(_t123 - 0x2c) = _t120;
      				 *(_t123 - 0x28) = _t120;
      				 *(_t123 - 0x28) = _t120;
      				 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
      				_t96 =  >=  ?  *((void*)(_t123 + 8)) : _t123 + 8;
      				asm("stosd");
      				_t99 = 0;
      				_t114 = 0;
      				 *(_t123 - 0x28) = _t96;
      				asm("stosd");
      				asm("stosd");
      				_t119 =  *(_t123 + 0x18);
      				 *(_t123 - 0x1c) =  *(_t123 - 0x1c) & 0;
      				 *(_t123 - 0x20) = 0;
      				 *((intOrPtr*)(_t123 - 0x18)) = 0;
      				if(_t119 != 0) {
      					_push(_t119);
      					E01128CBE(_t123 - 0x20);
      					_t91 =  *(_t123 - 0x20);
      					memset(_t91, 0, _t119);
      					 *(_t123 - 0x24) =  *(_t123 - 0x24) & 0x00000000;
      					 *(_t123 - 0x1c) = _t91 + _t119;
      					E01128C9B(_t123 - 0x24);
      					_t119 =  *(_t123 + 0x18);
      					_t114 =  *((intOrPtr*)(_t123 - 0x18));
      					_t99 =  *(_t123 - 0x20);
      					_t120 =  *(_t123 - 0x2c);
      				}
      				 *(_t123 - 4) = 1;
      				_t69 = _t99;
      				 *(_t123 - 0x24) =  *(_t123 - 0x24) & 0x00000000;
      				 *(_t123 - 0x1c) = _t69;
      				if(_t119 != 0) {
      					_t121 =  *(_t123 - 0x24);
      					while(1) {
      						_t96 =  *((intOrPtr*)(_t96 + _t121));
      						 *(_t123 - 0x11) = _t96;
      						if(_t96 < 0x30 || _t96 > 0x39) {
      							goto L6;
      						}
      						L30:
      						__eflags = _t69 - _t114;
      						L31:
      						if(__eflags == 0) {
      							E011385DA(_t96, _t123 - 0x20, _t119, _t121, _t69, _t123 - 0x11);
      							L35:
      							_t69 =  *(_t123 - 0x1c);
      						} else {
      							 *_t69 = _t96;
      							L33:
      							_t69 =  *(_t123 - 0x1c) + 1;
      							 *(_t123 - 0x1c) = _t69;
      						}
      						L36:
      						_t121 = _t121 + 1;
      						if(_t121 < _t119) {
      							_t114 =  *((intOrPtr*)(_t123 - 0x18));
      							_t96 =  *(_t123 - 0x28);
      							continue;
      						}
      						_t99 =  *(_t123 - 0x20);
      						_t120 =  *(_t123 - 0x2c);
      						goto L39;
      						L6:
      						if(_t96 < 0x61 || _t96 > 0x7a) {
      							if(_t96 < 0x41 || _t96 > 0x5a) {
      								if(_t96 == 0x2d || _t96 == 0x5f || _t96 == 0x2e || _t96 == 0x21 || _t96 == 0x7e || _t96 == 0x2a || _t96 == 0x27 || _t96 == 0x28 || _t96 == 0x29) {
      									goto L30;
      								} else {
      									if(_t96 != 0x20) {
      										 *(_t123 - 0x11) = 0x25;
      										__eflags = _t69 - _t114;
      										if(_t69 == _t114) {
      											E011385DA(_t96, _t123 - 0x20, _t119, _t121, _t69, _t123 - 0x11);
      											_t115 =  *(_t123 - 0x1c);
      										} else {
      											 *_t69 = 0x25;
      											_t115 =  *(_t123 - 0x1c) + 1;
      											 *(_t123 - 0x1c) = _t115;
      										}
      										_t97 = _t96 & 0x0000000f;
      										_t78 = 9;
      										_t108 = _t96 >> 4;
      										__eflags = _t78 - _t97;
      										asm("sbb al, al");
      										_t96 = _t97 + (_t78 & 0x00000027) + 0x30;
      										_t81 = 9;
      										__eflags = _t81 - _t108;
      										asm("sbb al, al");
      										_t84 = (_t81 & 0x00000027) + 0x30 + _t108;
      										 *(_t123 - 0x11) = _t84;
      										__eflags = _t115 -  *((intOrPtr*)(_t123 - 0x18));
      										if(_t115 ==  *((intOrPtr*)(_t123 - 0x18))) {
      											E011385DA(_t96, _t123 - 0x20, _t119, _t121, _t115, _t123 - 0x11);
      											_t69 =  *(_t123 - 0x1c);
      										} else {
      											 *_t115 = _t84;
      											_t69 =  *(_t123 - 0x1c) + 1;
      											 *(_t123 - 0x1c) = _t69;
      										}
      										__eflags = _t69 -  *((intOrPtr*)(_t123 - 0x18));
      										 *(_t123 - 0x11) = _t96;
      										goto L31;
      									} else {
      										 *(_t123 - 0x11) = 0x2b;
      										if(_t69 == _t114) {
      											E011385DA(_t96, _t123 - 0x20, _t119, _t121, _t69, _t123 - 0x11);
      											goto L35;
      										} else {
      											 *_t69 = 0x2b;
      											goto L33;
      										}
      									}
      								}
      							} else {
      								goto L30;
      							}
      						} else {
      							goto L30;
      						}
      						goto L36;
      					}
      				}
      				L39:
      				 *(_t120 + 0x10) =  *(_t120 + 0x10) & 0x00000000;
      				 *((intOrPtr*)(_t120 + 0x14)) = 0xf;
      				 *_t120 = 0;
      				__eflags = _t99 - _t69;
      				if(_t99 != _t69) {
      					__eflags = _t69 - _t99;
      					E01129863(_t120, _t99, _t69 - _t99);
      				}
      				E011286EB(_t123 - 0x20);
      				E01129AC1(_t123 + 8);
      				return E01143D3B(_t120, _t96, _t119);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01138014
      • memset.VCRUNTIME140(?,00000000,?,?,00000020,011404C1,?), ref: 01138065
        • Part of subcall function 011385DA: memmove.VCRUNTIME140(00000000,?,?,?,00000000,?,00000020,011404C1,?), ref: 01138649
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_memmovememset
      • String ID: %
      • API String ID: 2822191081-2567322570
      • Opcode ID: 5c7bd698269c6405050119491ac3706df01688390b65162cd605fe83a300f8fd
      • Instruction ID: 82c1c43f19992a77910a38811ddb382cd57ed02223c26ac196578166e502b1bb
      • Opcode Fuzzy Hash: 5c7bd698269c6405050119491ac3706df01688390b65162cd605fe83a300f8fd
      • Instruction Fuzzy Hash: 6961B331E5021ACFEF1ECF98C8657EEBBB1AB98300F584609E50177295D7385946CBA1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 97%
      			E01134885(void* __ebx, void* __edi, void* __eflags) {
      				signed int _t48;
      				void* _t77;
      				void* _t83;
      				signed int _t96;
      				signed int _t98;
      				signed int _t100;
      				signed int _t101;
      				void* _t102;
      				void* _t103;
      
      				E01143D91(E01148217, __ebx, __edi, 0x58);
      				_t48 =  *(_t102 + 0xc);
      				_t98 =  *(_t102 + 0x10);
      				_t100 =  *(_t102 + 8);
      				 *(_t102 - 0x5c) = _t48;
      				_t96 = _t48 * _t98 >> 0x20;
      				 *((intOrPtr*)(_t102 - 0x14)) = 0xf;
      				 *(_t102 - 0x18) = 0;
      				 *((char*)(_t102 - 0x28)) = 0;
      				E01129863(_t102 - 0x28, _t100,  ~(0 | __eflags > 0x00000000) | _t48 * _t98);
      				 *((intOrPtr*)(_t102 - 4)) = 0;
      				_t77 =  >=  ?  *((void*)(_t102 - 0x28)) : _t102 - 0x28;
      				if( *(_t102 - 0x18) <= 0) {
      					L3:
      					_t101 = _t100 | 0xffffffff;
      					__eflags = _t101;
      					L4:
      					_t83 = _t102 - 0x28;
      					if(_t101 != 0xffffffff) {
      						E01131C95(_t77, _t83, _t98, _t101, _t102 - 0x58, 0, _t101);
      						 *((char*)(_t102 - 4)) = 2;
      						E011349C2(_t102 - 0x58);
      						E01131C95(_t77, _t102 - 0x28, _t98, _t101, _t102 - 0x40, _t101 + 1, 0xffffffff);
      						 *((char*)(_t102 - 4)) = 3;
      						E011349C2(_t102 - 0x40);
      						_t104 = _t103 - 0x18;
      						 *((intOrPtr*)(_t102 - 0x64)) = _t103 - 0x18;
      						E011298E1(_t104, _t102 - 0x40);
      						 *((char*)(_t102 - 4)) = 4;
      						E011298E1(_t104 - 0x18, _t102 - 0x58);
      						 *((char*)(_t102 - 4)) = 3;
      						E01140C13(_t77,  *((intOrPtr*)(_t102 + 0x14)), _t96, _t98, __eflags);
      						E01129AC1(_t102 - 0x40);
      						E01129AC1(_t102 - 0x58);
      					} else {
      						E011349C2(_t83);
      						_t113 =  *(_t102 - 0x18);
      						if( *(_t102 - 0x18) != 0) {
      							_t106 = _t103 - 0x18;
      							 *((intOrPtr*)(_t102 - 0x60)) = _t103 - 0x18;
      							E011298AC(_t106, "present");
      							 *((char*)(_t102 - 4)) = 1;
      							E011298E1(_t106 - 0x18, _t102 - 0x28);
      							 *((char*)(_t102 - 4)) = 0;
      							E01140C13(_t77,  *((intOrPtr*)(_t102 + 0x14)), _t96, _t98, _t113);
      						}
      					}
      					_t99 = _t98 *  *(_t102 - 0x5c);
      					E01129AC1(_t102 - 0x28);
      					return E01143D3B(_t98 *  *(_t102 - 0x5c), _t77, _t99);
      				}
      				_t100 = memchr(_t77, 0x3a,  *(_t102 - 0x18));
      				_t103 = _t103 + 0xc;
      				if(_t100 == 0) {
      					goto L3;
      				}
      				_t101 = _t100 - _t77;
      				goto L4;
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0113488C
        • Part of subcall function 01129863: memmove.VCRUNTIME140(?,00000010,?,?,?,?,?,?), ref: 01129885
      • memchr.VCRUNTIME140(?,0000003A,00000000,?,00000000,?,?,?,?,?,00000058), ref: 011348DB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_memchrmemmove
      • String ID: present
      • API String ID: 2809845974-4257000983
      • Opcode ID: 9d26dde7016b24f3f4e8da9229cf6874c0ad61a7d444d025495445b27ae2e528
      • Instruction ID: ae161eaebcba2fdaab83e5b2dc92f678d630caa6195d189c34fef1248da8400f
      • Opcode Fuzzy Hash: 9d26dde7016b24f3f4e8da9229cf6874c0ad61a7d444d025495445b27ae2e528
      • Instruction Fuzzy Hash: 57416F31D0026EDBCF08EBE8C855AEDBBB4AF69318F540159D9517B284DB701A49CBA2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 66%
      			E01125236(void* __ebx, signed int __ecx, intOrPtr __edx, void* __edi) {
      				int _t53;
      				signed int _t56;
      				void* _t61;
      				intOrPtr _t62;
      				int _t67;
      				signed int _t68;
      				intOrPtr _t69;
      				void* _t70;
      				signed int _t77;
      				void* _t78;
      				void* _t79;
      				intOrPtr* _t81;
      				intOrPtr _t83;
      				intOrPtr* _t84;
      				void* _t85;
      
      				_t68 = __ecx;
      				E01143D91(E01145EAF, __ebx, __edi, 0x8c);
      				_t83 = __edx;
      				 *(_t85 - 0x94) = _t68;
      				_t84 =  *((intOrPtr*)(_t85 + 8));
      				if( *((intOrPtr*)( *((intOrPtr*)(_t85 + 0xc)))) != 0) {
      					_t67 = 0;
      					memset(_t85 - 0x90, 0, 0x80);
      					_t81 =  *((intOrPtr*)(_t85 + 0xc));
      					_push( *(_t85 + 0x10));
      					_t69 =  *_t81;
      					_push( *((intOrPtr*)(_t69 + 0x14)));
      					_push( *((intOrPtr*)(_t69 + 0x1c)));
      					_push(_t69);
      					_push(_t81 + 4);
      					_push(_t83);
      					_push( *(_t85 - 0x94));
      					_t70 = _t85 - 0x90;
      					E011256D3(0, _t70, _t83);
      					_push(_t70);
      					 *((intOrPtr*)(_t85 - 4)) = 0;
      					if(E01125D59(_t85 - 0x90, _t84) != 0) {
      						L10:
      						_t67 = 1;
      						if(_t84 != 0) {
      							 *_t84 =  *((intOrPtr*)(_t85 + 0x14));
      							_t56 =  *(_t85 - 0x94);
      							 *(_t84 + 0x14) = _t56;
      							 *((char*)(_t84 + 0x1c)) = _t56 & 0xffffff00 | _t56 !=  *((intOrPtr*)(_t84 + 0x18));
      						}
      						L12:
      						E011256B1(_t85 - 0x50);
      						E011256B1(_t85 - 0x5c);
      						E011242FB(_t85 - 0x6c);
      						E011256B1(_t85 - 0x7c);
      						E011242FB(_t85 - 0x8c);
      						_t53 = _t67;
      						L13:
      						return E01143D3B(_t53, _t67, _t83);
      					}
      					_t77 =  *(_t85 - 0x94);
      					if(_t77 == _t83 || ( *(_t85 + 0x10) & 0x00000040) != 0) {
      						goto L12;
      					} else {
      						 *(_t85 - 0x30) =  *(_t85 - 0x30) & 0xffffdfff | 0x00000100;
      						_t61 = _t77 + 1;
      						while(1) {
      							_t78 = _t85 - 0x90;
      							_t62 = E01125B90(_t78, _t61, _t83, _t67);
      							 *((intOrPtr*)(_t85 - 0x98)) = _t62;
      							_push(_t78);
      							_t79 = _t85 - 0x90;
      							_push(_t84);
      							if(_t62 == _t83) {
      								break;
      							}
      							 *((intOrPtr*)(_t85 - 0x3c)) = _t62;
      							if(E01125D59(_t79) != 0) {
      								goto L10;
      							}
      							_t61 =  *((intOrPtr*)(_t85 - 0x98)) + 1;
      						}
      						 *((intOrPtr*)(_t85 - 0x3c)) = _t83;
      						if(E01125D59(_t79) == 0) {
      							goto L12;
      						}
      						goto L10;
      					}
      				}
      				_t53 = 0;
      				goto L13;
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 01125240
      • memset.VCRUNTIME140(?,00000000,00000080,0000008C,01124D68,?,?,00000000,?,?,00000000,00000038,00000058,01121B0D,00000000,?), ref: 0112526F
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_memset
      • String ID: @
      • API String ID: 2828583354-2766056989
      • Opcode ID: 3fd6db5afabf16db0f71ce2c5cfc0b1c79f05dfcd31a15ba6f5e07f2c827bdfc
      • Instruction ID: 059f075280d4e38981ba463150c1e38eee27492192b498f1a3be7bd75a27a322
      • Opcode Fuzzy Hash: 3fd6db5afabf16db0f71ce2c5cfc0b1c79f05dfcd31a15ba6f5e07f2c827bdfc
      • Instruction Fuzzy Hash: C7317070800229AFDF69DF64D8C0BEDB776FF11308F144198E859A7252DB309A65CF50
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E0112E99D(void* __ebx, void* __edx, intOrPtr __edi) {
      				void* _t43;
      				intOrPtr* _t54;
      				intOrPtr* _t60;
      				void* _t88;
      				intOrPtr* _t89;
      
      				_t85 = __edi;
      				_t68 = __ebx;
      				_t43 = E01143D91(E01146EE9, __ebx, __edi, 0x4c);
      				if( *0x115a07c == 0) {
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					E01142822(__ebx, _t88 - 0x3c, _t88 - 0x3c);
      					 *((intOrPtr*)(_t88 - 4)) = 0;
      					 *((intOrPtr*)(_t88 - 0x14)) = 0;
      					_t85 = 7;
      					 *((char*)(_t88 - 4)) = 1;
      					 *((intOrPtr*)(_t88 - 0x1c)) = 0;
      					 *((intOrPtr*)(_t88 - 0x18)) = __edi;
      					 *((short*)(_t88 - 0x2c)) = 0;
      					E0112BA2B(L"SELECT Caption FROM Win32_OperatingSystem");
      					 *((char*)(_t88 - 4)) = 2;
      					E01142A4D(__ebx, _t88 - 0x3c, __edi, _t88 - 0x2c, _t88 - 0x14, _t88 - 0x30);
      					E01129A96(_t88 - 0x2c);
      					if( *((intOrPtr*)(_t88 - 0x30)) > 0) {
      						 *((intOrPtr*)(_t88 - 0x1c)) = 0;
      						 *((intOrPtr*)(_t88 - 0x18)) = __edi;
      						 *((short*)(_t88 - 0x2c)) = 0;
      						 *((char*)(_t88 - 4)) = 3;
      						 *((intOrPtr*)(_t88 - 0x44)) = 0;
      						 *((intOrPtr*)(_t88 - 0x40)) = __edi;
      						 *((short*)(_t88 - 0x54)) = 0;
      						E0112BA2B(L"Caption");
      						_push(_t88 - 0x2c);
      						_push(_t88 - 0x54);
      						_push(_t88 - 0x54);
      						 *((char*)(_t88 - 4)) = 5;
      						_t60 =  *((intOrPtr*)(_t88 - 0x14));
      						 *_t89 = _t60;
      						if(_t60 != 0) {
      							 *((intOrPtr*)( *_t60 + 4))(_t60);
      						}
      						 *((char*)(_t88 - 4)) = 4;
      						E01142BA1(_t68, _t85);
      						 *((char*)(_t88 - 4)) = 3;
      						E01129A96(_t88 - 0x54);
      						if( *((intOrPtr*)(_t88 - 0x1c)) != 0) {
      							E011293B6(0x115a06c, 0, E01136693(_t68, _t88 - 0x54, _t88 - 0x2c, _t85));
      							E01129AC1(_t88 - 0x54);
      						}
      						E01129A96(_t88 - 0x2c);
      					}
      					 *((char*)(_t88 - 4)) = 6;
      					_t54 =  *((intOrPtr*)(_t88 - 0x14));
      					if(_t54 != 0) {
      						 *((intOrPtr*)( *_t54 + 8))(_t54);
      					}
      					_t43 = E011429B9(_t88 - 0x3c);
      				}
      				return E01143D3B(_t43, _t68, _t85);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112E9A4
        • Part of subcall function 01142822: __EH_prolog3.LIBCMT ref: 01142829
        • Part of subcall function 01142822: CoInitializeEx.OLE32(00000000,00000000,00000010,01142D31,00000074,0112E986), ref: 0114284E
        • Part of subcall function 01142822: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01142867
        • Part of subcall function 01142822: #1511.MFC140U(00000018), ref: 01142873
        • Part of subcall function 01142822: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01142987
        • Part of subcall function 01142A4D: __EH_prolog3_GS.LIBCMT ref: 01142A54
        • Part of subcall function 01142A4D: #2.OLEAUT32(WQL,?,00000020,01142D74,?,?,0112E986,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'), ref: 01142ABB
        • Part of subcall function 01142A4D: #6.OLEAUT32(00000000), ref: 01142AEA
        • Part of subcall function 01142A4D: #6.OLEAUT32(0112E986), ref: 01142AF3
        • Part of subcall function 01142A4D: #1511.MFC140U(00000018), ref: 01142B12
        • Part of subcall function 01142A4D: _CxxThrowException.VCRUNTIME140(0112E986,01156040,0112E986), ref: 01142B9B
      Strings
      • Caption, xrefs: 0112EA2A
      • SELECT Caption FROM Win32_OperatingSystem, xrefs: 0112E9DD
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3_InitializeThrow$H_prolog3Security
      • String ID: Caption$SELECT Caption FROM Win32_OperatingSystem
      • API String ID: 2786062156-1290893371
      • Opcode ID: 54dc247c926c3641c02919654783395553ce459d54e7faef9e0b8f7a9840f580
      • Instruction ID: 71a0062989635c61af2a0630849db84ea82b0367e4c3c1119a571d7ef4aa3b68
      • Opcode Fuzzy Hash: 54dc247c926c3641c02919654783395553ce459d54e7faef9e0b8f7a9840f580
      • Instruction Fuzzy Hash: 47316F70C1126ADFDF19DBE8D540AEEBBB8BF28708F508059D015B7150DB745A08CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 80%
      			E0112E80E(void* __ebx, void* __edx, intOrPtr __edi) {
      				void* _t43;
      				intOrPtr* _t54;
      				intOrPtr* _t60;
      				void* _t88;
      				intOrPtr* _t89;
      
      				_t85 = __edi;
      				_t68 = __ebx;
      				_t43 = E01143D91(E01146EE9, __ebx, __edi, 0x4c);
      				if( *0x115a04c == 0) {
      					asm("stosd");
      					asm("stosd");
      					asm("stosd");
      					E01142822(__ebx, _t88 - 0x3c, _t88 - 0x3c);
      					 *((intOrPtr*)(_t88 - 4)) = 0;
      					 *((intOrPtr*)(_t88 - 0x14)) = 0;
      					_t85 = 7;
      					 *((char*)(_t88 - 4)) = 1;
      					 *((intOrPtr*)(_t88 - 0x1c)) = 0;
      					 *((intOrPtr*)(_t88 - 0x18)) = __edi;
      					 *((short*)(_t88 - 0x2c)) = 0;
      					E0112BA2B(L"Select ProcessorId From Win32_processor");
      					 *((char*)(_t88 - 4)) = 2;
      					E01142A4D(__ebx, _t88 - 0x3c, __edi, _t88 - 0x2c, _t88 - 0x14, _t88 - 0x30);
      					E01129A96(_t88 - 0x2c);
      					if( *((intOrPtr*)(_t88 - 0x30)) > 0) {
      						 *((intOrPtr*)(_t88 - 0x1c)) = 0;
      						 *((intOrPtr*)(_t88 - 0x18)) = __edi;
      						 *((short*)(_t88 - 0x2c)) = 0;
      						 *((char*)(_t88 - 4)) = 3;
      						 *((intOrPtr*)(_t88 - 0x44)) = 0;
      						 *((intOrPtr*)(_t88 - 0x40)) = __edi;
      						 *((short*)(_t88 - 0x54)) = 0;
      						E0112BA2B(L"ProcessorId");
      						_push(_t88 - 0x2c);
      						_push(_t88 - 0x54);
      						_push(_t88 - 0x54);
      						 *((char*)(_t88 - 4)) = 5;
      						_t60 =  *((intOrPtr*)(_t88 - 0x14));
      						 *_t89 = _t60;
      						if(_t60 != 0) {
      							 *((intOrPtr*)( *_t60 + 4))(_t60);
      						}
      						 *((char*)(_t88 - 4)) = 4;
      						E01142BA1(_t68, _t85);
      						 *((char*)(_t88 - 4)) = 3;
      						E01129A96(_t88 - 0x54);
      						if( *((intOrPtr*)(_t88 - 0x1c)) != 0) {
      							E011293B6(0x115a03c, 0, E01136693(_t68, _t88 - 0x54, _t88 - 0x2c, _t85));
      							E01129AC1(_t88 - 0x54);
      						}
      						E01129A96(_t88 - 0x2c);
      					}
      					 *((char*)(_t88 - 4)) = 6;
      					_t54 =  *((intOrPtr*)(_t88 - 0x14));
      					if(_t54 != 0) {
      						 *((intOrPtr*)( *_t54 + 8))(_t54);
      					}
      					_t43 = E011429B9(_t88 - 0x3c);
      				}
      				return E01143D3B(_t43, _t68, _t85);
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112E815
        • Part of subcall function 01142822: __EH_prolog3.LIBCMT ref: 01142829
        • Part of subcall function 01142822: CoInitializeEx.OLE32(00000000,00000000,00000010,01142D31,00000074,0112E986), ref: 0114284E
        • Part of subcall function 01142822: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 01142867
        • Part of subcall function 01142822: #1511.MFC140U(00000018), ref: 01142873
        • Part of subcall function 01142822: _CxxThrowException.VCRUNTIME140(?,01156040), ref: 01142987
        • Part of subcall function 01142A4D: __EH_prolog3_GS.LIBCMT ref: 01142A54
        • Part of subcall function 01142A4D: #2.OLEAUT32(WQL,?,00000020,01142D74,?,?,0112E986,SELECT * FROM Win32_PhysicalMedia WHERE Tag = '\\\\.\\PHYSICALDRIVE0'), ref: 01142ABB
        • Part of subcall function 01142A4D: #6.OLEAUT32(00000000), ref: 01142AEA
        • Part of subcall function 01142A4D: #6.OLEAUT32(0112E986), ref: 01142AF3
        • Part of subcall function 01142A4D: #1511.MFC140U(00000018), ref: 01142B12
        • Part of subcall function 01142A4D: _CxxThrowException.VCRUNTIME140(0112E986,01156040,0112E986), ref: 01142B9B
      Strings
      • ProcessorId, xrefs: 0112E89B
      • Select ProcessorId From Win32_processor, xrefs: 0112E84E
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511ExceptionH_prolog3_InitializeThrow$H_prolog3Security
      • String ID: ProcessorId$Select ProcessorId From Win32_processor
      • API String ID: 2786062156-1197514809
      • Opcode ID: c763faa93fdb8a2b6516ec8f26a83dc5a017ecba1b2906a509b96512ed55a683
      • Instruction ID: b3e3de9b5abd0f888761d903cfcd065c4eea3624916425c382a7fc15976301d8
      • Opcode Fuzzy Hash: c763faa93fdb8a2b6516ec8f26a83dc5a017ecba1b2906a509b96512ed55a683
      • Instruction Fuzzy Hash: B6316E70D1126EEFDF19DBE9C544AEEBBB8AF28708F50805AE111B7150DB745B08CB61
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 90%
      			E0112A2CE(void* __ebx, char* __ecx, void* __edx, void* __edi) {
      				void* _t39;
      				char* _t60;
      				void* _t61;
      				void* _t76;
      				char* _t77;
      				void* _t78;
      
      				_t60 = __ecx;
      				_t59 = __ebx;
      				E01143D91(E011462FE, __ebx, __edi, 0x40);
      				_t77 = _t60;
      				 *((intOrPtr*)(_t78 - 0x48)) = _t77;
      				 *((intOrPtr*)(_t78 - 0x4c)) = _t77;
      				 *((intOrPtr*)(_t78 - 0x44)) = 0;
      				 *((intOrPtr*)(_t77 + 0x10)) = 0;
      				 *((intOrPtr*)(_t77 + 0x14)) = 0xf;
      				 *_t77 = 0;
      				 *((intOrPtr*)(_t78 - 4)) = 0;
      				_push(_t60);
      				_t61 = __edx;
      				 *((intOrPtr*)(_t78 - 0x44)) = 1;
      				E0112B068(__ebx, __edx, 1, _t78 - 0x40);
      				 *((intOrPtr*)(_t78 - 0x44)) = 3;
      				_push(_t61);
      				 *((intOrPtr*)(_t78 - 4)) = 1;
      				E0112B068(_t59,  *((intOrPtr*)(_t78 + 8)), 1, _t78 - 0x28);
      				 *((intOrPtr*)(_t78 - 0x44)) = 0x13;
      				_t39 = 8;
      				 *((char*)(_t78 - 4)) = 2;
      				_t76 = 4;
      				_t40 =  ==  ? 1 : _t39;
      				_t41 = ( ==  ? 1 : _t39) +  *((intOrPtr*)(_t78 - 0x30));
      				_t42 = ( ==  ? 1 : _t39) +  *((intOrPtr*)(_t78 - 0x30)) +  *((intOrPtr*)(_t78 - 0x18));
      				_t43 = ( ==  ? 1 : _t39) +  *((intOrPtr*)(_t78 - 0x30)) +  *((intOrPtr*)(_t78 - 0x18)) +  *((intOrPtr*)(_t78 + 0x10));
      				E01122E36(_t77, ( ==  ? 1 : _t39) +  *((intOrPtr*)(_t78 - 0x30)) +  *((intOrPtr*)(_t78 - 0x18)) +  *((intOrPtr*)(_t78 + 0x10)));
      				E01129C57(_t77,  *((intOrPtr*)(_t78 + 0xc)),  *((intOrPtr*)(_t78 + 0x10)));
      				E01129C57(_t77, ": \"", 3);
      				_t48 =  >=  ?  *((void*)(_t78 - 0x40)) : _t78 - 0x40;
      				E01129C57(_t77,  >=  ?  *((void*)(_t78 - 0x40)) : _t78 - 0x40,  *((intOrPtr*)(_t78 - 0x30)));
      				if( *((intOrPtr*)(_t78 - 0x18)) != 0) {
      					E01129C57(_t77, "\", \"", 1);
      					_t57 =  >=  ?  *((void*)(_t78 - 0x28)) : _t78 - 0x28;
      					E01129C57(_t77,  >=  ?  *((void*)(_t78 - 0x28)) : _t78 - 0x28,  *((intOrPtr*)(_t78 - 0x18)));
      				}
      				E011294AE(_t77, 0x22);
      				E01129AC1(_t78 - 0x28);
      				E01129AC1(_t78 - 0x40);
      				return E01143D3B(_t77, _t59, _t76);
      			}

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: H_prolog3_
      • String ID: ", "$: "
      • API String ID: 2427045233-747220369
      • Opcode ID: 6a8c53630a0f29728b03951620585a78314501bacb8fbc52c6f9d5365e95fd2a
      • Instruction ID: 730247c50d864f048667aeb1ce3b619868f0741a548ca5b8a6631fae30b1ff1b
      • Opcode Fuzzy Hash: 6a8c53630a0f29728b03951620585a78314501bacb8fbc52c6f9d5365e95fd2a
      • Instruction Fuzzy Hash: 9C315C70A0022DEFCF29EFA8D854BEEBBB5BF54B08F540019E145B7280CB745A65CB54
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 95%
      			E0113F962(void* __ecx, void* __edi, void* __esi, WCHAR* _a4) {
      				signed int _v8;
      				signed int _v12;
      				intOrPtr _v16;
      				signed int _v20;
      				intOrPtr _v24;
      				signed int _v28;
      				intOrPtr _v32;
      				signed int _v36;
      				intOrPtr _v40;
      				short _v44;
      				signed int _v48;
      				intOrPtr _v52;
      				intOrPtr _v56;
      				signed int _v60;
      				intOrPtr _v64;
      				void* _v68;
      				signed int _t37;
      				signed int _t41;
      				int _t43;
      				int _t52;
      				void* _t64;
      				WCHAR* _t66;
      				signed int _t68;
      
      				_t37 =  *0x115a014; // 0x2648a249
      				_v8 = _t37 ^ _t68;
      				_t66 = _a4;
      				_t64 = __ecx;
      				if(_t66[8] != 0) {
      					_t41 = memset( &_v68, 0, 0x3c) | 0xffffffff;
      					_v68 = 0x3c;
      					_v60 = _t41;
      					_v48 = _t41;
      					_v36 = _t41;
      					_v28 = _t41;
      					_v20 = _t41;
      					_v12 = _t41;
      					if(_t66[0xa] >= 8) {
      						_t66 =  *_t66;
      					}
      					_t43 = InternetCrackUrlW(_t66, 0, 0,  &_v68);
      					E01129245(_t64 + 4, _v64, _v60);
      					E01129245(_t64 + 0x20, _v52, _v48);
      					E01129245(_t64 + 0x3c, _v40, _v36);
      					E01129245(_t64 + 0x54, _v32, _v28);
      					E01129245(_t64 + 0x6c, _v24, _v20);
      					E01129245(_t64 + 0x84, _v16, _v12);
      					 *((intOrPtr*)(_t64 + 0x1c)) = _v56;
      					 *((short*)(_t64 + 0x38)) = _v44;
      					_t52 = _t43;
      				} else {
      					_t52 = 0;
      				}
      				return E0114368F(_t52, _v8 ^ _t68);
      			}

      APIs
      • memset.VCRUNTIME140(?,00000000,0000003C), ref: 0113F98E
      • InternetCrackUrlW.WININET(?,00000000,00000000,0000003C), ref: 0113F9C3
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: CrackInternetmemset
      • String ID: <
      • API String ID: 1313810035-4251816714
      • Opcode ID: ba2fbaeabfc3ff7ba2449c14c95a561fcfb8b3105cadb8161a61180d48bab8d1
      • Instruction ID: 1e8de1238c6c56f09c454b0015982aa304956350a7120986e63c718202f64baf
      • Opcode Fuzzy Hash: ba2fbaeabfc3ff7ba2449c14c95a561fcfb8b3105cadb8161a61180d48bab8d1
      • Instruction Fuzzy Hash: 5E31E771D0022EEFCF15DFA8D840AEDBBB5FF18618F104129E515B22A0E7716A65CB94
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E011262F3(void* __ecx, char _a4, intOrPtr* _a8, intOrPtr* _a16) {
      				intOrPtr _v44;
      				intOrPtr _t46;
      				intOrPtr* _t48;
      				intOrPtr* _t51;
      				intOrPtr _t73;
      				intOrPtr _t74;
      				intOrPtr _t77;
      				intOrPtr* _t83;
      				intOrPtr* _t84;
      				intOrPtr* _t86;
      				intOrPtr* _t89;
      
      				E011257F8(_v44);
      				_push(0);
      				_push(0);
      				L01145637();
      				asm("int3");
      				_t46 =  *0x115b570;
      				if(_t46 >= 0x5d1745c) {
      					_t46 = E011257DA(_a16);
      					__imp__?_Xlength_error@std@@YAXPBD@Z("map/set<T> too long");
      				}
      				_t86 = _a16;
      				 *0x115b570 = _t46 + 1;
      				_t48 = _a8;
      				 *((intOrPtr*)(_t86 + 4)) = _t48;
      				_t73 =  *0x115b56c;
      				if(_t48 != _t73) {
      					if(_a4 == 0) {
      						 *((intOrPtr*)(_t48 + 8)) = _t86;
      						_t74 =  *0x115b56c;
      						if(_t48 ==  *((intOrPtr*)(_t74 + 8))) {
      							 *((intOrPtr*)(_t74 + 8)) = _t86;
      						}
      					} else {
      						 *_t48 = _t86;
      						_t83 =  *0x115b56c;
      						if(_t48 ==  *_t83) {
      							 *_t83 = _t86;
      						}
      					}
      				} else {
      					 *((intOrPtr*)(_t73 + 4)) = _t86;
      					 *((intOrPtr*)( *0x115b56c)) = _t86;
      					 *((intOrPtr*)( *0x115b56c + 8)) = _t86;
      				}
      				_t89 = _t86;
      				if( *((char*)( *((intOrPtr*)(_t86 + 4)) + 0xc)) != 0) {
      					L24:
      					 *((char*)( *((intOrPtr*)( *0x115b56c + 4)) + 0xc)) = 1;
      					return _t86;
      				} else {
      					do {
      						_t51 =  *((intOrPtr*)(_t89 + 4));
      						_t84 =  *((intOrPtr*)(_t51 + 4));
      						_t77 =  *_t84;
      						if(_t51 != _t77) {
      							if( *((char*)(_t77 + 0xc)) != 0) {
      								if(_t89 ==  *_t51) {
      									_t89 = _t51;
      									E01126580(0x115b56c, _t89);
      								}
      								 *((char*)( *((intOrPtr*)(_t89 + 4)) + 0xc)) = 1;
      								 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
      								E011265C6(0x115b56c,  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)));
      								goto L22;
      							}
      							L18:
      							 *((char*)(_t51 + 0xc)) = 1;
      							 *((char*)(_t77 + 0xc)) = 1;
      							 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
      							_t89 =  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4));
      							goto L22;
      						}
      						_t77 =  *((intOrPtr*)(_t84 + 8));
      						if( *((char*)(_t77 + 0xc)) == 0) {
      							goto L18;
      						}
      						if(_t89 ==  *((intOrPtr*)(_t51 + 8))) {
      							_t89 = _t51;
      							E011265C6(0x115b56c, _t89);
      						}
      						 *((char*)( *((intOrPtr*)(_t89 + 4)) + 0xc)) = 1;
      						 *((char*)( *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)) + 0xc)) = 0;
      						E01126580(0x115b56c,  *((intOrPtr*)( *((intOrPtr*)(_t89 + 4)) + 4)));
      						L22:
      					} while ( *((char*)( *((intOrPtr*)(_t89 + 4)) + 0xc)) == 0);
      					goto L24;
      				}
      			}

      APIs
      • _CxxThrowException.VCRUNTIME140(00000000,00000000), ref: 011262FF
      • ?_Xlength_error@std@@YAXPBD@Z.MSVCP140(map/set<T> too long), ref: 01126321
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ExceptionThrowXlength_error@std@@
      • String ID: map/set<T> too long
      • API String ID: 2465630161-1285458680
      • Opcode ID: b51d22350e3571fcef4ff35be1f0001f08bef7b433353bba41f9e8a5895b8b0e
      • Instruction ID: c8b97fd9978e803c0a2f974e46c6c87347bc7e2f9f5bf0638c021b87bb79a337
      • Opcode Fuzzy Hash: b51d22350e3571fcef4ff35be1f0001f08bef7b433353bba41f9e8a5895b8b0e
      • Instruction Fuzzy Hash: 44217A30208211DFC71DCF19E584B19BBE2BB59318F18C069E8598B3A2C771EC92CF14
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 51%
      			E0112E132(void* __ebx, intOrPtr* __ecx, void* __edi, void* __eflags, intOrPtr _a8) {
      				intOrPtr _v4;
      				signed int _v16;
      				char _v612;
      				signed int _v616;
      				signed int _v620;
      				signed int _t24;
      				signed int _t27;
      				intOrPtr* _t38;
      				char* _t40;
      				void* _t51;
      				signed int _t52;
      				signed int _t53;
      				intOrPtr* _t58;
      				signed int* _t59;
      				signed int _t60;
      				signed int _t67;
      				signed int _t69;
      
      				_t51 = __edi;
      				_t38 = __ecx;
      				_t37 = __ebx;
      				E01143D5D(E01146D79, __ebx, __edi, 4);
      				_t58 = _t38;
      				_v16 = _t58;
      				 *_t58 = 0;
      				 *((intOrPtr*)(_t58 + 4)) = 0;
      				_push(_t38);
      				_v4 = 0;
      				if(E01131E09(__ebx, _t38, _a8, __edi, __eflags) != 0) {
      					_push(_a8);
      					_t40 = "directory_iterator::directory_iterator";
      					E0112A46D(__ebx, _t40, _t22, __eflags);
      					asm("int3");
      					_t69 = (_t67 & 0xfffffff8) - 0x260;
      					_t24 =  *0x115a014; // 0x2648a249
      					_v16 = _t24 ^ _t69;
      					_push(_t58);
      					_t59 = _t40;
      					_push(_t51);
      					_t52 =  *_t59;
      					_t27 = E01144974( *((intOrPtr*)(_t52 + 0x38)),  &_v612);
      					__eflags = _t27;
      					if(_t27 != 0) {
      						__eflags = _t27 - 0x12;
      						if(__eflags != 0) {
      							_t28 = E0112DEA5(_t37, _t40, _t27, __eflags);
      							asm("int3");
      							_push(_t59);
      							_t60 = _t40[4];
      							__eflags = _t60;
      							if(_t60 != 0) {
      								_push(_t52);
      								_t53 = _t52 | 0xffffffff;
      								__eflags = _t53;
      								_t28 = _t53;
      								asm("lock xadd [esi+0x4], eax");
      								if(_t53 == 0) {
      									_t28 =  *( *_t60)();
      									asm("lock xadd [esi+0x8], edi");
      									__eflags = _t53 == 1;
      									if(_t53 == 1) {
      										_t28 =  *_t60;
      										goto ( *((intOrPtr*)( *_t60 + 4)));
      									}
      								}
      							}
      							return _t28;
      						} else {
      							 *_t59 =  *_t59 & 0x00000000;
      							_t11 =  &(_t59[1]);
      							 *_t11 = _t59[1] & 0x00000000;
      							__eflags =  *_t11;
      							_v616 = _t59[1];
      							_v620 =  *_t59;
      							L10();
      							goto L7;
      						}
      					} else {
      						_push( &_v612);
      						E0112E068(_t37, _t52, _t52);
      						L7:
      						__eflags = _v16 ^ _t69;
      						return E0114368F(_t59, _v16 ^ _t69);
      					}
      				} else {
      					return E01143D26(_t58);
      				}
      			}

      APIs
      • __EH_prolog3.LIBCMT ref: 0112E139
        • Part of subcall function 01131E09: __EH_prolog3_GS.LIBCMT ref: 01131E13
        • Part of subcall function 01131E09: #1511.MFC140U(00000050,?,00000288,0112E156,?,00000004,0112ED8F,?), ref: 01131E8E
        • Part of subcall function 01131E09: ___std_fs_close_handle@4.MSVCPRT ref: 01131EFC
      • ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0112E19D
      Strings
      • directory_iterator::directory_iterator, xrefs: 0112E16A
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: #1511H_prolog3H_prolog3____std_fs_close_handle@4___std_fs_directory_iterator_advance@8
      • String ID: directory_iterator::directory_iterator
      • API String ID: 1006803992-2645264736
      • Opcode ID: 107ee63c7a45290bf255c134684f84010e69d841ffa3bd32f40d672562a2afb0
      • Instruction ID: a55e7ce668f0ceea38ff793308959b8d3055029f11002159fbe332b783fa289a
      • Opcode Fuzzy Hash: 107ee63c7a45290bf255c134684f84010e69d841ffa3bd32f40d672562a2afb0
      • Instruction Fuzzy Hash: 3B01C4716153159FCB2CEF68DC0069B77E5BF98614F10453EE9A8C7240EB3099108BD2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 86%
      			E0112A53A(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __eflags) {
      				void* _t34;
      				void* _t35;
      				intOrPtr* _t39;
      				void* _t40;
      				void* _t41;
      				intOrPtr _t42;
      				intOrPtr* _t59;
      				intOrPtr* _t60;
      				char* _t62;
      				intOrPtr _t70;
      				intOrPtr _t73;
      				intOrPtr* _t74;
      				void* _t76;
      
      				_t70 = __edx;
      				_t59 = __ecx;
      				_t58 = __ebx;
      				_t34 = E01143D91(E011463DA, __ebx, __edi, 0x14);
      				_t74 = _t59;
      				 *((intOrPtr*)(_t76 - 0x14)) = _t74;
      				 *((intOrPtr*)(_t76 - 0x20)) = _t74;
      				 *(_t76 - 0x1c) =  *(_t76 - 0x1c) & 0x00000000;
      				_t35 = E0112BF21(_t34);
      				 *(_t76 - 4) = 1;
      				E0112BF21(_t35);
      				 *(_t74 + 0x10) =  *(_t74 + 0x10) & 0x00000000;
      				_push(_t59);
      				_t60 = _t74;
      				 *((intOrPtr*)(_t74 + 0x14)) = 7;
      				 *_t74 = 0;
      				 *(_t76 - 0x1c) = 2;
      				E0112C181(_t60, _t74, 0x105);
      				_t39 = _t74;
      				if( *((intOrPtr*)(_t74 + 0x14)) >= 8) {
      					_t39 =  *_t74;
      				}
      				_t40 = E01144D59(_t60, _t39);
      				_push(_t60);
      				_t73 = _t70;
      				_t41 = E0112C181(_t74, _t74, _t40);
      				if(_t73 != 0xffffffff) {
      					_t42 = E0112BF21(_t41);
      				} else {
      					_t42 = E0112BE15(_t41);
      					_t73 = 0x14;
      				}
      				 *((intOrPtr*)(_t76 - 0x14)) = _t42;
      				 *((intOrPtr*)(_t76 - 0x18)) = _t73;
      				 *(_t76 - 4) =  *(_t76 - 4) & 0x00000000;
      				 *(_t76 - 0x1c) = 1;
      				if(_t73 != 0) {
      					_push(_t74);
      					_t62 = "temp_directory_path";
      					E0112A4C5(_t58, _t62, _t76 - 0x18, __eflags);
      					asm("int3");
      					E01143D5D(E0114644C, _t58, _t73, 4);
      					_t75 = _t62;
      					 *(_t76 - 0x10) = _t62;
      					E0113416D(_t58, _t62, _t73);
      					_t18 = _t76 - 4;
      					 *_t18 =  *(_t76 - 4) & 0x00000000;
      					__eflags =  *_t18;
      					E0112BA52( &(_t75[8]), L"report_url");
      					 *(_t76 - 4) = 1;
      					E011298AC( &(_t75[0x20]), "aipc");
      					 *(_t76 - 4) = 2;
      					E011298AC( &(_t75[0x38]), "repc");
      					 *(_t76 - 4) = 3;
      					E011298AC( &(_t75[0x50]), "search_offer");
      					 *(_t76 - 4) = 4;
      					E011298AC( &(_t75[0x68]), "update_log");
      					 *(_t76 - 4) = 5;
      					E011298AC( &(_t75[0x80]), "update_action");
      					 *(_t76 - 4) = 6;
      					E011298AC( &(_t75[0x98]), "uninstall_log");
      					return E01143D26(_t75);
      				} else {
      					return E01143D3B(_t74, _t58, _t73);
      				}
      			}

      APIs
      • __EH_prolog3_GS.LIBCMT ref: 0112A541
        • Part of subcall function 0112BF21: ?_Execute_once@std@@YAHAAUonce_flag@1@P6GHPAX1PAPAX@Z1@Z.MSVCP140(0115B544,0112BF07,0115B53C,?,01129E03,?,?,?,011560D4,00000000,?), ref: 0112BF32
        • Part of subcall function 0112BF21: terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0(011560D4,00000000,?), ref: 0112BF3F
      • ___std_fs_get_temp_path@4.LIBCPMT ref: 0112A592
        • Part of subcall function 0112A4C5: __EH_prolog3_align.LIBCMT ref: 0112A4CE
        • Part of subcall function 0112A4C5: _CxxThrowException.VCRUNTIME140(?,011560B0,?,?,?,00000000,?,00000078,00000008,?,011560B0,?,?,?,?), ref: 0112A505
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ExceptionExecute_once@std@@H_prolog3_H_prolog3_alignThrowUonce_flag@1@___std_fs_get_temp_path@4terminate
      • String ID: temp_directory_path
      • API String ID: 4000482337-2156615564
      • Opcode ID: ae2fd429c3072387d7c44d52341a67dd3c7a9f6afb7f1756444bf5dd33173229
      • Instruction ID: e7751fd67c8d60b762865747efa522c62de98bfb7e418367d4a8be8e1cd1502e
      • Opcode Fuzzy Hash: ae2fd429c3072387d7c44d52341a67dd3c7a9f6afb7f1756444bf5dd33173229
      • Instruction Fuzzy Hash: 7D1104B0E103369BDB18EFA4D8047AF76F5AF54B28F10060DD154A7680CBB44A548FE6
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 65%
      			E0112DEF7(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
      				signed int _v4;
      				char _v24;
      				signed char _v32;
      				char _v48;
      				char _v144;
      				intOrPtr* _t24;
      				signed char _t29;
      				signed int* _t37;
      				void* _t38;
      				signed int _t40;
      				unsigned int _t41;
      				intOrPtr _t44;
      				intOrPtr _t47;
      				intOrPtr _t49;
      				void* _t54;
      
      				_t54 = __eflags;
      				_t38 = __edx;
      				_push(8);
      				_push(0x80);
      				E0114500B(E01146D0D, __ebx, __ecx);
      				_t24 = E01129DF8( &_v24, _t38);
      				_t44 =  *_t24;
      				_t47 =  *((intOrPtr*)(_t24 + 4));
      				E011298AC( &_v48, "copy_file");
      				_v4 = _v4 & 0x00000000;
      				_push(_t47);
      				_push(_t44);
      				_push( *((intOrPtr*)(__ebx + 0xc)));
      				_t37 =  &_v144;
      				_push( *((intOrPtr*)(__ebx + 8)));
      				_push( &_v48);
      				E0112DE21(__ebx, _t37, _t44, _t54);
      				_push(0x11560b0);
      				_push( &_v144);
      				L01145637();
      				asm("int3");
      				_t29 = _v32;
      				_push(_t47);
      				if(_t29 != 0) {
      					_t37[1] = 0xffff;
      					__eflags = _t29 - 2;
      					if(_t29 == 2) {
      						L12:
      						_t40 = 1;
      						__eflags = 1;
      					} else {
      						__eflags = _t29 - 3;
      						if(_t29 == 3) {
      							goto L12;
      						} else {
      							_t40 = 0;
      						}
      					}
      				} else {
      					_t49 = _a8;
      					_push(_t44);
      					_t41 =  *(_t49 + 0x10);
      					_t31 =  !=  ? 0x16d : 0x1ff;
      					_t37[1] =  !=  ? 0x16d : 0x1ff;
      					_t29 = _t41 >> 0xa;
      					if((_t29 & 0x00000001) == 0) {
      						L8:
      						_t40 = _t41 >> 0x00000004 & 0x00000001 | 0x00000002;
      					} else {
      						if( *((intOrPtr*)(_t49 + 0x14)) != 0xa000000c) {
      							__eflags =  *((intOrPtr*)(_t49 + 0x14)) - 0xa0000003;
      							if( *((intOrPtr*)(_t49 + 0x14)) != 0xa0000003) {
      								goto L8;
      							} else {
      								_push(0xa);
      								goto L5;
      							}
      						} else {
      							_push(4);
      							L5:
      							_pop(_t40);
      						}
      					}
      				}
      				 *_t37 = _t40;
      				return _t29;
      			}

      APIs
      • __EH_prolog3_align.LIBCMT ref: 0112DF03
        • Part of subcall function 0112DE21: __EH_prolog3.LIBCMT ref: 0112DE28
      • _CxxThrowException.VCRUNTIME140(?,011560B0,?,?,?,?,?,copy_file,00000080,00000008,?,011560B0,?,?,?,directory_iterator::operator++), ref: 0112DF49
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmpDownload File
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmpDownload File
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ExceptionH_prolog3H_prolog3_alignThrow
      • String ID: copy_file
      • API String ID: 3857449155-1576085228
      • Opcode ID: 80301e5d6bb9618060ac0edbda5e20bf282ae5ae01ffabc7ddcdeab13dcedc81
      • Instruction ID: 39ea6da8193c0bbceec174fc07678b2717abb8802c1cc1165ba01bb02217deb9
      • Opcode Fuzzy Hash: 80301e5d6bb9618060ac0edbda5e20bf282ae5ae01ffabc7ddcdeab13dcedc81
      • Instruction Fuzzy Hash: 1CF0303184022AAFCF48EB90CC45FDE7739FF28B08F448088E6056B191CB74AA18CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 57%
      			E0112DEA5(void* __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a8) {
      				signed int _v4;
      				char _v24;
      				char _v48;
      				signed char _v60;
      				char _v144;
      				intOrPtr* _t32;
      				intOrPtr* _t39;
      				signed char _t44;
      				signed int* _t55;
      				void* _t56;
      				signed int _t58;
      				unsigned int _t59;
      				intOrPtr _t63;
      				intOrPtr _t67;
      				intOrPtr _t69;
      				void* _t74;
      
      				_t74 = __eflags;
      				_t56 = __edx;
      				_push(8);
      				_push(0x80);
      				E0114500B(E01146D0D, __ebx, __ecx);
      				_t32 = E01129DF8( &_v24, _t56);
      				E011298AC( &_v48, "directory_iterator::operator++");
      				_v4 = _v4 & 0x00000000;
      				_push( *((intOrPtr*)(_t32 + 4)));
      				_push( *_t32);
      				_push( &_v48);
      				E0112DDBB(__ebx,  &_v144,  *_t32, _t74);
      				_push(0x11560b0);
      				_push( &_v144);
      				L01145637();
      				asm("int3");
      				_push(8);
      				_push(0x80);
      				E0114500B(E01146D0D, __ebx,  &_v144);
      				_t39 = E01129DF8( &_v24, _t56);
      				_t63 =  *_t39;
      				_t67 =  *((intOrPtr*)(_t39 + 4));
      				E011298AC( &_v48, "copy_file");
      				_v4 = _v4 & 0x00000000;
      				_push(_t67);
      				_push(_t63);
      				_push( *((intOrPtr*)(__ebx + 0xc)));
      				_t55 =  &_v144;
      				_push( *((intOrPtr*)(__ebx + 8)));
      				_push( &_v48);
      				E0112DE21(__ebx, _t55, _t63, _t74);
      				_push(0x11560b0);
      				_push( &_v144);
      				L01145637();
      				asm("int3");
      				_t44 = _v60;
      				_push(_t67);
      				if(_t44 != 0) {
      					_t55[1] = 0xffff;
      					__eflags = _t44 - 2;
      					if(_t44 == 2) {
      						L13:
      						_t58 = 1;
      						__eflags = 1;
      					} else {
      						__eflags = _t44 - 3;
      						if(_t44 == 3) {
      							goto L13;
      						} else {
      							_t58 = 0;
      						}
      					}
      				} else {
      					_t69 = _a8;
      					_push(_t63);
      					_t59 =  *(_t69 + 0x10);
      					_t46 =  !=  ? 0x16d : 0x1ff;
      					_t55[1] =  !=  ? 0x16d : 0x1ff;
      					_t44 = _t59 >> 0xa;
      					if((_t44 & 0x00000001) == 0) {
      						L9:
      						_t58 = _t59 >> 0x00000004 & 0x00000001 | 0x00000002;
      					} else {
      						if( *((intOrPtr*)(_t69 + 0x14)) != 0xa000000c) {
      							__eflags =  *((intOrPtr*)(_t69 + 0x14)) - 0xa0000003;
      							if( *((intOrPtr*)(_t69 + 0x14)) != 0xa0000003) {
      								goto L9;
      							} else {
      								_push(0xa);
      								goto L6;
      							}
      						} else {
      							_push(4);
      							L6:
      							_pop(_t58);
      						}
      					}
      				}
      				 *_t55 = _t58;
      				return _t44;
      			}

      APIs
      • __EH_prolog3_align.LIBCMT ref: 0112DEB1
        • Part of subcall function 0112DDBB: __EH_prolog3.LIBCMT ref: 0112DDC2
      • _CxxThrowException.VCRUNTIME140(?,011560B0,?,?,?,directory_iterator::operator++,00000080,00000008,0112E1F3,?,?), ref: 0112DEF1
      Strings
      • directory_iterator::operator++, xrefs: 0112DEBE
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: ExceptionH_prolog3H_prolog3_alignThrow
      • String ID: directory_iterator::operator++
      • API String ID: 3857449155-2285766745
      • Opcode ID: 7f31fd4feaea0ca14dfdd889f1a0bd305fc514f264e01fc8b941a6a8ecd1df19
      • Instruction ID: 0ae9645b2380a9978bdc91109633ebe1ba6adc07ceee9fdfce7623d5100fa499
      • Opcode Fuzzy Hash: 7f31fd4feaea0ca14dfdd889f1a0bd305fc514f264e01fc8b941a6a8ecd1df19
      • Instruction Fuzzy Hash: 41E06D7185022DABCB18EB90CC45FDE7338BF24A08F448048E145731A0DB706A08CB91
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 100%
      			E0114441F(intOrPtr* __ecx, void* __eflags) {
      				intOrPtr* _t13;
      
      				_t13 = __ecx;
      				E01144472(__ecx);
      				 *__ecx = 0x38;
      				 *((intOrPtr*)(__ecx + 8)) = 0x1120000;
      				 *((intOrPtr*)(__ecx + 4)) = 0x1120000;
      				 *((intOrPtr*)(__ecx + 0xc)) = 0xe00;
      				 *((intOrPtr*)(__ecx + 0x10)) = 0x114b650;
      				if(E011322CF(0x1120000, __ecx + 0x14) < 0) {
      					if(IsDebuggerPresent() != 0) {
      						OutputDebugStringW(L"ERROR : Unable to initialize critical section in CAtlBaseModule\n");
      					}
      					 *0x115b54c = 1;
      				}
      				return _t13;
      			}

      APIs
        • Part of subcall function 01144472: memset.VCRUNTIME140(?,00000000,00000018,?,?,01144427,?,0112146B), ref: 0114447F
        • Part of subcall function 011322CF: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,0114444E,?,?,?,0112146B), ref: 011322D5
        • Part of subcall function 011322CF: GetLastError.KERNEL32(?,0114444E,?,?,?,0112146B), ref: 011322DF
      • IsDebuggerPresent.KERNEL32(?,?,?,0112146B), ref: 01144452
      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0112146B), ref: 01144461
      Strings
      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0114445C
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionStringmemset
      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
      • API String ID: 4206453544-631824599
      • Opcode ID: f6d04ec0b0964059f3decd1a8c5a90b955560fcc40af0189fdcea5df4e1adf8a
      • Instruction ID: b012f59dd2a7d3f76c63de8b78ab5d5009114f3b9f343e81251cfea127b37e08
      • Opcode Fuzzy Hash: f6d04ec0b0964059f3decd1a8c5a90b955560fcc40af0189fdcea5df4e1adf8a
      • Instruction Fuzzy Hash: 6BE092702043118BD33CAF75E5047467BE0AF04B49F04C82DD4AAC3A44D7B8D188CFA5
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 36%
      			E0112486C(void* __ebx, void** __ecx, intOrPtr _a4, intOrPtr _a16, intOrPtr _a20) {
      				void* _v8;
      				void* _v12;
      				intOrPtr _v16;
      				void _v20;
      				void* __esi;
      				void* _t29;
      				void* _t32;
      				void _t34;
      				void* _t43;
      				void* _t46;
      				intOrPtr _t54;
      				intOrPtr _t56;
      				intOrPtr _t60;
      				void* _t62;
      				int _t64;
      				void _t67;
      				void* _t70;
      				void* _t72;
      
      				_t56 = _a4;
      				_t43 = __ecx;
      				_v16 = _a16;
      				_t46 = __ecx[4];
      				_v8 = _t46;
      				_t81 = 0x7fffffff - _t46 - _t56;
      				if(0x7fffffff - _t46 < _t56) {
      					_t29 = E0112995D(_t46);
      					asm("int3");
      					_push(_t66);
      					_t67 =  *_t46;
      					_push(_t59);
      					_t60 =  *((intOrPtr*)(_t46 + 4));
      					while(_t67 != _t60) {
      						E01129AC1(_t67 + 0x14);
      						_t29 = E0113F69A(_t67);
      						_t67 = _t67 + 0x2c;
      					}
      					return _t29;
      				} else {
      					_t62 = _t46 + _t56;
      					_v12 = __ecx[5];
      					_t32 = E01129AE4(__ecx, _t62);
      					_t34 = E01129B1B( ~(0 | _t81 > 0x00000000) | _t32 + 0x00000001, _t56);
      					_t54 = _a20;
      					__ecx[4] = _t62;
      					_push(_t54);
      					_push(_v16);
      					__ecx[5] = _t32;
      					_t64 = _v8 + 1;
      					_t70 = _t34 + _t54;
      					_v20 = _t34;
      					_v8 = _t70;
      					_push(_t34);
      					if(_v12 < 0x10) {
      						memcpy();
      						memcpy(_t70, _t43, _t64);
      					} else {
      						_t72 =  *__ecx;
      						memcpy(??, ??, ??);
      						memcpy(_v8, _t72, _t64);
      						E01129B5C(_t72, _v12 + 1, _t72);
      					}
      					 *_t43 = _v20;
      					return _t43;
      				}
      			}

      APIs
        • Part of subcall function 01129B1B: #1511.MFC140U(00000001,01129A1D,?,01129A6B,00000001,?,?,?,?,?,0112149C), ref: 01129B2F
      • memcpy.VCRUNTIME140(00000000,01133C49,?,000000EC,000000EC,?,?), ref: 011248DC
      • memcpy.VCRUNTIME140(?,00000000,?,00000000,01133C49,?,000000EC,000000EC,?,?), ref: 011248E6
        • Part of subcall function 0113F69A: DeleteCriticalSection.KERNEL32(?,2648A249,?,?,?,00000000,0114958D,000000FF,?,0112364B,?,?,0112474F,?,?,?), ref: 0113F6D9
        • Part of subcall function 0113F69A: ??1?$basic_ios@_WU?$char_traits@_W@std@@@std@@UAE@XZ.MSVCP140(?,0112364B,?,?,0112474F,?,?,?,?), ref: 0113F6EA
      • memcpy.VCRUNTIME140(00000000,01133C49,?,000000EC,000000EC,?,?), ref: 011248FD
      • memcpy.VCRUNTIME140(00000000,?,?,00000000,01133C49,?,000000EC,000000EC,?,?), ref: 01124905
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memcpy$#1511??1?$basic_ios@_CriticalDeleteSectionU?$char_traits@_W@std@@@std@@
      • String ID:
      • API String ID: 403852989-0
      • Opcode ID: 668e039ffe923240249d5f87f4b0a8cddf752a1cb96e3e88618b23fd69e632a7
      • Instruction ID: 94fad8f2bbb52b2714911931701c4808610813ac98530d0dc6f7c7def2303d60
      • Opcode Fuzzy Hash: 668e039ffe923240249d5f87f4b0a8cddf752a1cb96e3e88618b23fd69e632a7
      • Instruction Fuzzy Hash: BE21A671A001259B8F0CEFADD88089FBBBAEF96314B10416DE805E7215E7709E11CBD1
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 40%
      			E011424C1(void* __ecx, intOrPtr _a4, intOrPtr _a16, signed int _a20) {
      				signed int _v8;
      				signed int _v12;
      				intOrPtr _v16;
      				void* _v20;
      				void* __ebx;
      				int __edi;
      				void* __esi;
      				void* __ebp;
      				void* _t31;
      				void* _t40;
      
      				_v16 = _a16;
      				_push(_t40);
      				_t35 =  *((intOrPtr*)(__ecx + 0x10));
      				_t30 = 0x7ffffffe - _t35;
      				_v8 = _t35;
      				if(0x7ffffffe - _t35 < _a4) {
      					_t30 = E0112995D(_t35);
      					asm("int3");
      					_t35 = 0x115b430;
      					_push(_t41);
      					_t42 =  *0x115b430;
      					if( *0x115b430 != 0) {
      						_t31 = E0113ACAF(_t42, _t40);
      						_push(0x38);
      						_t30 = E011436A0(_t31, _t42);
      					}
      					return _t30;
      				} else {
      					__eax =  *(__ebx + 0x14);
      					__edi = __ecx + __edx;
      					__ecx = __ebx;
      					_v12 =  *(__ebx + 0x14);
      					__eax = E01129969(__ebx, __edi);
      					__ecx = 0;
      					__esi = __eax;
      					__eax = __eax + 1;
      					0 | __eflags > 0x00000000 =  ~(__eflags > 0);
      					__ecx =  ~(__eflags > 0) | __eax;
      					__eax = E01129A04(__edx,  ~(__eflags > 0) | __eax);
      					__eflags = _v12 - 8;
      					__ecx = __eax;
      					__eax = _a20;
      					 *(__ebx + 0x14) = __esi;
      					 *(__ebx + 0x10) = __edi;
      					_v20 = __ecx;
      					__edx = _a20 + _a20;
      					__eax = _v8;
      					_push(__edx);
      					_push(_v16);
      					__esi = __edx + __ecx;
      					__edi = 2 + _v8 * 2;
      					_v8 = __esi;
      					_push(__ecx);
      					if(_v12 >= 8) {
      						__esi =  *__ebx;
      						memcpy(??, ??, ??) = memcpy(_v8, __esi, __edi);
      						__eax = _v12;
      						__esp = __esp + 0x18;
      						__ecx = __esi;
      						__edx = 2 + _v12 * 2;
      						__eax = E01129B5C(__esi, 2 + _v12 * 2, __esi);
      					}
      					__eax = _v20;
      					_pop(__edi);
      					 *__ebx = _v20;
      					__eax = __ebx;
      					_pop(__esi);
      					_pop(__ebx);
      					__esp = __ebp;
      					_pop(__ebp);
      					return __ebx;
      				}
      			}

      APIs
      • memcpy.VCRUNTIME140(00000000,?,?,00000000,?,?,?,?), ref: 0114253D
      • memcpy.VCRUNTIME140(?,00000000,?,00000000,?,?,00000000,?,?,?,?), ref: 01142547
      • memcpy.VCRUNTIME140(00000000,?,?,00000000,?,?,?,?), ref: 01142562
      • memcpy.VCRUNTIME140(00000000,?,?,00000000,?,?,00000000,?,?,?,?), ref: 0114256A
      Memory Dump Source
      • Source File: 00000000.00000002.358191467.0000000001121000.00000020.00000001.01000000.00000003.sdmp, Offset: 01120000, based on PE: true
      • Associated: 00000000.00000002.358188506.0000000001120000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358728621.000000000114B000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358731711.000000000114C000.00000002.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358748169.000000000115A000.00000004.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.358751643.000000000115C000.00000002.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_1120000_apprun.jbxd
      Similarity
      • API ID: memcpy
      • String ID:
      • API String ID: 3510742995-0
      • Opcode ID: 64ea0ca850b77b0bf5347e2108ea2832385f41a7af8799416b7debb90d356a24
      • Instruction ID: 22bcab81594260b097bb1e639a6248172e2d0423800d4b2c709f438ad438550a
      • Opcode Fuzzy Hash: 64ea0ca850b77b0bf5347e2108ea2832385f41a7af8799416b7debb90d356a24
      • Instruction Fuzzy Hash: BF217171A0012AAFCF0CDF6DE88089EBBBAFF95714B00456DE406EB311DB709A10CB91
      Uniqueness

      Uniqueness Score: -1.00%