Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	756299
MD5:	2816bacd01b0d8c48f1d8714c6aa6f0f
SHA1:	474ae88d9cf093dcb9789cb7b79513e0dbd38388
SHA256:	637720ba1437fd6dea873e56a6a1d7bb3c663e490abc4e406e3817dd2eb82c4f
Tags:	exe
Infos:

Detection

BrowserHistorySpy Tool, Quasar

Score:	38
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Compliance

Score:	50
Range:	0 - 100

Signatures

Malicious sample detected (through community Yara rule)

Yara detected Quasar RAT

Query firmware table information (likely to detect VMs)

Changes security center settings (notifications, updates, antivirus, firewall)

May drop file containing decryption instructions (likely related to ransomware)

Writes many files with high entropy

Yara detected BrowserHistorySpy Tool by SecurityXploded

Uses 32bit PE files

Creates files inside the driver directory

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

PE file contains sections with non-standard names

Detected potential crypto function

Stores large binary data to the registry

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

AV process strings found (often used to terminate AV products)

Sample file is different than original file name gathered from version info

OS version to string mapping found (often used in BOTs)

Enables driver privileges

Drops PE files

Tries to load missing DLLs

Drops PE files to the windows directory (C:\Windows)

Creates driver files

Contains capabilities to detect virtual machines

Enables security privileges

Registers a DLL

Creates or modifies windows services

Queries disk information (often used to detect virtual machines)

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Process Tree

System is w10x64

file.exe (PID: 5244 cmdline: C:\Users\user\Desktop\file.exe MD5: 2816BACD01B0D8C48F1D8714C6AA6F0F)

sc.exe (PID: 680 cmdline: C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5508 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5640 cmdline: C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 4080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5744 cmdline: C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5752 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5852 cmdline: C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor" MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 5784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 1788 cmdline: C:\Windows\System32\sc.exe config ShMonitor start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6020 cmdline: C:\Windows\System32\sc.exe config EsgShKernel start= auto MD5: D79784553A9410D15E04766AAAB77CD6)

conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

regsvr32.exe (PID: 2108 cmdline: C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll" MD5: D78B75FC68247E8A63ACBA846182740E)

EsgInstallerDelay__0.exe (PID: 64 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)

conhost.exe (PID: 1332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5312 cmdline: C:\Windows\System32\sc.exe start EsgShKernel -tt_on MD5: D79784553A9410D15E04766AAAB77CD6)

EsgInstallerDelay__1.exe (PID: 2348 cmdline: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300 MD5: EDCE372DE488AA221DA7DB7544C09B3E)

conhost.exe (PID: 3624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 5100 cmdline: C:\Windows\System32\sc.exe start ShMonitor MD5: D79784553A9410D15E04766AAAB77CD6)

svchost.exe (PID: 5288 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1556 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 684 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5540 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1360 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 3384 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 868 cmdline: c:\windows\system32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3460 cmdline: c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2080 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 2364 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 2680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ShKernel.exe (PID: 5400 cmdline: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe MD5: F2F6BF33561C9EF8FE3310D46A3C8A25)

SpyHunter5.exe (PID: 5688 cmdline: "C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide MD5: 096FA37EA53BB15959E9EEF9FD3F2745)

ShMonitor.exe (PID: 4792 cmdline: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe MD5: F9FA9D3B5957F0C365A20DE5C71EC214)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	MALWARE_Win_EXEPWSH_DLAgent	Detects SystemBC	ditekSHen	0xd946f8:$pwsh: powershell 0xd35b48:$s2: User-Agent: 0x10069f8:$s4: LdrLoadDll 0xc35367:$v6: start 0xc3d08b:$v6: start 0xc468ae:$v6: start 0xc468c6:$v6: start 0xc63dac:$v6: start 0xc653d0:$v6: start 0xc6c3d7:$v6: start 0xc6c417:$v6: start 0xc6c457:$v6: start 0xc6ca7c:$v6: start 0xc6e627:$v6: start 0xc9b9fc:$v6: start 0xc9ba30:$v6: start 0xc9bc43:$v6: start 0xc9bc72:$v6: start 0xca2efc:$v6: start 0xca2f30:$v6: start 0xca30d9:$v6: start

Memory Dumps

Source	Rule	Description	Author	Strings
0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16da4:$x1: AsyncRAT 0x1af72:$x1: AsyncRAT
0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x16d24:$x1: AsyncRAT 0x1aef2:$x1: AsyncRAT
0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x15d2c:$x1: AsyncRAT 0x19efa:$x1: AsyncRAT
0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x435f7:$x1: AsyncRAT 0x4372c:$x1: AsyncRAT 0x43786:$x1: AsyncRAT 0x437fb:$x1: AsyncRAT
0000001C.00000003.509274290.000001D3F5D31000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_BrowserHistorySpy	Yara detected BrowserHistorySpy Tool by SecurityXploded	Joe Security
Click to see the 1 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Cryptography

Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

Compliance

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates license or readme file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt

Jump to behavior

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\20221130_001537.krn.log
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\rh
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Temp
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log

Creates install or setup log file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

PE / OLE file has a valid certificate

Source: file.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:	Binary string: c:\Users\sd\Documents\SharpDevelop Projects\BackdoorNominatus\BackdoorNominatus - BLUE BUG\obj\Debug\BackdoorNominatus - BLUE BUG.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\win32\DelayStart-x64.pdb source: EsgInstallerDelay__0.exe, 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__0.exe, 00000017.00000000.389009144.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__1.exe, 00000019.00000000.390176462.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp, EsgInstallerDelay__1.exe, 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShKernel.pdb source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ogger.pdbgE source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb\ source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdbD source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb50CFp1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_ source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\stefan.joerg\Nextcloud3\_Programmierung\SanboxTestingTool\AdvancedKEYLogger\AdvancedKEYLogger\obj\Debug\AdvancedKEYLogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0@.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $\\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$F source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ~E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7eCG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdbaG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Trainer Creator\C++ and C#\Trainer MotoGP 22 Framework without virus\ArmYofOneEngine\obj\Release\MotoGP 22 v1.0.0.0 +17 Options.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\Win32\Installer.pdb source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$ source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_crypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\nativeapp\objfre_wnet_amd64\amd64\Native.pdb source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bo.pdbg source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdbGCTL source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-x64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: & 7D08s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Vegard\Documents\Visual Studio 2017\Projects\VirtualUIPro (CRYPTORIUM RANSOMWARE)\VirtualUIPro\obj\Debug\VirtualUIPro.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7e source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\Administrador\mis documentos\visual studio 2010\Projects\Fortnite\Fortnite\obj\x86\Debug\Naccarella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (\x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EHW###%@$WHRENBRWHrjhss.pdbgs": 8454290, source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 89.187.165.194 89.187.165.194

Source: file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268462477.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268789699.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268824243.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268270654.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260831747.00000000034D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263902497.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307318434.0000000003542000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264927055.00000000044F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262488006.00000000034DB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264347122.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309639531.000000000454A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269778409.00000000044DC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl7
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crlQ
Source: file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmas
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/log_collect.cfg
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/log_collect.cfgH
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/
Source: file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf--
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf6
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf/msv0t8
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(simplified).lng.ecf
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_dutch.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_english.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_german.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf8
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_italian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_license.txt.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_polish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf29t
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecfH
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecfso
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_sloven
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecfPAt
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecfCy
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecfX
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf(
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecfn
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfR
Source: file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfG
Source: file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfp
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecf
Source: file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecfY
Source: file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/def/latest_def.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/latest.ecf
Source: file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/sh5/latest.ecfH
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecfecf7O
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf:
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecffdiyHxtN/
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: file.exe, 00000000.00000003.261131713.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist
Source: ShKernel.exe, 0000001C.00000000.403556678.00007FF7097F8000.00000008.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://upx.sf.net
Source: svchost.exe, 00000005.00000002.310228109.0000027493E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bulla.com
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ebates.com
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.enigmasoftware.com
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl
Source: file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.google.compre_xpimg_entryp
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.oberhumer.com
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.268360683.00000000045A8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://wwwigmasoftware.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262407166.0000000003519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263349882.000000000351B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net)
Source: file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.enigmasoft.net19.5
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.309587506.0000027493E4F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000005.00000003.309791016.0000027493E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310459621.0000027493E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000005.00000003.309791016.0000027493E42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310459621.0000027493E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://geo-ip.enigmasoft.net/location
Source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://geo-ip.enigmasoft.net/locationgeo_countrycountryosos_lang%1%%2%os_versionx86x64os_arch;ARMge
Source: file.exe, 00000000.00000003.267369004.0000000003544000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmas
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmas3CO
Source: file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269795946.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268644221.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267107205.00000000044E5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasB
Source: file.exe, 00000000.00000003.311359366.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269652390.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313320979.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307103077.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268391208.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272301534.000000000456F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268270654.0000000003544000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.274013257.0000000004574000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268541807.0000000004574000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmaso
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftw
Source: file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/M
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf
Source: file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf1c6
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecfKDn
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(simplified).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecfDVD
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecfiEp
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_dutch.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_english.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_german.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecfdE
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_italian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_license.txt.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf
Source: file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_polish.lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf
Source: file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecfQsTb
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_serbian.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecfY
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecfg
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_ukrainian.lng.ecfhtm
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecfR
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf)
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf(
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecff
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shkernel.exe.ecfj
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecfR
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecfq
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf
Source: file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfD
Source: file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def.pro/latest_def.ecf
Source: file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf7
Source: file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272528971.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/2022110703.def.ecfH
Source: file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/def/latest_def.ecf
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://installer.enigmasoftware.com/sh5/latest.ecf
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://myaccount.enigmasoftware.com/forgot-password/85000.0doc
Source: file.exe, 00000000.00000003.269556765.00000000045EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com
Source: file.exe, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269586761.0000000004555000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O75
Source: file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O750x01xDa
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/def/updates/%1%/%2%_updates.ecf
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/def/updates/%1%/%2%_updates.ecf/R
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://sh.downloads.enigmasoft.net/sh/ticket_problem_types/https://purchase.enigmasoftware.com/spyh
Source: svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000005.00000002.310228109.0000027493E13000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310423105.0000027493E3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000005.00000003.309587506.0000027493E4F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php10-100enigmasoftwa
Source: file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263335717.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263877291.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263513883.0000000003513000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php?hwx=%HWID%&lng=%L
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cyclonis.com/eula-password-manager/
Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.261089504.000000000351B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/about-us/inquiries-feedback/).
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-discount-terms/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-discount-terms/.
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-privacy-policy/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/enigmasoft-privacy-policy/;
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/program-uninstall-steps/.
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/sh/license.txt.
Source: file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-additional-terms-conditions/.
Source: file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-eula/.
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp, ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter-remover-details/#windows
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/spyhunter5-special-promotion-terms/
Source: file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263474019.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.enigmasoftware.com/support/
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.google-analytics.com/batch
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://www.google-analytics.com/batch%1%

E-Banking Fraud

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

May drop file containing decryption instructions (likely related to ransomware)

Source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: HELP_DECRYPT\.PNG

Writes many files with high entropy

Source: C:\Users\user\Desktop\file.exe	File created: C:\sh5ldr\vmlinuz entropy: 7.99836962763	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng entropy: 7.99615643718	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng entropy: 7.99609971693	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng entropy: 7.99595141601	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng entropy: 7.99680078701	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng entropy: 7.99711126287	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng entropy: 7.99623035502	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng entropy: 7.99615411913	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng entropy: 7.99671313322	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng entropy: 7.99580751358	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng entropy: 7.99705640146	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng entropy: 7.99572990145	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng entropy: 7.99581949466	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng entropy: 7.99666220285	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng entropy: 7.99689859487	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng entropy: 7.9957351524	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng entropy: 7.9965164076	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng entropy: 7.9961756396	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng entropy: 7.99693442691	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng entropy: 7.99626718925	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng entropy: 7.99690916426	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng entropy: 7.99635386591	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng entropy: 7.99562562154	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng entropy: 7.99640862281	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng entropy: 7.99641530631	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng entropy: 7.99701029921	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng entropy: 7.99604698987	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng entropy: 7.99606091645	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng entropy: 7.99638398778	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng entropy: 7.99555096602	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng entropy: 7.99631936477	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng entropy: 7.99690213117	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def entropy: 7.99980150219	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat entropy: 7.99721527657	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat entropy: 7.99684565062	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\sh5ldr\initrd.gz entropy: 7.99524171727	Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\data\CrCache.dat entropy: 7.99988653068	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, type: DROPPED	Matched rule: Detects SystemBC Author: ditekSHen

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Creates files inside the driver directory

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Yara signature match

Source: 0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, type: DROPPED	Matched rule: MALWARE_Win_EXEPWSH_DLAgent author = ditekSHen, description = Detects SystemBC

Creates files inside the system directory

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034EA7C8	0_3_034EA7C8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69812B6B0	23_2_00007FF69812B6B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980F10F0	23_2_00007FF6980F10F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810D96C	23_2_00007FF69810D96C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69812B970	23_2_00007FF69812B970
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811AABC	23_2_00007FF69811AABC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981052E8	23_2_00007FF6981052E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981282D0	23_2_00007FF6981282D0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698127C70	23_2_00007FF698127C70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811C450	23_2_00007FF69811C450
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810BD28	23_2_00007FF69810BD28
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698118D70	23_2_00007FF698118D70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698110D44	23_2_00007FF698110D44
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811CD4C	23_2_00007FF69811CD4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698117DE0	23_2_00007FF698117DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980FD5F0	23_2_00007FF6980FD5F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6980F9DE0	23_2_00007FF6980F9DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810CE5C	23_2_00007FF69810CE5C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810E66C	23_2_00007FF69810E66C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698127EA0	23_2_00007FF698127EA0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698110EF0	23_2_00007FF698110EF0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810A728	23_2_00007FF69810A728
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698108708	23_2_00007FF698108708
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811A758	23_2_00007FF69811A758
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698111F60	23_2_00007FF698111F60
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698100F40	23_2_00007FF698100F40
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698106F3C	23_2_00007FF698106F3C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698114FCC	23_2_00007FF698114FCC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69811D8B4	23_2_00007FF69811D8B4
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF6981278E0	23_2_00007FF6981278E0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A570B6B0	25_2_00007FF7A570B6B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56D10F0	25_2_00007FF7A56D10F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EE66C	25_2_00007FF7A56EE66C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56ECE5C	25_2_00007FF7A56ECE5C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E8708	25_2_00007FF7A56E8708
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F0EF0	25_2_00007FF7A56F0EF0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A5707EA0	25_2_00007FF7A5707EA0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F8D70	25_2_00007FF7A56F8D70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FCD4C	25_2_00007FF7A56FCD4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F0D44	25_2_00007FF7A56F0D44
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EBD28	25_2_00007FF7A56EBD28
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56DD5F0	25_2_00007FF7A56DD5F0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56D9DE0	25_2_00007FF7A56D9DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F7DE0	25_2_00007FF7A56F7DE0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A57078E0	25_2_00007FF7A57078E0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FD8B4	25_2_00007FF7A56FD8B4
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F1F60	25_2_00007FF7A56F1F60
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FA758	25_2_00007FF7A56FA758
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E0F40	25_2_00007FF7A56E0F40
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E6F3C	25_2_00007FF7A56E6F3C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EA728	25_2_00007FF7A56EA728
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56F4FCC	25_2_00007FF7A56F4FCC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A57082D0	25_2_00007FF7A57082D0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E52E8	25_2_00007FF7A56E52E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FAABC	25_2_00007FF7A56FAABC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56ED96C	25_2_00007FF7A56ED96C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A570B970	25_2_00007FF7A570B970
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A5707C70	25_2_00007FF7A5707C70
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56FC450	25_2_00007FF7A56FC450

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: String function: 00007FF698119450 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: String function: 00007FF7A56F9450 appears 65 times

PE file contains executable resources (Code or Archives)

Source: ShKernel.exe.0.dr	Static PE information: Resource name: BIN type: PE32+ executable (native) x86-64, for MS Windows
Source: ShKernel.exe.0.dr	Static PE information: Resource name: BIN type: PE32+ executable (native) Aarch64, for MS Windows
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: DOS executable (COM, 0x8C-variant)
Source: SpyHunter5.exe.0.dr	Static PE information: Resource name: RT_RCDATA type: COM executable for DOS

Abnormal high CPU Usage

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process Stats: CPU usage > 98%

Sample file is different than original file name gathered from version info

Source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.313238943.0000000004667000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.311426154.000000000466D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShMonitor.exe6 vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: originalFilename vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: "'qwertyuiopasdfghjklzxcvbnmZXCVBNMASDFGHJKLQWERTYUIOP.drv.sys.com.scr.pif.msi.vbs.acm/~/\rbwb.exe.ocx\/ \/ \/.cpl.efi.mui.lnk.vb.js.axUsersvoidlua runtime errorunable to make castexistsexpandbaseNamedirNamepathInfowalkFailed to move %s to %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::Moveboolstd::stringlua_Stateluabind::objecthkcufsmovemodifyTimeMissing parameters!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::WalkregistrydeleteKeydeleteValuekeyExistsC:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\enigmacommon\EnigmaCommon\LuaAPI.cppFailed to remove %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::FileSystem::RemoveFailed to remove %s!extensiondirectorycreateTimeaccessTimeFailed to delete value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::DeleteValueFailed to alter value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::SetValueFailed to extract string value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetStringFailed to extract numeric value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetNumbervalueExistssetValuegetStringgetNumbergetBooleangetCurrentControlSetKeyFailed to delete key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::DeleteKeyWinXPWinVistaWin7Win8Win8.1Win10getFilePropertieskillProcessFailed to extract boolean value %s of key %s due to error %lu!Esg::Classes::fVtekgBaCHLfloqy::Registry::GetBooleanosgetNamegetVersiongetArchitectureisSafeModeWin2kFailed to get properties of %s!Esg::Classes::fVtekgBaCHLfloqy::System::GetFilePropertiesFailed to kill proc. %d!Esg::Classes::fVtekgBaCHLfloqy::System::KillProcessFailed to kill proc. %s!Failed to fetch a list of processes! Error %d.Esg::Classes::fVtekgBaCHLfloqy::System::ListProcessescmd /c processExistslistProcessesgetSystemAccountSidgetCurrentUserSidfileVersionproductVersioninternalNameoriginalFilenameEsg::Classes::fVtekgBaCHLfloqy::Log::DebugEsg::Classes::fVtekgBaCHLfloqy::Log::NoticescresolveFailed to parse shortcut %s!Esg::Classes::fVtekgBaCHLfloqy::Shortcut::ResolvetargetargumentsFailed to execute command %S!Esg::Classes::fVtekgBaCHLfloqy::System::ExecutelogwarningdebugnoticeEsg::Classes::fVtekgBaCHLfloqy::Log::ErrorEsg::Classes::fVtekgBaCHLfloqy::Log::WarningworkDiriconPathiconIndex const vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InternalNameLegalCopyrightOriginalFileNameProductNameProductVersionCommentsLegalTrademarksPrivateBuild\VarFileInfo\Translation\StringFileInfo\%04X%04X\\StringFileInfo\040904E4\CompanyNameFileDescriptionFileVersionSpecialBuild%d.%d.%d.%dC:\Dev\Libs\boost_1_70_0\boost\smart_ptr\scoped_array.hppvoid __cdecl boost::scoped_array<unsigned char>::reset(unsigned char *)P vs file.exe
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .NET Init Failed. Path=%s, Status=%dpe_init_failedC:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\Scanner\FileScanPeContext.cppFileScan::PeContext::InitRSDSOriginalFilenameCopyrightcompanynamecommentsdescriptioncopyrightfileversionfiledescriptionlegalcopyrightinternalnameproductnameoriginalfilenameproductversionunsigned __int64 __cdecl boost::unordered::detail::table<struct boost::unordered::detail::map<class std::allocator<struct std::pair<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > const ,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> > > >,struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > >,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> >,struct PeMetricsStatus::ImportHasher,struct std::equal_to<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > > > >::min_buckets_for_size(unsigned __int64) constvoid __cdecl boost::unordered::detail::table<struct boost::unordered::detail::map<class std::allocator<struct std::pair<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > const ,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> > > >,struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > >,class std::vector<unsigned __int64,class std::allocator<unsigned __int64> >,struct PeMetricsStatus::ImportHasher,struct std::equal_to<struct std::pair<class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> >,class std::basic_string<char,struct std::char_traits<char>,class std::allocator<char> > > > > >::rehash_impl(unsigned __int64) vs file.exe
Source: file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNative.exe0 vs file.exe
Source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEnigmaFileMonDriver.sys8 vs file.exe
Source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameShKernel.exe6 vs file.exe

Enables driver privileges

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process token adjusted: Load Driver

Tries to load missing DLLs

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windowscoredeviceinfo.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Creates driver files

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\system32\Drivers\EnigmaFileMonDriver.sys

Enables security privileges

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Process token adjusted: Security

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config ShMonitor start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config EsgShKernel start= auto
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start EsgShKernel -tt_on
Source: unknown	Process created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start ShMonitor
Source: unknown	Process created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe "C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config ShMonitor start= auto	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe config EsgShKernel start= auto	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start EsgShKernel -tt_on	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe start ShMonitor	Jump to behavior

Source: Uninstall.lnk.0.dr

LNK file: ..\..\..\..\..\EnigmaSoft Limited\sh5_installer.exe

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

Source: classification engine

Classification label: sus38.rans.troj.spyw.evad.winEXE@46/58@0/7

Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT key FROM ItemTable;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc FROM cookies WHERE creation_utc = %I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'log_item' (id INTEGER PRIMARY KEY, name TEXT, scan_type INTEGER, starttime TEXT, endtime TEXT, signature_version TEXT, requested_by TEXT, scan_count INTEGER, threat_count INTEGER, status INTEGER NOT NULL, FOREIGN KEY(status) REFERENCES scan_status(status_id));
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT path FROM log_item_data WHERE log_item_id='%1%' AND status=1 LIMIT 1000;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc FROM cookies WHERE creation_utc = %I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: select id, name, host from moz_cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT origin, type, permission FROM moz_perms;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT `%s` FROM `%s` WHERE `%s` LIKE ?;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT id, name, host FROM moz_cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'guard_alert' (alert_id INTEGER PRIMARY KEY, timestamp INTEGER, pid INTEGER, ppath TEXT, path TEXT, size INTEGER, md5 TEXT, company_name TEXT, file_desc TEXT, file_version TEXT, is_malware INTEGER, scan_status TEXT);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT creation_utc, host_key, name FROM cookies;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT `%s` FROM `%s` WHERE `%s` LIKE ?;MalwareObjSqliteRow::ExistsExists check failed. DB Exception occured: %s
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: SELECT id FROM moz_cookies WHERE id=%I64d;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'scan_status' (id INTEGER PRIMARY KEY, status_id INTEGER, name TEXT);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: INSERT INTO scan_status (status_id, name) VALUES (0, 'Started'); INSERT INTO scan_status (status_id, name) VALUES (1, 'Completed'); INSERT INTO scan_status (status_id, name) VALUES (2, 'Interrupted by user'); INSERT INTO scan_status (status_id, name) VALUES (3, 'Failed');
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: create table 'log_item_data' (id INTEGER PRIMARY KEY, log_item_id INTEGER NOT NULL, timestamp TEXT, detection_id INTEGER, path TEXT, title TEXT, status INTEGER, FOREIGN KEY(log_item_id) REFERENCES log_item(id) ON UPDATE CASCADE ON DELETE CASCADE);
Source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	Binary or memory string: select scope, key from webappsstore2;

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Mutant created: \BaseNamedObjects\Global\ESG_AQbwFiKkefurfkxavZoTCL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ESGInstaller_MTX
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:2680:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1332:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4080:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6060:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5508:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6140:120:WilError_01

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft

Jump to behavior

Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C*\AC:\Documents and Settings\clinet\Bureau\SGen-1\Project1.vbp-J
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp"90000005
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp, "value
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C*\AC:\Documents and Settings\elnashar0\Desktop\Source\mr mega.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *\AC:\Users\PC\Pictures\cloud\ActiveX Control Source\VB Splitter.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: F15.vbp
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: er.vbp
Source: ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: B*\AF:\DVD7(3514)\Documents\Visual Basic\VB Project\My Work\FolderView (Auto)\FolderView 2\Remover\Remover.vbp_type":
Source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @*\A\\192.168.40.1\ASDStaffsRep\Selam\denominationXP\Project1.vbp

Source: file.exe

String found in binary or memory: : 5 esg-installer.b-cdn.net;89.187.165.194;

Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File read: C:\Windows\System32\drivers\etc\hosts

Uses Rich Edit Controls

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msftedit.dll

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Found window with many clickable UI elements (buttons, textforms, scrollbars etc)

Source: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Window detected: Number of UI elements: 13

PE file has a big code size

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Submission file is bigger than most known malware samples

Source: file.exe

Static file information: File size 6881256 > 1048576

Creates a directory in C:\Program Files

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\purl.dat	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\20221130_001537.krn.log
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\ScanHistory.dat-journal
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Data\rh
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Temp
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Directory created: C:\Program Files\EnigmaSoft\SpyHunter\Logs\ShMonitor.log

PE / OLE file has a valid certificate

Source: file.exe

Static PE information: certificate valid

PE file has a big raw section

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x436400
Source: file.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x115e00

PE file imports many functions

Source: file.exe

Static PE information: More than 200 imports for KERNEL32.dll

PE file contains a mix of data directories often seen in goodware

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

PE file contains a debug data directory

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: c:\Users\sd\Documents\SharpDevelop Projects\BackdoorNominatus\BackdoorNominatus - BLUE BUG\obj\Debug\BackdoorNominatus - BLUE BUG.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\win32\DelayStart-x64.pdb source: EsgInstallerDelay__0.exe, 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__0.exe, 00000017.00000000.389009144.00007FF698130000.00000002.00000001.01000000.0000000A.sdmp, EsgInstallerDelay__1.exe, 00000019.00000000.390176462.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp, EsgInstallerDelay__1.exe, 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShKernel.pdb source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: ogger.pdbgE source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\bamboo-agent-home\xml-data\build-dir\SH5-S5P-JOB1\sh5\builds\Release-x64\ShMonitor.pdb\ source: file.exe, 00000000.00000003.310467481.000000000466D000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.310517741.00000000046D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.309938161.00000000045E2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Random Roblox Shit\MassRobloxAssetStealer\Mass-Roblox-asset-scraper-dumper\MassRobloxAssetStealer\obj\Debug\MassRobloxAssetStealer.pdbD source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: .pdb50CFp1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_ source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\stefan.joerg\Nextcloud3\_Programmierung\SanboxTestingTool\AdvancedKEYLogger\AdvancedKEYLogger\obj\Debug\AdvancedKEYLogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $C:\abc\Release\gerjjkrkjjk33.pdb2617365"<" source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: 0@.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $\\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$F source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: o.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ~E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7eCG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Azan\onedrive\documents\visual studio 2010\Projects\Project Scorpion\Project Scorpion\obj\x86\Release\Project Scorpion.pdbaG source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\Trainer Creator\C++ and C#\Trainer MotoGP 22 Framework without virus\ArmYofOneEngine\obj\Release\MotoGP 22 v1.0.0.0 +17 Options.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ogger.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\GIT\esginstaller\_Builds\Release\Win32\Installer.pdb source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: ^Allpcoptimizer\.pdb$ source: ShKernel.exe, 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -D_USING_V110_SDK71_crypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000000.256693561.00000000011B8000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: c:\nativeapp\objfre_wnet_amd64\amd64\Native.pdb source: file.exe, 00000000.00000003.272267837.00000000045CE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273963247.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307263881.00000000045CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307168643.00000000045C7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272202983.00000000045D7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.311471460.00000000045C3000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (bo.pdbg source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: type_idOTHERNAMEnameAssignerpartyNameEDIPARTYNAMEd.otherNamed.rfc822Named.dNSNamed.x400Addressd.directoryNamed.ediPartyNamed.uniformResourceIdentifierd.iPAddressd.registeredIDGENERAL_NAMEGeneralNamesGENERAL_NAMESCERTIFICATEcrypto\x509\x509name.cname=compiler: cl /Z7 /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\dh\dh_lib.c%*s<EMPTY> source: file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-ARM64\EnigmaFileMonDriver.pdbGCTL source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: oella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Sources\spyhunter5\Drivers\builds\Release-x64\EnigmaFileMonDriver.pdb source: file.exe, 00000000.00000003.303975927.0000000008D6A000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000003.437886640.000001D3F5413000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: & 7D08s.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Vegard\Documents\Visual Studio 2017\Projects\VirtualUIPro (CRYPTORIUM RANSOMWARE)\VirtualUIPro\obj\Debug\VirtualUIPro.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\Demo\dWwwang-SiMayRemoteMonitorOS-master\SiMayRemoteMonitorOS\SiMay.RemoteClient.NewCore\obj\Debug\SiMayServiceCore.pdb7e source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Documents and Settings\Administrador\mis documentos\visual studio 2010\Projects\Fortnite\Fortnite\obj\x86\Debug\Naccarella.exe.pdb source: ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \\Wta..[3243ujwew]\\\kY0VNfo.pdb00448974 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: (\x64\Release\HotCoffeeRansomware.pdb9"}]h1 source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: EHW###%@$WHRENBRWHrjhss.pdbgs": 8454290, source: ShKernel.exe, 0000001C.00000002.541362843.000001D380000000.00000004.00000020.00020000.00000000.sdmp

PE file contains a valid data directory to section mapping

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034F2B57 push FFFFFFC3h; ret		0_3_034F2B59
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_034F21FA push esi; rep ret		0_3_034F21FC

PE file contains sections with non-standard names

Source: ShShellExt.dll.0.dr	Static PE information: section name: _RDATA
Source: ShKernel.exe.0.dr	Static PE information: section name: _RDATA
Source: ShMonitor.exe.0.dr	Static PE information: section name: _RDATA
Source: SpyHunter5.exe.0.dr	Static PE information: section name: _RDATA

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF698114B80 LoadLibraryA,GetProcAddress,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

23_2_00007FF698114B80

Registers a DLL

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"

Persistence and Installation Behavior

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe

Jump to dropped file

Drops PE files

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File created: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

File created: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys

Jump to dropped file

Creates license or readme file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\EnigmaSoft\SpyHunter\license.txt

Jump to behavior

Creates install or setup log file

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\esg_setup.log

Jump to behavior

Boot Survival

Stores files to the Windows start menu directory

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnigmaSoft\Uninstall.lnk

Jump to behavior

Creates or modifies windows services

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EnigmaFileMonDriver\Instances

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\System32\sc.exe C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"

Hooking and other Techniques for Hiding and Protection

Stores large binary data to the registry

Source: C:\Users\user\Desktop\file.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SpyHunter5 UninstallActions

Jump to behavior

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe TID: 1280	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe TID: 1336	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe TID: 1392	Thread sleep count: 57 > 30
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe TID: 1392	Thread sleep time: -57000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Last function: Thread delayed
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_23-19954
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_25-19960

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Program Files\EnigmaSoft\SpyHunter\Native.exe			Jump to dropped file
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Dropped PE file which has not been started: C:\Windows\System32\drivers\EnigmaFileMonDriver.sys			Jump to dropped file

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Thread delayed: delay time: 300000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Thread delayed: delay time: 300000			Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-vm-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-servercommon-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Compute-System-VirtualMachine-onecore-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat	Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-vm-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	File opened / queried: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Thread delayed: delay time: 300000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Thread delayed: delay time: 300000			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	API call chain: ExitProcess graph end node			graph_23-19956
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	API call chain: ExitProcess graph end node			graph_25-19962

Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~~10.0.17134.1.cat
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.catr
Source: svchost.exe, 00000007.00000002.562501957.0000022F903AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: ShKernel.exe, 0000001C.00000002.547940577.000001D380435000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\microsoft-hyper-v-online-services-package~31bf3856ad364e35~amd64~~10.0.17134.1.catat2420J
Source: svchost.exe, 00000007.00000002.562501957.0000022F903AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware7,1
Source: svchost.exe, 00000001.00000002.538821362.000001EC2D002000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-vm-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cath
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-vm-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cat
Source: ShKernel.exe, 0000001C.00000002.610627074.000001D380F1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cats=
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-primitive-virtualmachine-package~31bf3856ad364e35~amd64~~10.0.17134.1.catcat
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~en-us~10.0.17134.1.cato_
Source: ShKernel.exe, 0000001C.00000002.612769123.000001D380FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: c:\windows\system32\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\hyperv-compute-system-virtualmachine-onecore-package~31bf3856ad364e35~amd64~~10.0.17134.1.catft Corporation1
Source: svchost.exe, 00000001.00000002.542299674.000001EC2D03C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.544015881.00000270A3443000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.542707471.00000265A7C29000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF698104308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

23_2_00007FF698104308

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

23_2_00007FF698114B80

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF69812B970 GetProcessHeap,HeapFree,SHParseDisplayName,SHParseDisplayName,CoInitializeEx,SHOpenFolderAndSelectItems,CoUninitialize,

23_2_00007FF69812B970

Enables debug privileges

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698104308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00007FF698104308
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF69810BD10 SetUnhandledExceptionFilter,	23_2_00007FF69810BD10
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698107DC8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_00007FF698107DC8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: 23_2_00007FF698104050 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_00007FF698104050
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E7DC8 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00007FF7A56E7DC8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E4050 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FF7A56E4050
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56E4308 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00007FF7A56E4308
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: 25_2_00007FF7A56EBD10 SetUnhandledExceptionFilter,	25_2_00007FF7A56EBD10

Language, Device and Operating System Detection

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	Queries volume information: C:\ VolumeInformation

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	23_2_00007FF698114190
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	23_2_00007FF698113A4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,	23_2_00007FF698113B50
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,	23_2_00007FF698113C38
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	23_2_00007FF698113CEC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoW,	23_2_00007FF698115554
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	23_2_00007FF6981155B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: _getptd,GetLocaleInfoA,	23_2_00007FF698113F80
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: GetLocaleInfoA,	23_2_00007FF6981147E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: EnumSystemLocalesA,	23_2_00007FF698114090
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	Code function: EnumSystemLocalesA,	23_2_00007FF698114124
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoW,	25_2_00007FF7A56F5554
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,malloc,GetLocaleInfoW,WideCharToMultiByte,free,GetLocaleInfoA,	25_2_00007FF7A56F55B0
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: EnumSystemLocalesA,	25_2_00007FF7A56F4090
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,	25_2_00007FF7A56F3F80
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,	25_2_00007FF7A56F47E8
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	25_2_00007FF7A56F3A4C
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,GetLocaleInfoA,_itow_s,	25_2_00007FF7A56F4190
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: EnumSystemLocalesA,	25_2_00007FF7A56F4124
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: GetLocaleInfoA,	25_2_00007FF7A56F3C38
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,	25_2_00007FF7A56F3CEC
Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	Code function: _getptd,GetLocaleInfoA,	25_2_00007FF7A56F3B50

Source: C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Code function: 23_2_00007FF69812A270 swprintf,GetSystemTime,swprintf,GetCurrentThreadId,swprintf,

23_2_00007FF69812A270

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000007.00000002.562862478.0000022F903BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @C:\Program Files\BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000007.00000002.560281657.0000022F9036D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \BullGuard Ltd\BullGuard\BullGuard.exe
Source: svchost.exe, 00000009.00000002.543283457.0000016C46C3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.545646163.0000016C46D02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Stealing of Sensitive Information

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected BrowserHistorySpy Tool by SecurityXploded

Source: Yara match

File source: 0000001C.00000003.509274290.000001D3F5D31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

OS version to string mapping found (often used in BOTs)

Source: file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() > esg.c.WIN_XP then
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_XP
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() < esg.c.WIN_7 then return end
Source: file.exe, 00000000.00000003.272612243.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() > esg.c.WIN_XP then
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_7
Source: file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIN_7w
Source: file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: if esg.sys.winVersion() <= esg.c.WIN_XP then

Remote Access Functionality

Yara detected Quasar RAT

Source: Yara match

File source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	21 Windows Service	21 Windows Service	33 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	1 Process Injection	1 Disable or Modify Tools	LSASS Memory	161 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Service Execution	1 LSASS Driver	1 Registry Run Keys / Startup Folder	1 Modify Registry	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	2 Native API	1 DLL Side-Loading	1 LSASS Driver	141 Virtualization/Sandbox Evasion	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 DLL Side-Loading	1 Process Injection	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	32 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Regsvr32	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 DLL Side-Loading	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	0%	ReversingLabs
file.exe	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner
C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe	2%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe	0%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll	0%	ReversingLabs
C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe	0%	ReversingLabs
C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe	0%	ReversingLabs
C:\Windows\System32\drivers\EnigmaFileMonDriver.sys	0%	ReversingLabs
C:\sh5ldr\shldr	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://dynamic.t	0%	URL Reputation	safe
http://installer.enigmas	0%	Avira URL Cloud	safe
https://installer.enigmasB	0%	Avira URL Cloud	safe
http://wwwigmasoftware.com	0%	Avira URL Cloud	safe
https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag	0%	Avira URL Cloud	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://www.bulla.com	0%	Avira URL Cloud	safe
https://installer.enigmas	0%	Avira URL Cloud	safe
http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist	0%	Avira URL Cloud	safe
https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_spyhunter5.exe.ecf)	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmas	file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/M	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shmonitor.exe.ecfR	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O75	file.exe, file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269586761.0000000004555000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://tt.web.enigmasoftware.com/analytics_all/callback_functions/tt_callback.php10-100enigmasoftwa	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_indonesian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_greek.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def/2022110703.def.ecf	file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf6	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://wwwigmasoftware.com	file.exe, 00000000.00000003.268360683.00000000045A8000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecf	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasB	file.exe, 00000000.00000003.272462882.00000000044D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269795946.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268644221.00000000044E5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267107205.00000000044E5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_japanese.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecfD	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf--	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_korean.lng.ecf	file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_finnish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/def/latest_def.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfG	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_native.exe.ecf	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_initrd.gz.ecf.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.310323507.0000027493E2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_danish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecfDVD	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/support/	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263474019.00000000034F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_albanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265568181.00000000044DC000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_native.exe.ecf	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263633202.0000000003548000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(brazil).lng.ecfQsTb	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.enigmasoft.nethttps://www.enigmasoftware.comhttps://clicktoverify.truste.com/pvr.php?pag	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shshellext.dll.ecf	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/CRL/net1.crl0	file.exe, 00000000.00000003.263224740.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260864313.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.260814598.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x64_shkernel.exe.ecf	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dynamic.t	svchost.exe, 00000005.00000002.310494665.0000027493E50000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf	file.exe, 00000000.00000003.266226833.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268132894.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269928248.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272579170.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267616025.0000000004522000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265041066.0000000004522000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_shldr.mbr.ecfecf7O	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_lithuanian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_turkish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com	file.exe, 00000000.00000003.269556765.00000000045EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://purchase.enigmasoftware.com/purchase_spyhunter.php?sid=lav&dc=H2O750x01xDa	file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.262470538.00000000034E3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263265975.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263831490.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def/latest_def.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267137010.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267589014.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.310476889.0000027493E4C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000005.00000003.309685110.0000027493E4A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/latest.ecfH	file.exe, 00000000.00000003.263798085.0000000003539000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf/msv0t8	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_norwegian.lng.ecf	file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://myaccount.enigmasoftware.com/forgot-password/85000.0doc	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://www.bulla.com	ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecf	file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307522072.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272829020.0000000003527000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000005.00000003.309542538.0000027493E62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_czech.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmas	file.exe, 00000000.00000003.267369004.0000000003544000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.enigmasoftware.com/enigmasoft-discount-terms/.	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/program-uninstall-steps/.	file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_romanian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_russian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_portuguese_(portugal).lng.ecf29t	file.exe, 00000000.00000003.267336044.0000000003525000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268446523.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268767018.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270284496.0000000003528000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268202726.0000000003525000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecf:	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_french.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.release.cyclonis.net/v1/download?app=cyclonis-backup&os=win	ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_sloven	file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000005.00000003.286489874.0000027493E30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/log_collect.cfgH	file.exe, 00000000.00000003.262458403.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
http://svc-stats.linkury.com/StateStatisticsService.svc/V1/JSON/GetDistributorIdFromNameHttpGet?dist	ShKernel.exe, 0000001C.00000002.555272712.000001D3807E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.enigmasoftware.com/spyhunter5-special-promotion-terms/	ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_croatian.lng.ecfiEp	file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_spanish.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/sh/license.txt.	file.exe, 00000000.00000003.264261988.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307366859.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268147686.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263165543.0000000003573000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267393329.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270034914.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263198322.0000000003599000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263425100.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263666920.000000000355B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266458249.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.263392414.0000000003599000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_swedish.lng.ecfg	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/shos5/3.18.5/sh5_vmlinuz.ecffdiyHxtN/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_chinese_(traditional).lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_spyhunter5.exe.ecf	file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268589198.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268109273.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/spyhunter-eula/.	file.exe, 00000000.00000003.263138415.000000000355D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269836633.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266645467.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266193979.0000000004501000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265545201.00000000044D3000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268810091.00000000044D5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265243613.00000000035BA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpwl.dat.ecf1c6	file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.enigmasoftware.com/spyhunter-remover-details/#windows	file.exe, 00000000.00000003.299655855.000000000883E000.00000004.00000800.00020000.00000000.sdmp, ShKernel.exe, 0000001C.00000000.400479129.00007FF7094BE000.00000002.00000001.01000000.0000000C.sdmp, ShKernel.exe, 0000001C.00000002.546229449.000001D380054000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000005.00000002.310439985.0000027493E3E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_acpdata.dat.ecf	file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_bulgarian.lng.ecf	file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265599957.000000000450A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265475931.0000000004509000.00000004.00000800.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_x86_shmonitor.exe.ecfR	file.exe, 00000000.00000003.270258927.0000000003513000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268892636.0000000003513000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/def.pro/2022080401.def.ecfp	file.exe, 00000000.00000003.268574609.00000000044F2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268091368.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269812711.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272484826.00000000044ED000.00000004.00000800.00020000.00000000.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000005.00000003.309771847.0000027493E46000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.309723338.0000027493E41000.00000004.00000020.00020000.00000000.sdmp	false		high
https://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_hungarian.lng.ecf	file.exe, 00000000.00000003.265023125.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264992574.0000000004509000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265090679.0000000003558000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267159645.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268839321.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265257837.00000000044DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268295268.0000000004519000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.269908904.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266159498.00000000044E2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267146694.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266212207.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266637598.0000000004512000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270196143.00000000034E4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265054562.000000000450E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.272560486.000000000451A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268123380.0000000004518000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.264908780.00000000044ED000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266599407.0000000004517000.00000004.00000800.00020000.00000000.sdmp	false		high
http://installer.enigmasoftware.com/sh5/5.13.15.81/sh5_slovene.lng.ecfPAt	file.exe, 00000000.00000003.268508936.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.267477230.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.273074439.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268739494.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.307403176.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.266526363.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.268177522.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.270153315.00000000035A6000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.265217559.00000000035AC000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
172.217.168.68	unknown	United States	15169	GOOGLEUS	false
172.217.168.46	unknown	United States	15169	GOOGLEUS	false
34.240.252.91	unknown	United States	16509	AMAZON-02US	false
89.187.165.194	unknown	Czech Republic	60068	CDN77GB	false
108.156.60.5	unknown	United States	16509	AMAZON-02US	false

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	756299
Start date and time:	2022-11-30 00:13:28 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	SUS
Classification:	sus38.rans.troj.spyw.evad.winEXE@46/58@0/7
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 99.9% (good quality ratio 92.6%) Quality average: 69.1% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 98% Number of executed functions: 34 Number of non-executed functions: 212
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Execution Graph export aborted for target file.exe, PID 5244 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:15:30	API Interceptor	1x Sleep call for process: EsgInstallerDelay__1.exe modified
00:15:30	API Interceptor	1x Sleep call for process: EsgInstallerDelay__0.exe modified
00:15:47	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
89.187.165.194	Setup.exe	Get hash	malicious	Browse	heufheuwh.b-cdn.net/chrome.exe
	http://static.s123-cdn-static-d.com	Get hash	malicious	Browse	static.s123-cdn-static-d.com/
	http://static.s123-cdn-static-d.com/uploads/4458163/normal_60b1d1ff0c046.pdf	Get hash	malicious	Browse	static.s123-cdn-static-d.com/uploads/4458163/normal_60b1d1ff0c046.pdf
	http://static.s123-cdn-static-d.com	Get hash	malicious	Browse	static.s123-cdn-static-d.com/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CDN77GB	https://hotelsmag.com/news	Get hash	malicious	Browse	89.187.165.194
	https://d10sfr04.na1.hubspotlinks.com/Ctc/ZU+113/d10sfR04/VVyy_r2MfJLNN4j8c4w6LHWBW7TctdS4SKFxDN5QLhT53q905V1-WJV7CgSfgW30p7nV4bgs7WW512fYZ4fD_1mW7MK0fG1l8bNQN3nL2gJ47y9VW7wW5l995Mk2PW4mKQKg3rWR_0W80RHqb3s-lwNW1rpP_M3nlkR3Mzb6_rMpV3DMV2mthwgswlN379wTWlGP6xW5frLMQ455vKMN4phng0yQG_wVWMjJm420N7gW5bqz517BQZp6W1ztgFM99H6W0W1sWh1h8Bk6GhV8CsVx2Z98X4W87pz-G5nwf-nVxc6fk5q9D81W5H-Hzp8h5YqTW11mRjz3lSTDKW5n2JsN7459TVW2f7j6F2nl6dw3dqZ1	Get hash	malicious	Browse	185.93.2.248
	https://protect-us.mimecast.com/s/lF5dCKrGLrfJw4QKuM13x7?domain=urldefense.com	Get hash	malicious	Browse	89.187.165.194
	http://contemporarystaffing.com	Get hash	malicious	Browse	89.187.165.194
	http://RichardscorpCloud.quickconnect.to/d/f/rFgSB0e7tl5KFBQ896oOK1mmgyAdP07d	Get hash	malicious	Browse	89.187.185.91
	http://grantthornton.co.uk	Get hash	malicious	Browse	89.187.165.194
	20221117_300495_XMLNOTA.msi	Get hash	malicious	Browse	89.187.165.194
	https://cdn.fafopin.cfd/static/i2/Installer.app.zip	Get hash	malicious	Browse	212.102.56.142
	https://swhtf-zgph.maillist-manage.com/click.zc?m=1&mrd=1bcfb51f2d0cfbc8&od=3z25ad9cb441861b9c240b4631eac071c35f6954b3a9d8fdfa95246742dbf6042c&linkDgs=1bcfb51f2d1c289f&repDgs=1bcfb51f2d2f97ee	Get hash	malicious	Browse	89.187.165.194
	http://phubv0wdfen4lqxmv5zp0ldrvnmv6ddihd.gkptfve18bfobcuv1og1z1vi.erpagro.mx/#.aHR0cHM6Ly9udXRkamhhLmhpc3BhdGVjbWV4aWNvLmNvbSNzdG9ja2RhbGVfYWxsQGtocy1uZXQuY29t	Get hash	malicious	Browse	185.93.3.244
	ZeroTier One.msi	Get hash	malicious	Browse	84.17.53.155
	ZeroTier One.msi	Get hash	malicious	Browse	84.17.53.155
	https://www.craft.do/s/dSIrNi3MKB8Txx	Get hash	malicious	Browse	212.102.43.90
	https://my.visme.co/view/y46q1pqg-message-projects#s1	Get hash	malicious	Browse	185.93.3.244
	https://khs-nett.tecnoagrobusiness.mx/lew.doty@khs-net.com	Get hash	malicious	Browse	185.93.3.244
	Postcard#4457.img	Get hash	malicious	Browse	89.187.169.77
	https://indd.adobe.com/view/2a31a097-15e7-48f7-a87a-a19a07c0885e	Get hash	malicious	Browse	185.59.220.194
	https://keynotive.hflip.co/Revised-3-Lines-Model.html	Get hash	malicious	Browse	89.187.165.194
	Fast Cleaner.apk	Get hash	malicious	Browse	89.187.165.194
	Fast Cleaner.apk	Get hash	malicious	Browse	89.187.165.194
AMAZON-02US	EADSXus8Cw.exe	Get hash	malicious	Browse	3.6.98.232
	https://mizuhosi.mobirisesite.com/	Get hash	malicious	Browse	99.86.159.64
	http://openeye.net	Get hash	malicious	Browse	54.171.136.239
	https://comprarcasualty.s3.eu-west-3.amazonaws.com/csa-guidance-on-standard-debt-collection-communication.pdf	Get hash	malicious	Browse	3.5.224.123
	Fwd_ Payment_Confirmation.msg	Get hash	malicious	Browse	13.224.189.75
	https://bit.ly/3GJzdnH	Get hash	malicious	Browse	108.156.60.70
	robinbot_sample2	Get hash	malicious	Browse	3.188.190.144
	payment_copy2_receipt.exe	Get hash	malicious	Browse	75.2.115.196
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fpostsign.web.app/r9s0h3lind07rhinda51arn0h3ldr9slarkd07r9s0h3nW1&c=92652	Get hash	malicious	Browse	18.159.140.180
	robinbot	Get hash	malicious	Browse	3.253.254.97
	robinbot	Get hash	malicious	Browse	18.180.127.60
	https://indd.adobe.com/view/fd4651d1-f41c-4be3-ad8a-eb3a15958d59	Get hash	malicious	Browse	108.156.60.58
	SkyNet.1448.exe	Get hash	malicious	Browse	15.222.3.19
	file.exe	Get hash	malicious	Browse	54.192.99.51
	SkyNet.1448.exe	Get hash	malicious	Browse	15.222.3.19
	VeohWebPlayerSetup_eng.exe	Get hash	malicious	Browse	52.10.49.92
	shedfam.exe	Get hash	malicious	Browse	18.167.242.213
	https://protect-za.mimecast.com/s/uPmFCMjBBwFvRZPBIwJQlBT?domain=s3.amazonaws.com	Get hash	malicious	Browse	52.217.198.0
	2022-571-GLS.exe	Get hash	malicious	Browse	75.2.81.221
	c7oqCiKzbF.exe	Get hash	malicious	Browse	52.217.136.121

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	61376
Entropy (8bit):	7.99721527656712
Encrypted:	true
SSDEEP:	1536:oGRxST1xi3yoeuedpBKgmS0ITGUTdZWz4Hae4:jSTvineonITvT7Wzte4
MD5:	A23943F49D9212F92A2444941A00870B
SHA1:	8E2C8C6A4039A4A83D9294721043E842A48E7893
SHA-256:	3316093484F7F93128B03E4671EAE32B077A022386958E113C329ECEDC3FF3C8
SHA-512:	70B3E388DB46A0430734C783F4248B11E1E86F56AF9F2F4BF3FA288BFCA49AA2EFAE6B9AE297907CCFFBDD1D4117DDF13AF4F89C669C0AFF4CC9C6DF4324C92D
Malicious:	true
Preview:	..%.2Z....;r.).1.>3.....Y.....t..r{DRP.....I.)N...J..~.2$....e7L.kW.sOx.....55.>-<!...:...@.(..7.K{..0..$>Ht.e.P8.N(m.z...b3.......,....\|MH.:....r.."Oo....~.9.\|...y...S~o...8{fDp....H.u.I.j.....'./.......9J....M...-6.qu.d.n..m......U....E...:w..@.\|.I^........iH..<.B&)5....#.p.w@...Rc.....%b/f...uDK"....SL.....]..'$.I..e.k=H8.fu.-...d.[..`.r=...JAMwC....Zs..,c.aT.4.j.../.."...4-{3._;}2...g2.j.".S...?.A...c...U...].....H...........Nu..>.\O.{.J..P...W.dbz..Z..o.s......x.._p..W.]...9.>$..._9K.=cXS...n....18.k...h.3....ikS(x.....^fw..(.'J..c .[1T8H..(.0.T.<.........Y........NF..J.#...Ib..r...?..+..S..eS.~..F..k.7,..7..6.".R.V,....;.!a./.o....x.g.A..p/RK.....85.p.u.j>..}..x.X.]...5...#$.`...;Bm#.A..`1R....#=...../k.7.yv.#."..M#&...[.wc.......}p7\...Z<.....'.E...ju.:..S.6.{.D...g]g.E..deR_u;....R..&..^.....;.....;...G=w...C..b.X.k...n?..kU...EE..&s....rG/ .....t.+......../q..Y..L".B.}&5N._...TNm...j...@g....S..$./U...J.].].h>.X.

C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	7.999801502191134
Encrypted:	true
SSDEEP:	24576:2lmosBfrRo4tk4wUJvBV2nfyI0RCwQWMLR6LdnEWA:GmosBfrRdwUJv72nfK5QWM9sdE3
MD5:	2303D457188A51F3B4489FDA4A2FF611
SHA1:	1D533E082AC8A75417484D94CEF1427A0B91EA37
SHA-256:	ECC9D5C17BBED89660FD22552D51405CB4FDC81C060D026495C3D3EAFFEE8FCD
SHA-512:	31EC5900E2465C0979C229C6ACA7CC3E0AC3D9663FF4040099EB6EEE0C7D4AC0F5A49CEB381E3106DA7E6259A24D0DEC649BA988B64A2078FFB7664952EEC20C
Malicious:	true
Preview:	..........x.....4.B.6W.=...t......,}5;$+j...}K....,.0Z....4..o8...Qr.Z..'....3x....6.8I..T.d..Y.S..5...V\|..wXM..p...u..foQ...1..g..rlS+~w.t....nP...M>a...;o7..\..........+ .)....s...R.W...n.Z..J..K.,.dG..3#......F....+K....$..W........a..e..R...]..."-.PC\P.>L5.v...7.p<eKM.3..LjmiLi@{,..L=.6^.vM..A.@..P......k..6..E.=.8...Ye......>...jWA!...z........%..)Y.P<]H]..^.....8.(.......".Jn\|]...+.......VS...f2.....~.GV.I"C)....Hme..M.5F.G.0....{s.&4$.K.X.lX../y......8k.......e.:...u;/......:.3m.....~..'}....+.\|..:...0p.O~h.3....J...3.{m.8I.nH...a.....a-.......L...$...;.@..NQ..........Xv.Q..4../.............:.F.]".Y...B....3....g..._...N.3...].!d.....Qd2P$(b..3.S.o7....H.\1..3...j....2>.'.Et.E.og..<......n/.'.........t.7.....2S....y.Q4U...1F..e.p.%7.....?...z .dVpzGU.J;q.......U>jN_...[Y.B..!.5Hw...im.....q..P..%..O5[.1..j..x6.i....mr...o......Zne.L.Y4...PE...B..~...U75....W..=Q...-..`.o....f.F......J....`..'.;x....H.....wS..a....l.d....i

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	50848
Entropy (8bit):	7.995819494658591
Encrypted:	true
SSDEEP:	1536:6Tng6NVUAhysyLo8oo4kDemCWBvLw8+7K5dzO:6Tng6fRhyswo8h4kDemCX8SKba
MD5:	976CB008B4902CA8F7B0FAFD67CC8D7F
SHA1:	B7FB11F06C534EA450EAB52B20B18565211282BE
SHA-256:	C5060390FEBD5CC803490444E7AECCE91E837CCD4ED257BA6CF8F9063450972F
SHA-512:	FD177E34D0C2F8FD5E45674C78F662F62EB7ED471F3E73C3E520B2E9846AA8E548541AB91978BE4AA150489E1C1ABD34E26AA5B3E8F380F2780C5B1FD8E45DD3
Malicious:	true
Preview:	.z...V........&..4.^.y.WH....$.fm".[.c....W...F...d....(...Y.E.......6.l.....S\......7.?..?Cm......}...iu..g.8...qA'{....D.y...~b..3.......\|..PF~.<....n.-.............p.[..#...._........O.".4"\|..:.E>....n.f...#..-......X......:.....#....5.?.i.........?.....B..A....qZs.AT.9v...L..X...>.+..1.o.[..G..].u][.C........^./^.....@..s.3...CY....\|H.Q...!I..J.N...4MC..o.. ...D!.%>a').e...K....[._..b.[..DG.(..pi.,.$CT......o........{P]./kF.W....1.a..EE....V]E..H.....aX....C.........F...E$.[.~..c.,=..]d,.l..W.Z.,!.HN.......L.Q.d...Z.w...=."u?.Se_Y.M.=9......t......c....(.6V...Y..\v3n.2.9D9B....q.3....a.\|..7....3....G.M.'~.9.2..wH..1.Fv.G....UXe~3C).......!.,..DW....k....$..........;.....R.j.F....b^..k........@.v...~(.... ..7,xG...?..rTW.J.5..&....3..6.a.._lC.....e./.:3....T..5.#w./.....N_..~..l......lq.[.....u...d.#...N{S..)v.U@... fV.Q*.L.... ..h..DX\;\.8.^..U....6..R...s..ZE8.\|.Qx.]\|...[9..6..\|p......).'.V.l.h....v(#A...x[........8.]Dy........

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	56704
Entropy (8bit):	7.9966622028475305
Encrypted:	true
SSDEEP:	1536:ASfranQjTDA8Rs1qUTdAjCwW/L5T84SRa:bosPAes1/aewaLJ8xa
MD5:	6618E83905AE4F765661C05EAB36A4FC
SHA1:	3430296DEC76D4B0B94EC96BE8E9B173E5FC17EE
SHA-256:	D63DA339D437AD9254862F9E9A103272E0B7D61A6B2018512E270791F07551AE
SHA-512:	8389B1324506014BAB8D21276ABEF4DCAE4148F21267238FDD814E764A8BF310F677FE6A2103EC2EB1FBB657154B5A625BBEAA13CDC9DFBCB88535A38B961A0B
Malicious:	true
Preview:	...:.p.(..$..f,<.W........H.<.g\|...\|..F..Wi...................Co...y..[H......p../.8g.......U..._.HZ......7...%w0.N........i.HY.C.....9...!..Q.....4&.....P].g..lO...bs..9.u."..3m{......[...w.v.8.).a~.d.....e?y!...d.u....(......-.bj..=Cz%!..:f..$.:c.w..S./...O.z...e .a.....^:.a...'pS%Y....2B..+))'..;...q..].G.....c...B.(w..6'.Q...3[$.1.`.]=.&.1.%...I..F.a....Q._....v..O..yC......y3.Py..d3.....gj..Zoe...5EZ.c.~e...........o....#_.j.....%.&.Q.:i8...C.!Uz..^Vo..43..Q7..n.5L...f...d._...O.F.xs.:...4q.Ly,E..`...m.y...\.h.+q.C...z#...U....&..uXR.9.{.k.).k.........#.N.0{.19...)u........`...,....&@.....=.F.q[-.b......y..Zo0#f..>..p.6'W}....C#...;...8...`...O@).J)....U.j..\|.S.0.Y.'...Z^...x.c.......8...\|.!.])......L..1.q...y.....\p.H.Y._.=.....u}K..0 Y....y.}R.[..E... ?..H...t.<...G.B..t<m....sO..7.@.q..y......t.E.Q.?..c.^.p...A./R...}..>..Gp.....!.. .....kG.!....8.P(.N..5...#R..m.u.-.3..]$.Q..st)v..Y.L5.k..g.h....b0.R.v_:....c.....1w..

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	44544
Entropy (8bit):	7.9961564371757055
Encrypted:	true
SSDEEP:	768:08drReUlmrdsecBBjXHOAm2nqkn1ogUKkVc6spAjwZRI3VPjpUIF3oCqSG:71m4jXKk14HPwnC3VLpF3iSG
MD5:	04FCFAA2CAC93ED7A9BE17B254EAA8B7
SHA1:	F7A1DE255EC9639651248095020CEF09ABE883C5
SHA-256:	9A07B678314123FD9750EF745AFD988449AC88B190E358B5658B18A01343DEA4
SHA-512:	CFB2CEF6D9029450A1B5426B6CE28AD858A547DFE5DE7070C1EC9B0EE07E4179D1D14DE5A910B099A30A6ED9C6758CBABFE6E8ADB3BF2BFC3E447889E3B76F8A
Malicious:	true
Preview:	[4..n.`.alW......4..X...A."........g.......G.j..P."$zy'...{.....~Me.y.P...>..k..%...U.g.......<.e@OQo.R....]....."....BGx..Q.l.iI..,..o..(.n...)...P..z.k.Rj.....`Ldx.-...0O....Y..s.S. .xM.1...<.......u.K@....D./.a].....A.1.]@.Lo.,....t...da@'...%.wYj..z.....!$.K4.......jL./:...-..>...~.Z.......\|N....M:gI....\|H.`.w]. iK.D.........&.o\|.2/WXm..J.'...5>.-X}1...et.....LW.m.%<9r......nn.R..].O..s.?9.0;u..[.0...z=D..a.\|.,!......g..D.Mld..1.%b..O.C..P.m.Ck...5.eJ...X.._..,0....$i.?$...J3vL..;36.<./.p..^...zl..M.v..6l......3.=........&....v........Z.B.'\|-1...=.X.r.....w'.B<.\..S\|...#.4.L..#ltYs...C.\.x.8.i<....L.%w.`QIB.G....<^4.gc...V.8...-2.J-.7}...HM;./x<\.B..Q.=.....AT.. !...F.?v...j5-.V..........c.,..4w......DM..5=.XUJ .j..#..#o.,....;.h....#.\|...f.......4dl..'u..*..dFu...Q.-....c"T."........+`9.w....f...g.wn...A...W.A.].....Z...>AW.....{...g........v..4p!:.Cy<..%Dn....K-N.Z.P..\|7...'....,...[.M.n%?...I...S.\|.~w$t..Pj.y17.6.-..2.}T..>f..R..&....._

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	44960
Entropy (8bit):	7.996099716929491
Encrypted:	true
SSDEEP:	768:QNsB32GtAfawAkaskx2iJgFQpTxgmPjvXQpy7aSreTcJS+vv1vAOXWQBWfsd:os12yAfT5dg1JhpbPj4w2SreTclv9IOJ
MD5:	0BEF946652554363402BE05E41015BBB
SHA1:	93891647EA0CB636541505F9DC045AE8A9D4616C
SHA-256:	EC337520003B26095204172841E21F097C5DFE34C1105097E20E9FA2AB832D5A
SHA-512:	465536C80112FA83235ADF31B8A4E7976030112DC064C4B2681380D962DFD02A16E8BF18F562A60F6F36891060817E29A7323B2E95B834E3C5D0899955521528
Malicious:	true
Preview:	.....^......!..[.\C....>...oo.<.24.~.&..&.?.S..d.c"zl.J.y......xr.s7....\|.........`V..G........W/......<...R.8..{..a.....\|h.'...4.U..j,..S3\|..x5.p..B..7..^.8./@.uL.B,W.....O...g...D..7.X`......i......'fU..GB..i...e...'....`.X&A.@+&..9>6....t....-.".X..b.-...8?u[w.[D/.... ....\|.......7..G........Y...V.T.}.WP.}=...b a.-@X..W}.7u.......N5./.T.>.#N....!.....Y..N.j...!>.xvV!...w.G...tR....U....I.19...?...v...Q9.i.>.8..h\....5..xU.w.9....z.........NifA....~.1..y....z..4.bM..QF..YQ.<.@+..\|....]....ziq...-.U...xX......k....P....$.$!.q....>.n.wQ.......vaZ,........5;X.*...w.6iO.2....yV......e.....;.q..s...Tw.M..F.......561l\|c......iE..Q..I...VA..;O.d.HF<ca.`.x..@..w.!..d....~.f,.pD..H.V...h+.+/d...Z@v\.H..e....2.....L.\...KA.......5..6o....?T4N...x.b.T.p..v..:S..@.D.h3....s.r.8O.E]..H.P.....w`.9,I...De...{.G$.KG.....w.WBwq.g]^.....W.)..gZ...1._..C....6.<T.,...X...].T.5.....g......#d..I.....s...sH...P4..(..;.m..).Y/X...^..1d=.9Px.@...M`y...cb..k.....:....AX.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	7.9959514160114304
Encrypted:	true
SSDEEP:	768:BtraZA4guj6hHy/kRqRhiXIWOr4mm36MYwx9AnGytdmtTfew1XQI0NAjNVV8JGCT:Bx42SkqT8IWi4Fvynvtdmx6NAJVVmGCT
MD5:	D36F2FB4D4614620274FB5B6C7B74DBD
SHA1:	C878FBA0B13B820467A3A6DFABBF7685938CCBF1
SHA-256:	4425CC691D8602F9DA0166419D06E945DA46AFC1E7B96573B3AD1FA036816301
SHA-512:	7A0F7343D70E2B6DED9256F5D07501247CB3D48817F081A7EA9303FA4874A8E2B19DB0197C766CD05F0445DBC1C72C929F8451695D64BDA8040078E4E0E9E095
Malicious:	true
Preview:	.6.u.O.@.4<.......TCj(.d.k.hb..-..nz..gz[6..G......H<.@uZ....\|..L..,.^`}.e.....{.u...ZEL..y...zg..@.h...w@S.'.2.(..n..C..5C....W4....v...fE...g.Dq.3..~........;.N-..(.J.f.\...J(<..j..O.....Z...7.....<S..... W(.T.9X_.........."z....A$.....j.$.6..../L...v..w.2.Mu?./.e[cf.d.....2x...6z..4....s_"a.?q.p+...o...nr....-.E..M...X...)M... I...l.n.(..).k.X.t.......8.6..t..RA+...k...Dy...UT...3.!....6.;F..,L.u+...j.d..{.tX..c...\|e.6FJb.Ol...R.c...pNU../..N...B..={.6..".(s}@.1..iw/r;i....W.Y..U............e.....y..x..c.$..K.).y...\|.V.y..=..{....6.....{r)t...x.=.5$..o...U].......7.uDE.......\.d.a.,_........gk.4.9..T...i..f...K...9.+....e2..\..L)Y......U..blS...\....B.PLOV^......Yg...G2....h...3.$m.^.\|!.s.@.N%.S.w....8[.....E.1.t6g..$...'.....\p.).....t..-]..V.g../E?.`.f...I,> ..@...O.=bh..hR....J.J..F.......{g.N.qz=U..:C.....,.u2'P..B..:y.:..4.Ky...Ty.0>......3..[.R).v....*..........q.J:?.M......./..z..A..G\|.E.x..~0.D>`........d..t.........&.h..X.4

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	51392
Entropy (8bit):	7.996800787014128
Encrypted:	true
SSDEEP:	1536:p+HtA7Mu2wL/FB99QKYlc7az00MtSHGSS7ot5ZKBP:pZMf2/2c76RG77aKt
MD5:	191C5A8C60F25F69D4F943485B52B787
SHA1:	23827A4424723CA84EBD8AB4F724D8A3F847CD40
SHA-256:	53F153AF1CE3DA8FAEBE4B4D24F50FC460F85438AC4F4DC0BE1BE68B6A9E6BA8
SHA-512:	151B1934F3D1162D5F0111DF4BC8EFD7D34B94C7347AD79AB131FB7986D29BAF0313F8BE3245FEF49F34498A057AD93EA50CD3DCB3483288844D0AB7DD45F428
Malicious:	true
Preview:	xlH...<..HgHTb$...`.1.]A@.d..1...a...\r.(.Q.,>....<..w."..dS.....(.<..f..I..........-..1<J..V)..T;(.....<.O..MZ.6..&......\|{....X8..,..Jy.:4..L.2..."..g.gm.GU...Z.k)f.\|,.,-...e...c..}Z..b..\....b.V[..7.g.8.$.=/d.....2wO........--......3W .../.....%.Po..'..s\|..:t....A&.`X7.\...>2^.yw.n.....O..%................G...H.-........D.(...~olA.L. ..4..g..._...Z....SuK..'.4@......j".G.^...3......^.e.Z...p....;.".f8C~.Rb%...).#............7.......r...q..up.%.+..b9.......z.?.Y-.S...A./...._.L.\...H.S.,... .7i...U.:......%.:.._.'...........6....DJ.......z.`.S...O...?.mD.^\|qy@nD.........-.9.\...o...{..6.J.=..zj.x.zG..5'....S......6.o..:..S.G.7^.... ...s.....-.a...@f]...N`.........}E..c.I..H2...Y.\|.GD...?...A..L....:...O......"0H.>.....f...rx..k..q2...x..&.(...tR....B.j...skO..........>sl...7oD..q..qO./QJ....v.VJ....._.en.H...G<`...L.[.........++-..JleJ...s.E.^......'......&..;.)mZh...U.ek.......;......Qh.&.......fH.^....[.i...kZ..@....

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	47136
Entropy (8bit):	7.99711126287396
Encrypted:	true
SSDEEP:	768:psVmvfwZNnX1uHqX2DXiBwwlT6isbRL9Qiw24aTk2wMcgyON9rexw2oR:WsfwTnqWmQwtNp1bpTiMcTM96CP
MD5:	0985C9DAA23F1700CA990265AE158BC3
SHA1:	C6DA87C9801716989188DFF6F651F01EA3CD5BFF
SHA-256:	C19A7356DD44ADF14C62D253CB88B5E83C11283E7CB57A29FA68AC20F1840EFD
SHA-512:	9F5768270AFA4728B734EB7420A8FF4A82826364A81A53A6DEDDDAB9528EF4DD8748E0C8E0B825AF9F78D3E0EEC99D890FFDCE30B0812F354E0BE2EF5A0FD203
Malicious:	true
Preview:	r..We......>.y......q6=.E~..i.^.._}}r,D..x...@Z .OH~.}+WLn6.i...n..'..._.JK..$..E{.7".p..Z.....<....o....9....ULA. ......l.&s..0ZO.AV_..1<..\|e..6l...<.-.{.A.q(.09...eg..H...(.....v.WSb&...!a.....{....AK4P.;/.v.h.x......$.n.w5r.I......:..^.L0....[..kuM.}iR..D. .2..n...x.c...M..0H...I.lPu...L.F......_q&..pW..$.....&q..h.0<w..q....8..).C...B.t.....L./.....R)RX....c-.lF2\.-..^.g5.n.L.\|N\.@>....3....:P.L`...Y'.~...h.!.C.`.Y.N..F.......b....g....@9]...I.....gG..e.aW.$X04Ks.@R.!wi..._....`;#1...[9.:...pB...1.I:0..._. ....c.Q.<....d*6QoB.<...\.".Qf..S..j...X..Y..2:c.X<.e.>.q....t.7\.y....F......fB.^.~.\HM7...c....wC....TD83..6..r...PX[V...F.[5.G..F{.6.s..,.Xk..).....j..'..-8..J.[......S.g..UH.M3.O).1\|..F....x..S..l&=.-XC..n.....\|e..?....b-.Z..h.c...Q.9..R...{.gfV.o.eaN...^{[7K..y.@.........&\|3.....o...........Q>..........m.!.J;.e..D....z...:p[3.u...{I..w`B0..$Q..6.\`u.,xc.0.{.u.,....z....x...q...C....k.jz6..(.2...9![@....U\|.......o..."..g!.0J..

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48320
Entropy (8bit):	7.996230355017293
Encrypted:	true
SSDEEP:	768:dAr9iBSGU9AG6FT6OP348PsKlx72ZN8dOG4DDAIREKMRErUGKJ/:w4BSGU9AG2T6i3dhg8cFD0IR1MR8UGKl
MD5:	7E3368BD8F799DCE730BED0D85BCDC9A
SHA1:	0DFDFE81C81806D9CB5A6BD7913455F4E3A34A9A
SHA-256:	782743FB4BBD79488D1DF851C5A26C01CDE4BEE285B7EB451CF24E063AE723B4
SHA-512:	AC8FDA6F6EF00A15E6371420144EA9F53321493A8F4533ABBEAA9CA24322D9358D81E130EA15C909D687345130F54ADA33BB76BD8C486F2CDF64AD85F4750422
Malicious:	true
Preview:	.....Uc...#.:....S..}.~.).E...?/:w<..H.......Tt1$...b..Q.......A1...=.O!.-.1.q..H.W.F.\|v.c9f.gL...~..ZP.@..6..[.>.'..Im.HEAhkh.&.E.).....~..52B...R"...u'...m.H1..,.a,5D.E.+&<...$.<....$...pG..lo...t..z.s..(B=...._.......2...y.z.>?........-....Wc.u..p...........pLg2./B>.rS..1......x.3..,.../.4....@.1..p....0e..D^@RM.X....E...k.y......0..VI...k.S...b.....z.Y...}."I..eG\....{:....x..P.q..d..aQ..p.z\|jh=..{.=jU...B@.Se].$......S>nc.'k./8..9...EY..\|..({......VK..{x........$.@......_.._...L.n..].:K..-..zg.......0z.x.Xov..P15.oW.Kd.R2e0g.X..D.(.>zt..K.z..1.Qz.)..O.F...VPv..q..x5.....V..G..4.....6.."\.....gK%...Z......v4"+.S{.@./<..\|j.;)4x...r..b.t..[".CB[...z&}u.H...K.3..>>.2..'.....j..t+....v$....2.T.sCb.NV.......T.Y.D9?9.b.D..sZ"..R.3.Gx.[....En...xDY..=..j.Wg...a..9ba.?....Iu..@R....Us..=#..E0 .K.P.......Mh._..ET'...U.....L...^+(.B..:..3..6B......]....r/;.<...4..:`3...%............l.`m..........Q..$....qes.O..../.y.....*d&a...I....\|.-b

C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	42784
Entropy (8bit):	7.995729901452885
Encrypted:	true
SSDEEP:	768:Cv3VkgFj7UnG7+bAkmzx1eWHmVypmUIXOv+4/4t7muef3jOEb:43VbPEG7c5m1RQ1X4mr2b
MD5:	CDC4212F25766779E915F5189862523F
SHA1:	FAF1A8BDCD8F0A460BEF210C7AD72841F6504059
SHA-256:	E2A0515CF459BC2C60D1C849C52ADD6928CEDD0460A1C60E81DFB9966C8A95E0
SHA-512:	D99E0AD932B6E9D2E2881781B3A0B55C67C41C9BD4D184C1B2C29F1F50D1E4D0EE22DCB3F0B9B30CB3D296DE67F5D12D873A9BE729277A6CCB2F87227A4887B2
Malicious:	true
Preview:	.E~[.aQ..9k.Q....K....I2.. .>i.(....QBt.o..R.Y..3.%...P.Z...Gi....."...v.5.,/....{..c.23......b.InJ^.C..Oe..w,+..\..\|..K.....x.;......R..#.f.#....Z..vz..ar...........h$....jP=r....q.\|..}j..$.F.9]..$uR......c.T@.f.....L...k..q44......<.`.q.....t...gc$A....z....7.pVX.y..Be~..I.k................b.e..F.....% ..6B.k.....P....'$.a3j7.... ...X.[.#6..X...)"r...,"...4.=h6.~.....K.g....cC_...g..... ..h.....I>.....)..5Bg0..i...;.....d.uS..>W.\|;.;m0E.mO...=r.=..^.d\|.^y.&\|...U&.8m.C....;."kAA\.4\4..z.,....P..3..f..X.gN.a{..>-Ib...?yVK....K...o.8..z.w1a..2..e...W<^+.e.Fp..&k.8V.\|....:.....x..7'.s0..<..T..$.6...<.O....hD.K;...I.d.%*a]...#V..rg.....h.5.o..$.....oI...7.&w..i.O..P......lm.h..t}K$.Y.....`.~.8T....k)l..10`..ss...C.j{...4r.i...k~7Ho.......[...+...N..B..~..(.cd.i.........@...T=vq.{....8..m..].X~...gj\1@IG...ru:........O.....W.......#.p......}.\...MLBP97M.1.x.\...."..O..Q._.........r.............N...8.m..:f..3..S..2..j....?..P{..W.+S......

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48512
Entropy (8bit):	7.996154119133664
Encrypted:	true
SSDEEP:	768:+s+NSaq94nPlAXHyIbHbKKMOxRGUbxAPk/DvKWr3C2TyOf45bWbAvvTat9yHruzq:TXl4AFTmKhGUuPIuWrpya40Avr/GnZi/
MD5:	0B286A1B30CE5C89E2F9300BB8254286
SHA1:	B974D6DFBC5FE1BC89A62AFC86F6DF6948209D54
SHA-256:	610426F80771C20488BEBABA11B69DD0E32B3F7B1CA25EC4714792EE6F48C8F0
SHA-512:	19F56A34676FA176A01917127E7FAA8ABAA20C136B1F120CF0A3855E31D863EDB3CD7287A572E8C78AF2F904C0EBECE906F7BBC04F6D7FFBE833C69DD59A0D6D
Malicious:	true
Preview:	q3..b.o.=_....\|...G.....h,.v.>.NT!.w......L.3....L...T....2.@v4.fu....".;.....d. .h......Z...`.X]Z(>>.I}....S.",d..R!.....\..(.;...y.?..q.xo...?K.A.Y.......}.....VC...5?a....4.....,..9............=...{`.....p...!.N...d.y]..sK.+.r.N.r}..qq....G]l.....w{..=.\....u....H.....of.c..Kh'...2...}{.... ...r=.IQ..D.=N....4..!Pt...O...T7.-...b..g............4t..M....r-.....N.u.t....&(....}0..(...aY..S...r.......F?.I.,H.!..........6..0.^W........=...{..j..E.-/.....z6..6..L:K.''A..z....c...uA.:U~[.....!....O..'..f.3...S'..P.n3...9..q.l...O-.....F..,f\..-Y&}Ef..hw..)..8JnS....,......_...(*..V".#...wu....2W7..Ls&....gU{..SifB...-...yrN5~'...j_.D...d...........=.........Cj.... .v...G...l2M.p....w4...Oa..R...l.W...C.S....j....m.v........\~.gSe.n..........d...%....A.]9i...C,Q.'.%..I.L...q.6j.u.....m.IQv...u,s.F_I.P.5..r.w.....[.[u$\|...h"h.<T.\>X.....a..H.M..v...iH.9...T..b..#.w...?. m.s~.G..\.Q}@.q.(..WG.i..)~........y?\..X.....[.\|..{\|...q).{.....r.E!..

C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48224
Entropy (8bit):	7.9967131332237615
Encrypted:	true
SSDEEP:	768:4mioRiouNLX1LAycAs0i/aNpB+5n1P6Wur90/O96Hv69H9PIQPGfSLlt:Pi4iomXJ3zNpBQmo6N9DG6LX
MD5:	5592FD72F10D4DEA1D0810B2857D8632
SHA1:	4BA8A9BCADF7DFC6B10EAB0F0AD138E5A6C451C6
SHA-256:	516EF58F2C62EB4C2B797586A24869C0A9DFD816E4D80DC79C1DB7E2AA334142
SHA-512:	443C875E496A7A0BCAA87402597F7F69A1196E2D63259E17E8F40589B407039D9762176D2A731B50E26FC4AA99658F0D880459AE19177AF85943C3ABF4A6DF8B
Malicious:	true
Preview:	.0.Q...s.n/.x......:'.:..l.]..@..w0..R\..%3..T.....o.7f#w......t...m...=........h....K(I....tTE....L..E..1i...!.....x..hdY.".N....1{..^;....f...G.Y.b.q.+.#s..'..=JN%D.i#2<.....^...J%&vo...O..(.7Q.....j"Ks..{.6Y.8&.'...&^,cl.`.N..N.....aW83...m....3...i..n.....Je>.Z.6b.2.x..O...N....l.e.J.G..qK$Y...g.{....i....0.....k...g..hq#<. .k.:....A....I#A?..R.......H.J.k.^...d.0.M.:.....K.xtJl7..7.@..GoO......[...}..TVU3.....j..C..xO{.ST........3.wnx..e.{a.9w7..n$...7..e.......o...!B4.4...0.).x_...8.?..m.t2S....:...2..t.K..{...2}z...8..P.......2..1lo[.aJ.y..b...H.1.....h...U.\TO...<rw6.)p..L4y....6cs...0.s.N!..P....`.G....^.A.C.C.l9t.... ......!......c.}.]N.....\|F..P....q........._.......u..3.<..6......&.N.'.w..e&...C...H.}1m..P.F.....;.s.M..h...%.`..V/..[.....N.R).]I.`B...<.nS.}xn.6...1n.../.`..............s.#..M..Ix.!........4i..%%,"g.-N.V/..,......;....{b.9-.......6.Oz..=.!W..=J%...?.F..........D..x.0.KGM......v..$w.u$.).WY..\|cG\

C:\Program Files\EnigmaSoft\SpyHunter\Languages\German.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	49504
Entropy (8bit):	7.995807513580829
Encrypted:	true
SSDEEP:	768:/Et3lCkAJLjP5t+GavecrMfYAx3jUN4UR+gN8kP1THWt39FA4sXgqpRUcdGHb3m:G3471H5uuZ3oN4eJ8c1jWnEpldArm
MD5:	9FA1C4183C3E9F5849B29483B2685C14
SHA1:	0BE0F1FDE03E1619CA45A014F72779FADE00B804
SHA-256:	BAE08EA9A1C7969161C5CD640266A4D4CFC676DA5F09476A69C2088D0EC62C3B
SHA-512:	0A57DBEA7ED6290C6843C228237991D5A722A8BDBCDC0FE7A93381B16D4265A28C257D8D6C211FD3B7E54B82A0D8985F08C379EBCFF329CCF9D3E930A2009099
Malicious:	true
Preview:	..?#.x.u..D........Uy#4..(b/.....:.Y..w".d........K.....Gc.E..GY.$.aH.Biw\|....(..We..p......kqK.X._^..l.Nf.dl..(..Mn-R...a.{.R@...A..lN.pvf.....{..4.H.......p.........L...x..v.B.c.Q..s}:N]D......}.1.U..h....'..73.......>Q..L.....i....5..5..p.UJ....D...B.9..{su...)L..q@..\..W...ZM.x^M`v./u.......-.\.O.h...bx.<.e..u..r.B..."...k...4.......).[q..>...NC..5.U.O(..B'.mv\|v....mU...dk..I5....C.tH....v".......X.r;;...../.Q.j...U.&'....l...'...lTZ....2E.e.`q...5s.+.....7....4o...b.>....h6.d....Goq.W.oW...o. mlE.a......J.M,?.c.`....cH.1aZ...q.[7.......u.W.../.~)2}.k=W......d..4..H`....9...(.......)".G<+..JF[....w..b..s.E.-Fz._Q.E^-..hsG.....,.n.Y..m.Wl.5.....^d.U..R..0..1.R..e...dj.Y..$....R.....K.;G......%.g...X.J.......X..../59.i...kF}<..jcBv..m\|..n......f...f.!...E6.3;.F..5.lz.jXb...C...Qu.6.S..O..=..nQ.2C......z.........3..b....y..-.[......Fn3..pK......].....\|x....n.:@....5.Il...S?.3.N..-6.....7..\2..Sy..v.I....zkH...e.9...v'."....

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Greek.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	60096
Entropy (8bit):	7.997056401458807
Encrypted:	true
SSDEEP:	1536:4NCSRPBRJaHcdxJWn2hF+RHfPrH6KDIk2w08lv5Vy+DQ:8RP0GW2hF+Q0lK+DQ
MD5:	50989BE42BCE3389348A4E9BB0193E77
SHA1:	6F1FE6159CF951D267A6C5714420C45C92FA1A8A
SHA-256:	92E2302F8300B415C33F1EAE6FE51F419FE9411768126C09B216B53EF3208ADF
SHA-512:	ED0BA9FC76FB42A3EE160188419F07942DD0AA44B165A369A49849959AFEA63080B1B571C47D2A95F37575C0F6D72A5B8C061B439EBB9E0A027FA63E6C520D21
Malicious:	true
Preview:	..cG.x.........w.>...t.V.7:\|E.O.E}..`.;y........s.R...".'..d.\Mc?.2.+..+p]\..A.A.....%z.W..\.6..R..VGT...x..M..e......Vm....z...y..Kq.%...-.......a...%.[/..)$..C%.D.W_f.>O.......:.^2.......l.......w.....~..&v.............>a..[*..C.nR..M.....`.']G._?C"......:..l......B.+.ix...R).]..r,_...Xh"..gE1.l...C. .{.:>]s.}...3...:...F.}.......&$.....".eP.:^../..N....<..l...z@S...C.=d...go]........S-lk..\......q:......0.v.g..?....4.m..8..m.T.1.{.l.!..3.x.8.x..dd.z.......U^.;...u.8f...q.9.....L.w9.....t.%6{..H..:).R...?z..z%......c1...\|F...M..m...... .m. ....y`.[..... hd..S..c1p...E:9.T_?.`V.a....9/b. 0..@..-....2.i..v..+...0h.&...(V.........u..;.E.?M......y.n....bj.&I..C.k6.>....Ob....o.@..ma..o1L....`.ev3.P.....,.zLVR.....n..F..}.W.P[..%S.._ ,(.(.....).U'5.-....p9.J.........~U=..Y.x.[..]2..WEY...L._....P}$.....xFm1..6i.p..i.H.....A}Z....^.x..j..y...o.z\.kd6.3..u...Z..VE..o9.p.#.P.>.3.@.v...9'.~.....zKl...d.8........}....1..K.L.xk...-._..Z....j..p...

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Hungarian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	51392
Entropy (8bit):	7.9968985948672096
Encrypted:	true
SSDEEP:	768:gOrpeqUFMgGt03zi+NcYO8VhV1BX8QLpkwhWy6lGbVWEsHwxQaGZ:gOLU2g91Oyz1BX80hAl4l7K
MD5:	E21947E89D81EAA19307098634A1CDA3
SHA1:	990A6AB4CD228298769BE7A6494317F56BCD05DC
SHA-256:	13AF244A480AFCEEF13E6E68D1FD88C3C6640463771B26A01B8EF693F55DB008
SHA-512:	E5D789680077B2C261E9DF1845BAAC9BCFE26BE5A7CA7631DC1438E627277981A2CFBCC056A7A75B9B6B7790347381BCA8EAA39CB2DBDA79DEE954836CA0A464
Malicious:	true
Preview:	<.........iB.T2.U...".. .\.p.?-...S{.V..Bg.Qj.......O.N{.vY......}.$.S......,{Y1........8...Ye....y.H.zR^<. ..p._..6.#f~.na...=cz..%.H.=.E^D.._..u.1`).{...z.Y..l.l.4...[.....w .......c.@..R..1.d..s..Ne.!C%T.[a...C...>....]..o.(..e.....!b..v.H...r.a..y..7....$....d.n.lW5...5..............U:..\......-#.t1O.6\|.-}F.G.4.b#...~..#$ X.dQ3vK.J.........r{..=l;8nd.FO.k4..H.t..E..9Z2.\...Pg.ZF..._Gva.F..%.~:.;c&.......6r9/..b2E..ui=X.I.PK,...g......"...H.]\..._9.'..z..#FMeT...4.Qu..#.N...7cy.........I.#...iN....8.o....\W..ZiUD.c.g)....p..........C._..(.Jz.I..@.<.-.....z..L4..(...+...:B....4."Q.$..3..h..e.........J..?.Fg.......s.o.16....%Dk/...........,......hA,5,..[o.k..`q.9.O........9.S)6t...a.M....T7.*....u~.~L.D."..;N...1.A..h..)dd..9y..w.3.t.....V./..M.."..5h<?..5... 6YD\.R..r.%gC8s...7.;yiN.3..G@.,U...6.a...W.D.Q.. ..9s.@...a.<pW/......7.Z...j.C..}\..... ...U.k@:mM)..z..e.h....q............+.z.OQ.^.)d...(:t.?...RGU.....l.97...p..m_.....

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Indonesian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	45440
Entropy (8bit):	7.995735152404058
Encrypted:	true
SSDEEP:	768:6J3jbt4FakmnyjdmO2V2CYOsbRhWtE7o4t6t+M9jkCMr5:Y3jhkmyjdzt5lRw4tUjjVQ
MD5:	AFB1C96541A1206C84101DD39633AB07
SHA1:	1B19ED3188A2AE9637165F4B5FF14FA5F97A9111
SHA-256:	37BC59193E038B46894CD3E30D42FA1F941F518FE9EF5CFDB9362B69D1629FC1
SHA-512:	76E1CDBC2741544D8652B659974575AB89BE4D55933BEA54D46F651C611B8F03048897717AA5A5E539FAA1D6E5B725DF6445FFF8C6C5C6B321B87B3378F27D93
Malicious:	true
Preview:	.....6...O........{.jQ....EO..;..bhF. ...$'.w.-.?.........b.m.u...Ws?...fS...4...c.W&V......%....}h...".........%C..L......==qE.2..O...0<j...3.?...... (.:.../..5< v.O........V1{......W}w.EQ_+.<......`}dF...&.6.V..)#mX.fh..RR.E&=rs7....V.....I...X.)....s..X{.5...........z........F.....r.b.....GU...]I....P;p.$..1\|i...~I.,5T..p.......<5.....E?.2Y..p.R.P&['.c.hRZ.o..b-....d..B.q(.Z.._2.R.p.O..V>Jw.yy..@.....]..9.&u..N..o..YE.3...KM(.]...IQ........L..8..UE..R.W.......l0..k..o...(.Q.."..,}n...@s.x.6......].....x..R.$ ....,.?.._......:._...(..,....W.h..,O.roFe...=?..,..s.L...Xa ..X......G^...\|.'...nN{..KT...&.-..(....z.\|.'.N.d..:....H..#'4......7..Y.....".CTEB...h.../....tl.f&....R.....t.559a20..p.Hi.N.&..bC....IxH....kM.e.Mxv.u...}.7...N.w.....cDN..........e......#@.6....9....F`h..~... .P..:h....P%SU.p..%#..G..>1C.h.....w.P~.Fye.m{.4.d..>..+......PZ..nA..h......!.....<.....<E....k3....n..J...e....a.GI..oZ..w.R..y..~.#.c.i<.$..X]0.......E`@`.......:

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Italian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48032
Entropy (8bit):	7.996516407599824
Encrypted:	true
SSDEEP:	768:kHqb6Olqm2afhUwNpJt3Lh1kOYjryiBuCVaOW48dDaaMEc9p97HNod+UMiz0iHpI:kHqeOl3EcbcOgBJaOR8dDaabc3bO+kgz
MD5:	9BABEC3C08A0821FB723C033645FF0F4
SHA1:	8B8F635835FA7C20EC9ACE4079497D46324D4602
SHA-256:	8090349E7F670AC61E1A4FE8DE6FFBCDDEED052314CB32750EE5C954472F7C77
SHA-512:	1DB6FFB564CD0C007E303C0CEE0F02DB7EF9D43AB81544D1C2B136B0B6F3460AE2F7A990290D7CC3908D1CB0E0282BDE6FA512CF14C518C7A6C17A18028B9DFA
Malicious:	true
Preview:	.6T?]......=.W...;o.I.c{#{.;\|)..s.n~/..:...cz6.t\|./P...4.-..4....}.BjUoV.H...._2H.<.[.....U..Iq...h.+HF].).z.._..1.....n.#s.\|.....m{.....'`.......LQ.\DJ..>.k.Y..8l.t....Lw.0.=..bq..~...'."...'...)t.uOb+h.i.......]ts\|tw......\|bPrX.....;..%..$L..v.\|.3..:.'gy.._.z5...)n.NU.... U...r.....(.b"y}.C..t,...z5)....(.0..).C..l....E.n.;=...=X..\|.9.....\|.....o..W0/8......'.,W.?;..rr..D.s+./.t.T..7..l...'..8...}.....D..L...0d.[.....#..%s.}..K.........O@.s...?V...7.f ._.....\|.pO~....8:.(I.. ..~K.....5Ry),..\|..(.9a..4.w(3._..._...n...x.J..Vf.?i.4'..I1L22......\-.TX>..x........\|.@.W..?....[I.Jd.....?.{.(.......3d...x9....`\.-...p.b...p..I...1!.KDN...........:...di..)D...>C.....b,5.......q..L...j..S9/`v..7g.#.%.Q.........#pwkKC..~9.....[;......g....zuLV.)...i0`.@...#...0A&LCMH.&.M.......^'..(Xb.{.`..s'.k....w7..BUN#6..y.u......Y^..A\.x....UO).........`.0u.J...1.{.[.U....F.... T.O...0o....a#....s.j0...n.N......Gy....a..R.@.Y.....L..;....;9..j.P...XG....!

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Japanese.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	50752
Entropy (8bit):	7.996175639604411
Encrypted:	true
SSDEEP:	1536:jeBnCzg40bF/wWp+JW0PSgMjDUJeKv5qqWRQ:6og4+rAVM3rHQ
MD5:	63740682BD394B8D4D3979C5268C3B7F
SHA1:	7E74D5DA436498C9974A5F70A4100C7975A08529
SHA-256:	3EC5988B0964907BBE6E6110816EE8575F74E13DBA84287B733112EE4654010C
SHA-512:	0A12634F4190FB4F0C6F6D3C837B1FF6F3EAC21AB1765E704D50CDBCE0AD86423529E581457D3C0D391C2F865637B0C59C2DE502D40A7C9500E64AB300D8CA92
Malicious:	true
Preview:	7..i.].z&S.....v.4.3...\w.R..x0.6E.N:o...$PB.M.....E...\.Y.\.jJ..<@Y.[F.....S.y>...5..12@....9.;.).`.o2bRa<..s9N....L<O...E.b.s.Q.."U..h-z.{.t.....l.Q$.&..A,......P...Yb.=S.T....v...R$9........z.K..,9 .....o?O..;.]...^....{.z...4..-.`..@9.I..>.....Z&..../.,-.........].KY.+...\|.Q.3p}..N..U.5.....,..h...N.Z.4~.hef#v=.. h..[se.2t....s#V..].\|.B.x.fn.;4...D..pqz..'...-....r,..y... ...7.J..I.8......j...I...:.y.0....bF.OS..VpZ..v.&c...2.,.C3k.....@.Y.../......l..9..$D.;.P.<[h.s4MEG..]=.S..G....l...V..4.P../..wq...s;..5'x.,.....1:.p.......kdt....d...(l..v....Z.l.......K9<2....o.~.V.do.'R.....^...!K.5........n.D..T..g."8<...+l...3;..C....Qf.C.5".=.4.'..'...._x.7../F..x..O:....:r.........nj.....'....>k.........[.LNN.nX...Qv. 6%.a..(.....{..x..^.Ih.......)...j#...-.O.^....)h..+g.{....L.f...M.....l_+.C...m..$....i..:9s.....z.s,..W...zg....$.............i.?..Q.9.d:b.....Om..L.lH..\.<".*.!...4..(m.t,P....:....}&Z....On.5...(H.\D.`...C..2

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Korean.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	46944
Entropy (8bit):	7.99693442690835
Encrypted:	true
SSDEEP:	768:wzrYIbPKk6EWhJh49XQo9/BHoRJZ8xSJLG7e4X4d4aSKh0cdtdARp:yrDL6dYN1SdGS4C4aBh0ctAD
MD5:	9B82EDF3F29CD98E20BE6F1F0373083F
SHA1:	795CA4F5A4CC91D59848E0D609D805035AE9EEF7
SHA-256:	1CAB512FB90AB3E6A6F42DFDF648AE7288CA5EF8EB55426C1FA829B292DB55C7
SHA-512:	9770426D8AF8F039FEB5AC949B5F532D816F5CF966536122AF8AEAB832105EA3E90C1A87427808DD1E3E5E7C1FFEFC8E222D427A1D0DB1E667514E1185A71D18
Malicious:	true
Preview:	.+..lL.<....%,@\N&....K>..5.,e.H.4....#.p...31.8..hp.>..C.]F...b.....$T-M..7.R...=ZEM..P. .q.f..G..x..`..<j..273......g..IO..AX.b..X~<.i......Az......#....u..E.b..#-.+....8.....3.:E.e..2.S.s.9.......j@.#G...;[..8J...z.c.0..l..(.J.Qr,.60.(..q(...N.)..e..z.y.".q.>.f;.l\.&.E7;z..:hrs...3..=#........qI9...~.Bs/y....~.......\.h?..Y..my.+.r.KU..l.....a>......&.y!..M"R$Zb..&v...x....DI...\|.....Z...&..a..p.1}.PF.ga.2V.<.5..t.:.."..uPz3.....=..Z.`..P.:..]L..5../.m.9....Y...U....o...e...qMf....k...{..9q.y.. .a.(~.YX.-&./...j........EdQ.P...,.;.;..%... .6......S>eR.v....:.$..h..v...m.....NJ?.P=B.hJ.,g.......D..%}..0....x;r........[.u.;.w.sP..g....u.../...,.8.....6..wKr..........d....6.^].^M..._.>......?..t...p.hKN)[.s.......a.d...R..*...8m?.(2/#.^d..kdw<.&o...k,3..z.yLA.DH...1.n(e....F..._..P..O'~........(....w.kC..O..G..........M....p..j.+.v...A.....W..r!(....C...1k.\|..\|........ &3....3n].j.<].z...Kc.d.......8...P"..(.8..b........0U...2.....C

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Lithuanian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	49856
Entropy (8bit):	7.996267189250834
Encrypted:	true
SSDEEP:	1536:TLwOaTJnmSTLxnaE7ofsu3kFTQC2TWnjYvXW/abGFM:TLwO4Jn3TLhn2C2TWkvG/8
MD5:	E6A368A35D709E63C7BEA7AC035FEF55
SHA1:	2EBE9159DCF29EADC4CECEB052C78F1E061916E1
SHA-256:	F648CF9D6AB1E7F726CF5822477C09F069C7FF1F5CF752AC03767A896E239478
SHA-512:	D2AA3193A8FE6CB6A7C8053FC615AEF565F0999A147291D3BFD34CADAF85CABACA62787C7D06997DF18402BBD04DB8C95BC6A99164407B5949536160B089F1F3
Malicious:	true
Preview:	......W..D............A3..u...4..7..<..I.^.....'$.p&'.v=..c.R...Y.T..j.......E9.......~6:........7.<el...G.)..hO...\Y6b-.3.\|N0.@.)I........Q.k....u.[.jq;7.c.y.[...3.Lw...P4T....p..H.....b..O.h..E.O.$t8.........tN.Z<.<......nF.........h..]...s..)l..%.3...........K..9/#.....f.V....m@".o..#........Z`..>.i...a.'.C..2.....Jb~..2...^....u...aC...-.H...d....g1W.=.+../....[.).@..[.!..k<.f.%.FKl...VI.....t.?.?..J..-.h....F....q.s..<....\|+.=L.7..n..HL..S..r./....H.5&T...........%5.)..........b.xq@l.E(//...yX..x..&.....}...n=..T.....J.q.#ko=\ .$...3o.[.q.3..^....gq`..t..I.P...1.qO........F\&.9.C..-....c.M?#'...h.....v..M,.&.......C..x.GU..%....j.2.}?..l./..z.{...$Z%.^.Zj..G!...d.;.J.V.7.bN.75.~p...Dg.....>...{..F.......#f......pNi;$8d7.h........EmAQ......ne..Y2.K>..%....&n...c."Q...,..(p.a;..+;.. .Du+....I..w../'..I.ssb...(TG....%..(..G..0)7.\|Wk.-F..X.:...).?...Z....E...rM_....eWe...^~......m.....g.K~..`..DW..6%Q"...R....Y.A...

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Norwegian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	45984
Entropy (8bit):	7.996909164261379
Encrypted:	true
SSDEEP:	768:QdNA/Y1o3lc2skDufiksq1EOv/spccjTl8HYGR0Pv3T5yyet+rd060ydi0OGuEiW:mAg1o3l3DOiW1EOnsycjTl8HFqA66VyX
MD5:	58437B307A946DE05E7D5CF7EF06A134
SHA1:	C93C8397F08976F6D741741F3B9C7F50946CC1B3
SHA-256:	49EF1BF1188AAFDBAB8BA546113B4C5792016386077047CC16BCC30534CE362C
SHA-512:	188D27AF0C86466DBCAF797C92F46C9281A91910384EF061BB8F4AB89062E567489EDAA8FB7C0C06B5B0FD331FEDD24EE25D50F3CF6E2D2D8E78F4D28C583E58
Malicious:	true
Preview:	x.#..f..H.....H.&3.C.-c.!.(.&...^.P..q..aVc.& oQ.Rh..n(d.w..ihc.C...}5l..9..^..-..1...K8.I5...\..'...A&T~R..-s ..V;../Mcls...<.6......[..!..3.).2#..}z.2.<U."...-Et..Wrh.(..s.$.,........x....S..B.`G......Y&.RmE..M.v..4..V5...&m.....9X-P...H.]..-.G......Q"......,`...+...@.....#....j.^K.i.&.R...Y..E.)y.=.+....o^.{.H-.R..T....y7."R....k".'..g..=...]..>......Fs._.......^..w"C...n.`.`..o...\.i..hW..vd.v......f....S..o. ...'...n.O..@....^.V..D....R......6"I.X.).{....;....".+..%....Z...~%B.....w@...oW%..(x.$z\|.C..C...qR.8 ..X...a.U...0...@E's#p...u...."Y.L....~..@aL.G.<~.M....]............jr..{..ok...$.......r.vYJ.h... 3!{...Zf.6l.n..!?.....4^.'KY.+...h.NS...#...3...s....;T2.s0lK.L....oQK[..h.(.....'gb.Z..';......yu.5Z.G..@...%.`.".p4..a..\B..-.mP.E@.Q.K.M.#....."'k.>4.n..q.m......4.....\.t:=..k.........V...."c!...0.3.......?.-...!....m.5}..b..q....S...ha.H....E..<..%N.a......h.B.r...9.'m\....=T."+&[CK&*...x.X.T....$..N...A.....v....=....pcL2.2

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Polish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	50560
Entropy (8bit):	7.99635386590933
Encrypted:	true
SSDEEP:	768:qkvdPVG9smQCA1CMo6XJEGGfC4/p4g1EQrVmuLj+yQWCRKj0aaPbZr3z2BdOpypu:qcGs46bF814g1EQrcuLj+3f9VPp+ja
MD5:	85A7A579403177C9E3E60A25987AF90B
SHA1:	E8EFDC66C30DC0C07FB4557C3143F471C9E37053
SHA-256:	1D1E541BF51C145AA6AA6BCBEB7BDCC431B35594AFF6FA2DADDE44E65F733FD1
SHA-512:	3CE754BFF7A3AE082C8F3AF956AB70F508D21254C77EC8005BA02561DA0BA132A96621E2DEC22562D4211044EAD0853FF583F1E76CA8EFAFF4684B6CEBC1C014
Malicious:	true
Preview:	..U..}..9.I..K..P...g..D....\|..}I./.6...S.9d...H...%.F.c.O........D5.1Q)....8s.&xj.(..=.gd...Mz.Uv..C-....]..`........U....BJ.6....R.]c..UWh...3..vw....2S...Y...dtG..A .6.].Hh+....G...AE(.F..`..>&..@H[...Fc.8...rL.T7...w....r%.....U..Y.o.....t.gxL.^...0..$MbF.t.(..#..[t........%.y{1..........hz...bl.[#...c\....$.C....$\|...w.z...e.3.l...xNq.Us.!.).B.ex...>..... .r..2.@..x..\|.C..{..A.[...#}d`..y..iU.6\|'8.+...Y.8;...W........h{...y RV.....H..C..w.^...T..D....D...% 4....&K.....S.$.?~..+G.D.....O....Zx7..B.)..,..nY..4.>4.G......?...{.....Z....r:.....,.. .......1.3..F..tP.a..o.5\|;2..c[..........r....;.D...7..$...E.L..._...:p....J..rx....W:.S..q.{.k5...o!/..9vO...]@.3DO3.h..=..D....F.R...n"..T .T.^..4_dx"..&.m(.V.S.@E..1\|6\{$U.Q.Oz..A4....`. ...q.....)....o..S.6......\..p..?..d.c.u.l........G......X.'..Y......s<.!..xf=...Cs....K..d..;.P.s...u....9_.=R.I..[.xw...i}h.........O.@..x...?......L.dL..+.C..P.D.}w7>/..*G.6Jp.....D..]vq..A.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Brazil).lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	47840
Entropy (8bit):	7.995625621538136
Encrypted:	true
SSDEEP:	768:xTreCxDnt3oiPe36rG4dNoAvUYzCpZdWKyxb2HThB8nEy+zIG3cEvtFch:VeuqiPbG47oAvF+pZdWZx63N1Fch
MD5:	4ACF1F61F613FA0539913AC3DA59825D
SHA1:	9DDFE0769A5D3A8B3BE587FDE36D7CF6AF5281AC
SHA-256:	388AD6F6579A920E3709BA1081EF92DC9B7DAB86AEF82955A6111D9328CAA289
SHA-512:	E60F3C201378101DBB543D5EC2FAEF6A39D06CAE447FA98D31638F06B423AEAF953F27E7638355EEC32C66B13C69A51C9CD9C1B60075D3B2128191D833F149F5
Malicious:	true
Preview:	='Mfh..f........a.....].Q0/..k..B.."?\H.=.z..P.l.(Wk...w.f._...b.......1;...L....W.....<..@./+a.m....z.C..S.AY..s..3....\|...O...W.V...pAik..1.v..........:c.......6L.....w...t..Rp.nY_..F..7....2...u.a+.Y..I\|W\|..#M"[W...q..x%.d.w.'8'...b43..>=.).m...d\ ..;...r....=...LEE.Ci..C......._I~.......n..}....L..h.3T.9...\..b...u..F-q...8....'b{...48............%.'.3u..W...0Fv.pG2......Js.....6.<....-A...t...q(3@,........\|H...E...BfM'~\|A...L.-....Kx...(....;...:.; ...2......^..(..'.....2ns.....nL\...n..E.D.P..o.+h?...G.............ud..%.37@..5;W\|K.j.5....>d..N..........Gqb_..0k.G.{L8.a.IP.M.2..0e03c.1Z[.O...\|b...?.....v5...%.82.!......Xxf.s....-....LE..p.u..........$I..}X.".(....9._..}^.>.Kn..#<...&.<8dqdv...!W..B.z......XAAQ...4.].7_...G7_...t...i.@..-....!...-.D..s.vX..._.....n{.'.W".h.D...5w-Xh~o..-x.lD=..S..'..8..Szt..M7\|...#..rH$d.U..e.v.".*....I>.9..s.H..e.-.O.~j..t..h.f.e;I%.)......"&..}..S(%'h3.SA.[F..... ..%.6f'.'h.L.........X..X,.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Portuguese (Portugal).lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48224
Entropy (8bit):	7.996408622809594
Encrypted:	true
SSDEEP:	768:YgPomgYKM8lAVvoqOkg6s0316391nodXq2h1Ohro+urLYGzlGW3oTM:YXVAVAq46sy163II2h1OhronrLdzlP35
MD5:	5976967D6E02EDFA7283ABE2499FF861
SHA1:	0F88B636CB2D3120B103FD3AD36403B233152CA3
SHA-256:	B9B9FC82173138B02367D022796056C08B9AFFC1F863E4CE6324BAB50FEB831B
SHA-512:	512AD1D35492C97C1628F7A5F2E37000B74E5234D1421AE0E2B4CF2701C7FB47EAB414517103B2FC12ACFA656D156D11F7C9288D24C0616F3ED2F751DD264922
Malicious:	true
Preview:	..e.o.@R...8(X...-..m.\|...3..[t.>.]......6.i..z...R..~2.....r....-$n....Gr.....L..P.]...Z..ZiF.cs.>37.l..qB.\+..({c...&.+.....q..5...c.)m.eh..f..D..&G....}..Kh&r.%x;..].;...Lu33VR..7.Q.9c.m.=.......a#..Sh.x...6Q.....H.<.$b.l....l .+GV.5...(.w.....\\.yL.>=/.B^Q.5......%.99.\@.~....M..8\|....7...........=.\P....e.;Dz.s.tz..n.t......m..p.ewZ...$2.N?s.\|@fpb...o..$..<v.j...1.aQ. K-i 58....k...+........k....-.~7F.S.#...{jS.a...e..x....Q.\..[ @{...9....>P..JZ....CL.I.+.?<..r...s0MI....w..E8Q...Wr......F...g8...b..6....6W\|..A!.....g....pn.e.%..~..{...E{.............d..aD...9x......u...\....k...Y..>..E...............e1.y.7..r.;...<Xo...u.K.....h[...Qhy..h..0S.Jo...e]Y..g..=iR-@.B...A...u.V......D.l^%%....}..-+....+. ....M...p......p:.J.I'...=..[\d...-.... ..U.....R....ma....Op..Jj.c....".D-a. ...~%n%n...Y....)..6c.x..OS..+...I..R"..S.^...I..h...v...".q.`..g...tb..T...H..$^.....7..N.X.w;....~8R..J..2..W...q..+iB..$..c...T+..~Z...F..ss.st.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Romanian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	49760
Entropy (8bit):	7.9964153063104035
Encrypted:	true
SSDEEP:	1536:X5n+heipyq7SeJkp2YGzFe7KRYJDcOLW7IQ0:5+xpyq7Se+p2XFpeJLz
MD5:	DC4BABB13A9ADDADCF7EC9272DDEE742
SHA1:	83BB3EE6809E79516EABB38946E5E017B47CD830
SHA-256:	9FA06B1113E8E92F0802C557996B040969F2E5F92D1A8A1950A889E2F35B253A
SHA-512:	29C9869BD6E609B37CDA206A9D2B5370B4DA0F2B987863B4D2B7EDA5002A45D09C8CEF1DD3BFFB0F6F2DED355D758253DB92B6CE346C8A8F56F189E3FE4802E8
Malicious:	true
Preview:	].)>...?z......-..s..Xg93.p................9.....@.. oW.7.GUc.q.jj..=...3....J. ..U:Qa. +....A.Hr.R....Xy.{.V.Y........-k.m....Hj3).%l......X...?...S.4$.....)r...g.1.....F.]..j@.~......!....XP.1..=.t.6Y....QQ..M...".......e.On......{........B1o.....V>#...k.k.....)..+........1.}...g.SM..#.g.,[..X...\...GT5....:..R.B..h"8q.F..je........\|....;....Wq.3.............?......3....<.6.....h.W.....].t^x.!I.....(S................;..&...Sq.N..:F;..z....S....l].HI.....>h.2i;.S..S..yWK......x...1;.j.I.+.....K.Ld vY~0....L.....5....~...&......<x....k..^.....8%.....\g.^.H.U...d.G.D......<...x.3..J.:q..F(.d...T\....h.q...].. ..#..... oC-&.2b........]9u. ..f.....A!m....\.g..*?...7......vd.~S.z.(.o...,R&.k.:...ud...S..F.....\|..'....RN.....!<....u..+.EQ.?.....T3.m.B..%r...P...O.7...{O.k.j..x.b..4....U...:.e7.0.%eC.9.-.../z..._ I...i.r...1..M...=....BN..\..#...fD.~3ph.....h~.......=.G\|d...h.r............]E........1..0'.!...m..H...h........:.Y.(.......d4~

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Russian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	56800
Entropy (8bit):	7.9970102992115475
Encrypted:	true
SSDEEP:	1536:zywOP2/7BSAPayFnIniST+EwdqG3wEgJLxqzOT2xDCvajcwL:e/Ot5FKnikadx3I9AhxDCSwe
MD5:	9F9C51EBFB643D79E2843482F592DD89
SHA1:	108F9AC6A61B9395656FE3069C08360B527EDA7A
SHA-256:	A1871AE3F762E64A18E8A46BD2C175BBE15C40A63C2DDBB2E0CF32FEFFE9775E
SHA-512:	2BE920DACDC2947C4B2F8CC4F2B9CEE9D1BBF6D0C09DF8C2364722D765220ECC4CEC574F80FC95D7D0FB669E10C34FD616EA0432F46212282BEF7BEBD8D8126E
Malicious:	true
Preview:	.S.D(...A$-..;..F..Y.......E..O.s..[...i..H....4..Z."a....;g(.j.<.+..^a/....6P.......~..^{\`..R.@..........>.B..>...<..p.>.Ir.....cO..?;....6~G>.#.o;./A<....9.....~....D{,c..x..."/..s.0b.....\|....[...7`.&.F..!....z..{....n.....r........T.X(x..@...h........y#f..;.f...}..0.l.......Y......6..tt......n.x..}.E...It.f.).....R.:........{.....Pf..7)........CQv....1%.Uk.u.o.f.[.,.x..(.x..S9.......#.....q......`O.g..6.\.#..:...HAGQC.G.P..\|...&4...w^..\..O.....Ty.w^.lo.%..../T.LM.u..^......M..?...XsX.m{.A_3..._l.....P...a...$.Ei....../o.y\|N......Nq.Z...r...H..#.......H?.f%e..Y......(KR..Q...L.7o.,.Nm....G....`6...L...B.5.%.M=..v.x..\y.q.L..qK?..B.:R..w.".....@&G.}...3.y....<P......._....Gn....+..\.....\...j6.5UA.n....1\.G_....u.C..m.\.9`..... ..D_.p.wi..!......ni}.`y.W..n..k)Ia.]kOi...m......D+.....Y.k.N?M`..D$....)..IV=.1.'..$Z.t..8Anw....=.S:B,\D]./.nCo..^..^rB1m..e &. ._....@ fy.[.#.......,...G.\(?.5...n..}9....!....\.B....."Y.D:.Xw.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Serbian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	50400
Entropy (8bit):	7.996046989865242
Encrypted:	true
SSDEEP:	768:PEzrJZnyxQpTXXTmkJXJ/HA9myX7KjFK8YdXIQIWw1XA:ej1TN/APX7EFKHBImQXA
MD5:	CAFFCCA11A26F706C9E42A81EF6BDA8F
SHA1:	409F1C47D59CCC025A4341AC4BFABF410DF8CBB5
SHA-256:	82EB2B19911E2C6CBD467CBFE193A8E4B307E4C85124898767D5FCCB25F4FD87
SHA-512:	BD012641EE0CD06BF74C0E2922D7B33CB1782A94CBFBB9C066A6EB39AB3354AC200FFD189B349E6A57A82D79F9D17622F813B1722BB247D0FA8B3DF6463AED43
Malicious:	true
Preview:	..D.)..S.x..$...X8...)...\7v......q...,.g.M4.....\|.'..w..._..i..EN.P6..E...5~......F..~}...p0n.Jr.q...tL6.c?.....@..`.@S..zW......sx6..'gol...Ek.0Bl ....K?..h..,/..X{...........S[9s...(....2X,#?.A....B....+GD.[..X..>.j.X...e.h..........U.`K.#.....Cj.!..L.C...$E.+8...y.1'.k..3.Gi.nd'U...w.v7..D.k.M...... ... ......^........c1.......ox....Zv.`..g....~5}sm.. 6.(.....H......v...r?.b..........A...4..V..}....(.lq..mf.g..O..(.)(j..l]. .i..kL...G..{.o...................').e..S.I..\.p..........f.#......-a.W......03..Yw[._..c.V..<.F....l.(ou..8..1.v....5..1g.........:S..#.NW...[.3n'..4..q..fgHg=)Q...jt....@..z......W.M....S.......v.......xJR.H.....J.H.T.D"..s.]7UwX..5..&.:...$h.)..hp=..E...K..p.....q.q.J.....8....f...3..3.........@.i.h}.B...G..c...3..d.J.qH....TC.....I.@.CXX-.....ZO2..I.g.x~g..P.....\|.>n.sWuZ.o..Wv..$...i.) ...y.5..........Z......r...........w..PWf le.:g...(.]B..z...7..q...5.C..ys.q',{.z..'..'....z..<...W..3/.M)..$.{w.C-&

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Slovene.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	49024
Entropy (8bit):	7.996060916447486
Encrypted:	true
SSDEEP:	768:2mvkH0KEnIbYjfPMBT4qkj7EYPrtmVMWJCGp58PKUd9RevBSKJ1xOl:+H0DnIMjsBT7y7EymBAjP1dL6Bt1s
MD5:	C9543B7FF82DF905540969271E56A2B1
SHA1:	7452274FE9BBAA09E74FBF41D2357FECD6040A1F
SHA-256:	A7202A0CC59A7A09B8D8EB5A3C6CBB6FBAB785750B0C2291AC8F5CFD4A56C631
SHA-512:	51BC5A8207F1A27E7C8652723ED5D287FC9CA8A81B495E2AA83342D56361A029D0A02ED4893CAEE24487B290FF3CAD6CF4C7566C9DA5717A3D0C506D3059F4E4
Malicious:	true
Preview:	RmF....(.F.%<)p...%...XB.f#..[...A^1...ZHhR_.y.(..".......mn..u7.)..2..<..~........t..4;w ..jV.v...tl..A>b..w"'..h)W2u.C./..$.,.um.Q..#r.Z._p.N..z...%Gr"'.....}f...eQq....#........Vb...cx.....9....'}......G..r/.t..9.C....&.6D=Z...#.x......K.U.;L.anT..>E.4Z....-W}..,.:..w...~I.l.4.)%...`qt......:...l .Ck.Pq....`G.nu.D.....S...P...T....a..I...,..R.....,!.(&~..4].......5..}..,...a....{#A&{3_An...f.j'....wZ...)../f...t..Lf.X.v.S...X...o.S.ny.Hb.......oA.....eu...gbk.a.>w.....F...;B...2....<9A..QM.w..^J..P..\|.m.Nl.....PT.......).&.N..;]..y..\|o..Hr...mb..x..@..t...`..;.E..$.;.Fqd..S..D._..m.....wg.=....Z.+..w..e&..T..'..a....79..1%.......(8%.....m.F[g.G... ..bk...P01^...kn.^%W.".}...q.Bfs....o..F..[.j......K....w.....y@.n.N.."y...d.#..!...@...K]......bI...cU.\|.<.M....6.z...j........\....P....t.s{..<.3+....j$..i.>."...x....u..<.=..:A...?>g,J...v...OU=.)../.9.6......t...).(.tv..w.B....0..;..........t..L9Ze$.;U.n.........OUWb6:...>./

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Spanish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	47840
Entropy (8bit):	7.996383987781172
Encrypted:	true
SSDEEP:	768:K3zwfMYYUfSFDGQUhwktB26yA58bVqd3YXE2PUNCH0g1uZS+COkGheq4FuCzl5XH:K3MBSNmhtVZ8bVqdUE2PUNCHXAZ3bD4h
MD5:	EDC771A651BAEABBD4E5BA0E61166764
SHA1:	6EF66787341CB1050A4559D480BC843B78289A0A
SHA-256:	FCD15C7B0031BE60770428F2A0F40838FE84EF466F2DF17052C1BBA7A5BC3FBE
SHA-512:	1D14535907F33482B72C8131C8FFA2E1B45805991CF60EFB7A05A26D236893CB8F44D10444B551096E4582DDE61A6D5855F1B1C441098CD095C6607EEC2CC2B4
Malicious:	true
Preview:	.r.d`.^7.... %...o...@~..=....x...G..@^..Q.T.K...o.Y....u_.<-bxdwF....'..4.\|.)....=....V.6.b-?y.k!..9s.....V.Z.$..b..Lg...og...u_f.W..qb.pk..e..j.T.KyE.`1....'.?2....O\|Y......H.q.\H\|..,.A8.,k.L..5......-..BV.G.4.K.~Vq..^...E.....)Q.3.tJ....m.=.....;.#2....p.....}ho....K.pg8[#B.b..=..`...q".`b...LrC.n..np..L..{X.h...G.a.F.f.....cR....6K...-v.\|n.7.....Tsn7..........#.8$..H........D.u..`).......uA..(gl.\|....+.....z..:.H..w..../..m.M..G....To...VGI...Go..bY.o..3.&,e..u..%N....A9....tQ+3p....<;...&..,..E.a.2;4.9$..`&...a..q..!e....!..L...:..._.;.;u.$P....tW...+.6...R...@__%i7.4r.......3.C..F.m....2............+.Ts.9.U...F....V.:.o.Qy .....P..i.[.^.1P.6.r77.Iff.vt...=..3..!b..gB.......GZi...I.o.T...GFhd.3..\7.I.`(..V.5..r.[.m.H..!.\\|..o.%.._Old.t...*.....V.4<^....M.N..s..ZB.@..Wa8.[..%.5.p..c9.w..hjD.....i.,.=+k.D.I..%..q..mD.....9:Gn.Q..4@.)Us.Q.6K...x...$..>/... L.V..4... ..{..J+..y..`...&:h#.g@/.Xm..j.I...O.....NFn..4.1......{.+)Q..8.. (.

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Swedish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	47360
Entropy (8bit):	7.995550966019205
Encrypted:	true
SSDEEP:	768:RxEQKc76f9lm3Gc7u0Re1/nrzGgN/mgoTOmhibA37t96E:PMc76VlmWc7uOU/r7/e5wA37D6E
MD5:	086C30E3A434837B293290032963A7FB
SHA1:	8A21DF3E6FF91DD383C3B373C7B645A4AE3DDA44
SHA-256:	999337F8B71378A31F1D818B4CA5A1CBF2CC01128D7ECC50CA8E234FC52B5AD2
SHA-512:	807D5DF44E1A8412FDBB3C55E06D1D09C84543E6D6942194F6793197D8BA00D9A0F16C2B4F28CB02233D9406DEC37E5610B55058B948E145058DEFAE06B55F7A
Malicious:	true
Preview:	h...1...r..~v6'.{... LO=..@........).n...u\|..<..O.l.[z........G.>.......[......Rg......>..xt....4+.....+......r....$yO..MB...XF...:..z..TR...u.....t'....[FYh..a.......7.wl.....Q..=...r.w..rs.4"....`..V.7...$...L..1....".....'.u..........h..Crq...S.".3...2........G.G...J.U.~.....%.&.p'..!........e.j#"...8..0.....'...Lf9Zr....@h...]:.....E..qF.~.-..[..=0...^...q5.PSF. ..(=.'.....T.l....2..qM.15[.F..K....fQ..I:...FF..s..Y6J.9....\5..29.......)..'...-...B.\y...+.y...t..^..d..}.@pj.8i.M.g.@.L......qc...`].z..u...Q..,.....S.h..lr.......f.p...P....v'I..E@5\|M.x....J...M........=...cK.PA.sv.>e.>....z......Aj.L..@.YQJZ0.x......o`i./oM....cz.a..{.ov..Q..o7E.T;~...K.\.h.#..5...Fp@h.Tu~.Bp..f.<xA......~..'..Q[b.bM.o..bP......Y...uE..O},.}.0.5N....M.\|mB......0D.V........."7.o.a..... '..v.N..C..).....4_.$.gX......>!..wb...6.\J...&v.</..HN.$.bt.....H:....z.Y.>_NF]..;.>.u. O.....h.-1g..:...TU.h...?...s.).{....l...v..K.x......}H...P....Vw..

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Turkish.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	48576
Entropy (8bit):	7.996319364768242
Encrypted:	true
SSDEEP:	768:MXc828+Y7CefJ03GAdEIsH9GkJ68o6nMhnIcIa8+iGmHk8daCP1f8lzRGLpnMn+K:Ms828+oCefJ03TTb8TnMhnIa8+iRHk8S
MD5:	CD0D7648ED08183FE8D4D1E788B16557
SHA1:	930947B114E3EB06543190EB93437CD8F9DB0DE8
SHA-256:	3AF1D3C81E0959E1BF30554472E1E71554F11BB03736471E8158CA21FA0EF271
SHA-512:	9002D56B59F3F58A4EF4CC5BFBC04D05B043845687B60EAC113F32C181F3FB02135BA91264562F0E7C2E9E16EB23C3F5B14A8DEDD658E34F256E779C1BEF4141
Malicious:	true
Preview:	..........9....3.W.t.=.3...o.jP.....uP.eH<..0....{(.vHl.s{~.wK..`...b..s....cX..>bu.l..I$.B....7C@...]..9!.+......r...k./....."...{.+eC..i}..Rt.0q......" FMc..=...!..O]..HY...........P.nd.].S.+W})J....m......%N5S..Ey.%A.i.Q..-....y.H....?...V.....8..}X.nN_..o\|k>..`..8<[#V0..._.-#.M.:....=.......V...y+....@.W.m..... .9.....o5..m.^....U.68...K.D..\.......q..2-......N..o.j...i..4.)....i=dea~~.aZtd.YK.2A.....zJ.jx...0...>..=(.U.9.p...w.I...]w.1.0..2..."...........#...0K%.^..T..N.7..l......).).....R".....7Ye.II[....4FX...W..b..Z.=f(<..........\v{.....f.~.n..56....5..]pp.z,..It..Pp....2...y.....+)K....dpbb.....c8;Q.#[..R..{.G.E.iJ.....d(.....dR....-..Vs.l.xd...E~..LEi\!=4..M9.z(..>.C.a.~l.50:..If..-W8..8...%..k}....t..N.R.mG..M...&O>x..Ao[..t`.c..t}x.._.%5...*.+.'.Z...X...@Dj.`..l.\E.].......M.h......T.S.k......X..p)....I.....v)M...}...F...Rf.....I.....-..7..6......{.@..6D.....(.].p........DZ...........%...n.`.H.z._.q.........n.1.._t

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Ukrainian.lng

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	56288
Entropy (8bit):	7.996902131172993
Encrypted:	true
SSDEEP:	1536:uMIhdReDtAraGB5YMM5r9t74N3tIhHH5L9LD:u1hdReDXMM5rT75/L9/
MD5:	D740E315307ADCA0117DC4A12CD88A24
SHA1:	61BF9A0D773F2742BA0A01095F9E4611CA38EEF4
SHA-256:	040F6028A63DC21960DF65066BF14CB38B3A562637EF7716991AA38B97C3168D
SHA-512:	260E5E7180C427ADFFC6DF1DF1308805366CEF219BBE67097281C42AE24157E8758B3AA65EC80A83C65C1207C72F66A0930811E2314DDDF0860222DE22146308
Malicious:	true
Preview:	I....._..A..rQ.a.K...o.FI.@..3...z...n..(.....`...V..i....>J..!.JL].`.;Z..4......!...._.a....%3qB.../.?b.....}.MTC...yQ.,g...v.q...KW.$\0K......E.9.C`....0.....1...rH.v..cJ2...P.=...B....%...y.G.Z.].4.O.^i.P..n%-........J.X.I.J'.D....(8.#d&....`.._..`r.{t?....0.....U@...{c..1..%M\7...A..D.....\)_..<..\...R....m...M.\.g.2;b..E.....z>..3P..k..Q.<...d.:0."`..;.>b]nF.jN.G&~%...........P....d..a.......2.L.U.......9...Lkk...0>G.I....{`....X...a.%.<#B3s....p.Pan.(.[Y..0....5.?P5.V.C9Y..SI.T.S...jD(..Y3..../Bj~......g...k&N4,...VX..:4.X ...k.N...x...@{...(.fI.k......v...../..#.#A(.0~3-../&.?7%....3`...s..35....u......g.....~..:.#.0....!\BD.... ,.$...@..!Sr4.....H..e.ku<..E..3z.....j.k.g........&..#.t..=.6.tL.^Tb..........%.wE/.l.&kB<.m...M.S.{..k....>T......%.,...[.P.f&.#..`..<.R..6.L...r...U....x.W../...l..........V..._..y.\|p2...x;.rYw..d^......z....Lt.....x..Vr)..E+j.......S..=h%...P!.i..F.....H..j.a1......z~.\|..u}..3.R.q...DSR>/.D;...nl#.M.z

C:\Program Files\EnigmaSoft\SpyHunter\Native.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	63464
Entropy (8bit):	6.542288481337166
Encrypted:	false
SSDEEP:	768:96yRcovNvvLkY6CyB1QU59VZtXxznwC2duTmAyVM5DXcE9oPxXWxX74PxWEmP10:9Lcov9TxJKHzTbSuaNC57iPxXW1MPxZ
MD5:	49C446627D85AB0A3C6E731FAB4723A0
SHA1:	554EB949392543B02F553858923B52CB7943F159
SHA-256:	F6540D6953ABE9853744B317341FEB138104A9D78662F08B7136D61A67E5DB4F
SHA-512:	0F2213606329EF81E44CBD2CF1B0A42B7E93C8C8B96597A0B16DF979005F1D1A3566A1CE2B53A220AB06C99B8295203E51B2753E76D699C04500A1A340C2664A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......so..7...7...7...A...4...7.......>v8.5...>v..6...A..6...>v2.2...>v/.6...>v*.6...Rich7...........PE..d...vP\|Z.........."......n...@............................................................@.......... ..........................................(........................K...........................................................................................text....m.......n.................. ..`.rdata...&.......(...r..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..B.reloc..<...........................@..B................................................................................................................................................................................................................................................................................

C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	17032680
Entropy (8bit):	6.59177505889633
Encrypted:	false
SSDEEP:	393216:E4DreTdP6z84yCDy5m9eDG2EIPZLOYy2G+Q:E4Didiz84yCDy5m9cBLdXQ
MD5:	F2F6BF33561C9EF8FE3310D46A3C8A25
SHA1:	09761F024FC32B61FA0667BA9DBE8322BC93F0A6
SHA-256:	34EC1126BC2AF019E1226BA114AD38CC6773F9640DC0EE0E5715F5423D47615E
SHA-512:	55407986BF5592A7A9DFFF5B72AF598F2E9660B44B9FF9A60D772BD8560F2D3875BB525E2CA79DF2F93C56FED52C9A39EFFBF9353486A346B7444EF8447ADFC7
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 2%
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$..........qRx."Rx."Rx."...#Ex."...#.x."...#Fx."...#^x."...#\x."...#.x."...#.x."4.."]x."...#Px."...#fz."Rx."Lx."...#yx."...#Sx."...#Vx."...#}x."Rx.".z."...##\|."..."Sx."Rx\|"Sx."...#Sx."RichRx."........PE..d.....Rc..........".........fG.......u........@....................................Q.....`.............................................................0................K...P...%..P'..p....................)..(....'..8...........................................text...b......................... ..`.rdata...Y2.....Z2................@..@.data...Iv...@.......$..............@....pdata..............................@..@_RDATA.......p......................@..@.rsrc...0...........................@..@.reloc...%...P...&...t..............@..B........................................................................................................................................

C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	549352
Entropy (8bit):	6.448794633744019
Encrypted:	false
SSDEEP:	6144:p2KqjCl6BatX60NlFxbueeCk7bTkN4vvcrVrp6Ms2sriIHVohJgkelZW0:pJq2MkN60RFuLCkgCn0dp6MSD1orgZy0
MD5:	F9FA9D3B5957F0C365A20DE5C71EC214
SHA1:	8E6B91CBA2C323D2BCF29229E69DE5F44F5FC8FE
SHA-256:	CF6B1A1B75B0090A59E8A41A52F7E63C249559407A67F0744AAAB15B210B1FAC
SHA-512:	493B7015027043018A7A8FE9030867889F4AB93621FC3F3E45106490B95CCA8FB95D9447FB3C074C122B86B6C47B24C8ACA3ED134132EFD1DC263ED4120CCF8B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........f.j...j...j...1...a...1...x...1.......1...g...j.......8...{...8...`......h...8...3...1...k...<...O...<...k...j.k...<...k...Richj...........................PE..d.....Rc.........."............................@..........................................`....................................................x.......`........A.......K..............p.......................(.......8...............p............................text.............................. ..`.rdata..Z...........................@..@.data............ ..................@....pdata...A.......B..................@..@_RDATA..............................@..@.rsrc...`...........................@..@.reloc..............................@..B........................................................................................................................................................................

C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	857064
Entropy (8bit):	6.597191080622984
Encrypted:	false
SSDEEP:	24576:1kCtesF95/4mjZexpz63VlZOWPBA8Jgi1z:B395/DcxBkM2Jx9
MD5:	8863C0F4CC264B818749049F8251D0E1
SHA1:	B95CF183E3955F5E91E9BBAEA436F095E33CDEA5
SHA-256:	538ABE97A7D5B1C301E8EE72E5E8B8CBA58AE74369C567F5F1E6480506C6EC34
SHA-512:	0E6DE997B81195F9517D19A878CB43E87E2915B8236AFB3B430C4A1AE6002FC51888FA96356F49D66BAB7B952DA15C13EE5EBDF32B38BA0E20C588343F3333DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........<^WG]0.G]0.G]0..53.L]0..55..]0..(4.H]0..(3.M]0../5.E]0..(5..]0..54.\]0..51.V]0.G]1.[\0..56.F]0..(9.l]0..(5.C]0..(4.F]0..(0.F]0..(..F]0.G]..F]0..(2.F]0.RichG]0.................PE..d.....Rc.........." ................x.....................................................`.................................................L...........X.... ...].......K..........`...T....................!..(.......8............................................text............................... ..`.rdata...P.......R..................@..@.data........@...(... ..............@....pdata...]... ...^...H..............@..@_RDATA..............................@..@.rsrc...X...........................@..@.reloc..............................@..B........................................................................................................................................................

C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	18037736
Entropy (8bit):	7.132271432325441
Encrypted:	false
SSDEEP:	196608:ZssPoaV55EByQ6+Lzs2rqIaG7f1GMRlsdGDlOH88KegZkH:Z5AG55EUh+k2rn1GIsMEGnZkH
MD5:	096FA37EA53BB15959E9EEF9FD3F2745
SHA1:	733FA736561BD9FF34B5946D60D0FEB1AFBEF95E
SHA-256:	4F08CAC75CB5A4F5B204986C1F7AC12FD04008E4B10425862A59F0A79512E922
SHA-512:	6B62A2E4DFBD7F2E46F61E52F9AA9DA618C3072D8C17C7784FB9281231A95D8D3E3A1AC2DE7663287F2FB4BC31E87DEB847415629EE173CDC3ACE94CCBE33A63
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......wN].3/3.3/3.3/3.hG0../3.hG6../3.aZ7.'/3.aZ0.?/3..]6.8/3.hG7../3.U@.9/3.hG5.2/3.aZ6.\/3.hG2../3.3/2..-3..]7..-3.3/3.-/3.eZ:..-3.eZ.2/3.3/..2/3.eZ1.2/3.Rich3/3.................PE..d....Rc.........."......`..........P.W........@.............................0.......&....`.....................................................h........;K.....`........K.......X......p.......................(...p...8............p...............................text....^.......`.................. ..`.rdata.. .+..p....+..d..............@..@.data..............................@....pdata..`..........................@..@_RDATA...............X..............@..@.rsrc....;K......<K..Z..............@..@.reloc...X.......Z..................@..B........................................................................................................................................................

C:\Program Files\EnigmaSoft\SpyHunter\data\CrCache.dat

Download File

Process:	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
File Type:	data
Category:	dropped
Size (bytes):	1691520
Entropy (8bit):	7.999886530677001
Encrypted:	true
SSDEEP:	49152:wyfLU+F+AsgxiKGrdRVZaIlpNQc1waWak35AO+iLya:wYwgA3VZ2c1WmO+m
MD5:	E6CA61B636AD315AC46A30E59E3DCF8A
SHA1:	8B091D8823A53EDAAB40BB4AF1B8731C41CE8852
SHA-256:	FE9AACAB975512E6816CCB41D96049A6BD05D22B37E87558DF24A1672A137B8C
SHA-512:	BBBC2D7D5A62228345DDB4CF871D20C7390DB05A471A1E55C06D2FCDC8F0B6BC82A5846095A5E73C65C7F3A8DD59690368D243A64B033936C93DDF00EB4653F3
Malicious:	true
Preview:	:.9....fb......]...#H...5..>g.U\|.....F7..-y.n...{..P!.8_?.Dc....SN'3...Z.]qt.JT...w.b)....>...j}.xe.b)R$..e.#..s2..8v....^.Y=.?R.5. .l]...s.PZ.nB..u.N>.7.T........x.t. U/.g2'My...P.. ....~........1.!}.G.a$2]....O.W8.d....`...5.$.x.w.,.j...(.....ri.SyA...,10.....84.BF...S.Gt.._...F..k..'9.'F.a/V.g......"..4.;(M..J.m.....3.\.....Yew.L..."0..$9....1G...8'ZA9.o...V.....f.....=p....!]M..F.$<.1=.YAF+8v..s....t....m#..%&...U=..#..uVl..`4.....N..E....&>.98...2....X..>nT.....Z..9B..!x..\|.9.M_&T..=.4.).z....j./Z\.........y..n'....a..K9...V ...u.@..L.!.....d.'$#]....]5Q,.dJ..9.....jl... .WZ^\|'.A(..t.....\.2.{.$...4..Sl.Q......:.M=.$........$..3.Y.....4......W.n.......v..,..e.Edy..F........N...d...5..a..a..Y....?F.<<...qBr1_#.........[......../^L.,......_........+&......f9&\|BY...@AY..m{#.=.NJb.{N.d:0pH..T......v(.(.N3.E........2.k.,... .......l.s.\.;..B#dR,..W.{r..e.s..H.......4.`.w,....>n.. ..i#....../.`.R22.;D.v.Z.."@......U...&.19..S

C:\Program Files\EnigmaSoft\SpyHunter\data\ScanHistory.dat-journal

Download File

Process:	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	8720
Entropy (8bit):	7.813953058985591
Encrypted:	false
SSDEEP:	192:7CReCQiGhtYDjSmBQt28vfRdfz6hUyOszHtNtAP:7CRlFneJvpchUy3zHtNtAP
MD5:	50B3CF60F997870D5354C5A1A15FB649
SHA1:	9D49FA09944C29A5921EB9CF96C918A65EA542E9
SHA-256:	7D5B14443FBE3DF925E21476719999FF6A13B4C6CBD27DD72AE1F3DCDE43A183
SHA-512:	3070CCEDB081C383DBC550332267B9F3B3B7170D3B77C94F0C72E89190716417E54B5E46FDA266F88919AFC35BCFA1AA80CD21CD8F800F8BE1A646651284FFDA
Malicious:	false
Preview:	.... .c.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................)....?.Z.......x..@..mk...Bm..m.c..AA.....I...j..\|AA"..[.J.w`.2.....>YA..S0..S}rt.e...8.<)..z.......Mr..K..xO`GY..f..0....`....j........".%...c9BV@.${~......b(e.PP.]....g.k...+r.7n.Ni.r..R..$...>K-V9eERO.p%.'io_._.-....L..AY...\|.ke..Q9..;w./.#...[>..Q~y../^sy.....2..5....."o...a..dPxK...s.:.z.q2.i.S.yq`w....N.k,t,?"FN.5Lx.e.i.F%..l......k.@...m..w,WH8#qF.x8...(5,....tGdC./.M........1..(....5....BN..J..zc..2.ue.T.J..f...k..n.q~...5...Y..Z.w..u.}.V...U3.

C:\Program Files\EnigmaSoft\SpyHunter\data\acpdata.dat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	1440
Entropy (8bit):	7.873396989507999
Encrypted:	false
SSDEEP:	24:pHhWsHQrKrsnxHBHkmPid6N9RJ6yFaoZPb5mflkbtNcrhcIqczH1ZEnyE1UfMqGo:dkKyxHBEmaY/J6yFTZP92yzLIxbgnXU7
MD5:	C022DCA528E122811414BA401861354B
SHA1:	185035A39224FFB8C456C95EB9FB2A8D2C173694
SHA-256:	49E16EFA204072C5068B83C826F5941C376FFE98222BABAB253DA3F8320CB9D7
SHA-512:	8BC83270EBFEAC31FDF732738C9CD3613E7940F01C28DD1DE967D4E3972FFDFAFA97944FD1BCE176DF4C09996CC334DD7092DA5E435F2F7300E42516D1FD19EC
Malicious:	false
Preview:	5.w.%>......o.m.rh...@..UFdN. ..=..k.\.....(:...e....v.i...........R .4.4i.)..Q..X.8...........U.......+.,.Hg....Fz..v...iV.............n....?....v...^.$.F.z.....0.t.6V..V..e.....N.....q.F.Ts&_......H...x.}....r.._c.Z......(@Q.~..j.. .k..h.S..]X$......WPB.\o...X....b..V.o....H`E.[...;..O.....y..~].....I...x..........w.1..O.t2.&.87.~./.,{...JV...R....(..C.....yC.X.....5....6.O.0.. d.}P.....V..~...b...{R.1.!.&.z....s{2..=..^w....>...B.ZX9o..a.......)...F7.....4..Y..h.q...#...(d.......ua=D..9.@...+....K~..E....W\|#.54..$zR..!.Nt..w".....&..l?qA.r.....a......W......@e."n.s.^1...Z..G..0.F.$.pu$.....y......T..N............=....... ...ml.._.Fr1Z.+.ePv.$.....5.-..@.50.F..8pI.#V#.k..^.....p.-yb^....T%r.....+.9......_.)4.@..."...K.B..P..;3.X.c.A...Wh[8...8Ll.0.....7.cP..N.b\0.C..{]S.0;A.3..JK..k?...=....;$.>...."B.#.....:...1....j.'..N.r..6g.....U...I.LT...........Y......^..ll.].....$..n..X.........V.P......%.Q...W....z..^.C......Gt.q.k

C:\Program Files\EnigmaSoft\SpyHunter\data\acpwl.dat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	59520
Entropy (8bit):	7.996845650623955
Encrypted:	true
SSDEEP:	1536:iT2cwNpgV1w57Ls0wlFDbxeambZsimilRWFw/1/JIqwjF:iqcOpywVQ0w3dweilRn1/mJ
MD5:	F8294ADDA1A1FDF38BED854604B67A2B
SHA1:	2E1766B3B2A9F2B848F8FF57E68C7F154E95CFC6
SHA-256:	D4A9CEB2B406964D95777D9C2DC46363701D9CC96365C77D4A661FF256969109
SHA-512:	B50C1BB9401C69BB1ED4D0CF3C1731C102618A5D83EAC82AA22F2CC02ADB0B34365CED25BAE695BB05D183C4935A70D6F1335603824BE6FDF5390B6DD0B6FC52
Malicious:	true
Preview:	......7.=Hu..'..wo7..&t.F.D. .....u.XDb...H...7..F....9...{....y(..e3.I.Z[?Z.a..a.i.W..n7.,]h.../.[..........B.."5....Xl..A%...:.{....(..tUC../.-.._....M....'H.sD.`....zvq.].."#.n....g......v.....y&..U.....=..G~..Y.S...Z.[..;....b:..I..LZ<....6.4..J..vxu...Y.h66A._ ...F...V7.ys.&..g$k..yzM...8`L.u.,...........}...P.C~w#4:.......\n....:..k....7V\.......(r&..^...ks...$..aW..X.I......iuT.....v.I............0.fi.:...n_...Ef.c.G...0.g...h.O...zb..u...2t...W.6....B.?..~xQ...-...C.h.&...3..^,J.]e..}...6.........;.y4\|.}...p>....Q..KM]....?.W.~Y.W.............V.g.s.i^n..n..O4{....:N..j.l...Qh...M.1.-.....R.0W..E...KmAs.h.WC.0k.X.4.V..1.a.]..$B......P@.Q..C.t..EU.b.HyX.(.K..y<...<..Ya..r..).rq.$...;A.W..P.a(.2.D..N.....0.qg..:...Aos.F3c.......-V.!Mh.6.d.].".V..6.Q..=.......@9.........Q.i.u.{.....EK...a.Y.$...O.q......e.*...G..2.&V.`'.4.....>.....@W.m.D.l\..Igy..5V.~.l.5..y...,...t.B..]+/....D..]...PG.)...=....T.32.R.\|.u.W..gr.v.-<..M.....J.

C:\Program Files\EnigmaSoft\SpyHunter\license.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Unicode text, UTF-8 text, with very long lines (1644), with CRLF line terminators
Category:	dropped
Size (bytes):	107716
Entropy (8bit):	5.2003181449234575
Encrypted:	false
SSDEEP:	3072:FjNLzj07ABLuLmxJJcHj9KlyvLBPjvlXjAjRU0eFljo73FT6TlN5Z7jw769MVDZk:7ZxJJchby6FdT5hgK
MD5:	66507057FFDF4CAF36C3061C80D2D08F
SHA1:	281F661AEA3D9042A1147BC29769537BFADD6219
SHA-256:	A80E70A5E036EAC0C75354D4EE0E4147D606DEBBDDB704435C96CF2DE2C8C777
SHA-512:	B00FABA46CFAE27CFE9B92A5211EFACB315EC98C752EE9E022F1F2D5CDEC12477D228C0CE45ADFBD973C3AAAF50292F53C7A06C8516D96317D674E73B85B5737
Malicious:	false
Preview:	SpyHunter 5 and SpyHunter for Mac - Additional Terms & Conditions....===================================....COPYRIGHT NOTICE..... 2017-2022 EnigmaSoft Ltd. All rights reserved.....Third party code may be aggregated or distributed with EnigmaSoft's proprietary and copyrighted software. The copyright notices and license terms for such third party code are detailed below.....===================================....SOURCE CODE DISTRIBUTION....Certain third party licenses may require distribution of the corresponding source code. ....You may obtain the complete corresponding source code from us for a period of three years after our last provisioning of this product by sending a money order or check for .5 to:....EnigmaSoft Ltd...Attn: GPL Compliance Offer..1 Castle Street..Dublin D02 XD82..IRELAND....Please write "GPL Compliance Source" in the memo line of your payment. This offer is valid to anyone in receipt of this information.....===================================....LIST OF COMPONE

C:\Program Files\EnigmaSoft\SpyHunter\purl.dat

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	128
Entropy (8bit):	6.613204882778696
Encrypted:	false
SSDEEP:	3:1caYq43OVKCoPADbaVotoQISUbuFLS1PN5to3qIm:1cmXQcaVMoQIKxG1L
MD5:	C13C63D7C052C923DCAE07E181EE5F3F
SHA1:	6C7B36F191BF16F1531C4351705117B28DA1C1A9
SHA-256:	A09417F649A518F5171C055BCDAFF7928AD855E9D4921D1373D51499B27262FA
SHA-512:	36766A6C39054E4E32CF63EE9C28512CC3BB927998DA4037DCEFB6C3B988C55046A2B230C85F3AD992D2F27577938DF80F9318FF21B5779AADFFEA56D81253BF
Malicious:	false
Preview:	.T....3.?..K......bn...._k'./...0'.I........D.....C.7.y..}.V.m. :ec:x........sg.fb. n%'<.k.D.9">...=....\...k.....w......V.

C:\ProgramData\EnigmaSoft Limited\sh5_installer.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6881256
Entropy (8bit):	7.120994762388773
Encrypted:	false
SSDEEP:	98304:Hh/MyJC5zMggmeTN1YBi9MCL8e7Wf7teFSiFMMrFDnl9KMBlcbhHEjZD:HXGAggm48/y8e7Wf7tYFM99HEp
MD5:	2816BACD01B0D8C48F1D8714C6AA6F0F
SHA1:	474AE88D9CF093DCB9789CB7B79513E0DBD38388
SHA-256:	637720BA1437FD6DEA873E56A6A1D7BB3C663E490ABC4E406E3817DD2EB82C4F
SHA-512:	8BC78E625A8BE14DC54185E1CDD63F4CF85B5FDCD32EA532FC00E2F805EF9D241D2B3E89E582779B167113CA7B4DABEE60B56F3EACDF4BDC4B5F56C15C823AC2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......C.o..............X.1....X......X. ....d.........................J.......!.......................&...............7..................................Rich............PE..L.....Qc.................dC..L%......(.......C...@...........................i......#i...@...................................Q.T.... U.0\............h..K....f..D...lN.p....................lN.....plN.@.............C.H............................text....cC......dC................. ..`.rdata..D.....C......hC.............@..@.data.......@R.......R.............@....gfids........U.......T.............@..@.tls..........U.......T.............@....rsrc...0\... U..^....T.............@..@.reloc...D....f..F...ne.............@..B................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EnigmaSoft\Uninstall.lnk

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	699
Entropy (8bit):	3.0819274522482916
Encrypted:	false
SSDEEP:	12:8Ul0g0i/kdjHLolgpROXG62MmolgdqP62ib7olgr3wS:8UlFIvOgXJ7RZ
MD5:	C08C660064F10A88A1276AB26D020D20
SHA1:	75C99ED08455B1A570CDCD95BE856C3249904A11
SHA-256:	31FCA4C6FADB51AADAB22AE9C3E81D7BD85346F42B5DA1825E1C72CD9B3829C9
SHA-512:	F6C07FEBBEFFAAA26966FD882092E35E8B4457E70363E2641442B4B2412E881B0AAB3F75E2D0AC192722F422EC8EB3FF865834898ADBAC2314EF223C75EC90DD
Malicious:	false
Preview:	L..................F........................................................}....P.O. .:i.....+00.../C:\...................b.1...........ProgramData.H............................................P.r.o.g.r.a.m.D.a.t.a.....x.1...........EnigmaSoft Limited..V............................................E.n.i.g.m.a.S.o.f.t. .L.i.m.i.t.e.d...".t.2...........sh5_installer.exe.T............................................s.h.5._.i.n.s.t.a.l.l.e.r...e.x.e... .....R.e.m.o.v.e. .S.p.y.H.u.n.t.e.r.3.....\.....\.....\.....\.....\.E.n.i.g.m.a.S.o.f.t. .L.i.m.i.t.e.d.\.s.h.5._.i.n.s.t.a.l.l.e.r...e.x.e.!.C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.E.n.i.g.m.a.S.o.f.t. .L.i.m.i.t.e.d...-.r. .s.h.5. .-.l.n.g. .E.N.....

C:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
Category:	dropped
Size (bytes):	2494
Entropy (8bit):	5.252849377001231
Encrypted:	false
SSDEEP:	48:cAn/TLtfGgzmQLeUp/B8H+OaBSkC9+TcR6Ks:pTLtf9zmQR4k6kKs
MD5:	20FDB39B527CAE9749852CF3DCA99993
SHA1:	E400F7EC756C26F962B490510C1124BFED0A666F
SHA-256:	449286F631EF1524C2EE769AE40EA7EC5AB7E63858DBDCBCE48FC3B6F8C1C555
SHA-512:	255BAF621E33C9AA3BF3DA4F775BB82E1359E2639B330C37A6056BEB84B7C78BA5AC20859BEBB45B01876C24317EC5F64A3159E6A5840428D32D61944E13A6EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\ProgramData\USOPrivate\UpdateStore\updatestoretemp51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, ASCII text, with very long lines (2494), with no line terminators
Category:	modified
Size (bytes):	2494
Entropy (8bit):	5.252849377001231
Encrypted:	false
SSDEEP:	48:cAn/TLtfGgzmQLeUp/B8H+OaBSkC9+TcR6Ks:pTLtf9zmQR4k6kKs
MD5:	20FDB39B527CAE9749852CF3DCA99993
SHA1:	E400F7EC756C26F962B490510C1124BFED0A666F
SHA-256:	449286F631EF1524C2EE769AE40EA7EC5AB7E63858DBDCBCE48FC3B6F8C1C555
SHA-512:	255BAF621E33C9AA3BF3DA4F775BB82E1359E2639B330C37A6056BEB84B7C78BA5AC20859BEBB45B01876C24317EC5F64A3159E6A5840428D32D61944E13A6EA
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?><updateStore><sessionVariables><permanent><AUOptions dataType="3">1</AUOptions><AllowMUUpdateService dataType="3">0</AllowMUUpdateService><AreUpdatesPausedByPolicy dataType="11">False</AreUpdatesPausedByPolicy><AttentionRequiredReason dataType="19">0</AttentionRequiredReason><CurrentState dataType="19">1</CurrentState><FirstScanAttemptTime dataType="21">132399969272148706</FirstScanAttemptTime><FlightEnabled dataType="3">0</FlightEnabled><LastError dataType="19">0</LastError><LastErrorState dataType="19">0</LastErrorState><LastErrorStateType dataType="11">False</LastErrorStateType><LastMeteredScanTime dataType="21">132399969272304939</LastMeteredScanTime><LastScanAttemptTime dataType="21">132399969272148706</LastScanAttemptTime><LastScanDeferredReason dataType="19">1</LastScanDeferredReason><LastScanDeferredTime dataType="21">133051593686244000</LastScanDeferredTime><LastScanFailureError dataType="3">-2147023838</LastScanFailureError><LastScanFailu

C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	369512
Entropy (8bit):	6.2987418401396384
Encrypted:	false
SSDEEP:	6144:cVRijf0pLl3/W5FBNoRIa9G+iLBZ0OSxqxu1GUhH++Lf1M131s4E:PTkLl3/W5FBNoOac+pxqM1Lhe+pjX
MD5:	EDCE372DE488AA221DA7DB7544C09B3E
SHA1:	E684BE09C22E93B12AF9F78508E5422B83CBE0FC
SHA-256:	DBC0B0AFEAE1E33F3F8FA2384BBBFD2F787ACA1C75BF2E5372812B3DA33A7EFE
SHA-512:	89A21C8C4D4963B02E36CD887B071B866CEBAFC1F8E04AAB6CF043746AADB37799644E41FA3B1DDB1E297593B0035693E151B9B5ECF95041E0796BF47174E6B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y...8s..8s..8s..j...8s..@.8s..@...8s..@..8s..@...8s..@.8s..8r.J8s..@...8s..@.8s..@.8s.Rich.8s.........................PE..d...y.4\.........."..........\|.......H.........@....................................V.....@.....................................................d.......h.......h:...n..h5......H............................\..(.......................h............................text...,........................... ..`.rdata..T...........................@..@.data...0........,..................@....pdata..h:.......<..................@..@.tls.................R..............@....rsrc...h............T..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	369512
Entropy (8bit):	6.2987418401396384
Encrypted:	false
SSDEEP:	6144:cVRijf0pLl3/W5FBNoRIa9G+iLBZ0OSxqxu1GUhH++Lf1M131s4E:PTkLl3/W5FBNoOac+pxqM1Lhe+pjX
MD5:	EDCE372DE488AA221DA7DB7544C09B3E
SHA1:	E684BE09C22E93B12AF9F78508E5422B83CBE0FC
SHA-256:	DBC0B0AFEAE1E33F3F8FA2384BBBFD2F787ACA1C75BF2E5372812B3DA33A7EFE
SHA-512:	89A21C8C4D4963B02E36CD887B071B866CEBAFC1F8E04AAB6CF043746AADB37799644E41FA3B1DDB1E297593B0035693E151B9B5ECF95041E0796BF47174E6B1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Y...8s..8s..8s..j...8s..@.8s..@...8s..@..8s..@...8s..@.8s..8r.J8s..@...8s..@.8s..@.8s.Rich.8s.........................PE..d...y.4\.........."..........\|.......H.........@....................................V.....@.....................................................d.......h.......h:...n..h5......H............................\..(.......................h............................text...,........................... ..`.rdata..T...........................@..@.data...0........,..................@....pdata..h:.......<..................@..@.tls.................R..............@....rsrc...h............T..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\esg_setup.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	modified
Size (bytes):	64482
Entropy (8bit):	3.6903364002980066
Encrypted:	false
SSDEEP:	1536:X5AKcAVmmsReFuYuuplhkKOMjNSUUyKGu8dhEvoqwbt7SLPsKa5LUkBRx0WKiOxL:Jm
MD5:	F21C271ECED0E1CD2EE569E956C4EF70
SHA1:	B8302FE4A7390D8024FDB227CDD34ED495808E47
SHA-256:	DA16C8670DD4476CCC03158230E47E70960BCC8A3F09B4D566F199BC2915FAD1
SHA-512:	1595AFF765C92C4365300F2971FFF89A6A57D501B2CF28189E9F04C406500CA2B14D50A0E5D73EE15675993637FECECF11195EC2EF16401EB69CBB7682A5B313
Malicious:	false
Preview:	[.1.].[.0.8.:.1.4.:.2.9...7.4.2.].[.0.0.5.2.3.6.]. .(.2.9.3.). .I.n.s.t.a.l.l.e.r. .3...0...8.1.9...5.0.5.0. .(.0.7.0.8.4.9.6. .:. .4.d.d.d.8.7.2.4.). .i.n.i.t.........[.1.].[.0.8.:.1.4.:.2.9...7.8.9.].[.0.0.5.2.3.6.]. .(.2.9.6.). .H.W.I.D.[.4.3.1.7.7.b.1.f.9.0.4.4.f.0.3.a.6.6.5.7.5.c.a.f.3.e.b.9.e.0.0.6.]. .H.a.s.h.:.[.2.8.1.6.b.a.c.d.0.1.b.0.d.8.c.4.8.f.1.d.8.7.1.4.c.6.a.a.6.f.0.f.].....[.1.].[.0.8.:.1.4.:.2.9...7.8.9.].[.0.0.5.2.3.6.]. .(.2.9.9.). .O.S. .v.e.r.s.i.o.n.:. .W.i.n.d.o.w.s. .1.0. .P.r.o.,. .1.0...0...0...0...1.7.1.3.4.,. .6.4.b.i.t. .=. .1.....[.1.].[.0.8.:.1.4.:.2.9...7.8.9.].[.0.0.5.2.3.6.]. .(.3.0.4.). .A.r.g.s.:. .8.3.8.8.8.9.3.....[.1.].[.0.8.:.1.4.:.3.1...0.3.9.].[.0.0.3.5.2.0.]. .(.3.2.3.). .[.s.h.5.]. .5...1.3...1.5...8.1. .(.W.e.b.).....[.0.].[.0.8.:.1.4.:.3.1...6.3.3.].[.0.0.3.5.2.0.]. .(.5.2.). .F.i.l.e. .R.C. .r.e.g.i.s.t.e.r.e.d.[.1.].[.5.0.8.4.8.].[.9.7.6.c.b.0.0.8.b.4.9.0.2.c.a.8.f.7.b.0.f.a.f.d.6.7.c.c.8.d.7.f.].:. ./.s.h.5./.a.l.b.a.n.i.a.n...l.n.g.....

C:\Windows\Logs\waasmedic\waasmedic.20221130_081446_547.etl

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	2.736344290343422
Encrypted:	false
SSDEEP:	48:j1Rr52UBmb7kUYb7kEyb7klnb7kdb7kbIl9lvb7k0tpl3b7kSb7klb7kwDb7k9O:52Uw0UY0F0h0d0U9R0Cl30S0l0A09O
MD5:	3EF309A9EE17AE9D3922E7FD37AC6B0C
SHA1:	5288E02BAE015066BD153FB5CBE78C6F1489455F
SHA-256:	557AD0B3B40823C2A4523252E8825DA816B0A7844180B17D52DA7BC916CB7EEE
SHA-512:	30318705D2175F4BBA6011FA08A608C8A648B949F07E7951F403F2524E86E8D0D28FCCC8AB4B75C0CC8577385EBAAEA5A712C949A755F5185773A66A604175F0
Malicious:	false
Preview:	....................................................!...........................x.......F.......................B.......y.....Zb....... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1.............................................................WW...... .....w..............E.C.C.B.1.7.5.F.-.1.E.B.2.-.4.3.D.A.-.B.F.B.5.-.A.8.D.5.8.A.4.0.A.4.D.7...C.:.\.W.i.n.d.o.w.s.\.l.o.g.s.\.w.a.a.s.m.e.d.i.c.\.w.a.a.s.m.e.d.i.c...2.0.2.2.1.1.3.0._.0.8.1.4.4.6._.5.4.7...e.t.l.............P.P.x.......F..................................................................9.B.F......17134.1.amd64fre.rs4_release.180410-1804............5.@.F......OYo."(.s..O........WaaSMedicSvc.pdb............................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	10874
Entropy (8bit):	3.166085046821439
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3z5+6I3+zJ9+i:j+s+v+b+P+m+0+Q+q+q+73+zj+i
MD5:	9658A663F2DFBC67E0B56BEFC1C7594F
SHA1:	6E1255D582A2F94F7DE4C4E2D7F18C55D9728A85
SHA-256:	DB8E1DE3403925115F4653FA8F125F7C6F0B69714F45E735E32DD170E91737CC
SHA-512:	04B62023F203E363080EC3E57391C52AEC454D3F2C24C6C588BC1DDFBBC2EFEA5896E30ACAC0DCD4778B422C059D84BBF73AA52EADCA510DB4D55FA8A7C5C803
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\System32\drivers\EnigmaFileMonDriver.sys

Download File

Process:	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	83992
Entropy (8bit):	6.272239054005574
Encrypted:	false
SSDEEP:	1536:dg3dQYWSNxlINp9BNsrxwpu0jV0IWsyAtZZKltYdjxzzs:dg3dQYWaxmNNNsD0jGIWs33oltu0
MD5:	6BED4CEE4117F47E2EF797DA56935C04
SHA1:	34EBF65A197F4BD8FFFE891130A0B0CB903F75F6
SHA-256:	0BF9F7247339C1676F6F59EE4647A6266DAEFA74CA00C7F1ED608BDC3A0EF693
SHA-512:	8FAF611DCE276B4877463847248BC7A4F41AA1032C679DE55F650536858993C9EC4A8B834017C0C23A5D20E7EFB0EB63AADCF94B1DF49BD2541413F4448F1EA3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PG.i.&.:.&.:.&.:.T.;.&.:.T.;.&.:.T.;.&.:.&.:g&.:.S.;.&.:.S&:.&.:.S.;.&.:Rich.&.:........................PE..d...d].b.........."..........8.......I.........@.....................................t.....A.................................................K..P....`............... ...(...p......p...8...............................8............................................text............................... ..h.rdata..$...........................@..H.data...............................@....pdata..............................@..HPAGE.....!.......".................. ..`INIT....N....@...................... ..b.rsrc........`......................@..B.reloc.......p......................@..B........................................................................................................................................................................................

C:\sh5ldr\initrd.gz

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	gzip compressed data, was "newinitrd", last modified: Fri Feb 9 17:19:34 2018, from Unix, original size modulo 2^32 4180998130
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	7.9952417172698125
Encrypted:	true
SSDEEP:	12288:M6bKggdUNSAChsS7CalpLtMGclsPz0Nvn8WCOrkct9ces20Y8/EiaDrsnLr3PN1U:bKgoU0N2lw0KWhkcDce2uYfmjr
MD5:	356054D8D017B1CD5C7130D30ACB1FAA
SHA1:	536BF38B34297D48D24A0DD58A9C20E3DCD9CB69
SHA-256:	2F9A0353058B4F0A11B531819A48D85CEF0D8B343F33910D77EE33549F3DE857
SHA-512:	FC99CDCFE0B115A3ED388C116E7C6360FCEBA372EAEDA63DA91FD8451645BF8B41828D6C902E131D13C6DA98DF2A5E6A990B7C3C5E310AE7F520E74CCB7CB489
Malicious:	true
Preview:	....&.}Z..newinitrd..Z{p\Wy?.7..y..)....D.-iwe).K.......$.QY...{W...n.+Y....&...v`...1..04.i..v.Ny.Q.B..3!...fj&.........{%..C..j..~.{..u...Yg....e.......,>}..a..F.7...`......s}..O.....~....\|..j........7...?.._....h...q.........u.9..3.Jn^..!......?.co..y....L...1o.#78x...#...L...v.[7.{A.L!6..5....f.C.S.g.....3..W...2.[..@......LY..B.(....d%o......S"....:.... .p.....{zI.k.3M.`Q..]r.HCw0}..........;...I8..,A..*N..X...J>iG...A9f:..Y.T.!......13.....s$..FI..P.9.B....K.0.S,...X.V...uI.#k.$..I.Ll..uI..........K.a..[.5...E.X.{...@+...~p..i98.\|dprrpb..]...I....d..E..a..;..T...F&.>.....}..A.9:>=125%G.O.Ay`prz\|..}.........Fz..2I)......G....n.}e.c....yi..&.j......^O..3.Id!h...%.t.K.z6..).Z....C^..Hw........1j. ~..^..r........\.....S.=I..z....N....9..L...........B.W.j...3y,.:.e.M.....tG...m...2..:..0pFv..`.:%gw..N.....k....).5x..FR!.......M...V2.0E........\..`'Cu.....]......M.X..:d..,.j..\.4.LA.LI.^6!.UY.R(.).]....T....M.<o.S..u..lg^V.H0r

C:\sh5ldr\shldr

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS executable (COM)
Category:	dropped
Size (bytes):	270476
Entropy (8bit):	6.649640171668803
Encrypted:	false
SSDEEP:	6144:AHvZF0wXVHGMvtxkRhmB2xB4+AINF4/KaigfHvU:AHv4MiiB2xB4+A1Ki/s
MD5:	D4FBD43D0BA1237AC37545E278D0414B
SHA1:	55E05CE5F96B9891547E6248BC6972847271707A
SHA-256:	1D458FE14A87DA3249766163996359A2BCEF33ECEE15501A52A81F8B03FE04BA
SHA-512:	ED084E82A7AB6280C724AA40A45E603AC66F11A2662093F299CDBD07FB7C20FE90573F9E4E69607F48896DF83A59234A3DF2634A3AF171CEBFA862B8C2B53ED6
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	.>.. 9...........................................................1.......[..K........Sj[...A..f.>..........y.f.>..X..u..@.h. ...............K......QS..[Yr........1.1........f.GRU.f9.u....... ..f9.uJ.r;......$?t........h...1.`.2.as.`1..).aOu...y.w/.......r.w...1.....1............RVWU...]_^Z.....f`......`.. ...."......f1.f1.f..$...f.....$..".....1.V..\|W..V.............f........ ....fa...h.......<.u....Missing helper..........X.....P....r0.>..U.u(.....Kj@.......;.f1.1..D..u.8T.u.f.D.E.s...................................................................................................................[......"....1.1...f.t<..t.1.f1.f@u......U....f.......D....\.f.D.f.D.....f`.B._.fa.fP.[...f@.............fXf.>X.....u.......[...........S.......Q............u.9.t... .r;.....1.1.......h1..... ...1.1....................Ku..+....p.. x..............-.....-....Ku..1.....f1.6..f...............N............1.... ........../menu.lst...............................

C:\sh5ldr\shldr.mbr

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	DOS/MBR boot sector
Category:	dropped
Size (bytes):	9216
Entropy (8bit):	6.64401103615787
Encrypted:	false
SSDEEP:	192:19tH9JfvwQkeDDL1IjmK2YbfknoZusHC1jIKYBSZV:TTJf4QxDiCK2QknyHHC1jIKYBSn
MD5:	2B0B4E8E51E7B754A9E3F086BBC1D98C
SHA1:	CC133E92C2206552D7C0BD6DC77811FEB45431B1
SHA-256:	8F6293B3DD067EFE6AD19CD5CB9201871FA3AE865F55D23DC5A1BF428BC4C5E0
SHA-512:	26771424BADF099614554113E1525DB3B5522B95540E34A1EED15FA5E0955CD5B6655F1A5B00F233F37CA91C7BB3658C6FEADFD67744A663909ED2322D426084
Malicious:	false
Preview:	.^.. 9...........................................................................................1.......[..k.........Sj}.h. ...............K......QS..[Yr........1.1........f..M.f9.u..9..... ..f9.t(f`...............s.u.faf9.uM.......&....r3......$?t........h...1..K.s.u...\............r.w...1.....1......M.....RVWU...]_^Z...... ....fa....`PSQ............Y[Xr...u.as.`1...aO.......<.u....Missing MBR-helper.........................................................................................U........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\sh5ldr\vmlinuz

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Linux kernel x86 boot executable bzImage, version 3.18.5ESGi (enigma@enigma-mindo-xdev) #3 SMP Wed Feb 4 13:13:25 EET 2015, RO-rootFS, swap_dev 0X2, Normal VGA
Category:	dropped
Size (bytes):	1048576
Entropy (8bit):	7.998369627630954
Encrypted:	true
SSDEEP:	24576:iANSKABQg2hQTjn83uRq5E8p5g5GSfWatSU/alzP/eg:FAehQTz8U2Jp7Sfb/awg
MD5:	EE6BEB0699A62B528A6927A13672E1A2
SHA1:	5E47E0D14246ED311BB8CE774426898A53E8DFE8
SHA-256:	87AA518948A8BE0BCAAB8E9694E29EDE2AD87D4742A5B702F35014D91EB31A7D
SHA-512:	5617275FE4920F387A48BF4C8DB1A40CBE291E9B8F76558D6996B9865E8205D44A517A5BB009BF6E873EF0453AE8F4260476CC1506720D973A817E01CB6495AC
Malicious:	true
Preview:	...........1....-.. .t..........1..........Use a boot loader....Remove disk and press any key to reboot...........................................................................................................................................................................................................................................................................................................................................................................................................c.........U..fHdrS.........1.....................P..................................y.....'...................m...........9..t...P.....t...$.....s.1...u......f.....h...f.>.=U.ZZu...=..Pf1.).....f.f..+..f.....f.........8...t......f.....f`..,......f.fa......f...f.......f`.f......g.\|$D!.t......f...,fa....f.f.fVfSf..4f..f...u.f.....f.....gf.D$.f.!...g.D$...g.D$...g.D$!.g.\$ f1.gf.T$.f.....f.J...f...Pf..t!f.....gf.Q.. u.fNt....f...f....f..4f[f^f.fSf...f..gf.....t.fCf.Z.....f...f[f..No setu

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.120994762388773
TrID:	Win32 Executable (generic) a (10002005/4) 98.81% Windows ActiveX control (116523/4) 1.15% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	6881256
MD5:	2816bacd01b0d8c48f1d8714c6aa6f0f
SHA1:	474ae88d9cf093dcb9789cb7b79513e0dbd38388
SHA256:	637720ba1437fd6dea873e56a6a1d7bb3c663e490abc4e406e3817dd2eb82c4f
SHA512:	8bc78e625a8be14dc54185e1cdd63f4cf85b5fdcd32ea532fc00e2f805ef9d241d2b3e89e582779b167113ca7b4dabee60b56f3eacdf4bdc4b5f56c15c823ac2
SSDEEP:	98304:Hh/MyJC5zMggmeTN1YBi9MCL8e7Wf7teFSiFMMrFDnl9KMBlcbhHEjZD:HXGAggm48/y8e7Wf7tYFM99HEp
TLSH:	D666DF12B641C171E5A302B2997EAFBF987CED200B2458C7E3D45E7D4E702E26637B52
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......C.o..............X..1....X.......X.. ....d..........................J.......!.......................&...............7..........

File Icon


Icon Hash:	f8b6b45971a6ee70

Static PE Info

General

Entrypoint:	0x68a7d4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63510DF3 [Thu Oct 20 08:59:31 2022 UTC]
TLS Callbacks:	0x689cd0
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	fa3740f07f6d2725edcaa42e6d766d63

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	6/18/2020 5:00:00 PM 6/13/2023 5:00:00 AM
Subject Chain	CN=EnigmaSoft Limited, O=EnigmaSoft Limited, L=Dublin, C=IE, SERIALNUMBER=597114, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE
Version:	3
Thumbprint MD5:	C1CA2DE9B1FC80CB6991C5E96BFDBB56
Thumbprint SHA-1:	9B7616BF6F93FFDEB04A6998A944512C1C753015
Thumbprint SHA-256:	5F5216C99F6851AC1FF36BECDE318E5ECF54222D051E2D4EB142165657C7630F
Serial:	0D52114AABA1B5E4B4B1ACE58C319E4E

Entrypoint Preview

Instruction
call 00007FB4ACAECBB5h
jmp 00007FB4ACAEBD03h
int3
int3
push ecx
lea ecx, dword ptr [esp+04h]
sub ecx, eax
sbb eax, eax
not eax
and ecx, eax
mov eax, esp
and eax, FFFFF000h
cmp ecx, eax
jc 00007FB4ACAEBE7Eh
mov eax, ecx
pop ecx
xchg eax, esp
mov eax, dword ptr [eax]
mov dword ptr [esp], eax
ret
sub eax, 00001000h
test dword ptr [eax], eax
jmp 00007FB4ACAEBE59h
int3
int3
int3
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 0Fh
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FB4ACAEBE2Fh
push ecx
lea ecx, dword ptr [esp+08h]
sub ecx, eax
and ecx, 07h
add eax, ecx
sbb ecx, ecx
or eax, ecx
pop ecx
jmp 00007FB4ACAEBE19h
int3
int3
int3
int3
push esi
mov eax, dword ptr [esp+14h]
or eax, eax
jne 00007FB4ACAEBE9Ah
mov ecx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+08h]
div ecx
mov esi, eax
mov eax, ebx
mul dword ptr [esp+10h]
mov ecx, eax
mov eax, esi
mul dword ptr [esp+10h]
add edx, ecx
jmp 00007FB4ACAEBEB9h
mov ecx, eax
mov ebx, dword ptr [esp+10h]
mov edx, dword ptr [esp+0Ch]
mov eax, dword ptr [esp+08h]
shr ecx, 1
rcr ebx, 1
shr edx, 1
rcr eax, 1
or ecx, ecx
jne 00007FB4ACAEBE66h
div ebx
mov esi, eax
mul dword ptr [esp+14h]
mov ecx, eax
mov eax, dword ptr [esp+10h]
mul esi

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x51fda0	0x154	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x552000	0x115c30	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x68b400	0x4be8	.reloc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x668000	0x344b0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4e6c00	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4e6ccc	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4e6c70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x438000	0x948	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4363cc	0x436400	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x438000	0xeb144	0xeb200	False	0.41603846856725146	data	5.84204624071673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x524000	0x2bee1	0x1ea00	False	0.12552614795918368	Matlab v4 mat-file (little endian) \334, rows 8, columns 8, imaginary	4.35694874016997	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x550000	0x9b8	0xa00	False	0.3890625	data	4.1212839696841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x551000	0x9	0x200	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x552000	0x115c30	0x115e00	False	0.9782669815564552	data	7.982123610094004	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x668000	0x344b0	0x34600	False	0.6026486053102625	data	6.676291391323307	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x553ff0	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States
RT_ICON	0x554658	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States
RT_ICON	0x554940	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States
RT_ICON	0x554a68	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States
RT_ICON	0x555910	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States
RT_ICON	0x5561b8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States
RT_ICON	0x556720	0x9a5e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x560180	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States
RT_ICON	0x562728	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States
RT_ICON	0x5637d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States
RT_DIALOG	0x563c38	0x34	data	English	United States
RT_DIALOG	0x563c6c	0x34	data	English	United States
RT_DIALOG	0x563ca0	0x34	data	English	United States
RT_DIALOG	0x563cd4	0x34	data	English	United States
RT_RCDATA	0x563d08	0x60	data	English	United States
RT_RCDATA	0x563d68	0x480	data	English	United States
RT_RCDATA	0x5641e8	0x60	data	English	United States
RT_RCDATA	0x564248	0x3b60	data	English	United States
RT_RCDATA	0x567da8	0x37c0	data	English	United States
RT_RCDATA	0x56b568	0x38e0	data	English	United States
RT_RCDATA	0x56ee48	0x3b80	data	English	United States
RT_RCDATA	0x5729c8	0x39c0	data	English	United States
RT_RCDATA	0x576388	0x3d40	data	English	United States
RT_RCDATA	0x57a0c8	0x4180	data	English	United States
RT_RCDATA	0x57e248	0x6960	data	English	United States
RT_RCDATA	0x584ba8	0x3dc0	data	English	United States
RT_RCDATA	0x588968	0x41c0	data	English	United States
RT_RCDATA	0x58cb28	0x3c00	data	English	United States
RT_RCDATA	0x590728	0x5fe	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x590d28	0xa0	data	English	United States
RT_RCDATA	0x590dc8	0x7c0	data	English	United States
RT_RCDATA	0x591588	0x340	data	English	United States
RT_RCDATA	0x5918c8	0x18fa0	data	English	United States
RT_RCDATA	0x5aa868	0x7a0	data	English	United States
RT_RCDATA	0x5ab008	0x2e0	data	English	United States
RT_RCDATA	0x5ab2e8	0x260	data	English	United States
RT_RCDATA	0x5ab548	0x280	data	English	United States
RT_RCDATA	0x5ab7c8	0x360	data	English	United States
RT_RCDATA	0x5abb28	0x240	data	English	United States
RT_RCDATA	0x5abd68	0x280	data	English	United States
RT_RCDATA	0x5abfe8	0x260	data	English	United States
RT_RCDATA	0x5ac248	0x2a0	data	English	United States
RT_RCDATA	0x5ac4e8	0xf3e0	data	English	United States
RT_RCDATA	0x5bb8c8	0xa40	data	English	United States
RT_RCDATA	0x5bc308	0x280	data	English	United States
RT_RCDATA	0x5bc588	0x2c0	data	English	United States
RT_RCDATA	0x5bc848	0x280	data	English	United States
RT_RCDATA	0x5bcac8	0x280	data	English	United States
RT_RCDATA	0x5bcd48	0x360	data	English	United States
RT_RCDATA	0x5bd0a8	0x2a0	data	English	United States
RT_RCDATA	0x5bd348	0x2c0	data	English	United States
RT_RCDATA	0x5bd608	0x260	data	English	United States
RT_RCDATA	0x5bd868	0x280	data	English	United States
RT_RCDATA	0x5bdae8	0x520	data	English	United States
RT_RCDATA	0x5be008	0x2c0	data	English	United States
RT_RCDATA	0x5be2c8	0x280	data	English	United States
RT_RCDATA	0x5be548	0x2a0	data	English	United States
RT_RCDATA	0x5be7e8	0x2a0	data	English	United States
RT_RCDATA	0x5bea88	0x360	data	English	United States
RT_RCDATA	0x5bede8	0x140	data	English	United States
RT_RCDATA	0x5bef28	0x2a0	data	English	United States
RT_RCDATA	0x5bf1c8	0x2a0	data	English	United States
RT_RCDATA	0x5bf468	0x2a0	data	English	United States
RT_RCDATA	0x5bf708	0x260	data	English	United States
RT_RCDATA	0x5bf968	0xd460	data	English	United States
RT_RCDATA	0x5ccdc8	0x2a0	data	English	United States
RT_RCDATA	0x5cd068	0x340	data	English	United States
RT_RCDATA	0x5cd3a8	0x2c0	data	English	United States
RT_RCDATA	0x5cd668	0x2c0	data	English	United States
RT_RCDATA	0x5cd928	0x22180	data	English	United States
RT_RCDATA	0x5efaa8	0x221a0	data	English	United States
RT_RCDATA	0x611c48	0x27000	data	English	United States
RT_RCDATA	0x638c48	0xc20	data	English	United States
RT_RCDATA	0x639868	0xd20	data	English	United States
RT_RCDATA	0x63a588	0xd80	data	English	United States
RT_RCDATA	0x63b308	0xc80	data	English	United States
RT_RCDATA	0x63bf88	0xca0	data	English	United States
RT_RCDATA	0x63cc28	0xcc0	data	English	United States
RT_RCDATA	0x63d8e8	0xd00	data	English	United States
RT_RCDATA	0x63e5e8	0xd60	data	English	United States
RT_RCDATA	0x63f348	0xca0	data	English	United States
RT_RCDATA	0x63ffe8	0xc60	data	English	United States
RT_RCDATA	0x640c48	0xcc0	data	English	United States
RT_RCDATA	0x641908	0xf40	data	English	United States
RT_RCDATA	0x642848	0xd60	data	English	United States
RT_RCDATA	0x6435a8	0xca0	data	English	United States
RT_RCDATA	0x644248	0xe40	data	English	United States
RT_RCDATA	0x645088	0xca0	data	English	United States
RT_RCDATA	0x645d28	0xca0	data	English	United States
RT_RCDATA	0x6469c8	0xca0	data	English	United States
RT_RCDATA	0x647668	0xd20	data	English	United States
RT_RCDATA	0x648388	0xfe0	data	English	United States
RT_RCDATA	0x649368	0xc20	data	English	United States
RT_RCDATA	0x649f88	0xd20	data	English	United States
RT_RCDATA	0x64aca8	0xd20	data	English	United States
RT_RCDATA	0x64b9c8	0xc40	data	English	United States
RT_RCDATA	0x64c608	0xd40	data	English	United States
RT_RCDATA	0x64d348	0xd40	data	English	United States
RT_RCDATA	0x64e088	0xee0	data	English	United States
RT_RCDATA	0x64ef68	0xd20	data	English	United States
RT_RCDATA	0x64fc88	0xd40	data	English	United States
RT_RCDATA	0x6509c8	0xe60	data	English	United States
RT_RCDATA	0x651828	0xd00	data	English	United States
RT_RCDATA	0x652528	0xbc0	data	English	United States
RT_RCDATA	0x6530e8	0x840	data	English	United States
RT_RCDATA	0x653928	0x80	data	English	United States
RT_RCDATA	0x6539a8	0x760	data	English	United States
RT_RCDATA	0x654108	0x820	data	English	United States
RT_RCDATA	0x654928	0x940	OpenPGP Public Key	English	United States
RT_RCDATA	0x655268	0xac0	data	English	United States
RT_RCDATA	0x655d28	0x1060	data	English	United States
RT_RCDATA	0x656d88	0xac0	data	English	United States
RT_RCDATA	0x657848	0x920	data	English	United States
RT_RCDATA	0x658168	0xaa0	data	English	United States
RT_RCDATA	0x658c08	0x7a0	data	English	United States
RT_RCDATA	0x6593a8	0x820	data	English	United States
RT_RCDATA	0x659bc8	0x8a0	OpenPGP Public Key	English	United States
RT_RCDATA	0x65a468	0x8c0	data	English	United States
RT_RCDATA	0x65ad28	0x16c0	data	English	United States
RT_RCDATA	0x65c3e8	0x7c00	data	English	United States
RT_RCDATA	0x663fe8	0xa0	data	English	United States
RT_RCDATA	0x664088	0xa0	data	English	United States
RT_RCDATA	0x664128	0xa0	data	English	United States
RT_RCDATA	0x6641c8	0x2c0	data	English	United States
RT_RCDATA	0x664488	0x460	data	English	United States
RT_RCDATA	0x6648e8	0x2e0	data	English	United States
RT_RCDATA	0x664bc8	0xc20	data	English	United States
RT_RCDATA	0x6657e8	0x19e	PNG image data, 15 x 60, 8-bit gray+alpha, non-interlaced	English	United States
RT_RCDATA	0x665988	0x28c	PNG image data, 30 x 120, 8-bit gray+alpha, non-interlaced	English	United States
RT_RCDATA	0x665c14	0x31d	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x665f34	0x31d	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666254	0x5cf	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666824	0x5cf	PNG image data, 30 x 180, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666df4	0xe9	PNG image data, 15 x 60, 8-bit/color RGBA, non-interlaced	English	United States
RT_RCDATA	0x666ee0	0x152	PNG image data, 30 x 120, 8-bit/color RGBA, non-interlaced	English	United States
RT_GROUP_ICON	0x667034	0x92	data	English	United States
RT_VERSION	0x6670c8	0x348	data	English	United States
RT_MANIFEST	0x667410	0x820	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2020), with CRLF line terminators	English	United States

Imports

DLL	Import
gdiplus.dll	GdipCreatePath, GdipCreateRegion, GdipSetClipRegion, GdipSetInfinite, GdipGetClip, GdipDeleteRegion, GdipDeleteGraphics, GdipGetImageHeight, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipImageRotateFlip, GdipGetImagePixelFormat, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromResource, GdipCreateBitmapFromStream, GdipClosePathFigure, GdipAddPathArcI, GdipResetPath, GdipDeletePen, GdipDrawPath, GdipSetPenDashStyle, GdipCreatePen1, GdipSetPixelOffsetMode, GdipSetInterpolationMode, GdipSetCompositingQuality, GdipSetCompositingMode, GdipFillRectangleI, GdipDeleteBrush, GdipCreateTextureIAI, GdipSetImageAttributesColorKeys, GdipSetImageAttributesWrapMode, GdipDrawImagePointRectI, GdipGetImageGraphicsContext, GdipCreateBitmapFromScan0, GdipDrawImageRectRectI, GdipDisposeImage, GdipCloneImage, GdipAlloc, GdipFree, GdipCreateBitmapFromHBITMAP, GdipSetImageAttributesColorMatrix, GdipDisposeImageAttributes, GdipCreateImageAttributes, GdipDeletePath, GdipCombineRegionPath, GdipSetSmoothingMode, GdipGetImageWidth
USP10.dll	ScriptStringAnalyse, ScriptStringOut, ScriptStringGetLogicalWidths, ScriptStringGetOrder, ScriptStringXtoCP, ScriptString_pSize, ScriptString_pcOutChars, ScriptStringFree, ScriptString_pLogAttr, ScriptStringCPtoX
CRYPT32.dll	CryptDecodeObject, CryptMsgClose, CryptQueryObject, CryptMsgGetParam, CertGetNameStringW, CryptHashCertificate, CertGetCertificateContextProperty, CertCloseStore, CertEnumCertificatesInStore, CertOpenSystemStoreW, CertFreeCertificateContext, CertGetEnhancedKeyUsage, CertGetIntendedKeyUsage, CertDuplicateCertificateContext, CertFindCertificateInStore, CertOpenStore
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WS2_32.dll	WSAIoctl, closesocket, WSASetLastError, getpeername, getsockname, socket, ntohs, connect, getsockopt, htons, setsockopt, send, recvfrom, listen, accept, bind, shutdown, getaddrinfo, htonl, gethostname, recv, WSAGetLastError, WSACloseEvent, WSACreateEvent, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, WSAEnumNetworkEvents, WSACleanup, WSAStartup, select, __WSAFDIsSet, ioctlsocket, freeaddrinfo, getnameinfo, sendto
PSAPI.DLL	GetProcessMemoryInfo, GetModuleFileNameExW, EnumProcessModules, GetProcessImageFileNameW
KERNEL32.dll	CreateEventA, GetLastError, MoveFileExW, InitializeCriticalSectionAndSpinCount, RaiseException, DecodePointer, DeleteCriticalSection, DeleteFileW, Sleep, GetCurrentProcess, SetLastError, EnterCriticalSection, LeaveCriticalSection, GetCurrentThreadId, GetTickCount, CreateFileW, HeapFree, QueryPerformanceFrequency, GetProcessHeap, lstrcmpiW, QueryPerformanceCounter, FindResourceW, GetUserDefaultLCID, GetDiskFreeSpaceExW, LoadLibraryW, HeapAlloc, GetProcAddress, CreateMutexW, WaitForSingleObject, ReleaseMutex, GetCurrentProcessId, GetLocalTime, ReadFile, GetFileSizeEx, WriteFile, RemoveDirectoryW, GetFileAttributesW, SetFileAttributesW, GetExitCodeProcess, EnumResourceNamesW, SizeofResource, InterlockedDecrement, GetModuleFileNameW, MultiByteToWideChar, LoadResource, GetModuleHandleW, InterlockedIncrement, SetDllDirectoryW, LoadLibraryExW, FreeLibrary, FileTimeToSystemTime, SystemTimeToFileTime, TerminateProcess, OpenProcess, OpenMutexW, GetSystemDirectoryW, SleepEx, InitializeCriticalSection, WideCharToMultiByte, VerSetConditionMask, VerifyVersionInfoW, FormatMessageW, GetEnvironmentVariableA, GetStdHandle, WaitForMultipleObjects, PeekNamedPipe, GetFileType, CompareFileTime, GetSystemTimeAsFileTime, GetEnvironmentVariableW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, SwitchToFiber, DeleteFiber, CreateFiber, LoadLibraryA, ConvertFiberToThread, ConvertThreadToFiber, FindClose, FindFirstFileW, FindNextFileW, GetSystemTime, WaitForSingleObjectEx, MulDiv, ExpandEnvironmentStringsW, GetLongPathNameW, CreateDirectoryW, CopyFileW, DeviceIoControl, LocalFree, GetSystemInfo, GetNativeSystemInfo, LocalAlloc, ProcessIdToSessionId, GetVolumeInformationW, lstrcpyW, lstrcatW, CreateProcessW, CreatePipe, SetHandleInformation, HeapReAlloc, GetComputerNameW, GetCurrentThread, GetLogicalDriveStringsW, GetDriveTypeW, GetModuleHandleA, GlobalAlloc, GlobalLock, GlobalUnlock, GlobalFree, GlobalSize, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, FindFirstVolumeW, GetVolumePathNamesForVolumeNameW, QueryDosDeviceW, FindNextVolumeW, FindVolumeClose, lstrlenW, CreateFileMappingW, MapViewOfFile, UnmapViewOfFile, SetFilePointer, MoveFileW, SetFilePointerEx, GetTimeFormatW, GetDateFormatW, LockResource, GetLogicalDrives, DeleteVolumeMountPointW, DefineDosDeviceW, GetVolumeNameForVolumeMountPointW, SetVolumeMountPointW, GlobalMemoryStatusEx, GetLocaleInfoW, CreateEventW, CreateNamedPipeW, GetLocaleInfoA, CreateTimerQueue, DeleteTimerQueueEx, CreateTimerQueueTimer, lstrcmpA, FileTimeToLocalFileTime, lstrcpynW, RemoveVectoredExceptionHandler, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, IsBadReadPtr, VirtualQuery, FreeResource, GetFileSize, CreateSemaphoreA, DuplicateHandle, ReleaseSemaphore, CloseHandle, SetEvent, GetStringTypeW, EncodePointer, CompareStringW, LCMapStringW, GetCPInfo, ResetEvent, WaitForMultipleObjectsEx, OpenEventA, SetWaitableTimer, ResumeThread, CreateWaitableTimerA, FormatMessageA, UnhandledExceptionFilter, IsProcessorFeaturePresent, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, OutputDebugStringW, InterlockedPopEntrySList, InterlockedPushEntrySList, FlushInstructionCache, VirtualAlloc, VirtualFree, LoadLibraryExA, GetStringTypeExW, LCMapStringA, GetStringTypeExA, RtlUnwind, GetModuleFileNameA, WriteConsoleW, GetACP, GetFileAttributesExW, SystemTimeToTzSpecificLocalTime, CreateThread, ExitThread, FreeLibraryAndExitThread, SetConsoleCtrlHandler, ExitProcess, GetCommandLineA, GetCommandLineW, GetConsoleCP, HeapSize, IsValidCodePage, GetOEMCP, IsValidLocale, EnumSystemLocalesW, GetCurrentDirectoryW, GetFullPathNameW, SetStdHandle, FlushFileBuffers, GetTimeZoneInformation, SetEnvironmentVariableA, SetEnvironmentVariableW, FindFirstFileExW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEndOfFile, GetTempPathW, GetVersionExW, CreateProcessA
USER32.dll	OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsClipboardFormatAvailable, GetClipboardData, EnableWindow, SetTimer, KillTimer, SetWindowRgn, IsCharAlphaNumericA, ScreenToClient, UpdateLayeredWindow, SetCaretPos, SetActiveWindow, GetKeyState, DestroyCaret, ClientToScreen, CreateCaret, ShowCaret, HideCaret, InsertMenuW, TrackPopupMenu, MessageBoxW, GetSystemMetrics, LoadAcceleratorsW, LoadStringW, GetClassInfoW, DispatchMessageW, PeekMessageW, RegisterClassW, CharNextW, TranslateMessage, UpdateWindow, SetForegroundWindow, LoadImageW, GetWindow, MonitorFromWindow, EndDialog, GetWindowInfo, LockSetForegroundWindow, MapWindowPoints, EnumWindows, GetWindowDC, SetWindowTextW, InvalidateRect, GetDC, ReleaseDC, GetFocus, RegisterClassExW, IsWindowEnabled, SetRect, GetClassInfoExW, InflateRect, IsZoomed, DrawTextW, IsIconic, GetCapture, TrackMouseEvent, SetFocus, SetCapture, ReleaseCapture, GetCursorPos, PostMessageW, ShowWindow, RedrawWindow, GetDlgItem, GetWindowLongW, DefWindowProcW, AdjustWindowRectEx, CallWindowProcW, GetWindowRect, DestroyWindow, IsWindowVisible, SetWindowPos, EnumChildWindows, CreateWindowExW, SendMessageW, IsWindow, OffsetRect, LoadCursorW, SetCursor, SetWindowLongW, GetClientRect, GetParent, PtInRect, BeginPaint, EndPaint, UnregisterClassW, ExitWindowsEx, GetMessageExtraInfo, wsprintfW, GetUserObjectInformationW, GetProcessWindowStation, FindWindowExW, GetWindowTextLengthW, GetMenuItemInfoW, MessageBeep, CreatePopupMenu, GetActiveWindow, IsDialogMessageW, DestroyMenu, BringWindowToTop, TranslateAcceleratorW, LoadIconW, TrackPopupMenuEx, RemoveMenu, AllowSetForegroundWindow, MonitorFromPoint, GetMenuItemCount, MoveWindow, LoadStringA, AppendMenuW, PostQuitMessage, DialogBoxParamW, GetMessageW, GetMonitorInfoW, LoadMenuW
GDI32.dll	TextOutW, GetTextMetricsW, StartPage, EndPage, GetBkColor, SetTextAlign, GetTextColor, GetDeviceCaps, CombineRgn, GetDIBits, ExtCreatePen, LineTo, MoveToEx, ExtTextOutW, CreateFontW, GetObjectW, SetBrushOrgEx, SetStretchBltMode, GetTextExtentPoint32W, CreatePen, Rectangle, SelectClipRgn, IntersectClipRect, SetBkColor, CreateSolidBrush, SetTextColor, SetBkMode, BitBlt, CreateCompatibleBitmap, SaveDC, SelectObject, CreateCompatibleDC, DeleteDC, SetViewportOrgEx, ExcludeClipRect, RestoreDC, DeleteObject, CreateRectRgn, ExtSelectClipRgn
ADVAPI32.dll	CloseServiceHandle, CryptSignHashW, OpenServiceW, OpenSCManagerW, GetNamedSecurityInfoW, GetExplicitEntriesFromAclW, InitializeAcl, SetEntriesInAclW, SetNamedSecurityInfoW, QueryServiceStatusEx, ControlService, LookupAccountNameW, RegSaveKeyExW, RegEnumValueW, OpenProcessToken, RegQueryValueExW, InitializeSecurityDescriptor, SetSecurityDescriptorOwner, RegSetKeySecurity, AddAccessAllowedAce, SetSecurityDescriptorDacl, ConvertSidToStringSidW, LookupPrivilegeValueW, GetTokenInformation, GetLengthSid, RegDeleteValueW, RegOpenKeyExW, RegSetValueExW, RegEnumKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegQueryInfoKeyW, RegCloseKey, DeregisterEventSource, RegisterEventSourceW, ReportEventW, CryptAcquireContextW, CryptReleaseContext, CryptGenRandom, CryptDestroyKey, CryptSetHashParam, CryptGetProvParam, CryptGetUserKey, CryptExportKey, CryptDecrypt, CryptCreateHash, CryptDestroyHash, AccessCheck, IsValidSecurityDescriptor, CryptEnumProvidersW, AdjustTokenPrivileges, GetUserNameW, DuplicateToken, FreeSid, OpenThreadToken, AllocateAndInitializeSid, SetSecurityDescriptorGroup
SHELL32.dll	SHOpenFolderAndSelectItems, SHParseDisplayName, ShellExecuteW
ole32.dll	CreateStreamOnHGlobal, CoInitializeEx, CoTaskMemRealloc, CoCreateInstance, CoUninitialize, CoInitialize, CoTaskMemFree, CoTaskMemAlloc
OLEAUT32.dll	VariantInit, SysAllocString, VariantClear, VarUI4FromStr, SysFreeString
SHLWAPI.dll	StrCmpNIW, StrCmpIW
COMCTL32.dll
MSIMG32.dll	AlphaBlend

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 5244, Parent PID: 3452

General

Target ID:	0
Start time:	00:14:27
Start date:	30/11/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0xd80000
File size:	6881256 bytes
MD5 hash:	2816BACD01B0D8C48F1D8714C6AA6F0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5288, Parent PID: 580

General

Target ID:	1
Start time:	00:14:39
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1556, Parent PID: 580

General

Target ID:	2
Start time:	00:14:39
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 684, Parent PID: 580

General

Target ID:	3
Start time:	00:14:39
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 5540, Parent PID: 580

General

Target ID:	4
Start time:	00:14:40
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 1360, Parent PID: 580

General

Target ID:	5
Start time:	00:14:40
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: SgrmBroker.exePID: 3384, Parent PID: 580

General

Target ID:	6
Start time:	00:14:45
Start date:	30/11/2022
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff65cb30000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 868, Parent PID: 580

General

Target ID:	7
Start time:	00:14:45
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 3460, Parent PID: 580

General

Target ID:	8
Start time:	00:14:46
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: svchost.exePID: 2080, Parent PID: 580

General

Target ID:	9
Start time:	00:14:46
Start date:	30/11/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff651c80000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 680, Parent PID: 5244

General

Target ID:	10
Start time:	00:15:24
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe create EsgShKernel start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe\"" DisplayName= "SpyHunter 5 Kernel"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5508, Parent PID: 680

General

Target ID:	11
Start time:	00:15:24
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5640, Parent PID: 5244

General

Target ID:	12
Start time:	00:15:24
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe description EsgShKernel "SpyHunter 5 Kernel"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4080, Parent PID: 5640

General

Target ID:	13
Start time:	00:15:25
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5744, Parent PID: 5244

General

Target ID:	14
Start time:	00:15:25
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe create ShMonitor start= demand binPath= "\"C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe\"" DisplayName= "SpyHunter 5 Kernel Monitor"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5752, Parent PID: 5744

General

Target ID:	15
Start time:	00:15:25
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5852, Parent PID: 5244

General

Target ID:	16
Start time:	00:15:26
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe description ShMonitor "SpyHunter 5 Kernel Monitor"
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5784, Parent PID: 5852

General

Target ID:	17
Start time:	00:15:26
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 1788, Parent PID: 5244

General

Target ID:	18
Start time:	00:15:26
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe config ShMonitor start= auto
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6140, Parent PID: 1788

General

Target ID:	19
Start time:	00:15:26
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 6020, Parent PID: 5244

General

Target ID:	20
Start time:	00:15:27
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe config EsgShKernel start= auto
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6060, Parent PID: 6020

General

Target ID:	21
Start time:	00:15:27
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: regsvr32.exePID: 2108, Parent PID: 5244

General

Target ID:	22
Start time:	00:15:27
Start date:	30/11/2022
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\regsvr32.exe /s "C:\Program Files\EnigmaSoft\SpyHunter\ShShellExt.dll"
Imagebase:	0x7ff65a000000
File size:	24064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: EsgInstallerDelay__0.exePID: 64, Parent PID: 5244

General

Target ID:	23
Start time:	00:15:29
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__0.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args MHLPvv2eVF5BDDAj57kaKhLlRzVl3TCPBu81sCtfDvA= -wait 300
Imagebase:	0x7ff6980f0000
File size:	369512 bytes
MD5 hash:	EDCE372DE488AA221DA7DB7544C09B3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 1332, Parent PID: 64

General

Target ID:	24
Start time:	00:15:29
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: EsgInstallerDelay__1.exePID: 2348, Parent PID: 5244

General

Target ID:	25
Start time:	00:15:29
Start date:	30/11/2022
Path:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\EsgInstallerDelay__1.exe -exec OpfXySN2sIJfRn7kaByo3fAgnhU5bFC+1YK5gktB214= -args hOGTiE/QHFPjrWqL1njGygtJtFEVLgswO/2BlkHQX4U= -wait 300
Imagebase:	0x7ff7a56d0000
File size:	369512 bytes
MD5 hash:	EDCE372DE488AA221DA7DB7544C09B3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3624, Parent PID: 2348

General

Target ID:	26
Start time:	00:15:30
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5312, Parent PID: 64

General

Target ID:	27
Start time:	00:15:30
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe start EsgShKernel -tt_on
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ShKernel.exePID: 5400, Parent PID: 580

General

Target ID:	28
Start time:	00:15:30
Start date:	30/11/2022
Path:	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe
Imagebase:	0x7ff7088d0000
File size:	17032680 bytes
MD5 hash:	F2F6BF33561C9EF8FE3310D46A3C8A25
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 0000001C.00000002.583150850.000001D380AA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.422519867.000001D3F58C0000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.422727533.000001D3F4225000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.422306773.000001D3F5841000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000001C.00000003.478164990.000001D3F34BE000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_BrowserHistorySpy, Description: Yara detected BrowserHistorySpy Tool by SecurityXploded, Source: 0000001C.00000003.509274290.000001D3F5D31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_EXEPWSH_DLAgent, Description: Detects SystemBC, Source: C:\Program Files\EnigmaSoft\SpyHunter\ShKernel.exe, Author: ditekSHen
Antivirus matches:	Detection: 2%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: sc.exePID: 5100, Parent PID: 2348

General

Target ID:	29
Start time:	00:15:30
Start date:	30/11/2022
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sc.exe start ShMonitor
Imagebase:	0x7ff676710000
File size:	69120 bytes
MD5 hash:	D79784553A9410D15E04766AAAB77CD6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ShMonitor.exePID: 4792, Parent PID: 580

General

Target ID:	30
Start time:	00:15:30
Start date:	30/11/2022
Path:	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\EnigmaSoft\SpyHunter\ShMonitor.exe
Imagebase:	0x7ff7a72d0000
File size:	549352 bytes
MD5 hash:	F9FA9D3B5957F0C365A20DE5C71EC214
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Analysis Process: MpCmdRun.exePID: 2364, Parent PID: 2080

General

Target ID:	31
Start time:	00:15:47
Start date:	30/11/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff610f30000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 2680, Parent PID: 2364

General

Target ID:	32
Start time:	00:15:47
Start date:	30/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff745070000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: SpyHunter5.exePID: 5688, Parent PID: 5400

General

Target ID:	33
Start time:	00:16:11
Start date:	30/11/2022
Path:	C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe
Wow64 process (32bit):
Commandline:	"C:\Program Files\EnigmaSoft\SpyHunter\SpyHunter5.exe" /hide
Imagebase:
File size:	18037736 bytes
MD5 hash:	096FA37EA53BB15959E9EEF9FD3F2745
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 5244, Parent PID: 3452COMMON

Non-executed Functions

Function 034EA7C8 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.261342350.00000000034E9000.00000004.00000800.00020000.00000000.sdmp, Offset: 034E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_34e3000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28adb1f6b9000afe47085a47e51b50af107ee00796eb9a93c654eb73a465366
Instruction ID: 36b274bf8eb491ad6362c24679f92778a92463ad26eb39cec082f50e60d29267
Opcode Fuzzy Hash: c28adb1f6b9000afe47085a47e51b50af107ee00796eb9a93c654eb73a465366
Instruction Fuzzy Hash: 1322FBA285E3E00FC717CB748D7A551BF616D2310530E86CFC8C68F6A3E359994AD32A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EsgInstallerDelay__0.exePID: 64, Parent PID: 5244COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4%
Total number of Nodes:	175
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6980F10F0 Relevance: 26.8, APIs: 12, Strings: 3, Instructions: 501
stringCOMMONLIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FF67FF6980F10F0(void* __ecx, long long __rbx, void* __rdx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v56;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v104;
				long long _v112;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				char _v168;
				char _v176;
				long long _v184;
				long long _v192;
				long long _v200;
				long long _v208;
				char _v232;
				char _v248;
				char _v264;
				long long _v272;
				long long _v280;
				long long _v288;
				char _v312;
				char _v328;
				char _v344;
				long long _v352;
				long long _v360;
				long long _v368;
				char _v376;
				long long _v384;
				long long _v392;
				long long _v400;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				signed long long _v440;
				long long _v448;
				signed long long _v456;
				long long _v464;
				long long _v472;
				long long _v480;
				void* _v504;
				long long _v512;
				signed int _v520;
				signed int _v528;
				signed int _v536;
				long long _v544;
				signed int _v552;
				void* __rdi;
				void* __r12;
				void* __r13;
				void* __r14;
				void* __r15;
				int _t262;
				void* _t289;
				signed int _t331;
				signed long long _t333;
				signed int _t335;
				void* _t347;
				void* _t349;
				signed long long _t402;
				signed long long _t405;
				long long _t420;
				long long _t435;
				void* _t471;
				void* _t487;
				void* _t495;
				void* _t502;
				char* _t521;
				char* _t527;
				char* _t528;
				signed long long _t530;
				long long _t534;
				long long _t537;
				void* _t545;
				void* _t553;
				void* _t554;
				void* _t555;
				void* _t557;
				long long _t558;

				_t542 = __rbp;
				_t437 = __rbx;
				_t340 = __ecx;
				_t555 = _t545;
				_v184 = 0xfffffffe;
				 *((long long*)(_t555 + 8)) = __rbx;
				 *((long long*)(_t555 + 0x18)) = __rbp;
				 *((long long*)(_t555 + 0x20)) = __rsi;
				_t402 =  *0x98140430; // 0x4918c2c043f
				_v56 = _t402 ^ _t545 - 0x00000220;
				_t539 = __rdx;
				_t350 = __ecx;
				r13d = 0;
				r12d = r13d;
				 *((long long*)(_t555 - 0x40)) = 7;
				 *((long long*)(_t555 - 0x48)) = _t558;
				 *((intOrPtr*)(_t555 - 0x58)) = r13w;
				 *((long long*)(_t555 - 0x90)) = 7;
				 *((long long*)(_t555 - 0x98)) = _t558;
				 *((intOrPtr*)(_t555 - 0xa8)) = r13w;
				if (__ecx <= 0) goto 0x980f134d;
				_t262 = lstrcmpiW(??, ??); // executed
				if (_t262 != 0) goto 0x980f11bd;
				_t331 = r13d + 1;
				if (_t331 - __ecx >= 0) goto 0x980f1248;
				_t530 =  *((intOrPtr*)(__rdx + _t331 * 8));
				asm("repne scasw");
				E00007FF67FF6980F2070(__rbx,  &_v96,  *((intOrPtr*)(__rdx + _t331 * 8)), _t530, __rbp,  !( *(__rdx + r13d * 8) | 0xffffffff) - 1, _t557);
				goto 0x980f123b;
				if (lstrcmpiW(??, ??) != 0) goto 0x980f1207;
				_t333 = _t331 + 2;
				if (_t333 - __ecx >= 0) goto 0x980f129f;
				_t405 = _t333;
				asm("repne scasw");
				_t549 =  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1;
				E00007FF67FF6980F2070(_t437,  &_v176,  *((intOrPtr*)(__rdx + _t405 * 8)),  *((intOrPtr*)(__rdx + _t405 * 8)), _t542,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t557);
				goto 0x980f123b;
				if (lstrcmpiW(??, ??) != 0) goto 0x980f1239;
				_t335 = _t333 + 2;
				if (_t335 - __ecx >= 0) goto 0x980f12f6;
				r12d = E00007FF67FF698104578(_t437,  *((intOrPtr*)(__rdx + _t335 * 8)), L"-wait");
				goto 0x980f123b;
				if (_t335 + 2 - __ecx >= 0) goto 0x980f134d;
				goto 0x980f1170;
				if (_v144 - 8 < 0) goto 0x980f1260;
				E00007FF67FF6981044D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f1295;
				E00007FF67FF6981044D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0x980f1b53;
				if (_v144 - 8 < 0) goto 0x980f12b7;
				E00007FF67FF6981044D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f12ec;
				E00007FF67FF6981044D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0x980f1b53;
				if (_v144 - 8 < 0) goto 0x980f130e;
				E00007FF67FF6981044D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f1343;
				E00007FF67FF6981044D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0x980f1b53;
				E00007FF67FF69812AF90(_t340, _v64 - 8, _t405, _t437,  &_v136, _t542, _t553, _t557);
				E00007FF67FF6981045E0(_t405,  &_v136);
				if (_t405 == 0) goto 0x980f1374;
				 *_t405 =  &_v504;
				goto 0x980f1377;
				_t406 = _t558;
				_v504 = _t558;
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				if (_v72 == 0) goto 0x980f1a7c;
				_t517 =  >=  ? _v88 :  &_v88;
				r8d = _v72;
				E00007FF67FF6980F9DE0(_t558,  &_v232,  >=  ? _v88 :  &_v88, _t549, _t553);
				E00007FF67FF6980F9BD0(_t437,  &_v504, _t558);
				if (_v208 == 0) goto 0x980f13ea;
				E00007FF67FF6981044D8(_t558, _t437, _v208, _t558, _t539, _t549, _t553);
				_v208 = _t558;
				_v200 = _t558;
				_v192 = _t558;
				E00007FF67FF6981044D8(_t558, _t437, _v232, _t406, _t539, _t549, _t553);
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v528 = _v528 ^ 0x82cdfde3;
				_v440 = _v528 ^ 0x852c1a21;
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v456 = _v528 ^ 0x82cdfde3;
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v520 = 0xf4e105e2;
				_v408 = _v520;
				_v400 = _v528;
				_v392 = _v456;
				_v384 = _v440;
				r8d = 0;
				if (E00007FF67FF69812BF20(_t335 + 2, 8, _t347, _t349, _t350, _v208, _t437,  &_v504,  &_v408, 0xf4e105e2, 0x238cb6e1, _t549, _t553, _t554, _t557, _t558, 0x82cdfde3, 0x852c1a21) == 0) goto 0x980f1a7c;
				_t420 = _v472;
				_t438 = _t420;
				if (_v480 - _t420 <= 0) goto 0x980f1517;
				E00007FF67FF6981044B8();
				_t421 = _v472;
				_t534 = _v480;
				_v520 = _v504;
				_v512 = _t420;
				if (_t534 - _v472 <= 0) goto 0x980f1535;
				E00007FF67FF6981044B8();
				_v456 = _v504;
				_v448 = _t534;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x150], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0x140], xmm1");
				r9d = _v536 & 0x000000ff;
				_t550 =  &_v248;
				_t521 =  &_v264;
				E00007FF67FF6980F28C0( &_v96, _t521,  &_v248);
				_t289 = E00007FF67FF69812B620(_t335 + 2, _v472,  &_v96, 0xf4e105e2, 0x238cb6e1, _t554); // executed
				if (_t289 != 0) goto 0x980f1678;
				_t471 =  >=  ? _v128 :  &_v128;
				_t111 = _t521 + 4; // 0x4
				r8d = _t111;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0x980f15d2;
				E00007FF67FF6981044D8(_v472, _t420, _v480, _t521, 0xf4e105e2,  &_v248, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF67FF6981044D8(_v472, _t420, _v504, _t521, 0xf4e105e2,  &_v248, _t553);
				if (_v104 - 8 < 0) goto 0x980f1604;
				E00007FF67FF6981044D8(_v472, _t420, _v128, _t521, 0xf4e105e2,  &_v248, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0x980f1639;
				E00007FF67FF6981044D8(_v472, _t420, _v168, _t521, 0xf4e105e2,  &_v248, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f166e;
				E00007FF67FF6981044D8(_t421, _t420, _v88, _t521, 0xf4e105e2,  &_v248, _t553);
				goto 0x980f1b53;
				if (_v152 == 0) goto 0x980f192d;
				_t523 =  >=  ? _v168 :  &_v168;
				r8d = _v152;
				E00007FF67FF6980F9DE0(_t421,  &_v312,  >=  ? _v168 :  &_v168,  &_v248, _t553);
				E00007FF67FF6980F9BD0(_t420,  &_v504, _t421);
				if (_v288 == 0) goto 0x980f16d7;
				E00007FF67FF6981044D8(_t421, _t420, _v288, _t421, 0xf4e105e2,  &_v248, _t553);
				_v288 = _t558;
				_v280 = _t558;
				_v272 = _t558;
				E00007FF67FF6981044D8(_t421, _t420, _v312, _t421, 0xf4e105e2,  &_v248, _t553);
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v520 = _v520 ^ 0x82cdfde3;
				_v456 = _v520 ^ 0x852c1a21;
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v440 = _v520 ^ 0x82cdfde3;
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v528 = 0xf4e105e2;
				_v376 = _v528;
				_v368 = _v520;
				_v360 = _v440;
				_v352 = _v456;
				r8d = 0;
				if (E00007FF67FF69812BF20(_t335 + 2, 8, _t347, _t349, _t350, _v288, _t438,  &_v504,  &_v376, 0xf4e105e2, 0x238cb6e1, _t550, _t553, _t554, _t557, _t558, 0x82cdfde3, 0x852c1a21) == 0) goto 0x980f1851;
				_t435 = _v472;
				_t439 = _t435;
				if (_v480 - _t435 <= 0) goto 0x980f17dc;
				E00007FF67FF6981044B8();
				_t436 = _v472;
				_t537 = _v480;
				_v520 = _v504;
				_v512 = _t435;
				if (_t537 - _v472 <= 0) goto 0x980f17fa;
				E00007FF67FF6981044B8();
				_v456 = _v504;
				_v448 = _t537;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x100], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0xf0], xmm1");
				r9d = _v536 & 0x000000ff;
				_t527 =  &_v344;
				E00007FF67FF6980F28C0( &_v176, _t527,  &_v328);
				goto 0x980f192d;
				_t487 =  >=  ? _v128 :  &_v128;
				_t184 = _t527 + 4; // 0x4
				r8d = _t184;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0x980f1887;
				E00007FF67FF6981044D8(_v472, _t435, _v480, _t527, 0xf4e105e2,  &_v328, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF67FF6981044D8(_v472, _t435, _v504, _t527, 0xf4e105e2,  &_v328, _t553);
				if (_v104 - 8 < 0) goto 0x980f18b9;
				E00007FF67FF6981044D8(_v472, _t435, _v128, _t527, 0xf4e105e2,  &_v328, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0x980f18ee;
				E00007FF67FF6981044D8(_v472, _t435, _v168, _t527, 0xf4e105e2,  &_v328, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f1923;
				E00007FF67FF6981044D8(_v472, _t435, _v88, _t527, 0xf4e105e2,  &_v328, _t553);
				goto 0x980f1b53;
				if (r12d == 0) goto 0x980f1942;
				r12d = r12d * 0x3e8;
				SleepEx(??, ??); // executed
				_v432 = 0;
				_v428 = 0;
				_v424 = 0;
				_v420 = 0;
				_v416 = 0;
				_v412 = 0;
				_v544 = _t558;
				_v552 = r13d;
				r9d = 0;
				_t552 =  &_v176;
				_t528 =  &_v96;
				E00007FF67FF69812B6B0(_t335 + 2, r12d, _v472,  &_v432, _t528,  &_v176, _t553, _t555); // executed
				_t495 =  >=  ? _v128 :  &_v128;
				_t216 = _t528 + 4; // 0x4, executed
				r8d = _t216;
				MoveFileExW(??, ??, ??); // executed
				if (_v480 == 0) goto 0x980f19d9;
				E00007FF67FF6981044D8(_v472, _t435, _v480, _t528, 0xf4e105e2,  &_v176, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF67FF6981044D8(_v472, _t435, _v504, _t528, 0xf4e105e2,  &_v176, _t553);
				if (_v104 - 8 < 0) goto 0x980f1a0b;
				E00007FF67FF6981044D8(_t436, _t435, _v128, _t528, 0xf4e105e2,  &_v176, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0x980f1a40;
				E00007FF67FF6981044D8(_t436, _t439, _v168, _t528, 0xf4e105e2,  &_v176, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f1a75;
				E00007FF67FF6981044D8(_t436, _t439, _v88, _t528, 0xf4e105e2,  &_v176, _t553);
				goto 0x980f1b53;
				_t502 =  >=  ? _v128 :  &_v128;
				_t239 = _t528 + 4; // 0x4
				r8d = _t239;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0x980f1ab2;
				E00007FF67FF6981044D8(_t436, _t439, _v480, _t528, 0xf4e105e2,  &_v176, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF67FF6981044D8(_t436, _t439, _v504, _t528, 0xf4e105e2,  &_v176, _t553);
				if (_v104 - 8 < 0) goto 0x980f1ae4;
				E00007FF67FF6981044D8(_t436, _t439, _v128, _t528, 0xf4e105e2,  &_v176, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0x980f1b19;
				E00007FF67FF6981044D8(_t436, _t439, _v168, _t528, 0xf4e105e2, _t552, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0x980f1b4e;
				E00007FF67FF6981044D8(_t436, _t439, _v88, _t528, 0xf4e105e2, _t552, _t553);
				return E00007FF67FF698104050(r12d, _v56 ^ _t545 - 0x00000220, _t528, _t552, _t553);
			}

0x7ff6980f10f0
0x7ff6980f10f0
0x7ff6980f10f0
0x7ff6980f10f0
0x7ff6980f1103
0x7ff6980f110f
0x7ff6980f1113
0x7ff6980f1117
0x7ff6980f111b
0x7ff6980f1125
0x7ff6980f112d
0x7ff6980f1130
0x7ff6980f1132
0x7ff6980f1135
0x7ff6980f1138
0x7ff6980f1140
0x7ff6980f1144
0x7ff6980f1149
0x7ff6980f1154
0x7ff6980f115b
0x7ff6980f1168
0x7ff6980f117e
0x7ff6980f1186
0x7ff6980f1188
0x7ff6980f118c
0x7ff6980f119f
0x7ff6980f11a2
0x7ff6980f11b4
0x7ff6980f11bb
0x7ff6980f11d0
0x7ff6980f11d2
0x7ff6980f11d6
0x7ff6980f11dc
0x7ff6980f11ec
0x7ff6980f11f2
0x7ff6980f11fe
0x7ff6980f1205
0x7ff6980f121a
0x7ff6980f121c
0x7ff6980f1220
0x7ff6980f1232
0x7ff6980f1237
0x7ff6980f123d
0x7ff6980f1243
0x7ff6980f1251
0x7ff6980f125b
0x7ff6980f1260
0x7ff6980f126c
0x7ff6980f1274
0x7ff6980f1286
0x7ff6980f1290
0x7ff6980f129a
0x7ff6980f12a8
0x7ff6980f12b2
0x7ff6980f12b7
0x7ff6980f12c3
0x7ff6980f12cb
0x7ff6980f12dd
0x7ff6980f12e7
0x7ff6980f12f1
0x7ff6980f12ff
0x7ff6980f1309
0x7ff6980f130e
0x7ff6980f131a
0x7ff6980f1322
0x7ff6980f1334
0x7ff6980f133e
0x7ff6980f1348
0x7ff6980f1355
0x7ff6980f1360
0x7ff6980f1368
0x7ff6980f136f
0x7ff6980f1372
0x7ff6980f1374
0x7ff6980f1377
0x7ff6980f137c
0x7ff6980f1381
0x7ff6980f1386
0x7ff6980f1394
0x7ff6980f13ab
0x7ff6980f13b4
0x7ff6980f13c4
0x7ff6980f13d2
0x7ff6980f13e3
0x7ff6980f13e5
0x7ff6980f13ea
0x7ff6980f13f2
0x7ff6980f13fa
0x7ff6980f140a
0x7ff6980f1419
0x7ff6980f1430
0x7ff6980f1447
0x7ff6980f145e
0x7ff6980f1466
0x7ff6980f1473
0x7ff6980f1480
0x7ff6980f1488
0x7ff6980f1495
0x7ff6980f149a
0x7ff6980f14b9
0x7ff6980f14c1
0x7ff6980f14c9
0x7ff6980f14d1
0x7ff6980f14d9
0x7ff6980f14f0
0x7ff6980f14f6
0x7ff6980f14fb
0x7ff6980f1506
0x7ff6980f1508
0x7ff6980f150d
0x7ff6980f1512
0x7ff6980f151c
0x7ff6980f1521
0x7ff6980f1529
0x7ff6980f152b
0x7ff6980f1535
0x7ff6980f153d
0x7ff6980f1545
0x7ff6980f154a
0x7ff6980f1553
0x7ff6980f155b
0x7ff6980f1564
0x7ff6980f156a
0x7ff6980f1572
0x7ff6980f1582
0x7ff6980f158f
0x7ff6980f1596
0x7ff6980f15ad
0x7ff6980f15b8
0x7ff6980f15b8
0x7ff6980f15bc
0x7ff6980f15cb
0x7ff6980f15cd
0x7ff6980f15d2
0x7ff6980f15d7
0x7ff6980f15dc
0x7ff6980f15e6
0x7ff6980f15f5
0x7ff6980f15ff
0x7ff6980f1604
0x7ff6980f1610
0x7ff6980f1618
0x7ff6980f162a
0x7ff6980f1634
0x7ff6980f1639
0x7ff6980f1645
0x7ff6980f164d
0x7ff6980f165f
0x7ff6980f1669
0x7ff6980f1673
0x7ff6980f1681
0x7ff6980f1698
0x7ff6980f16a1
0x7ff6980f16b1
0x7ff6980f16bf
0x7ff6980f16d0
0x7ff6980f16d2
0x7ff6980f16d7
0x7ff6980f16df
0x7ff6980f16e7
0x7ff6980f16f7
0x7ff6980f16fc
0x7ff6980f1709
0x7ff6980f1716
0x7ff6980f1723
0x7ff6980f172b
0x7ff6980f1738
0x7ff6980f1745
0x7ff6980f174d
0x7ff6980f175a
0x7ff6980f175f
0x7ff6980f177e
0x7ff6980f1786
0x7ff6980f178e
0x7ff6980f1796
0x7ff6980f179e
0x7ff6980f17b5
0x7ff6980f17bb
0x7ff6980f17c0
0x7ff6980f17cb
0x7ff6980f17cd
0x7ff6980f17d2
0x7ff6980f17d7
0x7ff6980f17e1
0x7ff6980f17e6
0x7ff6980f17ee
0x7ff6980f17f0
0x7ff6980f17fa
0x7ff6980f1802
0x7ff6980f180a
0x7ff6980f180f
0x7ff6980f1818
0x7ff6980f1820
0x7ff6980f1829
0x7ff6980f1837
0x7ff6980f1847
0x7ff6980f184c
0x7ff6980f1862
0x7ff6980f186d
0x7ff6980f186d
0x7ff6980f1871
0x7ff6980f1880
0x7ff6980f1882
0x7ff6980f1887
0x7ff6980f188c
0x7ff6980f1891
0x7ff6980f189b
0x7ff6980f18aa
0x7ff6980f18b4
0x7ff6980f18b9
0x7ff6980f18c5
0x7ff6980f18cd
0x7ff6980f18df
0x7ff6980f18e9
0x7ff6980f18ee
0x7ff6980f18fa
0x7ff6980f1902
0x7ff6980f1914
0x7ff6980f191e
0x7ff6980f1928
0x7ff6980f1930
0x7ff6980f1932
0x7ff6980f193c
0x7ff6980f1944
0x7ff6980f194b
0x7ff6980f1952
0x7ff6980f1959
0x7ff6980f1960
0x7ff6980f1967
0x7ff6980f196e
0x7ff6980f1973
0x7ff6980f1978
0x7ff6980f197b
0x7ff6980f1983
0x7ff6980f1993
0x7ff6980f19ac
0x7ff6980f19b7
0x7ff6980f19b7
0x7ff6980f19bb
0x7ff6980f19d2
0x7ff6980f19d4
0x7ff6980f19d9
0x7ff6980f19de
0x7ff6980f19e3
0x7ff6980f19ed
0x7ff6980f19fc
0x7ff6980f1a06
0x7ff6980f1a0b
0x7ff6980f1a17
0x7ff6980f1a1f
0x7ff6980f1a31
0x7ff6980f1a3b
0x7ff6980f1a40
0x7ff6980f1a4c
0x7ff6980f1a54
0x7ff6980f1a66
0x7ff6980f1a70
0x7ff6980f1a77
0x7ff6980f1a8d
0x7ff6980f1a98
0x7ff6980f1a98
0x7ff6980f1a9c
0x7ff6980f1aab
0x7ff6980f1aad
0x7ff6980f1ab2
0x7ff6980f1ab7
0x7ff6980f1abc
0x7ff6980f1ac6
0x7ff6980f1ad5
0x7ff6980f1adf
0x7ff6980f1ae4
0x7ff6980f1af0
0x7ff6980f1af8
0x7ff6980f1b0a
0x7ff6980f1b14
0x7ff6980f1b19
0x7ff6980f1b25
0x7ff6980f1b2d
0x7ff6980f1b3f
0x7ff6980f1b49
0x7ff6980f1b83

APIs

lstrcmpiW.KERNELBASE ref: 00007FF6980F117E
lstrcmpiW.KERNEL32 ref: 00007FF6980F11C8
lstrcmpiW.KERNEL32 ref: 00007FF6980F1212

Part of subcall function 00007FF6980F28C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F2960
Part of subcall function 00007FF6980F28C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F29AF

Part of subcall function 00007FF69812B620: GetFileAttributesW.KERNELBASE ref: 00007FF69812B64B
Part of subcall function 00007FF69812B620: GetLastError.KERNEL32 ref: 00007FF69812B67F

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F1508
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F152B
MoveFileExW.KERNEL32 ref: 00007FF6980F15BC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F17CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F17F0
MoveFileExW.KERNEL32 ref: 00007FF6980F1871

Part of subcall function 00007FF69812B6B0: lstrcpyW.KERNEL32 ref: 00007FF69812B859
Part of subcall function 00007FF69812B6B0: lstrcatW.KERNEL32 ref: 00007FF69812B86E
Part of subcall function 00007FF69812B6B0: lstrcatW.KERNEL32 ref: 00007FF69812B88D

SleepEx.KERNEL32 ref: 00007FF6980F193C
MoveFileExW.KERNELBASE ref: 00007FF6980F19BB
MoveFileExW.KERNEL32 ref: 00007FF6980F1A9C

Strings

-wait, xrefs: 00007FF6980F1207
-exec, xrefs: 00007FF6980F1173
-args, xrefs: 00007FF6980F11BD

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$File$Move$lstrcmpi$lstrcat$AttributesErrorLastSleeplstrcpy
String ID: -args$-exec$-wait
API String ID: 3695391189-3543574200
Opcode ID: b47439b2d598f34099cd404de5d1fba8806b7a4de36602e438ec1d6f7ee21c83
Instruction ID: 2bcf356e1e3c8c3e1ba09167a0ae98fd182c28166e331853d77eaf35a7eb1aed
Opcode Fuzzy Hash: b47439b2d598f34099cd404de5d1fba8806b7a4de36602e438ec1d6f7ee21c83
Instruction Fuzzy Hash: 5742E43261CBC281E7719B25F8843AEB3A4FB85788F904165DACD87A99DF3CD454DB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812B6B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149
stringprocessCOMMONLIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00007FF67FF69812B6B0(void* __ebx, signed int __ecx, void* __rax, signed long long* __rcx, void* __rdx, void* __r8, signed long long __r9, void* __r11, long long _a8, long long _a16, long long _a24, long long _a32, intOrPtr _a40, char _a48, intOrPtr _a56, long long _a72, long long _a80, long long _a88, char _a96, intOrPtr _a104, long long _a128, char _a136, char _a144, intOrPtr _a196, char _a200, char _a248, char _a256, long long _a272, long long _a280, char _a296, signed int _a65832) {
				intOrPtr _v0;
				intOrPtr _v8;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r12;
				void* _t79;
				signed long long _t114;
				signed long long _t115;
				void* _t119;
				void* _t145;
				void* _t150;
				void* _t151;
				long long _t152;
				void* _t153;
				signed long long _t159;
				void* _t161;
				long long _t163;

				_t159 = __r9;
				_t92 = __ecx;
				E00007FF67FF69812C0A0(0x10160, __rax, _t161, __r11);
				_t154 = _t153 - __rax;
				_a88 = 0xfffffffe;
				_t114 =  *0x98140430; // 0x4918c2c043f
				_t115 = _t114 ^ _t153 - __rax;
				_a65832 = _t115;
				_t151 = __r8;
				_t119 = __rdx;
				_t152 = __rcx;
				r12d = 0;
				_a40 = r12d;
				 *__rcx = _t115;
				__rcx[1] = _t115;
				__rcx[2] = _t115;
				_a136 = 0x68;
				_t7 = _t163 + 0x60; // 0x60
				r8d = _t7;
				E00007FF67FF69810B240(0, __ecx, 0,  &_a144, __rdx, __r8);
				_a196 = 1;
				_a200 = r12w;
				if ( *((intOrPtr*)(__r8 + 0x18)) == _t150) goto 0x9812b900;
				_t12 = _t163 + 1; // 0x1
				r9d = _t12;
				r8d = 0;
				E00007FF67FF6980F4AA0(_t159);
				if (_t115 == 0xffffffff) goto 0x9812b79d;
				E00007FF67FF6980F6580(0, _t115 - 0xffffffff, _t115, __rdx,  &_a96, "\"", __r8, __rcx, __rdx, _t159, _t163);
				_a40 = 1;
				E00007FF67FF6980F6650(0, _t115 - 0xffffffff, _t115, _t119,  &_a48, _t115, _t151, "\"", _t159);
				_a40 = 3;
				goto 0x9812b7a0;
				_a280 = 7;
				_a272 = _t163;
				_a256 = r12w;
				r8d = 0;
				E00007FF67FF6980F2390(_t119,  &_a248, _t119, _t150, _t151, _t152, "\"", _t159 | 0xffffffff);
				if ((dil & 0x00000002) == 0) goto 0x9812b804;
				if (_a80 - 8 < 0) goto 0x9812b7f0;
				E00007FF67FF6981044D8(_t119, _t119, _a56, _t119, _t151, "\"", _t159 | 0xffffffff);
				_a80 = 7;
				_a72 = _t163;
				_a56 = r12w;
				if ((dil & 0x00000001) == 0) goto 0x9812b822;
				if (_a128 - 8 < 0) goto 0x9812b822;
				_t79 = E00007FF67FF6981044D8(_t119, _t119, _a104, _t119, _t151, "\"", _t159 | 0xffffffff);
				r8d = 0xfffe;
				E00007FF67FF69810B240(_t79, _t92, 0,  &_a296, _t119, "\"");
				_t145 =  >=  ? _a256 :  &_a256;
				lstrcpyW(??, ??);
				lstrcatW(??, ??);
				if ( *((long long*)(_t151 + 0x20)) - 8 < 0) goto 0x9812b881;
				goto 0x9812b885;
				lstrcatW(??, ??);
				if ( *((long long*)(_t119 + 0x20)) - 8 < 0) goto 0x9812b8a0;
				goto 0x9812b8a4;
				_a32 = _t152;
				_a24 =  &_a136;
				_a16 = _t163;
				_a8 = _t163;
				_v0 = r12d;
				_v8 = r12d;
				r9d = 0;
				r8d = 0;
				CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				if (_a280 - 8 < 0) goto 0x9812b8fc;
				E00007FF67FF6981044D8( &_a136, _t119, _a256,  &_a296, _t151, "\"", _t159 | 0xffffffff);
				goto 0x9812b94b;
				if ( *((long long*)(_t119 + 0x20)) - 8 < 0) goto 0x9812b90d;
				goto 0x9812b911;
				_a32 = _t152;
				_a24 =  &_a136;
				_a16 = _t163;
				_a8 = _t163;
				_v0 = r12d;
				_v8 = r12d;
				r9d = 0;
				r8d = 0;
				CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				return E00007FF67FF698104050(_t92, _a65832 ^ _t154,  &_a296, "\"", _t159 | 0xffffffff);
			}

0x7ff69812b6b0
0x7ff69812b6b0
0x7ff69812b6bc
0x7ff69812b6c1
0x7ff69812b6c4
0x7ff69812b6d0
0x7ff69812b6d7
0x7ff69812b6da
0x7ff69812b6e2
0x7ff69812b6e5
0x7ff69812b6e8
0x7ff69812b6eb
0x7ff69812b6f1
0x7ff69812b6f8
0x7ff69812b6fb
0x7ff69812b6ff
0x7ff69812b703
0x7ff69812b710
0x7ff69812b710
0x7ff69812b71d
0x7ff69812b722
0x7ff69812b72d
0x7ff69812b73a
0x7ff69812b740
0x7ff69812b740
0x7ff69812b745
0x7ff69812b752
0x7ff69812b75b
0x7ff69812b76f
0x7ff69812b775
0x7ff69812b78c
0x7ff69812b797
0x7ff69812b79b
0x7ff69812b7a0
0x7ff69812b7ac
0x7ff69812b7b4
0x7ff69812b7c1
0x7ff69812b7cf
0x7ff69812b7d9
0x7ff69812b7e4
0x7ff69812b7eb
0x7ff69812b7f0
0x7ff69812b7f9
0x7ff69812b7fe
0x7ff69812b808
0x7ff69812b813
0x7ff69812b81d
0x7ff69812b824
0x7ff69812b832
0x7ff69812b848
0x7ff69812b859
0x7ff69812b86e
0x7ff69812b879
0x7ff69812b87f
0x7ff69812b88d
0x7ff69812b898
0x7ff69812b89e
0x7ff69812b8a4
0x7ff69812b8b1
0x7ff69812b8b6
0x7ff69812b8bb
0x7ff69812b8c0
0x7ff69812b8c5
0x7ff69812b8ca
0x7ff69812b8cd
0x7ff69812b8d8
0x7ff69812b8ed
0x7ff69812b8f7
0x7ff69812b8fe
0x7ff69812b905
0x7ff69812b90b
0x7ff69812b911
0x7ff69812b91e
0x7ff69812b923
0x7ff69812b928
0x7ff69812b92d
0x7ff69812b932
0x7ff69812b937
0x7ff69812b93a
0x7ff69812b93f
0x7ff69812b968

APIs

lstrcpyW.KERNEL32 ref: 00007FF69812B859
lstrcatW.KERNEL32 ref: 00007FF69812B86E
lstrcatW.KERNEL32 ref: 00007FF69812B88D
CreateProcessW.KERNELBASE ref: 00007FF69812B8D8
CreateProcessW.KERNEL32 ref: 00007FF69812B93F

Strings

h, xrefs: 00007FF69812B703

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: CreateProcesslstrcat$lstrcpy
String ID: h
API String ID: 3136576379-2439710439
Opcode ID: 921a10a08777df4f326595dd1351c16fdca3307fa6b663e0858bbc25aff6aeb9
Instruction ID: 904d009df34540660a17cf1b89543b0f1d8ad1eaff5c55d242de4d326bda883b
Opcode Fuzzy Hash: 921a10a08777df4f326595dd1351c16fdca3307fa6b663e0858bbc25aff6aeb9
Instruction Fuzzy Hash: BA618172518AC2C2EB30CF24E8447AA73A1FB85354F904275DADD86AE8DF3CD595CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810574C Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 00007FF698105775
DecodePointer.KERNEL32 ref: 00007FF6981057A8
DecodePointer.KERNEL32 ref: 00007FF6981057C5
DecodePointer.KERNEL32 ref: 00007FF698105804
DecodePointer.KERNEL32 ref: 00007FF69810581D
DecodePointer.KERNEL32 ref: 00007FF69810582C
_initterm.LIBCMT ref: 00007FF69810586B
_initterm.LIBCMT ref: 00007FF69810587E
ExitProcess.KERNEL32 ref: 00007FF6981058B7

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: f7ab496e4a34eae790cf03e36a8f78beb75be275483b8bc54828459c6ad654f5
Instruction ID: d2a97860feee69ef10e58cb70cfffb61ff679f8870a10de59ae3d1f72830ed15
Opcode Fuzzy Hash: f7ab496e4a34eae790cf03e36a8f78beb75be275483b8bc54828459c6ad654f5
Instruction Fuzzy Hash: B0415021A0E64381E6709F32EC406B97295FF88788F9440B9DA5DD77A6DF3CE4A5C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981045E0 Relevance: 9.1, APIs: 6, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FF67FF6981045E0(void* __rax, void* __rcx) {
				void* _t2;

				goto 0x981045fa;
				if (E00007FF67FF69810BC98(__rax, __rcx) == 0) goto 0x9810460a;
				_t2 = malloc(??);
				if (__rax == 0) goto 0x981045eb;
				return _t2;
			}

0x7ff6981045e9
0x7ff6981045f5
0x7ff6981045fa
0x7ff698104602
0x7ff698104609

APIs

malloc.LIBCMT ref: 00007FF6981045FA

Part of subcall function 00007FF6981048B0: _FF_MSGBANNER.LIBCMT ref: 00007FF6981048E0
Part of subcall function 00007FF6981048B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69810A598,?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF698104905
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104929
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104934

_FF_MSGBANNER.LIBCMT ref: 00007FF698104709
_FF_MSGBANNER.LIBCMT ref: 00007FF698104734
_RTC_Initialize.LIBCMT ref: 00007FF69810474D
GetCommandLineW.KERNEL32 ref: 00007FF698104766
_cinit.LIBCMT ref: 00007FF6981047A6

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$AllocateCommandHeapInitializeLine_cinitmalloc
String ID:
API String ID: 2456440378-0
Opcode ID: d9342fbc873394faf5c233f4d5feb5bd075710e0ef0b8a8265e5b7922b41a891
Instruction ID: 33671136b5537996c3d96890c84858c3ab7e71295b32c47a49259d31c89d174d
Opcode Fuzzy Hash: d9342fbc873394faf5c233f4d5feb5bd075710e0ef0b8a8265e5b7922b41a891
Instruction Fuzzy Hash: 15512C61E0C24786FA70AFB4A8912B92291EF91348FD405B9D64EC76D3EF6CE460D70D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810C75C Relevance: 7.7, APIs: 5, Instructions: 199
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00007FF67FF69810C75C(void* __ecx, signed long long __rbx, void* __rdx, signed long long __rdi, signed long long __rsi, signed long long __r12) {
				void* _v24;
				signed long long* _v64;
				intOrPtr _v70;
				void* _v136;
				signed int _t63;
				signed int _t65;
				signed char _t74;
				signed int _t75;
				signed int _t83;
				signed int _t86;
				void* _t88;
				signed int _t95;
				signed long long* _t127;
				signed long long* _t129;
				signed long long* _t131;
				long long _t136;
				long long* _t140;
				signed long long _t151;
				signed long long _t153;
				signed char* _t158;
				void* _t162;
				signed long long* _t163;
				signed long long* _t166;
				signed long long* _t168;
				long long* _t174;
				void* _t176;
				signed char* _t177;
				void* _t180;
				struct _STARTUPINFOA* _t184;

				_t151 = __rdi;
				_t150 = __rdx;
				_t137 = __rbx;
				_t127 = _t163;
				_t127[1] = __rbx;
				_t127[2] = __rsi;
				_t127[3] = __rdi;
				_t127[4] = __r12;
				GetStartupInfoA(_t184);
				_t6 = _t150 - 0x38; // 0x20
				r12d = _t6;
				E00007FF67FF69810A5E0(__rbx, __r12, __rdx, __rdi, __rsi, _t162, _t180, _t176);
				_t166 = _t127;
				r15d = 0;
				if (_t127 != _t184) goto 0x9810c7ac;
				goto 0x9810ca27;
				 *0x981489e0 = _t127;
				 *0x981489c0 = r12d;
				if (_t166 -  &(_t127[0x160]) >= 0) goto 0x9810c80a;
				_t166[1] = r15b;
				 *_t166 =  *_t166 | 0xffffffff;
				_t166[1] = 0xa;
				_t166[1] = r15d;
				_t166[7] = r15b;
				_t166[7] = 0xa;
				_t166[7] = 0xa;
				_t166[0xa] = r15d;
				_t166[9] = r15b;
				_t129 =  *0x981489e0; // 0x29a0b10
				if ( &(_t166[0xb]) - _t129 + 0xb00 < 0) goto 0x9810c7c7;
				_t86 =  *0x981489c0; // 0x20
				if (_v70 == r15w) goto 0x9810c95f;
				_t131 = _v64;
				if (_t131 == _t184) goto 0x9810c95f;
				_t177 =  &(_t131[0]);
				_t158 =  &(_t177[ *_t131]);
				_t82 =  <  ?  *_t131 : 0x800;
				if (_t86 - 0x800 >= 0) goto 0x9810c8d2;
				E00007FF67FF69810A5E0(_t137, __r12, _t150, _t151, _t158, _t162);
				_t168 = _t131;
				if (_t131 == _t184) goto 0x9810c8ca;
				0x981489e0[_t151] = _t131;
				_t63 =  *0x981489c0; // 0x20
				 *0x981489c0 = _t63 + r12d;
				_t20 =  &(_t168[0x160]); // 0xb00
				if (_t168 - _t20 >= 0) goto 0x9810c8c1;
				_t168[1] = r15b;
				 *_t168 =  *_t168 | 0xffffffff;
				_t168[1] = 0xa;
				_t168[1] = r15d;
				_t168[7] = _t168[7] & 0x00000080;
				_t168[7] = 0xa;
				_t168[7] = 0xa;
				_t168[0xa] = r15d;
				_t168[9] = r15b;
				if ( &(_t168[0xb]) -  &(0x981489e0[_t151][0x160]) < 0) goto 0x9810c880;
				_t65 =  *0x981489c0; // 0x20
				_t107 = _t65 - ( <  ?  *_t131 : 0x800);
				if (_t65 - ( <  ?  *_t131 : 0x800) < 0) goto 0x9810c84c;
				goto 0x9810c8d9;
				_t83 =  *0x981489c0; // 0x20
				goto 0x9810c8d9;
				_t95 = r15d;
				if (_t83 - r15d <= 0) goto 0x9810c95f;
				if ( *_t158 == 0xffffffff) goto 0x9810c952;
				if ( *_t158 == 0xfffffffe) goto 0x9810c952;
				if (( *_t177 & 0x00000001) == 0) goto 0x9810c952;
				if (( *_t177 & 0x00000008) != 0) goto 0x9810c909;
				if (GetFileType(??) == r15d) goto 0x9810c952;
				r12d = r12d & 0x0000001f;
				_t174 = 0x981489e0[_t95 >> 5] + _t95 * 0x58;
				_t136 =  *_t158;
				 *_t174 = _t136;
				 *((char*)(_t174 + 8)) =  *_t177;
				if (E00007FF67FF698110438() == r15d) goto 0x9810c94a;
				 *((intOrPtr*)(_t174 + 0xc)) =  *((intOrPtr*)(_t174 + 0xc)) + 1;
				goto 0x9810c952;
				goto 0x9810ca27;
				if (_t95 + 1 - _t83 < 0) goto 0x9810c8e1;
				r12d = r15d;
				_t153 = _t184;
				_t140 =  *0x981489e0 + _t153 * 0x58;
				if ( *_t140 == 0xffffffff) goto 0x9810c985;
				if ( *_t140 == 0xfffffffe) goto 0x9810c985;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000080;
				goto 0x9810ca04;
				 *(_t140 + 8) = 0x81;
				asm("sbb ecx, ecx");
				_t88 =  ==  ? 0xfffffff6 : _t86 + 0xfffffff5;
				GetStdHandle(??);
				if (_t136 == 0xffffffff) goto 0x9810c9f9;
				if (_t136 == _t184) goto 0x9810c9f9;
				_t74 = GetFileType(??); // executed
				if (_t74 == r15d) goto 0x9810c9f9;
				 *_t140 = _t136;
				_t75 = _t74 & 0x000000ff;
				if (_t75 != 2) goto 0x9810c9d3;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000040;
				goto 0x9810c9dc;
				if (_t75 != 3) goto 0x9810c9dc;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000008;
				if (E00007FF67FF698110438() == r15d) goto 0x9810c9f4;
				 *((intOrPtr*)(_t140 + 0xc)) =  *((intOrPtr*)(_t140 + 0xc)) + 1;
				goto 0x9810ca04;
				goto 0x9810ca27;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000040;
				 *_t140 = 0xfffffffe;
				r12d = r12d + 1;
				if (_t153 + 1 - 3 < 0) goto 0x9810c965;
				SetHandleCount(??);
				return 0xffffffff;
			}

0x7ff69810c75c
0x7ff69810c75c
0x7ff69810c75c
0x7ff69810c75c
0x7ff69810c75f
0x7ff69810c763
0x7ff69810c767
0x7ff69810c76b
0x7ff69810c781
0x7ff69810c78d
0x7ff69810c78d
0x7ff69810c794
0x7ff69810c799
0x7ff69810c79c
0x7ff69810c7a2
0x7ff69810c7a7
0x7ff69810c7ac
0x7ff69810c7b6
0x7ff69810c7c5
0x7ff69810c7c7
0x7ff69810c7cb
0x7ff69810c7cf
0x7ff69810c7d4
0x7ff69810c7d8
0x7ff69810c7dc
0x7ff69810c7e1
0x7ff69810c7e6
0x7ff69810c7ea
0x7ff69810c7f2
0x7ff69810c802
0x7ff69810c804
0x7ff69810c810
0x7ff69810c816
0x7ff69810c81e
0x7ff69810c824
0x7ff69810c82b
0x7ff69810c835
0x7ff69810c83f
0x7ff69810c854
0x7ff69810c859
0x7ff69810c85f
0x7ff69810c861
0x7ff69810c865
0x7ff69810c86e
0x7ff69810c874
0x7ff69810c87e
0x7ff69810c880
0x7ff69810c884
0x7ff69810c888
0x7ff69810c88d
0x7ff69810c891
0x7ff69810c896
0x7ff69810c89b
0x7ff69810c8a0
0x7ff69810c8a4
0x7ff69810c8b9
0x7ff69810c8bb
0x7ff69810c8c4
0x7ff69810c8c6
0x7ff69810c8c8
0x7ff69810c8ca
0x7ff69810c8d0
0x7ff69810c8d9
0x7ff69810c8df
0x7ff69810c8e5
0x7ff69810c8eb
0x7ff69810c8f2
0x7ff69810c8f9
0x7ff69810c907
0x7ff69810c913
0x7ff69810c91b
0x7ff69810c91f
0x7ff69810c922
0x7ff69810c92a
0x7ff69810c941
0x7ff69810c943
0x7ff69810c948
0x7ff69810c94d
0x7ff69810c95d
0x7ff69810c95f
0x7ff69810c962
0x7ff69810c96c
0x7ff69810c977
0x7ff69810c97d
0x7ff69810c97f
0x7ff69810c983
0x7ff69810c985
0x7ff69810c990
0x7ff69810c99d
0x7ff69810c9a0
0x7ff69810c9ad
0x7ff69810c9b2
0x7ff69810c9b7
0x7ff69810c9c0
0x7ff69810c9c2
0x7ff69810c9c5
0x7ff69810c9cb
0x7ff69810c9cd
0x7ff69810c9d1
0x7ff69810c9d6
0x7ff69810c9d8
0x7ff69810c9ed
0x7ff69810c9ef
0x7ff69810c9f2
0x7ff69810c9f7
0x7ff69810c9f9
0x7ff69810c9fd
0x7ff69810ca04
0x7ff69810ca0e
0x7ff69810ca1a
0x7ff69810ca48

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF69810C781

Part of subcall function 00007FF69810A5E0: Sleep.KERNEL32(?,?,?,00007FF69810B8EB,?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871), ref: 00007FF69810A625

GetFileType.KERNEL32 ref: 00007FF69810C8FE

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: 8533c35c8a20efeb12ed51f4efd1269282dbaf34b7f114ec22bf48b726a2f410
Instruction ID: 22c5a92e69e4a3fffe54a2d3fb5ba11ce76f1e90b43aba06723f04b35a8eafeb
Opcode Fuzzy Hash: 8533c35c8a20efeb12ed51f4efd1269282dbaf34b7f114ec22bf48b726a2f410
Instruction Fuzzy Hash: 11919C61A08A8381E7208F38D8486283B95FB457B4FA587B6C67D873D1DF3DE856C709

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698108520 Relevance: 6.4, APIs: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00007FF67FF698108520(long long __rax, long long __rbx, void* __rcx, void* __rdx, void* __r8, long long _a8, long long _a24) {
				long long _v64;
				long long _v72;
				void* __rsi;
				void* __rbp;
				signed int _t53;
				signed int _t55;
				void* _t57;
				void* _t63;
				void* _t64;
				void* _t65;
				long long _t68;
				void* _t78;
				void* _t96;
				long long _t97;
				void* _t99;
				long long _t100;
				intOrPtr _t106;
				void* _t109;
				long long _t113;

				_t92 = __rdx;
				_t68 = __rax;
				_a8 = __rbx;
				_t78 = __rcx;
				r12d = 1;
				E00007FF67FF69810A574(_t57, __rax, __rcx, __rcx, _t96, _t99); // executed
				_t97 = _t68;
				_a24 = _t68;
				if (_t97 == _t68) goto 0x981086f1;
				_t3 = _t97 + 4; // 0x4
				_t100 = _t3;
				_t4 = _t78 + 0x68; // 0x68
				_t5 = _t109 + 2; // 0x3
				r8d = _t5;
				 *_t100 = 0;
				 *_t97 = r12d;
				_t106 =  *0x98130c88; // 0x7ff698130c50
				_v64 =  *_t4;
				_v72 = 0x98130d90;
				E00007FF67FF6981082BC(_t100, __rdx, _t106);
				_t8 = _t78 + 0x88; // 0x88
				if (E00007FF67FF698113850(0x98130d90, _t100, _t92, _t97, _t100, 0x98130d8c) == 0) goto 0x981085db;
				r9d = 0;
				r8d = 0;
				_v72 = _t97;
				E00007FF67FF698104308();
				E00007FF67FF69810BBE0(0,  *_t4,  *_t8);
				r8d = 3;
				_t53 =  !=  ? 0 : r12d;
				_t11 = _t78 + 0x48; // 0x4a
				_t113 = (_t109 + 1 << 5) + _t11;
				_v64 =  *_t113;
				_v72 = 0x98130d90;
				E00007FF67FF6981082BC(_t100,  *_t8,  *0x98130c88);
				if (0x7ff698130ca0 - 0x98130ce8 < 0) goto 0x981085af;
				r13d = 0;
				if (_t53 != r13d) goto 0x98108697;
				_t63 =  *((intOrPtr*)(_t78 + 0x58)) - _t113;
				if (_t63 == 0) goto 0x9810866e;
				asm("lock xadd [ecx], eax");
				if (_t63 != 0) goto 0x9810866e;
				free(??);
				_t64 =  *((intOrPtr*)(_t78 + 0x60)) - _t113;
				if (_t64 == 0) goto 0x9810868a;
				asm("lock xadd [edx], ecx");
				if (_t64 != 0) goto 0x9810868a;
				free(??);
				 *((long long*)(_t78 + 0x58)) = _a24;
				 *((long long*)(_t78 + 0x48)) = _t100;
				goto 0x981086e9;
				free(??);
				_t55 = _t53 | 0xffffffff;
				_t65 =  *((intOrPtr*)(_t78 + 0x58)) - _t113;
				if (_t65 == 0) goto 0x981086be;
				asm("lock xadd [ecx], eax");
				if (_t65 != 0) goto 0x981086be;
				free(??);
				if ( *((intOrPtr*)(_t78 + 0x60)) == _t113) goto 0x981086da;
				asm("lock xadd [edx], ecx");
				if (_t55 + _t55 != 0) goto 0x981086da;
				free(??);
				 *((long long*)(_t78 + 0x58)) = _t113;
				 *((long long*)(_t78 + 0x48)) = _t113;
				 *((long long*)(_t78 + 0x50)) = _t113;
				 *((long long*)(_t78 + 0x60)) = _t113;
				return _t55 + _t55;
			}

0x7ff698108520
0x7ff698108520
0x7ff698108520
0x7ff698108534
0x7ff698108537
0x7ff698108545
0x7ff69810854a
0x7ff69810854d
0x7ff69810855a
0x7ff698108560
0x7ff698108560
0x7ff698108564
0x7ff698108568
0x7ff698108568
0x7ff69810856d
0x7ff698108570
0x7ff698108577
0x7ff69810857e
0x7ff698108592
0x7ff698108597
0x7ff69810859f
0x7ff6981085c5
0x7ff6981085c7
0x7ff6981085ca
0x7ff6981085d1
0x7ff6981085d6
0x7ff6981085e3
0x7ff6981085ed
0x7ff6981085f8
0x7ff698108610
0x7ff698108610
0x7ff698108619
0x7ff698108625
0x7ff69810862a
0x7ff698108639
0x7ff698108647
0x7ff69810864d
0x7ff698108656
0x7ff698108659
0x7ff69810865d
0x7ff698108663
0x7ff698108669
0x7ff698108672
0x7ff698108675
0x7ff698108679
0x7ff69810867f
0x7ff698108685
0x7ff69810868a
0x7ff69810868e
0x7ff698108695
0x7ff69810869a
0x7ff6981086a3
0x7ff6981086a6
0x7ff6981086a9
0x7ff6981086ad
0x7ff6981086b3
0x7ff6981086b9
0x7ff6981086c5
0x7ff6981086c9
0x7ff6981086cf
0x7ff6981086d5
0x7ff6981086e1
0x7ff6981086e5
0x7ff6981086e9
0x7ff6981086ed
0x7ff698108705

APIs

Part of subcall function 00007FF69810A574: malloc.LIBCMT ref: 00007FF69810A593
Part of subcall function 00007FF69810A574: Sleep.KERNEL32(?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF69810A5AA

Part of subcall function 00007FF698113850: _errno.LIBCMT ref: 00007FF69811386B

free.LIBCMT ref: 00007FF698108669
free.LIBCMT ref: 00007FF698108685

Part of subcall function 00007FF698104308: RtlCaptureContext.KERNEL32 ref: 00007FF698104347
Part of subcall function 00007FF698104308: IsDebuggerPresent.KERNEL32 ref: 00007FF6981043E5
Part of subcall function 00007FF698104308: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6981043EF
Part of subcall function 00007FF698104308: UnhandledExceptionFilter.KERNEL32 ref: 00007FF6981043FA
Part of subcall function 00007FF698104308: GetCurrentProcess.KERNEL32 ref: 00007FF698104410
Part of subcall function 00007FF698104308: TerminateProcess.KERNEL32 ref: 00007FF69810441E

free.LIBCMT ref: 00007FF69810869A

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

free.LIBCMT ref: 00007FF6981086B9
free.LIBCMT ref: 00007FF6981086D5

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminatemalloc
String ID:
API String ID: 2327265721-0
Opcode ID: def5f98aa189ed1fb9de0a002abd7351bc365c7a9b586d71034df92824fd45d2
Instruction ID: 57fb61641f55dc774862a9ef9ba27ea3dce36eab7b24ca5608cc214ac9314dd1
Opcode Fuzzy Hash: def5f98aa189ed1fb9de0a002abd7351bc365c7a9b586d71034df92824fd45d2
Instruction Fuzzy Hash: 3551B232A09A8282EB309F35EC5016E3795FB84B98F894176DE5DC7794CE3CD996C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698108E74 Relevance: 6.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00007FF67FF698108E74(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, signed int __r12, long long _a8, long long _a16, signed int* _a24, long long _a32) {
				signed int* _v40;
				signed int _v56;
				void* _t36;
				void* _t49;
				void* _t50;
				intOrPtr _t56;
				void* _t63;
				void* _t64;
				signed int* _t75;
				signed int _t92;
				intOrPtr _t96;
				signed int* _t99;
				signed int* _t102;
				void* _t110;
				intOrPtr _t111;
				void* _t115;

				_t110 = __r9;
				_t108 = __r8;
				_t104 = __rbp;
				_t91 = __rdx;
				_t81 = __rcx;
				_t80 = __rbx;
				_t75 = __rax;
				_t64 = __esi;
				_t63 = __edi;
				_t50 = __ebx;
				_a8 = __rsi;
				_a16 = __rdi;
				_a32 = __r12;
				_t115 = __rdx;
				r14d = __ecx;
				r12d = 0;
				_t65 = __ecx - 5;
				if (__ecx - 5 <= 0) goto 0x98108ec1;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 0x16;
				_v56 = _v56 & __r12;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(__rax, __rbx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0x98109077;
				E00007FF67FF69810B93C(0, _t65, __rax);
				_t102 = _t75;
				_a24 = _t75;
				E00007FF67FF69810819C(_t75);
				_t102[0x32] = _t102[0x32] | 0x00000010;
				E00007FF67FF69810A5E0(_t80, _t81, _t91, __rdi, _t102, _t104);
				_t99 = _t75;
				if (_t75 == 0) goto 0x9810906d;
				E00007FF67FF69810FF60();
				_t92 = _t102[0x30];
				if (_t92 == 0) goto 0x98108f2b;
				if (_t99 == _t92) goto 0x98108f2b;
				r8d = 0x160;
				_t36 = E00007FF67FF69810AE90(0xc, _t99 - _t92, _t99, _t92, _t108);
				 *_t99 =  *_t99 & 0x00000000;
				E00007FF67FF698108004(_t36, _t99, _t108);
				E00007FF67FF69810FE60();
				_t109 = _t115;
				E00007FF67FF698108C50(_t50, 0xc, r14d, _t99, _t92, _t115, _t110); // executed
				_v40 = _t75;
				if (_t75 == 0) goto 0x9810905f;
				if (_t115 == 0) goto 0x98108f82;
				E00007FF67FF69810BBE0(0xc, _t115, 0x98140a20);
				_t56 =  *0x981430bc; // 0x0
				r13d = 1;
				_t57 =  !=  ? r13d : _t56;
				 *0x981430bc =  !=  ? r13d : _t56;
				goto 0x98108f88;
				r13d = 1;
				E00007FF67FF69810FF60();
				_t11 =  &(_t102[0x30]); // 0xc0
				E00007FF67FF69810809C(E00007FF67FF698108144(_t63, _t64, _t75, _t11, _t99, _t102), _t99, _t115);
				if ((_t102[0x32] & 0x00000002) != 0) goto 0x98109053;
				if (( *0x98140a10 & r13b) != 0) goto 0x98109053;
				E00007FF67FF698108144(_t63, _t64, _t75, 0x98140b90, _t102[0x30], _t102);
				_t96 =  *0x98140b90; // 0x29a4b80
				r8d = 0x18;
				E00007FF67FF69810AE90(0xc,  *0x98140a10 & r13b, 0x98143ba0, _t96 + 0xc, _t115);
				_t111 =  *0x98140b90; // 0x29a4b80
				 *0x98143bb8 =  *((intOrPtr*)(_t111 + 4));
				 *0x98143bbc =  *((intOrPtr*)(_t111 + 8));
				 *0x98140b98 =  *((intOrPtr*)(_t111 + 0x108));
				 *0x98141718 =  *((intOrPtr*)(_t111 + 0x158));
				 *0x981401f8 =  *((intOrPtr*)(_t111 + 0x128));
				 *0x98140440 =  *((intOrPtr*)(_t111 + 0x140));
				 *0x98141720 =  *((intOrPtr*)(_t111 + 0x10c));
				E00007FF67FF69810FE60();
				goto 0x9810906d;
				E00007FF67FF69810809C( *((intOrPtr*)(_t111 + 0x10c)), _t99, _t109);
				_t49 = E00007FF67FF698107E88(_t80, _t99, _t102, _t109);
				_t102[0x32] = _t102[0x32] & 0xffffffef;
				return _t49;
			}

0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e74
0x7ff698108e79
0x7ff698108e7e
0x7ff698108e8d
0x7ff698108e90
0x7ff698108e93
0x7ff698108e96
0x7ff698108e99
0x7ff698108e9b
0x7ff698108ea0
0x7ff698108ea6
0x7ff698108eab
0x7ff698108eae
0x7ff698108eb5
0x7ff698108ebc
0x7ff698108ec1
0x7ff698108ec6
0x7ff698108ec9
0x7ff698108ece
0x7ff698108ed3
0x7ff698108ee4
0x7ff698108ee9
0x7ff698108eef
0x7ff698108efa
0x7ff698108f00
0x7ff698108f0a
0x7ff698108f0f
0x7ff698108f14
0x7ff698108f1a
0x7ff698108f1f
0x7ff698108f25
0x7ff698108f30
0x7ff698108f35
0x7ff698108f3e
0x7ff698108f46
0x7ff698108f4e
0x7ff698108f57
0x7ff698108f63
0x7ff698108f68
0x7ff698108f70
0x7ff698108f76
0x7ff698108f7a
0x7ff698108f80
0x7ff698108f82
0x7ff698108f8d
0x7ff698108f96
0x7ff698108fa5
0x7ff698108fb1
0x7ff698108fbe
0x7ff698108fd2
0x7ff698108fd7
0x7ff698108fe2
0x7ff698108fef
0x7ff698108ff4
0x7ff698108fff
0x7ff698109009
0x7ff698109016
0x7ff698109023
0x7ff698109031
0x7ff69810903f
0x7ff69810904d
0x7ff698109058
0x7ff69810905d
0x7ff698109062
0x7ff698109067
0x7ff69810906d
0x7ff698109090

APIs

_errno.LIBCMT ref: 00007FF698108E9B

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_getptd.LIBCMT ref: 00007FF698108EC1
_lock.LIBCMT ref: 00007FF698108EFA
_lock.LIBCMT ref: 00007FF698108F8D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: f69661139c2ccdaea8614eccadf113ca2f6b788d7e3362209dbcf903ea8732cd
Instruction ID: 90530d8e3e718044c99cd903456b211887ade55b5af1edcd314ada0433a756ae
Opcode Fuzzy Hash: f69661139c2ccdaea8614eccadf113ca2f6b788d7e3362209dbcf903ea8732cd
Instruction Fuzzy Hash: 58515A31A0964386F764AF329C51BBA2295FF84788F9040B9DA5EC7796DE3CE421C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810BAD8 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00007FF67FF69810BAD8(long* __rax, void* __rcx, void* __rdx, void* __rdi, void* __rsi) {
				void* __rbx;
				intOrPtr _t5;
				void* _t6;
				long _t8;
				long* _t21;
				void* _t22;
				long* _t23;
				void* _t31;

				_t30 = __rsi;
				_t29 = __rdi;
				_t21 = __rax;
				E00007FF67FF698105910(__rax); // executed
				_t5 = E00007FF67FF69810FD50(_t22, __rdi, __rsi);
				if (_t5 == 0) goto 0x9810bb4c;
				__imp__FlsAlloc();
				 *0x98140810 = _t5;
				if (_t5 == 0xffffffff) goto 0x9810bb4c;
				_t6 = E00007FF67FF69810A5E0(_t22, 0x7ff69810b960, __rdx, _t29, _t30, _t31);
				_t23 = _t21;
				if (_t21 == 0) goto 0x9810bb4c;
				__imp__FlsSetValue();
				if (_t6 == 0) goto 0x9810bb4c;
				E00007FF67FF69810B804(_t23, _t23, _t21);
				_t8 = GetCurrentThreadId();
				_t23[2] = _t23[2] | 0xffffffff;
				 *_t23 = _t8;
				goto 0x9810bb53;
				E00007FF67FF69810B7DC(_t23, _t23, _t21);
				return 0;
			}

0x7ff69810bad8
0x7ff69810bad8
0x7ff69810bad8
0x7ff69810bade
0x7ff69810bae3
0x7ff69810baea
0x7ff69810baf3
0x7ff69810baf9
0x7ff69810bb02
0x7ff69810bb0e
0x7ff69810bb13
0x7ff69810bb19
0x7ff69810bb24
0x7ff69810bb2c
0x7ff69810bb33
0x7ff69810bb38
0x7ff69810bb3e
0x7ff69810bb43
0x7ff69810bb4a
0x7ff69810bb4c
0x7ff69810bb58

APIs

Part of subcall function 00007FF698105910: _initp_misc_winsig.LIBCMT ref: 00007FF698105949
Part of subcall function 00007FF698105910: EncodePointer.KERNEL32(?,?,00000000,00007FF69810BAE3,?,?,00000000,00007FF698104727), ref: 00007FF698105965

FlsAlloc.KERNEL32(?,?,00000000,00007FF698104727), ref: 00007FF69810BAF3

Part of subcall function 00007FF69810A5E0: Sleep.KERNEL32(?,?,?,00007FF69810B8EB,?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871), ref: 00007FF69810A625

FlsSetValue.KERNEL32(?,?,00000000,00007FF698104727), ref: 00007FF69810BB24

Part of subcall function 00007FF69810B804: _lock.LIBCMT ref: 00007FF69810B854
Part of subcall function 00007FF69810B804: _lock.LIBCMT ref: 00007FF69810B874

GetCurrentThreadId.KERNEL32 ref: 00007FF69810BB38

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: de95eaae2b1d1c57757afb457a2a3e14f08f94a5831e49998ee3f3ac3efbfa47
Instruction ID: cbaa299b811bcdedb756635c2fc5475f8628ddb27fe88d50d6193c7944ee3c23
Opcode Fuzzy Hash: de95eaae2b1d1c57757afb457a2a3e14f08f94a5831e49998ee3f3ac3efbfa47
Instruction Fuzzy Hash: 12014B60E0960746FBB4AF719C4527862D1EF44B60F8447B4D42EC62E5EF6CA8E1C319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114664 Relevance: 3.1, APIs: 2, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00007FF67FF698114664(void* __eax, long long __rbx, signed long long __rcx, signed long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, long long _a8) {
				signed long long _v24;
				void* _t19;
				intOrPtr* _t34;
				intOrPtr* _t36;
				signed long long _t38;
				signed long long _t42;

				_t41 = __rdx;
				_t38 = __rcx;
				_a8 = __rbx;
				_t36 = __r8;
				_t42 = __rdx;
				if (__rcx == 0) goto 0x981146ab;
				_t2 = _t41 - 0x20; // -32
				_t34 = _t2;
				if (_t34 - __rdx >= 0) goto 0x981146ab;
				E00007FF67FF6981078AC(_t34);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t34 = 0xc;
				E00007FF67FF698104430(_t34, __r8, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0x98114708;
				_t44 =  ==  ? _t34 : _t42 * _t38;
				if (( ==  ? _t34 : _t42 * _t38) - 0xffffffe0 > 0) goto 0x981146db;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t34 != 0) goto 0x98114708;
				if ( *0x98143b98 == 0) goto 0x981146fd;
				_t19 = E00007FF67FF69810BC98(_t34,  ==  ? _t34 : _t42 * _t38);
				if (_t19 != 0) goto 0x981146bb;
				if (_t36 == 0) goto 0x981146a7;
				 *_t36 = 0xc;
				goto 0x981146a7;
				if (_t36 == 0) goto 0x98114708;
				 *_t36 = 0xc;
				return _t19;
			}

0x7ff698114664
0x7ff698114664
0x7ff698114664
0x7ff69811466e
0x7ff698114671
0x7ff698114677
0x7ff69811467b
0x7ff69811467b
0x7ff698114685
0x7ff698114687
0x7ff69811468c
0x7ff698114692
0x7ff698114695
0x7ff69811469c
0x7ff6981146a2
0x7ff6981146a9
0x7ff6981146b7
0x7ff6981146c1
0x7ff6981146d0
0x7ff6981146d9
0x7ff6981146e2
0x7ff6981146e7
0x7ff6981146ee
0x7ff6981146f3
0x7ff6981146f5
0x7ff6981146fb
0x7ff698114700
0x7ff698114702
0x7ff698114712

APIs

_errno.LIBCMT ref: 00007FF698114687

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FF69810A613,?,?,?,00007FF69810B8EB,?,?,?,00007FF6981078B5), ref: 00007FF6981146D0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: b0e852ac2ae4dd9ee59b8914b12bc75567783781675997a08f6f7f30866a8375
Instruction ID: 97268cdbc9c4097fedc9a4a5a68d383863a9a18083e49773ff72d26a593194a9
Opcode Fuzzy Hash: b0e852ac2ae4dd9ee59b8914b12bc75567783781675997a08f6f7f30866a8375
Instruction Fuzzy Hash: 1611CE25B1964382FB354B35E64577962D2DFA2FA8F988670CE5EC7AC4DE3CA440C60C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812B620 Relevance: 3.0, APIs: 2, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00007FF67FF69812B620(void* __ebx, long long __rax, void* __rcx, void* __rsi, void* __rbp, void* __r10) {
				long long _v24;
				long long _v32;
				short _v48;
				char _v56;
				void* __rbx;
				long _t12;
				void* _t19;
				void* _t20;
				long long _t26;
				void* _t27;
				void* _t36;
				void* _t37;

				_t26 = __rax;
				if ( *((long long*)(__rcx + 0x18)) - 3 < 0) goto 0x9812b6a6;
				_t33 = __rcx;
				E00007FF67FF69812B410(__ebx, _t19, _t20,  *((long long*)(__rcx + 0x18)) - 3, _t27,  &_v56, __rcx, __rbp, _t36, __r10);
				if ( *((long long*)(_t26 + 0x20)) - 8 < 0) goto 0x9812b647;
				goto 0x9812b64b;
				_t12 = GetFileAttributesW(??); // executed
				if (_v24 - 8 < 0) goto 0x9812b665;
				E00007FF67FF6981044D8(_t26, _t27, _v48, _t33, __rsi, _t36, _t37);
				_v24 = 7;
				_v32 = _t26;
				_v48 = 0;
				if (_t12 != 0xffffffff) goto 0x9812b692;
				if (GetLastError() != 0x20) goto 0x9812b6a6;
				return 1;
			}

0x7ff69812b620
0x7ff69812b62b
0x7ff69812b62d
0x7ff69812b635
0x7ff69812b63f
0x7ff69812b645
0x7ff69812b64b
0x7ff69812b659
0x7ff69812b660
0x7ff69812b667
0x7ff69812b670
0x7ff69812b675
0x7ff69812b67d
0x7ff69812b688
0x7ff69812b691

APIs

GetFileAttributesW.KERNELBASE ref: 00007FF69812B64B
GetLastError.KERNEL32 ref: 00007FF69812B67F

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 8bc7ac336bc4565f4dd3e229d3f68aa04ac1717867004368b237860524ec1113
Instruction ID: f353c9398a3fd08105ecbe3144b33221df4bd696f73f45c1fe6175ebf45b82cd
Opcode Fuzzy Hash: 8bc7ac336bc4565f4dd3e229d3f68aa04ac1717867004368b237860524ec1113
Instruction Fuzzy Hash: 53019262E18943C2EF308B30E48537863A1EB92754F940271D69DC66E0DF2CD9D6C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810C6C8 Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00007FF67FF69810C6C8(void* __edi, void* __ebp, intOrPtr* __rax, long long __rbx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t15;
				intOrPtr* _t24;
				intOrPtr* _t25;
				long long _t27;
				intOrPtr* _t34;

				_t27 = __rbx;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				GetEnvironmentStringsW();
				_t34 = __rax;
				if (__rax != __rbx) goto 0x9810c6f0;
				goto 0x9810c73c;
				if ( *__rax == 0) goto 0x9810c707;
				_t24 = __rax + 2;
				if ( *_t24 != 0) goto 0x9810c6f5;
				_t25 = _t24 + 2;
				if ( *_t25 != 0) goto 0x9810c6f5;
				_t39 = 0 - __edi + 2;
				E00007FF67FF69810A574(__ebp, _t25, __rbx, 0 - __edi + 2, __rsi, 0 - __edi + 2); // executed
				if (_t25 == _t27) goto 0x9810c730;
				E00007FF67FF69810AE90(_t15, _t25 - _t27, _t25, _t34, _t39);
				return FreeEnvironmentStringsW(??);
			}

0x7ff69810c6c8
0x7ff69810c6c8
0x7ff69810c6cd
0x7ff69810c6d2
0x7ff69810c6dc
0x7ff69810c6e4
0x7ff69810c6ea
0x7ff69810c6ee
0x7ff69810c6f3
0x7ff69810c6f5
0x7ff69810c6fc
0x7ff69810c6fe
0x7ff69810c705
0x7ff69810c70c
0x7ff69810c712
0x7ff69810c71d
0x7ff69810c728
0x7ff69810c750

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF698104777), ref: 00007FF69810C6DC
FreeEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF698104777), ref: 00007FF69810C733

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: e9e2d5b3a4917f75dcd00ab3f1514e9b6828666610862c6d897de6f71c12553c
Instruction ID: 81f1381258442b0619d9bd4847f8df85cc6b74f007c0fdb3f9797e3e26c92344
Opcode Fuzzy Hash: e9e2d5b3a4917f75dcd00ab3f1514e9b6828666610862c6d897de6f71c12553c
Instruction Fuzzy Hash: 8D017112E0824385EE70AF72A94503966A0EB44BC0BC84471DA4E93756DE2CE9A1C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698105910 Relevance: 3.0, APIs: 2, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00007FF67FF698105910(long long __rax) {
				void* _t2;
				void* _t10;

				E00007FF67FF69810B7B0(); // executed
				_t10 = E00007FF67FF69811016C(E00007FF67FF69811A280(E00007FF67FF698110188(E00007FF67FF698110428(E00007FF67FF69810FD2C(E00007FF67FF698104300(E00007FF67FF698110430(E00007FF67FF69810BC90(_t2, __rax), __rax), __rax), __rax), __rax), __rax)), __rax);
				0x9810b7a8();
				 *0x98140200 = __rax;
				return _t10;
			}

0x7ff698105916
0x7ff698105959
0x7ff698105965
0x7ff69810596a
0x7ff698105976

APIs

_initp_misc_winsig.LIBCMT ref: 00007FF698105949

Part of subcall function 00007FF69811016C: EncodePointer.KERNEL32(?,?,?,?,00007FF69810595E,?,?,00000000,00007FF69810BAE3,?,?,00000000,00007FF698104727), ref: 00007FF698110177

EncodePointer.KERNEL32(?,?,00000000,00007FF69810BAE3,?,?,00000000,00007FF698104727), ref: 00007FF698105965

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 74bf83648d0d11f1f7dce34e57aca7fdbc386c1892a025d5a760b0d6547989f4
Instruction ID: 675dde66c2045171d9d9582598a85d442439e696151cc1584cd392ab1940d316
Opcode Fuzzy Hash: 74bf83648d0d11f1f7dce34e57aca7fdbc386c1892a025d5a760b0d6547989f4
Instruction Fuzzy Hash: 86F02800E5D20740F968BB727C665BD12548F96754FC821B5E91FDA293DD2CA561C388

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810CABC Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FF6981046FC), ref: 00007FF69810CACE
HeapSetInformation.KERNEL32 ref: 00007FF69810CAF8

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: a0f4fcd3cb0a49994bd9f38eb5e0d86323c9ca9cc061fcc2852eb2b41b563da2
Instruction ID: c0f969f1535df1a2a98a1292d14ed9ff9a6cb8e9477b3fd580433708ddcf0103
Opcode Fuzzy Hash: a0f4fcd3cb0a49994bd9f38eb5e0d86323c9ca9cc061fcc2852eb2b41b563da2
Instruction Fuzzy Hash: 2DE04F75A25B8286F7A89B31A8597696290FF88380FD05079E94DC27A4DF3CD585CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810C308 Relevance: 2.6, APIs: 2, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00007FF67FF69810C308(signed int __eax, void* __ecx, long long __rbx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _v24;
				void* _t22;
				signed int _t35;
				signed long long _t46;
				void* _t49;
				long long _t51;
				signed long long _t64;
				signed long long _t72;
				void* _t77;

				_t67 = __rsi;
				_t63 = __rdi;
				_t61 = __rdx;
				_t46 = _t72;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = __rbp;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				_t49 =  *0x98143058; // 0x0
				r12d = 0;
				if (_t49 != _t77) goto 0x9810c350;
				goto 0x9810c40b;
				if ((__eax | 0xffffffff) == 0x3d) goto 0x9810c343;
				E00007FF67FF69810FD34(__eax | 0xffffffff, _t49);
				if (( *(_t49 + 2 + _t46 * 2) & 0x0000ffff) != r12w) goto 0x9810c33b;
				_t8 = _t63 + 1; // 0x1
				_t22 = E00007FF67FF69810A5E0(_t49 + 2 + _t46 * 2, _t8, __rdx, __rdi, __rsi, __rbp);
				_t64 = _t46;
				 *0x98143090 = _t46;
				if (_t46 == _t77) goto 0x9810c333;
				_t51 =  *0x98143058; // 0x0
				if ( *_t51 == r12w) goto 0x9810c3ed;
				E00007FF67FF69810FD34(_t22, _t51);
				_t9 = _t46 + 1; // 0x1
				_t35 = _t9;
				if ( *_t51 == 0x3d) goto 0x9810c3d9;
				_t70 = _t35;
				E00007FF67FF69810A5E0(_t51, _t35, _t61, _t64, _t67, _t35); // executed
				 *_t64 = _t46;
				if (_t46 == _t77) goto 0x9810c426;
				if (E00007FF67FF698105EE0(_t46, _t51, _t46, _t70, _t51) == r12d) goto 0x9810c3d5;
				r9d = 0;
				r8d = 0;
				_v24 = _t77;
				E00007FF67FF698104308();
				if ( *((intOrPtr*)(_t51 + _t35 * 2)) != r12w) goto 0x9810c385;
				free(_t77);
				 *0x98143058 = _t77;
				 *(_t64 + 8) = _t77;
				 *0x98149c04 = 1;
				return 0;
			}

0x7ff69810c308
0x7ff69810c308
0x7ff69810c308
0x7ff69810c308
0x7ff69810c30b
0x7ff69810c30f
0x7ff69810c313
0x7ff69810c317
0x7ff69810c321
0x7ff69810c328
0x7ff69810c331
0x7ff69810c336
0x7ff69810c33f
0x7ff69810c346
0x7ff69810c357
0x7ff69810c359
0x7ff69810c364
0x7ff69810c369
0x7ff69810c36c
0x7ff69810c376
0x7ff69810c378
0x7ff69810c383
0x7ff69810c388
0x7ff69810c391
0x7ff69810c391
0x7ff69810c394
0x7ff69810c396
0x7ff69810c3a1
0x7ff69810c3a6
0x7ff69810c3ac
0x7ff69810c3bf
0x7ff69810c3c1
0x7ff69810c3c4
0x7ff69810c3cb
0x7ff69810c3d0
0x7ff69810c3e4
0x7ff69810c3f0
0x7ff69810c3f5
0x7ff69810c3fc
0x7ff69810c3ff
0x7ff69810c425

APIs

free.LIBCMT ref: 00007FF69810C3F0
free.LIBCMT ref: 00007FF69810C42D

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c1d1efebb4359f288f5ab5fbc08614582816a885133ec421e98c48bdfdb18eab
Instruction ID: 407d952949189b5f6b2d43ba79e498059da7a075a19d5875724942b2ba6976f4
Opcode Fuzzy Hash: c1d1efebb4359f288f5ab5fbc08614582816a885133ec421e98c48bdfdb18eab
Instruction Fuzzy Hash: 12318D22A1864380E734DF31E84167973A1FB84B84FC88575DA4D8B795CF7CE4A1D708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810A574 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00007FF69810A593

Part of subcall function 00007FF6981048B0: _FF_MSGBANNER.LIBCMT ref: 00007FF6981048E0
Part of subcall function 00007FF6981048B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69810A598,?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF698104905
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104929
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104934

Sleep.KERNEL32(?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF69810A5AA

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$AllocateHeapSleepmalloc
String ID:
API String ID: 4275769124-0
Opcode ID: bd13dfa245dfbbdecbc5965e138b5fdfee0d4ec3a6d1675b05ac1045423cc446
Instruction ID: d53dbfaf5ab5ff498e4fe692620526afcbab74a786ecc967759e8df31498efc2
Opcode Fuzzy Hash: bd13dfa245dfbbdecbc5965e138b5fdfee0d4ec3a6d1675b05ac1045423cc446
Instruction Fuzzy Hash: 07F0FC32A0878786E6259F31B84003E73A1FBC4B90F840275EA9D47795CF3CE861C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698110024 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,00000001,00007FF6981056CF,?,?,00000001,00007FF6981047AB), ref: 00007FF69811003D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bfac969eb8d0f6839c0f34c126e53fdce9e834d7b244de2d6ab758f89b9f9e62
Instruction ID: 2d5db3765fe0a223a62f97b9c57e80c932fb47a69dec09203a891efd8a3ac21e
Opcode Fuzzy Hash: bfac969eb8d0f6839c0f34c126e53fdce9e834d7b244de2d6ab758f89b9f9e62
Instruction Fuzzy Hash: 93D01222F6854681DB514B71F55016923A4EBC5BD8F988071D64C47655CD2CC496C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810A5E0 Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00007FF67FF69810A5E0(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t10;
				void* _t11;
				void* _t17;
				void* _t20;
				long long _t29;
				void* _t37;
				void* _t40;
				long _t41;

				_t29 = __rdi;
				_t20 = _t37;
				 *((long long*)(_t20 + 8)) = __rbx;
				 *((long long*)(_t20 + 0x10)) = __rbp;
				 *((long long*)(_t20 + 0x18)) = __rsi;
				 *((long long*)(_t20 + 0x20)) = __rdi;
				r12d = r12d | 0xffffffff;
				r8d = 0;
				_t11 = E00007FF67FF698114664(_t10, __rbx, __rcx, __rdx, __rdx, __rcx, _t40); // executed
				if (_t20 != 0) goto 0x9810a645;
				_t17 =  *0x981430c0 - _t11; // 0x0
				if (_t17 <= 0) goto 0x9810a645;
				Sleep(_t41);
				_t5 = _t29 + 0x3e8; // 0x3e8
				r11d = _t5;
				_t15 =  >  ? r12d : r11d;
				_t19 = ( >  ? r12d : r11d) - r12d;
				if (( >  ? r12d : r11d) != r12d) goto 0x9810a605;
				return _t11;
			}

0x7ff69810a5e0
0x7ff69810a5e0
0x7ff69810a5e3
0x7ff69810a5e7
0x7ff69810a5eb
0x7ff69810a5ef
0x7ff69810a601
0x7ff69810a605
0x7ff69810a60e
0x7ff69810a619
0x7ff69810a61b
0x7ff69810a621
0x7ff69810a625
0x7ff69810a62b
0x7ff69810a62b
0x7ff69810a63c
0x7ff69810a640
0x7ff69810a643
0x7ff69810a662

APIs

Part of subcall function 00007FF698114664: _errno.LIBCMT ref: 00007FF698114687

Sleep.KERNEL32(?,?,?,00007FF69810B8EB,?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871), ref: 00007FF69810A625

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0c6aa7e01e015a0de39a721ee99d897d7ef22429643003cfd3a104248ad44f7
Instruction ID: 065128616ed0cfb7f354c9d1b40656b7f8d05c41541806639ee8f101bb054b22
Opcode Fuzzy Hash: e0c6aa7e01e015a0de39a721ee99d897d7ef22429643003cfd3a104248ad44f7
Instruction Fuzzy Hash: 4B016722A14B8286EA659F26A84042976B1FBC8FD4B494175DE5D47751CF3CE851C708

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF698118D70 Relevance: 40.8, APIs: 27, Instructions: 305
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 66%

			E00007FF67FF698118D70(void* __ebx, long long __rbx, long long __rcx, void* __rdx, void* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t122;
				void* _t135;
				intOrPtr _t137;
				char _t156;
				intOrPtr _t158;
				intOrPtr* _t165;
				long long _t174;
				intOrPtr* _t180;
				intOrPtr* _t183;
				intOrPtr _t184;
				intOrPtr* _t185;
				intOrPtr* _t189;
				intOrPtr* _t190;
				intOrPtr _t202;
				long long _t209;
				intOrPtr _t213;
				void* _t214;
				void* _t216;
				intOrPtr* _t217;
				intOrPtr _t219;
				intOrPtr _t222;
				intOrPtr* _t223;
				long long _t224;
				void* _t226;
				intOrPtr* _t229;
				intOrPtr _t230;
				void* _t232;
				intOrPtr* _t236;
				void* _t239;
				void* _t240;
				void* _t255;
				intOrPtr _t256;
				intOrPtr _t258;
				void* _t260;
				void* _t264;
				intOrPtr* _t266;
				intOrPtr* _t268;
				void* _t270;
				intOrPtr _t271;

				_t244 = __r9;
				_t242 = __r8;
				_t214 = __rdx;
				_t122 = __ebx;
				 *((long long*)(_t239 + 8)) = __rcx;
				_t240 = _t239 - 0x90;
				 *((long long*)(_t240 + 0x20)) = 0xfffffffe;
				 *((long long*)(_t240 + 0xe8)) = __rbx;
				 *((long long*)(__rcx)) = 0x98133d10;
				_t217 =  *((intOrPtr*)(__rcx + 0x80));
				if (_t217 -  *((intOrPtr*)(__rcx + 0x88)) <= 0) goto 0x98118dba;
				E00007FF67FF6981044B8();
				_t183 =  *((intOrPtr*)(__rcx + 0x68));
				_t256 =  *((intOrPtr*)(__rcx + 0x88));
				if ( *((intOrPtr*)(__rcx + 0x80)) - _t256 <= 0) goto 0x98118dd3;
				E00007FF67FF6981044B8();
				if (_t183 == 0) goto 0x98118de1;
				if (_t183 ==  *((intOrPtr*)(__rcx + 0x68))) goto 0x98118de6;
				E00007FF67FF6981044B8();
				if (_t217 == _t256) goto 0x98118eb1;
				if (_t183 != 0) goto 0x98118dfe;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118e01;
				_t135 = _t217 -  *((intOrPtr*)( *_t183 + 0x20));
				if (_t135 < 0) goto 0x98118e0c;
				E00007FF67FF6981044B8();
				asm("lock xadd [esi], eax");
				asm("bt eax, 0x1e");
				if (_t135 < 0) goto 0x98118e66;
				if (0x80000000 - 0x80000000 <= 0) goto 0x98118e66;
				asm("lock bts dword [esi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0x98118e66;
				_t137 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 8)) + 8));
				if (_t137 != 0) goto 0x98118e5d;
				E00007FF67FF6980F3F90(0, 0, 0x98133d10,  *((intOrPtr*)(_t217 + 8)), __r9);
				asm("lock dec esp");
				if (_t137 == 0) goto 0x98118e5a;
				CloseHandle(_t270);
				goto 0x98118e5d;
				SetEvent(_t264);
				if (_t183 != 0) goto 0x98118e75;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118e78;
				if (_t217 -  *((intOrPtr*)( *_t183 + 0x20)) < 0) goto 0x98118e83;
				E00007FF67FF6981044B8();
				E00007FF67FF698118BD0(_t122, 0, 0x98133d10, _t183,  *_t217, _t214,  *((intOrPtr*)(_t217 + 8)), 0x98133d10, __r8, __r9, _t260, _t255);
				if (_t183 != 0) goto 0x98118e9a;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118e9d;
				if (_t217 -  *((intOrPtr*)( *_t183 + 0x20)) < 0) goto 0x98118ea8;
				E00007FF67FF6981044B8();
				goto 0x98118dd7;
				_t266 =  *((intOrPtr*)(_t240 + 0xd0)) + 0x98;
				 *((long long*)(_t240 + 0xe0)) = _t266;
				_t236 =  *((intOrPtr*)(_t266 + 0x18));
				if (_t236 -  *((intOrPtr*)(_t266 + 0x20)) <= 0) goto 0x98118ed7;
				E00007FF67FF6981044B8();
				_t229 =  *_t266;
				_t271 =  *((intOrPtr*)(_t266 + 0x20));
				if ( *((intOrPtr*)(_t266 + 0x18)) - _t271 <= 0) goto 0x98118ee9;
				E00007FF67FF6981044B8();
				if (_t229 == 0) goto 0x98118efa;
				if (_t229 ==  *_t266) goto 0x98118eff;
				E00007FF67FF6981044B8();
				if (_t236 == _t271) goto 0x9811907f;
				if (_t229 != 0) goto 0x98118f17;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118f1a;
				if (_t236 -  *((intOrPtr*)( *_t229 + 0x20)) < 0) goto 0x98118f25;
				E00007FF67FF6981044B8();
				_t184 =  *_t236;
				 *((long long*)(_t240 + 0x28)) = _t184 + 0x30;
				 *((char*)(_t240 + 0x30)) = 0;
				E00007FF67FF6981189A0(0, 0, _t184 + 0x30, _t240 + 0x28, _t217 + 0x10, _t229, _t236, __r8, __r9);
				 *((char*)(_t184 + 0x28)) = 1;
				E00007FF67FF698118BD0(_t122, 0, _t184 + 0x30, _t184, _t184 + 0x40, _t214, _t229, _t236, __r8, __r9, _t216, _t226);
				 *((long long*)(_t240 + 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t184 + 0xb8))));
				_t174 =  *((intOrPtr*)(_t184 + 0x90));
				 *((long long*)(_t240 + 0x40)) = _t174;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x50], xmm0");
				_t185 =  *((intOrPtr*)(_t240 + 0x50));
				_t219 =  *((intOrPtr*)(_t240 + 0x58));
				if (_t185 == 0) goto 0x98118f9a;
				if (_t185 == _t174) goto 0x98118f9f;
				E00007FF67FF6981044B8();
				if (_t219 ==  *((intOrPtr*)(_t184 + 0xb8))) goto 0x98118fec;
				if (_t185 != 0) goto 0x98118fb3;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118fb6;
				if (_t219 !=  *((intOrPtr*)( *_t185 + 0x28))) goto 0x98118fc1;
				E00007FF67FF6981044B8();
				E00007FF67FF698118BD0(_t122, 0, _t174, _t185,  *((intOrPtr*)(_t219 + 0x10)), _t214, _t229, _t236, __r8, __r9);
				if (_t185 != 0) goto 0x98118fd9;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118fdc;
				if (_t219 !=  *((intOrPtr*)( *_t185 + 0x28))) goto 0x98118fe7;
				E00007FF67FF6981044B8();
				goto 0x98118f90;
				_t156 =  *((char*)(_t240 + 0x30));
				if (_t156 == 0) goto 0x98119059;
				asm("lock xadd [eax], ecx");
				asm("bt ecx, 0x1e");
				if (_t156 < 0) goto 0x98119059;
				if (0x80000000 - 0x80000000 <= 0) goto 0x98119059;
				asm("lock bts dword [eax], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0x98119059;
				_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t240 + 0x28)) + 8));
				if (_t158 != 0) goto 0x98119050;
				E00007FF67FF6980F3F90(0, 0,  *((intOrPtr*)(_t240 + 0x28)), _t229, __r9);
				asm("lock dec esp");
				if (_t158 == 0) goto 0x9811904d;
				CloseHandle(_t232);
				goto 0x98119050;
				SetEvent(??);
				if (_t229 != 0) goto 0x98119068;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x9811906b;
				if (_t236 -  *((intOrPtr*)( *_t229 + 0x20)) < 0) goto 0x98119076;
				E00007FF67FF6981044B8();
				goto 0x98118ef0;
				_t258 =  *((intOrPtr*)(_t240 + 0xd0));
				_t202 =  *((intOrPtr*)(_t258 + 0xc8));
				_t268 =  *((intOrPtr*)(_t240 + 0xe0));
				if (_t202 == 0) goto 0x981190a9;
				if (_t202 == 0xffffffff) goto 0x981190a9;
				CloseHandle(??);
				 *((long long*)(_t240 + 0xd8)) = _t268;
				_t222 =  *((intOrPtr*)(_t268 + 0x18));
				if (_t222 == 0) goto 0x98119105;
				_t230 =  *((intOrPtr*)(_t268 + 0x20));
				if (_t222 == _t230) goto 0x981190fc;
				_t223 = _t222 + 8;
				_t189 =  *_t223;
				_t165 = _t189;
				if (_t165 == 0) goto 0x981190ef;
				asm("lock add dword [ebx+0x8], 0xffffffff");
				if (_t165 != 0) goto 0x981190ef;
				 *((intOrPtr*)( *_t189 + 8))();
				asm("lock add dword [ebx+0xc], 0xffffffff");
				if (_t165 != 0) goto 0x981190ef;
				 *((intOrPtr*)( *_t189 + 0x10))();
				_t224 = _t223 + 0x10;
				if (_t224 - 8 != _t230) goto 0x981190c7;
				E00007FF67FF6981044D8(_t224 - 8, _t189,  *((intOrPtr*)(_t268 + 0x18)), _t214, _t230, __r8, __r9);
				 *((long long*)(_t268 + 0x18)) = _t224;
				 *((long long*)(_t268 + 0x20)) = _t224;
				 *((long long*)(_t268 + 0x28)) = _t224;
				E00007FF67FF6981044D8(_t224 - 8, _t189,  *_t268, _t214, _t230, _t242, _t244);
				if ( *((intOrPtr*)(_t258 + 0x80)) == 0) goto 0x9811912e;
				E00007FF67FF6981044D8(_t224 - 8, _t189,  *((intOrPtr*)(_t258 + 0x80)), _t214, _t230, _t242, _t244);
				 *((long long*)(_t258 + 0x80)) = _t224;
				 *((long long*)(_t258 + 0x88)) = _t224;
				 *((long long*)(_t258 + 0x90)) = _t224;
				E00007FF67FF6981044D8(_t224 - 8, _t189,  *((intOrPtr*)(_t258 + 0x68)), _t214, _t230, _t242, _t244);
				_t190 = _t258 + 0x28;
				 *((long long*)(_t240 + 0xd8)) = _t190;
				_t64 = _t190 + 0x30; // 0x44c748000000e0ec
				_t180 =  *_t64;
				 *((long long*)(_t240 + 0x58)) = _t180;
				_t209 =  *_t190;
				 *((long long*)(_t240 + 0x50)) = _t209;
				 *((long long*)(_t240 + 0x48)) =  *_t180;
				 *((long long*)(_t240 + 0x40)) = _t209;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x70], xmm1");
				E00007FF67FF6980F55C0(_t190, _t190, _t240 + 0x80, _t224, _t230, _t240 + 0x70, _t240 + 0x60);
				_t72 = _t190 + 0x30; // 0x44c748000000e0ec
				E00007FF67FF6981044D8( *_t180, _t190,  *_t72, _t240 + 0x80, _t230, _t240 + 0x70, _t240 + 0x60);
				 *((long long*)(_t190 + 0x30)) = _t224;
				 *((long long*)(_t190 + 0x38)) = _t224;
				E00007FF67FF6981044D8( *_t180, _t190,  *_t190, _t240 + 0x80, _t230, _t240 + 0x70, _t240 + 0x60);
				_t213 =  *((intOrPtr*)(_t258 + 0x10));
				if (_t213 == 0) goto 0x981191dc;
				if (_t213 == 0xffffffff) goto 0x981191dc;
				return CloseHandle(??);
			}

0x7ff698118d70
0x7ff698118d70
0x7ff698118d70
0x7ff698118d70
0x7ff698118d70
0x7ff698118d80
0x7ff698118d87
0x7ff698118d90
0x7ff698118da2
0x7ff698118da5
0x7ff698118db3
0x7ff698118db5
0x7ff698118dba
0x7ff698118dbe
0x7ff698118dcc
0x7ff698118dce
0x7ff698118dda
0x7ff698118ddf
0x7ff698118de1
0x7ff698118de9
0x7ff698118df2
0x7ff698118df4
0x7ff698118df9
0x7ff698118dfc
0x7ff698118e01
0x7ff698118e05
0x7ff698118e07
0x7ff698118e15
0x7ff698118e19
0x7ff698118e1d
0x7ff698118e24
0x7ff698118e26
0x7ff698118e2b
0x7ff698118e31
0x7ff698118e34
0x7ff698118e3a
0x7ff698118e44
0x7ff698118e4d
0x7ff698118e52
0x7ff698118e58
0x7ff698118e60
0x7ff698118e69
0x7ff698118e6b
0x7ff698118e70
0x7ff698118e73
0x7ff698118e7c
0x7ff698118e7e
0x7ff698118e86
0x7ff698118e8e
0x7ff698118e90
0x7ff698118e95
0x7ff698118e98
0x7ff698118ea1
0x7ff698118ea3
0x7ff698118eac
0x7ff698118eb9
0x7ff698118ec0
0x7ff698118ec8
0x7ff698118ed0
0x7ff698118ed2
0x7ff698118ed7
0x7ff698118eda
0x7ff698118ee2
0x7ff698118ee4
0x7ff698118ef3
0x7ff698118ef8
0x7ff698118efa
0x7ff698118f02
0x7ff698118f0b
0x7ff698118f0d
0x7ff698118f12
0x7ff698118f15
0x7ff698118f1e
0x7ff698118f20
0x7ff698118f25
0x7ff698118f2d
0x7ff698118f32
0x7ff698118f3c
0x7ff698118f42
0x7ff698118f4a
0x7ff698118f59
0x7ff698118f5e
0x7ff698118f65
0x7ff698118f6a
0x7ff698118f6f
0x7ff698118f7f
0x7ff698118f84
0x7ff698118f93
0x7ff698118f98
0x7ff698118f9a
0x7ff698118fa2
0x7ff698118fa7
0x7ff698118fa9
0x7ff698118fae
0x7ff698118fb1
0x7ff698118fba
0x7ff698118fbc
0x7ff698118fc5
0x7ff698118fcd
0x7ff698118fcf
0x7ff698118fd4
0x7ff698118fd7
0x7ff698118fe0
0x7ff698118fe2
0x7ff698118fea
0x7ff698118fec
0x7ff698118ff1
0x7ff698118ffd
0x7ff698119001
0x7ff698119005
0x7ff69811900d
0x7ff698119014
0x7ff698119019
0x7ff698119024
0x7ff698119027
0x7ff69811902d
0x7ff698119037
0x7ff698119040
0x7ff698119045
0x7ff69811904b
0x7ff698119053
0x7ff69811905c
0x7ff69811905e
0x7ff698119063
0x7ff698119066
0x7ff69811906f
0x7ff698119071
0x7ff69811907a
0x7ff69811907f
0x7ff698119087
0x7ff698119092
0x7ff69811909a
0x7ff6981190a0
0x7ff6981190a2
0x7ff6981190a9
0x7ff6981190b1
0x7ff6981190b8
0x7ff6981190ba
0x7ff6981190c1
0x7ff6981190c3
0x7ff6981190c7
0x7ff6981190ca
0x7ff6981190cd
0x7ff6981190cf
0x7ff6981190d4
0x7ff6981190dc
0x7ff6981190df
0x7ff6981190e4
0x7ff6981190ec
0x7ff6981190ef
0x7ff6981190fa
0x7ff698119100
0x7ff698119107
0x7ff69811910b
0x7ff69811910f
0x7ff698119116
0x7ff698119127
0x7ff698119129
0x7ff69811912e
0x7ff698119136
0x7ff69811913e
0x7ff69811914b
0x7ff698119151
0x7ff698119156
0x7ff69811915e
0x7ff69811915e
0x7ff698119162
0x7ff698119167
0x7ff69811916a
0x7ff698119172
0x7ff698119177
0x7ff69811917c
0x7ff698119181
0x7ff698119187
0x7ff69811918c
0x7ff6981191a7
0x7ff6981191ac
0x7ff6981191b0
0x7ff6981191b5
0x7ff6981191b9
0x7ff6981191c0
0x7ff6981191c6
0x7ff6981191ce
0x7ff6981191d4
0x7ff6981191f6

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118DB5

Part of subcall function 00007FF698118BD0: SetEvent.KERNEL32 ref: 00007FF698118C45

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118DCE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118DE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118DF4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118E07
CloseHandle.KERNEL32 ref: 00007FF698118E52
SetEvent.KERNEL32 ref: 00007FF698118E60
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118E6B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118E7E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118E90
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118EA3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118ED2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118EE4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118EFA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118F0D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118F20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118F9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118FA9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118FBC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118FCF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118FE2
CloseHandle.KERNEL32 ref: 00007FF698119045
SetEvent.KERNEL32 ref: 00007FF698119053
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811905E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698119071
CloseHandle.KERNEL32 ref: 00007FF6981190A2
CloseHandle.KERNEL32 ref: 00007FF6981191D6

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseHandle$Event
String ID:
API String ID: 2169016680-0
Opcode ID: ccb0c04af5b048eba43420b57f02c5b60818a04f1f3508e1cd6e1abe130cdd7e
Instruction ID: 5e10757a4ad193928842262bb29edfc672da12f26dd702c22a04a90c3fc62f8f
Opcode Fuzzy Hash: ccb0c04af5b048eba43420b57f02c5b60818a04f1f3508e1cd6e1abe130cdd7e
Instruction Fuzzy Hash: 0AD1CD22A09A4381EA70AF31D44477D63A9FF60B94FD98172DAADD7695CF3CE840C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698110EF0 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF698110EF0(void* __ebx, signed long long __ecx, signed int __esi, void* __rax, long long __rbx, void* __rcx, char* __rdx, void* __r8, void* __r11) {
				void* __rsi;
				void* __rbp;
				int _t188;
				int _t193;
				signed int _t196;
				char _t207;
				signed int _t214;
				signed int _t220;
				int _t224;
				long _t228;
				void* _t234;
				signed int _t236;
				signed int _t237;
				char _t250;
				signed int _t283;
				void* _t285;
				signed int _t288;
				signed int _t290;
				signed long long _t360;
				signed long long _t361;
				intOrPtr _t364;
				signed int* _t371;
				signed int* _t386;
				signed long long _t388;
				intOrPtr* _t389;
				void* _t390;
				signed short* _t391;
				signed long long _t392;
				intOrPtr _t395;
				intOrPtr _t408;
				intOrPtr* _t417;
				char* _t427;
				intOrPtr _t430;
				int _t442;
				short* _t444;
				char* _t445;
				char* _t446;
				short* _t449;
				signed int* _t450;
				int _t454;
				intOrPtr* _t456;
				signed short* _t457;
				void* _t461;
				signed long long _t462;
				void* _t467;
				void* _t474;
				int _t476;
				char* _t477;
				void* _t479;
				void* _t481;
				signed long long _t483;
				signed long long _t485;
				void* _t489;
				signed long long _t491;

				_t475 = __r11;
				_t464 = __r8;
				_t427 = __rdx;
				_t283 = __esi;
				_t234 = __ebx;
				 *((long long*)(_t461 + 0x20)) = __rbx;
				E00007FF67FF69812C0A0(0x1b30, __rax, _t474, __r11);
				_t462 = _t461 - __rax;
				_t360 =  *0x98140430; // 0x4918c2c043f
				_t361 = _t360 ^ _t462;
				 *(_t462 + 0x1b20) = _t361;
				r13d = r8d;
				_t477 = __rdx;
				_t388 = __ecx;
				 *(_t462 + 0x40) = 0;
				if (r8d != 0) goto 0x98110f3c;
				goto 0x98111623;
				if (__rdx != 0) goto 0x98110f6f;
				E00007FF67FF6981078CC(_t361);
				 *_t361 =  *_t361 & 0;
				E00007FF67FF6981078AC(_t361);
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t442;
				r9d = 0;
				r8d = 0;
				 *_t361 = 0x16;
				E00007FF67FF698104430(_t361, __ecx, __rcx, __rdx, _t444, _t454, __r8, _t489, _t481);
				goto 0x98111623;
				_t483 = _t388 >> 5;
				r15d = r15d & 0x0000001f;
				_t395 =  *((intOrPtr*)(0x981489e0 + _t483 * 8));
				 *(_t462 + 0x50) = _t483;
				_t491 = _t388 * 0x58;
				sil =  *(_t491 + _t395 + 0x38);
				sil = sil + sil;
				sil = sil >> 1;
				if (sil == 2) goto 0x98110fa8;
				if (sil != 1) goto 0x98110fb1;
				if (( !r13d & 0x00000001) == 0) goto 0x98110f41;
				if (( *(_t491 + _t395 + 8) & 0x00000020) == 0) goto 0x98110fc6;
				_t17 = _t427 + 2; // 0x2
				r8d = _t17;
				E00007FF67FF698114D74(_t234, _t234, 0x981489e0, _t388, _t427);
				if (E00007FF67FF698114F44(_t234, 0x981489e0, _t388, _t444, _t454, _t464) == 0) goto 0x981112c6;
				_t364 =  *((intOrPtr*)(0x981489e0 + _t483 * 8));
				if (( *(_t491 + 0x7ff6981489e8) & 0x00000080) == 0) goto 0x981112c6;
				E00007FF67FF69810B93C(_t234,  *(_t491 + 0x7ff6981489e8) & 0x00000080, _t364);
				_t236 = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t364 + 0xc0)) + 0x14)) == 0x00000000;
				if (GetConsoleMode(_t479) == 0) goto 0x981112c6;
				if (_t236 == 0) goto 0x9811102f;
				if (sil == 0) goto 0x981112c6;
				_t188 = GetConsoleCP();
				 *(_t462 + 0x4c) =  *(_t462 + 0x4c) & 0;
				_t389 = _t477;
				 *(_t462 + 0x58) = _t188;
				if (r13d == 0) goto 0x981112c0;
				r14d =  *(_t462 + 0x58);
				if (sil != 0) goto 0x981111df;
				_t250 =  *_t389;
				r14d = 0;
				_t430 =  *((intOrPtr*)(0x981489e0 +  *(_t462 + 0x50) * 8));
				r14b = _t250 == 0xa;
				if ( *(_t491 + _t430 + 0x50) == 0) goto 0x981110a1;
				 *((char*)(_t462 + 0x5d)) = _t250;
				r8d = 2;
				 *((char*)(_t462 + 0x5c)) =  *((intOrPtr*)(_t491 + _t430 + 0x4c));
				 *(_t491 + _t430 + 0x50) =  *(_t491 + _t430 + 0x50) & 0x00000000;
				goto 0x981110ea;
				if (E00007FF67FF69810FA14(_t250,  *(_t491 + _t430 + 0x50), 0x981489e0, _t475) == 0) goto 0x981110e1;
				if (_t479 - _t389 + _t477 - 1 <= 0) goto 0x9811128f;
				r8d = 2;
				if (E00007FF67FF69811554C(0, _t479 - _t389 + _t477 - 1, _t389, _t462 + 0x44, _t444, _t467) == 0xffffffff) goto 0x98111252;
				_t390 = _t389 + 1;
				goto 0x981110fd;
				r8d = 1;
				if (E00007FF67FF69811554C(0, E00007FF67FF69811554C(0, _t479 - _t389 + _t477 - 1, _t389, _t462 + 0x44, _t444, _t467) - 0xffffffff, _t390, _t462 + 0x44, _t444, _t467) == 0xffffffff) goto 0x98111252;
				 *(_t462 + 0x38) =  *(_t462 + 0x38) & 0x00000000;
				 *(_t462 + 0x30) =  *(_t462 + 0x30) & 0x00000000;
				r9d = 1;
				 *((intOrPtr*)(_t462 + 0x28)) = 5;
				_t391 = _t390 + 1;
				 *(_t462 + 0x20) = _t462 + 0x5c;
				_t193 = WideCharToMultiByte(_t476, _t442, _t444, _t454);
				_t288 = _t193;
				if (_t193 == 0) goto 0x98111252;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				r8d = _t288;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x981112b6;
				if ( *(_t462 + 0x4c) - _t288 < 0) goto 0x98111252;
				if (r14d == 0) goto 0x98111244;
				_t371 =  *(_t462 + 0x50);
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				 *((intOrPtr*)(_t462 + 0x5c)) = bpl;
				r8d = 0x7ff6981489d4;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x981112b6;
				if ( *(_t462 + 0x4c) - 1 < 0) goto 0x98111252;
				 *(_t462 + 0x40) =  *(_t462 + 0x40) + 1;
				goto 0x98111244;
				if (sil == 1) goto 0x981111eb;
				if (sil != 2) goto 0x98111202;
				_t196 =  *_t391 & 0x0000ffff;
				r14d = 0;
				 *(_t462 + 0x44) = _t196;
				r14b = _t196 == 0xa;
				_t392 =  &(_t391[1]);
				if (sil == 1) goto 0x9811120e;
				if (sil != 2) goto 0x98111244;
				if (E00007FF67FF698115A0C( *(_t462 + 0x44) & 0x0000ffff) !=  *(_t462 + 0x44)) goto 0x981112b6;
				if (r14d == 0) goto 0x98111244;
				 *(_t462 + 0x44) = 0xd;
				if (E00007FF67FF698115A0C(0xd) !=  *(_t462 + 0x44)) goto 0x981112b6;
				 *(_t462 + 0x40) =  *(_t462 + 0x40) + 1;
				if (_t236 - r12d - r13d < 0) goto 0x98111053;
				_t237 =  *(_t462 + 0x4c);
				_t290 =  *(_t462 + 0x40);
				if (_t236 - r12d +  *(_t462 + 0x40) + 4 != 0) goto 0x9811161f;
				if (_t237 == 0) goto 0x981115e9;
				if (_t237 != 5) goto 0x981115dd;
				E00007FF67FF6981078AC(_t371);
				 *_t371 = 9;
				E00007FF67FF6981078CC(_t371);
				 *_t371 = _t237;
				goto 0x98110f67;
				_t485 =  *(_t462 + 0x50);
				 *((char*)(_t491 +  *((intOrPtr*)(0x981489e0 + _t485 * 8)) + 0x4c)) =  *_t392;
				 *(_t491 +  *((intOrPtr*)(0x981489e0 + _t485 * 8)) + 0x50) = 1;
				goto 0x9811125b;
				GetLastError();
				goto 0x98111256;
				goto 0x98111267;
				_t408 =  *((intOrPtr*)(0x981489e0 + _t485 * 8));
				if (( *(_t491 + _t408 + 8) & 0x00000080) == 0) goto 0x981115a7;
				_t456 = _t477;
				if (sil != 0) goto 0x981113bb;
				if (r13d == 0) goto 0x981115f0;
				_t111 = _t392 + 0xd; // 0xd
				r14d =  *(_t462 + 0x40);
				_t445 = _t462 + 0x720;
				if (_t290 - r12d - r13d >= 0) goto 0x98111336;
				_t207 =  *_t456;
				_t457 = _t456 + 1;
				if (_t207 != 0xa) goto 0x98111325;
				 *_t445 = _t111;
				r14d = r14d + 1;
				_t446 = _t445 + 1;
				 *_t446 = _t207;
				if (_t408 + 2 - 0x13ff < 0) goto 0x98111306;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t392;
				r8d = _t283;
				r8d = r8d - _t207;
				 *(_t462 + 0x40) = r14d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x981113ae;
				if ( *((intOrPtr*)(_t462 + 0x48)) - _t446 + 1 - _t462 + 0x720 < 0) goto 0x9811125b;
				if (_t290 - r12d - r13d < 0) goto 0x981112f7;
				goto 0x9811125b;
				GetLastError();
				goto 0x9811125b;
				if (sil != 2) goto 0x98111499;
				if (r13d == 0) goto 0x981115f0;
				r14d =  *(_t462 + 0x40);
				_t449 = _t462 + 0x720;
				if (_t290 - r12d - r13d >= 0) goto 0x9811141d;
				_t214 =  *_t457 & 0x0000ffff;
				if (_t214 != 0xa) goto 0x98111409;
				 *_t449 = 0xd;
				r14d = r14d + 2;
				_t450 = _t449 + 2;
				 *_t450 = _t214;
				if ( *((intOrPtr*)(_t491 +  *((intOrPtr*)(0x981489e0 +  *(_t462 + 0x50) * 8)))) + 4 - 0x13fe < 0) goto 0x981113e2;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t392;
				r8d = _t283;
				r8d = r8d - _t214;
				 *(_t462 + 0x40) = r14d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x981113ae;
				if ( *((intOrPtr*)(_t462 + 0x48)) -  &(_t450[0]) - _t462 + 0x720 < 0) goto 0x9811125b;
				if (_t290 - r12d - r13d < 0) goto 0x981113d3;
				goto 0x9811125b;
				if (r13d == 0) goto 0x981115f0;
				r8d = 0xd;
				_t417 = _t462 + 0x70;
				if (_t290 - r12d - r13d >= 0) goto 0x981114e7;
				_t220 = _t457[1] & 0x0000ffff;
				if (_t220 != 0xa) goto 0x981114d3;
				 *_t417 = r8w;
				 *(_t417 + 2) = _t220;
				if (_t462 + 0x724 - 0x6a8 < 0) goto 0x981114af;
				 *(_t462 + 0x38) =  *(_t462 + 0x38) & 0x00000000;
				 *(_t462 + 0x30) =  *(_t462 + 0x30) & 0x00000000;
				 *((intOrPtr*)(_t462 + 0x28)) = 0xd55;
				asm("cdq");
				r9d = 0 - _t220 >> 1;
				 *(_t462 + 0x20) = _t462 + 0x720;
				_t224 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				r14d = _t224;
				if (_t224 == 0) goto 0x981112b6;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				r8d = r14d;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x9811157d;
				_t285 = 0 +  *((intOrPtr*)(_t462 + 0x48));
				if (r14d - _t285 > 0) goto 0x98111538;
				goto 0x98111585;
				GetLastError();
				if (r14d - _t285 > 0) goto 0x98111256;
				r8d = 0xd;
				if (_t290 - r12d - r13d < 0) goto 0x981114a8;
				goto 0x98111256;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t442;
				r8d = r13d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0x981115d0;
				goto 0x9811125f;
				_t228 = GetLastError();
				goto 0x9811125f;
				E00007FF67FF6981078EC(_t228,  *(_t462 + 0x50));
				goto 0x98110f67;
				_t386 =  *((intOrPtr*)(0x981489e0 +  *(_t462 + 0x50) * 8));
				if (( *(_t491 + 0x7ff6981489e8) & 0x00000040) == 0) goto 0x98111607;
				if ( *_t477 == 0x1a) goto 0x98110f35;
				E00007FF67FF6981078AC(_t386);
				 *0x981489e0 = 0x1c;
				E00007FF67FF6981078CC(_t386);
				 *_t386 =  *_t386 & 0x00000000;
				goto 0x98110f67;
				return E00007FF67FF698104050(_t228,  *(_t462 + 0x1b20) ^ _t462, _t477, _t462 + 0x70, _t462 + 0x48);
			}

0x7ff698110ef0
0x7ff698110ef0
0x7ff698110ef0
0x7ff698110ef0
0x7ff698110ef0
0x7ff698110ef0
0x7ff698110f05
0x7ff698110f0a
0x7ff698110f0d
0x7ff698110f14
0x7ff698110f17
0x7ff698110f23
0x7ff698110f26
0x7ff698110f29
0x7ff698110f2c
0x7ff698110f33
0x7ff698110f37
0x7ff698110f3f
0x7ff698110f41
0x7ff698110f46
0x7ff698110f48
0x7ff698110f4d
0x7ff698110f52
0x7ff698110f55
0x7ff698110f5c
0x7ff698110f62
0x7ff698110f6a
0x7ff698110f7c
0x7ff698110f80
0x7ff698110f84
0x7ff698110f88
0x7ff698110f8d
0x7ff698110f91
0x7ff698110f96
0x7ff698110f99
0x7ff698110fa0
0x7ff698110fa6
0x7ff698110faf
0x7ff698110fb7
0x7ff698110fbd
0x7ff698110fbd
0x7ff698110fc1
0x7ff698110fcf
0x7ff698110fdc
0x7ff698110fe6
0x7ff698110fec
0x7ff698111011
0x7ff69811101c
0x7ff698111024
0x7ff698111029
0x7ff69811102f
0x7ff698111035
0x7ff698111039
0x7ff69811103c
0x7ff698111043
0x7ff698111049
0x7ff698111056
0x7ff698111061
0x7ff698111063
0x7ff698111070
0x7ff698111075
0x7ff69811107f
0x7ff698111086
0x7ff69811108a
0x7ff698111090
0x7ff698111094
0x7ff69811109f
0x7ff6981110ab
0x7ff6981110ba
0x7ff6981110c5
0x7ff6981110d6
0x7ff6981110dc
0x7ff6981110df
0x7ff6981110e1
0x7ff6981110f7
0x7ff6981110fd
0x7ff698111103
0x7ff698111117
0x7ff69811111f
0x7ff698111127
0x7ff69811112a
0x7ff69811112f
0x7ff698111135
0x7ff698111139
0x7ff698111144
0x7ff698111163
0x7ff69811116e
0x7ff698111181
0x7ff69811118f
0x7ff698111195
0x7ff69811119a
0x7ff6981111a0
0x7ff6981111b1
0x7ff6981111ca
0x7ff6981111d5
0x7ff6981111d7
0x7ff6981111dd
0x7ff6981111e3
0x7ff6981111e9
0x7ff6981111eb
0x7ff6981111ee
0x7ff6981111f5
0x7ff6981111fa
0x7ff6981111fe
0x7ff698111206
0x7ff69811120c
0x7ff69811121d
0x7ff698111229
0x7ff69811122d
0x7ff69811123c
0x7ff698111240
0x7ff69811124c
0x7ff698111252
0x7ff69811125b
0x7ff698111261
0x7ff698111269
0x7ff698111272
0x7ff698111278
0x7ff69811127d
0x7ff698111283
0x7ff698111288
0x7ff69811128a
0x7ff698111291
0x7ff69811129d
0x7ff6981112a7
0x7ff6981112b4
0x7ff6981112b6
0x7ff6981112be
0x7ff6981112c4
0x7ff6981112cd
0x7ff6981112d7
0x7ff6981112df
0x7ff6981112e5
0x7ff6981112ee
0x7ff6981112f4
0x7ff6981112f7
0x7ff6981112fc
0x7ff69811130e
0x7ff698111310
0x7ff698111313
0x7ff698111318
0x7ff69811131a
0x7ff69811131c
0x7ff69811131f
0x7ff698111328
0x7ff698111334
0x7ff698111336
0x7ff698111343
0x7ff698111346
0x7ff698111350
0x7ff698111377
0x7ff698111390
0x7ff6981113a3
0x7ff6981113a9
0x7ff6981113ae
0x7ff6981113b6
0x7ff6981113bf
0x7ff6981113c8
0x7ff6981113d3
0x7ff6981113d8
0x7ff6981113ea
0x7ff6981113ec
0x7ff6981113f8
0x7ff6981113fa
0x7ff6981113fd
0x7ff698111401
0x7ff69811140d
0x7ff69811141b
0x7ff69811141d
0x7ff69811142a
0x7ff69811142d
0x7ff698111437
0x7ff69811145e
0x7ff69811147b
0x7ff69811148e
0x7ff698111494
0x7ff69811149c
0x7ff6981114a2
0x7ff6981114a8
0x7ff6981114b7
0x7ff6981114b9
0x7ff6981114c5
0x7ff6981114c7
0x7ff6981114d7
0x7ff6981114e5
0x7ff6981114e7
0x7ff6981114ed
0x7ff6981114ff
0x7ff69811150e
0x7ff698111515
0x7ff698111520
0x7ff698111525
0x7ff69811152b
0x7ff698111530
0x7ff69811153d
0x7ff69811154e
0x7ff698111561
0x7ff698111570
0x7ff698111572
0x7ff698111579
0x7ff69811157b
0x7ff69811157d
0x7ff698111588
0x7ff698111590
0x7ff69811159c
0x7ff6981115a2
0x7ff6981115ab
0x7ff6981115b5
0x7ff6981115c3
0x7ff6981115cb
0x7ff6981115d0
0x7ff6981115d8
0x7ff6981115df
0x7ff6981115e4
0x7ff6981115f0
0x7ff6981115fa
0x7ff698111601
0x7ff698111607
0x7ff69811160c
0x7ff698111612
0x7ff698111617
0x7ff69811161a
0x7ff69811164d

APIs

__doserrno.LIBCMT ref: 00007FF698110F41
_errno.LIBCMT ref: 00007FF698110F48

Strings

U, xrefs: 00007FF6981114FF

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: b58e01479b693e4d3fc4ee5255ae4a2aff408e3cce59a02e304553b3b8b91440
Instruction ID: 69a11514aa8118b44ad55a3de8ca8f5cbb48707c3b7721814b298e254f8b9482
Opcode Fuzzy Hash: b58e01479b693e4d3fc4ee5255ae4a2aff408e3cce59a02e304553b3b8b91440
Instruction Fuzzy Hash: 52121422A1C64386EB748F35E4443BEA7A0FBA4784F945176DA4EC3A94DF3DE445CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114B80 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114BBD
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114BD9
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C01
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C0A
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C20
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C29
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C3F
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C48
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C66
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114C6F
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114CA1
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114CB0
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114D08
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114D28
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF69810BEF0,?,?,?,?,?,00007FF69810BF84), ref: 00007FF698114D41

Strings

GetProcessWindowStation, xrefs: 00007FF698114C5C
GetLastActivePopup, xrefs: 00007FF698114C0F
MessageBoxA, xrefs: 00007FF698114BCF
USER32.DLL, xrefs: 00007FF698114BB6
GetActiveWindow, xrefs: 00007FF698114BF0
GetUserObjectInformationA, xrefs: 00007FF698114C2E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: a389ad23ff19189e30bc8357c642974d605cec1610676e8388d2556dc910d0fd
Instruction ID: 8b45ad53c435a0ba6adbda7976755fb5415e0d3a86a2a73d171d4f8476b0a6bf
Opcode Fuzzy Hash: a389ad23ff19189e30bc8357c642974d605cec1610676e8388d2556dc910d0fd
Instruction Fuzzy Hash: 1A51E720A0AB0340EE75DB72B81467822A1EF96B84FC444B9DD1EC77A5EE2DE452C31D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810A728 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A79A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A7B0
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A85A
malloc.LIBCMT ref: 00007FF69810A8CB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A902
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A927
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810A977
malloc.LIBCMT ref: 00007FF69810A9CA
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810AA04
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810AA47
free.LIBCMT ref: 00007FF69810AA58
free.LIBCMT ref: 00007FF69810AA66
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810AAF5
malloc.LIBCMT ref: 00007FF69810AB63
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810ABAC
free.LIBCMT ref: 00007FF69810ABF4
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF69810ACD9), ref: 00007FF69810AC14
free.LIBCMT ref: 00007FF69810AC26
free.LIBCMT ref: 00007FF69810AC38

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: deef6aef4076a8aecc8c09d005643f978d232f5a9d69fe706d5c65247fb8c331
Instruction ID: 81f8b7ffd6fdec75f8a8d29c56f280adf6f2b39ec56f9a5dec3a7688e36a891e
Opcode Fuzzy Hash: deef6aef4076a8aecc8c09d005643f978d232f5a9d69fe706d5c65247fb8c331
Instruction Fuzzy Hash: 48F1C232A086838AE7308F3498409AD77A1FB48798F944675EA5ED7BD4DF3CE951C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F9DE0 Relevance: 27.4, APIs: 18, Instructions: 428
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 60%

			E00007FF67FF6980F9DE0(long long __rax, long long __rcx, long long __rdx, void* __r8, signed long long __r9, long long _a8, long long _a16, signed int _a24, signed int _a32) {
				long long _v88;
				char _v104;
				char _v120;
				char _v136;
				signed int* _v144;
				long long _v152;
				signed int* _v160;
				long long _v168;
				signed int* _v176;
				long long _v184;
				signed long long _v200;
				signed int _v208;
				long long _v216;
				signed int* _v224;
				long long _v232;
				char _v256;
				signed int _v264;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* _t200;
				signed int _t211;
				long long _t297;
				long long _t298;
				long long _t300;
				long long _t301;
				long long _t304;
				long long _t306;
				long long _t307;
				long long _t310;
				long long _t312;
				long long _t313;
				signed int* _t324;
				signed int* _t325;
				signed int* _t326;
				signed int* _t331;
				signed int* _t332;
				signed int* _t333;
				signed int* _t338;
				signed int* _t339;
				signed int* _t340;
				void* _t351;
				void* _t355;
				void* _t359;
				void* _t363;
				void* _t365;
				long long _t366;
				intOrPtr* _t367;
				long long _t368;
				intOrPtr* _t369;
				long long _t370;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t373;
				void* _t374;
				signed int* _t375;
				void* _t376;
				long long _t377;
				void* _t383;
				signed long long _t384;
				signed int* _t393;
				void* _t396;
				void* _t398;

				_t384 = __r9;
				_t383 = __r8;
				_t282 = __rax;
				_a24 = r8d;
				_a16 = __rdx;
				_a8 = __rcx;
				_v88 = 0xfffffffe;
				_t211 = r8d;
				_t377 = __rdx;
				_t297 = __rcx;
				_a32 = 0;
				E00007FF67FF6981045E0(__rax, __rcx);
				if (__rax == 0) goto 0x980f9e3b;
				 *((long long*)(__rax)) =  &_v256;
				goto 0x980f9e3d;
				_v256 = __rax;
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				if (_t211 != 0) goto 0x980f9eab;
				E00007FF67FF6980FA460(__rax, _t297, _t297,  &_v256, _t365, _t372, __r8);
				if (_v232 == 0) goto 0x980f9e7e;
				E00007FF67FF6981044D8(_t282, _t297, _v232,  &_v256, _t372, _t383, _t384);
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				E00007FF67FF6981044D8(_t282, _t297, _v256,  &_v256, _t372, _t383, _t384);
				goto 0x980fa440;
				_t351 = _t365;
				E00007FF67FF6980FA530(_t200, _t297, _t297,  &_v256, _t351, _t372, _t383, _t384);
				r8d = 0;
				_v208 = r8d;
				r9d = 0;
				_v200 = _t384;
				if (_t211 == 0) goto 0x980fa3fb;
				_t324 = _v224;
				_t298 = _v232;
				asm("o16 nop [eax+eax]");
				sil = 0x41;
				r14d = sil & 0xffffffff;
				r13d = sil & 0xffffffff;
				_a32 = sil;
				_t25 = _t383 + 1; // 0x1
				if (_t25 - _t211 >= 0) goto 0x980f9f07;
				_t29 = _t383 + 2; // 0x2
				if (_t29 - _t211 >= 0) goto 0x980f9f14;
				r14b =  *((intOrPtr*)(_t377 + 4 + _t384 * 2));
				_t33 = _t383 + 3; // 0x3
				if (_t33 - _t211 >= 0) goto 0x980f9f29;
				r13b =  *((intOrPtr*)(_t377 + 6 + _t384 * 2));
				_a32 = r13b;
				_t38 = _t351 - 0x41; // 0x0
				if (_t38 - 0x19 > 0) goto 0x980f9f35;
				goto 0x980f9f56;
				_t39 = _t351 - 0x61; // -32
				if (_t39 - 0x19 > 0) goto 0x980f9f41;
				goto 0x980f9f56;
				_t40 = _t351 - 0x30; // 0x11
				if (_t40 - 9 > 0) goto 0x980f9f4d;
				goto 0x980f9f56;
				_t43 = _t372 - 0x41; // 0x29a4fdf
				if (_t43 - 0x19 > 0) goto 0x980f9f63;
				sil = sil - 0x41;
				goto 0x980f9f89;
				_t44 = _t372 - 0x61; // 0x29a4fbf
				if (_t44 - 0x19 > 0) goto 0x980f9f70;
				sil = sil - 0x47;
				goto 0x980f9f89;
				_t45 = _t372 - 0x30; // 0x29a4ff0
				if (_t45 - 9 > 0) goto 0x980f9f7d;
				sil = sil + 4;
				goto 0x980f9f89;
				sil = sil != 0x2b;
				sil = sil + 0x3e;
				if (_t398 - 0x41 - 0x19 > 0) goto 0x980f9f97;
				goto 0x980f9fbf;
				if (_t398 - 0x61 - 0x19 > 0) goto 0x980f9fa5;
				goto 0x980f9fbf;
				if (_t398 - 0x30 - 9 > 0) goto 0x980f9fb3;
				goto 0x980f9fbf;
				bpl = r14b != 0x2b;
				bpl = bpl + 0x3e;
				_t52 = _t396 - 0x41; // -65
				if (_t52 - 0x19 > 0) goto 0x980f9fcd;
				_t53 = _t396 - 0x41; // -65
				r15d = _t53;
				goto 0x980f9ff5;
				_t54 = _t396 - 0x61; // -97
				if (_t54 - 0x19 > 0) goto 0x980f9fdb;
				_t55 = _t396 - 0x47; // -71
				r15d = _t55;
				goto 0x980f9ff5;
				_t56 = _t396 - 0x30; // -48
				if (_t56 - 9 > 0) goto 0x980f9fe9;
				_t57 = _t396 + 4; // 0x4
				r15d = _t57;
				goto 0x980f9ff5;
				r15b = r13b != 0x2b;
				r15b = r15b + 0x3e;
				r8d = sil & 0xffffffff;
				r8b = r8b >> 4;
				r8b = r8b | (( *(_t377 + _t384 * 2) & 0x000000ff) - 0xfffffffffffffffa + 0x00000004 & 0xffffff00 | ( *(_t377 + _t384 * 2) & 0x000000ff) - 0xfffffffffffffffa + 0x00000004 != 0x0000002b) + 0x0000003e << 0x00000002;
				_v264 = r8b;
				if (_t298 != 0) goto 0x980fa011;
				goto 0x980fa019;
				if (_t324 - _t298 - _v216 - _t298 >= 0) goto 0x980fa039;
				 *_t324 = r8b;
				_t325 =  &(_t324[0]);
				_v224 = _t325;
				goto 0x980fa140;
				_t393 = _t325;
				if (_v232 - _t325 <= 0) goto 0x980fa050;
				E00007FF67FF6981044B8();
				_t326 = _v224;
				_t300 = _v232;
				_t366 = _v256;
				_v168 = _t366;
				_v160 = _t393;
				if (_t326 != _t300) goto 0x980fa06f;
				r12d = 0;
				goto 0x980fa08d;
				if (_t300 - _t326 <= 0) goto 0x980fa079;
				E00007FF67FF6981044B8();
				if (_t366 == 0) goto 0x980fa085;
				if (_t366 == _v256) goto 0x980fa08a;
				E00007FF67FF6981044B8();
				asm("movaps xmm0, [esp+0x80]");
				asm("movdqa [esp+0xa0], xmm0");
				r8d = 1;
				E00007FF67FF6980F53A0(_t300,  &_v256,  &_v136, _t372, _t383,  &_v264);
				_t301 = _v232;
				if (_t301 - _v224 <= 0) goto 0x980fa0dc;
				E00007FF67FF6981044B8();
				_t367 = _v256;
				if (_t367 != 0) goto 0x980fa0fa;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fa102;
				_t355 = _t301 + _t393 - _t300;
				if (_t355 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0x980fa11f;
				if (_t367 == 0) goto 0x980fa117;
				goto 0x980fa119;
				if (_t355 -  *((intOrPtr*)( *_t367 + 0x18)) >= 0) goto 0x980fa138;
				E00007FF67FF6981044B8();
				_t331 = _v224;
				_t304 = _v232;
				r13b = _a32;
				goto 0x980fa140;
				r13b = _a32;
				if (r14b == 0x3d) goto 0x980fa27f;
				r8d = bpl & 0xffffffff;
				r8b = r8b >> 2;
				sil = sil << 4;
				r8b = r8b | sil;
				_a32 = r8b;
				if (_t304 != 0) goto 0x980fa16a;
				goto 0x980fa172;
				if (_t331 - _t304 - _v216 - _t304 >= 0) goto 0x980fa192;
				 *_t331 = r8b;
				_t332 =  &(_t331[0]);
				_v224 = _t332;
				goto 0x980fa27f;
				_t373 = _t332;
				if (_v232 - _t332 <= 0) goto 0x980fa1a9;
				E00007FF67FF6981044B8();
				_t333 = _v224;
				_t306 = _v232;
				_t368 = _v256;
				_v184 = _t368;
				_v176 = _t373;
				if (_t333 != _t306) goto 0x980fa1c1;
				goto 0x980fa1df;
				if (_t306 - _t333 <= 0) goto 0x980fa1cb;
				E00007FF67FF6981044B8();
				if (_t368 == 0) goto 0x980fa1d7;
				if (_t368 == _v256) goto 0x980fa1dc;
				E00007FF67FF6981044B8();
				_t374 = _t373 - _t306;
				asm("movaps xmm0, [esp+0x70]");
				asm("movdqa [esp+0xc0], xmm0");
				r8d = 1;
				E00007FF67FF6980F53A0(_t306,  &_v256,  &_v104, _t374, _t383,  &_a32);
				_t307 = _v232;
				if (_t307 - _v224 <= 0) goto 0x980fa22e;
				E00007FF67FF6981044B8();
				_t369 = _v256;
				if (_t369 != 0) goto 0x980fa24c;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fa254;
				_t359 = _t307 + _t374;
				if (_t359 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0x980fa270;
				if (_t369 == 0) goto 0x980fa268;
				goto 0x980fa26a;
				if (_t359 -  *((intOrPtr*)( *_t369 + 0x18)) >= 0) goto 0x980fa27f;
				E00007FF67FF6981044B8();
				_t338 = _v224;
				_t310 = _v232;
				if (r13b == 0x3d) goto 0x980fa3bf;
				bpl = bpl << 6;
				bpl = bpl | r15b;
				_a32 = bpl;
				if (_t310 != 0) goto 0x980fa2a1;
				goto 0x980fa2a9;
				if (_t338 - _t310 - _v216 - _t310 >= 0) goto 0x980fa2c9;
				 *_t338 = bpl;
				_t339 =  &(_t338[0]);
				_v224 = _t339;
				goto 0x980fa3bf;
				_t375 = _t339;
				if (_v232 - _t339 <= 0) goto 0x980fa2e0;
				E00007FF67FF6981044B8();
				_t340 = _v224;
				_t312 = _v232;
				_t370 = _v256;
				_v152 = _t370;
				_v144 = _t375;
				if (_t340 != _t312) goto 0x980fa2fe;
				goto 0x980fa31c;
				if (_t312 - _t340 <= 0) goto 0x980fa308;
				E00007FF67FF6981044B8();
				if (_t370 == 0) goto 0x980fa314;
				if (_t370 == _v256) goto 0x980fa319;
				E00007FF67FF6981044B8();
				_t376 = _t375 - _t312;
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0xb0], xmm0");
				r8d = 1;
				E00007FF67FF6980F53A0(_t312,  &_v256,  &_v120, _t376, _t383,  &_a32);
				_t313 = _v232;
				if (_t313 - _v224 <= 0) goto 0x980fa36e;
				E00007FF67FF6981044B8();
				_t371 = _v256;
				if (_t371 != 0) goto 0x980fa38c;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fa394;
				_t363 = _t376 + _t313;
				if (_t363 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0x980fa3b0;
				if (_t371 == 0) goto 0x980fa3a8;
				goto 0x980fa3aa;
				if (_t363 -  *((intOrPtr*)( *_t371 + 0x18)) >= 0) goto 0x980fa3bf;
				E00007FF67FF6981044B8();
				r8d = _v208;
				r8d = r8d + 4;
				_v208 = r8d;
				_v200 = _v200 + 4;
				if (r8d - _a24 < 0) goto 0x980f9ee0;
				E00007FF67FF6980FA460( *_t371, _a8, _a8,  &_v256, _t371, _t376, _t383);
				if (_v232 == 0) goto 0x980fa418;
				E00007FF67FF6981044D8( *_t371, _a8, _v232,  &_v256, _t376, _t383, _v200 + 4);
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				return E00007FF67FF6981044D8( *_t371, _a8, _v256,  &_v256, _t376, _t383, _v200 + 4);
			}

0x7ff6980f9de0
0x7ff6980f9de0
0x7ff6980f9de0
0x7ff6980f9de0
0x7ff6980f9de5
0x7ff6980f9dea
0x7ff6980f9e02
0x7ff6980f9e0e
0x7ff6980f9e11
0x7ff6980f9e14
0x7ff6980f9e17
0x7ff6980f9e27
0x7ff6980f9e2f
0x7ff6980f9e36
0x7ff6980f9e39
0x7ff6980f9e3d
0x7ff6980f9e42
0x7ff6980f9e4b
0x7ff6980f9e54
0x7ff6980f9e5f
0x7ff6980f9e69
0x7ff6980f9e77
0x7ff6980f9e79
0x7ff6980f9e7e
0x7ff6980f9e87
0x7ff6980f9e90
0x7ff6980f9e9e
0x7ff6980f9ea6
0x7ff6980f9eab
0x7ff6980f9eb3
0x7ff6980f9eb8
0x7ff6980f9ebb
0x7ff6980f9ec0
0x7ff6980f9ec3
0x7ff6980f9eca
0x7ff6980f9ed0
0x7ff6980f9ed5
0x7ff6980f9eda
0x7ff6980f9ee6
0x7ff6980f9ee9
0x7ff6980f9eed
0x7ff6980f9ef1
0x7ff6980f9ef9
0x7ff6980f9eff
0x7ff6980f9f07
0x7ff6980f9f0d
0x7ff6980f9f0f
0x7ff6980f9f14
0x7ff6980f9f1a
0x7ff6980f9f1c
0x7ff6980f9f21
0x7ff6980f9f29
0x7ff6980f9f2e
0x7ff6980f9f33
0x7ff6980f9f35
0x7ff6980f9f3a
0x7ff6980f9f3f
0x7ff6980f9f41
0x7ff6980f9f46
0x7ff6980f9f4b
0x7ff6980f9f56
0x7ff6980f9f5b
0x7ff6980f9f5d
0x7ff6980f9f61
0x7ff6980f9f63
0x7ff6980f9f68
0x7ff6980f9f6a
0x7ff6980f9f6e
0x7ff6980f9f70
0x7ff6980f9f75
0x7ff6980f9f77
0x7ff6980f9f7b
0x7ff6980f9f81
0x7ff6980f9f85
0x7ff6980f9f8f
0x7ff6980f9f95
0x7ff6980f9f9d
0x7ff6980f9fa3
0x7ff6980f9fab
0x7ff6980f9fb1
0x7ff6980f9fb7
0x7ff6980f9fbb
0x7ff6980f9fbf
0x7ff6980f9fc5
0x7ff6980f9fc7
0x7ff6980f9fc7
0x7ff6980f9fcb
0x7ff6980f9fcd
0x7ff6980f9fd3
0x7ff6980f9fd5
0x7ff6980f9fd5
0x7ff6980f9fd9
0x7ff6980f9fdb
0x7ff6980f9fe1
0x7ff6980f9fe3
0x7ff6980f9fe3
0x7ff6980f9fe7
0x7ff6980f9fed
0x7ff6980f9ff1
0x7ff6980f9ff5
0x7ff6980f9ff9
0x7ff6980fa000
0x7ff6980fa003
0x7ff6980fa00b
0x7ff6980fa00f
0x7ff6980fa022
0x7ff6980fa024
0x7ff6980fa027
0x7ff6980fa02a
0x7ff6980fa034
0x7ff6980fa039
0x7ff6980fa03f
0x7ff6980fa041
0x7ff6980fa046
0x7ff6980fa04b
0x7ff6980fa050
0x7ff6980fa055
0x7ff6980fa05d
0x7ff6980fa068
0x7ff6980fa06a
0x7ff6980fa06d
0x7ff6980fa072
0x7ff6980fa074
0x7ff6980fa07c
0x7ff6980fa083
0x7ff6980fa085
0x7ff6980fa08d
0x7ff6980fa095
0x7ff6980fa0a3
0x7ff6980fa0b6
0x7ff6980fa0bb
0x7ff6980fa0cb
0x7ff6980fa0cd
0x7ff6980fa0dc
0x7ff6980fa0e4
0x7ff6980fa0e6
0x7ff6980fa0eb
0x7ff6980fa0f8
0x7ff6980fa102
0x7ff6980fa10b
0x7ff6980fa110
0x7ff6980fa115
0x7ff6980fa11d
0x7ff6980fa11f
0x7ff6980fa124
0x7ff6980fa129
0x7ff6980fa12e
0x7ff6980fa136
0x7ff6980fa138
0x7ff6980fa144
0x7ff6980fa14a
0x7ff6980fa14e
0x7ff6980fa152
0x7ff6980fa156
0x7ff6980fa159
0x7ff6980fa164
0x7ff6980fa168
0x7ff6980fa17b
0x7ff6980fa17d
0x7ff6980fa180
0x7ff6980fa183
0x7ff6980fa18d
0x7ff6980fa192
0x7ff6980fa198
0x7ff6980fa19a
0x7ff6980fa19f
0x7ff6980fa1a4
0x7ff6980fa1a9
0x7ff6980fa1ae
0x7ff6980fa1b3
0x7ff6980fa1bb
0x7ff6980fa1bf
0x7ff6980fa1c4
0x7ff6980fa1c6
0x7ff6980fa1ce
0x7ff6980fa1d5
0x7ff6980fa1d7
0x7ff6980fa1dc
0x7ff6980fa1df
0x7ff6980fa1e4
0x7ff6980fa1f5
0x7ff6980fa208
0x7ff6980fa20d
0x7ff6980fa21d
0x7ff6980fa21f
0x7ff6980fa22e
0x7ff6980fa236
0x7ff6980fa238
0x7ff6980fa23d
0x7ff6980fa24a
0x7ff6980fa254
0x7ff6980fa25c
0x7ff6980fa261
0x7ff6980fa266
0x7ff6980fa26e
0x7ff6980fa270
0x7ff6980fa275
0x7ff6980fa27a
0x7ff6980fa283
0x7ff6980fa289
0x7ff6980fa28d
0x7ff6980fa290
0x7ff6980fa29b
0x7ff6980fa29f
0x7ff6980fa2b2
0x7ff6980fa2b4
0x7ff6980fa2b7
0x7ff6980fa2ba
0x7ff6980fa2c4
0x7ff6980fa2c9
0x7ff6980fa2cf
0x7ff6980fa2d1
0x7ff6980fa2d6
0x7ff6980fa2db
0x7ff6980fa2e0
0x7ff6980fa2e5
0x7ff6980fa2ed
0x7ff6980fa2f8
0x7ff6980fa2fc
0x7ff6980fa301
0x7ff6980fa303
0x7ff6980fa30b
0x7ff6980fa312
0x7ff6980fa314
0x7ff6980fa319
0x7ff6980fa31c
0x7ff6980fa324
0x7ff6980fa335
0x7ff6980fa348
0x7ff6980fa34d
0x7ff6980fa35d
0x7ff6980fa35f
0x7ff6980fa36e
0x7ff6980fa376
0x7ff6980fa378
0x7ff6980fa37d
0x7ff6980fa38a
0x7ff6980fa394
0x7ff6980fa39c
0x7ff6980fa3a1
0x7ff6980fa3a6
0x7ff6980fa3ae
0x7ff6980fa3b0
0x7ff6980fa3bf
0x7ff6980fa3c4
0x7ff6980fa3c8
0x7ff6980fa3d6
0x7ff6980fa3ed
0x7ff6980fa403
0x7ff6980fa411
0x7ff6980fa413
0x7ff6980fa418
0x7ff6980fa421
0x7ff6980fa42a
0x7ff6980fa453

APIs

Part of subcall function 00007FF6981045E0: malloc.LIBCMT ref: 00007FF6981045FA

Part of subcall function 00007FF6980FA530: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA593
Part of subcall function 00007FF6980FA530: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA5A2

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA041
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA074
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA085
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA0CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA0E6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA11F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA19A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA1C6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA1D7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA21F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA238
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA270
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA2D1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA303
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA314
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA35F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA378
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FA3B0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: c150c4ca955c388edfe3a66c9f1b7fa42ad70acee1887465953eb8fb120a1af7
Instruction ID: 3ca7b02e13c62d210fb3c963410a72e651539c201054b65a5edf3a8acdd2374f
Opcode Fuzzy Hash: c150c4ca955c388edfe3a66c9f1b7fa42ad70acee1887465953eb8fb120a1af7
Instruction Fuzzy Hash: 3412C42260C68681EA70DB25E0407BEB361FB95798FD88071EB8D87AC9DF2DE544D70C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698117DE0 Relevance: 24.1, APIs: 16, Instructions: 142
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 23%

			E00007FF67FF698117DE0(void* __ebx, void* __edi, long long __rbx, long long __rbp, void* __r9, long long _a8) {
				void* _v24;
				char _v40;
				char _v56;
				long long _v64;
				long long _v72;
				long long _v88;
				void* __rsi;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t99;
				intOrPtr* _t101;
				intOrPtr* _t113;
				long long _t114;
				intOrPtr* _t115;
				intOrPtr* _t119;

				_t57 = __ebx;
				_t90 = _t119;
				_v88 = 0xfffffffe;
				 *((long long*)(_t90 + 0x10)) = __rbx;
				 *((long long*)(_t90 + 0x18)) = __rbp;
				_t58 =  *0x98141798; // 0xffffffff
				if (_t58 != 0xffffffff) goto 0x98117e0b;
				goto 0x98117e14;
				TlsGetValue(??);
				_t115 = _t90;
				_a8 = _t115;
				if (_t115 == 0) goto 0x98117f9e;
				if ( *((long long*)(_t115 + 0x60)) != 0) goto 0x98117e39;
				if ( *((long long*)(_t115 + 0x18)) == 0) goto 0x98117f77;
				goto 0x98117e40;
				if ( *((long long*)(_t115 + 0x18)) == 0) goto 0x98117e96;
				_t113 =  *((intOrPtr*)(_t115 + 0x18));
				 *((long long*)(_t115 + 0x18)) =  *((intOrPtr*)(_t113 + 8));
				_t101 =  *_t113;
				if (_t101 == 0) goto 0x98117e7b;
				 *((intOrPtr*)( *_t101 + 8))();
				 *((intOrPtr*)( *((intOrPtr*)( *_t113))))();
				GetProcessHeap();
				HeapFree(??, ??, ??);
				GetProcessHeap();
				HeapFree(??, ??, ??);
				if ( *((long long*)(_t115 + 0x18)) != 0) goto 0x98117e40;
				if ( *((long long*)(_t115 + 0x60)) == 0) goto 0x98117e25;
				_t114 =  *((intOrPtr*)( *((intOrPtr*)(_t115 + 0x58))));
				_v64 = _t114;
				_t99 =  *((intOrPtr*)(_t115 + 0x28));
				_v72 = _t99;
				if (_t99 != 0) goto 0x98117ec4;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98117ec7;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0x98117ed2;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t114 + 0x20)) == 0) goto 0x98117f49;
				if (_t99 != 0) goto 0x98117ee8;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98117eeb;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0x98117ef6;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t114 + 0x30)) == 0) goto 0x98117f49;
				if (_t99 != 0) goto 0x98117f0c;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98117f0f;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0x98117f1a;
				E00007FF67FF6981044B8();
				if (_t99 != 0) goto 0x98117f2d;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98117f30;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0x98117f3b;
				E00007FF67FF6981044B8();
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x20)))) + 8))();
				asm("movaps xmm0, [esp+0x30]");
				asm("movdqa [esp+0x40], xmm0");
				_t29 = _t115 + 0x28; // 0x28
				E00007FF67FF6980F5EB0(0, __edi, _t99, _t29,  &_v40, _t115,  &_v56, __r9);
				if ( *((long long*)(_t115 + 0x60)) != 0) goto 0x98117ea0;
				goto 0x98117e25;
				E00007FF67FF6981163B0(_t57, _t99, 0x98144010, 0x7ff6981161c0, _t115);
				_t59 =  *0x98141798; // 0xffffffff
				if (_t59 == 0xffffffff) goto 0x98117f9e;
				TlsSetValue(??, ??);
				_t88 = _t115;
				if (_t88 == 0) goto 0x98117fc8;
				asm("lock add dword [esi+0x8], 0xffffffff");
				if (_t88 != 0) goto 0x98117fc8;
				 *((intOrPtr*)( *_t115))();
				GetProcessHeap();
				return HeapFree(??, ??, ??);
			}

0x7ff698117de0
0x7ff698117de0
0x7ff698117deb
0x7ff698117df4
0x7ff698117df8
0x7ff698117dfc
0x7ff698117e05
0x7ff698117e09
0x7ff698117e0b
0x7ff698117e11
0x7ff698117e14
0x7ff698117e1f
0x7ff698117e2a
0x7ff698117e31
0x7ff698117e37
0x7ff698117e3e
0x7ff698117e40
0x7ff698117e48
0x7ff698117e4c
0x7ff698117e52
0x7ff698117e57
0x7ff698117e65
0x7ff698117e67
0x7ff698117e75
0x7ff698117e7b
0x7ff698117e89
0x7ff698117e94
0x7ff698117e9b
0x7ff698117ea4
0x7ff698117ea7
0x7ff698117eac
0x7ff698117eb0
0x7ff698117eb8
0x7ff698117eba
0x7ff698117ebf
0x7ff698117ec2
0x7ff698117ecb
0x7ff698117ecd
0x7ff698117ed7
0x7ff698117edc
0x7ff698117ede
0x7ff698117ee3
0x7ff698117ee6
0x7ff698117eef
0x7ff698117ef1
0x7ff698117efb
0x7ff698117f00
0x7ff698117f02
0x7ff698117f07
0x7ff698117f0a
0x7ff698117f13
0x7ff698117f15
0x7ff698117f21
0x7ff698117f23
0x7ff698117f28
0x7ff698117f2b
0x7ff698117f34
0x7ff698117f36
0x7ff698117f46
0x7ff698117f49
0x7ff698117f4e
0x7ff698117f5e
0x7ff698117f62
0x7ff698117f6c
0x7ff698117f72
0x7ff698117f85
0x7ff698117f8a
0x7ff698117f93
0x7ff698117f97
0x7ff698117f9e
0x7ff698117fa1
0x7ff698117fa3
0x7ff698117fa8
0x7ff698117fb2
0x7ff698117fb4
0x7ff698117fdc

APIs

TlsGetValue.KERNEL32 ref: 00007FF698117E0B
GetProcessHeap.KERNEL32 ref: 00007FF698117E67
HeapFree.KERNEL32 ref: 00007FF698117E75
GetProcessHeap.KERNEL32 ref: 00007FF698117E7B
HeapFree.KERNEL32 ref: 00007FF698117E89
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117EBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117ECD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117EDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117EF1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117F02
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117F15
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117F23
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698117F36

Part of subcall function 00007FF6981163B0: OpenEventA.KERNEL32 ref: 00007FF698116456
Part of subcall function 00007FF6981163B0: CloseHandle.KERNEL32 ref: 00007FF69811646F
Part of subcall function 00007FF6981163B0: ResetEvent.KERNEL32 ref: 00007FF698116482
Part of subcall function 00007FF6981163B0: CreateEventA.KERNEL32 ref: 00007FF6981164D7
Part of subcall function 00007FF6981163B0: CloseHandle.KERNEL32 ref: 00007FF6981164F0
Part of subcall function 00007FF6981163B0: SetEvent.KERNEL32 ref: 00007FF69811650E
Part of subcall function 00007FF6981163B0: CloseHandle.KERNEL32 ref: 00007FF6981165B4

TlsSetValue.KERNEL32 ref: 00007FF698117F97
GetProcessHeap.KERNEL32 ref: 00007FF698117FB4
HeapFree.KERNEL32 ref: 00007FF698117FC2

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$Heap$Event$CloseFreeHandleProcess$Value$CreateOpenReset
String ID:
API String ID: 3479055706-0
Opcode ID: d7bddb002446de1d6353830d7340297a2e8ea3ae02d25d3a1f121764180d7d71
Instruction ID: c6cbe99f1cbc60fa85999e8c68274bde3861fe3869839c9afd74e159c1206f03
Opcode Fuzzy Hash: d7bddb002446de1d6353830d7340297a2e8ea3ae02d25d3a1f121764180d7d71
Instruction Fuzzy Hash: 1461AC22A19A0783EA759B32D44037D63A1FB64B90F9455B1DA5EC37A8CF3CE841C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812B970 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 271
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF69812B970(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int __rbx, long long __rcx, long long __r8, void* __r10, void* _a16) {
				signed int _v48;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v104;
				long long _v112;
				char _v128;
				char _v136;
				long long _v144;
				intOrPtr _v168;
				char _v176;
				long long _v184;
				intOrPtr _v208;
				char _v216;
				long long _v224;
				long long _v240;
				char _v256;
				char _v264;
				char _v272;
				char _v280;
				void* _v288;
				char _v292;
				signed int _v296;
				char _v304;
				char _v312;
				long long _v328;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed short _t123;
				void* _t136;
				signed int* _t153;
				void* _t160;
				signed long long _t186;
				signed int _t190;
				signed long long _t195;
				signed long long _t196;
				void* _t219;
				void* _t224;
				long long _t243;
				long long _t244;
				signed int* _t245;
				void* _t246;
				void* _t247;
				signed short* _t253;
				signed long long _t261;
				void* _t262;
				void* _t267;
				void* _t268;
				long long _t269;
				void* _t270;

				_t267 = __r10;
				_t140 = __edx;
				_t138 = __ecx;
				_t268 = _t247;
				_v224 = 0xfffffffe;
				 *((long long*)(_t268 + 0x10)) = __rbx;
				_t186 =  *0x98140430; // 0x4918c2c043f
				_v48 = _t186 ^ _t247 - 0x00000140;
				_t244 = __r8;
				_t243 = __rcx;
				 *((long long*)(_t268 - 0x38)) = __rcx;
				r12d = 0;
				_v296 = r12d;
				_t152 = __edx;
				if (__edx != 0) goto 0x9812ba95;
				 *((long long*)(_t268 - 0xe8)) = 7;
				_v240 = _t269;
				_v256 = r12w;
				_t195 = __rbx | 0xffffffff;
				_t261 = _t195;
				r8d = 0;
				E00007FF67FF6980F2390(_t195,  &_v264, __rcx, __rcx, __r8, _t246, __r8, _t261);
				_v328 = _t244;
				r9b = 1;
				E00007FF67FF6980F6710(_t140, _t152, _t195,  &_v288, _t246,  &_v264, _t261);
				E00007FF67FF698116BF0(_t195,  &_v288);
				_t245 = _v288;
				_t153 = _t245;
				if (_t153 == 0) goto 0x9812ba6d;
				asm("lock xadd [esi+0x8], ebx");
				_t136 = __ebx + 0xffffffff;
				if (_t153 != 0) goto 0x9812ba6d;
				 *( *_t245)();
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0x9812ba6d;
				_t16 = _t269 + 0x49; // 0x49
				r9d = _t16;
				_t253 = "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp";
				E00007FF67FF69812AB00(_t136, __ecx, __edi, _t195, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t245, _t246, _t253, _t261);
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0x9812ba7d;
				E00007FF67FF6981044D8( *_t245, _t195,  *((intOrPtr*)(_t243 + 8)), "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t245, _t253, _t261);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				goto 0x9812be31;
				E00007FF67FF69812B410(_t136, _t138, 0,  *((long long*)(_t243 + 0x20)) - 8, _t195,  &_v136,  *((intOrPtr*)(_t243 + 8)), _t246, _t253, _t267);
				r9d = 4;
				_t262 =  <  ? _v112 : _t261;
				_t208 =  >=  ? _v128 :  &_v128;
				r8d = 4;
				_t254 =  <  ? _t262 : _t253;
				_t196 = _t195 | 0xffffffff;
				if (( <  ? _t262 : _t253) == 0) goto 0x9812bb19;
				_t160 =  *((intOrPtr*)( >=  ? _v128 :  &_v128)) - (L"\\\\?\\" & 0x0000ffff);
				if (_t160 != 0) goto 0x9812bb0a;
				if (_t160 != 0) goto 0x9812baf2;
				goto 0x9812bb19;
				r8d = 1;
				r8d =  <  ? _t136 : r8d;
				goto 0x9812bb1c;
				r8d = r12d;
				_t190 = r8d;
				if (r8d != 0) goto 0x9812bb34;
				if (_t262 - 4 < 0) goto 0x9812bb84;
				if ((r12d & 0xffffff00 | _t262 != 0x00000004) != 0) goto 0x9812bb84;
				_t29 = _t190 + 4; // 0x8
				r8d = _t29;
				E00007FF67FF6980F4500(_t190,  &_v136,  &_v176);
				r8d = r8d ^ r8d;
				E00007FF67FF6980F2390(_t196,  &_v136, _t190, _t243, _t245, _t246, ( <  ? _t262 : _t253) - 1, _t196);
				if (_v144 - 8 < 0) goto 0x9812bb84;
				E00007FF67FF6981044D8(_t190, _t196, _v168, _t190, _t245, ( <  ? _t262 : _t253) - 1, _t196);
				r13d = 0x5c;
				_v312 = r13w;
				r9d = _t270 - 0x5b;
				E00007FF67FF6980F4BB0(_t196,  &_v136,  &_v312, _t243, _t245, _t246);
				if (_t190 == 0xffffffff) goto 0x9812bbf5;
				_v304 = r13w;
				r9d = _t270 - 0x5b;
				E00007FF67FF6980F4BB0(_t196,  &_v136,  &_v304, _t243, _t245, _t246);
				r8d = 0;
				E00007FF67FF6980F4500(_t190,  &_v136,  &_v216);
				_v296 = 1;
				goto 0x9812bbfd;
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				_t266 = _t196;
				r8d = 0;
				_t242 =  &_v136;
				E00007FF67FF6980F2390(_t196,  &_v96,  &_v136, _t243, _t245, _t246, _t196, _t196);
				if ((bpl & 0x00000001) == 0) goto 0x9812bc4f;
				if (_v184 - 8 < 0) goto 0x9812bc4f;
				_t123 = E00007FF67FF6981044D8( &_v136, _t196, _v208,  &_v136, _t245, _t196, _t196);
				_t219 =  >=  ? _v88 :  &_v88;
				_v328 =  &_v292;
				r9d = 0;
				__imp__SHParseDisplayName();
				if (_t123 == 0) goto 0x9812bd27;
				if (_t245 == 0) goto 0x9812bc95;
				 *_t245 = _t123 & 0x0000ffff;
				if (_v64 - 8 < 0) goto 0x9812bcad;
				E00007FF67FF6981044D8( &_v292, _t196, _v88,  &_v136, _t245,  &_v280, _t196);
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				if (_v104 - 8 < 0) goto 0x9812bce2;
				E00007FF67FF6981044D8( &_v292, _t196, _v128,  &_v136, _t245,  &_v280, _t196);
				_v104 = 7;
				_v112 = _t269;
				_v128 = r12w;
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0x9812bd0f;
				E00007FF67FF6981044D8( &_v292, _t196,  *((intOrPtr*)(_t243 + 8)),  &_v136, _t245,  &_v280, _t196);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				goto 0x9812be31;
				_t224 =  >=  ? _v128 :  &_v128;
				_v328 =  &_v292;
				r9d = 0;
				__imp__SHParseDisplayName();
				__imp__CoInitializeEx();
				r9d = 0;
				__imp__SHOpenFolderAndSelectItems();
				if (0 == 0) goto 0x9812bd95;
				if (_t245 == 0) goto 0x9812bd95;
				 *_t245 = 0;
				if (0 == 0) goto 0x9812bd9e;
				if (0 != 1) goto 0x9812bda4;
				__imp__CoUninitialize();
				if (_v64 - 8 < 0) goto 0x9812bdbc;
				E00007FF67FF6981044D8( &_v292, _t196, _v88,  &_v136, _t245,  &_v272, _t196);
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				if (_v104 - 8 < 0) goto 0x9812bdf1;
				E00007FF67FF6981044D8( &_v292, _t196, _v128, _t242, _t245,  &_v272, _t266);
				_v104 = 7;
				_v112 = _t269;
				_v128 = r12w;
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0x9812be1e;
				E00007FF67FF6981044D8( &_v292, _t196,  *((intOrPtr*)(_t243 + 8)), _t242, _t245,  &_v272, _t266);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				return E00007FF67FF698104050(0, _v48 ^ _t247 - 0x00000140, _t242,  &_v272, _t266);
			}

0x7ff69812b970
0x7ff69812b970
0x7ff69812b970
0x7ff69812b970
0x7ff69812b981
0x7ff69812b98d
0x7ff69812b991
0x7ff69812b99b
0x7ff69812b9a3
0x7ff69812b9a6
0x7ff69812b9a9
0x7ff69812b9ad
0x7ff69812b9b3
0x7ff69812b9b8
0x7ff69812b9ba
0x7ff69812b9c0
0x7ff69812b9cb
0x7ff69812b9d0
0x7ff69812b9d6
0x7ff69812b9da
0x7ff69812b9dd
0x7ff69812b9e8
0x7ff69812b9ed
0x7ff69812b9f2
0x7ff69812ba06
0x7ff69812ba11
0x7ff69812ba17
0x7ff69812ba1c
0x7ff69812ba1f
0x7ff69812ba21
0x7ff69812ba26
0x7ff69812ba29
0x7ff69812ba33
0x7ff69812ba35
0x7ff69812ba4b
0x7ff69812ba4d
0x7ff69812ba4d
0x7ff69812ba52
0x7ff69812ba67
0x7ff69812ba72
0x7ff69812ba78
0x7ff69812ba7d
0x7ff69812ba85
0x7ff69812ba89
0x7ff69812ba90
0x7ff69812baa0
0x7ff69812baa6
0x7ff69812bab7
0x7ff69812bacc
0x7ff69812bad5
0x7ff69812bade
0x7ff69812bae9
0x7ff69812baf0
0x7ff69812baf5
0x7ff69812baf8
0x7ff69812bb06
0x7ff69812bb08
0x7ff69812bb0a
0x7ff69812bb13
0x7ff69812bb17
0x7ff69812bb19
0x7ff69812bb1c
0x7ff69812bb22
0x7ff69812bb28
0x7ff69812bb36
0x7ff69812bb3b
0x7ff69812bb3b
0x7ff69812bb4f
0x7ff69812bb58
0x7ff69812bb66
0x7ff69812bb75
0x7ff69812bb7f
0x7ff69812bb84
0x7ff69812bb8a
0x7ff69812bb90
0x7ff69812bba4
0x7ff69812bbad
0x7ff69812bbaf
0x7ff69812bbb5
0x7ff69812bbc9
0x7ff69812bbd1
0x7ff69812bbe4
0x7ff69812bbef
0x7ff69812bbf3
0x7ff69812bbfd
0x7ff69812bc09
0x7ff69812bc11
0x7ff69812bc1a
0x7ff69812bc1d
0x7ff69812bc20
0x7ff69812bc2b
0x7ff69812bc35
0x7ff69812bc40
0x7ff69812bc4a
0x7ff69812bc60
0x7ff69812bc6e
0x7ff69812bc73
0x7ff69812bc7d
0x7ff69812bc85
0x7ff69812bc8e
0x7ff69812bc93
0x7ff69812bc9e
0x7ff69812bca8
0x7ff69812bcad
0x7ff69812bcb9
0x7ff69812bcc1
0x7ff69812bcd3
0x7ff69812bcdd
0x7ff69812bce2
0x7ff69812bcee
0x7ff69812bcf6
0x7ff69812bd04
0x7ff69812bd0a
0x7ff69812bd0f
0x7ff69812bd17
0x7ff69812bd1b
0x7ff69812bd22
0x7ff69812bd38
0x7ff69812bd46
0x7ff69812bd4b
0x7ff69812bd55
0x7ff69812bd64
0x7ff69812bd74
0x7ff69812bd81
0x7ff69812bd89
0x7ff69812bd8e
0x7ff69812bd93
0x7ff69812bd97
0x7ff69812bd9c
0x7ff69812bd9e
0x7ff69812bdad
0x7ff69812bdb7
0x7ff69812bdbc
0x7ff69812bdc8
0x7ff69812bdd0
0x7ff69812bde2
0x7ff69812bdec
0x7ff69812bdf1
0x7ff69812bdfd
0x7ff69812be05
0x7ff69812be13
0x7ff69812be19
0x7ff69812be1e
0x7ff69812be26
0x7ff69812be2a
0x7ff69812be57

APIs

Part of subcall function 00007FF698116BF0: GetProcessHeap.KERNEL32 ref: 00007FF698116C23
Part of subcall function 00007FF698116BF0: HeapFree.KERNEL32 ref: 00007FF698116C31

GetProcessHeap.KERNEL32 ref: 00007FF69812BA35
HeapFree.KERNEL32 ref: 00007FF69812BA43
SHParseDisplayName.SHELL32 ref: 00007FF69812BC7D
SHParseDisplayName.SHELL32 ref: 00007FF69812BD55
CoInitializeEx.OLE32 ref: 00007FF69812BD64
SHOpenFolderAndSelectItems.SHELL32 ref: 00007FF69812BD81
CoUninitialize.OLE32 ref: 00007FF69812BD9E

Strings

detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF69812BA60
\\?\, xrefs: 00007FF69812BAE2
D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF69812BA52
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF69812BA59

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Heap$DisplayFreeNameParseProcess$FolderInitializeItemsOpenSelectUninitialize
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$\\?\$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 1792686712-3491708354
Opcode ID: 3a8b11ccadee6583c85372323fada0a20ee016908da08a30510c647ca9ef4f30
Instruction ID: f4af074592fc87f106a0e370bb5426af2f0d5e6afa1164a51567edd7a2248bb2
Opcode Fuzzy Hash: 3a8b11ccadee6583c85372323fada0a20ee016908da08a30510c647ca9ef4f30
Instruction Fuzzy Hash: 42C19032608AC2C1EB309B21E4447FE73A0FB85754F804675DA9D87A95DF3DE599C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114190 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FF67FF698114190(void* __ebx, void* __ecx, void* __eflags, long long __rbx, signed long long __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t53;
				int _t56;
				short _t57;
				void* _t70;
				void* _t118;
				char* _t119;
				char* _t120;
				char* _t121;
				char* _t122;
				intOrPtr* _t125;
				char* _t134;
				signed long long _t144;
				long long _t147;
				intOrPtr* _t148;
				void* _t150;
				void* _t159;
				_Unknown_base(*)()* _t160;
				void* _t161;

				_t159 = __r9;
				_t141 = __rdi;
				_t70 = __ebx;
				_t118 = _t150;
				 *((long long*)(_t118 + 8)) = __rbx;
				 *((long long*)(_t118 + 0x10)) = _t147;
				 *((long long*)(_t118 + 0x18)) = __rsi;
				 *((long long*)(_t118 + 0x20)) = __rdi;
				_t161 = __r8;
				_t148 = __rdx;
				_t144 = __rcx;
				E00007FF67FF69810B93C(__ecx, __eflags, _t118);
				_t5 = _t118 + 0x140; // 0x140
				_t125 = _t5;
				if (__rcx != 0) goto 0x981141cf;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) | 0x00000104;
				goto 0x981142b2;
				_t119 = __rcx + 0x40;
				 *_t125 = __rcx;
				 *((long long*)(_t125 + 8)) = _t119;
				if (_t119 == 0) goto 0x981141f9;
				if ( *_t119 == 0) goto 0x981141f9;
				_t10 = _t125 + 8; // 0x148
				E00007FF67FF6981139B4(0x16, _t125, 0x98132940, __rdi, __rcx, _t10);
				_t120 =  *_t125;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) & 0x00000000;
				if (_t120 == 0) goto 0x9811426e;
				if ( *_t120 == 0) goto 0x9811426e;
				_t121 =  *((intOrPtr*)(_t125 + 8));
				if (_t121 == 0) goto 0x98114222;
				if ( *_t121 == 0) goto 0x98114222;
				E00007FF67FF698114090(_t121, _t125);
				goto 0x9811422a;
				E00007FF67FF698114124(_t121, _t125);
				if ( *(_t125 + 0x10) != 0) goto 0x981142c8;
				if (E00007FF67FF6981139B4(0x40, _t125, 0x98132530, _t141, _t144, _t125) == 0) goto 0x981142be;
				_t122 =  *((intOrPtr*)(_t125 + 8));
				if (_t122 == 0) goto 0x98114264;
				if ( *_t122 == 0) goto 0x98114264;
				E00007FF67FF698114090(_t122, _t125);
				goto 0x981142be;
				_t53 = E00007FF67FF698114124(_t122, _t125);
				goto 0x981142be;
				_t134 =  *((intOrPtr*)(_t125 + 8));
				if (_t134 == 0) goto 0x981142ab;
				if ( *_t134 == 0) goto 0x981142ab;
				E00007FF67FF6981070C0(_t53, _t134);
				 *(_t125 + 0x1c) = 0 | _t122 == 0x00000003;
				EnumSystemLocalesA(_t160);
				if (( *(_t125 + 0x10) & 0x00000004) != 0) goto 0x981142be;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) & 0x00000000;
				goto 0x981142be;
				 *(_t125 + 0x10) = 0x104;
				_t56 = GetUserDefaultLCID();
				 *(_t125 + 0x20) = _t56;
				 *(_t125 + 0x24) = _t56;
				if ( *(_t125 + 0x10) == 0) goto 0x981143db;
				asm("dec eax");
				_t57 = E00007FF67FF698113A4C(_t70, _t122 == 3, _t125, 0x7ff698113b50 & _t144 + 0x00000080, _t125, _t159);
				if (_t57 == 0) goto 0x981143db;
				if (_t57 == 0xfde8) goto 0x981143db;
				if (_t57 == 0xfde9) goto 0x981143db;
				if (IsValidCodePage(??) == 0) goto 0x981143db;
				if (IsValidLocale(??, ??) == 0) goto 0x981143db;
				if (_t148 == 0) goto 0x98114340;
				 *_t148 =  *(_t125 + 0x20) & 0x0000ffff;
				 *((short*)(_t148 + 4)) = _t57;
				 *((short*)(_t148 + 2)) =  *(_t125 + 0x24) & 0x0000ffff;
				if (_t161 == 0) goto 0x981143d4;
				if ( *_t148 != 0x814) goto 0x98114383;
				if (E00007FF67FF69810B72C(_t144 + 0x80, _t161, _t125,  ~_t144, _t148, "Norwegian-Nynorsk") == 0) goto 0x9811439e;
				 *(_t150 - 0x30 + 0x20) =  *(_t150 - 0x30 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				goto 0x9811439e;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x981143db;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x981143db;
				r9d = 0xa;
				_t42 = _t159 + 6; // 0x6
				r8d = _t42;
				E00007FF67FF698106228(_t57);
				goto 0x981143dd;
				return 0;
			}

0x7ff698114190
0x7ff698114190
0x7ff698114190
0x7ff698114190
0x7ff698114193
0x7ff698114197
0x7ff69811419b
0x7ff69811419f
0x7ff6981141a9
0x7ff6981141ac
0x7ff6981141af
0x7ff6981141b2
0x7ff6981141b7
0x7ff6981141b7
0x7ff6981141c1
0x7ff6981141c3
0x7ff6981141ca
0x7ff6981141cf
0x7ff6981141d3
0x7ff6981141d6
0x7ff6981141dd
0x7ff6981141e2
0x7ff6981141e4
0x7ff6981141f4
0x7ff6981141f9
0x7ff6981141fc
0x7ff698114203
0x7ff698114208
0x7ff69811420a
0x7ff698114211
0x7ff698114216
0x7ff69811421b
0x7ff698114220
0x7ff698114225
0x7ff69811422e
0x7ff69811424a
0x7ff69811424c
0x7ff698114253
0x7ff698114258
0x7ff69811425d
0x7ff698114262
0x7ff698114267
0x7ff69811426c
0x7ff69811426e
0x7ff698114275
0x7ff69811427a
0x7ff69811427c
0x7ff69811428f
0x7ff698114299
0x7ff6981142a3
0x7ff6981142a5
0x7ff6981142a9
0x7ff6981142ab
0x7ff6981142b2
0x7ff6981142b8
0x7ff6981142bb
0x7ff6981142c2
0x7ff6981142d5
0x7ff6981142db
0x7ff6981142e4
0x7ff6981142ef
0x7ff6981142fa
0x7ff69811430b
0x7ff698114321
0x7ff69811432a
0x7ff698114330
0x7ff698114338
0x7ff69811433c
0x7ff698114343
0x7ff698114352
0x7ff69811436a
0x7ff69811436c
0x7ff698114372
0x7ff698114375
0x7ff69811437c
0x7ff698114381
0x7ff698114386
0x7ff69811439c
0x7ff6981143ab
0x7ff6981143b9
0x7ff6981143bb
0x7ff6981143cb
0x7ff6981143cb
0x7ff6981143cf
0x7ff6981143d9
0x7ff6981143f7

APIs

_getptd.LIBCMT ref: 00007FF6981141B2
GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,00007FF698108850), ref: 00007FF6981142B2
IsValidCodePage.KERNEL32(?,?,?,?,00000000,00007FF698108850), ref: 00007FF698114303
IsValidLocale.KERNEL32(?,?,?,?,00000000,00007FF698108850), ref: 00007FF698114319
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF698108850), ref: 00007FF698114394
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF698108850), ref: 00007FF6981143B1
_itow_s.LIBCMT ref: 00007FF6981143CF

Strings

Norwegian-Nynorsk, xrefs: 00007FF698114354

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: cf4e325a6d4d68f7bfb079dc3385f1bf38945245c1b1c03b25c738e8f555b466
Instruction ID: c0bad5f197c3f8542ebda671cb018134210e137dcf65911bf84767710a7a50dd
Opcode Fuzzy Hash: cf4e325a6d4d68f7bfb079dc3385f1bf38945245c1b1c03b25c738e8f555b466
Instruction Fuzzy Hash: CF614D61A0875386FB799F31E4003B922A1EB66F44F8840B6DA4DC66D9DF7CE881C34C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812A270 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 155
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E00007FF67FF69812A270(void* __ebx, void* __ecx, long long __rbx, signed int __rdx, long long __rbp, void* __r8, signed long long __r9, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56) {
				void* _v24;
				signed int _v40;
				void* _v104;
				long long _v112;
				intOrPtr _v136;
				char _v144;
				long long _v152;
				long long _v160;
				signed int _v168;
				signed short _v170;
				signed short _v172;
				signed int _v174;
				signed short _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				signed int _v200;
				signed int _v208;
				signed int _v216;
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed long long _t106;
				signed long long _t107;
				signed long long _t110;
				void* _t157;
				void* _t161;
				signed long long _t173;
				void* _t175;

				_t173 = __r9;
				_t175 = _t161;
				_v152 = 0xfffffffe;
				 *((long long*)(_t175 + 8)) = __rbx;
				 *((long long*)(_t175 + 0x20)) = __rbp;
				_t106 =  *0x98140430; // 0x4918c2c043f
				_t107 = _t106 ^ _t161 - 0x000000e0;
				_v40 = _t107;
				_t110 = __rdx;
				_v160 = __rdx;
				_t159 = _a40;
				_v168 = 0;
				 *((long long*)(__rdx + 0x20)) = 7;
				 *(__rdx + 0x18) = _t107;
				 *((short*)(__rdx + 8)) = 0;
				_v168 = 1;
				_t13 = _t107 + 0x40; // 0x40
				r8d = _t13;
				E00007FF67FF69810B240(0, __ecx, 0, _t175 - 0x68, __rdx, __r8);
				if ((sil & 0x00000001) == 0) goto 0x9812a336;
				r9d = r8d;
				E00007FF67FF69810488C(L"[%d]", _t173);
				asm("repne scasw");
				E00007FF67FF6980F47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000002) == 0) goto 0x9812a3bb;
				_v184 = 0;
				_v180 = 0;
				_v176 = 0;
				_v172 = 0;
				GetSystemTime(??);
				r9d = _v176 & 0x0000ffff;
				_v200 = _v170 & 0x0000ffff;
				_v208 = _v172 & 0x0000ffff;
				_v216 = _v174 & 0x0000ffff;
				E00007FF67FF69810488C(L"[%02d:%02d:%02d.%03d]", _t173);
				asm("repne scasw");
				E00007FF67FF6980F47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000004) == 0) goto 0x9812a40b;
				r9d = GetCurrentThreadId();
				E00007FF67FF69810488C(L"[%06d] ", _t173);
				asm("repne scasw");
				E00007FF67FF6980F47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000008) == 0) goto 0x9812a42f;
				asm("repne scasw");
				_t171 =  !(__rdx | 0xffffffff) - 1;
				E00007FF67FF6980F47C0(__rdx, __rdx, _t159, _t159, _t157, _t159,  !(__rdx | 0xffffffff) - 1);
				if ((sil & 0x00000020) == 0) goto 0x9812a499;
				r8d = 1;
				E00007FF67FF6980F47C0(__rdx, __rdx, "(", _t159, _t157, _t159,  !(__rdx | 0xffffffff) - 1);
				E00007FF67FF69812ACF0(__ebx, _a56, sil & 0x00000020, __rdx,  &_v144, _t159, _t173, _a48);
				r8d = r8d ^ r8d;
				E00007FF67FF6980F5250(_t110, _t110, _t107, _t159, _t157, _t159, _t171, _t173 | 0xffffffff);
				if (_v112 - 8 < 0) goto 0x9812a484;
				E00007FF67FF6981044D8(_t107, _t110, _v136, _t107, _t157, _t171, _t173 | 0xffffffff);
				r8d = 1;
				E00007FF67FF6980F47C0(_t110, _t110, ")", _t159, _t157, _t159, _t171);
				if ((sil & 0x00000010) == 0) goto 0x9812a4d2;
				r8d = 3;
				E00007FF67FF6980F47C0(_t110, _t110, L" : ", _t159, _t157, _t159, _t171);
				asm("repne scasw");
				E00007FF67FF6980F47C0(_t110, _t110, _a48, _a48, _t157, _t159,  !(_t110 | 0xffffffff) - 1);
				r8d = 1;
				E00007FF67FF6980F47C0(_t110, _t110, " ", _a48, _t157, _t159,  !(_t110 | 0xffffffff) - 1);
				return E00007FF67FF698104050(_v174 & 0x0000ffff, _v40 ^ _t161 - 0x000000e0, " ",  !(_t110 | 0xffffffff) - 1, _t173 | 0xffffffff);
			}

0x7ff69812a270
0x7ff69812a270
0x7ff69812a27e
0x7ff69812a287
0x7ff69812a28b
0x7ff69812a28f
0x7ff69812a296
0x7ff69812a299
0x7ff69812a2a7
0x7ff69812a2aa
0x7ff69812a2af
0x7ff69812a2c1
0x7ff69812a2c5
0x7ff69812a2cd
0x7ff69812a2d1
0x7ff69812a2d5
0x7ff69812a2df
0x7ff69812a2df
0x7ff69812a2e7
0x7ff69812a2f0
0x7ff69812a2f2
0x7ff69812a309
0x7ff69812a31c
0x7ff69812a331
0x7ff69812a33a
0x7ff69812a33e
0x7ff69812a342
0x7ff69812a346
0x7ff69812a34a
0x7ff69812a353
0x7ff69812a368
0x7ff69812a36e
0x7ff69812a372
0x7ff69812a376
0x7ff69812a38e
0x7ff69812a3a1
0x7ff69812a3b6
0x7ff69812a3bf
0x7ff69812a3c7
0x7ff69812a3de
0x7ff69812a3f1
0x7ff69812a406
0x7ff69812a40f
0x7ff69812a41a
0x7ff69812a420
0x7ff69812a42a
0x7ff69812a433
0x7ff69812a435
0x7ff69812a445
0x7ff69812a456
0x7ff69812a460
0x7ff69812a469
0x7ff69812a478
0x7ff69812a47f
0x7ff69812a484
0x7ff69812a494
0x7ff69812a49d
0x7ff69812a49f
0x7ff69812a4af
0x7ff69812a4bd
0x7ff69812a4cd
0x7ff69812a4d2
0x7ff69812a4e2
0x7ff69812a511

APIs

swprintf.LIBCMT ref: 00007FF69812A309
GetSystemTime.KERNEL32 ref: 00007FF69812A353
swprintf.LIBCMT ref: 00007FF69812A38E
GetCurrentThreadId.KERNEL32 ref: 00007FF69812A3C1
swprintf.LIBCMT ref: 00007FF69812A3DE

Strings

[%06d] , xrefs: 00007FF69812A3CA
: , xrefs: 00007FF69812A4A5
[%d], xrefs: 00007FF69812A2F5
[%02d:%02d:%02d.%03d], xrefs: 00007FF69812A37A

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf$CurrentSystemThreadTime
String ID: : $[%02d:%02d:%02d.%03d]$[%06d] $[%d]
API String ID: 4294719311-3835557347
Opcode ID: edd22a6c2a58dc5b7b6573fc0000327affbe386b199eabaa2583348143a99127
Instruction ID: b8ede616008df5834e767b6a34ff2e63bb3ddae68bdddac2480668983d6f97d4
Opcode Fuzzy Hash: edd22a6c2a58dc5b7b6573fc0000327affbe386b199eabaa2583348143a99127
Instruction Fuzzy Hash: 8B617B31618A8245E7609B75E8407EA72A0FB85BB0F945372EE6D83AD6DF3CD441C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698110D44 Relevance: 15.1, APIs: 10, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF698110D44(signed int __ecx, void* __edi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t45;
				void* _t59;
				void* _t63;
				signed int* _t69;
				signed int* _t70;
				long long _t71;
				signed long long _t85;
				void* _t86;
				signed long long _t88;

				_t83 = __r8;
				_t79 = __rbp;
				_t77 = __rsi;
				_t74 = __rdx;
				_t73 = __rcx;
				_t71 = __rbx;
				_t59 = __edi;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				_t86 = __rdx;
				_t76 = __ecx;
				if (__edi != 0xfffffffe) goto 0x98110d89;
				E00007FF67FF6981078CC(__rax);
				 *__rax = 0;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98110e9e;
				if (__edi < 0) goto 0x98110e75;
				_t63 = _t59 -  *0x981489c0; // 0x20
				if (_t63 >= 0) goto 0x98110e75;
				_t88 = __ecx >> 5;
				r12d = r12d & 0x0000001f;
				_t85 = __ecx * 0x58;
				_t69 =  *((intOrPtr*)(0x981489e0 + _t88 * 8));
				if (_t63 != 0) goto 0x98110df5;
				E00007FF67FF6981078CC(_t69);
				 *_t69 = 0;
				E00007FF67FF6981078AC(_t69);
				 *_t69 = 9;
				_v56 = __rbx;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t69, __rbx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0x98110e9e;
				if ((0 | r8d - 0x7fffffff < 0x00000000) != 0) goto 0x98110e30;
				E00007FF67FF6981078CC(_t69);
				 *_t69 = 0;
				E00007FF67FF6981078AC(_t69);
				 *_t69 = 0x16;
				_v56 = _t71;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t69, _t71, _t73, _t74, _t77, _t79, _t83);
				goto 0x98110e9e;
				_t34 = E00007FF67FF69811593C(0, __edi, _t71, _t76, _t77, _t85);
				_t70 =  *((intOrPtr*)(0x981489e0 + _t88 * 8));
				if (( *(_t70 + _t85 + 8) & 0x00000001) == 0) goto 0x98110e55;
				_t45 = E00007FF67FF6981105C4(_t34, _t59, r8d, _t86, _t83);
				goto 0x98110e6a;
				E00007FF67FF6981078AC(_t70);
				 *_t70 = 9;
				E00007FF67FF6981078CC(_t70);
				 *_t70 = _t45;
				E00007FF67FF6981159E4();
				goto 0x98110e9e;
				E00007FF67FF6981078CC(_t70);
				 *_t70 = _t45 | 0xffffffff;
				E00007FF67FF6981078AC(_t70);
				 *_t70 = 9;
				_v56 = _t71;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t70, _t71, _t73, _t86, _t77, _t79, _t83) | 0xffffffff;
			}

0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d44
0x7ff698110d49
0x7ff698110d4e
0x7ff698110d62
0x7ff698110d65
0x7ff698110d6b
0x7ff698110d6d
0x7ff698110d74
0x7ff698110d76
0x7ff698110d7b
0x7ff698110d84
0x7ff698110d8d
0x7ff698110d93
0x7ff698110d99
0x7ff698110da5
0x7ff698110db0
0x7ff698110db4
0x7ff698110db8
0x7ff698110dc5
0x7ff698110dc7
0x7ff698110dcc
0x7ff698110dce
0x7ff698110dd3
0x7ff698110dd9
0x7ff698110dde
0x7ff698110de1
0x7ff698110de8
0x7ff698110df0
0x7ff698110e03
0x7ff698110e05
0x7ff698110e0a
0x7ff698110e0c
0x7ff698110e11
0x7ff698110e17
0x7ff698110e1c
0x7ff698110e1f
0x7ff698110e26
0x7ff698110e2e
0x7ff698110e32
0x7ff698110e38
0x7ff698110e42
0x7ff698110e51
0x7ff698110e53
0x7ff698110e55
0x7ff698110e5a
0x7ff698110e60
0x7ff698110e65
0x7ff698110e6c
0x7ff698110e73
0x7ff698110e75
0x7ff698110e7a
0x7ff698110e7c
0x7ff698110e81
0x7ff698110e87
0x7ff698110e8c
0x7ff698110e8f
0x7ff698110eb5

APIs

__doserrno.LIBCMT ref: 00007FF698110D6D
_errno.LIBCMT ref: 00007FF698110D76
__doserrno.LIBCMT ref: 00007FF698110DC7
_errno.LIBCMT ref: 00007FF698110DCE

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: ae8c6979646cd0df4c87d9af4eb6b8836ed11e81636247d6cf9537f00f559d2d
Instruction ID: 26f4f5f252a68d1e3ade69881590fcf0d9986eb92320ae3ba714bc05c0929322
Opcode Fuzzy Hash: ae8c6979646cd0df4c87d9af4eb6b8836ed11e81636247d6cf9537f00f559d2d
Instruction Fuzzy Hash: 1C41D032E2C25346E3306F35AC4153D3651EF80764F959A79EA29CB7E2CE3DA400C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810BD28 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137
fileCOMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 78%

			E00007FF67FF69810BD28(void* __ecx, long long __rbx, long long __rdi, void* __rsi, void* __rbp, void* __r9, long long __r13, long long _a8, void* _a16, long long _a24, long long _a32) {
				signed int _v24;
				void* _t38;
				void* _t47;
				void* _t68;
				void* _t93;
				void* _t104;
				void* _t122;
				void* _t131;

				_t131 = __r9;
				_t118 = __rbp;
				_t117 = __rsi;
				_a8 = __rbx;
				_a24 = __rdi;
				_a32 = __r13;
				_t68 = __ecx;
				if (__ecx ==  *0x98140820) goto 0x9810bd5a;
				if (1 - 0x17 < 0) goto 0x9810bd4b;
				if (1 - 0x17 >= 0) goto 0x9810bf37;
				if (E00007FF67FF698111C68(3, 0x7ff698140830, __rbx, _t93, _t104, __rsi, __rbp, _t122) == 1) goto 0x9810bef2;
				if (E00007FF67FF698111C68(3, 0x7ff698140830, __rbx, _t93, _t104, __rsi, __rbp, _t122) != 0) goto 0x9810bd91;
				if ( *0x98140188 == 1) goto 0x9810bef2;
				if (_t68 == 0xfc) goto 0x9810bf37;
				r13d = 0x314;
				if (E00007FF67FF69810B72C(0x7ff698140830, 0x98143660, __r13, __rsi, __rbp, "Runtime Error!\n\nProgram: ") == 0) goto 0x9810bdd5;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				r8d = 0x104;
				 *0x9814377d = 0;
				if (GetModuleFileNameA(??, ??, ??) != 0) goto 0x9810be26;
				if (E00007FF67FF69810B72C(0x7ff698140830, 0x98143679, 0x98143679, __rsi, __rbp, "<program name unknown>") == 0) goto 0x9810be26;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				_t38 = E00007FF67FF6981070C0(E00007FF67FF698104308(), 0x98143679);
				if (0x7ff698140831 - 0x3c <= 0) goto 0x9810be81;
				E00007FF67FF6981070C0(_t38, 0x98143679);
				r9d = 3;
				if (E00007FF67FF6981138DC(0x7ff698140831, 0xffed30283e6f, 0xffff800967ebfb05, _t117, _t118, "...", _t131) == 0) goto 0x9810be81;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				if (E00007FF67FF698113850(0x7ff698140831, 0x98143660, __r13, _t117, _t118, "\n\n") == 0) goto 0x9810beac;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				if (E00007FF67FF698113850(0x7ff698140831, 0x98143660, __r13, _t117, _t118,  *0x7FF698140838) == 0) goto 0x9810bedb;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				r8d = 0x12010;
				E00007FF67FF698114B80(0x7ff698140831, __rbx, 0x98143660, "Microsoft Visual C++ Runtime Library", _t118, _t131);
				goto 0x9810bf37;
				_t47 = GetStdHandle(??);
				if (0x7ff698140831 == 0) goto 0x9810bf37;
				if (0x7ff698140831 == 0xffffffff) goto 0x9810bf37;
				E00007FF67FF6981070C0(_t47,  *((intOrPtr*)(0x7ff698140838)));
				_v24 = _v24 & 0x00000000;
				return WriteFile(??, ??, ??, ??, ??);
			}

0x7ff69810bd28
0x7ff69810bd28
0x7ff69810bd28
0x7ff69810bd28
0x7ff69810bd2d
0x7ff69810bd32
0x7ff69810bd44
0x7ff69810bd4d
0x7ff69810bd58
0x7ff69810bd5d
0x7ff69810bd70
0x7ff69810bd82
0x7ff69810bd8b
0x7ff69810bd97
0x7ff69810bda4
0x7ff69810bdbe
0x7ff69810bdc0
0x7ff69810bdc6
0x7ff69810bdc9
0x7ff69810bdd0
0x7ff69810bddc
0x7ff69810bde4
0x7ff69810bdf3
0x7ff69810be0f
0x7ff69810be11
0x7ff69810be17
0x7ff69810be1a
0x7ff69810be2d
0x7ff69810be39
0x7ff69810be42
0x7ff69810be5a
0x7ff69810be6a
0x7ff69810be6c
0x7ff69810be72
0x7ff69810be75
0x7ff69810be7c
0x7ff69810be95
0x7ff69810be97
0x7ff69810be9d
0x7ff69810bea0
0x7ff69810bea7
0x7ff69810bec4
0x7ff69810bec6
0x7ff69810becc
0x7ff69810becf
0x7ff69810bed6
0x7ff69810bee2
0x7ff69810beeb
0x7ff69810bef0
0x7ff69810bef7
0x7ff69810bf03
0x7ff69810bf09
0x7ff69810bf16
0x7ff69810bf20
0x7ff69810bf4c

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69810BF84,?,?,?,?,00007FF6981048E5,?,?,00000000,00007FF69810A598), ref: 00007FF69810BDEB
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF69810BF84,?,?,?,?,00007FF6981048E5,?,?,00000000,00007FF69810A598), ref: 00007FF69810BEF7
WriteFile.KERNEL32 ref: 00007FF69810BF31

Strings

Runtime Error!Program: , xrefs: 00007FF69810BDAA
Microsoft Visual C++ Runtime Library, xrefs: 00007FF69810BEDB
<program name unknown>, xrefs: 00007FF69810BDF5
..., xrefs: 00007FF69810BE4E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: bdf2f308c5beea1c5eb5347bd727d01a46f02e2dd6c2599cccca75c08203b709
Instruction ID: e495a086ef45b4583060267e6255261e06df6b77e54a6a56e3d530f36f2a284a
Opcode Fuzzy Hash: bdf2f308c5beea1c5eb5347bd727d01a46f02e2dd6c2599cccca75c08203b709
Instruction Fuzzy Hash: CD51D221B0864341FB349B31A951B7A6291EF84798FC042BAEA4DC7AD5CF3CE555C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981155B0 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF69811560A
GetLastError.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF69811561C
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF698115667
malloc.LIBCMT ref: 00007FF6981156CC

Part of subcall function 00007FF6981048B0: _FF_MSGBANNER.LIBCMT ref: 00007FF6981048E0
Part of subcall function 00007FF6981048B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF69810A598,?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF698104905
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104929
Part of subcall function 00007FF6981048B0: _errno.LIBCMT ref: 00007FF698104934

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF6981156F9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF698115733
free.LIBCMT ref: 00007FF698115747
GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF6981157DA), ref: 00007FF69811575D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefreemalloc
String ID:
API String ID: 4202622830-0
Opcode ID: fe5207ceeda70ec711b59715bf62eec6586ad5d6bb0a9c1674ed90db119e1240
Instruction ID: e3eb633046a42294230660d26ce7924dcd950f5a596b3ec7ee6a5b673e3d59b9
Opcode Fuzzy Hash: fe5207ceeda70ec711b59715bf62eec6586ad5d6bb0a9c1674ed90db119e1240
Instruction Fuzzy Hash: F0517C32A086838AE7709F31A9411AD7391FB647A8FD406B5DA1ED3B94DF7CE850C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698104050 Relevance: 12.1, APIs: 8, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FF67FF698104050(signed int __ecx, void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				signed long long _v24;
				void* __rbx;
				void* _t16;
				intOrPtr* _t23;
				void* _t24;
				void* _t27;
				void* _t29;
				void* _t30;

				_t27 = __rdx;
				_t16 = __rcx -  *0x98140430; // 0x4918c2c043f
				if (_t16 != 0) goto 0x9810406a;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0x98104066;
				asm("repe ret");
				asm("dec eax");
				goto 0x9810b5e0;
				asm("int3");
				_push(_t24);
				_t23 = __r8;
				if (__r9 == 0) goto 0x981040c9;
				if (__rcx != 0) goto 0x981040a8;
				E00007FF67FF6981078AC(__r8);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *__r8 = 0x16;
				E00007FF67FF698104430(__r8, _t24, __rcx, __rdx, _t29, _t30, __r8);
				goto 0x981040cb;
				if (_t23 == 0) goto 0x98104083;
				if (_t27 - __r9 >= 0) goto 0x981040be;
				E00007FF67FF6981078AC(_t23);
				goto 0x9810408d;
				E00007FF67FF69810AE90(0, _t27 - __r9, _t26, _t23, __r9);
				return 0;
			}

0x7ff698104050
0x7ff698104050
0x7ff698104057
0x7ff698104059
0x7ff698104062
0x7ff698104064
0x7ff698104066
0x7ff69810406a
0x7ff69810406f
0x7ff698104070
0x7ff698104076
0x7ff69810407c
0x7ff698104081
0x7ff698104083
0x7ff69810408d
0x7ff698104093
0x7ff698104096
0x7ff69810409d
0x7ff69810409f
0x7ff6981040a6
0x7ff6981040ab
0x7ff6981040b0
0x7ff6981040b2
0x7ff6981040bc
0x7ff6981040c4
0x7ff6981040d0

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF69810B5F3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF69810B612
RtlVirtualUnwind.KERNEL32 ref: 00007FF69810B65E
IsDebuggerPresent.KERNEL32 ref: 00007FF69810B6D0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69810B6E8
UnhandledExceptionFilter.KERNEL32 ref: 00007FF69810B6F5
GetCurrentProcess.KERNEL32 ref: 00007FF69810B70E
TerminateProcess.KERNEL32 ref: 00007FF69810B71C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: e14f49882a9b6dccd73c3a84256284ea3c026c336a414e1e863b8d0485961774
Instruction ID: 7aa9288d42444fef69c1c3ee82e50c4ead937e6f6ccd208523e52e6025ddcdcd
Opcode Fuzzy Hash: e14f49882a9b6dccd73c3a84256284ea3c026c336a414e1e863b8d0485961774
Instruction Fuzzy Hash: 0531E635A08B4386E6609B75F84076973A0FB84758FD041BADA8EC3765DF7CE494C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811A758 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E00007FF67FF69811A758(void* __eflags, long long __rbx, char* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t68;
				void* _t70;
				signed int _t99;
				signed int _t103;
				void* _t122;
				intOrPtr* _t129;
				intOrPtr _t130;
				signed long long _t136;
				char* _t138;
				char* _t154;
				char* _t155;
				char* _t160;
				long long _t167;
				intOrPtr* _t168;
				intOrPtr* _t170;
				void* _t171;
				void* _t179;
				long long _t181;
				void* _t183;

				_t173 = __r8;
				_t163 = __rsi;
				_t129 = _t170;
				 *((long long*)(_t129 + 8)) = __rbx;
				 *((long long*)(_t129 + 0x10)) = _t167;
				 *((long long*)(_t129 + 0x18)) = __rsi;
				 *((long long*)(_t129 + 0x20)) = __rdi;
				_t171 = _t170 - 0x50;
				_t179 = __rdx;
				_t160 = __rcx;
				r15d = r9d;
				_t136 = r8d;
				E00007FF67FF698104E5C(_t129, _t129 - 0x38,  *((intOrPtr*)(_t171 + 0xa0)));
				r13d = 0;
				if (__rcx != _t181) goto 0x9811a7d3;
				E00007FF67FF6981078AC(_t129);
				_t7 = _t181 + 0x16; // 0x16
				r9d = 0;
				r8d = 0;
				 *_t129 = _t7;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF67FF698104430(_t129, _t136, _t129 - 0x38,  *((intOrPtr*)(_t171 + 0xa0)), __rsi, _t167, __r8, _t183, _t181);
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0x9811a7cc;
				 *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x9811a990;
				if (_t179 - _t181 > 0) goto 0x9811a80d;
				E00007FF67FF6981078AC(_t129);
				r9d = 0;
				r8d = 0;
				 *_t129 = 0x16;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF67FF698104430(_t129, _t136,  *((intOrPtr*)(_t171 + 0x40)),  *((intOrPtr*)(_t171 + 0xa0)), _t163, _t167, _t173);
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0x9811a7cc;
				_t130 =  *((intOrPtr*)(_t171 + 0x40));
				 *(_t130 + 0xc8) =  *(_t130 + 0xc8) & 0xfffffffd;
				goto 0x9811a7cc;
				_t67 =  >  ? 0x16 : r13d;
				_t68 = ( >  ? 0x16 : r13d) + 9;
				if (_t179 - _t130 > 0) goto 0x9811a82f;
				_t70 = E00007FF67FF6981078AC(_t130);
				goto 0x9811a7a3;
				_t168 =  *((intOrPtr*)(_t171 + 0x90));
				if ( *((intOrPtr*)(_t171 + 0x98)) == r13b) goto 0x9811a877;
				sil =  *_t168 == 0x2d;
				r13b = 0x22 > 0;
				if (r13d == 0) goto 0x9811a874;
				E00007FF67FF6981070C0(_t70, _t181 + _t160);
				_t20 = _t130 + 1; // 0x1
				E00007FF67FF69810AE90(0, r13d, r13d + _t181 + _t160, _t181 + _t160, _t20);
				r13d = 0;
				if ( *_t168 != 0x2d) goto 0x9811a887;
				 *_t160 = 0x2d;
				_t154 = _t160 + 1;
				if (0x22 - r13d <= 0) goto 0x9811a8a7;
				 *_t154 =  *((intOrPtr*)(_t154 + 1));
				_t155 = _t154 + 1;
				 *_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x30)) + 0x128))))));
				_t138 = _t136 + _t155 + _t181;
				_t157 =  ==  ? _t179 : _t179 + _t160 - _t138;
				if (E00007FF67FF69810B72C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x30)) + 0x128)))), _t138,  ==  ? _t179 : _t179 + _t160 - _t138, _t181 + _t160, _t168, "e+000") == r13d) goto 0x9811a8f2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF67FF698104308();
				if (r15d == r13d) goto 0x9811a8fe;
				 *_t138 = 0x45;
				_t122 =  *((char*)( *((intOrPtr*)(_t168 + 0x10)))) - 0x30;
				if (_t122 == 0) goto 0x9811a95e;
				r8d =  *(_t168 + 4);
				r8d = r8d - 1;
				if (_t122 >= 0) goto 0x9811a918;
				r8d =  ~r8d;
				 *((char*)(_t138 + 1)) = 0x2d;
				if (r8d - 0x64 < 0) goto 0x9811a939;
				_t99 = (0x51eb851f * r8d >> 0x20 >> 5) + (0x51eb851f * r8d >> 0x20 >> 5 >> 0x1f);
				 *((intOrPtr*)(_t138 + 2)) =  *((intOrPtr*)(_t138 + 2)) + _t99;
				r8d = r8d + _t99 * 0xffffff9c;
				if (r8d - 0xa < 0) goto 0x9811a95a;
				_t103 = (0x66666667 * r8d >> 0x20 >> 2) + (0x66666667 * r8d >> 0x20 >> 2 >> 0x1f);
				 *((intOrPtr*)(_t138 + 3)) =  *((intOrPtr*)(_t138 + 3)) + _t103;
				r8d = r8d + _t103 * 0xfffffff6;
				 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + r8b;
				if (( *0x98144108 & 0x00000001) == 0) goto 0x9811a97b;
				if ( *((char*)(_t138 + 2)) != 0x30) goto 0x9811a97b;
				r8d = 3;
				E00007FF67FF69810AE90(0,  *((char*)(_t138 + 2)) - 0x30, _t138 + 2, _t138 + 3, "e+000");
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0x9811a98e;
				 *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff69811a758
0x7ff69811a758
0x7ff69811a758
0x7ff69811a75b
0x7ff69811a75f
0x7ff69811a763
0x7ff69811a767
0x7ff69811a771
0x7ff69811a775
0x7ff69811a780
0x7ff69811a787
0x7ff69811a78a
0x7ff69811a78d
0x7ff69811a792
0x7ff69811a798
0x7ff69811a79a
0x7ff69811a79f
0x7ff69811a7a3
0x7ff69811a7a6
0x7ff69811a7ad
0x7ff69811a7af
0x7ff69811a7b4
0x7ff69811a7be
0x7ff69811a7c5
0x7ff69811a7ce
0x7ff69811a7d6
0x7ff69811a7d8
0x7ff69811a7e2
0x7ff69811a7e5
0x7ff69811a7ec
0x7ff69811a7ee
0x7ff69811a7f3
0x7ff69811a7fd
0x7ff69811a7ff
0x7ff69811a804
0x7ff69811a80b
0x7ff69811a813
0x7ff69811a816
0x7ff69811a81e
0x7ff69811a820
0x7ff69811a82a
0x7ff69811a82f
0x7ff69811a83f
0x7ff69811a848
0x7ff69811a851
0x7ff69811a858
0x7ff69811a85d
0x7ff69811a868
0x7ff69811a86f
0x7ff69811a874
0x7ff69811a87e
0x7ff69811a880
0x7ff69811a883
0x7ff69811a88a
0x7ff69811a88f
0x7ff69811a896
0x7ff69811a8a5
0x7ff69811a8bf
0x7ff69811a8d0
0x7ff69811a8dc
0x7ff69811a8de
0x7ff69811a8e1
0x7ff69811a8e8
0x7ff69811a8ed
0x7ff69811a8f9
0x7ff69811a8fb
0x7ff69811a902
0x7ff69811a905
0x7ff69811a907
0x7ff69811a90b
0x7ff69811a90f
0x7ff69811a911
0x7ff69811a914
0x7ff69811a91c
0x7ff69811a92e
0x7ff69811a930
0x7ff69811a936
0x7ff69811a93d
0x7ff69811a94f
0x7ff69811a951
0x7ff69811a957
0x7ff69811a95a
0x7ff69811a965
0x7ff69811a96a
0x7ff69811a970
0x7ff69811a976
0x7ff69811a980
0x7ff69811a987
0x7ff69811a9ae

APIs

Part of subcall function 00007FF698104E5C: _getptd.LIBCMT ref: 00007FF698104E72

_errno.LIBCMT ref: 00007FF69811A79A

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_errno.LIBCMT ref: 00007FF69811A7D8
_errno.LIBCMT ref: 00007FF69811A820

Strings

gfff, xrefs: 00007FF69811A93F
e+000, xrefs: 00007FF69811A8B2
-, xrefs: 00007FF69811A914

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 6a11d317345159555b390f4911d319f69cbeb2ee95697cea1cf0a9819997a2cf
Instruction ID: 236bf38f713217ac6d2a3da918798a2a2f39aa90cca95fa8ebb5694abf8ed170
Opcode Fuzzy Hash: 6a11d317345159555b390f4911d319f69cbeb2ee95697cea1cf0a9819997a2cf
Instruction Fuzzy Hash: DE615966A187C346E7308F34A841A6E7FA1FB91B98F888271DA5C87B85CF3DD455C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114FCC Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 78%

			E00007FF67FF698114FCC(intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, void* __r8, long long _a8, signed int _a32, intOrPtr _a40) {
				intOrPtr _v32;
				intOrPtr _v40;
				char _v56;
				long long _v88;
				void* __rsi;
				void* __rbp;
				intOrPtr* _t41;
				void* _t51;
				void* _t52;
				long long _t53;

				_t41 = __rax;
				_a8 = __rbx;
				_a32 = r9w;
				_t51 = __r8;
				_t52 = __rdx;
				if (__rdx != _t53) goto 0x98115001;
				if (__r8 - _t53 <= 0) goto 0x98115001;
				if (__rcx == _t53) goto 0x98114ffa;
				 *__rcx = 0;
				goto 0x981150a5;
				if (__rcx == _t53) goto 0x98115009;
				 *__rcx =  *__rcx | 0xffffffff;
				if (__r8 - 0x7fffffff <= 0) goto 0x98115036;
				E00007FF67FF6981078AC(__rax);
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				_v88 = _t53;
				E00007FF67FF698104430(__rax, __rcx, __rcx, __rdx, __rdx, _t53, __r8);
				goto 0x981150a5;
				E00007FF67FF698104E5C(__rax,  &_v56, _a40);
				if ( *((intOrPtr*)(_v56 + 0x14)) != 0) goto 0x98115124;
				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0x981150b5;
				if (_t52 == _t53) goto 0x98115080;
				if (_t51 - _t53 <= 0) goto 0x98115080;
				E00007FF67FF69810B240(_a32 & 0x0000ffff, 0xff, 0, _t52, _a40, _t51);
				E00007FF67FF6981078AC(_t41);
				 *_t41 = 0x2a;
				E00007FF67FF6981078AC(_t41);
				if (_v32 == bpl) goto 0x981150a5;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				return  *_t41;
			}

0x7ff698114fcc
0x7ff698114fcc
0x7ff698114fd1
0x7ff698114fe0
0x7ff698114fe3
0x7ff698114fec
0x7ff698114ff1
0x7ff698114ff6
0x7ff698114ff8
0x7ff698114ffc
0x7ff698115004
0x7ff698115006
0x7ff698115010
0x7ff698115012
0x7ff69811501c
0x7ff69811501f
0x7ff698115026
0x7ff698115028
0x7ff69811502d
0x7ff698115034
0x7ff698115043
0x7ff698115051
0x7ff698115067
0x7ff69811506c
0x7ff698115071
0x7ff69811507b
0x7ff698115080
0x7ff698115085
0x7ff69811508b
0x7ff698115097
0x7ff69811509e
0x7ff6981150b4

APIs

_errno.LIBCMT ref: 00007FF698115012
_errno.LIBCMT ref: 00007FF698115080
_errno.LIBCMT ref: 00007FF69811508B
_errno.LIBCMT ref: 00007FF6981150BF
WideCharToMultiByte.KERNEL32 ref: 00007FF69811515A
GetLastError.KERNEL32 ref: 00007FF69811517A
_errno.LIBCMT ref: 00007FF6981151A0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: e3ab19df20f39bfc49d13db797055911675bc5e6ef2466dfda626c9a0c4a69ea
Instruction ID: 5d1126a0795861f1497ac4d80a11acec37f5e374847c6ea5e5424717f76674f6
Opcode Fuzzy Hash: e3ab19df20f39bfc49d13db797055911675bc5e6ef2466dfda626c9a0c4a69ea
Instruction Fuzzy Hash: 3151A522E0C6838AF7709FB4A4406BEB790EB91B50FD88175D69D86AC5CF6C9841CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698104308 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 17%

			E00007FF67FF698104308() {
				void* _v0;
				long long _v992;
				long long _v1088;
				char _v1240;
				long long _v1384;
				char _v1396;
				signed int _v1400;
				char _v1416;
				char _v1424;
				long long _v1432;
				long long _v1440;
				void* _v1448;
				signed long long _v1456;
				long long _v1464;
				long long _v1472;
				long long _v1480;
				void* _t30;
				int _t32;
				void* _t39;
				long long _t48;
				void* _t61;
				void* _t64;

				_v1400 = _v1400 & 0x00000000;
				r8d = 0x94;
				E00007FF67FF69810B240(_t30, _t39, 0,  &_v1396, _t61, _t64);
				_t48 =  &_v1240;
				_v1440 =  &_v1400;
				_v1432 = _t48;
				__imp__RtlCaptureContext();
				r8d = 0;
				0x9811a26c();
				if (_t48 == 0) goto 0x981043a5;
				_v1456 = _v1456 & 0x00000000;
				_v1464 =  &_v1416;
				_v1472 =  &_v1424;
				_v1480 =  &_v1240;
				0x9811a266();
				goto 0x981043c5;
				_v992 = _v0;
				_v1088 =  &_v0;
				_v1400 = 0xc0000417;
				_v1396 = 1;
				_v1384 = _v0;
				_t32 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(??);
				if (UnhandledExceptionFilter(??) != 0) goto 0x98104410;
				if (_t32 != 0) goto 0x98104410;
				E00007FF67FF69810B7A0(_t34);
				GetCurrentProcess();
				return TerminateProcess(??, ??);
			}

0x7ff698104311
0x7ff69810431d
0x7ff698104323
0x7ff69810432d
0x7ff69810433d
0x7ff698104342
0x7ff698104347
0x7ff69810435d
0x7ff698104360
0x7ff698104368
0x7ff69810436a
0x7ff69810437a
0x7ff698104387
0x7ff698104397
0x7ff69810439e
0x7ff6981043a3
0x7ff6981043ad
0x7ff6981043bd
0x7ff6981043cd
0x7ff6981043d5
0x7ff6981043dd
0x7ff6981043e5
0x7ff6981043ef
0x7ff698104402
0x7ff698104406
0x7ff69810440b
0x7ff698104410
0x7ff69810442c

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF698104347
IsDebuggerPresent.KERNEL32 ref: 00007FF6981043E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6981043EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6981043FA
GetCurrentProcess.KERNEL32 ref: 00007FF698104410
TerminateProcess.KERNEL32 ref: 00007FF69810441E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 9acd44f4c9021e6a40fc53f3eba1dfe77eba2fb851b38d84d1ef46dfb6a26ca4
Instruction ID: 50ff613287b1530a1c9a73185917367043f789417c8c667e152ddff68846c173
Opcode Fuzzy Hash: 9acd44f4c9021e6a40fc53f3eba1dfe77eba2fb851b38d84d1ef46dfb6a26ca4
Instruction Fuzzy Hash: 53312132A0CB8682EB759B65F4803AEB3A0FB94744F900135DB8D83A69DF7CD594CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811AABC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 75%

			E00007FF67FF69811AABC(void* __eflags, long long __rbx, unsigned int* __rcx, char* __rdx, long long __rdi, void* __rsi, void* __r8, void* __r9, void* __r10, void* __r11, long long __r12) {
				void* _t93;
				char _t94;
				signed char _t95;
				signed int _t123;
				signed int _t124;
				signed int _t138;
				void* _t139;
				intOrPtr* _t176;
				signed long long _t180;
				intOrPtr* _t196;
				signed int* _t197;
				void* _t209;
				signed long long _t215;
				signed long long _t224;
				void* _t225;
				signed long long _t230;
				signed long long _t232;
				signed long long _t233;
				signed long long _t236;
				signed long long _t237;
				char* _t242;
				char* _t243;
				intOrPtr* _t244;
				void* _t245;
				intOrPtr* _t246;
				char* _t247;
				void* _t248;
				char* _t250;
				void* _t251;
				char* _t252;
				char* _t253;
				char* _t254;
				char* _t255;
				long long _t258;
				intOrPtr* _t260;
				void* _t261;
				char* _t268;
				void* _t270;
				void* _t271;
				void* _t275;
				unsigned int* _t276;
				long long _t278;
				intOrPtr* _t279;
				void* _t281;

				_t271 = __r11;
				_t270 = __r10;
				_t263 = __r8;
				_t257 = __rsi;
				_t176 = _t260;
				 *((long long*)(_t176 + 8)) = __rbx;
				 *((long long*)(_t176 + 0x10)) = _t258;
				 *((long long*)(_t176 + 0x18)) = __rdi;
				 *((long long*)(_t176 + 0x20)) = __r12;
				_t261 = _t260 - 0x50;
				_t242 = __rdx;
				_t276 = __rcx;
				_t209 = __r8;
				r15d = 0x3ff;
				r12d = 0x30;
				E00007FF67FF698104E5C(_t176, _t176 - 0x38,  *((intOrPtr*)(_t261 + 0x98)));
				r14d = 0;
				_t138 =  <  ? r14d : r9d;
				if (__rdx != _t278) goto 0x9811ab4b;
				E00007FF67FF6981078AC(_t176);
				r9d = 0;
				r8d = 0;
				 *_t176 = __r12 - 0x1a;
				 *((long long*)(_t261 + 0x20)) = _t278;
				E00007FF67FF698104430(_t176, __r8, _t176 - 0x38,  *((intOrPtr*)(_t261 + 0x98)), __rsi, _t258, __r8, _t281, _t278);
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0x9811ab44;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x9811aec6;
				if (_t209 - _t278 > 0) goto 0x9811ab85;
				E00007FF67FF6981078AC(_t176);
				r9d = 0;
				r8d = 0;
				 *_t176 = 0x16;
				 *((long long*)(_t261 + 0x20)) = _t278;
				E00007FF67FF698104430(_t176, _t209,  *((intOrPtr*)(_t261 + 0x40)),  *((intOrPtr*)(_t261 + 0x98)), _t257, _t258, _t263);
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0x9811ab44;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x9811ab44;
				 *_t242 = r14b;
				_t215 = _t258 + 0xb;
				if (_t209 - _t215 > 0) goto 0x9811aba2;
				E00007FF67FF6981078AC( *((intOrPtr*)(_t261 + 0x40)));
				goto 0x9811ab1b;
				_t180 =  *_t276 >> 0x00000034 & _t215;
				if (_t180 != _t215) goto 0x9811ac56;
				_t20 = _t242 + 2; // 0x401
				_t230 = _t20;
				r9d = _t138;
				_t265 =  ==  ? _t209 : _t209 - 2;
				 *((long long*)(_t261 + 0x28)) = _t278;
				 *((intOrPtr*)(_t261 + 0x20)) = r14d;
				if (E00007FF67FF69811A9B0(0x22, _t276, _t230, _t258,  ==  ? _t209 : _t209 - 2, _t275) == r14d) goto 0x9811ac04;
				 *_t242 = r14b;
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0x9811aec6;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x9811aec6;
				if ( *((char*)(_t242 + 2)) != 0x2d) goto 0x9811ac10;
				 *_t242 = 0x2d;
				_t243 = _t242 + 1;
				 *_t243 = 0x30;
				asm("sbb cl, cl");
				 *((char*)(_t243 + 1)) = 0x158;
				_t30 = _t243 + 2; // 0x402
				E00007FF67FF69811B3A4(0x65, _t30,  ==  ? _t209 : _t209 - 2);
				if (_t180 == _t278) goto 0x9811ac4c;
				asm("sbb cl, cl");
				 *_t180 = 0xb0;
				 *((intOrPtr*)(_t180 + 3)) = r14b;
				goto 0x9811aeb6;
				if (( *_t276 & 0x00000000) == 0) goto 0x9811ac6c;
				 *_t243 = 0x2d;
				_t244 = _t243 + 1;
				r9d =  *(_t261 + 0x90);
				r11d = 0x30;
				 *_t244 = r11b;
				asm("sbb cl, cl");
				asm("sbb edx, edx");
				 *((char*)(_t244 + 1)) = 0x118;
				if (( *_t276 & 0x00000000) != 0) goto 0x9811acd2;
				 *((intOrPtr*)(_t244 + 2)) = r11b;
				_t245 = _t244 + 3;
				asm("dec ebp");
				r15d = r15d & 0x000003fe;
				goto 0x9811acda;
				 *((char*)(_t245 + 2)) = 0x31;
				_t246 = _t245 + 3;
				r10d = 0;
				_t279 = _t246;
				_t247 = _t246 + 1;
				if (_t138 != r10d) goto 0x9811aced;
				 *_t279 = r10b;
				goto 0x9811ad01;
				 *_t279 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x30)) + 0x128))))));
				if (( *_t276 & 0xffffffff) <= 0) goto 0x9811ad9b;
				if (_t138 - r10d <= 0) goto 0x9811ad4d;
				_t93 =  ~r9d + r11w;
				if (_t93 - 0x39 <= 0) goto 0x9811ad37;
				_t94 = _t93 + 0xffffffff00000087;
				r12w = r12w + 0xfffc;
				 *_t247 = _t94;
				_t248 = _t247 + 1;
				_t139 = _t138 - 1;
				if (r12w - r10w >= 0) goto 0x9811ad15;
				if (r12w - r10w < 0) goto 0x9811ad9b;
				if (_t94 - 8 <= 0) goto 0x9811ad9b;
				_t45 = _t248 - 1; // 0x3fc
				_t196 = _t45;
				if ( *_t196 == 0x66) goto 0x9811ad77;
				if ( *_t196 != 0x46) goto 0x9811ad7f;
				 *_t196 = r11b;
				_t197 = _t196 - 1;
				goto 0x9811ad6d;
				if (_t197 == _t279) goto 0x9811ad98;
				_t123 =  *_t197;
				if (_t123 != 0x39) goto 0x9811ad92;
				 *_t197 = 0xffffffff000000c1;
				goto 0x9811ad9b;
				_t124 = _t123 + 1;
				 *_t197 = _t124;
				goto 0x9811ad9b;
				 *((char*)(_t197 - 1)) =  *((char*)(_t197 - 1)) + 1;
				if (_t139 - r10d <= 0) goto 0x9811adc2;
				r8d = _t139;
				_t95 = E00007FF67FF69810B240(_t94, _t124, r11b, _t248, _t230, 0 >> 4);
				r9d =  *(_t261 + 0x90);
				r10d = 0;
				_t49 = _t270 + 0x30; // 0x30
				r11d = _t49;
				_t250 =  ==  ? _t279 : _t248 + 0xffffffff;
				r9d =  ~r9d;
				asm("sbb al, al");
				 *_t250 = (_t95 & 0x000000e0) + 0x70;
				if ( *_t279 - r10b < 0) goto 0x9811adf1;
				 *((char*)(_t250 + 1)) = 0x2b;
				_t251 = _t250 + 2;
				goto 0x9811adfc;
				 *((char*)(_t251 + 1)) = 0x2d;
				_t252 = _t251 + 2;
				_t224 =  ~(( *_t276 >> 0x34) - _t281);
				_t268 = _t252;
				 *_t252 = r11b;
				if (_t224 - 0x3e8 < 0) goto 0x9811ae3e;
				_t232 = (_t230 >> 7) + (_t230 >> 7 >> 0x3f);
				_t233 = _t232 * 0xfffffc18;
				 *_t252 = _t271 + _t232;
				_t253 = _t252 + 1;
				_t225 = _t224 + _t233;
				if (_t253 != _t268) goto 0x9811ae44;
				if (_t225 - 0x64 < 0) goto 0x9811ae72;
				_t236 = (_t233 + _t225 >> 6) + (_t233 + _t225 >> 6 >> 0x3f);
				_t237 = _t236 * 0xffffff9c;
				 *_t253 = _t271 + _t236;
				_t254 = _t253 + 1;
				if (_t254 != _t268) goto 0x9811ae7d;
				if (_t225 + _t237 - 0xa < 0) goto 0x9811aea8;
				 *_t254 = _t271 + (_t237 >> 2) + (_t237 >> 2 >> 0x3f);
				_t255 = _t254 + 1;
				 *_t255 = (_t124 & 0x000007ff) + r11b;
				 *((intOrPtr*)(_t255 + 1)) = r10b;
				if ( *((intOrPtr*)(_t261 + 0x48)) == r10b) goto 0x9811aec4;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff69811aabc
0x7ff69811aabc
0x7ff69811aabc
0x7ff69811aabc
0x7ff69811aabc
0x7ff69811aabf
0x7ff69811aac3
0x7ff69811aac7
0x7ff69811aacb
0x7ff69811aad5
0x7ff69811aad9
0x7ff69811aae4
0x7ff69811aaee
0x7ff69811aaf1
0x7ff69811aaf7
0x7ff69811aafd
0x7ff69811ab02
0x7ff69811ab08
0x7ff69811ab0f
0x7ff69811ab11
0x7ff69811ab1b
0x7ff69811ab1e
0x7ff69811ab25
0x7ff69811ab27
0x7ff69811ab2c
0x7ff69811ab36
0x7ff69811ab3d
0x7ff69811ab46
0x7ff69811ab4e
0x7ff69811ab50
0x7ff69811ab5a
0x7ff69811ab5d
0x7ff69811ab64
0x7ff69811ab66
0x7ff69811ab6b
0x7ff69811ab75
0x7ff69811ab7c
0x7ff69811ab83
0x7ff69811ab88
0x7ff69811ab8b
0x7ff69811ab91
0x7ff69811ab93
0x7ff69811ab9d
0x7ff69811abaf
0x7ff69811abb5
0x7ff69811abc3
0x7ff69811abc3
0x7ff69811abc7
0x7ff69811abcd
0x7ff69811abd1
0x7ff69811abd6
0x7ff69811abe3
0x7ff69811abe5
0x7ff69811abed
0x7ff69811abf8
0x7ff69811abff
0x7ff69811ac08
0x7ff69811ac0a
0x7ff69811ac0d
0x7ff69811ac17
0x7ff69811ac23
0x7ff69811ac2b
0x7ff69811ac2e
0x7ff69811ac32
0x7ff69811ac3a
0x7ff69811ac3e
0x7ff69811ac46
0x7ff69811ac48
0x7ff69811ac51
0x7ff69811ac64
0x7ff69811ac66
0x7ff69811ac69
0x7ff69811ac6c
0x7ff69811ac74
0x7ff69811ac87
0x7ff69811ac8f
0x7ff69811aca3
0x7ff69811aca5
0x7ff69811acb2
0x7ff69811acb4
0x7ff69811acbc
0x7ff69811acc6
0x7ff69811acc9
0x7ff69811acd0
0x7ff69811acd2
0x7ff69811acd6
0x7ff69811acda
0x7ff69811acdd
0x7ff69811ace0
0x7ff69811ace6
0x7ff69811ace8
0x7ff69811aceb
0x7ff69811acfe
0x7ff69811ad05
0x7ff69811ad18
0x7ff69811ad2a
0x7ff69811ad32
0x7ff69811ad34
0x7ff69811ad37
0x7ff69811ad3c
0x7ff69811ad42
0x7ff69811ad45
0x7ff69811ad4b
0x7ff69811ad51
0x7ff69811ad67
0x7ff69811ad69
0x7ff69811ad69
0x7ff69811ad70
0x7ff69811ad75
0x7ff69811ad77
0x7ff69811ad7a
0x7ff69811ad7d
0x7ff69811ad82
0x7ff69811ad84
0x7ff69811ad89
0x7ff69811ad8e
0x7ff69811ad90
0x7ff69811ad92
0x7ff69811ad94
0x7ff69811ad96
0x7ff69811ad98
0x7ff69811ad9e
0x7ff69811ada0
0x7ff69811adab
0x7ff69811adb0
0x7ff69811adbb
0x7ff69811adbe
0x7ff69811adbe
0x7ff69811adc5
0x7ff69811adc9
0x7ff69811adcc
0x7ff69811add2
0x7ff69811ade5
0x7ff69811ade7
0x7ff69811adeb
0x7ff69811adef
0x7ff69811adf1
0x7ff69811adf5
0x7ff69811adf9
0x7ff69811ae03
0x7ff69811ae06
0x7ff69811ae09
0x7ff69811ae23
0x7ff69811ae2a
0x7ff69811ae31
0x7ff69811ae33
0x7ff69811ae36
0x7ff69811ae3c
0x7ff69811ae42
0x7ff69811ae5f
0x7ff69811ae66
0x7ff69811ae6a
0x7ff69811ae6c
0x7ff69811ae75
0x7ff69811ae7b
0x7ff69811aea0
0x7ff69811aea2
0x7ff69811aeb0
0x7ff69811aeb2
0x7ff69811aeb6
0x7ff69811aebd
0x7ff69811aee4

APIs

Part of subcall function 00007FF698104E5C: _getptd.LIBCMT ref: 00007FF698104E72

_errno.LIBCMT ref: 00007FF69811AB11

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_errno.LIBCMT ref: 00007FF69811AB50
_errno.LIBCMT ref: 00007FF69811AB93

Strings

0, xrefs: 00007FF69811AAF7
gfffffff, xrefs: 00007FF69811AE7D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: 5e0a4473535deda9db7320d224ec572da4a58290ec71d1521485fd4c5be27886
Instruction ID: 30c132a06e785a6a152859bd379a4382b03b538fb25a96003f0593e6d86a2a08
Opcode Fuzzy Hash: 5e0a4473535deda9db7320d224ec572da4a58290ec71d1521485fd4c5be27886
Instruction Fuzzy Hash: 28B11F62B087CB47EB218B389141B6E6FA5EB21790F948271DB5D877D6DE3DE850C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698113A4C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF698113A4C(void* __ebx, void* __ecx, long long __rbx, char* __rcx, void* __rdx, void* __r9, long long _a24) {
				signed int _v16;
				char _v24;
				signed long long _t25;
				signed long long _t26;
				void* _t40;
				void* _t44;

				_t44 = __r9;
				_a24 = __rbx;
				_t25 =  *0x98140430; // 0x4918c2c043f
				_t26 = _t25 ^ _t40 - 0x00000030;
				_v16 = _t26;
				if (__rcx == 0) goto 0x98113ad6;
				if ( *__rcx == 0) goto 0x98113ad6;
				if (E00007FF67FF69810BBE0(__ecx, __rcx, 0x98132ac8) == 0) goto 0x98113ad6;
				if (E00007FF67FF69810BBE0(__ecx, __rcx, 0x98132ac4) != 0) goto 0x98113ab6;
				_t4 = _t26 + 8; // 0x8
				r9d = _t4;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x98113af3;
				E00007FF67FF698104984(_t26, 0x98132ac4);
				return E00007FF67FF698104050( *((intOrPtr*)(__rdx + 0x24)), _v16 ^ _t40 - 0x00000030, 0x98132ac4,  &_v24, _t44);
			}

0x7ff698113a4c
0x7ff698113a4c
0x7ff698113a56
0x7ff698113a5d
0x7ff698113a60
0x7ff698113a6e
0x7ff698113a73
0x7ff698113a83
0x7ff698113a96
0x7ff698113a9b
0x7ff698113a9b
0x7ff698113aaf
0x7ff698113ab9
0x7ff698113ad5

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF6981142E0,?,?,?,?,00000000,00007FF698108850), ref: 00007FF698113AA7
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF6981142E0,?,?,?,?,00000000,00007FF698108850), ref: 00007FF698113AE9
GetACP.KERNEL32(?,?,?,?,00000000,00007FF6981142E0,?,?,?,?,00000000,00007FF698108850), ref: 00007FF698113B0C

Strings

ACP, xrefs: 00007FF698113A75
OCP, xrefs: 00007FF698113A85

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 05857ef6789c705f425dab733761c92d82b1b5cb51473c9fdfa44ed524b23ad1
Instruction ID: 89a29e51ad0646eef9966e8729e3bc995a731745d2ded9a7662651a9f7b813e4
Opcode Fuzzy Hash: 05857ef6789c705f425dab733761c92d82b1b5cb51473c9fdfa44ed524b23ad1
Instruction Fuzzy Hash: 27217921B0C64782EA34DB31E8511B963A0FF58788FC440B5DA4DC3AA9EE2CE944C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698106F3C Relevance: 7.6, APIs: 5, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00007FF67FF698106F3C(intOrPtr* __rax, long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int __r9, long long _a8, long long _a16, long long _a24, signed long long _a32) {
				long long _v40;
				signed int _t35;
				signed int _t42;
				void* _t55;
				long long _t69;
				long long* _t71;
				long long _t79;
				signed long long _t82;
				long long _t92;

				_t88 = __r8;
				_t84 = __rbp;
				_t78 = __rdx;
				_t73 = __rcx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __rcx;
				r12d = r8d;
				_t71 = __rcx;
				if ((0 | __rcx != _t79) != 0) goto 0x98106f95;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(__rax, __rcx, __rcx, __rdx, __r9, __rbp, __r8);
				goto 0x98107093;
				if (r8d == 4) goto 0x98106fcd;
				if (r8d == 0) goto 0x98106fcd;
				if (r8d == 0x40) goto 0x98106fcd;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(__rax, _t71, _t73, _t78, __r9, _t84, _t88);
				goto 0x98107093;
				if (r8d == 0) goto 0x98106fd8;
				if (r8d != 0x40) goto 0x9810700b;
				_t69 = __r9 - 2;
				if (_t69 - 0x7ffffffd <= 0) goto 0x9810700b;
				E00007FF67FF6981078AC(_t69);
				 *_t69 = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				_t35 = E00007FF67FF698104430(_t69, _t71, _t73, _t78, __r9, _t84, _t88);
				goto 0x98107093;
				_t82 = __r9 & 0xfffffffe;
				E00007FF67FF69810B4D0(_t35 | 0xffffffff, _t73);
				E00007FF67FF698106BCC(_t71, _t71, _t82);
				E00007FF67FF698111B24(_t69, _t71);
				 *(_t71 + 0x18) =  *(_t71 + 0x18) & 0xffffc2f3;
				if ((r12b & 0x00000004) == 0) goto 0x9810704b;
				 *(_t71 + 0x18) =  *(_t71 + 0x18) | 0x00000004;
				_a32 = _t82;
				goto 0x9810707c;
				if (_t71 + 0x20 != _t79) goto 0x98107074;
				_t42 = E00007FF67FF69810A574(_t55, _t69, _t71, _t82, _t82, _t84);
				_t92 = _t69;
				if (_t69 != _t79) goto 0x9810706b;
				 *0x981430c8 =  *0x981430c8 + 1;
				goto 0x98107089;
				 *(_t71 + 0x18) =  *(_t71 + 0x18) | 0x00000408;
				goto 0x9810707c;
				 *(_t71 + 0x18) = _t42 | 0x00000500;
				 *((intOrPtr*)(_t71 + 0x24)) = 2;
				 *((long long*)(_t71 + 0x10)) = _t92;
				 *_t71 = _t92;
				 *((intOrPtr*)(_t71 + 8)) = 0xffffffff;
				E00007FF67FF69810B560(_t42 | 0x00000500, _t71);
				return 0xffffffff;
			}

0x7ff698106f3c
0x7ff698106f3c
0x7ff698106f3c
0x7ff698106f3c
0x7ff698106f3c
0x7ff698106f41
0x7ff698106f46
0x7ff698106f57
0x7ff698106f5d
0x7ff698106f6c
0x7ff698106f6e
0x7ff698106f73
0x7ff698106f79
0x7ff698106f7e
0x7ff698106f81
0x7ff698106f88
0x7ff698106f90
0x7ff698106f99
0x7ff698106f9e
0x7ff698106fa4
0x7ff698106fa6
0x7ff698106fab
0x7ff698106fb1
0x7ff698106fb6
0x7ff698106fb9
0x7ff698106fc0
0x7ff698106fc8
0x7ff698106fd0
0x7ff698106fd6
0x7ff698106fd8
0x7ff698106fe2
0x7ff698106fe4
0x7ff698106fe9
0x7ff698106fef
0x7ff698106ff4
0x7ff698106ff7
0x7ff698106ffe
0x7ff698107006
0x7ff69810700b
0x7ff69810700f
0x7ff698107018
0x7ff698107020
0x7ff698107025
0x7ff698107033
0x7ff698107038
0x7ff698107044
0x7ff698107049
0x7ff69810704e
0x7ff698107053
0x7ff698107058
0x7ff69810705e
0x7ff698107060
0x7ff698107069
0x7ff69810706b
0x7ff698107072
0x7ff698107079
0x7ff69810707c
0x7ff69810707f
0x7ff698107083
0x7ff698107086
0x7ff69810708c
0x7ff6981070a6

APIs

_errno.LIBCMT ref: 00007FF698106F6E

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_errno.LIBCMT ref: 00007FF698106FA6

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: c827abf252cecc7df5f4a5742bc49cb4568c02ee89e71d0df796e521da3256ab
Instruction ID: 7e6d8c80916b14072ca9a91849c264392d2a2a3f9ff84a643ee2da7a43fc4621
Opcode Fuzzy Hash: c827abf252cecc7df5f4a5742bc49cb4568c02ee89e71d0df796e521da3256ab
Instruction Fuzzy Hash: 8241E272E1861342F3349E35AD0163E7190EB81768FA00775EA6AC7AD9CE7DE460CA48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698113CEC Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FF67FF698113CEC(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				signed int _t58;
				signed int _t68;
				signed int _t85;
				void* _t105;
				signed long long _t131;
				signed long long _t132;
				signed long long _t155;
				void* _t156;
				void* _t159;

				_t167 = __r9;
				_t157 = __rbp;
				_a16 = __rbx;
				_a24 = __rbp;
				_t131 =  *0x98140430; // 0x4918c2c043f
				_t132 = _t131 ^ _t159 - 0x000000b0;
				_v24 = _t132;
				_t134 = __rcx;
				E00007FF67FF69810B93C(__ecx, __eflags, _t132);
				_t155 = _t132;
				_t58 = E00007FF67FF698113B14(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t85 = _t58;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x98113d64;
				 *(_t155 + 0x150) = 0;
				goto 0x98113f59;
				if (E00007FF67FF698115C40(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x148)),  &_v152, _t156, __rbp,  &_v152, __r9) != 0) goto 0x98113e5c;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x98113d54;
				if (E00007FF67FF698115C40(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, __rbp,  &_v152, __r9) != 0) goto 0x98113dd4;
				 *(_t155 + 0x150) =  *(_t155 + 0x150) | 0x00000304;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				goto 0x98113e56;
				if (( *(_t155 + 0x150) & 0x00000002) != 0) goto 0x98113e5c;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0x98113e2a;
				if (E00007FF67FF698115DF0(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, __rbp,  *((intOrPtr*)(_t155 + 0x154)), __r9) != 0) goto 0x98113e2a;
				 *(_t155 + 0x150) =  *(_t155 + 0x150) | 0x00000002;
				 *((intOrPtr*)(_t155 + 0x164)) = _t85;
				if (E00007FF67FF6981070C0(_t66,  *((intOrPtr*)(_t155 + 0x140))) !=  *((intOrPtr*)(_t155 + 0x154))) goto 0x98113e5c;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				goto 0x98113e5c;
				_t68 =  *(_t155 + 0x150);
				if ((_t68 & 0x00000001) != 0) goto 0x98113e5c;
				if (_t85 ==  *0x98132ab0) goto 0x98113e5c;
				if (1 - 0xa < 0) goto 0x98113e3d;
				 *(_t155 + 0x150) = _t68 | 0x00000001;
				 *((intOrPtr*)(_t155 + 0x164)) = _t85;
				if (( *(_t155 + 0x150) & 0x00000300) == 0x300) goto 0x98113f4b;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0x98113d54;
				if (E00007FF67FF698115C40(_t105, _t132, _t134,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, _t157,  &_v152, _t167) != 0) goto 0x98113efc;
				asm("bts dword [edi+0x150], 0x9");
				if ( *((intOrPtr*)(_t155 + 0x158)) == 0) goto 0x98113ed9;
				asm("bts eax, 0x8");
				goto 0x98113f3d;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0x98113f35;
				if (E00007FF67FF6981070C0( *(_t155 + 0x150),  *((intOrPtr*)(_t155 + 0x140))) !=  *((intOrPtr*)(_t155 + 0x154))) goto 0x98113f35;
				goto 0x98113f23;
				if ( *((intOrPtr*)(_t155 + 0x158)) != 0) goto 0x98113f4b;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0x98113f4b;
				if (E00007FF67FF698115C40(_t105, _t132, _t134,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, _t157,  &_v152, _t167) != 0) goto 0x98113f4b;
				_t49 = _t155 + 0x140; // 0x140
				if (E00007FF67FF698113C38(_t85, 0, _t134, _t49, _t167) == 0) goto 0x98113f4b;
				asm("bts dword [edi+0x150], 0x8");
				if ( *((intOrPtr*)(_t155 + 0x160)) != 0) goto 0x98113f4b;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				return E00007FF67FF698104050(_t85, _v24 ^ _t159 - 0x000000b0,  &_v152, _t49, _t167);
			}

0x7ff698113cec
0x7ff698113cec
0x7ff698113cec
0x7ff698113cf1
0x7ff698113cfe
0x7ff698113d05
0x7ff698113d08
0x7ff698113d10
0x7ff698113d13
0x7ff698113d1b
0x7ff698113d1e
0x7ff698113d30
0x7ff698113d36
0x7ff698113d3a
0x7ff698113d52
0x7ff698113d54
0x7ff698113d5f
0x7ff698113d77
0x7ff698113d88
0x7ff698113d92
0x7ff698113da8
0x7ff698113dbd
0x7ff698113dbf
0x7ff698113dc9
0x7ff698113dcf
0x7ff698113ddb
0x7ff698113de3
0x7ff698113dff
0x7ff698113e08
0x7ff698113e0f
0x7ff698113e20
0x7ff698113e22
0x7ff698113e28
0x7ff698113e2a
0x7ff698113e32
0x7ff698113e40
0x7ff698113e4b
0x7ff698113e50
0x7ff698113e56
0x7ff698113e6b
0x7ff698113e7c
0x7ff698113e86
0x7ff698113e9c
0x7ff698113eb5
0x7ff698113eb7
0x7ff698113ecb
0x7ff698113ecd
0x7ff698113ed7
0x7ff698113edf
0x7ff698113ef3
0x7ff698113efa
0x7ff698113f02
0x7ff698113f0a
0x7ff698113f1f
0x7ff698113f23
0x7ff698113f33
0x7ff698113f35
0x7ff698113f43
0x7ff698113f45
0x7ff698113f7d

APIs

_getptd.LIBCMT ref: 00007FF698113D13
GetLocaleInfoA.KERNEL32 ref: 00007FF698113D48
GetLocaleInfoA.KERNEL32 ref: 00007FF698113DA0
GetLocaleInfoA.KERNEL32 ref: 00007FF698113E94

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: 0bc0ce5ffb63eeeb20c95d733831d935c457454a07d1c7dd2c0a88a1cc289cfb
Instruction ID: 95f1d81ce5b06c26a64cd668aedbd7ebd6fe2fd663f201e84cfcef15acfdf979
Opcode Fuzzy Hash: 0bc0ce5ffb63eeeb20c95d733831d935c457454a07d1c7dd2c0a88a1cc289cfb
Instruction Fuzzy Hash: 42615A72B08A8797EA789A31D9447E9B3A1FB98705F90017AD35DC7299CF3CE864C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981052E8 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF6981052E8(void* __edi, void* __esi, intOrPtr* __rax, long long __rbx, signed long long* __rcx, intOrPtr* __rdx, long long __rsi, long long __rbp, signed long long __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a40, intOrPtr _a48) {
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v56;
				long long _v72;
				void* __rdi;
				intOrPtr* _t77;
				intOrPtr _t78;
				intOrPtr* _t79;
				signed long long _t80;
				intOrPtr* _t82;
				long long* _t84;
				intOrPtr* _t90;
				signed long long _t93;
				signed long long* _t95;
				long long _t103;
				long long _t109;

				_t97 = __rbp;
				_t90 = __rdx;
				_t84 = __rcx;
				_t77 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				r14d = 0;
				_t93 = __r8;
				_t82 = __rdx;
				_t95 = __rcx;
				if (__rdx != _t109) goto 0x9810531e;
				if (__r8 == _t109) goto 0x9810534e;
				goto 0x98105323;
				if (__r8 - _t109 > 0) goto 0x9810534a;
				E00007FF67FF6981078AC(__rax);
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				_v72 = _t109;
				E00007FF67FF698104430(__rax, __rdx, __rcx, __rdx, __rcx, __rbp, __r8);
				goto 0x9810547a;
				 *_t90 = r14w;
				if (_t84 == _t109) goto 0x98105356;
				 *_t84 = _t109;
				E00007FF67FF698104E5C(__rax,  &_v56, _a48);
				_t103 = _a40;
				_t104 =  >  ? _t93 : _t103;
				_t65 = ( >  ? _t93 : _t103) - 0x7fffffff;
				if (( >  ? _t93 : _t103) - 0x7fffffff <= 0) goto 0x981053b5;
				E00007FF67FF6981078AC(_t77);
				r9d = 0;
				r8d = 0;
				 *_t77 = 0x16;
				_v72 = _t109;
				E00007FF67FF698104430(_t77, _t82,  &_v56, _a48, _t95, _t97,  >  ? _t93 : _t103);
				if (_v32 == r14b) goto 0x98105343;
				_t78 = _v40;
				 *(_t78 + 0xc8) =  *(_t78 + 0xc8) & 0xfffffffd;
				goto 0x98105343;
				E00007FF67FF6981050E0(__edi, __esi, r14d, _t82, _t82, __r9, _t93, _t95,  >  ? _t93 : _t103,  &_v56);
				if (_t78 != 0xffffffff) goto 0x981053f7;
				if (_t82 == _t109) goto 0x981053d4;
				 *_t82 = r14w;
				E00007FF67FF6981078AC(_t78);
				if (_v32 == r14b) goto 0x9810547a;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				goto 0x9810547a;
				_t79 = _t78 + 1;
				if (_t82 == _t109) goto 0x9810545d;
				if (_t79 - _t93 <= 0) goto 0x98105457;
				if (_a40 == 0xffffffff) goto 0x9810544f;
				 *_t82 = r14w;
				E00007FF67FF6981078AC(_t79);
				r9d = 0;
				r8d = 0;
				 *_t79 = 0x22;
				_v72 = _t109;
				E00007FF67FF698104430(_t79, _t82, _v40, __r9, _t95, _t97,  >  ? _t93 : _t103);
				if (_v32 == r14b) goto 0x98105343;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				goto 0x98105343;
				_t80 = _t93;
				 *((intOrPtr*)(_t82 + _t80 * 2 - 2)) = r14w;
				if (_t95 == _t109) goto 0x98105465;
				 *_t95 = _t80;
				if (_v32 == r14b) goto 0x98105478;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				return 0x50;
			}

0x7ff6981052e8
0x7ff6981052e8
0x7ff6981052e8
0x7ff6981052e8
0x7ff6981052e8
0x7ff6981052ed
0x7ff6981052f2
0x7ff698105300
0x7ff698105306
0x7ff698105309
0x7ff69810530c
0x7ff698105315
0x7ff69810531a
0x7ff69810531c
0x7ff698105321
0x7ff698105323
0x7ff69810532d
0x7ff698105330
0x7ff698105337
0x7ff698105339
0x7ff69810533e
0x7ff698105345
0x7ff69810534a
0x7ff698105351
0x7ff698105353
0x7ff698105363
0x7ff698105368
0x7ff698105373
0x7ff698105377
0x7ff69810537e
0x7ff698105380
0x7ff69810538a
0x7ff69810538d
0x7ff698105394
0x7ff698105396
0x7ff69810539b
0x7ff6981053a5
0x7ff6981053a7
0x7ff6981053ac
0x7ff6981053b3
0x7ff6981053c0
0x7ff6981053c9
0x7ff6981053ce
0x7ff6981053d0
0x7ff6981053d4
0x7ff6981053e0
0x7ff6981053eb
0x7ff6981053f2
0x7ff6981053f7
0x7ff6981053fd
0x7ff698105402
0x7ff69810540d
0x7ff69810540f
0x7ff698105413
0x7ff69810541d
0x7ff698105420
0x7ff698105427
0x7ff698105429
0x7ff69810542e
0x7ff698105438
0x7ff698105443
0x7ff69810544a
0x7ff69810544f
0x7ff698105457
0x7ff698105460
0x7ff698105462
0x7ff69810546a
0x7ff698105471
0x7ff698105493

APIs

_errno.LIBCMT ref: 00007FF698105323
_errno.LIBCMT ref: 00007FF698105380
_errno.LIBCMT ref: 00007FF6981053D4
_errno.LIBCMT ref: 00007FF698105413

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 969b6b03ac756c984ef9ddfa99fd8f5d4939811ed42fda2eef39814d5a7e2c3c
Instruction ID: e8a4f41ad6ef7a8143d58da32a100a12da961f9b70f874cf2ff8d1a1da08853d
Opcode Fuzzy Hash: 969b6b03ac756c984ef9ddfa99fd8f5d4939811ed42fda2eef39814d5a7e2c3c
Instruction Fuzzy Hash: 2D41CB22A0C64341E7709F35A8406BE7660FB407A4F944271DBADAB7D5CF7DD4A1CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698107DC8 Relevance: 4.5, APIs: 3, Instructions: 35
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 33%

			E00007FF67FF698107DC8(void* __rax) {
				long long _v0;
				char _v1240;
				long long _v1384;
				char _v1400;
				long long _v1408;
				long long _v1416;
				void* _t17;
				signed int _t22;
				void* _t33;
				void* _t37;
				void* _t38;
				void* _t42;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t48;
				void* _t49;
				void* _t50;

				_t33 = __rax;
				if (( *0x981403f0 & 0x00000001) == 0) goto 0x98107de2;
				E00007FF67FF69810BD28(0xa, _t37, _t43, _t44, _t45, _t49, _t50);
				E00007FF67FF6981101A8(0xa,  *0x981403f0 & 0x00000001, _t33, _t37, _t42, _t44, _t45, _t48);
				if (_t33 == 0) goto 0x98107df6;
				_t17 = E00007FF67FF6981101B4(0x16, _t33, _t33, _t37, _t38, _t42, _t44, _t45, _t48);
				if (( *0x981403f0 & 0x00000002) == 0) goto 0x98107e5e;
				__imp__RtlCaptureContext();
				r8d = 0x98;
				E00007FF67FF69810B240(_t17, 0x16, 0,  &_v1400, _t42, _t48);
				_v1384 = _v0;
				_v1400 = 0x40000015;
				_v1416 =  &_v1400;
				_v1408 =  &_v1240;
				SetUnhandledExceptionFilter(??);
				UnhandledExceptionFilter(??);
				E00007FF67FF6981058E4( &_v1240, _t42, _t48);
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				_t22 =  *0x981403f0; // 0x3
				r8d = 0;
				r8d =  !r8d;
				r8d = r8d & _t22;
				r8d = r8d;
				 *0x981403f0 = r8d;
				return _t22;
			}

0x7ff698107dc8
0x7ff698107dd6
0x7ff698107ddd
0x7ff698107de2
0x7ff698107dea
0x7ff698107df1
0x7ff698107dfd
0x7ff698107e07
0x7ff698107e14
0x7ff698107e1a
0x7ff698107e29
0x7ff698107e33
0x7ff698107e3b
0x7ff698107e48
0x7ff698107e4d
0x7ff698107e58
0x7ff698107e63
0x7ff698107e68
0x7ff698107e69
0x7ff698107e6a
0x7ff698107e6b
0x7ff698107e6c
0x7ff698107e72
0x7ff698107e77
0x7ff698107e7a
0x7ff698107e7d
0x7ff698107e80
0x7ff698107e87

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF698107E07
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF698107E4D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF698107E58

Part of subcall function 00007FF69810BD28: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69810BF84,?,?,?,?,00007FF6981048E5,?,?,00000000,00007FF69810A598), ref: 00007FF69810BDEB

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextFileModuleName
String ID:
API String ID: 2731829486-0
Opcode ID: debd26cd0c4cef6c731ff63eb1ad758df596568ae4c31ee477f4fbe37bc1369f
Instruction ID: b6cce4e3a1540793395d889c867a00e0bcae98359187d1cd1e67cb7e7082cd9c
Opcode Fuzzy Hash: debd26cd0c4cef6c731ff63eb1ad758df596568ae4c31ee477f4fbe37bc1369f
Instruction Fuzzy Hash: 64014021A1CA8B82F6759B74E8543BA63A0FF85304F800179EA8EC7AA5DF3DE554C705

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698113F80 Relevance: 3.1, APIs: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00007FF67FF698113F80(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, void* __r9, long long _a16) {
				signed int _v24;
				char _v152;
				signed int _t24;
				signed int _t25;
				void* _t27;
				signed int _t35;
				void* _t46;
				signed long long _t56;
				signed long long _t57;
				signed long long _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t78 = __r9;
				_a16 = __rbx;
				_t56 =  *0x98140430; // 0x4918c2c043f
				_t57 = _t56 ^ _t73 - 0x000000b0;
				_v24 = _t57;
				E00007FF67FF69810B93C(__ecx, __eflags, _t57);
				_t70 = _t57;
				_t24 = E00007FF67FF698113B14(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t35 = _t24;
				_t25 = GetLocaleInfoA(??, ??, ??, ??);
				if (_t25 != 0) goto 0x98113fee;
				 *(_t70 + 0x150) =  *(_t70 + 0x150) & _t25;
				goto 0x9811406c;
				_t27 = E00007FF67FF698115C40(_t46, _t57, __rcx,  *((intOrPtr*)(_t70 + 0x140)),  &_v152, _t71, _t72,  &_v152, __r9);
				if (_t27 != 0) goto 0x98114010;
				if ( *((intOrPtr*)(_t70 + 0x158)) != _t27) goto 0x9811404b;
				goto 0x98114039;
				if ( *((intOrPtr*)(_t70 + 0x158)) != 0) goto 0x9811405e;
				if ( *((intOrPtr*)(_t70 + 0x154)) == 0) goto 0x9811405e;
				if (E00007FF67FF698115C40(_t46, _t57, __rcx,  *((intOrPtr*)(_t70 + 0x140)),  &_v152, _t71, _t72,  &_v152, __r9) != 0) goto 0x9811405e;
				_t15 = _t70 + 0x140; // 0x140
				if (E00007FF67FF698113C38(_t35, 0, __rcx, _t15, __r9) == 0) goto 0x9811405e;
				 *(_t70 + 0x150) =  *(_t70 + 0x150) | 0x00000004;
				 *((intOrPtr*)(_t70 + 0x160)) = _t35;
				 *((intOrPtr*)(_t70 + 0x164)) = _t35;
				return E00007FF67FF698104050(_t35, _v24 ^ _t73 - 0x000000b0,  &_v152, _t15, _t78);
			}

0x7ff698113f80
0x7ff698113f80
0x7ff698113f8d
0x7ff698113f94
0x7ff698113f97
0x7ff698113fa2
0x7ff698113faa
0x7ff698113fad
0x7ff698113fbf
0x7ff698113fc5
0x7ff698113fc9
0x7ff698113fd7
0x7ff698113fdf
0x7ff698113fe1
0x7ff698113fec
0x7ff698113ffa
0x7ff698114001
0x7ff698114009
0x7ff69811400e
0x7ff698114017
0x7ff698114020
0x7ff698114035
0x7ff698114039
0x7ff698114049
0x7ff69811404b
0x7ff698114052
0x7ff698114058
0x7ff69811408c

APIs

_getptd.LIBCMT ref: 00007FF698113FA2
GetLocaleInfoA.KERNEL32 ref: 00007FF698113FD7

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 8215a528e03593ee6d7b746b53d1d61c556e40d2f5d1c02d57fb3af718ca9510
Instruction ID: 7c9fb45c0033672899fa3651442eb891e3287b1593050933d98e212fe4a3fc42
Opcode Fuzzy Hash: 8215a528e03593ee6d7b746b53d1d61c556e40d2f5d1c02d57fb3af718ca9510
Instruction Fuzzy Hash: DD219E32B0868386EB788B36D9453EA73A1FB98B45F804075C76CCB284DF3CE464C648

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698113B50 Relevance: 3.1, APIs: 2, Instructions: 56
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF698113B50(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				signed int _t20;
				void* _t38;
				signed int _t39;
				signed long long _t46;
				signed long long _t47;
				signed long long _t60;
				void* _t63;
				void* _t64;

				_a16 = __rbx;
				_a24 = __rsi;
				_t46 =  *0x98140430; // 0x4918c2c043f
				_t47 = _t46 ^ _t64 - 0x000000b0;
				_v24 = _t47;
				E00007FF67FF69810B93C(__ecx, __eflags, _t47);
				_t60 = _t47;
				_t20 = E00007FF67FF698113B14(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t39 = _t20;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x98113bc3;
				 *(_t60 + 0x150) = 0;
				goto 0x98113c10;
				if (E00007FF67FF698115C40(_t38, _t47, __rcx,  *((intOrPtr*)(_t60 + 0x148)),  &_v152, __rsi, _t63,  &_v152, __r9) != 0) goto 0x98113c02;
				if (_t39 ==  *0x98132ab0) goto 0x98113c02;
				if (1 - 0xa < 0) goto 0x98113bdf;
				 *(_t60 + 0x150) =  *(_t60 + 0x150) | 0x00000004;
				 *((intOrPtr*)(_t60 + 0x164)) = _t39;
				 *((intOrPtr*)(_t60 + 0x160)) = _t39;
				return E00007FF67FF698104050(_t20, _v24 ^ _t64 - 0x000000b0,  &_v152,  &_v152, __r9);
			}

0x7ff698113b50
0x7ff698113b55
0x7ff698113b62
0x7ff698113b69
0x7ff698113b6c
0x7ff698113b77
0x7ff698113b7f
0x7ff698113b82
0x7ff698113b94
0x7ff698113b9a
0x7ff698113b9e
0x7ff698113bb6
0x7ff698113bb8
0x7ff698113bc1
0x7ff698113bd6
0x7ff698113be2
0x7ff698113bed
0x7ff698113bef
0x7ff698113bf6
0x7ff698113bfc
0x7ff698113c34

APIs

_getptd.LIBCMT ref: 00007FF698113B77
GetLocaleInfoA.KERNEL32 ref: 00007FF698113BAC

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 3725f289b4d2ea193df2ce5123be0ff46d713da7cc956edd8377e18af458a1f1
Instruction ID: 74060d9a8c5cdb28cab3754af1411c9f9c4697a82b4e52c877ce88538eb26342
Opcode Fuzzy Hash: 3725f289b4d2ea193df2ce5123be0ff46d713da7cc956edd8377e18af458a1f1
Instruction Fuzzy Hash: 92218E32B0868286EB388B31E8453EA73A1FB88744F844176DA5D87758DF3CE455C744

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698113C38 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF698113C38(signed int __ecx, void* __edx, long long __rbx, intOrPtr* __r8, void* __r9, long long _a16) {
				signed int _v40;
				char _v168;
				intOrPtr _t11;
				signed int _t19;
				void* _t22;
				signed int _t23;
				signed long long _t32;
				void* _t42;
				intOrPtr* _t43;
				void* _t44;

				_t49 = __r9;
				_a16 = __rbx;
				_t32 =  *0x98140430; // 0x4918c2c043f
				_v40 = _t32 ^ _t44 - 0x000000b0;
				_t23 = __ecx;
				r9d = 0x78;
				_t19 = __ecx & 0x000003ff;
				_t43 = __r8;
				_t22 = __edx;
				asm("bts ecx, 0xa");
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x98113c89;
				goto 0x98113cc8;
				if (_t23 == E00007FF67FF698113B14( &_v168, _t42, __r9)) goto 0x98113cc3;
				if (_t22 == 0) goto 0x98113cc3;
				_t11 =  *((intOrPtr*)( *_t43));
				if (_t11 - 0x41 < 0) goto 0x98113cac;
				if (_t11 - 0x5a <= 0) goto 0x98113cb2;
				if (_t11 - 0x61 - 0x19 > 0) goto 0x98113cb6;
				goto 0x98113c9f;
				if (1 == E00007FF67FF6981070C0(_t11 - 0x61,  *_t43)) goto 0x98113c85;
				return E00007FF67FF698104050(_t19, _v40 ^ _t44 - 0x000000b0, _t42,  &_v168, _t49);
			}

0x7ff698113c38
0x7ff698113c38
0x7ff698113c47
0x7ff698113c51
0x7ff698113c59
0x7ff698113c5b
0x7ff698113c61
0x7ff698113c67
0x7ff698113c6a
0x7ff698113c75
0x7ff698113c83
0x7ff698113c87
0x7ff698113c95
0x7ff698113c99
0x7ff698113c9f
0x7ff698113ca6
0x7ff698113caa
0x7ff698113cb0
0x7ff698113cb4
0x7ff698113cc1
0x7ff698113cea

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF698113C79

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 561f16ab229c201782425c5e858161fb2405d6ba09c4687a7d6224523272dac9
Instruction ID: 1ae5488175a5c608d7312d631fd5810ff73fd5daa5e7e4b5ae4b7519043383f6
Opcode Fuzzy Hash: 561f16ab229c201782425c5e858161fb2405d6ba09c4687a7d6224523272dac9
Instruction Fuzzy Hash: 0E117732A0868745EB705B35E4943FB6350EB94748FD445BADA4EC7289DE2CE546C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114090 Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00007FF67FF698114090(void* __rax, intOrPtr* __rcx) {
				void* _t18;
				void* _t19;
				int _t21;
				signed int _t30;
				void* _t33;

				_t33 = __rax;
				_t19 = E00007FF67FF6981070C0(_t18,  *__rcx);
				 *(__rcx + 0x18) = 0 | _t33 == 0x00000003;
				E00007FF67FF6981070C0(_t19,  *((intOrPtr*)(__rcx + 8)));
				 *(__rcx + 0x20) =  *(__rcx + 0x20) & 0x00000000;
				_t30 =  *(__rcx + 0x18);
				 *(__rcx + 0x1c) = 0 | _t33 == 0x00000003;
				if (_t30 == 0) goto 0x98114104;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t21 = EnumSystemLocalesA(??, ??);
				asm("bt dword [ebx+0x10], 0x8");
				if (_t30 >= 0) goto 0x981140fa;
				asm("bt dword [ebx+0x10], 0x9");
				if (_t30 >= 0) goto 0x981140fa;
				if (( *(__rcx + 0x10) & 0x00000007) != 0) goto 0x981140fe;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t21;
			}

0x7ff698114090
0x7ff69811409c
0x7ff6981140ae
0x7ff6981140b1
0x7ff6981140bf
0x7ff6981140c3
0x7ff6981140c7
0x7ff6981140ca
0x7ff6981140d1
0x7ff6981140e0
0x7ff6981140e6
0x7ff6981140eb
0x7ff6981140ed
0x7ff6981140f2
0x7ff6981140f8
0x7ff6981140fa
0x7ff698114103

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,00007FF698114262,?,?,?,?,00000000,00007FF698108850), ref: 00007FF6981140E0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 652e2adc2ef40ec4f417bb9152526422ec59cf4ea67f75d0aec53b619a148058
Instruction ID: 21330a55720d5cf6f3def314de194113042eb3cb016be0e2f34193ef0be44aa3
Opcode Fuzzy Hash: 652e2adc2ef40ec4f417bb9152526422ec59cf4ea67f75d0aec53b619a148058
Instruction Fuzzy Hash: F5118272A086078BFB289F31C4553B96692FB65F09F948475C60E82289CF7CD5A4C68D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114124 Relevance: 1.5, APIs: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00007FF67FF698114124(void* __rax, intOrPtr* __rcx) {
				void* _t11;
				int _t13;
				signed int _t15;
				void* _t22;

				_t22 = __rax;
				E00007FF67FF6981070C0(_t11,  *__rcx);
				_t15 = 0 | _t22 == 0x00000003;
				 *(__rcx + 0x18) = _t15;
				if (_t15 == 0) goto 0x9811416f;
				 *((intOrPtr*)(__rcx + 0x14)) = 2;
				_t13 = EnumSystemLocalesA(??, ??);
				if (( *(__rcx + 0x10) & 0x00000004) != 0) goto 0x98114169;
				 *(__rcx + 0x10) =  *(__rcx + 0x10) & 0x00000000;
				return _t13;
			}

0x7ff698114124
0x7ff698114130
0x7ff69811413b
0x7ff69811413e
0x7ff698114143
0x7ff69811414a
0x7ff698114159
0x7ff698114163
0x7ff698114165
0x7ff69811416e

APIs

EnumSystemLocalesA.KERNEL32(?,?,00000140,00007FF69811422A,?,?,?,?,00000000,00007FF698108850), ref: 00007FF698114159

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 3d5422c1ba3494a547b773480a24b884cd67a5761106213dd57e8685c9b22a05
Instruction ID: e0305e611e21448981461566a1500ee8a7ec63f0876075ef0e58b41f4d3921da
Opcode Fuzzy Hash: 3d5422c1ba3494a547b773480a24b884cd67a5761106213dd57e8685c9b22a05
Instruction Fuzzy Hash: A6F0A462F0860B47F7289B35C4553BA63A3FBB5F05F9880B1C60D822DACE6DE591C24D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698115554 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00007FF67FF698115554(void* __edx, void* __eflags, long long __rbx, void* __rcx, long long __rsi, void* __r9, long long _a8, long long _a16, intOrPtr _a40) {
				char _v16;
				intOrPtr _v24;
				char _v40;
				int _t12;
				long long _t21;

				_a8 = __rbx;
				_a16 = __rsi;
				E00007FF67FF698104E5C(_t21,  &_v40, __rcx);
				r9d = _a40;
				_t12 = GetLocaleInfoW(??, ??, ??, ??);
				if (_v16 == 0) goto 0x9811559d;
				 *(_v24 + 0xc8) =  *(_v24 + 0xc8) & 0xfffffffd;
				return _t12;
			}

0x7ff698115554
0x7ff698115559
0x7ff698115573
0x7ff698115578
0x7ff698115584
0x7ff69811558f
0x7ff698115596
0x7ff6981155ac

APIs

Part of subcall function 00007FF698104E5C: _getptd.LIBCMT ref: 00007FF698104E72

GetLocaleInfoW.KERNEL32 ref: 00007FF698115584

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale_getptd
String ID:
API String ID: 3731964398-0
Opcode ID: 273c0c3762a87635050a4efb665b572f58bd5e5aebf2acfdd310a93b0c4f2c57
Instruction ID: f66b93871104a7f4b4766e85e3cc6bd762b1a120e75e40c750abd8974352d0b6
Opcode Fuzzy Hash: 273c0c3762a87635050a4efb665b572f58bd5e5aebf2acfdd310a93b0c4f2c57
Instruction Fuzzy Hash: 0DF0E922A087C183D7118B15F04405EF761F7C4BE0F584220EBAE47B99DF2CC851CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981147E8 Relevance: 1.5, APIs: 1, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 54%

			E00007FF67FF6981147E8(void* __ebx, signed int __ecx, void* __r9) {
				signed int _v16;
				char _v18;
				char _v24;
				signed long long _t15;
				void* _t20;
				signed long long _t21;

				_t15 =  *0x98140430; // 0x4918c2c043f
				_v16 = _t15 ^ _t21;
				r9d = 6;
				_v18 = 0;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0x9811481f;
				goto 0x98114829;
				E00007FF67FF698104984(_t15 ^ _t21, _t20);
				return E00007FF67FF698104050(__ecx, _v16 ^ _t21, _t20,  &_v24, __r9);
			}

0x7ff6981147ec
0x7ff6981147f6
0x7ff698114800
0x7ff69811480b
0x7ff698114818
0x7ff69811481d
0x7ff698114824
0x7ff69811483a

APIs

GetLocaleInfoA.KERNEL32 ref: 00007FF698114810

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 9478a0754d96ab441e65dc32299cb2b76fe1b23b54e2c58b5c9fa0f16241b3d4
Instruction ID: 8291b903dc0905eb161ac97cd2bd46f12d4f2159d4332260686c8b93c4aff4e4
Opcode Fuzzy Hash: 9478a0754d96ab441e65dc32299cb2b76fe1b23b54e2c58b5c9fa0f16241b3d4
Instruction Fuzzy Hash: BCE06521B1C58381F630D771E8512BA6750FFA975CFD00272D69CC66A5DE2CD115CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810BD10 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF69810BD1B

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f397d1fdbb08d3cb22f24e9ce4b848354adc2b7f56e0debdcf051eeacf6740ea
Instruction ID: 4c9ee9a02d60caed7a8e44509b549004bff07dadb75f37a5b62b25fda0d049f1
Opcode Fuzzy Hash: f397d1fdbb08d3cb22f24e9ce4b848354adc2b7f56e0debdcf051eeacf6740ea
Instruction Fuzzy Hash: 36B09210E19843C1D615AB31AC8506512A0EF68300FD008B1C00DC0220DF5C95AACB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698112F18 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF698112F2D

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

free.LIBCMT ref: 00007FF698112F36
free.LIBCMT ref: 00007FF698112F3F
free.LIBCMT ref: 00007FF698112F48
free.LIBCMT ref: 00007FF698112F51
free.LIBCMT ref: 00007FF698112F5A
free.LIBCMT ref: 00007FF698112F62
free.LIBCMT ref: 00007FF698112F6B
free.LIBCMT ref: 00007FF698112F74
free.LIBCMT ref: 00007FF698112F7D
free.LIBCMT ref: 00007FF698112F86
free.LIBCMT ref: 00007FF698112F8F
free.LIBCMT ref: 00007FF698112F98
free.LIBCMT ref: 00007FF698112FA1
free.LIBCMT ref: 00007FF698112FAA
free.LIBCMT ref: 00007FF698112FB3
free.LIBCMT ref: 00007FF698112FBF
free.LIBCMT ref: 00007FF698112FCB
free.LIBCMT ref: 00007FF698112FD7
free.LIBCMT ref: 00007FF698112FE3
free.LIBCMT ref: 00007FF698112FEF
free.LIBCMT ref: 00007FF698112FFB
free.LIBCMT ref: 00007FF698113007
free.LIBCMT ref: 00007FF698113013
free.LIBCMT ref: 00007FF69811301F
free.LIBCMT ref: 00007FF69811302B
free.LIBCMT ref: 00007FF698113037
free.LIBCMT ref: 00007FF698113043
free.LIBCMT ref: 00007FF69811304F
free.LIBCMT ref: 00007FF69811305B
free.LIBCMT ref: 00007FF698113067
free.LIBCMT ref: 00007FF698113073
free.LIBCMT ref: 00007FF69811307F
free.LIBCMT ref: 00007FF69811308B
free.LIBCMT ref: 00007FF698113097
free.LIBCMT ref: 00007FF6981130A3
free.LIBCMT ref: 00007FF6981130AF
free.LIBCMT ref: 00007FF6981130BB
free.LIBCMT ref: 00007FF6981130C7
free.LIBCMT ref: 00007FF6981130D3
free.LIBCMT ref: 00007FF6981130DF
free.LIBCMT ref: 00007FF6981130EB
free.LIBCMT ref: 00007FF6981130F7

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: ecc7a25734b82c8a69be3194843af15d0c5e0e132872565f55c5672a604358f9
Instruction ID: 50f9ac89d6c2b3d6e840cc59e6174a46d24cfdd7dfc8c605b834847d3167557a
Opcode Fuzzy Hash: ecc7a25734b82c8a69be3194843af15d0c5e0e132872565f55c5672a604358f9
Instruction Fuzzy Hash: 1F418522E1648381EA64AFF1CC912BC2724EFC4B48F454476D94DCB1A7CE18D865D35C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981105C4 Relevance: 30.5, APIs: 20, Instructions: 485
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF6981105C4(void* __eax, signed int __ecx, void* __esi, long long __rdx, void* __r8, signed int _a8, long long _a16, char _a24, char _a32, char _a33) {
				long long _v88;
				unsigned int _v96;
				signed int _v100;
				intOrPtr _v104;
				unsigned int _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				void* _t237;
				signed char _t240;
				signed short _t251;
				void* _t259;
				int _t266;
				void* _t268;
				signed int _t269;
				void* _t279;
				signed int _t286;
				unsigned int _t287;
				void* _t289;
				void* _t290;
				void* _t291;
				signed int _t292;
				void* _t293;
				signed short _t300;
				char _t301;
				char _t302;
				signed int _t312;
				signed int _t313;
				void* _t341;
				void* _t346;
				signed short* _t417;
				intOrPtr _t419;
				intOrPtr _t424;
				intOrPtr _t425;
				long long _t427;
				char* _t430;
				intOrPtr* _t432;
				intOrPtr _t434;
				intOrPtr* _t440;
				intOrPtr* _t443;
				void* _t444;
				signed short* _t445;
				signed short* _t446;
				signed short* _t447;
				signed char* _t449;
				signed char* _t450;
				signed char* _t451;
				signed char* _t453;
				signed short* _t457;
				signed short* _t458;
				intOrPtr _t461;
				intOrPtr _t466;
				char* _t476;
				long long _t485;
				signed long long _t487;
				void* _t488;
				void* _t492;
				signed short* _t507;
				signed short* _t508;
				intOrPtr* _t511;
				signed short* _t512;
				signed short* _t513;
				signed short* _t516;
				signed short* _t518;
				signed long long _t520;
				void* _t521;
				void* _t523;

				_t492 = __r8;
				_t474 = __rdx;
				_a16 = __rdx;
				_a8 = __ecx;
				r12d = 0xfffffffe;
				_t417 = __ecx;
				_t286 = r8d;
				_v100 = r12d;
				_v96 = _t286;
				if (__eax != r12d) goto 0x98110610;
				E00007FF67FF6981078CC(__ecx);
				 *__ecx = 0;
				_t237 = E00007FF67FF6981078AC(__ecx);
				 *__ecx = 9;
				goto 0x98110d2f;
				if (_t237 < 0) goto 0x98110d09;
				_t341 = _t237 -  *0x981489c0; // 0x20
				if (_t341 >= 0) goto 0x98110d09;
				_t520 = __ecx >> 5;
				_t461 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				_t487 = __ecx * 0x58;
				if (( *(_t461 + _t487 + 8) & 0x00000001) == 0) goto 0x98110d09;
				if (_t286 - 0x7fffffff <= 0) goto 0x98110671;
				E00007FF67FF6981078CC(__ecx);
				 *__ecx = 0;
				_t240 = E00007FF67FF6981078AC(__ecx);
				 *__ecx = 0x16;
				goto 0x98110d1b;
				if (_t286 == 0) goto 0x98110d05;
				if ((_t240 & 0x00000002) != 0) goto 0x98110d05;
				_t346 = __rdx - _t485;
				if (_t346 == 0) goto 0x9811065a;
				r15b =  *(_t461 + _t487 + 0x38);
				r8d = 4;
				r15b = r15b + r15b;
				r15b = r15b >> 1;
				if (_t346 == 0) goto 0x981106b7;
				if (_t346 != 0) goto 0x981106b2;
				if (( !_t286 & 0x00000001) == 0) goto 0x9811065a;
				_t287 = _t286 & 0xfffffffe;
				goto 0x9811071b;
				if (( !_t287 & 0x00000001) == 0) goto 0x9811065a;
				_t289 =  <  ? r8d : _t287 >> 1;
				E00007FF67FF69810A574(0, __ecx, _t444, _t461, _t487, _t488);
				_t518 = _t417;
				if (_t417 != _t485) goto 0x981106f2;
				E00007FF67FF6981078AC(_t417);
				 *_t417 = 0xc;
				E00007FF67FF6981078CC(_t417);
				 *_t417 = 8;
				goto 0x98110d2f;
				_t22 = _t474 + 1; // 0x1
				r8d = _t22;
				E00007FF67FF698114D74(_t289, _a8, _t417, _t444, __rdx);
				 *( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x40) = _t417;
				_t419 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				r8d = 0xa;
				if (( *(_t419 + _t487 + 8) & 0x00000048) == 0) goto 0x981107d3;
				_t300 =  *((intOrPtr*)(_t419 + _t487 + 9));
				if (_t300 == r8b) goto 0x981107d3;
				if (_t289 == 0) goto 0x981107d3;
				 *_t518 = _t300;
				r10d = r10d | 0xffffffff;
				_t290 = _t289 + r10d;
				_t41 =  &(_t518[0]); // 0x1
				_t476 = _t41;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 9)) = r8b;
				if (r15b == dil) goto 0x981107d3;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39));
				if (_t301 == r8b) goto 0x981107d3;
				if (_t290 == 0) goto 0x981107d3;
				 *_t476 = _t301;
				_t291 = _t290 + r10d;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) = r8b;
				if (r15b != 1) goto 0x981107d3;
				_t302 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a));
				if (_t302 == r8b) goto 0x981107d3;
				if (_t291 == 0) goto 0x981107d3;
				 *((char*)(_t476 + 1)) = _t302;
				_t424 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				_t64 = _t492 - 7; // -6
				_t292 = _t291 + r10d;
				 *((intOrPtr*)(_t424 + _t487 + 0x3a)) = r8b;
				r8d = _t292;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) == 0) goto 0x98110cc9;
				if (0 < 0) goto 0x98110cc9;
				if (_v104 - _t424 > 0) goto 0x98110cc9;
				_t425 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				if (( *(_t425 + _t487 + 8) & 0x00000080) == 0) goto 0x98110ca7;
				if (r15b == 2) goto 0x98110af0;
				if (0 == 0) goto 0x9811084a;
				if ( *_t518 != 0xa) goto 0x9811084a;
				 *(_t425 + _t487 + 8) =  *(_t425 + _t487 + 8) | 0x00000004;
				goto 0x9811084f;
				 *(_t425 + _t487 + 8) =  *(_t425 + _t487 + 8) & 0x000000fb;
				_t445 = _t518;
				_t507 = _t518;
				_t427 = _t64 + _t518;
				_v88 = _t427;
				if (_t518 - _t427 >= 0) goto 0x981109a3;
				_t251 =  *_t507;
				if (_t251 == 0x1a) goto 0x98110984;
				if (_t251 == bpl) goto 0x9811088c;
				 *_t445 = _t251;
				_t446 =  &(_t445[0]);
				_t508 =  &(_t507[0]);
				goto 0x98110977;
				if (_t508 - _v88 - 1 >= 0) goto 0x981108b4;
				_t92 =  &(_t508[0]); // 0x1
				_t430 = _t92;
				if ( *_t430 != 0xa) goto 0x981108ac;
				goto 0x9811093c;
				goto 0x98110971;
				_t97 =  &_a24; // 0x1000000ae
				r8d = 1;
				_t511 = _t430 + 1;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) != 0) goto 0x981108ef;
				if (GetLastError() != 0) goto 0x9811096a;
				if (_v104 == 0) goto 0x9811096a;
				if (( *( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x00000048) == 0) goto 0x9811092d;
				if (_a24 == 0xa) goto 0x9811093c;
				 *_t446 = bpl;
				_t466 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				 *((char*)(_t466 + _t487 + 9)) = _a24;
				goto 0x98110974;
				if (_t446 != _t518) goto 0x98110941;
				if (_a24 != 0xa) goto 0x98110941;
				 *_t446 = 0xa;
				goto 0x98110974;
				r8d = 1;
				E00007FF67FF698114D74(_t292, _a8,  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)), _t446, _t97 | 0xffffffff);
				if (_a24 == 0xa) goto 0x98110977;
				goto 0x98110971;
				 *_t446 = bpl;
				_t447 =  &(_t446[0]);
				if (_t511 - _v88 < 0) goto 0x9811086e;
				goto 0x981109a3;
				_t432 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				if (( *(_t432 + _t487 + 8) & 0x00000040) != 0) goto 0x9811099a;
				 *(_t432 + _t487 + 8) =  *(_t432 + _t487 + 8) | 0x00000002;
				goto 0x981109a3;
				 *_t447 =  *_t511;
				if (r15b != 1) goto 0x98110ca2;
				if (_t292 - r13d == 0) goto 0x98110ca2;
				r15d = 1;
				_t449 =  &(_t447[0]) - _t521;
				if (( *_t449 & 0x00000080) != 0) goto 0x981109d0;
				_t450 =  &(_t449[_t521]);
				goto 0x98110a82;
				_t312 = r15d;
				goto 0x981109e5;
				if (_t312 - 4 > 0) goto 0x981109f2;
				if (_t450 - _t518 < 0) goto 0x981109f2;
				_t451 = _t450 - _t521;
				_t313 = _t312 + r15d;
				if ( *((intOrPtr*)(_t432 + 0x7ff698141380)) == dil) goto 0x981109d5;
				if ( *((char*)(_t466 + 0x7ff698141380)) != 0) goto 0x98110a16;
				_t259 = E00007FF67FF6981078AC(_t432);
				 *_t432 = 0x2a;
				r12d = r12d | 0xffffffff;
				goto 0x98110ca7;
				if (_t259 + 1 != _t313) goto 0x98110a24;
				goto 0x98110a82;
				_t434 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				if (( *(_t434 + _t487 + 8) & 0x00000048) == 0) goto 0x98110a6e;
				_t453 =  &(( &(_t451[_t313]))[_t521]);
				 *((char*)(_t434 + _t487 + 9)) =  *_t451 & 0x000000ff;
				if (_t313 - 2 < 0) goto 0x98110a50;
				 *((char*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) =  *_t453;
				if (_t313 != 3) goto 0x98110a66;
				 *((char*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a)) = _t453[_t521];
				goto 0x98110a82;
				r8d = r15d;
				E00007FF67FF698114D74(_t292, _a8, _t313,  &(( &(_t453[_t521]))[_t521]) - _t313,  ~_t313);
				_t293 = _t292 - r13d;
				r9d = _t293;
				_v112 = _v96 >> 1;
				_v120 = _a16;
				_t266 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t266 != 0) goto 0x98110acb;
				_t268 = E00007FF67FF6981078EC(GetLastError(), _t313);
				r12d = r12d | 0xffffffff;
				goto 0x98110caf;
				r12d = _v100;
				dil = _t268 != _t293;
				 *((intOrPtr*)(0x7ff6980f0000 + _t487 + 0x48)) = 0;
				goto 0x98110caf;
				if (0 == 0) goto 0x98110b07;
				if ( *_t518 != 0xa) goto 0x98110b07;
				 *(0x7ff6980f0000 + _t487 + 8) =  *(0x7ff6980f0000 + _t487 + 8) | 0x00000004;
				goto 0x98110b0c;
				 *(0x7ff6980f0000 + _t487 + 8) =  *( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x000000fb;
				_t457 = _t518;
				_t512 = _t518;
				_t523 = _t266 + _t266 + _t518;
				if (_t518 - _t523 >= 0) goto 0x98110c9d;
				_t269 =  *_t512 & 0x0000ffff;
				if (_t269 == 0x1a) goto 0x98110c7b;
				if (_t269 == 0xd) goto 0x98110b4b;
				 *_t457 = _t269;
				_t458 =  &(_t457[1]);
				_t513 =  &(_t512[1]);
				goto 0x98110c70;
				if (_t513 - _t523 - 2 >= 0) goto 0x98110b6f;
				_t180 =  &(_t513[1]); // 0x2
				_t440 = _t180;
				if ( *_t440 != 0xa) goto 0x98110b67;
				goto 0x98110c29;
				goto 0x98110c69;
				r8d = 2;
				_t516 = _t440 + 2;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) != 0) goto 0x98110baf;
				if (GetLastError() != 0) goto 0x98110c5d;
				if (_v104 == 0) goto 0x98110c5d;
				if (( *( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x00000048) == 0) goto 0x98110c15;
				if (_a32 == 0xa) goto 0x98110c29;
				 *_t458 = 0xd;
				 *((char*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 9)) = _a32;
				 *((char*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) = _a33;
				 *((char*)( *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a)) = 0xa;
				goto 0x98110c6c;
				if (_t458 != _t518) goto 0x98110c2e;
				if (_a32 != 0xa) goto 0x98110c2e;
				 *_t458 = 0xa;
				goto 0x98110c6c;
				r8d = 1;
				E00007FF67FF698114D74(_t293, _a8,  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8)), _t458, 0xfffffffe);
				if (_a32 == 0xa) goto 0x98110c70;
				goto 0x98110c69;
				 *_t458 = 0xd;
				if (_t516 - _t523 < 0) goto 0x98110b27;
				goto 0x98110c9d;
				_t443 =  *((intOrPtr*)(0x7ff6980f0000 + 0x589e0 + _t520 * 8));
				if (( *(_t443 + _t487 + 8) & 0x00000040) != 0) goto 0x98110c91;
				 *(_t443 + _t487 + 8) =  *(_t443 + _t487 + 8) | 0x00000002;
				goto 0x98110c9d;
				_t458[1] =  *_t516 & 0x0000ffff;
				r12d = _v100;
				if (_t518 == _a16) goto 0x98110cbc;
				free(??);
				r12d =  ==  ? _t293 - r13d : r12d;
				goto 0x98110d32;
				if (GetLastError() != 5) goto 0x98110cef;
				E00007FF67FF6981078AC(_t443);
				 *_t443 = 9;
				_t279 = E00007FF67FF6981078CC(_t443);
				 *_t443 = 5;
				goto 0x98110a0d;
				if (_t279 != 0x6d) goto 0x98110cf9;
				r12d = 0;
				goto 0x98110ca7;
				E00007FF67FF6981078EC(_t279, _t443);
				goto 0x98110a0d;
				goto 0x98110d32;
				E00007FF67FF6981078CC(_t443);
				 *_t443 = 0;
				E00007FF67FF6981078AC(_t443);
				 *_t443 = 9;
				r9d = 0;
				r8d = 0;
				_v120 = _t485;
				return E00007FF67FF698104430(_t443,  &(_t458[2]), _t518, 0xfffffffe, _t487, _t488, 0x7ff6980f0000) | 0xffffffff;
			}

0x7ff6981105c4
0x7ff6981105c4
0x7ff6981105c4
0x7ff6981105c9
0x7ff6981105dd
0x7ff6981105e3
0x7ff6981105e6
0x7ff6981105e9
0x7ff6981105ee
0x7ff6981105f5
0x7ff6981105f7
0x7ff6981105fe
0x7ff698110600
0x7ff698110605
0x7ff69811060b
0x7ff698110614
0x7ff69811061a
0x7ff698110620
0x7ff698110633
0x7ff69811063a
0x7ff698110642
0x7ff69811064c
0x7ff698110658
0x7ff69811065a
0x7ff69811065f
0x7ff698110661
0x7ff698110666
0x7ff69811066c
0x7ff698110675
0x7ff69811067d
0x7ff698110683
0x7ff698110686
0x7ff698110688
0x7ff69811068d
0x7ff698110693
0x7ff698110696
0x7ff6981106a0
0x7ff6981106a5
0x7ff6981106ad
0x7ff6981106af
0x7ff6981106b5
0x7ff6981106bd
0x7ff6981106c4
0x7ff6981106ca
0x7ff6981106cf
0x7ff6981106d5
0x7ff6981106d7
0x7ff6981106dc
0x7ff6981106e2
0x7ff6981106e7
0x7ff6981106ed
0x7ff6981106fb
0x7ff6981106fb
0x7ff6981106ff
0x7ff698110716
0x7ff69811071b
0x7ff698110726
0x7ff698110731
0x7ff698110737
0x7ff69811073e
0x7ff698110746
0x7ff69811074c
0x7ff698110758
0x7ff69811075c
0x7ff69811075f
0x7ff69811075f
0x7ff698110767
0x7ff69811076f
0x7ff698110779
0x7ff698110780
0x7ff698110784
0x7ff698110786
0x7ff698110790
0x7ff69811079a
0x7ff6981107a3
0x7ff6981107ad
0x7ff6981107b4
0x7ff6981107b8
0x7ff6981107ba
0x7ff6981107bc
0x7ff6981107c7
0x7ff6981107cb
0x7ff6981107ce
0x7ff6981107e0
0x7ff6981107e7
0x7ff6981107f4
0x7ff698110801
0x7ff69811080c
0x7ff69811081b
0x7ff698110828
0x7ff698110832
0x7ff69811083a
0x7ff698110841
0x7ff698110843
0x7ff698110848
0x7ff69811084a
0x7ff698110852
0x7ff698110855
0x7ff698110858
0x7ff69811085b
0x7ff698110863
0x7ff69811086e
0x7ff698110874
0x7ff69811087d
0x7ff69811087f
0x7ff698110881
0x7ff698110884
0x7ff698110887
0x7ff698110897
0x7ff698110899
0x7ff698110899
0x7ff6981108a1
0x7ff6981108a7
0x7ff6981108af
0x7ff6981108c1
0x7ff6981108cd
0x7ff6981108d3
0x7ff6981108d6
0x7ff6981108e3
0x7ff6981108ed
0x7ff6981108f3
0x7ff698110909
0x7ff698110913
0x7ff698110915
0x7ff698110918
0x7ff698110927
0x7ff69811092b
0x7ff698110930
0x7ff69811093a
0x7ff69811093c
0x7ff69811093f
0x7ff698110948
0x7ff698110952
0x7ff698110966
0x7ff698110968
0x7ff698110971
0x7ff698110974
0x7ff69811097c
0x7ff698110982
0x7ff698110984
0x7ff698110991
0x7ff698110993
0x7ff698110998
0x7ff69811099e
0x7ff6981109ac
0x7ff6981109b4
0x7ff6981109ba
0x7ff6981109c0
0x7ff6981109c6
0x7ff6981109c8
0x7ff6981109cb
0x7ff6981109d0
0x7ff6981109d3
0x7ff6981109d8
0x7ff6981109dd
0x7ff6981109df
0x7ff6981109e2
0x7ff6981109f0
0x7ff698110a00
0x7ff698110a02
0x7ff698110a07
0x7ff698110a0d
0x7ff698110a11
0x7ff698110a1a
0x7ff698110a22
0x7ff698110a24
0x7ff698110a31
0x7ff698110a33
0x7ff698110a39
0x7ff698110a3d
0x7ff698110a4c
0x7ff698110a53
0x7ff698110a62
0x7ff698110a6c
0x7ff698110a77
0x7ff698110a7d
0x7ff698110a8e
0x7ff698110a93
0x7ff698110a99
0x7ff698110aa4
0x7ff698110aa9
0x7ff698110ab3
0x7ff698110abd
0x7ff698110ac2
0x7ff698110ac6
0x7ff698110acb
0x7ff698110ae1
0x7ff698110ae7
0x7ff698110aeb
0x7ff698110af7
0x7ff698110afe
0x7ff698110b00
0x7ff698110b05
0x7ff698110b07
0x7ff698110b0f
0x7ff698110b12
0x7ff698110b15
0x7ff698110b1c
0x7ff698110b27
0x7ff698110b30
0x7ff698110b39
0x7ff698110b3b
0x7ff698110b3e
0x7ff698110b42
0x7ff698110b46
0x7ff698110b52
0x7ff698110b54
0x7ff698110b54
0x7ff698110b5c
0x7ff698110b62
0x7ff698110b6a
0x7ff698110b88
0x7ff698110b8e
0x7ff698110b92
0x7ff698110b9f
0x7ff698110ba9
0x7ff698110bb3
0x7ff698110bcd
0x7ff698110bdc
0x7ff698110bde
0x7ff698110bf0
0x7ff698110c03
0x7ff698110c0f
0x7ff698110c13
0x7ff698110c18
0x7ff698110c27
0x7ff698110c29
0x7ff698110c2c
0x7ff698110c3c
0x7ff698110c40
0x7ff698110c59
0x7ff698110c5b
0x7ff698110c69
0x7ff698110c73
0x7ff698110c79
0x7ff698110c7b
0x7ff698110c88
0x7ff698110c8a
0x7ff698110c8f
0x7ff698110c96
0x7ff698110ca2
0x7ff698110cb2
0x7ff698110cb7
0x7ff698110cc0
0x7ff698110cc7
0x7ff698110cd2
0x7ff698110cd4
0x7ff698110cd9
0x7ff698110cdf
0x7ff698110ce4
0x7ff698110cea
0x7ff698110cf2
0x7ff698110cf4
0x7ff698110cf7
0x7ff698110cfb
0x7ff698110d00
0x7ff698110d07
0x7ff698110d09
0x7ff698110d0e
0x7ff698110d10
0x7ff698110d15
0x7ff698110d1b
0x7ff698110d1e
0x7ff698110d25
0x7ff698110d42

APIs

__doserrno.LIBCMT ref: 00007FF6981105F7
_errno.LIBCMT ref: 00007FF698110600
__doserrno.LIBCMT ref: 00007FF69811065A
_errno.LIBCMT ref: 00007FF698110661

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: edecc77121cc5808f797c38e0de8add454756a7ebf3f8fd74126f6dce199133d
Instruction ID: 64ebbce8da44a314c36b88d4a0853678e4daff7207e690a814d4be6f3d979933
Opcode Fuzzy Hash: edecc77121cc5808f797c38e0de8add454756a7ebf3f8fd74126f6dce199133d
Instruction Fuzzy Hash: 2022C112E0C68782E7719B3494443BD3A91FBA1794FD881B6CA8EC36E5DF2CE444C70A

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698109D48 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 337
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00007FF67FF698109D48(void* __ebx, void* __ecx, void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, signed int* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t152;
				intOrPtr _t155;
				void* _t160;
				void* _t161;
				signed int _t162;
				void* _t207;
				void* _t208;
				signed int* _t213;
				long long _t214;
				signed int _t220;
				intOrPtr _t222;
				signed int* _t223;
				void* _t271;
				intOrPtr* _t272;
				intOrPtr* _t273;
				void* _t275;
				signed int* _t276;
				void* _t280;
				long long _t281;
				intOrPtr* _t283;
				signed int* _t285;
				void* _t288;
				void* _t289;
				void* _t307;
				long long _t308;
				void* _t310;
				void* _t315;
				signed int* _t316;
				void* _t318;
				signed int* _t320;

				_t207 = __rax;
				_t159 = __edi;
				_t152 = __ecx;
				 *((long long*)(_t288 + 0x20)) = __rbx;
				 *((long long*)(_t288 + 0x18)) = __r8;
				 *((long long*)(_t288 + 0x10)) = __rdx;
				_t289 = _t288 - 0xa0;
				_t222 =  *((intOrPtr*)(_t289 + 0x100));
				r15d = 0;
				_t308 = __rdx;
				_t272 = __rcx;
				_t316 = __r9;
				_t281 = __r8;
				 *((intOrPtr*)(_t289 + 0x60)) = r15b;
				r14b = r15b;
				 *((intOrPtr*)(_t289 + 0xe0)) = r15b;
				_t160 = E00007FF67FF698112548(_t222, __r9);
				E00007FF67FF6981071FC(__edi, _t207, _t222, __rdx, _t316, _t275, _t281, _t222, _t289 + 0x78, _t320, _t318);
				if (_t160 - E00007FF67FF6981125C0(_t207, __rdx, _t222) <= 0) goto 0x98109de8;
				r9d = _t160;
				E00007FF67FF698112578(_t106, _t289 + 0x78, _t222);
				r9d = _t160;
				E00007FF67FF698112584(_t207, _t222, _t308, _t222, _t315);
				goto 0x98109df2;
				_t161 = E00007FF67FF6981125C0(_t207, _t308, _t222);
				if (_t161 - 0xffffffff < 0) goto 0x98109dfc;
				if (_t161 -  *((intOrPtr*)(_t222 + 4)) < 0) goto 0x98109e01;
				E00007FF67FF698110148(_t207);
				if ( *_t272 != 0xe06d7363) goto 0x9810a258;
				if ( *((intOrPtr*)(_t272 + 0x18)) != 4) goto 0x98109fc7;
				if ( *((intOrPtr*)(_t272 + 0x20)) == 0x19930520) goto 0x98109e36;
				if ( *((intOrPtr*)(_t272 + 0x20)) == 0x19930521) goto 0x98109e36;
				if ( *((intOrPtr*)(_t272 + 0x20)) != 0x19930522) goto 0x98109fc7;
				if ( *((intOrPtr*)(_t272 + 0x30)) != _t320) goto 0x98109fc7;
				E00007FF67FF69810B93C(_t152,  *((intOrPtr*)(_t272 + 0x30)) - _t320, _t207);
				if ( *((intOrPtr*)(_t207 + 0xf0)) == _t320) goto 0x9810a23d;
				E00007FF67FF69810B93C(_t152,  *((intOrPtr*)(_t207 + 0xf0)) - _t320, _t207);
				_t273 =  *((intOrPtr*)(_t207 + 0xf0));
				E00007FF67FF69810B93C(_t152,  *((intOrPtr*)(_t207 + 0xf0)) - _t320, _t207);
				 *((char*)(_t289 + 0x60)) = 1;
				 *((long long*)(_t289 + 0xf0)) =  *((intOrPtr*)(_t207 + 0xf8));
				if (E00007FF67FF698114658(E00007FF67FF698107334(_t207,  *((intOrPtr*)(_t273 + 0x38))), _t273) != r15d) goto 0x98109e97;
				E00007FF67FF698110148(_t207);
				if ( *_t273 != 0xe06d7363) goto 0x98109ecb;
				if ( *((intOrPtr*)(_t273 + 0x18)) != 4) goto 0x98109ecb;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930520) goto 0x98109ec0;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930521) goto 0x98109ec0;
				if ( *((intOrPtr*)(_t273 + 0x20)) != 0x19930522) goto 0x98109ecb;
				if ( *((intOrPtr*)(_t273 + 0x30)) != _t320) goto 0x98109ecb;
				E00007FF67FF698110148(_t207);
				E00007FF67FF69810B93C(_t152,  *((intOrPtr*)(_t273 + 0x30)) - _t320, _t207);
				if ( *(_t207 + 0x108) == _t320) goto 0x98109fc7;
				E00007FF67FF69810B93C(_t152,  *(_t207 + 0x108) - _t320, _t207);
				_t283 =  *(_t207 + 0x108);
				E00007FF67FF69810B93C(_t152,  *(_t207 + 0x108) - _t320, _t207);
				 *(_t207 + 0x108) = _t320;
				if (E00007FF67FF698109468(_t207, _t222, _t273, _t283, _t275, _t283) != r15b) goto 0x98109fbf;
				r12d = r15d;
				if ( *_t283 - r15d <= 0) goto 0x98109f67;
				_t276 = _t320;
				E00007FF67FF6981072E8(_t207);
				_t208 = _t207 + _t276;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t283 + 4)) + _t208 + 4)) == r15d) goto 0x98109f43;
				E00007FF67FF6981072E8(_t208);
				_t223 =  *((intOrPtr*)( *((intOrPtr*)(_t283 + 4)) + _t208 + _t276 + 4));
				E00007FF67FF6981072E8(_t208 + _t276);
				goto 0x98109f46;
				if (E00007FF67FF6981045C0(_t320, 0x98140408) != r15b) goto 0x98109f6d;
				r12d = r12d + 1;
				if (r12d -  *_t283 < 0) goto 0x98109f15;
				E00007FF67FF698110124(r12d -  *_t283, _t320);
				asm("int3");
				E00007FF67FF6981093E4(1, _t273);
				 *((long long*)(_t289 + 0xe0)) = "bad exception";
				E00007FF67FF6981040EC(_t223, _t289 + 0x88, _t289 + 0xe0,  &(_t276[5]), _t307);
				 *((long long*)(_t289 + 0x88)) = 0x98130da8;
				E00007FF67FF698107168(_t320, _t223, _t289 + 0x88, 0x9813e0e0, _t271);
				asm("int3");
				if ( *_t273 != 0xe06d7363) goto 0x9810a258;
				if ( *((intOrPtr*)(_t273 + 0x18)) != 4) goto 0x9810a258;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930520) goto 0x98109ffc;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930521) goto 0x98109ffc;
				if ( *((intOrPtr*)(_t273 + 0x20)) != 0x19930522) goto 0x9810a258;
				if (_t223[3] - r15d <= 0) goto 0x9810a18a;
				r8d =  *((intOrPtr*)(_t289 + 0x110));
				 *(_t289 + 0x30) = _t316;
				 *(_t289 + 0x28) = _t289 + 0x68;
				_t213 = _t289 + 0x64;
				r9d = _t161;
				 *(_t289 + 0x20) = _t213;
				E00007FF67FF69810757C(__ebx, _t223, _t223,  &(_t276[5]));
				_t285 = _t213;
				if ( *((intOrPtr*)(_t289 + 0x64)) -  *((intOrPtr*)(_t289 + 0x68)) >= 0) goto 0x9810a18a;
				if ( *_t285 - _t161 > 0) goto 0x9810a16f;
				if (_t161 - _t285[1] > 0) goto 0x9810a16f;
				E00007FF67FF6981072E8(_t213);
				r14d = _t285[3];
				_t310 = _t213 + _t285[4];
				if (r14d - r15d <= 0) goto 0x9810a157;
				E00007FF67FF698107300(_t213);
				_t214 = _t213 +  *((intOrPtr*)( *((intOrPtr*)(_t273 + 0x30)) + 0xc)) + 4;
				 *((long long*)(_t289 + 0x70)) = _t214;
				E00007FF67FF698107300(_t214);
				r15d =  *((intOrPtr*)(_t214 +  *((intOrPtr*)( *((intOrPtr*)(_t273 + 0x30)) + 0xc))));
				goto 0x9810a0d1;
				E00007FF67FF698107300(_t214);
				 *((long long*)(_t289 + 0x80)) = _t214 +  *((intOrPtr*)( *((intOrPtr*)(_t289 + 0x70))));
				if (E00007FF67FF6981090E0(_t223, _t310, _t214 +  *((intOrPtr*)( *((intOrPtr*)(_t289 + 0x70)))), _t273,  &(_t276[5]),  *((intOrPtr*)(_t273 + 0x30))) != 0) goto 0x9810a0e2;
				r15d = r15d - 1;
				 *((long long*)(_t289 + 0x70)) =  *((long long*)(_t289 + 0x70)) + 4;
				if (r15d > 0) goto 0x9810a09d;
				r14d = r14d - 1;
				r15d = 0;
				goto 0x9810a06a;
				r14b = 1;
				 *((char*)(_t289 + 0x58)) =  *((intOrPtr*)(_t289 + 0x108));
				 *((char*)(_t289 + 0x50)) =  *((intOrPtr*)(_t289 + 0x60));
				 *((long long*)(_t289 + 0x48)) =  *((intOrPtr*)(_t289 + 0x118));
				 *((intOrPtr*)(_t289 + 0xe0)) = r14b;
				 *((intOrPtr*)(_t289 + 0x40)) =  *((intOrPtr*)(_t289 + 0x110));
				 *(_t289 + 0x38) = _t285;
				 *(_t289 + 0x30) =  *((intOrPtr*)(_t289 + 0x80));
				 *(_t289 + 0x28) = _t310 + 0x14;
				 *(_t289 + 0x20) = _t223;
				E00007FF67FF698109A40( *((intOrPtr*)(_t289 + 0x64)), _t159, _t223, _t273,  *((intOrPtr*)(_t289 + 0xe8)), _t285,  *((intOrPtr*)(_t289 + 0xf0)), _t316);
				r15d = 0;
				goto 0x9810a167;
				r14b =  *((intOrPtr*)(_t289 + 0xe0));
				_t155 =  *((intOrPtr*)(_t289 + 0x64)) + 1;
				 *((intOrPtr*)(_t289 + 0x64)) = _t155;
				if (_t155 -  *((intOrPtr*)(_t289 + 0x68)) < 0) goto 0x9810a048;
				if (r14b != r15b) goto 0x9810a22a;
				if (( *_t223 & 0x1fffffff) - 0x19930521 < 0) goto 0x9810a22a;
				_t162 = _t223[8];
				if (_t162 == r15d) goto 0x9810a1b1;
				E00007FF67FF6981072E8( *((intOrPtr*)(_t289 + 0x80)));
				goto 0x9810a1b4;
				if (_t320 == _t320) goto 0x9810a22a;
				if (_t162 == r15d) goto 0x9810a1cf;
				E00007FF67FF6981072E8(_t320);
				_t220 = _t223[8];
				goto 0x9810a1d2;
				if (E00007FF67FF698109468(_t220, _t223, _t273, _t320, _t162,  &(_t285[5])) != r15b) goto 0x9810a22a;
				E00007FF67FF6981071FC(_t159, _t220, _t223,  *((intOrPtr*)(_t289 + 0xe8)), _t316, _t162,  &(_t285[5]), _t223, _t289 + 0xe0, _t275, _t280);
				 *((char*)(_t289 + 0x40)) =  *((intOrPtr*)(_t289 + 0x108));
				 *(_t289 + 0x38) = _t316;
				 *(_t289 + 0x30) = _t223;
				 *(_t289 + 0x28) =  *(_t289 + 0x28) | 0xffffffff;
				 *(_t289 + 0x20) = _t320;
				E00007FF67FF69810777C(_t223,  *((intOrPtr*)(_t289 + 0xe8)), _t273, _t162,  &(_t285[5]),  *((intOrPtr*)(_t289 + 0xf0)), _t220);
				E00007FF67FF69810B93C( *((intOrPtr*)(_t289 + 0x108)), E00007FF67FF698109468(_t220, _t223, _t273, _t320, _t162,  &(_t285[5])) - r15b, _t220);
				if ( *((intOrPtr*)(_t220 + 0x108)) == _t320) goto 0x9810a23d;
				return E00007FF67FF698110148(_t220);
			}

0x7ff698109d48
0x7ff698109d48
0x7ff698109d48
0x7ff698109d48
0x7ff698109d4d
0x7ff698109d52
0x7ff698109d62
0x7ff698109d69
0x7ff698109d71
0x7ff698109d74
0x7ff698109d77
0x7ff698109d80
0x7ff698109d83
0x7ff698109d86
0x7ff698109d8b
0x7ff698109d8e
0x7ff698109da9
0x7ff698109dab
0x7ff698109dc6
0x7ff698109dcd
0x7ff698109dd0
0x7ff698109dd5
0x7ff698109de1
0x7ff698109de6
0x7ff698109df0
0x7ff698109df5
0x7ff698109dfa
0x7ff698109dfc
0x7ff698109e07
0x7ff698109e11
0x7ff698109e1e
0x7ff698109e27
0x7ff698109e30
0x7ff698109e3a
0x7ff698109e40
0x7ff698109e4c
0x7ff698109e52
0x7ff698109e57
0x7ff698109e5e
0x7ff698109e6e
0x7ff698109e73
0x7ff698109e90
0x7ff698109e92
0x7ff698109e9d
0x7ff698109ea3
0x7ff698109eac
0x7ff698109eb5
0x7ff698109ebe
0x7ff698109ec4
0x7ff698109ec6
0x7ff698109ecb
0x7ff698109ed7
0x7ff698109edd
0x7ff698109ee2
0x7ff698109ee9
0x7ff698109ef4
0x7ff698109f03
0x7ff698109f0d
0x7ff698109f10
0x7ff698109f12
0x7ff698109f15
0x7ff698109f1e
0x7ff698109f26
0x7ff698109f28
0x7ff698109f34
0x7ff698109f39
0x7ff698109f41
0x7ff698109f58
0x7ff698109f5a
0x7ff698109f65
0x7ff698109f67
0x7ff698109f6c
0x7ff698109f72
0x7ff698109f8e
0x7ff698109f96
0x7ff698109fb1
0x7ff698109fb9
0x7ff698109fbe
0x7ff698109fcd
0x7ff698109fd7
0x7ff698109fe4
0x7ff698109fed
0x7ff698109ff6
0x7ff69810a000
0x7ff69810a006
0x7ff69810a013
0x7ff69810a018
0x7ff69810a01d
0x7ff69810a022
0x7ff69810a02b
0x7ff69810a030
0x7ff69810a039
0x7ff69810a042
0x7ff69810a04b
0x7ff69810a054
0x7ff69810a05a
0x7ff69810a063
0x7ff69810a067
0x7ff69810a06d
0x7ff69810a073
0x7ff69810a080
0x7ff69810a085
0x7ff69810a08a
0x7ff69810a097
0x7ff69810a09b
0x7ff69810a09d
0x7ff69810a0b7
0x7ff69810a0c6
0x7ff69810a0c8
0x7ff69810a0cb
0x7ff69810a0d4
0x7ff69810a0d6
0x7ff69810a0dd
0x7ff69810a0e0
0x7ff69810a0f1
0x7ff69810a0f4
0x7ff69810a0ff
0x7ff69810a10e
0x7ff69810a11a
0x7ff69810a122
0x7ff69810a12e
0x7ff69810a133
0x7ff69810a138
0x7ff69810a148
0x7ff69810a14d
0x7ff69810a152
0x7ff69810a155
0x7ff69810a157
0x7ff69810a16f
0x7ff69810a175
0x7ff69810a17b
0x7ff69810a184
0x7ff69810a196
0x7ff69810a19c
0x7ff69810a1a2
0x7ff69810a1a7
0x7ff69810a1af
0x7ff69810a1b7
0x7ff69810a1bc
0x7ff69810a1be
0x7ff69810a1c6
0x7ff69810a1cd
0x7ff69810a1dd
0x7ff69810a1f0
0x7ff69810a204
0x7ff69810a208
0x7ff69810a20d
0x7ff69810a212
0x7ff69810a220
0x7ff69810a225
0x7ff69810a22a
0x7ff69810a236
0x7ff69810a257

APIs

Part of subcall function 00007FF6981071FC: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF698107270

__GetUnwindTryBlock.LIBCMT ref: 00007FF698109DB9
__SetUnwindTryBlock.LIBCMT ref: 00007FF698109DE1

Part of subcall function 00007FF698107168: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF698104678), ref: 00007FF6981071E8

__GetUnwindTryBlock.LIBCMT ref: 00007FF698109DEB
_getptd.LIBCMT ref: 00007FF698109E40
_getptd.LIBCMT ref: 00007FF698109E52
_getptd.LIBCMT ref: 00007FF698109E5E
_SetThrowImageBase.LIBCMT ref: 00007FF698109E7B
_getptd.LIBCMT ref: 00007FF698109ECB
_getptd.LIBCMT ref: 00007FF698109EDD
_getptd.LIBCMT ref: 00007FF698109EE9
_getptd.LIBCMT ref: 00007FF69810A22A

Strings

csm, xrefs: 00007FF698109E97
csm, xrefs: 00007FF698109FC7
bad exception, xrefs: 00007FF698109F77
csm, xrefs: 00007FF698109E01

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
String ID: bad exception$csm$csm$csm
API String ID: 2351602029-820278400
Opcode ID: 9879b71105d79e3faefd726c5ecf8e7106465e3219339e0629f894a23453c9a7
Instruction ID: cce52d2fa1d516accfe6ade138bb8df6deca2ee08a7a626955da57ffdcf75f43
Opcode Fuzzy Hash: 9879b71105d79e3faefd726c5ecf8e7106465e3219339e0629f894a23453c9a7
Instruction Fuzzy Hash: 2DE19372A0878386DA709F31A8506BD77A0FB54784F844575EE8E87B96CF3CE4A1C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FB470 Relevance: 19.7, APIs: 13, Instructions: 249
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00007FF67FF6980FB470(long long __rdx, void* __r8, long long _a16, intOrPtr* _a40, intOrPtr* _a48, intOrPtr* _a56) {
				char _v56;
				char _v72;
				intOrPtr _v80;
				char _v88;
				void* __rdi;
				void* __rbp;
				void* __r12;
				void* _t21;
				intOrPtr _t31;
				intOrPtr* _t36;
				long long* _t37;
				intOrPtr* _t38;
				intOrPtr* _t40;
				long long* _t42;
				void* _t44;
				void* _t46;
				void* _t54;
				void* _t55;

				_a16 = __rdx;
				_t36 = _a48;
				_t37 =  &_v72;
				_t42 =  &_v56;
				 *_t37 =  *_t36;
				 *((long long*)(_t37 + 8)) =  *((intOrPtr*)(_t36 + 8));
				_t38 = _a40;
				 *_t42 =  *_t38;
				 *((long long*)(_t42 + 8)) =  *((intOrPtr*)(_t38 + 8));
				E00007FF67FF6980FBC70( &_v88, __r8, _t44, _t46,  &_v56,  &_v72, __rdx, _t54, _t55);
				if ( *((long long*)(__r8 + 0x38)) != 0) goto 0x980fb5e3;
				_t31 = _v88;
				if (_t31 == 0xfffffffc) goto 0x980fb4f7;
				if (_t31 == 0) goto 0x980fb4f2;
				if (_t31 ==  *_t36) goto 0x980fb4f7;
				_t21 = E00007FF67FF6981044B8();
				if (_v80 !=  *((intOrPtr*)(_t36 + 8))) goto 0x980fb528;
				_t40 = _a56;
				 *((long long*)(__rdx)) =  *_t40;
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(_t40 + 8));
				return _t21;
			}

0x7ff6980fb470
0x7ff6980fb47f
0x7ff6980fb487
0x7ff6980fb492
0x7ff6980fb49a
0x7ff6980fb4a6
0x7ff6980fb4aa
0x7ff6980fb4ba
0x7ff6980fb4c6
0x7ff6980fb4cd
0x7ff6980fb4d7
0x7ff6980fb4dd
0x7ff6980fb4e6
0x7ff6980fb4eb
0x7ff6980fb4f0
0x7ff6980fb4f2
0x7ff6980fb500
0x7ff6980fb502
0x7ff6980fb50d
0x7ff6980fb515
0x7ff6980fb527

APIs

Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBCCA
Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBCED
Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD08
Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD28
Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD74
Part of subcall function 00007FF6980FBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD9B

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB4F2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB59B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB5BE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB620
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB63A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB65D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB67E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB699
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB6B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB6FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB721
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB76E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB791

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c1a07d890f2d1985cc669972f8e1ed61626581fff1d6e9b679634fa50c2043ac
Instruction ID: c49af2557055e0719d36ffd01ad442bfbf9aabd874fa9c097f72f2c32210ee09
Opcode Fuzzy Hash: c1a07d890f2d1985cc669972f8e1ed61626581fff1d6e9b679634fa50c2043ac
Instruction Fuzzy Hash: 60B17122709B4680DA709F25E490279B760FB54BA8F988272DE9D877E4DF3CE451D70C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698128E80 Relevance: 19.7, APIs: 13, Instructions: 192
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF67FF698128E80(void* __ebx, void* __edx, signed int __ebp, long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
				void* _t106;
				void* _t140;
				long long* _t143;
				long long _t148;
				intOrPtr* _t153;
				void* _t171;
				void* _t172;
				long long _t175;
				long long _t177;
				intOrPtr _t178;
				void* _t179;
				void* _t181;
				intOrPtr* _t182;
				intOrPtr _t183;
				long long _t185;
				long long _t186;
				intOrPtr _t190;
				void* _t193;
				void* _t194;
				void* _t207;
				long long _t208;

				_t106 = __edx;
				_t140 = _t193;
				_t194 = _t193 - 0xa0;
				 *((long long*)(_t194 + 0x30)) = 0xfffffffe;
				 *((long long*)(_t140 + 8)) = __rbx;
				 *((long long*)(_t140 + 0x18)) = _t185;
				 *((long long*)(_t140 + 0x20)) = __rsi;
				_t207 = __rdx;
				_t181 = __rcx;
				if (__rdx == 0) goto 0x98129173;
				if (r8d == 0) goto 0x98129173;
				_t153 = __rcx + 0x210;
				_t186 =  *((intOrPtr*)(_t153 + 0x20));
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t186 <= 0) goto 0x98128ed5;
				E00007FF67FF6981044B8();
				 *((long long*)(_t194 + 0x40)) =  *_t153;
				 *((long long*)(_t194 + 0x48)) = _t186;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) =  *(_t194 + 0xc8) & 0x000000ff;
				E00007FF67FF6980FD1A0(_t106, _t153, _t153, _t194 + 0x60, __rcx, __rdx, __rdx + _t172);
				_t143 =  *((intOrPtr*)(_t153 + 0x20)) -  *((intOrPtr*)(_t153 + 0x18));
				if (_t143 - 3 >= 0) goto 0x98128f30;
				goto 0x98129175;
				_t112 =  *(_t181 + 0x2a4) * __ebp;
				 *(_t194 + 0xc8) = 0;
				E00007FF67FF6981045E0(_t143, _t153);
				r13d = 0;
				if (_t143 == 0) goto 0x98128f5b;
				 *_t143 = _t194 + 0x70;
				goto 0x98128f5e;
				 *((long long*)(_t194 + 0x70)) = _t208;
				r12d =  *(_t181 + 0x2a4) * __ebp;
				E00007FF67FF6980F4CA0(_t208, _t153, _t194 + 0x70, _t194 + 0x60, _t181, _t194 + 0xc8);
				if ( *((intOrPtr*)(_t194 + 0x90)) !=  *((intOrPtr*)(_t194 + 0x88))) goto 0x98128f9d;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t153 + 0x20)) !=  *((intOrPtr*)(_t153 + 0x18))) goto 0x98128fac;
				E00007FF67FF6981044B8();
				 *((intOrPtr*)(_t194 + 0x20)) = r13d;
				r9d = __ebp;
				E00007FF67FF6981277F0(_t181 + 0x20,  *((intOrPtr*)(_t153 + 0x18)), _t181,  *((intOrPtr*)(_t194 + 0x88)));
				_t175 =  *((intOrPtr*)(_t181 + 0x260));
				if ( *((intOrPtr*)(_t181 + 0x258)) - _t175 <= 0) goto 0x98128fd9;
				E00007FF67FF6981044B8();
				 *((long long*)(_t194 + 0x60)) =  *((intOrPtr*)(_t181 + 0x240));
				 *((long long*)(_t194 + 0x68)) = _t175;
				_t148 =  *((intOrPtr*)(_t194 + 0x90));
				if ( *((intOrPtr*)(_t194 + 0x88)) - _t148 <= 0) goto 0x98129017;
				E00007FF67FF6981044B8();
				_t177 =  *((intOrPtr*)(_t194 + 0x88));
				 *((long long*)(_t194 + 0x40)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x48)) = _t148;
				if (_t177 -  *((intOrPtr*)(_t194 + 0x90)) <= 0) goto 0x98129035;
				E00007FF67FF6981044B8();
				 *((long long*)(_t194 + 0x50)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x58)) = _t177;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) =  *(_t194 + 0xc8) & 0x000000ff;
				E00007FF67FF6980F9750(_t112, _t153, _t181 + 0x240, _t194 + 0x60, _t181, _t194 + 0x50, _t194 + 0x40);
				_t178 =  *((intOrPtr*)(_t153 + 0x18));
				if (_t178 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0x98129096;
				E00007FF67FF6981044B8();
				_t182 =  *_t153;
				if (_t182 != 0) goto 0x981290a8;
				E00007FF67FF6981044B8();
				goto 0x981290ab;
				_t179 = _t178 + _t207;
				if (_t179 -  *((intOrPtr*)( *_t182 + 0x20)) > 0) goto 0x981290c7;
				if (_t182 == 0) goto 0x981290be;
				goto 0x981290c1;
				if (_t179 -  *((intOrPtr*)(_t208 + 0x18)) >= 0) goto 0x981290cc;
				E00007FF67FF6981044B8();
				_t183 =  *((intOrPtr*)(_t153 + 0x18));
				if (_t183 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0x981290db;
				E00007FF67FF6981044B8();
				if (_t153 == 0) goto 0x981290ec;
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t183 > 0) goto 0x981290ec;
				if (_t183 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0x981290f1;
				E00007FF67FF6981044B8();
				_t190 =  *_t153;
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t179 > 0) goto 0x98129100;
				if (_t179 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0x98129105;
				E00007FF67FF6981044B8();
				if (_t190 == 0) goto 0x9812910f;
				if (_t190 ==  *_t153) goto 0x98129114;
				E00007FF67FF6981044B8();
				if (_t183 == _t179) goto 0x9812913b;
				_t171 =  *((intOrPtr*)(_t153 + 0x20)) - _t179;
				if (_t171 <= 0) goto 0x98129137;
				E00007FF67FF698104070(_t183, _t171, _t179, _t171);
				 *((long long*)(_t153 + 0x20)) = _t171 + _t183;
				if ( *((intOrPtr*)(_t194 + 0x88)) == 0) goto 0x9812914d;
				E00007FF67FF6981044D8(_t208, _t153,  *((intOrPtr*)(_t194 + 0x88)), _t171, _t183, _t179, _t171);
				 *((long long*)(_t194 + 0x88)) = _t208;
				 *((long long*)(_t194 + 0x90)) = _t208;
				 *((long long*)(_t194 + 0x98)) = _t208;
				E00007FF67FF6981044D8(_t208, _t153,  *((intOrPtr*)(_t194 + 0x70)), _t171, _t183, _t179, _t171);
				goto 0x98129175;
				return 1;
			}

0x7ff698128e80
0x7ff698128e80
0x7ff698128e88
0x7ff698128e8f
0x7ff698128e98
0x7ff698128e9c
0x7ff698128ea0
0x7ff698128ea7
0x7ff698128eaa
0x7ff698128eb0
0x7ff698128eb9
0x7ff698128ebf
0x7ff698128ec6
0x7ff698128ece
0x7ff698128ed0
0x7ff698128ed8
0x7ff698128edd
0x7ff698128ee2
0x7ff698128ee7
0x7ff698128ef9
0x7ff698128f08
0x7ff698128f17
0x7ff698128f27
0x7ff698128f2b
0x7ff698128f34
0x7ff698128f37
0x7ff698128f44
0x7ff698128f49
0x7ff698128f4f
0x7ff698128f56
0x7ff698128f59
0x7ff698128f5e
0x7ff698128f63
0x7ff698128f75
0x7ff698128f8e
0x7ff698128f90
0x7ff698128fa5
0x7ff698128fa7
0x7ff698128fb0
0x7ff698128fb5
0x7ff698128fbf
0x7ff698128fc4
0x7ff698128fd2
0x7ff698128fd4
0x7ff698128fe0
0x7ff698128fe5
0x7ff698128fea
0x7ff698129000
0x7ff698129002
0x7ff69812900f
0x7ff69812901c
0x7ff698129021
0x7ff698129029
0x7ff69812902b
0x7ff698129035
0x7ff69812903a
0x7ff69812903f
0x7ff698129044
0x7ff69812904a
0x7ff69812904f
0x7ff698129055
0x7ff69812905a
0x7ff698129068
0x7ff698129082
0x7ff698129087
0x7ff69812908f
0x7ff698129091
0x7ff698129096
0x7ff69812909c
0x7ff69812909e
0x7ff6981290a6
0x7ff6981290ab
0x7ff6981290b2
0x7ff6981290b7
0x7ff6981290bc
0x7ff6981290c5
0x7ff6981290c7
0x7ff6981290cc
0x7ff6981290d4
0x7ff6981290d6
0x7ff6981290de
0x7ff6981290e4
0x7ff6981290ea
0x7ff6981290ec
0x7ff6981290f1
0x7ff6981290f8
0x7ff6981290fe
0x7ff698129100
0x7ff698129108
0x7ff69812910d
0x7ff69812910f
0x7ff698129117
0x7ff69812911d
0x7ff698129127
0x7ff698129132
0x7ff698129137
0x7ff698129146
0x7ff698129148
0x7ff69812914d
0x7ff698129155
0x7ff69812915d
0x7ff69812916a
0x7ff698129171
0x7ff698129191

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698128ED0

Part of subcall function 00007FF6981045E0: malloc.LIBCMT ref: 00007FF6981045FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698128F90
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698128FA7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698128FD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129002
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812902B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129091
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812909E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981290C7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981290D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981290EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129100
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812910F

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: 0262d0dafc344c9128b52d1992c683ba543df2f7131d274a0e5fc425fc83073a
Instruction ID: 50d38c5de7b19ed8c096ef91118cc29d8735c192f1ba44ce68c82fa7232fc38d
Opcode Fuzzy Hash: 0262d0dafc344c9128b52d1992c683ba543df2f7131d274a0e5fc425fc83073a
Instruction Fuzzy Hash: 0A918222A08B8681E670AF39E4402BEA3A5FB85B94F944171DEDC97789CF3CE451C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698129680 Relevance: 19.7, APIs: 13, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF67FF698129680(void* __ebx, void* __edx, void* __rcx, void* __rdx) {
				long long _v56;
				long long _v64;
				char _v72;
				long long _v80;
				long long _v88;
				long long _v96;
				char _v120;
				long long _v128;
				char _v136;
				long long _v144;
				char _v152;
				signed int _v168;
				char _v184;
				void* __rbx;
				void* __rsi;
				void* _t100;
				signed int _t106;
				long long _t136;
				intOrPtr* _t143;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;
				long long _t162;
				long long _t164;
				long long _t165;
				long long _t166;
				intOrPtr* _t167;
				intOrPtr _t168;
				void* _t169;
				intOrPtr _t171;
				void* _t182;

				_t100 = __edx;
				_v56 = 0xfffffffe;
				_t106 = r8d;
				_t182 = __rdx;
				_t159 = __rcx;
				if (__rdx == 0) goto 0x98129950;
				if (r8d == 0) goto 0x98129950;
				_t143 = __rcx + 0x210;
				_t162 =  *((intOrPtr*)(_t143 + 0x20));
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t162 <= 0) goto 0x981296cb;
				E00007FF67FF6981044B8();
				_v152 =  *_t143;
				_v144 = _t162;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x50], xmm0");
				_v184 = _v168 & 0x000000ff;
				E00007FF67FF6980FD1A0(_t100, _t143, _t143,  &_v136, _t162, __rdx, __rdx + _t169);
				_t136 =  *((intOrPtr*)(_t143 + 0x20)) -  *((intOrPtr*)(_t143 + 0x18));
				if (_t136 - 1 >= 0) goto 0x98129723;
				goto 0x98129952;
				_v168 = 0;
				E00007FF67FF6981045E0(_t136, _t143);
				if (_t136 == 0) goto 0x98129744;
				 *_t136 =  &_v120;
				goto 0x98129746;
				_v120 = _t136;
				r12d =  *(_t159 + 0x2a4) * _t106;
				E00007FF67FF6980F4CA0(_t136, _t143,  &_v120,  &_v136, _t162,  &_v168);
				if (_v88 != _v96) goto 0x98129774;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t143 + 0x20)) !=  *((intOrPtr*)(_t143 + 0x18))) goto 0x98129788;
				E00007FF67FF6981044B8();
				if (_t106 == 0) goto 0x9812979f;
				r9d = _t106;
				E00007FF67FF698127870(_t106, _t159 + 0x20,  *((intOrPtr*)(_t143 + 0x18)), _v96);
				_t164 =  *((intOrPtr*)(_t159 + 0x260));
				if ( *((intOrPtr*)(_t159 + 0x258)) - _t164 <= 0) goto 0x981297b4;
				E00007FF67FF6981044B8();
				_v136 =  *((intOrPtr*)(_t159 + 0x240));
				_v128 = _t164;
				_t165 = _v88;
				if (_v96 - _t165 <= 0) goto 0x981297d9;
				E00007FF67FF6981044B8();
				_v152 = _v120;
				_v144 = _t165;
				_t166 = _v96;
				if (_t166 - _v88 <= 0) goto 0x98129801;
				E00007FF67FF6981044B8();
				_v72 = _v120;
				_v64 = _t166;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x90]");
				asm("movdqa [esp+0x90], xmm1");
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				_v184 = _v168 & 0x000000ff;
				E00007FF67FF6980F9750( *(_t159 + 0x2a4) * _t106, _t143, _t159 + 0x240,  &_v136, _t166,  &_v72,  &_v152);
				_t160 =  *((intOrPtr*)(_t143 + 0x18));
				if (_t160 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0x9812986e;
				E00007FF67FF6981044B8();
				_t167 =  *_t143;
				if (_t167 != 0) goto 0x98129880;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98129883;
				_t161 = _t160 + _t182;
				if (_t161 -  *((intOrPtr*)( *_t167 + 0x20)) > 0) goto 0x9812989e;
				if (_t167 == 0) goto 0x98129896;
				goto 0x98129898;
				if (_t161 -  *((intOrPtr*)( *_t167 + 0x18)) >= 0) goto 0x981298a3;
				E00007FF67FF6981044B8();
				_t168 =  *((intOrPtr*)(_t143 + 0x18));
				if (_t168 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0x981298b2;
				E00007FF67FF6981044B8();
				if (_t143 == 0) goto 0x981298c3;
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t168 > 0) goto 0x981298c3;
				if (_t168 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0x981298c8;
				E00007FF67FF6981044B8();
				_t171 =  *_t143;
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t161 > 0) goto 0x981298d7;
				if (_t161 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0x981298dc;
				E00007FF67FF6981044B8();
				if (_t171 == 0) goto 0x981298e6;
				if (_t171 ==  *_t143) goto 0x981298eb;
				E00007FF67FF6981044B8();
				if (_t168 == _t161) goto 0x98129912;
				_t158 =  *((intOrPtr*)(_t143 + 0x20)) - _t161;
				if (_t158 <= 0) goto 0x9812990e;
				E00007FF67FF698104070(_t168, _t158, _t161, _t158);
				 *((long long*)(_t143 + 0x20)) = _t158 + _t168;
				if (_v96 == 0) goto 0x98129921;
				E00007FF67FF6981044D8( *_t167, _t143, _v96, _t158, _t168, _t161, _t158);
				_v96 = 0;
				_v88 = 0;
				_v80 = 0;
				E00007FF67FF6981044D8( *_t167, _t143, _v120, _t158, _t168, _t161, _t158);
				goto 0x98129952;
				return 1;
			}

0x7ff698129680
0x7ff69812968e
0x7ff69812969a
0x7ff69812969d
0x7ff6981296a0
0x7ff6981296a6
0x7ff6981296af
0x7ff6981296b5
0x7ff6981296bc
0x7ff6981296c4
0x7ff6981296c6
0x7ff6981296ce
0x7ff6981296d3
0x7ff6981296d8
0x7ff6981296dd
0x7ff6981296ec
0x7ff6981296fb
0x7ff69812970a
0x7ff69812971a
0x7ff69812971e
0x7ff698129726
0x7ff698129730
0x7ff698129738
0x7ff69812973f
0x7ff698129742
0x7ff698129746
0x7ff69812974b
0x7ff69812975a
0x7ff69812976d
0x7ff69812976f
0x7ff698129781
0x7ff698129783
0x7ff69812978a
0x7ff698129790
0x7ff69812979a
0x7ff69812979f
0x7ff6981297ad
0x7ff6981297af
0x7ff6981297bb
0x7ff6981297c0
0x7ff6981297c5
0x7ff6981297d2
0x7ff6981297d4
0x7ff6981297de
0x7ff6981297e3
0x7ff6981297e8
0x7ff6981297f5
0x7ff6981297f7
0x7ff698129801
0x7ff698129809
0x7ff698129811
0x7ff698129816
0x7ff69812981c
0x7ff698129824
0x7ff69812982d
0x7ff698129832
0x7ff69812983d
0x7ff69812985a
0x7ff69812985f
0x7ff698129867
0x7ff698129869
0x7ff69812986e
0x7ff698129874
0x7ff698129876
0x7ff69812987b
0x7ff69812987e
0x7ff698129883
0x7ff69812988a
0x7ff69812988f
0x7ff698129894
0x7ff69812989c
0x7ff69812989e
0x7ff6981298a3
0x7ff6981298ab
0x7ff6981298ad
0x7ff6981298b5
0x7ff6981298bb
0x7ff6981298c1
0x7ff6981298c3
0x7ff6981298c8
0x7ff6981298cf
0x7ff6981298d5
0x7ff6981298d7
0x7ff6981298df
0x7ff6981298e4
0x7ff6981298e6
0x7ff6981298ee
0x7ff6981298f4
0x7ff6981298fe
0x7ff698129909
0x7ff69812990e
0x7ff69812991a
0x7ff69812991c
0x7ff698129921
0x7ff69812992a
0x7ff698129936
0x7ff698129947
0x7ff69812994e
0x7ff69812995f

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981296C6

Part of subcall function 00007FF6981045E0: malloc.LIBCMT ref: 00007FF6981045FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812976F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129783
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981297AF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981297D4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981297F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129869
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129876
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812989E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981298AD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981298C3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981298D7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981298E6

Part of subcall function 00007FF698104070: _errno.LIBCMT ref: 00007FF698104083

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_errnomalloc
String ID:
API String ID: 1149948996-0
Opcode ID: 862ef2bf900044cd6533764cdbe942e68350a6ca9e47dc2d25e2abce830e237e
Instruction ID: a21835819f488c4e9f15ac90fbcefd7e1d7fff6af8476c90df9fd17d2e7a4cd5
Opcode Fuzzy Hash: 862ef2bf900044cd6533764cdbe942e68350a6ca9e47dc2d25e2abce830e237e
Instruction Fuzzy Hash: 4B81A722908A8781E670AF39E4407BDA3A4FB85B94F940171EBCC97789DF3CE452C758

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810953C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF67FF69810953C(void* __eflags, void* __rax, void* __rcx, signed int _a8, signed int _a16, void* _a24, long long _a32) {
				char _v80;
				void* _v104;
				signed int _v112;
				signed int _v120;
				signed int _v128;
				signed int _v136;
				long long _v144;
				signed int _v168;
				void* __rbx;
				void* _t79;
				void* _t80;
				void* _t97;
				long long _t98;
				signed int _t101;
				signed int _t106;
				signed int _t124;
				intOrPtr* _t126;
				void* _t127;
				signed long long _t133;

				_t97 = __rax;
				r14d = 0;
				_v168 = r14d;
				_a8 = _a8 & r14d;
				_v128 = _v128 & _t133;
				_v136 = _v136 & _t133;
				E00007FF67FF69810B93C(_t80, __eflags, __rax);
				_t98 =  *((intOrPtr*)(_t97 + 0xf8));
				_a32 = _t98;
				E00007FF67FF69810B93C(_t80, __eflags, _t98);
				_a24 =  *((intOrPtr*)(_t98 + 0xf0));
				_t124 =  *((intOrPtr*)(__rcx + 0x50));
				_a16 = _t124;
				_v144 =  *((intOrPtr*)(__rcx + 0x48));
				_t101 =  *((intOrPtr*)(__rcx + 0x30));
				_v112 = _t101;
				_v104 =  *((intOrPtr*)(__rcx + 0x28));
				E00007FF67FF69810B93C(_t80, __eflags, _t101);
				 *(_t101 + 0xf0) = _t124;
				E00007FF67FF69810B93C(_t80, __eflags, _t101);
				 *((long long*)(_t101 + 0xf8)) =  *((intOrPtr*)(__rcx + 0x40));
				E00007FF67FF69810B93C(_t80, __eflags, _t101);
				E00007FF67FF6981076A4(_t101,  &_v80,  *((intOrPtr*)( *(_t101 + 0xf0) + 0x28)));
				_v120 = _t101;
				_t88 =  *((intOrPtr*)(__rcx + 0x58)) - _t133;
				if ( *((intOrPtr*)(__rcx + 0x58)) == _t133) goto 0x98109625;
				_a8 = 1;
				E00007FF67FF69810B93C(_t80,  *((intOrPtr*)(__rcx + 0x58)) - _t133, _t101);
				_t106 =  *((intOrPtr*)(_t101 + 0x138));
				_v136 = _t106;
				E00007FF67FF69810B93C(_t80,  *((intOrPtr*)(__rcx + 0x58)) - _t133, _t101);
				 *(_t101 + 0xf0) = _t106;
				r8d = 0x100;
				E00007FF67FF69812C050(_v112,  *((intOrPtr*)(__rcx + 0x28)), _t127);
				_v128 = _t101;
				_v168 = 1;
				E00007FF67FF69810B93C(_t80, _t88, _t101);
				 *(_t101 + 0x2c0) =  *(_t101 + 0x2c0) & 0x00000000;
				if (_a8 == 0) goto 0x98109699;
				E00007FF67FF6981093E4(1, _a16);
				r8d =  *((intOrPtr*)(_v136 + 0x18));
				RaiseException(??, ??, ??, ??);
				goto 0x981096b4;
				_t126 = _a16;
				r8d =  *((intOrPtr*)(_t126 + 0x18));
				RaiseException(??, ??, ??, ??);
				r14d = _v168;
				E00007FF67FF69810771C(_t101, _v128, _v120);
				if (r14d != 0) goto 0x9810971d;
				if ( *_t126 != 0xe06d7363) goto 0x9810971d;
				if ( *((intOrPtr*)(_t126 + 0x18)) != 4) goto 0x9810971d;
				if ( *((intOrPtr*)(_t126 + 0x20)) == 0x19930520) goto 0x98109706;
				if ( *((intOrPtr*)(_t126 + 0x20)) == 0x19930521) goto 0x98109706;
				if ( *((intOrPtr*)(_t126 + 0x20)) != 0x19930522) goto 0x9810971d;
				if (E00007FF67FF6981076E8(_t101,  *((intOrPtr*)(_t126 + 0x28))) == 0) goto 0x9810971d;
				E00007FF67FF6981093E4(1, _t126);
				E00007FF67FF69810B93C( *_t126, E00007FF67FF6981076E8(_t101,  *((intOrPtr*)(_t126 + 0x28))), _t101);
				 *(_t101 + 0xf0) = _a24;
				_t79 = E00007FF67FF69810B93C( *_t126, E00007FF67FF6981076E8(_t101,  *((intOrPtr*)(_t126 + 0x28))), _t101);
				 *((long long*)(_t101 + 0xf8)) = _a32;
				 *((long long*)( *((intOrPtr*)(_v144 + 0x1c)) +  *_v104)) = 0xfffffffe;
				return _t79;
			}

0x7ff69810953c
0x7ff698109550
0x7ff698109553
0x7ff698109558
0x7ff698109560
0x7ff698109565
0x7ff69810956a
0x7ff69810956f
0x7ff698109576
0x7ff69810957e
0x7ff69810958a
0x7ff698109592
0x7ff698109596
0x7ff6981095a2
0x7ff6981095ab
0x7ff6981095af
0x7ff6981095b8
0x7ff6981095bd
0x7ff6981095c2
0x7ff6981095c9
0x7ff6981095ce
0x7ff6981095d5
0x7ff6981095ea
0x7ff6981095f2
0x7ff6981095f7
0x7ff6981095fb
0x7ff6981095fd
0x7ff698109608
0x7ff69810960d
0x7ff698109614
0x7ff698109619
0x7ff69810961e
0x7ff698109625
0x7ff698109633
0x7ff69810963b
0x7ff69810964d
0x7ff698109655
0x7ff69810965a
0x7ff698109669
0x7ff698109678
0x7ff698109686
0x7ff698109691
0x7ff698109697
0x7ff698109699
0x7ff6981096a5
0x7ff6981096ae
0x7ff6981096b4
0x7ff6981096d3
0x7ff6981096db
0x7ff6981096e3
0x7ff6981096e9
0x7ff6981096f2
0x7ff6981096fb
0x7ff698109704
0x7ff698109711
0x7ff698109718
0x7ff69810971d
0x7ff69810972a
0x7ff698109731
0x7ff698109736
0x7ff69810974a
0x7ff698109765

APIs

_getptd.LIBCMT ref: 00007FF69810956A
_getptd.LIBCMT ref: 00007FF69810957E
_getptd.LIBCMT ref: 00007FF6981095BD
_getptd.LIBCMT ref: 00007FF6981095C9
_getptd.LIBCMT ref: 00007FF6981095D5
_CreateFrameInfo.LIBCMT ref: 00007FF6981095EA

Part of subcall function 00007FF6981076A4: _getptd.LIBCMT ref: 00007FF6981076B0
Part of subcall function 00007FF6981076A4: _getptd.LIBCMT ref: 00007FF6981076BE
Part of subcall function 00007FF6981076A4: _getptd.LIBCMT ref: 00007FF6981076D2

_getptd.LIBCMT ref: 00007FF698109608
_getptd.LIBCMT ref: 00007FF698109619
_getptd.LIBCMT ref: 00007FF69810971D
_getptd.LIBCMT ref: 00007FF698109731

Strings

csm, xrefs: 00007FF6981096DD

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 37636cbeaf357c96540da33d70be5943baabf356ee6162a4f4101045cc2b1b7a
Instruction ID: 55ce302405bec2eee58aed034d88db3e98526845499bf089ea07ab1c662ff9f7
Opcode Fuzzy Hash: 37636cbeaf357c96540da33d70be5943baabf356ee6162a4f4101045cc2b1b7a
Instruction Fuzzy Hash: B0416F72509B8382D6709F26E8403BE77A4FB84B90F845175DA8D97B96CF3CD0A2CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981291A0 Relevance: 18.3, APIs: 12, Instructions: 262
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FF67FF6981291A0(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v48;
				long long _v56;
				long long _v64;
				long long _v72;
				long long _v80;
				char _v104;
				long long _v112;
				long long _v120;
				long long _v128;
				char _v152;
				long long _v160;
				char _v168;
				long long _v176;
				char _v184;
				long long _v192;
				char _v200;
				signed int _v216;
				char _v232;
				signed int _t142;
				signed int _t180;
				signed int _t202;
				void* _t209;
				signed long long _t210;
				long long* _t212;
				long long _t218;
				long long* _t220;
				long long* _t223;
				long long _t230;
				signed long long _t238;
				signed long long _t245;
				void* _t264;
				long long _t267;
				long long _t268;
				long long _t269;
				long long _t274;
				long long _t275;
				long long _t276;
				void* _t284;

				_t230 = __rbx;
				_t209 = _t284;
				_v56 = 0xfffffffe;
				 *((long long*)(_t209 + 0x10)) = __rbx;
				 *((long long*)(_t209 + 0x18)) = __rbp;
				 *((long long*)(_t209 + 0x20)) = __rsi;
				_t210 =  *0x98140430; // 0x4918c2c043f
				_v48 = _t210 ^ _t284 - 0x000000e0;
				_t264 = __rcx;
				_t212 =  *((intOrPtr*)(__rcx + 0x230));
				if (_t212 !=  *((intOrPtr*)(__rcx + 0x228))) goto 0x98129372;
				E00007FF67FF6981045E0(_t212, __rcx);
				if (_t212 == 0) goto 0x98129216;
				 *_t212 =  &_v152;
				goto 0x98129219;
				_v152 = __rbx;
				_v216 = sil;
				E00007FF67FF6980F4CA0(__rbx, __rbx,  &_v152, __rdx, __rsi,  &_v216);
				if ( *((intOrPtr*)(_t264 + 0x290)) !=  *((intOrPtr*)(_t264 + 0x288))) goto 0x9812924c;
				E00007FF67FF6981044B8();
				if (_v120 != _v128) goto 0x98129275;
				E00007FF67FF6981044B8();
				E00007FF67FF698122840(_v120, _t264 + 0x20, _v128,  *((intOrPtr*)(_t264 + 0x288)));
				_t267 =  *((intOrPtr*)(_t264 + 0x260));
				if ( *((intOrPtr*)(_t264 + 0x258)) - _t267 <= 0) goto 0x98129296;
				E00007FF67FF6981044B8();
				_v184 =  *((intOrPtr*)(_t264 + 0x240));
				_v176 = _t267;
				_t268 =  *((intOrPtr*)(_t264 + 0x290));
				if ( *((intOrPtr*)(_t264 + 0x288)) - _t268 <= 0) goto 0x981292bc;
				E00007FF67FF6981044B8();
				_v168 =  *((intOrPtr*)(_t264 + 0x270));
				_v160 = _t268;
				_t269 =  *((intOrPtr*)(_t264 + 0x288));
				if (_t269 -  *((intOrPtr*)(_t264 + 0x290)) <= 0) goto 0x981292e2;
				E00007FF67FF6981044B8();
				_t218 =  *((intOrPtr*)(_t264 + 0x270));
				_v200 = _t218;
				_v192 = _t269;
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm1");
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				_v232 = _v216 & 0x000000ff;
				E00007FF67FF6980F9750(sil & 0xffffffff, _t230, _t264 + 0x240,  &_v184, _t269,  &_v200,  &_v168);
				if (_v128 == 0) goto 0x9812934b;
				E00007FF67FF6981044D8(_t218, _t230, _v128,  &_v184, _t269,  &_v200,  &_v168);
				_v128 = _t230;
				_v120 = _t230;
				_v112 = _t230;
				_t238 = _v152;
				_t142 = E00007FF67FF6981044D8(_t218, _t230, _t238,  &_v184, _t269,  &_v200,  &_v168);
				goto 0x98129646;
				_t180 = _t142 % _t238;
				if (_t180 != 0) goto 0x9812939f;
				_v216 =  *(_t264 + 0x2a4) & 0x000000ff;
				goto 0x981293c2;
				_v216 = ( *(_t264 + 0x2a4) & 0x000000ff) - _t180;
				_t220 = _t218 -  *((intOrPtr*)(_t238 + 0x228));
				E00007FF67FF6981045E0(_t220, _t238);
				if (_t220 == 0) goto 0x981293dd;
				 *_t220 =  &_v152;
				goto 0x981293e0;
				_v152 = _t230;
				E00007FF67FF6980F4CA0(_t230, _t230,  &_v152, (_t220 + 1) * _t238, _t269,  &_v216);
				if ( *((intOrPtr*)(_t264 + 0x230)) !=  *((intOrPtr*)(_t264 + 0x228))) goto 0x9812941b;
				E00007FF67FF6981044B8();
				_t223 = _v120;
				if (_t223 != _v128) goto 0x98129444;
				E00007FF67FF6981044B8();
				E00007FF67FF69810AE90(8, _t223 - _v128, _v128,  *((intOrPtr*)(_t264 + 0x228)),  *((intOrPtr*)(_t264 + 0x230)) -  *((intOrPtr*)(_t264 + 0x228)));
				_v216 = 0;
				E00007FF67FF6981045E0(_t223, _v128);
				if (_t223 == 0) goto 0x98129470;
				 *_t223 =  &_v104;
				goto 0x98129473;
				_v104 = _t230;
				E00007FF67FF6980F4CA0(_t230, _t230,  &_v104, (_t220 + 1) * _t238,  *((intOrPtr*)(_t264 + 0x228)),  &_v216);
				if (_v72 != _v80) goto 0x981294a8;
				E00007FF67FF6981044B8();
				_t245 = _v120;
				if (_t245 != _v128) goto 0x981294d2;
				_t202 = E00007FF67FF6981044B8() / _t245;
				if (_t202 == 0) goto 0x9812950b;
				r12d =  *(_t264 + 0x20);
				r12d = r12d << 2;
				E00007FF67FF698122840((_t220 + 1) * _t238, _t264 + 0x20, _v128, _v80);
				r13d = r13d + 0xffffffff;
				if (_t202 != 0) goto 0x981294f0;
				_t274 =  *((intOrPtr*)(_t264 + 0x260));
				if ( *((intOrPtr*)(_t264 + 0x258)) - _t274 <= 0) goto 0x98129520;
				E00007FF67FF6981044B8();
				_v168 =  *((intOrPtr*)(_t264 + 0x240));
				_v160 = _t274;
				_t275 = _v72;
				if (_v80 - _t275 <= 0) goto 0x98129548;
				E00007FF67FF6981044B8();
				_v184 = _v104;
				_v176 = _t275;
				_t276 = _v80;
				if (_t276 - _v72 <= 0) goto 0x98129579;
				E00007FF67FF6981044B8();
				_v200 = _v104;
				_v192 = _t276;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				_v232 = _v216 & 0x000000ff;
				E00007FF67FF6980F9750(_t154 % _t245, _t230, _t264 + 0x240,  &_v168, _t276,  &_v200,  &_v184);
				r8d = 0;
				E00007FF67FF6980F4D20(_t264 + 0x210,  &_v168);
				if (_v80 == 0) goto 0x981295ec;
				E00007FF67FF6981044D8(_v104, _t230, _v80,  &_v168, _t276,  &_v200,  &_v184);
				_v80 = _t230;
				_v72 = _t230;
				_v64 = _t230;
				E00007FF67FF6981044D8(_v104, _t230, _v104,  &_v168, _t276,  &_v200,  &_v184);
				if (_v128 == 0) goto 0x98129624;
				E00007FF67FF6981044D8(_v104, _t230, _v128,  &_v168, _t276,  &_v200,  &_v184);
				_v128 = _t230;
				_v120 = _t230;
				_v112 = _t230;
				E00007FF67FF6981044D8(_v104, _t230, _v152,  &_v168, _t276,  &_v200,  &_v184);
				return E00007FF67FF698104050( *(_t264 + 0x2a4), _v48 ^ _t284 - 0x000000e0,  &_v168,  &_v200,  &_v184);
			}

0x7ff6981291a0
0x7ff6981291a0
0x7ff6981291b3
0x7ff6981291bf
0x7ff6981291c3
0x7ff6981291c7
0x7ff6981291cb
0x7ff6981291d5
0x7ff6981291dd
0x7ff6981291e0
0x7ff6981291ee
0x7ff698129200
0x7ff69812920a
0x7ff698129211
0x7ff698129214
0x7ff698129219
0x7ff69812921e
0x7ff698129231
0x7ff698129245
0x7ff698129247
0x7ff698129266
0x7ff698129268
0x7ff69812927c
0x7ff698129281
0x7ff69812928f
0x7ff698129291
0x7ff69812929d
0x7ff6981292a2
0x7ff6981292a7
0x7ff6981292b5
0x7ff6981292b7
0x7ff6981292c3
0x7ff6981292c8
0x7ff6981292cd
0x7ff6981292db
0x7ff6981292dd
0x7ff6981292e2
0x7ff6981292e9
0x7ff6981292ee
0x7ff6981292f3
0x7ff6981292f8
0x7ff6981292fe
0x7ff698129303
0x7ff698129309
0x7ff69812930e
0x7ff698129319
0x7ff698129333
0x7ff698129344
0x7ff698129346
0x7ff69812934b
0x7ff698129353
0x7ff69812935b
0x7ff698129363
0x7ff698129368
0x7ff69812936d
0x7ff698129387
0x7ff69812938c
0x7ff698129395
0x7ff69812939d
0x7ff6981293a8
0x7ff6981293b4
0x7ff6981293c7
0x7ff6981293d1
0x7ff6981293d8
0x7ff6981293db
0x7ff6981293e0
0x7ff6981293f2
0x7ff698129414
0x7ff698129416
0x7ff698129422
0x7ff698129435
0x7ff698129437
0x7ff69812944a
0x7ff69812944f
0x7ff698129459
0x7ff698129461
0x7ff69812946b
0x7ff69812946e
0x7ff698129473
0x7ff69812948b
0x7ff6981294a1
0x7ff6981294a3
0x7ff6981294b0
0x7ff6981294c3
0x7ff6981294e3
0x7ff6981294e5
0x7ff6981294e7
0x7ff6981294eb
0x7ff6981294fa
0x7ff698129505
0x7ff698129509
0x7ff69812950b
0x7ff698129519
0x7ff69812951b
0x7ff698129527
0x7ff69812952c
0x7ff698129531
0x7ff698129541
0x7ff698129543
0x7ff698129550
0x7ff698129555
0x7ff69812955a
0x7ff69812956a
0x7ff69812956c
0x7ff698129579
0x7ff69812957e
0x7ff698129583
0x7ff698129588
0x7ff69812958e
0x7ff698129593
0x7ff698129599
0x7ff69812959e
0x7ff6981295a9
0x7ff6981295c3
0x7ff6981295c8
0x7ff6981295d4
0x7ff6981295e5
0x7ff6981295e7
0x7ff6981295ec
0x7ff6981295f4
0x7ff6981295fc
0x7ff69812960c
0x7ff69812961d
0x7ff69812961f
0x7ff698129624
0x7ff69812962c
0x7ff698129634
0x7ff698129641
0x7ff698129676

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129247
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129291
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981292B7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981292DD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129437
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981294A3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6981294C5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812951B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698129543

Part of subcall function 00007FF6981045E0: malloc.LIBCMT ref: 00007FF6981045FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812956C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: f4cbc4c68556a3b7f8acf23e6ad581c02c96a0da4a1036aa3f1361d0f83fc89d
Instruction ID: 89c0e12a99c3e8091dcb85b7f314c9b9293dfae16c7b3f5b3ad293e8b3917be4
Opcode Fuzzy Hash: f4cbc4c68556a3b7f8acf23e6ad581c02c96a0da4a1036aa3f1361d0f83fc89d
Instruction Fuzzy Hash: 3DD18222609BC282D6749B39E4803AEB3A4FB85780F844175EBDD93B99CF3CE461C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698118BD0 Relevance: 18.1, APIs: 12, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 28%

			E00007FF67FF698118BD0(void* __ebx, void* __edx, void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __r12;
				void* _t48;
				void* _t49;
				intOrPtr _t54;
				void* _t66;
				intOrPtr* _t70;
				intOrPtr _t79;
				long long _t83;
				intOrPtr* _t85;
				intOrPtr _t89;

				_t48 = __ebx;
				_v40 = 0xfffffffe;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t83 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x10)) == 0) goto 0x98118d4e;
				_a8 = __rcx;
				E00007FF67FF698118830(__edx,  *((intOrPtr*)(__rcx + 0x10)), __rax, __rbx, __rcx, __rsi);
				_t54 =  *((intOrPtr*)(_t83 + 0x10));
				if (_t54 != 0) goto 0x98118c50;
				asm("lock xadd [edi], eax");
				asm("bt eax, 0x1e");
				if (_t54 < 0) goto 0x98118d4e;
				if (0x80000000 - 0x80000000 <= 0) goto 0x98118d4e;
				asm("lock bts dword [edi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0x98118d4e;
				E00007FF67FF6981187E0(_t83);
				SetEvent(??);
				goto 0x98118d4e;
				 *((intOrPtr*)(_t83 + 0x10)) =  *((intOrPtr*)(_t83 + 0x10)) -  *((intOrPtr*)(_t83 + 0x10));
				r8d = 0;
				ReleaseSemaphore(??, ??, ??);
				_t85 =  *((intOrPtr*)(_t83 + 0x30));
				if (_t85 -  *((intOrPtr*)(_t83 + 0x38)) <= 0) goto 0x98118c76;
				E00007FF67FF6981044B8();
				_t70 =  *((intOrPtr*)(_t83 + 0x18));
				_t89 =  *((intOrPtr*)(_t83 + 0x38));
				if ( *((intOrPtr*)(_t83 + 0x30)) - _t89 <= 0) goto 0x98118c89;
				E00007FF67FF6981044B8();
				if (_t70 == 0) goto 0x98118c9a;
				if (_t70 ==  *((intOrPtr*)(_t83 + 0x18))) goto 0x98118c9f;
				E00007FF67FF6981044B8();
				if (_t85 == _t89) goto 0x98118cfa;
				if (_t70 != 0) goto 0x98118cb3;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118cb6;
				if (_t85 -  *((intOrPtr*)( *_t70 + 0x20)) < 0) goto 0x98118cc1;
				E00007FF67FF6981044B8();
				 *((char*)( *_t85 + 0x14)) = 1;
				r8d = 0;
				ReleaseSemaphore(??, ??, ??);
				if (_t70 != 0) goto 0x98118ce6;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x98118ce9;
				if (_t85 -  *((intOrPtr*)( *_t70 + 0x20)) < 0) goto 0x98118cf4;
				E00007FF67FF6981044B8();
				goto 0x98118c90;
				E00007FF67FF698118120(_t48, _t49,  *((intOrPtr*)( *_t85 + 0x10)), _t70, _t83 + 0x18, __r9,  *((intOrPtr*)(_t83 + 0x18)));
				_t79 =  *((intOrPtr*)(_t83 + 0x48));
				if (_t79 == 0) goto 0x98118d18;
				_t66 = _t79 - 0xffffffff;
				if (_t66 == 0) goto 0x98118d18;
				CloseHandle(??);
				 *((long long*)(_t83 + 0x48)) = 0;
				asm("lock xadd [edi], eax");
				asm("bt eax, 0x1e");
				if (_t66 < 0) goto 0x98118d4e;
				if (0x80000000 - 0x80000000 <= 0) goto 0x98118d4e;
				asm("lock bts dword [edi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0x98118d4e;
				E00007FF67FF6981187E0(_t83);
				return SetEvent(??);
			}

0x7ff698118bd0
0x7ff698118bda
0x7ff698118be3
0x7ff698118be8
0x7ff698118bed
0x7ff698118bf2
0x7ff698118bfa
0x7ff698118c00
0x7ff698118c05
0x7ff698118c0b
0x7ff698118c0f
0x7ff698118c16
0x7ff698118c1a
0x7ff698118c1e
0x7ff698118c29
0x7ff698118c2f
0x7ff698118c34
0x7ff698118c3d
0x7ff698118c45
0x7ff698118c4b
0x7ff698118c57
0x7ff698118c5a
0x7ff698118c61
0x7ff698118c67
0x7ff698118c6f
0x7ff698118c71
0x7ff698118c76
0x7ff698118c7a
0x7ff698118c82
0x7ff698118c84
0x7ff698118c93
0x7ff698118c98
0x7ff698118c9a
0x7ff698118ca2
0x7ff698118ca7
0x7ff698118ca9
0x7ff698118cae
0x7ff698118cb1
0x7ff698118cba
0x7ff698118cbc
0x7ff698118cc7
0x7ff698118ccb
0x7ff698118cd1
0x7ff698118cda
0x7ff698118cdc
0x7ff698118ce1
0x7ff698118ce4
0x7ff698118ced
0x7ff698118cef
0x7ff698118cf8
0x7ff698118cfe
0x7ff698118d03
0x7ff698118d0a
0x7ff698118d0c
0x7ff698118d10
0x7ff698118d12
0x7ff698118d18
0x7ff698118d25
0x7ff698118d29
0x7ff698118d2d
0x7ff698118d34
0x7ff698118d36
0x7ff698118d3b
0x7ff698118d40
0x7ff698118d66

APIs

Part of subcall function 00007FF698118830: CloseHandle.KERNEL32 ref: 00007FF6981188AD
Part of subcall function 00007FF698118830: WaitForSingleObjectEx.KERNEL32 ref: 00007FF6981188C9

SetEvent.KERNEL32 ref: 00007FF698118C45
ReleaseSemaphore.KERNEL32 ref: 00007FF698118C61
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118C71
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118C84
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118C9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118CA9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118CBC
ReleaseSemaphore.KERNEL32 ref: 00007FF698118CD1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118CDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118CEF
CloseHandle.KERNEL32 ref: 00007FF698118D12
SetEvent.KERNEL32 ref: 00007FF698118D48

Part of subcall function 00007FF6981187E0: CloseHandle.KERNEL32 ref: 00007FF69811880E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseHandle$EventReleaseSemaphore$ObjectSingleWait
String ID:
API String ID: 1624490810-0
Opcode ID: c0190eb963667e3a822ce395726a3cc2af1d6bc88ac9c223897c4959d47fd861
Instruction ID: 73dc8475beaafdbad333ba5f8376eb68df0b55ccc88657961e2b4857d8a4af21
Opcode Fuzzy Hash: c0190eb963667e3a822ce395726a3cc2af1d6bc88ac9c223897c4959d47fd861
Instruction Fuzzy Hash: 8A417022A1960386EA70AB3595443BD63A1FF60760F948172DA6CD7AD5CF3CE861C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810B960 Relevance: 18.1, APIs: 12, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FF67FF69810B960(void* __edi, void* __esi, long long __rbx, void* __rcx, void* __rsi, long long _a8, long long _a16) {
				void* _t15;
				void* _t17;
				long long _t33;
				void* _t36;
				long long _t54;
				void* _t59;
				intOrPtr* _t60;
				void* _t66;

				if (__rcx == 0) goto 0x9810ba94;
				_a16 = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x38)) == 0) goto 0x9810b984;
				free(_t59);
				if ( *((intOrPtr*)(__rcx + 0x48)) == 0) goto 0x9810b992;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x58)) == 0) goto 0x9810b9a0;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x68)) == 0) goto 0x9810b9ae;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x70)) == 0) goto 0x9810b9bc;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x78)) == 0) goto 0x9810b9ca;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x80)) == 0) goto 0x9810b9db;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0xa0)) == 0x98131be0) goto 0x9810b9f3;
				free(??);
				E00007FF67FF69810FF60();
				_t54 =  *((intOrPtr*)(__rcx + 0xb8));
				_a8 = _t54;
				_t33 = _t54;
				if (_t33 == 0) goto 0x9810ba2c;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t33 != 0) goto 0x9810ba2c;
				if (_a8 == 0x98140bb0) goto 0x9810ba2c;
				free(??);
				E00007FF67FF69810FE60();
				E00007FF67FF69810FF60();
				_t60 =  *((intOrPtr*)(__rcx + 0xc0));
				if (_t60 == 0) goto 0x9810ba78;
				E00007FF67FF69810809C(_t15, _t60, _t66);
				_t36 = _t60 -  *0x98140b90; // 0x29a4b80
				if (_t36 == 0) goto 0x9810ba78;
				if (_t60 == 0x98140a30) goto 0x9810ba78;
				if ( *_t60 != 0) goto 0x9810ba78;
				_t17 = E00007FF67FF698107E88(__rcx, _t60, __rsi, _t66);
				E00007FF67FF69810FE60();
				free(??);
				return _t17;
			}

0x7ff69810b963
0x7ff69810b969
0x7ff69810b97d
0x7ff69810b97f
0x7ff69810b98b
0x7ff69810b98d
0x7ff69810b999
0x7ff69810b99b
0x7ff69810b9a7
0x7ff69810b9a9
0x7ff69810b9b5
0x7ff69810b9b7
0x7ff69810b9c3
0x7ff69810b9c5
0x7ff69810b9d4
0x7ff69810b9d6
0x7ff69810b9ec
0x7ff69810b9ee
0x7ff69810b9f8
0x7ff69810b9fe
0x7ff69810ba05
0x7ff69810ba0a
0x7ff69810ba0d
0x7ff69810ba0f
0x7ff69810ba13
0x7ff69810ba24
0x7ff69810ba26
0x7ff69810ba31
0x7ff69810ba3b
0x7ff69810ba41
0x7ff69810ba4b
0x7ff69810ba50
0x7ff69810ba55
0x7ff69810ba5c
0x7ff69810ba68
0x7ff69810ba6d
0x7ff69810ba72
0x7ff69810ba7d
0x7ff69810ba85
0x7ff69810ba94

APIs

free.LIBCMT ref: 00007FF69810B97F

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

free.LIBCMT ref: 00007FF69810B98D
free.LIBCMT ref: 00007FF69810B99B
free.LIBCMT ref: 00007FF69810B9A9
free.LIBCMT ref: 00007FF69810B9B7
free.LIBCMT ref: 00007FF69810B9C5
free.LIBCMT ref: 00007FF69810B9D6
free.LIBCMT ref: 00007FF69810B9EE
_lock.LIBCMT ref: 00007FF69810B9F8
free.LIBCMT ref: 00007FF69810BA26
_lock.LIBCMT ref: 00007FF69810BA3B
free.LIBCMT ref: 00007FF69810BA85

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: e75674a27ccaf353bf9c4577a142a6384d94bbdb2786d43ce8d8575ba90e4d59
Instruction ID: 4c88f3282f1cd088adf8a0c4b43f477ba241ef5b574d0dc7d34fc9fb2cb2cba7
Opcode Fuzzy Hash: e75674a27ccaf353bf9c4577a142a6384d94bbdb2786d43ce8d8575ba90e4d59
Instruction Fuzzy Hash: 1031F915A0F54384FEB8AFF198A17782355EF80B84F8415B6D90E876D6DE1CA8A0C31D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FAC50 Relevance: 16.9, APIs: 11, Instructions: 422
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 53%

			E00007FF67FF6980FAC50(long long __rcx, void* __rdx, intOrPtr* __r8, intOrPtr* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t194;
				void* _t197;
				void* _t198;
				intOrPtr _t250;
				signed long long _t256;
				long long* _t263;
				intOrPtr _t265;
				intOrPtr _t267;
				intOrPtr _t278;
				intOrPtr* _t283;
				intOrPtr _t288;
				intOrPtr _t295;
				intOrPtr _t298;
				intOrPtr _t300;
				long long _t303;
				long long _t305;
				long long _t306;
				long long _t307;
				intOrPtr _t308;
				long long _t309;
				long long _t310;
				intOrPtr _t311;
				signed long long _t312;
				long long* _t314;
				intOrPtr* _t315;
				intOrPtr* _t327;
				intOrPtr* _t329;
				intOrPtr _t330;
				intOrPtr* _t336;
				long long* _t341;
				long long* _t369;
				long long* _t370;
				long long* _t372;
				signed long long _t374;
				long long* _t375;
				long long* _t377;
				signed long long _t378;
				signed long long _t380;
				signed long long _t382;
				intOrPtr* _t386;
				intOrPtr* _t387;
				intOrPtr _t389;
				long long _t391;
				long long _t392;
				intOrPtr _t393;
				long long _t395;
				long long _t396;
				signed long long _t397;
				intOrPtr _t413;
				intOrPtr* _t415;
				void* _t416;
				long long _t417;

				 *((long long*)(_t397 + 0x160)) = 0xfffffffe;
				asm("movaps [esp+0x1b0], xmm6");
				_t256 =  *0x98140430; // 0x4918c2c043f
				 *(_t397 + 0x1a8) = _t256 ^ _t397;
				_t415 = __r8;
				_t416 = __rdx;
				_t396 = __rcx;
				_t314 = _t397 + 0xe0;
				 *_t314 =  *((intOrPtr*)(__r9));
				 *((long long*)(_t314 + 8)) =  *((intOrPtr*)(__r9 + 8));
				 *((long long*)(_t314 + 0x10)) =  *((intOrPtr*)(__r9 + 0x10));
				 *((long long*)(_t314 + 0x18)) =  *((intOrPtr*)(__r9 + 0x18));
				_t369 = _t397 + 0x100;
				_t315 =  *((intOrPtr*)(_t397 + 0x220));
				 *_t369 =  *_t315;
				_t263 =  *((intOrPtr*)(_t315 + 8));
				 *((long long*)(_t369 + 8)) = _t263;
				E00007FF67FF6981045E0(_t263, _t315);
				r14d = 0;
				if (_t263 == 0) goto 0x980facf4;
				 *_t263 = _t397 + 0xa0;
				goto 0x980facf7;
				 *((long long*)(_t397 + 0xa0)) = _t417;
				 *((long long*)(_t397 + 0xc0)) = _t417;
				 *((long long*)(_t397 + 0xc8)) = _t417;
				 *((long long*)(_t397 + 0xd0)) = _t417;
				 *((long long*)(_t397 + 0xd8)) = _t417;
				_t265 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t265 - 8 < 0) goto 0x980fad32;
				goto 0x980fad39;
				_t386 = _t396 + 8;
				_t303 = _t386;
				if (_t303 == 0) goto 0x980fad6c;
				if (_t265 - 8 < 0) goto 0x980fad49;
				goto 0x980fad4c;
				if (_t386 - _t303 > 0) goto 0x980fad6c;
				if (_t265 - 8 < 0) goto 0x980fad5c;
				goto 0x980fad5f;
				if (_t303 - _t386 +  *(_t396 + 0x18) * 2 <= 0) goto 0x980fad71;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x80)) = _t396;
				 *((long long*)(_t397 + 0x88)) = _t303;
				_t267 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t267 - 8 < 0) goto 0x980fad90;
				goto 0x980fad93;
				_t305 = _t386;
				if (_t305 == 0) goto 0x980fadc6;
				if (_t267 - 8 < 0) goto 0x980fada3;
				goto 0x980fada6;
				if (_t386 - _t305 > 0) goto 0x980fadc6;
				if (_t267 - 8 < 0) goto 0x980fadb6;
				goto 0x980fadb9;
				if (_t305 - _t386 +  *(_t396 + 0x18) * 2 <= 0) goto 0x980fadcb;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x90)) = _t396;
				 *((long long*)(_t397 + 0x98)) = _t305;
				_t389 =  *((intOrPtr*)(_t397 + 0xe0));
				asm("movaps xmm6, [esp+0x80]");
				if (_t389 == 0xfffffffc) goto 0x980fae0a;
				if (_t389 == 0) goto 0x980fae05;
				if (_t389 ==  *((intOrPtr*)(_t397 + 0xf0))) goto 0x980fae0a;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t397 + 0xe8)) ==  *((intOrPtr*)(_t397 + 0xf8))) goto 0x980fb04c;
				_t370 = _t397 + 0x150;
				_t327 = _t397 + 0xe0;
				 *_t370 =  *_t327;
				 *((long long*)(_t370 + 8)) =  *((intOrPtr*)(_t327 + 8));
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0x170], xmm0");
				asm("movdqa [esp+0x140], xmm6");
				 *((long long*)(_t397 + 0x30)) = _t397 + 0x150;
				 *((long long*)(_t397 + 0x28)) = _t397 + 0x170;
				 *((long long*)(_t397 + 0x20)) = _t397 + 0x140;
				E00007FF67FF6980FB470(_t397 + 0x130, _t397 + 0xa0);
				asm("movaps xmm6, [esp+0x130]");
				_t372 = _t397 + 0x90;
				_t329 = _t397 + 0xf0;
				 *_t372 =  *_t329;
				 *((long long*)(_t372 + 8)) =  *((intOrPtr*)(_t329 + 8));
				_t330 =  *((intOrPtr*)(_t397 + 0xd0));
				_t391 =  *((intOrPtr*)(_t397 + 0xd8)) + _t330;
				if (_t330 - _t391 <= 0) goto 0x980faedf;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x80)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x88)) = _t391;
				asm("movaps xmm0, [esp+0x80]");
				asm("movdqa [esp+0x120], xmm0");
				 *((char*)(_t397 + 0x20)) =  *(_t397 + 0x40) & 0x000000ff;
				E00007FF67FF6980FBE60(_t305, _t397 + 0xa0, _t397 + 0x120, _t391,  *((intOrPtr*)(_t397 + 0x100)),  *((intOrPtr*)(_t397 + 0x108)));
				_t278 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t278 - 8 < 0) goto 0x980faf40;
				goto 0x980faf43;
				_t374 =  *(_t396 + 0x18);
				_t392 = _t386 + _t374 * 2;
				if (_t392 == 0) goto 0x980faf7a;
				if (_t278 - 8 < 0) goto 0x980faf5b;
				goto 0x980faf5e;
				if (_t386 - _t392 > 0) goto 0x980faf7a;
				if (_t278 - 8 < 0) goto 0x980faf6e;
				goto 0x980faf71;
				if (_t392 - _t386 + _t374 * 2 <= 0) goto 0x980faf7f;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t392;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x70], xmm0");
				_t375 = _t397 + 0x60;
				_t336 = _t397 + 0xf0;
				 *_t375 =  *_t336;
				_t283 =  *((intOrPtr*)(_t336 + 8));
				 *((long long*)(_t375 + 8)) = _t283;
				E00007FF67FF6980FA9F0(_t305, _t416, _t397 + 0x180, _t392, _t397 + 0x60, _t397 + 0x70);
				_t377 = _t397 + 0xe0;
				 *_t377 =  *_t283;
				 *((long long*)(_t377 + 8)) =  *((intOrPtr*)(_t283 + 8));
				 *((long long*)(_t377 + 0x10)) =  *((intOrPtr*)(_t283 + 0x10));
				 *((long long*)(_t377 + 0x18)) =  *((intOrPtr*)(_t283 + 0x18));
				_t393 =  *((intOrPtr*)(_t397 + 0xe0));
				if (_t393 == 0xfffffffc) goto 0x980fb011;
				if (_t393 == 0) goto 0x980fb00c;
				if (_t393 ==  *((intOrPtr*)(_t397 + 0xf0))) goto 0x980fb011;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t397 + 0xe8)) ==  *((intOrPtr*)(_t397 + 0xf8))) goto 0x980fadf0;
				_t341 = _t397 + 0x100;
				 *_t341 =  *_t415;
				 *((long long*)(_t341 + 8)) =  *((intOrPtr*)(_t415 + 8));
				goto 0x980fadf0;
				_t288 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t288 - 8 < 0) goto 0x980fb05b;
				goto 0x980fb05e;
				_t378 =  *(_t396 + 0x18);
				_t306 = _t386 + _t378 * 2;
				if (_t306 == 0) goto 0x980fb095;
				if (_t288 - 8 < 0) goto 0x980fb076;
				goto 0x980fb079;
				if (_t386 - _t306 > 0) goto 0x980fb095;
				if (_t288 - 8 < 0) goto 0x980fb089;
				goto 0x980fb08c;
				if (_t306 - _t386 + _t378 * 2 <= 0) goto 0x980fb09a;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t306;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x90]");
				asm("movdqa [esp+0x70], xmm1");
				asm("movdqa [esp+0x120], xmm6");
				 *((long long*)(_t397 + 0x30)) = _t397 + 0x60;
				 *((long long*)(_t397 + 0x28)) = _t397 + 0x70;
				 *((long long*)(_t397 + 0x20)) = _t397 + 0x120;
				E00007FF67FF6980FB470(_t397 + 0x130, _t397 + 0xa0);
				_t413 =  *((intOrPtr*)(_t397 + 0xd8));
				if (_t413 != 0) goto 0x980fb1a0;
				_t295 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t295 - 8 < 0) goto 0x980fb124;
				goto 0x980fb127;
				_t380 =  *(_t396 + 0x18);
				_t307 = _t386 + _t380 * 2;
				if (_t307 == 0) goto 0x980fb159;
				if (_t295 - 8 < 0) goto 0x980fb13f;
				goto 0x980fb142;
				if (_t386 - _t307 > 0) goto 0x980fb159;
				if (_t295 - 8 < 0) goto 0x980fb150;
				_t387 =  *_t386;
				if (_t307 - _t387 + _t380 * 2 <= 0) goto 0x980fb15e;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t307;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x130]");
				asm("movdqa [esp+0x70], xmm1");
				E00007FF67FF6980F4940(_t307, _t396, _t397 + 0x120,  *((intOrPtr*)(_t397 + 0xe0)), _t396, _t397 + 0x70, _t397 + 0x60);
				goto 0x980fb2f3;
				_t308 =  *((intOrPtr*)(_t397 + 0xd0));
				_t395 = _t413 + _t308;
				if (_t308 - _t395 <= 0) goto 0x980fb1c6;
				E00007FF67FF6981044B8();
				_t309 =  *((intOrPtr*)(_t397 + 0xd0));
				 *((long long*)(_t397 + 0x50)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x58)) = _t395;
				if (_t309 -  *((intOrPtr*)(_t397 + 0xd8)) + _t309 <= 0) goto 0x980fb1ee;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x80)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x88)) = _t309;
				_t298 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t298 - 8 < 0) goto 0x980fb20d;
				goto 0x980fb210;
				_t382 =  *(_t396 + 0x18);
				_t310 = _t387 + _t382 * 2;
				if (_t310 == 0) goto 0x980fb242;
				if (_t298 - 8 < 0) goto 0x980fb228;
				goto 0x980fb22b;
				if (_t387 - _t310 > 0) goto 0x980fb242;
				if (_t298 - 8 < 0) goto 0x980fb239;
				if (_t310 -  *_t387 + _t382 * 2 <= 0) goto 0x980fb247;
				E00007FF67FF6981044B8();
				 *((long long*)(_t397 + 0x90)) = _t396;
				 *((long long*)(_t397 + 0x98)) = _t310;
				 *((long long*)(_t397 + 0x1a0)) = 7;
				 *((long long*)(_t397 + 0x198)) = _t417;
				 *((intOrPtr*)(_t397 + 0x188)) = r14w;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0x70], xmm1");
				r9d =  *(_t397 + 0x40) & 0x000000ff;
				E00007FF67FF6980FC2A0( *(_t397 + 0x40) & 0x000000ff, _t197, _t198, _t310, _t397 + 0x180, _t397 + 0x70, _t395, _t396, _t397 + 0x60, _t397 + 0x60);
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movdqa [esp+0x70], xmm0");
				_t412 = _t397 + 0x180;
				_t405 = _t397 + 0x60;
				_t384 = _t397 + 0x70;
				E00007FF67FF6980F2B00(_t310, _t396, _t397 + 0x70,  *_t387, _t395, _t396, _t397 + 0x60, _t397 + 0x180);
				if ( *((long long*)(_t397 + 0x1a0)) - 8 < 0) goto 0x980fb2f3;
				E00007FF67FF6981044D8( *_t387 + _t382 * 2, _t310,  *((intOrPtr*)(_t397 + 0x188)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				_t300 =  *((intOrPtr*)(_t397 + 0xd8));
				if (_t300 == 0) goto 0x980fb31b;
				_t250 = _t300;
				if (_t250 == 0) goto 0x980fb31b;
				 *((long long*)(_t397 + 0xd8)) = _t300 - 1;
				if (_t250 != 0) goto 0x980fb300;
				 *((long long*)(_t397 + 0xd0)) = _t417;
				_t311 =  *((intOrPtr*)(_t397 + 0xc8));
				if (_t311 == 0) goto 0x980fb352;
				_t312 = _t311 - 1;
				if ( *((long long*)( *((intOrPtr*)(_t397 + 0xc0)) + _t312 * 8)) == 0) goto 0x980fb34b;
				E00007FF67FF6981044D8(_t300 - 1, _t312,  *((intOrPtr*)( *((intOrPtr*)(_t397 + 0xc0)) + _t312 * 8)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				if (_t312 != 0) goto 0x980fb330;
				goto 0x980fb35a;
				if ( *((intOrPtr*)(_t397 + 0xc0)) == 0) goto 0x980fb364;
				E00007FF67FF6981044D8(_t300 - 1, _t312,  *((intOrPtr*)(_t397 + 0xc0)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				 *((long long*)(_t397 + 0xc8)) = _t417;
				 *((long long*)(_t397 + 0xc0)) = _t417;
				E00007FF67FF6981044D8(_t300 - 1, _t312,  *((intOrPtr*)(_t397 + 0xa0)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				_t194 = E00007FF67FF698104050(8,  *(_t397 + 0x1a8) ^ _t397, _t384, _t405, _t412);
				asm("movaps xmm6, [esp+0x1b0]");
				return _t194;
			}

0x7ff6980fac62
0x7ff6980fac6e
0x7ff6980fac76
0x7ff6980fac80
0x7ff6980fac88
0x7ff6980fac8b
0x7ff6980fac8e
0x7ff6980fac91
0x7ff6980fac9c
0x7ff6980faca3
0x7ff6980facab
0x7ff6980facb3
0x7ff6980facb7
0x7ff6980facbf
0x7ff6980facca
0x7ff6980faccd
0x7ff6980facd1
0x7ff6980facda
0x7ff6980facdf
0x7ff6980face5
0x7ff6980facef
0x7ff6980facf2
0x7ff6980facf7
0x7ff6980facff
0x7ff6980fad07
0x7ff6980fad0f
0x7ff6980fad17
0x7ff6980fad1f
0x7ff6980fad27
0x7ff6980fad30
0x7ff6980fad32
0x7ff6980fad36
0x7ff6980fad3c
0x7ff6980fad42
0x7ff6980fad47
0x7ff6980fad4f
0x7ff6980fad55
0x7ff6980fad5a
0x7ff6980fad6a
0x7ff6980fad6c
0x7ff6980fad71
0x7ff6980fad79
0x7ff6980fad81
0x7ff6980fad89
0x7ff6980fad8e
0x7ff6980fad90
0x7ff6980fad96
0x7ff6980fad9c
0x7ff6980fada1
0x7ff6980fada9
0x7ff6980fadaf
0x7ff6980fadb4
0x7ff6980fadc4
0x7ff6980fadc6
0x7ff6980fadcb
0x7ff6980fadd3
0x7ff6980fade0
0x7ff6980fade8
0x7ff6980fadf4
0x7ff6980fadf9
0x7ff6980fae03
0x7ff6980fae05
0x7ff6980fae1a
0x7ff6980fae20
0x7ff6980fae28
0x7ff6980fae33
0x7ff6980fae3a
0x7ff6980fae3e
0x7ff6980fae46
0x7ff6980fae4f
0x7ff6980fae60
0x7ff6980fae6d
0x7ff6980fae7a
0x7ff6980fae97
0x7ff6980fae9c
0x7ff6980faea4
0x7ff6980faeac
0x7ff6980faeb7
0x7ff6980faebe
0x7ff6980faec2
0x7ff6980faed2
0x7ff6980faed8
0x7ff6980faeda
0x7ff6980faee7
0x7ff6980faeef
0x7ff6980faef7
0x7ff6980faeff
0x7ff6980faf08
0x7ff6980faf2c
0x7ff6980faf31
0x7ff6980faf39
0x7ff6980faf3e
0x7ff6980faf43
0x7ff6980faf47
0x7ff6980faf4e
0x7ff6980faf54
0x7ff6980faf59
0x7ff6980faf61
0x7ff6980faf67
0x7ff6980faf6c
0x7ff6980faf78
0x7ff6980faf7a
0x7ff6980faf7f
0x7ff6980faf84
0x7ff6980faf89
0x7ff6980faf8e
0x7ff6980faf94
0x7ff6980faf99
0x7ff6980fafa4
0x7ff6980fafa7
0x7ff6980fafab
0x7ff6980fafc4
0x7ff6980fafc9
0x7ff6980fafd4
0x7ff6980fafdb
0x7ff6980fafe3
0x7ff6980fafeb
0x7ff6980fafef
0x7ff6980faffb
0x7ff6980fb000
0x7ff6980fb00a
0x7ff6980fb00c
0x7ff6980fb021
0x7ff6980fb027
0x7ff6980fb033
0x7ff6980fb03b
0x7ff6980fb047
0x7ff6980fb04c
0x7ff6980fb054
0x7ff6980fb059
0x7ff6980fb05e
0x7ff6980fb062
0x7ff6980fb069
0x7ff6980fb06f
0x7ff6980fb074
0x7ff6980fb07c
0x7ff6980fb082
0x7ff6980fb087
0x7ff6980fb093
0x7ff6980fb095
0x7ff6980fb09a
0x7ff6980fb09f
0x7ff6980fb0a4
0x7ff6980fb0a9
0x7ff6980fb0af
0x7ff6980fb0b7
0x7ff6980fb0bd
0x7ff6980fb0cb
0x7ff6980fb0d5
0x7ff6980fb0e2
0x7ff6980fb0ff
0x7ff6980fb104
0x7ff6980fb10f
0x7ff6980fb115
0x7ff6980fb11d
0x7ff6980fb122
0x7ff6980fb127
0x7ff6980fb12b
0x7ff6980fb132
0x7ff6980fb138
0x7ff6980fb13d
0x7ff6980fb145
0x7ff6980fb14b
0x7ff6980fb14d
0x7ff6980fb157
0x7ff6980fb159
0x7ff6980fb15e
0x7ff6980fb163
0x7ff6980fb168
0x7ff6980fb16d
0x7ff6980fb173
0x7ff6980fb17b
0x7ff6980fb196
0x7ff6980fb19b
0x7ff6980fb1a0
0x7ff6980fb1a8
0x7ff6980fb1af
0x7ff6980fb1b1
0x7ff6980fb1be
0x7ff6980fb1ce
0x7ff6980fb1d3
0x7ff6980fb1df
0x7ff6980fb1e1
0x7ff6980fb1ee
0x7ff6980fb1f6
0x7ff6980fb1fe
0x7ff6980fb206
0x7ff6980fb20b
0x7ff6980fb210
0x7ff6980fb214
0x7ff6980fb21b
0x7ff6980fb221
0x7ff6980fb226
0x7ff6980fb22e
0x7ff6980fb234
0x7ff6980fb240
0x7ff6980fb242
0x7ff6980fb247
0x7ff6980fb24f
0x7ff6980fb257
0x7ff6980fb263
0x7ff6980fb26b
0x7ff6980fb274
0x7ff6980fb279
0x7ff6980fb27f
0x7ff6980fb287
0x7ff6980fb28d
0x7ff6980fb2a5
0x7ff6980fb2ab
0x7ff6980fb2b3
0x7ff6980fb2b9
0x7ff6980fb2bf
0x7ff6980fb2c7
0x7ff6980fb2cc
0x7ff6980fb2d4
0x7ff6980fb2e3
0x7ff6980fb2ed
0x7ff6980fb2f3
0x7ff6980fb2fe
0x7ff6980fb300
0x7ff6980fb303
0x7ff6980fb309
0x7ff6980fb311
0x7ff6980fb313
0x7ff6980fb31b
0x7ff6980fb326
0x7ff6980fb330
0x7ff6980fb338
0x7ff6980fb33e
0x7ff6980fb34e
0x7ff6980fb350
0x7ff6980fb35d
0x7ff6980fb35f
0x7ff6980fb364
0x7ff6980fb36c
0x7ff6980fb37c
0x7ff6980fb38c
0x7ff6980fb391
0x7ff6980fb3aa

APIs

Part of subcall function 00007FF6981045E0: malloc.LIBCMT ref: 00007FF6981045FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAD6C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FADC6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAE05
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAEDA

Part of subcall function 00007FF6980FBE60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBE9F
Part of subcall function 00007FF6980FBE60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBEB1

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAF7A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB00C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB095

Part of subcall function 00007FF6980FB470: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB4F2

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB159
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB1B1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB1E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FB242

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: 3fab2268b774a43a72f155c8a4013d7ec2b68cad78901ac3ed3aa2c380edfcb8
Instruction ID: 3327c2d9a7621fe949a36682470e3f88abfe8ba25b6bc543a4c59d70104cd4cd
Opcode Fuzzy Hash: 3fab2268b774a43a72f155c8a4013d7ec2b68cad78901ac3ed3aa2c380edfcb8
Instruction Fuzzy Hash: CD225D32608BC681DA709F25E4903FDA360FB98784F848172DA8D97BA4DF7CD455DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812A0F0 Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF69812A106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A135
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A15B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A16C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A17F
CloseHandle.KERNEL32 ref: 00007FF69812A188
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A193
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A1A6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A1B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A1C3

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseCriticalEnterHandleSection
String ID:
API String ID: 2649207071-0
Opcode ID: c33f4b02dd8f6b7dcacff032d374c0c5cdb63b6fa274afd2291ba177bfd6c425
Instruction ID: f070a4dff19c21b6e42270e9dc30117f7a5aa1eb48babd7c9fec1ca8d2456c3b
Opcode Fuzzy Hash: c33f4b02dd8f6b7dcacff032d374c0c5cdb63b6fa274afd2291ba177bfd6c425
Instruction Fuzzy Hash: 20412C21E4CA5381FAB1AF31944067866A1EB45BA4FC952B1DA6DD73D5CF2CE842C31C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FEF30 Relevance: 15.4, APIs: 10, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF6980FEF30(char __ebx, void* __ecx, long long __rbx, void* __rcx, long long __rbp, void* __r9) {
				void* _v40;
				signed int _v48;
				long long _v56;
				long long _v64;
				char _v80;
				char _v88;
				long long _v96;
				char _v104;
				char _v112;
				char _v119;
				signed char _v120;
				long long _v128;
				long long _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				void* __rsi;
				signed char _t142;
				void* _t146;
				void* _t152;
				void* _t258;
				signed long long _t259;
				intOrPtr* _t261;
				intOrPtr* _t262;
				long long _t324;
				char* _t326;
				void* _t329;
				char* _t331;
				char* _t333;
				void* _t334;
				void* _t335;
				intOrPtr* _t340;
				intOrPtr _t356;
				char _t360;
				long long _t378;
				char _t385;
				char _t387;
				char _t389;
				void* _t397;
				char* _t399;
				char* _t401;
				void* _t402;
				void* _t406;
				void* _t409;
				char _t411;
				char _t413;
				long long _t426;
				long long _t432;
				signed long long _t434;
				long long _t437;

				_t323 = __rbx;
				_t258 = _t406;
				_v96 = 0xfffffffe;
				 *((long long*)(_t258 + 0x10)) = __rbx;
				 *((long long*)(_t258 + 0x18)) = __rbp;
				_t259 =  *0x98140430; // 0x4918c2c043f
				_v48 = _t259 ^ _t406 - 0x00000090;
				_t402 = __rcx;
				_t261 =  *((intOrPtr*)(__rcx + 0x40));
				if ( *_t261 == 0) goto 0x980fef9c;
				_t262 =  *((intOrPtr*)(__rcx + 0x58));
				if ( *_t261 -  *_t262 +  *_t261 >= 0) goto 0x980fef9c;
				 *_t262 =  *_t262 - 1;
				_t340 =  *((intOrPtr*)(__rcx + 0x40));
				_t369 =  *_t340;
				 *_t340 =  *_t340 + 1;
				goto 0x980ff542;
				_t341 =  *((intOrPtr*)(__rcx + 0x88));
				if ( *((intOrPtr*)(__rcx + 0x88)) != 0) goto 0x980fefb0;
				goto 0x980ff542;
				if ( *((long long*)(__rcx + 0x70)) != 0) goto 0x980fefd3;
				_t142 = E00007FF67FF698106DD4( *_t340 + 1, __rbx,  *((intOrPtr*)(__rcx + 0x88)), _t369, _t409);
				if (_t142 == 0xffffffff) goto 0x980fefc7;
				r12d = _t142 & 0x000000ff;
				goto 0x980fefcb;
				goto 0x980ff542;
				_v56 = 0xf;
				r14d = 0;
				_v64 = _t437;
				_v80 = r14b;
				if (E00007FF67FF698106DD4( *_t340 + 1, _t323, _t341, _t369, _t409) == r12d) goto 0x980ff52a;
				if ((_t434 | 0xffffffffffffffff) - _v64 - 1 > 0) goto 0x980ff01b;
				E00007FF67FF6981033CC( *_t340 + 1, _t323, _t397, __rbp, _t409, __r9);
				_t324 = _v64 + 1;
				if (_t324 - 0xfffffffe <= 0) goto 0x980ff02f;
				_t146 = E00007FF67FF6981033CC( *_t340 + 1, _t324, _t397, __rbp, _t409, __r9);
				if (_v56 - _t324 >= 0) goto 0x980ff05b;
				E00007FF67FF6980F2250(_t146,  &_v88, _t324, _v64);
				goto 0x980ff085;
				if (_t324 != 0) goto 0x980ff085;
				_v64 = _t437;
				_t265 =  >=  ? _v80 :  &_v80;
				 *((char*)( >=  ? _v80 :  &_v80)) = __ebx;
				goto 0x980ff0c7;
				if (_t324 == 0) goto 0x980ff0c7;
				_t267 =  >=  ? _v80 :  &_v80;
				 *((intOrPtr*)(( >=  ? _v80 :  &_v80) + _v64)) = dil;
				_v64 = _t324;
				_t269 =  >=  ? _v80 :  &_v80;
				 *((char*)(( >=  ? _v80 :  &_v80) + _t324)) = 0;
				_t411 = _v80;
				if (_v56 - 0x10 < 0) goto 0x980ff0dc;
				if (_t411 == 0) goto 0x980ff108;
				goto 0x980ff0e1;
				_t399 =  &_v80;
				_t271 =  >=  ? _t411 :  &_v80;
				_t198 = ( >=  ? _t411 :  &_v80) - _t399;
				if (( >=  ? _t411 :  &_v80) - _t399 > 0) goto 0x980ff108;
				_t273 =  >=  ? _t411 :  &_v80;
				_t274 = ( >=  ? _t411 :  &_v80) + _v64;
				_t200 = _t399 - ( >=  ? _t411 :  &_v80) + _v64;
				if (_t399 - ( >=  ? _t411 :  &_v80) + _v64 <= 0) goto 0x980ff11f;
				E00007FF67FF6981044B8();
				if ( &_v88 == 0xfffffffc) goto 0x980ff156;
				_t277 =  >=  ? _v80 :  &_v80;
				_t278 = ( >=  ? _v80 :  &_v80) + _v64;
				_t203 = _t399 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t399 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0x980ff156;
				E00007FF67FF6981044B8();
				_t378 = _v64;
				_t413 = _v80;
				if (_v56 - 0x10 < 0) goto 0x980ff169;
				if (_t413 == 0) goto 0x980ff195;
				goto 0x980ff16e;
				_t326 =  &_v80;
				_t280 =  >=  ? _t413 :  &_v80;
				_t207 = ( >=  ? _t413 :  &_v80) - _t326;
				if (( >=  ? _t413 :  &_v80) - _t326 > 0) goto 0x980ff195;
				_t282 =  >=  ? _t413 :  &_v80;
				_t283 = ( >=  ? _t413 :  &_v80) + _t378;
				_t209 = _t326 - ( >=  ? _t413 :  &_v80) + _t378;
				if (_t326 - ( >=  ? _t413 :  &_v80) + _t378 <= 0) goto 0x980ff1ac;
				E00007FF67FF6981044B8();
				if ( &_v88 == 0xfffffffc) goto 0x980ff1d1;
				_t286 =  >=  ? _v80 :  &_v80;
				_t287 = ( >=  ? _v80 :  &_v80) + _v64;
				_t212 = _t326 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t326 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0x980ff1d1;
				E00007FF67FF6981044B8();
				_v128 =  &_v104;
				_v136 =  &_v119;
				_v144 =  &_v120;
				_v152 =  &_v112;
				_t152 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t402 + 0x70)))) + 0x20))();
				if (_t152 < 0) goto 0x980ff510;
				if (_t152 - 1 <= 0) goto 0x980ff238;
				if (_t152 != 3) goto 0x980ff510;
				if (_v64 - 1 >= 0) goto 0x980ff363;
				goto 0x980ff347;
				if (_v104 !=  &_v120) goto 0x980ff41f;
				_t385 = _v80;
				if (_v56 - 0x10 < 0) goto 0x980ff265;
				if (_t385 == 0) goto 0x980ff296;
				goto 0x980ff26a;
				_t401 =  &_v80;
				_t291 =  >=  ? _t385 :  &_v80;
				_t221 = ( >=  ? _t385 :  &_v80) - _t401;
				if (( >=  ? _t385 :  &_v80) - _t401 > 0) goto 0x980ff296;
				_t293 =  >=  ? _t385 :  &_v80;
				_t294 = ( >=  ? _t385 :  &_v80) + _v64;
				_t223 = _t401 - ( >=  ? _t385 :  &_v80) + _v64;
				if (_t401 - ( >=  ? _t385 :  &_v80) + _v64 <= 0) goto 0x980ff2ad;
				E00007FF67FF6981044B8();
				if ( &_v88 == 0xfffffffc) goto 0x980ff2e4;
				_t297 =  >=  ? _v80 :  &_v80;
				_t298 = ( >=  ? _v80 :  &_v80) + _v64;
				_t226 = _t401 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t401 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0x980ff2e4;
				E00007FF67FF6981044B8();
				_t426 = _v64;
				_t387 = _v80;
				_t329 =  <  ? _t426 : _v112 - _t401;
				if (_t329 == 0) goto 0x980ff347;
				_t300 =  >=  ? _t387 :  &_v80;
				_t355 =  >=  ? _t387 :  &_v80;
				_t427 = _t426 - _t329;
				_t416 = _t329 + ( >=  ? _t387 :  &_v80);
				E00007FF67FF698104070( >=  ? _t387 :  &_v80, _v56, _t329 + ( >=  ? _t387 :  &_v80), _t426 - _t329);
				_t432 = _v64 - _t329;
				_v64 = _t432;
				_t302 =  >=  ? _v80 :  &_v80;
				 *((char*)(_t432 + ( >=  ? _v80 :  &_v80))) = 0;
				_t356 =  *((intOrPtr*)(_t402 + 0x88));
				if (E00007FF67FF698106DD4( >=  ? _v80 :  &_v80, _t329, _t356, _v56, _t329 + ( >=  ? _t387 :  &_v80)) == 0xffffffff) goto 0x980ff52a;
				goto 0x980ff000;
				_t389 = _v80;
				if (_v56 - 0x10 < 0) goto 0x980ff380;
				if (_t389 == 0) goto 0x980ff3ac;
				goto 0x980ff385;
				_t331 =  &_v80;
				_t304 =  >=  ? _t389 :  &_v80;
				_t236 = ( >=  ? _t389 :  &_v80) - _t331;
				if (( >=  ? _t389 :  &_v80) - _t331 > 0) goto 0x980ff3ac;
				_t306 =  >=  ? _t389 :  &_v80;
				_t307 = ( >=  ? _t389 :  &_v80) + _t356;
				_t238 = _t331 - ( >=  ? _t389 :  &_v80) + _t356;
				if (_t331 - ( >=  ? _t389 :  &_v80) + _t356 <= 0) goto 0x980ff3c3;
				E00007FF67FF6981044B8();
				if ( &_v88 == 0xfffffffc) goto 0x980ff3e8;
				_t310 =  >=  ? _v80 :  &_v80;
				_t311 = ( >=  ? _v80 :  &_v80) + _v64;
				_t241 = _t331 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t331 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0x980ff3e8;
				E00007FF67FF6981044B8();
				r9d = 1;
				E00007FF67FF6981044E0(( >=  ? _v80 :  &_v80) + _v64, _t331,  &_v120, _t426 - _t329, _t402, _t331, _t426 - _t329);
				if (_v56 - 0x10 < 0) goto 0x980ff418;
				E00007FF67FF6981044D8(( >=  ? _v80 :  &_v80) + _v64, _t331, _v80, _t426 - _t329, _t402, _t331, _t427);
				goto 0x980ff542;
				_t360 = _v80;
				if (_v56 - 0x10 < 0) goto 0x980ff43c;
				if (_t360 == 0) goto 0x980ff46d;
				goto 0x980ff441;
				_t333 =  &_v80;
				_t313 =  >=  ? _t360 :  &_v80;
				_t246 = ( >=  ? _t360 :  &_v80) - _t333;
				if (( >=  ? _t360 :  &_v80) - _t333 > 0) goto 0x980ff46d;
				_t315 =  >=  ? _t360 :  &_v80;
				_t316 = ( >=  ? _t360 :  &_v80) + _v64;
				_t248 = _t333 - ( >=  ? _t360 :  &_v80) + _v64;
				if (_t333 - ( >=  ? _t360 :  &_v80) + _v64 <= 0) goto 0x980ff484;
				E00007FF67FF6981044B8();
				if ( &_v88 == 0xfffffffc) goto 0x980ff4b6;
				_t319 =  >=  ? _v80 :  &_v80;
				_t320 = ( >=  ? _v80 :  &_v80) + _v64;
				_t251 = _t333 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t333 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0x980ff4b6;
				_t334 = (_v120 & 0x000000ff) - E00007FF67FF6981044B8() + _v64;
				if (_t334 <= 0) goto 0x980ff4fc;
				_t335 = _t334 - 1;
				E00007FF67FF698106B00( *((char*)(_t335 + _v112)), _v112, _t335, _v80,  *((intOrPtr*)(_t402 + 0x88)), _t402, _t378);
				if (_t335 <= 0) goto 0x980ff4ef;
				goto 0x980ff4d0;
				if (_v56 - 0x10 < 0) goto 0x980ff50c;
				E00007FF67FF6981044D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				goto 0x980ff542;
				if (_v56 - 0x10 < 0) goto 0x980ff525;
				E00007FF67FF6981044D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				goto 0x980ff542;
				if (_v56 - 0x10 < 0) goto 0x980ff53f;
				E00007FF67FF6981044D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				return E00007FF67FF698104050( *((char*)(_t335 + _v112)), _v48 ^ _t406 - 0x00000090, _v56, _v64, _t427);
			}

0x7ff6980fef30
0x7ff6980fef30
0x7ff6980fef42
0x7ff6980fef4b
0x7ff6980fef4f
0x7ff6980fef53
0x7ff6980fef5d
0x7ff6980fef65
0x7ff6980fef68
0x7ff6980fef70
0x7ff6980fef75
0x7ff6980fef82
0x7ff6980fef84
0x7ff6980fef86
0x7ff6980fef8a
0x7ff6980fef91
0x7ff6980fef97
0x7ff6980fef9c
0x7ff6980fefa6
0x7ff6980fefab
0x7ff6980fefb5
0x7ff6980fefb7
0x7ff6980fefbf
0x7ff6980fefc1
0x7ff6980fefc5
0x7ff6980fefce
0x7ff6980fefd3
0x7ff6980fefdf
0x7ff6980fefe2
0x7ff6980fefe7
0x7ff6980feffa
0x7ff6980ff00f
0x7ff6980ff011
0x7ff6980ff01b
0x7ff6980ff023
0x7ff6980ff025
0x7ff6980ff03a
0x7ff6980ff047
0x7ff6980ff059
0x7ff6980ff05e
0x7ff6980ff060
0x7ff6980ff06e
0x7ff6980ff074
0x7ff6980ff083
0x7ff6980ff088
0x7ff6980ff093
0x7ff6980ff099
0x7ff6980ff09d
0x7ff6980ff0b0
0x7ff6980ff0b6
0x7ff6980ff0c7
0x7ff6980ff0d0
0x7ff6980ff0d8
0x7ff6980ff0da
0x7ff6980ff0dc
0x7ff6980ff0ea
0x7ff6980ff0ee
0x7ff6980ff0f1
0x7ff6980ff0fc
0x7ff6980ff100
0x7ff6980ff103
0x7ff6980ff106
0x7ff6980ff108
0x7ff6980ff128
0x7ff6980ff133
0x7ff6980ff137
0x7ff6980ff13a
0x7ff6980ff13d
0x7ff6980ff13f
0x7ff6980ff14c
0x7ff6980ff151
0x7ff6980ff15d
0x7ff6980ff165
0x7ff6980ff167
0x7ff6980ff169
0x7ff6980ff177
0x7ff6980ff17b
0x7ff6980ff17e
0x7ff6980ff189
0x7ff6980ff18d
0x7ff6980ff190
0x7ff6980ff193
0x7ff6980ff195
0x7ff6980ff1b5
0x7ff6980ff1c0
0x7ff6980ff1c4
0x7ff6980ff1c7
0x7ff6980ff1ca
0x7ff6980ff1cc
0x7ff6980ff1e1
0x7ff6980ff1eb
0x7ff6980ff1f5
0x7ff6980ff1ff
0x7ff6980ff20b
0x7ff6980ff210
0x7ff6980ff219
0x7ff6980ff21e
0x7ff6980ff22d
0x7ff6980ff233
0x7ff6980ff242
0x7ff6980ff248
0x7ff6980ff259
0x7ff6980ff261
0x7ff6980ff263
0x7ff6980ff265
0x7ff6980ff273
0x7ff6980ff277
0x7ff6980ff27a
0x7ff6980ff285
0x7ff6980ff28e
0x7ff6980ff291
0x7ff6980ff294
0x7ff6980ff296
0x7ff6980ff2b6
0x7ff6980ff2c1
0x7ff6980ff2c5
0x7ff6980ff2c8
0x7ff6980ff2cb
0x7ff6980ff2cd
0x7ff6980ff2da
0x7ff6980ff2df
0x7ff6980ff2ef
0x7ff6980ff2f6
0x7ff6980ff301
0x7ff6980ff30e
0x7ff6980ff312
0x7ff6980ff315
0x7ff6980ff31c
0x7ff6980ff326
0x7ff6980ff329
0x7ff6980ff33c
0x7ff6980ff342
0x7ff6980ff347
0x7ff6980ff358
0x7ff6980ff35e
0x7ff6980ff363
0x7ff6980ff374
0x7ff6980ff37c
0x7ff6980ff37e
0x7ff6980ff380
0x7ff6980ff38e
0x7ff6980ff392
0x7ff6980ff395
0x7ff6980ff3a0
0x7ff6980ff3a4
0x7ff6980ff3a7
0x7ff6980ff3aa
0x7ff6980ff3ac
0x7ff6980ff3cc
0x7ff6980ff3d7
0x7ff6980ff3db
0x7ff6980ff3de
0x7ff6980ff3e1
0x7ff6980ff3e3
0x7ff6980ff3e8
0x7ff6980ff3f9
0x7ff6980ff40c
0x7ff6980ff413
0x7ff6980ff41a
0x7ff6980ff41f
0x7ff6980ff430
0x7ff6980ff438
0x7ff6980ff43a
0x7ff6980ff43c
0x7ff6980ff44a
0x7ff6980ff44e
0x7ff6980ff451
0x7ff6980ff45c
0x7ff6980ff465
0x7ff6980ff468
0x7ff6980ff46b
0x7ff6980ff46d
0x7ff6980ff48d
0x7ff6980ff498
0x7ff6980ff49c
0x7ff6980ff49f
0x7ff6980ff4a2
0x7ff6980ff4c1
0x7ff6980ff4c7
0x7ff6980ff4d0
0x7ff6980ff4de
0x7ff6980ff4e6
0x7ff6980ff4ed
0x7ff6980ff505
0x7ff6980ff507
0x7ff6980ff50e
0x7ff6980ff519
0x7ff6980ff520
0x7ff6980ff528
0x7ff6980ff533
0x7ff6980ff53a
0x7ff6980ff56d

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881c8078162d35f82bba43f03a585fc8a805b2fb2cb09d7df4f1abe047ead2c
Instruction ID: 90a2a3f09d870839e5201f436172dbbc6967ef8095d0eac3136213a89913cf4d
Opcode Fuzzy Hash: 4881c8078162d35f82bba43f03a585fc8a805b2fb2cb09d7df4f1abe047ead2c
Instruction Fuzzy Hash: 9F02A76370CB4281EE209B25E0502ADA751FB947D0FD48671EA9D87BE5DF3CE484DB48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698107934 Relevance: 15.3, APIs: 10, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF67FF698107934(signed long long __rbx, long long __rcx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v48;
				char _v65;
				intOrPtr _v66;
				signed short _v72;
				signed long long _v96;
				signed int _v104;
				char _v120;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				signed int _t102;
				signed int _t130;
				signed int _t135;
				void* _t137;
				void* _t139;
				void* _t164;
				signed long long _t167;
				signed long long _t168;
				intOrPtr* _t169;
				signed int _t170;
				long long _t172;
				signed long long _t180;
				signed char* _t189;
				signed char* _t194;
				signed long long _t211;
				void* _t214;
				int _t222;
				long long _t223;
				long long _t225;
				intOrPtr* _t228;
				long long _t229;
				void* _t231;
				void* _t234;
				void* _t236;
				void* _t239;
				void* _t241;
				signed long long _t242;
				signed long long _t243;
				void* _t245;
				signed long long _t247;
				void* _t249;
				signed long long _t251;
				void* _t253;
				signed long long _t255;

				_t225 = __rsi;
				_t180 = __rbx;
				_t239 = _t231;
				 *((long long*)(_t239 + 0x10)) = __rbx;
				 *((long long*)(_t239 + 0x18)) = __rbp;
				 *((long long*)(_t239 + 0x20)) = __rsi;
				_t167 =  *0x98140430; // 0x4918c2c043f
				_t168 = _t167 ^ _t231 - 0x00000090;
				_v48 = _t168;
				_t223 = __rcx;
				 *((long long*)(_t239 - 0x58)) = __rcx;
				_v96 = __rbx;
				_t242 = __rbx;
				 *((long long*)(_t239 - 0x50)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x14)) == 0) goto 0x98107cd0;
				_t228 = __rcx + 4;
				_t10 = _t180 + 1; // 0x1
				_t137 = _t10;
				if ( *_t228 != 0) goto 0x981079bb;
				r8d =  *(__rcx + 0x30) & 0x0000ffff;
				r9d = 0x1004;
				_v152 = _t228;
				if (E00007FF67FF69810FB68(0, 0, __rbx, _t239 - 0x58, _t234) != 0) goto 0x98107ca0;
				E00007FF67FF69810A574(_t139, _t168, __rbx, _t239 - 0x58, __rsi, _t228);
				r12d = 0x180;
				_v96 = _t168;
				E00007FF67FF69810A5E0(_t180, _t242, _t214, _t223, _t225, _t228, _t253, _t249);
				_t247 = _t168;
				E00007FF67FF69810A5E0(_t180, _t242, _t225, _t223, _t225, _t228, _t245, _t241);
				_t255 = _t168;
				E00007FF67FF69810A5E0(_t180, _t242, _t225, _t223, _t225, _t228);
				_t251 = _t168;
				E00007FF67FF69810A5E0(_t180, _t242, _t225, _t223, _t225, _t228);
				_t243 = _t168;
				_t169 = _v96;
				if (_t169 == _t180) goto 0x98107ca0;
				if (_t247 == _t180) goto 0x98107ca0;
				if (_t243 == _t180) goto 0x98107ca0;
				if (_t255 == _t180) goto 0x98107ca0;
				if (_t251 == _t180) goto 0x98107ca0;
				 *_t169 = 0;
				 *_t243 = 0;
				if (0 + _t137 - 0x100 < 0) goto 0x98107a45;
				if (GetCPInfo(_t222) == 0) goto 0x98107ca0;
				if (_v72 - 5 > 0) goto 0x98107ca0;
				_t102 = _v72 & 0x0000ffff;
				_v104 = _t102;
				if (_t102 - _t137 <= 0) goto 0x98107ab0;
				if (_v66 == 0) goto 0x98107ab0;
				_t22 =  &_v65; // 0x1f7
				_t189 = _t22;
				if ( *_t189 == 0) goto 0x98107ab0;
				_t130 =  *(_t189 - 1) & 0x000000ff;
				goto 0x98107aa0;
				_t170 = _t130;
				 *((char*)(_t170 + _t243)) = 0x20;
				if (_t130 + _t137 - ( *_t189 & 0x000000ff) <= 0) goto 0x98107a96;
				if ( *((intOrPtr*)( &(_t189[2]) - 1)) != 0) goto 0x98107a8c;
				_v128 = 0;
				_t27 = _t247 + 0x100; // 0x100
				_v136 = 0;
				_v144 =  *_t228;
				_v152 = _t27;
				r9d = 0x100;
				if (E00007FF67FF698112858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236) == 0) goto 0x98107ca0;
				_v120 = 0;
				_v128 =  *_t228;
				_t34 = _t255 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t34;
				_t37 = _t170 + 1; // 0x100
				r8d = _t37;
				_t38 = _t243 + 1; // 0x1
				_v152 = 0xff;
				if (E00007FF67FF69810AC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF67FF698112858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236), _t170, _t180, _t34, _t225, _t243, _t38) == 0) goto 0x98107ca0;
				_v120 = 0;
				_v128 =  *_t228;
				_t43 = _t251 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t43;
				_t46 = _t243 + 1; // 0x1
				r8d = 0x200;
				_v152 = 0xff;
				if (E00007FF67FF69810AC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF67FF69810AC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF67FF698112858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236), _t170, _t180, _t34, _t225, _t243, _t38), _t170, _t180, _t43, _t225, _t243, _t46) == 0) goto 0x98107ca0;
				_t49 = _t247 + 0xfe; // 0xfe
				_t229 = _t49;
				 *_t229 = 0;
				 *((char*)(_t255 + 0x7f)) = 0;
				 *((char*)(_t251 + 0x7f)) = 0;
				 *((char*)(_t255 + 0x80)) = 0;
				 *((char*)(_t251 + 0x80)) = 0;
				if (_v104 - _t137 <= 0) goto 0x98107bc5;
				if (_v66 == 0) goto 0x98107bc5;
				_t55 =  &_v65; // 0x1f7
				_t194 = _t55;
				if ( *_t194 == 0) goto 0x98107bc5;
				_t135 =  *(_t194 - 1) & 0x000000ff;
				goto 0x98107bb5;
				r8d = 0x8000;
				 *((intOrPtr*)(_t247 + 0x100 + _t135 * 2)) = r8w;
				if (_t135 + _t137 - ( *_t194 & 0x000000ff) <= 0) goto 0x98107ba1;
				if ( *((intOrPtr*)( &(_t194[2]) - 1)) != 0) goto 0x98107b97;
				_t61 = _t247 + 0x200; // 0x200
				r8d = 0xfe;
				E00007FF67FF69810AE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t247, _t61, _t243);
				_t62 = _t255 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF67FF69810AE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t255, _t62, _t243);
				_t63 = _t251 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF67FF69810AE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t251, _t63, _t243);
				_t164 =  *((intOrPtr*)(_t223 + 0x130)) - _t180;
				if (_t164 == 0) goto 0x98107c55;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t164 != 0) goto 0x98107c55;
				free(??);
				free(??);
				free(??);
				free(??);
				_t172 = _v96;
				 *_t172 = _t137;
				 *((long long*)(_t223 + 0x130)) = _t172;
				_t71 = _t247 + 0x100; // 0x100
				 *((long long*)(_t223 + 0x140)) = _t71;
				_t73 = _t255 + 0x80; // 0x80
				 *((long long*)(_t223 + 0x138)) = _t229;
				 *((long long*)(_t223 + 0x148)) = _t73;
				_t76 = _t251 + 0x80; // 0x80
				 *((long long*)(_t223 + 0x150)) = _t76;
				 *(_t223 + 0x10c) = _v104;
				goto 0x98107cc4;
				free(??);
				free(??);
				free(??);
				free(??);
				_t211 = _t243;
				free(??);
				goto 0x98107d25;
				if ( *(_t211 + 0x130) == _t180) goto 0x98107ce0;
				asm("lock add dword [eax], 0xffffffff");
				 *(_t211 + 0x130) = _t180;
				 *((long long*)(_t211 + 0x140)) = 0x98130ed0;
				 *(_t211 + 0x138) = _t180;
				 *((long long*)(_t211 + 0x148)) = 0x98131360;
				 *((intOrPtr*)(_t211 + 0x10c)) = 1;
				 *((long long*)(_t211 + 0x150)) = 0x981314e0;
				return E00007FF67FF698104050(0, _v48 ^ _t231 - 0x00000090, _t63, _t243, _t46);
			}

0x7ff698107934
0x7ff698107934
0x7ff698107934
0x7ff698107937
0x7ff69810793b
0x7ff69810793f
0x7ff698107953
0x7ff69810795a
0x7ff69810795d
0x7ff698107967
0x7ff69810796a
0x7ff69810796e
0x7ff69810797c
0x7ff69810797f
0x7ff698107986
0x7ff69810798c
0x7ff698107990
0x7ff698107990
0x7ff698107996
0x7ff698107998
0x7ff6981079a3
0x7ff6981079a9
0x7ff6981079b5
0x7ff6981079c0
0x7ff6981079c5
0x7ff6981079d3
0x7ff6981079d8
0x7ff6981079e3
0x7ff6981079e6
0x7ff6981079f1
0x7ff6981079f4
0x7ff698107a01
0x7ff698107a04
0x7ff698107a09
0x7ff698107a0c
0x7ff698107a14
0x7ff698107a1d
0x7ff698107a26
0x7ff698107a2f
0x7ff698107a38
0x7ff698107a3e
0x7ff698107a45
0x7ff698107a51
0x7ff698107a63
0x7ff698107a6e
0x7ff698107a74
0x7ff698107a7b
0x7ff698107a7f
0x7ff698107a85
0x7ff698107a87
0x7ff698107a87
0x7ff698107a8e
0x7ff698107a90
0x7ff698107a94
0x7ff698107a96
0x7ff698107a9b
0x7ff698107aa5
0x7ff698107aae
0x7ff698107ab3
0x7ff698107ab7
0x7ff698107abe
0x7ff698107ac2
0x7ff698107ac6
0x7ff698107acd
0x7ff698107adf
0x7ff698107aeb
0x7ff698107aef
0x7ff698107af8
0x7ff698107aff
0x7ff698107b03
0x7ff698107b08
0x7ff698107b08
0x7ff698107b0c
0x7ff698107b13
0x7ff698107b1e
0x7ff698107b2a
0x7ff698107b2e
0x7ff698107b37
0x7ff698107b3e
0x7ff698107b42
0x7ff698107b47
0x7ff698107b4e
0x7ff698107b54
0x7ff698107b5f
0x7ff698107b69
0x7ff698107b69
0x7ff698107b70
0x7ff698107b74
0x7ff698107b78
0x7ff698107b7c
0x7ff698107b83
0x7ff698107b8a
0x7ff698107b90
0x7ff698107b92
0x7ff698107b92
0x7ff698107b99
0x7ff698107b9b
0x7ff698107b9f
0x7ff698107ba4
0x7ff698107bac
0x7ff698107bba
0x7ff698107bc3
0x7ff698107bc5
0x7ff698107bcc
0x7ff698107bd5
0x7ff698107bda
0x7ff698107be1
0x7ff698107bea
0x7ff698107bef
0x7ff698107bf6
0x7ff698107bff
0x7ff698107c0b
0x7ff698107c0e
0x7ff698107c10
0x7ff698107c14
0x7ff698107c24
0x7ff698107c34
0x7ff698107c44
0x7ff698107c50
0x7ff698107c55
0x7ff698107c5a
0x7ff698107c5c
0x7ff698107c63
0x7ff698107c6a
0x7ff698107c71
0x7ff698107c78
0x7ff698107c7f
0x7ff698107c86
0x7ff698107c8d
0x7ff698107c98
0x7ff698107c9e
0x7ff698107ca5
0x7ff698107cad
0x7ff698107cb5
0x7ff698107cbd
0x7ff698107cc4
0x7ff698107cc7
0x7ff698107cce
0x7ff698107cda
0x7ff698107cdc
0x7ff698107cec
0x7ff698107cf3
0x7ff698107d01
0x7ff698107d08
0x7ff698107d16
0x7ff698107d1c
0x7ff698107d55

APIs

GetCPInfo.KERNEL32 ref: 00007FF698107A5B

Part of subcall function 00007FF69810FB68: GetLastError.KERNEL32 ref: 00007FF69810FBD1
Part of subcall function 00007FF69810FB68: free.LIBCMT ref: 00007FF69810FC5D

free.LIBCMT ref: 00007FF698107C24
free.LIBCMT ref: 00007FF698107C34
free.LIBCMT ref: 00007FF698107C44
free.LIBCMT ref: 00007FF698107C50
free.LIBCMT ref: 00007FF698107CA5
free.LIBCMT ref: 00007FF698107CAD
free.LIBCMT ref: 00007FF698107CB5
free.LIBCMT ref: 00007FF698107CBD
free.LIBCMT ref: 00007FF698107CC7

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 56237f1013cf1dc1397bfeea8cdaa334b227246309f0e1c3ee9da10f49af2e64
Instruction ID: 753df8867a83d9b89e3ead095387bc6366b825276c605b93f841e7c69b615d2a
Opcode Fuzzy Hash: 56237f1013cf1dc1397bfeea8cdaa334b227246309f0e1c3ee9da10f49af2e64
Instruction Fuzzy Hash: 5FB1CD32A0868387DB20CF34A8806B977A4FB88784FC44576EA9EC7795DF39D561C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811483C Relevance: 15.2, APIs: 10, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 15%

			E00007FF67FF69811483C(int __ecx, void* __edx, long long __r8, int* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t39;
				int _t41;
				void* _t43;
				int _t45;
				int _t48;
				int _t50;
				int _t69;
				int _t71;
				int _t72;
				signed long long _t97;
				intOrPtr* _t105;
				int _t108;
				void* _t109;
				long long _t120;
				signed long long _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t139;
				void* _t140;
				long long _t141;
				long long _t142;

				_t138 = __r9;
				_t127 = _t126 - 0x88;
				_t125 = _t127 + 0x40;
				_t97 =  *0x98140430; // 0x4918c2c043f
				 *(_t125 + 0x30) = _t97 ^ _t125;
				_t141 =  *((intOrPtr*)(_t125 + 0xb0));
				r12d =  *__r9;
				 *_t125 = 0;
				 *(_t125 + 0x10) = __r9;
				r13d = __edx;
				r15d = __ecx;
				 *((long long*)(_t125 + 8)) = __r8;
				if (__ecx == __edx) goto 0x98114aa1;
				if (GetCPInfo(??, ??) == 0) goto 0x9811493f;
				if ( *((intOrPtr*)(_t125 + 0x18)) != 1) goto 0x9811493f;
				if (GetCPInfo(??, ??) == 0) goto 0x9811493f;
				if ( *((intOrPtr*)(_t125 + 0x18)) != 1) goto 0x9811493f;
				 *_t125 = 1;
				if (r12d == 0xffffffff) goto 0x98114932;
				_t69 = r12d;
				if (_t69 <= 0) goto 0x98114986;
				_t108 = _t69;
				if (_t108 - 0xfffffff0 > 0) goto 0x98114986;
				_t109 = _t108 + _t108 + 0x10;
				if (_t109 - 0x400 > 0) goto 0x9811496d;
				if (_t109 + 0xf - _t109 > 0) goto 0x98114914;
				_t39 = E00007FF67FF69812C0A0(_t38, 0xffffffffffffff0, _t139, _t140);
				_t128 = _t127 - 0xffffffffffffff0;
				_t105 = _t128 + 0x40;
				if (_t105 == 0) goto 0x98114966;
				 *_t105 = 0xcccc;
				goto 0x98114980;
				E00007FF67FF6981070C0(_t39, _t105);
				goto 0x981148d5;
				r9d = r12d;
				 *(_t128 + 0x28) = 0xffffffffffffff1;
				 *((long long*)(_t128 + 0x20)) = _t120;
				_t41 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				_t71 = _t41;
				if (_t41 != 0) goto 0x981148d5;
				goto 0x98114aa4;
				_t43 = malloc(??);
				if (0xffffffffffffff0 == 0) goto 0x98114988;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0x98114988;
				if (0x1000000000000000 == 0) goto 0x98114966;
				E00007FF67FF69810B240(_t43, r15d, 0, 0x1000000000000000, _t125 + 0x18, _t71 + _t71);
				r9d = r12d;
				 *(_t128 + 0x28) = _t71;
				 *((long long*)(_t128 + 0x20)) = 0x1000000000000000;
				_t45 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				r15d = 0;
				if (_t45 == r15d) goto 0x98114a90;
				if (_t141 == _t142) goto 0x98114a07;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				 *(_t128 + 0x28) =  *(_t125 + 0xb8);
				r9d = _t71;
				 *((long long*)(_t128 + 0x20)) = _t141;
				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == r15d) goto 0x98114a90;
				goto 0x98114a90;
				if ( *_t125 != r15d) goto 0x98114a39;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				r9d = _t71;
				 *(_t128 + 0x28) = r15d;
				 *((long long*)(_t128 + 0x20)) = _t142;
				_t48 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				_t72 = _t48;
				if (_t48 == r15d) goto 0x98114a90;
				E00007FF67FF69810A5E0(0x1000000000000000, 0x1000000000000000, _t72, _t120, _t141, _t125);
				if (0xffffffffffffff0 == _t142) goto 0x98114a90;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				r9d = _t72;
				 *(_t128 + 0x28) = _t72;
				 *((long long*)(_t128 + 0x20)) = 0xffffffffffffff0;
				_t50 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				if (_t50 != r15d) goto 0x98114a84;
				free(??);
				goto 0x98114a90;
				if (r12d == 0xffffffff) goto 0x98114a90;
				 *( *(_t125 + 0x10)) = _t50;
				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0x98114aa1;
				free(??);
				return E00007FF67FF698104050(r13d,  *(_t125 + 0x30) ^ _t125, _t72, 0x1000000000000000, _t138);
			}

0x7ff69811483c
0x7ff698114849
0x7ff698114850
0x7ff698114855
0x7ff69811485f
0x7ff698114863
0x7ff69811486a
0x7ff698114875
0x7ff698114878
0x7ff69811487c
0x7ff69811487f
0x7ff698114882
0x7ff698114888
0x7ff69811489a
0x7ff6981148a4
0x7ff6981148b9
0x7ff6981148c3
0x7ff6981148c5
0x7ff6981148d0
0x7ff6981148d2
0x7ff6981148d7
0x7ff6981148dd
0x7ff6981148ed
0x7ff6981148f3
0x7ff6981148ff
0x7ff698114908
0x7ff698114918
0x7ff69811491d
0x7ff698114920
0x7ff698114928
0x7ff69811492a
0x7ff698114930
0x7ff698114935
0x7ff69811493d
0x7ff69811493f
0x7ff69811494d
0x7ff698114951
0x7ff698114956
0x7ff69811495c
0x7ff698114960
0x7ff698114968
0x7ff69811496d
0x7ff698114978
0x7ff69811497a
0x7ff698114984
0x7ff69811498b
0x7ff698114998
0x7ff6981149a1
0x7ff6981149ac
0x7ff6981149b0
0x7ff6981149b5
0x7ff6981149bb
0x7ff6981149c1
0x7ff6981149ca
0x7ff6981149d2
0x7ff6981149d7
0x7ff6981149dc
0x7ff6981149e0
0x7ff6981149eb
0x7ff6981149f9
0x7ff698114a02
0x7ff698114a0b
0x7ff698114a0d
0x7ff698114a12
0x7ff698114a17
0x7ff698114a22
0x7ff698114a27
0x7ff698114a2c
0x7ff698114a32
0x7ff698114a37
0x7ff698114a41
0x7ff698114a4c
0x7ff698114a4e
0x7ff698114a53
0x7ff698114a58
0x7ff698114a63
0x7ff698114a67
0x7ff698114a6c
0x7ff698114a75
0x7ff698114a7a
0x7ff698114a82
0x7ff698114a88
0x7ff698114a8e
0x7ff698114a9a
0x7ff698114a9c
0x7ff698114ac0

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF698114892
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981148B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF698114956
malloc.LIBCMT ref: 00007FF69811496D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981149B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981149F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF698114A2C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF698114A6C
free.LIBCMT ref: 00007FF698114A7A
free.LIBCMT ref: 00007FF698114A9C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: ddcdf63aba2af7ccbb4f9ff1091687fe12846f0595223e00f381b2a32135b9a6
Instruction ID: 3e410bcbc05e93a15d315c52afc23c54bcc49f804527cfb0dc93e22c39afe5c6
Opcode Fuzzy Hash: ddcdf63aba2af7ccbb4f9ff1091687fe12846f0595223e00f381b2a32135b9a6
Instruction Fuzzy Hash: 6761D272A0868386E7308F35A84017A63D6FB95BE8F944675DA5E87BD4DF3CE841C20C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981163B0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32 ref: 00007FF698116456
CloseHandle.KERNEL32 ref: 00007FF69811646F
ResetEvent.KERNEL32 ref: 00007FF698116482
CreateEventA.KERNEL32 ref: 00007FF6981164D7
CloseHandle.KERNEL32 ref: 00007FF6981164F0
SetEvent.KERNEL32 ref: 00007FF69811650E
CreateEventA.KERNEL32 ref: 00007FF698116562
CloseHandle.KERNEL32 ref: 00007FF69811657B
WaitForSingleObjectEx.KERNEL32 ref: 00007FF698116596
CloseHandle.KERNEL32 ref: 00007FF6981165B4

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
String ID:
API String ID: 3951656645-0
Opcode ID: 71be907ffdb5954fb9f19019735728fde777d6d86074cdaac84bb97474247b25
Instruction ID: 815f8bd22f82821814c62ff06c4ce75af8e9379d046c390e11ea2d552705fb29
Opcode Fuzzy Hash: 71be907ffdb5954fb9f19019735728fde777d6d86074cdaac84bb97474247b25
Instruction Fuzzy Hash: FB61B33260C68282EB71CB70A14433AB7A1EB947F4F940275D6AD87AD8CF6ED440CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698107E88 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF698107ED4

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF698113412
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF698113424
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF698113436
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF698113448
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF69811345A
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF69811346C
Part of subcall function 00007FF6981133F4: free.LIBCMT ref: 00007FF69811347E

free.LIBCMT ref: 00007FF698107EF6
free.LIBCMT ref: 00007FF698107F0E
free.LIBCMT ref: 00007FF698107F1A
free.LIBCMT ref: 00007FF698107F3E
free.LIBCMT ref: 00007FF698107F52
free.LIBCMT ref: 00007FF698107F61
free.LIBCMT ref: 00007FF698107F6D
free.LIBCMT ref: 00007FF698107F9A
free.LIBCMT ref: 00007FF698107FC2
free.LIBCMT ref: 00007FF698107FDC

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b084e4c1cfd9c5e526710a43c79106415be09ec5de4f2ef4ea707cbabc5b9e00
Instruction ID: fdedeb907a103404998f1dc3ea4f8e1df238791071bf71a5693926e5a51c3f77
Opcode Fuzzy Hash: b084e4c1cfd9c5e526710a43c79106415be09ec5de4f2ef4ea707cbabc5b9e00
Instruction Fuzzy Hash: D941E032E0A58785EE75DF71C8503B823A4EF84B58F840876DA1EC7795CF2DA4A1C319

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FC050 Relevance: 13.7, APIs: 9, Instructions: 176
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FF67FF6980FC050(void* __esi, intOrPtr* __rcx, long long __rdx, void* __r8, long long __r12, long long __r13, long long __r14, long long _a8, long long _a16, long long _a24, long long _a32) {
				intOrPtr* _v72;
				long long _v80;
				void* _v88;
				signed int _t64;
				long long _t117;
				intOrPtr* _t118;
				intOrPtr* _t119;
				signed short* _t124;
				unsigned long long _t127;
				unsigned long long _t130;
				long long _t136;
				intOrPtr* _t137;
				signed short* _t148;
				signed long long _t152;
				signed long long _t155;
				void* _t159;

				_a16 = __rdx;
				_t117 =  *((intOrPtr*)(__rcx + 0x30));
				if (_t117 - _t117 +  *((intOrPtr*)(__rcx + 0x38)) <= 0) goto 0x980fc07e;
				E00007FF67FF6981044B8();
				_t137 =  *((intOrPtr*)(__rcx));
				_v80 = _t117;
				_v88 = _t137;
				if (__rdx == __r8) goto 0x980fc290;
				_a24 = __r13;
				_a32 = __r14;
				asm("movaps [esp+0x40], xmm6");
				asm("movaps xmm6, [esp+0x20]");
				_a8 = __r12;
				_t155 = _t117 + __rdx;
				_t159 = __r8 - 1;
				_t152 = _t117 + __r8 - 1;
				if (__rdx == _t159) goto 0x980fc273;
				asm("movdqa [esp+0x20], xmm6");
				if (_t137 != 0) goto 0x980fc0e6;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fc0ed;
				if (_t152 -  *((intOrPtr*)( *_t137 + 0x38)) +  *((intOrPtr*)( *_t137 + 0x30)) > 0) goto 0x980fc10d;
				if (_t137 == 0) goto 0x980fc105;
				goto 0x980fc107;
				if (_t152 -  *((intOrPtr*)( *_t137 + 0x30)) >= 0) goto 0x980fc112;
				E00007FF67FF6981044B8();
				_t118 = _v88;
				_t127 = _t152 >> 3;
				if (_t118 != 0) goto 0x980fc135;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fc13b;
				if (_t152 -  *((intOrPtr*)( *_t118 + 0x38)) +  *((intOrPtr*)( *_t118 + 0x30)) < 0) goto 0x980fc14d;
				E00007FF67FF6981044B8();
				if (_t118 == 0) goto 0x980fc157;
				goto 0x980fc159;
				if ( *((intOrPtr*)( *_t118 + 0x28)) - _t127 > 0) goto 0x980fc16f;
				if (_t118 == 0) goto 0x980fc169;
				goto 0x980fc16b;
				if (_t118 == 0) goto 0x980fc179;
				goto 0x980fc17b;
				asm("movdqa [esp+0x30], xmm6");
				_t148 =  *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x20)) + (_t127 -  *((intOrPtr*)( *_t118 + 0x28))) * 8)) + _t152 * 2;
				if (_t137 != 0) goto 0x980fc19e;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fc1a5;
				if (_t155 -  *((intOrPtr*)( *_t137 + 0x38)) +  *((intOrPtr*)( *_t137 + 0x30)) > 0) goto 0x980fc1c5;
				if (_t137 == 0) goto 0x980fc1bd;
				goto 0x980fc1bf;
				if (_t155 -  *((intOrPtr*)( *_t137 + 0x30)) >= 0) goto 0x980fc1ca;
				E00007FF67FF6981044B8();
				_t119 = _v72;
				_t130 = _t155 >> 3;
				if (_t119 != 0) goto 0x980fc1ed;
				E00007FF67FF6981044B8();
				r11d = 0;
				goto 0x980fc1f3;
				if (_t155 -  *((intOrPtr*)( *_t119 + 0x38)) +  *((intOrPtr*)( *_t119 + 0x30)) < 0) goto 0x980fc205;
				E00007FF67FF6981044B8();
				if (_t119 == 0) goto 0x980fc20f;
				goto 0x980fc211;
				if ( *((intOrPtr*)( *_t119 + 0x28)) - _t130 > 0) goto 0x980fc227;
				if (_t119 == 0) goto 0x980fc221;
				goto 0x980fc223;
				if (_t119 == 0) goto 0x980fc231;
				goto 0x980fc233;
				_t124 =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0x20)) + (_t130 -  *((intOrPtr*)( *_t119 + 0x28))) * 8)) + _t155 * 2;
				if (_t124 == _t148) goto 0x980fc254;
				_t64 =  *_t148 & 0x0000ffff;
				 *_t124 = _t64;
				 *_t148 =  *_t124 & 0x0000ffff;
				_t136 = _a16 + 1;
				_a16 = _t136;
				if (_t136 != _t159) goto 0x980fc0c0;
				asm("movaps xmm6, [esp+0x40]");
				return _t64;
			}

0x7ff6980fc050
0x7ff6980fc05f
0x7ff6980fc077
0x7ff6980fc079
0x7ff6980fc07e
0x7ff6980fc081
0x7ff6980fc086
0x7ff6980fc08e
0x7ff6980fc094
0x7ff6980fc09c
0x7ff6980fc0a4
0x7ff6980fc0a9
0x7ff6980fc0ae
0x7ff6980fc0b6
0x7ff6980fc0c0
0x7ff6980fc0c3
0x7ff6980fc0c9
0x7ff6980fc0cf
0x7ff6980fc0d8
0x7ff6980fc0da
0x7ff6980fc0df
0x7ff6980fc0e4
0x7ff6980fc0f8
0x7ff6980fc0fd
0x7ff6980fc103
0x7ff6980fc10b
0x7ff6980fc10d
0x7ff6980fc112
0x7ff6980fc11d
0x7ff6980fc127
0x7ff6980fc129
0x7ff6980fc12e
0x7ff6980fc133
0x7ff6980fc146
0x7ff6980fc148
0x7ff6980fc150
0x7ff6980fc155
0x7ff6980fc15d
0x7ff6980fc162
0x7ff6980fc167
0x7ff6980fc172
0x7ff6980fc177
0x7ff6980fc17f
0x7ff6980fc189
0x7ff6980fc190
0x7ff6980fc192
0x7ff6980fc197
0x7ff6980fc19c
0x7ff6980fc1b0
0x7ff6980fc1b5
0x7ff6980fc1bb
0x7ff6980fc1c3
0x7ff6980fc1c5
0x7ff6980fc1ca
0x7ff6980fc1d5
0x7ff6980fc1df
0x7ff6980fc1e1
0x7ff6980fc1e6
0x7ff6980fc1eb
0x7ff6980fc1fe
0x7ff6980fc200
0x7ff6980fc208
0x7ff6980fc20d
0x7ff6980fc215
0x7ff6980fc21a
0x7ff6980fc21f
0x7ff6980fc22a
0x7ff6980fc22f
0x7ff6980fc23b
0x7ff6980fc242
0x7ff6980fc244
0x7ff6980fc24c
0x7ff6980fc24f
0x7ff6980fc25f
0x7ff6980fc262
0x7ff6980fc26d
0x7ff6980fc28b
0x7ff6980fc29a

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC079
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC0DA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC10D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC129
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC192
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC1C5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC1E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC200

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4030c83a59812f64d6c05d60debb6fb5f98c41b8662f9c9e344c53440360d978
Instruction ID: ecaabba02c1a04f7f7ac0049ee23ab3be00dcaba8f590f231944746e9c81a32b
Opcode Fuzzy Hash: 4030c83a59812f64d6c05d60debb6fb5f98c41b8662f9c9e344c53440360d978
Instruction Fuzzy Hash: 4861A022B18AA584EAB09F35D4412B963A4FF65B88F898471EE4DC7794DF3CD851E30C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981125EC Relevance: 13.7, APIs: 9, Instructions: 173
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E00007FF67FF6981125EC(void* __edx, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, void* __r8) {
				void* _t43;
				int _t45;
				int _t55;
				void* _t71;
				intOrPtr _t84;
				signed long long _t100;
				intOrPtr _t108;
				void* _t113;
				long long _t121;
				intOrPtr* _t122;
				long long _t125;
				char* _t131;
				signed long long _t132;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t148;
				void* _t149;
				int _t150;
				int _t151;
				int _t153;
				short* _t156;
				void* _t157;
				int _t160;

				_t121 = __rdi;
				 *(_t134 + 0x20) = r9d;
				_t135 = _t134 - 0x40;
				_t132 = _t135 + 0x30;
				 *((long long*)(_t132 + 0x40)) = __rbx;
				 *((long long*)(_t132 + 0x48)) = __rsi;
				 *((long long*)(_t132 + 0x50)) = __rdi;
				_t100 =  *0x98140430; // 0x4918c2c043f
				 *(_t132 + 8) = _t100 ^ _t132;
				r9d =  *0x98143f5c; // 0x1
				_t157 = __r8;
				r15d = __edx;
				_t7 = _t121 + 1; // 0x2
				_t71 = _t7;
				if (r9d != 0) goto 0x98112679;
				r8d = 1;
				if (GetStringTypeW(_t160, _t156) == 0) goto 0x9811265e;
				 *0x98143f5c = 1;
				goto 0x98112694;
				GetLastError();
				r9d =  *0x98143f5c; // 0x1
				r9d =  ==  ? _t71 : r9d;
				 *0x98143f5c = r9d;
				if (r9d == _t71) goto 0x981127a8;
				if (r9d == 0) goto 0x981127a8;
				if (r9d != 1) goto 0x981127d7;
				if ( *((intOrPtr*)(_t132 + 0x68)) != 0) goto 0x981126a2;
				 *(_t132 + 0x78) =  ~( *(_t132 + 0x78));
				r9d =  *(_t132 + 0x58);
				asm("sbb edx, edx");
				 *((intOrPtr*)(_t135 + 0x28)) = 0;
				 *((long long*)(_t135 + 0x20)) = __rbx;
				_t151 = MultiByteToWideChar(_t153, _t150, _t131);
				_t84 = r12d;
				if (_t84 == 0) goto 0x981127d7;
				r13d = 0xdddd;
				if (_t84 <= 0) goto 0x98112740;
				if (_t151 - 0xfffffff0 > 0) goto 0x98112740;
				_t16 = _t151 + 0x10; // 0x1a
				_t113 = _t151 + _t16;
				if (_t113 - 0x400 > 0) goto 0x9811272a;
				_t17 = _t113 + 0xf; // 0x29
				if (_t17 - _t113 > 0) goto 0x98112708;
				E00007FF67FF69812C0A0(_t41, 0xffffffffffffff0, _t148, _t149);
				_t136 = _t135 - 0xfffffff0;
				_t122 = _t136 + 0x30;
				if (_t122 == __rbx) goto 0x981127d7;
				 *_t122 = 0xcccc;
				goto 0x9811273a;
				_t43 = malloc(??);
				if (0xfffffff0 == __rbx) goto 0x98112743;
				 *((intOrPtr*)(0xffffffffffffff0)) = r13d;
				goto 0x98112743;
				_t125 = __rbx;
				if (__rbx == __rbx) goto 0x981127d7;
				E00007FF67FF69810B240(_t43,  *((intOrPtr*)( *__rcx + 4)), 0, __rbx, 0x981315e0, _t151 + _t151);
				r9d =  *(_t132 + 0x58);
				 *((intOrPtr*)(_t136 + 0x28)) = r12d;
				 *((long long*)(_t136 + 0x20)) = __rbx;
				_t45 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t45 == 0) goto 0x98112793;
				r8d = _t45;
				_t55 = GetStringTypeW(??, ??, ??, ??);
				_t23 = _t125 - 0x10; // -16
				if ( *_t23 != r13d) goto 0x981127a1;
				free(??);
				goto 0x98112830;
				r12d =  *((intOrPtr*)(_t132 + 0x70));
				if (r12d != _t55) goto 0x981127bc;
				r12d =  *((intOrPtr*)( *__rcx + 0x14));
				if ( *((intOrPtr*)(_t132 + 0x68)) != _t55) goto 0x981127ca;
				_t108 =  *__rcx;
				if (E00007FF67FF6981147E8(_t55, r12d,  *((intOrPtr*)(_t132 + 0x60))) != 0xffffffff) goto 0x981127db;
				goto 0x98112830;
				if (0 ==  *((intOrPtr*)(_t108 + 4))) goto 0x98112803;
				 *((intOrPtr*)(_t136 + 0x28)) = _t55;
				 *((long long*)(_t136 + 0x20)) = __rbx;
				E00007FF67FF69811483C( *((intOrPtr*)(_t108 + 4)), 0, _t157, _t132 + 0x58);
				if (_t108 == __rbx) goto 0x981127d7;
				r9d =  *(_t132 + 0x58);
				 *((long long*)(_t136 + 0x20)) =  *((intOrPtr*)(_t132 + 0x60));
				GetStringTypeA(??, ??, ??, ??, ??);
				if (_t108 == __rbx) goto 0x9811282e;
				free(??);
				return E00007FF67FF698104050(r12d,  *(_t132 + 8) ^ _t132, __rbx, _t108, _t132 + 0x58);
			}

0x7ff6981125ec
0x7ff6981125ec
0x7ff6981125fa
0x7ff6981125fe
0x7ff698112603
0x7ff698112607
0x7ff69811260b
0x7ff69811260f
0x7ff698112619
0x7ff69811261d
0x7ff69811262b
0x7ff69811262e
0x7ff698112634
0x7ff698112634
0x7ff69811263a
0x7ff698112647
0x7ff698112654
0x7ff698112656
0x7ff69811265c
0x7ff69811265e
0x7ff698112664
0x7ff69811266e
0x7ff698112672
0x7ff69811267c
0x7ff698112685
0x7ff69811268e
0x7ff698112699
0x7ff6981126a2
0x7ff6981126a5
0x7ff6981126ac
0x7ff6981126b0
0x7ff6981126b7
0x7ff6981126c4
0x7ff6981126c7
0x7ff6981126ca
0x7ff6981126d0
0x7ff6981126d6
0x7ff6981126e5
0x7ff6981126e7
0x7ff6981126e7
0x7ff6981126f3
0x7ff6981126f5
0x7ff6981126fc
0x7ff69811270c
0x7ff698112711
0x7ff698112714
0x7ff69811271c
0x7ff698112722
0x7ff698112728
0x7ff69811272a
0x7ff698112735
0x7ff698112737
0x7ff69811273e
0x7ff698112740
0x7ff698112746
0x7ff698112757
0x7ff69811275c
0x7ff69811276a
0x7ff69811276f
0x7ff698112774
0x7ff69811277c
0x7ff698112782
0x7ff698112791
0x7ff698112793
0x7ff69811279a
0x7ff69811279c
0x7ff6981127a3
0x7ff6981127a8
0x7ff6981127b2
0x7ff6981127b8
0x7ff6981127c1
0x7ff6981127c3
0x7ff6981127d5
0x7ff6981127d9
0x7ff6981127dd
0x7ff6981127ea
0x7ff6981127ee
0x7ff6981127f3
0x7ff6981127fe
0x7ff698112807
0x7ff698112814
0x7ff698112819
0x7ff698112824
0x7ff698112829
0x7ff698112855

APIs

GetStringTypeW.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF69811264C
GetLastError.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF69811265E
MultiByteToWideChar.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF6981126BE
malloc.LIBCMT ref: 00007FF69811272A
MultiByteToWideChar.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF698112774
GetStringTypeW.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF69811278B
free.LIBCMT ref: 00007FF69811279C
GetStringTypeA.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF6981128BE), ref: 00007FF698112819
free.LIBCMT ref: 00007FF698112829

Part of subcall function 00007FF69811483C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF698114892
Part of subcall function 00007FF69811483C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981148B1
Part of subcall function 00007FF69811483C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981149B5
Part of subcall function 00007FF69811483C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF6981149F0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: 115f6eea8dedc5ed251d069930978551ce189c9ac9d53966058a53c2e0c20737
Instruction ID: cdd452f383a8163783f2a0fb90394c9a1e15b6981990d2f39eb83557a06c23f3
Opcode Fuzzy Hash: 115f6eea8dedc5ed251d069930978551ce189c9ac9d53966058a53c2e0c20737
Instruction Fuzzy Hash: E1617E36A0868786DB30CF71A44046967D6FB64BECB9442B5EA1DD3BD4DE38E841C348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811181C Relevance: 13.6, APIs: 9, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF67FF69811181C(void* __ebx, signed int __ecx, void* __edx, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t49;
				void* _t55;
				signed int* _t59;
				signed int* _t60;
				long long _t66;
				signed long long _t69;
				void* _t76;
				signed long long _t78;

				_t75 = __r8;
				_t71 = __rbp;
				_t65 = __rdx;
				_t64 = __rcx;
				_t34 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				r13d = __edx;
				_t62 = __ecx;
				if (__ebx != 0xfffffffe) goto 0x98111861;
				E00007FF67FF6981078CC(__rax);
				 *__rax = 0;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98111935;
				if (__ebx < 0) goto 0x9811190c;
				_t55 = _t34 -  *0x981489c0; // 0x20
				if (_t55 >= 0) goto 0x9811190c;
				_t78 = __ecx >> 5;
				_t69 = __ecx * 0x58;
				_t59 =  *((intOrPtr*)(0x981489e0 + _t78 * 8));
				if (_t55 != 0) goto 0x981118c8;
				E00007FF67FF6981078CC(_t59);
				 *_t59 = 0;
				E00007FF67FF6981078AC(_t59);
				 *_t59 = 9;
				_v56 = _t66;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t59, __ecx, __rcx, __rdx, _t69, __rbp, __r8);
				goto 0x98111935;
				E00007FF67FF69811593C(_t34, _t34, _t62, _t66, _t69, _t76);
				_t60 =  *((intOrPtr*)(0x981489e0 + _t78 * 8));
				if (( *(_t60 + _t69 + 8) & 0x00000001) == 0) goto 0x981118ec;
				r8d = r12d;
				_t49 = E00007FF67FF698111784(_t34, _t34, r13d, _t60, _t62, _t69);
				goto 0x98111901;
				E00007FF67FF6981078AC(_t60);
				 *_t60 = 9;
				E00007FF67FF6981078CC(_t60);
				 *_t60 = _t49;
				E00007FF67FF6981159E4();
				goto 0x98111935;
				E00007FF67FF6981078CC(_t60);
				 *_t60 = _t49 | 0xffffffff;
				E00007FF67FF6981078AC(_t60);
				 *_t60 = 9;
				_v56 = _t66;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t60, _t62, _t64, _t65, _t69, _t71, _t75) | 0xffffffff;
			}

0x7ff69811181c
0x7ff69811181c
0x7ff69811181c
0x7ff69811181c
0x7ff69811181c
0x7ff69811181c
0x7ff698111821
0x7ff698111826
0x7ff698111837
0x7ff69811183a
0x7ff69811183d
0x7ff698111843
0x7ff698111845
0x7ff69811184c
0x7ff69811184e
0x7ff698111853
0x7ff69811185c
0x7ff698111865
0x7ff69811186b
0x7ff698111871
0x7ff69811187d
0x7ff69811188b
0x7ff69811188f
0x7ff69811189b
0x7ff69811189d
0x7ff6981118a2
0x7ff6981118a4
0x7ff6981118a9
0x7ff6981118af
0x7ff6981118b4
0x7ff6981118b7
0x7ff6981118be
0x7ff6981118c6
0x7ff6981118ca
0x7ff6981118d0
0x7ff6981118d9
0x7ff6981118db
0x7ff6981118e8
0x7ff6981118ea
0x7ff6981118ec
0x7ff6981118f1
0x7ff6981118f7
0x7ff6981118fc
0x7ff698111903
0x7ff69811190a
0x7ff69811190c
0x7ff698111911
0x7ff698111913
0x7ff698111918
0x7ff69811191e
0x7ff698111923
0x7ff698111926
0x7ff69811194c

APIs

__doserrno.LIBCMT ref: 00007FF698111845
_errno.LIBCMT ref: 00007FF69811184E
__doserrno.LIBCMT ref: 00007FF69811189D
_errno.LIBCMT ref: 00007FF6981118A4

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f10987436b34bd0968861f3bbb4ff45c1ba2012104b75b240ae358803b696601
Instruction ID: d4bee3238140ac3aa44d36ba84add0713328564454e04973fb4e18874a0895b3
Opcode Fuzzy Hash: f10987436b34bd0968861f3bbb4ff45c1ba2012104b75b240ae358803b696601
Instruction Fuzzy Hash: 9931FE22E1864742E3256F35AC4127D7650FBC0760F9566B2EA2A8B7D2CF3D9001C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698119F60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00007FF67FF698119F60(void* __ebx, long long __rbx, long long __rdx, void* __r8, void* __r9, void* _a8) {
				signed int _v56;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v112;
				long long _v120;
				long long _v128;
				intOrPtr _v136;
				long long _v152;
				intOrPtr _v160;
				long long _v168;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t70;
				signed long long _t109;
				char _t117;
				long long _t143;
				long long _t144;
				long long _t145;
				long long _t149;
				long long _t150;
				void* _t154;
				void* _t163;
				void* _t164;
				void* _t165;
				void* _t166;
				signed long long _t167;
				void* _t169;
				void* _t170;
				void* _t182;
				void* _t185;
				long long _t186;
				long long _t187;

				_t185 = _t170;
				_v120 = 0xfffffffe;
				 *((long long*)(_t185 + 8)) = __rbx;
				_t109 =  *0x98140430; // 0x4918c2c043f
				_v56 = _t109 ^ _t170 - 0x000000a0;
				_t186 = __rdx;
				 *((long long*)(_t185 - 0x68)) = __rdx;
				r13d = 0;
				_v136 = r13d;
				 *((long long*)(_t185 - 0x80)) = _t187;
				_v152 = _t187;
				_v160 = r13d;
				_v168 = _t185 - 0x80;
				r9d = 0x400;
				_t70 = FormatMessageA(??, ??, ??, ??, ??, ??, ??);
				_t124 = _v128;
				_v112 = _v128;
				if (_t70 != 0) goto 0x9811a016;
				 *((long long*)(__rdx + 0x20)) = 0xf;
				 *((long long*)(__rdx + 0x18)) = _t187;
				 *(__rdx + 8) = _t70;
				_t16 = _t187 + 0xd; // 0xd
				r8d = _t16;
				E00007FF67FF6980F1DC0(_v128, __rdx, "Unknown error", _t154, _t167, __r8);
				_v136 = 1;
				LocalFree(??);
				goto 0x9811a23e;
				_v64 = 0xf;
				_v72 = _t187;
				_v88 = 0;
				asm("repne scasb");
				E00007FF67FF6980F1DC0(_v128,  &_v96, _v128, _v128, _t167,  !(_t124 | 0xffffffff) - 1);
				_t143 = _v72;
				if (_t143 == 0) goto 0x9811a1d4;
				_t163 = _t143 - 1;
				if (_t163 - _t143 <= 0) goto 0x9811a08e;
				E00007FF67FF6981044B8();
				_t144 = _v72;
				_t114 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t163)) == 0xa) goto 0x9811a0da;
				_t164 = _t144 - 1;
				if (_t164 - _t144 <= 0) goto 0x9811a0c1;
				E00007FF67FF6981044B8();
				_t145 = _v72;
				_t116 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t164)) != 0xd) goto 0x9811a18b;
				_t165 = _t145 - 1;
				if (_t145 - _t165 >= 0) goto 0x9811a0fc;
				E00007FF67FF698103434( >=  ? _v88 :  &_v88, _t124, _v64, _t167 | 0xffffffff);
				_t182 = _v72 - _t165;
				if (_t182 - 0xffffffff >= 0) goto 0x9811a110;
				_t169 = _t182;
				if (_t182 == 0) goto 0x9811a181;
				_t117 = _v88;
				_t176 =  >=  ? _t117 :  &_v88;
				_t132 =  >=  ? _t117 :  &_v88;
				_t133 = ( >=  ? _t117 :  &_v88) + _t165;
				_t177 = ( >=  ? _t117 :  &_v88) + _t165;
				_t178 = ( >=  ? _t117 :  &_v88) + _t165 + _t169;
				E00007FF67FF698104070(( >=  ? _t117 :  &_v88) + _t165, _v64 - _t165, ( >=  ? _t117 :  &_v88) + _t165 + _t169, _t182 - _t169);
				_t149 = _v72 - _t169;
				_v72 = _t149;
				_t119 =  >=  ? _v88 :  &_v88;
				 *((char*)(( >=  ? _v88 :  &_v88) + _t149)) = 0;
				_t150 = _v72;
				if (_t150 == 0) goto 0x9811a1d4;
				goto 0x9811a070;
				if (_t150 == 0) goto 0x9811a1d4;
				_t166 = _t150 - 1;
				if (_t166 - _t150 <= 0) goto 0x9811a1ae;
				E00007FF67FF6981044B8();
				_t121 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t166)) != 0x2e) goto 0x9811a1d4;
				E00007FF67FF6980F1FC0(_t124,  &_v96, _v72 - 1, _t166, _t169, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff);
				 *((long long*)(_t186 + 0x20)) = 0xf;
				 *((long long*)(_t186 + 0x18)) = _t187;
				 *((char*)(_t186 + 8)) = 0;
				r8d = 0;
				E00007FF67FF6980F1CA0(_t124, _t186,  &_v96, _v64, _t166, _t169, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
				_v136 = 1;
				if (_v64 - 0x10 < 0) goto 0x9811a219;
				E00007FF67FF6981044D8( >=  ? _v88 :  &_v88, _t124, _v88,  &_v96, _t166, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
				_v64 = 0xf;
				_v72 = _t187;
				_v88 = 0;
				LocalFree(??);
				return E00007FF67FF698104050(0x1300, _v56 ^ _t170 - 0x000000a0,  &_v96, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
			}

0x7ff698119f60
0x7ff698119f71
0x7ff698119f7a
0x7ff698119f7e
0x7ff698119f88
0x7ff698119f90
0x7ff698119f93
0x7ff698119f97
0x7ff698119f9a
0x7ff698119f9f
0x7ff698119fa3
0x7ff698119fa8
0x7ff698119fb1
0x7ff698119fbd
0x7ff698119fc3
0x7ff698119fc9
0x7ff698119fce
0x7ff698119fd5
0x7ff698119fd7
0x7ff698119fe0
0x7ff698119fe5
0x7ff698119fea
0x7ff698119fea
0x7ff698119ff8
0x7ff698119ffd
0x7ff69811a008
0x7ff69811a011
0x7ff69811a016
0x7ff69811a022
0x7ff69811a02a
0x7ff69811a038
0x7ff69811a049
0x7ff69811a04f
0x7ff69811a05a
0x7ff69811a070
0x7ff69811a077
0x7ff69811a079
0x7ff69811a086
0x7ff69811a097
0x7ff69811a0a1
0x7ff69811a0a3
0x7ff69811a0aa
0x7ff69811a0ac
0x7ff69811a0b9
0x7ff69811a0ca
0x7ff69811a0d4
0x7ff69811a0de
0x7ff69811a0e5
0x7ff69811a0e7
0x7ff69811a0ff
0x7ff69811a106
0x7ff69811a108
0x7ff69811a10e
0x7ff69811a115
0x7ff69811a11e
0x7ff69811a12b
0x7ff69811a135
0x7ff69811a138
0x7ff69811a13b
0x7ff69811a141
0x7ff69811a14e
0x7ff69811a151
0x7ff69811a167
0x7ff69811a16d
0x7ff69811a179
0x7ff69811a184
0x7ff69811a186
0x7ff69811a18e
0x7ff69811a190
0x7ff69811a197
0x7ff69811a199
0x7ff69811a1b7
0x7ff69811a1c1
0x7ff69811a1cf
0x7ff69811a1d4
0x7ff69811a1dd
0x7ff69811a1e2
0x7ff69811a1ec
0x7ff69811a1f7
0x7ff69811a1fc
0x7ff69811a20d
0x7ff69811a214
0x7ff69811a219
0x7ff69811a225
0x7ff69811a22d
0x7ff69811a235
0x7ff69811a264

APIs

FormatMessageA.KERNEL32 ref: 00007FF698119FC3
LocalFree.KERNEL32 ref: 00007FF69811A008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811A079
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811A0AC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811A199

Strings

Unknown error, xrefs: 00007FF698119FEE

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$FormatFreeLocalMessage
String ID: Unknown error
API String ID: 3408990668-83687255
Opcode ID: 7b9eeed1eaa9fbeac6c5963c93b71ae23eb17b54183d238eedd3940b7ac5251d
Instruction ID: 85b7fa25c00fa3e0af0dee45bc5a5e65bcde5ce5de9859c7d1be8d8beb901459
Opcode Fuzzy Hash: 7b9eeed1eaa9fbeac6c5963c93b71ae23eb17b54183d238eedd3940b7ac5251d
Instruction Fuzzy Hash: FD716262A08BC281EB309B25E4447AEB7A1F7907A4F909371DAAD876D9DF3CD445CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FE8C0 Relevance: 12.3, APIs: 8, Instructions: 340
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF67FF6980FE8C0(void* __edx, void* __ebp, long long __rbx, void* __rcx, long long _a24) {
				signed int _v64;
				long long _v72;
				long long _v80;
				char _v96;
				char _v104;
				long long _v112;
				char _v120;
				char _v128;
				void* _v135;
				char _v136;
				void* _v144;
				long long _v152;
				long long _v160;
				long long _v168;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t126;
				void* _t133;
				void* _t156;
				void* _t192;
				signed long long _t222;
				void* _t263;
				long long _t275;
				char* _t277;
				char* _t279;
				long long _t280;
				long long _t285;
				char _t286;
				char _t288;
				char _t291;
				char _t293;
				long long _t301;
				intOrPtr* _t308;
				long long* _t310;
				long long _t311;
				long long _t328;
				char* _t331;
				void* _t333;
				void* _t334;
				signed long long _t336;
				intOrPtr* _t340;
				intOrPtr* _t341;
				long long _t344;
				long long _t352;
				void* _t361;
				long long _t362;

				_v112 = 0xfffffffe;
				_a24 = __rbx;
				_t222 =  *0x98140430; // 0x4918c2c043f
				_v64 = _t222 ^  &_v144;
				r13d = __edx;
				_t361 = __rcx;
				if (__edx != 0xffffffff) goto 0x980fe908;
				goto 0x980fee09;
				_t308 =  *((intOrPtr*)(__rcx + 0x48));
				if ( *_t308 == 0) goto 0x980fe941;
				_t340 =  *((intOrPtr*)(__rcx + 0x60));
				if ( *_t308 -  *_t340 +  *_t308 >= 0) goto 0x980fe941;
				 *_t340 =  *_t340 - 1;
				_t310 =  *((intOrPtr*)(__rcx + 0x48));
				_t341 =  *_t310;
				_t285 = _t341 + 1;
				 *_t310 = _t285;
				 *_t341 = r13b;
				goto 0x980fee09;
				_t311 =  *((intOrPtr*)(__rcx + 0x88));
				if (_t311 != 0) goto 0x980fe956;
				goto 0x980fee09;
				if ( *((long long*)(__rcx + 0x70)) != 0) goto 0x980fe978;
				E00007FF67FF6981068AC(r13b, _t222 ^  &_v144, __rbx, _t285, _t311, _t334, _t341);
				_t155 =  !=  ? r13d : __ebp;
				goto 0x980fee09;
				_v136 = r13b;
				_v72 = _t311;
				_v96 = 0;
				_v96 = _t285;
				_v80 = 8;
				_t225 =  >=  ? _t285 :  &_v96;
				 *((char*)(( >=  ? _t285 :  &_v96) + 8)) = 0;
				r15d = 0;
				_t286 = _v96;
				if (_v72 - 0x10 < 0) goto 0x980fe9d8;
				if (_t286 == 0) goto 0x980fea04;
				goto 0x980fe9dd;
				_t331 =  &_v96;
				_t227 =  >=  ? _t286 :  &_v96;
				_t167 = ( >=  ? _t286 :  &_v96) - _t331;
				if (( >=  ? _t286 :  &_v96) - _t331 > 0) goto 0x980fea04;
				_t229 =  >=  ? _t286 :  &_v96;
				_t230 = ( >=  ? _t286 :  &_v96) + _v80;
				_t169 = _t331 - ( >=  ? _t286 :  &_v96) + _v80;
				if (_t331 - ( >=  ? _t286 :  &_v96) + _v80 <= 0) goto 0x980fea1b;
				E00007FF67FF6981044B8();
				if ( &_v104 == 0xfffffffc) goto 0x980fea52;
				_t233 =  >=  ? _v96 :  &_v96;
				_t234 = ( >=  ? _v96 :  &_v96) + _v80;
				_t172 = _t331 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t331 - ( >=  ? _v96 :  &_v96) + _v80 < 0) goto 0x980fea52;
				E00007FF67FF6981044B8();
				_t344 = _v80;
				_t288 = _v96;
				_t335 = _t344;
				if (_v72 - 0x10 < 0) goto 0x980fea65;
				if (_t288 == 0) goto 0x980fea91;
				goto 0x980fea6a;
				_t275 =  &_v96;
				_t236 =  >=  ? _t288 :  &_v96;
				_t176 = ( >=  ? _t288 :  &_v96) - _t275;
				if (( >=  ? _t288 :  &_v96) - _t275 > 0) goto 0x980fea91;
				_t238 =  >=  ? _t288 :  &_v96;
				_t239 = ( >=  ? _t288 :  &_v96) + _t344;
				_t178 = _t275 - ( >=  ? _t288 :  &_v96) + _t344;
				if (_t275 - ( >=  ? _t288 :  &_v96) + _t344 <= 0) goto 0x980feaa8;
				E00007FF67FF6981044B8();
				if ( &_v104 == 0xfffffffc) goto 0x980feacd;
				_t242 =  >=  ? _v96 :  &_v96;
				_t243 = ( >=  ? _v96 :  &_v96) + _v80;
				_t181 = _t275 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t275 - ( >=  ? _v96 :  &_v96) + _v80 < 0) goto 0x980feacd;
				E00007FF67FF6981044B8();
				_v144 =  &_v120;
				_v152 = _t331 + _t344;
				_v160 = _t275;
				_v168 =  &_v128;
				_t126 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t361 + 0x70)))) + 0x28))();
				if (_t126 < 0) goto 0x980fedf2;
				if (_t126 - 1 > 0) goto 0x980fedbb;
				_t291 = _v96;
				if (_v72 - 0x10 < 0) goto 0x980feb38;
				if (_t291 == 0) goto 0x980feb69;
				goto 0x980feb3d;
				_t277 =  &_v96;
				_t247 =  >=  ? _t291 :  &_v96;
				_t187 = ( >=  ? _t291 :  &_v96) - _t277;
				if (( >=  ? _t291 :  &_v96) - _t277 > 0) goto 0x980feb69;
				_t249 =  >=  ? _t291 :  &_v96;
				_t250 = ( >=  ? _t291 :  &_v96) + _v80;
				_t189 = _t277 - ( >=  ? _t291 :  &_v96) + _v80;
				if (_t277 - ( >=  ? _t291 :  &_v96) + _v80 <= 0) goto 0x980feb80;
				E00007FF67FF6981044B8();
				if ( &_v104 == 0xfffffffc) goto 0x980febb7;
				_t253 =  >=  ? _v96 :  &_v96;
				_t254 = ( >=  ? _v96 :  &_v96) + _v80;
				_t192 = _t277 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t192 < 0) goto 0x980febb7;
				E00007FF67FF6981044B8();
				_t293 = _v96;
				_t333 = _v120 - _t277;
				if (_t192 == 0) goto 0x980fec70;
				if (_v72 - 0x10 < 0) goto 0x980febd5;
				if (_t293 == 0) goto 0x980fec01;
				goto 0x980febda;
				_t279 =  &_v96;
				_t256 =  >=  ? _t293 :  &_v96;
				_t196 = ( >=  ? _t293 :  &_v96) - _t279;
				if (( >=  ? _t293 :  &_v96) - _t279 > 0) goto 0x980fec01;
				_t258 =  >=  ? _t293 :  &_v96;
				_t259 = ( >=  ? _t293 :  &_v96) + _v80;
				_t198 = _t279 - ( >=  ? _t293 :  &_v96) + _v80;
				if (_t279 - ( >=  ? _t293 :  &_v96) + _v80 <= 0) goto 0x980fec18;
				E00007FF67FF6981044B8();
				if ( &_v104 == 0xfffffffc) goto 0x980fec3d;
				_t262 =  >=  ? _v96 :  &_v96;
				_t263 = ( >=  ? _v96 :  &_v96) + _v80;
				if (_t279 - _t263 < 0) goto 0x980fec3d;
				E00007FF67FF6981044B8();
				_t359 =  *((intOrPtr*)(_t361 + 0x88));
				E00007FF67FF698105B14(_t279, _t279, _v72, _t333, _t344, _t333,  *((intOrPtr*)(_t361 + 0x88)));
				if (_t333 != _t263) goto 0x980fed83;
				_t352 = _v80;
				 *((char*)(_t361 + 0x79)) = 1;
				if (_v128 !=  &_v136) goto 0x980fedab;
				if (_t333 != 0) goto 0x980fe9c8;
				if (_t352 - 0x20 >= 0) goto 0x980fed9c;
				if ((_t336 | 0xffffffffffffffff) - _t352 - 8 > 0) goto 0x980fecbc;
				E00007FF67FF6981033CC((_t336 | 0xffffffffffffffff) - _t352, _t279, _t333, _t336 | 0xffffffffffffffff, _t352,  *((intOrPtr*)(_t361 + 0x88)));
				_t84 = _v80 + 8; // 0x10
				_t280 = _t84;
				if (_t280 - 0xfffffffe <= 0) goto 0x980fecdd;
				_t133 = E00007FF67FF6981033CC((_t336 | 0xffffffffffffffff) - _t352, _t280, _t333, _t336 | 0xffffffffffffffff, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				if (_v72 - _t280 >= 0) goto 0x980fed03;
				E00007FF67FF6980F2250(_t133,  &_v104, _t280, _v80);
				goto 0x980fed34;
				if (_t280 != 0) goto 0x980fed34;
				_v80 = _t362;
				_t268 =  >=  ? _v96 :  &_v96;
				 *((intOrPtr*)( >=  ? _v96 :  &_v96)) = r15b;
				_t301 = _v96;
				goto 0x980fe9c8;
				if (_t280 == 0) goto 0x980fe9c8;
				_t270 =  >=  ? _t301 :  &_v96;
				 *((long long*)(_v80 + ( >=  ? _t301 :  &_v96))) = _t301;
				_v80 = _t280;
				_t272 =  >=  ? _v96 :  &_v96;
				 *((char*)(_t280 + ( >=  ? _v96 :  &_v96))) = 0;
				_t328 = _v72;
				_t357 = _v80;
				goto 0x980fe9c8;
				if (_v72 - 0x10 < 0) goto 0x980fed98;
				E00007FF67FF6981044D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t344, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				goto 0x980fee09;
				if (_t328 - 0x10 < 0) goto 0x980feda7;
				E00007FF67FF6981044D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t344, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				goto 0x980fee09;
				if (_t328 - 0x10 < 0) goto 0x980fedb6;
				E00007FF67FF6981044D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t335, _v80, _t359);
				goto 0x980fee09;
				if (r13d != 3) goto 0x980fedf2;
				E00007FF67FF6981068AC(_v136, _t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _v80);
				_t156 =  !=  ? r13d :  !=  ? r13d : __ebp;
				if (_v72 - 0x10 < 0) goto 0x980fedee;
				E00007FF67FF6981044D8(_t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _v80, _t359);
				goto 0x980fee09;
				if (_v72 - 0x10 < 0) goto 0x980fee07;
				E00007FF67FF6981044D8(_t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _t357, _t359);
				return E00007FF67FF698104050(_v136, _v64 ^  &_v144,  *((intOrPtr*)(_t361 + 0x88)), _t357, _t359);
			}

0x7ff6980fe8d3
0x7ff6980fe8dc
0x7ff6980fe8e4
0x7ff6980fe8ee
0x7ff6980fe8f6
0x7ff6980fe8f9
0x7ff6980fe8ff
0x7ff6980fe903
0x7ff6980fe908
0x7ff6980fe910
0x7ff6980fe915
0x7ff6980fe922
0x7ff6980fe924
0x7ff6980fe927
0x7ff6980fe92c
0x7ff6980fe92f
0x7ff6980fe933
0x7ff6980fe936
0x7ff6980fe93c
0x7ff6980fe941
0x7ff6980fe94c
0x7ff6980fe951
0x7ff6980fe95c
0x7ff6980fe962
0x7ff6980fe96d
0x7ff6980fe973
0x7ff6980fe978
0x7ff6980fe982
0x7ff6980fe98a
0x7ff6980fe991
0x7ff6980fe996
0x7ff6980fe9a8
0x7ff6980fe9ac
0x7ff6980fe9b3
0x7ff6980fe9c3
0x7ff6980fe9cc
0x7ff6980fe9d4
0x7ff6980fe9d6
0x7ff6980fe9d8
0x7ff6980fe9e6
0x7ff6980fe9ea
0x7ff6980fe9ed
0x7ff6980fe9f8
0x7ff6980fe9fc
0x7ff6980fe9ff
0x7ff6980fea02
0x7ff6980fea04
0x7ff6980fea24
0x7ff6980fea2f
0x7ff6980fea33
0x7ff6980fea36
0x7ff6980fea39
0x7ff6980fea3b
0x7ff6980fea48
0x7ff6980fea4d
0x7ff6980fea52
0x7ff6980fea59
0x7ff6980fea61
0x7ff6980fea63
0x7ff6980fea65
0x7ff6980fea73
0x7ff6980fea77
0x7ff6980fea7a
0x7ff6980fea85
0x7ff6980fea89
0x7ff6980fea8c
0x7ff6980fea8f
0x7ff6980fea91
0x7ff6980feab1
0x7ff6980feabc
0x7ff6980feac0
0x7ff6980feac3
0x7ff6980feac6
0x7ff6980feac8
0x7ff6980feade
0x7ff6980feae3
0x7ff6980feae8
0x7ff6980feaf2
0x7ff6980feb06
0x7ff6980feb0c
0x7ff6980feb15
0x7ff6980feb1b
0x7ff6980feb2c
0x7ff6980feb34
0x7ff6980feb36
0x7ff6980feb38
0x7ff6980feb46
0x7ff6980feb4a
0x7ff6980feb4d
0x7ff6980feb58
0x7ff6980feb61
0x7ff6980feb64
0x7ff6980feb67
0x7ff6980feb69
0x7ff6980feb89
0x7ff6980feb94
0x7ff6980feb98
0x7ff6980feb9b
0x7ff6980feb9e
0x7ff6980feba0
0x7ff6980febb2
0x7ff6980febbc
0x7ff6980febbf
0x7ff6980febc9
0x7ff6980febd1
0x7ff6980febd3
0x7ff6980febd5
0x7ff6980febe3
0x7ff6980febe7
0x7ff6980febea
0x7ff6980febf5
0x7ff6980febf9
0x7ff6980febfc
0x7ff6980febff
0x7ff6980fec01
0x7ff6980fec21
0x7ff6980fec2c
0x7ff6980fec30
0x7ff6980fec36
0x7ff6980fec38
0x7ff6980fec3d
0x7ff6980fec50
0x7ff6980fec58
0x7ff6980fec66
0x7ff6980fec70
0x7ff6980fec80
0x7ff6980fec89
0x7ff6980fec93
0x7ff6980feca3
0x7ff6980feca5
0x7ff6980fecbc
0x7ff6980fecbc
0x7ff6980fecc4
0x7ff6980fecc6
0x7ff6980fece0
0x7ff6980fecea
0x7ff6980fed01
0x7ff6980fed06
0x7ff6980fed08
0x7ff6980fed16
0x7ff6980fed1a
0x7ff6980fed2a
0x7ff6980fed2f
0x7ff6980fed37
0x7ff6980fed46
0x7ff6980fed4c
0x7ff6980fed50
0x7ff6980fed63
0x7ff6980fed69
0x7ff6980fed6c
0x7ff6980fed74
0x7ff6980fed7e
0x7ff6980fed8c
0x7ff6980fed93
0x7ff6980fed9a
0x7ff6980feda0
0x7ff6980feda2
0x7ff6980feda9
0x7ff6980fedaf
0x7ff6980fedb1
0x7ff6980fedb9
0x7ff6980fedbe
0x7ff6980fedcd
0x7ff6980fedd5
0x7ff6980fede2
0x7ff6980fede9
0x7ff6980fedf0
0x7ff6980fedfb
0x7ff6980fee02
0x7ff6980fee33

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d40a9783c5088da7ce004c666f8bdd368779f830e9e7fa24a0836714183e228
Instruction ID: 8ac099f3495a31baf1feed4ba43e469e3b2e44edcad5c8e40f61b462975de828
Opcode Fuzzy Hash: 9d40a9783c5088da7ce004c666f8bdd368779f830e9e7fa24a0836714183e228
Instruction Fuzzy Hash: ECE1A62170CB4281FE309A25E44426E6B51FB997E0FD08672DA9D87BE9DF3CE084D748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FFB00 Relevance: 12.3, APIs: 8, Instructions: 295
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF6980FFB00(void* __edx, long long __rbx, long long __rcx, long long __rdx, long long __rsi) {
				void* __rdi;
				void* _t121;
				void* _t162;
				void* _t171;
				void* _t197;
				signed long long _t198;
				signed long long _t223;
				void* _t233;
				void* _t235;
				void* _t237;
				long long _t239;
				long long _t280;
				void* _t282;
				void* _t284;
				long long _t288;
				long long _t289;
				void* _t291;
				signed long long _t292;
				intOrPtr _t294;
				intOrPtr _t296;
				intOrPtr _t299;
				intOrPtr _t301;
				intOrPtr _t326;
				long long _t328;

				_t197 = _t291;
				_t292 = _t291 - 0x70;
				 *((long long*)(_t292 + 0x38)) = 0xfffffffe;
				 *((long long*)(_t197 + 0x10)) = __rbx;
				 *((long long*)(_t197 + 0x18)) = _t288;
				 *((long long*)(_t197 + 0x20)) = __rsi;
				_t198 =  *0x98140430; // 0x4918c2c043f
				 *(_t292 + 0x68) = _t198 ^ _t292;
				_t289 = __rcx;
				if ( *((long long*)(__rcx + 0x70)) == 0) goto 0x980fff52;
				if ( *((char*)(__rcx + 0x79)) == 0) goto 0x980fff52;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 8))() != 0xffffffff) goto 0x980ffb5d;
				goto 0x980fff54;
				 *((long long*)(_t292 + 0x60)) = __rdx;
				 *((char*)(_t292 + 0x48)) = 0;
				 *((long long*)(_t292 + 0x48)) = __rcx;
				 *((long long*)(_t292 + 0x58)) = 8;
				_t202 =  >=  ? __rcx : _t292 + 0x48;
				 *((char*)(( >=  ? __rcx : _t292 + 0x48) + 8)) = 0;
				r13d = 0;
				_t294 =  *((intOrPtr*)(_t292 + 0x48));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980ffbb0;
				if (_t294 == 0) goto 0x980ffbe1;
				goto 0x980ffbb5;
				_t282 = _t292 + 0x48;
				_t204 =  >=  ? _t294 : _t292 + 0x48;
				_t147 = ( >=  ? _t294 : _t292 + 0x48) - _t282;
				if (( >=  ? _t294 : _t292 + 0x48) - _t282 > 0) goto 0x980ffbe1;
				_t243 =  >=  ? _t294 : _t292 + 0x48;
				_t244 = ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t149 = _t282 - ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t282 - ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0x980ffbf0;
				E00007FF67FF6981044B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0x980ffc24;
				_t246 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t247 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t152 = _t282 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t282 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) < 0) goto 0x980ffc24;
				E00007FF67FF6981044B8();
				_t296 =  *((intOrPtr*)(_t292 + 0x48));
				_t286 =  *((intOrPtr*)(_t292 + 0x58));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980ffc39;
				if (_t296 == 0) goto 0x980ffc6a;
				goto 0x980ffc3e;
				_t233 = _t292 + 0x48;
				_t209 =  >=  ? _t296 : _t292 + 0x48;
				_t156 = ( >=  ? _t296 : _t292 + 0x48) - _t233;
				if (( >=  ? _t296 : _t292 + 0x48) - _t233 > 0) goto 0x980ffc6a;
				_t249 =  >=  ? _t296 : _t292 + 0x48;
				_t250 = ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t158 = _t233 - ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t233 - ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0x980ffc79;
				E00007FF67FF6981044B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0x980ffca3;
				_t252 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t253 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t161 = _t233 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t233 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) < 0) goto 0x980ffca3;
				E00007FF67FF6981044B8();
				 *((long long*)(_t292 + 0x20)) = _t292 + 0x30;
				_t162 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x70)))) + 0x30))();
				if (_t162 == 0) goto 0x980ffcd1;
				if (_t162 != 0) goto 0x980ffef9;
				goto 0x980ffcd5;
				 *((intOrPtr*)(__rcx + 0x79)) = r13b;
				_t299 =  *((intOrPtr*)(_t292 + 0x48));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980ffcef;
				if (_t299 == 0) goto 0x980ffd20;
				goto 0x980ffcf4;
				_t235 = _t292 + 0x48;
				_t215 =  >=  ? _t299 : _t292 + 0x48;
				_t166 = ( >=  ? _t299 : _t292 + 0x48) - _t235;
				if (( >=  ? _t299 : _t292 + 0x48) - _t235 > 0) goto 0x980ffd20;
				_t256 =  >=  ? _t299 : _t292 + 0x48;
				_t257 = ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t168 = _t235 - ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t235 - ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0x980ffd2f;
				E00007FF67FF6981044B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0x980ffd63;
				_t259 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t260 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t171 = _t235 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t171 < 0) goto 0x980ffd63;
				E00007FF67FF6981044B8();
				_t301 =  *((intOrPtr*)(_t292 + 0x48));
				_t284 =  *((intOrPtr*)(_t292 + 0x30)) - _t235;
				if (_t171 == 0) goto 0x980ffe15;
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980ffd81;
				if (_t301 == 0) goto 0x980ffdb2;
				goto 0x980ffd86;
				_t237 = _t292 + 0x48;
				_t220 =  >=  ? _t301 : _t292 + 0x48;
				_t175 = ( >=  ? _t301 : _t292 + 0x48) - _t237;
				if (( >=  ? _t301 : _t292 + 0x48) - _t237 > 0) goto 0x980ffdb2;
				_t262 =  >=  ? _t301 : _t292 + 0x48;
				_t263 = ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t177 = _t237 - ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t237 - ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0x980ffdc1;
				E00007FF67FF6981044B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0x980ffdeb;
				_t278 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t223 =  *((intOrPtr*)(_t292 + 0x58));
				_t279 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223;
				_t180 = _t237 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223;
				if (_t237 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223 < 0) goto 0x980ffdeb;
				E00007FF67FF6981044B8();
				E00007FF67FF698105B14(_t237, _t237, ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223, _t284,  *((intOrPtr*)(_t292 + 0x58)), _t284,  *((intOrPtr*)(__rcx + 0x88)));
				if (_t284 != _t223) goto 0x980fff2a;
				if ( *((intOrPtr*)(_t289 + 0x79)) == r13b) goto 0x980fff40;
				if (_t284 != 0) goto 0x980ffba0;
				if ((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)) - 8 > 0) goto 0x980ffe46;
				E00007FF67FF6981033CC((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)), _t237, _t284, _t289,  *((intOrPtr*)(_t292 + 0x48)),  *((intOrPtr*)(_t292 + 0x60)));
				_t239 =  *((intOrPtr*)(_t292 + 0x58)) + 8;
				if (_t239 - 0xfffffffe <= 0) goto 0x980ffe64;
				_t121 = E00007FF67FF6981033CC((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)), _t239, _t284, _t289,  *((intOrPtr*)(_t292 + 0x48)),  *((intOrPtr*)(_t292 + 0x60)));
				if ( *((intOrPtr*)(_t292 + 0x60)) - _t239 >= 0) goto 0x980ffe87;
				_t280 = _t239;
				E00007FF67FF6980F2250(_t121, _t292 + 0x40, _t280,  *((intOrPtr*)(_t292 + 0x58)));
				goto 0x980ffeb0;
				if (_t239 != 0) goto 0x980ffeb0;
				 *((long long*)(_t292 + 0x58)) = _t328;
				_t227 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((intOrPtr*)( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48)) = r13b;
				goto 0x980ffba0;
				if (_t239 == 0) goto 0x980ffba0;
				_t267 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((long long*)( *((intOrPtr*)(_t292 + 0x58)) + ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48))) = _t280;
				 *((long long*)(_t292 + 0x58)) = _t239;
				_t230 =  >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((char*)(_t239 + ( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48))) = 0;
				_t326 =  *((intOrPtr*)(_t292 + 0x60));
				_t310 =  *((intOrPtr*)(_t292 + 0x48));
				goto 0x980ffba0;
				if ( *((long long*)(_t292 + 0x60)) == 0x10) goto 0x980fff14;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980fff10;
				E00007FF67FF6981044D8( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280,  *((intOrPtr*)(_t292 + 0x58)),  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0x980fff54;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980fff26;
				E00007FF67FF6981044D8( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280,  *((intOrPtr*)(_t292 + 0x58)),  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0x980fff54;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0x980fff3c;
				E00007FF67FF6981044D8(_t230, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280, _t286,  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0x980fff54;
				if (_t326 - 0x10 < 0) goto 0x980fff4e;
				E00007FF67FF6981044D8(_t230, _t239, _t310, _t280, _t286, _t310, _t326);
				goto 0x980fff54;
				return E00007FF67FF698104050(0,  *(_t292 + 0x68) ^ _t292, _t280, _t310, _t326);
			}

0x7ff6980ffb00
0x7ff6980ffb08
0x7ff6980ffb0c
0x7ff6980ffb15
0x7ff6980ffb19
0x7ff6980ffb1d
0x7ff6980ffb21
0x7ff6980ffb2b
0x7ff6980ffb30
0x7ff6980ffb38
0x7ff6980ffb42
0x7ff6980ffb54
0x7ff6980ffb58
0x7ff6980ffb62
0x7ff6980ffb67
0x7ff6980ffb6e
0x7ff6980ffb73
0x7ff6980ffb85
0x7ff6980ffb89
0x7ff6980ffb8c
0x7ff6980ffb94
0x7ff6980ffba4
0x7ff6980ffbac
0x7ff6980ffbae
0x7ff6980ffbb0
0x7ff6980ffbbe
0x7ff6980ffbc2
0x7ff6980ffbc5
0x7ff6980ffbd0
0x7ff6980ffbd9
0x7ff6980ffbdc
0x7ff6980ffbdf
0x7ff6980ffbe1
0x7ff6980ffbf9
0x7ff6980ffc04
0x7ff6980ffc0d
0x7ff6980ffc10
0x7ff6980ffc13
0x7ff6980ffc15
0x7ff6980ffc1f
0x7ff6980ffc24
0x7ff6980ffc2d
0x7ff6980ffc35
0x7ff6980ffc37
0x7ff6980ffc39
0x7ff6980ffc47
0x7ff6980ffc4b
0x7ff6980ffc4e
0x7ff6980ffc59
0x7ff6980ffc62
0x7ff6980ffc65
0x7ff6980ffc68
0x7ff6980ffc6a
0x7ff6980ffc82
0x7ff6980ffc8d
0x7ff6980ffc96
0x7ff6980ffc99
0x7ff6980ffc9c
0x7ff6980ffc9e
0x7ff6980ffcb3
0x7ff6980ffcc2
0x7ff6980ffcc4
0x7ff6980ffcc9
0x7ff6980ffccf
0x7ff6980ffcd1
0x7ff6980ffcd5
0x7ff6980ffce3
0x7ff6980ffceb
0x7ff6980ffced
0x7ff6980ffcef
0x7ff6980ffcfd
0x7ff6980ffd01
0x7ff6980ffd04
0x7ff6980ffd0f
0x7ff6980ffd18
0x7ff6980ffd1b
0x7ff6980ffd1e
0x7ff6980ffd20
0x7ff6980ffd38
0x7ff6980ffd43
0x7ff6980ffd4c
0x7ff6980ffd4f
0x7ff6980ffd52
0x7ff6980ffd54
0x7ff6980ffd5e
0x7ff6980ffd68
0x7ff6980ffd6b
0x7ff6980ffd75
0x7ff6980ffd7d
0x7ff6980ffd7f
0x7ff6980ffd81
0x7ff6980ffd8f
0x7ff6980ffd93
0x7ff6980ffd96
0x7ff6980ffda1
0x7ff6980ffdaa
0x7ff6980ffdad
0x7ff6980ffdb0
0x7ff6980ffdb2
0x7ff6980ffdca
0x7ff6980ffdd5
0x7ff6980ffdd9
0x7ff6980ffdde
0x7ff6980ffde1
0x7ff6980ffde4
0x7ff6980ffde6
0x7ff6980ffdfd
0x7ff6980ffe05
0x7ff6980ffe19
0x7ff6980ffe22
0x7ff6980ffe35
0x7ff6980ffe37
0x7ff6980ffe4b
0x7ff6980ffe53
0x7ff6980ffe55
0x7ff6980ffe67
0x7ff6980ffe6e
0x7ff6980ffe76
0x7ff6980ffe85
0x7ff6980ffe8a
0x7ff6980ffe8c
0x7ff6980ffe9a
0x7ff6980ffe9e
0x7ff6980ffeab
0x7ff6980ffeb3
0x7ff6980ffec2
0x7ff6980ffecd
0x7ff6980ffed1
0x7ff6980ffee1
0x7ff6980ffee7
0x7ff6980ffeea
0x7ff6980ffeef
0x7ff6980ffef4
0x7ff6980ffefc
0x7ff6980fff04
0x7ff6980fff0b
0x7ff6980fff12
0x7ff6980fff1a
0x7ff6980fff21
0x7ff6980fff28
0x7ff6980fff30
0x7ff6980fff37
0x7ff6980fff3e
0x7ff6980fff44
0x7ff6980fff49
0x7ff6980fff50
0x7ff6980fff7a

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FFBE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FFC15
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FFC6A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FFC9E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bb00c0e8b7afb0c2600c17caa4aa4b149fb672f7b61d2350a14f23c70e491a44
Instruction ID: 4523fd9fdef14062095ed4f90fb780b768f675f5ed1cd708a49574e0f88ad3f9
Opcode Fuzzy Hash: bb00c0e8b7afb0c2600c17caa4aa4b149fb672f7b61d2350a14f23c70e491a44
Instruction Fuzzy Hash: EDC1B72360C78681EE209F69E0501A9A761EB927E4FE44572EB6D83BE5CF7CD484D70C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FBC70 Relevance: 12.1, APIs: 8, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF6980FBC70(intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rbp, intOrPtr* __r8, intOrPtr* __r9, long long __r12, long long __r13, long long __r15, long long _a8, long long _a16, long long _a24) {
				long long _v32;
				long long _v40;
				void* _t62;
				intOrPtr _t89;
				intOrPtr _t102;
				intOrPtr _t103;
				long long _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t120;
				intOrPtr* _t126;
				signed long long _t131;
				unsigned long long _t139;

				 *((long long*)(__rcx)) =  *((intOrPtr*)(__r8));
				 *((long long*)(__rcx + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *((long long*)(__rdx + 0x38)) == 0) goto 0x980fbe4a;
				_v40 = __r15;
				_a8 = __rbp;
				_a16 = __rdi;
				_a24 = __r12;
				r15d = 0;
				_v32 = __r13;
				_t89 =  *__rcx;
				if (_t89 == 0xfffffffc) goto 0x980fbccf;
				if (_t89 == 0) goto 0x980fbcca;
				if (_t89 ==  *__r9) goto 0x980fbccf;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__rcx + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0x980fbe25;
				_t131 =  *((intOrPtr*)(__rdx + 0x30));
				if (_t131 -  *((intOrPtr*)(__rdx + 0x38)) + _t131 <= 0) goto 0x980fbcf2;
				E00007FF67FF6981044B8();
				_t126 =  *((intOrPtr*)(__rdx));
				_t139 = _t131 >> 3;
				r13d = r13d & 0x00000007;
				if (_t126 != 0) goto 0x980fbd15;
				E00007FF67FF6981044B8();
				goto 0x980fbd1b;
				if (_t131 -  *((intOrPtr*)( *_t126 + 0x38)) +  *((intOrPtr*)( *_t126 + 0x30)) < 0) goto 0x980fbd2d;
				E00007FF67FF6981044B8();
				if (_t126 == 0) goto 0x980fbd37;
				goto 0x980fbd3a;
				if ( *((intOrPtr*)(__r15 + 0x28)) - _t139 > 0) goto 0x980fbd51;
				if (_t126 == 0) goto 0x980fbd4a;
				goto 0x980fbd4d;
				if (_t126 == 0) goto 0x980fbd5b;
				goto 0x980fbd5e;
				_t102 =  *__rcx;
				if (_t102 == 0xfffffffc) goto 0x980fbda0;
				if (_t102 != 0) goto 0x980fbd79;
				E00007FF67FF6981044B8();
				_t103 =  *__rcx;
				if ( *((long long*)(_t103 + 0x20)) - 8 < 0) goto 0x980fbd89;
				goto 0x980fbd8d;
				if ( *((intOrPtr*)(__rcx + 8)) - _t103 + 8 +  *(_t103 + 0x18) * 2 < 0) goto 0x980fbda0;
				E00007FF67FF6981044B8();
				 *((short*)( *((intOrPtr*)(__rcx + 8)))) =  *( *((intOrPtr*)( *((intOrPtr*)(__r15 + 0x20)) + (_t139 -  *((intOrPtr*)(__r15 + 0x28))) * 8)) + _t131 * 2) & 0x0000ffff;
				_t120 =  *((intOrPtr*)(__rdx + 0x38));
				if (_t120 == 0) goto 0x980fbddc;
				 *((long long*)(__rdx + 0x30)) =  *((long long*)(__rdx + 0x30)) + 1;
				if ( *(__rdx + 0x28) << 3 -  *((intOrPtr*)(__rdx + 0x30)) > 0) goto 0x980fbdcb;
				 *((long long*)(__rdx + 0x30)) = __r15;
				_t36 = _t120 - 1; // -1
				_t107 = _t36;
				 *((long long*)(__rdx + 0x38)) = _t107;
				if (_t107 != 0) goto 0x980fbddc;
				 *((long long*)(__rdx + 0x30)) = __r15;
				_t108 =  *__rcx;
				if (_t108 == 0xfffffffc) goto 0x980fbe16;
				if (_t108 != 0) goto 0x980fbdef;
				E00007FF67FF6981044B8();
				_t109 =  *__rcx;
				if ( *((long long*)(_t109 + 0x20)) - 8 < 0) goto 0x980fbdff;
				goto 0x980fbe03;
				if ( *((intOrPtr*)(__rcx + 8)) - _t109 + 8 +  *(_t109 + 0x18) * 2 < 0) goto 0x980fbe16;
				_t62 = E00007FF67FF6981044B8();
				 *((long long*)(__rcx + 8)) =  *((long long*)(__rcx + 8)) + 2;
				if ( *((intOrPtr*)(__rdx + 0x38)) != __r15) goto 0x980fbcb7;
				return _t62;
			}

0x7ff6980fbc84
0x7ff6980fbc8e
0x7ff6980fbc95
0x7ff6980fbc9b
0x7ff6980fbca0
0x7ff6980fbca5
0x7ff6980fbcaa
0x7ff6980fbcaf
0x7ff6980fbcb2
0x7ff6980fbcb7
0x7ff6980fbcbe
0x7ff6980fbcc3
0x7ff6980fbcc8
0x7ff6980fbcca
0x7ff6980fbcd7
0x7ff6980fbcdd
0x7ff6980fbceb
0x7ff6980fbced
0x7ff6980fbcf2
0x7ff6980fbcfb
0x7ff6980fbcff
0x7ff6980fbd06
0x7ff6980fbd08
0x7ff6980fbd13
0x7ff6980fbd26
0x7ff6980fbd28
0x7ff6980fbd30
0x7ff6980fbd35
0x7ff6980fbd3e
0x7ff6980fbd43
0x7ff6980fbd48
0x7ff6980fbd54
0x7ff6980fbd59
0x7ff6980fbd66
0x7ff6980fbd6d
0x7ff6980fbd72
0x7ff6980fbd74
0x7ff6980fbd79
0x7ff6980fbd81
0x7ff6980fbd87
0x7ff6980fbd99
0x7ff6980fbd9b
0x7ff6980fbda9
0x7ff6980fbdac
0x7ff6980fbdb3
0x7ff6980fbdb9
0x7ff6980fbdc5
0x7ff6980fbdc7
0x7ff6980fbdcb
0x7ff6980fbdcb
0x7ff6980fbdcf
0x7ff6980fbdd6
0x7ff6980fbdd8
0x7ff6980fbddc
0x7ff6980fbde3
0x7ff6980fbde8
0x7ff6980fbdea
0x7ff6980fbdef
0x7ff6980fbdf7
0x7ff6980fbdfd
0x7ff6980fbe0f
0x7ff6980fbe11
0x7ff6980fbe16
0x7ff6980fbe1f
0x7ff6980fbe49

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBCCA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBCED
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD08
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD28
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD74
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBD9B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBDEA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FBE11

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 22a5dda9e8a811af525db2b3f1416110af8d8fcdbcad987767e050683361c72f
Instruction ID: fdb3ff2e912909019a211e372e55998da05dfd7f28333317078eace6c9abe6c2
Opcode Fuzzy Hash: 22a5dda9e8a811af525db2b3f1416110af8d8fcdbcad987767e050683361c72f
Instruction Fuzzy Hash: EC519D22609B4682DA709F26D090138ABA0FB64BA4B988671CF5D877E4DF3CE851D71D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FA9F0 Relevance: 12.1, APIs: 8, Instructions: 132
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00007FF67FF6980FA9F0(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rsi, intOrPtr* __r8, intOrPtr* __r9) {
				void* _t58;
				intOrPtr _t99;
				long long* _t102;
				intOrPtr* _t112;
				intOrPtr* _t116;
				signed short* _t120;
				long long _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t127;
				intOrPtr _t138;

				 *((long long*)(_t126 + 8)) = __rbx;
				 *((long long*)(_t126 + 0x10)) = _t123;
				 *((long long*)(_t126 + 0x18)) = __rsi;
				_t127 = _t126 - 0x40;
				_t102 = _t127 + 0x20;
				 *_t102 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t102 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t124 =  *((intOrPtr*)(_t127 + 0x20));
				_t138 =  *((intOrPtr*)(_t127 + 0x28));
				if (_t124 == 0xfffffffc) goto 0x980faa48;
				if (_t124 == 0) goto 0x980faa43;
				if (_t124 ==  *((intOrPtr*)(__r9))) goto 0x980faa48;
				E00007FF67FF6981044B8();
				if (_t138 ==  *((intOrPtr*)(__r9 + 8))) goto 0x980fab89;
				_t120 =  *((intOrPtr*)(__rcx));
				if (_t120 ==  *((intOrPtr*)(__rcx + 8))) goto 0x980fab89;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t99 =  *((intOrPtr*)(_t127 + 0x30));
				_t116 =  *((intOrPtr*)(_t127 + 0x38));
				if (_t99 == 0xfffffffc) goto 0x980faa8c;
				if (_t99 == 0) goto 0x980faa87;
				if (_t99 ==  *((intOrPtr*)(__r9))) goto 0x980faa8c;
				E00007FF67FF6981044B8();
				if (_t116 ==  *((intOrPtr*)(__r9 + 8))) goto 0x980fab18;
				if (_t120 ==  *((intOrPtr*)(__rcx + 8))) goto 0x980fab18;
				if (_t99 == 0xfffffffc) goto 0x980faad0;
				if (_t99 != 0) goto 0x980faaad;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t99 + 0x20)) - 8 < 0) goto 0x980faaba;
				goto 0x980faabe;
				if (_t116 - _t99 + 8 +  *(_t99 + 0x18) * 2 < 0) goto 0x980faad0;
				E00007FF67FF6981044B8();
				if ( *_t116 != ( *_t120 & 0x0000ffff)) goto 0x980fab18;
				if (_t99 == 0xfffffffc) goto 0x980fab0b;
				if (_t99 != 0) goto 0x980faae8;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t99 + 0x20)) - 8 < 0) goto 0x980faaf5;
				goto 0x980faaf9;
				if (_t116 - _t99 + 8 +  *(_t99 + 0x18) * 2 < 0) goto 0x980fab0b;
				E00007FF67FF6981044B8();
				goto 0x980faa76;
				 *((long long*)(_t127 + 0x38)) = _t116 + 2;
				if ( &(_t120[1]) ==  *((intOrPtr*)(__rcx + 8))) goto 0x980fab64;
				if (_t124 == 0xfffffffc) goto 0x980fab56;
				if (_t124 != 0) goto 0x980fab33;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t124 + 0x20)) - 8 < 0) goto 0x980fab40;
				goto 0x980fab44;
				if (_t138 - _t124 + 8 +  *(_t124 + 0x18) * 2 < 0) goto 0x980fab56;
				_t58 = E00007FF67FF6981044B8();
				 *((long long*)(_t127 + 0x28)) = _t138 + 2;
				goto 0x980faa32;
				_t112 = _t127 + 0x20;
				 *__rdx =  *_t112;
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(_t112 + 8));
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(_t127 + 0x30));
				goto 0x980faba6;
				 *__rdx =  *((intOrPtr*)(__r9));
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(__r9 + 8));
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(__r9));
				 *((long long*)(__rdx + 0x18)) =  *((intOrPtr*)(__r9 + 8));
				return _t58;
			}

0x7ff6980fa9f0
0x7ff6980fa9f5
0x7ff6980fa9fa
0x7ff6980faa08
0x7ff6980faa12
0x7ff6980faa17
0x7ff6980faa21
0x7ff6980faa25
0x7ff6980faa2a
0x7ff6980faa36
0x7ff6980faa3b
0x7ff6980faa41
0x7ff6980faa43
0x7ff6980faa4d
0x7ff6980faa53
0x7ff6980faa5b
0x7ff6980faa61
0x7ff6980faa66
0x7ff6980faa6c
0x7ff6980faa71
0x7ff6980faa7a
0x7ff6980faa7f
0x7ff6980faa85
0x7ff6980faa87
0x7ff6980faa91
0x7ff6980faa9b
0x7ff6980faaa1
0x7ff6980faaa6
0x7ff6980faaa8
0x7ff6980faab2
0x7ff6980faab8
0x7ff6980faac9
0x7ff6980faacb
0x7ff6980faad6
0x7ff6980faadc
0x7ff6980faae1
0x7ff6980faae3
0x7ff6980faaed
0x7ff6980faaf3
0x7ff6980fab04
0x7ff6980fab06
0x7ff6980fab13
0x7ff6980fab18
0x7ff6980fab21
0x7ff6980fab27
0x7ff6980fab2c
0x7ff6980fab2e
0x7ff6980fab38
0x7ff6980fab3e
0x7ff6980fab4f
0x7ff6980fab51
0x7ff6980fab5a
0x7ff6980fab5f
0x7ff6980fab64
0x7ff6980fab6c
0x7ff6980fab78
0x7ff6980fab7f
0x7ff6980fab87
0x7ff6980fab8d
0x7ff6980fab95
0x7ff6980fab9d
0x7ff6980fabb8
0x7ff6980fabcc

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAA43
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAA87
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAAA8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAACB
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAAE3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAB06
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAB2E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FAB51

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c39085dac5a8c37aa111a4ee3f5df2e94acb3f7c8a7dde8f4e7502a9263f1198
Instruction ID: 7b1b644b3a9578253c55850b326f02f56e2de9dcc773b0de72ee5f7ce4201944
Opcode Fuzzy Hash: c39085dac5a8c37aa111a4ee3f5df2e94acb3f7c8a7dde8f4e7502a9263f1198
Instruction Fuzzy Hash: 0D517522A08B46C0EA70DF25E4448797364FB647A8B958372DAAD833D5DF3CE485D35C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F4D20 Relevance: 12.1, APIs: 8, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF67FF6980F4D20(intOrPtr* __rcx, void* __rdx, char _a24) {
				long long _v32;
				char _v40;
				void* __rbx;
				void* __rsi;
				intOrPtr _t21;
				long long _t25;

				_a24 = r8b;
				_t25 =  *((intOrPtr*)(__rcx + 0x20));
				_t21 =  *((intOrPtr*)(__rcx + 0x18));
				_a24 = 0;
				if (_t25 - _t21 - __rdx >= 0) goto 0x980f4d93;
				if (_t21 - _t25 <= 0) goto 0x980f4d55;
				E00007FF67FF6981044B8();
				_v32 = _t25;
				_v40 =  *((intOrPtr*)(__rcx));
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x20], xmm0");
				return E00007FF67FF6980F53A0(__rcx, __rcx,  &_v40, _t25,  *((intOrPtr*)(__rcx + 0x18)) -  *((intOrPtr*)(__rcx + 0x20)) + __rdx,  &_a24);
			}

0x7ff6980f4d20
0x7ff6980f4d2d
0x7ff6980f4d34
0x7ff6980f4d3e
0x7ff6980f4d49
0x7ff6980f4d4e
0x7ff6980f4d50
0x7ff6980f4d5c
0x7ff6980f4d65
0x7ff6980f4d6f
0x7ff6980f4d74
0x7ff6980f4d92

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4D50
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DB0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DBF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DCF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DF6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E0C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E2F

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1051cff0eb89c7fb68da50a8adb59ec4bf6f1c5a90234f486663dca69e2acc4d
Instruction ID: 147af151f222b8939eb5aefd8778467b0d06e372ba07cf90a9782606d3560041
Opcode Fuzzy Hash: 1051cff0eb89c7fb68da50a8adb59ec4bf6f1c5a90234f486663dca69e2acc4d
Instruction Fuzzy Hash: B241A462A08E8185E730AF36E4001BDA3A5FB64BC8F9441B1DE8C97689DF7CE491D75C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698114E0C Relevance: 12.1, APIs: 8, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF67FF698114E0C(void* __ebx, signed int __ecx, void* __esi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				signed long long _v56;
				void* __rdi;
				void* __r12;
				void* _t30;
				void* _t47;
				intOrPtr* _t52;
				signed long long _t54;
				signed long long _t55;
				signed long long _t63;
				signed long long _t65;
				signed long long _t68;
				void* _t75;
				void* _t76;
				signed long long _t78;

				_t74 = __r8;
				_t70 = __rbp;
				_t60 = __rcx;
				_t30 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				_t76 = __rdx;
				_t58 = __ecx;
				if (__ebx != 0xfffffffe) goto 0x98114e52;
				E00007FF67FF6981078CC(__rax);
				 *__rax = 0;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98114f2b;
				if (__ebx < 0) goto 0x98114f01;
				_t47 = _t30 -  *0x981489c0; // 0x20
				if (_t47 >= 0) goto 0x98114f01;
				_t78 = __ecx >> 5;
				_t68 = __ecx * 0x58;
				_t52 =  *((intOrPtr*)(0x981489e0 + _t78 * 8));
				if (_t47 != 0) goto 0x98114eba;
				E00007FF67FF6981078CC(_t52);
				 *_t52 = 0;
				E00007FF67FF6981078AC(_t52);
				 *_t52 = 9;
				_v56 = _t63;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t52, __ecx, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0x98114f2b;
				E00007FF67FF69811593C(_t30, _t30, _t58, _t63, _t68, _t75);
				_t54 =  *((intOrPtr*)(0x981489e0 + _t78 * 8));
				if (( *(_t54 + _t68 + 8) & 0x00000001) == 0) goto 0x98114edf;
				r8d = r12d;
				E00007FF67FF698114D74(_t30, _t30, _t54, _t58, _t76);
				goto 0x98114ef5;
				E00007FF67FF6981078AC(_t54);
				 *_t54 = 9;
				E00007FF67FF6981078CC(_t54);
				 *_t54 = 0;
				_t65 = _t54 | 0xffffffff;
				E00007FF67FF6981159E4();
				_t55 = _t65;
				goto 0x98114f2b;
				E00007FF67FF6981078CC(_t55);
				 *_t55 = 0;
				E00007FF67FF6981078AC(_t55);
				 *_t55 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t55, _t58, _t60, _t76, _t68, _t70, _t74);
			}

0x7ff698114e0c
0x7ff698114e0c
0x7ff698114e0c
0x7ff698114e0c
0x7ff698114e0c
0x7ff698114e11
0x7ff698114e16
0x7ff698114e27
0x7ff698114e2a
0x7ff698114e2d
0x7ff698114e33
0x7ff698114e35
0x7ff698114e3c
0x7ff698114e3e
0x7ff698114e43
0x7ff698114e4d
0x7ff698114e56
0x7ff698114e5c
0x7ff698114e62
0x7ff698114e6e
0x7ff698114e7c
0x7ff698114e80
0x7ff698114e8c
0x7ff698114e8e
0x7ff698114e93
0x7ff698114e95
0x7ff698114e9a
0x7ff698114ea0
0x7ff698114ea5
0x7ff698114ea8
0x7ff698114eaf
0x7ff698114eb8
0x7ff698114ebc
0x7ff698114ec2
0x7ff698114ecb
0x7ff698114ecd
0x7ff698114ed5
0x7ff698114edd
0x7ff698114edf
0x7ff698114ee4
0x7ff698114eea
0x7ff698114eef
0x7ff698114ef1
0x7ff698114ef7
0x7ff698114efc
0x7ff698114eff
0x7ff698114f01
0x7ff698114f06
0x7ff698114f08
0x7ff698114f0d
0x7ff698114f13
0x7ff698114f18
0x7ff698114f1b
0x7ff698114f42

APIs

__doserrno.LIBCMT ref: 00007FF698114E35
_errno.LIBCMT ref: 00007FF698114E3E
__doserrno.LIBCMT ref: 00007FF698114E8E
_errno.LIBCMT ref: 00007FF698114E95

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: fd70bf307f78bc1a0b30db4c381cd12ef6fe9862424e331efe26ad2a528cd58b
Instruction ID: f4125c777fe3a4c92b3735def384fedcab64c2756ad7a80892b42a68e01b25ee
Opcode Fuzzy Hash: fd70bf307f78bc1a0b30db4c381cd12ef6fe9862424e331efe26ad2a528cd58b
Instruction Fuzzy Hash: 9131EF31A1864342E6216F35AC4163D3652EB81BB4F945771EE3E8BBD2CE3D9011C71C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698111650 Relevance: 12.1, APIs: 8, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00007FF67FF698111650(void* __ebx, signed int __ecx, signed int __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r11, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t47;
				void* _t53;
				signed int* _t57;
				signed int* _t58;
				long long _t65;
				signed long long _t68;
				void* _t75;
				void* _t76;
				void* _t77;
				signed long long _t79;

				_t75 = __r11;
				_t74 = __r8;
				_t70 = __rbp;
				_t62 = __rcx;
				_t34 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				_t77 = __rdx;
				_t60 = __ecx;
				if (__ebx != 0xfffffffe) goto 0x98111695;
				E00007FF67FF6981078CC(__rax);
				 *__rax = 0;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98111769;
				if (__ebx < 0) goto 0x98111740;
				_t53 = _t34 -  *0x981489c0; // 0x20
				if (_t53 >= 0) goto 0x98111740;
				_t79 = __ecx >> 5;
				_t68 = __ecx * 0x58;
				_t57 =  *((intOrPtr*)(0x981489e0 + _t79 * 8));
				if (_t53 != 0) goto 0x981116fc;
				E00007FF67FF6981078CC(_t57);
				 *_t57 = 0;
				E00007FF67FF6981078AC(_t57);
				 *_t57 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t57, __ecx, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0x98111769;
				E00007FF67FF69811593C(_t34, _t34, _t60, _t65, _t68, _t76);
				_t58 =  *((intOrPtr*)(0x981489e0 + _t79 * 8));
				if (( *(_t58 + _t68 + 8) & 0x00000001) == 0) goto 0x98111720;
				r8d = r12d;
				_t47 = E00007FF67FF698110EF0(_t34, _t34, __esi & 0x0000001f, _t58, _t60, _t62, _t77, _t74, _t75);
				goto 0x98111735;
				E00007FF67FF6981078AC(_t58);
				 *_t58 = 9;
				E00007FF67FF6981078CC(_t58);
				 *_t58 = _t47;
				E00007FF67FF6981159E4();
				goto 0x98111769;
				E00007FF67FF6981078CC(_t58);
				 *_t58 = _t47 | 0xffffffff;
				E00007FF67FF6981078AC(_t58);
				 *_t58 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t58, _t60, _t62, _t77, _t68, _t70, _t74) | 0xffffffff;
			}

0x7ff698111650
0x7ff698111650
0x7ff698111650
0x7ff698111650
0x7ff698111650
0x7ff698111650
0x7ff698111655
0x7ff69811165a
0x7ff69811166b
0x7ff69811166e
0x7ff698111671
0x7ff698111677
0x7ff698111679
0x7ff698111680
0x7ff698111682
0x7ff698111687
0x7ff698111690
0x7ff698111699
0x7ff69811169f
0x7ff6981116a5
0x7ff6981116b1
0x7ff6981116bf
0x7ff6981116c3
0x7ff6981116cf
0x7ff6981116d1
0x7ff6981116d6
0x7ff6981116d8
0x7ff6981116dd
0x7ff6981116e3
0x7ff6981116e8
0x7ff6981116eb
0x7ff6981116f2
0x7ff6981116fa
0x7ff6981116fe
0x7ff698111704
0x7ff69811170d
0x7ff69811170f
0x7ff69811171c
0x7ff69811171e
0x7ff698111720
0x7ff698111725
0x7ff69811172b
0x7ff698111730
0x7ff698111737
0x7ff69811173e
0x7ff698111740
0x7ff698111745
0x7ff698111747
0x7ff69811174c
0x7ff698111752
0x7ff698111757
0x7ff69811175a
0x7ff698111780

APIs

__doserrno.LIBCMT ref: 00007FF698111679
_errno.LIBCMT ref: 00007FF698111682
__doserrno.LIBCMT ref: 00007FF6981116D1
_errno.LIBCMT ref: 00007FF6981116D8

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3340a66846d07b0f9e714060594e045375b321804dd7a017f53166dadd991860
Instruction ID: 71b039b7ac68b85971495afd5e40be25a396b632d86b98a6d9a99400efccc360
Opcode Fuzzy Hash: 3340a66846d07b0f9e714060594e045375b321804dd7a017f53166dadd991860
Instruction Fuzzy Hash: DA31E132E1864346F3366F35AC4157D7651EBC07A0F955A76EA2D8BBD2CE3D9001C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698111A0C Relevance: 12.1, APIs: 8, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF67FF698111A0C(void* __ebx, signed int __ecx, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				void* __r12;
				signed int _t26;
				void* _t33;
				void* _t52;
				signed int* _t56;
				signed int* _t57;
				long long _t63;
				signed long long _t66;
				signed long long _t74;

				_t72 = __r8;
				_t68 = __rbp;
				_t62 = __rdx;
				_t61 = __rcx;
				_t33 = __ebx;
				_a24 = __rbx;
				_a32 = __rsi;
				_a8 = __ecx;
				_t59 = __ecx;
				if (__ebx != 0xfffffffe) goto 0x98111a47;
				E00007FF67FF6981078CC(__rax);
				 *__rax = 0;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98111b10;
				if (__ebx < 0) goto 0x98111ae7;
				_t52 = _t33 -  *0x981489c0; // 0x20
				if (_t52 >= 0) goto 0x98111ae7;
				_t74 = __ecx >> 5;
				_t66 = __ecx * 0x58;
				_t56 =  *((intOrPtr*)(0x981489e0 + _t74 * 8));
				if (_t52 != 0) goto 0x98111aaf;
				E00007FF67FF6981078CC(_t56);
				 *_t56 = 0;
				E00007FF67FF6981078AC(_t56);
				 *_t56 = 9;
				_v40 = _t63;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t56, __ecx, __rcx, __rdx, _t66, __rbp, __r8);
				goto 0x98111b10;
				E00007FF67FF69811593C(_t33, _t33, _t59, _t63, _t66, _t74);
				_t57 =  *((intOrPtr*)(0x981489e0 + _t74 * 8));
				if (( *(_t57 + _t66 + 8) & 0x00000001) == 0) goto 0x98111ace;
				_t26 = E00007FF67FF698111950(_t33, 0, _t57, _t59);
				goto 0x98111adc;
				E00007FF67FF6981078AC(_t57);
				 *_t57 = 9;
				E00007FF67FF6981159E4();
				goto 0x98111b10;
				E00007FF67FF6981078CC(_t57);
				 *_t57 = _t26 | 0xffffffff;
				E00007FF67FF6981078AC(_t57);
				 *_t57 = 9;
				_v40 = _t63;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t57, _t59, _t61, _t62, _t66, _t68, _t72) | 0xffffffff;
			}

0x7ff698111a0c
0x7ff698111a0c
0x7ff698111a0c
0x7ff698111a0c
0x7ff698111a0c
0x7ff698111a0c
0x7ff698111a11
0x7ff698111a16
0x7ff698111a23
0x7ff698111a29
0x7ff698111a2b
0x7ff698111a32
0x7ff698111a34
0x7ff698111a39
0x7ff698111a42
0x7ff698111a4b
0x7ff698111a51
0x7ff698111a57
0x7ff698111a63
0x7ff698111a71
0x7ff698111a75
0x7ff698111a82
0x7ff698111a84
0x7ff698111a89
0x7ff698111a8b
0x7ff698111a90
0x7ff698111a96
0x7ff698111a9b
0x7ff698111a9e
0x7ff698111aa5
0x7ff698111aad
0x7ff698111ab1
0x7ff698111ab7
0x7ff698111ac1
0x7ff698111ac5
0x7ff698111acc
0x7ff698111ace
0x7ff698111ad3
0x7ff698111ade
0x7ff698111ae5
0x7ff698111ae7
0x7ff698111aec
0x7ff698111aee
0x7ff698111af3
0x7ff698111af9
0x7ff698111afe
0x7ff698111b01
0x7ff698111b23

APIs

__doserrno.LIBCMT ref: 00007FF698111A2B
_errno.LIBCMT ref: 00007FF698111A34
__doserrno.LIBCMT ref: 00007FF698111A84
_errno.LIBCMT ref: 00007FF698111A8B

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 45ca130e8ce689a6ec9fb1e7b1bd1d1e802a5172bf7414796e69646001ebef35
Instruction ID: d257577ad887757e9ddaf469e62418ab997dea06d0dee9319d74cb0f1d92f474
Opcode Fuzzy Hash: 45ca130e8ce689a6ec9fb1e7b1bd1d1e802a5172bf7414796e69646001ebef35
Instruction Fuzzy Hash: 4A31D132E1869342F3356F31AC4123E7A50EFC0764F955676EA2A876C2CE3C9400C71C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981064C8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00007FF67FF6981064C8(void* __eflags, long long __rbx, void* __rcx, long long __rdx, long long __rdi, long long __rsi, signed int** __r8) {
				signed int _t59;
				signed int _t60;
				void* _t79;
				void* _t87;
				void* _t123;
				signed int _t129;
				intOrPtr* _t140;
				intOrPtr* _t141;
				signed int* _t144;
				signed int* _t145;
				signed int* _t146;
				signed int* _t149;
				signed long long _t153;
				long long _t161;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr _t169;
				void* _t171;
				void* _t175;
				signed int** _t176;
				void* _t178;
				signed int* _t179;

				_t159 = __rsi;
				_t140 = _t163;
				 *((long long*)(_t140 + 8)) = __rbx;
				 *((long long*)(_t140 + 0x10)) = _t161;
				 *((long long*)(_t140 + 0x18)) = __rsi;
				 *((long long*)(_t140 + 0x20)) = __rdi;
				_t164 = _t163 - 0x50;
				_t179 = __rdx;
				_t153 = _t140 - 0x38;
				r12d = r9d;
				_t176 = __r8;
				E00007FF67FF698104E5C(_t140, _t153, __rcx);
				if (__r8 == 0) goto 0x98106503;
				 *((long long*)(__r8)) = __rdx;
				if (__rdx != 0) goto 0x98106532;
				E00007FF67FF6981078AC(_t140);
				 *(_t164 + 0x20) =  *(_t164 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t140 = 0x16;
				E00007FF67FF698104430(_t140, __rbx, _t153, __rcx, __rsi, _t161, __r8, _t178, _t175);
				goto 0x9810671b;
				if (r12d == 0) goto 0x98106543;
				if (r12d - 2 < 0) goto 0x98106508;
				if (r12d - 0x24 > 0) goto 0x98106508;
				bpl =  *_t179;
				_t144 =  &(_t179[0]);
				if ( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x30)) + 0x10c)) - 1 <= 0) goto 0x98106575;
				E00007FF67FF69810FA5C(bpl & 0xffffffff, 8, 0,  *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x30)) + 0x10c)) - 1, _t140, _t159, _t161, _t164 + 0x30, _t171);
				_t169 =  *((intOrPtr*)(_t164 + 0x30));
				goto 0x98106587;
				_t141 =  *((intOrPtr*)(_t169 + 0x140));
				_t59 =  *(_t141 + _t153 * 2) & 8;
				if (_t59 == 0) goto 0x98106593;
				bpl =  *_t144;
				_t145 =  &(_t144[0]);
				goto 0x98106551;
				if (bpl != 0x2d) goto 0x981065a5;
				goto 0x981065ab;
				if (bpl != 0x2b) goto 0x981065b1;
				bpl =  *_t145;
				_t146 =  &(_t145[0]);
				if (r12d < 0) goto 0x9810670d;
				if (r12d == 1) goto 0x9810670d;
				if (r12d - 0x24 > 0) goto 0x9810670d;
				if (r12d != 0) goto 0x981065fb;
				if (bpl == 0x30) goto 0x981065e1;
				r12d = 0xa;
				goto 0x98106619;
				if ( *_t146 == 0x78) goto 0x981065f3;
				if ( *_t146 == 0x58) goto 0x981065f3;
				r12d = 8;
				goto 0x98106619;
				r12d = 0x10;
				goto 0x98106607;
				if (r12d != 0x10) goto 0x98106619;
				if (bpl != 0x30) goto 0x98106619;
				if ( *_t146 == 0x78) goto 0x98106611;
				if ( *_t146 != 0x58) goto 0x98106619;
				bpl = _t146[0];
				_t60 = _t59 | 0xffffffff;
				r9d = _t60 / r12d;
				r8d =  *( *((intOrPtr*)(_t169 + 0x140)) + _t153 * 2) & 0x0000ffff;
				if ((r8b & 0x00000004) == 0) goto 0x98106643;
				goto 0x9810665d;
				if ((r8d & 0x00000103) == 0) goto 0x98106678;
				if (_t161 - 0x61 - 0x19 > 0) goto 0x9810665a;
				_t79 = bpl - 0x20 + 0xffffffc9;
				if (_t79 - r12d >= 0) goto 0x98106678;
				_t123 = 0 - r9d;
				if (_t123 < 0) goto 0x9810668c;
				if (_t123 != 0) goto 0x98106670;
				if (_t79 - _t60 % r12d <= 0) goto 0x9810668c;
				if (_t176 != 0) goto 0x98106692;
				if ((sil & 0x00000008) != 0) goto 0x9810669a;
				_t149 =  !=  ? _t179 :  &(_t146[0]) - 1;
				goto 0x981066e5;
				_t87 = 0 * r12d + _t79;
				bpl =  *_t149;
				goto 0x9810662b;
				if ((sil & 0x00000004) != 0) goto 0x981066c2;
				_t129 = sil & 0x00000001;
				if (_t129 != 0) goto 0x981066e5;
				if (_t129 == 0) goto 0x981066ba;
				if (_t87 - 0x80000000 > 0) goto 0x981066c2;
				if ((( *(_t164 + 0x90) | 0xe) & 0x00000002) != 0) goto 0x981066e5;
				if (_t87 - 0x7fffffff <= 0) goto 0x981066e5;
				E00007FF67FF6981078AC(_t141);
				 *_t141 = 0x22;
				if ((sil & 0x00000001) == 0) goto 0x981066d8;
				goto 0x981066e5;
				asm("sbb edi, edi");
				if (_t176 == 0) goto 0x981066ee;
				 *_t176 =  &(_t149[0]);
				if ((sil & 0x00000002) == 0) goto 0x981066f6;
				if ( *((char*)(_t164 + 0x48)) == 0) goto 0x98106709;
				 *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x9810672b;
				if (_t176 == 0) goto 0x98106716;
				 *_t176 = _t179;
				if ( *((intOrPtr*)(_t164 + 0x48)) == dil) goto 0x98106729;
				 *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff6981064c8
0x7ff6981064c8
0x7ff6981064cb
0x7ff6981064cf
0x7ff6981064d3
0x7ff6981064d7
0x7ff6981064e1
0x7ff6981064e5
0x7ff6981064eb
0x7ff6981064ef
0x7ff6981064f2
0x7ff6981064f5
0x7ff6981064fd
0x7ff6981064ff
0x7ff698106506
0x7ff698106508
0x7ff69810650d
0x7ff698106513
0x7ff698106516
0x7ff69810651d
0x7ff698106523
0x7ff69810652d
0x7ff698106535
0x7ff69810653b
0x7ff698106541
0x7ff698106543
0x7ff69810654d
0x7ff698106559
0x7ff698106569
0x7ff69810656e
0x7ff698106573
0x7ff698106575
0x7ff698106584
0x7ff698106589
0x7ff69810658b
0x7ff69810658e
0x7ff698106591
0x7ff69810659e
0x7ff6981065a3
0x7ff6981065a9
0x7ff6981065ab
0x7ff6981065ae
0x7ff6981065b4
0x7ff6981065be
0x7ff6981065c8
0x7ff6981065d1
0x7ff6981065d7
0x7ff6981065d9
0x7ff6981065df
0x7ff6981065e4
0x7ff6981065e9
0x7ff6981065eb
0x7ff6981065f1
0x7ff6981065f3
0x7ff6981065f9
0x7ff6981065ff
0x7ff698106605
0x7ff69810660a
0x7ff69810660f
0x7ff698106611
0x7ff698106622
0x7ff698106628
0x7ff69810662f
0x7ff698106638
0x7ff698106641
0x7ff69810664a
0x7ff698106655
0x7ff69810665a
0x7ff698106660
0x7ff698106665
0x7ff698106668
0x7ff69810666a
0x7ff69810666e
0x7ff698106676
0x7ff69810667f
0x7ff698106684
0x7ff69810668a
0x7ff698106690
0x7ff698106692
0x7ff698106698
0x7ff6981066a3
0x7ff6981066a5
0x7ff6981066a9
0x7ff6981066b0
0x7ff6981066b8
0x7ff6981066bc
0x7ff6981066c0
0x7ff6981066c2
0x7ff6981066c7
0x7ff6981066d1
0x7ff6981066d6
0x7ff6981066df
0x7ff6981066e8
0x7ff6981066ea
0x7ff6981066f2
0x7ff6981066fb
0x7ff698106702
0x7ff69810670b
0x7ff698106710
0x7ff698106712
0x7ff69810671b
0x7ff698106722
0x7ff698106749

APIs

Part of subcall function 00007FF698104E5C: _getptd.LIBCMT ref: 00007FF698104E72

_errno.LIBCMT ref: 00007FF698106508
_errno.LIBCMT ref: 00007FF6981066C2

Strings

0, xrefs: 00007FF698106601
+, xrefs: 00007FF6981065A5
0, xrefs: 00007FF6981065D3
-, xrefs: 00007FF69810659A

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: aad5d6a6d4a97e1526b7f6d55b50bd1c2d78e1ed061e41c5c93955d9012505b4
Instruction ID: a310add0034fb337a52ea0d03b2da298bd1f2660c27fe5dcabd7922a534f0952
Opcode Fuzzy Hash: aad5d6a6d4a97e1526b7f6d55b50bd1c2d78e1ed061e41c5c93955d9012505b4
Instruction Fuzzy Hash: 4471D522D1C78381FBB54E35AC1537A2691EF40758F9542B6DA9F862C5DE6CE860C309

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698128B10 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF67FF698128B10(void* __ebx, void* __edi, void* __eflags, long long __rbx, signed int __rcx, void* __rdx, void* __r9) {
				void* __rsi;
				signed int _t116;
				void* _t139;
				long long* _t145;
				void* _t150;
				void* _t152;
				void* _t158;
				intOrPtr _t162;
				intOrPtr _t163;
				long long _t165;
				void* _t183;
				long long _t186;
				void* _t188;
				void* _t189;
				long long _t190;
				signed int _t191;
				void* _t193;
				void* _t194;
				intOrPtr _t203;
				long long _t205;
				void* _t208;
				long long _t209;

				_t139 = _t193;
				_t194 = _t193 - 0xa0;
				 *((long long*)(_t194 + 0x30)) = 0xfffffffe;
				 *((long long*)(_t139 + 0x10)) = __rbx;
				 *((long long*)(_t139 + 0x18)) = _t190;
				_t191 = __rcx;
				if (__eflags != 0) goto 0x98128b4d;
				goto 0x98128e5a;
				if (__rdx == 0) goto 0x98128b72;
				goto 0x98128e5a;
				_t145 =  *((intOrPtr*)(__rcx + 0x230)) -  *((intOrPtr*)(__rcx + 0x228));
				_t116 = 0 % __rcx;
				if (_t145 - 1 >= 0) goto 0x98128b95;
				goto 0x98128e5a;
				 *((char*)(_t194 + 0xd0)) = 0;
				_t158 =  *((intOrPtr*)(__rcx + 0x230)) -  *((intOrPtr*)(__rcx + 0x228));
				E00007FF67FF6981045E0(_t145, __rcx);
				r14d = 0;
				if (_t145 == 0) goto 0x98128bc7;
				 *_t145 = _t194 + 0x70;
				goto 0x98128bca;
				 *((long long*)(_t194 + 0x70)) = _t209;
				E00007FF67FF6980F4CA0(_t209, _t158, _t194 + 0x70, _t158, _t188, _t194 + 0xd0);
				if ( *((intOrPtr*)(_t194 + 0x90)) !=  *((intOrPtr*)(_t194 + 0x88))) goto 0x98128c07;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t191 + 0x230)) !=  *((intOrPtr*)(_t191 + 0x228))) goto 0x98128c1c;
				E00007FF67FF6981044B8();
				 *((intOrPtr*)(_t194 + 0x20)) = r14d;
				r9d = __edi;
				E00007FF67FF6981277F0(_t191 + 0x20,  *((intOrPtr*)(_t191 + 0x228)), _t188,  *((intOrPtr*)(_t194 + 0x88)));
				_t150 =  *((intOrPtr*)(_t194 + 0x90)) -  *((intOrPtr*)(_t194 + 0x88));
				_t183 = _t150 - 1;
				if (_t183 - _t150 < 0) goto 0x98128c6b;
				E00007FF67FF6981044B8();
				_t162 =  *((intOrPtr*)(_t194 + 0x88));
				r12d =  *(_t162 + _t183) & 0x000000ff;
				if (r12b == 0) goto 0x98128d60;
				if ((r12b & 0xffffffff) -  *((intOrPtr*)(_t191 + 0x2a4)) > 0) goto 0x98128d2a;
				if (r12b - 1 < 0) goto 0x98128d2a;
				r13d = r12b & 0xffffffff;
				if (r12b == 0) goto 0x98128d60;
				asm("o16 nop [eax+eax]");
				_t152 =  *((intOrPtr*)(_t194 + 0x90)) - _t162;
				_t189 = _t152 - 1;
				if (_t189 - _t152 < 0) goto 0x98128cd4;
				E00007FF67FF6981044B8();
				_t203 =  *((intOrPtr*)(_t194 + 0x90));
				_t163 =  *((intOrPtr*)(_t194 + 0x88));
				if ( *((intOrPtr*)(_t163 + _t189)) != r12b) goto 0x98128cf4;
				if (_t203 == _t163) goto 0x98128cea;
				 *((long long*)(_t194 + 0x90)) = _t203 - 1;
				if (_t209 + 1 - _t208 < 0) goto 0x98128cb0;
				goto 0x98128d60;
				if (_t163 == 0) goto 0x98128d01;
				E00007FF67FF6981044D8(_t152, _t163, _t163,  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF67FF6981044D8(_t152, _t163,  *((intOrPtr*)(_t194 + 0x70)),  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				goto 0x98128e5a;
				if (_t163 == 0) goto 0x98128d37;
				E00007FF67FF6981044D8(_t152, _t163, _t163,  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF67FF6981044D8(_t152, _t163,  *((intOrPtr*)(_t194 + 0x70)),  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				goto 0x98128e5a;
				_t186 =  *((intOrPtr*)(_t191 + 0x260));
				if ( *((intOrPtr*)(_t191 + 0x258)) - _t186 <= 0) goto 0x98128d85;
				E00007FF67FF6981044B8();
				_t205 =  *((intOrPtr*)(_t194 + 0x90));
				 *((long long*)(_t194 + 0x60)) =  *((intOrPtr*)(_t191 + 0x240));
				 *((long long*)(_t194 + 0x68)) = _t186;
				if ( *((intOrPtr*)(_t194 + 0x88)) - _t205 <= 0) goto 0x98128db3;
				E00007FF67FF6981044B8();
				_t165 =  *((intOrPtr*)(_t194 + 0x88));
				 *((long long*)(_t194 + 0x40)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x48)) = _t205;
				if (_t165 -  *((intOrPtr*)(_t194 + 0x90)) <= 0) goto 0x98128dd1;
				E00007FF67FF6981044B8();
				 *((long long*)(_t194 + 0x50)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x58)) = _t165;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) = 0;
				E00007FF67FF6980F9750(_t116, _t165, _t191 + 0x240, _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				if ( *((intOrPtr*)(_t194 + 0x88)) == 0) goto 0x98128e36;
				E00007FF67FF6981044D8( *((intOrPtr*)(_t194 + 0x70)), _t165,  *((intOrPtr*)(_t194 + 0x88)), _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF67FF6981044D8( *((intOrPtr*)(_t194 + 0x70)), _t165,  *((intOrPtr*)(_t194 + 0x70)), _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				return 1;
			}

0x7ff698128b10
0x7ff698128b1b
0x7ff698128b22
0x7ff698128b2b
0x7ff698128b2f
0x7ff698128b33
0x7ff698128b44
0x7ff698128b48
0x7ff698128b69
0x7ff698128b6d
0x7ff698128b79
0x7ff698128b82
0x7ff698128b8c
0x7ff698128b90
0x7ff698128b95
0x7ff698128ba4
0x7ff698128bb0
0x7ff698128bb5
0x7ff698128bbb
0x7ff698128bc2
0x7ff698128bc5
0x7ff698128bca
0x7ff698128bdf
0x7ff698128bf8
0x7ff698128bfa
0x7ff698128c15
0x7ff698128c17
0x7ff698128c20
0x7ff698128c25
0x7ff698128c32
0x7ff698128c4a
0x7ff698128c4d
0x7ff698128c54
0x7ff698128c56
0x7ff698128c63
0x7ff698128c6b
0x7ff698128c73
0x7ff698128c83
0x7ff698128c8d
0x7ff698128c96
0x7ff698128c9d
0x7ff698128ca3
0x7ff698128cb3
0x7ff698128cb6
0x7ff698128cbd
0x7ff698128cbf
0x7ff698128cc4
0x7ff698128ccc
0x7ff698128cd8
0x7ff698128cdd
0x7ff698128ce2
0x7ff698128cf0
0x7ff698128cf2
0x7ff698128cf7
0x7ff698128cfc
0x7ff698128d01
0x7ff698128d09
0x7ff698128d11
0x7ff698128d1e
0x7ff698128d25
0x7ff698128d2d
0x7ff698128d32
0x7ff698128d37
0x7ff698128d3f
0x7ff698128d47
0x7ff698128d54
0x7ff698128d5b
0x7ff698128d60
0x7ff698128d6e
0x7ff698128d70
0x7ff698128d75
0x7ff698128d8c
0x7ff698128d91
0x7ff698128d9c
0x7ff698128d9e
0x7ff698128dab
0x7ff698128db8
0x7ff698128dbd
0x7ff698128dc5
0x7ff698128dc7
0x7ff698128dd1
0x7ff698128dd6
0x7ff698128ddb
0x7ff698128de0
0x7ff698128de6
0x7ff698128deb
0x7ff698128df1
0x7ff698128df6
0x7ff698128e04
0x7ff698128e1e
0x7ff698128e2f
0x7ff698128e31
0x7ff698128e36
0x7ff698128e3e
0x7ff698128e46
0x7ff698128e53
0x7ff698128e75

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb120ec78b6aca7237791ca1e518357a6acf2baba424791a472cd37449a4be2c
Instruction ID: 88aa8562caff1492d33280264bcc4c7442769ff3e81bce835fac734f0ca6da66
Opcode Fuzzy Hash: fb120ec78b6aca7237791ca1e518357a6acf2baba424791a472cd37449a4be2c
Instruction Fuzzy Hash: 7C919E22608BC685DA709F35E8803FEA3A0FB86794F944172DA8C97B59CF3CD456D718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981050E0 Relevance: 10.6, APIs: 7, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E00007FF67FF6981050E0(void* __edi, intOrPtr __esi, void* __ebp, long long __rbx, short* __rcx, signed char* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t57;
				void* _t72;
				signed long long _t93;
				intOrPtr* _t97;
				intOrPtr* _t98;
				short* _t101;
				long long _t102;
				long long _t113;
				intOrPtr* _t114;
				void* _t119;
				long long _t121;
				signed char* _t122;
				signed long long _t126;
				void* _t127;
				void* _t134;
				int _t136;
				signed char* _t137;
				void* _t139;
				long long _t141;

				_t93 = _t126;
				 *((long long*)(_t93 + 8)) = __rbx;
				 *((long long*)(_t93 + 0x10)) = _t121;
				 *((long long*)(_t93 + 0x18)) = __rsi;
				 *((long long*)(_t93 + 0x20)) = __rdi;
				_t127 = _t126 - 0x50;
				r14d = 0;
				_t119 = __r8;
				_t137 = __rdx;
				_t101 = __rcx;
				_t113 = _t141;
				if (__rcx == _t141) goto 0x98105123;
				_t72 = __r8 - _t141;
				if (_t72 != 0) goto 0x9810511d;
				goto 0x981052c9;
				if (_t72 <= 0) goto 0x98105123;
				 *((intOrPtr*)(__rcx)) = r14w;
				if (__rdx != _t141) goto 0x98105150;
				E00007FF67FF6981078AC(_t93);
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t127 + 0x20)) = _t141;
				 *_t93 = 0x16;
				E00007FF67FF698104430(_t93, __rcx, __rcx, __rdx, __r8, _t121, __r8, _t141, _t139);
				goto 0x981052c9;
				E00007FF67FF698104E5C(_t93 | 0xffffffff, _t127 + 0x30, __r9);
				if (_t101 == _t141) goto 0x9810526c;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x30)) + 0x14)) != r14d) goto 0x981051c0;
				if (_t119 - _t141 <= 0) goto 0x98105190;
				 *_t101 =  *(_t113 + _t137) & 0x000000ff;
				if ( *(_t113 + _t137) == r14b) goto 0x981051a5;
				_t114 = _t113 + 1;
				_t102 = _t101 + 2;
				if (_t114 - _t119 < 0) goto 0x98105176;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0x981051b8;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0x981051b8;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0x981051b8;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				_t97 = _t114;
				goto 0x981052c9;
				r9d = __edi;
				 *((intOrPtr*)(_t127 + 0x28)) = __esi;
				 *((long long*)(_t127 + 0x20)) = _t102;
				MultiByteToWideChar(_t136, ??, ??, ??, ??);
				if (_t97 != _t141) goto 0x981052b3;
				if (GetLastError() == 0x7a) goto 0x98105206;
				E00007FF67FF6981078AC(_t97);
				 *_t97 = 0x2a;
				 *_t102 = r14w;
				goto 0x98105190;
				r13d = __esi;
				_t122 = _t137;
				if (__esi == r14d) goto 0x9810523e;
				r13d = r13d - 1;
				if ( *_t122 == r14b) goto 0x9810523e;
				if (E00007FF67FF69810F9CC( *_t122 & 0x000000ff,  *_t122 - r14b, _t97, _t134) == r14d) goto 0x98105236;
				if (_t122[1] == r14b) goto 0x981051f5;
				goto 0x9810520f;
				_t98 =  *((intOrPtr*)(_t127 + 0x30));
				r9d = __ebp - r12d;
				 *((intOrPtr*)(_t127 + 0x28)) = __esi;
				 *((long long*)(_t127 + 0x20)) = _t102;
				MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t98 != _t141) goto 0x981052b6;
				goto 0x981051f5;
				if ( *((intOrPtr*)(_t98 + 0x14)) != r14d) goto 0x9810527c;
				E00007FF67FF6981070C0(_t98, _t137);
				goto 0x981052b6;
				r9d = __edi;
				 *((intOrPtr*)(_t127 + 0x28)) = r14d;
				 *((long long*)(_t127 + 0x20)) = _t141;
				MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t98 != _t141) goto 0x981052b3;
				_t57 = E00007FF67FF6981078AC(_t98);
				 *_t98 = 0x2a;
				goto 0x98105190;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0x981052c9;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				return _t57;
			}

0x7ff6981050e0
0x7ff6981050e3
0x7ff6981050e7
0x7ff6981050eb
0x7ff6981050ef
0x7ff6981050f9
0x7ff6981050fd
0x7ff698105100
0x7ff698105103
0x7ff698105106
0x7ff698105109
0x7ff69810510f
0x7ff698105111
0x7ff698105114
0x7ff698105118
0x7ff69810511d
0x7ff69810511f
0x7ff698105126
0x7ff698105128
0x7ff69810512d
0x7ff698105130
0x7ff698105137
0x7ff69810513c
0x7ff698105142
0x7ff69810514b
0x7ff698105158
0x7ff698105165
0x7ff69810516f
0x7ff698105174
0x7ff69810517b
0x7ff698105182
0x7ff698105184
0x7ff698105187
0x7ff69810518e
0x7ff698105195
0x7ff69810519c
0x7ff6981051a3
0x7ff6981051aa
0x7ff6981051b1
0x7ff6981051b8
0x7ff6981051bb
0x7ff6981051cd
0x7ff6981051d0
0x7ff6981051d4
0x7ff6981051d9
0x7ff6981051e4
0x7ff6981051f3
0x7ff6981051f5
0x7ff6981051fa
0x7ff698105200
0x7ff698105204
0x7ff698105206
0x7ff698105209
0x7ff69810520f
0x7ff698105211
0x7ff698105218
0x7ff69810522b
0x7ff698105234
0x7ff69810523c
0x7ff69810523e
0x7ff698105251
0x7ff698105254
0x7ff698105258
0x7ff69810525d
0x7ff698105268
0x7ff69810526a
0x7ff698105270
0x7ff698105275
0x7ff69810527a
0x7ff698105289
0x7ff69810528c
0x7ff698105291
0x7ff698105296
0x7ff6981052a1
0x7ff6981052a3
0x7ff6981052a8
0x7ff6981052ae
0x7ff6981052bb
0x7ff6981052c2
0x7ff6981052e7

APIs

_errno.LIBCMT ref: 00007FF698105128

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 7d651b8da09034c2c0d35e20cf68fc683c853b3f3c94acc4a5abf00da545e554
Instruction ID: 169a2c1af7ab375a1771c3b63f0988e195e1cddec58c060796ac0bcac1264a21
Opcode Fuzzy Hash: 7d651b8da09034c2c0d35e20cf68fc683c853b3f3c94acc4a5abf00da545e554
Instruction Fuzzy Hash: 2351B221A0868386E7708F34A9401BD7BA5FF45BA4F9442B1EA6DA77D5CF3CE460C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811228C Relevance: 10.6, APIs: 7, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF67FF69811228C(signed int __ebx, signed int __ecx, void* __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __rbp, void* __r8, signed int _a8, long long _a24) {
				signed int _v40;
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed int _t34;
				void* _t48;
				void* _t51;
				intOrPtr* _t57;
				intOrPtr* _t58;
				signed long long _t61;
				signed long long _t68;

				_t73 = __r8;
				_t69 = __rbp;
				_t65 = __rdx;
				_t48 = __edi;
				_a24 = __rbx;
				_a8 = __ecx;
				_t66 = __ecx;
				if (__edi != 0xfffffffe) goto 0x981122b8;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98112391;
				if (__ecx < 0) goto 0x9811236e;
				_t51 = _t48 -  *0x981489c0; // 0x20
				if (_t51 >= 0) goto 0x9811236e;
				_t68 = __ecx >> 5;
				_t34 = __ebx & 0x0000001f;
				_t61 = __ecx * 0x58;
				_t57 =  *((intOrPtr*)(0x981489e0 + _t68 * 8));
				if (_t51 != 0) goto 0x98112317;
				E00007FF67FF6981078AC(_t57);
				 *_t57 = 9;
				_v40 = _v40 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t57, _t61, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0x98112391;
				E00007FF67FF69811593C(_t34, __edi, _t61, _t66, _t68, 0x981489e0);
				_t58 =  *((intOrPtr*)(0x981489e0 + _t68 * 8));
				if (( *(_t58 + _t61 + 8) & 0x00000001) == 0) goto 0x98112355;
				E00007FF67FF6981158B8(_t48, 0, _t58, _t61, _t68, _t69, _t73);
				if (FlushFileBuffers(??) != 0) goto 0x98112348;
				GetLastError();
				goto 0x9811234a;
				if (0 == 0) goto 0x98112363;
				E00007FF67FF6981078CC(_t58);
				 *_t58 = 0;
				E00007FF67FF6981078AC(_t58);
				 *_t58 = 9;
				E00007FF67FF6981159E4();
				goto 0x98112391;
				E00007FF67FF6981078AC(_t58);
				 *_t58 = 9;
				_v40 = _v40 & 0x00000000;
				r9d = 0;
				r8d = 0;
				return E00007FF67FF698104430(_t58, _t61, _t58, _t65, _t68, _t69, _t73) | 0xffffffff;
			}

0x7ff69811228c
0x7ff69811228c
0x7ff69811228c
0x7ff69811228c
0x7ff69811228c
0x7ff698112291
0x7ff69811229d
0x7ff6981122a3
0x7ff6981122a5
0x7ff6981122aa
0x7ff6981122b3
0x7ff6981122ba
0x7ff6981122c0
0x7ff6981122c6
0x7ff6981122d2
0x7ff6981122dd
0x7ff6981122e0
0x7ff6981122e4
0x7ff6981122f0
0x7ff6981122f2
0x7ff6981122f7
0x7ff6981122fd
0x7ff698112303
0x7ff698112306
0x7ff69811230d
0x7ff698112315
0x7ff698112319
0x7ff69811231f
0x7ff698112328
0x7ff69811232c
0x7ff69811233c
0x7ff69811233e
0x7ff698112346
0x7ff69811234c
0x7ff69811234e
0x7ff698112353
0x7ff698112355
0x7ff69811235a
0x7ff698112365
0x7ff69811236c
0x7ff69811236e
0x7ff698112373
0x7ff698112379
0x7ff69811237f
0x7ff698112382
0x7ff69811239e

APIs

_errno.LIBCMT ref: 00007FF6981122A5
_errno.LIBCMT ref: 00007FF6981122F2

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 940a07213795119bc703be0b840b2cf50cf32eea5432c9220b670cdf8d9e1718
Instruction ID: 8c36e218aa9d78c2c6a792cb8773ca01f8bacf70453e641e07e923a07aa4b3ff
Opcode Fuzzy Hash: 940a07213795119bc703be0b840b2cf50cf32eea5432c9220b670cdf8d9e1718
Instruction Fuzzy Hash: 1231D121E2864386F730AF35984177D2651EF94768F9842B9EA2EC72D2CF3CA440C31C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810964D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF67FF69810964D(void* __rax, intOrPtr _a32, intOrPtr _a56, intOrPtr _a64, intOrPtr _a72, intOrPtr _a80, intOrPtr* _a96, intOrPtr _a208, intOrPtr* _a216, long long _a224, long long _a232) {
				void* _t36;
				void* _t37;
				void* _t44;
				void* _t53;
				intOrPtr* _t68;

				_t53 = __rax;
				_a32 = 1;
				E00007FF67FF69810B93C(_t37, _t44, __rax);
				 *(_t53 + 0x2c0) =  *(_t53 + 0x2c0) & 0x00000000;
				if (_a208 == 0) goto 0x98109699;
				E00007FF67FF6981093E4(1, _a216);
				r8d =  *((intOrPtr*)(_a64 + 0x18));
				RaiseException(??, ??, ??, ??);
				goto 0x981096b4;
				_t68 = _a216;
				r8d =  *((intOrPtr*)(_t68 + 0x18));
				RaiseException(??, ??, ??, ??);
				r14d = _a32;
				E00007FF67FF69810771C(_t53, _a72, _a80);
				if (r14d != 0) goto 0x9810971d;
				if ( *_t68 != 0xe06d7363) goto 0x9810971d;
				if ( *((intOrPtr*)(_t68 + 0x18)) != 4) goto 0x9810971d;
				if ( *((intOrPtr*)(_t68 + 0x20)) == 0x19930520) goto 0x98109706;
				if ( *((intOrPtr*)(_t68 + 0x20)) == 0x19930521) goto 0x98109706;
				if ( *((intOrPtr*)(_t68 + 0x20)) != 0x19930522) goto 0x9810971d;
				if (E00007FF67FF6981076E8(_t53,  *((intOrPtr*)(_t68 + 0x28))) == 0) goto 0x9810971d;
				E00007FF67FF6981093E4(1, _t68);
				E00007FF67FF69810B93C( *_t68, E00007FF67FF6981076E8(_t53,  *((intOrPtr*)(_t68 + 0x28))), _t53);
				 *((long long*)(_t53 + 0xf0)) = _a224;
				_t36 = E00007FF67FF69810B93C( *_t68, E00007FF67FF6981076E8(_t53,  *((intOrPtr*)(_t68 + 0x28))), _t53);
				 *((long long*)(_t53 + 0xf8)) = _a232;
				 *((long long*)( *((intOrPtr*)(_a56 + 0x1c)) +  *_a96)) = 0xfffffffe;
				return _t36;
			}

0x7ff69810964d
0x7ff69810964d
0x7ff698109655
0x7ff69810965a
0x7ff698109669
0x7ff698109678
0x7ff698109686
0x7ff698109691
0x7ff698109697
0x7ff698109699
0x7ff6981096a5
0x7ff6981096ae
0x7ff6981096b4
0x7ff6981096d3
0x7ff6981096db
0x7ff6981096e3
0x7ff6981096e9
0x7ff6981096f2
0x7ff6981096fb
0x7ff698109704
0x7ff698109711
0x7ff698109718
0x7ff69810971d
0x7ff69810972a
0x7ff698109731
0x7ff698109736
0x7ff69810974a
0x7ff698109765

APIs

_getptd.LIBCMT ref: 00007FF698109655
RaiseException.KERNEL32 ref: 00007FF698109691
RaiseException.KERNEL32 ref: 00007FF6981096AE
_getptd.LIBCMT ref: 00007FF69810971D
_getptd.LIBCMT ref: 00007FF698109731

Strings

csm, xrefs: 00007FF6981096DD

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd$ExceptionRaise
String ID: csm
API String ID: 2255768072-1018135373
Opcode ID: b9f1586c76201837a7cedb49760973dd62f8e83127a431f82f18a74b45bd6239
Instruction ID: c14522ba79c99dcb3e9f3968d61fae7941f09822cdda5d20fe6712c09cf37033
Opcode Fuzzy Hash: b9f1586c76201837a7cedb49760973dd62f8e83127a431f82f18a74b45bd6239
Instruction Fuzzy Hash: 4E313E7660864383EA709F26E45026D7361FB84B51F804172DE9E93B96CF3DE896CF14

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810FE78 Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 47%

			E00007FF67FF69810FE78(void* __ecx, void* __edx, void* __ebp, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* __r13;
				long long _t39;
				void* _t41;
				void* _t44;
				signed long long _t52;
				void* _t62;

				_t54 = __rsi;
				_t44 = __rcx;
				_t39 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t41 = __ecx;
				if ( *0x98143b90 != 0) goto 0x9810feb6;
				E00007FF67FF69810BF50();
				_t4 = _t54 + 0x1d; // 0x1e
				E00007FF67FF69810BD28(_t4, _t41, __rdi, __rsi, __rbp, __r9, _t62);
				E00007FF67FF6981055B4();
				_t52 = _t41 + _t41;
				if ( *((long long*)(0x981410f0 + _t52 * 8)) == 0) goto 0x9810fecf;
				goto 0x9810ff4a;
				E00007FF67FF69810A574(__ebp, _t39, _t41, _t44, __rsi, __rbp);
				if (_t39 != 0) goto 0x9810fef0;
				E00007FF67FF6981078AC(_t39);
				 *_t39 = 0xc;
				goto 0x9810ff4a;
				E00007FF67FF69810FF60();
				if ( *((long long*)(0x981410f0 + _t52 * 8)) != 0) goto 0x9810ff32;
				if (E00007FF67FF698110438() != 0) goto 0x9810ff2b;
				free(??);
				E00007FF67FF6981078AC(_t39);
				 *_t39 = 0xc;
				goto 0x9810ff3b;
				 *((long long*)(0x981410f0 + _t52 * 8)) = _t39;
				goto 0x9810ff3b;
				free(??);
				LeaveCriticalSection(??);
				return 0;
			}

0x7ff69810fe78
0x7ff69810fe78
0x7ff69810fe78
0x7ff69810fe78
0x7ff69810fe7d
0x7ff69810fe82
0x7ff69810fe8d
0x7ff69810fe9d
0x7ff69810fe9f
0x7ff69810fea4
0x7ff69810fea7
0x7ff69810feb1
0x7ff69810feb9
0x7ff69810fec9
0x7ff69810fecd
0x7ff69810fed4
0x7ff69810fedf
0x7ff69810fee1
0x7ff69810fee6
0x7ff69810feee
0x7ff69810fef5
0x7ff69810ff01
0x7ff69810ff12
0x7ff69810ff17
0x7ff69810ff1c
0x7ff69810ff21
0x7ff69810ff29
0x7ff69810ff2b
0x7ff69810ff30
0x7ff69810ff35
0x7ff69810ff42
0x7ff69810ff5f

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF69810FE9F

Part of subcall function 00007FF69810BD28: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF69810BF84,?,?,?,?,00007FF6981048E5,?,?,00000000,00007FF69810A598), ref: 00007FF69810BDEB

Part of subcall function 00007FF6981055B4: ExitProcess.KERNEL32 ref: 00007FF6981055C3

Part of subcall function 00007FF69810A574: malloc.LIBCMT ref: 00007FF69810A593
Part of subcall function 00007FF69810A574: Sleep.KERNEL32(?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF69810A5AA

_errno.LIBCMT ref: 00007FF69810FEE1
_lock.LIBCMT ref: 00007FF69810FEF5
free.LIBCMT ref: 00007FF69810FF17
_errno.LIBCMT ref: 00007FF69810FF1C
LeaveCriticalSection.KERNEL32(?,?,?,00007FF69810FF83), ref: 00007FF69810FF42

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: ac058671c3edeb939d153bb6fb2abfec8c3f6b002bac18dcab764f1b054be2dd
Instruction ID: 7a21aedf444b66975fb62b8f78ff86d0c63200dd3178773ca5e187520876bee5
Opcode Fuzzy Hash: ac058671c3edeb939d153bb6fb2abfec8c3f6b002bac18dcab764f1b054be2dd
Instruction Fuzzy Hash: 28216822E1964382F674AF30A85637A6295EF85784F8444B5EA4EC77C2CF3CE861C718

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FCEF0 Relevance: 9.2, APIs: 6, Instructions: 159
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00007FF67FF6980FCEF0(void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t68;
				void* _t71;
				intOrPtr _t105;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				signed long long _t113;
				intOrPtr _t116;
				intOrPtr* _t120;
				intOrPtr _t122;
				intOrPtr _t123;
				long long _t126;
				long long* _t129;
				long long* _t130;
				signed long long _t144;
				signed long long _t148;
				signed long long _t150;
				intOrPtr* _t153;
				void* _t156;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				void* _t164;
				signed long long _t166;
				void* _t168;
				intOrPtr* _t169;
				void* _t171;

				_t159 = __r8;
				_t155 = __rbp;
				_t162 = _t156;
				 *((long long*)(_t162 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t162 + 0x10)) = __rbx;
				 *((long long*)(_t162 + 0x18)) = __rsi;
				_t169 = __r8;
				_t153 = __rdx;
				_t126 = __rcx;
				_t129 = _t162 - 0x38;
				 *_t129 =  *__rdx;
				 *((long long*)(_t129 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t130 = _t162 - 0x50;
				 *_t130 =  *__r8;
				 *((long long*)(_t130 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t105 =  *((intOrPtr*)(_t162 - 0x50));
				if (_t105 == 0xfffffffc) goto 0x980fcf5c;
				if (_t105 == 0) goto 0x980fcf57;
				if (_t105 ==  *((intOrPtr*)(_t162 - 0x38))) goto 0x980fcf5c;
				E00007FF67FF6981044B8();
				_t144 = _v72 - _v48 >> 1;
				_t148 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t148 - _t144 > 0) goto 0x980fcfa6;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t144) goto 0x980fcfa6;
				r8b = 1;
				if (E00007FF67FF6980F24C0(__rcx, __rcx, _t144, __rdx, __rbp, _t164, _t171, _t168) == 0) goto 0x980fcfa6;
				 *(_t126 + 0x18) = _t148;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0x980fcf98;
				goto 0x980fcf9c;
				r13d = 0;
				 *((intOrPtr*)(_t126 + 8 + _t148 * 2)) = r13w;
				goto 0x980fcfa9;
				r13d = 0;
				_t108 =  *_t153;
				if (_t108 == 0xfffffffc) goto 0x980fcfcb;
				if (_t108 == 0) goto 0x980fcfc6;
				if (_t108 ==  *_t169) goto 0x980fcfcb;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t153 + 8)) ==  *((intOrPtr*)(_t169 + 8))) goto 0x980fd0f4;
				_t110 =  *_t153;
				if (_t110 == 0xfffffffc) goto 0x980fd013;
				if (_t110 != 0) goto 0x980fcfec;
				E00007FF67FF6981044B8();
				_t111 =  *_t153;
				if ( *((long long*)(_t111 + 0x20)) - 8 < 0) goto 0x980fcffc;
				goto 0x980fd000;
				if ( *((intOrPtr*)(_t153 + 8)) - _t111 + 8 +  *(_t111 + 0x18) * 2 < 0) goto 0x980fd013;
				E00007FF67FF6981044B8();
				_t113 =  *((intOrPtr*)(_t153 + 8));
				r12d =  *_t113 & 0x0000ffff;
				if ((_t113 | 0xffffffff) -  *(_t126 + 0x18) - 1 > 0) goto 0x980fd02e;
				E00007FF67FF6981033CC((_t113 | 0xffffffff) -  *(_t126 + 0x18), _t126, _t148, _t155, _t159, _t161);
				_t150 =  *(_t126 + 0x18) + 1;
				if (_t150 - 0xfffffffe <= 0) goto 0x980fd03f;
				_t68 = E00007FF67FF6981033CC((_t113 | 0xffffffff) -  *(_t126 + 0x18), _t126, _t150, _t155, _t159, _t161);
				_t116 =  *((intOrPtr*)(_t126 + 0x20));
				if (_t116 - _t150 >= 0) goto 0x980fd059;
				E00007FF67FF6980F26D0(_t68, _t126, _t150,  *(_t126 + 0x18), _t166, _t164);
				goto 0x980fd078;
				if (_t150 != 0) goto 0x980fd078;
				 *(_t126 + 0x18) = _t166;
				if (_t116 - 8 < 0) goto 0x980fd06e;
				goto 0x980fd072;
				 *((intOrPtr*)(_t126 + 8)) = r13w;
				goto 0x980fd0b0;
				if (_t150 == 0) goto 0x980fd0b0;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0x980fd091;
				goto 0x980fd098;
				_t120 = _t126 + 8;
				 *((intOrPtr*)(_t120 +  *(_t126 + 0x18) * 2)) = r12w;
				 *(_t126 + 0x18) = _t150;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0x980fd0ab;
				 *((intOrPtr*)( *_t120 + _t150 * 2)) = r13w;
				_t122 =  *_t153;
				if (_t122 == 0xfffffffc) goto 0x980fd0ea;
				if (_t122 != 0) goto 0x980fd0c3;
				E00007FF67FF6981044B8();
				_t123 =  *_t153;
				if ( *((long long*)(_t123 + 0x20)) - 8 < 0) goto 0x980fd0d3;
				goto 0x980fd0d7;
				if ( *((intOrPtr*)(_t153 + 8)) - _t123 + 8 +  *(_t123 + 0x18) * 2 < 0) goto 0x980fd0ea;
				_t71 = E00007FF67FF6981044B8();
				 *((long long*)(_t153 + 8)) =  *((long long*)(_t153 + 8)) + 2;
				goto 0x980fcfb3;
				return _t71;
			}

0x7ff6980fcef0
0x7ff6980fcef0
0x7ff6980fcef0
0x7ff6980fcef3
0x7ff6980fcf04
0x7ff6980fcf0d
0x7ff6980fcf11
0x7ff6980fcf15
0x7ff6980fcf18
0x7ff6980fcf1b
0x7ff6980fcf1e
0x7ff6980fcf25
0x7ff6980fcf2c
0x7ff6980fcf30
0x7ff6980fcf37
0x7ff6980fcf3e
0x7ff6980fcf42
0x7ff6980fcf4a
0x7ff6980fcf4f
0x7ff6980fcf55
0x7ff6980fcf57
0x7ff6980fcf66
0x7ff6980fcf69
0x7ff6980fcf70
0x7ff6980fcf76
0x7ff6980fcf78
0x7ff6980fcf85
0x7ff6980fcf87
0x7ff6980fcf90
0x7ff6980fcf96
0x7ff6980fcf9c
0x7ff6980fcf9f
0x7ff6980fcfa4
0x7ff6980fcfa6
0x7ff6980fcfb3
0x7ff6980fcfba
0x7ff6980fcfbf
0x7ff6980fcfc4
0x7ff6980fcfc6
0x7ff6980fcfd3
0x7ff6980fcfd9
0x7ff6980fcfe0
0x7ff6980fcfe5
0x7ff6980fcfe7
0x7ff6980fcfec
0x7ff6980fcff4
0x7ff6980fcffa
0x7ff6980fd00c
0x7ff6980fd00e
0x7ff6980fd013
0x7ff6980fd017
0x7ff6980fd027
0x7ff6980fd029
0x7ff6980fd032
0x7ff6980fd038
0x7ff6980fd03a
0x7ff6980fd03f
0x7ff6980fd046
0x7ff6980fd052
0x7ff6980fd057
0x7ff6980fd05c
0x7ff6980fd05e
0x7ff6980fd066
0x7ff6980fd06c
0x7ff6980fd072
0x7ff6980fd076
0x7ff6980fd07b
0x7ff6980fd086
0x7ff6980fd08f
0x7ff6980fd091
0x7ff6980fd098
0x7ff6980fd09d
0x7ff6980fd0a6
0x7ff6980fd0ab
0x7ff6980fd0b0
0x7ff6980fd0b7
0x7ff6980fd0bc
0x7ff6980fd0be
0x7ff6980fd0c3
0x7ff6980fd0cb
0x7ff6980fd0d1
0x7ff6980fd0e3
0x7ff6980fd0e5
0x7ff6980fd0ea
0x7ff6980fd0ef
0x7ff6980fd10d

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FCF57
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FCFC6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FCFE7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD00E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD0BE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD0E5

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7f6f2e91ed5572e42ace02233fa957f2e227a56f2aac9c965945f59fe9a565ff
Instruction ID: 79a8943f89ac3214e7699f4af58c8099455d22cacd737173a21ff5d6173147b5
Opcode Fuzzy Hash: 7f6f2e91ed5572e42ace02233fa957f2e227a56f2aac9c965945f59fe9a565ff
Instruction Fuzzy Hash: 54616D32608B5280EA349F35D48512CB3A5FB64BA4B958375CE6D873E4DF38E896D34C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F3030 Relevance: 9.1, APIs: 6, Instructions: 149
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00007FF67FF6980F3030(void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v64;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t58;
				void* _t61;
				intOrPtr _t91;
				intOrPtr _t94;
				signed long long _t101;
				intOrPtr _t104;
				intOrPtr* _t108;
				long long _t116;
				long long* _t119;
				long long* _t120;
				void* _t127;
				intOrPtr* _t131;
				signed long long _t134;
				signed long long _t136;
				void* _t139;
				intOrPtr* _t142;
				void* _t144;
				void* _t145;
				signed long long _t147;
				void* _t149;
				void* _t151;
				intOrPtr* _t152;
				void* _t154;

				_t142 = __r8;
				_t138 = __rbp;
				_t145 = _t139;
				 *((long long*)(_t145 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t145 + 0x10)) = __rbx;
				 *((long long*)(_t145 + 0x18)) = __rsi;
				_t152 = __r8;
				_t131 = __rdx;
				_t116 = __rcx;
				_t119 = _t145 - 0x48;
				 *_t119 =  *__r8;
				 *((long long*)(_t119 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t120 = _t145 - 0x38;
				 *_t120 =  *__rdx;
				 *((long long*)(_t120 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t91 =  *((intOrPtr*)(_t145 - 0x48));
				if (_t91 == 0) goto 0x980f3091;
				if (_t91 ==  *((intOrPtr*)(_t145 - 0x38))) goto 0x980f3096;
				E00007FF67FF6981044B8();
				_t127 = _v64 - _v48;
				_t134 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t134 - _t127 > 0) goto 0x980f30dd;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t127) goto 0x980f30dd;
				r8b = 1;
				if (E00007FF67FF6980F24C0(__rcx, __rcx, _t127, _t134, __rbp, _t147, _t154, _t151) == 0) goto 0x980f30dd;
				 *(_t116 + 0x18) = _t134;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0x980f30cf;
				goto 0x980f30d3;
				r12d = 0;
				 *((intOrPtr*)(_t116 + 8 + _t134 * 2)) = r12w;
				goto 0x980f30e0;
				r12d = 0;
				asm("o16 nop [eax+eax]");
				_t94 =  *_t131;
				if (_t94 == 0) goto 0x980f30fd;
				if (_t94 ==  *_t152) goto 0x980f3102;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(_t131 + 8)) ==  *((intOrPtr*)(_t152 + 8))) goto 0x980f320e;
				if ( *_t131 != 0) goto 0x980f312a;
				E00007FF67FF6981044B8();
				if ( *_t131 != 0) goto 0x980f312a;
				goto 0x980f312d;
				if ( *((intOrPtr*)(_t131 + 8)) -  *((intOrPtr*)( *_t147 + 0x20)) < 0) goto 0x980f313c;
				E00007FF67FF6981044B8();
				_t101 =  *((intOrPtr*)(_t131 + 8));
				r13d =  *_t101 & 0x000000ff;
				if ((_t101 | 0xffffffff) -  *(_t116 + 0x18) - 1 > 0) goto 0x980f3157;
				E00007FF67FF6981033CC((_t101 | 0xffffffff) -  *(_t116 + 0x18), _t116, _t131, _t138, _t142, _t144);
				_t136 =  *(_t116 + 0x18) + 1;
				if (_t136 - 0xfffffffe <= 0) goto 0x980f3168;
				_t58 = E00007FF67FF6981033CC((_t101 | 0xffffffff) -  *(_t116 + 0x18), _t116, _t131, _t138, _t142, _t144);
				_t104 =  *((intOrPtr*)(_t116 + 0x20));
				if (_t104 - _t136 >= 0) goto 0x980f3182;
				E00007FF67FF6980F26D0(_t58, _t116, _t136,  *(_t116 + 0x18), _t149, _t147);
				goto 0x980f31a1;
				if (_t136 != 0) goto 0x980f31a1;
				 *(_t116 + 0x18) = _t147;
				if (_t104 - 8 < 0) goto 0x980f3197;
				goto 0x980f319b;
				 *((intOrPtr*)(_t116 + 8)) = r12w;
				goto 0x980f31d9;
				if (_t136 == 0) goto 0x980f31d9;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0x980f31ba;
				goto 0x980f31c1;
				_t108 = _t116 + 8;
				 *((intOrPtr*)(_t108 +  *(_t116 + 0x18) * 2)) = r13w;
				 *(_t116 + 0x18) = _t136;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0x980f31d4;
				 *((intOrPtr*)( *_t108 + _t136 * 2)) = r12w;
				if ( *_t131 != 0) goto 0x980f31f3;
				E00007FF67FF6981044B8();
				if ( *_t131 != 0) goto 0x980f31f3;
				goto 0x980f31f6;
				if ( *((intOrPtr*)(_t131 + 8)) -  *((intOrPtr*)( *_t147 + 0x20)) < 0) goto 0x980f3205;
				_t61 = E00007FF67FF6981044B8();
				 *((long long*)(_t131 + 8)) =  *((long long*)(_t131 + 8)) + 1;
				goto 0x980f30f0;
				return _t61;
			}

0x7ff6980f3030
0x7ff6980f3030
0x7ff6980f3030
0x7ff6980f3033
0x7ff6980f3044
0x7ff6980f304d
0x7ff6980f3051
0x7ff6980f3055
0x7ff6980f3058
0x7ff6980f305b
0x7ff6980f305e
0x7ff6980f3065
0x7ff6980f306c
0x7ff6980f3070
0x7ff6980f3077
0x7ff6980f307e
0x7ff6980f3082
0x7ff6980f3089
0x7ff6980f308f
0x7ff6980f3091
0x7ff6980f309b
0x7ff6980f30a0
0x7ff6980f30a7
0x7ff6980f30ad
0x7ff6980f30af
0x7ff6980f30bc
0x7ff6980f30be
0x7ff6980f30c7
0x7ff6980f30cd
0x7ff6980f30d3
0x7ff6980f30d6
0x7ff6980f30db
0x7ff6980f30dd
0x7ff6980f30ea
0x7ff6980f30f0
0x7ff6980f30f6
0x7ff6980f30fb
0x7ff6980f30fd
0x7ff6980f310a
0x7ff6980f3116
0x7ff6980f3118
0x7ff6980f3123
0x7ff6980f3128
0x7ff6980f3135
0x7ff6980f3137
0x7ff6980f313c
0x7ff6980f3140
0x7ff6980f3150
0x7ff6980f3152
0x7ff6980f315b
0x7ff6980f3161
0x7ff6980f3163
0x7ff6980f3168
0x7ff6980f316f
0x7ff6980f317b
0x7ff6980f3180
0x7ff6980f3185
0x7ff6980f3187
0x7ff6980f318f
0x7ff6980f3195
0x7ff6980f319b
0x7ff6980f319f
0x7ff6980f31a4
0x7ff6980f31af
0x7ff6980f31b8
0x7ff6980f31ba
0x7ff6980f31c1
0x7ff6980f31c6
0x7ff6980f31cf
0x7ff6980f31d4
0x7ff6980f31df
0x7ff6980f31e1
0x7ff6980f31ec
0x7ff6980f31f1
0x7ff6980f31fe
0x7ff6980f3200
0x7ff6980f3205
0x7ff6980f3209
0x7ff6980f3227

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F3091
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F30FD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F3118
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F3137
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F31E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F3200

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 06a8641fa43e2610765a8969c89ceab00d32e648021870bd44166826c331591f
Instruction ID: 6f13b3ec40db71853c316d18b7990b254b8e23ae79567512100becc7f9017c10
Opcode Fuzzy Hash: 06a8641fa43e2610765a8969c89ceab00d32e648021870bd44166826c331591f
Instruction Fuzzy Hash: 52516F22A09B4580EB249F35D48402C73A4FB14FA4F96867ADE6D877D4DF38E8A1D35C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810F7AC Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF67FF69810F7AC(void* __ecx, void* __edx, void* __ebp, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r10, void* __r11, long long __r12, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _v24;
				void* _t46;
				signed int _t49;
				char _t55;
				void* _t64;
				void* _t69;
				signed int _t78;
				long long _t89;
				intOrPtr* _t90;
				long long _t93;
				void* _t95;
				long long _t102;
				long long _t109;
				long long _t112;
				void* _t118;
				void* _t124;

				_t118 = __r11;
				_t95 = __rcx;
				_t64 = __edx;
				_t58 = __ecx;
				_t89 = _t112;
				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = __rsi;
				 *((long long*)(_t89 + 0x18)) = __rdi;
				 *((long long*)(_t89 + 0x20)) = __r12;
				_t69 = __ecx;
				r13d = r13d | 0xffffffff;
				E00007FF67FF69810B93C(__ecx, __eflags, _t89);
				_t109 = _t89;
				E00007FF67FF69810F3E8(_t58, __eflags, _t89, __rbx, _t124);
				_t46 = E00007FF67FF69810F4A4(_t69, __eflags, _t89);
				r12d = _t46;
				if (_t46 ==  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0xb8)) + 4))) goto 0x9810f981;
				E00007FF67FF69810A574(__ebp, _t89,  *((intOrPtr*)(_t109 + 0xb8)), _t95, _t109, __rbp);
				_t93 = _t89;
				if (_t89 == __rdi) goto 0x9810f986;
				r8d = 0x220;
				E00007FF67FF69810AE90(0x220, _t89 - __rdi, _t89,  *((intOrPtr*)(_t109 + 0xb8)), __r8);
				 *_t93 = 0;
				_t49 = E00007FF67FF69810F534(r12d, _t64, __esp, _t89 - __rdi, _t93, _t93, __r8, __r10, _t118);
				r13d = _t49;
				_t78 = _t49;
				if (_t78 != 0) goto 0x9810f95b;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t78 != 0) goto 0x9810f85e;
				if ( *((intOrPtr*)(_t109 + 0xb8)) == 0x98140bb0) goto 0x9810f865;
				free(??);
				goto 0x9810f865;
				 *((long long*)(_t109 + 0xb8)) = _t93;
				asm("lock add dword [ebx], 0x1");
				if (( *(_t109 + 0xc8) & 0x00000002) != 0) goto 0x9810f986;
				if (( *0x98140a10 & 0x00000001) != 0) goto 0x9810f986;
				E00007FF67FF69810FF60();
				 *0x98143bd4 =  *((intOrPtr*)(_t93 + 4));
				 *0x98143bd8 =  *((intOrPtr*)(_t93 + 8));
				 *0x98143bdc =  *((intOrPtr*)(_t93 + 0xc));
				_v24 = 0;
				if (0 - 5 >= 0) goto 0x9810f8db;
				 *0x7FF698143BC8 =  *(_t93 + 0x10) & 0x0000ffff;
				_v24 = 1;
				goto 0x9810f8bd;
				_v24 = 0;
				if (0 - 0x101 >= 0) goto 0x9810f900;
				 *0x7FF698140DD0 =  *((intOrPtr*)(0 + _t93 + 0x1c));
				_v24 = 1;
				goto 0x9810f8e1;
				_v24 = 0;
				if (0 - 0x100 >= 0) goto 0x9810f926;
				_t55 =  *((intOrPtr*)(0 + _t93 + 0x11d));
				 *0x7FF698140EE0 = _t55;
				_v24 = 1;
				goto 0x9810f904;
				_t90 =  *0x98140fe0; // 0x29a6d30
				asm("lock add dword [eax], 0xffffffff");
				if (0 != 0x100) goto 0x9810f944;
				_t102 =  *0x98140fe0; // 0x29a6d30
				if (_t102 == 0x98140bb0) goto 0x9810f944;
				free(??);
				 *0x98140fe0 = _t93;
				asm("lock add dword [ebx], 0x1");
				E00007FF67FF69810FE60();
				goto 0x9810f986;
				if (_t55 != 0xffffffff) goto 0x9810f986;
				if (_t93 == 0x98140bb0) goto 0x9810f974;
				free(??);
				E00007FF67FF6981078AC(_t90);
				 *_t90 = 0x16;
				goto 0x9810f986;
				r13d = 0;
				return r13d;
			}

0x7ff69810f7ac
0x7ff69810f7ac
0x7ff69810f7ac
0x7ff69810f7ac
0x7ff69810f7ac
0x7ff69810f7af
0x7ff69810f7b3
0x7ff69810f7b7
0x7ff69810f7bb
0x7ff69810f7c5
0x7ff69810f7c7
0x7ff69810f7cb
0x7ff69810f7d0
0x7ff69810f7d3
0x7ff69810f7e1
0x7ff69810f7e6
0x7ff69810f7ec
0x7ff69810f7f7
0x7ff69810f7fc
0x7ff69810f804
0x7ff69810f814
0x7ff69810f81a
0x7ff69810f81f
0x7ff69810f827
0x7ff69810f82c
0x7ff69810f82f
0x7ff69810f831
0x7ff69810f83e
0x7ff69810f842
0x7ff69810f855
0x7ff69810f857
0x7ff69810f85c
0x7ff69810f865
0x7ff69810f86c
0x7ff69810f877
0x7ff69810f884
0x7ff69810f88f
0x7ff69810f898
0x7ff69810f8a1
0x7ff69810f8aa
0x7ff69810f8b2
0x7ff69810f8c0
0x7ff69810f8ca
0x7ff69810f8d5
0x7ff69810f8d9
0x7ff69810f8dd
0x7ff69810f8e7
0x7ff69810f8f0
0x7ff69810f8fa
0x7ff69810f8fe
0x7ff69810f900
0x7ff69810f90a
0x7ff69810f90f
0x7ff69810f916
0x7ff69810f920
0x7ff69810f924
0x7ff69810f926
0x7ff69810f92d
0x7ff69810f931
0x7ff69810f933
0x7ff69810f93d
0x7ff69810f93f
0x7ff69810f944
0x7ff69810f94b
0x7ff69810f954
0x7ff69810f959
0x7ff69810f95e
0x7ff69810f96a
0x7ff69810f96f
0x7ff69810f974
0x7ff69810f979
0x7ff69810f97f
0x7ff69810f983
0x7ff69810f9a3

APIs

_getptd.LIBCMT ref: 00007FF69810F7CB

Part of subcall function 00007FF69810F3E8: _getptd.LIBCMT ref: 00007FF69810F3F2

Part of subcall function 00007FF69810F4A4: GetOEMCP.KERNEL32 ref: 00007FF69810F4CE

Part of subcall function 00007FF69810A574: malloc.LIBCMT ref: 00007FF69810A593
Part of subcall function 00007FF69810A574: Sleep.KERNEL32(?,?,00000000,00007FF69810FED9,?,?,?,00007FF69810FF83), ref: 00007FF69810A5AA

free.LIBCMT ref: 00007FF69810F857

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

_lock.LIBCMT ref: 00007FF69810F88F
free.LIBCMT ref: 00007FF69810F93F
free.LIBCMT ref: 00007FF69810F96F
_errno.LIBCMT ref: 00007FF69810F974

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: dbefac1bd4e860cba46ec646c9f1af48dc9b2591202d1de2f3d620e5c24df54c
Instruction ID: d79d919400eb7e7ba893fc1e21a0693f1714cbb8faa594d56fa9cc329e6ea707
Opcode Fuzzy Hash: dbefac1bd4e860cba46ec646c9f1af48dc9b2591202d1de2f3d620e5c24df54c
Instruction Fuzzy Hash: 0E51D37290868386E770DF719841279B6A1FB84B58F9441B6EA9EC73E5CF3CE452C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698129FC0 Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF698129FC0(void* __edx, long long __rbx, void* __rcx, long long __rsi) {
				void* _t40;
				void* _t42;
				intOrPtr _t60;
				intOrPtr* _t61;
				long long _t63;
				long long _t72;
				intOrPtr _t73;
				intOrPtr* _t77;
				long long* _t78;
				intOrPtr* _t80;
				long long _t87;
				void* _t90;
				void* _t91;

				 *((long long*)(_t90 + 8)) = __rbx;
				 *((long long*)(_t90 + 0x10)) = _t87;
				 *((long long*)(_t90 + 0x18)) = __rsi;
				_t91 = _t90 - 0x50;
				_t42 = __edx;
				_t60 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x60)) + 8));
				if ( *((char*)(_t60 + 0x29)) != 0) goto 0x98129ffe;
				if ( *((intOrPtr*)(_t60 + 0x18)) - __edx >= 0) goto 0x98129ff2;
				_t61 =  *((intOrPtr*)(_t60 + 0x10));
				goto 0x98129ff8;
				_t72 = _t61;
				if ( *((char*)( *_t61 + 0x29)) == 0) goto 0x98129fe7;
				_t63 =  *((intOrPtr*)(__rcx + 0x30));
				 *((long long*)(_t91 + 0x28)) = _t72;
				 *((long long*)(_t91 + 0x20)) = _t63;
				if (_t63 == 0) goto 0x9812a01a;
				if (_t63 == _t63) goto 0x9812a01f;
				E00007FF67FF6981044B8();
				if (_t72 ==  *((intOrPtr*)(__rcx + 0x60))) goto 0x9812a030;
				if (_t42 -  *((intOrPtr*)(_t72 + 0x18)) < 0) goto 0x9812a030;
				goto 0x9812a047;
				_t77 = _t91 + 0x30;
				 *((long long*)(_t91 + 0x38)) =  *((intOrPtr*)(__rcx + 0x60));
				 *((long long*)(_t91 + 0x30)) =  *((intOrPtr*)(__rcx + 0x30));
				_t78 = _t91 + 0x40;
				 *_t78 =  *_t77;
				 *((long long*)(_t78 + 8)) =  *((intOrPtr*)(_t77 + 8));
				_t80 =  *((intOrPtr*)(_t91 + 0x40));
				if (_t80 == 0) goto 0x9812a06e;
				if (_t80 ==  *((intOrPtr*)(__rcx + 0x30))) goto 0x9812a073;
				E00007FF67FF6981044B8();
				_t73 =  *((intOrPtr*)(_t91 + 0x48));
				if (_t73 ==  *((intOrPtr*)(__rcx + 0x60))) goto 0x9812a0c3;
				if (_t80 != 0) goto 0x9812a08e;
				E00007FF67FF6981044B8();
				goto 0x9812a091;
				if (_t73 !=  *((intOrPtr*)( *_t80 + 0x30))) goto 0x9812a09c;
				E00007FF67FF6981044B8();
				if ( *((long long*)(_t73 + 0x20)) == 0xffffffff) goto 0x9812a0c3;
				if (_t80 != 0) goto 0x9812a0af;
				E00007FF67FF6981044B8();
				goto 0x9812a0b2;
				if (_t73 !=  *((intOrPtr*)( *_t80 + 0x30))) goto 0x9812a0bd;
				_t40 = E00007FF67FF6981044B8();
				goto 0x9812a0c7;
				return _t40;
			}

0x7ff698129fc0
0x7ff698129fc5
0x7ff698129fca
0x7ff698129fd0
0x7ff698129fd8
0x7ff698129fdd
0x7ff698129fe5
0x7ff698129fea
0x7ff698129fec
0x7ff698129ff0
0x7ff698129ff2
0x7ff698129ffc
0x7ff698129ffe
0x7ff69812a006
0x7ff69812a00b
0x7ff69812a013
0x7ff69812a018
0x7ff69812a01a
0x7ff69812a022
0x7ff69812a027
0x7ff69812a02e
0x7ff69812a034
0x7ff69812a039
0x7ff69812a042
0x7ff69812a04e
0x7ff69812a053
0x7ff69812a05a
0x7ff69812a05e
0x7ff69812a066
0x7ff69812a06c
0x7ff69812a06e
0x7ff69812a073
0x7ff69812a07b
0x7ff69812a082
0x7ff69812a084
0x7ff69812a08c
0x7ff69812a095
0x7ff69812a097
0x7ff69812a0a1
0x7ff69812a0a6
0x7ff69812a0a8
0x7ff69812a0ad
0x7ff69812a0b6
0x7ff69812a0b8
0x7ff69812a0c1
0x7ff69812a0db

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A01A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A06E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A084
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A097
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A0A8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A0B8

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b1dad616f5987b4a8820b29c662f81acca57bbf043e1374bbabc96fa387b78c7
Instruction ID: e49823be2fb830ba08167b1f98e8f29dcef6df5e9983f6353c8e64a95d681f2f
Opcode Fuzzy Hash: b1dad616f5987b4a8820b29c662f81acca57bbf043e1374bbabc96fa387b78c7
Instruction Fuzzy Hash: 4F315F32A09B4382EBB19F25D04056C77A1FB45BA4F9802B1EA9C877D5DF2CE852C34C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698115A0C Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 00007FF698115A3A

Part of subcall function 00007FF698115FDC: CreateFileA.KERNEL32 ref: 00007FF698116005

WriteConsoleW.KERNEL32 ref: 00007FF698115A66
GetLastError.KERNEL32 ref: 00007FF698115A81
GetConsoleOutputCP.KERNEL32(?,?,?,?,00007FF698111218,?,?,?,00000001,00000000,?,00000001,00007FF69811171C), ref: 00007FF698115A93
WideCharToMultiByte.KERNEL32 ref: 00007FF698115AC6
WriteConsoleA.KERNEL32 ref: 00007FF698115AEC

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: b6307e78168ad8cfc449806c29395060a627c9e19e62e9274fd19f5beea39485
Instruction ID: bb7f579144eefd6df45f4f6198bae50f3d21160620161889269046946a93f943
Opcode Fuzzy Hash: b6307e78168ad8cfc449806c29395060a627c9e19e62e9274fd19f5beea39485
Instruction Fuzzy Hash: 5B311C21A1CA4782E7708B30E8443BA63A1FB957A9FA00375E56DC75E4DF7CD544CB08

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810B8B8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871,?,?,?,00007FF698104219), ref: 00007FF69810B8C2
FlsGetValue.KERNEL32(?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871,?,?,?,00007FF698104219), ref: 00007FF69810B8D0
SetLastError.KERNEL32(?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871,?,?,?,00007FF698104219), ref: 00007FF69810B928

Part of subcall function 00007FF69810A5E0: Sleep.KERNEL32(?,?,?,00007FF69810B8EB,?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871), ref: 00007FF69810A625

FlsSetValue.KERNEL32(?,?,?,00007FF6981078B5,?,?,?,?,00007FF698104871,?,?,?,00007FF698104219), ref: 00007FF69810B8FC
free.LIBCMT ref: 00007FF69810B91F

Part of subcall function 00007FF69810B804: _lock.LIBCMT ref: 00007FF69810B854
Part of subcall function 00007FF69810B804: _lock.LIBCMT ref: 00007FF69810B874

GetCurrentThreadId.KERNEL32 ref: 00007FF69810B910

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 47fe6f310744996d0618dde16060a0968cc8db3ffcff5d940b5b223bec7bd5a3
Instruction ID: 278a0c3e200df36d5c80c87eac9c556ee512537be69038c7039cb0e98196df29
Opcode Fuzzy Hash: 47fe6f310744996d0618dde16060a0968cc8db3ffcff5d940b5b223bec7bd5a3
Instruction Fuzzy Hash: A8014D65E0974382FB745F75988413C62D1EF887A0F848675D91EC73E5DE3CE854C618

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981133F4 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF698113412

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

free.LIBCMT ref: 00007FF698113424
free.LIBCMT ref: 00007FF698113436
free.LIBCMT ref: 00007FF698113448
free.LIBCMT ref: 00007FF69811345A
free.LIBCMT ref: 00007FF69811346C
free.LIBCMT ref: 00007FF69811347E

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 864e03c431a6d3e9e346be6ff6aff8a7b4752ac3b6a64fe7f5e624e93be13a61
Instruction ID: 3d95f3763f7711b7d5c8b054e27011e65690f567581469f0b850e90b2bba9303
Opcode Fuzzy Hash: 864e03c431a6d3e9e346be6ff6aff8a7b4752ac3b6a64fe7f5e624e93be13a61
Instruction Fuzzy Hash: 75018A12E0944391EAB1EBB2D4D10782765EFD0B48FC504BAD90EC7996CE2CF890D25D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698109204 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00007FF67FF698109204(intOrPtr* __rcx) {
				void* _t11;
				intOrPtr* _t16;

				_t16 =  *((intOrPtr*)(__rcx));
				if ( *_t16 == 0xe0434f4d) goto 0x9810922d;
				_t13 =  *_t16 - 0xe06d7363;
				if ( *_t16 != 0xe06d7363) goto 0x98109246;
				E00007FF67FF69810B93C(_t11,  *_t16 - 0xe06d7363, _t16);
				 *(_t16 + 0x100) =  *(_t16 + 0x100) & 0x00000000;
				E00007FF67FF698110124( *_t16 - 0xe06d7363, _t16);
				asm("int3");
				E00007FF67FF69810B93C(_t11, _t13, _t16);
				if ( *(_t16 + 0x100) <= 0) goto 0x98109246;
				E00007FF67FF69810B93C(_t11,  *(_t16 + 0x100), _t16);
				 *(_t16 + 0x100) =  *(_t16 + 0x100) - 1;
				return 0;
			}

0x7ff698109208
0x7ff698109211
0x7ff698109213
0x7ff698109219
0x7ff69810921b
0x7ff698109220
0x7ff698109227
0x7ff69810922c
0x7ff69810922d
0x7ff698109239
0x7ff69810923b
0x7ff698109240
0x7ff69810924c

APIs

_getptd.LIBCMT ref: 00007FF69810921B

Part of subcall function 00007FF698110124: _getptd.LIBCMT ref: 00007FF698110128

_getptd.LIBCMT ref: 00007FF69810922D
_getptd.LIBCMT ref: 00007FF69810923B

Strings

MOC, xrefs: 00007FF69810920B
csm, xrefs: 00007FF698109213

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd
String ID: MOC$csm
API String ID: 3186804695-1389381023
Opcode ID: 00ecfaa5011b527fe4e670c7211831b1227f345612b3d7dc83072e452741e803
Instruction ID: 2c56593eeebd96d3ea7ff3da6238b707222d55832a308e924781d813ed450cf3
Opcode Fuzzy Hash: 00ecfaa5011b527fe4e670c7211831b1227f345612b3d7dc83072e452741e803
Instruction Fuzzy Hash: 94E0E5B6D0924386E6252FB1C8463B835B0EB59B15FD6D0B0C24C823828FBC68A0CA56

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811348C Relevance: 7.7, APIs: 6, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF67FF69811348C(void* __ebp, signed int __rbx, long long __rcx, signed int __rdi, signed int __rsi, void* __r8, void* __r9) {
				signed int _t88;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				char _t105;
				char _t106;
				char _t107;
				signed int _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t142;
				signed int* _t149;
				signed int* _t157;
				signed int* _t159;
				signed int _t176;
				char* _t213;
				char* _t214;
				signed int _t216;
				long long _t219;
				signed int _t221;
				signed int* _t223;
				signed int* _t225;
				void* _t226;
				char* _t229;
				void* _t232;
				void* _t233;
				signed int* _t234;
				void* _t236;
				signed int* _t237;
				void* _t239;
				intOrPtr* _t240;

				_t232 = __r9;
				_t228 = __r8;
				_t216 = __rdi;
				_t176 = __rbx;
				_t159 = _t225;
				_t159[2] = __rbx;
				_t159[4] = _t221;
				_t159[6] = __rsi;
				_t159[8] = __rdi;
				_t226 = _t225 - 0x40;
				r12d = 0;
				_t219 = __rcx;
				 *((long long*)(_t159 - 0x28)) = __rcx;
				 *(_t159 - 0x20) =  *(_t159 - 0x20) & _t233;
				if ( *((intOrPtr*)(__rcx + 0x18)) != r12d) goto 0x981134d2;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != r12d) goto 0x981134d2;
				r13d = 0;
				goto 0x981137db;
				_t10 = _t216 - 0x57; // 0x1
				E00007FF67FF69810A5E0(__rbx, __rcx, __rdi, __rdi, __rcx, 0x981401a0, _t239, _t236);
				_t223 = _t159;
				if (_t159 != 0) goto 0x981134f4;
				goto 0x9811382c;
				E00007FF67FF69810A574(__ebp, _t159, _t176, _t176, _t219, _t223);
				_t237 = _t159;
				if (_t159 != 0) goto 0x98113513;
				free(_t233);
				goto 0x981134ea;
				 *_t159 =  *_t159 & r12d;
				if ( *((intOrPtr*)(_t219 + 0x18)) == r12d) goto 0x98113788;
				E00007FF67FF69810A574(__ebp, _t159, _t176, _t176, _t219, _t223);
				_t234 = _t159;
				_t149 = _t159;
				if (_t149 != 0) goto 0x9811353d;
				free(??);
				goto 0x9811350c;
				 *_t159 =  *_t159 & 0x00000000;
				_t142 =  *(_t219 + 0x38) & 0x0000ffff;
				r9d = 0x15;
				_t13 =  &(_t223[6]); // 0x18
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t13;
				_t88 = E00007FF67FF69810FB68(4, __r9 - 0x14, _t176, _t226 + 0x30, __r8);
				_t17 =  &(_t223[8]); // 0x20
				r9d = 0x14;
				 *((long long*)(_t226 + 0x20)) = _t17;
				r8d = _t142;
				_t111 = _t88;
				_t89 = E00007FF67FF69810FB68(_t111, _t232 - 0x13, _t176, _t226 + 0x30, __r8);
				_t21 =  &(_t223[0xa]); // 0x28
				r9d = 0x16;
				 *((long long*)(_t226 + 0x20)) = _t21;
				r8d = _t142;
				_t112 = _t111 | _t89;
				_t90 = E00007FF67FF69810FB68(_t112, _t232 - 0x15, _t176, _t226 + 0x30, __r8);
				r9d = 0x17;
				_t113 = _t112 | _t90;
				_t26 =  &(_t223[0xc]); // 0x30
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t26;
				_t91 = E00007FF67FF69810FB68(_t113, _t232 - 0x16, _t176, _t226 + 0x30, __r8);
				r9d = 0x18;
				_t29 =  &(_t223[0xe]); // 0x38
				_t240 = _t29;
				r8d = _t142;
				_t114 = _t113 | _t91;
				 *((long long*)(_t226 + 0x20)) = _t240;
				_t92 = E00007FF67FF69810FB68(_t114, _t232 - 0x17, _t176, _t226 + 0x30, __r8);
				r9d = 0x50;
				_t115 = _t114 | _t92;
				_t33 =  &(_t223[0x10]); // 0x40
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t33;
				_t93 = E00007FF67FF69810FB68(_t115, _t232 - 0x4f, _t176, _t226 + 0x30, _t228);
				r9d = 0x51;
				_t116 = _t115 | _t93;
				_t37 =  &(_t223[0x12]); // 0x48
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t37;
				_t94 = E00007FF67FF69810FB68(_t116, _t232 - 0x50, _t176, _t226 + 0x30, _t228);
				r9d = 0x1a;
				_t117 = _t116 | _t94;
				_t42 =  &(_t223[0x14]); // 0x50
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t42;
				_t95 = E00007FF67FF69810FB68(_t117, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x19;
				_t118 = _t117 | _t95;
				_t45 =  &(_t223[0x14]); // 0x51
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t45;
				_t96 = E00007FF67FF69810FB68(_t118, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x54;
				_t119 = _t118 | _t96;
				_t48 =  &(_t223[0x14]); // 0x52
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t48;
				_t120 = _t119 | E00007FF67FF69810FB68(_t119, 0, _t176, _t226 + 0x30, _t228);
				_t50 =  &(_t223[0x14]); // 0x53
				r9d = 0x55;
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t50;
				_t121 = _t120 | E00007FF67FF69810FB68(_t120, 0, _t176, _t226 + 0x30, _t228);
				_t54 =  &(_t223[0x15]); // 0x54
				r9d = 0x56;
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t54;
				_t99 = E00007FF67FF69810FB68(_t121, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x57;
				_t122 = _t121 | _t99;
				_t57 =  &(_t223[0x15]); // 0x55
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t57;
				_t100 = E00007FF67FF69810FB68(_t122, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x52;
				_t60 =  &(_t223[0x15]); // 0x56
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t60;
				_t101 = E00007FF67FF69810FB68(_t122 | _t100, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x53;
				_t63 =  &(_t223[0x15]); // 0x57
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t63;
				_t102 = E00007FF67FF69810FB68(_t122 | _t100 | _t101, 0, _t176, _t226 + 0x30, _t228);
				if (_t149 == 0) goto 0x98113754;
				E00007FF67FF6981133F4(_t102 | _t122 | _t100 | _t101, _t223);
				free(??);
				free(??);
				goto 0x9811350c;
				_t213 =  *_t240;
				goto 0x9811376a;
				_t105 =  *_t213;
				if (_t105 - 0x30 < 0) goto 0x98113771;
				if (_t105 - 0x39 > 0) goto 0x98113771;
				_t106 = _t105 - 0x30;
				 *_t213 = _t106;
				_t214 = _t213 + 1;
				if ( *_t214 != 0) goto 0x98113759;
				goto 0x9811379a;
				if (_t106 != 0x3b) goto 0x98113767;
				_t229 = _t214;
				_t107 =  *((intOrPtr*)(_t229 + 1));
				 *_t229 = _t107;
				if (_t107 != 0) goto 0x98113778;
				goto 0x9811376a;
				E00007FF67FF69810AE90(_t10, _t107, _t223, 0x981401a0, _t216);
				 *_t223 =  *( *(_t219 + 0x128));
				_t223[2] = ( *(_t219 + 0x128))[2];
				_t223[4] = ( *(_t219 + 0x128))[4];
				 *_t237 = 1;
				if (_t234 == 0) goto 0x981137db;
				 *_t234 = 1;
				if ( *(_t219 + 0x120) == 0) goto 0x981137eb;
				asm("lock add dword [eax], 0xffffffff");
				_t157 =  *(_t219 + 0x110);
				if (_t157 == 0) goto 0x98113815;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t157 != 0) goto 0x98113815;
				free(??);
				free(??);
				 *(_t219 + 0x120) = _t234;
				 *(_t219 + 0x110) = _t237;
				 *(_t219 + 0x128) = _t223;
				return 0;
			}

0x7ff69811348c
0x7ff69811348c
0x7ff69811348c
0x7ff69811348c
0x7ff69811348c
0x7ff69811348f
0x7ff698113493
0x7ff698113497
0x7ff69811349b
0x7ff6981134a5
0x7ff6981134a9
0x7ff6981134ac
0x7ff6981134af
0x7ff6981134b3
0x7ff6981134bb
0x7ff6981134c1
0x7ff6981134c3
0x7ff6981134cd
0x7ff6981134da
0x7ff6981134dd
0x7ff6981134e2
0x7ff6981134e8
0x7ff6981134ef
0x7ff6981134fc
0x7ff698113501
0x7ff698113507
0x7ff69811350c
0x7ff698113511
0x7ff698113513
0x7ff69811351a
0x7ff698113523
0x7ff698113528
0x7ff69811352b
0x7ff69811352e
0x7ff698113533
0x7ff69811353b
0x7ff69811353d
0x7ff698113540
0x7ff698113544
0x7ff69811354a
0x7ff698113557
0x7ff69811355a
0x7ff69811355f
0x7ff698113564
0x7ff698113568
0x7ff69811356e
0x7ff69811357c
0x7ff69811357f
0x7ff698113581
0x7ff698113586
0x7ff69811358a
0x7ff698113590
0x7ff69811359e
0x7ff6981135a1
0x7ff6981135a3
0x7ff6981135a8
0x7ff6981135b3
0x7ff6981135b5
0x7ff6981135bd
0x7ff6981135c0
0x7ff6981135c5
0x7ff6981135ca
0x7ff6981135d0
0x7ff6981135d0
0x7ff6981135dd
0x7ff6981135e0
0x7ff6981135e2
0x7ff6981135e7
0x7ff6981135ec
0x7ff6981135f2
0x7ff6981135f4
0x7ff698113601
0x7ff698113604
0x7ff698113609
0x7ff69811360e
0x7ff698113614
0x7ff698113616
0x7ff698113623
0x7ff698113626
0x7ff69811362b
0x7ff698113635
0x7ff69811363b
0x7ff69811363d
0x7ff698113641
0x7ff698113646
0x7ff69811364b
0x7ff698113655
0x7ff69811365b
0x7ff69811365d
0x7ff698113661
0x7ff698113666
0x7ff69811366b
0x7ff698113675
0x7ff69811367b
0x7ff69811367d
0x7ff698113681
0x7ff698113686
0x7ff698113690
0x7ff698113692
0x7ff69811369b
0x7ff6981136a1
0x7ff6981136a6
0x7ff6981136b5
0x7ff6981136b7
0x7ff6981136bb
0x7ff6981136c1
0x7ff6981136c6
0x7ff6981136cb
0x7ff6981136d5
0x7ff6981136db
0x7ff6981136dd
0x7ff6981136e1
0x7ff6981136e6
0x7ff6981136eb
0x7ff6981136f5
0x7ff6981136fd
0x7ff698113701
0x7ff698113706
0x7ff69811370b
0x7ff698113715
0x7ff69811371d
0x7ff698113721
0x7ff698113726
0x7ff69811372b
0x7ff698113732
0x7ff698113737
0x7ff69811373f
0x7ff698113747
0x7ff69811374f
0x7ff698113754
0x7ff698113757
0x7ff698113759
0x7ff69811375d
0x7ff698113761
0x7ff698113763
0x7ff698113765
0x7ff698113767
0x7ff69811376d
0x7ff69811376f
0x7ff698113773
0x7ff698113775
0x7ff698113778
0x7ff69811377c
0x7ff698113784
0x7ff698113786
0x7ff698113795
0x7ff6981137a4
0x7ff6981137b3
0x7ff6981137c2
0x7ff6981137c6
0x7ff6981137d1
0x7ff6981137d3
0x7ff6981137e5
0x7ff6981137e7
0x7ff6981137f2
0x7ff6981137f5
0x7ff6981137f7
0x7ff6981137fb
0x7ff698113804
0x7ff698113810
0x7ff698113815
0x7ff69811381c
0x7ff698113823
0x7ff69811384a

APIs

free.LIBCMT ref: 00007FF69811350C
free.LIBCMT ref: 00007FF698113533
free.LIBCMT ref: 00007FF698113804
free.LIBCMT ref: 00007FF698113810

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6dfd3ff1200bf06653a9c526eabe73c63303c5f0231cfc1aad9142993ce12b02
Instruction ID: 3162b8d74db20b9ef88e93d884bb396a0dbfd7a8c198da27efeb4cd6ed85be22
Opcode Fuzzy Hash: 6dfd3ff1200bf06653a9c526eabe73c63303c5f0231cfc1aad9142993ce12b02
Instruction Fuzzy Hash: 0EB17232B09B8285EB70DF72E4515A977A0FB99748F804175EA8E83B89DF3CD115CB48

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812A560 Relevance: 7.6, APIs: 5, Instructions: 130
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00007FF67FF69812A560(void* __ebx, void* __ecx, void* __edi, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long __r8, void* __r9, char _a8, char _a32) {
				void* _v24;
				long long _v40;
				long long _v48;
				long long _v56;
				char _v80;
				long long _v88;
				long long _v104;
				void* __rdi;
				void* __rsi;
				intOrPtr _t74;
				void* _t84;
				void* _t87;
				void* _t92;
				long long* _t93;
				long long _t100;
				void* _t104;
				intOrPtr _t120;
				void* _t135;
				void* _t138;
				void* _t140;
				void* _t145;
				long long _t150;

				_t92 = _t140;
				_v88 = 0xfffffffe;
				 *((long long*)(_t92 + 0x10)) = __rbx;
				 *((long long*)(_t92 + 0x18)) = __rbp;
				_t100 = __r8;
				_t138 = __rdx;
				_t135 = __rcx;
				r12d = 0;
				 *((intOrPtr*)(_t92 + 0x20)) = r12d;
				if ( *((intOrPtr*)(__rcx + 0x28)) == r12b) goto 0x9812a6fe;
				_t136 = __rcx + 0x70;
				_t124 = __rcx + 0x70;
				E00007FF67FF6981278E0(__ebx, __edi, __r8, __rcx + 0x90, __rcx + 0x70, __rcx, _t136);
				r8d = 0;
				E00007FF67FF6980F4D20(_t136 + 0x210, _t136);
				r8d = 0;
				E00007FF67FF6980F4D20(_t136 + 0x240, _t124);
				if ( *((intOrPtr*)(_t100 + 0x18)) == _t150) goto 0x9812a5f7;
				_t93 =  *((intOrPtr*)(_t100 + 0x18));
				if ( *((long long*)(_t100 + 0x20)) - 8 < 0) goto 0x9812a5df;
				goto 0x9812a5e3;
				r8d = _t93 + _t93;
				_t84 = E00007FF67FF698129680(__ebx, 0, _t136, _t100 + 8);
				if (_t84 == 0) goto 0x9812a750;
				E00007FF67FF6981291A0(_t100, _t136, _t100 + 8, _t136, _t138);
				_t74 =  *((intOrPtr*)(_t135 + 0x2d0)) -  *((intOrPtr*)(_t135 + 0x2c8));
				if (_t84 == 0) goto 0x9812a750;
				E00007FF67FF6981045E0(_t93, _t136);
				if (_t93 == 0) goto 0x9812a62a;
				 *_t93 =  &_v80;
				goto 0x9812a62d;
				_v80 = _t150;
				_a8 = 0;
				E00007FF67FF6980F4CA0(_t150, _t100,  &_v80, _t100 + 4, _t136,  &_a8);
				if (_v48 != _v56) goto 0x9812a66c;
				E00007FF67FF6981044B8();
				 *_v56 = _t74;
				_t87 = _v48 - _v56 - 4;
				if (_t87 > 0) goto 0x9812a68b;
				E00007FF67FF6981044B8();
				E00007FF67FF698128A00(_t136);
				_t145 = _t135;
				E00007FF67FF69810AE90(8, _t87, _v56 + 4, _v48 - _v56, _t145);
				_t104 = _v48 - _v56;
				if (_t87 != 0) goto 0x9812a6bb;
				E00007FF67FF6981044B8();
				_v104 = _t150;
				r8d = _t74;
				WriteFile(??, ??, ??, ??, ??);
				if (_v56 == 0) goto 0x9812a6e3;
				E00007FF67FF6981044D8(_v48 - _v56, _t104, _v56, _v56, _t136, _t145,  &_a32);
				_v56 = _t150;
				_v48 = _t150;
				_v40 = _t150;
				_t120 = _v80;
				E00007FF67FF6981044D8(_v48 - _v56, _t104, _t120, _v56, _t136, _t145,  &_a32);
				goto 0x9812a750;
				if ( *((intOrPtr*)(_t120 + 0x29)) == r12b) goto 0x9812a721;
				if ( *((long long*)(_t145 + 0x20)) - 8 < 0) goto 0x9812a711;
				goto 0x9812a715;
				E00007FF67FF698106068(L"%s", _t145 + 8, _t145,  &_a32);
				if ( *((long long*)(_t104 + 0x20)) - 8 < 0) goto 0x9812a732;
				goto 0x9812a736;
				r8d =  *((intOrPtr*)(_t104 + 0x18)) +  *((intOrPtr*)(_t104 + 0x18));
				_v104 = _t150;
				return WriteFile(??, ??, ??, ??, ??);
			}

0x7ff69812a560
0x7ff69812a56b
0x7ff69812a574
0x7ff69812a578
0x7ff69812a57c
0x7ff69812a57f
0x7ff69812a582
0x7ff69812a585
0x7ff69812a588
0x7ff69812a590
0x7ff69812a596
0x7ff69812a59e
0x7ff69812a5a1
0x7ff69812a5ad
0x7ff69812a5b2
0x7ff69812a5be
0x7ff69812a5c3
0x7ff69812a5cc
0x7ff69812a5ce
0x7ff69812a5d7
0x7ff69812a5dd
0x7ff69812a5e3
0x7ff69812a5ef
0x7ff69812a5f1
0x7ff69812a5fa
0x7ff69812a605
0x7ff69812a60b
0x7ff69812a616
0x7ff69812a61e
0x7ff69812a625
0x7ff69812a628
0x7ff69812a62d
0x7ff69812a632
0x7ff69812a64d
0x7ff69812a660
0x7ff69812a662
0x7ff69812a66c
0x7ff69812a67b
0x7ff69812a67f
0x7ff69812a681
0x7ff69812a68e
0x7ff69812a696
0x7ff69812a69d
0x7ff69812a6ac
0x7ff69812a6af
0x7ff69812a6b1
0x7ff69812a6bb
0x7ff69812a6c8
0x7ff69812a6ce
0x7ff69812a6dc
0x7ff69812a6de
0x7ff69812a6e3
0x7ff69812a6e8
0x7ff69812a6ed
0x7ff69812a6f2
0x7ff69812a6f7
0x7ff69812a6fc
0x7ff69812a702
0x7ff69812a709
0x7ff69812a70f
0x7ff69812a71c
0x7ff69812a72a
0x7ff69812a730
0x7ff69812a736
0x7ff69812a73a
0x7ff69812a764

APIs

WriteFile.KERNEL32 ref: 00007FF69812A74A

Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4D50

Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DB0
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DBF
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DCF
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4DF6
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E0C
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E20
Part of subcall function 00007FF6980F4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4E2F

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A662
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A681
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A6B1
WriteFile.KERNEL32 ref: 00007FF69812A6CE

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo$FileWrite
String ID:
API String ID: 255116272-0
Opcode ID: f65e552bf3d28aa478b740350a4f5241e804a358c94a3600ca4f6d6addcbd357
Instruction ID: 5269b4a3e54a237655052cb2d56e37fc31eed5fc477465301213d1afdb9be6a3
Opcode Fuzzy Hash: f65e552bf3d28aa478b740350a4f5241e804a358c94a3600ca4f6d6addcbd357
Instruction Fuzzy Hash: 8B518022608A8385EB30DF75E4809AEB361FB85B94FC44175EA8E87795CF3CE456C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F55C0 Relevance: 7.6, APIs: 5, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF6980F55C0(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long* __r8, intOrPtr* __r9) {
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				intOrPtr _t92;
				long long _t93;
				long long* _t106;
				intOrPtr* _t107;
				long long _t109;
				long long _t110;
				long long* _t112;
				intOrPtr* _t113;
				long long _t125;
				intOrPtr* _t126;
				void* _t128;
				void* _t129;
				long long* _t136;

				_t103 = __rcx;
				 *((long long*)(_t128 + 8)) = __rbx;
				 *((long long*)(_t128 + 0x10)) = _t125;
				 *((long long*)(_t128 + 0x18)) = __rsi;
				 *((long long*)(_t128 + 0x20)) = __rdi;
				_t129 = _t128 - 0x50;
				_t5 = _t103 + 0x30; // 0x44c748000000e0ec
				_t80 =  *((intOrPtr*)(__r8));
				_t136 = __rdx;
				_t126 = __rcx;
				if (_t80 == 0) goto 0x980f55fa;
				if (_t80 ==  *__rcx) goto 0x980f55ff;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r8 + 8)) !=  *((intOrPtr*)( *_t5))) goto 0x980f5670;
				_t81 =  *__r9;
				_t7 = _t126 + 0x30; // 0x44c748000000e0ec
				if (_t81 == 0) goto 0x980f5617;
				if (_t81 ==  *__rcx) goto 0x980f561c;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r9 + 8)) !=  *_t7) goto 0x980f5670;
				_t9 = _t126 + 0x30; // 0x44c748000000e0ec
				E00007FF67FF6980F6320(__r8, __rcx,  *((intOrPtr*)( *_t9 + 8)), __r9, __rcx);
				_t11 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)( *_t11 + 8)) =  *_t11;
				_t13 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)(_t126 + 0x38)) = 0;
				 *((long long*)( *_t13)) =  *_t13;
				_t15 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)( *_t15 + 0x10)) =  *_t15;
				_t17 = _t126 + 0x30; // 0x44c748000000e0ec
				 *_t136 =  *_t126;
				 *((long long*)(_t136 + 8)) =  *((intOrPtr*)( *_t17));
				goto 0x980f5766;
				asm("o16 nop [eax+eax]");
				_t86 =  *((intOrPtr*)(__r8));
				if (_t86 == 0) goto 0x980f567d;
				if (_t86 ==  *__r9) goto 0x980f5682;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r8 + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0x980f572e;
				_t106 = _t129 + 0x20;
				 *_t106 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t106 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *__r8 != 0) goto 0x980f56ae;
				E00007FF67FF6981044B8();
				_t90 =  *((intOrPtr*)(__r8 + 8));
				if ( *((char*)(_t90 + 0x39)) == 0) goto 0x980f56bf;
				E00007FF67FF6981044B8();
				goto 0x980f570c;
				_t107 =  *((intOrPtr*)(_t90 + 0x10));
				if ( *((char*)(_t107 + 0x39)) != 0) goto 0x980f56e0;
				_t91 =  *_t107;
				if ( *((char*)(_t91 + 0x39)) != 0) goto 0x980f5708;
				_t92 =  *_t91;
				if ( *((char*)(_t92 + 0x39)) == 0) goto 0x980f56d2;
				goto 0x980f5708;
				_t109 =  *((intOrPtr*)(_t92 + 8));
				if ( *((char*)(_t109 + 0x39)) != 0) goto 0x980f5708;
				asm("o16 nop [eax+eax]");
				_t93 =  *((intOrPtr*)(_t109 + 0x10));
				if ( *((intOrPtr*)(__r8 + 8)) != _t93) goto 0x980f5708;
				 *((long long*)(__r8 + 8)) = _t109;
				_t110 =  *((intOrPtr*)(_t109 + 8));
				if ( *((char*)(_t110 + 0x39)) == 0) goto 0x980f56f0;
				 *((long long*)(__r8 + 8)) = _t110;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t59 = E00007FF67FF6980F5EB0(_t60, _t61, __r8, _t126, _t129 + 0x40, __r9, _t129 + 0x30, __r9);
				goto 0x980f5670;
				_t112 = _t129 + 0x30;
				 *_t112 = _t93;
				 *((long long*)(_t112 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t113 = _t129 + 0x20;
				 *((long long*)(_t129 + 0x28)) =  *((intOrPtr*)(_t129 + 0x38));
				 *((long long*)(_t129 + 0x20)) =  *_t126;
				 *_t136 =  *_t113;
				 *((long long*)(_t136 + 8)) =  *((intOrPtr*)(_t113 + 8));
				return _t59;
			}

0x7ff6980f55c0
0x7ff6980f55c0
0x7ff6980f55c5
0x7ff6980f55ca
0x7ff6980f55cf
0x7ff6980f55d6
0x7ff6980f55da
0x7ff6980f55e7
0x7ff6980f55ea
0x7ff6980f55ed
0x7ff6980f55f3
0x7ff6980f55f8
0x7ff6980f55fa
0x7ff6980f5603
0x7ff6980f5605
0x7ff6980f5608
0x7ff6980f560f
0x7ff6980f5615
0x7ff6980f5617
0x7ff6980f5620
0x7ff6980f5622
0x7ff6980f562d
0x7ff6980f5632
0x7ff6980f5636
0x7ff6980f563a
0x7ff6980f563e
0x7ff6980f5646
0x7ff6980f5649
0x7ff6980f564d
0x7ff6980f5651
0x7ff6980f565c
0x7ff6980f5660
0x7ff6980f5665
0x7ff6980f566a
0x7ff6980f5670
0x7ff6980f5676
0x7ff6980f567b
0x7ff6980f567d
0x7ff6980f568d
0x7ff6980f5697
0x7ff6980f569c
0x7ff6980f56a3
0x7ff6980f56a7
0x7ff6980f56a9
0x7ff6980f56ae
0x7ff6980f56b6
0x7ff6980f56b8
0x7ff6980f56bd
0x7ff6980f56bf
0x7ff6980f56c7
0x7ff6980f56c9
0x7ff6980f56d0
0x7ff6980f56d5
0x7ff6980f56dc
0x7ff6980f56de
0x7ff6980f56e0
0x7ff6980f56e8
0x7ff6980f56ea
0x7ff6980f56f0
0x7ff6980f56f8
0x7ff6980f56fa
0x7ff6980f56fe
0x7ff6980f5706
0x7ff6980f5708
0x7ff6980f570c
0x7ff6980f571e
0x7ff6980f5724
0x7ff6980f5729
0x7ff6980f572e
0x7ff6980f5733
0x7ff6980f573a
0x7ff6980f5743
0x7ff6980f5748
0x7ff6980f5751
0x7ff6980f5759
0x7ff6980f5761
0x7ff6980f5783

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F55FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F5617

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f24478f95e3a0eeb8cc74fcbd0085942c264e63632729c83631c048cfd9381a0
Instruction ID: babd3768f0973b761f49c969c2260a65c150a8f8b4ddcb493d540020221f62e0
Opcode Fuzzy Hash: f24478f95e3a0eeb8cc74fcbd0085942c264e63632729c83631c048cfd9381a0
Instruction Fuzzy Hash: B4515932A09F8585EB60CF25E48026D77A4F758F88F988076EB8D877A4DF38D490C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FC520 Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00007FF67FF6980FC520(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long* __r8, intOrPtr* __r9) {
				void* _t51;
				void* _t52;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t81;
				long long _t82;
				long long* _t94;
				intOrPtr* _t95;
				long long _t97;
				long long _t98;
				long long* _t100;
				intOrPtr* _t101;
				long long _t111;
				intOrPtr* _t112;
				void* _t114;
				void* _t115;
				void* _t121;
				long long* _t122;

				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = _t111;
				 *((long long*)(_t114 + 0x18)) = __rsi;
				 *((long long*)(_t114 + 0x20)) = __rdi;
				_t115 = _t114 - 0x50;
				_t71 =  *((intOrPtr*)(__r8));
				_t122 = __rdx;
				_t112 = __rcx;
				if (_t71 == 0) goto 0x980fc55a;
				if (_t71 ==  *__rcx) goto 0x980fc55f;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r8 + 8)) !=  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x30))))) goto 0x980fc5a3;
				_t72 =  *__r9;
				if (_t72 == 0) goto 0x980fc577;
				if (_t72 ==  *__rcx) goto 0x980fc57c;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r9 + 8)) !=  *((intOrPtr*)(__rcx + 0x30))) goto 0x980fc5a3;
				E00007FF67FF6980FCB50(__r8, __rcx, __r9, _t121);
				 *((long long*)(_t122 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0x30))));
				 *_t122 =  *_t112;
				goto 0x980fc6a6;
				_t75 =  *((intOrPtr*)(__r8));
				if (_t75 == 0) goto 0x980fc5b0;
				if (_t75 ==  *__r9) goto 0x980fc5b5;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__r8 + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0x980fc66e;
				_t94 = _t115 + 0x20;
				 *_t94 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t94 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *__r8 != 0) goto 0x980fc5e1;
				E00007FF67FF6981044B8();
				_t79 =  *((intOrPtr*)(__r8 + 8));
				if ( *((char*)(_t79 + 0x29)) == 0) goto 0x980fc5f2;
				E00007FF67FF6981044B8();
				goto 0x980fc64c;
				_t95 =  *((intOrPtr*)(_t79 + 0x10));
				if ( *((char*)(_t95 + 0x29)) != 0) goto 0x980fc61e;
				_t80 =  *_t95;
				if ( *((char*)(_t80 + 0x29)) != 0) goto 0x980fc648;
				asm("o16 nop [eax+eax]");
				_t81 =  *_t80;
				if ( *((char*)(_t81 + 0x29)) == 0) goto 0x980fc610;
				goto 0x980fc648;
				_t97 =  *((intOrPtr*)(_t81 + 8));
				if ( *((char*)(_t97 + 0x29)) != 0) goto 0x980fc648;
				_t82 =  *((intOrPtr*)(_t97 + 0x10));
				if ( *((intOrPtr*)(__r8 + 8)) != _t82) goto 0x980fc648;
				 *((long long*)(__r8 + 8)) = _t97;
				_t98 =  *((intOrPtr*)(_t97 + 8));
				if ( *((char*)(_t98 + 0x29)) == 0) goto 0x980fc630;
				 *((long long*)(__r8 + 8)) = _t98;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t51 = E00007FF67FF6980FC760(_t52, __r8, _t112, _t115 + 0x40, __r9, _t115 + 0x30, __r9);
				goto 0x980fc5a3;
				_t100 = _t115 + 0x30;
				 *_t100 = _t82;
				 *((long long*)(_t100 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t101 = _t115 + 0x20;
				 *((long long*)(_t115 + 0x28)) =  *((intOrPtr*)(_t115 + 0x38));
				 *((long long*)(_t115 + 0x20)) =  *_t112;
				 *_t122 =  *_t101;
				 *((long long*)(_t122 + 8)) =  *((intOrPtr*)(_t101 + 8));
				return _t51;
			}

0x7ff6980fc520
0x7ff6980fc525
0x7ff6980fc52a
0x7ff6980fc52f
0x7ff6980fc536
0x7ff6980fc547
0x7ff6980fc54a
0x7ff6980fc54d
0x7ff6980fc553
0x7ff6980fc558
0x7ff6980fc55a
0x7ff6980fc563
0x7ff6980fc565
0x7ff6980fc56f
0x7ff6980fc575
0x7ff6980fc577
0x7ff6980fc580
0x7ff6980fc585
0x7ff6980fc591
0x7ff6980fc59a
0x7ff6980fc59e
0x7ff6980fc5a3
0x7ff6980fc5a9
0x7ff6980fc5ae
0x7ff6980fc5b0
0x7ff6980fc5c0
0x7ff6980fc5ca
0x7ff6980fc5cf
0x7ff6980fc5d6
0x7ff6980fc5da
0x7ff6980fc5dc
0x7ff6980fc5e1
0x7ff6980fc5e9
0x7ff6980fc5eb
0x7ff6980fc5f0
0x7ff6980fc5f2
0x7ff6980fc5fa
0x7ff6980fc5fc
0x7ff6980fc603
0x7ff6980fc605
0x7ff6980fc613
0x7ff6980fc61a
0x7ff6980fc61c
0x7ff6980fc61e
0x7ff6980fc626
0x7ff6980fc630
0x7ff6980fc638
0x7ff6980fc63a
0x7ff6980fc63e
0x7ff6980fc646
0x7ff6980fc648
0x7ff6980fc64c
0x7ff6980fc65e
0x7ff6980fc664
0x7ff6980fc669
0x7ff6980fc66e
0x7ff6980fc673
0x7ff6980fc67a
0x7ff6980fc683
0x7ff6980fc688
0x7ff6980fc691
0x7ff6980fc699
0x7ff6980fc6a1
0x7ff6980fc6c3

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC55A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC577
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC5B0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC5DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC5EB

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3f9fb94ebf619a72e56c9b87b2a251ac8c4213fab99a0683694bafe1793dd332
Instruction ID: 545caac19b9382fd4727c0706fd7a2f9a536acc8d813907f835cd3a0e7347fad
Opcode Fuzzy Hash: 3f9fb94ebf619a72e56c9b87b2a251ac8c4213fab99a0683694bafe1793dd332
Instruction Fuzzy Hash: 6C514D32609B9585EB60CF29D48126C77A0F7A8F88F988175DA8D877A4DF3CE491D348

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FD490 Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF6980FD490(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r12, void* __r13, void* __r14, long long _a8, long long _a16, long long _a24, long long _a32) {

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_a32 = __rdi;
			}

0x7ff6980fd490
0x7ff6980fd495
0x7ff6980fd49a
0x7ff6980fd49f

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD4F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD50A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD562
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD584
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FD5AF

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9adf0773738e164250931235ba60c9b3937481e2f1625136ecae2f05f93c4938
Instruction ID: edd9adf1c4d98b90dacb427322326ad882a943431753fe9840ff60025db3a3ee
Opcode Fuzzy Hash: 9adf0773738e164250931235ba60c9b3937481e2f1625136ecae2f05f93c4938
Instruction Fuzzy Hash: 5541A463B05B9685DA209F25E54016DB3A4FB58FCCB988172EECC87B98DE3CE151C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F4E70 Relevance: 7.6, APIs: 5, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00007FF67FF6980F4E70(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long __rbp, intOrPtr* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				long long _v32;
				char _v40;
				void* _t33;
				intOrPtr _t46;
				intOrPtr* _t54;
				intOrPtr _t57;
				long long* _t58;
				intOrPtr* _t60;
				signed long long _t67;
				long long _t69;
				intOrPtr _t85;
				long long _t86;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_a32 = __rdi;
				_t57 =  *((intOrPtr*)(__rcx + 0x20));
				_t85 =  *((intOrPtr*)(__rcx + 0x18));
				if ((_t57 - _t85 & 0xfffffff0) != 0) goto 0x980f4eb7;
				goto 0x980f4edf;
				if (_t85 - _t57 <= 0) goto 0x980f4ec1;
				E00007FF67FF6981044B8();
				_t46 =  *((intOrPtr*)(__r8));
				if (_t46 == 0) goto 0x980f4ecf;
				if (_t46 ==  *((intOrPtr*)(__rcx))) goto 0x980f4ed4;
				E00007FF67FF6981044B8();
				_t67 =  *((intOrPtr*)(__r8 + 8)) - _t85 >> 4;
				_t58 =  &_v40;
				 *_t58 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				r8d = 1;
				E00007FF67FF6980F5790(__rcx, __rcx,  &_v40, __rsi, __r8, __r9);
				_t86 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t86 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x980f4f18;
				E00007FF67FF6981044B8();
				_t54 =  *((intOrPtr*)(__rcx));
				_v32 = _t86;
				_v40 = _t54;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x20], xmm0");
				if (_t54 != 0) goto 0x980f4f3f;
				E00007FF67FF6981044B8();
				goto 0x980f4f42;
				_t69 = (_t67 << 4) + _t86;
				if (_t69 -  *((intOrPtr*)( *_t54 + 0x20)) > 0) goto 0x980f4f5d;
				if (_t54 == 0) goto 0x980f4f57;
				if (_t69 -  *((intOrPtr*)( *_t54 + 0x18)) >= 0) goto 0x980f4f62;
				_t33 = E00007FF67FF6981044B8();
				_v32 = _t69;
				_t60 =  &_v40;
				 *__rdx =  *_t60;
				_a8 =  *((intOrPtr*)(_t60 + 8));
				return _t33;
			}

0x7ff6980f4e70
0x7ff6980f4e75
0x7ff6980f4e7a
0x7ff6980f4e7f
0x7ff6980f4e91
0x7ff6980f4e97
0x7ff6980f4eb0
0x7ff6980f4eb5
0x7ff6980f4eba
0x7ff6980f4ebc
0x7ff6980f4ec1
0x7ff6980f4ec8
0x7ff6980f4ecd
0x7ff6980f4ecf
0x7ff6980f4edb
0x7ff6980f4ee3
0x7ff6980f4eed
0x7ff6980f4ef7
0x7ff6980f4efe
0x7ff6980f4f04
0x7ff6980f4f09
0x7ff6980f4f11
0x7ff6980f4f13
0x7ff6980f4f18
0x7ff6980f4f1b
0x7ff6980f4f20
0x7ff6980f4f25
0x7ff6980f4f2a
0x7ff6980f4f33
0x7ff6980f4f35
0x7ff6980f4f3d
0x7ff6980f4f46
0x7ff6980f4f4d
0x7ff6980f4f52
0x7ff6980f4f5b
0x7ff6980f4f5d
0x7ff6980f4f6c
0x7ff6980f4f76
0x7ff6980f4f7e
0x7ff6980f4f86
0x7ff6980f4f9c

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4EBC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4ECF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4F13
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4F35
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F4F5D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0dfe290ad0cdf64aa43669a68593f605fd5eb979421ae91750d4b89d46ba8f38
Instruction ID: b385e8e94cbb549a4cff1189cee87c85550cbc4a501c00935e63efd5459c02a0
Opcode Fuzzy Hash: 0dfe290ad0cdf64aa43669a68593f605fd5eb979421ae91750d4b89d46ba8f38
Instruction Fuzzy Hash: 0E318F32B08F8581DB309F26E44016DA3A4FB58B98F988171EE8C97B98DF3CE551C748

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698104BB8 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001,00007FF6981047AB), ref: 00007FF698104BE1
DecodePointer.KERNEL32(?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001,00007FF6981047AB), ref: 00007FF698104BF0

Part of subcall function 00007FF69810E508: _errno.LIBCMT ref: 00007FF69810E511

EncodePointer.KERNEL32(?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001,00007FF6981047AB), ref: 00007FF698104C6D

Part of subcall function 00007FF69810A664: realloc.LIBCMT ref: 00007FF69810A68F
Part of subcall function 00007FF69810A664: Sleep.KERNEL32(?,?,00000000,00007FF698104C5D,?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001), ref: 00007FF69810A6AB

EncodePointer.KERNEL32(?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001,00007FF6981047AB), ref: 00007FF698104C7C
EncodePointer.KERNEL32(?,?,?,00007FF698104CC9,?,?,?,?,00007FF6981056F2,?,?,00000001,00007FF6981047AB), ref: 00007FF698104C88

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 5b966a757f574a0e75c82934206f0acfde00076619bb92cc83a203d31cb58b5a
Instruction ID: 50e215f156af8f4f49c45a052ade2580b1d80e2aaa068287a581d960be14e733
Opcode Fuzzy Hash: 5b966a757f574a0e75c82934206f0acfde00076619bb92cc83a203d31cb58b5a
Instruction Fuzzy Hash: ED21A361B0960350EA20AF72EE881B96291FB857C4BC448B5E94DC7396DE7CE4A1C30D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811A424 Relevance: 7.6, APIs: 5, Instructions: 68
threadCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00007FF67FF69811A424(void* __edx, intOrPtr* __rax, signed int __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long __r8, long long __r9, long long _a8, long long _a16, char _a24, long long _a32, signed int _a40, intOrPtr _a48) {
				long long _v32;
				signed int _v40;
				void* __rdi;
				long _t28;
				intOrPtr* _t45;
				intOrPtr _t50;
				void* _t56;
				intOrPtr* _t57;
				long long _t59;

				_t53 = __rdx;
				_t48 = __rcx;
				_t46 = __rbx;
				_t45 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a32 = __rsi;
				_t59 = __r8;
				r12d = __edx;
				if (__r8 != 0) goto 0x9811a473;
				E00007FF67FF6981078AC(__rax);
				_v40 = _v40 & __rbx;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF67FF698104430(__rax, __rbx, __rcx, __rdx, __r8, __r9, __r8);
				goto 0x9811a50a;
				E00007FF67FF69811384C();
				E00007FF67FF69810A5E0(_t46, _t48, _t53, _t56, _t59, __r9);
				_t57 = _t45;
				if (_t45 == 0) goto 0x9811a4f7;
				E00007FF67FF69810B93C(1, _t45, _t45);
				E00007FF67FF69810B804(_t46, _t57,  *((intOrPtr*)(_t45 + 0xc0)));
				_t50 = _a48;
				 *(_t57 + 8) =  *(_t57 + 8) | 0xffffffff;
				_t69 =  !=  ? _t50 :  &_a24;
				_v32 =  !=  ? _t50 :  &_a24;
				 *((long long*)(_t57 + 0x90)) = _t59;
				 *((long long*)(_t57 + 0x98)) = __r9;
				_v40 = _a40;
				CreateThread(??, ??, ??, ??, ??, ??);
				if (_t45 != 0) goto 0x9811a50c;
				_t28 = GetLastError();
				free(??);
				if (_t28 == 0) goto 0x9811a50a;
				E00007FF67FF6981078EC(_t28, _t45);
				return 0;
			}

0x7ff69811a424
0x7ff69811a424
0x7ff69811a424
0x7ff69811a424
0x7ff69811a424
0x7ff69811a429
0x7ff69811a42e
0x7ff69811a441
0x7ff69811a444
0x7ff69811a44d
0x7ff69811a44f
0x7ff69811a454
0x7ff69811a459
0x7ff69811a45c
0x7ff69811a463
0x7ff69811a469
0x7ff69811a46e
0x7ff69811a473
0x7ff69811a482
0x7ff69811a487
0x7ff69811a48d
0x7ff69811a48f
0x7ff69811a49e
0x7ff69811a4a3
0x7ff69811a4a8
0x7ff69811a4b9
0x7ff69811a4c3
0x7ff69811a4d2
0x7ff69811a4d9
0x7ff69811a4e0
0x7ff69811a4e4
0x7ff69811a4ed
0x7ff69811a4ef
0x7ff69811a4fa
0x7ff69811a501
0x7ff69811a505
0x7ff69811a524

APIs

_errno.LIBCMT ref: 00007FF69811A44F

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_getptd.LIBCMT ref: 00007FF69811A48F
CreateThread.KERNEL32 ref: 00007FF69811A4E4
GetLastError.KERNEL32 ref: 00007FF69811A4EF
free.LIBCMT ref: 00007FF69811A4FA

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: CreateDecodeErrorLastPointerThread_errno_getptdfree
String ID:
API String ID: 220819306-0
Opcode ID: ece87a1fc5feb03447c1b275c00dd7aa7aefcaa37945c33b4158078beb98526a
Instruction ID: 1369a029a2c00610d3432edd1f856743c75a37d1f80cbda06b1e560a801823ab
Opcode Fuzzy Hash: ece87a1fc5feb03447c1b275c00dd7aa7aefcaa37945c33b4158078beb98526a
Instruction Fuzzy Hash: B421A621A0878282E6249FB5A94167A7695FF94B90F844275EF5D83B96CF3CE450C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698118120 Relevance: 7.6, APIs: 5, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF67FF698118120(void* __ebx, void* __ecx, void* __edx, long long __rbx, intOrPtr* __rcx, void* __r9, long long __r12, signed char _a8, long long _a16, long long _a24) {
				void* __rsi;
				void* _t27;
				void* _t29;
				void* _t30;
				intOrPtr _t46;
				intOrPtr* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				long long _t65;

				_t30 = __edx;
				_t29 = __ecx;
				_a24 = __rbx;
				_t46 =  *((intOrPtr*)(__rcx + 0x20));
				_t54 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t46 <= 0) goto 0x9811813e;
				E00007FF67FF6981044B8();
				_t55 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t55 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x9811814d;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t55 > 0) goto 0x98118159;
				if (_t55 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x9811815e;
				E00007FF67FF6981044B8();
				_t57 =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t46 > 0) goto 0x9811816d;
				if (_t46 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x98118172;
				E00007FF67FF6981044B8();
				if (_t57 == 0) goto 0x9811817c;
				if (_t57 ==  *__rcx) goto 0x98118181;
				E00007FF67FF6981044B8();
				if (_t55 == _t46) goto 0x981181e4;
				_t58 =  *((intOrPtr*)(__rcx + 0x20));
				_a16 = __r12;
				_t65 = _t55 + (_t58 - _t46 >> 3) * 8;
				if (_t46 == _t58) goto 0x981181c5;
				asm("o16 nop [eax+eax]");
				E00007FF67FF6981169F0(_t46, _t55 - _t46 + _t46, _t46);
				if (_t46 + 8 != _t58) goto 0x981181b0;
				r9d = _a8 & 0x000000ff;
				_t27 = E00007FF67FF698117D10(__ebx, _t29, _t30, _t58 - _t46 >> 3, _t46 + 8, _t65,  *((intOrPtr*)(_t54 + 0x20)), _t55 - _t46, _t54 + 0x10, __r9);
				 *((long long*)(_t54 + 0x20)) = _t65;
				return _t27;
			}

0x7ff698118120
0x7ff698118120
0x7ff698118120
0x7ff69811812c
0x7ff698118130
0x7ff698118137
0x7ff698118139
0x7ff69811813e
0x7ff698118146
0x7ff698118148
0x7ff698118151
0x7ff698118157
0x7ff698118159
0x7ff69811815e
0x7ff698118165
0x7ff69811816b
0x7ff69811816d
0x7ff698118175
0x7ff69811817a
0x7ff69811817c
0x7ff698118184
0x7ff698118186
0x7ff69811818a
0x7ff698118199
0x7ff6981181a0
0x7ff6981181a5
0x7ff6981181b7
0x7ff6981181c3
0x7ff6981181c5
0x7ff6981181d6
0x7ff6981181db
0x7ff6981181f0

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118139
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF698118159
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811816D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69811817C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 94e8535373d5eee8c31459157ca0df03a4c9a942121b1679b2ccc5edc3a1f7ea
Instruction ID: dcfbd9a2a019dc688a0781b5aac17b18c1a43ac7f985bfb6972e2893de74805a
Opcode Fuzzy Hash: 94e8535373d5eee8c31459157ca0df03a4c9a942121b1679b2ccc5edc3a1f7ea
Instruction Fuzzy Hash: F9219223B14A539AE9307F31A5400B8A3A4FB25784F9C4172DB8C87A85CF28E4B1C358

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F9D30 Relevance: 7.5, APIs: 5, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF6980F9D30(long long __rbx, intOrPtr* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t23;
				void* _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t46;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t43 =  *((intOrPtr*)(__rcx + 0x20));
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t43 <= 0) goto 0x980f9d56;
				E00007FF67FF6981044B8();
				_t41 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t41 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x980f9d65;
				E00007FF67FF6981044B8();
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t41 > 0) goto 0x980f9d71;
				if (_t41 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x980f9d76;
				E00007FF67FF6981044B8();
				_t46 =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t43 > 0) goto 0x980f9d85;
				if (_t43 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0x980f9d8a;
				E00007FF67FF6981044B8();
				if (_t46 == 0) goto 0x980f9d94;
				if (_t46 ==  *__rcx) goto 0x980f9d99;
				E00007FF67FF6981044B8();
				if (_t41 == _t43) goto 0x980f9dc0;
				_t40 =  *((intOrPtr*)(__rcx + 0x20)) - _t43;
				if (_t40 <= 0) goto 0x980f9dbc;
				_t23 = E00007FF67FF698104070(_t41, _t40, _t43, _t40);
				 *((long long*)(__rcx + 0x20)) = _t40 + _t41;
				return _t23;
			}

0x7ff6980f9d30
0x7ff6980f9d35
0x7ff6980f9d3a
0x7ff6980f9d44
0x7ff6980f9d4f
0x7ff6980f9d51
0x7ff6980f9d56
0x7ff6980f9d5e
0x7ff6980f9d60
0x7ff6980f9d69
0x7ff6980f9d6f
0x7ff6980f9d71
0x7ff6980f9d76
0x7ff6980f9d7d
0x7ff6980f9d83
0x7ff6980f9d85
0x7ff6980f9d8d
0x7ff6980f9d92
0x7ff6980f9d94
0x7ff6980f9d9c
0x7ff6980f9da2
0x7ff6980f9dac
0x7ff6980f9db7
0x7ff6980f9dbc
0x7ff6980f9dd4

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F9D51
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F9D60
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F9D71
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F9D85
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980F9D94

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 395423532e8a034f72e2356662622c31c4559b370181be70f9e98b2c9a67ad87
Instruction ID: fc27a075b47b2e243e79821bf65767b3d309852210779f792e0e9927733e70be
Opcode Fuzzy Hash: 395423532e8a034f72e2356662622c31c4559b370181be70f9e98b2c9a67ad87
Instruction Fuzzy Hash: A611B762A08A4282E770BF75D44007C63A4FB14FC4FA54171DA4C9768BCE2CE451C39D

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810CB08 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF69810CB3F
GetCurrentProcessId.KERNEL32 ref: 00007FF69810CB4A
GetCurrentThreadId.KERNEL32 ref: 00007FF69810CB56
GetTickCount.KERNEL32 ref: 00007FF69810CB62
QueryPerformanceCounter.KERNEL32 ref: 00007FF69810CB73

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 51358f02df6aa1c520c902237605ff6eac71f778f40a86b1a1b9eb1d44f505ae
Instruction ID: 97f74532b24023e395f1375955476100b104c2e5cedf2b4468f75616b0dbc99c
Opcode Fuzzy Hash: 51358f02df6aa1c520c902237605ff6eac71f778f40a86b1a1b9eb1d44f505ae
Instruction Fuzzy Hash: 44015221629B0282E7A18F31E89016963A0FB49BA4F846671DE5EC7770DE3CD994C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811A384 Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF69811A399
FlsSetValue.KERNEL32 ref: 00007FF69811A3B0
GetLastError.KERNEL32 ref: 00007FF69811A3B9
ExitThread.KERNEL32 ref: 00007FF69811A3C1
GetCurrentThreadId.KERNEL32 ref: 00007FF69811A3C8

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: ThreadValue$CurrentErrorExitLast
String ID:
API String ID: 1808566232-0
Opcode ID: 94f429541888e2a87e9ddcd7a9c91dd1b61d2b74d0858537a8fdef3fe104ab33
Instruction ID: a216eeb309b9d3c6853189146e29036dde159936b4ebcb124b3d259e03130b28
Opcode Fuzzy Hash: 94f429541888e2a87e9ddcd7a9c91dd1b61d2b74d0858537a8fdef3fe104ab33
Instruction Fuzzy Hash: 65110024E18B4781EF71AF7198497BC2294EF54B94F9444B9D90DC63E3EE3CA894C318

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F4750 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 26
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E00007FF67FF6980F4750(intOrPtr* __rcx) {
				void* __rbx;
				void* _t6;
				void* _t7;
				void* _t10;
				intOrPtr* _t11;
				intOrPtr* _t13;
				intOrPtr* _t14;
				void* _t20;
				void* _t21;
				void* _t24;

				_t14 =  *((intOrPtr*)(__rcx));
				_t11 = _t14;
				if (_t11 == 0) goto 0x980f47a5;
				asm("lock add dword [ebx+0x8], 0xffffffff");
				if (_t11 != 0) goto 0x980f47a5;
				_t13 =  *_t14;
				 *_t13();
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0x980f47a5;
				_t1 = _t13 + 0x49; // 0x49
				r9d = _t1;
				return E00007FF67FF69812AB00(_t6, _t7, _t10, _t14, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t20, _t21, "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp", _t24);
			}

0x7ff6980f4756
0x7ff6980f4759
0x7ff6980f475c
0x7ff6980f475e
0x7ff6980f4763
0x7ff6980f4765
0x7ff6980f476d
0x7ff6980f476f
0x7ff6980f4785
0x7ff6980f4787
0x7ff6980f4787
0x7ff6980f47aa

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6980F476F
HeapFree.KERNEL32 ref: 00007FF6980F477D

Strings

detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF6980F4799
D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF6980F478B
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF6980F4792

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 3859560861-3333080286
Opcode ID: bbd1b308470604d059fc8b3b034bf7eafb81cdd28000ebdae6b9dc5dbe87673a
Instruction ID: 14dcc00b1992a6c5ee6dd58c380fff93ea30542d6c81ffe1ca7bb4490d3debdf
Opcode Fuzzy Hash: bbd1b308470604d059fc8b3b034bf7eafb81cdd28000ebdae6b9dc5dbe87673a
Instruction Fuzzy Hash: 2CF030A1F04A0792FF249F32E8405B82351EFA5B55B898071C91D822B0EE2CD94AD308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F4110 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 18
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF67FF6980F4110(void* __rax, void* __rcx) {
				void* __rbx;
				void* _t5;
				void* _t6;
				void* _t8;
				void* _t10;
				void* _t16;
				void* _t17;
				void* _t20;

				_t10 = __rax;
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0x980f414f;
				_t1 = _t10 + 0x49; // 0x49
				r9d = _t1;
				return E00007FF67FF69812AB00(_t5, _t6, _t8, __rcx, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t16, _t17, "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp", _t20);
			}

0x7ff6980f4110
0x7ff6980f4119
0x7ff6980f412f
0x7ff6980f4131
0x7ff6980f4131
0x7ff6980f4154

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6980F4119
HeapFree.KERNEL32 ref: 00007FF6980F4127

Strings

detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF6980F4143
D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF6980F4135
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF6980F413C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 3859560861-3333080286
Opcode ID: 390c634eb8512d6bd36f964db49dd20d87de3fa4aeae6bde1dec52a086757f87
Instruction ID: 83e959811651608212791bdb6b3b64d30732b62df52113a7e5752b2e91007c4a
Opcode Fuzzy Hash: 390c634eb8512d6bd36f964db49dd20d87de3fa4aeae6bde1dec52a086757f87
Instruction Fuzzy Hash: 9CE04FA0E04A4792FF349B72B8415B41351FF64B85FC640B2C80DC2271EE2CEA89C30C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698109B04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FF67FF698109B04(void* __ebx, void* __ecx, void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8, signed long long __r9) {
				void* __rsi;
				void* __rbp;
				intOrPtr _t102;
				void* _t107;
				void* _t123;
				long long _t126;
				void* _t127;
				void* _t128;
				long long _t170;
				intOrPtr* _t174;
				long long _t177;
				void* _t179;
				void* _t180;
				signed long long _t191;
				void* _t194;

				_t123 = __rax;
				_t107 = __edi;
				_t104 = __ecx;
				 *((long long*)(_t179 + 0x10)) = __rbx;
				 *((long long*)(_t179 + 0x18)) = __r8;
				_t180 = _t179 - 0x70;
				_t191 = __r9;
				_t194 = __rdx;
				_t174 = __rcx;
				if ( *__rcx == 0x80000003) goto 0x98109d30;
				E00007FF67FF69810B93C(__ecx,  *__rcx - 0x80000003, __rax);
				r15d =  *((intOrPtr*)(_t180 + 0xe0));
				_t177 =  *((intOrPtr*)(_t180 + 0xd0));
				if ( *((long long*)(_t123 + 0xe0)) == 0) goto 0x98109ba2;
				E00007FF67FF69810B93C(_t104,  *((long long*)(_t123 + 0xe0)), _t123);
				E00007FF67FF69810B7B0();
				if ( *((intOrPtr*)(_t123 + 0xe0)) == _t123) goto 0x98109ba2;
				if ( *__rcx == 0xe0434f4d) goto 0x98109ba2;
				 *(_t180 + 0x30) =  *((intOrPtr*)(_t180 + 0xe8));
				 *((intOrPtr*)(_t180 + 0x28)) = r15d;
				 *((long long*)(_t180 + 0x20)) = _t177;
				if (E00007FF67FF698107528(__rcx, __rdx, __r8, __r9) != 0) goto 0x98109d30;
				if ( *((intOrPtr*)(_t177 + 0xc)) != 0) goto 0x98109bad;
				E00007FF67FF698110148( *((intOrPtr*)(_t180 + 0xe8)));
				r12d =  *((intOrPtr*)(_t180 + 0xd8));
				 *(_t180 + 0x30) = __r9;
				 *((long long*)(_t180 + 0x28)) = _t180 + 0x60;
				_t126 = _t180 + 0xb0;
				r8d = r15d;
				r9d = r12d;
				 *((long long*)(_t180 + 0x20)) = _t126;
				E00007FF67FF69810757C(__ebx, _t123, _t177, _t174);
				_t170 = _t126;
				goto 0x98109d26;
				if (r12d -  *_t170 < 0) goto 0x98109d19;
				if (r12d -  *((intOrPtr*)(_t170 + 4)) > 0) goto 0x98109d19;
				E00007FF67FF6981072E8(_t126);
				if ( *((intOrPtr*)(_t126 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)) == 0) goto 0x98109c44;
				E00007FF67FF6981072E8(_t126);
				E00007FF67FF6981072E8(_t126);
				_t127 = _t126 +  *((intOrPtr*)(_t126 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10));
				goto 0x98109c46;
				if (_t127 == 0) goto 0x98109c93;
				E00007FF67FF6981072E8(_t127);
				if ( *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)) == 0) goto 0x98109c8b;
				E00007FF67FF6981072E8(_t127);
				E00007FF67FF6981072E8(_t127);
				_t128 = _t127 +  *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10));
				goto 0x98109c8d;
				if ( *((char*)(_t128 + 0x10)) != 0) goto 0x98109d12;
				E00007FF67FF6981072E8(_t128);
				if (( *(_t128 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x14) & 0x00000040) != 0) goto 0x98109d12;
				E00007FF67FF6981072E8(_t128);
				 *((char*)(_t180 + 0x58)) = 0;
				 *((char*)(_t180 + 0x50)) = 1;
				 *((long long*)(_t180 + 0x48)) =  *((intOrPtr*)(_t180 + 0xe8));
				 *((intOrPtr*)(_t180 + 0x40)) = r15d;
				 *((long long*)(_t180 + 0x38)) = _t170;
				 *(_t180 + 0x30) =  *(_t180 + 0x30) & 0x00000000;
				 *((long long*)(_t180 + 0x28)) = _t128 + ( *(_t170 + 0xc) - 1 + ( *(_t170 + 0xc) - 1) * 4) * 4 +  *((intOrPtr*)(_t170 + 0x10));
				 *((long long*)(_t180 + 0x20)) = _t177;
				E00007FF67FF698109A40( *(_t170 + 0xc) - 1, _t107,  *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)), _t174, _t194, _t177,  *((intOrPtr*)(_t180 + 0xc0)), _t191);
				_t102 =  *((intOrPtr*)(_t180 + 0xb0)) + 1;
				 *((intOrPtr*)(_t180 + 0xb0)) = _t102;
				if (_t102 -  *((intOrPtr*)(_t180 + 0x60)) < 0) goto 0x98109bf1;
				return _t102;
			}

0x7ff698109b04
0x7ff698109b04
0x7ff698109b04
0x7ff698109b04
0x7ff698109b09
0x7ff698109b19
0x7ff698109b23
0x7ff698109b29
0x7ff698109b2c
0x7ff698109b2f
0x7ff698109b35
0x7ff698109b3a
0x7ff698109b42
0x7ff698109b52
0x7ff698109b54
0x7ff698109b5c
0x7ff698109b68
0x7ff698109b70
0x7ff698109b80
0x7ff698109b8b
0x7ff698109b90
0x7ff698109b9c
0x7ff698109ba6
0x7ff698109ba8
0x7ff698109bad
0x7ff698109bba
0x7ff698109bbf
0x7ff698109bc4
0x7ff698109bcc
0x7ff698109bcf
0x7ff698109bd8
0x7ff698109bdd
0x7ff698109be2
0x7ff698109bec
0x7ff698109bf4
0x7ff698109bfe
0x7ff698109c04
0x7ff698109c1e
0x7ff698109c20
0x7ff698109c3a
0x7ff698109c3f
0x7ff698109c42
0x7ff698109c49
0x7ff698109c4b
0x7ff698109c65
0x7ff698109c67
0x7ff698109c81
0x7ff698109c86
0x7ff698109c89
0x7ff698109c91
0x7ff698109c93
0x7ff698109cad
0x7ff698109caf
0x7ff698109cbf
0x7ff698109cc4
0x7ff698109ceb
0x7ff698109cf0
0x7ff698109cf5
0x7ff698109cfa
0x7ff698109d00
0x7ff698109d08
0x7ff698109d0d
0x7ff698109d19
0x7ff698109d1f
0x7ff698109d2a
0x7ff698109d47

APIs

_getptd.LIBCMT ref: 00007FF698109B35
_getptd.LIBCMT ref: 00007FF698109B54
_CallSETranslator.LIBCMT ref: 00007FF698109B95

Part of subcall function 00007FF698107528: _getptd.LIBCMT ref: 00007FF69810754F

Strings

MOC, xrefs: 00007FF698109B6A

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC
API String ID: 3569367362-624257665
Opcode ID: 701c7f62758117df9d68805bcdd9943e9059ba62097dbbdcab498742cdacb196
Instruction ID: be363242ed14a81b386b83401ef1b6252a469cf3c3cb2787bef261ae1c962d8e
Opcode Fuzzy Hash: 701c7f62758117df9d68805bcdd9943e9059ba62097dbbdcab498742cdacb196
Instruction Fuzzy Hash: 70619472A08AC796DA30CF25D8907AD73A0FB80B98F944975DB8E83695DF7CD161C704

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698105578 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF6981055C1,?,?,00000028,00007FF6981048F9,?,?,00000000,00007FF69810A598,?,?,00000000,00007FF69810FED9), ref: 00007FF698105587
GetProcAddress.KERNEL32(?,?,000000FF,00007FF6981055C1,?,?,00000028,00007FF6981048F9,?,?,00000000,00007FF69810A598,?,?,00000000,00007FF69810FED9), ref: 00007FF69810559C

Strings

CorExitProcess, xrefs: 00007FF698105592
mscoree.dll, xrefs: 00007FF698105580

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8e88595b131e52f817ebab1db4fb07a491aba47a0bed957ca3a8eab92fd5a99f
Instruction ID: 60a21a7fe88bf853f2e8dc0a538110a4aa06d280d62960f80fee3f5f1ec5831c
Opcode Fuzzy Hash: 8e88595b131e52f817ebab1db4fb07a491aba47a0bed957ca3a8eab92fd5a99f
Instruction Fuzzy Hash: EDE0EC50B15B0382EE699F70AC841781291DF48710FC850BAC45EC63A0DF2CED99C318

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698108948 Relevance: 6.2, APIs: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00007FF67FF698108948(void* __ebx, void* __ecx, signed long long __edx, void* __eflags, long long __rbx, void* __rcx, void* __r8) {
				void* __rsi;
				void* __rbp;
				void* _t133;
				void* _t147;
				void* _t159;
				void* _t163;
				signed long long _t165;
				signed long long _t166;
				signed long long _t167;
				long long _t178;
				signed long long _t183;
				signed long long _t207;
				signed long long _t209;
				intOrPtr _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed long long _t217;
				void* _t219;
				signed long long _t220;
				void* _t223;
				signed long long _t224;
				void* _t227;
				void* _t230;
				signed long long _t231;
				void* _t233;
				signed long long _t234;
				void* _t237;
				void* _t239;
				signed long long _t240;

				_t226 = __r8;
				_t137 = __ecx;
				 *((long long*)(_t223 + 0x20)) = __rbx;
				_t224 = _t223 - 0x210;
				_t165 =  *0x98140430; // 0x4918c2c043f
				_t166 = _t165 ^ _t224;
				 *(_t224 + 0x200) = _t166;
				_t240 = __edx;
				_t214 = __rcx;
				E00007FF67FF69810B93C(__ecx, __eflags, _t166);
				_t217 = _t166;
				_t167 = _t224 + 0x40;
				r8d = 0x83;
				 *((intOrPtr*)(_t224 + 0x28)) = r15d;
				 *(_t224 + 0x20) = _t167;
				E00007FF67FF698108708(__ebx, __r8, _t224 + 0x70, __r8, _t224 + 0x48);
				if (_t167 != 0) goto 0x981089b5;
				goto 0x98108c24;
				_t183 = _t240 << 5;
				if (E00007FF67FF69810BBE0(_t137, _t224 + 0x70,  *((intOrPtr*)(_t183 + __rcx + 0x48))) == 0) goto 0x98108c1f;
				E00007FF67FF6981070C0(_t114, _t224 + 0x70);
				_t220 = _t167;
				_t12 = _t167 + 5; // 0x5
				E00007FF67FF69810A574(_t147, _t167, _t183, _t12, _t217, _t220);
				_t231 = _t167;
				if (_t167 == 0) goto 0x981089ae;
				_t234 = _t240 + 3;
				 *((long long*)(_t224 + 0x58)) =  *((intOrPtr*)(_t183 + _t214 + 0x48));
				r8d = 6;
				 *(_t224 + 0x50) =  *(_t214 + _t234 * 4);
				 *((long long*)(_t224 + 0x60)) = _t214 + (_t240 + 0x12 + _t240 * 2) * 2;
				E00007FF67FF69810AE90(_t137, _t167, _t224 + 0x68, _t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t226);
				_t28 = _t220 + 1; // 0x1
				_t227 = _t224 + 0x70;
				_t30 = _t231 + 4; // 0x4
				 *((intOrPtr*)(_t224 + 0x44)) =  *((intOrPtr*)(_t214 + 4));
				if (E00007FF67FF69810B72C(_t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t30, _t28, _t217, _t220, _t227) == 0) goto 0x98108a5b;
				 *(_t224 + 0x20) =  *(_t224 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104308();
				_t35 = _t231 + 4; // 0x4
				_t207 = _t224 + 0x48;
				 *((long long*)(_t183 + _t214 + 0x48)) = _t35;
				r8d = 6;
				 *(_t214 + _t234 * 4) =  *(_t224 + 0x48) & 0x0000ffff;
				E00007FF67FF69810AE90(0, E00007FF67FF69810B72C(_t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t30, _t28, _t217, _t220, _t227),  *((intOrPtr*)(_t224 + 0x60)), _t207, _t227);
				if (r15d != 2) goto 0x98108b94;
				r8d = 0;
				 *((intOrPtr*)(_t214 + 4)) =  *((intOrPtr*)(_t224 + 0x40));
				if ( *((intOrPtr*)(_t214 + 4)) ==  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8))) goto 0x98108acd;
				 *((long long*)(_t217 + 0x27c + _t207 * 8)) =  *((intOrPtr*)(_t217 + 0x29c));
				r8d = r8d + 1;
				if (_t207 + 1 - 5 < 0) goto 0x98108aa0;
				goto 0x98108aec;
				if (r8d == 0) goto 0x98108aec;
				_t209 = r8d;
				 *((long long*)(_t217 + 0x27c)) =  *((intOrPtr*)(_t217 + 0x27c + _t209 * 8));
				 *((long long*)(_t217 + 0x27c + _t209 * 8)) =  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8));
				if (r8d != 5) goto 0x98108b88;
				_t63 = _t227 + 0x7a; // 0x7a
				 *((intOrPtr*)(_t224 + 0x38)) = 1;
				 *((intOrPtr*)(_t224 + 0x30)) =  *((intOrPtr*)(_t214 + 0x14));
				 *((intOrPtr*)(_t224 + 0x28)) =  *((intOrPtr*)(_t214 + 4));
				_t69 = _t220 - 0x7e; // -4
				r9d = _t63;
				 *(_t224 + 0x20) = _t224 + 0x100;
				_t159 = E00007FF67FF698112858(_t69, r8d - 5, _t224 + 0x100, _t183,  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8)), _t217, 0x98130d00, _t224 + 0x48, _t239, _t237, _t233);
				if (_t159 == 0) goto 0x98108b78;
				 *(_t224 + 0x100) =  *(_t224 + 0x100) & 0x000001ff;
				if (_t159 != 0) goto 0x98108b3d;
				_t210 =  *0x981403f8; // 0x7ff6981310d4
				r8d = 0xfe;
				 *(_t217 + 0x280) = 0 | E00007FF67FF698114410(0x1ff, _t224 + 0x100, _t210, 0x98130d00) == 0x00000000;
				goto 0x98108b7f;
				 *(_t217 + 0x280) =  *(_t217 + 0x280) & 0x00000000;
				 *((intOrPtr*)(_t217 + 0x27c)) =  *((intOrPtr*)(_t214 + 4));
				 *(_t214 + 0x108) =  *(_t217 + 0x280);
				if (r15d != 1) goto 0x98108ba1;
				 *((intOrPtr*)(_t214 + 8)) =  *((intOrPtr*)(_t224 + 0x40));
				_t133 =  *((intOrPtr*)(0x98130c80 + (_t240 + _t240 * 2) * 8))(_t219);
				_t178 =  *((intOrPtr*)(_t224 + 0x58));
				if (_t133 == 0) goto 0x98108bdd;
				 *((long long*)(_t183 + _t214 + 0x48)) = _t178;
				free(_t230);
				r11d =  *(_t224 + 0x50);
				 *(_t214 + _t234 * 4) = r11d;
				 *((intOrPtr*)(_t214 + 4)) =  *((intOrPtr*)(_t224 + 0x44));
				goto 0x981089ae;
				_t163 = _t178 - 0x98140a20;
				if (_t163 == 0) goto 0x98108c12;
				asm("lock add dword [edx], 0xffffffff");
				if (_t163 != 0) goto 0x98108c12;
				free(_t213);
				free(_t216);
				 *(_t183 + _t214 + 0x50) =  *(_t183 + _t214 + 0x50) & 0x00000000;
				 *_t231 = 1;
				 *(_t183 + _t214 + 0x58) = _t231;
				return E00007FF67FF698104050(E00007FF67FF698114410(0x1ff, _t224 + 0x100, _t210, 0x98130d00) == 0,  *(_t224 + 0x200) ^ _t224,  *(_t183 + _t214 + 0x58), 0x98130d00, _t224 + 0x48);
			}

0x7ff698108948
0x7ff698108948
0x7ff698108948
0x7ff698108958
0x7ff69810895f
0x7ff698108966
0x7ff698108969
0x7ff698108974
0x7ff698108977
0x7ff69810897a
0x7ff698108989
0x7ff69810898c
0x7ff698108991
0x7ff69810899a
0x7ff69810899f
0x7ff6981089a4
0x7ff6981089ac
0x7ff6981089b0
0x7ff6981089bd
0x7ff6981089cd
0x7ff6981089d8
0x7ff6981089dd
0x7ff6981089e0
0x7ff6981089e4
0x7ff6981089e9
0x7ff6981089ef
0x7ff6981089f6
0x7ff6981089ff
0x7ff698108a08
0x7ff698108a0e
0x7ff698108a1e
0x7ff698108a23
0x7ff698108a2b
0x7ff698108a2f
0x7ff698108a34
0x7ff698108a39
0x7ff698108a44
0x7ff698108a46
0x7ff698108a4c
0x7ff698108a4f
0x7ff698108a56
0x7ff698108a60
0x7ff698108a65
0x7ff698108a6a
0x7ff698108a74
0x7ff698108a7a
0x7ff698108a7e
0x7ff698108a87
0x7ff698108a91
0x7ff698108a96
0x7ff698108aaa
0x7ff698108ab4
0x7ff698108abf
0x7ff698108ac9
0x7ff698108acb
0x7ff698108ad0
0x7ff698108ad2
0x7ff698108add
0x7ff698108ae4
0x7ff698108af0
0x7ff698108af9
0x7ff698108afd
0x7ff698108b05
0x7ff698108b13
0x7ff698108b1f
0x7ff698108b22
0x7ff698108b27
0x7ff698108b31
0x7ff698108b33
0x7ff698108b42
0x7ff698108b4d
0x7ff698108b4f
0x7ff698108b5e
0x7ff698108b70
0x7ff698108b76
0x7ff698108b78
0x7ff698108b82
0x7ff698108b8e
0x7ff698108b98
0x7ff698108b9e
0x7ff698108baf
0x7ff698108bb4
0x7ff698108bb9
0x7ff698108bbe
0x7ff698108bc3
0x7ff698108bc8
0x7ff698108bd1
0x7ff698108bd5
0x7ff698108bd8
0x7ff698108be4
0x7ff698108be7
0x7ff698108bee
0x7ff698108bf2
0x7ff698108bf9
0x7ff698108c07
0x7ff698108c0c
0x7ff698108c12
0x7ff698108c1a
0x7ff698108c4e

APIs

_getptd.LIBCMT ref: 00007FF69810897A

Part of subcall function 00007FF698108708: _getptd.LIBCMT ref: 00007FF698108742

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: b831a8e5acdfc9b34b1f275e6a2a44ae26707a0638727e3522d71a78b478d697
Instruction ID: 0b2e070f85c5014a34101ca42419400e25d29f2ad2fcc4a678a906bb35b3f43a
Opcode Fuzzy Hash: b831a8e5acdfc9b34b1f275e6a2a44ae26707a0638727e3522d71a78b478d697
Instruction Fuzzy Hash: 4D817D72A1A68796DB24DF35E9806AA73A0FB84784F904136DB8D87B54DF3CE461CB04

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980FC2A0 Relevance: 6.1, APIs: 4, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00007FF67FF6980FC2A0(void* __ebx, void* __edx, void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8, void* __r9) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v64;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t55;
				void* _t58;
				void* _t61;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t93;
				signed long long _t94;
				intOrPtr _t97;
				intOrPtr* _t101;
				intOrPtr* _t104;
				long long _t110;
				long long* _t113;
				long long* _t114;
				intOrPtr _t123;
				void* _t125;
				signed long long _t129;
				signed long long _t131;
				intOrPtr* _t134;
				void* _t137;
				intOrPtr* _t140;
				void* _t142;
				void* _t143;
				signed long long _t145;
				void* _t147;
				void* _t149;
				intOrPtr* _t150;
				void* _t152;

				_t142 = __r9;
				_t140 = __r8;
				_t136 = __rbp;
				_t61 = __ebp;
				_t143 = _t137;
				 *((long long*)(_t143 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t143 + 0x10)) = __rbx;
				 *((long long*)(_t143 + 0x18)) = __rsi;
				_t150 = __r8;
				_t134 = __rdx;
				_t110 = __rcx;
				_t113 = _t143 - 0x38;
				 *_t113 =  *__r8;
				 *((long long*)(_t113 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t114 = _t143 - 0x48;
				 *_t114 =  *__rdx;
				 *((long long*)(_t114 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t89 =  *((intOrPtr*)(_t143 - 0x38));
				if (_t89 == 0) goto 0x980fc301;
				if (_t89 ==  *((intOrPtr*)(_t143 - 0x48))) goto 0x980fc306;
				E00007FF67FF6981044B8();
				_t90 = _v64;
				_t123 = _v48;
				if (_t90 - _t123 > 0) goto 0x980fc31a;
				goto 0x980fc31d;
				_t125 = _t123 - _t90 - _t90;
				_t129 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t129 - _t125 > 0) goto 0x980fc35a;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t125) goto 0x980fc35a;
				r8b = 1;
				if (E00007FF67FF6980F24C0(__rcx, __rcx, _t125, __rdx, __rbp, _t145, _t152, _t149) == 0) goto 0x980fc35a;
				 *(_t110 + 0x18) = _t129;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0x980fc34c;
				goto 0x980fc350;
				r12d = 0;
				 *((intOrPtr*)(_t110 + 8 + _t129 * 2)) = r12w;
				goto 0x980fc35d;
				r12d = 0;
				_t93 =  *_t134;
				if (_t93 == 0) goto 0x980fc374;
				if (_t93 ==  *_t150) goto 0x980fc379;
				E00007FF67FF6981044B8();
				_t94 =  *((intOrPtr*)(_t150 + 8));
				if ( *((intOrPtr*)(_t134 + 8)) == _t94) goto 0x980fc46e;
				E00007FF67FF6980FBBB0(_t61, _t110, _t134, _t134, _t136);
				r13d =  *_t94 & 0x0000ffff;
				if ((_t94 | 0xffffffff) -  *(_t110 + 0x18) - 1 > 0) goto 0x980fc3a6;
				E00007FF67FF6981033CC((_t94 | 0xffffffff) -  *(_t110 + 0x18), _t110, _t129, _t136, _t140, _t142);
				_t131 =  *(_t110 + 0x18) + 1;
				if (_t131 - 0xfffffffe <= 0) goto 0x980fc3b7;
				_t55 = E00007FF67FF6981033CC((_t94 | 0xffffffff) -  *(_t110 + 0x18), _t110, _t131, _t136, _t140, _t142);
				_t97 =  *((intOrPtr*)(_t110 + 0x20));
				if (_t97 - _t131 >= 0) goto 0x980fc3d1;
				E00007FF67FF6980F26D0(_t55, _t110, _t131,  *(_t110 + 0x18), _t147, _t145);
				goto 0x980fc3f0;
				if (_t131 != 0) goto 0x980fc3f0;
				 *(_t110 + 0x18) = _t145;
				if (_t97 - 8 < 0) goto 0x980fc3e6;
				goto 0x980fc3ea;
				 *((intOrPtr*)(_t110 + 8)) = r12w;
				goto 0x980fc428;
				if (_t131 == 0) goto 0x980fc428;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0x980fc409;
				goto 0x980fc410;
				_t101 = _t110 + 8;
				 *((intOrPtr*)(_t101 +  *(_t110 + 0x18) * 2)) = r13w;
				 *(_t110 + 0x18) = _t131;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0x980fc423;
				 *((intOrPtr*)( *_t101 + _t131 * 2)) = r12w;
				if ( *_t134 != 0) goto 0x980fc442;
				E00007FF67FF6981044B8();
				_t104 =  *_t134;
				if (_t104 != 0) goto 0x980fc442;
				goto 0x980fc445;
				if (_t104 == 0) goto 0x980fc44f;
				goto 0x980fc452;
				if ( *((intOrPtr*)(_t134 + 8)) -  *((intOrPtr*)(_t145 + 0x38)) +  *((intOrPtr*)( *_t104 + 0x30)) < 0) goto 0x980fc465;
				_t58 = E00007FF67FF6981044B8();
				 *((long long*)(_t134 + 8)) =  *((long long*)(_t134 + 8)) + 1;
				goto 0x980fc367;
				return _t58;
			}

0x7ff6980fc2a0
0x7ff6980fc2a0
0x7ff6980fc2a0
0x7ff6980fc2a0
0x7ff6980fc2a0
0x7ff6980fc2a3
0x7ff6980fc2b4
0x7ff6980fc2bd
0x7ff6980fc2c1
0x7ff6980fc2c5
0x7ff6980fc2c8
0x7ff6980fc2cb
0x7ff6980fc2ce
0x7ff6980fc2d5
0x7ff6980fc2dc
0x7ff6980fc2e0
0x7ff6980fc2e7
0x7ff6980fc2ee
0x7ff6980fc2f2
0x7ff6980fc2f9
0x7ff6980fc2ff
0x7ff6980fc301
0x7ff6980fc306
0x7ff6980fc30b
0x7ff6980fc313
0x7ff6980fc318
0x7ff6980fc31a
0x7ff6980fc31d
0x7ff6980fc324
0x7ff6980fc32a
0x7ff6980fc32c
0x7ff6980fc339
0x7ff6980fc33b
0x7ff6980fc344
0x7ff6980fc34a
0x7ff6980fc350
0x7ff6980fc353
0x7ff6980fc358
0x7ff6980fc35a
0x7ff6980fc367
0x7ff6980fc36d
0x7ff6980fc372
0x7ff6980fc374
0x7ff6980fc379
0x7ff6980fc381
0x7ff6980fc38a
0x7ff6980fc38f
0x7ff6980fc39f
0x7ff6980fc3a1
0x7ff6980fc3aa
0x7ff6980fc3b0
0x7ff6980fc3b2
0x7ff6980fc3b7
0x7ff6980fc3be
0x7ff6980fc3ca
0x7ff6980fc3cf
0x7ff6980fc3d4
0x7ff6980fc3d6
0x7ff6980fc3de
0x7ff6980fc3e4
0x7ff6980fc3ea
0x7ff6980fc3ee
0x7ff6980fc3f3
0x7ff6980fc3fe
0x7ff6980fc407
0x7ff6980fc409
0x7ff6980fc410
0x7ff6980fc415
0x7ff6980fc41e
0x7ff6980fc423
0x7ff6980fc42e
0x7ff6980fc430
0x7ff6980fc435
0x7ff6980fc43b
0x7ff6980fc440
0x7ff6980fc448
0x7ff6980fc44d
0x7ff6980fc45e
0x7ff6980fc460
0x7ff6980fc465
0x7ff6980fc469
0x7ff6980fc487

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC301
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC374
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC430
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6980FC460

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c141b8904f02e943c942c556673060c55fd9cceccc76b955d807c772474a688
Instruction ID: bf2eeae03bc0d013c5bc901ed459041a89a0b7ee8e1c1b59f485d382eeb15130
Opcode Fuzzy Hash: 5c141b8904f02e943c942c556673060c55fd9cceccc76b955d807c772474a688
Instruction Fuzzy Hash: 3B513C22609B5280EA348F25D44603C6365FB24FE4BA48675CE6D877E4DF39E891E35C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812A770 Relevance: 6.1, APIs: 4, Instructions: 132
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF67FF69812A770(void* __ebx, signed int __ecx, void* __edx, void* __edi, long long __rcx, void* __r8, void* __r9, long long _a40, intOrPtr _a48, void* _a56, void* _a64) {
				signed int _v56;
				long long _v64;
				intOrPtr _v88;
				char _v96;
				long long _v104;
				signed int _v112;
				short _v128;
				char _v136;
				char _v152;
				long long _v168;
				char _v184;
				long long _v192;
				long long _v200;
				long long _v208;
				long long _v216;
				signed char _v232;
				intOrPtr _v248;
				long long _v256;
				void* _v264;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t72;
				void* _t73;
				signed long long _t92;
				long long _t105;
				long long _t106;
				short _t111;
				short _t112;
				long long _t130;
				long long _t132;
				void* _t133;
				signed int _t134;
				signed long long _t138;

				_t142 = __r9;
				_t72 = __edi;
				_t69 = __ecx;
				_v168 = 0xfffffffe;
				_t92 =  *0x98140430; // 0x4918c2c043f
				_v56 = _t92 ^  &_v264;
				_t73 = __edx;
				_t106 = __rcx;
				if (r8d -  *((intOrPtr*)(__rcx + 0x318)) < 0) goto 0x9812a9e5;
				r9d =  *(__rcx + 0x2c);
				_v248 = _a48;
				_v256 = _a40;
				_v264 = __r9;
				E00007FF67FF69812A270(__ebx, __ecx, __rcx,  &_v96, _t134, __r8, __r9);
				_v104 = 7;
				_v112 = _t134;
				_v128 = 0;
				E00007FF67FF6980F79A0();
				_t111 = _v128;
				_t145 =  >=  ? _t111 :  &_v128;
				_t138 = _v112;
				_t130 = ( >=  ? _t111 :  &_v128) + _t138 * 2;
				if (_t130 == 0) goto 0x9812a87d;
				_t95 =  >=  ? _t111 :  &_v128;
				_t79 = ( >=  ? _t111 :  &_v128) - _t130;
				if (( >=  ? _t111 :  &_v128) - _t130 > 0) goto 0x9812a87d;
				_t97 =  >=  ? _t111 :  &_v128;
				if (_t130 - ( >=  ? _t111 :  &_v128) + _t138 * 2 <= 0) goto 0x9812a89a;
				E00007FF67FF6981044B8();
				_t112 = _v128;
				_v216 =  &_v136;
				_v208 = _t130;
				if (_v104 - 8 < 0) goto 0x9812a8bc;
				if (_t112 == 0) goto 0x9812a8f2;
				goto 0x9812a8c4;
				_t132 =  &_v128;
				_t101 =  >=  ? _t112 :  &_v128;
				_t85 = ( >=  ? _t112 :  &_v128) - _t132;
				if (( >=  ? _t112 :  &_v128) - _t132 > 0) goto 0x9812a8f2;
				_t103 =  >=  ? _t112 :  &_v128;
				if (_t132 - ( >=  ? _t112 :  &_v128) + _v112 * 2 <= 0) goto 0x9812a8f7;
				E00007FF67FF6981044B8();
				_t105 =  &_v136;
				_v200 = _t105;
				_v192 = _t132;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x90], xmm0");
				asm("movaps xmm1, [esp+0x60]");
				asm("movdqa [esp+0x70], xmm1");
				r9d = _v232 & 0x000000ff;
				E00007FF67FF6980FCD30( &_v96,  &_v184,  &_v152);
				r8d = 2;
				E00007FF67FF6980F47C0(_t106,  &_v96, L"\r\n", _t132, _t133, _t134,  &_v152);
				_v216 = _t106;
				EnterCriticalSection(??);
				E00007FF67FF698129FC0(_t73, _t106, _t106, _t133);
				if (_t105 == 0xffffffff) goto 0x9812a98f;
				E00007FF67FF69812A560(__ebx, _t69, _t72, _t106, _t106, _t105, _t134,  &_v96, _t142);
				LeaveCriticalSection(??);
				if (_v104 - 8 < 0) goto 0x9812a9b1;
				E00007FF67FF6981044D8(_t105, _t106, _v128, _t105, _t133,  &_v96, _t142);
				_v104 = 7;
				_v112 = _t134;
				_v128 = 0;
				if (_v64 - 8 < 0) goto 0x9812a9e5;
				E00007FF67FF6981044D8(_t105, _t106, _v88, _t105, _t133,  &_v96, _t142);
				return E00007FF67FF698104050(_t69, _v56 ^  &_v264, _t105,  &_v96, _t142);
			}

0x7ff69812a770
0x7ff69812a770
0x7ff69812a770
0x7ff69812a77c
0x7ff69812a788
0x7ff69812a792
0x7ff69812a79d
0x7ff69812a79f
0x7ff69812a7b3
0x7ff69812a7b9
0x7ff69812a7c4
0x7ff69812a7c8
0x7ff69812a7cd
0x7ff69812a7dd
0x7ff69812a7e3
0x7ff69812a7f1
0x7ff69812a7f9
0x7ff69812a819
0x7ff69812a826
0x7ff69812a83a
0x7ff69812a83e
0x7ff69812a846
0x7ff69812a84d
0x7ff69812a85b
0x7ff69812a85f
0x7ff69812a862
0x7ff69812a870
0x7ff69812a87b
0x7ff69812a87d
0x7ff69812a892
0x7ff69812a8a2
0x7ff69812a8a7
0x7ff69812a8b0
0x7ff69812a8b8
0x7ff69812a8ba
0x7ff69812a8bc
0x7ff69812a8d0
0x7ff69812a8d4
0x7ff69812a8d7
0x7ff69812a8e5
0x7ff69812a8f0
0x7ff69812a8f2
0x7ff69812a8f7
0x7ff69812a8ff
0x7ff69812a904
0x7ff69812a909
0x7ff69812a90e
0x7ff69812a917
0x7ff69812a91c
0x7ff69812a922
0x7ff69812a93d
0x7ff69812a942
0x7ff69812a957
0x7ff69812a95c
0x7ff69812a964
0x7ff69812a970
0x7ff69812a979
0x7ff69812a989
0x7ff69812a992
0x7ff69812a9a2
0x7ff69812a9ac
0x7ff69812a9b1
0x7ff69812a9bd
0x7ff69812a9c5
0x7ff69812a9d6
0x7ff69812a9e0
0x7ff69812aa00

APIs

Part of subcall function 00007FF69812A270: swprintf.LIBCMT ref: 00007FF69812A309
Part of subcall function 00007FF69812A270: GetSystemTime.KERNEL32 ref: 00007FF69812A353
Part of subcall function 00007FF69812A270: swprintf.LIBCMT ref: 00007FF69812A38E
Part of subcall function 00007FF69812A270: GetCurrentThreadId.KERNEL32 ref: 00007FF69812A3C1
Part of subcall function 00007FF69812A270: swprintf.LIBCMT ref: 00007FF69812A3DE

_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A87D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF69812A8F2
EnterCriticalSection.KERNEL32 ref: 00007FF69812A964
LeaveCriticalSection.KERNEL32 ref: 00007FF69812A992

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf$CriticalSection_invalid_parameter_noinfo$CurrentEnterLeaveSystemThreadTime
String ID:
API String ID: 1744438772-0
Opcode ID: e23f237a98b1d8089097f5cf546f0080097a3824f3602463ab54cee6507bbf80
Instruction ID: 39c61ab7f53c48669aaeec1670665f39961485c28d8d49bfd9b283ae860a40df
Opcode Fuzzy Hash: e23f237a98b1d8089097f5cf546f0080097a3824f3602463ab54cee6507bbf80
Instruction Fuzzy Hash: 5051312260DBC294EA709B25F8407EEB365FB86794F804271DADD83A99DF3CD449CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698109250 Relevance: 6.1, APIs: 4, Instructions: 107
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00007FF67FF698109250(long long __rcx, long long __rdx, long long __r8, intOrPtr _a8, void* _a16, intOrPtr _a24, intOrPtr _a32) {
				long long _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _t63;
				void* _t65;
				signed long long _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				long long _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t100;
				long long _t112;
				long long _t115;
				void* _t121;
				signed long long _t123;
				long long _t128;

				_t80 = _t115;
				 *((intOrPtr*)(_t80 + 0x20)) = r9d;
				 *((long long*)(_t80 + 0x18)) = __r8;
				 *((long long*)(_t80 + 0x10)) = __rdx;
				 *((long long*)(_t80 + 8)) = __rcx;
				r13d = r9d;
				_t112 = __r8;
				_t128 = __rcx;
				_t66 = E00007FF67FF698112550(__rcx, __rdx, __r8);
				E00007FF67FF6981072E8(_t80);
				_v64 = _t80;
				E00007FF67FF69810B93C(_t65, _t69, _t80);
				 *((intOrPtr*)(_t80 + 0x100)) =  *((intOrPtr*)(_t80 + 0x100)) + 1;
				if (_t66 == 0xffffffff) goto 0x9810939b;
				if (_t66 - r13d <= 0) goto 0x9810939b;
				if (_t66 - 0xffffffff <= 0) goto 0x981092b9;
				if (_t66 -  *((intOrPtr*)(_t112 + 4)) < 0) goto 0x981092be;
				E00007FF67FF698110148(_t80);
				_t123 = _t66;
				E00007FF67FF6981072E8(_t80);
				_t81 = _t80 + _t123 * 8;
				_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t81));
				_v72 = _t67;
				E00007FF67FF6981072E8(_t81);
				_t82 = _t81 + _t123 * 8;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t82 + 4)) == 0) goto 0x9810930a;
				E00007FF67FF6981072E8(_t82);
				_t83 = _t82 + _t123 * 8;
				E00007FF67FF6981072E8(_t83);
				_t84 = _t83 +  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t83 + 4));
				goto 0x9810930c;
				if (_t84 == 0) goto 0x9810936d;
				r9d = _t67;
				E00007FF67FF698112578(0, _t128, _t112);
				E00007FF67FF6981072E8(_t84);
				_t100 =  *((intOrPtr*)(_t112 + 8));
				_t85 = _t84 + _t123 * 8;
				_t76 =  *((intOrPtr*)(_t100 + _t85 + 4));
				if ( *((intOrPtr*)(_t100 + _t85 + 4)) == 0) goto 0x98109352;
				E00007FF67FF6981072E8(_t85);
				_t86 = _t85 + _t123 * 8;
				E00007FF67FF6981072E8(_t86);
				_t87 = _t86 +  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t86 + 4));
				goto 0x98109354;
				r8d = 0x103;
				E00007FF67FF69812C050(_t87, _t128, _t121);
				E00007FF67FF698107318(_t87, _t80);
				r13d = _a32;
				_t68 = _v72;
				_v68 = _t68;
				goto 0x9810929d;
				E00007FF67FF69810B93C(_t65, _t76, _t87);
				if ( *((intOrPtr*)(_t87 + 0x100)) <= 0) goto 0x981093b4;
				E00007FF67FF69810B93C(_t65,  *((intOrPtr*)(_t87 + 0x100)), _t87);
				 *((intOrPtr*)(_t87 + 0x100)) =  *((intOrPtr*)(_t87 + 0x100)) - 1;
				if (_t68 == 0xffffffff) goto 0x981093c3;
				if (_t68 - r13d <= 0) goto 0x981093c3;
				_t63 = E00007FF67FF698110148(_t87);
				r9d = _t68;
				return E00007FF67FF698112578(_t63, _a8, _a24);
			}

0x7ff698109250
0x7ff698109253
0x7ff698109257
0x7ff69810925b
0x7ff69810925f
0x7ff698109272
0x7ff698109275
0x7ff69810927b
0x7ff698109283
0x7ff698109285
0x7ff69810928d
0x7ff698109292
0x7ff698109297
0x7ff6981092a0
0x7ff6981092a9
0x7ff6981092b2
0x7ff6981092b7
0x7ff6981092b9
0x7ff6981092be
0x7ff6981092c1
0x7ff6981092ca
0x7ff6981092ce
0x7ff6981092d1
0x7ff6981092d5
0x7ff6981092de
0x7ff6981092e7
0x7ff6981092e9
0x7ff6981092f2
0x7ff6981092fb
0x7ff698109300
0x7ff698109308
0x7ff69810930f
0x7ff698109311
0x7ff69810931d
0x7ff698109322
0x7ff698109327
0x7ff69810932b
0x7ff69810932f
0x7ff698109334
0x7ff698109336
0x7ff69810933f
0x7ff698109348
0x7ff69810934d
0x7ff698109350
0x7ff698109354
0x7ff698109360
0x7ff698109368
0x7ff69810936f
0x7ff698109389
0x7ff69810938d
0x7ff698109396
0x7ff69810939b
0x7ff6981093a7
0x7ff6981093a9
0x7ff6981093ae
0x7ff6981093b7
0x7ff6981093bc
0x7ff6981093be
0x7ff6981093c3
0x7ff6981093e3

APIs

Part of subcall function 00007FF6981072E8: _getptd.LIBCMT ref: 00007FF6981072EC

_getptd.LIBCMT ref: 00007FF698109292
_SetImageBase.LIBCMT ref: 00007FF698109368
_getptd.LIBCMT ref: 00007FF69810939B
_getptd.LIBCMT ref: 00007FF6981093A9

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 5665795fcf005ae9679d0fd918da8335e09ef8a53e3ab91a4d23fb740d9e4aa0
Instruction ID: 1660fe342f6f57c210d3b16aad77e7879dbbd5a81a473f3b4ea8ad0dba0a0884
Opcode Fuzzy Hash: 5665795fcf005ae9679d0fd918da8335e09ef8a53e3ab91a4d23fb740d9e4aa0
Instruction Fuzzy Hash: 1D418962A0860381EA309F75D8911BDA790EF85B94FC58571EE5DC77E2CE3CE492C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698108214 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF67FF698108214(void* __edi, void* __esi, long long __rcx, void* __rsi) {
				void* __rbx;
				void* _t4;
				intOrPtr _t15;
				void* _t23;
				intOrPtr* _t30;
				void* _t36;

				if (__rcx == 0) goto 0x981082ba;
				E00007FF67FF69810FF60();
				_t15 =  *((intOrPtr*)(__rcx + 8));
				if (_t15 == 0) goto 0x98108255;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t15 != 0) goto 0x98108255;
				if ( *((intOrPtr*)(__rcx + 8)) == 0x98140bb0) goto 0x98108255;
				free(_t23);
				E00007FF67FF69810FE60();
				if ( *((long long*)(__rcx)) == 0) goto 0x981082a1;
				E00007FF67FF69810FF60();
				E00007FF67FF69810809C(_t4,  *((intOrPtr*)(__rcx)), _t36);
				_t30 =  *((intOrPtr*)(__rcx));
				if (_t30 == 0) goto 0x98108297;
				if ( *_t30 != 0) goto 0x98108297;
				if (_t30 == 0x98140a30) goto 0x98108297;
				E00007FF67FF698107E88(__rcx, _t30, __rsi, _t36);
				E00007FF67FF69810FE60();
				 *((long long*)(__rcx)) = 0x98140a30;
				 *((long long*)(__rcx + 8)) = 0x98140a30;
				free(??);
				return 0xbaadf00d;
			}

0x7ff698108217
0x7ff69810822a
0x7ff698108234
0x7ff698108237
0x7ff698108239
0x7ff69810823d
0x7ff69810824d
0x7ff69810824f
0x7ff69810825a
0x7ff698108263
0x7ff69810826a
0x7ff698108273
0x7ff698108278
0x7ff69810827e
0x7ff698108283
0x7ff69810828f
0x7ff698108291
0x7ff69810829c
0x7ff6981082a6
0x7ff6981082a9
0x7ff6981082b0
0x7ff6981082ba

APIs

_lock.LIBCMT ref: 00007FF69810822A
free.LIBCMT ref: 00007FF69810824F

Part of subcall function 00007FF69810484C: HeapFree.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104862
Part of subcall function 00007FF69810484C: _errno.LIBCMT ref: 00007FF69810486C
Part of subcall function 00007FF69810484C: GetLastError.KERNEL32(?,?,?,00007FF698104219), ref: 00007FF698104874

_lock.LIBCMT ref: 00007FF69810826A
free.LIBCMT ref: 00007FF6981082B0

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 4d6a6f156befe5a0da9afee2539e0a2b99425bf6e00ddd8f4db7cbe1f4866d2c
Instruction ID: 30cd414fc32e07a2dcbf9faba147d3b261758b4165afa96a5d74ecae1adbd0f0
Opcode Fuzzy Hash: 4d6a6f156befe5a0da9afee2539e0a2b99425bf6e00ddd8f4db7cbe1f4866d2c
Instruction Fuzzy Hash: 89113C22A0B90785FF749FB1CC617782390EF85B45F8445B6D60EC62D6CE2CA860C229

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810B7DC Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF69810BB51,?,?,00000000,00007FF698104727), ref: 00007FF69810B7EB
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF69810BB51), ref: 00007FF69810FE12
free.LIBCMT ref: 00007FF69810FE1B
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF69810BB51), ref: 00007FF69810FE3B

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 6873f9bc57506945de8e1b5125113889f3f65db8f6cd79cb80fb404202243c4b
Instruction ID: 068b87097918ffd8f2f2f3c6251cd2a294d6d5bf355b72a299905a82dfcac437
Opcode Fuzzy Hash: 6873f9bc57506945de8e1b5125113889f3f65db8f6cd79cb80fb404202243c4b
Instruction Fuzzy Hash: 10119132E09A4786FA749F31E94523873A0FF44B94F984175D61D876E6CF2CE4A1C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698105F64 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF67FF698105F64(void* __edi, intOrPtr* __rax, long long __rbx, signed int __rcx, long long _a8) {
				signed int _v24;
				signed int _t16;
				void* _t21;
				void* _t29;
				signed int _t37;
				signed int _t39;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t49;

				_t39 = __rcx;
				_t35 = __rax;
				_a8 = __rbx;
				_t37 = __rcx;
				if (__rcx != 0) goto 0x98105f9c;
				E00007FF67FF6981078AC(__rax);
				_v24 = _v24 & __rcx;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF67FF698104430(__rax, __rcx, __rcx, _t43, _t44, _t45, _t49);
				goto 0x98105fe2;
				if (( *(_t39 + 0x18) & 0x00000083) == 0) goto 0x98105fdc;
				_t16 = E00007FF67FF698106BCC(_t37, _t39, _t44);
				E00007FF67FF698111B24(__rax, _t37);
				if (E00007FF67FF698111A0C(_t21, E00007FF67FF698110EB8(__rax, _t37, _t37, _t43, _t44, _t45, _t49), _t29, _t35, _t37, _t37, _t43, _t44, _t45, _t49) >= 0) goto 0x98105fc9;
				goto 0x98105fdc;
				if ( *(_t37 + 0x28) == 0) goto 0x98105fdc;
				free(??);
				 *(_t37 + 0x28) =  *(_t37 + 0x28) & 0x00000000;
				 *(_t37 + 0x18) =  *(_t37 + 0x18) & 0x00000000;
				return _t16 | 0xffffffff;
			}

0x7ff698105f64
0x7ff698105f64
0x7ff698105f64
0x7ff698105f71
0x7ff698105f77
0x7ff698105f79
0x7ff698105f7e
0x7ff698105f83
0x7ff698105f86
0x7ff698105f8d
0x7ff698105f93
0x7ff698105f9a
0x7ff698105fa0
0x7ff698105fa2
0x7ff698105fac
0x7ff698105fc2
0x7ff698105fc7
0x7ff698105fd0
0x7ff698105fd2
0x7ff698105fd7
0x7ff698105fdc
0x7ff698105fec

APIs

_errno.LIBCMT ref: 00007FF698105F79

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_flush.LIBCMT ref: 00007FF698105FA2
_freebuf.LIBCMT ref: 00007FF698105FAC

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: e85fca2b21714c02f18f57603225243ab33633c5b8a898005f5a6ec10b8aea6d
Instruction ID: aef001c6aacdc978c09df2464f3874aafbd18dcc775bf4c6a487867ffec1fa60
Opcode Fuzzy Hash: e85fca2b21714c02f18f57603225243ab33633c5b8a898005f5a6ec10b8aea6d
Instruction Fuzzy Hash: 49019E22E1864346FB34AE759C113BC6651DF94768FA917B0EA2DC66D6CF3CE820C61C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981158B8 Relevance: 6.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00007FF67FF6981158B8(signed int __ecx, void* __edx, signed int* __rax, void* __rbx, void* __rsi, void* __rbp, void* __r8) {
				signed long long _v24;
				intOrPtr _t28;
				signed int* _t29;
				signed long long _t34;

				if (__ecx != 0xfffffffe) goto 0x981158d6;
				E00007FF67FF6981078CC(__rax);
				 *__rax =  *__rax & 0x00000000;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 9;
				goto 0x98115933;
				if (__ecx < 0) goto 0x9811590b;
				if (__ecx -  *0x981489c0 >= 0) goto 0x9811590b;
				_t34 = __ecx * 0x58;
				_t28 =  *((intOrPtr*)(0x981489e0 + (__ecx >> 5) * 8));
				if (( *(_t28 + _t34 + 8) & 0x00000001) == 0) goto 0x9811590b;
				_t29 =  *((intOrPtr*)(_t28 + _t34));
				goto 0x98115937;
				E00007FF67FF6981078CC(_t29);
				 *_t29 =  *_t29 & 0x00000000;
				E00007FF67FF6981078AC(_t29);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t29 = 9;
				return E00007FF67FF698104430(_t29, __rbx, 0x981489e0, _t34, __rsi, __rbp, __r8);
			}

0x7ff6981158bf
0x7ff6981158c1
0x7ff6981158c6
0x7ff6981158c9
0x7ff6981158ce
0x7ff6981158d4
0x7ff6981158d8
0x7ff6981158e0
0x7ff6981158f6
0x7ff6981158fa
0x7ff698115903
0x7ff698115905
0x7ff698115909
0x7ff69811590b
0x7ff698115910
0x7ff698115913
0x7ff698115918
0x7ff69811591e
0x7ff698115921
0x7ff698115928
0x7ff69811593b

APIs

__doserrno.LIBCMT ref: 00007FF6981158C1
_errno.LIBCMT ref: 00007FF6981158C9

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 42309f2acd20e35207d32cf45d5d8bb19fd6256df55cf22ec14333df7ab8f0c2
Instruction ID: cddd06a9bf72e18f0e3d1c1ceb0b7d5320f7288598887e8fe6e2c08eabf7cd65
Opcode Fuzzy Hash: 42309f2acd20e35207d32cf45d5d8bb19fd6256df55cf22ec14333df7ab8f0c2
Instruction Fuzzy Hash: FC0175B2E1854B41FA345F35C8513BC2651EFA0775FD447B6D92E862D1CF3D6410C619

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6980F40C0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00007FF67FF6980F40C0(intOrPtr* __rcx) {
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t9;
				intOrPtr _t11;
				void* _t14;
				void* _t15;
				void* _t17;

				_t11 =  *__rcx;
				if (_t11 == 0) goto 0x980f40fc;
				if (_t11 == 0xffffffff) goto 0x980f40fc;
				if (CloseHandle(??) != 0) goto 0x980f40fc;
				r9d = 0x1dd;
				return E00007FF67FF69812AB00(_t3, _t4, _t5, _t9, "CloseHandle(handle_to_manage)", "void __cdecl boost::detail::win32::handle_manager::cleanup(void)", _t14, _t15, "D:\\Libraries\\boost\\boost/thread/win32/thread_primitives.hpp", _t17);
			}

0x7ff6980f40c4
0x7ff6980f40ca
0x7ff6980f40d0
0x7ff6980f40da
0x7ff6980f40f1
0x7ff6980f4100

APIs

CloseHandle.KERNEL32 ref: 00007FF6980F40D2

Strings

CloseHandle(handle_to_manage), xrefs: 00007FF6980F40EA
D:\Libraries\boost\boost/thread/win32/thread_primitives.hpp, xrefs: 00007FF6980F40DC
void __cdecl boost::detail::win32::handle_manager::cleanup(void), xrefs: 00007FF6980F40E3

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: CloseHandle
String ID: CloseHandle(handle_to_manage)$D:\Libraries\boost\boost/thread/win32/thread_primitives.hpp$void __cdecl boost::detail::win32::handle_manager::cleanup(void)
API String ID: 2962429428-1328045786
Opcode ID: e94c27bac43ffa26f5226572da9408715b3b101fcc1e669ba66f1d71604591b2
Instruction ID: 132eee703e6aea153d750ad1a0607bd9a84b032ed860a3fa71f9009ea7859c94
Opcode Fuzzy Hash: e94c27bac43ffa26f5226572da9408715b3b101fcc1e669ba66f1d71604591b2
Instruction Fuzzy Hash: A2E04F25E09A0391FE349776B8511742250FF21B74FC043B2C83ED31E0AE2CA54AC34C

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69810A2C8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF67FF69810A2C8(void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __rsi, long long __rbp, void* __r8, long long __r9, long long _a8, long long _a16, long long _a24, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				intOrPtr _t50;
				void* _t52;
				void* _t68;
				void* _t72;
				intOrPtr _t73;
				void* _t75;
				char _t86;
				void* _t103;
				intOrPtr _t105;
				intOrPtr* _t109;
				signed int* _t126;
				long long _t128;
				long long _t131;
				long long* _t146;
				void* _t147;

				_t103 = __rax;
				_t72 = __edi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t131 = __r9;
				_t147 = __r8;
				_t128 = __rdx;
				_t109 = __rcx;
				E00007FF67FF69810B93C(_t68, _t75, __rax);
				_t126 = _a40;
				r8d = 0x80000029;
				r9d = 0x80000026;
				r14d = 1;
				if ( *((intOrPtr*)(_t103 + 0x2c0)) != 0) goto 0x9810a351;
				if ( *__rcx == 0xe06d7363) goto 0x9810a351;
				if ( *__rcx != r8d) goto 0x9810a336;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0x9810a336;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0x9810a351;
				if ( *__rcx == r9d) goto 0x9810a351;
				if (( *_t126 & 0x1fffffff) - 0x19930522 < 0) goto 0x9810a351;
				if ((_t126[9] & r14b) != 0) goto 0x9810a4d1;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0x9810a3ef;
				if (_t126[1] == 0) goto 0x9810a4d1;
				_t86 = _a48;
				if (_t86 != 0) goto 0x9810a4d1;
				if (_t86 == 0) goto 0x9810a3b8;
				if ( *__rcx != r9d) goto 0x9810a3b8;
				_t50 = E00007FF67FF6981124BC(_t103, __rcx, _t126, __r9, __rdx, __r9,  *((intOrPtr*)(__r8 + 0xf8)));
				if (_t50 - 0xffffffff < 0) goto 0x9810a39d;
				if (_t50 - _t126[1] < 0) goto 0x9810a3a2;
				E00007FF67FF698110148(_t103);
				r9d = _t50;
				_t52 = E00007FF67FF698109250(__rdx, _t131, _t126);
				goto 0x9810a4d1;
				if (_t52 == 0) goto 0x9810a3dc;
				if ( *_t109 != r8d) goto 0x9810a3dc;
				_t73 =  *((intOrPtr*)(_t109 + 0x38));
				if (_t73 - 0xffffffff < 0) goto 0x9810a3ce;
				if (_t73 - _t126[1] < 0) goto 0x9810a3d3;
				E00007FF67FF698110148(_t103);
				r9d = _t73;
				goto 0x9810a3a8;
				E00007FF67FF698107350(_t72, _t109, _t128, _t131, _t128, _t126);
				goto 0x9810a4d1;
				if (_t126[3] != 0) goto 0x9810a423;
				if (( *_t126 & 0x1fffffff) - 0x19930521 < 0) goto 0x9810a4d1;
				if (_t126[8] == 0) goto 0x9810a418;
				E00007FF67FF6981072E8(_t103);
				goto 0x9810a41a;
				if (_t103 + _t126[8] == 0) goto 0x9810a4d1;
				if ( *_t109 != 0xe06d7363) goto 0x9810a498;
				if ( *((intOrPtr*)(_t109 + 0x18)) - 3 < 0) goto 0x9810a498;
				if ( *((intOrPtr*)(_t109 + 0x20)) - 0x19930522 <= 0) goto 0x9810a498;
				_t105 =  *((intOrPtr*)(_t109 + 0x30));
				if ( *((intOrPtr*)(_t105 + 8)) == 0) goto 0x9810a456;
				E00007FF67FF698107300(_t105);
				_t146 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x30)) + 8)) + _t105;
				goto 0x9810a459;
				r11d = 0;
				if (_t146 == 0) goto 0x9810a498;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t126;
				 *_t146();
				goto 0x9810a4d4;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t126;
				E00007FF67FF698109D48(_t50,  *_t126 & 0x1fffffff, _t72, __ebp, _a56, _t109, _t109, _t128, _t147, _t131);
				return r14d;
			}

0x7ff69810a2c8
0x7ff69810a2c8
0x7ff69810a2c8
0x7ff69810a2cd
0x7ff69810a2d2
0x7ff69810a2e0
0x7ff69810a2e3
0x7ff69810a2e6
0x7ff69810a2e9
0x7ff69810a2ec
0x7ff69810a2f1
0x7ff69810a305
0x7ff69810a30b
0x7ff69810a311
0x7ff69810a317
0x7ff69810a31f
0x7ff69810a324
0x7ff69810a32a
0x7ff69810a334
0x7ff69810a339
0x7ff69810a345
0x7ff69810a34b
0x7ff69810a356
0x7ff69810a360
0x7ff69810a366
0x7ff69810a36e
0x7ff69810a377
0x7ff69810a37c
0x7ff69810a38c
0x7ff69810a396
0x7ff69810a39b
0x7ff69810a39d
0x7ff69810a3a2
0x7ff69810a3ae
0x7ff69810a3b3
0x7ff69810a3ba
0x7ff69810a3bf
0x7ff69810a3c1
0x7ff69810a3c7
0x7ff69810a3cc
0x7ff69810a3ce
0x7ff69810a3d7
0x7ff69810a3da
0x7ff69810a3e5
0x7ff69810a3ea
0x7ff69810a3f3
0x7ff69810a3fe
0x7ff69810a408
0x7ff69810a40a
0x7ff69810a416
0x7ff69810a41d
0x7ff69810a429
0x7ff69810a42f
0x7ff69810a438
0x7ff69810a43a
0x7ff69810a442
0x7ff69810a444
0x7ff69810a451
0x7ff69810a454
0x7ff69810a456
0x7ff69810a45c
0x7ff69810a46c
0x7ff69810a47b
0x7ff69810a48a
0x7ff69810a48e
0x7ff69810a493
0x7ff69810a496
0x7ff69810a4a6
0x7ff69810a4b5
0x7ff69810a4c3
0x7ff69810a4c7
0x7ff69810a4cc
0x7ff69810a4ec

APIs

_getptd.LIBCMT ref: 00007FF69810A2EC

Strings

csm, xrefs: 00007FF69810A319
csm, xrefs: 00007FF69810A423

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 98f21436721bd78c3725fa0ca854348773e5603e32f22c9a78c881d467c025b4
Instruction ID: 19e3845f4a75457a9a57463c0b4f271d0a0c549f872acaed08a11e5768ab249c
Opcode Fuzzy Hash: 98f21436721bd78c3725fa0ca854348773e5603e32f22c9a78c881d467c025b4
Instruction Fuzzy Hash: 26518F229082438AEB709E359844B7D7690FB41B84F888175DE8DDBB85CF3CE8A0C749

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100850 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF67FF698100850(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				void* __rbx;
				long long _t35;
				signed int _t43;
				signed int _t44;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				void* _t52;
				signed long long _t62;
				char* _t68;
				char* _t69;
				intOrPtr _t72;
				void* _t73;
				long long _t74;
				long long* _t76;
				void* _t84;
				void* _t86;
				signed long long _t89;

				_t62 =  *0x98140430; // 0x4918c2c043f
				 *(_t89 + 0xe0) = _t62 ^ _t89;
				_t72 =  *((intOrPtr*)(__r9 + 0x20));
				_t48 = _t72;
				if (_t48 > 0) goto 0x98100891;
				asm("inc ecx");
				if (_t48 < 0) goto 0x98100891;
				_t43 =  *(__r9 + 0x18);
				asm("movsd xmm1, [esp+0x158]");
				r9d = 6;
				r9d =  >  ? 0x24 : r9d;
				_t84 = _t86;
				_t73 = _t72 - r9d;
				_t50 = (_t43 & 0x00003000) - 0x2000;
				if (_t50 != 0) goto 0x98100969;
				asm("movapd xmm0, xmm1");
				asm("mulsd xmm0, [0x3480b]");
				asm("ucomisd xmm0, xmm1");
				if (_t50 != 0) goto 0x981008e1;
				if (_t50 == 0) goto 0x98100969;
				asm("xorpd xmm3, xmm3");
				asm("movsd xmm4, [0x347e3]");
				asm("comisd xmm3, xmm1");
				if (_t50 <= 0) goto 0x981008fb;
				asm("xorpd xmm1, xmm4");
				goto 0x981008fd;
				asm("movsd xmm0, [0x347c3]");
				asm("movsd xmm2, [0x347b3]");
				asm("comisd xmm1, xmm0");
				if (_t50 < 0) goto 0x9810092a;
				_t51 = _t86 - 0x1388;
				if (_t51 >= 0) goto 0x9810092a;
				asm("divsd xmm1, xmm2");
				asm("comisd xmm1, xmm0");
				if (_t51 >= 0) goto 0x98100913;
				asm("comisd xmm1, xmm3");
				if (_t51 <= 0) goto 0x98100961;
				_t52 = _t73 - 0xa;
				if (_t52 < 0) goto 0x98100961;
				asm("movsd xmm0, [0x3477a]");
				asm("comisd xmm0, xmm1");
				if (_t52 < 0) goto 0x98100961;
				if (_t84 - 0x1388 >= 0) goto 0x98100961;
				_t74 = _t73 - 0xa;
				asm("mulsd xmm1, xmm2");
				if (_t74 - 0xa >= 0) goto 0x98100940;
				if (0 == 0) goto 0x98100969;
				asm("xorpd xmm1, xmm4");
				_t76 = _t89 + 0x50;
				 *((char*)(_t89 + 0x60)) = 0x25;
				 *_t76 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t76 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ((_t43 & 0x00000020) == 0) goto 0x98100995;
				 *((char*)(_t89 + 0x61)) = 0x2b;
				_t68 = _t89 + 0x62;
				if ((_t43 & 0x00000010) == 0) goto 0x981009a0;
				 *_t68 = 0x23;
				_t69 = _t68 + 1;
				_t44 = _t43 & 0x00003000;
				 *_t69 = 0x2e;
				 *((char*)(_t69 + 1)) = 0x2a;
				if (_t44 != 0x2000) goto 0x981009b9;
				goto 0x981009da;
				if (_t44 != 0x3000) goto 0x981009c5;
				goto 0x981009da;
				r8d = 0x65;
				_t42 =  ==  ? r8d : 0x67;
				 *((char*)(_t69 + 2)) =  ==  ? r8d : 0x67;
				asm("movsd [esp+0x20], xmm1");
				 *((char*)(_t69 + 3)) = 0;
				_t35 = E00007FF67FF698104828(_t89 + 0x60, __r9);
				_t94 = __r9;
				 *((long long*)(_t89 + 0x48)) = _t35;
				 *((long long*)(_t89 + 0x40)) = _t74;
				 *((long long*)(_t89 + 0x38)) = _t84 + 0xa;
				 *((long long*)(_t89 + 0x30)) = _t86 + 0xa;
				 *((long long*)(_t89 + 0x28)) = _t89 + 0x70;
				 *((char*)(_t89 + 0x20)) =  *(_t89 + 0x150) & 0x000000ff;
				E00007FF67FF698100F40( *(_t89 + 0x150) & 0x000000ff, _t44 - 0x1000, _t74, __rcx, __rdx, _t89 + 0x50, __r9);
				return E00007FF67FF698104050( ==  ? r8d : 0x67,  *(_t89 + 0xe0) ^ _t89, __rdx, _t89 + 0x50, _t94);
			}

0x7ff698100860
0x7ff69810086a
0x7ff698100872
0x7ff69810087f
0x7ff698100882
0x7ff698100884
0x7ff69810088a
0x7ff698100891
0x7ff698100894
0x7ff6981008a5
0x7ff6981008a8
0x7ff6981008b1
0x7ff6981008b4
0x7ff6981008be
0x7ff6981008c3
0x7ff6981008c9
0x7ff6981008cd
0x7ff6981008d5
0x7ff6981008d9
0x7ff6981008db
0x7ff6981008e1
0x7ff6981008e5
0x7ff6981008ed
0x7ff6981008f1
0x7ff6981008f5
0x7ff6981008f9
0x7ff6981008fd
0x7ff698100905
0x7ff69810090d
0x7ff698100911
0x7ff698100913
0x7ff69810091a
0x7ff69810091c
0x7ff698100924
0x7ff698100928
0x7ff69810092a
0x7ff69810092e
0x7ff698100930
0x7ff698100934
0x7ff698100936
0x7ff698100940
0x7ff698100944
0x7ff69810094d
0x7ff69810094f
0x7ff698100957
0x7ff69810095f
0x7ff698100963
0x7ff698100965
0x7ff69810096c
0x7ff698100971
0x7ff698100976
0x7ff69810097d
0x7ff698100989
0x7ff69810098b
0x7ff698100990
0x7ff698100998
0x7ff69810099a
0x7ff69810099d
0x7ff6981009a0
0x7ff6981009a6
0x7ff6981009a9
0x7ff6981009b3
0x7ff6981009b7
0x7ff6981009bf
0x7ff6981009c3
0x7ff6981009ca
0x7ff6981009d6
0x7ff6981009da
0x7ff6981009e7
0x7ff6981009f2
0x7ff6981009f6
0x7ff698100a00
0x7ff698100a0e
0x7ff698100a1b
0x7ff698100a20
0x7ff698100a25
0x7ff698100a2a
0x7ff698100a2f
0x7ff698100a36
0x7ff698100a5d

APIs

swprintf.LIBCMT ref: 00007FF6981009F6

Strings

+, xrefs: 00007FF69810098B
%, xrefs: 00007FF698100971

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 4a7392d89f1e279d8a6d564c2a1305181f93ac8bdff9bcfff4d940475f5d063f
Instruction ID: dd3e17ec0d0a08322ca0a90717e392e757e185f2f70a363a47734495ce98f965
Opcode Fuzzy Hash: 4a7392d89f1e279d8a6d564c2a1305181f93ac8bdff9bcfff4d940475f5d063f
Instruction Fuzzy Hash: 5C512723E0CB8389FA328E34E8553AA6695EF56780F9482B2D98D937A1DF3CD055C344

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100A60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF67FF698100A60(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				void* __rbx;
				long long _t36;
				signed int _t44;
				signed int _t45;
				intOrPtr _t49;
				void* _t51;
				void* _t52;
				void* _t53;
				signed long long _t63;
				char* _t69;
				char* _t70;
				intOrPtr _t73;
				void* _t74;
				long long _t75;
				long long* _t77;
				void* _t85;
				void* _t87;
				signed long long _t90;

				_t63 =  *0x98140430; // 0x4918c2c043f
				 *(_t90 + 0xe0) = _t63 ^ _t90;
				_t73 =  *((intOrPtr*)(__r9 + 0x20));
				_t49 = _t73;
				if (_t49 > 0) goto 0x98100aa1;
				asm("inc ecx");
				if (_t49 < 0) goto 0x98100aa1;
				_t44 =  *(__r9 + 0x18);
				asm("movsd xmm0, [esp+0x158]");
				r9d = 6;
				r9d =  >  ? 0x24 : r9d;
				_t85 = _t87;
				_t74 = _t73 - r9d;
				_t51 = (_t44 & 0x00003000) - 0x2000;
				if (_t51 != 0) goto 0x98100b69;
				asm("xorpd xmm3, xmm3");
				asm("movsd xmm4, [0x345eb]");
				asm("comisd xmm3, xmm0");
				if (_t51 <= 0) goto 0x98100af3;
				asm("xorpd xmm0, xmm4");
				goto 0x98100af5;
				asm("movsd xmm1, [0x345cb]");
				asm("movsd xmm2, [0x345bb]");
				asm("comisd xmm0, xmm1");
				if (_t51 < 0) goto 0x98100b27;
				_t52 = _t87 - 0x1388;
				if (_t52 >= 0) goto 0x98100b27;
				asm("divsd xmm0, xmm2");
				asm("comisd xmm0, xmm1");
				if (_t52 >= 0) goto 0x98100b10;
				asm("comisd xmm0, xmm3");
				if (_t52 <= 0) goto 0x98100b61;
				_t53 = _t74 - 0xa;
				if (_t53 < 0) goto 0x98100b61;
				asm("movsd xmm1, [0x3457d]");
				asm("comisd xmm1, xmm0");
				if (_t53 < 0) goto 0x98100b61;
				if (_t85 - 0x1388 >= 0) goto 0x98100b61;
				_t75 = _t74 - 0xa;
				asm("mulsd xmm0, xmm2");
				if (_t75 - 0xa >= 0) goto 0x98100b40;
				if (0 == 0) goto 0x98100b69;
				asm("xorpd xmm0, xmm4");
				_t77 = _t90 + 0x50;
				 *((char*)(_t90 + 0x60)) = 0x25;
				 *_t77 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t77 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ((_t44 & 0x00000020) == 0) goto 0x98100b95;
				 *((char*)(_t90 + 0x61)) = 0x2b;
				_t69 = _t90 + 0x62;
				if ((_t44 & 0x00000010) == 0) goto 0x98100ba0;
				 *_t69 = 0x23;
				_t70 = _t69 + 1;
				 *_t70 = 0x2e;
				_t45 = _t44 & 0x00003000;
				 *((char*)(_t70 + 1)) = 0x2a;
				 *((char*)(_t70 + 2)) = 0x4c;
				if (_t45 != 0x2000) goto 0x98100bbd;
				goto 0x98100bde;
				if (_t45 != 0x3000) goto 0x98100bc9;
				goto 0x98100bde;
				r8d = 0x65;
				_t43 =  ==  ? r8d : 0x67;
				 *((char*)(_t70 + 3)) =  ==  ? r8d : 0x67;
				asm("movsd [esp+0x20], xmm0");
				 *((char*)(_t70 + 4)) = 0;
				_t36 = E00007FF67FF698104828(_t90 + 0x60, __r9);
				_t95 = __r9;
				 *((long long*)(_t90 + 0x48)) = _t36;
				 *((long long*)(_t90 + 0x40)) = _t75;
				 *((long long*)(_t90 + 0x38)) = _t85 + 0xa;
				 *((long long*)(_t90 + 0x30)) = _t87 + 0xa;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x70;
				 *((char*)(_t90 + 0x20)) =  *(_t90 + 0x150) & 0x000000ff;
				E00007FF67FF698100F40( *(_t90 + 0x150) & 0x000000ff, _t45 - 0x1000, _t75, __rcx, __rdx, _t90 + 0x50, __r9);
				return E00007FF67FF698104050( ==  ? r8d : 0x67,  *(_t90 + 0xe0) ^ _t90, __rdx, _t90 + 0x50, _t95);
			}

0x7ff698100a70
0x7ff698100a7a
0x7ff698100a82
0x7ff698100a8f
0x7ff698100a92
0x7ff698100a94
0x7ff698100a9a
0x7ff698100aa1
0x7ff698100aa4
0x7ff698100ab5
0x7ff698100ab8
0x7ff698100ac1
0x7ff698100ac4
0x7ff698100ace
0x7ff698100ad3
0x7ff698100ad9
0x7ff698100add
0x7ff698100ae5
0x7ff698100ae9
0x7ff698100aed
0x7ff698100af1
0x7ff698100af5
0x7ff698100afd
0x7ff698100b05
0x7ff698100b09
0x7ff698100b10
0x7ff698100b17
0x7ff698100b19
0x7ff698100b21
0x7ff698100b25
0x7ff698100b27
0x7ff698100b2b
0x7ff698100b2d
0x7ff698100b31
0x7ff698100b33
0x7ff698100b40
0x7ff698100b44
0x7ff698100b4d
0x7ff698100b4f
0x7ff698100b57
0x7ff698100b5f
0x7ff698100b63
0x7ff698100b65
0x7ff698100b6c
0x7ff698100b71
0x7ff698100b76
0x7ff698100b7d
0x7ff698100b89
0x7ff698100b8b
0x7ff698100b90
0x7ff698100b98
0x7ff698100b9a
0x7ff698100b9d
0x7ff698100ba0
0x7ff698100ba3
0x7ff698100ba9
0x7ff698100bad
0x7ff698100bb7
0x7ff698100bbb
0x7ff698100bc3
0x7ff698100bc7
0x7ff698100bce
0x7ff698100bda
0x7ff698100bde
0x7ff698100beb
0x7ff698100bf6
0x7ff698100bfa
0x7ff698100c04
0x7ff698100c12
0x7ff698100c1f
0x7ff698100c24
0x7ff698100c29
0x7ff698100c2e
0x7ff698100c33
0x7ff698100c3a
0x7ff698100c61

APIs

swprintf.LIBCMT ref: 00007FF698100BFA

Strings

+, xrefs: 00007FF698100B8B
%, xrefs: 00007FF698100B71

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: f56427867cc14d5ba6facdcfc3d5dd5fa3c1aaa7c4077d046ccc8f1ad1e565a5
Instruction ID: 05e00fa736aed71336fefb11096f3d634fa4d2e307300c5ba88b187ebb1e353b
Opcode Fuzzy Hash: f56427867cc14d5ba6facdcfc3d5dd5fa3c1aaa7c4077d046ccc8f1ad1e565a5
Instruction Fuzzy Hash: B4513722A0CB82C9E7718F34EC503AAA795EB96784F9482B2D94DD7791DF3CD055C708

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981069E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF67FF6981069E4(void* __ecx, void* __edx, long long __rbx, void* __rdx, long long _a8) {
				signed long long _v24;
				void* _t37;
				signed long long _t41;
				void* _t55;
				void* _t56;
				void* _t60;
				signed long long _t62;

				_a8 = __rbx;
				if (( *(__rdx + 0x18) & 0x00000040) != 0) goto 0x98106a97;
				_t62 = E00007FF67FF698110EB8(_t37, __rdx, __rdx, __rdx, _t55, _t56, _t60);
				if (r11d == 0xffffffff) goto 0x98106a39;
				if (r11d == 0xfffffffe) goto 0x98106a39;
				goto 0x98106a3c;
				if (( *0x7FF6981409D8 & 0x0000007f) != 0) goto 0x98106a69;
				if (r11d == 0xffffffff) goto 0x98106a63;
				if (r11d == 0xfffffffe) goto 0x98106a63;
				_t41 = _t62 >> 5;
				if (( *(_t62 * 0x58 +  *((intOrPtr*)(0x981489e0 + _t41 * 8)) + 0x38) & 0x00000080) == 0) goto 0x98106a97;
				E00007FF67FF6981078AC(_t41);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t41 = 0x16;
				return E00007FF67FF698104430(_t41, __rdx, 0x981409a0, _t62 * 0x58 +  *((intOrPtr*)(0x981489e0 + _t41 * 8)), _t55, _t56, 0x981489e0) | 0xffffffff;
			}

0x7ff6981069e4
0x7ff6981069f7
0x7ff698106a13
0x7ff698106a1a
0x7ff698106a20
0x7ff698106a37
0x7ff698106a40
0x7ff698106a46
0x7ff698106a4c
0x7ff698106a57
0x7ff698106a67
0x7ff698106a69
0x7ff698106a6e
0x7ff698106a74
0x7ff698106a77
0x7ff698106a7e
0x7ff698106a96

APIs

_getbuf.LIBCMT ref: 00007FF698106AB8

Part of subcall function 00007FF698110EB8: _errno.LIBCMT ref: 00007FF698110EC1

_errno.LIBCMT ref: 00007FF698106A69

Strings

@, xrefs: 00007FF698106AD5

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$_getbuf
String ID: @
API String ID: 606515832-2766056989
Opcode ID: a4fa89e5b4d4656ba4716eb9c8b861f2449aaef3002945440b091910db96db11
Instruction ID: 42d3d18b76c72e099abe7952d2c4cf54b939208f5fc757603358b5068acf10ae
Opcode Fuzzy Hash: a4fa89e5b4d4656ba4716eb9c8b861f2449aaef3002945440b091910db96db11
Instruction Fuzzy Hash: 06310562A1CB47C4EB74AE38D84433A2790EB90B6CF94D2B5DA1D822D5CF7CD861C258

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698106DD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF67FF698106DD4(intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __r8, long long _a8, long long _a16) {
				signed long long _v24;
				signed int _t28;
				signed long long _t31;
				void* _t34;
				signed long long _t60;
				intOrPtr* _t64;
				signed long long _t72;
				signed long long _t82;
				void* _t83;
				void* _t84;
				void* _t91;

				_t88 = __r8;
				_t77 = __rdx;
				_t66 = __rcx;
				_t58 = __rax;
				_a16 = __rbx;
				_a8 = __rcx;
				_t64 = __rcx;
				if ((0 | __rcx != 0x00000000) != 0) goto 0x98106e1b;
				E00007FF67FF6981078AC(__rax);
				 *__rax = 0x16;
				_v24 = _v24 & _t82;
				r9d = 0;
				r8d = 0;
				_t28 = E00007FF67FF698104430(__rax, __rcx, __rcx, __rdx, _t83, _t84, __r8);
				goto 0x98106eed;
				E00007FF67FF69810B4D0(_t28 | 0xffffffff, _t66);
				if (( *(_t64 + 0x18) & 0x00000040) != 0) goto 0x98106ec1;
				_t31 = E00007FF67FF698110EB8(_t58, _t64, _t64, _t77, _t83, _t84, _t88);
				if (_t31 == 0xffffffff) goto 0x98106e62;
				if (_t31 == 0xfffffffe) goto 0x98106e62;
				goto 0x98106e73;
				if (( *0x7FF6981409D8 & 0x0000007f) != 0) goto 0x98106e9e;
				if (_t31 == 0xffffffff) goto 0x98106e98;
				if (_t31 == 0xfffffffe) goto 0x98106e98;
				_t72 = _t31;
				_t60 = _t72 >> 5;
				if (( *(_t72 * 0x58 +  *((intOrPtr*)(0x981489e0 + _t60 * 8)) + 0x38) & 0x00000080) == 0) goto 0x98106ec1;
				E00007FF67FF6981078AC(_t60);
				 *_t60 = 0x16;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF67FF698104430(_t60, _t64, _t72 * 0x58 +  *((intOrPtr*)(0x981489e0 + _t60 * 8)), 0x981409a0, _t83, _t84, 0x981489e0);
				if (0xffffffff != 0) goto 0x98106ee3;
				 *((intOrPtr*)(_t64 + 8)) =  *((intOrPtr*)(_t64 + 8)) + 0xffffffff;
				if (0xffffffff < 0) goto 0x98106ed9;
				 *_t64 =  *_t64 + 1;
				goto 0x98106ee3;
				_t34 = E00007FF67FF698110468( *_t64 + 1, _t64, _t64, 0x981409a0, _t83, _t84, 0x981489e0, _t91);
				E00007FF67FF69810B560(_t34, _t64);
				return _t34;
			}

0x7ff698106dd4
0x7ff698106dd4
0x7ff698106dd4
0x7ff698106dd4
0x7ff698106dd4
0x7ff698106dd9
0x7ff698106de3
0x7ff698106df2
0x7ff698106df4
0x7ff698106df9
0x7ff698106dff
0x7ff698106e04
0x7ff698106e07
0x7ff698106e0e
0x7ff698106e16
0x7ff698106e1b
0x7ff698106e25
0x7ff698106e2e
0x7ff698106e36
0x7ff698106e3b
0x7ff698106e60
0x7ff698106e77
0x7ff698106e7c
0x7ff698106e81
0x7ff698106e83
0x7ff698106e89
0x7ff698106e9c
0x7ff698106e9e
0x7ff698106ea3
0x7ff698106ea9
0x7ff698106eaf
0x7ff698106eb2
0x7ff698106eb9
0x7ff698106ec3
0x7ff698106ec5
0x7ff698106ec9
0x7ff698106ed4
0x7ff698106ed7
0x7ff698106edc
0x7ff698106ee6
0x7ff698106ef7

APIs

_errno.LIBCMT ref: 00007FF698106DF4

Part of subcall function 00007FF698104430: DecodePointer.KERNEL32 ref: 00007FF698104457

_errno.LIBCMT ref: 00007FF698106E9E

Strings

@, xrefs: 00007FF698106E21

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 72ca26e853ff08c01ad7965e478854bad7cf710359f113a4bafd6f72de130865
Instruction ID: 884dda249b5aefb8a13ab8dff17f0532bc2a0a7a54cc9ff7b4e93b23e9e001e8
Opcode Fuzzy Hash: 72ca26e853ff08c01ad7965e478854bad7cf710359f113a4bafd6f72de130865
Instruction Fuzzy Hash: 8031BE62A1870741EF74DE39DC517792251EF90BA8F9446B5DA2EC62E5CF2CE421C208

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69811B5D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00007FF67FF69811B5D4(intOrPtr* __rax, long long __rbx, char* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, void* __r9, long long _a8) {
				signed long long _v24;
				void* _t17;
				void* _t19;
				void* _t34;
				char* _t40;
				char* _t41;
				char* _t42;
				char* _t44;
				char* _t46;
				void* _t49;
				char* _t59;

				_t49 = __rdx;
				_t46 = __rcx;
				_a8 = __rbx;
				_t59 =  *((intOrPtr*)(__r9 + 0x10));
				_t44 = __rcx;
				if (__rcx != 0) goto 0x9811b612;
				E00007FF67FF6981078AC(__rax);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF67FF698104430(__rax, __rcx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0x9811b6a2;
				if (_t49 == 0) goto 0x9811b5ea;
				 *_t46 = 0;
				_t16 =  >  ? r8d : 0;
				_t17 = ( >  ? r8d : 0) + 1;
				if (_t49 - __rax > 0) goto 0x9811b638;
				_t19 = E00007FF67FF6981078AC(__rax);
				goto 0x9811b5f4;
				 *_t46 = 0x30;
				_t5 = _t46 + 1; // 0x1
				_t40 = _t5;
				goto 0x9811b65d;
				if ( *_t59 == 0) goto 0x9811b650;
				goto 0x9811b655;
				 *_t40 = 0x30;
				_t41 = _t40 + 1;
				r8d = r8d - 1;
				_t34 = r8d;
				if (_t34 > 0) goto 0x9811b641;
				 *_t41 = 0;
				if (_t34 < 0) goto 0x9811b67c;
				if ( *((char*)(_t59 + 1)) - 0x35 < 0) goto 0x9811b67c;
				goto 0x9811b672;
				 *_t41 = 0x30;
				_t42 = _t41 - 1;
				if ( *_t42 == 0x39) goto 0x9811b66f;
				 *_t42 =  *_t42 + 1;
				if ( *_t44 != 0x31) goto 0x9811b687;
				 *((intOrPtr*)(__r9 + 4)) =  *((intOrPtr*)(__r9 + 4)) + 1;
				goto 0x9811b6a0;
				_t8 = _t44 + 1; // 0x1
				E00007FF67FF6981070C0(_t19, _t8);
				_t9 = _t44 + 1; // 0x1
				_t10 = _t42 + 1; // 0x1
				E00007FF67FF69810AE90(0x30,  *_t44 - 0x31, _t44, _t9, _t10);
				return 0;
			}

0x7ff69811b5d4
0x7ff69811b5d4
0x7ff69811b5d4
0x7ff69811b5de
0x7ff69811b5e2
0x7ff69811b5e8
0x7ff69811b5ea
0x7ff69811b5f4
0x7ff69811b5fa
0x7ff69811b5fd
0x7ff69811b604
0x7ff69811b606
0x7ff69811b60d
0x7ff69811b615
0x7ff69811b61c
0x7ff69811b61f
0x7ff69811b623
0x7ff69811b62a
0x7ff69811b62c
0x7ff69811b636
0x7ff69811b638
0x7ff69811b63b
0x7ff69811b63b
0x7ff69811b63f
0x7ff69811b645
0x7ff69811b64e
0x7ff69811b655
0x7ff69811b657
0x7ff69811b65a
0x7ff69811b65d
0x7ff69811b660
0x7ff69811b662
0x7ff69811b665
0x7ff69811b66b
0x7ff69811b66d
0x7ff69811b66f
0x7ff69811b672
0x7ff69811b678
0x7ff69811b67a
0x7ff69811b67f
0x7ff69811b681
0x7ff69811b685
0x7ff69811b687
0x7ff69811b68b
0x7ff69811b690
0x7ff69811b697
0x7ff69811b69b
0x7ff69811b6ac

APIs

_errno.LIBCMT ref: 00007FF69811B5EA
_errno.LIBCMT ref: 00007FF69811B62C

Strings

1, xrefs: 00007FF69811B67C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 9de920149e30724e33a27b75c9f7a44d4c9aef464fb0973900e33d5a7901a343
Instruction ID: 91315719fdfd8204ae59b06953204af30573e596b252fd002e2b729e9bdbb2dc
Opcode Fuzzy Hash: 9de920149e30724e33a27b75c9f7a44d4c9aef464fb0973900e33d5a7901a343
Instruction Fuzzy Hash: 3621D662A1D6D38AFB778F38A81437C6A90DF75744FD8C0B1C64E866C2DE2D9880C719

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF698100630(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				long long _t28;
				signed int _t32;
				signed int _t34;
				signed long long _t47;
				char* _t52;
				char* _t53;
				long long* _t58;
				signed long long _t68;

				_t47 =  *0x98140430; // 0x4918c2c043f
				_v40 = _t47 ^ _t68;
				_t58 =  &_v136;
				 *_t58 =  *((intOrPtr*)(__r8));
				_t34 =  *(__r9 + 0x18);
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_v120 = 0x25;
				if ((_t34 & 0x00000020) == 0) goto 0x98100686;
				_v119 = 0x2b;
				_t52 =  &_v118;
				if ((_t34 & 0x00000008) == 0) goto 0x98100691;
				 *_t52 = 0x23;
				_t53 = _t52 + 1;
				 *_t53 = 0x49;
				 *((char*)(_t53 + 1)) = 0x36;
				_t32 = _t34 & 0x00000e00;
				 *((char*)(_t53 + 2)) = 0x34;
				if (_t32 != 0x400) goto 0x981006b0;
				goto 0x981006c7;
				if (_t32 == 0x800) goto 0x981006bc;
				goto 0x981006c7;
				 *((char*)(_t53 + 3)) = 0x78;
				 *((char*)(_t53 + 4)) = 0;
				_t28 = E00007FF67FF698104828( &_v120, _a48);
				_t74 = __r9;
				_v152 = _t28;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF67FF698101B30(0x40, _t32 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF67FF698104050(_a40 & 0x000000ff, _v40 ^ _t68, __rdx,  &_v136, _t74);
			}

0x7ff69810063b
0x7ff698100645
0x7ff698100653
0x7ff698100658
0x7ff698100662
0x7ff698100666
0x7ff698100672
0x7ff69810067a
0x7ff69810067c
0x7ff698100681
0x7ff698100689
0x7ff69810068b
0x7ff69810068e
0x7ff698100691
0x7ff698100696
0x7ff69810069a
0x7ff6981006a0
0x7ff6981006aa
0x7ff6981006ae
0x7ff6981006b6
0x7ff6981006ba
0x7ff6981006cf
0x7ff6981006e1
0x7ff6981006e5
0x7ff6981006ef
0x7ff6981006fd
0x7ff69810070a
0x7ff69810070f
0x7ff698100716
0x7ff698100738

APIs

swprintf.LIBCMT ref: 00007FF6981006E5

Strings

+, xrefs: 00007FF69810067C
%, xrefs: 00007FF698100672

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 199c0298df90e3aed58233d8eadc2c7ef0cc3010c3b583627453f619fa6fd15e
Instruction ID: 5378d2c181003194a09607895b0d3aadf305904682e1b028967d5029970a2fc2
Opcode Fuzzy Hash: 199c0298df90e3aed58233d8eadc2c7ef0cc3010c3b583627453f619fa6fd15e
Instruction Fuzzy Hash: 3D31E35260C7C289E721CB25E8903ABBB91EB99B84F888075DB8C83795CF3DC509C745

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF698100740(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				long long _t28;
				signed int _t32;
				signed int _t34;
				signed long long _t47;
				char* _t52;
				char* _t53;
				long long* _t58;
				signed long long _t68;

				_t47 =  *0x98140430; // 0x4918c2c043f
				_v40 = _t47 ^ _t68;
				_t58 =  &_v136;
				 *_t58 =  *((intOrPtr*)(__r8));
				_t34 =  *(__r9 + 0x18);
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_v120 = 0x25;
				if ((_t34 & 0x00000020) == 0) goto 0x98100796;
				_v119 = 0x2b;
				_t52 =  &_v118;
				if ((_t34 & 0x00000008) == 0) goto 0x981007a1;
				 *_t52 = 0x23;
				_t53 = _t52 + 1;
				 *_t53 = 0x49;
				 *((char*)(_t53 + 1)) = 0x36;
				_t32 = _t34 & 0x00000e00;
				 *((char*)(_t53 + 2)) = 0x34;
				if (_t32 != 0x400) goto 0x981007c0;
				goto 0x981007d7;
				if (_t32 == 0x800) goto 0x981007cc;
				goto 0x981007d7;
				 *((char*)(_t53 + 3)) = 0x78;
				 *((char*)(_t53 + 4)) = 0;
				_t28 = E00007FF67FF698104828( &_v120, _a48);
				_t74 = __r9;
				_v152 = _t28;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF67FF698101B30(0x40, _t32 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF67FF698104050(_a40 & 0x000000ff, _v40 ^ _t68, __rdx,  &_v136, _t74);
			}

0x7ff69810074b
0x7ff698100755
0x7ff698100763
0x7ff698100768
0x7ff698100772
0x7ff698100776
0x7ff698100782
0x7ff69810078a
0x7ff69810078c
0x7ff698100791
0x7ff698100799
0x7ff69810079b
0x7ff69810079e
0x7ff6981007a1
0x7ff6981007a6
0x7ff6981007aa
0x7ff6981007b0
0x7ff6981007ba
0x7ff6981007be
0x7ff6981007c6
0x7ff6981007ca
0x7ff6981007df
0x7ff6981007f1
0x7ff6981007f5
0x7ff6981007ff
0x7ff69810080d
0x7ff69810081a
0x7ff69810081f
0x7ff698100826
0x7ff698100848

APIs

swprintf.LIBCMT ref: 00007FF6981007F5

Strings

%, xrefs: 00007FF698100782
+, xrefs: 00007FF69810078C

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 3bca78181c14e379637e49068abc0e93dd171a5e81286bc63a8eb4f6a4bf3c7a
Instruction ID: f4ced110987b7803780afe4ebdc371fcbee95095e69a7f10e2a9cb0481053b51
Opcode Fuzzy Hash: 3bca78181c14e379637e49068abc0e93dd171a5e81286bc63a8eb4f6a4bf3c7a
Instruction Fuzzy Hash: FE31E91220C7C289E7658B25E8943AFB791E799B84F988075DBCC83796DF7CC409CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100430 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF698100430(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				signed int _t26;
				long long _t33;
				signed int _t37;
				signed long long _t45;
				long long* _t53;
				char* _t61;
				char* _t62;
				signed long long _t66;

				_t45 =  *0x98140430; // 0x4918c2c043f
				_v40 = _t45 ^ _t66;
				_t53 =  &_v136;
				 *_t53 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t53 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t26 =  *(__r9 + 0x18);
				_v120 = 0x25;
				if ((_t26 & 0x00000020) == 0) goto 0x98100485;
				_v119 = 0x2b;
				_t61 =  &_v118;
				if ((_t26 & 0x00000008) == 0) goto 0x9810048f;
				 *_t61 = 0x23;
				_t62 = _t61 + 1;
				 *_t62 = 0x6c;
				_t37 = _t26 & 0x00000e00;
				if (_t37 != 0x400) goto 0x981004a6;
				goto 0x981004bb;
				if (_t37 == 0x800) goto 0x981004b2;
				goto 0x981004bb;
				r9d = _a48;
				 *((char*)(_t62 + 1)) = 0x78;
				 *((char*)(_t62 + 2)) = 0;
				_t33 = E00007FF67FF698104828( &_v120, __r9);
				_t71 = __r9;
				_v152 = _t33;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF67FF698101B30(0x40, _t37 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF67FF698104050(_a40 & 0x000000ff, _v40 ^ _t66, __rdx,  &_v136, _t71);
			}

0x7ff69810043b
0x7ff698100445
0x7ff698100453
0x7ff698100458
0x7ff698100462
0x7ff698100466
0x7ff69810046d
0x7ff698100479
0x7ff69810047b
0x7ff698100480
0x7ff698100487
0x7ff698100489
0x7ff69810048c
0x7ff698100491
0x7ff698100494
0x7ff6981004a0
0x7ff6981004a4
0x7ff6981004ac
0x7ff6981004b0
0x7ff6981004bb
0x7ff6981004c3
0x7ff6981004c6
0x7ff6981004d9
0x7ff6981004e3
0x7ff6981004f1
0x7ff6981004fe
0x7ff698100503
0x7ff69810050a
0x7ff69810052c

APIs

swprintf.LIBCMT ref: 00007FF6981004D9

Strings

%, xrefs: 00007FF69810046D
+, xrefs: 00007FF69810047B

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: d3730cdb89768898581950ed3844910f35159086da06fdda1a3db010544c9348
Instruction ID: c41ea7fb7446305c23e76eaedda1c097833f74c43ac720fc83c82ead8cd21779
Opcode Fuzzy Hash: d3730cdb89768898581950ed3844910f35159086da06fdda1a3db010544c9348
Instruction Fuzzy Hash: 4121DD62208BC285EB31CF24E8503AAB760EB99784F844075DA8C87B99DF6CC055CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF698100530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF67FF698100530(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				signed int _t26;
				long long _t33;
				signed int _t37;
				signed long long _t45;
				long long* _t53;
				char* _t61;
				char* _t62;
				signed long long _t66;

				_t45 =  *0x98140430; // 0x4918c2c043f
				_v40 = _t45 ^ _t66;
				_t53 =  &_v136;
				 *_t53 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t53 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t26 =  *(__r9 + 0x18);
				_v120 = 0x25;
				if ((_t26 & 0x00000020) == 0) goto 0x98100585;
				_v119 = 0x2b;
				_t61 =  &_v118;
				if ((_t26 & 0x00000008) == 0) goto 0x9810058f;
				 *_t61 = 0x23;
				_t62 = _t61 + 1;
				 *_t62 = 0x6c;
				_t37 = _t26 & 0x00000e00;
				if (_t37 != 0x400) goto 0x981005a6;
				goto 0x981005bb;
				if (_t37 == 0x800) goto 0x981005b2;
				goto 0x981005bb;
				r9d = _a48;
				 *((char*)(_t62 + 1)) = 0x78;
				 *((char*)(_t62 + 2)) = 0;
				_t33 = E00007FF67FF698104828( &_v120, __r9);
				_t71 = __r9;
				_v152 = _t33;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF67FF698101B30(0x40, _t37 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF67FF698104050(_a40 & 0x000000ff, _v40 ^ _t66, __rdx,  &_v136, _t71);
			}

0x7ff69810053b
0x7ff698100545
0x7ff698100553
0x7ff698100558
0x7ff698100562
0x7ff698100566
0x7ff69810056d
0x7ff698100579
0x7ff69810057b
0x7ff698100580
0x7ff698100587
0x7ff698100589
0x7ff69810058c
0x7ff698100591
0x7ff698100594
0x7ff6981005a0
0x7ff6981005a4
0x7ff6981005ac
0x7ff6981005b0
0x7ff6981005bb
0x7ff6981005c3
0x7ff6981005c6
0x7ff6981005d9
0x7ff6981005e3
0x7ff6981005f1
0x7ff6981005fe
0x7ff698100603
0x7ff69810060a
0x7ff69810062c

APIs

swprintf.LIBCMT ref: 00007FF6981005D9

Strings

+, xrefs: 00007FF69810057B
%, xrefs: 00007FF69810056D

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 1df7e744390f40849ec1a5d9bdad50f2f4d21f9ca7a496e96129a9086ee3ae5b
Instruction ID: 025ed9c14c495eaf3e614fb08778fa3b8de81e29c9e4184a7f6efdf3022eb5e6
Opcode Fuzzy Hash: 1df7e744390f40849ec1a5d9bdad50f2f4d21f9ca7a496e96129a9086ee3ae5b
Instruction Fuzzy Hash: CD21EF6220CBC285EB318F24E8503AAB760EB99784F844075DACD83B99DF6CD055CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF69812C547 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00007FF67FF69812C547(void* __ecx, void* __rax, void* __rdx) {
				void* __rbx;
				void* _t14;
				void* _t17;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t36;

				_t27 = __rax;
				_t18 = __ecx;
				_t36 = __rdx;
				E00007FF67FF69810771C(__rax, _t28,  *((intOrPtr*)(__rdx + 0x50)));
				if ( *((intOrPtr*)(__rdx + 0x20)) != 0) goto 0x9812c5a7;
				_t29 =  *((intOrPtr*)(__rdx + 0xd8));
				if ( *_t29 != 0xe06d7363) goto 0x9812c5a7;
				if ( *((intOrPtr*)(_t29 + 0x18)) != 4) goto 0x9812c5a7;
				if ( *((intOrPtr*)(_t29 + 0x20)) == 0x19930520) goto 0x9812c590;
				if ( *((intOrPtr*)(_t29 + 0x20)) == 0x19930521) goto 0x9812c590;
				if ( *((intOrPtr*)(_t29 + 0x20)) != 0x19930522) goto 0x9812c5a7;
				_t14 = E00007FF67FF6981076E8(__rax,  *((intOrPtr*)(_t29 + 0x28)));
				_t26 = _t14;
				if (_t14 == 0) goto 0x9812c5a7;
				E00007FF67FF6981093E4(1, _t29);
				E00007FF67FF69810B93C(__ecx, _t14, _t27);
				 *((long long*)(_t27 + 0xf0)) =  *((intOrPtr*)(_t36 + 0xe0));
				_t17 = E00007FF67FF69810B93C(_t18, _t26, _t27);
				 *((long long*)(_t27 + 0xf8)) =  *((intOrPtr*)(_t36 + 0xe8));
				return _t17;
			}

0x7ff69812c547
0x7ff69812c547
0x7ff69812c54e
0x7ff69812c555
0x7ff69812c55e
0x7ff69812c560
0x7ff69812c56d
0x7ff69812c573
0x7ff69812c57c
0x7ff69812c585
0x7ff69812c58e
0x7ff69812c594
0x7ff69812c599
0x7ff69812c59b
0x7ff69812c5a2
0x7ff69812c5a7
0x7ff69812c5b3
0x7ff69812c5ba
0x7ff69812c5c6
0x7ff69812c5d3

APIs

Part of subcall function 00007FF69810771C: _getptd.LIBCMT ref: 00007FF698107729
Part of subcall function 00007FF69810771C: _getptd.LIBCMT ref: 00007FF69810773C

_getptd.LIBCMT ref: 00007FF69812C5A7
_getptd.LIBCMT ref: 00007FF69812C5BA

Strings

csm, xrefs: 00007FF69812C567

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 97aebfb5d78ca228d74b9f39178d7e69d976561db45659c44281a7df79628fe9
Instruction ID: 29a46604035e6a27e78a8b228fbec9b99aec47018723bbcadbaf4dee30c8bc72
Opcode Fuzzy Hash: 97aebfb5d78ca228d74b9f39178d7e69d976561db45659c44281a7df79628fe9
Instruction Fuzzy Hash: 87019262A0474389DB309F3AC8502BC2364EFA9B49FC441B5CA0E8A685CF3CD4D2C308

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF6981131E8 Relevance: 5.1, APIs: 4, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00007FF67FF6981131E8(void* __ecx, void* __ebp, signed int* __rbx, long long __rcx, signed int __rsi) {
				void* __rdi;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				char _t44;
				char _t45;
				char _t46;
				void* _t52;
				signed int _t58;
				void* _t65;
				void* _t73;
				signed int* _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int* _t80;
				char* _t100;
				char* _t101;
				void* _t102;
				long long _t105;
				signed int _t107;
				signed int* _t109;
				signed int* _t111;
				void* _t112;
				char* _t115;
				void* _t118;
				void* _t120;
				signed int* _t123;
				void* _t125;
				signed int* _t127;
				void* _t129;
				signed int* _t130;

				_t80 = __rbx;
				_t52 = __ecx;
				_t75 = _t111;
				_t75[2] = __rbx;
				_t75[4] = _t107;
				_t75[6] = __rsi;
				_t112 = _t111 - 0x40;
				_t105 = __rcx;
				 *((long long*)(_t75 - 0x38)) = __rcx;
				 *((long long*)(_t75 - 0x30)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0x9811322d;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0x9811322d;
				goto 0x98113385;
				_t8 = _t102 - 0x57; // 0x1
				r12d = _t8;
				E00007FF67FF69810A5E0(__rbx, _t118, _t102, _t102, __rcx, 0x981401a0, _t129, _t125);
				_t109 = _t75;
				if (_t75 != _t80) goto 0x98113251;
				goto 0x981133d6;
				E00007FF67FF69810AE90(_t52, _t75 - _t80, _t75,  *(_t105 + 0x128), _t102);
				E00007FF67FF69810A574(__ebp, _t75, _t80, _t102, _t105, _t109);
				_t127 = _t75;
				if (_t75 != _t80) goto 0x98113282;
				free(_t120);
				goto 0x98113249;
				 *_t75 = 0;
				if ( *((intOrPtr*)(_t105 + 0x1c)) == 0) goto 0x98113355;
				E00007FF67FF69810A574(__ebp, _t75, _t80, _t102, _t105, _t109);
				_t65 = _t75 - _t80;
				if (_t65 == 0) goto 0x98113310;
				 *_t75 = 0;
				_t58 =  *(_t105 + 0x3e) & 0x0000ffff;
				r9d = 0xe;
				r8d = _t58;
				 *(_t112 + 0x20) = _t109;
				_t39 = E00007FF67FF69810FB68(0, r12d, _t80, _t112 + 0x30, _t102);
				_t14 =  &(_t109[2]); // 0x8
				 *(_t112 + 0x20) = _t14;
				r9d = 0xf;
				r8d = _t58;
				_t40 = E00007FF67FF69810FB68(_t39, r12d, _t80, _t112 + 0x30, _t102);
				_t17 =  &(_t109[4]); // 0x10
				_t130 = _t17;
				r9d = 0x10;
				r8d = _t58;
				 *(_t112 + 0x20) = _t130;
				_t41 = E00007FF67FF69810FB68(_t39 | _t40, r12d, _t80, _t112 + 0x30, _t102);
				if (_t65 == 0) goto 0x98113320;
				E00007FF67FF6981131A0(_t41 | _t39 | _t40, _t109);
				r12d = r12d | 0xffffffff;
				free(_t118);
				goto 0x9811327b;
				_t100 =  *_t130;
				goto 0x98113338;
				_t44 =  *_t100;
				if (_t44 - 0x30 < 0) goto 0x9811333e;
				if (_t44 - 0x39 > 0) goto 0x9811333e;
				_t45 = _t44 - 0x30;
				 *_t100 = _t45;
				_t101 = _t100 + _t118;
				if ( *_t101 != 0) goto 0x98113327;
				goto 0x98113379;
				if (_t45 != 0x3b) goto 0x98113335;
				_t115 = _t101;
				_t46 =  *((intOrPtr*)(_t115 + 1));
				 *_t115 = _t46;
				if (_t46 != 0) goto 0x98113345;
				goto 0x98113338;
				_t76 =  *0x981401a0; // 0x7ff698140190
				_t123 = _t80;
				 *_t109 = _t76;
				_t77 =  *0x981401a8; // 0x7ff698143064
				_t109[2] = _t77;
				_t78 =  *0x981401b0; // 0x7ff698143064
				_t109[4] = _t78;
				 *_t127 = r12d;
				if (_t123 == _t80) goto 0x98113385;
				 *_t123 = r12d;
				if ( *(_t105 + 0x118) == _t80) goto 0x98113395;
				asm("lock add dword [eax], 0xffffffff");
				_t73 =  *(_t105 + 0x110) - _t80;
				if (_t73 == 0) goto 0x981133bf;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t73 != 0) goto 0x981133bf;
				free(_t102);
				free(??);
				 *(_t105 + 0x118) = _t123;
				 *(_t105 + 0x110) = _t127;
				 *(_t105 + 0x128) = _t109;
				return 0;
			}

0x7ff6981131e8
0x7ff6981131e8
0x7ff6981131e8
0x7ff6981131eb
0x7ff6981131ef
0x7ff6981131f3
0x7ff698113200
0x7ff698113206
0x7ff698113209
0x7ff69811320d
0x7ff698113214
0x7ff698113219
0x7ff698113228
0x7ff698113235
0x7ff698113235
0x7ff69811323c
0x7ff698113241
0x7ff698113247
0x7ff69811324c
0x7ff69811325e
0x7ff69811326b
0x7ff698113270
0x7ff698113276
0x7ff69811327b
0x7ff698113280
0x7ff698113282
0x7ff698113287
0x7ff698113290
0x7ff698113298
0x7ff69811329b
0x7ff69811329d
0x7ff69811329f
0x7ff6981132a8
0x7ff6981132b1
0x7ff6981132b4
0x7ff6981132b9
0x7ff6981132be
0x7ff6981132c2
0x7ff6981132cc
0x7ff6981132d2
0x7ff6981132da
0x7ff6981132df
0x7ff6981132df
0x7ff6981132e8
0x7ff6981132ee
0x7ff6981132f6
0x7ff6981132fb
0x7ff698113302
0x7ff698113307
0x7ff69811330c
0x7ff698113313
0x7ff69811331b
0x7ff698113320
0x7ff698113325
0x7ff698113327
0x7ff69811332b
0x7ff69811332f
0x7ff698113331
0x7ff698113333
0x7ff698113335
0x7ff69811333a
0x7ff69811333c
0x7ff698113340
0x7ff698113342
0x7ff698113345
0x7ff698113349
0x7ff698113351
0x7ff698113353
0x7ff698113355
0x7ff69811335c
0x7ff69811335f
0x7ff698113363
0x7ff69811336a
0x7ff69811336e
0x7ff698113375
0x7ff698113379
0x7ff69811337f
0x7ff698113381
0x7ff69811338f
0x7ff698113391
0x7ff69811339c
0x7ff69811339f
0x7ff6981133a1
0x7ff6981133a5
0x7ff6981133ae
0x7ff6981133ba
0x7ff6981133bf
0x7ff6981133c6
0x7ff6981133cd
0x7ff6981133f3

APIs

free.LIBCMT ref: 00007FF69811327B
free.LIBCMT ref: 00007FF698113313
free.LIBCMT ref: 00007FF6981133AE
free.LIBCMT ref: 00007FF6981133BA

Memory Dump Source

Source File: 00000017.00000002.391524227.00007FF6980F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FF6980F0000, based on PE: true

Associated: 00000017.00000002.391510045.00007FF6980F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392275576.00007FF698130000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392459180.00007FF698140000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392531809.00007FF69814A000.00000002.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000017.00000002.392646846.00007FF69814F000.00000002.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_7ff6980f0000_EsgInstallerDelay__0.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8821a1df296688c370d858aa2f429f45ff0a23e2406f815d5f3f7c622645e2ca
Instruction ID: 959b80336e744de4fc0a17f7e49784dfc34b25a5951bc6e817221b721914018d
Opcode Fuzzy Hash: 8821a1df296688c370d858aa2f429f45ff0a23e2406f815d5f3f7c622645e2ca
Instruction Fuzzy Hash: 6E51B332A1968386EBB09F32A4401BD77A1FB54B84F844579DB9EC7785CE3CE592C708

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: EsgInstallerDelay__1.exePID: 2348, Parent PID: 5244COMMON

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF7A56D10F0 Relevance: 26.8, APIs: 12, Strings: 3, Instructions: 501
stringCOMMONLIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FF77FF7A56D10F0(void* __ecx, long long __rbx, void* __rdx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v56;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v104;
				long long _v112;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				char _v168;
				char _v176;
				long long _v184;
				long long _v192;
				long long _v200;
				long long _v208;
				char _v232;
				char _v248;
				char _v264;
				long long _v272;
				long long _v280;
				long long _v288;
				char _v312;
				char _v328;
				char _v344;
				long long _v352;
				long long _v360;
				long long _v368;
				char _v376;
				long long _v384;
				long long _v392;
				long long _v400;
				char _v408;
				char _v412;
				char _v416;
				char _v420;
				char _v424;
				char _v428;
				char _v432;
				signed long long _v440;
				long long _v448;
				signed long long _v456;
				long long _v464;
				long long _v472;
				long long _v480;
				void* _v504;
				long long _v512;
				signed int _v520;
				signed int _v528;
				signed int _v536;
				long long _v544;
				signed int _v552;
				void* __rdi;
				void* __r12;
				void* __r13;
				void* __r14;
				void* __r15;
				int _t262;
				void* _t289;
				signed int _t331;
				signed long long _t333;
				signed int _t335;
				void* _t347;
				void* _t349;
				signed long long _t402;
				signed long long _t405;
				long long _t420;
				long long _t435;
				void* _t471;
				void* _t487;
				void* _t495;
				void* _t502;
				char* _t521;
				char* _t527;
				char* _t528;
				signed long long _t530;
				long long _t534;
				long long _t537;
				void* _t545;
				void* _t553;
				void* _t554;
				void* _t555;
				void* _t557;
				long long _t558;

				_t542 = __rbp;
				_t437 = __rbx;
				_t340 = __ecx;
				_t555 = _t545;
				_v184 = 0xfffffffe;
				 *((long long*)(_t555 + 8)) = __rbx;
				 *((long long*)(_t555 + 0x18)) = __rbp;
				 *((long long*)(_t555 + 0x20)) = __rsi;
				_t402 =  *0xa5720430; // 0x4918c7c3922
				_v56 = _t402 ^ _t545 - 0x00000220;
				_t539 = __rdx;
				_t350 = __ecx;
				r13d = 0;
				r12d = r13d;
				 *((long long*)(_t555 - 0x40)) = 7;
				 *((long long*)(_t555 - 0x48)) = _t558;
				 *((intOrPtr*)(_t555 - 0x58)) = r13w;
				 *((long long*)(_t555 - 0x90)) = 7;
				 *((long long*)(_t555 - 0x98)) = _t558;
				 *((intOrPtr*)(_t555 - 0xa8)) = r13w;
				if (__ecx <= 0) goto 0xa56d134d;
				_t262 = lstrcmpiW(??, ??); // executed
				if (_t262 != 0) goto 0xa56d11bd;
				_t331 = r13d + 1;
				if (_t331 - __ecx >= 0) goto 0xa56d1248;
				_t530 =  *((intOrPtr*)(__rdx + _t331 * 8));
				asm("repne scasw");
				E00007FF77FF7A56D2070(__rbx,  &_v96,  *((intOrPtr*)(__rdx + _t331 * 8)), _t530, __rbp,  !( *(__rdx + r13d * 8) | 0xffffffff) - 1, _t557);
				goto 0xa56d123b;
				if (lstrcmpiW(??, ??) != 0) goto 0xa56d1207;
				_t333 = _t331 + 2;
				if (_t333 - __ecx >= 0) goto 0xa56d129f;
				_t405 = _t333;
				asm("repne scasw");
				_t549 =  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1;
				E00007FF77FF7A56D2070(_t437,  &_v176,  *((intOrPtr*)(__rdx + _t405 * 8)),  *((intOrPtr*)(__rdx + _t405 * 8)), _t542,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t557);
				goto 0xa56d123b;
				if (lstrcmpiW(??, ??) != 0) goto 0xa56d1239;
				_t335 = _t333 + 2;
				if (_t335 - __ecx >= 0) goto 0xa56d12f6;
				r12d = E00007FF77FF7A56E4578(_t437,  *((intOrPtr*)(__rdx + _t335 * 8)), L"-wait");
				goto 0xa56d123b;
				if (_t335 + 2 - __ecx >= 0) goto 0xa56d134d;
				goto 0xa56d1170;
				if (_v144 - 8 < 0) goto 0xa56d1260;
				E00007FF77FF7A56E44D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d1295;
				E00007FF77FF7A56E44D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0xa56d1b53;
				if (_v144 - 8 < 0) goto 0xa56d12b7;
				E00007FF77FF7A56E44D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d12ec;
				E00007FF77FF7A56E44D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0xa56d1b53;
				if (_v144 - 8 < 0) goto 0xa56d130e;
				E00007FF77FF7A56E44D8(_t405, _t437, _v168, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d1343;
				E00007FF77FF7A56E44D8(_t405, _t437, _v88, L"-wait", __rdx,  !( *(__rdx + _t530 * 8) | 0xffffffff) - 1, _t553);
				goto 0xa56d1b53;
				E00007FF77FF7A570AF90(_t340, _v64 - 8, _t405, _t437,  &_v136, _t542, _t553, _t557);
				E00007FF77FF7A56E45E0(_t405,  &_v136);
				if (_t405 == 0) goto 0xa56d1374;
				 *_t405 =  &_v504;
				goto 0xa56d1377;
				_t406 = _t558;
				_v504 = _t558;
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				if (_v72 == 0) goto 0xa56d1a7c;
				_t517 =  >=  ? _v88 :  &_v88;
				r8d = _v72;
				E00007FF77FF7A56D9DE0(_t558,  &_v232,  >=  ? _v88 :  &_v88, _t549, _t553);
				E00007FF77FF7A56D9BD0(_t437,  &_v504, _t558);
				if (_v208 == 0) goto 0xa56d13ea;
				E00007FF77FF7A56E44D8(_t558, _t437, _v208, _t558, _t539, _t549, _t553);
				_v208 = _t558;
				_v200 = _t558;
				_v192 = _t558;
				E00007FF77FF7A56E44D8(_t558, _t437, _v232, _t406, _t539, _t549, _t553);
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v528 = _v528 ^ 0x82cdfde3;
				_v440 = _v528 ^ 0x852c1a21;
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v456 = _v528 ^ 0x82cdfde3;
				_v528 = 0xf4e105e2;
				_v528 = _v528 ^ 0x238cb6e1;
				_v520 = 0xf4e105e2;
				_v408 = _v520;
				_v400 = _v528;
				_v392 = _v456;
				_v384 = _v440;
				r8d = 0;
				if (E00007FF77FF7A570BF20(_t335 + 2, 8, _t347, _t349, _t350, _v208, _t437,  &_v504,  &_v408, 0xf4e105e2, 0x238cb6e1, _t549, _t553, _t554, _t557, _t558, 0x82cdfde3, 0x852c1a21) == 0) goto 0xa56d1a7c;
				_t420 = _v472;
				_t438 = _t420;
				if (_v480 - _t420 <= 0) goto 0xa56d1517;
				E00007FF77FF7A56E44B8();
				_t421 = _v472;
				_t534 = _v480;
				_v520 = _v504;
				_v512 = _t420;
				if (_t534 - _v472 <= 0) goto 0xa56d1535;
				E00007FF77FF7A56E44B8();
				_v456 = _v504;
				_v448 = _t534;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x150], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0x140], xmm1");
				r9d = _v536 & 0x000000ff;
				_t550 =  &_v248;
				_t521 =  &_v264;
				E00007FF77FF7A56D28C0( &_v96, _t521,  &_v248);
				_t289 = E00007FF77FF7A570B620(_t335 + 2, _v472,  &_v96, 0xf4e105e2, 0x238cb6e1, _t554); // executed
				if (_t289 != 0) goto 0xa56d1678;
				_t471 =  >=  ? _v128 :  &_v128;
				_t111 = _t521 + 4; // 0x4
				r8d = _t111;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0xa56d15d2;
				E00007FF77FF7A56E44D8(_v472, _t420, _v480, _t521, 0xf4e105e2,  &_v248, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF77FF7A56E44D8(_v472, _t420, _v504, _t521, 0xf4e105e2,  &_v248, _t553);
				if (_v104 - 8 < 0) goto 0xa56d1604;
				E00007FF77FF7A56E44D8(_v472, _t420, _v128, _t521, 0xf4e105e2,  &_v248, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0xa56d1639;
				E00007FF77FF7A56E44D8(_v472, _t420, _v168, _t521, 0xf4e105e2,  &_v248, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d166e;
				E00007FF77FF7A56E44D8(_t421, _t420, _v88, _t521, 0xf4e105e2,  &_v248, _t553);
				goto 0xa56d1b53;
				if (_v152 == 0) goto 0xa56d192d;
				_t523 =  >=  ? _v168 :  &_v168;
				r8d = _v152;
				E00007FF77FF7A56D9DE0(_t421,  &_v312,  >=  ? _v168 :  &_v168,  &_v248, _t553);
				E00007FF77FF7A56D9BD0(_t420,  &_v504, _t421);
				if (_v288 == 0) goto 0xa56d16d7;
				E00007FF77FF7A56E44D8(_t421, _t420, _v288, _t421, 0xf4e105e2,  &_v248, _t553);
				_v288 = _t558;
				_v280 = _t558;
				_v272 = _t558;
				E00007FF77FF7A56E44D8(_t421, _t420, _v312, _t421, 0xf4e105e2,  &_v248, _t553);
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v520 = _v520 ^ 0x82cdfde3;
				_v456 = _v520 ^ 0x852c1a21;
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v440 = _v520 ^ 0x82cdfde3;
				_v520 = 0xf4e105e2;
				_v520 = _v520 ^ 0x238cb6e1;
				_v528 = 0xf4e105e2;
				_v376 = _v528;
				_v368 = _v520;
				_v360 = _v440;
				_v352 = _v456;
				r8d = 0;
				if (E00007FF77FF7A570BF20(_t335 + 2, 8, _t347, _t349, _t350, _v288, _t438,  &_v504,  &_v376, 0xf4e105e2, 0x238cb6e1, _t550, _t553, _t554, _t557, _t558, 0x82cdfde3, 0x852c1a21) == 0) goto 0xa56d1851;
				_t435 = _v472;
				_t439 = _t435;
				if (_v480 - _t435 <= 0) goto 0xa56d17dc;
				E00007FF77FF7A56E44B8();
				_t436 = _v472;
				_t537 = _v480;
				_v520 = _v504;
				_v512 = _t435;
				if (_t537 - _v472 <= 0) goto 0xa56d17fa;
				E00007FF77FF7A56E44B8();
				_v456 = _v504;
				_v448 = _t537;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x100], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0xf0], xmm1");
				r9d = _v536 & 0x000000ff;
				_t527 =  &_v344;
				E00007FF77FF7A56D28C0( &_v176, _t527,  &_v328);
				goto 0xa56d192d;
				_t487 =  >=  ? _v128 :  &_v128;
				_t184 = _t527 + 4; // 0x4
				r8d = _t184;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0xa56d1887;
				E00007FF77FF7A56E44D8(_v472, _t435, _v480, _t527, 0xf4e105e2,  &_v328, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF77FF7A56E44D8(_v472, _t435, _v504, _t527, 0xf4e105e2,  &_v328, _t553);
				if (_v104 - 8 < 0) goto 0xa56d18b9;
				E00007FF77FF7A56E44D8(_v472, _t435, _v128, _t527, 0xf4e105e2,  &_v328, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0xa56d18ee;
				E00007FF77FF7A56E44D8(_v472, _t435, _v168, _t527, 0xf4e105e2,  &_v328, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d1923;
				E00007FF77FF7A56E44D8(_v472, _t435, _v88, _t527, 0xf4e105e2,  &_v328, _t553);
				goto 0xa56d1b53;
				if (r12d == 0) goto 0xa56d1942;
				r12d = r12d * 0x3e8;
				SleepEx(??, ??); // executed
				_v432 = 0;
				_v428 = 0;
				_v424 = 0;
				_v420 = 0;
				_v416 = 0;
				_v412 = 0;
				_v544 = _t558;
				_v552 = r13d;
				r9d = 0;
				_t552 =  &_v176;
				_t528 =  &_v96;
				E00007FF77FF7A570B6B0(_t335 + 2, r12d, _v472,  &_v432, _t528,  &_v176, _t553, _t555); // executed
				_t495 =  >=  ? _v128 :  &_v128;
				_t216 = _t528 + 4; // 0x4, executed
				r8d = _t216;
				MoveFileExW(??, ??, ??); // executed
				if (_v480 == 0) goto 0xa56d19d9;
				E00007FF77FF7A56E44D8(_v472, _t435, _v480, _t528, 0xf4e105e2,  &_v176, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF77FF7A56E44D8(_v472, _t435, _v504, _t528, 0xf4e105e2,  &_v176, _t553);
				if (_v104 - 8 < 0) goto 0xa56d1a0b;
				E00007FF77FF7A56E44D8(_t436, _t435, _v128, _t528, 0xf4e105e2,  &_v176, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0xa56d1a40;
				E00007FF77FF7A56E44D8(_t436, _t439, _v168, _t528, 0xf4e105e2,  &_v176, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d1a75;
				E00007FF77FF7A56E44D8(_t436, _t439, _v88, _t528, 0xf4e105e2,  &_v176, _t553);
				goto 0xa56d1b53;
				_t502 =  >=  ? _v128 :  &_v128;
				_t239 = _t528 + 4; // 0x4
				r8d = _t239;
				MoveFileExW(??, ??, ??);
				if (_v480 == 0) goto 0xa56d1ab2;
				E00007FF77FF7A56E44D8(_t436, _t439, _v480, _t528, 0xf4e105e2,  &_v176, _t553);
				_v480 = _t558;
				_v472 = _t558;
				_v464 = _t558;
				E00007FF77FF7A56E44D8(_t436, _t439, _v504, _t528, 0xf4e105e2,  &_v176, _t553);
				if (_v104 - 8 < 0) goto 0xa56d1ae4;
				E00007FF77FF7A56E44D8(_t436, _t439, _v128, _t528, 0xf4e105e2,  &_v176, _t553);
				_v104 = 7;
				_v112 = _t558;
				_v128 = r13w;
				if (_v144 - 8 < 0) goto 0xa56d1b19;
				E00007FF77FF7A56E44D8(_t436, _t439, _v168, _t528, 0xf4e105e2, _t552, _t553);
				_v144 = 7;
				_v152 = _t558;
				_v168 = r13w;
				if (_v64 - 8 < 0) goto 0xa56d1b4e;
				E00007FF77FF7A56E44D8(_t436, _t439, _v88, _t528, 0xf4e105e2, _t552, _t553);
				return E00007FF77FF7A56E4050(r12d, _v56 ^ _t545 - 0x00000220, _t528, _t552, _t553);
			}

0x7ff7a56d10f0
0x7ff7a56d10f0
0x7ff7a56d10f0
0x7ff7a56d10f0
0x7ff7a56d1103
0x7ff7a56d110f
0x7ff7a56d1113
0x7ff7a56d1117
0x7ff7a56d111b
0x7ff7a56d1125
0x7ff7a56d112d
0x7ff7a56d1130
0x7ff7a56d1132
0x7ff7a56d1135
0x7ff7a56d1138
0x7ff7a56d1140
0x7ff7a56d1144
0x7ff7a56d1149
0x7ff7a56d1154
0x7ff7a56d115b
0x7ff7a56d1168
0x7ff7a56d117e
0x7ff7a56d1186
0x7ff7a56d1188
0x7ff7a56d118c
0x7ff7a56d119f
0x7ff7a56d11a2
0x7ff7a56d11b4
0x7ff7a56d11bb
0x7ff7a56d11d0
0x7ff7a56d11d2
0x7ff7a56d11d6
0x7ff7a56d11dc
0x7ff7a56d11ec
0x7ff7a56d11f2
0x7ff7a56d11fe
0x7ff7a56d1205
0x7ff7a56d121a
0x7ff7a56d121c
0x7ff7a56d1220
0x7ff7a56d1232
0x7ff7a56d1237
0x7ff7a56d123d
0x7ff7a56d1243
0x7ff7a56d1251
0x7ff7a56d125b
0x7ff7a56d1260
0x7ff7a56d126c
0x7ff7a56d1274
0x7ff7a56d1286
0x7ff7a56d1290
0x7ff7a56d129a
0x7ff7a56d12a8
0x7ff7a56d12b2
0x7ff7a56d12b7
0x7ff7a56d12c3
0x7ff7a56d12cb
0x7ff7a56d12dd
0x7ff7a56d12e7
0x7ff7a56d12f1
0x7ff7a56d12ff
0x7ff7a56d1309
0x7ff7a56d130e
0x7ff7a56d131a
0x7ff7a56d1322
0x7ff7a56d1334
0x7ff7a56d133e
0x7ff7a56d1348
0x7ff7a56d1355
0x7ff7a56d1360
0x7ff7a56d1368
0x7ff7a56d136f
0x7ff7a56d1372
0x7ff7a56d1374
0x7ff7a56d1377
0x7ff7a56d137c
0x7ff7a56d1381
0x7ff7a56d1386
0x7ff7a56d1394
0x7ff7a56d13ab
0x7ff7a56d13b4
0x7ff7a56d13c4
0x7ff7a56d13d2
0x7ff7a56d13e3
0x7ff7a56d13e5
0x7ff7a56d13ea
0x7ff7a56d13f2
0x7ff7a56d13fa
0x7ff7a56d140a
0x7ff7a56d1419
0x7ff7a56d1430
0x7ff7a56d1447
0x7ff7a56d145e
0x7ff7a56d1466
0x7ff7a56d1473
0x7ff7a56d1480
0x7ff7a56d1488
0x7ff7a56d1495
0x7ff7a56d149a
0x7ff7a56d14b9
0x7ff7a56d14c1
0x7ff7a56d14c9
0x7ff7a56d14d1
0x7ff7a56d14d9
0x7ff7a56d14f0
0x7ff7a56d14f6
0x7ff7a56d14fb
0x7ff7a56d1506
0x7ff7a56d1508
0x7ff7a56d150d
0x7ff7a56d1512
0x7ff7a56d151c
0x7ff7a56d1521
0x7ff7a56d1529
0x7ff7a56d152b
0x7ff7a56d1535
0x7ff7a56d153d
0x7ff7a56d1545
0x7ff7a56d154a
0x7ff7a56d1553
0x7ff7a56d155b
0x7ff7a56d1564
0x7ff7a56d156a
0x7ff7a56d1572
0x7ff7a56d1582
0x7ff7a56d158f
0x7ff7a56d1596
0x7ff7a56d15ad
0x7ff7a56d15b8
0x7ff7a56d15b8
0x7ff7a56d15bc
0x7ff7a56d15cb
0x7ff7a56d15cd
0x7ff7a56d15d2
0x7ff7a56d15d7
0x7ff7a56d15dc
0x7ff7a56d15e6
0x7ff7a56d15f5
0x7ff7a56d15ff
0x7ff7a56d1604
0x7ff7a56d1610
0x7ff7a56d1618
0x7ff7a56d162a
0x7ff7a56d1634
0x7ff7a56d1639
0x7ff7a56d1645
0x7ff7a56d164d
0x7ff7a56d165f
0x7ff7a56d1669
0x7ff7a56d1673
0x7ff7a56d1681
0x7ff7a56d1698
0x7ff7a56d16a1
0x7ff7a56d16b1
0x7ff7a56d16bf
0x7ff7a56d16d0
0x7ff7a56d16d2
0x7ff7a56d16d7
0x7ff7a56d16df
0x7ff7a56d16e7
0x7ff7a56d16f7
0x7ff7a56d16fc
0x7ff7a56d1709
0x7ff7a56d1716
0x7ff7a56d1723
0x7ff7a56d172b
0x7ff7a56d1738
0x7ff7a56d1745
0x7ff7a56d174d
0x7ff7a56d175a
0x7ff7a56d175f
0x7ff7a56d177e
0x7ff7a56d1786
0x7ff7a56d178e
0x7ff7a56d1796
0x7ff7a56d179e
0x7ff7a56d17b5
0x7ff7a56d17bb
0x7ff7a56d17c0
0x7ff7a56d17cb
0x7ff7a56d17cd
0x7ff7a56d17d2
0x7ff7a56d17d7
0x7ff7a56d17e1
0x7ff7a56d17e6
0x7ff7a56d17ee
0x7ff7a56d17f0
0x7ff7a56d17fa
0x7ff7a56d1802
0x7ff7a56d180a
0x7ff7a56d180f
0x7ff7a56d1818
0x7ff7a56d1820
0x7ff7a56d1829
0x7ff7a56d1837
0x7ff7a56d1847
0x7ff7a56d184c
0x7ff7a56d1862
0x7ff7a56d186d
0x7ff7a56d186d
0x7ff7a56d1871
0x7ff7a56d1880
0x7ff7a56d1882
0x7ff7a56d1887
0x7ff7a56d188c
0x7ff7a56d1891
0x7ff7a56d189b
0x7ff7a56d18aa
0x7ff7a56d18b4
0x7ff7a56d18b9
0x7ff7a56d18c5
0x7ff7a56d18cd
0x7ff7a56d18df
0x7ff7a56d18e9
0x7ff7a56d18ee
0x7ff7a56d18fa
0x7ff7a56d1902
0x7ff7a56d1914
0x7ff7a56d191e
0x7ff7a56d1928
0x7ff7a56d1930
0x7ff7a56d1932
0x7ff7a56d193c
0x7ff7a56d1944
0x7ff7a56d194b
0x7ff7a56d1952
0x7ff7a56d1959
0x7ff7a56d1960
0x7ff7a56d1967
0x7ff7a56d196e
0x7ff7a56d1973
0x7ff7a56d1978
0x7ff7a56d197b
0x7ff7a56d1983
0x7ff7a56d1993
0x7ff7a56d19ac
0x7ff7a56d19b7
0x7ff7a56d19b7
0x7ff7a56d19bb
0x7ff7a56d19d2
0x7ff7a56d19d4
0x7ff7a56d19d9
0x7ff7a56d19de
0x7ff7a56d19e3
0x7ff7a56d19ed
0x7ff7a56d19fc
0x7ff7a56d1a06
0x7ff7a56d1a0b
0x7ff7a56d1a17
0x7ff7a56d1a1f
0x7ff7a56d1a31
0x7ff7a56d1a3b
0x7ff7a56d1a40
0x7ff7a56d1a4c
0x7ff7a56d1a54
0x7ff7a56d1a66
0x7ff7a56d1a70
0x7ff7a56d1a77
0x7ff7a56d1a8d
0x7ff7a56d1a98
0x7ff7a56d1a98
0x7ff7a56d1a9c
0x7ff7a56d1aab
0x7ff7a56d1aad
0x7ff7a56d1ab2
0x7ff7a56d1ab7
0x7ff7a56d1abc
0x7ff7a56d1ac6
0x7ff7a56d1ad5
0x7ff7a56d1adf
0x7ff7a56d1ae4
0x7ff7a56d1af0
0x7ff7a56d1af8
0x7ff7a56d1b0a
0x7ff7a56d1b14
0x7ff7a56d1b19
0x7ff7a56d1b25
0x7ff7a56d1b2d
0x7ff7a56d1b3f
0x7ff7a56d1b49
0x7ff7a56d1b83

APIs

lstrcmpiW.KERNELBASE ref: 00007FF7A56D117E
lstrcmpiW.KERNEL32 ref: 00007FF7A56D11C8
lstrcmpiW.KERNEL32 ref: 00007FF7A56D1212

Part of subcall function 00007FF7A56D28C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D2960
Part of subcall function 00007FF7A56D28C0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D29AF

Part of subcall function 00007FF7A570B620: GetFileAttributesW.KERNELBASE ref: 00007FF7A570B64B
Part of subcall function 00007FF7A570B620: GetLastError.KERNEL32 ref: 00007FF7A570B67F

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D1508
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D152B
MoveFileExW.KERNEL32 ref: 00007FF7A56D15BC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D17CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D17F0
MoveFileExW.KERNEL32 ref: 00007FF7A56D1871

Part of subcall function 00007FF7A570B6B0: lstrcpyW.KERNEL32 ref: 00007FF7A570B859
Part of subcall function 00007FF7A570B6B0: lstrcatW.KERNEL32 ref: 00007FF7A570B86E
Part of subcall function 00007FF7A570B6B0: lstrcatW.KERNEL32 ref: 00007FF7A570B88D

SleepEx.KERNEL32 ref: 00007FF7A56D193C
MoveFileExW.KERNELBASE ref: 00007FF7A56D19BB
MoveFileExW.KERNEL32 ref: 00007FF7A56D1A9C

Strings

-wait, xrefs: 00007FF7A56D1207
-exec, xrefs: 00007FF7A56D1173
-args, xrefs: 00007FF7A56D11BD

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$File$Move$lstrcmpi$lstrcat$AttributesErrorLastSleeplstrcpy
String ID: -args$-exec$-wait
API String ID: 3695391189-3543574200
Opcode ID: b47439b2d598f34099cd404de5d1fba8806b7a4de36602e438ec1d6f7ee21c83
Instruction ID: a9cd1f4494770cd57dc3a0aa57f3b33545f5c0585361cd591f63312824b34cd1
Opcode Fuzzy Hash: b47439b2d598f34099cd404de5d1fba8806b7a4de36602e438ec1d6f7ee21c83
Instruction Fuzzy Hash: DA421632A1EBC185E760AB14F4843AEB3A5FBCAB84F911135DA8D43A69DF7DD054CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570B6B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 149
stringprocessCOMMONLIBRARYCODECrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 52%

			E00007FF77FF7A570B6B0(void* __ebx, signed int __ecx, void* __rax, signed long long* __rcx, void* __rdx, void* __r8, signed long long __r9, void* __r11, long long _a8, long long _a16, long long _a24, long long _a32, intOrPtr _a40, char _a48, intOrPtr _a56, long long _a72, long long _a80, long long _a88, char _a96, intOrPtr _a104, long long _a128, char _a136, char _a144, intOrPtr _a196, char _a200, char _a248, char _a256, long long _a272, long long _a280, char _a296, signed int _a65832) {
				intOrPtr _v0;
				intOrPtr _v8;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* __r12;
				void* _t79;
				signed long long _t114;
				signed long long _t115;
				void* _t119;
				void* _t145;
				void* _t150;
				void* _t151;
				long long _t152;
				void* _t153;
				signed long long _t159;
				void* _t161;
				long long _t163;

				_t159 = __r9;
				_t92 = __ecx;
				E00007FF77FF7A570C0A0(0x10160, __rax, _t161, __r11);
				_t154 = _t153 - __rax;
				_a88 = 0xfffffffe;
				_t114 =  *0xa5720430; // 0x4918c7c3922
				_t115 = _t114 ^ _t153 - __rax;
				_a65832 = _t115;
				_t151 = __r8;
				_t119 = __rdx;
				_t152 = __rcx;
				r12d = 0;
				_a40 = r12d;
				 *__rcx = _t115;
				__rcx[1] = _t115;
				__rcx[2] = _t115;
				_a136 = 0x68;
				_t7 = _t163 + 0x60; // 0x60
				r8d = _t7;
				E00007FF77FF7A56EB240(0, __ecx, 0,  &_a144, __rdx, __r8);
				_a196 = 1;
				_a200 = r12w;
				if ( *((intOrPtr*)(__r8 + 0x18)) == _t150) goto 0xa570b900;
				_t12 = _t163 + 1; // 0x1
				r9d = _t12;
				r8d = 0;
				E00007FF77FF7A56D4AA0(_t159);
				if (_t115 == 0xffffffff) goto 0xa570b79d;
				E00007FF77FF7A56D6580(0, _t115 - 0xffffffff, _t115, __rdx,  &_a96, "\"", __r8, __rcx, __rdx, _t159, _t163);
				_a40 = 1;
				E00007FF77FF7A56D6650(0, _t115 - 0xffffffff, _t115, _t119,  &_a48, _t115, _t151, "\"", _t159);
				_a40 = 3;
				goto 0xa570b7a0;
				_a280 = 7;
				_a272 = _t163;
				_a256 = r12w;
				r8d = 0;
				E00007FF77FF7A56D2390(_t119,  &_a248, _t119, _t150, _t151, _t152, "\"", _t159 | 0xffffffff);
				if ((dil & 0x00000002) == 0) goto 0xa570b804;
				if (_a80 - 8 < 0) goto 0xa570b7f0;
				E00007FF77FF7A56E44D8(_t119, _t119, _a56, _t119, _t151, "\"", _t159 | 0xffffffff);
				_a80 = 7;
				_a72 = _t163;
				_a56 = r12w;
				if ((dil & 0x00000001) == 0) goto 0xa570b822;
				if (_a128 - 8 < 0) goto 0xa570b822;
				_t79 = E00007FF77FF7A56E44D8(_t119, _t119, _a104, _t119, _t151, "\"", _t159 | 0xffffffff);
				r8d = 0xfffe;
				E00007FF77FF7A56EB240(_t79, _t92, 0,  &_a296, _t119, "\"");
				_t145 =  >=  ? _a256 :  &_a256;
				lstrcpyW(??, ??);
				lstrcatW(??, ??);
				if ( *((long long*)(_t151 + 0x20)) - 8 < 0) goto 0xa570b881;
				goto 0xa570b885;
				lstrcatW(??, ??);
				if ( *((long long*)(_t119 + 0x20)) - 8 < 0) goto 0xa570b8a0;
				goto 0xa570b8a4;
				_a32 = _t152;
				_a24 =  &_a136;
				_a16 = _t163;
				_a8 = _t163;
				_v0 = r12d;
				_v8 = r12d;
				r9d = 0;
				r8d = 0;
				CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??); // executed
				if (_a280 - 8 < 0) goto 0xa570b8fc;
				E00007FF77FF7A56E44D8( &_a136, _t119, _a256,  &_a296, _t151, "\"", _t159 | 0xffffffff);
				goto 0xa570b94b;
				if ( *((long long*)(_t119 + 0x20)) - 8 < 0) goto 0xa570b90d;
				goto 0xa570b911;
				_a32 = _t152;
				_a24 =  &_a136;
				_a16 = _t163;
				_a8 = _t163;
				_v0 = r12d;
				_v8 = r12d;
				r9d = 0;
				r8d = 0;
				CreateProcessW(??, ??, ??, ??, ??, ??, ??, ??, ??, ??);
				return E00007FF77FF7A56E4050(_t92, _a65832 ^ _t154,  &_a296, "\"", _t159 | 0xffffffff);
			}

0x7ff7a570b6b0
0x7ff7a570b6b0
0x7ff7a570b6bc
0x7ff7a570b6c1
0x7ff7a570b6c4
0x7ff7a570b6d0
0x7ff7a570b6d7
0x7ff7a570b6da
0x7ff7a570b6e2
0x7ff7a570b6e5
0x7ff7a570b6e8
0x7ff7a570b6eb
0x7ff7a570b6f1
0x7ff7a570b6f8
0x7ff7a570b6fb
0x7ff7a570b6ff
0x7ff7a570b703
0x7ff7a570b710
0x7ff7a570b710
0x7ff7a570b71d
0x7ff7a570b722
0x7ff7a570b72d
0x7ff7a570b73a
0x7ff7a570b740
0x7ff7a570b740
0x7ff7a570b745
0x7ff7a570b752
0x7ff7a570b75b
0x7ff7a570b76f
0x7ff7a570b775
0x7ff7a570b78c
0x7ff7a570b797
0x7ff7a570b79b
0x7ff7a570b7a0
0x7ff7a570b7ac
0x7ff7a570b7b4
0x7ff7a570b7c1
0x7ff7a570b7cf
0x7ff7a570b7d9
0x7ff7a570b7e4
0x7ff7a570b7eb
0x7ff7a570b7f0
0x7ff7a570b7f9
0x7ff7a570b7fe
0x7ff7a570b808
0x7ff7a570b813
0x7ff7a570b81d
0x7ff7a570b824
0x7ff7a570b832
0x7ff7a570b848
0x7ff7a570b859
0x7ff7a570b86e
0x7ff7a570b879
0x7ff7a570b87f
0x7ff7a570b88d
0x7ff7a570b898
0x7ff7a570b89e
0x7ff7a570b8a4
0x7ff7a570b8b1
0x7ff7a570b8b6
0x7ff7a570b8bb
0x7ff7a570b8c0
0x7ff7a570b8c5
0x7ff7a570b8ca
0x7ff7a570b8cd
0x7ff7a570b8d8
0x7ff7a570b8ed
0x7ff7a570b8f7
0x7ff7a570b8fe
0x7ff7a570b905
0x7ff7a570b90b
0x7ff7a570b911
0x7ff7a570b91e
0x7ff7a570b923
0x7ff7a570b928
0x7ff7a570b92d
0x7ff7a570b932
0x7ff7a570b937
0x7ff7a570b93a
0x7ff7a570b93f
0x7ff7a570b968

APIs

lstrcpyW.KERNEL32 ref: 00007FF7A570B859
lstrcatW.KERNEL32 ref: 00007FF7A570B86E
lstrcatW.KERNEL32 ref: 00007FF7A570B88D
CreateProcessW.KERNELBASE ref: 00007FF7A570B8D8
CreateProcessW.KERNEL32 ref: 00007FF7A570B93F

Strings

h, xrefs: 00007FF7A570B703

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: CreateProcesslstrcat$lstrcpy
String ID: h
API String ID: 3136576379-2439710439
Opcode ID: 921a10a08777df4f326595dd1351c16fdca3307fa6b663e0858bbc25aff6aeb9
Instruction ID: c83e8f89ea15e7f046d20eec5f8537f423173ea70d9154bc2384d00bf66144a5
Opcode Fuzzy Hash: 921a10a08777df4f326595dd1351c16fdca3307fa6b663e0858bbc25aff6aeb9
Instruction Fuzzy Hash: 0061A23251AAC1C6E731DF14E8447AEB3A1FB8AB64F911234DA9D46AB8DF3CD154CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E574C Relevance: 13.6, APIs: 9, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_lock.LIBCMT ref: 00007FF7A56E5775
DecodePointer.KERNEL32 ref: 00007FF7A56E57A8
DecodePointer.KERNEL32 ref: 00007FF7A56E57C5
DecodePointer.KERNEL32 ref: 00007FF7A56E5804
DecodePointer.KERNEL32 ref: 00007FF7A56E581D
DecodePointer.KERNEL32 ref: 00007FF7A56E582C
_initterm.LIBCMT ref: 00007FF7A56E586B
_initterm.LIBCMT ref: 00007FF7A56E587E
ExitProcess.KERNEL32 ref: 00007FF7A56E58B7

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: DecodePointer$_initterm$ExitProcess_lock
String ID:
API String ID: 2551688548-0
Opcode ID: f7ab496e4a34eae790cf03e36a8f78beb75be275483b8bc54828459c6ad654f5
Instruction ID: 94d790bda1fb9f618f0b180d316491c5cf4267edc3f452e86b71f309e436d53e
Opcode Fuzzy Hash: f7ab496e4a34eae790cf03e36a8f78beb75be275483b8bc54828459c6ad654f5
Instruction Fuzzy Hash: AA418F21A0F652C1EA90BB11E88027DE297FF6AF84F966034EE4D037B5DE3DE4518720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E45E0 Relevance: 9.1, APIs: 6, Instructions: 138
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E00007FF77FF7A56E45E0(void* __rax, void* __rcx) {
				void* _t2;

				goto 0xa56e45fa;
				if (E00007FF77FF7A56EBC98(__rax, __rcx) == 0) goto 0xa56e460a;
				_t2 = malloc(??);
				if (__rax == 0) goto 0xa56e45eb;
				return _t2;
			}

0x7ff7a56e45e9
0x7ff7a56e45f5
0x7ff7a56e45fa
0x7ff7a56e4602
0x7ff7a56e4609

APIs

malloc.LIBCMT ref: 00007FF7A56E45FA

Part of subcall function 00007FF7A56E48B0: _FF_MSGBANNER.LIBCMT ref: 00007FF7A56E48E0
Part of subcall function 00007FF7A56E48B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7A56EA598,?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56E4905
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4929
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4934

_FF_MSGBANNER.LIBCMT ref: 00007FF7A56E4709
_FF_MSGBANNER.LIBCMT ref: 00007FF7A56E4734
_RTC_Initialize.LIBCMT ref: 00007FF7A56E474D
GetCommandLineW.KERNEL32 ref: 00007FF7A56E4766
_cinit.LIBCMT ref: 00007FF7A56E47A6

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$AllocateCommandHeapInitializeLine_cinitmalloc
String ID:
API String ID: 2456440378-0
Opcode ID: d9342fbc873394faf5c233f4d5feb5bd075710e0ef0b8a8265e5b7922b41a891
Instruction ID: 5954a21f29010656eb0845cf08239e498e10369c4260b0e1e6d4e2decdce018c
Opcode Fuzzy Hash: d9342fbc873394faf5c233f4d5feb5bd075710e0ef0b8a8265e5b7922b41a891
Instruction Fuzzy Hash: 31514F20E0F243CAFA60BB74A4512B9A293AF57F45FD62035DD4D466B2DE7EE4408731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EC75C Relevance: 7.7, APIs: 5, Instructions: 199
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00007FF77FF7A56EC75C(void* __ecx, signed long long __rbx, void* __rdx, signed long long __rdi, signed long long __rsi, signed long long __r12) {
				void* _v24;
				signed long long* _v64;
				intOrPtr _v70;
				void* _v136;
				signed int _t63;
				signed int _t65;
				signed char _t74;
				signed int _t75;
				signed int _t83;
				signed int _t86;
				void* _t88;
				signed int _t95;
				signed long long* _t127;
				signed long long* _t129;
				signed long long* _t131;
				long long _t136;
				long long* _t140;
				signed long long _t151;
				signed long long _t153;
				signed char* _t158;
				void* _t162;
				signed long long* _t163;
				signed long long* _t166;
				signed long long* _t168;
				long long* _t174;
				void* _t176;
				signed char* _t177;
				void* _t180;
				struct _STARTUPINFOA* _t184;

				_t151 = __rdi;
				_t150 = __rdx;
				_t137 = __rbx;
				_t127 = _t163;
				_t127[1] = __rbx;
				_t127[2] = __rsi;
				_t127[3] = __rdi;
				_t127[4] = __r12;
				GetStartupInfoA(_t184);
				_t6 = _t150 - 0x38; // 0x20
				r12d = _t6;
				E00007FF77FF7A56EA5E0(__rbx, __r12, __rdx, __rdi, __rsi, _t162, _t180, _t176);
				_t166 = _t127;
				r15d = 0;
				if (_t127 != _t184) goto 0xa56ec7ac;
				goto 0xa56eca27;
				 *0xa57289e0 = _t127;
				 *0xa57289c0 = r12d;
				if (_t166 -  &(_t127[0x160]) >= 0) goto 0xa56ec80a;
				_t166[1] = r15b;
				 *_t166 =  *_t166 | 0xffffffff;
				_t166[1] = 0xa;
				_t166[1] = r15d;
				_t166[7] = r15b;
				_t166[7] = 0xa;
				_t166[7] = 0xa;
				_t166[0xa] = r15d;
				_t166[9] = r15b;
				_t129 =  *0xa57289e0; // 0x2be0b10
				if ( &(_t166[0xb]) - _t129 + 0xb00 < 0) goto 0xa56ec7c7;
				_t86 =  *0xa57289c0; // 0x20
				if (_v70 == r15w) goto 0xa56ec95f;
				_t131 = _v64;
				if (_t131 == _t184) goto 0xa56ec95f;
				_t177 =  &(_t131[0]);
				_t158 =  &(_t177[ *_t131]);
				_t82 =  <  ?  *_t131 : 0x800;
				if (_t86 - 0x800 >= 0) goto 0xa56ec8d2;
				E00007FF77FF7A56EA5E0(_t137, __r12, _t150, _t151, _t158, _t162);
				_t168 = _t131;
				if (_t131 == _t184) goto 0xa56ec8ca;
				0xa57289e0[_t151] = _t131;
				_t63 =  *0xa57289c0; // 0x20
				 *0xa57289c0 = _t63 + r12d;
				_t20 =  &(_t168[0x160]); // 0xb00
				if (_t168 - _t20 >= 0) goto 0xa56ec8c1;
				_t168[1] = r15b;
				 *_t168 =  *_t168 | 0xffffffff;
				_t168[1] = 0xa;
				_t168[1] = r15d;
				_t168[7] = _t168[7] & 0x00000080;
				_t168[7] = 0xa;
				_t168[7] = 0xa;
				_t168[0xa] = r15d;
				_t168[9] = r15b;
				if ( &(_t168[0xb]) -  &(0xa57289e0[_t151][0x160]) < 0) goto 0xa56ec880;
				_t65 =  *0xa57289c0; // 0x20
				_t107 = _t65 - ( <  ?  *_t131 : 0x800);
				if (_t65 - ( <  ?  *_t131 : 0x800) < 0) goto 0xa56ec84c;
				goto 0xa56ec8d9;
				_t83 =  *0xa57289c0; // 0x20
				goto 0xa56ec8d9;
				_t95 = r15d;
				if (_t83 - r15d <= 0) goto 0xa56ec95f;
				if ( *_t158 == 0xffffffff) goto 0xa56ec952;
				if ( *_t158 == 0xfffffffe) goto 0xa56ec952;
				if (( *_t177 & 0x00000001) == 0) goto 0xa56ec952;
				if (( *_t177 & 0x00000008) != 0) goto 0xa56ec909;
				if (GetFileType(??) == r15d) goto 0xa56ec952;
				r12d = r12d & 0x0000001f;
				_t174 = 0xa57289e0[_t95 >> 5] + _t95 * 0x58;
				_t136 =  *_t158;
				 *_t174 = _t136;
				 *((char*)(_t174 + 8)) =  *_t177;
				if (E00007FF77FF7A56F0438() == r15d) goto 0xa56ec94a;
				 *((intOrPtr*)(_t174 + 0xc)) =  *((intOrPtr*)(_t174 + 0xc)) + 1;
				goto 0xa56ec952;
				goto 0xa56eca27;
				if (_t95 + 1 - _t83 < 0) goto 0xa56ec8e1;
				r12d = r15d;
				_t153 = _t184;
				_t140 =  *0xa57289e0 + _t153 * 0x58;
				if ( *_t140 == 0xffffffff) goto 0xa56ec985;
				if ( *_t140 == 0xfffffffe) goto 0xa56ec985;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000080;
				goto 0xa56eca04;
				 *(_t140 + 8) = 0x81;
				asm("sbb ecx, ecx");
				_t88 =  ==  ? 0xfffffff6 : _t86 + 0xfffffff5;
				GetStdHandle(??);
				if (_t136 == 0xffffffff) goto 0xa56ec9f9;
				if (_t136 == _t184) goto 0xa56ec9f9;
				_t74 = GetFileType(??); // executed
				if (_t74 == r15d) goto 0xa56ec9f9;
				 *_t140 = _t136;
				_t75 = _t74 & 0x000000ff;
				if (_t75 != 2) goto 0xa56ec9d3;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000040;
				goto 0xa56ec9dc;
				if (_t75 != 3) goto 0xa56ec9dc;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000008;
				if (E00007FF77FF7A56F0438() == r15d) goto 0xa56ec9f4;
				 *((intOrPtr*)(_t140 + 0xc)) =  *((intOrPtr*)(_t140 + 0xc)) + 1;
				goto 0xa56eca04;
				goto 0xa56eca27;
				 *(_t140 + 8) =  *(_t140 + 8) | 0x00000040;
				 *_t140 = 0xfffffffe;
				r12d = r12d + 1;
				if (_t153 + 1 - 3 < 0) goto 0xa56ec965;
				SetHandleCount(??);
				return 0xffffffff;
			}

0x7ff7a56ec75c
0x7ff7a56ec75c
0x7ff7a56ec75c
0x7ff7a56ec75c
0x7ff7a56ec75f
0x7ff7a56ec763
0x7ff7a56ec767
0x7ff7a56ec76b
0x7ff7a56ec781
0x7ff7a56ec78d
0x7ff7a56ec78d
0x7ff7a56ec794
0x7ff7a56ec799
0x7ff7a56ec79c
0x7ff7a56ec7a2
0x7ff7a56ec7a7
0x7ff7a56ec7ac
0x7ff7a56ec7b6
0x7ff7a56ec7c5
0x7ff7a56ec7c7
0x7ff7a56ec7cb
0x7ff7a56ec7cf
0x7ff7a56ec7d4
0x7ff7a56ec7d8
0x7ff7a56ec7dc
0x7ff7a56ec7e1
0x7ff7a56ec7e6
0x7ff7a56ec7ea
0x7ff7a56ec7f2
0x7ff7a56ec802
0x7ff7a56ec804
0x7ff7a56ec810
0x7ff7a56ec816
0x7ff7a56ec81e
0x7ff7a56ec824
0x7ff7a56ec82b
0x7ff7a56ec835
0x7ff7a56ec83f
0x7ff7a56ec854
0x7ff7a56ec859
0x7ff7a56ec85f
0x7ff7a56ec861
0x7ff7a56ec865
0x7ff7a56ec86e
0x7ff7a56ec874
0x7ff7a56ec87e
0x7ff7a56ec880
0x7ff7a56ec884
0x7ff7a56ec888
0x7ff7a56ec88d
0x7ff7a56ec891
0x7ff7a56ec896
0x7ff7a56ec89b
0x7ff7a56ec8a0
0x7ff7a56ec8a4
0x7ff7a56ec8b9
0x7ff7a56ec8bb
0x7ff7a56ec8c4
0x7ff7a56ec8c6
0x7ff7a56ec8c8
0x7ff7a56ec8ca
0x7ff7a56ec8d0
0x7ff7a56ec8d9
0x7ff7a56ec8df
0x7ff7a56ec8e5
0x7ff7a56ec8eb
0x7ff7a56ec8f2
0x7ff7a56ec8f9
0x7ff7a56ec907
0x7ff7a56ec913
0x7ff7a56ec91b
0x7ff7a56ec91f
0x7ff7a56ec922
0x7ff7a56ec92a
0x7ff7a56ec941
0x7ff7a56ec943
0x7ff7a56ec948
0x7ff7a56ec94d
0x7ff7a56ec95d
0x7ff7a56ec95f
0x7ff7a56ec962
0x7ff7a56ec96c
0x7ff7a56ec977
0x7ff7a56ec97d
0x7ff7a56ec97f
0x7ff7a56ec983
0x7ff7a56ec985
0x7ff7a56ec990
0x7ff7a56ec99d
0x7ff7a56ec9a0
0x7ff7a56ec9ad
0x7ff7a56ec9b2
0x7ff7a56ec9b7
0x7ff7a56ec9c0
0x7ff7a56ec9c2
0x7ff7a56ec9c5
0x7ff7a56ec9cb
0x7ff7a56ec9cd
0x7ff7a56ec9d1
0x7ff7a56ec9d6
0x7ff7a56ec9d8
0x7ff7a56ec9ed
0x7ff7a56ec9ef
0x7ff7a56ec9f2
0x7ff7a56ec9f7
0x7ff7a56ec9f9
0x7ff7a56ec9fd
0x7ff7a56eca04
0x7ff7a56eca0e
0x7ff7a56eca1a
0x7ff7a56eca48

APIs

GetStartupInfoA.KERNEL32 ref: 00007FF7A56EC781

Part of subcall function 00007FF7A56EA5E0: Sleep.KERNEL32(?,?,?,00007FF7A56EB8EB,?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871), ref: 00007FF7A56EA625

GetFileType.KERNEL32 ref: 00007FF7A56EC8FE

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: FileInfoSleepStartupType
String ID:
API String ID: 1527402494-0
Opcode ID: 8533c35c8a20efeb12ed51f4efd1269282dbaf34b7f114ec22bf48b726a2f410
Instruction ID: c56d522fb6da715ecf79792a923575e8df8525aeafd4e92a108d4c3039af3383
Opcode Fuzzy Hash: 8533c35c8a20efeb12ed51f4efd1269282dbaf34b7f114ec22bf48b726a2f410
Instruction Fuzzy Hash: F5918031A1B68281E750AF24D448638AA96FB06F74F965735CA7D473E2DF3EE841C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E8520 Relevance: 6.4, APIs: 5, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 46%

			E00007FF77FF7A56E8520(long long __rax, long long __rbx, void* __rcx, void* __rdx, void* __r8, long long _a8, long long _a24) {
				long long _v64;
				long long _v72;
				void* __rsi;
				void* __rbp;
				signed int _t53;
				signed int _t55;
				void* _t57;
				void* _t63;
				void* _t64;
				void* _t65;
				long long _t68;
				void* _t78;
				void* _t96;
				long long _t97;
				void* _t99;
				long long _t100;
				intOrPtr _t106;
				void* _t109;
				long long _t113;

				_t92 = __rdx;
				_t68 = __rax;
				_a8 = __rbx;
				_t78 = __rcx;
				r12d = 1;
				E00007FF77FF7A56EA574(_t57, __rax, __rcx, __rcx, _t96, _t99); // executed
				_t97 = _t68;
				_a24 = _t68;
				if (_t97 == _t68) goto 0xa56e86f1;
				_t3 = _t97 + 4; // 0x4
				_t100 = _t3;
				_t4 = _t78 + 0x68; // 0x68
				_t5 = _t109 + 2; // 0x3
				r8d = _t5;
				 *_t100 = 0;
				 *_t97 = r12d;
				_t106 =  *0xa5710c88; // 0x7ff7a5710c50
				_v64 =  *_t4;
				_v72 = 0xa5710d90;
				E00007FF77FF7A56E82BC(_t100, __rdx, _t106);
				_t8 = _t78 + 0x88; // 0x88
				if (E00007FF77FF7A56F3850(0xa5710d90, _t100, _t92, _t97, _t100, 0xa5710d8c) == 0) goto 0xa56e85db;
				r9d = 0;
				r8d = 0;
				_v72 = _t97;
				E00007FF77FF7A56E4308();
				E00007FF77FF7A56EBBE0(0,  *_t4,  *_t8);
				r8d = 3;
				_t53 =  !=  ? 0 : r12d;
				_t11 = _t78 + 0x48; // 0x4a
				_t113 = (_t109 + 1 << 5) + _t11;
				_v64 =  *_t113;
				_v72 = 0xa5710d90;
				E00007FF77FF7A56E82BC(_t100,  *_t8,  *0xa5710c88);
				if (0x7ff7a5710ca0 - 0xa5710ce8 < 0) goto 0xa56e85af;
				r13d = 0;
				if (_t53 != r13d) goto 0xa56e8697;
				_t63 =  *((intOrPtr*)(_t78 + 0x58)) - _t113;
				if (_t63 == 0) goto 0xa56e866e;
				asm("lock xadd [ecx], eax");
				if (_t63 != 0) goto 0xa56e866e;
				free(??);
				_t64 =  *((intOrPtr*)(_t78 + 0x60)) - _t113;
				if (_t64 == 0) goto 0xa56e868a;
				asm("lock xadd [edx], ecx");
				if (_t64 != 0) goto 0xa56e868a;
				free(??);
				 *((long long*)(_t78 + 0x58)) = _a24;
				 *((long long*)(_t78 + 0x48)) = _t100;
				goto 0xa56e86e9;
				free(??);
				_t55 = _t53 | 0xffffffff;
				_t65 =  *((intOrPtr*)(_t78 + 0x58)) - _t113;
				if (_t65 == 0) goto 0xa56e86be;
				asm("lock xadd [ecx], eax");
				if (_t65 != 0) goto 0xa56e86be;
				free(??);
				if ( *((intOrPtr*)(_t78 + 0x60)) == _t113) goto 0xa56e86da;
				asm("lock xadd [edx], ecx");
				if (_t55 + _t55 != 0) goto 0xa56e86da;
				free(??);
				 *((long long*)(_t78 + 0x58)) = _t113;
				 *((long long*)(_t78 + 0x48)) = _t113;
				 *((long long*)(_t78 + 0x50)) = _t113;
				 *((long long*)(_t78 + 0x60)) = _t113;
				return _t55 + _t55;
			}

0x7ff7a56e8520
0x7ff7a56e8520
0x7ff7a56e8520
0x7ff7a56e8534
0x7ff7a56e8537
0x7ff7a56e8545
0x7ff7a56e854a
0x7ff7a56e854d
0x7ff7a56e855a
0x7ff7a56e8560
0x7ff7a56e8560
0x7ff7a56e8564
0x7ff7a56e8568
0x7ff7a56e8568
0x7ff7a56e856d
0x7ff7a56e8570
0x7ff7a56e8577
0x7ff7a56e857e
0x7ff7a56e8592
0x7ff7a56e8597
0x7ff7a56e859f
0x7ff7a56e85c5
0x7ff7a56e85c7
0x7ff7a56e85ca
0x7ff7a56e85d1
0x7ff7a56e85d6
0x7ff7a56e85e3
0x7ff7a56e85ed
0x7ff7a56e85f8
0x7ff7a56e8610
0x7ff7a56e8610
0x7ff7a56e8619
0x7ff7a56e8625
0x7ff7a56e862a
0x7ff7a56e8639
0x7ff7a56e8647
0x7ff7a56e864d
0x7ff7a56e8656
0x7ff7a56e8659
0x7ff7a56e865d
0x7ff7a56e8663
0x7ff7a56e8669
0x7ff7a56e8672
0x7ff7a56e8675
0x7ff7a56e8679
0x7ff7a56e867f
0x7ff7a56e8685
0x7ff7a56e868a
0x7ff7a56e868e
0x7ff7a56e8695
0x7ff7a56e869a
0x7ff7a56e86a3
0x7ff7a56e86a6
0x7ff7a56e86a9
0x7ff7a56e86ad
0x7ff7a56e86b3
0x7ff7a56e86b9
0x7ff7a56e86c5
0x7ff7a56e86c9
0x7ff7a56e86cf
0x7ff7a56e86d5
0x7ff7a56e86e1
0x7ff7a56e86e5
0x7ff7a56e86e9
0x7ff7a56e86ed
0x7ff7a56e8705

APIs

Part of subcall function 00007FF7A56EA574: malloc.LIBCMT ref: 00007FF7A56EA593
Part of subcall function 00007FF7A56EA574: Sleep.KERNEL32(?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56EA5AA

Part of subcall function 00007FF7A56F3850: _errno.LIBCMT ref: 00007FF7A56F386B

free.LIBCMT ref: 00007FF7A56E8669
free.LIBCMT ref: 00007FF7A56E8685

Part of subcall function 00007FF7A56E4308: RtlCaptureContext.KERNEL32 ref: 00007FF7A56E4347
Part of subcall function 00007FF7A56E4308: IsDebuggerPresent.KERNEL32 ref: 00007FF7A56E43E5
Part of subcall function 00007FF7A56E4308: SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56E43EF
Part of subcall function 00007FF7A56E4308: UnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56E43FA
Part of subcall function 00007FF7A56E4308: GetCurrentProcess.KERNEL32 ref: 00007FF7A56E4410
Part of subcall function 00007FF7A56E4308: TerminateProcess.KERNEL32 ref: 00007FF7A56E441E

free.LIBCMT ref: 00007FF7A56E869A

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

free.LIBCMT ref: 00007FF7A56E86B9
free.LIBCMT ref: 00007FF7A56E86D5

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ExceptionFilterProcessUnhandled_errno$CaptureContextCurrentDebuggerErrorFreeHeapLastPresentSleepTerminatemalloc
String ID:
API String ID: 2327265721-0
Opcode ID: def5f98aa189ed1fb9de0a002abd7351bc365c7a9b586d71034df92824fd45d2
Instruction ID: 47dfe1653a7f7645e4d0da96568ed624bc1e9ca269fa6982dadf8c4b561aae49
Opcode Fuzzy Hash: def5f98aa189ed1fb9de0a002abd7351bc365c7a9b586d71034df92824fd45d2
Instruction Fuzzy Hash: 30510632607A81D6EB60AF25E80017EB356FB86F98F9A4035DE4D477A4CE3DD886C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E8E74 Relevance: 6.1, APIs: 4, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00007FF77FF7A56E8E74(void* __ebx, void* __ecx, void* __edi, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, signed int __r12, long long _a8, long long _a16, signed int* _a24, long long _a32) {
				signed int* _v40;
				signed int _v56;
				void* _t36;
				void* _t49;
				void* _t50;
				intOrPtr _t56;
				void* _t63;
				void* _t64;
				signed int* _t75;
				signed int _t92;
				intOrPtr _t96;
				signed int* _t99;
				signed int* _t102;
				void* _t110;
				intOrPtr _t111;
				void* _t115;

				_t110 = __r9;
				_t108 = __r8;
				_t104 = __rbp;
				_t91 = __rdx;
				_t81 = __rcx;
				_t80 = __rbx;
				_t75 = __rax;
				_t64 = __esi;
				_t63 = __edi;
				_t50 = __ebx;
				_a8 = __rsi;
				_a16 = __rdi;
				_a32 = __r12;
				_t115 = __rdx;
				r14d = __ecx;
				r12d = 0;
				_t65 = __ecx - 5;
				if (__ecx - 5 <= 0) goto 0xa56e8ec1;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 0x16;
				_v56 = _v56 & __r12;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(__rax, __rbx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0xa56e9077;
				E00007FF77FF7A56EB93C(0, _t65, __rax);
				_t102 = _t75;
				_a24 = _t75;
				E00007FF77FF7A56E819C(_t75);
				_t102[0x32] = _t102[0x32] | 0x00000010;
				E00007FF77FF7A56EA5E0(_t80, _t81, _t91, __rdi, _t102, _t104);
				_t99 = _t75;
				if (_t75 == 0) goto 0xa56e906d;
				E00007FF77FF7A56EFF60();
				_t92 = _t102[0x30];
				if (_t92 == 0) goto 0xa56e8f2b;
				if (_t99 == _t92) goto 0xa56e8f2b;
				r8d = 0x160;
				_t36 = E00007FF77FF7A56EAE90(0xc, _t99 - _t92, _t99, _t92, _t108);
				 *_t99 =  *_t99 & 0x00000000;
				E00007FF77FF7A56E8004(_t36, _t99, _t108);
				E00007FF77FF7A56EFE60();
				_t109 = _t115;
				E00007FF77FF7A56E8C50(_t50, 0xc, r14d, _t99, _t92, _t115, _t110); // executed
				_v40 = _t75;
				if (_t75 == 0) goto 0xa56e905f;
				if (_t115 == 0) goto 0xa56e8f82;
				E00007FF77FF7A56EBBE0(0xc, _t115, 0xa5720a20);
				_t56 =  *0xa57230bc; // 0x0
				r13d = 1;
				_t57 =  !=  ? r13d : _t56;
				 *0xa57230bc =  !=  ? r13d : _t56;
				goto 0xa56e8f88;
				r13d = 1;
				E00007FF77FF7A56EFF60();
				_t11 =  &(_t102[0x30]); // 0xc0
				E00007FF77FF7A56E809C(E00007FF77FF7A56E8144(_t63, _t64, _t75, _t11, _t99, _t102), _t99, _t115);
				if ((_t102[0x32] & 0x00000002) != 0) goto 0xa56e9053;
				if (( *0xa5720a10 & r13b) != 0) goto 0xa56e9053;
				E00007FF77FF7A56E8144(_t63, _t64, _t75, 0xa5720b90, _t102[0x30], _t102);
				_t96 =  *0xa5720b90; // 0x2be4b80
				r8d = 0x18;
				E00007FF77FF7A56EAE90(0xc,  *0xa5720a10 & r13b, 0xa5723ba0, _t96 + 0xc, _t115);
				_t111 =  *0xa5720b90; // 0x2be4b80
				 *0xa5723bb8 =  *((intOrPtr*)(_t111 + 4));
				 *0xa5723bbc =  *((intOrPtr*)(_t111 + 8));
				 *0xa5720b98 =  *((intOrPtr*)(_t111 + 0x108));
				 *0xa5721718 =  *((intOrPtr*)(_t111 + 0x158));
				 *0xa57201f8 =  *((intOrPtr*)(_t111 + 0x128));
				 *0xa5720440 =  *((intOrPtr*)(_t111 + 0x140));
				 *0xa5721720 =  *((intOrPtr*)(_t111 + 0x10c));
				E00007FF77FF7A56EFE60();
				goto 0xa56e906d;
				E00007FF77FF7A56E809C( *((intOrPtr*)(_t111 + 0x10c)), _t99, _t109);
				_t49 = E00007FF77FF7A56E7E88(_t80, _t99, _t102, _t109);
				_t102[0x32] = _t102[0x32] & 0xffffffef;
				return _t49;
			}

0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e74
0x7ff7a56e8e79
0x7ff7a56e8e7e
0x7ff7a56e8e8d
0x7ff7a56e8e90
0x7ff7a56e8e93
0x7ff7a56e8e96
0x7ff7a56e8e99
0x7ff7a56e8e9b
0x7ff7a56e8ea0
0x7ff7a56e8ea6
0x7ff7a56e8eab
0x7ff7a56e8eae
0x7ff7a56e8eb5
0x7ff7a56e8ebc
0x7ff7a56e8ec1
0x7ff7a56e8ec6
0x7ff7a56e8ec9
0x7ff7a56e8ece
0x7ff7a56e8ed3
0x7ff7a56e8ee4
0x7ff7a56e8ee9
0x7ff7a56e8eef
0x7ff7a56e8efa
0x7ff7a56e8f00
0x7ff7a56e8f0a
0x7ff7a56e8f0f
0x7ff7a56e8f14
0x7ff7a56e8f1a
0x7ff7a56e8f1f
0x7ff7a56e8f25
0x7ff7a56e8f30
0x7ff7a56e8f35
0x7ff7a56e8f3e
0x7ff7a56e8f46
0x7ff7a56e8f4e
0x7ff7a56e8f57
0x7ff7a56e8f63
0x7ff7a56e8f68
0x7ff7a56e8f70
0x7ff7a56e8f76
0x7ff7a56e8f7a
0x7ff7a56e8f80
0x7ff7a56e8f82
0x7ff7a56e8f8d
0x7ff7a56e8f96
0x7ff7a56e8fa5
0x7ff7a56e8fb1
0x7ff7a56e8fbe
0x7ff7a56e8fd2
0x7ff7a56e8fd7
0x7ff7a56e8fe2
0x7ff7a56e8fef
0x7ff7a56e8ff4
0x7ff7a56e8fff
0x7ff7a56e9009
0x7ff7a56e9016
0x7ff7a56e9023
0x7ff7a56e9031
0x7ff7a56e903f
0x7ff7a56e904d
0x7ff7a56e9058
0x7ff7a56e905d
0x7ff7a56e9062
0x7ff7a56e9067
0x7ff7a56e906d
0x7ff7a56e9090

APIs

_errno.LIBCMT ref: 00007FF7A56E8E9B

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_getptd.LIBCMT ref: 00007FF7A56E8EC1
_lock.LIBCMT ref: 00007FF7A56E8EFA
_lock.LIBCMT ref: 00007FF7A56E8F8D

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _lock$DecodePointer_errno_getptd
String ID:
API String ID: 4201827665-0
Opcode ID: f69661139c2ccdaea8614eccadf113ca2f6b788d7e3362209dbcf903ea8732cd
Instruction ID: 3369e462e2a910ffd0efabf8feb747fbe0315b2bef29d2f67858c4ea6614d543
Opcode Fuzzy Hash: f69661139c2ccdaea8614eccadf113ca2f6b788d7e3362209dbcf903ea8732cd
Instruction Fuzzy Hash: 9A517031A1B642C6F754FB21A8407BAA292FF4AF84F965035DE5D537B2DE3EE4018720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EBAD8 Relevance: 4.5, APIs: 3, Instructions: 35
memorythreadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 23%

			E00007FF77FF7A56EBAD8(long* __rax, void* __rcx, void* __rdx, void* __rdi, void* __rsi) {
				void* __rbx;
				intOrPtr _t5;
				void* _t6;
				long _t8;
				long* _t21;
				void* _t22;
				long* _t23;
				void* _t31;

				_t30 = __rsi;
				_t29 = __rdi;
				_t21 = __rax;
				E00007FF77FF7A56E5910(__rax); // executed
				_t5 = E00007FF77FF7A56EFD50(_t22, __rdi, __rsi);
				if (_t5 == 0) goto 0xa56ebb4c;
				__imp__FlsAlloc();
				 *0xa5720810 = _t5;
				if (_t5 == 0xffffffff) goto 0xa56ebb4c;
				_t6 = E00007FF77FF7A56EA5E0(_t22, 0x7ff7a56eb960, __rdx, _t29, _t30, _t31);
				_t23 = _t21;
				if (_t21 == 0) goto 0xa56ebb4c;
				__imp__FlsSetValue();
				if (_t6 == 0) goto 0xa56ebb4c;
				E00007FF77FF7A56EB804(_t23, _t23, _t21);
				_t8 = GetCurrentThreadId();
				_t23[2] = _t23[2] | 0xffffffff;
				 *_t23 = _t8;
				goto 0xa56ebb53;
				E00007FF77FF7A56EB7DC(_t23, _t23, _t21);
				return 0;
			}

0x7ff7a56ebad8
0x7ff7a56ebad8
0x7ff7a56ebad8
0x7ff7a56ebade
0x7ff7a56ebae3
0x7ff7a56ebaea
0x7ff7a56ebaf3
0x7ff7a56ebaf9
0x7ff7a56ebb02
0x7ff7a56ebb0e
0x7ff7a56ebb13
0x7ff7a56ebb19
0x7ff7a56ebb24
0x7ff7a56ebb2c
0x7ff7a56ebb33
0x7ff7a56ebb38
0x7ff7a56ebb3e
0x7ff7a56ebb43
0x7ff7a56ebb4a
0x7ff7a56ebb4c
0x7ff7a56ebb58

APIs

Part of subcall function 00007FF7A56E5910: _initp_misc_winsig.LIBCMT ref: 00007FF7A56E5949
Part of subcall function 00007FF7A56E5910: EncodePointer.KERNEL32(?,?,00000000,00007FF7A56EBAE3,?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56E5965

FlsAlloc.KERNEL32(?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56EBAF3

Part of subcall function 00007FF7A56EA5E0: Sleep.KERNEL32(?,?,?,00007FF7A56EB8EB,?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871), ref: 00007FF7A56EA625

FlsSetValue.KERNEL32(?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56EBB24

Part of subcall function 00007FF7A56EB804: _lock.LIBCMT ref: 00007FF7A56EB854
Part of subcall function 00007FF7A56EB804: _lock.LIBCMT ref: 00007FF7A56EB874

GetCurrentThreadId.KERNEL32 ref: 00007FF7A56EBB38

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _lock$AllocCurrentEncodePointerSleepThreadValue_initp_misc_winsig
String ID:
API String ID: 54287522-0
Opcode ID: de95eaae2b1d1c57757afb457a2a3e14f08f94a5831e49998ee3f3ac3efbfa47
Instruction ID: 7907f16a4afaac192668f233211cafd670f40db0d3b0410bf56b677a2f3fd49a
Opcode Fuzzy Hash: de95eaae2b1d1c57757afb457a2a3e14f08f94a5831e49998ee3f3ac3efbfa47
Instruction Fuzzy Hash: 9D012C20E0B603C6FA547B719844279E392AF4BF60F86A630D82D952F5FE6DA4418631

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F4664 Relevance: 3.1, APIs: 2, Instructions: 52
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00007FF77FF7A56F4664(void* __eax, long long __rbx, signed long long __rcx, signed long long __rdx, void* __rsi, void* __rbp, intOrPtr* __r8, long long _a8) {
				signed long long _v24;
				void* _t19;
				intOrPtr* _t34;
				intOrPtr* _t36;
				signed long long _t38;
				signed long long _t42;

				_t41 = __rdx;
				_t38 = __rcx;
				_a8 = __rbx;
				_t36 = __r8;
				_t42 = __rdx;
				if (__rcx == 0) goto 0xa56f46ab;
				_t2 = _t41 - 0x20; // -32
				_t34 = _t2;
				if (_t34 - __rdx >= 0) goto 0xa56f46ab;
				E00007FF77FF7A56E78AC(_t34);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t34 = 0xc;
				E00007FF77FF7A56E4430(_t34, __r8, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0xa56f4708;
				_t44 =  ==  ? _t34 : _t42 * _t38;
				if (( ==  ? _t34 : _t42 * _t38) - 0xffffffe0 > 0) goto 0xa56f46db;
				RtlAllocateHeap(??, ??, ??); // executed
				if (_t34 != 0) goto 0xa56f4708;
				if ( *0xa5723b98 == 0) goto 0xa56f46fd;
				_t19 = E00007FF77FF7A56EBC98(_t34,  ==  ? _t34 : _t42 * _t38);
				if (_t19 != 0) goto 0xa56f46bb;
				if (_t36 == 0) goto 0xa56f46a7;
				 *_t36 = 0xc;
				goto 0xa56f46a7;
				if (_t36 == 0) goto 0xa56f4708;
				 *_t36 = 0xc;
				return _t19;
			}

0x7ff7a56f4664
0x7ff7a56f4664
0x7ff7a56f4664
0x7ff7a56f466e
0x7ff7a56f4671
0x7ff7a56f4677
0x7ff7a56f467b
0x7ff7a56f467b
0x7ff7a56f4685
0x7ff7a56f4687
0x7ff7a56f468c
0x7ff7a56f4692
0x7ff7a56f4695
0x7ff7a56f469c
0x7ff7a56f46a2
0x7ff7a56f46a9
0x7ff7a56f46b7
0x7ff7a56f46c1
0x7ff7a56f46d0
0x7ff7a56f46d9
0x7ff7a56f46e2
0x7ff7a56f46e7
0x7ff7a56f46ee
0x7ff7a56f46f3
0x7ff7a56f46f5
0x7ff7a56f46fb
0x7ff7a56f4700
0x7ff7a56f4702
0x7ff7a56f4712

APIs

_errno.LIBCMT ref: 00007FF7A56F4687

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

RtlAllocateHeap.NTDLL(?,?,?,?,00000000,00007FF7A56EA613,?,?,?,00007FF7A56EB8EB,?,?,?,00007FF7A56E78B5), ref: 00007FF7A56F46D0

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: AllocateDecodeHeapPointer_errno
String ID:
API String ID: 15861996-0
Opcode ID: b0e852ac2ae4dd9ee59b8914b12bc75567783781675997a08f6f7f30866a8375
Instruction ID: 237846f370c4390ef727fc1ee0185a9b98c7d7153e8f3bf6a116d32b68860d4e
Opcode Fuzzy Hash: b0e852ac2ae4dd9ee59b8914b12bc75567783781675997a08f6f7f30866a8375
Instruction Fuzzy Hash: AF11C422F1F64281FB556B24D605379E2D39F86F95F86A630CE1D46EE4DF3DA0848620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570B620 Relevance: 3.0, APIs: 2, Instructions: 43
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			E00007FF77FF7A570B620(void* __ebx, long long __rax, void* __rcx, void* __rsi, void* __rbp, void* __r10) {
				long long _v24;
				long long _v32;
				short _v48;
				char _v56;
				void* __rbx;
				long _t12;
				void* _t19;
				void* _t20;
				long long _t26;
				void* _t27;
				void* _t36;
				void* _t37;

				_t26 = __rax;
				if ( *((long long*)(__rcx + 0x18)) - 3 < 0) goto 0xa570b6a6;
				_t33 = __rcx;
				E00007FF77FF7A570B410(__ebx, _t19, _t20,  *((long long*)(__rcx + 0x18)) - 3, _t27,  &_v56, __rcx, __rbp, _t36, __r10);
				if ( *((long long*)(_t26 + 0x20)) - 8 < 0) goto 0xa570b647;
				goto 0xa570b64b;
				_t12 = GetFileAttributesW(??); // executed
				if (_v24 - 8 < 0) goto 0xa570b665;
				E00007FF77FF7A56E44D8(_t26, _t27, _v48, _t33, __rsi, _t36, _t37);
				_v24 = 7;
				_v32 = _t26;
				_v48 = 0;
				if (_t12 != 0xffffffff) goto 0xa570b692;
				if (GetLastError() != 0x20) goto 0xa570b6a6;
				return 1;
			}

0x7ff7a570b620
0x7ff7a570b62b
0x7ff7a570b62d
0x7ff7a570b635
0x7ff7a570b63f
0x7ff7a570b645
0x7ff7a570b64b
0x7ff7a570b659
0x7ff7a570b660
0x7ff7a570b667
0x7ff7a570b670
0x7ff7a570b675
0x7ff7a570b67d
0x7ff7a570b688
0x7ff7a570b691

APIs

GetFileAttributesW.KERNELBASE ref: 00007FF7A570B64B
GetLastError.KERNEL32 ref: 00007FF7A570B67F

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: AttributesErrorFileLast
String ID:
API String ID: 1799206407-0
Opcode ID: 8bc7ac336bc4565f4dd3e229d3f68aa04ac1717867004368b237860524ec1113
Instruction ID: b88141436bdd827ff4d941eb3b16622725d12eb7a2df11cc36d1e78dc765fb8e
Opcode Fuzzy Hash: 8bc7ac336bc4565f4dd3e229d3f68aa04ac1717867004368b237860524ec1113
Instruction Fuzzy Hash: DD01D622D1A54182EF21AB20D84437CA3A1FB9AF54F9A0230D69D662F4DF2CDAD48720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EC6C8 Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 66%

			E00007FF77FF7A56EC6C8(void* __edi, void* __ebp, intOrPtr* __rax, long long __rbx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t15;
				intOrPtr* _t24;
				intOrPtr* _t25;
				long long _t27;
				intOrPtr* _t34;

				_t27 = __rbx;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				GetEnvironmentStringsW();
				_t34 = __rax;
				if (__rax != __rbx) goto 0xa56ec6f0;
				goto 0xa56ec73c;
				if ( *__rax == 0) goto 0xa56ec707;
				_t24 = __rax + 2;
				if ( *_t24 != 0) goto 0xa56ec6f5;
				_t25 = _t24 + 2;
				if ( *_t25 != 0) goto 0xa56ec6f5;
				_t39 = 0 - __edi + 2;
				E00007FF77FF7A56EA574(__ebp, _t25, __rbx, 0 - __edi + 2, __rsi, 0 - __edi + 2); // executed
				if (_t25 == _t27) goto 0xa56ec730;
				E00007FF77FF7A56EAE90(_t15, _t25 - _t27, _t25, _t34, _t39);
				return FreeEnvironmentStringsW(??);
			}

0x7ff7a56ec6c8
0x7ff7a56ec6c8
0x7ff7a56ec6cd
0x7ff7a56ec6d2
0x7ff7a56ec6dc
0x7ff7a56ec6e4
0x7ff7a56ec6ea
0x7ff7a56ec6ee
0x7ff7a56ec6f3
0x7ff7a56ec6f5
0x7ff7a56ec6fc
0x7ff7a56ec6fe
0x7ff7a56ec705
0x7ff7a56ec70c
0x7ff7a56ec712
0x7ff7a56ec71d
0x7ff7a56ec728
0x7ff7a56ec750

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF7A56E4777), ref: 00007FF7A56EC6DC
FreeEnvironmentStringsW.KERNEL32(?,?,00000001,00007FF7A56E4777), ref: 00007FF7A56EC733

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: e9e2d5b3a4917f75dcd00ab3f1514e9b6828666610862c6d897de6f71c12553c
Instruction ID: dce921f1546587f0982317a97d7367eb20fe59833b78f5170f1f973771997ec7
Opcode Fuzzy Hash: e9e2d5b3a4917f75dcd00ab3f1514e9b6828666610862c6d897de6f71c12553c
Instruction Fuzzy Hash: 13018412F0B281C5EE60BF52A54903AE3A2FF4AFC4B8A5431DF4D177A6DE6DE5818310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E5910 Relevance: 3.0, APIs: 2, Instructions: 26
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E00007FF77FF7A56E5910(long long __rax) {
				void* _t2;
				void* _t10;

				E00007FF77FF7A56EB7B0(); // executed
				_t10 = E00007FF77FF7A56F016C(E00007FF77FF7A56FA280(E00007FF77FF7A56F0188(E00007FF77FF7A56F0428(E00007FF77FF7A56EFD2C(E00007FF77FF7A56E4300(E00007FF77FF7A56F0430(E00007FF77FF7A56EBC90(_t2, __rax), __rax), __rax), __rax), __rax), __rax)), __rax);
				0xa56eb7a8();
				 *0xa5720200 = __rax;
				return _t10;
			}

0x7ff7a56e5916
0x7ff7a56e5959
0x7ff7a56e5965
0x7ff7a56e596a
0x7ff7a56e5976

APIs

_initp_misc_winsig.LIBCMT ref: 00007FF7A56E5949

Part of subcall function 00007FF7A56F016C: EncodePointer.KERNEL32(?,?,?,?,00007FF7A56E595E,?,?,00000000,00007FF7A56EBAE3,?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56F0177

EncodePointer.KERNEL32(?,?,00000000,00007FF7A56EBAE3,?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56E5965

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: EncodePointer$_initp_misc_winsig
String ID:
API String ID: 190222155-0
Opcode ID: 74bf83648d0d11f1f7dce34e57aca7fdbc386c1892a025d5a760b0d6547989f4
Instruction ID: bc7fbd29ab038fec442110256c05cf5df3d5f92ec6854c332b1973f2884f4505
Opcode Fuzzy Hash: 74bf83648d0d11f1f7dce34e57aca7fdbc386c1892a025d5a760b0d6547989f4
Instruction Fuzzy Hash: 90F07F01E8B20780E948BB6268620BD83924F97F90FCA3131E80F1A2B3DD2DA84547A0

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56ECABC Relevance: 3.0, APIs: 2, Instructions: 18
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(?,?,?,?,00007FF7A56E46FC), ref: 00007FF7A56ECACE
HeapSetInformation.KERNEL32 ref: 00007FF7A56ECAF8

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Heap$CreateInformation
String ID:
API String ID: 1774340351-0
Opcode ID: a0f4fcd3cb0a49994bd9f38eb5e0d86323c9ca9cc061fcc2852eb2b41b563da2
Instruction ID: 7492a423171df84be669d189e5f81a157e3f47202c55e424f94ff3e0b3f5a7f3
Opcode Fuzzy Hash: a0f4fcd3cb0a49994bd9f38eb5e0d86323c9ca9cc061fcc2852eb2b41b563da2
Instruction Fuzzy Hash: 34E0DF74A27781C3F788AB21A80AB29A290FF8CB40FC05038E94D42BB4EF3CD040CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EC308 Relevance: 2.6, APIs: 2, Instructions: 81
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 63%

			E00007FF77FF7A56EC308(signed int __eax, void* __ecx, long long __rbx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r9, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _v24;
				void* _t22;
				signed int _t35;
				signed long long _t46;
				void* _t49;
				long long _t51;
				signed long long _t64;
				signed long long _t72;
				void* _t77;

				_t67 = __rsi;
				_t63 = __rdi;
				_t61 = __rdx;
				_t46 = _t72;
				 *((long long*)(_t46 + 8)) = __rbx;
				 *((long long*)(_t46 + 0x10)) = __rbp;
				 *((long long*)(_t46 + 0x18)) = __rsi;
				 *((long long*)(_t46 + 0x20)) = __rdi;
				_t49 =  *0xa5723058; // 0x0
				r12d = 0;
				if (_t49 != _t77) goto 0xa56ec350;
				goto 0xa56ec40b;
				if ((__eax | 0xffffffff) == 0x3d) goto 0xa56ec343;
				E00007FF77FF7A56EFD34(__eax | 0xffffffff, _t49);
				if (( *(_t49 + 2 + _t46 * 2) & 0x0000ffff) != r12w) goto 0xa56ec33b;
				_t8 = _t63 + 1; // 0x1
				_t22 = E00007FF77FF7A56EA5E0(_t49 + 2 + _t46 * 2, _t8, __rdx, __rdi, __rsi, __rbp);
				_t64 = _t46;
				 *0xa5723090 = _t46;
				if (_t46 == _t77) goto 0xa56ec333;
				_t51 =  *0xa5723058; // 0x0
				if ( *_t51 == r12w) goto 0xa56ec3ed;
				E00007FF77FF7A56EFD34(_t22, _t51);
				_t9 = _t46 + 1; // 0x1
				_t35 = _t9;
				if ( *_t51 == 0x3d) goto 0xa56ec3d9;
				_t70 = _t35;
				E00007FF77FF7A56EA5E0(_t51, _t35, _t61, _t64, _t67, _t35); // executed
				 *_t64 = _t46;
				if (_t46 == _t77) goto 0xa56ec426;
				if (E00007FF77FF7A56E5EE0(_t46, _t51, _t46, _t70, _t51) == r12d) goto 0xa56ec3d5;
				r9d = 0;
				r8d = 0;
				_v24 = _t77;
				E00007FF77FF7A56E4308();
				if ( *((intOrPtr*)(_t51 + _t35 * 2)) != r12w) goto 0xa56ec385;
				free(_t77);
				 *0xa5723058 = _t77;
				 *(_t64 + 8) = _t77;
				 *0xa5729c04 = 1;
				return 0;
			}

0x7ff7a56ec308
0x7ff7a56ec308
0x7ff7a56ec308
0x7ff7a56ec308
0x7ff7a56ec30b
0x7ff7a56ec30f
0x7ff7a56ec313
0x7ff7a56ec317
0x7ff7a56ec321
0x7ff7a56ec328
0x7ff7a56ec331
0x7ff7a56ec336
0x7ff7a56ec33f
0x7ff7a56ec346
0x7ff7a56ec357
0x7ff7a56ec359
0x7ff7a56ec364
0x7ff7a56ec369
0x7ff7a56ec36c
0x7ff7a56ec376
0x7ff7a56ec378
0x7ff7a56ec383
0x7ff7a56ec388
0x7ff7a56ec391
0x7ff7a56ec391
0x7ff7a56ec394
0x7ff7a56ec396
0x7ff7a56ec3a1
0x7ff7a56ec3a6
0x7ff7a56ec3ac
0x7ff7a56ec3bf
0x7ff7a56ec3c1
0x7ff7a56ec3c4
0x7ff7a56ec3cb
0x7ff7a56ec3d0
0x7ff7a56ec3e4
0x7ff7a56ec3f0
0x7ff7a56ec3f5
0x7ff7a56ec3fc
0x7ff7a56ec3ff
0x7ff7a56ec425

APIs

free.LIBCMT ref: 00007FF7A56EC3F0
free.LIBCMT ref: 00007FF7A56EC42D

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: c1d1efebb4359f288f5ab5fbc08614582816a885133ec421e98c48bdfdb18eab
Instruction ID: 891c6606aad88ce9b79d609b2871d9cdd13f947c165b2f15a2adfe5e8679b881
Opcode Fuzzy Hash: c1d1efebb4359f288f5ab5fbc08614582816a885133ec421e98c48bdfdb18eab
Instruction Fuzzy Hash: 3F316E22A0B642C0FA64AF21E405179B3A6FB46F80FCA5131DE4D437A6DE7EE851C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EA574 Relevance: 2.5, APIs: 2, Instructions: 30
sleepCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.LIBCMT ref: 00007FF7A56EA593

Part of subcall function 00007FF7A56E48B0: _FF_MSGBANNER.LIBCMT ref: 00007FF7A56E48E0
Part of subcall function 00007FF7A56E48B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7A56EA598,?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56E4905
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4929
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4934

Sleep.KERNEL32(?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56EA5AA

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$AllocateHeapSleepmalloc
String ID:
API String ID: 4275769124-0
Opcode ID: bd13dfa245dfbbdecbc5965e138b5fdfee0d4ec3a6d1675b05ac1045423cc446
Instruction ID: 8077d52a5f019db46d2031b2cb03cd05dc027fe722d3291b0da27e5e143fc4d8
Opcode Fuzzy Hash: bd13dfa245dfbbdecbc5965e138b5fdfee0d4ec3a6d1675b05ac1045423cc446
Instruction Fuzzy Hash: D4F0C832A0A785C6EA51AF15F44003EF2A2FB8AF90F860534EE5D077A4CF3DE8528750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F0024 Relevance: 1.5, APIs: 1, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(?,?,00000001,00007FF7A56E56CF,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56F003D

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: bfac969eb8d0f6839c0f34c126e53fdce9e834d7b244de2d6ab758f89b9f9e62
Instruction ID: 5d340e92a0e50040f2bf27200e1496ddfd1b624ef5c63fca5b560b176dcb91ae
Opcode Fuzzy Hash: bfac969eb8d0f6839c0f34c126e53fdce9e834d7b244de2d6ab758f89b9f9e62
Instruction Fuzzy Hash: 2AD02B33F25541C1DB015B20F44016CA3A5EB8AFD4FD98031DA0C03625CD3CC856C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EA5E0 Relevance: 1.3, APIs: 1, Instructions: 36
sleepCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 86%

			E00007FF77FF7A56EA5E0(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* _a8, void* _a16, void* _a24, void* _a32) {
				void* _t10;
				void* _t11;
				void* _t17;
				void* _t20;
				long long _t29;
				void* _t37;
				void* _t40;
				long _t41;

				_t29 = __rdi;
				_t20 = _t37;
				 *((long long*)(_t20 + 8)) = __rbx;
				 *((long long*)(_t20 + 0x10)) = __rbp;
				 *((long long*)(_t20 + 0x18)) = __rsi;
				 *((long long*)(_t20 + 0x20)) = __rdi;
				r12d = r12d | 0xffffffff;
				r8d = 0;
				_t11 = E00007FF77FF7A56F4664(_t10, __rbx, __rcx, __rdx, __rdx, __rcx, _t40); // executed
				if (_t20 != 0) goto 0xa56ea645;
				_t17 =  *0xa57230c0 - _t11; // 0x0
				if (_t17 <= 0) goto 0xa56ea645;
				Sleep(_t41);
				_t5 = _t29 + 0x3e8; // 0x3e8
				r11d = _t5;
				_t15 =  >  ? r12d : r11d;
				_t19 = ( >  ? r12d : r11d) - r12d;
				if (( >  ? r12d : r11d) != r12d) goto 0xa56ea605;
				return _t11;
			}

0x7ff7a56ea5e0
0x7ff7a56ea5e0
0x7ff7a56ea5e3
0x7ff7a56ea5e7
0x7ff7a56ea5eb
0x7ff7a56ea5ef
0x7ff7a56ea601
0x7ff7a56ea605
0x7ff7a56ea60e
0x7ff7a56ea619
0x7ff7a56ea61b
0x7ff7a56ea621
0x7ff7a56ea625
0x7ff7a56ea62b
0x7ff7a56ea62b
0x7ff7a56ea63c
0x7ff7a56ea640
0x7ff7a56ea643
0x7ff7a56ea662

APIs

Part of subcall function 00007FF7A56F4664: _errno.LIBCMT ref: 00007FF7A56F4687

Sleep.KERNEL32(?,?,?,00007FF7A56EB8EB,?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871), ref: 00007FF7A56EA625

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Sleep_errno
String ID:
API String ID: 1068366078-0
Opcode ID: e0c6aa7e01e015a0de39a721ee99d897d7ef22429643003cfd3a104248ad44f7
Instruction ID: 835c6d5d1073405d5be3e7a06f6d1ae54db1b870c305a6e8f99546df787a79a6
Opcode Fuzzy Hash: e0c6aa7e01e015a0de39a721ee99d897d7ef22429643003cfd3a104248ad44f7
Instruction Fuzzy Hash: 2501DB32A26B81C5EA54AF16985402DF762FB8AFD0F4A5131DE5D07B60CF3CE891C700

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF7A56F8D70 Relevance: 40.8, APIs: 27, Instructions: 305
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7A56F8D70(void* __ebx, long long __rbx, long long __rcx, void* __rdx, void* __r8, void* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t122;
				void* _t135;
				intOrPtr _t137;
				char _t156;
				intOrPtr _t158;
				intOrPtr* _t165;
				long long _t174;
				intOrPtr* _t180;
				intOrPtr* _t183;
				intOrPtr _t184;
				intOrPtr* _t185;
				intOrPtr* _t189;
				intOrPtr* _t190;
				intOrPtr _t202;
				long long _t209;
				intOrPtr _t213;
				void* _t214;
				void* _t216;
				intOrPtr* _t217;
				intOrPtr _t219;
				intOrPtr _t222;
				intOrPtr* _t223;
				long long _t224;
				void* _t226;
				intOrPtr* _t229;
				intOrPtr _t230;
				void* _t232;
				intOrPtr* _t236;
				void* _t239;
				void* _t240;
				void* _t255;
				intOrPtr _t256;
				intOrPtr _t258;
				void* _t260;
				void* _t264;
				intOrPtr* _t266;
				intOrPtr* _t268;
				void* _t270;
				intOrPtr _t271;

				_t244 = __r9;
				_t242 = __r8;
				_t214 = __rdx;
				_t122 = __ebx;
				 *((long long*)(_t239 + 8)) = __rcx;
				_t240 = _t239 - 0x90;
				 *((long long*)(_t240 + 0x20)) = 0xfffffffe;
				 *((long long*)(_t240 + 0xe8)) = __rbx;
				 *((long long*)(__rcx)) = 0xa5713d10;
				_t217 =  *((intOrPtr*)(__rcx + 0x80));
				if (_t217 -  *((intOrPtr*)(__rcx + 0x88)) <= 0) goto 0xa56f8dba;
				E00007FF77FF7A56E44B8();
				_t183 =  *((intOrPtr*)(__rcx + 0x68));
				_t256 =  *((intOrPtr*)(__rcx + 0x88));
				if ( *((intOrPtr*)(__rcx + 0x80)) - _t256 <= 0) goto 0xa56f8dd3;
				E00007FF77FF7A56E44B8();
				if (_t183 == 0) goto 0xa56f8de1;
				if (_t183 ==  *((intOrPtr*)(__rcx + 0x68))) goto 0xa56f8de6;
				E00007FF77FF7A56E44B8();
				if (_t217 == _t256) goto 0xa56f8eb1;
				if (_t183 != 0) goto 0xa56f8dfe;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8e01;
				_t135 = _t217 -  *((intOrPtr*)( *_t183 + 0x20));
				if (_t135 < 0) goto 0xa56f8e0c;
				E00007FF77FF7A56E44B8();
				asm("lock xadd [esi], eax");
				asm("bt eax, 0x1e");
				if (_t135 < 0) goto 0xa56f8e66;
				if (0x80000000 - 0x80000000 <= 0) goto 0xa56f8e66;
				asm("lock bts dword [esi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0xa56f8e66;
				_t137 =  *((intOrPtr*)( *((intOrPtr*)(_t217 + 8)) + 8));
				if (_t137 != 0) goto 0xa56f8e5d;
				E00007FF77FF7A56D3F90(0, 0, 0xa5713d10,  *((intOrPtr*)(_t217 + 8)), __r9);
				asm("lock dec esp");
				if (_t137 == 0) goto 0xa56f8e5a;
				CloseHandle(_t270);
				goto 0xa56f8e5d;
				SetEvent(_t264);
				if (_t183 != 0) goto 0xa56f8e75;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8e78;
				if (_t217 -  *((intOrPtr*)( *_t183 + 0x20)) < 0) goto 0xa56f8e83;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A56F8BD0(_t122, 0, 0xa5713d10, _t183,  *_t217, _t214,  *((intOrPtr*)(_t217 + 8)), 0xa5713d10, __r8, __r9, _t260, _t255);
				if (_t183 != 0) goto 0xa56f8e9a;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8e9d;
				if (_t217 -  *((intOrPtr*)( *_t183 + 0x20)) < 0) goto 0xa56f8ea8;
				E00007FF77FF7A56E44B8();
				goto 0xa56f8dd7;
				_t266 =  *((intOrPtr*)(_t240 + 0xd0)) + 0x98;
				 *((long long*)(_t240 + 0xe0)) = _t266;
				_t236 =  *((intOrPtr*)(_t266 + 0x18));
				if (_t236 -  *((intOrPtr*)(_t266 + 0x20)) <= 0) goto 0xa56f8ed7;
				E00007FF77FF7A56E44B8();
				_t229 =  *_t266;
				_t271 =  *((intOrPtr*)(_t266 + 0x20));
				if ( *((intOrPtr*)(_t266 + 0x18)) - _t271 <= 0) goto 0xa56f8ee9;
				E00007FF77FF7A56E44B8();
				if (_t229 == 0) goto 0xa56f8efa;
				if (_t229 ==  *_t266) goto 0xa56f8eff;
				E00007FF77FF7A56E44B8();
				if (_t236 == _t271) goto 0xa56f907f;
				if (_t229 != 0) goto 0xa56f8f17;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8f1a;
				if (_t236 -  *((intOrPtr*)( *_t229 + 0x20)) < 0) goto 0xa56f8f25;
				E00007FF77FF7A56E44B8();
				_t184 =  *_t236;
				 *((long long*)(_t240 + 0x28)) = _t184 + 0x30;
				 *((char*)(_t240 + 0x30)) = 0;
				E00007FF77FF7A56F89A0(0, 0, _t184 + 0x30, _t240 + 0x28, _t217 + 0x10, _t229, _t236, __r8, __r9);
				 *((char*)(_t184 + 0x28)) = 1;
				E00007FF77FF7A56F8BD0(_t122, 0, _t184 + 0x30, _t184, _t184 + 0x40, _t214, _t229, _t236, __r8, __r9, _t216, _t226);
				 *((long long*)(_t240 + 0x48)) =  *((intOrPtr*)( *((intOrPtr*)(_t184 + 0xb8))));
				_t174 =  *((intOrPtr*)(_t184 + 0x90));
				 *((long long*)(_t240 + 0x40)) = _t174;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x50], xmm0");
				_t185 =  *((intOrPtr*)(_t240 + 0x50));
				_t219 =  *((intOrPtr*)(_t240 + 0x58));
				if (_t185 == 0) goto 0xa56f8f9a;
				if (_t185 == _t174) goto 0xa56f8f9f;
				E00007FF77FF7A56E44B8();
				if (_t219 ==  *((intOrPtr*)(_t184 + 0xb8))) goto 0xa56f8fec;
				if (_t185 != 0) goto 0xa56f8fb3;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8fb6;
				if (_t219 !=  *((intOrPtr*)( *_t185 + 0x28))) goto 0xa56f8fc1;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A56F8BD0(_t122, 0, _t174, _t185,  *((intOrPtr*)(_t219 + 0x10)), _t214, _t229, _t236, __r8, __r9);
				if (_t185 != 0) goto 0xa56f8fd9;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8fdc;
				if (_t219 !=  *((intOrPtr*)( *_t185 + 0x28))) goto 0xa56f8fe7;
				E00007FF77FF7A56E44B8();
				goto 0xa56f8f90;
				_t156 =  *((char*)(_t240 + 0x30));
				if (_t156 == 0) goto 0xa56f9059;
				asm("lock xadd [eax], ecx");
				asm("bt ecx, 0x1e");
				if (_t156 < 0) goto 0xa56f9059;
				if (0x80000000 - 0x80000000 <= 0) goto 0xa56f9059;
				asm("lock bts dword [eax], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0xa56f9059;
				_t158 =  *((intOrPtr*)( *((intOrPtr*)(_t240 + 0x28)) + 8));
				if (_t158 != 0) goto 0xa56f9050;
				E00007FF77FF7A56D3F90(0, 0,  *((intOrPtr*)(_t240 + 0x28)), _t229, __r9);
				asm("lock dec esp");
				if (_t158 == 0) goto 0xa56f904d;
				CloseHandle(_t232);
				goto 0xa56f9050;
				SetEvent(??);
				if (_t229 != 0) goto 0xa56f9068;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f906b;
				if (_t236 -  *((intOrPtr*)( *_t229 + 0x20)) < 0) goto 0xa56f9076;
				E00007FF77FF7A56E44B8();
				goto 0xa56f8ef0;
				_t258 =  *((intOrPtr*)(_t240 + 0xd0));
				_t202 =  *((intOrPtr*)(_t258 + 0xc8));
				_t268 =  *((intOrPtr*)(_t240 + 0xe0));
				if (_t202 == 0) goto 0xa56f90a9;
				if (_t202 == 0xffffffff) goto 0xa56f90a9;
				CloseHandle(??);
				 *((long long*)(_t240 + 0xd8)) = _t268;
				_t222 =  *((intOrPtr*)(_t268 + 0x18));
				if (_t222 == 0) goto 0xa56f9105;
				_t230 =  *((intOrPtr*)(_t268 + 0x20));
				if (_t222 == _t230) goto 0xa56f90fc;
				_t223 = _t222 + 8;
				_t189 =  *_t223;
				_t165 = _t189;
				if (_t165 == 0) goto 0xa56f90ef;
				asm("lock add dword [ebx+0x8], 0xffffffff");
				if (_t165 != 0) goto 0xa56f90ef;
				 *((intOrPtr*)( *_t189 + 8))();
				asm("lock add dword [ebx+0xc], 0xffffffff");
				if (_t165 != 0) goto 0xa56f90ef;
				 *((intOrPtr*)( *_t189 + 0x10))();
				_t224 = _t223 + 0x10;
				if (_t224 - 8 != _t230) goto 0xa56f90c7;
				E00007FF77FF7A56E44D8(_t224 - 8, _t189,  *((intOrPtr*)(_t268 + 0x18)), _t214, _t230, __r8, __r9);
				 *((long long*)(_t268 + 0x18)) = _t224;
				 *((long long*)(_t268 + 0x20)) = _t224;
				 *((long long*)(_t268 + 0x28)) = _t224;
				E00007FF77FF7A56E44D8(_t224 - 8, _t189,  *_t268, _t214, _t230, _t242, _t244);
				if ( *((intOrPtr*)(_t258 + 0x80)) == 0) goto 0xa56f912e;
				E00007FF77FF7A56E44D8(_t224 - 8, _t189,  *((intOrPtr*)(_t258 + 0x80)), _t214, _t230, _t242, _t244);
				 *((long long*)(_t258 + 0x80)) = _t224;
				 *((long long*)(_t258 + 0x88)) = _t224;
				 *((long long*)(_t258 + 0x90)) = _t224;
				E00007FF77FF7A56E44D8(_t224 - 8, _t189,  *((intOrPtr*)(_t258 + 0x68)), _t214, _t230, _t242, _t244);
				_t190 = _t258 + 0x28;
				 *((long long*)(_t240 + 0xd8)) = _t190;
				_t64 = _t190 + 0x30; // 0x44c748000000e0ec
				_t180 =  *_t64;
				 *((long long*)(_t240 + 0x58)) = _t180;
				_t209 =  *_t190;
				 *((long long*)(_t240 + 0x50)) = _t209;
				 *((long long*)(_t240 + 0x48)) =  *_t180;
				 *((long long*)(_t240 + 0x40)) = _t209;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x70], xmm1");
				E00007FF77FF7A56D55C0(_t190, _t190, _t240 + 0x80, _t224, _t230, _t240 + 0x70, _t240 + 0x60);
				_t72 = _t190 + 0x30; // 0x44c748000000e0ec
				E00007FF77FF7A56E44D8( *_t180, _t190,  *_t72, _t240 + 0x80, _t230, _t240 + 0x70, _t240 + 0x60);
				 *((long long*)(_t190 + 0x30)) = _t224;
				 *((long long*)(_t190 + 0x38)) = _t224;
				E00007FF77FF7A56E44D8( *_t180, _t190,  *_t190, _t240 + 0x80, _t230, _t240 + 0x70, _t240 + 0x60);
				_t213 =  *((intOrPtr*)(_t258 + 0x10));
				if (_t213 == 0) goto 0xa56f91dc;
				if (_t213 == 0xffffffff) goto 0xa56f91dc;
				return CloseHandle(??);
			}

0x7ff7a56f8d70
0x7ff7a56f8d70
0x7ff7a56f8d70
0x7ff7a56f8d70
0x7ff7a56f8d70
0x7ff7a56f8d80
0x7ff7a56f8d87
0x7ff7a56f8d90
0x7ff7a56f8da2
0x7ff7a56f8da5
0x7ff7a56f8db3
0x7ff7a56f8db5
0x7ff7a56f8dba
0x7ff7a56f8dbe
0x7ff7a56f8dcc
0x7ff7a56f8dce
0x7ff7a56f8dda
0x7ff7a56f8ddf
0x7ff7a56f8de1
0x7ff7a56f8de9
0x7ff7a56f8df2
0x7ff7a56f8df4
0x7ff7a56f8df9
0x7ff7a56f8dfc
0x7ff7a56f8e01
0x7ff7a56f8e05
0x7ff7a56f8e07
0x7ff7a56f8e15
0x7ff7a56f8e19
0x7ff7a56f8e1d
0x7ff7a56f8e24
0x7ff7a56f8e26
0x7ff7a56f8e2b
0x7ff7a56f8e31
0x7ff7a56f8e34
0x7ff7a56f8e3a
0x7ff7a56f8e44
0x7ff7a56f8e4d
0x7ff7a56f8e52
0x7ff7a56f8e58
0x7ff7a56f8e60
0x7ff7a56f8e69
0x7ff7a56f8e6b
0x7ff7a56f8e70
0x7ff7a56f8e73
0x7ff7a56f8e7c
0x7ff7a56f8e7e
0x7ff7a56f8e86
0x7ff7a56f8e8e
0x7ff7a56f8e90
0x7ff7a56f8e95
0x7ff7a56f8e98
0x7ff7a56f8ea1
0x7ff7a56f8ea3
0x7ff7a56f8eac
0x7ff7a56f8eb9
0x7ff7a56f8ec0
0x7ff7a56f8ec8
0x7ff7a56f8ed0
0x7ff7a56f8ed2
0x7ff7a56f8ed7
0x7ff7a56f8eda
0x7ff7a56f8ee2
0x7ff7a56f8ee4
0x7ff7a56f8ef3
0x7ff7a56f8ef8
0x7ff7a56f8efa
0x7ff7a56f8f02
0x7ff7a56f8f0b
0x7ff7a56f8f0d
0x7ff7a56f8f12
0x7ff7a56f8f15
0x7ff7a56f8f1e
0x7ff7a56f8f20
0x7ff7a56f8f25
0x7ff7a56f8f2d
0x7ff7a56f8f32
0x7ff7a56f8f3c
0x7ff7a56f8f42
0x7ff7a56f8f4a
0x7ff7a56f8f59
0x7ff7a56f8f5e
0x7ff7a56f8f65
0x7ff7a56f8f6a
0x7ff7a56f8f6f
0x7ff7a56f8f7f
0x7ff7a56f8f84
0x7ff7a56f8f93
0x7ff7a56f8f98
0x7ff7a56f8f9a
0x7ff7a56f8fa2
0x7ff7a56f8fa7
0x7ff7a56f8fa9
0x7ff7a56f8fae
0x7ff7a56f8fb1
0x7ff7a56f8fba
0x7ff7a56f8fbc
0x7ff7a56f8fc5
0x7ff7a56f8fcd
0x7ff7a56f8fcf
0x7ff7a56f8fd4
0x7ff7a56f8fd7
0x7ff7a56f8fe0
0x7ff7a56f8fe2
0x7ff7a56f8fea
0x7ff7a56f8fec
0x7ff7a56f8ff1
0x7ff7a56f8ffd
0x7ff7a56f9001
0x7ff7a56f9005
0x7ff7a56f900d
0x7ff7a56f9014
0x7ff7a56f9019
0x7ff7a56f9024
0x7ff7a56f9027
0x7ff7a56f902d
0x7ff7a56f9037
0x7ff7a56f9040
0x7ff7a56f9045
0x7ff7a56f904b
0x7ff7a56f9053
0x7ff7a56f905c
0x7ff7a56f905e
0x7ff7a56f9063
0x7ff7a56f9066
0x7ff7a56f906f
0x7ff7a56f9071
0x7ff7a56f907a
0x7ff7a56f907f
0x7ff7a56f9087
0x7ff7a56f9092
0x7ff7a56f909a
0x7ff7a56f90a0
0x7ff7a56f90a2
0x7ff7a56f90a9
0x7ff7a56f90b1
0x7ff7a56f90b8
0x7ff7a56f90ba
0x7ff7a56f90c1
0x7ff7a56f90c3
0x7ff7a56f90c7
0x7ff7a56f90ca
0x7ff7a56f90cd
0x7ff7a56f90cf
0x7ff7a56f90d4
0x7ff7a56f90dc
0x7ff7a56f90df
0x7ff7a56f90e4
0x7ff7a56f90ec
0x7ff7a56f90ef
0x7ff7a56f90fa
0x7ff7a56f9100
0x7ff7a56f9107
0x7ff7a56f910b
0x7ff7a56f910f
0x7ff7a56f9116
0x7ff7a56f9127
0x7ff7a56f9129
0x7ff7a56f912e
0x7ff7a56f9136
0x7ff7a56f913e
0x7ff7a56f914b
0x7ff7a56f9151
0x7ff7a56f9156
0x7ff7a56f915e
0x7ff7a56f915e
0x7ff7a56f9162
0x7ff7a56f9167
0x7ff7a56f916a
0x7ff7a56f9172
0x7ff7a56f9177
0x7ff7a56f917c
0x7ff7a56f9181
0x7ff7a56f9187
0x7ff7a56f918c
0x7ff7a56f91a7
0x7ff7a56f91ac
0x7ff7a56f91b0
0x7ff7a56f91b5
0x7ff7a56f91b9
0x7ff7a56f91c0
0x7ff7a56f91c6
0x7ff7a56f91ce
0x7ff7a56f91d4
0x7ff7a56f91f6

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8DB5

Part of subcall function 00007FF7A56F8BD0: SetEvent.KERNEL32 ref: 00007FF7A56F8C45

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8DCE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8DE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8DF4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8E07
CloseHandle.KERNEL32 ref: 00007FF7A56F8E52
SetEvent.KERNEL32 ref: 00007FF7A56F8E60
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8E6B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8E7E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8E90
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8EA3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8ED2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8EE4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8EFA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8F0D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8F20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8F9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8FA9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8FBC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8FCF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8FE2
CloseHandle.KERNEL32 ref: 00007FF7A56F9045
SetEvent.KERNEL32 ref: 00007FF7A56F9053
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F905E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F9071
CloseHandle.KERNEL32 ref: 00007FF7A56F90A2
CloseHandle.KERNEL32 ref: 00007FF7A56F91D6

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseHandle$Event
String ID:
API String ID: 2169016680-0
Opcode ID: ccb0c04af5b048eba43420b57f02c5b60818a04f1f3508e1cd6e1abe130cdd7e
Instruction ID: 2cb6476cc2834645339f7e54a51f060ca3ce98def935d9c676c6b892d96e7a7d
Opcode Fuzzy Hash: ccb0c04af5b048eba43420b57f02c5b60818a04f1f3508e1cd6e1abe130cdd7e
Instruction Fuzzy Hash: A6D18223E0BA42D5EB60BB21D40427DA3A6FF46F90F9A6235EE5D136A5DF3CD4458320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F0EF0 Relevance: 39.0, APIs: 21, Strings: 1, Instructions: 468
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 42%

			E00007FF77FF7A56F0EF0(void* __ebx, signed long long __ecx, signed int __esi, void* __rax, long long __rbx, void* __rcx, char* __rdx, void* __r8, void* __r11) {
				void* __rsi;
				void* __rbp;
				int _t188;
				int _t193;
				signed int _t196;
				char _t207;
				signed int _t214;
				signed int _t220;
				int _t224;
				long _t228;
				void* _t234;
				signed int _t236;
				signed int _t237;
				char _t250;
				signed int _t283;
				void* _t285;
				signed int _t288;
				signed int _t290;
				signed long long _t360;
				signed long long _t361;
				intOrPtr _t364;
				signed int* _t371;
				signed int* _t386;
				signed long long _t388;
				intOrPtr* _t389;
				void* _t390;
				signed short* _t391;
				signed long long _t392;
				intOrPtr _t395;
				intOrPtr _t408;
				intOrPtr* _t417;
				char* _t427;
				intOrPtr _t430;
				int _t442;
				short* _t444;
				char* _t445;
				char* _t446;
				short* _t449;
				signed int* _t450;
				int _t454;
				intOrPtr* _t456;
				signed short* _t457;
				void* _t461;
				signed long long _t462;
				void* _t467;
				void* _t474;
				int _t476;
				char* _t477;
				void* _t479;
				void* _t481;
				signed long long _t483;
				signed long long _t485;
				void* _t489;
				signed long long _t491;

				_t475 = __r11;
				_t464 = __r8;
				_t427 = __rdx;
				_t283 = __esi;
				_t234 = __ebx;
				 *((long long*)(_t461 + 0x20)) = __rbx;
				E00007FF77FF7A570C0A0(0x1b30, __rax, _t474, __r11);
				_t462 = _t461 - __rax;
				_t360 =  *0xa5720430; // 0x4918c7c3922
				_t361 = _t360 ^ _t462;
				 *(_t462 + 0x1b20) = _t361;
				r13d = r8d;
				_t477 = __rdx;
				_t388 = __ecx;
				 *(_t462 + 0x40) = 0;
				if (r8d != 0) goto 0xa56f0f3c;
				goto 0xa56f1623;
				if (__rdx != 0) goto 0xa56f0f6f;
				E00007FF77FF7A56E78CC(_t361);
				 *_t361 =  *_t361 & 0;
				E00007FF77FF7A56E78AC(_t361);
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t442;
				r9d = 0;
				r8d = 0;
				 *_t361 = 0x16;
				E00007FF77FF7A56E4430(_t361, __ecx, __rcx, __rdx, _t444, _t454, __r8, _t489, _t481);
				goto 0xa56f1623;
				_t483 = _t388 >> 5;
				r15d = r15d & 0x0000001f;
				_t395 =  *((intOrPtr*)(0xa57289e0 + _t483 * 8));
				 *(_t462 + 0x50) = _t483;
				_t491 = _t388 * 0x58;
				sil =  *(_t491 + _t395 + 0x38);
				sil = sil + sil;
				sil = sil >> 1;
				if (sil == 2) goto 0xa56f0fa8;
				if (sil != 1) goto 0xa56f0fb1;
				if (( !r13d & 0x00000001) == 0) goto 0xa56f0f41;
				if (( *(_t491 + _t395 + 8) & 0x00000020) == 0) goto 0xa56f0fc6;
				_t17 = _t427 + 2; // 0x2
				r8d = _t17;
				E00007FF77FF7A56F4D74(_t234, _t234, 0xa57289e0, _t388, _t427);
				if (E00007FF77FF7A56F4F44(_t234, 0xa57289e0, _t388, _t444, _t454, _t464) == 0) goto 0xa56f12c6;
				_t364 =  *((intOrPtr*)(0xa57289e0 + _t483 * 8));
				if (( *(_t491 + 0x7ff7a57289e8) & 0x00000080) == 0) goto 0xa56f12c6;
				E00007FF77FF7A56EB93C(_t234,  *(_t491 + 0x7ff7a57289e8) & 0x00000080, _t364);
				_t236 = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t364 + 0xc0)) + 0x14)) == 0x00000000;
				if (GetConsoleMode(_t479) == 0) goto 0xa56f12c6;
				if (_t236 == 0) goto 0xa56f102f;
				if (sil == 0) goto 0xa56f12c6;
				_t188 = GetConsoleCP();
				 *(_t462 + 0x4c) =  *(_t462 + 0x4c) & 0;
				_t389 = _t477;
				 *(_t462 + 0x58) = _t188;
				if (r13d == 0) goto 0xa56f12c0;
				r14d =  *(_t462 + 0x58);
				if (sil != 0) goto 0xa56f11df;
				_t250 =  *_t389;
				r14d = 0;
				_t430 =  *((intOrPtr*)(0xa57289e0 +  *(_t462 + 0x50) * 8));
				r14b = _t250 == 0xa;
				if ( *(_t491 + _t430 + 0x50) == 0) goto 0xa56f10a1;
				 *((char*)(_t462 + 0x5d)) = _t250;
				r8d = 2;
				 *((char*)(_t462 + 0x5c)) =  *((intOrPtr*)(_t491 + _t430 + 0x4c));
				 *(_t491 + _t430 + 0x50) =  *(_t491 + _t430 + 0x50) & 0x00000000;
				goto 0xa56f10ea;
				if (E00007FF77FF7A56EFA14(_t250,  *(_t491 + _t430 + 0x50), 0xa57289e0, _t475) == 0) goto 0xa56f10e1;
				if (_t479 - _t389 + _t477 - 1 <= 0) goto 0xa56f128f;
				r8d = 2;
				if (E00007FF77FF7A56F554C(0, _t479 - _t389 + _t477 - 1, _t389, _t462 + 0x44, _t444, _t467) == 0xffffffff) goto 0xa56f1252;
				_t390 = _t389 + 1;
				goto 0xa56f10fd;
				r8d = 1;
				if (E00007FF77FF7A56F554C(0, E00007FF77FF7A56F554C(0, _t479 - _t389 + _t477 - 1, _t389, _t462 + 0x44, _t444, _t467) - 0xffffffff, _t390, _t462 + 0x44, _t444, _t467) == 0xffffffff) goto 0xa56f1252;
				 *(_t462 + 0x38) =  *(_t462 + 0x38) & 0x00000000;
				 *(_t462 + 0x30) =  *(_t462 + 0x30) & 0x00000000;
				r9d = 1;
				 *((intOrPtr*)(_t462 + 0x28)) = 5;
				_t391 = _t390 + 1;
				 *(_t462 + 0x20) = _t462 + 0x5c;
				_t193 = WideCharToMultiByte(_t476, _t442, _t444, _t454);
				_t288 = _t193;
				if (_t193 == 0) goto 0xa56f1252;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				r8d = _t288;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f12b6;
				if ( *(_t462 + 0x4c) - _t288 < 0) goto 0xa56f1252;
				if (r14d == 0) goto 0xa56f1244;
				_t371 =  *(_t462 + 0x50);
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				 *((intOrPtr*)(_t462 + 0x5c)) = bpl;
				r8d = 0x7ff7a57289d4;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f12b6;
				if ( *(_t462 + 0x4c) - 1 < 0) goto 0xa56f1252;
				 *(_t462 + 0x40) =  *(_t462 + 0x40) + 1;
				goto 0xa56f1244;
				if (sil == 1) goto 0xa56f11eb;
				if (sil != 2) goto 0xa56f1202;
				_t196 =  *_t391 & 0x0000ffff;
				r14d = 0;
				 *(_t462 + 0x44) = _t196;
				r14b = _t196 == 0xa;
				_t392 =  &(_t391[1]);
				if (sil == 1) goto 0xa56f120e;
				if (sil != 2) goto 0xa56f1244;
				if (E00007FF77FF7A56F5A0C( *(_t462 + 0x44) & 0x0000ffff) !=  *(_t462 + 0x44)) goto 0xa56f12b6;
				if (r14d == 0) goto 0xa56f1244;
				 *(_t462 + 0x44) = 0xd;
				if (E00007FF77FF7A56F5A0C(0xd) !=  *(_t462 + 0x44)) goto 0xa56f12b6;
				 *(_t462 + 0x40) =  *(_t462 + 0x40) + 1;
				if (_t236 - r12d - r13d < 0) goto 0xa56f1053;
				_t237 =  *(_t462 + 0x4c);
				_t290 =  *(_t462 + 0x40);
				if (_t236 - r12d +  *(_t462 + 0x40) + 4 != 0) goto 0xa56f161f;
				if (_t237 == 0) goto 0xa56f15e9;
				if (_t237 != 5) goto 0xa56f15dd;
				E00007FF77FF7A56E78AC(_t371);
				 *_t371 = 9;
				E00007FF77FF7A56E78CC(_t371);
				 *_t371 = _t237;
				goto 0xa56f0f67;
				_t485 =  *(_t462 + 0x50);
				 *((char*)(_t491 +  *((intOrPtr*)(0xa57289e0 + _t485 * 8)) + 0x4c)) =  *_t392;
				 *(_t491 +  *((intOrPtr*)(0xa57289e0 + _t485 * 8)) + 0x50) = 1;
				goto 0xa56f125b;
				GetLastError();
				goto 0xa56f1256;
				goto 0xa56f1267;
				_t408 =  *((intOrPtr*)(0xa57289e0 + _t485 * 8));
				if (( *(_t491 + _t408 + 8) & 0x00000080) == 0) goto 0xa56f15a7;
				_t456 = _t477;
				if (sil != 0) goto 0xa56f13bb;
				if (r13d == 0) goto 0xa56f15f0;
				_t111 = _t392 + 0xd; // 0xd
				r14d =  *(_t462 + 0x40);
				_t445 = _t462 + 0x720;
				if (_t290 - r12d - r13d >= 0) goto 0xa56f1336;
				_t207 =  *_t456;
				_t457 = _t456 + 1;
				if (_t207 != 0xa) goto 0xa56f1325;
				 *_t445 = _t111;
				r14d = r14d + 1;
				_t446 = _t445 + 1;
				 *_t446 = _t207;
				if (_t408 + 2 - 0x13ff < 0) goto 0xa56f1306;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t392;
				r8d = _t283;
				r8d = r8d - _t207;
				 *(_t462 + 0x40) = r14d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f13ae;
				if ( *((intOrPtr*)(_t462 + 0x48)) - _t446 + 1 - _t462 + 0x720 < 0) goto 0xa56f125b;
				if (_t290 - r12d - r13d < 0) goto 0xa56f12f7;
				goto 0xa56f125b;
				GetLastError();
				goto 0xa56f125b;
				if (sil != 2) goto 0xa56f1499;
				if (r13d == 0) goto 0xa56f15f0;
				r14d =  *(_t462 + 0x40);
				_t449 = _t462 + 0x720;
				if (_t290 - r12d - r13d >= 0) goto 0xa56f141d;
				_t214 =  *_t457 & 0x0000ffff;
				if (_t214 != 0xa) goto 0xa56f1409;
				 *_t449 = 0xd;
				r14d = r14d + 2;
				_t450 = _t449 + 2;
				 *_t450 = _t214;
				if ( *((intOrPtr*)(_t491 +  *((intOrPtr*)(0xa57289e0 +  *(_t462 + 0x50) * 8)))) + 4 - 0x13fe < 0) goto 0xa56f13e2;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t392;
				r8d = _t283;
				r8d = r8d - _t214;
				 *(_t462 + 0x40) = r14d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f13ae;
				if ( *((intOrPtr*)(_t462 + 0x48)) -  &(_t450[0]) - _t462 + 0x720 < 0) goto 0xa56f125b;
				if (_t290 - r12d - r13d < 0) goto 0xa56f13d3;
				goto 0xa56f125b;
				if (r13d == 0) goto 0xa56f15f0;
				r8d = 0xd;
				_t417 = _t462 + 0x70;
				if (_t290 - r12d - r13d >= 0) goto 0xa56f14e7;
				_t220 = _t457[1] & 0x0000ffff;
				if (_t220 != 0xa) goto 0xa56f14d3;
				 *_t417 = r8w;
				 *(_t417 + 2) = _t220;
				if (_t462 + 0x724 - 0x6a8 < 0) goto 0xa56f14af;
				 *(_t462 + 0x38) =  *(_t462 + 0x38) & 0x00000000;
				 *(_t462 + 0x30) =  *(_t462 + 0x30) & 0x00000000;
				 *((intOrPtr*)(_t462 + 0x28)) = 0xd55;
				asm("cdq");
				r9d = 0 - _t220 >> 1;
				 *(_t462 + 0x20) = _t462 + 0x720;
				_t224 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				r14d = _t224;
				if (_t224 == 0) goto 0xa56f12b6;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & 0x00000000;
				r8d = r14d;
				r8d = r8d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f157d;
				_t285 = 0 +  *((intOrPtr*)(_t462 + 0x48));
				if (r14d - _t285 > 0) goto 0xa56f1538;
				goto 0xa56f1585;
				GetLastError();
				if (r14d - _t285 > 0) goto 0xa56f1256;
				r8d = 0xd;
				if (_t290 - r12d - r13d < 0) goto 0xa56f14a8;
				goto 0xa56f1256;
				 *(_t462 + 0x20) =  *(_t462 + 0x20) & _t442;
				r8d = r13d;
				if (WriteFile(??, ??, ??, ??, ??) == 0) goto 0xa56f15d0;
				goto 0xa56f125f;
				_t228 = GetLastError();
				goto 0xa56f125f;
				E00007FF77FF7A56E78EC(_t228,  *(_t462 + 0x50));
				goto 0xa56f0f67;
				_t386 =  *((intOrPtr*)(0xa57289e0 +  *(_t462 + 0x50) * 8));
				if (( *(_t491 + 0x7ff7a57289e8) & 0x00000040) == 0) goto 0xa56f1607;
				if ( *_t477 == 0x1a) goto 0xa56f0f35;
				E00007FF77FF7A56E78AC(_t386);
				 *0xa57289e0 = 0x1c;
				E00007FF77FF7A56E78CC(_t386);
				 *_t386 =  *_t386 & 0x00000000;
				goto 0xa56f0f67;
				return E00007FF77FF7A56E4050(_t228,  *(_t462 + 0x1b20) ^ _t462, _t477, _t462 + 0x70, _t462 + 0x48);
			}

0x7ff7a56f0ef0
0x7ff7a56f0ef0
0x7ff7a56f0ef0
0x7ff7a56f0ef0
0x7ff7a56f0ef0
0x7ff7a56f0ef0
0x7ff7a56f0f05
0x7ff7a56f0f0a
0x7ff7a56f0f0d
0x7ff7a56f0f14
0x7ff7a56f0f17
0x7ff7a56f0f23
0x7ff7a56f0f26
0x7ff7a56f0f29
0x7ff7a56f0f2c
0x7ff7a56f0f33
0x7ff7a56f0f37
0x7ff7a56f0f3f
0x7ff7a56f0f41
0x7ff7a56f0f46
0x7ff7a56f0f48
0x7ff7a56f0f4d
0x7ff7a56f0f52
0x7ff7a56f0f55
0x7ff7a56f0f5c
0x7ff7a56f0f62
0x7ff7a56f0f6a
0x7ff7a56f0f7c
0x7ff7a56f0f80
0x7ff7a56f0f84
0x7ff7a56f0f88
0x7ff7a56f0f8d
0x7ff7a56f0f91
0x7ff7a56f0f96
0x7ff7a56f0f99
0x7ff7a56f0fa0
0x7ff7a56f0fa6
0x7ff7a56f0faf
0x7ff7a56f0fb7
0x7ff7a56f0fbd
0x7ff7a56f0fbd
0x7ff7a56f0fc1
0x7ff7a56f0fcf
0x7ff7a56f0fdc
0x7ff7a56f0fe6
0x7ff7a56f0fec
0x7ff7a56f1011
0x7ff7a56f101c
0x7ff7a56f1024
0x7ff7a56f1029
0x7ff7a56f102f
0x7ff7a56f1035
0x7ff7a56f1039
0x7ff7a56f103c
0x7ff7a56f1043
0x7ff7a56f1049
0x7ff7a56f1056
0x7ff7a56f1061
0x7ff7a56f1063
0x7ff7a56f1070
0x7ff7a56f1075
0x7ff7a56f107f
0x7ff7a56f1086
0x7ff7a56f108a
0x7ff7a56f1090
0x7ff7a56f1094
0x7ff7a56f109f
0x7ff7a56f10ab
0x7ff7a56f10ba
0x7ff7a56f10c5
0x7ff7a56f10d6
0x7ff7a56f10dc
0x7ff7a56f10df
0x7ff7a56f10e1
0x7ff7a56f10f7
0x7ff7a56f10fd
0x7ff7a56f1103
0x7ff7a56f1117
0x7ff7a56f111f
0x7ff7a56f1127
0x7ff7a56f112a
0x7ff7a56f112f
0x7ff7a56f1135
0x7ff7a56f1139
0x7ff7a56f1144
0x7ff7a56f1163
0x7ff7a56f116e
0x7ff7a56f1181
0x7ff7a56f118f
0x7ff7a56f1195
0x7ff7a56f119a
0x7ff7a56f11a0
0x7ff7a56f11b1
0x7ff7a56f11ca
0x7ff7a56f11d5
0x7ff7a56f11d7
0x7ff7a56f11dd
0x7ff7a56f11e3
0x7ff7a56f11e9
0x7ff7a56f11eb
0x7ff7a56f11ee
0x7ff7a56f11f5
0x7ff7a56f11fa
0x7ff7a56f11fe
0x7ff7a56f1206
0x7ff7a56f120c
0x7ff7a56f121d
0x7ff7a56f1229
0x7ff7a56f122d
0x7ff7a56f123c
0x7ff7a56f1240
0x7ff7a56f124c
0x7ff7a56f1252
0x7ff7a56f125b
0x7ff7a56f1261
0x7ff7a56f1269
0x7ff7a56f1272
0x7ff7a56f1278
0x7ff7a56f127d
0x7ff7a56f1283
0x7ff7a56f1288
0x7ff7a56f128a
0x7ff7a56f1291
0x7ff7a56f129d
0x7ff7a56f12a7
0x7ff7a56f12b4
0x7ff7a56f12b6
0x7ff7a56f12be
0x7ff7a56f12c4
0x7ff7a56f12cd
0x7ff7a56f12d7
0x7ff7a56f12df
0x7ff7a56f12e5
0x7ff7a56f12ee
0x7ff7a56f12f4
0x7ff7a56f12f7
0x7ff7a56f12fc
0x7ff7a56f130e
0x7ff7a56f1310
0x7ff7a56f1313
0x7ff7a56f1318
0x7ff7a56f131a
0x7ff7a56f131c
0x7ff7a56f131f
0x7ff7a56f1328
0x7ff7a56f1334
0x7ff7a56f1336
0x7ff7a56f1343
0x7ff7a56f1346
0x7ff7a56f1350
0x7ff7a56f1377
0x7ff7a56f1390
0x7ff7a56f13a3
0x7ff7a56f13a9
0x7ff7a56f13ae
0x7ff7a56f13b6
0x7ff7a56f13bf
0x7ff7a56f13c8
0x7ff7a56f13d3
0x7ff7a56f13d8
0x7ff7a56f13ea
0x7ff7a56f13ec
0x7ff7a56f13f8
0x7ff7a56f13fa
0x7ff7a56f13fd
0x7ff7a56f1401
0x7ff7a56f140d
0x7ff7a56f141b
0x7ff7a56f141d
0x7ff7a56f142a
0x7ff7a56f142d
0x7ff7a56f1437
0x7ff7a56f145e
0x7ff7a56f147b
0x7ff7a56f148e
0x7ff7a56f1494
0x7ff7a56f149c
0x7ff7a56f14a2
0x7ff7a56f14a8
0x7ff7a56f14b7
0x7ff7a56f14b9
0x7ff7a56f14c5
0x7ff7a56f14c7
0x7ff7a56f14d7
0x7ff7a56f14e5
0x7ff7a56f14e7
0x7ff7a56f14ed
0x7ff7a56f14ff
0x7ff7a56f150e
0x7ff7a56f1515
0x7ff7a56f1520
0x7ff7a56f1525
0x7ff7a56f152b
0x7ff7a56f1530
0x7ff7a56f153d
0x7ff7a56f154e
0x7ff7a56f1561
0x7ff7a56f1570
0x7ff7a56f1572
0x7ff7a56f1579
0x7ff7a56f157b
0x7ff7a56f157d
0x7ff7a56f1588
0x7ff7a56f1590
0x7ff7a56f159c
0x7ff7a56f15a2
0x7ff7a56f15ab
0x7ff7a56f15b5
0x7ff7a56f15c3
0x7ff7a56f15cb
0x7ff7a56f15d0
0x7ff7a56f15d8
0x7ff7a56f15df
0x7ff7a56f15e4
0x7ff7a56f15f0
0x7ff7a56f15fa
0x7ff7a56f1601
0x7ff7a56f1607
0x7ff7a56f160c
0x7ff7a56f1612
0x7ff7a56f1617
0x7ff7a56f161a
0x7ff7a56f164d

APIs

__doserrno.LIBCMT ref: 00007FF7A56F0F41
_errno.LIBCMT ref: 00007FF7A56F0F48

Strings

U, xrefs: 00007FF7A56F14FF

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID: U
API String ID: 921712934-4171548499
Opcode ID: b58e01479b693e4d3fc4ee5255ae4a2aff408e3cce59a02e304553b3b8b91440
Instruction ID: 366e3d70bd25705617296fd37a2b3359cc21ba7704707000517f51824a5fdb25
Opcode Fuzzy Hash: b58e01479b693e4d3fc4ee5255ae4a2aff408e3cce59a02e304553b3b8b91440
Instruction Fuzzy Hash: F212D423E0E64286EB20AB65D44437EE762FB86F84F865136DA4D426B4DF3DE449C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EA728 Relevance: 28.9, APIs: 19, Instructions: 377COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA79A
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA7B0
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA85A
malloc.LIBCMT ref: 00007FF7A56EA8CB
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA902
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA927
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EA977
malloc.LIBCMT ref: 00007FF7A56EA9CA
LCMapStringW.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EAA04
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EAA47
free.LIBCMT ref: 00007FF7A56EAA58
free.LIBCMT ref: 00007FF7A56EAA66
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EAAF5
malloc.LIBCMT ref: 00007FF7A56EAB63
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EABAC
free.LIBCMT ref: 00007FF7A56EABF4
LCMapStringA.KERNEL32(?,?,?,?,?,?,00000000,?,00000140,?,?,00007FF7A56EACD9), ref: 00007FF7A56EAC14
free.LIBCMT ref: 00007FF7A56EAC26
free.LIBCMT ref: 00007FF7A56EAC38

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: String$free$ByteCharMultiWidemalloc$ErrorLast
String ID:
API String ID: 1837315383-0
Opcode ID: deef6aef4076a8aecc8c09d005643f978d232f5a9d69fe706d5c65247fb8c331
Instruction ID: 4b0660502a25696bb4ccbdf1404fce3c676f9a6c1938af59a525ff6d97a58715
Opcode Fuzzy Hash: deef6aef4076a8aecc8c09d005643f978d232f5a9d69fe706d5c65247fb8c331
Instruction Fuzzy Hash: 4AF10332A0B681CAE720AF24944417DB392FB4AF98F965234EE1D57BE4DF3DE9018710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D9DE0 Relevance: 27.4, APIs: 18, Instructions: 428
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 60%

			E00007FF77FF7A56D9DE0(long long __rax, long long __rcx, long long __rdx, void* __r8, signed long long __r9, long long _a8, long long _a16, signed int _a24, signed int _a32) {
				long long _v88;
				char _v104;
				char _v120;
				char _v136;
				signed int* _v144;
				long long _v152;
				signed int* _v160;
				long long _v168;
				signed int* _v176;
				long long _v184;
				signed long long _v200;
				signed int _v208;
				long long _v216;
				signed int* _v224;
				long long _v232;
				char _v256;
				signed int _v264;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* _t200;
				signed int _t211;
				long long _t297;
				long long _t298;
				long long _t300;
				long long _t301;
				long long _t304;
				long long _t306;
				long long _t307;
				long long _t310;
				long long _t312;
				long long _t313;
				signed int* _t324;
				signed int* _t325;
				signed int* _t326;
				signed int* _t331;
				signed int* _t332;
				signed int* _t333;
				signed int* _t338;
				signed int* _t339;
				signed int* _t340;
				void* _t351;
				void* _t355;
				void* _t359;
				void* _t363;
				void* _t365;
				long long _t366;
				intOrPtr* _t367;
				long long _t368;
				intOrPtr* _t369;
				long long _t370;
				intOrPtr* _t371;
				void* _t372;
				signed int* _t373;
				void* _t374;
				signed int* _t375;
				void* _t376;
				long long _t377;
				void* _t383;
				signed long long _t384;
				signed int* _t393;
				void* _t396;
				void* _t398;

				_t384 = __r9;
				_t383 = __r8;
				_t282 = __rax;
				_a24 = r8d;
				_a16 = __rdx;
				_a8 = __rcx;
				_v88 = 0xfffffffe;
				_t211 = r8d;
				_t377 = __rdx;
				_t297 = __rcx;
				_a32 = 0;
				E00007FF77FF7A56E45E0(__rax, __rcx);
				if (__rax == 0) goto 0xa56d9e3b;
				 *((long long*)(__rax)) =  &_v256;
				goto 0xa56d9e3d;
				_v256 = __rax;
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				if (_t211 != 0) goto 0xa56d9eab;
				E00007FF77FF7A56DA460(__rax, _t297, _t297,  &_v256, _t365, _t372, __r8);
				if (_v232 == 0) goto 0xa56d9e7e;
				E00007FF77FF7A56E44D8(_t282, _t297, _v232,  &_v256, _t372, _t383, _t384);
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				E00007FF77FF7A56E44D8(_t282, _t297, _v256,  &_v256, _t372, _t383, _t384);
				goto 0xa56da440;
				_t351 = _t365;
				E00007FF77FF7A56DA530(_t200, _t297, _t297,  &_v256, _t351, _t372, _t383, _t384);
				r8d = 0;
				_v208 = r8d;
				r9d = 0;
				_v200 = _t384;
				if (_t211 == 0) goto 0xa56da3fb;
				_t324 = _v224;
				_t298 = _v232;
				asm("o16 nop [eax+eax]");
				sil = 0x41;
				r14d = sil & 0xffffffff;
				r13d = sil & 0xffffffff;
				_a32 = sil;
				_t25 = _t383 + 1; // 0x1
				if (_t25 - _t211 >= 0) goto 0xa56d9f07;
				_t29 = _t383 + 2; // 0x2
				if (_t29 - _t211 >= 0) goto 0xa56d9f14;
				r14b =  *((intOrPtr*)(_t377 + 4 + _t384 * 2));
				_t33 = _t383 + 3; // 0x3
				if (_t33 - _t211 >= 0) goto 0xa56d9f29;
				r13b =  *((intOrPtr*)(_t377 + 6 + _t384 * 2));
				_a32 = r13b;
				_t38 = _t351 - 0x41; // 0x0
				if (_t38 - 0x19 > 0) goto 0xa56d9f35;
				goto 0xa56d9f56;
				_t39 = _t351 - 0x61; // -32
				if (_t39 - 0x19 > 0) goto 0xa56d9f41;
				goto 0xa56d9f56;
				_t40 = _t351 - 0x30; // 0x11
				if (_t40 - 9 > 0) goto 0xa56d9f4d;
				goto 0xa56d9f56;
				_t43 = _t372 - 0x41; // 0x2be4fdf
				if (_t43 - 0x19 > 0) goto 0xa56d9f63;
				sil = sil - 0x41;
				goto 0xa56d9f89;
				_t44 = _t372 - 0x61; // 0x2be4fbf
				if (_t44 - 0x19 > 0) goto 0xa56d9f70;
				sil = sil - 0x47;
				goto 0xa56d9f89;
				_t45 = _t372 - 0x30; // 0x2be4ff0
				if (_t45 - 9 > 0) goto 0xa56d9f7d;
				sil = sil + 4;
				goto 0xa56d9f89;
				sil = sil != 0x2b;
				sil = sil + 0x3e;
				if (_t398 - 0x41 - 0x19 > 0) goto 0xa56d9f97;
				goto 0xa56d9fbf;
				if (_t398 - 0x61 - 0x19 > 0) goto 0xa56d9fa5;
				goto 0xa56d9fbf;
				if (_t398 - 0x30 - 9 > 0) goto 0xa56d9fb3;
				goto 0xa56d9fbf;
				bpl = r14b != 0x2b;
				bpl = bpl + 0x3e;
				_t52 = _t396 - 0x41; // -65
				if (_t52 - 0x19 > 0) goto 0xa56d9fcd;
				_t53 = _t396 - 0x41; // -65
				r15d = _t53;
				goto 0xa56d9ff5;
				_t54 = _t396 - 0x61; // -97
				if (_t54 - 0x19 > 0) goto 0xa56d9fdb;
				_t55 = _t396 - 0x47; // -71
				r15d = _t55;
				goto 0xa56d9ff5;
				_t56 = _t396 - 0x30; // -48
				if (_t56 - 9 > 0) goto 0xa56d9fe9;
				_t57 = _t396 + 4; // 0x4
				r15d = _t57;
				goto 0xa56d9ff5;
				r15b = r13b != 0x2b;
				r15b = r15b + 0x3e;
				r8d = sil & 0xffffffff;
				r8b = r8b >> 4;
				r8b = r8b | (( *(_t377 + _t384 * 2) & 0x000000ff) - 0xfffffffffffffffa + 0x00000004 & 0xffffff00 | ( *(_t377 + _t384 * 2) & 0x000000ff) - 0xfffffffffffffffa + 0x00000004 != 0x0000002b) + 0x0000003e << 0x00000002;
				_v264 = r8b;
				if (_t298 != 0) goto 0xa56da011;
				goto 0xa56da019;
				if (_t324 - _t298 - _v216 - _t298 >= 0) goto 0xa56da039;
				 *_t324 = r8b;
				_t325 =  &(_t324[0]);
				_v224 = _t325;
				goto 0xa56da140;
				_t393 = _t325;
				if (_v232 - _t325 <= 0) goto 0xa56da050;
				E00007FF77FF7A56E44B8();
				_t326 = _v224;
				_t300 = _v232;
				_t366 = _v256;
				_v168 = _t366;
				_v160 = _t393;
				if (_t326 != _t300) goto 0xa56da06f;
				r12d = 0;
				goto 0xa56da08d;
				if (_t300 - _t326 <= 0) goto 0xa56da079;
				E00007FF77FF7A56E44B8();
				if (_t366 == 0) goto 0xa56da085;
				if (_t366 == _v256) goto 0xa56da08a;
				E00007FF77FF7A56E44B8();
				asm("movaps xmm0, [esp+0x80]");
				asm("movdqa [esp+0xa0], xmm0");
				r8d = 1;
				E00007FF77FF7A56D53A0(_t300,  &_v256,  &_v136, _t372, _t383,  &_v264);
				_t301 = _v232;
				if (_t301 - _v224 <= 0) goto 0xa56da0dc;
				E00007FF77FF7A56E44B8();
				_t367 = _v256;
				if (_t367 != 0) goto 0xa56da0fa;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56da102;
				_t355 = _t301 + _t393 - _t300;
				if (_t355 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0xa56da11f;
				if (_t367 == 0) goto 0xa56da117;
				goto 0xa56da119;
				if (_t355 -  *((intOrPtr*)( *_t367 + 0x18)) >= 0) goto 0xa56da138;
				E00007FF77FF7A56E44B8();
				_t331 = _v224;
				_t304 = _v232;
				r13b = _a32;
				goto 0xa56da140;
				r13b = _a32;
				if (r14b == 0x3d) goto 0xa56da27f;
				r8d = bpl & 0xffffffff;
				r8b = r8b >> 2;
				sil = sil << 4;
				r8b = r8b | sil;
				_a32 = r8b;
				if (_t304 != 0) goto 0xa56da16a;
				goto 0xa56da172;
				if (_t331 - _t304 - _v216 - _t304 >= 0) goto 0xa56da192;
				 *_t331 = r8b;
				_t332 =  &(_t331[0]);
				_v224 = _t332;
				goto 0xa56da27f;
				_t373 = _t332;
				if (_v232 - _t332 <= 0) goto 0xa56da1a9;
				E00007FF77FF7A56E44B8();
				_t333 = _v224;
				_t306 = _v232;
				_t368 = _v256;
				_v184 = _t368;
				_v176 = _t373;
				if (_t333 != _t306) goto 0xa56da1c1;
				goto 0xa56da1df;
				if (_t306 - _t333 <= 0) goto 0xa56da1cb;
				E00007FF77FF7A56E44B8();
				if (_t368 == 0) goto 0xa56da1d7;
				if (_t368 == _v256) goto 0xa56da1dc;
				E00007FF77FF7A56E44B8();
				_t374 = _t373 - _t306;
				asm("movaps xmm0, [esp+0x70]");
				asm("movdqa [esp+0xc0], xmm0");
				r8d = 1;
				E00007FF77FF7A56D53A0(_t306,  &_v256,  &_v104, _t374, _t383,  &_a32);
				_t307 = _v232;
				if (_t307 - _v224 <= 0) goto 0xa56da22e;
				E00007FF77FF7A56E44B8();
				_t369 = _v256;
				if (_t369 != 0) goto 0xa56da24c;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56da254;
				_t359 = _t307 + _t374;
				if (_t359 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0xa56da270;
				if (_t369 == 0) goto 0xa56da268;
				goto 0xa56da26a;
				if (_t359 -  *((intOrPtr*)( *_t369 + 0x18)) >= 0) goto 0xa56da27f;
				E00007FF77FF7A56E44B8();
				_t338 = _v224;
				_t310 = _v232;
				if (r13b == 0x3d) goto 0xa56da3bf;
				bpl = bpl << 6;
				bpl = bpl | r15b;
				_a32 = bpl;
				if (_t310 != 0) goto 0xa56da2a1;
				goto 0xa56da2a9;
				if (_t338 - _t310 - _v216 - _t310 >= 0) goto 0xa56da2c9;
				 *_t338 = bpl;
				_t339 =  &(_t338[0]);
				_v224 = _t339;
				goto 0xa56da3bf;
				_t375 = _t339;
				if (_v232 - _t339 <= 0) goto 0xa56da2e0;
				E00007FF77FF7A56E44B8();
				_t340 = _v224;
				_t312 = _v232;
				_t370 = _v256;
				_v152 = _t370;
				_v144 = _t375;
				if (_t340 != _t312) goto 0xa56da2fe;
				goto 0xa56da31c;
				if (_t312 - _t340 <= 0) goto 0xa56da308;
				E00007FF77FF7A56E44B8();
				if (_t370 == 0) goto 0xa56da314;
				if (_t370 == _v256) goto 0xa56da319;
				E00007FF77FF7A56E44B8();
				_t376 = _t375 - _t312;
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0xb0], xmm0");
				r8d = 1;
				E00007FF77FF7A56D53A0(_t312,  &_v256,  &_v120, _t376, _t383,  &_a32);
				_t313 = _v232;
				if (_t313 - _v224 <= 0) goto 0xa56da36e;
				E00007FF77FF7A56E44B8();
				_t371 = _v256;
				if (_t371 != 0) goto 0xa56da38c;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56da394;
				_t363 = _t376 + _t313;
				if (_t363 -  *((intOrPtr*)( *_v256 + 0x20)) > 0) goto 0xa56da3b0;
				if (_t371 == 0) goto 0xa56da3a8;
				goto 0xa56da3aa;
				if (_t363 -  *((intOrPtr*)( *_t371 + 0x18)) >= 0) goto 0xa56da3bf;
				E00007FF77FF7A56E44B8();
				r8d = _v208;
				r8d = r8d + 4;
				_v208 = r8d;
				_v200 = _v200 + 4;
				if (r8d - _a24 < 0) goto 0xa56d9ee0;
				E00007FF77FF7A56DA460( *_t371, _a8, _a8,  &_v256, _t371, _t376, _t383);
				if (_v232 == 0) goto 0xa56da418;
				E00007FF77FF7A56E44D8( *_t371, _a8, _v232,  &_v256, _t376, _t383, _v200 + 4);
				_v232 = 0;
				_v224 = 0;
				_v216 = 0;
				return E00007FF77FF7A56E44D8( *_t371, _a8, _v256,  &_v256, _t376, _t383, _v200 + 4);
			}

0x7ff7a56d9de0
0x7ff7a56d9de0
0x7ff7a56d9de0
0x7ff7a56d9de0
0x7ff7a56d9de5
0x7ff7a56d9dea
0x7ff7a56d9e02
0x7ff7a56d9e0e
0x7ff7a56d9e11
0x7ff7a56d9e14
0x7ff7a56d9e17
0x7ff7a56d9e27
0x7ff7a56d9e2f
0x7ff7a56d9e36
0x7ff7a56d9e39
0x7ff7a56d9e3d
0x7ff7a56d9e42
0x7ff7a56d9e4b
0x7ff7a56d9e54
0x7ff7a56d9e5f
0x7ff7a56d9e69
0x7ff7a56d9e77
0x7ff7a56d9e79
0x7ff7a56d9e7e
0x7ff7a56d9e87
0x7ff7a56d9e90
0x7ff7a56d9e9e
0x7ff7a56d9ea6
0x7ff7a56d9eab
0x7ff7a56d9eb3
0x7ff7a56d9eb8
0x7ff7a56d9ebb
0x7ff7a56d9ec0
0x7ff7a56d9ec3
0x7ff7a56d9eca
0x7ff7a56d9ed0
0x7ff7a56d9ed5
0x7ff7a56d9eda
0x7ff7a56d9ee6
0x7ff7a56d9ee9
0x7ff7a56d9eed
0x7ff7a56d9ef1
0x7ff7a56d9ef9
0x7ff7a56d9eff
0x7ff7a56d9f07
0x7ff7a56d9f0d
0x7ff7a56d9f0f
0x7ff7a56d9f14
0x7ff7a56d9f1a
0x7ff7a56d9f1c
0x7ff7a56d9f21
0x7ff7a56d9f29
0x7ff7a56d9f2e
0x7ff7a56d9f33
0x7ff7a56d9f35
0x7ff7a56d9f3a
0x7ff7a56d9f3f
0x7ff7a56d9f41
0x7ff7a56d9f46
0x7ff7a56d9f4b
0x7ff7a56d9f56
0x7ff7a56d9f5b
0x7ff7a56d9f5d
0x7ff7a56d9f61
0x7ff7a56d9f63
0x7ff7a56d9f68
0x7ff7a56d9f6a
0x7ff7a56d9f6e
0x7ff7a56d9f70
0x7ff7a56d9f75
0x7ff7a56d9f77
0x7ff7a56d9f7b
0x7ff7a56d9f81
0x7ff7a56d9f85
0x7ff7a56d9f8f
0x7ff7a56d9f95
0x7ff7a56d9f9d
0x7ff7a56d9fa3
0x7ff7a56d9fab
0x7ff7a56d9fb1
0x7ff7a56d9fb7
0x7ff7a56d9fbb
0x7ff7a56d9fbf
0x7ff7a56d9fc5
0x7ff7a56d9fc7
0x7ff7a56d9fc7
0x7ff7a56d9fcb
0x7ff7a56d9fcd
0x7ff7a56d9fd3
0x7ff7a56d9fd5
0x7ff7a56d9fd5
0x7ff7a56d9fd9
0x7ff7a56d9fdb
0x7ff7a56d9fe1
0x7ff7a56d9fe3
0x7ff7a56d9fe3
0x7ff7a56d9fe7
0x7ff7a56d9fed
0x7ff7a56d9ff1
0x7ff7a56d9ff5
0x7ff7a56d9ff9
0x7ff7a56da000
0x7ff7a56da003
0x7ff7a56da00b
0x7ff7a56da00f
0x7ff7a56da022
0x7ff7a56da024
0x7ff7a56da027
0x7ff7a56da02a
0x7ff7a56da034
0x7ff7a56da039
0x7ff7a56da03f
0x7ff7a56da041
0x7ff7a56da046
0x7ff7a56da04b
0x7ff7a56da050
0x7ff7a56da055
0x7ff7a56da05d
0x7ff7a56da068
0x7ff7a56da06a
0x7ff7a56da06d
0x7ff7a56da072
0x7ff7a56da074
0x7ff7a56da07c
0x7ff7a56da083
0x7ff7a56da085
0x7ff7a56da08d
0x7ff7a56da095
0x7ff7a56da0a3
0x7ff7a56da0b6
0x7ff7a56da0bb
0x7ff7a56da0cb
0x7ff7a56da0cd
0x7ff7a56da0dc
0x7ff7a56da0e4
0x7ff7a56da0e6
0x7ff7a56da0eb
0x7ff7a56da0f8
0x7ff7a56da102
0x7ff7a56da10b
0x7ff7a56da110
0x7ff7a56da115
0x7ff7a56da11d
0x7ff7a56da11f
0x7ff7a56da124
0x7ff7a56da129
0x7ff7a56da12e
0x7ff7a56da136
0x7ff7a56da138
0x7ff7a56da144
0x7ff7a56da14a
0x7ff7a56da14e
0x7ff7a56da152
0x7ff7a56da156
0x7ff7a56da159
0x7ff7a56da164
0x7ff7a56da168
0x7ff7a56da17b
0x7ff7a56da17d
0x7ff7a56da180
0x7ff7a56da183
0x7ff7a56da18d
0x7ff7a56da192
0x7ff7a56da198
0x7ff7a56da19a
0x7ff7a56da19f
0x7ff7a56da1a4
0x7ff7a56da1a9
0x7ff7a56da1ae
0x7ff7a56da1b3
0x7ff7a56da1bb
0x7ff7a56da1bf
0x7ff7a56da1c4
0x7ff7a56da1c6
0x7ff7a56da1ce
0x7ff7a56da1d5
0x7ff7a56da1d7
0x7ff7a56da1dc
0x7ff7a56da1df
0x7ff7a56da1e4
0x7ff7a56da1f5
0x7ff7a56da208
0x7ff7a56da20d
0x7ff7a56da21d
0x7ff7a56da21f
0x7ff7a56da22e
0x7ff7a56da236
0x7ff7a56da238
0x7ff7a56da23d
0x7ff7a56da24a
0x7ff7a56da254
0x7ff7a56da25c
0x7ff7a56da261
0x7ff7a56da266
0x7ff7a56da26e
0x7ff7a56da270
0x7ff7a56da275
0x7ff7a56da27a
0x7ff7a56da283
0x7ff7a56da289
0x7ff7a56da28d
0x7ff7a56da290
0x7ff7a56da29b
0x7ff7a56da29f
0x7ff7a56da2b2
0x7ff7a56da2b4
0x7ff7a56da2b7
0x7ff7a56da2ba
0x7ff7a56da2c4
0x7ff7a56da2c9
0x7ff7a56da2cf
0x7ff7a56da2d1
0x7ff7a56da2d6
0x7ff7a56da2db
0x7ff7a56da2e0
0x7ff7a56da2e5
0x7ff7a56da2ed
0x7ff7a56da2f8
0x7ff7a56da2fc
0x7ff7a56da301
0x7ff7a56da303
0x7ff7a56da30b
0x7ff7a56da312
0x7ff7a56da314
0x7ff7a56da319
0x7ff7a56da31c
0x7ff7a56da324
0x7ff7a56da335
0x7ff7a56da348
0x7ff7a56da34d
0x7ff7a56da35d
0x7ff7a56da35f
0x7ff7a56da36e
0x7ff7a56da376
0x7ff7a56da378
0x7ff7a56da37d
0x7ff7a56da38a
0x7ff7a56da394
0x7ff7a56da39c
0x7ff7a56da3a1
0x7ff7a56da3a6
0x7ff7a56da3ae
0x7ff7a56da3b0
0x7ff7a56da3bf
0x7ff7a56da3c4
0x7ff7a56da3c8
0x7ff7a56da3d6
0x7ff7a56da3ed
0x7ff7a56da403
0x7ff7a56da411
0x7ff7a56da413
0x7ff7a56da418
0x7ff7a56da421
0x7ff7a56da42a
0x7ff7a56da453

APIs

Part of subcall function 00007FF7A56E45E0: malloc.LIBCMT ref: 00007FF7A56E45FA

Part of subcall function 00007FF7A56DA530: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA593
Part of subcall function 00007FF7A56DA530: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA5A2

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA041
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA074
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA085
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA0CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA0E6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA11F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA19A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA1C6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA1D7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA21F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA238
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA270
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA2D1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA303
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA314
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA35F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA378
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DA3B0

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: c150c4ca955c388edfe3a66c9f1b7fa42ad70acee1887465953eb8fb120a1af7
Instruction ID: f6036f3d7542a751f779a6a615e6f7ab62f835d3b8ab791e08be0fb0dc57947c
Opcode Fuzzy Hash: c150c4ca955c388edfe3a66c9f1b7fa42ad70acee1887465953eb8fb120a1af7
Instruction Fuzzy Hash: 0312B933A0F98585EA60AA15D04037EE773EB86F94FDA2531DF8D03AA9EF2DD5508710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F7DE0 Relevance: 24.1, APIs: 16, Instructions: 142
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 23%

			E00007FF77FF7A56F7DE0(void* __ebx, void* __edi, long long __rbx, long long __rbp, void* __r9, long long _a8) {
				void* _v24;
				char _v40;
				char _v56;
				long long _v64;
				long long _v72;
				long long _v88;
				void* __rsi;
				void* _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t88;
				intOrPtr* _t90;
				intOrPtr* _t99;
				intOrPtr* _t101;
				intOrPtr* _t113;
				long long _t114;
				intOrPtr* _t115;
				intOrPtr* _t119;

				_t57 = __ebx;
				_t90 = _t119;
				_v88 = 0xfffffffe;
				 *((long long*)(_t90 + 0x10)) = __rbx;
				 *((long long*)(_t90 + 0x18)) = __rbp;
				_t58 =  *0xa5721798; // 0xffffffff
				if (_t58 != 0xffffffff) goto 0xa56f7e0b;
				goto 0xa56f7e14;
				TlsGetValue(??);
				_t115 = _t90;
				_a8 = _t115;
				if (_t115 == 0) goto 0xa56f7f9e;
				if ( *((long long*)(_t115 + 0x60)) != 0) goto 0xa56f7e39;
				if ( *((long long*)(_t115 + 0x18)) == 0) goto 0xa56f7f77;
				goto 0xa56f7e40;
				if ( *((long long*)(_t115 + 0x18)) == 0) goto 0xa56f7e96;
				_t113 =  *((intOrPtr*)(_t115 + 0x18));
				 *((long long*)(_t115 + 0x18)) =  *((intOrPtr*)(_t113 + 8));
				_t101 =  *_t113;
				if (_t101 == 0) goto 0xa56f7e7b;
				 *((intOrPtr*)( *_t101 + 8))();
				 *((intOrPtr*)( *((intOrPtr*)( *_t113))))();
				GetProcessHeap();
				HeapFree(??, ??, ??);
				GetProcessHeap();
				HeapFree(??, ??, ??);
				if ( *((long long*)(_t115 + 0x18)) != 0) goto 0xa56f7e40;
				if ( *((long long*)(_t115 + 0x60)) == 0) goto 0xa56f7e25;
				_t114 =  *((intOrPtr*)( *((intOrPtr*)(_t115 + 0x58))));
				_v64 = _t114;
				_t99 =  *((intOrPtr*)(_t115 + 0x28));
				_v72 = _t99;
				if (_t99 != 0) goto 0xa56f7ec4;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f7ec7;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0xa56f7ed2;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t114 + 0x20)) == 0) goto 0xa56f7f49;
				if (_t99 != 0) goto 0xa56f7ee8;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f7eeb;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0xa56f7ef6;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t114 + 0x30)) == 0) goto 0xa56f7f49;
				if (_t99 != 0) goto 0xa56f7f0c;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f7f0f;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0xa56f7f1a;
				E00007FF77FF7A56E44B8();
				if (_t99 != 0) goto 0xa56f7f2d;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f7f30;
				if (_t114 !=  *((intOrPtr*)( *_t99 + 0x30))) goto 0xa56f7f3b;
				E00007FF77FF7A56E44B8();
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t114 + 0x20)))) + 8))();
				asm("movaps xmm0, [esp+0x30]");
				asm("movdqa [esp+0x40], xmm0");
				_t29 = _t115 + 0x28; // 0x28
				E00007FF77FF7A56D5EB0(0, __edi, _t99, _t29,  &_v40, _t115,  &_v56, __r9);
				if ( *((long long*)(_t115 + 0x60)) != 0) goto 0xa56f7ea0;
				goto 0xa56f7e25;
				E00007FF77FF7A56F63B0(_t57, _t99, 0xa5724010, 0x7ff7a56f61c0, _t115);
				_t59 =  *0xa5721798; // 0xffffffff
				if (_t59 == 0xffffffff) goto 0xa56f7f9e;
				TlsSetValue(??, ??);
				_t88 = _t115;
				if (_t88 == 0) goto 0xa56f7fc8;
				asm("lock add dword [esi+0x8], 0xffffffff");
				if (_t88 != 0) goto 0xa56f7fc8;
				 *((intOrPtr*)( *_t115))();
				GetProcessHeap();
				return HeapFree(??, ??, ??);
			}

0x7ff7a56f7de0
0x7ff7a56f7de0
0x7ff7a56f7deb
0x7ff7a56f7df4
0x7ff7a56f7df8
0x7ff7a56f7dfc
0x7ff7a56f7e05
0x7ff7a56f7e09
0x7ff7a56f7e0b
0x7ff7a56f7e11
0x7ff7a56f7e14
0x7ff7a56f7e1f
0x7ff7a56f7e2a
0x7ff7a56f7e31
0x7ff7a56f7e37
0x7ff7a56f7e3e
0x7ff7a56f7e40
0x7ff7a56f7e48
0x7ff7a56f7e4c
0x7ff7a56f7e52
0x7ff7a56f7e57
0x7ff7a56f7e65
0x7ff7a56f7e67
0x7ff7a56f7e75
0x7ff7a56f7e7b
0x7ff7a56f7e89
0x7ff7a56f7e94
0x7ff7a56f7e9b
0x7ff7a56f7ea4
0x7ff7a56f7ea7
0x7ff7a56f7eac
0x7ff7a56f7eb0
0x7ff7a56f7eb8
0x7ff7a56f7eba
0x7ff7a56f7ebf
0x7ff7a56f7ec2
0x7ff7a56f7ecb
0x7ff7a56f7ecd
0x7ff7a56f7ed7
0x7ff7a56f7edc
0x7ff7a56f7ede
0x7ff7a56f7ee3
0x7ff7a56f7ee6
0x7ff7a56f7eef
0x7ff7a56f7ef1
0x7ff7a56f7efb
0x7ff7a56f7f00
0x7ff7a56f7f02
0x7ff7a56f7f07
0x7ff7a56f7f0a
0x7ff7a56f7f13
0x7ff7a56f7f15
0x7ff7a56f7f21
0x7ff7a56f7f23
0x7ff7a56f7f28
0x7ff7a56f7f2b
0x7ff7a56f7f34
0x7ff7a56f7f36
0x7ff7a56f7f46
0x7ff7a56f7f49
0x7ff7a56f7f4e
0x7ff7a56f7f5e
0x7ff7a56f7f62
0x7ff7a56f7f6c
0x7ff7a56f7f72
0x7ff7a56f7f85
0x7ff7a56f7f8a
0x7ff7a56f7f93
0x7ff7a56f7f97
0x7ff7a56f7f9e
0x7ff7a56f7fa1
0x7ff7a56f7fa3
0x7ff7a56f7fa8
0x7ff7a56f7fb2
0x7ff7a56f7fb4
0x7ff7a56f7fdc

APIs

TlsGetValue.KERNEL32 ref: 00007FF7A56F7E0B
GetProcessHeap.KERNEL32 ref: 00007FF7A56F7E67
HeapFree.KERNEL32 ref: 00007FF7A56F7E75
GetProcessHeap.KERNEL32 ref: 00007FF7A56F7E7B
HeapFree.KERNEL32 ref: 00007FF7A56F7E89
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7EBA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7ECD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7EDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7EF1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7F02
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7F15
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7F23
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F7F36

Part of subcall function 00007FF7A56F63B0: OpenEventA.KERNEL32 ref: 00007FF7A56F6456
Part of subcall function 00007FF7A56F63B0: CloseHandle.KERNEL32 ref: 00007FF7A56F646F
Part of subcall function 00007FF7A56F63B0: ResetEvent.KERNEL32 ref: 00007FF7A56F6482
Part of subcall function 00007FF7A56F63B0: CreateEventA.KERNEL32 ref: 00007FF7A56F64D7
Part of subcall function 00007FF7A56F63B0: CloseHandle.KERNEL32 ref: 00007FF7A56F64F0
Part of subcall function 00007FF7A56F63B0: SetEvent.KERNEL32 ref: 00007FF7A56F650E
Part of subcall function 00007FF7A56F63B0: CloseHandle.KERNEL32 ref: 00007FF7A56F65B4

TlsSetValue.KERNEL32 ref: 00007FF7A56F7F97
GetProcessHeap.KERNEL32 ref: 00007FF7A56F7FB4
HeapFree.KERNEL32 ref: 00007FF7A56F7FC2

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$Heap$Event$CloseFreeHandleProcess$Value$CreateOpenReset
String ID:
API String ID: 3479055706-0
Opcode ID: d7bddb002446de1d6353830d7340297a2e8ea3ae02d25d3a1f121764180d7d71
Instruction ID: 4017b391dcb3d5f7bc94cf1d39e7119f00952c826fd36e7ff911f095a107bc8b
Opcode Fuzzy Hash: d7bddb002446de1d6353830d7340297a2e8ea3ae02d25d3a1f121764180d7d71
Instruction Fuzzy Hash: 3F616022E1AA0686E765BB21D4403BDA362FB46F50F966231DA5D037B4DF3DE849C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570B970 Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 271
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E00007FF77FF7A570B970(void* __ebx, void* __ecx, void* __edx, void* __edi, signed int __rbx, long long __rcx, long long __r8, void* __r10, void* _a16) {
				signed int _v48;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v104;
				long long _v112;
				char _v128;
				char _v136;
				long long _v144;
				intOrPtr _v168;
				char _v176;
				long long _v184;
				intOrPtr _v208;
				char _v216;
				long long _v224;
				long long _v240;
				char _v256;
				char _v264;
				char _v272;
				char _v280;
				void* _v288;
				char _v292;
				signed int _v296;
				char _v304;
				char _v312;
				long long _v328;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				signed short _t123;
				void* _t136;
				signed int* _t153;
				void* _t160;
				signed long long _t186;
				signed int _t190;
				signed long long _t195;
				signed long long _t196;
				void* _t219;
				void* _t224;
				long long _t243;
				long long _t244;
				signed int* _t245;
				void* _t246;
				void* _t247;
				signed short* _t253;
				signed long long _t261;
				void* _t262;
				void* _t267;
				void* _t268;
				long long _t269;
				void* _t270;

				_t267 = __r10;
				_t140 = __edx;
				_t138 = __ecx;
				_t268 = _t247;
				_v224 = 0xfffffffe;
				 *((long long*)(_t268 + 0x10)) = __rbx;
				_t186 =  *0xa5720430; // 0x4918c7c3922
				_v48 = _t186 ^ _t247 - 0x00000140;
				_t244 = __r8;
				_t243 = __rcx;
				 *((long long*)(_t268 - 0x38)) = __rcx;
				r12d = 0;
				_v296 = r12d;
				_t152 = __edx;
				if (__edx != 0) goto 0xa570ba95;
				 *((long long*)(_t268 - 0xe8)) = 7;
				_v240 = _t269;
				_v256 = r12w;
				_t195 = __rbx | 0xffffffff;
				_t261 = _t195;
				r8d = 0;
				E00007FF77FF7A56D2390(_t195,  &_v264, __rcx, __rcx, __r8, _t246, __r8, _t261);
				_v328 = _t244;
				r9b = 1;
				E00007FF77FF7A56D6710(_t140, _t152, _t195,  &_v288, _t246,  &_v264, _t261);
				E00007FF77FF7A56F6BF0(_t195,  &_v288);
				_t245 = _v288;
				_t153 = _t245;
				if (_t153 == 0) goto 0xa570ba6d;
				asm("lock xadd [esi+0x8], ebx");
				_t136 = __ebx + 0xffffffff;
				if (_t153 != 0) goto 0xa570ba6d;
				 *( *_t245)();
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0xa570ba6d;
				_t16 = _t269 + 0x49; // 0x49
				r9d = _t16;
				_t253 = "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp";
				E00007FF77FF7A570AB00(_t136, __ecx, __edi, _t195, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t245, _t246, _t253, _t261);
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0xa570ba7d;
				E00007FF77FF7A56E44D8( *_t245, _t195,  *((intOrPtr*)(_t243 + 8)), "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t245, _t253, _t261);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				goto 0xa570be31;
				E00007FF77FF7A570B410(_t136, _t138, 0,  *((long long*)(_t243 + 0x20)) - 8, _t195,  &_v136,  *((intOrPtr*)(_t243 + 8)), _t246, _t253, _t267);
				r9d = 4;
				_t262 =  <  ? _v112 : _t261;
				_t208 =  >=  ? _v128 :  &_v128;
				r8d = 4;
				_t254 =  <  ? _t262 : _t253;
				_t196 = _t195 | 0xffffffff;
				if (( <  ? _t262 : _t253) == 0) goto 0xa570bb19;
				_t160 =  *((intOrPtr*)( >=  ? _v128 :  &_v128)) - (L"\\\\?\\" & 0x0000ffff);
				if (_t160 != 0) goto 0xa570bb0a;
				if (_t160 != 0) goto 0xa570baf2;
				goto 0xa570bb19;
				r8d = 1;
				r8d =  <  ? _t136 : r8d;
				goto 0xa570bb1c;
				r8d = r12d;
				_t190 = r8d;
				if (r8d != 0) goto 0xa570bb34;
				if (_t262 - 4 < 0) goto 0xa570bb84;
				if ((r12d & 0xffffff00 | _t262 != 0x00000004) != 0) goto 0xa570bb84;
				_t29 = _t190 + 4; // 0x8
				r8d = _t29;
				E00007FF77FF7A56D4500(_t190,  &_v136,  &_v176);
				r8d = r8d ^ r8d;
				E00007FF77FF7A56D2390(_t196,  &_v136, _t190, _t243, _t245, _t246, ( <  ? _t262 : _t253) - 1, _t196);
				if (_v144 - 8 < 0) goto 0xa570bb84;
				E00007FF77FF7A56E44D8(_t190, _t196, _v168, _t190, _t245, ( <  ? _t262 : _t253) - 1, _t196);
				r13d = 0x5c;
				_v312 = r13w;
				r9d = _t270 - 0x5b;
				E00007FF77FF7A56D4BB0(_t196,  &_v136,  &_v312, _t243, _t245, _t246);
				if (_t190 == 0xffffffff) goto 0xa570bbf5;
				_v304 = r13w;
				r9d = _t270 - 0x5b;
				E00007FF77FF7A56D4BB0(_t196,  &_v136,  &_v304, _t243, _t245, _t246);
				r8d = 0;
				E00007FF77FF7A56D4500(_t190,  &_v136,  &_v216);
				_v296 = 1;
				goto 0xa570bbfd;
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				_t266 = _t196;
				r8d = 0;
				_t242 =  &_v136;
				E00007FF77FF7A56D2390(_t196,  &_v96,  &_v136, _t243, _t245, _t246, _t196, _t196);
				if ((bpl & 0x00000001) == 0) goto 0xa570bc4f;
				if (_v184 - 8 < 0) goto 0xa570bc4f;
				_t123 = E00007FF77FF7A56E44D8( &_v136, _t196, _v208,  &_v136, _t245, _t196, _t196);
				_t219 =  >=  ? _v88 :  &_v88;
				_v328 =  &_v292;
				r9d = 0;
				__imp__SHParseDisplayName();
				if (_t123 == 0) goto 0xa570bd27;
				if (_t245 == 0) goto 0xa570bc95;
				 *_t245 = _t123 & 0x0000ffff;
				if (_v64 - 8 < 0) goto 0xa570bcad;
				E00007FF77FF7A56E44D8( &_v292, _t196, _v88,  &_v136, _t245,  &_v280, _t196);
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				if (_v104 - 8 < 0) goto 0xa570bce2;
				E00007FF77FF7A56E44D8( &_v292, _t196, _v128,  &_v136, _t245,  &_v280, _t196);
				_v104 = 7;
				_v112 = _t269;
				_v128 = r12w;
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0xa570bd0f;
				E00007FF77FF7A56E44D8( &_v292, _t196,  *((intOrPtr*)(_t243 + 8)),  &_v136, _t245,  &_v280, _t196);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				goto 0xa570be31;
				_t224 =  >=  ? _v128 :  &_v128;
				_v328 =  &_v292;
				r9d = 0;
				__imp__SHParseDisplayName();
				__imp__CoInitializeEx();
				r9d = 0;
				__imp__SHOpenFolderAndSelectItems();
				if (0 == 0) goto 0xa570bd95;
				if (_t245 == 0) goto 0xa570bd95;
				 *_t245 = 0;
				if (0 == 0) goto 0xa570bd9e;
				if (0 != 1) goto 0xa570bda4;
				__imp__CoUninitialize();
				if (_v64 - 8 < 0) goto 0xa570bdbc;
				E00007FF77FF7A56E44D8( &_v292, _t196, _v88,  &_v136, _t245,  &_v272, _t196);
				_v64 = 7;
				_v72 = _t269;
				_v88 = r12w;
				if (_v104 - 8 < 0) goto 0xa570bdf1;
				E00007FF77FF7A56E44D8( &_v292, _t196, _v128, _t242, _t245,  &_v272, _t266);
				_v104 = 7;
				_v112 = _t269;
				_v128 = r12w;
				if ( *((long long*)(_t243 + 0x20)) - 8 < 0) goto 0xa570be1e;
				E00007FF77FF7A56E44D8( &_v292, _t196,  *((intOrPtr*)(_t243 + 8)), _t242, _t245,  &_v272, _t266);
				 *((long long*)(_t243 + 0x20)) = 7;
				 *((long long*)(_t243 + 0x18)) = _t269;
				 *((intOrPtr*)(_t243 + 8)) = r12w;
				return E00007FF77FF7A56E4050(0, _v48 ^ _t247 - 0x00000140, _t242,  &_v272, _t266);
			}

0x7ff7a570b970
0x7ff7a570b970
0x7ff7a570b970
0x7ff7a570b970
0x7ff7a570b981
0x7ff7a570b98d
0x7ff7a570b991
0x7ff7a570b99b
0x7ff7a570b9a3
0x7ff7a570b9a6
0x7ff7a570b9a9
0x7ff7a570b9ad
0x7ff7a570b9b3
0x7ff7a570b9b8
0x7ff7a570b9ba
0x7ff7a570b9c0
0x7ff7a570b9cb
0x7ff7a570b9d0
0x7ff7a570b9d6
0x7ff7a570b9da
0x7ff7a570b9dd
0x7ff7a570b9e8
0x7ff7a570b9ed
0x7ff7a570b9f2
0x7ff7a570ba06
0x7ff7a570ba11
0x7ff7a570ba17
0x7ff7a570ba1c
0x7ff7a570ba1f
0x7ff7a570ba21
0x7ff7a570ba26
0x7ff7a570ba29
0x7ff7a570ba33
0x7ff7a570ba35
0x7ff7a570ba4b
0x7ff7a570ba4d
0x7ff7a570ba4d
0x7ff7a570ba52
0x7ff7a570ba67
0x7ff7a570ba72
0x7ff7a570ba78
0x7ff7a570ba7d
0x7ff7a570ba85
0x7ff7a570ba89
0x7ff7a570ba90
0x7ff7a570baa0
0x7ff7a570baa6
0x7ff7a570bab7
0x7ff7a570bacc
0x7ff7a570bad5
0x7ff7a570bade
0x7ff7a570bae9
0x7ff7a570baf0
0x7ff7a570baf5
0x7ff7a570baf8
0x7ff7a570bb06
0x7ff7a570bb08
0x7ff7a570bb0a
0x7ff7a570bb13
0x7ff7a570bb17
0x7ff7a570bb19
0x7ff7a570bb1c
0x7ff7a570bb22
0x7ff7a570bb28
0x7ff7a570bb36
0x7ff7a570bb3b
0x7ff7a570bb3b
0x7ff7a570bb4f
0x7ff7a570bb58
0x7ff7a570bb66
0x7ff7a570bb75
0x7ff7a570bb7f
0x7ff7a570bb84
0x7ff7a570bb8a
0x7ff7a570bb90
0x7ff7a570bba4
0x7ff7a570bbad
0x7ff7a570bbaf
0x7ff7a570bbb5
0x7ff7a570bbc9
0x7ff7a570bbd1
0x7ff7a570bbe4
0x7ff7a570bbef
0x7ff7a570bbf3
0x7ff7a570bbfd
0x7ff7a570bc09
0x7ff7a570bc11
0x7ff7a570bc1a
0x7ff7a570bc1d
0x7ff7a570bc20
0x7ff7a570bc2b
0x7ff7a570bc35
0x7ff7a570bc40
0x7ff7a570bc4a
0x7ff7a570bc60
0x7ff7a570bc6e
0x7ff7a570bc73
0x7ff7a570bc7d
0x7ff7a570bc85
0x7ff7a570bc8e
0x7ff7a570bc93
0x7ff7a570bc9e
0x7ff7a570bca8
0x7ff7a570bcad
0x7ff7a570bcb9
0x7ff7a570bcc1
0x7ff7a570bcd3
0x7ff7a570bcdd
0x7ff7a570bce2
0x7ff7a570bcee
0x7ff7a570bcf6
0x7ff7a570bd04
0x7ff7a570bd0a
0x7ff7a570bd0f
0x7ff7a570bd17
0x7ff7a570bd1b
0x7ff7a570bd22
0x7ff7a570bd38
0x7ff7a570bd46
0x7ff7a570bd4b
0x7ff7a570bd55
0x7ff7a570bd64
0x7ff7a570bd74
0x7ff7a570bd81
0x7ff7a570bd89
0x7ff7a570bd8e
0x7ff7a570bd93
0x7ff7a570bd97
0x7ff7a570bd9c
0x7ff7a570bd9e
0x7ff7a570bdad
0x7ff7a570bdb7
0x7ff7a570bdbc
0x7ff7a570bdc8
0x7ff7a570bdd0
0x7ff7a570bde2
0x7ff7a570bdec
0x7ff7a570bdf1
0x7ff7a570bdfd
0x7ff7a570be05
0x7ff7a570be13
0x7ff7a570be19
0x7ff7a570be1e
0x7ff7a570be26
0x7ff7a570be2a
0x7ff7a570be57

APIs

Part of subcall function 00007FF7A56F6BF0: GetProcessHeap.KERNEL32 ref: 00007FF7A56F6C23
Part of subcall function 00007FF7A56F6BF0: HeapFree.KERNEL32 ref: 00007FF7A56F6C31

GetProcessHeap.KERNEL32 ref: 00007FF7A570BA35
HeapFree.KERNEL32 ref: 00007FF7A570BA43
SHParseDisplayName.SHELL32 ref: 00007FF7A570BC7D
SHParseDisplayName.SHELL32 ref: 00007FF7A570BD55
CoInitializeEx.OLE32 ref: 00007FF7A570BD64
SHOpenFolderAndSelectItems.SHELL32 ref: 00007FF7A570BD81
CoUninitialize.OLE32 ref: 00007FF7A570BD9E

Strings

D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF7A570BA52
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF7A570BA59
\\?\, xrefs: 00007FF7A570BAE2
detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF7A570BA60

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Heap$DisplayFreeNameParseProcess$FolderInitializeItemsOpenSelectUninitialize
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$\\?\$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 1792686712-3491708354
Opcode ID: 3a8b11ccadee6583c85372323fada0a20ee016908da08a30510c647ca9ef4f30
Instruction ID: 1c5144a693de158538f28bd991478141afbaf4aea4b911cef1fce4a1ed277c6d
Opcode Fuzzy Hash: 3a8b11ccadee6583c85372323fada0a20ee016908da08a30510c647ca9ef4f30
Instruction Fuzzy Hash: EBC1C5326096C182E731AB11E8447FEF3A1FB8AB54F814235DA9D53AA8DF3DE554C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F4190 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00007FF77FF7A56F4190(void* __ebx, void* __ecx, void* __eflags, long long __rbx, signed long long __rcx, intOrPtr* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t53;
				int _t56;
				short _t57;
				void* _t70;
				void* _t118;
				char* _t119;
				char* _t120;
				char* _t121;
				char* _t122;
				intOrPtr* _t125;
				char* _t134;
				signed long long _t144;
				long long _t147;
				intOrPtr* _t148;
				void* _t150;
				void* _t159;
				_Unknown_base(*)()* _t160;
				void* _t161;

				_t159 = __r9;
				_t141 = __rdi;
				_t70 = __ebx;
				_t118 = _t150;
				 *((long long*)(_t118 + 8)) = __rbx;
				 *((long long*)(_t118 + 0x10)) = _t147;
				 *((long long*)(_t118 + 0x18)) = __rsi;
				 *((long long*)(_t118 + 0x20)) = __rdi;
				_t161 = __r8;
				_t148 = __rdx;
				_t144 = __rcx;
				E00007FF77FF7A56EB93C(__ecx, __eflags, _t118);
				_t5 = _t118 + 0x140; // 0x140
				_t125 = _t5;
				if (__rcx != 0) goto 0xa56f41cf;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) | 0x00000104;
				goto 0xa56f42b2;
				_t119 = __rcx + 0x40;
				 *_t125 = __rcx;
				 *((long long*)(_t125 + 8)) = _t119;
				if (_t119 == 0) goto 0xa56f41f9;
				if ( *_t119 == 0) goto 0xa56f41f9;
				_t10 = _t125 + 8; // 0x148
				E00007FF77FF7A56F39B4(0x16, _t125, 0xa5712940, __rdi, __rcx, _t10);
				_t120 =  *_t125;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) & 0x00000000;
				if (_t120 == 0) goto 0xa56f426e;
				if ( *_t120 == 0) goto 0xa56f426e;
				_t121 =  *((intOrPtr*)(_t125 + 8));
				if (_t121 == 0) goto 0xa56f4222;
				if ( *_t121 == 0) goto 0xa56f4222;
				E00007FF77FF7A56F4090(_t121, _t125);
				goto 0xa56f422a;
				E00007FF77FF7A56F4124(_t121, _t125);
				if ( *(_t125 + 0x10) != 0) goto 0xa56f42c8;
				if (E00007FF77FF7A56F39B4(0x40, _t125, 0xa5712530, _t141, _t144, _t125) == 0) goto 0xa56f42be;
				_t122 =  *((intOrPtr*)(_t125 + 8));
				if (_t122 == 0) goto 0xa56f4264;
				if ( *_t122 == 0) goto 0xa56f4264;
				E00007FF77FF7A56F4090(_t122, _t125);
				goto 0xa56f42be;
				_t53 = E00007FF77FF7A56F4124(_t122, _t125);
				goto 0xa56f42be;
				_t134 =  *((intOrPtr*)(_t125 + 8));
				if (_t134 == 0) goto 0xa56f42ab;
				if ( *_t134 == 0) goto 0xa56f42ab;
				E00007FF77FF7A56E70C0(_t53, _t134);
				 *(_t125 + 0x1c) = 0 | _t122 == 0x00000003;
				EnumSystemLocalesA(_t160);
				if (( *(_t125 + 0x10) & 0x00000004) != 0) goto 0xa56f42be;
				 *(_t125 + 0x10) =  *(_t125 + 0x10) & 0x00000000;
				goto 0xa56f42be;
				 *(_t125 + 0x10) = 0x104;
				_t56 = GetUserDefaultLCID();
				 *(_t125 + 0x20) = _t56;
				 *(_t125 + 0x24) = _t56;
				if ( *(_t125 + 0x10) == 0) goto 0xa56f43db;
				asm("dec eax");
				_t57 = E00007FF77FF7A56F3A4C(_t70, _t122 == 3, _t125, 0x7ff7a56f3b50 & _t144 + 0x00000080, _t125, _t159);
				if (_t57 == 0) goto 0xa56f43db;
				if (_t57 == 0xfde8) goto 0xa56f43db;
				if (_t57 == 0xfde9) goto 0xa56f43db;
				if (IsValidCodePage(??) == 0) goto 0xa56f43db;
				if (IsValidLocale(??, ??) == 0) goto 0xa56f43db;
				if (_t148 == 0) goto 0xa56f4340;
				 *_t148 =  *(_t125 + 0x20) & 0x0000ffff;
				 *((short*)(_t148 + 4)) = _t57;
				 *((short*)(_t148 + 2)) =  *(_t125 + 0x24) & 0x0000ffff;
				if (_t161 == 0) goto 0xa56f43d4;
				if ( *_t148 != 0x814) goto 0xa56f4383;
				if (E00007FF77FF7A56EB72C(_t144 + 0x80, _t161, _t125,  ~_t144, _t148, "Norwegian-Nynorsk") == 0) goto 0xa56f439e;
				 *(_t150 - 0x30 + 0x20) =  *(_t150 - 0x30 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				goto 0xa56f439e;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0xa56f43db;
				r9d = 0x40;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0xa56f43db;
				r9d = 0xa;
				_t42 = _t159 + 6; // 0x6
				r8d = _t42;
				E00007FF77FF7A56E6228(_t57);
				goto 0xa56f43dd;
				return 0;
			}

0x7ff7a56f4190
0x7ff7a56f4190
0x7ff7a56f4190
0x7ff7a56f4190
0x7ff7a56f4193
0x7ff7a56f4197
0x7ff7a56f419b
0x7ff7a56f419f
0x7ff7a56f41a9
0x7ff7a56f41ac
0x7ff7a56f41af
0x7ff7a56f41b2
0x7ff7a56f41b7
0x7ff7a56f41b7
0x7ff7a56f41c1
0x7ff7a56f41c3
0x7ff7a56f41ca
0x7ff7a56f41cf
0x7ff7a56f41d3
0x7ff7a56f41d6
0x7ff7a56f41dd
0x7ff7a56f41e2
0x7ff7a56f41e4
0x7ff7a56f41f4
0x7ff7a56f41f9
0x7ff7a56f41fc
0x7ff7a56f4203
0x7ff7a56f4208
0x7ff7a56f420a
0x7ff7a56f4211
0x7ff7a56f4216
0x7ff7a56f421b
0x7ff7a56f4220
0x7ff7a56f4225
0x7ff7a56f422e
0x7ff7a56f424a
0x7ff7a56f424c
0x7ff7a56f4253
0x7ff7a56f4258
0x7ff7a56f425d
0x7ff7a56f4262
0x7ff7a56f4267
0x7ff7a56f426c
0x7ff7a56f426e
0x7ff7a56f4275
0x7ff7a56f427a
0x7ff7a56f427c
0x7ff7a56f428f
0x7ff7a56f4299
0x7ff7a56f42a3
0x7ff7a56f42a5
0x7ff7a56f42a9
0x7ff7a56f42ab
0x7ff7a56f42b2
0x7ff7a56f42b8
0x7ff7a56f42bb
0x7ff7a56f42c2
0x7ff7a56f42d5
0x7ff7a56f42db
0x7ff7a56f42e4
0x7ff7a56f42ef
0x7ff7a56f42fa
0x7ff7a56f430b
0x7ff7a56f4321
0x7ff7a56f432a
0x7ff7a56f4330
0x7ff7a56f4338
0x7ff7a56f433c
0x7ff7a56f4343
0x7ff7a56f4352
0x7ff7a56f436a
0x7ff7a56f436c
0x7ff7a56f4372
0x7ff7a56f4375
0x7ff7a56f437c
0x7ff7a56f4381
0x7ff7a56f4386
0x7ff7a56f439c
0x7ff7a56f43ab
0x7ff7a56f43b9
0x7ff7a56f43bb
0x7ff7a56f43cb
0x7ff7a56f43cb
0x7ff7a56f43cf
0x7ff7a56f43d9
0x7ff7a56f43f7

APIs

_getptd.LIBCMT ref: 00007FF7A56F41B2
GetUserDefaultLCID.KERNEL32(?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F42B2
IsValidCodePage.KERNEL32(?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F4303
IsValidLocale.KERNEL32(?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F4319
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F4394
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F43B1
_itow_s.LIBCMT ref: 00007FF7A56F43CF

Strings

Norwegian-Nynorsk, xrefs: 00007FF7A56F4354

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Locale$InfoValid$CodeDefaultPageUser_getptd_itow_s
String ID: Norwegian-Nynorsk
API String ID: 2273835618-461349085
Opcode ID: cf4e325a6d4d68f7bfb079dc3385f1bf38945245c1b1c03b25c738e8f555b466
Instruction ID: 7571ce1fba559da564b59f26392996bedf2f0f769425c5b46bb99c92d7719a48
Opcode Fuzzy Hash: cf4e325a6d4d68f7bfb079dc3385f1bf38945245c1b1c03b25c738e8f555b466
Instruction Fuzzy Hash: D9616423E0A74286FB65AF21D40037CA2A2BF46F45F8A9035DA4D46AF5DF7CE549C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F0D44 Relevance: 15.1, APIs: 10, Instructions: 106
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7A56F0D44(signed int __ecx, void* __edi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t45;
				void* _t59;
				void* _t63;
				signed int* _t69;
				signed int* _t70;
				long long _t71;
				signed long long _t85;
				void* _t86;
				signed long long _t88;

				_t83 = __r8;
				_t79 = __rbp;
				_t77 = __rsi;
				_t74 = __rdx;
				_t73 = __rcx;
				_t71 = __rbx;
				_t59 = __edi;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				_t86 = __rdx;
				_t76 = __ecx;
				if (__edi != 0xfffffffe) goto 0xa56f0d89;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax = 0;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f0e9e;
				if (__edi < 0) goto 0xa56f0e75;
				_t63 = _t59 -  *0xa57289c0; // 0x20
				if (_t63 >= 0) goto 0xa56f0e75;
				_t88 = __ecx >> 5;
				r12d = r12d & 0x0000001f;
				_t85 = __ecx * 0x58;
				_t69 =  *((intOrPtr*)(0xa57289e0 + _t88 * 8));
				if (_t63 != 0) goto 0xa56f0df5;
				E00007FF77FF7A56E78CC(_t69);
				 *_t69 = 0;
				E00007FF77FF7A56E78AC(_t69);
				 *_t69 = 9;
				_v56 = __rbx;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t69, __rbx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0xa56f0e9e;
				if ((0 | r8d - 0x7fffffff < 0x00000000) != 0) goto 0xa56f0e30;
				E00007FF77FF7A56E78CC(_t69);
				 *_t69 = 0;
				E00007FF77FF7A56E78AC(_t69);
				 *_t69 = 0x16;
				_v56 = _t71;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t69, _t71, _t73, _t74, _t77, _t79, _t83);
				goto 0xa56f0e9e;
				_t34 = E00007FF77FF7A56F593C(0, __edi, _t71, _t76, _t77, _t85);
				_t70 =  *((intOrPtr*)(0xa57289e0 + _t88 * 8));
				if (( *(_t70 + _t85 + 8) & 0x00000001) == 0) goto 0xa56f0e55;
				_t45 = E00007FF77FF7A56F05C4(_t34, _t59, r8d, _t86, _t83);
				goto 0xa56f0e6a;
				E00007FF77FF7A56E78AC(_t70);
				 *_t70 = 9;
				E00007FF77FF7A56E78CC(_t70);
				 *_t70 = _t45;
				E00007FF77FF7A56F59E4();
				goto 0xa56f0e9e;
				E00007FF77FF7A56E78CC(_t70);
				 *_t70 = _t45 | 0xffffffff;
				E00007FF77FF7A56E78AC(_t70);
				 *_t70 = 9;
				_v56 = _t71;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t70, _t71, _t73, _t86, _t77, _t79, _t83) | 0xffffffff;
			}

0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d44
0x7ff7a56f0d49
0x7ff7a56f0d4e
0x7ff7a56f0d62
0x7ff7a56f0d65
0x7ff7a56f0d6b
0x7ff7a56f0d6d
0x7ff7a56f0d74
0x7ff7a56f0d76
0x7ff7a56f0d7b
0x7ff7a56f0d84
0x7ff7a56f0d8d
0x7ff7a56f0d93
0x7ff7a56f0d99
0x7ff7a56f0da5
0x7ff7a56f0db0
0x7ff7a56f0db4
0x7ff7a56f0db8
0x7ff7a56f0dc5
0x7ff7a56f0dc7
0x7ff7a56f0dcc
0x7ff7a56f0dce
0x7ff7a56f0dd3
0x7ff7a56f0dd9
0x7ff7a56f0dde
0x7ff7a56f0de1
0x7ff7a56f0de8
0x7ff7a56f0df0
0x7ff7a56f0e03
0x7ff7a56f0e05
0x7ff7a56f0e0a
0x7ff7a56f0e0c
0x7ff7a56f0e11
0x7ff7a56f0e17
0x7ff7a56f0e1c
0x7ff7a56f0e1f
0x7ff7a56f0e26
0x7ff7a56f0e2e
0x7ff7a56f0e32
0x7ff7a56f0e38
0x7ff7a56f0e42
0x7ff7a56f0e51
0x7ff7a56f0e53
0x7ff7a56f0e55
0x7ff7a56f0e5a
0x7ff7a56f0e60
0x7ff7a56f0e65
0x7ff7a56f0e6c
0x7ff7a56f0e73
0x7ff7a56f0e75
0x7ff7a56f0e7a
0x7ff7a56f0e7c
0x7ff7a56f0e81
0x7ff7a56f0e87
0x7ff7a56f0e8c
0x7ff7a56f0e8f
0x7ff7a56f0eb5

APIs

__doserrno.LIBCMT ref: 00007FF7A56F0D6D
_errno.LIBCMT ref: 00007FF7A56F0D76
__doserrno.LIBCMT ref: 00007FF7A56F0DC7
_errno.LIBCMT ref: 00007FF7A56F0DCE

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: ae8c6979646cd0df4c87d9af4eb6b8836ed11e81636247d6cf9537f00f559d2d
Instruction ID: c0f0d2c6af792f063950c402237037d7221d430fef78cdd39ee7b7bfa14de798
Opcode Fuzzy Hash: ae8c6979646cd0df4c87d9af4eb6b8836ed11e81636247d6cf9537f00f559d2d
Instruction Fuzzy Hash: C141F933E1A24286E3117F34984157EB653BF82F60F976634EA69077E6CE3DA404C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EBD28 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 137
fileCOMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 78%

			E00007FF77FF7A56EBD28(void* __ecx, long long __rbx, long long __rdi, void* __rsi, void* __rbp, void* __r9, long long __r13, long long _a8, void* _a16, long long _a24, long long _a32) {
				signed int _v24;
				void* _t38;
				void* _t47;
				void* _t68;
				void* _t93;
				void* _t104;
				void* _t122;
				void* _t131;

				_t131 = __r9;
				_t118 = __rbp;
				_t117 = __rsi;
				_a8 = __rbx;
				_a24 = __rdi;
				_a32 = __r13;
				_t68 = __ecx;
				if (__ecx ==  *0xa5720820) goto 0xa56ebd5a;
				if (1 - 0x17 < 0) goto 0xa56ebd4b;
				if (1 - 0x17 >= 0) goto 0xa56ebf37;
				if (E00007FF77FF7A56F1C68(3, 0x7ff7a5720830, __rbx, _t93, _t104, __rsi, __rbp, _t122) == 1) goto 0xa56ebef2;
				if (E00007FF77FF7A56F1C68(3, 0x7ff7a5720830, __rbx, _t93, _t104, __rsi, __rbp, _t122) != 0) goto 0xa56ebd91;
				if ( *0xa5720188 == 1) goto 0xa56ebef2;
				if (_t68 == 0xfc) goto 0xa56ebf37;
				r13d = 0x314;
				if (E00007FF77FF7A56EB72C(0x7ff7a5720830, 0xa5723660, __r13, __rsi, __rbp, "Runtime Error!\n\nProgram: ") == 0) goto 0xa56ebdd5;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				r8d = 0x104;
				 *0xa572377d = 0;
				if (GetModuleFileNameA(??, ??, ??) != 0) goto 0xa56ebe26;
				if (E00007FF77FF7A56EB72C(0x7ff7a5720830, 0xa5723679, 0xa5723679, __rsi, __rbp, "<program name unknown>") == 0) goto 0xa56ebe26;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				_t38 = E00007FF77FF7A56E70C0(E00007FF77FF7A56E4308(), 0xa5723679);
				if (0x7ff7a5720831 - 0x3c <= 0) goto 0xa56ebe81;
				E00007FF77FF7A56E70C0(_t38, 0xa5723679);
				r9d = 3;
				if (E00007FF77FF7A56F38DC(0x7ff7a5720831, 0xffef4ae43e6f, 0xffff80085a8dfb05, _t117, _t118, "...", _t131) == 0) goto 0xa56ebe81;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				if (E00007FF77FF7A56F3850(0x7ff7a5720831, 0xa5723660, __r13, _t117, _t118, "\n\n") == 0) goto 0xa56ebeac;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				if (E00007FF77FF7A56F3850(0x7ff7a5720831, 0xa5723660, __r13, _t117, _t118,  *0x7FF7A5720838) == 0) goto 0xa56ebedb;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				r8d = 0x12010;
				E00007FF77FF7A56F4B80(0x7ff7a5720831, __rbx, 0xa5723660, "Microsoft Visual C++ Runtime Library", _t118, _t131);
				goto 0xa56ebf37;
				_t47 = GetStdHandle(??);
				if (0x7ff7a5720831 == 0) goto 0xa56ebf37;
				if (0x7ff7a5720831 == 0xffffffff) goto 0xa56ebf37;
				E00007FF77FF7A56E70C0(_t47,  *((intOrPtr*)(0x7ff7a5720838)));
				_v24 = _v24 & 0x00000000;
				return WriteFile(??, ??, ??, ??, ??);
			}

0x7ff7a56ebd28
0x7ff7a56ebd28
0x7ff7a56ebd28
0x7ff7a56ebd28
0x7ff7a56ebd2d
0x7ff7a56ebd32
0x7ff7a56ebd44
0x7ff7a56ebd4d
0x7ff7a56ebd58
0x7ff7a56ebd5d
0x7ff7a56ebd70
0x7ff7a56ebd82
0x7ff7a56ebd8b
0x7ff7a56ebd97
0x7ff7a56ebda4
0x7ff7a56ebdbe
0x7ff7a56ebdc0
0x7ff7a56ebdc6
0x7ff7a56ebdc9
0x7ff7a56ebdd0
0x7ff7a56ebddc
0x7ff7a56ebde4
0x7ff7a56ebdf3
0x7ff7a56ebe0f
0x7ff7a56ebe11
0x7ff7a56ebe17
0x7ff7a56ebe1a
0x7ff7a56ebe2d
0x7ff7a56ebe39
0x7ff7a56ebe42
0x7ff7a56ebe5a
0x7ff7a56ebe6a
0x7ff7a56ebe6c
0x7ff7a56ebe72
0x7ff7a56ebe75
0x7ff7a56ebe7c
0x7ff7a56ebe95
0x7ff7a56ebe97
0x7ff7a56ebe9d
0x7ff7a56ebea0
0x7ff7a56ebea7
0x7ff7a56ebec4
0x7ff7a56ebec6
0x7ff7a56ebecc
0x7ff7a56ebecf
0x7ff7a56ebed6
0x7ff7a56ebee2
0x7ff7a56ebeeb
0x7ff7a56ebef0
0x7ff7a56ebef7
0x7ff7a56ebf03
0x7ff7a56ebf09
0x7ff7a56ebf16
0x7ff7a56ebf20
0x7ff7a56ebf4c

APIs

GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF7A56EBF84,?,?,?,?,00007FF7A56E48E5,?,?,00000000,00007FF7A56EA598), ref: 00007FF7A56EBDEB
GetStdHandle.KERNEL32(?,?,?,?,?,00007FF7A56EBF84,?,?,?,?,00007FF7A56E48E5,?,?,00000000,00007FF7A56EA598), ref: 00007FF7A56EBEF7
WriteFile.KERNEL32 ref: 00007FF7A56EBF31

Strings

<program name unknown>, xrefs: 00007FF7A56EBDF5
..., xrefs: 00007FF7A56EBE4E
Microsoft Visual C++ Runtime Library, xrefs: 00007FF7A56EBEDB
Runtime Error!Program: , xrefs: 00007FF7A56EBDAA

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: bdf2f308c5beea1c5eb5347bd727d01a46f02e2dd6c2599cccca75c08203b709
Instruction ID: b649922e2bad81b30cbfd1952c7783465eaae0fa86ee9b60475d20b565cb1f99
Opcode Fuzzy Hash: bdf2f308c5beea1c5eb5347bd727d01a46f02e2dd6c2599cccca75c08203b709
Instruction Fuzzy Hash: A751CF21E1B64381FB24B721A5557BAA352FF4AF94FC25235DE0C46AF1CE3DE1058620

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F55B0 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F560A
GetLastError.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F561C
GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F5667
malloc.LIBCMT ref: 00007FF7A56F56CC

Part of subcall function 00007FF7A56E48B0: _FF_MSGBANNER.LIBCMT ref: 00007FF7A56E48E0
Part of subcall function 00007FF7A56E48B0: RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7A56EA598,?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56E4905
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4929
Part of subcall function 00007FF7A56E48B0: _errno.LIBCMT ref: 00007FF7A56E4934

GetLocaleInfoW.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F56F9
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F5733
free.LIBCMT ref: 00007FF7A56F5747
GetLocaleInfoA.KERNEL32(?,?,?,?,?,?,00001004,00000000,?,00007FF7A56F57DA), ref: 00007FF7A56F575D

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: InfoLocale$_errno$AllocateByteCharErrorHeapLastMultiWidefreemalloc
String ID:
API String ID: 4202622830-0
Opcode ID: fe5207ceeda70ec711b59715bf62eec6586ad5d6bb0a9c1674ed90db119e1240
Instruction ID: 2e6f30b80618b8e4e365ce86f4241ce0c56dec02ae17287695792d9081dd0aed
Opcode Fuzzy Hash: fe5207ceeda70ec711b59715bf62eec6586ad5d6bb0a9c1674ed90db119e1240
Instruction Fuzzy Hash: A1518532E0A64286E760AF10AA4467DB392FB26F94FD51535DA2E137B4CF7CE8448710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E4050 Relevance: 12.1, APIs: 8, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 48%

			E00007FF77FF7A56E4050(signed int __ecx, void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				signed long long _v24;
				void* __rbx;
				void* _t16;
				intOrPtr* _t23;
				void* _t24;
				void* _t27;
				void* _t29;
				void* _t30;

				_t27 = __rdx;
				_t16 = __rcx -  *0xa5720430; // 0x4918c7c3922
				if (_t16 != 0) goto 0xa56e406a;
				asm("dec eax");
				if ((__ecx & 0x0000ffff) != 0) goto 0xa56e4066;
				asm("repe ret");
				asm("dec eax");
				goto 0xa56eb5e0;
				asm("int3");
				_push(_t24);
				_t23 = __r8;
				if (__r9 == 0) goto 0xa56e40c9;
				if (__rcx != 0) goto 0xa56e40a8;
				E00007FF77FF7A56E78AC(__r8);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *__r8 = 0x16;
				E00007FF77FF7A56E4430(__r8, _t24, __rcx, __rdx, _t29, _t30, __r8);
				goto 0xa56e40cb;
				if (_t23 == 0) goto 0xa56e4083;
				if (_t27 - __r9 >= 0) goto 0xa56e40be;
				E00007FF77FF7A56E78AC(_t23);
				goto 0xa56e408d;
				E00007FF77FF7A56EAE90(0, _t27 - __r9, _t26, _t23, __r9);
				return 0;
			}

0x7ff7a56e4050
0x7ff7a56e4050
0x7ff7a56e4057
0x7ff7a56e4059
0x7ff7a56e4062
0x7ff7a56e4064
0x7ff7a56e4066
0x7ff7a56e406a
0x7ff7a56e406f
0x7ff7a56e4070
0x7ff7a56e4076
0x7ff7a56e407c
0x7ff7a56e4081
0x7ff7a56e4083
0x7ff7a56e408d
0x7ff7a56e4093
0x7ff7a56e4096
0x7ff7a56e409d
0x7ff7a56e409f
0x7ff7a56e40a6
0x7ff7a56e40ab
0x7ff7a56e40b0
0x7ff7a56e40b2
0x7ff7a56e40bc
0x7ff7a56e40c4
0x7ff7a56e40d0

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7A56EB5F3
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7A56EB612
RtlVirtualUnwind.KERNEL32 ref: 00007FF7A56EB65E
IsDebuggerPresent.KERNEL32 ref: 00007FF7A56EB6D0
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56EB6E8
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56EB6F5
GetCurrentProcess.KERNEL32 ref: 00007FF7A56EB70E
TerminateProcess.KERNEL32 ref: 00007FF7A56EB71C

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerEntryFunctionLookupPresentTerminateUnwindVirtual
String ID:
API String ID: 3778485334-0
Opcode ID: e14f49882a9b6dccd73c3a84256284ea3c026c336a414e1e863b8d0485961774
Instruction ID: def017ddae7ad7b7e51277024fbe77c94a20f21c5e564b1212f75d10e124949d
Opcode Fuzzy Hash: e14f49882a9b6dccd73c3a84256284ea3c026c336a414e1e863b8d0485961774
Instruction Fuzzy Hash: 0D31063191AB46C5EA50AB55F840369B3A1FB8AF44FD25135DA8D52B74DF3DE084CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56FA758 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 171
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 83%

			E00007FF77FF7A56FA758(void* __eflags, long long __rbx, char* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t68;
				void* _t70;
				signed int _t99;
				signed int _t103;
				void* _t122;
				intOrPtr* _t129;
				intOrPtr _t130;
				signed long long _t136;
				char* _t138;
				char* _t154;
				char* _t155;
				char* _t160;
				long long _t167;
				intOrPtr* _t168;
				intOrPtr* _t170;
				void* _t171;
				void* _t179;
				long long _t181;
				void* _t183;

				_t173 = __r8;
				_t163 = __rsi;
				_t129 = _t170;
				 *((long long*)(_t129 + 8)) = __rbx;
				 *((long long*)(_t129 + 0x10)) = _t167;
				 *((long long*)(_t129 + 0x18)) = __rsi;
				 *((long long*)(_t129 + 0x20)) = __rdi;
				_t171 = _t170 - 0x50;
				_t179 = __rdx;
				_t160 = __rcx;
				r15d = r9d;
				_t136 = r8d;
				E00007FF77FF7A56E4E5C(_t129, _t129 - 0x38,  *((intOrPtr*)(_t171 + 0xa0)));
				r13d = 0;
				if (__rcx != _t181) goto 0xa56fa7d3;
				E00007FF77FF7A56E78AC(_t129);
				_t7 = _t181 + 0x16; // 0x16
				r9d = 0;
				r8d = 0;
				 *_t129 = _t7;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF77FF7A56E4430(_t129, _t136, _t129 - 0x38,  *((intOrPtr*)(_t171 + 0xa0)), __rsi, _t167, __r8, _t183, _t181);
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0xa56fa7cc;
				 *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56fa990;
				if (_t179 - _t181 > 0) goto 0xa56fa80d;
				E00007FF77FF7A56E78AC(_t129);
				r9d = 0;
				r8d = 0;
				 *_t129 = 0x16;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF77FF7A56E4430(_t129, _t136,  *((intOrPtr*)(_t171 + 0x40)),  *((intOrPtr*)(_t171 + 0xa0)), _t163, _t167, _t173);
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0xa56fa7cc;
				_t130 =  *((intOrPtr*)(_t171 + 0x40));
				 *(_t130 + 0xc8) =  *(_t130 + 0xc8) & 0xfffffffd;
				goto 0xa56fa7cc;
				_t67 =  >  ? 0x16 : r13d;
				_t68 = ( >  ? 0x16 : r13d) + 9;
				if (_t179 - _t130 > 0) goto 0xa56fa82f;
				_t70 = E00007FF77FF7A56E78AC(_t130);
				goto 0xa56fa7a3;
				_t168 =  *((intOrPtr*)(_t171 + 0x90));
				if ( *((intOrPtr*)(_t171 + 0x98)) == r13b) goto 0xa56fa877;
				sil =  *_t168 == 0x2d;
				r13b = 0x22 > 0;
				if (r13d == 0) goto 0xa56fa874;
				E00007FF77FF7A56E70C0(_t70, _t181 + _t160);
				_t20 = _t130 + 1; // 0x1
				E00007FF77FF7A56EAE90(0, r13d, r13d + _t181 + _t160, _t181 + _t160, _t20);
				r13d = 0;
				if ( *_t168 != 0x2d) goto 0xa56fa887;
				 *_t160 = 0x2d;
				_t154 = _t160 + 1;
				if (0x22 - r13d <= 0) goto 0xa56fa8a7;
				 *_t154 =  *((intOrPtr*)(_t154 + 1));
				_t155 = _t154 + 1;
				 *_t155 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x30)) + 0x128))))));
				_t138 = _t136 + _t155 + _t181;
				_t157 =  ==  ? _t179 : _t179 + _t160 - _t138;
				if (E00007FF77FF7A56EB72C( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x30)) + 0x128)))), _t138,  ==  ? _t179 : _t179 + _t160 - _t138, _t181 + _t160, _t168, "e+000") == r13d) goto 0xa56fa8f2;
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t171 + 0x20)) = _t181;
				E00007FF77FF7A56E4308();
				if (r15d == r13d) goto 0xa56fa8fe;
				 *_t138 = 0x45;
				_t122 =  *((char*)( *((intOrPtr*)(_t168 + 0x10)))) - 0x30;
				if (_t122 == 0) goto 0xa56fa95e;
				r8d =  *(_t168 + 4);
				r8d = r8d - 1;
				if (_t122 >= 0) goto 0xa56fa918;
				r8d =  ~r8d;
				 *((char*)(_t138 + 1)) = 0x2d;
				if (r8d - 0x64 < 0) goto 0xa56fa939;
				_t99 = (0x51eb851f * r8d >> 0x20 >> 5) + (0x51eb851f * r8d >> 0x20 >> 5 >> 0x1f);
				 *((intOrPtr*)(_t138 + 2)) =  *((intOrPtr*)(_t138 + 2)) + _t99;
				r8d = r8d + _t99 * 0xffffff9c;
				if (r8d - 0xa < 0) goto 0xa56fa95a;
				_t103 = (0x66666667 * r8d >> 0x20 >> 2) + (0x66666667 * r8d >> 0x20 >> 2 >> 0x1f);
				 *((intOrPtr*)(_t138 + 3)) =  *((intOrPtr*)(_t138 + 3)) + _t103;
				r8d = r8d + _t103 * 0xfffffff6;
				 *((intOrPtr*)(_t138 + 4)) =  *((intOrPtr*)(_t138 + 4)) + r8b;
				if (( *0xa5724108 & 0x00000001) == 0) goto 0xa56fa97b;
				if ( *((char*)(_t138 + 2)) != 0x30) goto 0xa56fa97b;
				r8d = 3;
				E00007FF77FF7A56EAE90(0,  *((char*)(_t138 + 2)) - 0x30, _t138 + 2, _t138 + 3, "e+000");
				if ( *((intOrPtr*)(_t171 + 0x48)) == r13b) goto 0xa56fa98e;
				 *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t171 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff7a56fa758
0x7ff7a56fa758
0x7ff7a56fa758
0x7ff7a56fa75b
0x7ff7a56fa75f
0x7ff7a56fa763
0x7ff7a56fa767
0x7ff7a56fa771
0x7ff7a56fa775
0x7ff7a56fa780
0x7ff7a56fa787
0x7ff7a56fa78a
0x7ff7a56fa78d
0x7ff7a56fa792
0x7ff7a56fa798
0x7ff7a56fa79a
0x7ff7a56fa79f
0x7ff7a56fa7a3
0x7ff7a56fa7a6
0x7ff7a56fa7ad
0x7ff7a56fa7af
0x7ff7a56fa7b4
0x7ff7a56fa7be
0x7ff7a56fa7c5
0x7ff7a56fa7ce
0x7ff7a56fa7d6
0x7ff7a56fa7d8
0x7ff7a56fa7e2
0x7ff7a56fa7e5
0x7ff7a56fa7ec
0x7ff7a56fa7ee
0x7ff7a56fa7f3
0x7ff7a56fa7fd
0x7ff7a56fa7ff
0x7ff7a56fa804
0x7ff7a56fa80b
0x7ff7a56fa813
0x7ff7a56fa816
0x7ff7a56fa81e
0x7ff7a56fa820
0x7ff7a56fa82a
0x7ff7a56fa82f
0x7ff7a56fa83f
0x7ff7a56fa848
0x7ff7a56fa851
0x7ff7a56fa858
0x7ff7a56fa85d
0x7ff7a56fa868
0x7ff7a56fa86f
0x7ff7a56fa874
0x7ff7a56fa87e
0x7ff7a56fa880
0x7ff7a56fa883
0x7ff7a56fa88a
0x7ff7a56fa88f
0x7ff7a56fa896
0x7ff7a56fa8a5
0x7ff7a56fa8bf
0x7ff7a56fa8d0
0x7ff7a56fa8dc
0x7ff7a56fa8de
0x7ff7a56fa8e1
0x7ff7a56fa8e8
0x7ff7a56fa8ed
0x7ff7a56fa8f9
0x7ff7a56fa8fb
0x7ff7a56fa902
0x7ff7a56fa905
0x7ff7a56fa907
0x7ff7a56fa90b
0x7ff7a56fa90f
0x7ff7a56fa911
0x7ff7a56fa914
0x7ff7a56fa91c
0x7ff7a56fa92e
0x7ff7a56fa930
0x7ff7a56fa936
0x7ff7a56fa93d
0x7ff7a56fa94f
0x7ff7a56fa951
0x7ff7a56fa957
0x7ff7a56fa95a
0x7ff7a56fa965
0x7ff7a56fa96a
0x7ff7a56fa970
0x7ff7a56fa976
0x7ff7a56fa980
0x7ff7a56fa987
0x7ff7a56fa9ae

APIs

Part of subcall function 00007FF7A56E4E5C: _getptd.LIBCMT ref: 00007FF7A56E4E72

_errno.LIBCMT ref: 00007FF7A56FA79A

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_errno.LIBCMT ref: 00007FF7A56FA7D8
_errno.LIBCMT ref: 00007FF7A56FA820

Strings

e+000, xrefs: 00007FF7A56FA8B2
-, xrefs: 00007FF7A56FA914
gfff, xrefs: 00007FF7A56FA93F

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: -$e+000$gfff
API String ID: 2834218312-2620144452
Opcode ID: 6a11d317345159555b390f4911d319f69cbeb2ee95697cea1cf0a9819997a2cf
Instruction ID: 6d4004a05a8f53ff6306601409f5130c494446c3e99d03d37b7b991e93980ed9
Opcode Fuzzy Hash: 6a11d317345159555b390f4911d319f69cbeb2ee95697cea1cf0a9819997a2cf
Instruction Fuzzy Hash: 4F614D27F1A2C186E7609B35A44166EB793FB86F44F8AA231DA5C07BE5CE3DD449C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F4FCC Relevance: 10.6, APIs: 7, Instructions: 138
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 78%

			E00007FF77FF7A56F4FCC(intOrPtr* __rax, long long __rbx, signed int* __rcx, void* __rdx, void* __r8, long long _a8, signed int _a32, intOrPtr _a40) {
				intOrPtr _v32;
				intOrPtr _v40;
				char _v56;
				long long _v88;
				void* __rsi;
				void* __rbp;
				intOrPtr* _t41;
				void* _t51;
				void* _t52;
				long long _t53;

				_t41 = __rax;
				_a8 = __rbx;
				_a32 = r9w;
				_t51 = __r8;
				_t52 = __rdx;
				if (__rdx != _t53) goto 0xa56f5001;
				if (__r8 - _t53 <= 0) goto 0xa56f5001;
				if (__rcx == _t53) goto 0xa56f4ffa;
				 *__rcx = 0;
				goto 0xa56f50a5;
				if (__rcx == _t53) goto 0xa56f5009;
				 *__rcx =  *__rcx | 0xffffffff;
				if (__r8 - 0x7fffffff <= 0) goto 0xa56f5036;
				E00007FF77FF7A56E78AC(__rax);
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				_v88 = _t53;
				E00007FF77FF7A56E4430(__rax, __rcx, __rcx, __rdx, __rdx, _t53, __r8);
				goto 0xa56f50a5;
				E00007FF77FF7A56E4E5C(__rax,  &_v56, _a40);
				if ( *((intOrPtr*)(_v56 + 0x14)) != 0) goto 0xa56f5124;
				if ((_a32 & 0x0000ffff) - 0xff <= 0) goto 0xa56f50b5;
				if (_t52 == _t53) goto 0xa56f5080;
				if (_t51 - _t53 <= 0) goto 0xa56f5080;
				E00007FF77FF7A56EB240(_a32 & 0x0000ffff, 0xff, 0, _t52, _a40, _t51);
				E00007FF77FF7A56E78AC(_t41);
				 *_t41 = 0x2a;
				E00007FF77FF7A56E78AC(_t41);
				if (_v32 == bpl) goto 0xa56f50a5;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				return  *_t41;
			}

0x7ff7a56f4fcc
0x7ff7a56f4fcc
0x7ff7a56f4fd1
0x7ff7a56f4fe0
0x7ff7a56f4fe3
0x7ff7a56f4fec
0x7ff7a56f4ff1
0x7ff7a56f4ff6
0x7ff7a56f4ff8
0x7ff7a56f4ffc
0x7ff7a56f5004
0x7ff7a56f5006
0x7ff7a56f5010
0x7ff7a56f5012
0x7ff7a56f501c
0x7ff7a56f501f
0x7ff7a56f5026
0x7ff7a56f5028
0x7ff7a56f502d
0x7ff7a56f5034
0x7ff7a56f5043
0x7ff7a56f5051
0x7ff7a56f5067
0x7ff7a56f506c
0x7ff7a56f5071
0x7ff7a56f507b
0x7ff7a56f5080
0x7ff7a56f5085
0x7ff7a56f508b
0x7ff7a56f5097
0x7ff7a56f509e
0x7ff7a56f50b4

APIs

_errno.LIBCMT ref: 00007FF7A56F5012
_errno.LIBCMT ref: 00007FF7A56F5080
_errno.LIBCMT ref: 00007FF7A56F508B
_errno.LIBCMT ref: 00007FF7A56F50BF
WideCharToMultiByte.KERNEL32 ref: 00007FF7A56F515A
GetLastError.KERNEL32 ref: 00007FF7A56F517A
_errno.LIBCMT ref: 00007FF7A56F51A0

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$ByteCharErrorLastMultiWide
String ID:
API String ID: 3895584640-0
Opcode ID: e3ab19df20f39bfc49d13db797055911675bc5e6ef2466dfda626c9a0c4a69ea
Instruction ID: 421e5dfcf3c482df44242f6a57a3be76a608cae02131233c2e8f6c587dd1108f
Opcode Fuzzy Hash: e3ab19df20f39bfc49d13db797055911675bc5e6ef2466dfda626c9a0c4a69ea
Instruction Fuzzy Hash: 9E51F833E0E2828AE770AF24E54077EF752EBA2F50FD55131D68D02AE5DE2C98458725

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E4308 Relevance: 9.1, APIs: 6, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 17%

			E00007FF77FF7A56E4308() {
				void* _v0;
				long long _v992;
				long long _v1088;
				char _v1240;
				long long _v1384;
				char _v1396;
				signed int _v1400;
				char _v1416;
				char _v1424;
				long long _v1432;
				long long _v1440;
				void* _v1448;
				signed long long _v1456;
				long long _v1464;
				long long _v1472;
				long long _v1480;
				void* _t30;
				int _t32;
				void* _t39;
				long long _t48;
				void* _t61;
				void* _t64;

				_v1400 = _v1400 & 0x00000000;
				r8d = 0x94;
				E00007FF77FF7A56EB240(_t30, _t39, 0,  &_v1396, _t61, _t64);
				_t48 =  &_v1240;
				_v1440 =  &_v1400;
				_v1432 = _t48;
				__imp__RtlCaptureContext();
				r8d = 0;
				0xa56fa26c();
				if (_t48 == 0) goto 0xa56e43a5;
				_v1456 = _v1456 & 0x00000000;
				_v1464 =  &_v1416;
				_v1472 =  &_v1424;
				_v1480 =  &_v1240;
				0xa56fa266();
				goto 0xa56e43c5;
				_v992 = _v0;
				_v1088 =  &_v0;
				_v1400 = 0xc0000417;
				_v1396 = 1;
				_v1384 = _v0;
				_t32 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(??);
				if (UnhandledExceptionFilter(??) != 0) goto 0xa56e4410;
				if (_t32 != 0) goto 0xa56e4410;
				E00007FF77FF7A56EB7A0(_t34);
				GetCurrentProcess();
				return TerminateProcess(??, ??);
			}

0x7ff7a56e4311
0x7ff7a56e431d
0x7ff7a56e4323
0x7ff7a56e432d
0x7ff7a56e433d
0x7ff7a56e4342
0x7ff7a56e4347
0x7ff7a56e435d
0x7ff7a56e4360
0x7ff7a56e4368
0x7ff7a56e436a
0x7ff7a56e437a
0x7ff7a56e4387
0x7ff7a56e4397
0x7ff7a56e439e
0x7ff7a56e43a3
0x7ff7a56e43ad
0x7ff7a56e43bd
0x7ff7a56e43cd
0x7ff7a56e43d5
0x7ff7a56e43dd
0x7ff7a56e43e5
0x7ff7a56e43ef
0x7ff7a56e4402
0x7ff7a56e4406
0x7ff7a56e440b
0x7ff7a56e4410
0x7ff7a56e442c

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7A56E4347
IsDebuggerPresent.KERNEL32 ref: 00007FF7A56E43E5
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56E43EF
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7A56E43FA
GetCurrentProcess.KERNEL32 ref: 00007FF7A56E4410
TerminateProcess.KERNEL32 ref: 00007FF7A56E441E

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CaptureContextCurrentDebuggerPresentTerminate
String ID:
API String ID: 1269745586-0
Opcode ID: 9acd44f4c9021e6a40fc53f3eba1dfe77eba2fb851b38d84d1ef46dfb6a26ca4
Instruction ID: aa9e912b04d08d2c7d3bc2f834189edbe036a9f0b6bc30f015038b2d175477b6
Opcode Fuzzy Hash: 9acd44f4c9021e6a40fc53f3eba1dfe77eba2fb851b38d84d1ef46dfb6a26ca4
Instruction Fuzzy Hash: 5A31523261EB82C6EA649B50F4403AEB3A0FB89B45F810135DA8D43B65EF3CD548CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56FAABC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 298
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7A56FAABC(void* __eflags, long long __rbx, unsigned int* __rcx, char* __rdx, long long __rdi, void* __rsi, void* __r8, void* __r9, void* __r10, void* __r11, long long __r12) {
				void* _t93;
				char _t94;
				signed char _t95;
				signed int _t123;
				signed int _t124;
				signed int _t138;
				void* _t139;
				intOrPtr* _t176;
				signed long long _t180;
				intOrPtr* _t196;
				signed int* _t197;
				void* _t209;
				signed long long _t215;
				signed long long _t224;
				void* _t225;
				signed long long _t230;
				signed long long _t232;
				signed long long _t233;
				signed long long _t236;
				signed long long _t237;
				char* _t242;
				char* _t243;
				intOrPtr* _t244;
				void* _t245;
				intOrPtr* _t246;
				char* _t247;
				void* _t248;
				char* _t250;
				void* _t251;
				char* _t252;
				char* _t253;
				char* _t254;
				char* _t255;
				long long _t258;
				intOrPtr* _t260;
				void* _t261;
				char* _t268;
				void* _t270;
				void* _t271;
				void* _t275;
				unsigned int* _t276;
				long long _t278;
				intOrPtr* _t279;
				void* _t281;

				_t271 = __r11;
				_t270 = __r10;
				_t263 = __r8;
				_t257 = __rsi;
				_t176 = _t260;
				 *((long long*)(_t176 + 8)) = __rbx;
				 *((long long*)(_t176 + 0x10)) = _t258;
				 *((long long*)(_t176 + 0x18)) = __rdi;
				 *((long long*)(_t176 + 0x20)) = __r12;
				_t261 = _t260 - 0x50;
				_t242 = __rdx;
				_t276 = __rcx;
				_t209 = __r8;
				r15d = 0x3ff;
				r12d = 0x30;
				E00007FF77FF7A56E4E5C(_t176, _t176 - 0x38,  *((intOrPtr*)(_t261 + 0x98)));
				r14d = 0;
				_t138 =  <  ? r14d : r9d;
				if (__rdx != _t278) goto 0xa56fab4b;
				E00007FF77FF7A56E78AC(_t176);
				r9d = 0;
				r8d = 0;
				 *_t176 = __r12 - 0x1a;
				 *((long long*)(_t261 + 0x20)) = _t278;
				E00007FF77FF7A56E4430(_t176, __r8, _t176 - 0x38,  *((intOrPtr*)(_t261 + 0x98)), __rsi, _t258, __r8, _t281, _t278);
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0xa56fab44;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56faec6;
				if (_t209 - _t278 > 0) goto 0xa56fab85;
				E00007FF77FF7A56E78AC(_t176);
				r9d = 0;
				r8d = 0;
				 *_t176 = 0x16;
				 *((long long*)(_t261 + 0x20)) = _t278;
				E00007FF77FF7A56E4430(_t176, _t209,  *((intOrPtr*)(_t261 + 0x40)),  *((intOrPtr*)(_t261 + 0x98)), _t257, _t258, _t263);
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0xa56fab44;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56fab44;
				 *_t242 = r14b;
				_t215 = _t258 + 0xb;
				if (_t209 - _t215 > 0) goto 0xa56faba2;
				E00007FF77FF7A56E78AC( *((intOrPtr*)(_t261 + 0x40)));
				goto 0xa56fab1b;
				_t180 =  *_t276 >> 0x00000034 & _t215;
				if (_t180 != _t215) goto 0xa56fac56;
				_t20 = _t242 + 2; // 0x401
				_t230 = _t20;
				r9d = _t138;
				_t265 =  ==  ? _t209 : _t209 - 2;
				 *((long long*)(_t261 + 0x28)) = _t278;
				 *((intOrPtr*)(_t261 + 0x20)) = r14d;
				if (E00007FF77FF7A56FA9B0(0x22, _t276, _t230, _t258,  ==  ? _t209 : _t209 - 2, _t275) == r14d) goto 0xa56fac04;
				 *_t242 = r14b;
				if ( *((intOrPtr*)(_t261 + 0x48)) == r14b) goto 0xa56faec6;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56faec6;
				if ( *((char*)(_t242 + 2)) != 0x2d) goto 0xa56fac10;
				 *_t242 = 0x2d;
				_t243 = _t242 + 1;
				 *_t243 = 0x30;
				asm("sbb cl, cl");
				 *((char*)(_t243 + 1)) = 0x158;
				_t30 = _t243 + 2; // 0x402
				E00007FF77FF7A56FB3A4(0x65, _t30,  ==  ? _t209 : _t209 - 2);
				if (_t180 == _t278) goto 0xa56fac4c;
				asm("sbb cl, cl");
				 *_t180 = 0xb0;
				 *((intOrPtr*)(_t180 + 3)) = r14b;
				goto 0xa56faeb6;
				if (( *_t276 & 0x00000000) == 0) goto 0xa56fac6c;
				 *_t243 = 0x2d;
				_t244 = _t243 + 1;
				r9d =  *(_t261 + 0x90);
				r11d = 0x30;
				 *_t244 = r11b;
				asm("sbb cl, cl");
				asm("sbb edx, edx");
				 *((char*)(_t244 + 1)) = 0x118;
				if (( *_t276 & 0x00000000) != 0) goto 0xa56facd2;
				 *((intOrPtr*)(_t244 + 2)) = r11b;
				_t245 = _t244 + 3;
				asm("dec ebp");
				r15d = r15d & 0x000003fe;
				goto 0xa56facda;
				 *((char*)(_t245 + 2)) = 0x31;
				_t246 = _t245 + 3;
				r10d = 0;
				_t279 = _t246;
				_t247 = _t246 + 1;
				if (_t138 != r10d) goto 0xa56faced;
				 *_t279 = r10b;
				goto 0xa56fad01;
				 *_t279 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t261 + 0x30)) + 0x128))))));
				if (( *_t276 & 0xffffffff) <= 0) goto 0xa56fad9b;
				if (_t138 - r10d <= 0) goto 0xa56fad4d;
				_t93 =  ~r9d + r11w;
				if (_t93 - 0x39 <= 0) goto 0xa56fad37;
				_t94 = _t93 + 0xffffffff00000087;
				r12w = r12w + 0xfffc;
				 *_t247 = _t94;
				_t248 = _t247 + 1;
				_t139 = _t138 - 1;
				if (r12w - r10w >= 0) goto 0xa56fad15;
				if (r12w - r10w < 0) goto 0xa56fad9b;
				if (_t94 - 8 <= 0) goto 0xa56fad9b;
				_t45 = _t248 - 1; // 0x3fc
				_t196 = _t45;
				if ( *_t196 == 0x66) goto 0xa56fad77;
				if ( *_t196 != 0x46) goto 0xa56fad7f;
				 *_t196 = r11b;
				_t197 = _t196 - 1;
				goto 0xa56fad6d;
				if (_t197 == _t279) goto 0xa56fad98;
				_t123 =  *_t197;
				if (_t123 != 0x39) goto 0xa56fad92;
				 *_t197 = 0xffffffff000000c1;
				goto 0xa56fad9b;
				_t124 = _t123 + 1;
				 *_t197 = _t124;
				goto 0xa56fad9b;
				 *((char*)(_t197 - 1)) =  *((char*)(_t197 - 1)) + 1;
				if (_t139 - r10d <= 0) goto 0xa56fadc2;
				r8d = _t139;
				_t95 = E00007FF77FF7A56EB240(_t94, _t124, r11b, _t248, _t230, 0 >> 4);
				r9d =  *(_t261 + 0x90);
				r10d = 0;
				_t49 = _t270 + 0x30; // 0x30
				r11d = _t49;
				_t250 =  ==  ? _t279 : _t248 + 0xffffffff;
				r9d =  ~r9d;
				asm("sbb al, al");
				 *_t250 = (_t95 & 0x000000e0) + 0x70;
				if ( *_t279 - r10b < 0) goto 0xa56fadf1;
				 *((char*)(_t250 + 1)) = 0x2b;
				_t251 = _t250 + 2;
				goto 0xa56fadfc;
				 *((char*)(_t251 + 1)) = 0x2d;
				_t252 = _t251 + 2;
				_t224 =  ~(( *_t276 >> 0x34) - _t281);
				_t268 = _t252;
				 *_t252 = r11b;
				if (_t224 - 0x3e8 < 0) goto 0xa56fae3e;
				_t232 = (_t230 >> 7) + (_t230 >> 7 >> 0x3f);
				_t233 = _t232 * 0xfffffc18;
				 *_t252 = _t271 + _t232;
				_t253 = _t252 + 1;
				_t225 = _t224 + _t233;
				if (_t253 != _t268) goto 0xa56fae44;
				if (_t225 - 0x64 < 0) goto 0xa56fae72;
				_t236 = (_t233 + _t225 >> 6) + (_t233 + _t225 >> 6 >> 0x3f);
				_t237 = _t236 * 0xffffff9c;
				 *_t253 = _t271 + _t236;
				_t254 = _t253 + 1;
				if (_t254 != _t268) goto 0xa56fae7d;
				if (_t225 + _t237 - 0xa < 0) goto 0xa56faea8;
				 *_t254 = _t271 + (_t237 >> 2) + (_t237 >> 2 >> 0x3f);
				_t255 = _t254 + 1;
				 *_t255 = (_t124 & 0x000007ff) + r11b;
				 *((intOrPtr*)(_t255 + 1)) = r10b;
				if ( *((intOrPtr*)(_t261 + 0x48)) == r10b) goto 0xa56faec4;
				 *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t261 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff7a56faabc
0x7ff7a56faabc
0x7ff7a56faabc
0x7ff7a56faabc
0x7ff7a56faabc
0x7ff7a56faabf
0x7ff7a56faac3
0x7ff7a56faac7
0x7ff7a56faacb
0x7ff7a56faad5
0x7ff7a56faad9
0x7ff7a56faae4
0x7ff7a56faaee
0x7ff7a56faaf1
0x7ff7a56faaf7
0x7ff7a56faafd
0x7ff7a56fab02
0x7ff7a56fab08
0x7ff7a56fab0f
0x7ff7a56fab11
0x7ff7a56fab1b
0x7ff7a56fab1e
0x7ff7a56fab25
0x7ff7a56fab27
0x7ff7a56fab2c
0x7ff7a56fab36
0x7ff7a56fab3d
0x7ff7a56fab46
0x7ff7a56fab4e
0x7ff7a56fab50
0x7ff7a56fab5a
0x7ff7a56fab5d
0x7ff7a56fab64
0x7ff7a56fab66
0x7ff7a56fab6b
0x7ff7a56fab75
0x7ff7a56fab7c
0x7ff7a56fab83
0x7ff7a56fab88
0x7ff7a56fab8b
0x7ff7a56fab91
0x7ff7a56fab93
0x7ff7a56fab9d
0x7ff7a56fabaf
0x7ff7a56fabb5
0x7ff7a56fabc3
0x7ff7a56fabc3
0x7ff7a56fabc7
0x7ff7a56fabcd
0x7ff7a56fabd1
0x7ff7a56fabd6
0x7ff7a56fabe3
0x7ff7a56fabe5
0x7ff7a56fabed
0x7ff7a56fabf8
0x7ff7a56fabff
0x7ff7a56fac08
0x7ff7a56fac0a
0x7ff7a56fac0d
0x7ff7a56fac17
0x7ff7a56fac23
0x7ff7a56fac2b
0x7ff7a56fac2e
0x7ff7a56fac32
0x7ff7a56fac3a
0x7ff7a56fac3e
0x7ff7a56fac46
0x7ff7a56fac48
0x7ff7a56fac51
0x7ff7a56fac64
0x7ff7a56fac66
0x7ff7a56fac69
0x7ff7a56fac6c
0x7ff7a56fac74
0x7ff7a56fac87
0x7ff7a56fac8f
0x7ff7a56faca3
0x7ff7a56faca5
0x7ff7a56facb2
0x7ff7a56facb4
0x7ff7a56facbc
0x7ff7a56facc6
0x7ff7a56facc9
0x7ff7a56facd0
0x7ff7a56facd2
0x7ff7a56facd6
0x7ff7a56facda
0x7ff7a56facdd
0x7ff7a56face0
0x7ff7a56face6
0x7ff7a56face8
0x7ff7a56faceb
0x7ff7a56facfe
0x7ff7a56fad05
0x7ff7a56fad18
0x7ff7a56fad2a
0x7ff7a56fad32
0x7ff7a56fad34
0x7ff7a56fad37
0x7ff7a56fad3c
0x7ff7a56fad42
0x7ff7a56fad45
0x7ff7a56fad4b
0x7ff7a56fad51
0x7ff7a56fad67
0x7ff7a56fad69
0x7ff7a56fad69
0x7ff7a56fad70
0x7ff7a56fad75
0x7ff7a56fad77
0x7ff7a56fad7a
0x7ff7a56fad7d
0x7ff7a56fad82
0x7ff7a56fad84
0x7ff7a56fad89
0x7ff7a56fad8e
0x7ff7a56fad90
0x7ff7a56fad92
0x7ff7a56fad94
0x7ff7a56fad96
0x7ff7a56fad98
0x7ff7a56fad9e
0x7ff7a56fada0
0x7ff7a56fadab
0x7ff7a56fadb0
0x7ff7a56fadbb
0x7ff7a56fadbe
0x7ff7a56fadbe
0x7ff7a56fadc5
0x7ff7a56fadc9
0x7ff7a56fadcc
0x7ff7a56fadd2
0x7ff7a56fade5
0x7ff7a56fade7
0x7ff7a56fadeb
0x7ff7a56fadef
0x7ff7a56fadf1
0x7ff7a56fadf5
0x7ff7a56fadf9
0x7ff7a56fae03
0x7ff7a56fae06
0x7ff7a56fae09
0x7ff7a56fae23
0x7ff7a56fae2a
0x7ff7a56fae31
0x7ff7a56fae33
0x7ff7a56fae36
0x7ff7a56fae3c
0x7ff7a56fae42
0x7ff7a56fae5f
0x7ff7a56fae66
0x7ff7a56fae6a
0x7ff7a56fae6c
0x7ff7a56fae75
0x7ff7a56fae7b
0x7ff7a56faea0
0x7ff7a56faea2
0x7ff7a56faeb0
0x7ff7a56faeb2
0x7ff7a56faeb6
0x7ff7a56faebd
0x7ff7a56faee4

APIs

Part of subcall function 00007FF7A56E4E5C: _getptd.LIBCMT ref: 00007FF7A56E4E72

_errno.LIBCMT ref: 00007FF7A56FAB11

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_errno.LIBCMT ref: 00007FF7A56FAB50
_errno.LIBCMT ref: 00007FF7A56FAB93

Strings

gfffffff, xrefs: 00007FF7A56FAE7D
0, xrefs: 00007FF7A56FAAF7

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$DecodePointer_getptd
String ID: 0$gfffffff
API String ID: 2834218312-1804767287
Opcode ID: 5e0a4473535deda9db7320d224ec572da4a58290ec71d1521485fd4c5be27886
Instruction ID: 195a42ab171bac751a6fb39d58f3c04a3461658f03bb4221372d0f7d4e133fac
Opcode Fuzzy Hash: 5e0a4473535deda9db7320d224ec572da4a58290ec71d1521485fd4c5be27886
Instruction Fuzzy Hash: B4B13663F0A3CA47E7619B28914136EBB96EB12F90F969231DB5D077E5CA3DE418C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F3A4C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7A56F3A4C(void* __ebx, void* __ecx, long long __rbx, char* __rcx, void* __rdx, void* __r9, long long _a24) {
				signed int _v16;
				char _v24;
				signed long long _t25;
				signed long long _t26;
				void* _t40;
				void* _t44;

				_t44 = __r9;
				_a24 = __rbx;
				_t25 =  *0xa5720430; // 0x4918c7c3922
				_t26 = _t25 ^ _t40 - 0x00000030;
				_v16 = _t26;
				if (__rcx == 0) goto 0xa56f3ad6;
				if ( *__rcx == 0) goto 0xa56f3ad6;
				if (E00007FF77FF7A56EBBE0(__ecx, __rcx, 0xa5712ac8) == 0) goto 0xa56f3ad6;
				if (E00007FF77FF7A56EBBE0(__ecx, __rcx, 0xa5712ac4) != 0) goto 0xa56f3ab6;
				_t4 = _t26 + 8; // 0x8
				r9d = _t4;
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0xa56f3af3;
				E00007FF77FF7A56E4984(_t26, 0xa5712ac4);
				return E00007FF77FF7A56E4050( *((intOrPtr*)(__rdx + 0x24)), _v16 ^ _t40 - 0x00000030, 0xa5712ac4,  &_v24, _t44);
			}

0x7ff7a56f3a4c
0x7ff7a56f3a4c
0x7ff7a56f3a56
0x7ff7a56f3a5d
0x7ff7a56f3a60
0x7ff7a56f3a6e
0x7ff7a56f3a73
0x7ff7a56f3a83
0x7ff7a56f3a96
0x7ff7a56f3a9b
0x7ff7a56f3a9b
0x7ff7a56f3aaf
0x7ff7a56f3ab9
0x7ff7a56f3ad5

APIs

GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF7A56F42E0,?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F3AA7
GetLocaleInfoA.KERNEL32(?,?,?,?,00000000,00007FF7A56F42E0,?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F3AE9
GetACP.KERNEL32(?,?,?,?,00000000,00007FF7A56F42E0,?,?,?,?,00000000,00007FF7A56E8850), ref: 00007FF7A56F3B0C

Strings

ACP, xrefs: 00007FF7A56F3A75
OCP, xrefs: 00007FF7A56F3A85

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 05857ef6789c705f425dab733761c92d82b1b5cb51473c9fdfa44ed524b23ad1
Instruction ID: 1a87af5a7c53296f196a6ddfa5b18655201272a4bff23107535d43bdf0c14451
Opcode Fuzzy Hash: 05857ef6789c705f425dab733761c92d82b1b5cb51473c9fdfa44ed524b23ad1
Instruction Fuzzy Hash: C5215321F0E54786EA24EB22E451179E392FF4AF84FC66131D94D466B5EE2CE509C730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E6F3C Relevance: 7.6, APIs: 5, Instructions: 105
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00007FF77FF7A56E6F3C(intOrPtr* __rax, long long __rbx, long long* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int __r9, long long _a8, long long _a16, long long _a24, signed long long _a32) {
				long long _v40;
				signed int _t35;
				signed int _t42;
				void* _t55;
				long long _t69;
				long long* _t71;
				long long _t79;
				signed long long _t82;
				long long _t92;

				_t88 = __r8;
				_t84 = __rbp;
				_t78 = __rdx;
				_t73 = __rcx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __rcx;
				r12d = r8d;
				_t71 = __rcx;
				if ((0 | __rcx != _t79) != 0) goto 0xa56e6f95;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(__rax, __rcx, __rcx, __rdx, __r9, __rbp, __r8);
				goto 0xa56e7093;
				if (r8d == 4) goto 0xa56e6fcd;
				if (r8d == 0) goto 0xa56e6fcd;
				if (r8d == 0x40) goto 0xa56e6fcd;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(__rax, _t71, _t73, _t78, __r9, _t84, _t88);
				goto 0xa56e7093;
				if (r8d == 0) goto 0xa56e6fd8;
				if (r8d != 0x40) goto 0xa56e700b;
				_t69 = __r9 - 2;
				if (_t69 - 0x7ffffffd <= 0) goto 0xa56e700b;
				E00007FF77FF7A56E78AC(_t69);
				 *_t69 = 0x16;
				_v40 = _t79;
				r9d = 0;
				r8d = 0;
				_t35 = E00007FF77FF7A56E4430(_t69, _t71, _t73, _t78, __r9, _t84, _t88);
				goto 0xa56e7093;
				_t82 = __r9 & 0xfffffffe;
				E00007FF77FF7A56EB4D0(_t35 | 0xffffffff, _t73);
				E00007FF77FF7A56E6BCC(_t71, _t71, _t82);
				E00007FF77FF7A56F1B24(_t69, _t71);
				 *(_t71 + 0x18) =  *(_t71 + 0x18) & 0xffffc2f3;
				if ((r12b & 0x00000004) == 0) goto 0xa56e704b;
				 *(_t71 + 0x18) =  *(_t71 + 0x18) | 0x00000004;
				_a32 = _t82;
				goto 0xa56e707c;
				if (_t71 + 0x20 != _t79) goto 0xa56e7074;
				_t42 = E00007FF77FF7A56EA574(_t55, _t69, _t71, _t82, _t82, _t84);
				_t92 = _t69;
				if (_t69 != _t79) goto 0xa56e706b;
				 *0xa57230c8 =  *0xa57230c8 + 1;
				goto 0xa56e7089;
				 *(_t71 + 0x18) =  *(_t71 + 0x18) | 0x00000408;
				goto 0xa56e707c;
				 *(_t71 + 0x18) = _t42 | 0x00000500;
				 *((intOrPtr*)(_t71 + 0x24)) = 2;
				 *((long long*)(_t71 + 0x10)) = _t92;
				 *_t71 = _t92;
				 *((intOrPtr*)(_t71 + 8)) = 0xffffffff;
				E00007FF77FF7A56EB560(_t42 | 0x00000500, _t71);
				return 0xffffffff;
			}

0x7ff7a56e6f3c
0x7ff7a56e6f3c
0x7ff7a56e6f3c
0x7ff7a56e6f3c
0x7ff7a56e6f3c
0x7ff7a56e6f41
0x7ff7a56e6f46
0x7ff7a56e6f57
0x7ff7a56e6f5d
0x7ff7a56e6f6c
0x7ff7a56e6f6e
0x7ff7a56e6f73
0x7ff7a56e6f79
0x7ff7a56e6f7e
0x7ff7a56e6f81
0x7ff7a56e6f88
0x7ff7a56e6f90
0x7ff7a56e6f99
0x7ff7a56e6f9e
0x7ff7a56e6fa4
0x7ff7a56e6fa6
0x7ff7a56e6fab
0x7ff7a56e6fb1
0x7ff7a56e6fb6
0x7ff7a56e6fb9
0x7ff7a56e6fc0
0x7ff7a56e6fc8
0x7ff7a56e6fd0
0x7ff7a56e6fd6
0x7ff7a56e6fd8
0x7ff7a56e6fe2
0x7ff7a56e6fe4
0x7ff7a56e6fe9
0x7ff7a56e6fef
0x7ff7a56e6ff4
0x7ff7a56e6ff7
0x7ff7a56e6ffe
0x7ff7a56e7006
0x7ff7a56e700b
0x7ff7a56e700f
0x7ff7a56e7018
0x7ff7a56e7020
0x7ff7a56e7025
0x7ff7a56e7033
0x7ff7a56e7038
0x7ff7a56e7044
0x7ff7a56e7049
0x7ff7a56e704e
0x7ff7a56e7053
0x7ff7a56e7058
0x7ff7a56e705e
0x7ff7a56e7060
0x7ff7a56e7069
0x7ff7a56e706b
0x7ff7a56e7072
0x7ff7a56e7079
0x7ff7a56e707c
0x7ff7a56e707f
0x7ff7a56e7083
0x7ff7a56e7086
0x7ff7a56e708c
0x7ff7a56e70a6

APIs

_errno.LIBCMT ref: 00007FF7A56E6F6E

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_errno.LIBCMT ref: 00007FF7A56E6FA6

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: c827abf252cecc7df5f4a5742bc49cb4568c02ee89e71d0df796e521da3256ab
Instruction ID: d740a54bf67d242b1639582b4e653c1b3e46b808648b78de03790ea307f2c69a
Opcode Fuzzy Hash: c827abf252cecc7df5f4a5742bc49cb4568c02ee89e71d0df796e521da3256ab
Instruction Fuzzy Hash: 25411772E1B652C5F321BF34A80127EB152EB92FA4F912731DE59076E5CE7ED4408B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F3CEC Relevance: 6.2, APIs: 4, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7A56F3CEC(void* __ecx, void* __edx, void* __eflags, long long __rbx, void* __rcx, void* __rdx, long long __rbp, void* __r9, long long _a16, long long _a24) {
				void* _v8;
				signed int _v24;
				char _v152;
				signed int _t58;
				signed int _t68;
				signed int _t85;
				void* _t105;
				signed long long _t131;
				signed long long _t132;
				signed long long _t155;
				void* _t156;
				void* _t159;

				_t167 = __r9;
				_t157 = __rbp;
				_a16 = __rbx;
				_a24 = __rbp;
				_t131 =  *0xa5720430; // 0x4918c7c3922
				_t132 = _t131 ^ _t159 - 0x000000b0;
				_v24 = _t132;
				_t134 = __rcx;
				E00007FF77FF7A56EB93C(__ecx, __eflags, _t132);
				_t155 = _t132;
				_t58 = E00007FF77FF7A56F3B14(__rcx, __rdx, __r9);
				r9d = 0x78;
				asm("sbb edx, edx");
				_t85 = _t58;
				if (GetLocaleInfoA(??, ??, ??, ??) != 0) goto 0xa56f3d64;
				 *(_t155 + 0x150) = 0;
				goto 0xa56f3f59;
				if (E00007FF77FF7A56F5C40(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x148)),  &_v152, _t156, __rbp,  &_v152, __r9) != 0) goto 0xa56f3e5c;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0xa56f3d54;
				if (E00007FF77FF7A56F5C40(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, __rbp,  &_v152, __r9) != 0) goto 0xa56f3dd4;
				 *(_t155 + 0x150) =  *(_t155 + 0x150) | 0x00000304;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				goto 0xa56f3e56;
				if (( *(_t155 + 0x150) & 0x00000002) != 0) goto 0xa56f3e5c;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0xa56f3e2a;
				if (E00007FF77FF7A56F5DF0(_t105, _t132, __rcx,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, __rbp,  *((intOrPtr*)(_t155 + 0x154)), __r9) != 0) goto 0xa56f3e2a;
				 *(_t155 + 0x150) =  *(_t155 + 0x150) | 0x00000002;
				 *((intOrPtr*)(_t155 + 0x164)) = _t85;
				if (E00007FF77FF7A56E70C0(_t66,  *((intOrPtr*)(_t155 + 0x140))) !=  *((intOrPtr*)(_t155 + 0x154))) goto 0xa56f3e5c;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				goto 0xa56f3e5c;
				_t68 =  *(_t155 + 0x150);
				if ((_t68 & 0x00000001) != 0) goto 0xa56f3e5c;
				if (_t85 ==  *0xa5712ab0) goto 0xa56f3e5c;
				if (1 - 0xa < 0) goto 0xa56f3e3d;
				 *(_t155 + 0x150) = _t68 | 0x00000001;
				 *((intOrPtr*)(_t155 + 0x164)) = _t85;
				if (( *(_t155 + 0x150) & 0x00000300) == 0x300) goto 0xa56f3f4b;
				r9d = 0x78;
				asm("sbb edx, edx");
				if (GetLocaleInfoA(??, ??, ??, ??) == 0) goto 0xa56f3d54;
				if (E00007FF77FF7A56F5C40(_t105, _t132, _t134,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, _t157,  &_v152, _t167) != 0) goto 0xa56f3efc;
				asm("bts dword [edi+0x150], 0x9");
				if ( *((intOrPtr*)(_t155 + 0x158)) == 0) goto 0xa56f3ed9;
				asm("bts eax, 0x8");
				goto 0xa56f3f3d;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0xa56f3f35;
				if (E00007FF77FF7A56E70C0( *(_t155 + 0x150),  *((intOrPtr*)(_t155 + 0x140))) !=  *((intOrPtr*)(_t155 + 0x154))) goto 0xa56f3f35;
				goto 0xa56f3f23;
				if ( *((intOrPtr*)(_t155 + 0x158)) != 0) goto 0xa56f3f4b;
				if ( *((intOrPtr*)(_t155 + 0x154)) == 0) goto 0xa56f3f4b;
				if (E00007FF77FF7A56F5C40(_t105, _t132, _t134,  *((intOrPtr*)(_t155 + 0x140)),  &_v152, _t156, _t157,  &_v152, _t167) != 0) goto 0xa56f3f4b;
				_t49 = _t155 + 0x140; // 0x140
				if (E00007FF77FF7A56F3C38(_t85, 0, _t134, _t49, _t167) == 0) goto 0xa56f3f4b;
				asm("bts dword [edi+0x150], 0x8");
				if ( *((intOrPtr*)(_t155 + 0x160)) != 0) goto 0xa56f3f4b;
				 *((intOrPtr*)(_t155 + 0x160)) = _t85;
				return E00007FF77FF7A56E4050(_t85, _v24 ^ _t159 - 0x000000b0,  &_v152, _t49, _t167);
			}

0x7ff7a56f3cec
0x7ff7a56f3cec
0x7ff7a56f3cec
0x7ff7a56f3cf1
0x7ff7a56f3cfe
0x7ff7a56f3d05
0x7ff7a56f3d08
0x7ff7a56f3d10
0x7ff7a56f3d13
0x7ff7a56f3d1b
0x7ff7a56f3d1e
0x7ff7a56f3d30
0x7ff7a56f3d36
0x7ff7a56f3d3a
0x7ff7a56f3d52
0x7ff7a56f3d54
0x7ff7a56f3d5f
0x7ff7a56f3d77
0x7ff7a56f3d88
0x7ff7a56f3d92
0x7ff7a56f3da8
0x7ff7a56f3dbd
0x7ff7a56f3dbf
0x7ff7a56f3dc9
0x7ff7a56f3dcf
0x7ff7a56f3ddb
0x7ff7a56f3de3
0x7ff7a56f3dff
0x7ff7a56f3e08
0x7ff7a56f3e0f
0x7ff7a56f3e20
0x7ff7a56f3e22
0x7ff7a56f3e28
0x7ff7a56f3e2a
0x7ff7a56f3e32
0x7ff7a56f3e40
0x7ff7a56f3e4b
0x7ff7a56f3e50
0x7ff7a56f3e56
0x7ff7a56f3e6b
0x7ff7a56f3e7c
0x7ff7a56f3e86
0x7ff7a56f3e9c
0x7ff7a56f3eb5
0x7ff7a56f3eb7
0x7ff7a56f3ecb
0x7ff7a56f3ecd
0x7ff7a56f3ed7
0x7ff7a56f3edf
0x7ff7a56f3ef3
0x7ff7a56f3efa
0x7ff7a56f3f02
0x7ff7a56f3f0a
0x7ff7a56f3f1f
0x7ff7a56f3f23
0x7ff7a56f3f33
0x7ff7a56f3f35
0x7ff7a56f3f43
0x7ff7a56f3f45
0x7ff7a56f3f7d

APIs

_getptd.LIBCMT ref: 00007FF7A56F3D13
GetLocaleInfoA.KERNEL32 ref: 00007FF7A56F3D48
GetLocaleInfoA.KERNEL32 ref: 00007FF7A56F3DA0
GetLocaleInfoA.KERNEL32 ref: 00007FF7A56F3E94

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: InfoLocale$_getptd
String ID:
API String ID: 1743167714-0
Opcode ID: 0bc0ce5ffb63eeeb20c95d733831d935c457454a07d1c7dd2c0a88a1cc289cfb
Instruction ID: df55175dcbbf84e00b21ffe691d3f7da0e3a7e7c21f4009af85bfdc8f1cf3568
Opcode Fuzzy Hash: 0bc0ce5ffb63eeeb20c95d733831d935c457454a07d1c7dd2c0a88a1cc289cfb
Instruction Fuzzy Hash: 7A616073F0698697DA6CAA24E9443E9B362FB89F05F811136D65D872A0CF3CE468C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E52E8 Relevance: 6.1, APIs: 4, Instructions: 115
COMMONLIBRARYCODECrypto

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7A56E52E8(void* __edi, void* __esi, intOrPtr* __rax, long long __rbx, signed long long* __rcx, intOrPtr* __rdx, long long __rsi, long long __rbp, signed long long __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a40, intOrPtr _a48) {
				void* _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				char _v56;
				long long _v72;
				void* __rdi;
				intOrPtr* _t77;
				intOrPtr _t78;
				intOrPtr* _t79;
				signed long long _t80;
				intOrPtr* _t82;
				long long* _t84;
				intOrPtr* _t90;
				signed long long _t93;
				signed long long* _t95;
				long long _t103;
				long long _t109;

				_t97 = __rbp;
				_t90 = __rdx;
				_t84 = __rcx;
				_t77 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				r14d = 0;
				_t93 = __r8;
				_t82 = __rdx;
				_t95 = __rcx;
				if (__rdx != _t109) goto 0xa56e531e;
				if (__r8 == _t109) goto 0xa56e534e;
				goto 0xa56e5323;
				if (__r8 - _t109 > 0) goto 0xa56e534a;
				E00007FF77FF7A56E78AC(__rax);
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				_v72 = _t109;
				E00007FF77FF7A56E4430(__rax, __rdx, __rcx, __rdx, __rcx, __rbp, __r8);
				goto 0xa56e547a;
				 *_t90 = r14w;
				if (_t84 == _t109) goto 0xa56e5356;
				 *_t84 = _t109;
				E00007FF77FF7A56E4E5C(__rax,  &_v56, _a48);
				_t103 = _a40;
				_t104 =  >  ? _t93 : _t103;
				_t65 = ( >  ? _t93 : _t103) - 0x7fffffff;
				if (( >  ? _t93 : _t103) - 0x7fffffff <= 0) goto 0xa56e53b5;
				E00007FF77FF7A56E78AC(_t77);
				r9d = 0;
				r8d = 0;
				 *_t77 = 0x16;
				_v72 = _t109;
				E00007FF77FF7A56E4430(_t77, _t82,  &_v56, _a48, _t95, _t97,  >  ? _t93 : _t103);
				if (_v32 == r14b) goto 0xa56e5343;
				_t78 = _v40;
				 *(_t78 + 0xc8) =  *(_t78 + 0xc8) & 0xfffffffd;
				goto 0xa56e5343;
				E00007FF77FF7A56E50E0(__edi, __esi, r14d, _t82, _t82, __r9, _t93, _t95,  >  ? _t93 : _t103,  &_v56);
				if (_t78 != 0xffffffff) goto 0xa56e53f7;
				if (_t82 == _t109) goto 0xa56e53d4;
				 *_t82 = r14w;
				E00007FF77FF7A56E78AC(_t78);
				if (_v32 == r14b) goto 0xa56e547a;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				goto 0xa56e547a;
				_t79 = _t78 + 1;
				if (_t82 == _t109) goto 0xa56e545d;
				if (_t79 - _t93 <= 0) goto 0xa56e5457;
				if (_a40 == 0xffffffff) goto 0xa56e544f;
				 *_t82 = r14w;
				E00007FF77FF7A56E78AC(_t79);
				r9d = 0;
				r8d = 0;
				 *_t79 = 0x22;
				_v72 = _t109;
				E00007FF77FF7A56E4430(_t79, _t82, _v40, __r9, _t95, _t97,  >  ? _t93 : _t103);
				if (_v32 == r14b) goto 0xa56e5343;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				goto 0xa56e5343;
				_t80 = _t93;
				 *((intOrPtr*)(_t82 + _t80 * 2 - 2)) = r14w;
				if (_t95 == _t109) goto 0xa56e5465;
				 *_t95 = _t80;
				if (_v32 == r14b) goto 0xa56e5478;
				 *(_v40 + 0xc8) =  *(_v40 + 0xc8) & 0xfffffffd;
				return 0x50;
			}

0x7ff7a56e52e8
0x7ff7a56e52e8
0x7ff7a56e52e8
0x7ff7a56e52e8
0x7ff7a56e52e8
0x7ff7a56e52ed
0x7ff7a56e52f2
0x7ff7a56e5300
0x7ff7a56e5306
0x7ff7a56e5309
0x7ff7a56e530c
0x7ff7a56e5315
0x7ff7a56e531a
0x7ff7a56e531c
0x7ff7a56e5321
0x7ff7a56e5323
0x7ff7a56e532d
0x7ff7a56e5330
0x7ff7a56e5337
0x7ff7a56e5339
0x7ff7a56e533e
0x7ff7a56e5345
0x7ff7a56e534a
0x7ff7a56e5351
0x7ff7a56e5353
0x7ff7a56e5363
0x7ff7a56e5368
0x7ff7a56e5373
0x7ff7a56e5377
0x7ff7a56e537e
0x7ff7a56e5380
0x7ff7a56e538a
0x7ff7a56e538d
0x7ff7a56e5394
0x7ff7a56e5396
0x7ff7a56e539b
0x7ff7a56e53a5
0x7ff7a56e53a7
0x7ff7a56e53ac
0x7ff7a56e53b3
0x7ff7a56e53c0
0x7ff7a56e53c9
0x7ff7a56e53ce
0x7ff7a56e53d0
0x7ff7a56e53d4
0x7ff7a56e53e0
0x7ff7a56e53eb
0x7ff7a56e53f2
0x7ff7a56e53f7
0x7ff7a56e53fd
0x7ff7a56e5402
0x7ff7a56e540d
0x7ff7a56e540f
0x7ff7a56e5413
0x7ff7a56e541d
0x7ff7a56e5420
0x7ff7a56e5427
0x7ff7a56e5429
0x7ff7a56e542e
0x7ff7a56e5438
0x7ff7a56e5443
0x7ff7a56e544a
0x7ff7a56e544f
0x7ff7a56e5457
0x7ff7a56e5460
0x7ff7a56e5462
0x7ff7a56e546a
0x7ff7a56e5471
0x7ff7a56e5493

APIs

_errno.LIBCMT ref: 00007FF7A56E5323
_errno.LIBCMT ref: 00007FF7A56E5380
_errno.LIBCMT ref: 00007FF7A56E53D4
_errno.LIBCMT ref: 00007FF7A56E5413

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$DecodePointer
String ID:
API String ID: 2310398763-0
Opcode ID: 969b6b03ac756c984ef9ddfa99fd8f5d4939811ed42fda2eef39814d5a7e2c3c
Instruction ID: a2e742b23abbe2e11deb4dc54e68de2573c6034753ab0f6e097bf3d64536b07d
Opcode Fuzzy Hash: 969b6b03ac756c984ef9ddfa99fd8f5d4939811ed42fda2eef39814d5a7e2c3c
Instruction Fuzzy Hash: BF41E822A0B682C1E760AF24B44077EF263EB62F50F955331EEAC176E5DE7ED8414B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F2F18 Relevance: 53.8, APIs: 43, Instructions: 94COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7A56F2F2D

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

free.LIBCMT ref: 00007FF7A56F2F36
free.LIBCMT ref: 00007FF7A56F2F3F
free.LIBCMT ref: 00007FF7A56F2F48
free.LIBCMT ref: 00007FF7A56F2F51
free.LIBCMT ref: 00007FF7A56F2F5A
free.LIBCMT ref: 00007FF7A56F2F62
free.LIBCMT ref: 00007FF7A56F2F6B
free.LIBCMT ref: 00007FF7A56F2F74
free.LIBCMT ref: 00007FF7A56F2F7D
free.LIBCMT ref: 00007FF7A56F2F86
free.LIBCMT ref: 00007FF7A56F2F8F
free.LIBCMT ref: 00007FF7A56F2F98
free.LIBCMT ref: 00007FF7A56F2FA1
free.LIBCMT ref: 00007FF7A56F2FAA
free.LIBCMT ref: 00007FF7A56F2FB3
free.LIBCMT ref: 00007FF7A56F2FBF
free.LIBCMT ref: 00007FF7A56F2FCB
free.LIBCMT ref: 00007FF7A56F2FD7
free.LIBCMT ref: 00007FF7A56F2FE3
free.LIBCMT ref: 00007FF7A56F2FEF
free.LIBCMT ref: 00007FF7A56F2FFB
free.LIBCMT ref: 00007FF7A56F3007
free.LIBCMT ref: 00007FF7A56F3013
free.LIBCMT ref: 00007FF7A56F301F
free.LIBCMT ref: 00007FF7A56F302B
free.LIBCMT ref: 00007FF7A56F3037
free.LIBCMT ref: 00007FF7A56F3043
free.LIBCMT ref: 00007FF7A56F304F
free.LIBCMT ref: 00007FF7A56F305B
free.LIBCMT ref: 00007FF7A56F3067
free.LIBCMT ref: 00007FF7A56F3073
free.LIBCMT ref: 00007FF7A56F307F
free.LIBCMT ref: 00007FF7A56F308B
free.LIBCMT ref: 00007FF7A56F3097
free.LIBCMT ref: 00007FF7A56F30A3
free.LIBCMT ref: 00007FF7A56F30AF
free.LIBCMT ref: 00007FF7A56F30BB
free.LIBCMT ref: 00007FF7A56F30C7
free.LIBCMT ref: 00007FF7A56F30D3
free.LIBCMT ref: 00007FF7A56F30DF
free.LIBCMT ref: 00007FF7A56F30EB
free.LIBCMT ref: 00007FF7A56F30F7

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: ecc7a25734b82c8a69be3194843af15d0c5e0e132872565f55c5672a604358f9
Instruction ID: 63168e111bc0ce232fe9f5e6f94802bd34fb4513d1a4f3b6a23f3c5208a326b8
Opcode Fuzzy Hash: ecc7a25734b82c8a69be3194843af15d0c5e0e132872565f55c5672a604358f9
Instruction Fuzzy Hash: C1418532E17481C5EA84BBB1C4512BD672EAF85F85F476031DD4D4B1B7CE15D8468364

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F4B80 Relevance: 36.9, APIs: 15, Strings: 6, Instructions: 130libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4BBD
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4BD9
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C01
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C0A
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C20
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C29
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C3F
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C48
GetProcAddress.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C66
EncodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4C6F
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4CA1
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4CB0
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4D08
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4D28
DecodePointer.KERNEL32(?,?,?,?,?,000000FC,00000000,00007FF7A56EBEF0,?,?,?,?,?,00007FF7A56EBF84), ref: 00007FF7A56F4D41

Strings

GetProcessWindowStation, xrefs: 00007FF7A56F4C5C
USER32.DLL, xrefs: 00007FF7A56F4BB6
GetActiveWindow, xrefs: 00007FF7A56F4BF0
MessageBoxA, xrefs: 00007FF7A56F4BCF
GetLastActivePopup, xrefs: 00007FF7A56F4C0F
GetUserObjectInformationA, xrefs: 00007FF7A56F4C2E

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Pointer$AddressDecodeProc$Encode$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
API String ID: 3085332118-232180764
Opcode ID: a389ad23ff19189e30bc8357c642974d605cec1610676e8388d2556dc910d0fd
Instruction ID: e8f5335dbc82dae6c189b774827b7b2b510a3104da4465dd0adc330499e10983
Opcode Fuzzy Hash: a389ad23ff19189e30bc8357c642974d605cec1610676e8388d2556dc910d0fd
Instruction Fuzzy Hash: C251F861E0BB0380ED55FB52B850178A2A2AF4AF85FC6A535DD5D16BB5EE3CE4068330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F05C4 Relevance: 30.5, APIs: 20, Instructions: 485
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00007FF77FF7A56F05C4(void* __eax, signed int __ecx, void* __esi, long long __rdx, void* __r8, signed int _a8, long long _a16, char _a24, char _a32, char _a33) {
				long long _v88;
				unsigned int _v96;
				signed int _v100;
				intOrPtr _v104;
				unsigned int _v112;
				long long _v120;
				void* __rbx;
				void* __rsi;
				void* __rbp;
				void* _t237;
				signed char _t240;
				signed short _t251;
				void* _t259;
				int _t266;
				void* _t268;
				signed int _t269;
				void* _t279;
				signed int _t286;
				unsigned int _t287;
				void* _t289;
				void* _t290;
				void* _t291;
				signed int _t292;
				void* _t293;
				signed short _t300;
				char _t301;
				char _t302;
				signed int _t312;
				signed int _t313;
				void* _t341;
				void* _t346;
				signed short* _t417;
				intOrPtr _t419;
				intOrPtr _t424;
				intOrPtr _t425;
				long long _t427;
				char* _t430;
				intOrPtr* _t432;
				intOrPtr _t434;
				intOrPtr* _t440;
				intOrPtr* _t443;
				void* _t444;
				signed short* _t445;
				signed short* _t446;
				signed short* _t447;
				signed char* _t449;
				signed char* _t450;
				signed char* _t451;
				signed char* _t453;
				signed short* _t457;
				signed short* _t458;
				intOrPtr _t461;
				intOrPtr _t466;
				char* _t476;
				long long _t485;
				signed long long _t487;
				void* _t488;
				void* _t492;
				signed short* _t507;
				signed short* _t508;
				intOrPtr* _t511;
				signed short* _t512;
				signed short* _t513;
				signed short* _t516;
				signed short* _t518;
				signed long long _t520;
				void* _t521;
				void* _t523;

				_t492 = __r8;
				_t474 = __rdx;
				_a16 = __rdx;
				_a8 = __ecx;
				r12d = 0xfffffffe;
				_t417 = __ecx;
				_t286 = r8d;
				_v100 = r12d;
				_v96 = _t286;
				if (__eax != r12d) goto 0xa56f0610;
				E00007FF77FF7A56E78CC(__ecx);
				 *__ecx = 0;
				_t237 = E00007FF77FF7A56E78AC(__ecx);
				 *__ecx = 9;
				goto 0xa56f0d2f;
				if (_t237 < 0) goto 0xa56f0d09;
				_t341 = _t237 -  *0xa57289c0; // 0x20
				if (_t341 >= 0) goto 0xa56f0d09;
				_t520 = __ecx >> 5;
				_t461 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				_t487 = __ecx * 0x58;
				if (( *(_t461 + _t487 + 8) & 0x00000001) == 0) goto 0xa56f0d09;
				if (_t286 - 0x7fffffff <= 0) goto 0xa56f0671;
				E00007FF77FF7A56E78CC(__ecx);
				 *__ecx = 0;
				_t240 = E00007FF77FF7A56E78AC(__ecx);
				 *__ecx = 0x16;
				goto 0xa56f0d1b;
				if (_t286 == 0) goto 0xa56f0d05;
				if ((_t240 & 0x00000002) != 0) goto 0xa56f0d05;
				_t346 = __rdx - _t485;
				if (_t346 == 0) goto 0xa56f065a;
				r15b =  *(_t461 + _t487 + 0x38);
				r8d = 4;
				r15b = r15b + r15b;
				r15b = r15b >> 1;
				if (_t346 == 0) goto 0xa56f06b7;
				if (_t346 != 0) goto 0xa56f06b2;
				if (( !_t286 & 0x00000001) == 0) goto 0xa56f065a;
				_t287 = _t286 & 0xfffffffe;
				goto 0xa56f071b;
				if (( !_t287 & 0x00000001) == 0) goto 0xa56f065a;
				_t289 =  <  ? r8d : _t287 >> 1;
				E00007FF77FF7A56EA574(0, __ecx, _t444, _t461, _t487, _t488);
				_t518 = _t417;
				if (_t417 != _t485) goto 0xa56f06f2;
				E00007FF77FF7A56E78AC(_t417);
				 *_t417 = 0xc;
				E00007FF77FF7A56E78CC(_t417);
				 *_t417 = 8;
				goto 0xa56f0d2f;
				_t22 = _t474 + 1; // 0x1
				r8d = _t22;
				E00007FF77FF7A56F4D74(_t289, _a8, _t417, _t444, __rdx);
				 *( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x40) = _t417;
				_t419 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				r8d = 0xa;
				if (( *(_t419 + _t487 + 8) & 0x00000048) == 0) goto 0xa56f07d3;
				_t300 =  *((intOrPtr*)(_t419 + _t487 + 9));
				if (_t300 == r8b) goto 0xa56f07d3;
				if (_t289 == 0) goto 0xa56f07d3;
				 *_t518 = _t300;
				r10d = r10d | 0xffffffff;
				_t290 = _t289 + r10d;
				_t41 =  &(_t518[0]); // 0x1
				_t476 = _t41;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 9)) = r8b;
				if (r15b == dil) goto 0xa56f07d3;
				_t301 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39));
				if (_t301 == r8b) goto 0xa56f07d3;
				if (_t290 == 0) goto 0xa56f07d3;
				 *_t476 = _t301;
				_t291 = _t290 + r10d;
				 *((intOrPtr*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) = r8b;
				if (r15b != 1) goto 0xa56f07d3;
				_t302 =  *((intOrPtr*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a));
				if (_t302 == r8b) goto 0xa56f07d3;
				if (_t291 == 0) goto 0xa56f07d3;
				 *((char*)(_t476 + 1)) = _t302;
				_t424 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				_t64 = _t492 - 7; // -6
				_t292 = _t291 + r10d;
				 *((intOrPtr*)(_t424 + _t487 + 0x3a)) = r8b;
				r8d = _t292;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) == 0) goto 0xa56f0cc9;
				if (0 < 0) goto 0xa56f0cc9;
				if (_v104 - _t424 > 0) goto 0xa56f0cc9;
				_t425 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				if (( *(_t425 + _t487 + 8) & 0x00000080) == 0) goto 0xa56f0ca7;
				if (r15b == 2) goto 0xa56f0af0;
				if (0 == 0) goto 0xa56f084a;
				if ( *_t518 != 0xa) goto 0xa56f084a;
				 *(_t425 + _t487 + 8) =  *(_t425 + _t487 + 8) | 0x00000004;
				goto 0xa56f084f;
				 *(_t425 + _t487 + 8) =  *(_t425 + _t487 + 8) & 0x000000fb;
				_t445 = _t518;
				_t507 = _t518;
				_t427 = _t64 + _t518;
				_v88 = _t427;
				if (_t518 - _t427 >= 0) goto 0xa56f09a3;
				_t251 =  *_t507;
				if (_t251 == 0x1a) goto 0xa56f0984;
				if (_t251 == bpl) goto 0xa56f088c;
				 *_t445 = _t251;
				_t446 =  &(_t445[0]);
				_t508 =  &(_t507[0]);
				goto 0xa56f0977;
				if (_t508 - _v88 - 1 >= 0) goto 0xa56f08b4;
				_t92 =  &(_t508[0]); // 0x1
				_t430 = _t92;
				if ( *_t430 != 0xa) goto 0xa56f08ac;
				goto 0xa56f093c;
				goto 0xa56f0971;
				_t97 =  &_a24; // 0x1000000ae
				r8d = 1;
				_t511 = _t430 + 1;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) != 0) goto 0xa56f08ef;
				if (GetLastError() != 0) goto 0xa56f096a;
				if (_v104 == 0) goto 0xa56f096a;
				if (( *( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x00000048) == 0) goto 0xa56f092d;
				if (_a24 == 0xa) goto 0xa56f093c;
				 *_t446 = bpl;
				_t466 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				 *((char*)(_t466 + _t487 + 9)) = _a24;
				goto 0xa56f0974;
				if (_t446 != _t518) goto 0xa56f0941;
				if (_a24 != 0xa) goto 0xa56f0941;
				 *_t446 = 0xa;
				goto 0xa56f0974;
				r8d = 1;
				E00007FF77FF7A56F4D74(_t292, _a8,  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)), _t446, _t97 | 0xffffffff);
				if (_a24 == 0xa) goto 0xa56f0977;
				goto 0xa56f0971;
				 *_t446 = bpl;
				_t447 =  &(_t446[0]);
				if (_t511 - _v88 < 0) goto 0xa56f086e;
				goto 0xa56f09a3;
				_t432 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				if (( *(_t432 + _t487 + 8) & 0x00000040) != 0) goto 0xa56f099a;
				 *(_t432 + _t487 + 8) =  *(_t432 + _t487 + 8) | 0x00000002;
				goto 0xa56f09a3;
				 *_t447 =  *_t511;
				if (r15b != 1) goto 0xa56f0ca2;
				if (_t292 - r13d == 0) goto 0xa56f0ca2;
				r15d = 1;
				_t449 =  &(_t447[0]) - _t521;
				if (( *_t449 & 0x00000080) != 0) goto 0xa56f09d0;
				_t450 =  &(_t449[_t521]);
				goto 0xa56f0a82;
				_t312 = r15d;
				goto 0xa56f09e5;
				if (_t312 - 4 > 0) goto 0xa56f09f2;
				if (_t450 - _t518 < 0) goto 0xa56f09f2;
				_t451 = _t450 - _t521;
				_t313 = _t312 + r15d;
				if ( *((intOrPtr*)(_t432 + 0x7ff7a5721380)) == dil) goto 0xa56f09d5;
				if ( *((char*)(_t466 + 0x7ff7a5721380)) != 0) goto 0xa56f0a16;
				_t259 = E00007FF77FF7A56E78AC(_t432);
				 *_t432 = 0x2a;
				r12d = r12d | 0xffffffff;
				goto 0xa56f0ca7;
				if (_t259 + 1 != _t313) goto 0xa56f0a24;
				goto 0xa56f0a82;
				_t434 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				if (( *(_t434 + _t487 + 8) & 0x00000048) == 0) goto 0xa56f0a6e;
				_t453 =  &(( &(_t451[_t313]))[_t521]);
				 *((char*)(_t434 + _t487 + 9)) =  *_t451 & 0x000000ff;
				if (_t313 - 2 < 0) goto 0xa56f0a50;
				 *((char*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) =  *_t453;
				if (_t313 != 3) goto 0xa56f0a66;
				 *((char*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a)) = _t453[_t521];
				goto 0xa56f0a82;
				r8d = r15d;
				E00007FF77FF7A56F4D74(_t292, _a8, _t313,  &(( &(_t453[_t521]))[_t521]) - _t313,  ~_t313);
				_t293 = _t292 - r13d;
				r9d = _t293;
				_v112 = _v96 >> 1;
				_v120 = _a16;
				_t266 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t266 != 0) goto 0xa56f0acb;
				_t268 = E00007FF77FF7A56E78EC(GetLastError(), _t313);
				r12d = r12d | 0xffffffff;
				goto 0xa56f0caf;
				r12d = _v100;
				dil = _t268 != _t293;
				 *((intOrPtr*)(0x7ff7a56d0000 + _t487 + 0x48)) = 0;
				goto 0xa56f0caf;
				if (0 == 0) goto 0xa56f0b07;
				if ( *_t518 != 0xa) goto 0xa56f0b07;
				 *(0x7ff7a56d0000 + _t487 + 8) =  *(0x7ff7a56d0000 + _t487 + 8) | 0x00000004;
				goto 0xa56f0b0c;
				 *(0x7ff7a56d0000 + _t487 + 8) =  *( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x000000fb;
				_t457 = _t518;
				_t512 = _t518;
				_t523 = _t266 + _t266 + _t518;
				if (_t518 - _t523 >= 0) goto 0xa56f0c9d;
				_t269 =  *_t512 & 0x0000ffff;
				if (_t269 == 0x1a) goto 0xa56f0c7b;
				if (_t269 == 0xd) goto 0xa56f0b4b;
				 *_t457 = _t269;
				_t458 =  &(_t457[1]);
				_t513 =  &(_t512[1]);
				goto 0xa56f0c70;
				if (_t513 - _t523 - 2 >= 0) goto 0xa56f0b6f;
				_t180 =  &(_t513[1]); // 0x2
				_t440 = _t180;
				if ( *_t440 != 0xa) goto 0xa56f0b67;
				goto 0xa56f0c29;
				goto 0xa56f0c69;
				r8d = 2;
				_t516 = _t440 + 2;
				_v120 = _t485;
				if (ReadFile(??, ??, ??, ??, ??) != 0) goto 0xa56f0baf;
				if (GetLastError() != 0) goto 0xa56f0c5d;
				if (_v104 == 0) goto 0xa56f0c5d;
				if (( *( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 8) & 0x00000048) == 0) goto 0xa56f0c15;
				if (_a32 == 0xa) goto 0xa56f0c29;
				 *_t458 = 0xd;
				 *((char*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 9)) = _a32;
				 *((char*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x39)) = _a33;
				 *((char*)( *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)) + _t487 + 0x3a)) = 0xa;
				goto 0xa56f0c6c;
				if (_t458 != _t518) goto 0xa56f0c2e;
				if (_a32 != 0xa) goto 0xa56f0c2e;
				 *_t458 = 0xa;
				goto 0xa56f0c6c;
				r8d = 1;
				E00007FF77FF7A56F4D74(_t293, _a8,  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8)), _t458, 0xfffffffe);
				if (_a32 == 0xa) goto 0xa56f0c70;
				goto 0xa56f0c69;
				 *_t458 = 0xd;
				if (_t516 - _t523 < 0) goto 0xa56f0b27;
				goto 0xa56f0c9d;
				_t443 =  *((intOrPtr*)(0x7ff7a56d0000 + 0x589e0 + _t520 * 8));
				if (( *(_t443 + _t487 + 8) & 0x00000040) != 0) goto 0xa56f0c91;
				 *(_t443 + _t487 + 8) =  *(_t443 + _t487 + 8) | 0x00000002;
				goto 0xa56f0c9d;
				_t458[1] =  *_t516 & 0x0000ffff;
				r12d = _v100;
				if (_t518 == _a16) goto 0xa56f0cbc;
				free(??);
				r12d =  ==  ? _t293 - r13d : r12d;
				goto 0xa56f0d32;
				if (GetLastError() != 5) goto 0xa56f0cef;
				E00007FF77FF7A56E78AC(_t443);
				 *_t443 = 9;
				_t279 = E00007FF77FF7A56E78CC(_t443);
				 *_t443 = 5;
				goto 0xa56f0a0d;
				if (_t279 != 0x6d) goto 0xa56f0cf9;
				r12d = 0;
				goto 0xa56f0ca7;
				E00007FF77FF7A56E78EC(_t279, _t443);
				goto 0xa56f0a0d;
				goto 0xa56f0d32;
				E00007FF77FF7A56E78CC(_t443);
				 *_t443 = 0;
				E00007FF77FF7A56E78AC(_t443);
				 *_t443 = 9;
				r9d = 0;
				r8d = 0;
				_v120 = _t485;
				return E00007FF77FF7A56E4430(_t443,  &(_t458[2]), _t518, 0xfffffffe, _t487, _t488, 0x7ff7a56d0000) | 0xffffffff;
			}

0x7ff7a56f05c4
0x7ff7a56f05c4
0x7ff7a56f05c4
0x7ff7a56f05c9
0x7ff7a56f05dd
0x7ff7a56f05e3
0x7ff7a56f05e6
0x7ff7a56f05e9
0x7ff7a56f05ee
0x7ff7a56f05f5
0x7ff7a56f05f7
0x7ff7a56f05fe
0x7ff7a56f0600
0x7ff7a56f0605
0x7ff7a56f060b
0x7ff7a56f0614
0x7ff7a56f061a
0x7ff7a56f0620
0x7ff7a56f0633
0x7ff7a56f063a
0x7ff7a56f0642
0x7ff7a56f064c
0x7ff7a56f0658
0x7ff7a56f065a
0x7ff7a56f065f
0x7ff7a56f0661
0x7ff7a56f0666
0x7ff7a56f066c
0x7ff7a56f0675
0x7ff7a56f067d
0x7ff7a56f0683
0x7ff7a56f0686
0x7ff7a56f0688
0x7ff7a56f068d
0x7ff7a56f0693
0x7ff7a56f0696
0x7ff7a56f06a0
0x7ff7a56f06a5
0x7ff7a56f06ad
0x7ff7a56f06af
0x7ff7a56f06b5
0x7ff7a56f06bd
0x7ff7a56f06c4
0x7ff7a56f06ca
0x7ff7a56f06cf
0x7ff7a56f06d5
0x7ff7a56f06d7
0x7ff7a56f06dc
0x7ff7a56f06e2
0x7ff7a56f06e7
0x7ff7a56f06ed
0x7ff7a56f06fb
0x7ff7a56f06fb
0x7ff7a56f06ff
0x7ff7a56f0716
0x7ff7a56f071b
0x7ff7a56f0726
0x7ff7a56f0731
0x7ff7a56f0737
0x7ff7a56f073e
0x7ff7a56f0746
0x7ff7a56f074c
0x7ff7a56f0758
0x7ff7a56f075c
0x7ff7a56f075f
0x7ff7a56f075f
0x7ff7a56f0767
0x7ff7a56f076f
0x7ff7a56f0779
0x7ff7a56f0780
0x7ff7a56f0784
0x7ff7a56f0786
0x7ff7a56f0790
0x7ff7a56f079a
0x7ff7a56f07a3
0x7ff7a56f07ad
0x7ff7a56f07b4
0x7ff7a56f07b8
0x7ff7a56f07ba
0x7ff7a56f07bc
0x7ff7a56f07c7
0x7ff7a56f07cb
0x7ff7a56f07ce
0x7ff7a56f07e0
0x7ff7a56f07e7
0x7ff7a56f07f4
0x7ff7a56f0801
0x7ff7a56f080c
0x7ff7a56f081b
0x7ff7a56f0828
0x7ff7a56f0832
0x7ff7a56f083a
0x7ff7a56f0841
0x7ff7a56f0843
0x7ff7a56f0848
0x7ff7a56f084a
0x7ff7a56f0852
0x7ff7a56f0855
0x7ff7a56f0858
0x7ff7a56f085b
0x7ff7a56f0863
0x7ff7a56f086e
0x7ff7a56f0874
0x7ff7a56f087d
0x7ff7a56f087f
0x7ff7a56f0881
0x7ff7a56f0884
0x7ff7a56f0887
0x7ff7a56f0897
0x7ff7a56f0899
0x7ff7a56f0899
0x7ff7a56f08a1
0x7ff7a56f08a7
0x7ff7a56f08af
0x7ff7a56f08c1
0x7ff7a56f08cd
0x7ff7a56f08d3
0x7ff7a56f08d6
0x7ff7a56f08e3
0x7ff7a56f08ed
0x7ff7a56f08f3
0x7ff7a56f0909
0x7ff7a56f0913
0x7ff7a56f0915
0x7ff7a56f0918
0x7ff7a56f0927
0x7ff7a56f092b
0x7ff7a56f0930
0x7ff7a56f093a
0x7ff7a56f093c
0x7ff7a56f093f
0x7ff7a56f0948
0x7ff7a56f0952
0x7ff7a56f0966
0x7ff7a56f0968
0x7ff7a56f0971
0x7ff7a56f0974
0x7ff7a56f097c
0x7ff7a56f0982
0x7ff7a56f0984
0x7ff7a56f0991
0x7ff7a56f0993
0x7ff7a56f0998
0x7ff7a56f099e
0x7ff7a56f09ac
0x7ff7a56f09b4
0x7ff7a56f09ba
0x7ff7a56f09c0
0x7ff7a56f09c6
0x7ff7a56f09c8
0x7ff7a56f09cb
0x7ff7a56f09d0
0x7ff7a56f09d3
0x7ff7a56f09d8
0x7ff7a56f09dd
0x7ff7a56f09df
0x7ff7a56f09e2
0x7ff7a56f09f0
0x7ff7a56f0a00
0x7ff7a56f0a02
0x7ff7a56f0a07
0x7ff7a56f0a0d
0x7ff7a56f0a11
0x7ff7a56f0a1a
0x7ff7a56f0a22
0x7ff7a56f0a24
0x7ff7a56f0a31
0x7ff7a56f0a33
0x7ff7a56f0a39
0x7ff7a56f0a3d
0x7ff7a56f0a4c
0x7ff7a56f0a53
0x7ff7a56f0a62
0x7ff7a56f0a6c
0x7ff7a56f0a77
0x7ff7a56f0a7d
0x7ff7a56f0a8e
0x7ff7a56f0a93
0x7ff7a56f0a99
0x7ff7a56f0aa4
0x7ff7a56f0aa9
0x7ff7a56f0ab3
0x7ff7a56f0abd
0x7ff7a56f0ac2
0x7ff7a56f0ac6
0x7ff7a56f0acb
0x7ff7a56f0ae1
0x7ff7a56f0ae7
0x7ff7a56f0aeb
0x7ff7a56f0af7
0x7ff7a56f0afe
0x7ff7a56f0b00
0x7ff7a56f0b05
0x7ff7a56f0b07
0x7ff7a56f0b0f
0x7ff7a56f0b12
0x7ff7a56f0b15
0x7ff7a56f0b1c
0x7ff7a56f0b27
0x7ff7a56f0b30
0x7ff7a56f0b39
0x7ff7a56f0b3b
0x7ff7a56f0b3e
0x7ff7a56f0b42
0x7ff7a56f0b46
0x7ff7a56f0b52
0x7ff7a56f0b54
0x7ff7a56f0b54
0x7ff7a56f0b5c
0x7ff7a56f0b62
0x7ff7a56f0b6a
0x7ff7a56f0b88
0x7ff7a56f0b8e
0x7ff7a56f0b92
0x7ff7a56f0b9f
0x7ff7a56f0ba9
0x7ff7a56f0bb3
0x7ff7a56f0bcd
0x7ff7a56f0bdc
0x7ff7a56f0bde
0x7ff7a56f0bf0
0x7ff7a56f0c03
0x7ff7a56f0c0f
0x7ff7a56f0c13
0x7ff7a56f0c18
0x7ff7a56f0c27
0x7ff7a56f0c29
0x7ff7a56f0c2c
0x7ff7a56f0c3c
0x7ff7a56f0c40
0x7ff7a56f0c59
0x7ff7a56f0c5b
0x7ff7a56f0c69
0x7ff7a56f0c73
0x7ff7a56f0c79
0x7ff7a56f0c7b
0x7ff7a56f0c88
0x7ff7a56f0c8a
0x7ff7a56f0c8f
0x7ff7a56f0c96
0x7ff7a56f0ca2
0x7ff7a56f0cb2
0x7ff7a56f0cb7
0x7ff7a56f0cc0
0x7ff7a56f0cc7
0x7ff7a56f0cd2
0x7ff7a56f0cd4
0x7ff7a56f0cd9
0x7ff7a56f0cdf
0x7ff7a56f0ce4
0x7ff7a56f0cea
0x7ff7a56f0cf2
0x7ff7a56f0cf4
0x7ff7a56f0cf7
0x7ff7a56f0cfb
0x7ff7a56f0d00
0x7ff7a56f0d07
0x7ff7a56f0d09
0x7ff7a56f0d0e
0x7ff7a56f0d10
0x7ff7a56f0d15
0x7ff7a56f0d1b
0x7ff7a56f0d1e
0x7ff7a56f0d25
0x7ff7a56f0d42

APIs

__doserrno.LIBCMT ref: 00007FF7A56F05F7
_errno.LIBCMT ref: 00007FF7A56F0600
__doserrno.LIBCMT ref: 00007FF7A56F065A
_errno.LIBCMT ref: 00007FF7A56F0661

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: edecc77121cc5808f797c38e0de8add454756a7ebf3f8fd74126f6dce199133d
Instruction ID: 2d6550c28ccbbfd2700236233313bc46ae82773cc799bd0a01c20a95e77b66a6
Opcode Fuzzy Hash: edecc77121cc5808f797c38e0de8add454756a7ebf3f8fd74126f6dce199133d
Instruction Fuzzy Hash: 7322ED23E0F68682E7616B1594442BDBB92BB43F64FDAA135C95F036E5DE3CD848C321

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E9D48 Relevance: 26.6, APIs: 11, Strings: 4, Instructions: 337
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 74%

			E00007FF77FF7A56E9D48(void* __ebx, void* __ecx, void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __r8, signed int* __r9) {
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t152;
				intOrPtr _t155;
				void* _t160;
				void* _t161;
				signed int _t162;
				void* _t207;
				void* _t208;
				signed int* _t213;
				long long _t214;
				signed int _t220;
				intOrPtr _t222;
				signed int* _t223;
				void* _t271;
				intOrPtr* _t272;
				intOrPtr* _t273;
				void* _t275;
				signed int* _t276;
				void* _t280;
				long long _t281;
				intOrPtr* _t283;
				signed int* _t285;
				void* _t288;
				void* _t289;
				void* _t307;
				long long _t308;
				void* _t310;
				void* _t315;
				signed int* _t316;
				void* _t318;
				signed int* _t320;

				_t207 = __rax;
				_t159 = __edi;
				_t152 = __ecx;
				 *((long long*)(_t288 + 0x20)) = __rbx;
				 *((long long*)(_t288 + 0x18)) = __r8;
				 *((long long*)(_t288 + 0x10)) = __rdx;
				_t289 = _t288 - 0xa0;
				_t222 =  *((intOrPtr*)(_t289 + 0x100));
				r15d = 0;
				_t308 = __rdx;
				_t272 = __rcx;
				_t316 = __r9;
				_t281 = __r8;
				 *((intOrPtr*)(_t289 + 0x60)) = r15b;
				r14b = r15b;
				 *((intOrPtr*)(_t289 + 0xe0)) = r15b;
				_t160 = E00007FF77FF7A56F2548(_t222, __r9);
				E00007FF77FF7A56E71FC(__edi, _t207, _t222, __rdx, _t316, _t275, _t281, _t222, _t289 + 0x78, _t320, _t318);
				if (_t160 - E00007FF77FF7A56F25C0(_t207, __rdx, _t222) <= 0) goto 0xa56e9de8;
				r9d = _t160;
				E00007FF77FF7A56F2578(_t106, _t289 + 0x78, _t222);
				r9d = _t160;
				E00007FF77FF7A56F2584(_t207, _t222, _t308, _t222, _t315);
				goto 0xa56e9df2;
				_t161 = E00007FF77FF7A56F25C0(_t207, _t308, _t222);
				if (_t161 - 0xffffffff < 0) goto 0xa56e9dfc;
				if (_t161 -  *((intOrPtr*)(_t222 + 4)) < 0) goto 0xa56e9e01;
				E00007FF77FF7A56F0148(_t207);
				if ( *_t272 != 0xe06d7363) goto 0xa56ea258;
				if ( *((intOrPtr*)(_t272 + 0x18)) != 4) goto 0xa56e9fc7;
				if ( *((intOrPtr*)(_t272 + 0x20)) == 0x19930520) goto 0xa56e9e36;
				if ( *((intOrPtr*)(_t272 + 0x20)) == 0x19930521) goto 0xa56e9e36;
				if ( *((intOrPtr*)(_t272 + 0x20)) != 0x19930522) goto 0xa56e9fc7;
				if ( *((intOrPtr*)(_t272 + 0x30)) != _t320) goto 0xa56e9fc7;
				E00007FF77FF7A56EB93C(_t152,  *((intOrPtr*)(_t272 + 0x30)) - _t320, _t207);
				if ( *((intOrPtr*)(_t207 + 0xf0)) == _t320) goto 0xa56ea23d;
				E00007FF77FF7A56EB93C(_t152,  *((intOrPtr*)(_t207 + 0xf0)) - _t320, _t207);
				_t273 =  *((intOrPtr*)(_t207 + 0xf0));
				E00007FF77FF7A56EB93C(_t152,  *((intOrPtr*)(_t207 + 0xf0)) - _t320, _t207);
				 *((char*)(_t289 + 0x60)) = 1;
				 *((long long*)(_t289 + 0xf0)) =  *((intOrPtr*)(_t207 + 0xf8));
				if (E00007FF77FF7A56F4658(E00007FF77FF7A56E7334(_t207,  *((intOrPtr*)(_t273 + 0x38))), _t273) != r15d) goto 0xa56e9e97;
				E00007FF77FF7A56F0148(_t207);
				if ( *_t273 != 0xe06d7363) goto 0xa56e9ecb;
				if ( *((intOrPtr*)(_t273 + 0x18)) != 4) goto 0xa56e9ecb;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930520) goto 0xa56e9ec0;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930521) goto 0xa56e9ec0;
				if ( *((intOrPtr*)(_t273 + 0x20)) != 0x19930522) goto 0xa56e9ecb;
				if ( *((intOrPtr*)(_t273 + 0x30)) != _t320) goto 0xa56e9ecb;
				E00007FF77FF7A56F0148(_t207);
				E00007FF77FF7A56EB93C(_t152,  *((intOrPtr*)(_t273 + 0x30)) - _t320, _t207);
				if ( *(_t207 + 0x108) == _t320) goto 0xa56e9fc7;
				E00007FF77FF7A56EB93C(_t152,  *(_t207 + 0x108) - _t320, _t207);
				_t283 =  *(_t207 + 0x108);
				E00007FF77FF7A56EB93C(_t152,  *(_t207 + 0x108) - _t320, _t207);
				 *(_t207 + 0x108) = _t320;
				if (E00007FF77FF7A56E9468(_t207, _t222, _t273, _t283, _t275, _t283) != r15b) goto 0xa56e9fbf;
				r12d = r15d;
				if ( *_t283 - r15d <= 0) goto 0xa56e9f67;
				_t276 = _t320;
				E00007FF77FF7A56E72E8(_t207);
				_t208 = _t207 + _t276;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t283 + 4)) + _t208 + 4)) == r15d) goto 0xa56e9f43;
				E00007FF77FF7A56E72E8(_t208);
				_t223 =  *((intOrPtr*)( *((intOrPtr*)(_t283 + 4)) + _t208 + _t276 + 4));
				E00007FF77FF7A56E72E8(_t208 + _t276);
				goto 0xa56e9f46;
				if (E00007FF77FF7A56E45C0(_t320, 0xa5720408) != r15b) goto 0xa56e9f6d;
				r12d = r12d + 1;
				if (r12d -  *_t283 < 0) goto 0xa56e9f15;
				E00007FF77FF7A56F0124(r12d -  *_t283, _t320);
				asm("int3");
				E00007FF77FF7A56E93E4(1, _t273);
				 *((long long*)(_t289 + 0xe0)) = "bad exception";
				E00007FF77FF7A56E40EC(_t223, _t289 + 0x88, _t289 + 0xe0,  &(_t276[5]), _t307);
				 *((long long*)(_t289 + 0x88)) = 0xa5710da8;
				E00007FF77FF7A56E7168(_t320, _t223, _t289 + 0x88, 0xa571e0e0, _t271);
				asm("int3");
				if ( *_t273 != 0xe06d7363) goto 0xa56ea258;
				if ( *((intOrPtr*)(_t273 + 0x18)) != 4) goto 0xa56ea258;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930520) goto 0xa56e9ffc;
				if ( *((intOrPtr*)(_t273 + 0x20)) == 0x19930521) goto 0xa56e9ffc;
				if ( *((intOrPtr*)(_t273 + 0x20)) != 0x19930522) goto 0xa56ea258;
				if (_t223[3] - r15d <= 0) goto 0xa56ea18a;
				r8d =  *((intOrPtr*)(_t289 + 0x110));
				 *(_t289 + 0x30) = _t316;
				 *(_t289 + 0x28) = _t289 + 0x68;
				_t213 = _t289 + 0x64;
				r9d = _t161;
				 *(_t289 + 0x20) = _t213;
				E00007FF77FF7A56E757C(__ebx, _t223, _t223,  &(_t276[5]));
				_t285 = _t213;
				if ( *((intOrPtr*)(_t289 + 0x64)) -  *((intOrPtr*)(_t289 + 0x68)) >= 0) goto 0xa56ea18a;
				if ( *_t285 - _t161 > 0) goto 0xa56ea16f;
				if (_t161 - _t285[1] > 0) goto 0xa56ea16f;
				E00007FF77FF7A56E72E8(_t213);
				r14d = _t285[3];
				_t310 = _t213 + _t285[4];
				if (r14d - r15d <= 0) goto 0xa56ea157;
				E00007FF77FF7A56E7300(_t213);
				_t214 = _t213 +  *((intOrPtr*)( *((intOrPtr*)(_t273 + 0x30)) + 0xc)) + 4;
				 *((long long*)(_t289 + 0x70)) = _t214;
				E00007FF77FF7A56E7300(_t214);
				r15d =  *((intOrPtr*)(_t214 +  *((intOrPtr*)( *((intOrPtr*)(_t273 + 0x30)) + 0xc))));
				goto 0xa56ea0d1;
				E00007FF77FF7A56E7300(_t214);
				 *((long long*)(_t289 + 0x80)) = _t214 +  *((intOrPtr*)( *((intOrPtr*)(_t289 + 0x70))));
				if (E00007FF77FF7A56E90E0(_t223, _t310, _t214 +  *((intOrPtr*)( *((intOrPtr*)(_t289 + 0x70)))), _t273,  &(_t276[5]),  *((intOrPtr*)(_t273 + 0x30))) != 0) goto 0xa56ea0e2;
				r15d = r15d - 1;
				 *((long long*)(_t289 + 0x70)) =  *((long long*)(_t289 + 0x70)) + 4;
				if (r15d > 0) goto 0xa56ea09d;
				r14d = r14d - 1;
				r15d = 0;
				goto 0xa56ea06a;
				r14b = 1;
				 *((char*)(_t289 + 0x58)) =  *((intOrPtr*)(_t289 + 0x108));
				 *((char*)(_t289 + 0x50)) =  *((intOrPtr*)(_t289 + 0x60));
				 *((long long*)(_t289 + 0x48)) =  *((intOrPtr*)(_t289 + 0x118));
				 *((intOrPtr*)(_t289 + 0xe0)) = r14b;
				 *((intOrPtr*)(_t289 + 0x40)) =  *((intOrPtr*)(_t289 + 0x110));
				 *(_t289 + 0x38) = _t285;
				 *(_t289 + 0x30) =  *((intOrPtr*)(_t289 + 0x80));
				 *(_t289 + 0x28) = _t310 + 0x14;
				 *(_t289 + 0x20) = _t223;
				E00007FF77FF7A56E9A40( *((intOrPtr*)(_t289 + 0x64)), _t159, _t223, _t273,  *((intOrPtr*)(_t289 + 0xe8)), _t285,  *((intOrPtr*)(_t289 + 0xf0)), _t316);
				r15d = 0;
				goto 0xa56ea167;
				r14b =  *((intOrPtr*)(_t289 + 0xe0));
				_t155 =  *((intOrPtr*)(_t289 + 0x64)) + 1;
				 *((intOrPtr*)(_t289 + 0x64)) = _t155;
				if (_t155 -  *((intOrPtr*)(_t289 + 0x68)) < 0) goto 0xa56ea048;
				if (r14b != r15b) goto 0xa56ea22a;
				if (( *_t223 & 0x1fffffff) - 0x19930521 < 0) goto 0xa56ea22a;
				_t162 = _t223[8];
				if (_t162 == r15d) goto 0xa56ea1b1;
				E00007FF77FF7A56E72E8( *((intOrPtr*)(_t289 + 0x80)));
				goto 0xa56ea1b4;
				if (_t320 == _t320) goto 0xa56ea22a;
				if (_t162 == r15d) goto 0xa56ea1cf;
				E00007FF77FF7A56E72E8(_t320);
				_t220 = _t223[8];
				goto 0xa56ea1d2;
				if (E00007FF77FF7A56E9468(_t220, _t223, _t273, _t320, _t162,  &(_t285[5])) != r15b) goto 0xa56ea22a;
				E00007FF77FF7A56E71FC(_t159, _t220, _t223,  *((intOrPtr*)(_t289 + 0xe8)), _t316, _t162,  &(_t285[5]), _t223, _t289 + 0xe0, _t275, _t280);
				 *((char*)(_t289 + 0x40)) =  *((intOrPtr*)(_t289 + 0x108));
				 *(_t289 + 0x38) = _t316;
				 *(_t289 + 0x30) = _t223;
				 *(_t289 + 0x28) =  *(_t289 + 0x28) | 0xffffffff;
				 *(_t289 + 0x20) = _t320;
				E00007FF77FF7A56E777C(_t223,  *((intOrPtr*)(_t289 + 0xe8)), _t273, _t162,  &(_t285[5]),  *((intOrPtr*)(_t289 + 0xf0)), _t220);
				E00007FF77FF7A56EB93C( *((intOrPtr*)(_t289 + 0x108)), E00007FF77FF7A56E9468(_t220, _t223, _t273, _t320, _t162,  &(_t285[5])) - r15b, _t220);
				if ( *((intOrPtr*)(_t220 + 0x108)) == _t320) goto 0xa56ea23d;
				return E00007FF77FF7A56F0148(_t220);
			}

0x7ff7a56e9d48
0x7ff7a56e9d48
0x7ff7a56e9d48
0x7ff7a56e9d48
0x7ff7a56e9d4d
0x7ff7a56e9d52
0x7ff7a56e9d62
0x7ff7a56e9d69
0x7ff7a56e9d71
0x7ff7a56e9d74
0x7ff7a56e9d77
0x7ff7a56e9d80
0x7ff7a56e9d83
0x7ff7a56e9d86
0x7ff7a56e9d8b
0x7ff7a56e9d8e
0x7ff7a56e9da9
0x7ff7a56e9dab
0x7ff7a56e9dc6
0x7ff7a56e9dcd
0x7ff7a56e9dd0
0x7ff7a56e9dd5
0x7ff7a56e9de1
0x7ff7a56e9de6
0x7ff7a56e9df0
0x7ff7a56e9df5
0x7ff7a56e9dfa
0x7ff7a56e9dfc
0x7ff7a56e9e07
0x7ff7a56e9e11
0x7ff7a56e9e1e
0x7ff7a56e9e27
0x7ff7a56e9e30
0x7ff7a56e9e3a
0x7ff7a56e9e40
0x7ff7a56e9e4c
0x7ff7a56e9e52
0x7ff7a56e9e57
0x7ff7a56e9e5e
0x7ff7a56e9e6e
0x7ff7a56e9e73
0x7ff7a56e9e90
0x7ff7a56e9e92
0x7ff7a56e9e9d
0x7ff7a56e9ea3
0x7ff7a56e9eac
0x7ff7a56e9eb5
0x7ff7a56e9ebe
0x7ff7a56e9ec4
0x7ff7a56e9ec6
0x7ff7a56e9ecb
0x7ff7a56e9ed7
0x7ff7a56e9edd
0x7ff7a56e9ee2
0x7ff7a56e9ee9
0x7ff7a56e9ef4
0x7ff7a56e9f03
0x7ff7a56e9f0d
0x7ff7a56e9f10
0x7ff7a56e9f12
0x7ff7a56e9f15
0x7ff7a56e9f1e
0x7ff7a56e9f26
0x7ff7a56e9f28
0x7ff7a56e9f34
0x7ff7a56e9f39
0x7ff7a56e9f41
0x7ff7a56e9f58
0x7ff7a56e9f5a
0x7ff7a56e9f65
0x7ff7a56e9f67
0x7ff7a56e9f6c
0x7ff7a56e9f72
0x7ff7a56e9f8e
0x7ff7a56e9f96
0x7ff7a56e9fb1
0x7ff7a56e9fb9
0x7ff7a56e9fbe
0x7ff7a56e9fcd
0x7ff7a56e9fd7
0x7ff7a56e9fe4
0x7ff7a56e9fed
0x7ff7a56e9ff6
0x7ff7a56ea000
0x7ff7a56ea006
0x7ff7a56ea013
0x7ff7a56ea018
0x7ff7a56ea01d
0x7ff7a56ea022
0x7ff7a56ea02b
0x7ff7a56ea030
0x7ff7a56ea039
0x7ff7a56ea042
0x7ff7a56ea04b
0x7ff7a56ea054
0x7ff7a56ea05a
0x7ff7a56ea063
0x7ff7a56ea067
0x7ff7a56ea06d
0x7ff7a56ea073
0x7ff7a56ea080
0x7ff7a56ea085
0x7ff7a56ea08a
0x7ff7a56ea097
0x7ff7a56ea09b
0x7ff7a56ea09d
0x7ff7a56ea0b7
0x7ff7a56ea0c6
0x7ff7a56ea0c8
0x7ff7a56ea0cb
0x7ff7a56ea0d4
0x7ff7a56ea0d6
0x7ff7a56ea0dd
0x7ff7a56ea0e0
0x7ff7a56ea0f1
0x7ff7a56ea0f4
0x7ff7a56ea0ff
0x7ff7a56ea10e
0x7ff7a56ea11a
0x7ff7a56ea122
0x7ff7a56ea12e
0x7ff7a56ea133
0x7ff7a56ea138
0x7ff7a56ea148
0x7ff7a56ea14d
0x7ff7a56ea152
0x7ff7a56ea155
0x7ff7a56ea157
0x7ff7a56ea16f
0x7ff7a56ea175
0x7ff7a56ea17b
0x7ff7a56ea184
0x7ff7a56ea196
0x7ff7a56ea19c
0x7ff7a56ea1a2
0x7ff7a56ea1a7
0x7ff7a56ea1af
0x7ff7a56ea1b7
0x7ff7a56ea1bc
0x7ff7a56ea1be
0x7ff7a56ea1c6
0x7ff7a56ea1cd
0x7ff7a56ea1dd
0x7ff7a56ea1f0
0x7ff7a56ea204
0x7ff7a56ea208
0x7ff7a56ea20d
0x7ff7a56ea212
0x7ff7a56ea220
0x7ff7a56ea225
0x7ff7a56ea22a
0x7ff7a56ea236
0x7ff7a56ea257

APIs

Part of subcall function 00007FF7A56E71FC: RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7A56E7270

__GetUnwindTryBlock.LIBCMT ref: 00007FF7A56E9DB9
__SetUnwindTryBlock.LIBCMT ref: 00007FF7A56E9DE1

Part of subcall function 00007FF7A56E7168: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7A56E4678), ref: 00007FF7A56E71E8

__GetUnwindTryBlock.LIBCMT ref: 00007FF7A56E9DEB
_getptd.LIBCMT ref: 00007FF7A56E9E40
_getptd.LIBCMT ref: 00007FF7A56E9E52
_getptd.LIBCMT ref: 00007FF7A56E9E5E
_SetThrowImageBase.LIBCMT ref: 00007FF7A56E9E7B
_getptd.LIBCMT ref: 00007FF7A56E9ECB
_getptd.LIBCMT ref: 00007FF7A56E9EDD
_getptd.LIBCMT ref: 00007FF7A56E9EE9
_getptd.LIBCMT ref: 00007FF7A56EA22A

Strings

bad exception, xrefs: 00007FF7A56E9F77
csm, xrefs: 00007FF7A56E9E97
csm, xrefs: 00007FF7A56E9E01
csm, xrefs: 00007FF7A56E9FC7

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd$BlockUnwind$BaseEntryExceptionFunctionImageLookupRaiseThrow
String ID: bad exception$csm$csm$csm
API String ID: 2351602029-820278400
Opcode ID: 9879b71105d79e3faefd726c5ecf8e7106465e3219339e0629f894a23453c9a7
Instruction ID: 65b8de5c58555b8f334c29d5401b9cf6e9773afe8f6d62b0e5e9a6e7712f4e51
Opcode Fuzzy Hash: 9879b71105d79e3faefd726c5ecf8e7106465e3219339e0629f894a23453c9a7
Instruction Fuzzy Hash: CFE1B47290B782C6DA70BB21A4442B9A7A2FF46F84F856135DE8D07B65CF3DE491C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DB470 Relevance: 19.7, APIs: 13, Instructions: 249
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7A56DB470(long long __rdx, void* __r8, long long _a16, intOrPtr* _a40, intOrPtr* _a48, intOrPtr* _a56) {
				char _v56;
				char _v72;
				intOrPtr _v80;
				char _v88;
				void* __rdi;
				void* __rbp;
				void* __r12;
				void* _t21;
				intOrPtr _t31;
				intOrPtr* _t36;
				long long* _t37;
				intOrPtr* _t38;
				intOrPtr* _t40;
				long long* _t42;
				void* _t44;
				void* _t46;
				void* _t54;
				void* _t55;

				_a16 = __rdx;
				_t36 = _a48;
				_t37 =  &_v72;
				_t42 =  &_v56;
				 *_t37 =  *_t36;
				 *((long long*)(_t37 + 8)) =  *((intOrPtr*)(_t36 + 8));
				_t38 = _a40;
				 *_t42 =  *_t38;
				 *((long long*)(_t42 + 8)) =  *((intOrPtr*)(_t38 + 8));
				E00007FF77FF7A56DBC70( &_v88, __r8, _t44, _t46,  &_v56,  &_v72, __rdx, _t54, _t55);
				if ( *((long long*)(__r8 + 0x38)) != 0) goto 0xa56db5e3;
				_t31 = _v88;
				if (_t31 == 0xfffffffc) goto 0xa56db4f7;
				if (_t31 == 0) goto 0xa56db4f2;
				if (_t31 ==  *_t36) goto 0xa56db4f7;
				_t21 = E00007FF77FF7A56E44B8();
				if (_v80 !=  *((intOrPtr*)(_t36 + 8))) goto 0xa56db528;
				_t40 = _a56;
				 *((long long*)(__rdx)) =  *_t40;
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(_t40 + 8));
				return _t21;
			}

0x7ff7a56db470
0x7ff7a56db47f
0x7ff7a56db487
0x7ff7a56db492
0x7ff7a56db49a
0x7ff7a56db4a6
0x7ff7a56db4aa
0x7ff7a56db4ba
0x7ff7a56db4c6
0x7ff7a56db4cd
0x7ff7a56db4d7
0x7ff7a56db4dd
0x7ff7a56db4e6
0x7ff7a56db4eb
0x7ff7a56db4f0
0x7ff7a56db4f2
0x7ff7a56db500
0x7ff7a56db502
0x7ff7a56db50d
0x7ff7a56db515
0x7ff7a56db527

APIs

Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBCCA
Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBCED
Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD08
Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD28
Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD74
Part of subcall function 00007FF7A56DBC70: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD9B

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB4F2
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB59B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB5BE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB620
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB63A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB65D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB67E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB699
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB6B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB6FE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB721
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB76E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB791

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c1a07d890f2d1985cc669972f8e1ed61626581fff1d6e9b679634fa50c2043ac
Instruction ID: 01f789d3a9cd41e7f1a1a1a7f4dd5a7875eaf994fe44fe5c585e9e9fca6848d2
Opcode Fuzzy Hash: c1a07d890f2d1985cc669972f8e1ed61626581fff1d6e9b679634fa50c2043ac
Instruction Fuzzy Hash: 33B1A12360BE8581EA60AF15E04026DA362FB45FA8F895631DE9C437F8DF39E491C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A5708E80 Relevance: 19.7, APIs: 13, Instructions: 192
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7A5708E80(void* __ebx, void* __edx, signed int __ebp, long long __rbx, void* __rcx, void* __rdx, long long __rsi) {
				void* _t106;
				void* _t140;
				long long* _t143;
				long long _t148;
				intOrPtr* _t153;
				void* _t171;
				void* _t172;
				long long _t175;
				long long _t177;
				intOrPtr _t178;
				void* _t179;
				void* _t181;
				intOrPtr* _t182;
				intOrPtr _t183;
				long long _t185;
				long long _t186;
				intOrPtr _t190;
				void* _t193;
				void* _t194;
				void* _t207;
				long long _t208;

				_t106 = __edx;
				_t140 = _t193;
				_t194 = _t193 - 0xa0;
				 *((long long*)(_t194 + 0x30)) = 0xfffffffe;
				 *((long long*)(_t140 + 8)) = __rbx;
				 *((long long*)(_t140 + 0x18)) = _t185;
				 *((long long*)(_t140 + 0x20)) = __rsi;
				_t207 = __rdx;
				_t181 = __rcx;
				if (__rdx == 0) goto 0xa5709173;
				if (r8d == 0) goto 0xa5709173;
				_t153 = __rcx + 0x210;
				_t186 =  *((intOrPtr*)(_t153 + 0x20));
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t186 <= 0) goto 0xa5708ed5;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t194 + 0x40)) =  *_t153;
				 *((long long*)(_t194 + 0x48)) = _t186;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) =  *(_t194 + 0xc8) & 0x000000ff;
				E00007FF77FF7A56DD1A0(_t106, _t153, _t153, _t194 + 0x60, __rcx, __rdx, __rdx + _t172);
				_t143 =  *((intOrPtr*)(_t153 + 0x20)) -  *((intOrPtr*)(_t153 + 0x18));
				if (_t143 - 3 >= 0) goto 0xa5708f30;
				goto 0xa5709175;
				_t112 =  *(_t181 + 0x2a4) * __ebp;
				 *(_t194 + 0xc8) = 0;
				E00007FF77FF7A56E45E0(_t143, _t153);
				r13d = 0;
				if (_t143 == 0) goto 0xa5708f5b;
				 *_t143 = _t194 + 0x70;
				goto 0xa5708f5e;
				 *((long long*)(_t194 + 0x70)) = _t208;
				r12d =  *(_t181 + 0x2a4) * __ebp;
				E00007FF77FF7A56D4CA0(_t208, _t153, _t194 + 0x70, _t194 + 0x60, _t181, _t194 + 0xc8);
				if ( *((intOrPtr*)(_t194 + 0x90)) !=  *((intOrPtr*)(_t194 + 0x88))) goto 0xa5708f9d;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t153 + 0x20)) !=  *((intOrPtr*)(_t153 + 0x18))) goto 0xa5708fac;
				E00007FF77FF7A56E44B8();
				 *((intOrPtr*)(_t194 + 0x20)) = r13d;
				r9d = __ebp;
				E00007FF77FF7A57077F0(_t181 + 0x20,  *((intOrPtr*)(_t153 + 0x18)), _t181,  *((intOrPtr*)(_t194 + 0x88)));
				_t175 =  *((intOrPtr*)(_t181 + 0x260));
				if ( *((intOrPtr*)(_t181 + 0x258)) - _t175 <= 0) goto 0xa5708fd9;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t194 + 0x60)) =  *((intOrPtr*)(_t181 + 0x240));
				 *((long long*)(_t194 + 0x68)) = _t175;
				_t148 =  *((intOrPtr*)(_t194 + 0x90));
				if ( *((intOrPtr*)(_t194 + 0x88)) - _t148 <= 0) goto 0xa5709017;
				E00007FF77FF7A56E44B8();
				_t177 =  *((intOrPtr*)(_t194 + 0x88));
				 *((long long*)(_t194 + 0x40)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x48)) = _t148;
				if (_t177 -  *((intOrPtr*)(_t194 + 0x90)) <= 0) goto 0xa5709035;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t194 + 0x50)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x58)) = _t177;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) =  *(_t194 + 0xc8) & 0x000000ff;
				E00007FF77FF7A56D9750(_t112, _t153, _t181 + 0x240, _t194 + 0x60, _t181, _t194 + 0x50, _t194 + 0x40);
				_t178 =  *((intOrPtr*)(_t153 + 0x18));
				if (_t178 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0xa5709096;
				E00007FF77FF7A56E44B8();
				_t182 =  *_t153;
				if (_t182 != 0) goto 0xa57090a8;
				E00007FF77FF7A56E44B8();
				goto 0xa57090ab;
				_t179 = _t178 + _t207;
				if (_t179 -  *((intOrPtr*)( *_t182 + 0x20)) > 0) goto 0xa57090c7;
				if (_t182 == 0) goto 0xa57090be;
				goto 0xa57090c1;
				if (_t179 -  *((intOrPtr*)(_t208 + 0x18)) >= 0) goto 0xa57090cc;
				E00007FF77FF7A56E44B8();
				_t183 =  *((intOrPtr*)(_t153 + 0x18));
				if (_t183 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0xa57090db;
				E00007FF77FF7A56E44B8();
				if (_t153 == 0) goto 0xa57090ec;
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t183 > 0) goto 0xa57090ec;
				if (_t183 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0xa57090f1;
				E00007FF77FF7A56E44B8();
				_t190 =  *_t153;
				if ( *((intOrPtr*)(_t153 + 0x18)) - _t179 > 0) goto 0xa5709100;
				if (_t179 -  *((intOrPtr*)(_t153 + 0x20)) <= 0) goto 0xa5709105;
				E00007FF77FF7A56E44B8();
				if (_t190 == 0) goto 0xa570910f;
				if (_t190 ==  *_t153) goto 0xa5709114;
				E00007FF77FF7A56E44B8();
				if (_t183 == _t179) goto 0xa570913b;
				_t171 =  *((intOrPtr*)(_t153 + 0x20)) - _t179;
				if (_t171 <= 0) goto 0xa5709137;
				E00007FF77FF7A56E4070(_t183, _t171, _t179, _t171);
				 *((long long*)(_t153 + 0x20)) = _t171 + _t183;
				if ( *((intOrPtr*)(_t194 + 0x88)) == 0) goto 0xa570914d;
				E00007FF77FF7A56E44D8(_t208, _t153,  *((intOrPtr*)(_t194 + 0x88)), _t171, _t183, _t179, _t171);
				 *((long long*)(_t194 + 0x88)) = _t208;
				 *((long long*)(_t194 + 0x90)) = _t208;
				 *((long long*)(_t194 + 0x98)) = _t208;
				E00007FF77FF7A56E44D8(_t208, _t153,  *((intOrPtr*)(_t194 + 0x70)), _t171, _t183, _t179, _t171);
				goto 0xa5709175;
				return 1;
			}

0x7ff7a5708e80
0x7ff7a5708e80
0x7ff7a5708e88
0x7ff7a5708e8f
0x7ff7a5708e98
0x7ff7a5708e9c
0x7ff7a5708ea0
0x7ff7a5708ea7
0x7ff7a5708eaa
0x7ff7a5708eb0
0x7ff7a5708eb9
0x7ff7a5708ebf
0x7ff7a5708ec6
0x7ff7a5708ece
0x7ff7a5708ed0
0x7ff7a5708ed8
0x7ff7a5708edd
0x7ff7a5708ee2
0x7ff7a5708ee7
0x7ff7a5708ef9
0x7ff7a5708f08
0x7ff7a5708f17
0x7ff7a5708f27
0x7ff7a5708f2b
0x7ff7a5708f34
0x7ff7a5708f37
0x7ff7a5708f44
0x7ff7a5708f49
0x7ff7a5708f4f
0x7ff7a5708f56
0x7ff7a5708f59
0x7ff7a5708f5e
0x7ff7a5708f63
0x7ff7a5708f75
0x7ff7a5708f8e
0x7ff7a5708f90
0x7ff7a5708fa5
0x7ff7a5708fa7
0x7ff7a5708fb0
0x7ff7a5708fb5
0x7ff7a5708fbf
0x7ff7a5708fc4
0x7ff7a5708fd2
0x7ff7a5708fd4
0x7ff7a5708fe0
0x7ff7a5708fe5
0x7ff7a5708fea
0x7ff7a5709000
0x7ff7a5709002
0x7ff7a570900f
0x7ff7a570901c
0x7ff7a5709021
0x7ff7a5709029
0x7ff7a570902b
0x7ff7a5709035
0x7ff7a570903a
0x7ff7a570903f
0x7ff7a5709044
0x7ff7a570904a
0x7ff7a570904f
0x7ff7a5709055
0x7ff7a570905a
0x7ff7a5709068
0x7ff7a5709082
0x7ff7a5709087
0x7ff7a570908f
0x7ff7a5709091
0x7ff7a5709096
0x7ff7a570909c
0x7ff7a570909e
0x7ff7a57090a6
0x7ff7a57090ab
0x7ff7a57090b2
0x7ff7a57090b7
0x7ff7a57090bc
0x7ff7a57090c5
0x7ff7a57090c7
0x7ff7a57090cc
0x7ff7a57090d4
0x7ff7a57090d6
0x7ff7a57090de
0x7ff7a57090e4
0x7ff7a57090ea
0x7ff7a57090ec
0x7ff7a57090f1
0x7ff7a57090f8
0x7ff7a57090fe
0x7ff7a5709100
0x7ff7a5709108
0x7ff7a570910d
0x7ff7a570910f
0x7ff7a5709117
0x7ff7a570911d
0x7ff7a5709127
0x7ff7a5709132
0x7ff7a5709137
0x7ff7a5709146
0x7ff7a5709148
0x7ff7a570914d
0x7ff7a5709155
0x7ff7a570915d
0x7ff7a570916a
0x7ff7a5709171
0x7ff7a5709191

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5708ED0

Part of subcall function 00007FF7A56E45E0: malloc.LIBCMT ref: 00007FF7A56E45FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5708F90
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5708FA7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5708FD4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709002
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570902B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709091
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570909E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57090C7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57090D6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57090EC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709100
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570910F

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: 0262d0dafc344c9128b52d1992c683ba543df2f7131d274a0e5fc425fc83073a
Instruction ID: 9bece8c3af326d898e33a31443e8e8e315f119a7c89302fe4b89653df7f6affd
Opcode Fuzzy Hash: 0262d0dafc344c9128b52d1992c683ba543df2f7131d274a0e5fc425fc83073a
Instruction Fuzzy Hash: 9E917772A0AB85C5D760AB25E4002AEE3A1FB89F84F955131EEDC13769DF3DE841C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A5709680 Relevance: 19.7, APIs: 13, Instructions: 183
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7A5709680(void* __ebx, void* __edx, void* __rcx, void* __rdx) {
				long long _v56;
				long long _v64;
				char _v72;
				long long _v80;
				long long _v88;
				long long _v96;
				char _v120;
				long long _v128;
				char _v136;
				long long _v144;
				char _v152;
				signed int _v168;
				char _v184;
				void* __rbx;
				void* __rsi;
				void* _t100;
				signed int _t106;
				long long _t136;
				intOrPtr* _t143;
				void* _t158;
				void* _t159;
				intOrPtr _t160;
				void* _t161;
				long long _t162;
				long long _t164;
				long long _t165;
				long long _t166;
				intOrPtr* _t167;
				intOrPtr _t168;
				void* _t169;
				intOrPtr _t171;
				void* _t182;

				_t100 = __edx;
				_v56 = 0xfffffffe;
				_t106 = r8d;
				_t182 = __rdx;
				_t159 = __rcx;
				if (__rdx == 0) goto 0xa5709950;
				if (r8d == 0) goto 0xa5709950;
				_t143 = __rcx + 0x210;
				_t162 =  *((intOrPtr*)(_t143 + 0x20));
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t162 <= 0) goto 0xa57096cb;
				E00007FF77FF7A56E44B8();
				_v152 =  *_t143;
				_v144 = _t162;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x50], xmm0");
				_v184 = _v168 & 0x000000ff;
				E00007FF77FF7A56DD1A0(_t100, _t143, _t143,  &_v136, _t162, __rdx, __rdx + _t169);
				_t136 =  *((intOrPtr*)(_t143 + 0x20)) -  *((intOrPtr*)(_t143 + 0x18));
				if (_t136 - 1 >= 0) goto 0xa5709723;
				goto 0xa5709952;
				_v168 = 0;
				E00007FF77FF7A56E45E0(_t136, _t143);
				if (_t136 == 0) goto 0xa5709744;
				 *_t136 =  &_v120;
				goto 0xa5709746;
				_v120 = _t136;
				r12d =  *(_t159 + 0x2a4) * _t106;
				E00007FF77FF7A56D4CA0(_t136, _t143,  &_v120,  &_v136, _t162,  &_v168);
				if (_v88 != _v96) goto 0xa5709774;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t143 + 0x20)) !=  *((intOrPtr*)(_t143 + 0x18))) goto 0xa5709788;
				E00007FF77FF7A56E44B8();
				if (_t106 == 0) goto 0xa570979f;
				r9d = _t106;
				E00007FF77FF7A5707870(_t106, _t159 + 0x20,  *((intOrPtr*)(_t143 + 0x18)), _v96);
				_t164 =  *((intOrPtr*)(_t159 + 0x260));
				if ( *((intOrPtr*)(_t159 + 0x258)) - _t164 <= 0) goto 0xa57097b4;
				E00007FF77FF7A56E44B8();
				_v136 =  *((intOrPtr*)(_t159 + 0x240));
				_v128 = _t164;
				_t165 = _v88;
				if (_v96 - _t165 <= 0) goto 0xa57097d9;
				E00007FF77FF7A56E44B8();
				_v152 = _v120;
				_v144 = _t165;
				_t166 = _v96;
				if (_t166 - _v88 <= 0) goto 0xa5709801;
				E00007FF77FF7A56E44B8();
				_v72 = _v120;
				_v64 = _t166;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x90]");
				asm("movdqa [esp+0x90], xmm1");
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				_v184 = _v168 & 0x000000ff;
				E00007FF77FF7A56D9750( *(_t159 + 0x2a4) * _t106, _t143, _t159 + 0x240,  &_v136, _t166,  &_v72,  &_v152);
				_t160 =  *((intOrPtr*)(_t143 + 0x18));
				if (_t160 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0xa570986e;
				E00007FF77FF7A56E44B8();
				_t167 =  *_t143;
				if (_t167 != 0) goto 0xa5709880;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa5709883;
				_t161 = _t160 + _t182;
				if (_t161 -  *((intOrPtr*)( *_t167 + 0x20)) > 0) goto 0xa570989e;
				if (_t167 == 0) goto 0xa5709896;
				goto 0xa5709898;
				if (_t161 -  *((intOrPtr*)( *_t167 + 0x18)) >= 0) goto 0xa57098a3;
				E00007FF77FF7A56E44B8();
				_t168 =  *((intOrPtr*)(_t143 + 0x18));
				if (_t168 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0xa57098b2;
				E00007FF77FF7A56E44B8();
				if (_t143 == 0) goto 0xa57098c3;
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t168 > 0) goto 0xa57098c3;
				if (_t168 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0xa57098c8;
				E00007FF77FF7A56E44B8();
				_t171 =  *_t143;
				if ( *((intOrPtr*)(_t143 + 0x18)) - _t161 > 0) goto 0xa57098d7;
				if (_t161 -  *((intOrPtr*)(_t143 + 0x20)) <= 0) goto 0xa57098dc;
				E00007FF77FF7A56E44B8();
				if (_t171 == 0) goto 0xa57098e6;
				if (_t171 ==  *_t143) goto 0xa57098eb;
				E00007FF77FF7A56E44B8();
				if (_t168 == _t161) goto 0xa5709912;
				_t158 =  *((intOrPtr*)(_t143 + 0x20)) - _t161;
				if (_t158 <= 0) goto 0xa570990e;
				E00007FF77FF7A56E4070(_t168, _t158, _t161, _t158);
				 *((long long*)(_t143 + 0x20)) = _t158 + _t168;
				if (_v96 == 0) goto 0xa5709921;
				E00007FF77FF7A56E44D8( *_t167, _t143, _v96, _t158, _t168, _t161, _t158);
				_v96 = 0;
				_v88 = 0;
				_v80 = 0;
				E00007FF77FF7A56E44D8( *_t167, _t143, _v120, _t158, _t168, _t161, _t158);
				goto 0xa5709952;
				return 1;
			}

0x7ff7a5709680
0x7ff7a570968e
0x7ff7a570969a
0x7ff7a570969d
0x7ff7a57096a0
0x7ff7a57096a6
0x7ff7a57096af
0x7ff7a57096b5
0x7ff7a57096bc
0x7ff7a57096c4
0x7ff7a57096c6
0x7ff7a57096ce
0x7ff7a57096d3
0x7ff7a57096d8
0x7ff7a57096dd
0x7ff7a57096ec
0x7ff7a57096fb
0x7ff7a570970a
0x7ff7a570971a
0x7ff7a570971e
0x7ff7a5709726
0x7ff7a5709730
0x7ff7a5709738
0x7ff7a570973f
0x7ff7a5709742
0x7ff7a5709746
0x7ff7a570974b
0x7ff7a570975a
0x7ff7a570976d
0x7ff7a570976f
0x7ff7a5709781
0x7ff7a5709783
0x7ff7a570978a
0x7ff7a5709790
0x7ff7a570979a
0x7ff7a570979f
0x7ff7a57097ad
0x7ff7a57097af
0x7ff7a57097bb
0x7ff7a57097c0
0x7ff7a57097c5
0x7ff7a57097d2
0x7ff7a57097d4
0x7ff7a57097de
0x7ff7a57097e3
0x7ff7a57097e8
0x7ff7a57097f5
0x7ff7a57097f7
0x7ff7a5709801
0x7ff7a5709809
0x7ff7a5709811
0x7ff7a5709816
0x7ff7a570981c
0x7ff7a5709824
0x7ff7a570982d
0x7ff7a5709832
0x7ff7a570983d
0x7ff7a570985a
0x7ff7a570985f
0x7ff7a5709867
0x7ff7a5709869
0x7ff7a570986e
0x7ff7a5709874
0x7ff7a5709876
0x7ff7a570987b
0x7ff7a570987e
0x7ff7a5709883
0x7ff7a570988a
0x7ff7a570988f
0x7ff7a5709894
0x7ff7a570989c
0x7ff7a570989e
0x7ff7a57098a3
0x7ff7a57098ab
0x7ff7a57098ad
0x7ff7a57098b5
0x7ff7a57098bb
0x7ff7a57098c1
0x7ff7a57098c3
0x7ff7a57098c8
0x7ff7a57098cf
0x7ff7a57098d5
0x7ff7a57098d7
0x7ff7a57098df
0x7ff7a57098e4
0x7ff7a57098e6
0x7ff7a57098ee
0x7ff7a57098f4
0x7ff7a57098fe
0x7ff7a5709909
0x7ff7a570990e
0x7ff7a570991a
0x7ff7a570991c
0x7ff7a5709921
0x7ff7a570992a
0x7ff7a5709936
0x7ff7a5709947
0x7ff7a570994e
0x7ff7a570995f

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57096C6

Part of subcall function 00007FF7A56E45E0: malloc.LIBCMT ref: 00007FF7A56E45FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570976F
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709783
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57097AF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57097D4
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57097F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709869
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709876
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570989E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57098AD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57098C3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57098D7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57098E6

Part of subcall function 00007FF7A56E4070: _errno.LIBCMT ref: 00007FF7A56E4083

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_errnomalloc
String ID:
API String ID: 1149948996-0
Opcode ID: 862ef2bf900044cd6533764cdbe942e68350a6ca9e47dc2d25e2abce830e237e
Instruction ID: ac707d1738c915b59bb7876e13afe1a86627e89dd76e4fa7490f768952d26326
Opcode Fuzzy Hash: 862ef2bf900044cd6533764cdbe942e68350a6ca9e47dc2d25e2abce830e237e
Instruction Fuzzy Hash: 9F816962A0AA85C5E760BF25D4003BDE3E1FB86F80F951131DE9C237A9DF6CE8518760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E953C Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF77FF7A56E953C(void* __eflags, void* __rax, void* __rcx, signed int _a8, signed int _a16, void* _a24, long long _a32) {
				char _v80;
				void* _v104;
				signed int _v112;
				signed int _v120;
				signed int _v128;
				signed int _v136;
				long long _v144;
				signed int _v168;
				void* __rbx;
				void* _t79;
				void* _t80;
				void* _t97;
				long long _t98;
				signed int _t101;
				signed int _t106;
				signed int _t124;
				intOrPtr* _t126;
				void* _t127;
				signed long long _t133;

				_t97 = __rax;
				r14d = 0;
				_v168 = r14d;
				_a8 = _a8 & r14d;
				_v128 = _v128 & _t133;
				_v136 = _v136 & _t133;
				E00007FF77FF7A56EB93C(_t80, __eflags, __rax);
				_t98 =  *((intOrPtr*)(_t97 + 0xf8));
				_a32 = _t98;
				E00007FF77FF7A56EB93C(_t80, __eflags, _t98);
				_a24 =  *((intOrPtr*)(_t98 + 0xf0));
				_t124 =  *((intOrPtr*)(__rcx + 0x50));
				_a16 = _t124;
				_v144 =  *((intOrPtr*)(__rcx + 0x48));
				_t101 =  *((intOrPtr*)(__rcx + 0x30));
				_v112 = _t101;
				_v104 =  *((intOrPtr*)(__rcx + 0x28));
				E00007FF77FF7A56EB93C(_t80, __eflags, _t101);
				 *(_t101 + 0xf0) = _t124;
				E00007FF77FF7A56EB93C(_t80, __eflags, _t101);
				 *((long long*)(_t101 + 0xf8)) =  *((intOrPtr*)(__rcx + 0x40));
				E00007FF77FF7A56EB93C(_t80, __eflags, _t101);
				E00007FF77FF7A56E76A4(_t101,  &_v80,  *((intOrPtr*)( *(_t101 + 0xf0) + 0x28)));
				_v120 = _t101;
				_t88 =  *((intOrPtr*)(__rcx + 0x58)) - _t133;
				if ( *((intOrPtr*)(__rcx + 0x58)) == _t133) goto 0xa56e9625;
				_a8 = 1;
				E00007FF77FF7A56EB93C(_t80,  *((intOrPtr*)(__rcx + 0x58)) - _t133, _t101);
				_t106 =  *((intOrPtr*)(_t101 + 0x138));
				_v136 = _t106;
				E00007FF77FF7A56EB93C(_t80,  *((intOrPtr*)(__rcx + 0x58)) - _t133, _t101);
				 *(_t101 + 0xf0) = _t106;
				r8d = 0x100;
				E00007FF77FF7A570C050(_v112,  *((intOrPtr*)(__rcx + 0x28)), _t127);
				_v128 = _t101;
				_v168 = 1;
				E00007FF77FF7A56EB93C(_t80, _t88, _t101);
				 *(_t101 + 0x2c0) =  *(_t101 + 0x2c0) & 0x00000000;
				if (_a8 == 0) goto 0xa56e9699;
				E00007FF77FF7A56E93E4(1, _a16);
				r8d =  *((intOrPtr*)(_v136 + 0x18));
				RaiseException(??, ??, ??, ??);
				goto 0xa56e96b4;
				_t126 = _a16;
				r8d =  *((intOrPtr*)(_t126 + 0x18));
				RaiseException(??, ??, ??, ??);
				r14d = _v168;
				E00007FF77FF7A56E771C(_t101, _v128, _v120);
				if (r14d != 0) goto 0xa56e971d;
				if ( *_t126 != 0xe06d7363) goto 0xa56e971d;
				if ( *((intOrPtr*)(_t126 + 0x18)) != 4) goto 0xa56e971d;
				if ( *((intOrPtr*)(_t126 + 0x20)) == 0x19930520) goto 0xa56e9706;
				if ( *((intOrPtr*)(_t126 + 0x20)) == 0x19930521) goto 0xa56e9706;
				if ( *((intOrPtr*)(_t126 + 0x20)) != 0x19930522) goto 0xa56e971d;
				if (E00007FF77FF7A56E76E8(_t101,  *((intOrPtr*)(_t126 + 0x28))) == 0) goto 0xa56e971d;
				E00007FF77FF7A56E93E4(1, _t126);
				E00007FF77FF7A56EB93C( *_t126, E00007FF77FF7A56E76E8(_t101,  *((intOrPtr*)(_t126 + 0x28))), _t101);
				 *(_t101 + 0xf0) = _a24;
				_t79 = E00007FF77FF7A56EB93C( *_t126, E00007FF77FF7A56E76E8(_t101,  *((intOrPtr*)(_t126 + 0x28))), _t101);
				 *((long long*)(_t101 + 0xf8)) = _a32;
				 *((long long*)( *((intOrPtr*)(_v144 + 0x1c)) +  *_v104)) = 0xfffffffe;
				return _t79;
			}

0x7ff7a56e953c
0x7ff7a56e9550
0x7ff7a56e9553
0x7ff7a56e9558
0x7ff7a56e9560
0x7ff7a56e9565
0x7ff7a56e956a
0x7ff7a56e956f
0x7ff7a56e9576
0x7ff7a56e957e
0x7ff7a56e958a
0x7ff7a56e9592
0x7ff7a56e9596
0x7ff7a56e95a2
0x7ff7a56e95ab
0x7ff7a56e95af
0x7ff7a56e95b8
0x7ff7a56e95bd
0x7ff7a56e95c2
0x7ff7a56e95c9
0x7ff7a56e95ce
0x7ff7a56e95d5
0x7ff7a56e95ea
0x7ff7a56e95f2
0x7ff7a56e95f7
0x7ff7a56e95fb
0x7ff7a56e95fd
0x7ff7a56e9608
0x7ff7a56e960d
0x7ff7a56e9614
0x7ff7a56e9619
0x7ff7a56e961e
0x7ff7a56e9625
0x7ff7a56e9633
0x7ff7a56e963b
0x7ff7a56e964d
0x7ff7a56e9655
0x7ff7a56e965a
0x7ff7a56e9669
0x7ff7a56e9678
0x7ff7a56e9686
0x7ff7a56e9691
0x7ff7a56e9697
0x7ff7a56e9699
0x7ff7a56e96a5
0x7ff7a56e96ae
0x7ff7a56e96b4
0x7ff7a56e96d3
0x7ff7a56e96db
0x7ff7a56e96e3
0x7ff7a56e96e9
0x7ff7a56e96f2
0x7ff7a56e96fb
0x7ff7a56e9704
0x7ff7a56e9711
0x7ff7a56e9718
0x7ff7a56e971d
0x7ff7a56e972a
0x7ff7a56e9731
0x7ff7a56e9736
0x7ff7a56e974a
0x7ff7a56e9765

APIs

_getptd.LIBCMT ref: 00007FF7A56E956A
_getptd.LIBCMT ref: 00007FF7A56E957E
_getptd.LIBCMT ref: 00007FF7A56E95BD
_getptd.LIBCMT ref: 00007FF7A56E95C9
_getptd.LIBCMT ref: 00007FF7A56E95D5
_CreateFrameInfo.LIBCMT ref: 00007FF7A56E95EA

Part of subcall function 00007FF7A56E76A4: _getptd.LIBCMT ref: 00007FF7A56E76B0
Part of subcall function 00007FF7A56E76A4: _getptd.LIBCMT ref: 00007FF7A56E76BE
Part of subcall function 00007FF7A56E76A4: _getptd.LIBCMT ref: 00007FF7A56E76D2

_getptd.LIBCMT ref: 00007FF7A56E9608
_getptd.LIBCMT ref: 00007FF7A56E9619
_getptd.LIBCMT ref: 00007FF7A56E971D
_getptd.LIBCMT ref: 00007FF7A56E9731

Strings

csm, xrefs: 00007FF7A56E96DD

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd$CreateFrameInfo
String ID: csm
API String ID: 4181383844-1018135373
Opcode ID: 37636cbeaf357c96540da33d70be5943baabf356ee6162a4f4101045cc2b1b7a
Instruction ID: 185e312ec1a60b3b0af1bc4ee66453dc5daf5c5144595ed3410775fc2602817e
Opcode Fuzzy Hash: 37636cbeaf357c96540da33d70be5943baabf356ee6162a4f4101045cc2b1b7a
Instruction Fuzzy Hash: F741703250AB82C2DA70AF12E4403BEB7A5FB46F90F855135DE8D07BA1DF39D4958B10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A57091A0 Relevance: 18.3, APIs: 12, Instructions: 262
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 62%

			E00007FF77FF7A57091A0(long long __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v48;
				long long _v56;
				long long _v64;
				long long _v72;
				long long _v80;
				char _v104;
				long long _v112;
				long long _v120;
				long long _v128;
				char _v152;
				long long _v160;
				char _v168;
				long long _v176;
				char _v184;
				long long _v192;
				char _v200;
				signed int _v216;
				char _v232;
				signed int _t142;
				signed int _t180;
				signed int _t202;
				void* _t209;
				signed long long _t210;
				long long* _t212;
				long long _t218;
				long long* _t220;
				long long* _t223;
				long long _t230;
				signed long long _t238;
				signed long long _t245;
				void* _t264;
				long long _t267;
				long long _t268;
				long long _t269;
				long long _t274;
				long long _t275;
				long long _t276;
				void* _t284;

				_t230 = __rbx;
				_t209 = _t284;
				_v56 = 0xfffffffe;
				 *((long long*)(_t209 + 0x10)) = __rbx;
				 *((long long*)(_t209 + 0x18)) = __rbp;
				 *((long long*)(_t209 + 0x20)) = __rsi;
				_t210 =  *0xa5720430; // 0x4918c7c3922
				_v48 = _t210 ^ _t284 - 0x000000e0;
				_t264 = __rcx;
				_t212 =  *((intOrPtr*)(__rcx + 0x230));
				if (_t212 !=  *((intOrPtr*)(__rcx + 0x228))) goto 0xa5709372;
				E00007FF77FF7A56E45E0(_t212, __rcx);
				if (_t212 == 0) goto 0xa5709216;
				 *_t212 =  &_v152;
				goto 0xa5709219;
				_v152 = __rbx;
				_v216 = sil;
				E00007FF77FF7A56D4CA0(__rbx, __rbx,  &_v152, __rdx, __rsi,  &_v216);
				if ( *((intOrPtr*)(_t264 + 0x290)) !=  *((intOrPtr*)(_t264 + 0x288))) goto 0xa570924c;
				E00007FF77FF7A56E44B8();
				if (_v120 != _v128) goto 0xa5709275;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A5702840(_v120, _t264 + 0x20, _v128,  *((intOrPtr*)(_t264 + 0x288)));
				_t267 =  *((intOrPtr*)(_t264 + 0x260));
				if ( *((intOrPtr*)(_t264 + 0x258)) - _t267 <= 0) goto 0xa5709296;
				E00007FF77FF7A56E44B8();
				_v184 =  *((intOrPtr*)(_t264 + 0x240));
				_v176 = _t267;
				_t268 =  *((intOrPtr*)(_t264 + 0x290));
				if ( *((intOrPtr*)(_t264 + 0x288)) - _t268 <= 0) goto 0xa57092bc;
				E00007FF77FF7A56E44B8();
				_v168 =  *((intOrPtr*)(_t264 + 0x270));
				_v160 = _t268;
				_t269 =  *((intOrPtr*)(_t264 + 0x288));
				if (_t269 -  *((intOrPtr*)(_t264 + 0x290)) <= 0) goto 0xa57092e2;
				E00007FF77FF7A56E44B8();
				_t218 =  *((intOrPtr*)(_t264 + 0x270));
				_v200 = _t218;
				_v192 = _t269;
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm1");
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				_v232 = _v216 & 0x000000ff;
				E00007FF77FF7A56D9750(sil & 0xffffffff, _t230, _t264 + 0x240,  &_v184, _t269,  &_v200,  &_v168);
				if (_v128 == 0) goto 0xa570934b;
				E00007FF77FF7A56E44D8(_t218, _t230, _v128,  &_v184, _t269,  &_v200,  &_v168);
				_v128 = _t230;
				_v120 = _t230;
				_v112 = _t230;
				_t238 = _v152;
				_t142 = E00007FF77FF7A56E44D8(_t218, _t230, _t238,  &_v184, _t269,  &_v200,  &_v168);
				goto 0xa5709646;
				_t180 = _t142 % _t238;
				if (_t180 != 0) goto 0xa570939f;
				_v216 =  *(_t264 + 0x2a4) & 0x000000ff;
				goto 0xa57093c2;
				_v216 = ( *(_t264 + 0x2a4) & 0x000000ff) - _t180;
				_t220 = _t218 -  *((intOrPtr*)(_t238 + 0x228));
				E00007FF77FF7A56E45E0(_t220, _t238);
				if (_t220 == 0) goto 0xa57093dd;
				 *_t220 =  &_v152;
				goto 0xa57093e0;
				_v152 = _t230;
				E00007FF77FF7A56D4CA0(_t230, _t230,  &_v152, (_t220 + 1) * _t238, _t269,  &_v216);
				if ( *((intOrPtr*)(_t264 + 0x230)) !=  *((intOrPtr*)(_t264 + 0x228))) goto 0xa570941b;
				E00007FF77FF7A56E44B8();
				_t223 = _v120;
				if (_t223 != _v128) goto 0xa5709444;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A56EAE90(8, _t223 - _v128, _v128,  *((intOrPtr*)(_t264 + 0x228)),  *((intOrPtr*)(_t264 + 0x230)) -  *((intOrPtr*)(_t264 + 0x228)));
				_v216 = 0;
				E00007FF77FF7A56E45E0(_t223, _v128);
				if (_t223 == 0) goto 0xa5709470;
				 *_t223 =  &_v104;
				goto 0xa5709473;
				_v104 = _t230;
				E00007FF77FF7A56D4CA0(_t230, _t230,  &_v104, (_t220 + 1) * _t238,  *((intOrPtr*)(_t264 + 0x228)),  &_v216);
				if (_v72 != _v80) goto 0xa57094a8;
				E00007FF77FF7A56E44B8();
				_t245 = _v120;
				if (_t245 != _v128) goto 0xa57094d2;
				_t202 = E00007FF77FF7A56E44B8() / _t245;
				if (_t202 == 0) goto 0xa570950b;
				r12d =  *(_t264 + 0x20);
				r12d = r12d << 2;
				E00007FF77FF7A5702840((_t220 + 1) * _t238, _t264 + 0x20, _v128, _v80);
				r13d = r13d + 0xffffffff;
				if (_t202 != 0) goto 0xa57094f0;
				_t274 =  *((intOrPtr*)(_t264 + 0x260));
				if ( *((intOrPtr*)(_t264 + 0x258)) - _t274 <= 0) goto 0xa5709520;
				E00007FF77FF7A56E44B8();
				_v168 =  *((intOrPtr*)(_t264 + 0x240));
				_v160 = _t274;
				_t275 = _v72;
				if (_v80 - _t275 <= 0) goto 0xa5709548;
				E00007FF77FF7A56E44B8();
				_v184 = _v104;
				_v176 = _t275;
				_t276 = _v80;
				if (_t276 - _v72 <= 0) goto 0xa5709579;
				E00007FF77FF7A56E44B8();
				_v200 = _v104;
				_v192 = _t276;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm0");
				asm("movaps xmm1, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				_v232 = _v216 & 0x000000ff;
				E00007FF77FF7A56D9750(_t154 % _t245, _t230, _t264 + 0x240,  &_v168, _t276,  &_v200,  &_v184);
				r8d = 0;
				E00007FF77FF7A56D4D20(_t264 + 0x210,  &_v168);
				if (_v80 == 0) goto 0xa57095ec;
				E00007FF77FF7A56E44D8(_v104, _t230, _v80,  &_v168, _t276,  &_v200,  &_v184);
				_v80 = _t230;
				_v72 = _t230;
				_v64 = _t230;
				E00007FF77FF7A56E44D8(_v104, _t230, _v104,  &_v168, _t276,  &_v200,  &_v184);
				if (_v128 == 0) goto 0xa5709624;
				E00007FF77FF7A56E44D8(_v104, _t230, _v128,  &_v168, _t276,  &_v200,  &_v184);
				_v128 = _t230;
				_v120 = _t230;
				_v112 = _t230;
				E00007FF77FF7A56E44D8(_v104, _t230, _v152,  &_v168, _t276,  &_v200,  &_v184);
				return E00007FF77FF7A56E4050( *(_t264 + 0x2a4), _v48 ^ _t284 - 0x000000e0,  &_v168,  &_v200,  &_v184);
			}

0x7ff7a57091a0
0x7ff7a57091a0
0x7ff7a57091b3
0x7ff7a57091bf
0x7ff7a57091c3
0x7ff7a57091c7
0x7ff7a57091cb
0x7ff7a57091d5
0x7ff7a57091dd
0x7ff7a57091e0
0x7ff7a57091ee
0x7ff7a5709200
0x7ff7a570920a
0x7ff7a5709211
0x7ff7a5709214
0x7ff7a5709219
0x7ff7a570921e
0x7ff7a5709231
0x7ff7a5709245
0x7ff7a5709247
0x7ff7a5709266
0x7ff7a5709268
0x7ff7a570927c
0x7ff7a5709281
0x7ff7a570928f
0x7ff7a5709291
0x7ff7a570929d
0x7ff7a57092a2
0x7ff7a57092a7
0x7ff7a57092b5
0x7ff7a57092b7
0x7ff7a57092c3
0x7ff7a57092c8
0x7ff7a57092cd
0x7ff7a57092db
0x7ff7a57092dd
0x7ff7a57092e2
0x7ff7a57092e9
0x7ff7a57092ee
0x7ff7a57092f3
0x7ff7a57092f8
0x7ff7a57092fe
0x7ff7a5709303
0x7ff7a5709309
0x7ff7a570930e
0x7ff7a5709319
0x7ff7a5709333
0x7ff7a5709344
0x7ff7a5709346
0x7ff7a570934b
0x7ff7a5709353
0x7ff7a570935b
0x7ff7a5709363
0x7ff7a5709368
0x7ff7a570936d
0x7ff7a5709387
0x7ff7a570938c
0x7ff7a5709395
0x7ff7a570939d
0x7ff7a57093a8
0x7ff7a57093b4
0x7ff7a57093c7
0x7ff7a57093d1
0x7ff7a57093d8
0x7ff7a57093db
0x7ff7a57093e0
0x7ff7a57093f2
0x7ff7a5709414
0x7ff7a5709416
0x7ff7a5709422
0x7ff7a5709435
0x7ff7a5709437
0x7ff7a570944a
0x7ff7a570944f
0x7ff7a5709459
0x7ff7a5709461
0x7ff7a570946b
0x7ff7a570946e
0x7ff7a5709473
0x7ff7a570948b
0x7ff7a57094a1
0x7ff7a57094a3
0x7ff7a57094b0
0x7ff7a57094c3
0x7ff7a57094e3
0x7ff7a57094e5
0x7ff7a57094e7
0x7ff7a57094eb
0x7ff7a57094fa
0x7ff7a5709505
0x7ff7a5709509
0x7ff7a570950b
0x7ff7a5709519
0x7ff7a570951b
0x7ff7a5709527
0x7ff7a570952c
0x7ff7a5709531
0x7ff7a5709541
0x7ff7a5709543
0x7ff7a5709550
0x7ff7a5709555
0x7ff7a570955a
0x7ff7a570956a
0x7ff7a570956c
0x7ff7a5709579
0x7ff7a570957e
0x7ff7a5709583
0x7ff7a5709588
0x7ff7a570958e
0x7ff7a5709593
0x7ff7a5709599
0x7ff7a570959e
0x7ff7a57095a9
0x7ff7a57095c3
0x7ff7a57095c8
0x7ff7a57095d4
0x7ff7a57095e5
0x7ff7a57095e7
0x7ff7a57095ec
0x7ff7a57095f4
0x7ff7a57095fc
0x7ff7a570960c
0x7ff7a570961d
0x7ff7a570961f
0x7ff7a5709624
0x7ff7a570962c
0x7ff7a5709634
0x7ff7a5709641
0x7ff7a5709676

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709247
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709268
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709291
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57092B7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57092DD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709416
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709437
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57094A3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A57094C5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570951B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A5709543

Part of subcall function 00007FF7A56E45E0: malloc.LIBCMT ref: 00007FF7A56E45FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570956C

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: f4cbc4c68556a3b7f8acf23e6ad581c02c96a0da4a1036aa3f1361d0f83fc89d
Instruction ID: b5da1323bc87cd273ee4b8ac8324580a19e8bb44cd936bc2899ed8e59b41ec2e
Opcode Fuzzy Hash: f4cbc4c68556a3b7f8acf23e6ad581c02c96a0da4a1036aa3f1361d0f83fc89d
Instruction Fuzzy Hash: 7FD17522A0ABC5C5D664AB25E4402AEF3A1FB86F40F850131EBDC53BA9DF7CE455C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F8BD0 Relevance: 18.1, APIs: 12, Instructions: 111
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 28%

			E00007FF77FF7A56F8BD0(void* __ebx, void* __edx, void* __rax, long long __rbx, long long __rcx, void* __rdx, long long __rsi, long long __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				long long _v40;
				void* __r12;
				void* _t48;
				void* _t49;
				intOrPtr _t54;
				void* _t66;
				intOrPtr* _t70;
				intOrPtr _t79;
				long long _t83;
				intOrPtr* _t85;
				intOrPtr _t89;

				_t48 = __ebx;
				_v40 = 0xfffffffe;
				_a16 = __rbx;
				_a24 = __rbp;
				_a32 = __rsi;
				_t83 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x10)) == 0) goto 0xa56f8d4e;
				_a8 = __rcx;
				E00007FF77FF7A56F8830(__edx,  *((intOrPtr*)(__rcx + 0x10)), __rax, __rbx, __rcx, __rsi);
				_t54 =  *((intOrPtr*)(_t83 + 0x10));
				if (_t54 != 0) goto 0xa56f8c50;
				asm("lock xadd [edi], eax");
				asm("bt eax, 0x1e");
				if (_t54 < 0) goto 0xa56f8d4e;
				if (0x80000000 - 0x80000000 <= 0) goto 0xa56f8d4e;
				asm("lock bts dword [edi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0xa56f8d4e;
				E00007FF77FF7A56F87E0(_t83);
				SetEvent(??);
				goto 0xa56f8d4e;
				 *((intOrPtr*)(_t83 + 0x10)) =  *((intOrPtr*)(_t83 + 0x10)) -  *((intOrPtr*)(_t83 + 0x10));
				r8d = 0;
				ReleaseSemaphore(??, ??, ??);
				_t85 =  *((intOrPtr*)(_t83 + 0x30));
				if (_t85 -  *((intOrPtr*)(_t83 + 0x38)) <= 0) goto 0xa56f8c76;
				E00007FF77FF7A56E44B8();
				_t70 =  *((intOrPtr*)(_t83 + 0x18));
				_t89 =  *((intOrPtr*)(_t83 + 0x38));
				if ( *((intOrPtr*)(_t83 + 0x30)) - _t89 <= 0) goto 0xa56f8c89;
				E00007FF77FF7A56E44B8();
				if (_t70 == 0) goto 0xa56f8c9a;
				if (_t70 ==  *((intOrPtr*)(_t83 + 0x18))) goto 0xa56f8c9f;
				E00007FF77FF7A56E44B8();
				if (_t85 == _t89) goto 0xa56f8cfa;
				if (_t70 != 0) goto 0xa56f8cb3;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8cb6;
				if (_t85 -  *((intOrPtr*)( *_t70 + 0x20)) < 0) goto 0xa56f8cc1;
				E00007FF77FF7A56E44B8();
				 *((char*)( *_t85 + 0x14)) = 1;
				r8d = 0;
				ReleaseSemaphore(??, ??, ??);
				if (_t70 != 0) goto 0xa56f8ce6;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56f8ce9;
				if (_t85 -  *((intOrPtr*)( *_t70 + 0x20)) < 0) goto 0xa56f8cf4;
				E00007FF77FF7A56E44B8();
				goto 0xa56f8c90;
				E00007FF77FF7A56F8120(_t48, _t49,  *((intOrPtr*)( *_t85 + 0x10)), _t70, _t83 + 0x18, __r9,  *((intOrPtr*)(_t83 + 0x18)));
				_t79 =  *((intOrPtr*)(_t83 + 0x48));
				if (_t79 == 0) goto 0xa56f8d18;
				_t66 = _t79 - 0xffffffff;
				if (_t66 == 0) goto 0xa56f8d18;
				CloseHandle(??);
				 *((long long*)(_t83 + 0x48)) = 0;
				asm("lock xadd [edi], eax");
				asm("bt eax, 0x1e");
				if (_t66 < 0) goto 0xa56f8d4e;
				if (0x80000000 - 0x80000000 <= 0) goto 0xa56f8d4e;
				asm("lock bts dword [edi], 0x1e");
				if (0x80000000 - 0x80000000 < 0) goto 0xa56f8d4e;
				E00007FF77FF7A56F87E0(_t83);
				return SetEvent(??);
			}

0x7ff7a56f8bd0
0x7ff7a56f8bda
0x7ff7a56f8be3
0x7ff7a56f8be8
0x7ff7a56f8bed
0x7ff7a56f8bf2
0x7ff7a56f8bfa
0x7ff7a56f8c00
0x7ff7a56f8c05
0x7ff7a56f8c0b
0x7ff7a56f8c0f
0x7ff7a56f8c16
0x7ff7a56f8c1a
0x7ff7a56f8c1e
0x7ff7a56f8c29
0x7ff7a56f8c2f
0x7ff7a56f8c34
0x7ff7a56f8c3d
0x7ff7a56f8c45
0x7ff7a56f8c4b
0x7ff7a56f8c57
0x7ff7a56f8c5a
0x7ff7a56f8c61
0x7ff7a56f8c67
0x7ff7a56f8c6f
0x7ff7a56f8c71
0x7ff7a56f8c76
0x7ff7a56f8c7a
0x7ff7a56f8c82
0x7ff7a56f8c84
0x7ff7a56f8c93
0x7ff7a56f8c98
0x7ff7a56f8c9a
0x7ff7a56f8ca2
0x7ff7a56f8ca7
0x7ff7a56f8ca9
0x7ff7a56f8cae
0x7ff7a56f8cb1
0x7ff7a56f8cba
0x7ff7a56f8cbc
0x7ff7a56f8cc7
0x7ff7a56f8ccb
0x7ff7a56f8cd1
0x7ff7a56f8cda
0x7ff7a56f8cdc
0x7ff7a56f8ce1
0x7ff7a56f8ce4
0x7ff7a56f8ced
0x7ff7a56f8cef
0x7ff7a56f8cf8
0x7ff7a56f8cfe
0x7ff7a56f8d03
0x7ff7a56f8d0a
0x7ff7a56f8d0c
0x7ff7a56f8d10
0x7ff7a56f8d12
0x7ff7a56f8d18
0x7ff7a56f8d25
0x7ff7a56f8d29
0x7ff7a56f8d2d
0x7ff7a56f8d34
0x7ff7a56f8d36
0x7ff7a56f8d3b
0x7ff7a56f8d40
0x7ff7a56f8d66

APIs

Part of subcall function 00007FF7A56F8830: CloseHandle.KERNEL32 ref: 00007FF7A56F88AD
Part of subcall function 00007FF7A56F8830: WaitForSingleObjectEx.KERNEL32 ref: 00007FF7A56F88C9

SetEvent.KERNEL32 ref: 00007FF7A56F8C45
ReleaseSemaphore.KERNEL32 ref: 00007FF7A56F8C61
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8C71
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8C84
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8C9A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8CA9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8CBC
ReleaseSemaphore.KERNEL32 ref: 00007FF7A56F8CD1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8CDC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8CEF
CloseHandle.KERNEL32 ref: 00007FF7A56F8D12
SetEvent.KERNEL32 ref: 00007FF7A56F8D48

Part of subcall function 00007FF7A56F87E0: CloseHandle.KERNEL32 ref: 00007FF7A56F880E

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseHandle$EventReleaseSemaphore$ObjectSingleWait
String ID:
API String ID: 1624490810-0
Opcode ID: c0190eb963667e3a822ce395726a3cc2af1d6bc88ac9c223897c4959d47fd861
Instruction ID: f2e41df43b8c6ad48b7710d39c8f3d25ad6ae0043d63dd1c9802d8c0d3244398
Opcode Fuzzy Hash: c0190eb963667e3a822ce395726a3cc2af1d6bc88ac9c223897c4959d47fd861
Instruction Fuzzy Hash: 5B419122E0B602A6EA50BB25950423CA362FF52F64F9A2270DA6C576B5CF3CE4558370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EB960 Relevance: 18.1, APIs: 12, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00007FF77FF7A56EB960(void* __edi, void* __esi, long long __rbx, void* __rcx, void* __rsi, long long _a8, long long _a16) {
				void* _t15;
				void* _t17;
				long long _t33;
				void* _t36;
				long long _t54;
				void* _t59;
				intOrPtr* _t60;
				void* _t66;

				if (__rcx == 0) goto 0xa56eba94;
				_a16 = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x38)) == 0) goto 0xa56eb984;
				free(_t59);
				if ( *((intOrPtr*)(__rcx + 0x48)) == 0) goto 0xa56eb992;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x58)) == 0) goto 0xa56eb9a0;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x68)) == 0) goto 0xa56eb9ae;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x70)) == 0) goto 0xa56eb9bc;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x78)) == 0) goto 0xa56eb9ca;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0x80)) == 0) goto 0xa56eb9db;
				free(??);
				if ( *((intOrPtr*)(__rcx + 0xa0)) == 0xa5711be0) goto 0xa56eb9f3;
				free(??);
				E00007FF77FF7A56EFF60();
				_t54 =  *((intOrPtr*)(__rcx + 0xb8));
				_a8 = _t54;
				_t33 = _t54;
				if (_t33 == 0) goto 0xa56eba2c;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t33 != 0) goto 0xa56eba2c;
				if (_a8 == 0xa5720bb0) goto 0xa56eba2c;
				free(??);
				E00007FF77FF7A56EFE60();
				E00007FF77FF7A56EFF60();
				_t60 =  *((intOrPtr*)(__rcx + 0xc0));
				if (_t60 == 0) goto 0xa56eba78;
				E00007FF77FF7A56E809C(_t15, _t60, _t66);
				_t36 = _t60 -  *0xa5720b90; // 0x2be4b80
				if (_t36 == 0) goto 0xa56eba78;
				if (_t60 == 0xa5720a30) goto 0xa56eba78;
				if ( *_t60 != 0) goto 0xa56eba78;
				_t17 = E00007FF77FF7A56E7E88(__rcx, _t60, __rsi, _t66);
				E00007FF77FF7A56EFE60();
				free(??);
				return _t17;
			}

0x7ff7a56eb963
0x7ff7a56eb969
0x7ff7a56eb97d
0x7ff7a56eb97f
0x7ff7a56eb98b
0x7ff7a56eb98d
0x7ff7a56eb999
0x7ff7a56eb99b
0x7ff7a56eb9a7
0x7ff7a56eb9a9
0x7ff7a56eb9b5
0x7ff7a56eb9b7
0x7ff7a56eb9c3
0x7ff7a56eb9c5
0x7ff7a56eb9d4
0x7ff7a56eb9d6
0x7ff7a56eb9ec
0x7ff7a56eb9ee
0x7ff7a56eb9f8
0x7ff7a56eb9fe
0x7ff7a56eba05
0x7ff7a56eba0a
0x7ff7a56eba0d
0x7ff7a56eba0f
0x7ff7a56eba13
0x7ff7a56eba24
0x7ff7a56eba26
0x7ff7a56eba31
0x7ff7a56eba3b
0x7ff7a56eba41
0x7ff7a56eba4b
0x7ff7a56eba50
0x7ff7a56eba55
0x7ff7a56eba5c
0x7ff7a56eba68
0x7ff7a56eba6d
0x7ff7a56eba72
0x7ff7a56eba7d
0x7ff7a56eba85
0x7ff7a56eba94

APIs

free.LIBCMT ref: 00007FF7A56EB97F

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

free.LIBCMT ref: 00007FF7A56EB98D
free.LIBCMT ref: 00007FF7A56EB99B
free.LIBCMT ref: 00007FF7A56EB9A9
free.LIBCMT ref: 00007FF7A56EB9B7
free.LIBCMT ref: 00007FF7A56EB9C5
free.LIBCMT ref: 00007FF7A56EB9D6
free.LIBCMT ref: 00007FF7A56EB9EE
_lock.LIBCMT ref: 00007FF7A56EB9F8
free.LIBCMT ref: 00007FF7A56EBA26
_lock.LIBCMT ref: 00007FF7A56EBA3B
free.LIBCMT ref: 00007FF7A56EBA85

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$_lock$ErrorFreeHeapLast_errno
String ID:
API String ID: 1575098132-0
Opcode ID: e75674a27ccaf353bf9c4577a142a6384d94bbdb2786d43ce8d8575ba90e4d59
Instruction ID: 9d3f325b174aefe70ee3893ed0baa38253d8433821f51522158e6f533688f4ad
Opcode Fuzzy Hash: e75674a27ccaf353bf9c4577a142a6384d94bbdb2786d43ce8d8575ba90e4d59
Instruction Fuzzy Hash: 17311D21E0B542C9FE95BBA59061379A356EF87F80F862135ED0E076F6DE1EE4418331

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DAC50 Relevance: 16.9, APIs: 11, Instructions: 422
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 53%

			E00007FF77FF7A56DAC50(long long __rcx, void* __rdx, intOrPtr* __r8, intOrPtr* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t194;
				void* _t197;
				void* _t198;
				intOrPtr _t250;
				signed long long _t256;
				long long* _t263;
				intOrPtr _t265;
				intOrPtr _t267;
				intOrPtr _t278;
				intOrPtr* _t283;
				intOrPtr _t288;
				intOrPtr _t295;
				intOrPtr _t298;
				intOrPtr _t300;
				long long _t303;
				long long _t305;
				long long _t306;
				long long _t307;
				intOrPtr _t308;
				long long _t309;
				long long _t310;
				intOrPtr _t311;
				signed long long _t312;
				long long* _t314;
				intOrPtr* _t315;
				intOrPtr* _t327;
				intOrPtr* _t329;
				intOrPtr _t330;
				intOrPtr* _t336;
				long long* _t341;
				long long* _t369;
				long long* _t370;
				long long* _t372;
				signed long long _t374;
				long long* _t375;
				long long* _t377;
				signed long long _t378;
				signed long long _t380;
				signed long long _t382;
				intOrPtr* _t386;
				intOrPtr* _t387;
				intOrPtr _t389;
				long long _t391;
				long long _t392;
				intOrPtr _t393;
				long long _t395;
				long long _t396;
				signed long long _t397;
				intOrPtr _t413;
				intOrPtr* _t415;
				void* _t416;
				long long _t417;

				 *((long long*)(_t397 + 0x160)) = 0xfffffffe;
				asm("movaps [esp+0x1b0], xmm6");
				_t256 =  *0xa5720430; // 0x4918c7c3922
				 *(_t397 + 0x1a8) = _t256 ^ _t397;
				_t415 = __r8;
				_t416 = __rdx;
				_t396 = __rcx;
				_t314 = _t397 + 0xe0;
				 *_t314 =  *((intOrPtr*)(__r9));
				 *((long long*)(_t314 + 8)) =  *((intOrPtr*)(__r9 + 8));
				 *((long long*)(_t314 + 0x10)) =  *((intOrPtr*)(__r9 + 0x10));
				 *((long long*)(_t314 + 0x18)) =  *((intOrPtr*)(__r9 + 0x18));
				_t369 = _t397 + 0x100;
				_t315 =  *((intOrPtr*)(_t397 + 0x220));
				 *_t369 =  *_t315;
				_t263 =  *((intOrPtr*)(_t315 + 8));
				 *((long long*)(_t369 + 8)) = _t263;
				E00007FF77FF7A56E45E0(_t263, _t315);
				r14d = 0;
				if (_t263 == 0) goto 0xa56dacf4;
				 *_t263 = _t397 + 0xa0;
				goto 0xa56dacf7;
				 *((long long*)(_t397 + 0xa0)) = _t417;
				 *((long long*)(_t397 + 0xc0)) = _t417;
				 *((long long*)(_t397 + 0xc8)) = _t417;
				 *((long long*)(_t397 + 0xd0)) = _t417;
				 *((long long*)(_t397 + 0xd8)) = _t417;
				_t265 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t265 - 8 < 0) goto 0xa56dad32;
				goto 0xa56dad39;
				_t386 = _t396 + 8;
				_t303 = _t386;
				if (_t303 == 0) goto 0xa56dad6c;
				if (_t265 - 8 < 0) goto 0xa56dad49;
				goto 0xa56dad4c;
				if (_t386 - _t303 > 0) goto 0xa56dad6c;
				if (_t265 - 8 < 0) goto 0xa56dad5c;
				goto 0xa56dad5f;
				if (_t303 - _t386 +  *(_t396 + 0x18) * 2 <= 0) goto 0xa56dad71;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x80)) = _t396;
				 *((long long*)(_t397 + 0x88)) = _t303;
				_t267 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t267 - 8 < 0) goto 0xa56dad90;
				goto 0xa56dad93;
				_t305 = _t386;
				if (_t305 == 0) goto 0xa56dadc6;
				if (_t267 - 8 < 0) goto 0xa56dada3;
				goto 0xa56dada6;
				if (_t386 - _t305 > 0) goto 0xa56dadc6;
				if (_t267 - 8 < 0) goto 0xa56dadb6;
				goto 0xa56dadb9;
				if (_t305 - _t386 +  *(_t396 + 0x18) * 2 <= 0) goto 0xa56dadcb;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x90)) = _t396;
				 *((long long*)(_t397 + 0x98)) = _t305;
				_t389 =  *((intOrPtr*)(_t397 + 0xe0));
				asm("movaps xmm6, [esp+0x80]");
				if (_t389 == 0xfffffffc) goto 0xa56dae0a;
				if (_t389 == 0) goto 0xa56dae05;
				if (_t389 ==  *((intOrPtr*)(_t397 + 0xf0))) goto 0xa56dae0a;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t397 + 0xe8)) ==  *((intOrPtr*)(_t397 + 0xf8))) goto 0xa56db04c;
				_t370 = _t397 + 0x150;
				_t327 = _t397 + 0xe0;
				 *_t370 =  *_t327;
				 *((long long*)(_t370 + 8)) =  *((intOrPtr*)(_t327 + 8));
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0x170], xmm0");
				asm("movdqa [esp+0x140], xmm6");
				 *((long long*)(_t397 + 0x30)) = _t397 + 0x150;
				 *((long long*)(_t397 + 0x28)) = _t397 + 0x170;
				 *((long long*)(_t397 + 0x20)) = _t397 + 0x140;
				E00007FF77FF7A56DB470(_t397 + 0x130, _t397 + 0xa0);
				asm("movaps xmm6, [esp+0x130]");
				_t372 = _t397 + 0x90;
				_t329 = _t397 + 0xf0;
				 *_t372 =  *_t329;
				 *((long long*)(_t372 + 8)) =  *((intOrPtr*)(_t329 + 8));
				_t330 =  *((intOrPtr*)(_t397 + 0xd0));
				_t391 =  *((intOrPtr*)(_t397 + 0xd8)) + _t330;
				if (_t330 - _t391 <= 0) goto 0xa56daedf;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x80)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x88)) = _t391;
				asm("movaps xmm0, [esp+0x80]");
				asm("movdqa [esp+0x120], xmm0");
				 *((char*)(_t397 + 0x20)) =  *(_t397 + 0x40) & 0x000000ff;
				E00007FF77FF7A56DBE60(_t305, _t397 + 0xa0, _t397 + 0x120, _t391,  *((intOrPtr*)(_t397 + 0x100)),  *((intOrPtr*)(_t397 + 0x108)));
				_t278 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t278 - 8 < 0) goto 0xa56daf40;
				goto 0xa56daf43;
				_t374 =  *(_t396 + 0x18);
				_t392 = _t386 + _t374 * 2;
				if (_t392 == 0) goto 0xa56daf7a;
				if (_t278 - 8 < 0) goto 0xa56daf5b;
				goto 0xa56daf5e;
				if (_t386 - _t392 > 0) goto 0xa56daf7a;
				if (_t278 - 8 < 0) goto 0xa56daf6e;
				goto 0xa56daf71;
				if (_t392 - _t386 + _t374 * 2 <= 0) goto 0xa56daf7f;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t392;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x70], xmm0");
				_t375 = _t397 + 0x60;
				_t336 = _t397 + 0xf0;
				 *_t375 =  *_t336;
				_t283 =  *((intOrPtr*)(_t336 + 8));
				 *((long long*)(_t375 + 8)) = _t283;
				E00007FF77FF7A56DA9F0(_t305, _t416, _t397 + 0x180, _t392, _t397 + 0x60, _t397 + 0x70);
				_t377 = _t397 + 0xe0;
				 *_t377 =  *_t283;
				 *((long long*)(_t377 + 8)) =  *((intOrPtr*)(_t283 + 8));
				 *((long long*)(_t377 + 0x10)) =  *((intOrPtr*)(_t283 + 0x10));
				 *((long long*)(_t377 + 0x18)) =  *((intOrPtr*)(_t283 + 0x18));
				_t393 =  *((intOrPtr*)(_t397 + 0xe0));
				if (_t393 == 0xfffffffc) goto 0xa56db011;
				if (_t393 == 0) goto 0xa56db00c;
				if (_t393 ==  *((intOrPtr*)(_t397 + 0xf0))) goto 0xa56db011;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t397 + 0xe8)) ==  *((intOrPtr*)(_t397 + 0xf8))) goto 0xa56dadf0;
				_t341 = _t397 + 0x100;
				 *_t341 =  *_t415;
				 *((long long*)(_t341 + 8)) =  *((intOrPtr*)(_t415 + 8));
				goto 0xa56dadf0;
				_t288 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t288 - 8 < 0) goto 0xa56db05b;
				goto 0xa56db05e;
				_t378 =  *(_t396 + 0x18);
				_t306 = _t386 + _t378 * 2;
				if (_t306 == 0) goto 0xa56db095;
				if (_t288 - 8 < 0) goto 0xa56db076;
				goto 0xa56db079;
				if (_t386 - _t306 > 0) goto 0xa56db095;
				if (_t288 - 8 < 0) goto 0xa56db089;
				goto 0xa56db08c;
				if (_t306 - _t386 + _t378 * 2 <= 0) goto 0xa56db09a;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t306;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x90]");
				asm("movdqa [esp+0x70], xmm1");
				asm("movdqa [esp+0x120], xmm6");
				 *((long long*)(_t397 + 0x30)) = _t397 + 0x60;
				 *((long long*)(_t397 + 0x28)) = _t397 + 0x70;
				 *((long long*)(_t397 + 0x20)) = _t397 + 0x120;
				E00007FF77FF7A56DB470(_t397 + 0x130, _t397 + 0xa0);
				_t413 =  *((intOrPtr*)(_t397 + 0xd8));
				if (_t413 != 0) goto 0xa56db1a0;
				_t295 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t295 - 8 < 0) goto 0xa56db124;
				goto 0xa56db127;
				_t380 =  *(_t396 + 0x18);
				_t307 = _t386 + _t380 * 2;
				if (_t307 == 0) goto 0xa56db159;
				if (_t295 - 8 < 0) goto 0xa56db13f;
				goto 0xa56db142;
				if (_t386 - _t307 > 0) goto 0xa56db159;
				if (_t295 - 8 < 0) goto 0xa56db150;
				_t387 =  *_t386;
				if (_t307 - _t387 + _t380 * 2 <= 0) goto 0xa56db15e;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x50)) = _t396;
				 *((long long*)(_t397 + 0x58)) = _t307;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x130]");
				asm("movdqa [esp+0x70], xmm1");
				E00007FF77FF7A56D4940(_t307, _t396, _t397 + 0x120,  *((intOrPtr*)(_t397 + 0xe0)), _t396, _t397 + 0x70, _t397 + 0x60);
				goto 0xa56db2f3;
				_t308 =  *((intOrPtr*)(_t397 + 0xd0));
				_t395 = _t413 + _t308;
				if (_t308 - _t395 <= 0) goto 0xa56db1c6;
				E00007FF77FF7A56E44B8();
				_t309 =  *((intOrPtr*)(_t397 + 0xd0));
				 *((long long*)(_t397 + 0x50)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x58)) = _t395;
				if (_t309 -  *((intOrPtr*)(_t397 + 0xd8)) + _t309 <= 0) goto 0xa56db1ee;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x80)) =  *((intOrPtr*)(_t397 + 0xa0));
				 *((long long*)(_t397 + 0x88)) = _t309;
				_t298 =  *((intOrPtr*)(_t396 + 0x20));
				if (_t298 - 8 < 0) goto 0xa56db20d;
				goto 0xa56db210;
				_t382 =  *(_t396 + 0x18);
				_t310 = _t387 + _t382 * 2;
				if (_t310 == 0) goto 0xa56db242;
				if (_t298 - 8 < 0) goto 0xa56db228;
				goto 0xa56db22b;
				if (_t387 - _t310 > 0) goto 0xa56db242;
				if (_t298 - 8 < 0) goto 0xa56db239;
				if (_t310 -  *_t387 + _t382 * 2 <= 0) goto 0xa56db247;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t397 + 0x90)) = _t396;
				 *((long long*)(_t397 + 0x98)) = _t310;
				 *((long long*)(_t397 + 0x1a0)) = 7;
				 *((long long*)(_t397 + 0x198)) = _t417;
				 *((intOrPtr*)(_t397 + 0x188)) = r14w;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movaps xmm1, [esp+0x80]");
				asm("movdqa [esp+0x70], xmm1");
				r9d =  *(_t397 + 0x40) & 0x000000ff;
				E00007FF77FF7A56DC2A0( *(_t397 + 0x40) & 0x000000ff, _t197, _t198, _t310, _t397 + 0x180, _t397 + 0x70, _t395, _t396, _t397 + 0x60, _t397 + 0x60);
				asm("movaps xmm0, [esp+0x90]");
				asm("movdqa [esp+0x60], xmm0");
				asm("movdqa [esp+0x70], xmm0");
				_t412 = _t397 + 0x180;
				_t405 = _t397 + 0x60;
				_t384 = _t397 + 0x70;
				E00007FF77FF7A56D2B00(_t310, _t396, _t397 + 0x70,  *_t387, _t395, _t396, _t397 + 0x60, _t397 + 0x180);
				if ( *((long long*)(_t397 + 0x1a0)) - 8 < 0) goto 0xa56db2f3;
				E00007FF77FF7A56E44D8( *_t387 + _t382 * 2, _t310,  *((intOrPtr*)(_t397 + 0x188)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				_t300 =  *((intOrPtr*)(_t397 + 0xd8));
				if (_t300 == 0) goto 0xa56db31b;
				_t250 = _t300;
				if (_t250 == 0) goto 0xa56db31b;
				 *((long long*)(_t397 + 0xd8)) = _t300 - 1;
				if (_t250 != 0) goto 0xa56db300;
				 *((long long*)(_t397 + 0xd0)) = _t417;
				_t311 =  *((intOrPtr*)(_t397 + 0xc8));
				if (_t311 == 0) goto 0xa56db352;
				_t312 = _t311 - 1;
				if ( *((long long*)( *((intOrPtr*)(_t397 + 0xc0)) + _t312 * 8)) == 0) goto 0xa56db34b;
				E00007FF77FF7A56E44D8(_t300 - 1, _t312,  *((intOrPtr*)( *((intOrPtr*)(_t397 + 0xc0)) + _t312 * 8)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				if (_t312 != 0) goto 0xa56db330;
				goto 0xa56db35a;
				if ( *((intOrPtr*)(_t397 + 0xc0)) == 0) goto 0xa56db364;
				E00007FF77FF7A56E44D8(_t300 - 1, _t312,  *((intOrPtr*)(_t397 + 0xc0)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				 *((long long*)(_t397 + 0xc8)) = _t417;
				 *((long long*)(_t397 + 0xc0)) = _t417;
				E00007FF77FF7A56E44D8(_t300 - 1, _t312,  *((intOrPtr*)(_t397 + 0xa0)), _t397 + 0x70, _t395, _t397 + 0x60, _t397 + 0x180);
				_t194 = E00007FF77FF7A56E4050(8,  *(_t397 + 0x1a8) ^ _t397, _t384, _t405, _t412);
				asm("movaps xmm6, [esp+0x1b0]");
				return _t194;
			}

0x7ff7a56dac62
0x7ff7a56dac6e
0x7ff7a56dac76
0x7ff7a56dac80
0x7ff7a56dac88
0x7ff7a56dac8b
0x7ff7a56dac8e
0x7ff7a56dac91
0x7ff7a56dac9c
0x7ff7a56daca3
0x7ff7a56dacab
0x7ff7a56dacb3
0x7ff7a56dacb7
0x7ff7a56dacbf
0x7ff7a56dacca
0x7ff7a56daccd
0x7ff7a56dacd1
0x7ff7a56dacda
0x7ff7a56dacdf
0x7ff7a56dace5
0x7ff7a56dacef
0x7ff7a56dacf2
0x7ff7a56dacf7
0x7ff7a56dacff
0x7ff7a56dad07
0x7ff7a56dad0f
0x7ff7a56dad17
0x7ff7a56dad1f
0x7ff7a56dad27
0x7ff7a56dad30
0x7ff7a56dad32
0x7ff7a56dad36
0x7ff7a56dad3c
0x7ff7a56dad42
0x7ff7a56dad47
0x7ff7a56dad4f
0x7ff7a56dad55
0x7ff7a56dad5a
0x7ff7a56dad6a
0x7ff7a56dad6c
0x7ff7a56dad71
0x7ff7a56dad79
0x7ff7a56dad81
0x7ff7a56dad89
0x7ff7a56dad8e
0x7ff7a56dad90
0x7ff7a56dad96
0x7ff7a56dad9c
0x7ff7a56dada1
0x7ff7a56dada9
0x7ff7a56dadaf
0x7ff7a56dadb4
0x7ff7a56dadc4
0x7ff7a56dadc6
0x7ff7a56dadcb
0x7ff7a56dadd3
0x7ff7a56dade0
0x7ff7a56dade8
0x7ff7a56dadf4
0x7ff7a56dadf9
0x7ff7a56dae03
0x7ff7a56dae05
0x7ff7a56dae1a
0x7ff7a56dae20
0x7ff7a56dae28
0x7ff7a56dae33
0x7ff7a56dae3a
0x7ff7a56dae3e
0x7ff7a56dae46
0x7ff7a56dae4f
0x7ff7a56dae60
0x7ff7a56dae6d
0x7ff7a56dae7a
0x7ff7a56dae97
0x7ff7a56dae9c
0x7ff7a56daea4
0x7ff7a56daeac
0x7ff7a56daeb7
0x7ff7a56daebe
0x7ff7a56daec2
0x7ff7a56daed2
0x7ff7a56daed8
0x7ff7a56daeda
0x7ff7a56daee7
0x7ff7a56daeef
0x7ff7a56daef7
0x7ff7a56daeff
0x7ff7a56daf08
0x7ff7a56daf2c
0x7ff7a56daf31
0x7ff7a56daf39
0x7ff7a56daf3e
0x7ff7a56daf43
0x7ff7a56daf47
0x7ff7a56daf4e
0x7ff7a56daf54
0x7ff7a56daf59
0x7ff7a56daf61
0x7ff7a56daf67
0x7ff7a56daf6c
0x7ff7a56daf78
0x7ff7a56daf7a
0x7ff7a56daf7f
0x7ff7a56daf84
0x7ff7a56daf89
0x7ff7a56daf8e
0x7ff7a56daf94
0x7ff7a56daf99
0x7ff7a56dafa4
0x7ff7a56dafa7
0x7ff7a56dafab
0x7ff7a56dafc4
0x7ff7a56dafc9
0x7ff7a56dafd4
0x7ff7a56dafdb
0x7ff7a56dafe3
0x7ff7a56dafeb
0x7ff7a56dafef
0x7ff7a56daffb
0x7ff7a56db000
0x7ff7a56db00a
0x7ff7a56db00c
0x7ff7a56db021
0x7ff7a56db027
0x7ff7a56db033
0x7ff7a56db03b
0x7ff7a56db047
0x7ff7a56db04c
0x7ff7a56db054
0x7ff7a56db059
0x7ff7a56db05e
0x7ff7a56db062
0x7ff7a56db069
0x7ff7a56db06f
0x7ff7a56db074
0x7ff7a56db07c
0x7ff7a56db082
0x7ff7a56db087
0x7ff7a56db093
0x7ff7a56db095
0x7ff7a56db09a
0x7ff7a56db09f
0x7ff7a56db0a4
0x7ff7a56db0a9
0x7ff7a56db0af
0x7ff7a56db0b7
0x7ff7a56db0bd
0x7ff7a56db0cb
0x7ff7a56db0d5
0x7ff7a56db0e2
0x7ff7a56db0ff
0x7ff7a56db104
0x7ff7a56db10f
0x7ff7a56db115
0x7ff7a56db11d
0x7ff7a56db122
0x7ff7a56db127
0x7ff7a56db12b
0x7ff7a56db132
0x7ff7a56db138
0x7ff7a56db13d
0x7ff7a56db145
0x7ff7a56db14b
0x7ff7a56db14d
0x7ff7a56db157
0x7ff7a56db159
0x7ff7a56db15e
0x7ff7a56db163
0x7ff7a56db168
0x7ff7a56db16d
0x7ff7a56db173
0x7ff7a56db17b
0x7ff7a56db196
0x7ff7a56db19b
0x7ff7a56db1a0
0x7ff7a56db1a8
0x7ff7a56db1af
0x7ff7a56db1b1
0x7ff7a56db1be
0x7ff7a56db1ce
0x7ff7a56db1d3
0x7ff7a56db1df
0x7ff7a56db1e1
0x7ff7a56db1ee
0x7ff7a56db1f6
0x7ff7a56db1fe
0x7ff7a56db206
0x7ff7a56db20b
0x7ff7a56db210
0x7ff7a56db214
0x7ff7a56db21b
0x7ff7a56db221
0x7ff7a56db226
0x7ff7a56db22e
0x7ff7a56db234
0x7ff7a56db240
0x7ff7a56db242
0x7ff7a56db247
0x7ff7a56db24f
0x7ff7a56db257
0x7ff7a56db263
0x7ff7a56db26b
0x7ff7a56db274
0x7ff7a56db279
0x7ff7a56db27f
0x7ff7a56db287
0x7ff7a56db28d
0x7ff7a56db2a5
0x7ff7a56db2ab
0x7ff7a56db2b3
0x7ff7a56db2b9
0x7ff7a56db2bf
0x7ff7a56db2c7
0x7ff7a56db2cc
0x7ff7a56db2d4
0x7ff7a56db2e3
0x7ff7a56db2ed
0x7ff7a56db2f3
0x7ff7a56db2fe
0x7ff7a56db300
0x7ff7a56db303
0x7ff7a56db309
0x7ff7a56db311
0x7ff7a56db313
0x7ff7a56db31b
0x7ff7a56db326
0x7ff7a56db330
0x7ff7a56db338
0x7ff7a56db33e
0x7ff7a56db34e
0x7ff7a56db350
0x7ff7a56db35d
0x7ff7a56db35f
0x7ff7a56db364
0x7ff7a56db36c
0x7ff7a56db37c
0x7ff7a56db38c
0x7ff7a56db391
0x7ff7a56db3aa

APIs

Part of subcall function 00007FF7A56E45E0: malloc.LIBCMT ref: 00007FF7A56E45FA

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAD6C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DADC6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAE05
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAEDA

Part of subcall function 00007FF7A56DBE60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBE9F
Part of subcall function 00007FF7A56DBE60: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBEB1

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAF7A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB00C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB095

Part of subcall function 00007FF7A56DB470: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB4F2

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB159
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB1B1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB1E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DB242

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$malloc
String ID:
API String ID: 2964583507-0
Opcode ID: 3fab2268b774a43a72f155c8a4013d7ec2b68cad78901ac3ed3aa2c380edfcb8
Instruction ID: 323b379acdd0ff881524851c57f065789f050290bffbd5693013faa4701129de
Opcode Fuzzy Hash: 3fab2268b774a43a72f155c8a4013d7ec2b68cad78901ac3ed3aa2c380edfcb8
Instruction Fuzzy Hash: 21222C33A0AFC580EA209B15E4402ADE361FB8AF94F855635DA8D07B78DF7CD465CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570A0F0 Relevance: 16.6, APIs: 11, Instructions: 88COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 00007FF7A570A106
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A135
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A15B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A16C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A17F
CloseHandle.KERNEL32 ref: 00007FF7A570A188
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A193
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A1A6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A1B8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A1C3

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$CloseCriticalEnterHandleSection
String ID:
API String ID: 2649207071-0
Opcode ID: c33f4b02dd8f6b7dcacff032d374c0c5cdb63b6fa274afd2291ba177bfd6c425
Instruction ID: ffdd57a1b69036575382dfe33a6eece4cee6e15969aca18ff48ae81dacc7144f
Opcode Fuzzy Hash: c33f4b02dd8f6b7dcacff032d374c0c5cdb63b6fa274afd2291ba177bfd6c425
Instruction Fuzzy Hash: A741ED21E6AA52D5FB61BB21D80027CA7B1EB4EF60FC75231D95D273F59E2DE8418320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570A270 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 155
timethreadCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 43%

			E00007FF77FF7A570A270(void* __ebx, void* __ecx, long long __rbx, signed int __rdx, long long __rbp, void* __r8, signed long long __r9, intOrPtr _a40, intOrPtr _a48, intOrPtr _a56) {
				void* _v24;
				signed int _v40;
				void* _v104;
				long long _v112;
				intOrPtr _v136;
				char _v144;
				long long _v152;
				long long _v160;
				signed int _v168;
				signed short _v170;
				signed short _v172;
				signed int _v174;
				signed short _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				signed int _v200;
				signed int _v208;
				signed int _v216;
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed long long _t106;
				signed long long _t107;
				signed long long _t110;
				void* _t157;
				void* _t161;
				signed long long _t173;
				void* _t175;

				_t173 = __r9;
				_t175 = _t161;
				_v152 = 0xfffffffe;
				 *((long long*)(_t175 + 8)) = __rbx;
				 *((long long*)(_t175 + 0x20)) = __rbp;
				_t106 =  *0xa5720430; // 0x4918c7c3922
				_t107 = _t106 ^ _t161 - 0x000000e0;
				_v40 = _t107;
				_t110 = __rdx;
				_v160 = __rdx;
				_t159 = _a40;
				_v168 = 0;
				 *((long long*)(__rdx + 0x20)) = 7;
				 *(__rdx + 0x18) = _t107;
				 *((short*)(__rdx + 8)) = 0;
				_v168 = 1;
				_t13 = _t107 + 0x40; // 0x40
				r8d = _t13;
				E00007FF77FF7A56EB240(0, __ecx, 0, _t175 - 0x68, __rdx, __r8);
				if ((sil & 0x00000001) == 0) goto 0xa570a336;
				r9d = r8d;
				E00007FF77FF7A56E488C(L"[%d]", _t173);
				asm("repne scasw");
				E00007FF77FF7A56D47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000002) == 0) goto 0xa570a3bb;
				_v184 = 0;
				_v180 = 0;
				_v176 = 0;
				_v172 = 0;
				GetSystemTime(??);
				r9d = _v176 & 0x0000ffff;
				_v200 = _v170 & 0x0000ffff;
				_v208 = _v172 & 0x0000ffff;
				_v216 = _v174 & 0x0000ffff;
				E00007FF77FF7A56E488C(L"[%02d:%02d:%02d.%03d]", _t173);
				asm("repne scasw");
				E00007FF77FF7A56D47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000004) == 0) goto 0xa570a40b;
				r9d = GetCurrentThreadId();
				E00007FF77FF7A56E488C(L"[%06d] ", _t173);
				asm("repne scasw");
				E00007FF77FF7A56D47C0(__rdx, __rdx,  &_v104,  &_v104, _t157, _a40,  !( &_v104 | 0xffffffff) - 1);
				if ((sil & 0x00000008) == 0) goto 0xa570a42f;
				asm("repne scasw");
				_t171 =  !(__rdx | 0xffffffff) - 1;
				E00007FF77FF7A56D47C0(__rdx, __rdx, _t159, _t159, _t157, _t159,  !(__rdx | 0xffffffff) - 1);
				if ((sil & 0x00000020) == 0) goto 0xa570a499;
				r8d = 1;
				E00007FF77FF7A56D47C0(__rdx, __rdx, "(", _t159, _t157, _t159,  !(__rdx | 0xffffffff) - 1);
				E00007FF77FF7A570ACF0(__ebx, _a56, sil & 0x00000020, __rdx,  &_v144, _t159, _t173, _a48);
				r8d = r8d ^ r8d;
				E00007FF77FF7A56D5250(_t110, _t110, _t107, _t159, _t157, _t159, _t171, _t173 | 0xffffffff);
				if (_v112 - 8 < 0) goto 0xa570a484;
				E00007FF77FF7A56E44D8(_t107, _t110, _v136, _t107, _t157, _t171, _t173 | 0xffffffff);
				r8d = 1;
				E00007FF77FF7A56D47C0(_t110, _t110, ")", _t159, _t157, _t159, _t171);
				if ((sil & 0x00000010) == 0) goto 0xa570a4d2;
				r8d = 3;
				E00007FF77FF7A56D47C0(_t110, _t110, L" : ", _t159, _t157, _t159, _t171);
				asm("repne scasw");
				E00007FF77FF7A56D47C0(_t110, _t110, _a48, _a48, _t157, _t159,  !(_t110 | 0xffffffff) - 1);
				r8d = 1;
				E00007FF77FF7A56D47C0(_t110, _t110, " ", _a48, _t157, _t159,  !(_t110 | 0xffffffff) - 1);
				return E00007FF77FF7A56E4050(_v174 & 0x0000ffff, _v40 ^ _t161 - 0x000000e0, " ",  !(_t110 | 0xffffffff) - 1, _t173 | 0xffffffff);
			}

0x7ff7a570a270
0x7ff7a570a270
0x7ff7a570a27e
0x7ff7a570a287
0x7ff7a570a28b
0x7ff7a570a28f
0x7ff7a570a296
0x7ff7a570a299
0x7ff7a570a2a7
0x7ff7a570a2aa
0x7ff7a570a2af
0x7ff7a570a2c1
0x7ff7a570a2c5
0x7ff7a570a2cd
0x7ff7a570a2d1
0x7ff7a570a2d5
0x7ff7a570a2df
0x7ff7a570a2df
0x7ff7a570a2e7
0x7ff7a570a2f0
0x7ff7a570a2f2
0x7ff7a570a309
0x7ff7a570a31c
0x7ff7a570a331
0x7ff7a570a33a
0x7ff7a570a33e
0x7ff7a570a342
0x7ff7a570a346
0x7ff7a570a34a
0x7ff7a570a353
0x7ff7a570a368
0x7ff7a570a36e
0x7ff7a570a372
0x7ff7a570a376
0x7ff7a570a38e
0x7ff7a570a3a1
0x7ff7a570a3b6
0x7ff7a570a3bf
0x7ff7a570a3c7
0x7ff7a570a3de
0x7ff7a570a3f1
0x7ff7a570a406
0x7ff7a570a40f
0x7ff7a570a41a
0x7ff7a570a420
0x7ff7a570a42a
0x7ff7a570a433
0x7ff7a570a435
0x7ff7a570a445
0x7ff7a570a456
0x7ff7a570a460
0x7ff7a570a469
0x7ff7a570a478
0x7ff7a570a47f
0x7ff7a570a484
0x7ff7a570a494
0x7ff7a570a49d
0x7ff7a570a49f
0x7ff7a570a4af
0x7ff7a570a4bd
0x7ff7a570a4cd
0x7ff7a570a4d2
0x7ff7a570a4e2
0x7ff7a570a511

APIs

swprintf.LIBCMT ref: 00007FF7A570A309
GetSystemTime.KERNEL32 ref: 00007FF7A570A353
swprintf.LIBCMT ref: 00007FF7A570A38E
GetCurrentThreadId.KERNEL32 ref: 00007FF7A570A3C1
swprintf.LIBCMT ref: 00007FF7A570A3DE

Strings

[%02d:%02d:%02d.%03d], xrefs: 00007FF7A570A37A
[%06d] , xrefs: 00007FF7A570A3CA
[%d], xrefs: 00007FF7A570A2F5
: , xrefs: 00007FF7A570A4A5

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf$CurrentSystemThreadTime
String ID: : $[%02d:%02d:%02d.%03d]$[%06d] $[%d]
API String ID: 4294719311-3835557347
Opcode ID: edd22a6c2a58dc5b7b6573fc0000327affbe386b199eabaa2583348143a99127
Instruction ID: 03872b7a7a55caf821743c138fd49037f598adabbad5553abad217b1ce8ac664
Opcode Fuzzy Hash: edd22a6c2a58dc5b7b6573fc0000327affbe386b199eabaa2583348143a99127
Instruction Fuzzy Hash: AE61A33261A68185E760AB25E4003E9A3A1FB8AFB0F911332EE6D43AE5DF7CD440C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DEF30 Relevance: 15.4, APIs: 10, Instructions: 392
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF77FF7A56DEF30(char __ebx, void* __ecx, long long __rbx, void* __rcx, long long __rbp, void* __r9) {
				void* _v40;
				signed int _v48;
				long long _v56;
				long long _v64;
				char _v80;
				char _v88;
				long long _v96;
				char _v104;
				char _v112;
				char _v119;
				signed char _v120;
				long long _v128;
				long long _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				void* __rsi;
				signed char _t142;
				void* _t146;
				void* _t152;
				void* _t258;
				signed long long _t259;
				intOrPtr* _t261;
				intOrPtr* _t262;
				long long _t324;
				char* _t326;
				void* _t329;
				char* _t331;
				char* _t333;
				void* _t334;
				void* _t335;
				intOrPtr* _t340;
				intOrPtr _t356;
				char _t360;
				long long _t378;
				char _t385;
				char _t387;
				char _t389;
				void* _t397;
				char* _t399;
				char* _t401;
				void* _t402;
				void* _t406;
				void* _t409;
				char _t411;
				char _t413;
				long long _t426;
				long long _t432;
				signed long long _t434;
				long long _t437;

				_t323 = __rbx;
				_t258 = _t406;
				_v96 = 0xfffffffe;
				 *((long long*)(_t258 + 0x10)) = __rbx;
				 *((long long*)(_t258 + 0x18)) = __rbp;
				_t259 =  *0xa5720430; // 0x4918c7c3922
				_v48 = _t259 ^ _t406 - 0x00000090;
				_t402 = __rcx;
				_t261 =  *((intOrPtr*)(__rcx + 0x40));
				if ( *_t261 == 0) goto 0xa56def9c;
				_t262 =  *((intOrPtr*)(__rcx + 0x58));
				if ( *_t261 -  *_t262 +  *_t261 >= 0) goto 0xa56def9c;
				 *_t262 =  *_t262 - 1;
				_t340 =  *((intOrPtr*)(__rcx + 0x40));
				_t369 =  *_t340;
				 *_t340 =  *_t340 + 1;
				goto 0xa56df542;
				_t341 =  *((intOrPtr*)(__rcx + 0x88));
				if ( *((intOrPtr*)(__rcx + 0x88)) != 0) goto 0xa56defb0;
				goto 0xa56df542;
				if ( *((long long*)(__rcx + 0x70)) != 0) goto 0xa56defd3;
				_t142 = E00007FF77FF7A56E6DD4( *_t340 + 1, __rbx,  *((intOrPtr*)(__rcx + 0x88)), _t369, _t409);
				if (_t142 == 0xffffffff) goto 0xa56defc7;
				r12d = _t142 & 0x000000ff;
				goto 0xa56defcb;
				goto 0xa56df542;
				_v56 = 0xf;
				r14d = 0;
				_v64 = _t437;
				_v80 = r14b;
				if (E00007FF77FF7A56E6DD4( *_t340 + 1, _t323, _t341, _t369, _t409) == r12d) goto 0xa56df52a;
				if ((_t434 | 0xffffffffffffffff) - _v64 - 1 > 0) goto 0xa56df01b;
				E00007FF77FF7A56E33CC( *_t340 + 1, _t323, _t397, __rbp, _t409, __r9);
				_t324 = _v64 + 1;
				if (_t324 - 0xfffffffe <= 0) goto 0xa56df02f;
				_t146 = E00007FF77FF7A56E33CC( *_t340 + 1, _t324, _t397, __rbp, _t409, __r9);
				if (_v56 - _t324 >= 0) goto 0xa56df05b;
				E00007FF77FF7A56D2250(_t146,  &_v88, _t324, _v64);
				goto 0xa56df085;
				if (_t324 != 0) goto 0xa56df085;
				_v64 = _t437;
				_t265 =  >=  ? _v80 :  &_v80;
				 *((char*)( >=  ? _v80 :  &_v80)) = __ebx;
				goto 0xa56df0c7;
				if (_t324 == 0) goto 0xa56df0c7;
				_t267 =  >=  ? _v80 :  &_v80;
				 *((intOrPtr*)(( >=  ? _v80 :  &_v80) + _v64)) = dil;
				_v64 = _t324;
				_t269 =  >=  ? _v80 :  &_v80;
				 *((char*)(( >=  ? _v80 :  &_v80) + _t324)) = 0;
				_t411 = _v80;
				if (_v56 - 0x10 < 0) goto 0xa56df0dc;
				if (_t411 == 0) goto 0xa56df108;
				goto 0xa56df0e1;
				_t399 =  &_v80;
				_t271 =  >=  ? _t411 :  &_v80;
				_t198 = ( >=  ? _t411 :  &_v80) - _t399;
				if (( >=  ? _t411 :  &_v80) - _t399 > 0) goto 0xa56df108;
				_t273 =  >=  ? _t411 :  &_v80;
				_t274 = ( >=  ? _t411 :  &_v80) + _v64;
				_t200 = _t399 - ( >=  ? _t411 :  &_v80) + _v64;
				if (_t399 - ( >=  ? _t411 :  &_v80) + _v64 <= 0) goto 0xa56df11f;
				E00007FF77FF7A56E44B8();
				if ( &_v88 == 0xfffffffc) goto 0xa56df156;
				_t277 =  >=  ? _v80 :  &_v80;
				_t278 = ( >=  ? _v80 :  &_v80) + _v64;
				_t203 = _t399 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t399 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0xa56df156;
				E00007FF77FF7A56E44B8();
				_t378 = _v64;
				_t413 = _v80;
				if (_v56 - 0x10 < 0) goto 0xa56df169;
				if (_t413 == 0) goto 0xa56df195;
				goto 0xa56df16e;
				_t326 =  &_v80;
				_t280 =  >=  ? _t413 :  &_v80;
				_t207 = ( >=  ? _t413 :  &_v80) - _t326;
				if (( >=  ? _t413 :  &_v80) - _t326 > 0) goto 0xa56df195;
				_t282 =  >=  ? _t413 :  &_v80;
				_t283 = ( >=  ? _t413 :  &_v80) + _t378;
				_t209 = _t326 - ( >=  ? _t413 :  &_v80) + _t378;
				if (_t326 - ( >=  ? _t413 :  &_v80) + _t378 <= 0) goto 0xa56df1ac;
				E00007FF77FF7A56E44B8();
				if ( &_v88 == 0xfffffffc) goto 0xa56df1d1;
				_t286 =  >=  ? _v80 :  &_v80;
				_t287 = ( >=  ? _v80 :  &_v80) + _v64;
				_t212 = _t326 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t326 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0xa56df1d1;
				E00007FF77FF7A56E44B8();
				_v128 =  &_v104;
				_v136 =  &_v119;
				_v144 =  &_v120;
				_v152 =  &_v112;
				_t152 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t402 + 0x70)))) + 0x20))();
				if (_t152 < 0) goto 0xa56df510;
				if (_t152 - 1 <= 0) goto 0xa56df238;
				if (_t152 != 3) goto 0xa56df510;
				if (_v64 - 1 >= 0) goto 0xa56df363;
				goto 0xa56df347;
				if (_v104 !=  &_v120) goto 0xa56df41f;
				_t385 = _v80;
				if (_v56 - 0x10 < 0) goto 0xa56df265;
				if (_t385 == 0) goto 0xa56df296;
				goto 0xa56df26a;
				_t401 =  &_v80;
				_t291 =  >=  ? _t385 :  &_v80;
				_t221 = ( >=  ? _t385 :  &_v80) - _t401;
				if (( >=  ? _t385 :  &_v80) - _t401 > 0) goto 0xa56df296;
				_t293 =  >=  ? _t385 :  &_v80;
				_t294 = ( >=  ? _t385 :  &_v80) + _v64;
				_t223 = _t401 - ( >=  ? _t385 :  &_v80) + _v64;
				if (_t401 - ( >=  ? _t385 :  &_v80) + _v64 <= 0) goto 0xa56df2ad;
				E00007FF77FF7A56E44B8();
				if ( &_v88 == 0xfffffffc) goto 0xa56df2e4;
				_t297 =  >=  ? _v80 :  &_v80;
				_t298 = ( >=  ? _v80 :  &_v80) + _v64;
				_t226 = _t401 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t401 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0xa56df2e4;
				E00007FF77FF7A56E44B8();
				_t426 = _v64;
				_t387 = _v80;
				_t329 =  <  ? _t426 : _v112 - _t401;
				if (_t329 == 0) goto 0xa56df347;
				_t300 =  >=  ? _t387 :  &_v80;
				_t355 =  >=  ? _t387 :  &_v80;
				_t427 = _t426 - _t329;
				_t416 = _t329 + ( >=  ? _t387 :  &_v80);
				E00007FF77FF7A56E4070( >=  ? _t387 :  &_v80, _v56, _t329 + ( >=  ? _t387 :  &_v80), _t426 - _t329);
				_t432 = _v64 - _t329;
				_v64 = _t432;
				_t302 =  >=  ? _v80 :  &_v80;
				 *((char*)(_t432 + ( >=  ? _v80 :  &_v80))) = 0;
				_t356 =  *((intOrPtr*)(_t402 + 0x88));
				if (E00007FF77FF7A56E6DD4( >=  ? _v80 :  &_v80, _t329, _t356, _v56, _t329 + ( >=  ? _t387 :  &_v80)) == 0xffffffff) goto 0xa56df52a;
				goto 0xa56df000;
				_t389 = _v80;
				if (_v56 - 0x10 < 0) goto 0xa56df380;
				if (_t389 == 0) goto 0xa56df3ac;
				goto 0xa56df385;
				_t331 =  &_v80;
				_t304 =  >=  ? _t389 :  &_v80;
				_t236 = ( >=  ? _t389 :  &_v80) - _t331;
				if (( >=  ? _t389 :  &_v80) - _t331 > 0) goto 0xa56df3ac;
				_t306 =  >=  ? _t389 :  &_v80;
				_t307 = ( >=  ? _t389 :  &_v80) + _t356;
				_t238 = _t331 - ( >=  ? _t389 :  &_v80) + _t356;
				if (_t331 - ( >=  ? _t389 :  &_v80) + _t356 <= 0) goto 0xa56df3c3;
				E00007FF77FF7A56E44B8();
				if ( &_v88 == 0xfffffffc) goto 0xa56df3e8;
				_t310 =  >=  ? _v80 :  &_v80;
				_t311 = ( >=  ? _v80 :  &_v80) + _v64;
				_t241 = _t331 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t331 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0xa56df3e8;
				E00007FF77FF7A56E44B8();
				r9d = 1;
				E00007FF77FF7A56E44E0(( >=  ? _v80 :  &_v80) + _v64, _t331,  &_v120, _t426 - _t329, _t402, _t331, _t426 - _t329);
				if (_v56 - 0x10 < 0) goto 0xa56df418;
				E00007FF77FF7A56E44D8(( >=  ? _v80 :  &_v80) + _v64, _t331, _v80, _t426 - _t329, _t402, _t331, _t427);
				goto 0xa56df542;
				_t360 = _v80;
				if (_v56 - 0x10 < 0) goto 0xa56df43c;
				if (_t360 == 0) goto 0xa56df46d;
				goto 0xa56df441;
				_t333 =  &_v80;
				_t313 =  >=  ? _t360 :  &_v80;
				_t246 = ( >=  ? _t360 :  &_v80) - _t333;
				if (( >=  ? _t360 :  &_v80) - _t333 > 0) goto 0xa56df46d;
				_t315 =  >=  ? _t360 :  &_v80;
				_t316 = ( >=  ? _t360 :  &_v80) + _v64;
				_t248 = _t333 - ( >=  ? _t360 :  &_v80) + _v64;
				if (_t333 - ( >=  ? _t360 :  &_v80) + _v64 <= 0) goto 0xa56df484;
				E00007FF77FF7A56E44B8();
				if ( &_v88 == 0xfffffffc) goto 0xa56df4b6;
				_t319 =  >=  ? _v80 :  &_v80;
				_t320 = ( >=  ? _v80 :  &_v80) + _v64;
				_t251 = _t333 - ( >=  ? _v80 :  &_v80) + _v64;
				if (_t333 - ( >=  ? _v80 :  &_v80) + _v64 < 0) goto 0xa56df4b6;
				_t334 = (_v120 & 0x000000ff) - E00007FF77FF7A56E44B8() + _v64;
				if (_t334 <= 0) goto 0xa56df4fc;
				_t335 = _t334 - 1;
				E00007FF77FF7A56E6B00( *((char*)(_t335 + _v112)), _v112, _t335, _v80,  *((intOrPtr*)(_t402 + 0x88)), _t402, _t378);
				if (_t335 <= 0) goto 0xa56df4ef;
				goto 0xa56df4d0;
				if (_v56 - 0x10 < 0) goto 0xa56df50c;
				E00007FF77FF7A56E44D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				goto 0xa56df542;
				if (_v56 - 0x10 < 0) goto 0xa56df525;
				E00007FF77FF7A56E44D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				goto 0xa56df542;
				if (_v56 - 0x10 < 0) goto 0xa56df53f;
				E00007FF77FF7A56E44D8(_v112, _t335, _v80, _v56, _t402, _v64, _t427);
				return E00007FF77FF7A56E4050( *((char*)(_t335 + _v112)), _v48 ^ _t406 - 0x00000090, _v56, _v64, _t427);
			}

0x7ff7a56def30
0x7ff7a56def30
0x7ff7a56def42
0x7ff7a56def4b
0x7ff7a56def4f
0x7ff7a56def53
0x7ff7a56def5d
0x7ff7a56def65
0x7ff7a56def68
0x7ff7a56def70
0x7ff7a56def75
0x7ff7a56def82
0x7ff7a56def84
0x7ff7a56def86
0x7ff7a56def8a
0x7ff7a56def91
0x7ff7a56def97
0x7ff7a56def9c
0x7ff7a56defa6
0x7ff7a56defab
0x7ff7a56defb5
0x7ff7a56defb7
0x7ff7a56defbf
0x7ff7a56defc1
0x7ff7a56defc5
0x7ff7a56defce
0x7ff7a56defd3
0x7ff7a56defdf
0x7ff7a56defe2
0x7ff7a56defe7
0x7ff7a56deffa
0x7ff7a56df00f
0x7ff7a56df011
0x7ff7a56df01b
0x7ff7a56df023
0x7ff7a56df025
0x7ff7a56df03a
0x7ff7a56df047
0x7ff7a56df059
0x7ff7a56df05e
0x7ff7a56df060
0x7ff7a56df06e
0x7ff7a56df074
0x7ff7a56df083
0x7ff7a56df088
0x7ff7a56df093
0x7ff7a56df099
0x7ff7a56df09d
0x7ff7a56df0b0
0x7ff7a56df0b6
0x7ff7a56df0c7
0x7ff7a56df0d0
0x7ff7a56df0d8
0x7ff7a56df0da
0x7ff7a56df0dc
0x7ff7a56df0ea
0x7ff7a56df0ee
0x7ff7a56df0f1
0x7ff7a56df0fc
0x7ff7a56df100
0x7ff7a56df103
0x7ff7a56df106
0x7ff7a56df108
0x7ff7a56df128
0x7ff7a56df133
0x7ff7a56df137
0x7ff7a56df13a
0x7ff7a56df13d
0x7ff7a56df13f
0x7ff7a56df14c
0x7ff7a56df151
0x7ff7a56df15d
0x7ff7a56df165
0x7ff7a56df167
0x7ff7a56df169
0x7ff7a56df177
0x7ff7a56df17b
0x7ff7a56df17e
0x7ff7a56df189
0x7ff7a56df18d
0x7ff7a56df190
0x7ff7a56df193
0x7ff7a56df195
0x7ff7a56df1b5
0x7ff7a56df1c0
0x7ff7a56df1c4
0x7ff7a56df1c7
0x7ff7a56df1ca
0x7ff7a56df1cc
0x7ff7a56df1e1
0x7ff7a56df1eb
0x7ff7a56df1f5
0x7ff7a56df1ff
0x7ff7a56df20b
0x7ff7a56df210
0x7ff7a56df219
0x7ff7a56df21e
0x7ff7a56df22d
0x7ff7a56df233
0x7ff7a56df242
0x7ff7a56df248
0x7ff7a56df259
0x7ff7a56df261
0x7ff7a56df263
0x7ff7a56df265
0x7ff7a56df273
0x7ff7a56df277
0x7ff7a56df27a
0x7ff7a56df285
0x7ff7a56df28e
0x7ff7a56df291
0x7ff7a56df294
0x7ff7a56df296
0x7ff7a56df2b6
0x7ff7a56df2c1
0x7ff7a56df2c5
0x7ff7a56df2c8
0x7ff7a56df2cb
0x7ff7a56df2cd
0x7ff7a56df2da
0x7ff7a56df2df
0x7ff7a56df2ef
0x7ff7a56df2f6
0x7ff7a56df301
0x7ff7a56df30e
0x7ff7a56df312
0x7ff7a56df315
0x7ff7a56df31c
0x7ff7a56df326
0x7ff7a56df329
0x7ff7a56df33c
0x7ff7a56df342
0x7ff7a56df347
0x7ff7a56df358
0x7ff7a56df35e
0x7ff7a56df363
0x7ff7a56df374
0x7ff7a56df37c
0x7ff7a56df37e
0x7ff7a56df380
0x7ff7a56df38e
0x7ff7a56df392
0x7ff7a56df395
0x7ff7a56df3a0
0x7ff7a56df3a4
0x7ff7a56df3a7
0x7ff7a56df3aa
0x7ff7a56df3ac
0x7ff7a56df3cc
0x7ff7a56df3d7
0x7ff7a56df3db
0x7ff7a56df3de
0x7ff7a56df3e1
0x7ff7a56df3e3
0x7ff7a56df3e8
0x7ff7a56df3f9
0x7ff7a56df40c
0x7ff7a56df413
0x7ff7a56df41a
0x7ff7a56df41f
0x7ff7a56df430
0x7ff7a56df438
0x7ff7a56df43a
0x7ff7a56df43c
0x7ff7a56df44a
0x7ff7a56df44e
0x7ff7a56df451
0x7ff7a56df45c
0x7ff7a56df465
0x7ff7a56df468
0x7ff7a56df46b
0x7ff7a56df46d
0x7ff7a56df48d
0x7ff7a56df498
0x7ff7a56df49c
0x7ff7a56df49f
0x7ff7a56df4a2
0x7ff7a56df4c1
0x7ff7a56df4c7
0x7ff7a56df4d0
0x7ff7a56df4de
0x7ff7a56df4e6
0x7ff7a56df4ed
0x7ff7a56df505
0x7ff7a56df507
0x7ff7a56df50e
0x7ff7a56df519
0x7ff7a56df520
0x7ff7a56df528
0x7ff7a56df533
0x7ff7a56df53a
0x7ff7a56df56d

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881c8078162d35f82bba43f03a585fc8a805b2fb2cb09d7df4f1abe047ead2c
Instruction ID: d8f1fc9d054b4931751c5e779231d35e5ea1b58c6d6d795640715188bfaa962a
Opcode Fuzzy Hash: 4881c8078162d35f82bba43f03a585fc8a805b2fb2cb09d7df4f1abe047ead2c
Instruction Fuzzy Hash: FC02A62270AB4185EE10AA15E0503ADE752FB8AFD0FD55A31DA9D43BF9DF2CE450CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E7934 Relevance: 15.3, APIs: 10, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00007FF77FF7A56E7934(signed long long __rbx, long long __rcx, long long __rsi, long long __rbp) {
				void* _v40;
				signed int _v48;
				char _v65;
				intOrPtr _v66;
				signed short _v72;
				signed long long _v96;
				signed int _v104;
				char _v120;
				char _v128;
				char _v136;
				long long _v144;
				long long _v152;
				void* __rdi;
				signed int _t102;
				signed int _t130;
				signed int _t135;
				void* _t137;
				void* _t139;
				void* _t164;
				signed long long _t167;
				signed long long _t168;
				intOrPtr* _t169;
				signed int _t170;
				long long _t172;
				signed long long _t180;
				signed char* _t189;
				signed char* _t194;
				signed long long _t211;
				void* _t214;
				int _t222;
				long long _t223;
				long long _t225;
				intOrPtr* _t228;
				long long _t229;
				void* _t231;
				void* _t234;
				void* _t236;
				void* _t239;
				void* _t241;
				signed long long _t242;
				signed long long _t243;
				void* _t245;
				signed long long _t247;
				void* _t249;
				signed long long _t251;
				void* _t253;
				signed long long _t255;

				_t225 = __rsi;
				_t180 = __rbx;
				_t239 = _t231;
				 *((long long*)(_t239 + 0x10)) = __rbx;
				 *((long long*)(_t239 + 0x18)) = __rbp;
				 *((long long*)(_t239 + 0x20)) = __rsi;
				_t167 =  *0xa5720430; // 0x4918c7c3922
				_t168 = _t167 ^ _t231 - 0x00000090;
				_v48 = _t168;
				_t223 = __rcx;
				 *((long long*)(_t239 - 0x58)) = __rcx;
				_v96 = __rbx;
				_t242 = __rbx;
				 *((long long*)(_t239 - 0x50)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x14)) == 0) goto 0xa56e7cd0;
				_t228 = __rcx + 4;
				_t10 = _t180 + 1; // 0x1
				_t137 = _t10;
				if ( *_t228 != 0) goto 0xa56e79bb;
				r8d =  *(__rcx + 0x30) & 0x0000ffff;
				r9d = 0x1004;
				_v152 = _t228;
				if (E00007FF77FF7A56EFB68(0, 0, __rbx, _t239 - 0x58, _t234) != 0) goto 0xa56e7ca0;
				E00007FF77FF7A56EA574(_t139, _t168, __rbx, _t239 - 0x58, __rsi, _t228);
				r12d = 0x180;
				_v96 = _t168;
				E00007FF77FF7A56EA5E0(_t180, _t242, _t214, _t223, _t225, _t228, _t253, _t249);
				_t247 = _t168;
				E00007FF77FF7A56EA5E0(_t180, _t242, _t225, _t223, _t225, _t228, _t245, _t241);
				_t255 = _t168;
				E00007FF77FF7A56EA5E0(_t180, _t242, _t225, _t223, _t225, _t228);
				_t251 = _t168;
				E00007FF77FF7A56EA5E0(_t180, _t242, _t225, _t223, _t225, _t228);
				_t243 = _t168;
				_t169 = _v96;
				if (_t169 == _t180) goto 0xa56e7ca0;
				if (_t247 == _t180) goto 0xa56e7ca0;
				if (_t243 == _t180) goto 0xa56e7ca0;
				if (_t255 == _t180) goto 0xa56e7ca0;
				if (_t251 == _t180) goto 0xa56e7ca0;
				 *_t169 = 0;
				 *_t243 = 0;
				if (0 + _t137 - 0x100 < 0) goto 0xa56e7a45;
				if (GetCPInfo(_t222) == 0) goto 0xa56e7ca0;
				if (_v72 - 5 > 0) goto 0xa56e7ca0;
				_t102 = _v72 & 0x0000ffff;
				_v104 = _t102;
				if (_t102 - _t137 <= 0) goto 0xa56e7ab0;
				if (_v66 == 0) goto 0xa56e7ab0;
				_t22 =  &_v65; // 0x1f7
				_t189 = _t22;
				if ( *_t189 == 0) goto 0xa56e7ab0;
				_t130 =  *(_t189 - 1) & 0x000000ff;
				goto 0xa56e7aa0;
				_t170 = _t130;
				 *((char*)(_t170 + _t243)) = 0x20;
				if (_t130 + _t137 - ( *_t189 & 0x000000ff) <= 0) goto 0xa56e7a96;
				if ( *((intOrPtr*)( &(_t189[2]) - 1)) != 0) goto 0xa56e7a8c;
				_v128 = 0;
				_t27 = _t247 + 0x100; // 0x100
				_v136 = 0;
				_v144 =  *_t228;
				_v152 = _t27;
				r9d = 0x100;
				if (E00007FF77FF7A56F2858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236) == 0) goto 0xa56e7ca0;
				_v120 = 0;
				_v128 =  *_t228;
				_t34 = _t255 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t34;
				_t37 = _t170 + 1; // 0x100
				r8d = _t37;
				_t38 = _t243 + 1; // 0x1
				_v152 = 0xff;
				if (E00007FF77FF7A56EAC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF77FF7A56F2858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236), _t170, _t180, _t34, _t225, _t243, _t38) == 0) goto 0xa56e7ca0;
				_v120 = 0;
				_v128 =  *_t228;
				_t43 = _t251 + 0x81; // 0x81
				_v136 = 0xff;
				_v144 = _t43;
				_t46 = _t243 + 1; // 0x1
				r8d = 0x200;
				_v152 = 0xff;
				if (E00007FF77FF7A56EAC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF77FF7A56EAC68(0,  *((intOrPtr*)(_t223 + 0x14)), E00007FF77FF7A56F2858(_t137,  *((intOrPtr*)( &(_t189[2]) - 1)), _t170, _t180, _t27, _t225, _t243, _t236), _t170, _t180, _t34, _t225, _t243, _t38), _t170, _t180, _t43, _t225, _t243, _t46) == 0) goto 0xa56e7ca0;
				_t49 = _t247 + 0xfe; // 0xfe
				_t229 = _t49;
				 *_t229 = 0;
				 *((char*)(_t255 + 0x7f)) = 0;
				 *((char*)(_t251 + 0x7f)) = 0;
				 *((char*)(_t255 + 0x80)) = 0;
				 *((char*)(_t251 + 0x80)) = 0;
				if (_v104 - _t137 <= 0) goto 0xa56e7bc5;
				if (_v66 == 0) goto 0xa56e7bc5;
				_t55 =  &_v65; // 0x1f7
				_t194 = _t55;
				if ( *_t194 == 0) goto 0xa56e7bc5;
				_t135 =  *(_t194 - 1) & 0x000000ff;
				goto 0xa56e7bb5;
				r8d = 0x8000;
				 *((intOrPtr*)(_t247 + 0x100 + _t135 * 2)) = r8w;
				if (_t135 + _t137 - ( *_t194 & 0x000000ff) <= 0) goto 0xa56e7ba1;
				if ( *((intOrPtr*)( &(_t194[2]) - 1)) != 0) goto 0xa56e7b97;
				_t61 = _t247 + 0x200; // 0x200
				r8d = 0xfe;
				E00007FF77FF7A56EAE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t247, _t61, _t243);
				_t62 = _t255 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF77FF7A56EAE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t255, _t62, _t243);
				_t63 = _t251 + 0x100; // 0x100
				r8d = 0x7f;
				E00007FF77FF7A56EAE90(0,  *((intOrPtr*)( &(_t194[2]) - 1)), _t251, _t63, _t243);
				_t164 =  *((intOrPtr*)(_t223 + 0x130)) - _t180;
				if (_t164 == 0) goto 0xa56e7c55;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t164 != 0) goto 0xa56e7c55;
				free(??);
				free(??);
				free(??);
				free(??);
				_t172 = _v96;
				 *_t172 = _t137;
				 *((long long*)(_t223 + 0x130)) = _t172;
				_t71 = _t247 + 0x100; // 0x100
				 *((long long*)(_t223 + 0x140)) = _t71;
				_t73 = _t255 + 0x80; // 0x80
				 *((long long*)(_t223 + 0x138)) = _t229;
				 *((long long*)(_t223 + 0x148)) = _t73;
				_t76 = _t251 + 0x80; // 0x80
				 *((long long*)(_t223 + 0x150)) = _t76;
				 *(_t223 + 0x10c) = _v104;
				goto 0xa56e7cc4;
				free(??);
				free(??);
				free(??);
				free(??);
				_t211 = _t243;
				free(??);
				goto 0xa56e7d25;
				if ( *(_t211 + 0x130) == _t180) goto 0xa56e7ce0;
				asm("lock add dword [eax], 0xffffffff");
				 *(_t211 + 0x130) = _t180;
				 *((long long*)(_t211 + 0x140)) = 0xa5710ed0;
				 *(_t211 + 0x138) = _t180;
				 *((long long*)(_t211 + 0x148)) = 0xa5711360;
				 *((intOrPtr*)(_t211 + 0x10c)) = 1;
				 *((long long*)(_t211 + 0x150)) = 0xa57114e0;
				return E00007FF77FF7A56E4050(0, _v48 ^ _t231 - 0x00000090, _t63, _t243, _t46);
			}

0x7ff7a56e7934
0x7ff7a56e7934
0x7ff7a56e7934
0x7ff7a56e7937
0x7ff7a56e793b
0x7ff7a56e793f
0x7ff7a56e7953
0x7ff7a56e795a
0x7ff7a56e795d
0x7ff7a56e7967
0x7ff7a56e796a
0x7ff7a56e796e
0x7ff7a56e797c
0x7ff7a56e797f
0x7ff7a56e7986
0x7ff7a56e798c
0x7ff7a56e7990
0x7ff7a56e7990
0x7ff7a56e7996
0x7ff7a56e7998
0x7ff7a56e79a3
0x7ff7a56e79a9
0x7ff7a56e79b5
0x7ff7a56e79c0
0x7ff7a56e79c5
0x7ff7a56e79d3
0x7ff7a56e79d8
0x7ff7a56e79e3
0x7ff7a56e79e6
0x7ff7a56e79f1
0x7ff7a56e79f4
0x7ff7a56e7a01
0x7ff7a56e7a04
0x7ff7a56e7a09
0x7ff7a56e7a0c
0x7ff7a56e7a14
0x7ff7a56e7a1d
0x7ff7a56e7a26
0x7ff7a56e7a2f
0x7ff7a56e7a38
0x7ff7a56e7a3e
0x7ff7a56e7a45
0x7ff7a56e7a51
0x7ff7a56e7a63
0x7ff7a56e7a6e
0x7ff7a56e7a74
0x7ff7a56e7a7b
0x7ff7a56e7a7f
0x7ff7a56e7a85
0x7ff7a56e7a87
0x7ff7a56e7a87
0x7ff7a56e7a8e
0x7ff7a56e7a90
0x7ff7a56e7a94
0x7ff7a56e7a96
0x7ff7a56e7a9b
0x7ff7a56e7aa5
0x7ff7a56e7aae
0x7ff7a56e7ab3
0x7ff7a56e7ab7
0x7ff7a56e7abe
0x7ff7a56e7ac2
0x7ff7a56e7ac6
0x7ff7a56e7acd
0x7ff7a56e7adf
0x7ff7a56e7aeb
0x7ff7a56e7aef
0x7ff7a56e7af8
0x7ff7a56e7aff
0x7ff7a56e7b03
0x7ff7a56e7b08
0x7ff7a56e7b08
0x7ff7a56e7b0c
0x7ff7a56e7b13
0x7ff7a56e7b1e
0x7ff7a56e7b2a
0x7ff7a56e7b2e
0x7ff7a56e7b37
0x7ff7a56e7b3e
0x7ff7a56e7b42
0x7ff7a56e7b47
0x7ff7a56e7b4e
0x7ff7a56e7b54
0x7ff7a56e7b5f
0x7ff7a56e7b69
0x7ff7a56e7b69
0x7ff7a56e7b70
0x7ff7a56e7b74
0x7ff7a56e7b78
0x7ff7a56e7b7c
0x7ff7a56e7b83
0x7ff7a56e7b8a
0x7ff7a56e7b90
0x7ff7a56e7b92
0x7ff7a56e7b92
0x7ff7a56e7b99
0x7ff7a56e7b9b
0x7ff7a56e7b9f
0x7ff7a56e7ba4
0x7ff7a56e7bac
0x7ff7a56e7bba
0x7ff7a56e7bc3
0x7ff7a56e7bc5
0x7ff7a56e7bcc
0x7ff7a56e7bd5
0x7ff7a56e7bda
0x7ff7a56e7be1
0x7ff7a56e7bea
0x7ff7a56e7bef
0x7ff7a56e7bf6
0x7ff7a56e7bff
0x7ff7a56e7c0b
0x7ff7a56e7c0e
0x7ff7a56e7c10
0x7ff7a56e7c14
0x7ff7a56e7c24
0x7ff7a56e7c34
0x7ff7a56e7c44
0x7ff7a56e7c50
0x7ff7a56e7c55
0x7ff7a56e7c5a
0x7ff7a56e7c5c
0x7ff7a56e7c63
0x7ff7a56e7c6a
0x7ff7a56e7c71
0x7ff7a56e7c78
0x7ff7a56e7c7f
0x7ff7a56e7c86
0x7ff7a56e7c8d
0x7ff7a56e7c98
0x7ff7a56e7c9e
0x7ff7a56e7ca5
0x7ff7a56e7cad
0x7ff7a56e7cb5
0x7ff7a56e7cbd
0x7ff7a56e7cc4
0x7ff7a56e7cc7
0x7ff7a56e7cce
0x7ff7a56e7cda
0x7ff7a56e7cdc
0x7ff7a56e7cec
0x7ff7a56e7cf3
0x7ff7a56e7d01
0x7ff7a56e7d08
0x7ff7a56e7d16
0x7ff7a56e7d1c
0x7ff7a56e7d55

APIs

GetCPInfo.KERNEL32 ref: 00007FF7A56E7A5B

Part of subcall function 00007FF7A56EFB68: GetLastError.KERNEL32 ref: 00007FF7A56EFBD1
Part of subcall function 00007FF7A56EFB68: free.LIBCMT ref: 00007FF7A56EFC5D

free.LIBCMT ref: 00007FF7A56E7C24
free.LIBCMT ref: 00007FF7A56E7C34
free.LIBCMT ref: 00007FF7A56E7C44
free.LIBCMT ref: 00007FF7A56E7C50
free.LIBCMT ref: 00007FF7A56E7CA5
free.LIBCMT ref: 00007FF7A56E7CAD
free.LIBCMT ref: 00007FF7A56E7CB5
free.LIBCMT ref: 00007FF7A56E7CBD
free.LIBCMT ref: 00007FF7A56E7CC7

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ErrorInfoLast
String ID:
API String ID: 189849726-0
Opcode ID: 56237f1013cf1dc1397bfeea8cdaa334b227246309f0e1c3ee9da10f49af2e64
Instruction ID: 2f852a7445679e5cb47c3327a8647bc19a3dbe45e09aacae25e0ba255bcb8eca
Opcode Fuzzy Hash: 56237f1013cf1dc1397bfeea8cdaa334b227246309f0e1c3ee9da10f49af2e64
Instruction Fuzzy Hash: 97B1F032A0B6C1CAD750EF24E0402AAB7A9FB4AF80FC65135EA5D877A1DF3AD541C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F483C Relevance: 15.2, APIs: 10, Instructions: 177
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 15%

			E00007FF77FF7A56F483C(int __ecx, void* __edx, long long __r8, int* __r9) {
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t39;
				int _t41;
				void* _t43;
				int _t45;
				int _t48;
				int _t50;
				int _t69;
				int _t71;
				int _t72;
				signed long long _t97;
				intOrPtr* _t105;
				int _t108;
				void* _t109;
				long long _t120;
				signed long long _t125;
				void* _t126;
				void* _t127;
				void* _t128;
				void* _t139;
				void* _t140;
				long long _t141;
				long long _t142;

				_t138 = __r9;
				_t127 = _t126 - 0x88;
				_t125 = _t127 + 0x40;
				_t97 =  *0xa5720430; // 0x4918c7c3922
				 *(_t125 + 0x30) = _t97 ^ _t125;
				_t141 =  *((intOrPtr*)(_t125 + 0xb0));
				r12d =  *__r9;
				 *_t125 = 0;
				 *(_t125 + 0x10) = __r9;
				r13d = __edx;
				r15d = __ecx;
				 *((long long*)(_t125 + 8)) = __r8;
				if (__ecx == __edx) goto 0xa56f4aa1;
				if (GetCPInfo(??, ??) == 0) goto 0xa56f493f;
				if ( *((intOrPtr*)(_t125 + 0x18)) != 1) goto 0xa56f493f;
				if (GetCPInfo(??, ??) == 0) goto 0xa56f493f;
				if ( *((intOrPtr*)(_t125 + 0x18)) != 1) goto 0xa56f493f;
				 *_t125 = 1;
				if (r12d == 0xffffffff) goto 0xa56f4932;
				_t69 = r12d;
				if (_t69 <= 0) goto 0xa56f4986;
				_t108 = _t69;
				if (_t108 - 0xfffffff0 > 0) goto 0xa56f4986;
				_t109 = _t108 + _t108 + 0x10;
				if (_t109 - 0x400 > 0) goto 0xa56f496d;
				if (_t109 + 0xf - _t109 > 0) goto 0xa56f4914;
				_t39 = E00007FF77FF7A570C0A0(_t38, 0xffffffffffffff0, _t139, _t140);
				_t128 = _t127 - 0xffffffffffffff0;
				_t105 = _t128 + 0x40;
				if (_t105 == 0) goto 0xa56f4966;
				 *_t105 = 0xcccc;
				goto 0xa56f4980;
				E00007FF77FF7A56E70C0(_t39, _t105);
				goto 0xa56f48d5;
				r9d = r12d;
				 *(_t128 + 0x28) = 0xffffffffffffff1;
				 *((long long*)(_t128 + 0x20)) = _t120;
				_t41 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				_t71 = _t41;
				if (_t41 != 0) goto 0xa56f48d5;
				goto 0xa56f4aa4;
				_t43 = malloc(??);
				if (0xffffffffffffff0 == 0) goto 0xa56f4988;
				 *((intOrPtr*)(0xffffffffffffff0)) = 0xdddd;
				goto 0xa56f4988;
				if (0x1000000000000000 == 0) goto 0xa56f4966;
				E00007FF77FF7A56EB240(_t43, r15d, 0, 0x1000000000000000, _t125 + 0x18, _t71 + _t71);
				r9d = r12d;
				 *(_t128 + 0x28) = _t71;
				 *((long long*)(_t128 + 0x20)) = 0x1000000000000000;
				_t45 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				r15d = 0;
				if (_t45 == r15d) goto 0xa56f4a90;
				if (_t141 == _t142) goto 0xa56f4a07;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				 *(_t128 + 0x28) =  *(_t125 + 0xb8);
				r9d = _t71;
				 *((long long*)(_t128 + 0x20)) = _t141;
				if (WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??) == r15d) goto 0xa56f4a90;
				goto 0xa56f4a90;
				if ( *_t125 != r15d) goto 0xa56f4a39;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				r9d = _t71;
				 *(_t128 + 0x28) = r15d;
				 *((long long*)(_t128 + 0x20)) = _t142;
				_t48 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				_t72 = _t48;
				if (_t48 == r15d) goto 0xa56f4a90;
				E00007FF77FF7A56EA5E0(0x1000000000000000, 0x1000000000000000, _t72, _t120, _t141, _t125);
				if (0xffffffffffffff0 == _t142) goto 0xa56f4a90;
				 *((long long*)(_t128 + 0x38)) = _t142;
				 *((long long*)(_t128 + 0x30)) = _t142;
				r9d = _t72;
				 *(_t128 + 0x28) = _t72;
				 *((long long*)(_t128 + 0x20)) = 0xffffffffffffff0;
				_t50 = WideCharToMultiByte(??, ??, ??, ??, ??, ??, ??, ??);
				if (_t50 != r15d) goto 0xa56f4a84;
				free(??);
				goto 0xa56f4a90;
				if (r12d == 0xffffffff) goto 0xa56f4a90;
				 *( *(_t125 + 0x10)) = _t50;
				if ( *((intOrPtr*)(0xffffffffffffff0)) != 0xdddd) goto 0xa56f4aa1;
				free(??);
				return E00007FF77FF7A56E4050(r13d,  *(_t125 + 0x30) ^ _t125, _t72, 0x1000000000000000, _t138);
			}

0x7ff7a56f483c
0x7ff7a56f4849
0x7ff7a56f4850
0x7ff7a56f4855
0x7ff7a56f485f
0x7ff7a56f4863
0x7ff7a56f486a
0x7ff7a56f4875
0x7ff7a56f4878
0x7ff7a56f487c
0x7ff7a56f487f
0x7ff7a56f4882
0x7ff7a56f4888
0x7ff7a56f489a
0x7ff7a56f48a4
0x7ff7a56f48b9
0x7ff7a56f48c3
0x7ff7a56f48c5
0x7ff7a56f48d0
0x7ff7a56f48d2
0x7ff7a56f48d7
0x7ff7a56f48dd
0x7ff7a56f48ed
0x7ff7a56f48f3
0x7ff7a56f48ff
0x7ff7a56f4908
0x7ff7a56f4918
0x7ff7a56f491d
0x7ff7a56f4920
0x7ff7a56f4928
0x7ff7a56f492a
0x7ff7a56f4930
0x7ff7a56f4935
0x7ff7a56f493d
0x7ff7a56f493f
0x7ff7a56f494d
0x7ff7a56f4951
0x7ff7a56f4956
0x7ff7a56f495c
0x7ff7a56f4960
0x7ff7a56f4968
0x7ff7a56f496d
0x7ff7a56f4978
0x7ff7a56f497a
0x7ff7a56f4984
0x7ff7a56f498b
0x7ff7a56f4998
0x7ff7a56f49a1
0x7ff7a56f49ac
0x7ff7a56f49b0
0x7ff7a56f49b5
0x7ff7a56f49bb
0x7ff7a56f49c1
0x7ff7a56f49ca
0x7ff7a56f49d2
0x7ff7a56f49d7
0x7ff7a56f49dc
0x7ff7a56f49e0
0x7ff7a56f49eb
0x7ff7a56f49f9
0x7ff7a56f4a02
0x7ff7a56f4a0b
0x7ff7a56f4a0d
0x7ff7a56f4a12
0x7ff7a56f4a17
0x7ff7a56f4a22
0x7ff7a56f4a27
0x7ff7a56f4a2c
0x7ff7a56f4a32
0x7ff7a56f4a37
0x7ff7a56f4a41
0x7ff7a56f4a4c
0x7ff7a56f4a4e
0x7ff7a56f4a53
0x7ff7a56f4a58
0x7ff7a56f4a63
0x7ff7a56f4a67
0x7ff7a56f4a6c
0x7ff7a56f4a75
0x7ff7a56f4a7a
0x7ff7a56f4a82
0x7ff7a56f4a88
0x7ff7a56f4a8e
0x7ff7a56f4a9a
0x7ff7a56f4a9c
0x7ff7a56f4ac0

APIs

GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F4892
GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F48B1
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F4956
malloc.LIBCMT ref: 00007FF7A56F496D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F49B5
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F49F0
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F4A2C
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F4A6C
free.LIBCMT ref: 00007FF7A56F4A7A
free.LIBCMT ref: 00007FF7A56F4A9C

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ByteCharMultiWide$Infofree$malloc
String ID:
API String ID: 1309074677-0
Opcode ID: ddcdf63aba2af7ccbb4f9ff1091687fe12846f0595223e00f381b2a32135b9a6
Instruction ID: 16eefa271183ee638ce614b8606d07a257bf1e477605fd01da960b780590c684
Opcode Fuzzy Hash: ddcdf63aba2af7ccbb4f9ff1091687fe12846f0595223e00f381b2a32135b9a6
Instruction Fuzzy Hash: 6B611733E0A68286E720AB25A440179E3D6FF86FA5F969631D95D07BF8DF3CD4458220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F63B0 Relevance: 15.1, APIs: 10, Instructions: 140COMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32 ref: 00007FF7A56F6456
CloseHandle.KERNEL32 ref: 00007FF7A56F646F
ResetEvent.KERNEL32 ref: 00007FF7A56F6482
CreateEventA.KERNEL32 ref: 00007FF7A56F64D7
CloseHandle.KERNEL32 ref: 00007FF7A56F64F0
SetEvent.KERNEL32 ref: 00007FF7A56F650E
CreateEventA.KERNEL32 ref: 00007FF7A56F6562
CloseHandle.KERNEL32 ref: 00007FF7A56F657B
WaitForSingleObjectEx.KERNEL32 ref: 00007FF7A56F6596
CloseHandle.KERNEL32 ref: 00007FF7A56F65B4

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Event$CloseHandle$Create$ObjectOpenResetSingleWait
String ID:
API String ID: 3951656645-0
Opcode ID: 71be907ffdb5954fb9f19019735728fde777d6d86074cdaac84bb97474247b25
Instruction ID: bc77c4881d8d5c8386430b8c931651599960e67fd5ce47447e8e4ab44cf39306
Opcode Fuzzy Hash: 71be907ffdb5954fb9f19019735728fde777d6d86074cdaac84bb97474247b25
Instruction Fuzzy Hash: 6961CB32A0E58186EB61EB60E104339F761FB46FB4F955338E66D47AE8DF6CD4488710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E7E88 Relevance: 13.8, APIs: 11, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7A56E7ED4

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F3412
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F3424
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F3436
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F3448
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F345A
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F346C
Part of subcall function 00007FF7A56F33F4: free.LIBCMT ref: 00007FF7A56F347E

free.LIBCMT ref: 00007FF7A56E7EF6
free.LIBCMT ref: 00007FF7A56E7F0E
free.LIBCMT ref: 00007FF7A56E7F1A
free.LIBCMT ref: 00007FF7A56E7F3E
free.LIBCMT ref: 00007FF7A56E7F52
free.LIBCMT ref: 00007FF7A56E7F61
free.LIBCMT ref: 00007FF7A56E7F6D
free.LIBCMT ref: 00007FF7A56E7F9A
free.LIBCMT ref: 00007FF7A56E7FC2
free.LIBCMT ref: 00007FF7A56E7FDC

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: b084e4c1cfd9c5e526710a43c79106415be09ec5de4f2ef4ea707cbabc5b9e00
Instruction ID: b8dfc7aa682c78b9ca5b6a9a2fed64c525891cc349cbc21f888f3df7f449b2a8
Opcode Fuzzy Hash: b084e4c1cfd9c5e526710a43c79106415be09ec5de4f2ef4ea707cbabc5b9e00
Instruction Fuzzy Hash: F441E032E0B5C1C4EE95BA61C4503F9A3A6EF45F95F862431DE0D477A5CF2DD4828231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DC050 Relevance: 13.7, APIs: 9, Instructions: 176
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 91%

			E00007FF77FF7A56DC050(void* __esi, intOrPtr* __rcx, long long __rdx, void* __r8, long long __r12, long long __r13, long long __r14, long long _a8, long long _a16, long long _a24, long long _a32) {
				intOrPtr* _v72;
				long long _v80;
				void* _v88;
				signed int _t64;
				long long _t117;
				intOrPtr* _t118;
				intOrPtr* _t119;
				signed short* _t124;
				unsigned long long _t127;
				unsigned long long _t130;
				long long _t136;
				intOrPtr* _t137;
				signed short* _t148;
				signed long long _t152;
				signed long long _t155;
				void* _t159;

				_a16 = __rdx;
				_t117 =  *((intOrPtr*)(__rcx + 0x30));
				if (_t117 - _t117 +  *((intOrPtr*)(__rcx + 0x38)) <= 0) goto 0xa56dc07e;
				E00007FF77FF7A56E44B8();
				_t137 =  *((intOrPtr*)(__rcx));
				_v80 = _t117;
				_v88 = _t137;
				if (__rdx == __r8) goto 0xa56dc290;
				_a24 = __r13;
				_a32 = __r14;
				asm("movaps [esp+0x40], xmm6");
				asm("movaps xmm6, [esp+0x20]");
				_a8 = __r12;
				_t155 = _t117 + __rdx;
				_t159 = __r8 - 1;
				_t152 = _t117 + __r8 - 1;
				if (__rdx == _t159) goto 0xa56dc273;
				asm("movdqa [esp+0x20], xmm6");
				if (_t137 != 0) goto 0xa56dc0e6;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56dc0ed;
				if (_t152 -  *((intOrPtr*)( *_t137 + 0x38)) +  *((intOrPtr*)( *_t137 + 0x30)) > 0) goto 0xa56dc10d;
				if (_t137 == 0) goto 0xa56dc105;
				goto 0xa56dc107;
				if (_t152 -  *((intOrPtr*)( *_t137 + 0x30)) >= 0) goto 0xa56dc112;
				E00007FF77FF7A56E44B8();
				_t118 = _v88;
				_t127 = _t152 >> 3;
				if (_t118 != 0) goto 0xa56dc135;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56dc13b;
				if (_t152 -  *((intOrPtr*)( *_t118 + 0x38)) +  *((intOrPtr*)( *_t118 + 0x30)) < 0) goto 0xa56dc14d;
				E00007FF77FF7A56E44B8();
				if (_t118 == 0) goto 0xa56dc157;
				goto 0xa56dc159;
				if ( *((intOrPtr*)( *_t118 + 0x28)) - _t127 > 0) goto 0xa56dc16f;
				if (_t118 == 0) goto 0xa56dc169;
				goto 0xa56dc16b;
				if (_t118 == 0) goto 0xa56dc179;
				goto 0xa56dc17b;
				asm("movdqa [esp+0x30], xmm6");
				_t148 =  *((intOrPtr*)( *((intOrPtr*)( *_t118 + 0x20)) + (_t127 -  *((intOrPtr*)( *_t118 + 0x28))) * 8)) + _t152 * 2;
				if (_t137 != 0) goto 0xa56dc19e;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56dc1a5;
				if (_t155 -  *((intOrPtr*)( *_t137 + 0x38)) +  *((intOrPtr*)( *_t137 + 0x30)) > 0) goto 0xa56dc1c5;
				if (_t137 == 0) goto 0xa56dc1bd;
				goto 0xa56dc1bf;
				if (_t155 -  *((intOrPtr*)( *_t137 + 0x30)) >= 0) goto 0xa56dc1ca;
				E00007FF77FF7A56E44B8();
				_t119 = _v72;
				_t130 = _t155 >> 3;
				if (_t119 != 0) goto 0xa56dc1ed;
				E00007FF77FF7A56E44B8();
				r11d = 0;
				goto 0xa56dc1f3;
				if (_t155 -  *((intOrPtr*)( *_t119 + 0x38)) +  *((intOrPtr*)( *_t119 + 0x30)) < 0) goto 0xa56dc205;
				E00007FF77FF7A56E44B8();
				if (_t119 == 0) goto 0xa56dc20f;
				goto 0xa56dc211;
				if ( *((intOrPtr*)( *_t119 + 0x28)) - _t130 > 0) goto 0xa56dc227;
				if (_t119 == 0) goto 0xa56dc221;
				goto 0xa56dc223;
				if (_t119 == 0) goto 0xa56dc231;
				goto 0xa56dc233;
				_t124 =  *((intOrPtr*)( *((intOrPtr*)( *_t119 + 0x20)) + (_t130 -  *((intOrPtr*)( *_t119 + 0x28))) * 8)) + _t155 * 2;
				if (_t124 == _t148) goto 0xa56dc254;
				_t64 =  *_t148 & 0x0000ffff;
				 *_t124 = _t64;
				 *_t148 =  *_t124 & 0x0000ffff;
				_t136 = _a16 + 1;
				_a16 = _t136;
				if (_t136 != _t159) goto 0xa56dc0c0;
				asm("movaps xmm6, [esp+0x40]");
				return _t64;
			}

0x7ff7a56dc050
0x7ff7a56dc05f
0x7ff7a56dc077
0x7ff7a56dc079
0x7ff7a56dc07e
0x7ff7a56dc081
0x7ff7a56dc086
0x7ff7a56dc08e
0x7ff7a56dc094
0x7ff7a56dc09c
0x7ff7a56dc0a4
0x7ff7a56dc0a9
0x7ff7a56dc0ae
0x7ff7a56dc0b6
0x7ff7a56dc0c0
0x7ff7a56dc0c3
0x7ff7a56dc0c9
0x7ff7a56dc0cf
0x7ff7a56dc0d8
0x7ff7a56dc0da
0x7ff7a56dc0df
0x7ff7a56dc0e4
0x7ff7a56dc0f8
0x7ff7a56dc0fd
0x7ff7a56dc103
0x7ff7a56dc10b
0x7ff7a56dc10d
0x7ff7a56dc112
0x7ff7a56dc11d
0x7ff7a56dc127
0x7ff7a56dc129
0x7ff7a56dc12e
0x7ff7a56dc133
0x7ff7a56dc146
0x7ff7a56dc148
0x7ff7a56dc150
0x7ff7a56dc155
0x7ff7a56dc15d
0x7ff7a56dc162
0x7ff7a56dc167
0x7ff7a56dc172
0x7ff7a56dc177
0x7ff7a56dc17f
0x7ff7a56dc189
0x7ff7a56dc190
0x7ff7a56dc192
0x7ff7a56dc197
0x7ff7a56dc19c
0x7ff7a56dc1b0
0x7ff7a56dc1b5
0x7ff7a56dc1bb
0x7ff7a56dc1c3
0x7ff7a56dc1c5
0x7ff7a56dc1ca
0x7ff7a56dc1d5
0x7ff7a56dc1df
0x7ff7a56dc1e1
0x7ff7a56dc1e6
0x7ff7a56dc1eb
0x7ff7a56dc1fe
0x7ff7a56dc200
0x7ff7a56dc208
0x7ff7a56dc20d
0x7ff7a56dc215
0x7ff7a56dc21a
0x7ff7a56dc21f
0x7ff7a56dc22a
0x7ff7a56dc22f
0x7ff7a56dc23b
0x7ff7a56dc242
0x7ff7a56dc244
0x7ff7a56dc24c
0x7ff7a56dc24f
0x7ff7a56dc25f
0x7ff7a56dc262
0x7ff7a56dc26d
0x7ff7a56dc28b
0x7ff7a56dc29a

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC079
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC0DA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC10D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC129
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC192
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC1C5
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC1E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC200

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4030c83a59812f64d6c05d60debb6fb5f98c41b8662f9c9e344c53440360d978
Instruction ID: 711117b522189664476fd0a16c66f2e81cf75ef99d9df570cef1a7adbb892550
Opcode Fuzzy Hash: 4030c83a59812f64d6c05d60debb6fb5f98c41b8662f9c9e344c53440360d978
Instruction Fuzzy Hash: 14619213B1BE9984FB60AF25D840279A3A2FB46F84F866931DE4D43365DE38D8519320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F25EC Relevance: 13.7, APIs: 9, Instructions: 173
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 39%

			E00007FF77FF7A56F25EC(void* __edx, long long __rbx, intOrPtr* __rcx, long long __rdi, long long __rsi, void* __r8) {
				void* _t43;
				int _t45;
				int _t55;
				void* _t71;
				intOrPtr _t84;
				signed long long _t100;
				intOrPtr _t108;
				void* _t113;
				long long _t121;
				intOrPtr* _t122;
				long long _t125;
				char* _t131;
				signed long long _t132;
				void* _t134;
				void* _t135;
				void* _t136;
				void* _t148;
				void* _t149;
				int _t150;
				int _t151;
				int _t153;
				short* _t156;
				void* _t157;
				int _t160;

				_t121 = __rdi;
				 *(_t134 + 0x20) = r9d;
				_t135 = _t134 - 0x40;
				_t132 = _t135 + 0x30;
				 *((long long*)(_t132 + 0x40)) = __rbx;
				 *((long long*)(_t132 + 0x48)) = __rsi;
				 *((long long*)(_t132 + 0x50)) = __rdi;
				_t100 =  *0xa5720430; // 0x4918c7c3922
				 *(_t132 + 8) = _t100 ^ _t132;
				r9d =  *0xa5723f5c; // 0x1
				_t157 = __r8;
				r15d = __edx;
				_t7 = _t121 + 1; // 0x2
				_t71 = _t7;
				if (r9d != 0) goto 0xa56f2679;
				r8d = 1;
				if (GetStringTypeW(_t160, _t156) == 0) goto 0xa56f265e;
				 *0xa5723f5c = 1;
				goto 0xa56f2694;
				GetLastError();
				r9d =  *0xa5723f5c; // 0x1
				r9d =  ==  ? _t71 : r9d;
				 *0xa5723f5c = r9d;
				if (r9d == _t71) goto 0xa56f27a8;
				if (r9d == 0) goto 0xa56f27a8;
				if (r9d != 1) goto 0xa56f27d7;
				if ( *((intOrPtr*)(_t132 + 0x68)) != 0) goto 0xa56f26a2;
				 *(_t132 + 0x78) =  ~( *(_t132 + 0x78));
				r9d =  *(_t132 + 0x58);
				asm("sbb edx, edx");
				 *((intOrPtr*)(_t135 + 0x28)) = 0;
				 *((long long*)(_t135 + 0x20)) = __rbx;
				_t151 = MultiByteToWideChar(_t153, _t150, _t131);
				_t84 = r12d;
				if (_t84 == 0) goto 0xa56f27d7;
				r13d = 0xdddd;
				if (_t84 <= 0) goto 0xa56f2740;
				if (_t151 - 0xfffffff0 > 0) goto 0xa56f2740;
				_t16 = _t151 + 0x10; // 0x1a
				_t113 = _t151 + _t16;
				if (_t113 - 0x400 > 0) goto 0xa56f272a;
				_t17 = _t113 + 0xf; // 0x29
				if (_t17 - _t113 > 0) goto 0xa56f2708;
				E00007FF77FF7A570C0A0(_t41, 0xffffffffffffff0, _t148, _t149);
				_t136 = _t135 - 0xfffffff0;
				_t122 = _t136 + 0x30;
				if (_t122 == __rbx) goto 0xa56f27d7;
				 *_t122 = 0xcccc;
				goto 0xa56f273a;
				_t43 = malloc(??);
				if (0xfffffff0 == __rbx) goto 0xa56f2743;
				 *((intOrPtr*)(0xffffffffffffff0)) = r13d;
				goto 0xa56f2743;
				_t125 = __rbx;
				if (__rbx == __rbx) goto 0xa56f27d7;
				E00007FF77FF7A56EB240(_t43,  *((intOrPtr*)( *__rcx + 4)), 0, __rbx, 0xa57115e0, _t151 + _t151);
				r9d =  *(_t132 + 0x58);
				 *((intOrPtr*)(_t136 + 0x28)) = r12d;
				 *((long long*)(_t136 + 0x20)) = __rbx;
				_t45 = MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t45 == 0) goto 0xa56f2793;
				r8d = _t45;
				_t55 = GetStringTypeW(??, ??, ??, ??);
				_t23 = _t125 - 0x10; // -16
				if ( *_t23 != r13d) goto 0xa56f27a1;
				free(??);
				goto 0xa56f2830;
				r12d =  *((intOrPtr*)(_t132 + 0x70));
				if (r12d != _t55) goto 0xa56f27bc;
				r12d =  *((intOrPtr*)( *__rcx + 0x14));
				if ( *((intOrPtr*)(_t132 + 0x68)) != _t55) goto 0xa56f27ca;
				_t108 =  *__rcx;
				if (E00007FF77FF7A56F47E8(_t55, r12d,  *((intOrPtr*)(_t132 + 0x60))) != 0xffffffff) goto 0xa56f27db;
				goto 0xa56f2830;
				if (0 ==  *((intOrPtr*)(_t108 + 4))) goto 0xa56f2803;
				 *((intOrPtr*)(_t136 + 0x28)) = _t55;
				 *((long long*)(_t136 + 0x20)) = __rbx;
				E00007FF77FF7A56F483C( *((intOrPtr*)(_t108 + 4)), 0, _t157, _t132 + 0x58);
				if (_t108 == __rbx) goto 0xa56f27d7;
				r9d =  *(_t132 + 0x58);
				 *((long long*)(_t136 + 0x20)) =  *((intOrPtr*)(_t132 + 0x60));
				GetStringTypeA(??, ??, ??, ??, ??);
				if (_t108 == __rbx) goto 0xa56f282e;
				free(??);
				return E00007FF77FF7A56E4050(r12d,  *(_t132 + 8) ^ _t132, __rbx, _t108, _t132 + 0x58);
			}

0x7ff7a56f25ec
0x7ff7a56f25ec
0x7ff7a56f25fa
0x7ff7a56f25fe
0x7ff7a56f2603
0x7ff7a56f2607
0x7ff7a56f260b
0x7ff7a56f260f
0x7ff7a56f2619
0x7ff7a56f261d
0x7ff7a56f262b
0x7ff7a56f262e
0x7ff7a56f2634
0x7ff7a56f2634
0x7ff7a56f263a
0x7ff7a56f2647
0x7ff7a56f2654
0x7ff7a56f2656
0x7ff7a56f265c
0x7ff7a56f265e
0x7ff7a56f2664
0x7ff7a56f266e
0x7ff7a56f2672
0x7ff7a56f267c
0x7ff7a56f2685
0x7ff7a56f268e
0x7ff7a56f2699
0x7ff7a56f26a2
0x7ff7a56f26a5
0x7ff7a56f26ac
0x7ff7a56f26b0
0x7ff7a56f26b7
0x7ff7a56f26c4
0x7ff7a56f26c7
0x7ff7a56f26ca
0x7ff7a56f26d0
0x7ff7a56f26d6
0x7ff7a56f26e5
0x7ff7a56f26e7
0x7ff7a56f26e7
0x7ff7a56f26f3
0x7ff7a56f26f5
0x7ff7a56f26fc
0x7ff7a56f270c
0x7ff7a56f2711
0x7ff7a56f2714
0x7ff7a56f271c
0x7ff7a56f2722
0x7ff7a56f2728
0x7ff7a56f272a
0x7ff7a56f2735
0x7ff7a56f2737
0x7ff7a56f273e
0x7ff7a56f2740
0x7ff7a56f2746
0x7ff7a56f2757
0x7ff7a56f275c
0x7ff7a56f276a
0x7ff7a56f276f
0x7ff7a56f2774
0x7ff7a56f277c
0x7ff7a56f2782
0x7ff7a56f2791
0x7ff7a56f2793
0x7ff7a56f279a
0x7ff7a56f279c
0x7ff7a56f27a3
0x7ff7a56f27a8
0x7ff7a56f27b2
0x7ff7a56f27b8
0x7ff7a56f27c1
0x7ff7a56f27c3
0x7ff7a56f27d5
0x7ff7a56f27d9
0x7ff7a56f27dd
0x7ff7a56f27ea
0x7ff7a56f27ee
0x7ff7a56f27f3
0x7ff7a56f27fe
0x7ff7a56f2807
0x7ff7a56f2814
0x7ff7a56f2819
0x7ff7a56f2824
0x7ff7a56f2829
0x7ff7a56f2855

APIs

GetStringTypeW.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F264C
GetLastError.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F265E
MultiByteToWideChar.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F26BE
malloc.LIBCMT ref: 00007FF7A56F272A
MultiByteToWideChar.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F2774
GetStringTypeW.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F278B
free.LIBCMT ref: 00007FF7A56F279C
GetStringTypeA.KERNEL32(?,?,00000000,?,00000000,0000000A,00000008,00007FF7A56F28BE), ref: 00007FF7A56F2819
free.LIBCMT ref: 00007FF7A56F2829

Part of subcall function 00007FF7A56F483C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F4892
Part of subcall function 00007FF7A56F483C: GetCPInfo.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F48B1
Part of subcall function 00007FF7A56F483C: MultiByteToWideChar.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F49B5
Part of subcall function 00007FF7A56F483C: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,00000001,?,?,?,00000000,?,00000000,?), ref: 00007FF7A56F49F0

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ByteCharMultiWide$StringType$Infofree$ErrorLastmalloc
String ID:
API String ID: 3804003340-0
Opcode ID: 115f6eea8dedc5ed251d069930978551ce189c9ac9d53966058a53c2e0c20737
Instruction ID: 4bb7843a8ce2b5b144f0a04f6bb816fff2661ab51358e4c222399cb45101a91f
Opcode Fuzzy Hash: 115f6eea8dedc5ed251d069930978551ce189c9ac9d53966058a53c2e0c20737
Instruction Fuzzy Hash: D261C833E0668186D760AF21A840479B796FB46FE8B965135EE1D17BB4CF3CE8448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F181C Relevance: 13.6, APIs: 9, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7A56F181C(void* __ebx, signed int __ecx, void* __edx, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t49;
				void* _t55;
				signed int* _t59;
				signed int* _t60;
				long long _t66;
				signed long long _t69;
				void* _t76;
				signed long long _t78;

				_t75 = __r8;
				_t71 = __rbp;
				_t65 = __rdx;
				_t64 = __rcx;
				_t34 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				r13d = __edx;
				_t62 = __ecx;
				if (__ebx != 0xfffffffe) goto 0xa56f1861;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax = 0;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f1935;
				if (__ebx < 0) goto 0xa56f190c;
				_t55 = _t34 -  *0xa57289c0; // 0x20
				if (_t55 >= 0) goto 0xa56f190c;
				_t78 = __ecx >> 5;
				_t69 = __ecx * 0x58;
				_t59 =  *((intOrPtr*)(0xa57289e0 + _t78 * 8));
				if (_t55 != 0) goto 0xa56f18c8;
				E00007FF77FF7A56E78CC(_t59);
				 *_t59 = 0;
				E00007FF77FF7A56E78AC(_t59);
				 *_t59 = 9;
				_v56 = _t66;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t59, __ecx, __rcx, __rdx, _t69, __rbp, __r8);
				goto 0xa56f1935;
				E00007FF77FF7A56F593C(_t34, _t34, _t62, _t66, _t69, _t76);
				_t60 =  *((intOrPtr*)(0xa57289e0 + _t78 * 8));
				if (( *(_t60 + _t69 + 8) & 0x00000001) == 0) goto 0xa56f18ec;
				r8d = r12d;
				_t49 = E00007FF77FF7A56F1784(_t34, _t34, r13d, _t60, _t62, _t69);
				goto 0xa56f1901;
				E00007FF77FF7A56E78AC(_t60);
				 *_t60 = 9;
				E00007FF77FF7A56E78CC(_t60);
				 *_t60 = _t49;
				E00007FF77FF7A56F59E4();
				goto 0xa56f1935;
				E00007FF77FF7A56E78CC(_t60);
				 *_t60 = _t49 | 0xffffffff;
				E00007FF77FF7A56E78AC(_t60);
				 *_t60 = 9;
				_v56 = _t66;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t60, _t62, _t64, _t65, _t69, _t71, _t75) | 0xffffffff;
			}

0x7ff7a56f181c
0x7ff7a56f181c
0x7ff7a56f181c
0x7ff7a56f181c
0x7ff7a56f181c
0x7ff7a56f181c
0x7ff7a56f1821
0x7ff7a56f1826
0x7ff7a56f1837
0x7ff7a56f183a
0x7ff7a56f183d
0x7ff7a56f1843
0x7ff7a56f1845
0x7ff7a56f184c
0x7ff7a56f184e
0x7ff7a56f1853
0x7ff7a56f185c
0x7ff7a56f1865
0x7ff7a56f186b
0x7ff7a56f1871
0x7ff7a56f187d
0x7ff7a56f188b
0x7ff7a56f188f
0x7ff7a56f189b
0x7ff7a56f189d
0x7ff7a56f18a2
0x7ff7a56f18a4
0x7ff7a56f18a9
0x7ff7a56f18af
0x7ff7a56f18b4
0x7ff7a56f18b7
0x7ff7a56f18be
0x7ff7a56f18c6
0x7ff7a56f18ca
0x7ff7a56f18d0
0x7ff7a56f18d9
0x7ff7a56f18db
0x7ff7a56f18e8
0x7ff7a56f18ea
0x7ff7a56f18ec
0x7ff7a56f18f1
0x7ff7a56f18f7
0x7ff7a56f18fc
0x7ff7a56f1903
0x7ff7a56f190a
0x7ff7a56f190c
0x7ff7a56f1911
0x7ff7a56f1913
0x7ff7a56f1918
0x7ff7a56f191e
0x7ff7a56f1923
0x7ff7a56f1926
0x7ff7a56f194c

APIs

__doserrno.LIBCMT ref: 00007FF7A56F1845
_errno.LIBCMT ref: 00007FF7A56F184E
__doserrno.LIBCMT ref: 00007FF7A56F189D
_errno.LIBCMT ref: 00007FF7A56F18A4

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: f10987436b34bd0968861f3bbb4ff45c1ba2012104b75b240ae358803b696601
Instruction ID: b6115fa1a22971043fbee3d6d512ff59a821ab37e9ff3029b4675ef4576949a2
Opcode Fuzzy Hash: f10987436b34bd0968861f3bbb4ff45c1ba2012104b75b240ae358803b696601
Instruction Fuzzy Hash: 8531EA32D1A68282E3517F35984167DB652BFC2F90F966231DD6D077E2CE3D94018720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F9F60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168
windowCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00007FF77FF7A56F9F60(void* __ebx, long long __rbx, long long __rdx, void* __r8, void* __r9, void* _a8) {
				signed int _v56;
				long long _v64;
				long long _v72;
				char _v88;
				char _v96;
				long long _v112;
				long long _v120;
				long long _v128;
				intOrPtr _v136;
				long long _v152;
				intOrPtr _v160;
				long long _v168;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				long _t70;
				signed long long _t109;
				char _t117;
				long long _t143;
				long long _t144;
				long long _t145;
				long long _t149;
				long long _t150;
				void* _t154;
				void* _t163;
				void* _t164;
				void* _t165;
				void* _t166;
				signed long long _t167;
				void* _t169;
				void* _t170;
				void* _t182;
				void* _t185;
				long long _t186;
				long long _t187;

				_t185 = _t170;
				_v120 = 0xfffffffe;
				 *((long long*)(_t185 + 8)) = __rbx;
				_t109 =  *0xa5720430; // 0x4918c7c3922
				_v56 = _t109 ^ _t170 - 0x000000a0;
				_t186 = __rdx;
				 *((long long*)(_t185 - 0x68)) = __rdx;
				r13d = 0;
				_v136 = r13d;
				 *((long long*)(_t185 - 0x80)) = _t187;
				_v152 = _t187;
				_v160 = r13d;
				_v168 = _t185 - 0x80;
				r9d = 0x400;
				_t70 = FormatMessageA(??, ??, ??, ??, ??, ??, ??);
				_t124 = _v128;
				_v112 = _v128;
				if (_t70 != 0) goto 0xa56fa016;
				 *((long long*)(__rdx + 0x20)) = 0xf;
				 *((long long*)(__rdx + 0x18)) = _t187;
				 *(__rdx + 8) = _t70;
				_t16 = _t187 + 0xd; // 0xd
				r8d = _t16;
				E00007FF77FF7A56D1DC0(_v128, __rdx, "Unknown error", _t154, _t167, __r8);
				_v136 = 1;
				LocalFree(??);
				goto 0xa56fa23e;
				_v64 = 0xf;
				_v72 = _t187;
				_v88 = 0;
				asm("repne scasb");
				E00007FF77FF7A56D1DC0(_v128,  &_v96, _v128, _v128, _t167,  !(_t124 | 0xffffffff) - 1);
				_t143 = _v72;
				if (_t143 == 0) goto 0xa56fa1d4;
				_t163 = _t143 - 1;
				if (_t163 - _t143 <= 0) goto 0xa56fa08e;
				E00007FF77FF7A56E44B8();
				_t144 = _v72;
				_t114 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t163)) == 0xa) goto 0xa56fa0da;
				_t164 = _t144 - 1;
				if (_t164 - _t144 <= 0) goto 0xa56fa0c1;
				E00007FF77FF7A56E44B8();
				_t145 = _v72;
				_t116 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t164)) != 0xd) goto 0xa56fa18b;
				_t165 = _t145 - 1;
				if (_t145 - _t165 >= 0) goto 0xa56fa0fc;
				E00007FF77FF7A56E3434( >=  ? _v88 :  &_v88, _t124, _v64, _t167 | 0xffffffff);
				_t182 = _v72 - _t165;
				if (_t182 - 0xffffffff >= 0) goto 0xa56fa110;
				_t169 = _t182;
				if (_t182 == 0) goto 0xa56fa181;
				_t117 = _v88;
				_t176 =  >=  ? _t117 :  &_v88;
				_t132 =  >=  ? _t117 :  &_v88;
				_t133 = ( >=  ? _t117 :  &_v88) + _t165;
				_t177 = ( >=  ? _t117 :  &_v88) + _t165;
				_t178 = ( >=  ? _t117 :  &_v88) + _t165 + _t169;
				E00007FF77FF7A56E4070(( >=  ? _t117 :  &_v88) + _t165, _v64 - _t165, ( >=  ? _t117 :  &_v88) + _t165 + _t169, _t182 - _t169);
				_t149 = _v72 - _t169;
				_v72 = _t149;
				_t119 =  >=  ? _v88 :  &_v88;
				 *((char*)(( >=  ? _v88 :  &_v88) + _t149)) = 0;
				_t150 = _v72;
				if (_t150 == 0) goto 0xa56fa1d4;
				goto 0xa56fa070;
				if (_t150 == 0) goto 0xa56fa1d4;
				_t166 = _t150 - 1;
				if (_t166 - _t150 <= 0) goto 0xa56fa1ae;
				E00007FF77FF7A56E44B8();
				_t121 =  >=  ? _v88 :  &_v88;
				if ( *((char*)(( >=  ? _v88 :  &_v88) + _t166)) != 0x2e) goto 0xa56fa1d4;
				E00007FF77FF7A56D1FC0(_t124,  &_v96, _v72 - 1, _t166, _t169, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff);
				 *((long long*)(_t186 + 0x20)) = 0xf;
				 *((long long*)(_t186 + 0x18)) = _t187;
				 *((char*)(_t186 + 8)) = 0;
				r8d = 0;
				E00007FF77FF7A56D1CA0(_t124, _t186,  &_v96, _v64, _t166, _t169, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
				_v136 = 1;
				if (_v64 - 0x10 < 0) goto 0xa56fa219;
				E00007FF77FF7A56E44D8( >=  ? _v88 :  &_v88, _t124, _v88,  &_v96, _t166, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
				_v64 = 0xf;
				_v72 = _t187;
				_v88 = 0;
				LocalFree(??);
				return E00007FF77FF7A56E4050(0x1300, _v56 ^ _t170 - 0x000000a0,  &_v96, ( >=  ? _t117 :  &_v88) + _t165 + _t169 | 0xffffffff, _t182 - _t169 | 0xffffffff);
			}

0x7ff7a56f9f60
0x7ff7a56f9f71
0x7ff7a56f9f7a
0x7ff7a56f9f7e
0x7ff7a56f9f88
0x7ff7a56f9f90
0x7ff7a56f9f93
0x7ff7a56f9f97
0x7ff7a56f9f9a
0x7ff7a56f9f9f
0x7ff7a56f9fa3
0x7ff7a56f9fa8
0x7ff7a56f9fb1
0x7ff7a56f9fbd
0x7ff7a56f9fc3
0x7ff7a56f9fc9
0x7ff7a56f9fce
0x7ff7a56f9fd5
0x7ff7a56f9fd7
0x7ff7a56f9fe0
0x7ff7a56f9fe5
0x7ff7a56f9fea
0x7ff7a56f9fea
0x7ff7a56f9ff8
0x7ff7a56f9ffd
0x7ff7a56fa008
0x7ff7a56fa011
0x7ff7a56fa016
0x7ff7a56fa022
0x7ff7a56fa02a
0x7ff7a56fa038
0x7ff7a56fa049
0x7ff7a56fa04f
0x7ff7a56fa05a
0x7ff7a56fa070
0x7ff7a56fa077
0x7ff7a56fa079
0x7ff7a56fa086
0x7ff7a56fa097
0x7ff7a56fa0a1
0x7ff7a56fa0a3
0x7ff7a56fa0aa
0x7ff7a56fa0ac
0x7ff7a56fa0b9
0x7ff7a56fa0ca
0x7ff7a56fa0d4
0x7ff7a56fa0de
0x7ff7a56fa0e5
0x7ff7a56fa0e7
0x7ff7a56fa0ff
0x7ff7a56fa106
0x7ff7a56fa108
0x7ff7a56fa10e
0x7ff7a56fa115
0x7ff7a56fa11e
0x7ff7a56fa12b
0x7ff7a56fa135
0x7ff7a56fa138
0x7ff7a56fa13b
0x7ff7a56fa141
0x7ff7a56fa14e
0x7ff7a56fa151
0x7ff7a56fa167
0x7ff7a56fa16d
0x7ff7a56fa179
0x7ff7a56fa184
0x7ff7a56fa186
0x7ff7a56fa18e
0x7ff7a56fa190
0x7ff7a56fa197
0x7ff7a56fa199
0x7ff7a56fa1b7
0x7ff7a56fa1c1
0x7ff7a56fa1cf
0x7ff7a56fa1d4
0x7ff7a56fa1dd
0x7ff7a56fa1e2
0x7ff7a56fa1ec
0x7ff7a56fa1f7
0x7ff7a56fa1fc
0x7ff7a56fa20d
0x7ff7a56fa214
0x7ff7a56fa219
0x7ff7a56fa225
0x7ff7a56fa22d
0x7ff7a56fa235
0x7ff7a56fa264

APIs

FormatMessageA.KERNEL32 ref: 00007FF7A56F9FC3
LocalFree.KERNEL32 ref: 00007FF7A56FA008
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56FA079
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56FA0AC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56FA199

Strings

Unknown error, xrefs: 00007FF7A56F9FEE

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$FormatFreeLocalMessage
String ID: Unknown error
API String ID: 3408990668-83687255
Opcode ID: 7b9eeed1eaa9fbeac6c5963c93b71ae23eb17b54183d238eedd3940b7ac5251d
Instruction ID: 54f6096e9ba4c3faa37c7bd52b6cfae4218fba8ecc92c1d75f86655fdf930f09
Opcode Fuzzy Hash: 7b9eeed1eaa9fbeac6c5963c93b71ae23eb17b54183d238eedd3940b7ac5251d
Instruction Fuzzy Hash: F9718662A09BC185E720AB25E44439EB7A2F745FA4FD15331DAAC076E9DF3CD449CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DE8C0 Relevance: 12.3, APIs: 8, Instructions: 340
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF77FF7A56DE8C0(void* __edx, void* __ebp, long long __rbx, void* __rcx, long long _a24) {
				signed int _v64;
				long long _v72;
				long long _v80;
				char _v96;
				char _v104;
				long long _v112;
				char _v120;
				char _v128;
				void* _v135;
				char _v136;
				void* _v144;
				long long _v152;
				long long _v160;
				long long _v168;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t126;
				void* _t133;
				void* _t156;
				void* _t192;
				signed long long _t222;
				void* _t263;
				long long _t275;
				char* _t277;
				char* _t279;
				long long _t280;
				long long _t285;
				char _t286;
				char _t288;
				char _t291;
				char _t293;
				long long _t301;
				intOrPtr* _t308;
				long long* _t310;
				long long _t311;
				long long _t328;
				char* _t331;
				void* _t333;
				void* _t334;
				signed long long _t336;
				intOrPtr* _t340;
				intOrPtr* _t341;
				long long _t344;
				long long _t352;
				void* _t361;
				long long _t362;

				_v112 = 0xfffffffe;
				_a24 = __rbx;
				_t222 =  *0xa5720430; // 0x4918c7c3922
				_v64 = _t222 ^  &_v144;
				r13d = __edx;
				_t361 = __rcx;
				if (__edx != 0xffffffff) goto 0xa56de908;
				goto 0xa56dee09;
				_t308 =  *((intOrPtr*)(__rcx + 0x48));
				if ( *_t308 == 0) goto 0xa56de941;
				_t340 =  *((intOrPtr*)(__rcx + 0x60));
				if ( *_t308 -  *_t340 +  *_t308 >= 0) goto 0xa56de941;
				 *_t340 =  *_t340 - 1;
				_t310 =  *((intOrPtr*)(__rcx + 0x48));
				_t341 =  *_t310;
				_t285 = _t341 + 1;
				 *_t310 = _t285;
				 *_t341 = r13b;
				goto 0xa56dee09;
				_t311 =  *((intOrPtr*)(__rcx + 0x88));
				if (_t311 != 0) goto 0xa56de956;
				goto 0xa56dee09;
				if ( *((long long*)(__rcx + 0x70)) != 0) goto 0xa56de978;
				E00007FF77FF7A56E68AC(r13b, _t222 ^  &_v144, __rbx, _t285, _t311, _t334, _t341);
				_t155 =  !=  ? r13d : __ebp;
				goto 0xa56dee09;
				_v136 = r13b;
				_v72 = _t311;
				_v96 = 0;
				_v96 = _t285;
				_v80 = 8;
				_t225 =  >=  ? _t285 :  &_v96;
				 *((char*)(( >=  ? _t285 :  &_v96) + 8)) = 0;
				r15d = 0;
				_t286 = _v96;
				if (_v72 - 0x10 < 0) goto 0xa56de9d8;
				if (_t286 == 0) goto 0xa56dea04;
				goto 0xa56de9dd;
				_t331 =  &_v96;
				_t227 =  >=  ? _t286 :  &_v96;
				_t167 = ( >=  ? _t286 :  &_v96) - _t331;
				if (( >=  ? _t286 :  &_v96) - _t331 > 0) goto 0xa56dea04;
				_t229 =  >=  ? _t286 :  &_v96;
				_t230 = ( >=  ? _t286 :  &_v96) + _v80;
				_t169 = _t331 - ( >=  ? _t286 :  &_v96) + _v80;
				if (_t331 - ( >=  ? _t286 :  &_v96) + _v80 <= 0) goto 0xa56dea1b;
				E00007FF77FF7A56E44B8();
				if ( &_v104 == 0xfffffffc) goto 0xa56dea52;
				_t233 =  >=  ? _v96 :  &_v96;
				_t234 = ( >=  ? _v96 :  &_v96) + _v80;
				_t172 = _t331 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t331 - ( >=  ? _v96 :  &_v96) + _v80 < 0) goto 0xa56dea52;
				E00007FF77FF7A56E44B8();
				_t344 = _v80;
				_t288 = _v96;
				_t335 = _t344;
				if (_v72 - 0x10 < 0) goto 0xa56dea65;
				if (_t288 == 0) goto 0xa56dea91;
				goto 0xa56dea6a;
				_t275 =  &_v96;
				_t236 =  >=  ? _t288 :  &_v96;
				_t176 = ( >=  ? _t288 :  &_v96) - _t275;
				if (( >=  ? _t288 :  &_v96) - _t275 > 0) goto 0xa56dea91;
				_t238 =  >=  ? _t288 :  &_v96;
				_t239 = ( >=  ? _t288 :  &_v96) + _t344;
				_t178 = _t275 - ( >=  ? _t288 :  &_v96) + _t344;
				if (_t275 - ( >=  ? _t288 :  &_v96) + _t344 <= 0) goto 0xa56deaa8;
				E00007FF77FF7A56E44B8();
				if ( &_v104 == 0xfffffffc) goto 0xa56deacd;
				_t242 =  >=  ? _v96 :  &_v96;
				_t243 = ( >=  ? _v96 :  &_v96) + _v80;
				_t181 = _t275 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t275 - ( >=  ? _v96 :  &_v96) + _v80 < 0) goto 0xa56deacd;
				E00007FF77FF7A56E44B8();
				_v144 =  &_v120;
				_v152 = _t331 + _t344;
				_v160 = _t275;
				_v168 =  &_v128;
				_t126 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t361 + 0x70)))) + 0x28))();
				if (_t126 < 0) goto 0xa56dedf2;
				if (_t126 - 1 > 0) goto 0xa56dedbb;
				_t291 = _v96;
				if (_v72 - 0x10 < 0) goto 0xa56deb38;
				if (_t291 == 0) goto 0xa56deb69;
				goto 0xa56deb3d;
				_t277 =  &_v96;
				_t247 =  >=  ? _t291 :  &_v96;
				_t187 = ( >=  ? _t291 :  &_v96) - _t277;
				if (( >=  ? _t291 :  &_v96) - _t277 > 0) goto 0xa56deb69;
				_t249 =  >=  ? _t291 :  &_v96;
				_t250 = ( >=  ? _t291 :  &_v96) + _v80;
				_t189 = _t277 - ( >=  ? _t291 :  &_v96) + _v80;
				if (_t277 - ( >=  ? _t291 :  &_v96) + _v80 <= 0) goto 0xa56deb80;
				E00007FF77FF7A56E44B8();
				if ( &_v104 == 0xfffffffc) goto 0xa56debb7;
				_t253 =  >=  ? _v96 :  &_v96;
				_t254 = ( >=  ? _v96 :  &_v96) + _v80;
				_t192 = _t277 - ( >=  ? _v96 :  &_v96) + _v80;
				if (_t192 < 0) goto 0xa56debb7;
				E00007FF77FF7A56E44B8();
				_t293 = _v96;
				_t333 = _v120 - _t277;
				if (_t192 == 0) goto 0xa56dec70;
				if (_v72 - 0x10 < 0) goto 0xa56debd5;
				if (_t293 == 0) goto 0xa56dec01;
				goto 0xa56debda;
				_t279 =  &_v96;
				_t256 =  >=  ? _t293 :  &_v96;
				_t196 = ( >=  ? _t293 :  &_v96) - _t279;
				if (( >=  ? _t293 :  &_v96) - _t279 > 0) goto 0xa56dec01;
				_t258 =  >=  ? _t293 :  &_v96;
				_t259 = ( >=  ? _t293 :  &_v96) + _v80;
				_t198 = _t279 - ( >=  ? _t293 :  &_v96) + _v80;
				if (_t279 - ( >=  ? _t293 :  &_v96) + _v80 <= 0) goto 0xa56dec18;
				E00007FF77FF7A56E44B8();
				if ( &_v104 == 0xfffffffc) goto 0xa56dec3d;
				_t262 =  >=  ? _v96 :  &_v96;
				_t263 = ( >=  ? _v96 :  &_v96) + _v80;
				if (_t279 - _t263 < 0) goto 0xa56dec3d;
				E00007FF77FF7A56E44B8();
				_t359 =  *((intOrPtr*)(_t361 + 0x88));
				E00007FF77FF7A56E5B14(_t279, _t279, _v72, _t333, _t344, _t333,  *((intOrPtr*)(_t361 + 0x88)));
				if (_t333 != _t263) goto 0xa56ded83;
				_t352 = _v80;
				 *((char*)(_t361 + 0x79)) = 1;
				if (_v128 !=  &_v136) goto 0xa56dedab;
				if (_t333 != 0) goto 0xa56de9c8;
				if (_t352 - 0x20 >= 0) goto 0xa56ded9c;
				if ((_t336 | 0xffffffffffffffff) - _t352 - 8 > 0) goto 0xa56decbc;
				E00007FF77FF7A56E33CC((_t336 | 0xffffffffffffffff) - _t352, _t279, _t333, _t336 | 0xffffffffffffffff, _t352,  *((intOrPtr*)(_t361 + 0x88)));
				_t84 = _v80 + 8; // 0x10
				_t280 = _t84;
				if (_t280 - 0xfffffffe <= 0) goto 0xa56decdd;
				_t133 = E00007FF77FF7A56E33CC((_t336 | 0xffffffffffffffff) - _t352, _t280, _t333, _t336 | 0xffffffffffffffff, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				if (_v72 - _t280 >= 0) goto 0xa56ded03;
				E00007FF77FF7A56D2250(_t133,  &_v104, _t280, _v80);
				goto 0xa56ded34;
				if (_t280 != 0) goto 0xa56ded34;
				_v80 = _t362;
				_t268 =  >=  ? _v96 :  &_v96;
				 *((intOrPtr*)( >=  ? _v96 :  &_v96)) = r15b;
				_t301 = _v96;
				goto 0xa56de9c8;
				if (_t280 == 0) goto 0xa56de9c8;
				_t270 =  >=  ? _t301 :  &_v96;
				 *((long long*)(_v80 + ( >=  ? _t301 :  &_v96))) = _t301;
				_v80 = _t280;
				_t272 =  >=  ? _v96 :  &_v96;
				 *((char*)(_t280 + ( >=  ? _v96 :  &_v96))) = 0;
				_t328 = _v72;
				_t357 = _v80;
				goto 0xa56de9c8;
				if (_v72 - 0x10 < 0) goto 0xa56ded98;
				E00007FF77FF7A56E44D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t344, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				goto 0xa56dee09;
				if (_t328 - 0x10 < 0) goto 0xa56deda7;
				E00007FF77FF7A56E44D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t344, _v80,  *((intOrPtr*)(_t361 + 0x88)));
				goto 0xa56dee09;
				if (_t328 - 0x10 < 0) goto 0xa56dedb6;
				E00007FF77FF7A56E44D8( >=  ? _v96 :  &_v96, _t280, _v96, _t328, _t335, _v80, _t359);
				goto 0xa56dee09;
				if (r13d != 3) goto 0xa56dedf2;
				E00007FF77FF7A56E68AC(_v136, _t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _v80);
				_t156 =  !=  ? r13d :  !=  ? r13d : __ebp;
				if (_v72 - 0x10 < 0) goto 0xa56dedee;
				E00007FF77FF7A56E44D8(_t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _v80, _t359);
				goto 0xa56dee09;
				if (_v72 - 0x10 < 0) goto 0xa56dee07;
				E00007FF77FF7A56E44D8(_t272, _t280, _v96,  *((intOrPtr*)(_t361 + 0x88)), _t335, _t357, _t359);
				return E00007FF77FF7A56E4050(_v136, _v64 ^  &_v144,  *((intOrPtr*)(_t361 + 0x88)), _t357, _t359);
			}

0x7ff7a56de8d3
0x7ff7a56de8dc
0x7ff7a56de8e4
0x7ff7a56de8ee
0x7ff7a56de8f6
0x7ff7a56de8f9
0x7ff7a56de8ff
0x7ff7a56de903
0x7ff7a56de908
0x7ff7a56de910
0x7ff7a56de915
0x7ff7a56de922
0x7ff7a56de924
0x7ff7a56de927
0x7ff7a56de92c
0x7ff7a56de92f
0x7ff7a56de933
0x7ff7a56de936
0x7ff7a56de93c
0x7ff7a56de941
0x7ff7a56de94c
0x7ff7a56de951
0x7ff7a56de95c
0x7ff7a56de962
0x7ff7a56de96d
0x7ff7a56de973
0x7ff7a56de978
0x7ff7a56de982
0x7ff7a56de98a
0x7ff7a56de991
0x7ff7a56de996
0x7ff7a56de9a8
0x7ff7a56de9ac
0x7ff7a56de9b3
0x7ff7a56de9c3
0x7ff7a56de9cc
0x7ff7a56de9d4
0x7ff7a56de9d6
0x7ff7a56de9d8
0x7ff7a56de9e6
0x7ff7a56de9ea
0x7ff7a56de9ed
0x7ff7a56de9f8
0x7ff7a56de9fc
0x7ff7a56de9ff
0x7ff7a56dea02
0x7ff7a56dea04
0x7ff7a56dea24
0x7ff7a56dea2f
0x7ff7a56dea33
0x7ff7a56dea36
0x7ff7a56dea39
0x7ff7a56dea3b
0x7ff7a56dea48
0x7ff7a56dea4d
0x7ff7a56dea52
0x7ff7a56dea59
0x7ff7a56dea61
0x7ff7a56dea63
0x7ff7a56dea65
0x7ff7a56dea73
0x7ff7a56dea77
0x7ff7a56dea7a
0x7ff7a56dea85
0x7ff7a56dea89
0x7ff7a56dea8c
0x7ff7a56dea8f
0x7ff7a56dea91
0x7ff7a56deab1
0x7ff7a56deabc
0x7ff7a56deac0
0x7ff7a56deac3
0x7ff7a56deac6
0x7ff7a56deac8
0x7ff7a56deade
0x7ff7a56deae3
0x7ff7a56deae8
0x7ff7a56deaf2
0x7ff7a56deb06
0x7ff7a56deb0c
0x7ff7a56deb15
0x7ff7a56deb1b
0x7ff7a56deb2c
0x7ff7a56deb34
0x7ff7a56deb36
0x7ff7a56deb38
0x7ff7a56deb46
0x7ff7a56deb4a
0x7ff7a56deb4d
0x7ff7a56deb58
0x7ff7a56deb61
0x7ff7a56deb64
0x7ff7a56deb67
0x7ff7a56deb69
0x7ff7a56deb89
0x7ff7a56deb94
0x7ff7a56deb98
0x7ff7a56deb9b
0x7ff7a56deb9e
0x7ff7a56deba0
0x7ff7a56debb2
0x7ff7a56debbc
0x7ff7a56debbf
0x7ff7a56debc9
0x7ff7a56debd1
0x7ff7a56debd3
0x7ff7a56debd5
0x7ff7a56debe3
0x7ff7a56debe7
0x7ff7a56debea
0x7ff7a56debf5
0x7ff7a56debf9
0x7ff7a56debfc
0x7ff7a56debff
0x7ff7a56dec01
0x7ff7a56dec21
0x7ff7a56dec2c
0x7ff7a56dec30
0x7ff7a56dec36
0x7ff7a56dec38
0x7ff7a56dec3d
0x7ff7a56dec50
0x7ff7a56dec58
0x7ff7a56dec66
0x7ff7a56dec70
0x7ff7a56dec80
0x7ff7a56dec89
0x7ff7a56dec93
0x7ff7a56deca3
0x7ff7a56deca5
0x7ff7a56decbc
0x7ff7a56decbc
0x7ff7a56decc4
0x7ff7a56decc6
0x7ff7a56dece0
0x7ff7a56decea
0x7ff7a56ded01
0x7ff7a56ded06
0x7ff7a56ded08
0x7ff7a56ded16
0x7ff7a56ded1a
0x7ff7a56ded2a
0x7ff7a56ded2f
0x7ff7a56ded37
0x7ff7a56ded46
0x7ff7a56ded4c
0x7ff7a56ded50
0x7ff7a56ded63
0x7ff7a56ded69
0x7ff7a56ded6c
0x7ff7a56ded74
0x7ff7a56ded7e
0x7ff7a56ded8c
0x7ff7a56ded93
0x7ff7a56ded9a
0x7ff7a56deda0
0x7ff7a56deda2
0x7ff7a56deda9
0x7ff7a56dedaf
0x7ff7a56dedb1
0x7ff7a56dedb9
0x7ff7a56dedbe
0x7ff7a56dedcd
0x7ff7a56dedd5
0x7ff7a56dede2
0x7ff7a56dede9
0x7ff7a56dedf0
0x7ff7a56dedfb
0x7ff7a56dee02
0x7ff7a56dee33

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d40a9783c5088da7ce004c666f8bdd368779f830e9e7fa24a0836714183e228
Instruction ID: 5f8c8549824489716b8834b9251e69977a69dbdd03c7fca1e54060ad62c832ab
Opcode Fuzzy Hash: 9d40a9783c5088da7ce004c666f8bdd368779f830e9e7fa24a0836714183e228
Instruction Fuzzy Hash: 0FE1752270BB4184EE10AA15E04426EF752FB86FE0FD55A32DA9D427F8DF2CE494C760

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DFB00 Relevance: 12.3, APIs: 8, Instructions: 295
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF77FF7A56DFB00(void* __edx, long long __rbx, long long __rcx, long long __rdx, long long __rsi) {
				void* __rdi;
				void* _t121;
				void* _t162;
				void* _t171;
				void* _t197;
				signed long long _t198;
				signed long long _t223;
				void* _t233;
				void* _t235;
				void* _t237;
				long long _t239;
				long long _t280;
				void* _t282;
				void* _t284;
				long long _t288;
				long long _t289;
				void* _t291;
				signed long long _t292;
				intOrPtr _t294;
				intOrPtr _t296;
				intOrPtr _t299;
				intOrPtr _t301;
				intOrPtr _t326;
				long long _t328;

				_t197 = _t291;
				_t292 = _t291 - 0x70;
				 *((long long*)(_t292 + 0x38)) = 0xfffffffe;
				 *((long long*)(_t197 + 0x10)) = __rbx;
				 *((long long*)(_t197 + 0x18)) = _t288;
				 *((long long*)(_t197 + 0x20)) = __rsi;
				_t198 =  *0xa5720430; // 0x4918c7c3922
				 *(_t292 + 0x68) = _t198 ^ _t292;
				_t289 = __rcx;
				if ( *((long long*)(__rcx + 0x70)) == 0) goto 0xa56dff52;
				if ( *((char*)(__rcx + 0x79)) == 0) goto 0xa56dff52;
				if ( *((intOrPtr*)( *((intOrPtr*)(__rcx)) + 8))() != 0xffffffff) goto 0xa56dfb5d;
				goto 0xa56dff54;
				 *((long long*)(_t292 + 0x60)) = __rdx;
				 *((char*)(_t292 + 0x48)) = 0;
				 *((long long*)(_t292 + 0x48)) = __rcx;
				 *((long long*)(_t292 + 0x58)) = 8;
				_t202 =  >=  ? __rcx : _t292 + 0x48;
				 *((char*)(( >=  ? __rcx : _t292 + 0x48) + 8)) = 0;
				r13d = 0;
				_t294 =  *((intOrPtr*)(_t292 + 0x48));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dfbb0;
				if (_t294 == 0) goto 0xa56dfbe1;
				goto 0xa56dfbb5;
				_t282 = _t292 + 0x48;
				_t204 =  >=  ? _t294 : _t292 + 0x48;
				_t147 = ( >=  ? _t294 : _t292 + 0x48) - _t282;
				if (( >=  ? _t294 : _t292 + 0x48) - _t282 > 0) goto 0xa56dfbe1;
				_t243 =  >=  ? _t294 : _t292 + 0x48;
				_t244 = ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t149 = _t282 - ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t282 - ( >=  ? _t294 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0xa56dfbf0;
				E00007FF77FF7A56E44B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0xa56dfc24;
				_t246 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t247 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t152 = _t282 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t282 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) < 0) goto 0xa56dfc24;
				E00007FF77FF7A56E44B8();
				_t296 =  *((intOrPtr*)(_t292 + 0x48));
				_t286 =  *((intOrPtr*)(_t292 + 0x58));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dfc39;
				if (_t296 == 0) goto 0xa56dfc6a;
				goto 0xa56dfc3e;
				_t233 = _t292 + 0x48;
				_t209 =  >=  ? _t296 : _t292 + 0x48;
				_t156 = ( >=  ? _t296 : _t292 + 0x48) - _t233;
				if (( >=  ? _t296 : _t292 + 0x48) - _t233 > 0) goto 0xa56dfc6a;
				_t249 =  >=  ? _t296 : _t292 + 0x48;
				_t250 = ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t158 = _t233 - ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t233 - ( >=  ? _t296 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0xa56dfc79;
				E00007FF77FF7A56E44B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0xa56dfca3;
				_t252 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t253 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t161 = _t233 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t233 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) < 0) goto 0xa56dfca3;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t292 + 0x20)) = _t292 + 0x30;
				_t162 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x70)))) + 0x30))();
				if (_t162 == 0) goto 0xa56dfcd1;
				if (_t162 != 0) goto 0xa56dfef9;
				goto 0xa56dfcd5;
				 *((intOrPtr*)(__rcx + 0x79)) = r13b;
				_t299 =  *((intOrPtr*)(_t292 + 0x48));
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dfcef;
				if (_t299 == 0) goto 0xa56dfd20;
				goto 0xa56dfcf4;
				_t235 = _t292 + 0x48;
				_t215 =  >=  ? _t299 : _t292 + 0x48;
				_t166 = ( >=  ? _t299 : _t292 + 0x48) - _t235;
				if (( >=  ? _t299 : _t292 + 0x48) - _t235 > 0) goto 0xa56dfd20;
				_t256 =  >=  ? _t299 : _t292 + 0x48;
				_t257 = ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t168 = _t235 - ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t235 - ( >=  ? _t299 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0xa56dfd2f;
				E00007FF77FF7A56E44B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0xa56dfd63;
				_t259 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t260 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t171 = _t235 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t171 < 0) goto 0xa56dfd63;
				E00007FF77FF7A56E44B8();
				_t301 =  *((intOrPtr*)(_t292 + 0x48));
				_t284 =  *((intOrPtr*)(_t292 + 0x30)) - _t235;
				if (_t171 == 0) goto 0xa56dfe15;
				if ( *((intOrPtr*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dfd81;
				if (_t301 == 0) goto 0xa56dfdb2;
				goto 0xa56dfd86;
				_t237 = _t292 + 0x48;
				_t220 =  >=  ? _t301 : _t292 + 0x48;
				_t175 = ( >=  ? _t301 : _t292 + 0x48) - _t237;
				if (( >=  ? _t301 : _t292 + 0x48) - _t237 > 0) goto 0xa56dfdb2;
				_t262 =  >=  ? _t301 : _t292 + 0x48;
				_t263 = ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				_t177 = _t237 - ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58));
				if (_t237 - ( >=  ? _t301 : _t292 + 0x48) +  *((intOrPtr*)(_t292 + 0x58)) <= 0) goto 0xa56dfdc1;
				E00007FF77FF7A56E44B8();
				if (_t292 + 0x40 == 0xfffffffc) goto 0xa56dfdeb;
				_t278 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				_t223 =  *((intOrPtr*)(_t292 + 0x58));
				_t279 = ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223;
				_t180 = _t237 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223;
				if (_t237 - ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223 < 0) goto 0xa56dfdeb;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A56E5B14(_t237, _t237, ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48) + _t223, _t284,  *((intOrPtr*)(_t292 + 0x58)), _t284,  *((intOrPtr*)(__rcx + 0x88)));
				if (_t284 != _t223) goto 0xa56dff2a;
				if ( *((intOrPtr*)(_t289 + 0x79)) == r13b) goto 0xa56dff40;
				if (_t284 != 0) goto 0xa56dfba0;
				if ((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)) - 8 > 0) goto 0xa56dfe46;
				E00007FF77FF7A56E33CC((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)), _t237, _t284, _t289,  *((intOrPtr*)(_t292 + 0x48)),  *((intOrPtr*)(_t292 + 0x60)));
				_t239 =  *((intOrPtr*)(_t292 + 0x58)) + 8;
				if (_t239 - 0xfffffffe <= 0) goto 0xa56dfe64;
				_t121 = E00007FF77FF7A56E33CC((_t223 | 0xffffffff) -  *((intOrPtr*)(_t292 + 0x58)), _t239, _t284, _t289,  *((intOrPtr*)(_t292 + 0x48)),  *((intOrPtr*)(_t292 + 0x60)));
				if ( *((intOrPtr*)(_t292 + 0x60)) - _t239 >= 0) goto 0xa56dfe87;
				_t280 = _t239;
				E00007FF77FF7A56D2250(_t121, _t292 + 0x40, _t280,  *((intOrPtr*)(_t292 + 0x58)));
				goto 0xa56dfeb0;
				if (_t239 != 0) goto 0xa56dfeb0;
				 *((long long*)(_t292 + 0x58)) = _t328;
				_t227 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((intOrPtr*)( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48)) = r13b;
				goto 0xa56dfba0;
				if (_t239 == 0) goto 0xa56dfba0;
				_t267 =  >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((long long*)( *((intOrPtr*)(_t292 + 0x58)) + ( >=  ?  *((intOrPtr*)(_t292 + 0x48)) : _t292 + 0x48))) = _t280;
				 *((long long*)(_t292 + 0x58)) = _t239;
				_t230 =  >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48;
				 *((char*)(_t239 + ( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48))) = 0;
				_t326 =  *((intOrPtr*)(_t292 + 0x60));
				_t310 =  *((intOrPtr*)(_t292 + 0x48));
				goto 0xa56dfba0;
				if ( *((long long*)(_t292 + 0x60)) == 0x10) goto 0xa56dff14;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dff10;
				E00007FF77FF7A56E44D8( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280,  *((intOrPtr*)(_t292 + 0x58)),  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0xa56dff54;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dff26;
				E00007FF77FF7A56E44D8( >=  ?  *((void*)(_t292 + 0x48)) : _t292 + 0x48, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280,  *((intOrPtr*)(_t292 + 0x58)),  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0xa56dff54;
				if ( *((long long*)(_t292 + 0x60)) - 0x10 < 0) goto 0xa56dff3c;
				E00007FF77FF7A56E44D8(_t230, _t239,  *((intOrPtr*)(_t292 + 0x48)), _t280, _t286,  *((intOrPtr*)(_t292 + 0x48)), _t326);
				goto 0xa56dff54;
				if (_t326 - 0x10 < 0) goto 0xa56dff4e;
				E00007FF77FF7A56E44D8(_t230, _t239, _t310, _t280, _t286, _t310, _t326);
				goto 0xa56dff54;
				return E00007FF77FF7A56E4050(0,  *(_t292 + 0x68) ^ _t292, _t280, _t310, _t326);
			}

0x7ff7a56dfb00
0x7ff7a56dfb08
0x7ff7a56dfb0c
0x7ff7a56dfb15
0x7ff7a56dfb19
0x7ff7a56dfb1d
0x7ff7a56dfb21
0x7ff7a56dfb2b
0x7ff7a56dfb30
0x7ff7a56dfb38
0x7ff7a56dfb42
0x7ff7a56dfb54
0x7ff7a56dfb58
0x7ff7a56dfb62
0x7ff7a56dfb67
0x7ff7a56dfb6e
0x7ff7a56dfb73
0x7ff7a56dfb85
0x7ff7a56dfb89
0x7ff7a56dfb8c
0x7ff7a56dfb94
0x7ff7a56dfba4
0x7ff7a56dfbac
0x7ff7a56dfbae
0x7ff7a56dfbb0
0x7ff7a56dfbbe
0x7ff7a56dfbc2
0x7ff7a56dfbc5
0x7ff7a56dfbd0
0x7ff7a56dfbd9
0x7ff7a56dfbdc
0x7ff7a56dfbdf
0x7ff7a56dfbe1
0x7ff7a56dfbf9
0x7ff7a56dfc04
0x7ff7a56dfc0d
0x7ff7a56dfc10
0x7ff7a56dfc13
0x7ff7a56dfc15
0x7ff7a56dfc1f
0x7ff7a56dfc24
0x7ff7a56dfc2d
0x7ff7a56dfc35
0x7ff7a56dfc37
0x7ff7a56dfc39
0x7ff7a56dfc47
0x7ff7a56dfc4b
0x7ff7a56dfc4e
0x7ff7a56dfc59
0x7ff7a56dfc62
0x7ff7a56dfc65
0x7ff7a56dfc68
0x7ff7a56dfc6a
0x7ff7a56dfc82
0x7ff7a56dfc8d
0x7ff7a56dfc96
0x7ff7a56dfc99
0x7ff7a56dfc9c
0x7ff7a56dfc9e
0x7ff7a56dfcb3
0x7ff7a56dfcc2
0x7ff7a56dfcc4
0x7ff7a56dfcc9
0x7ff7a56dfccf
0x7ff7a56dfcd1
0x7ff7a56dfcd5
0x7ff7a56dfce3
0x7ff7a56dfceb
0x7ff7a56dfced
0x7ff7a56dfcef
0x7ff7a56dfcfd
0x7ff7a56dfd01
0x7ff7a56dfd04
0x7ff7a56dfd0f
0x7ff7a56dfd18
0x7ff7a56dfd1b
0x7ff7a56dfd1e
0x7ff7a56dfd20
0x7ff7a56dfd38
0x7ff7a56dfd43
0x7ff7a56dfd4c
0x7ff7a56dfd4f
0x7ff7a56dfd52
0x7ff7a56dfd54
0x7ff7a56dfd5e
0x7ff7a56dfd68
0x7ff7a56dfd6b
0x7ff7a56dfd75
0x7ff7a56dfd7d
0x7ff7a56dfd7f
0x7ff7a56dfd81
0x7ff7a56dfd8f
0x7ff7a56dfd93
0x7ff7a56dfd96
0x7ff7a56dfda1
0x7ff7a56dfdaa
0x7ff7a56dfdad
0x7ff7a56dfdb0
0x7ff7a56dfdb2
0x7ff7a56dfdca
0x7ff7a56dfdd5
0x7ff7a56dfdd9
0x7ff7a56dfdde
0x7ff7a56dfde1
0x7ff7a56dfde4
0x7ff7a56dfde6
0x7ff7a56dfdfd
0x7ff7a56dfe05
0x7ff7a56dfe19
0x7ff7a56dfe22
0x7ff7a56dfe35
0x7ff7a56dfe37
0x7ff7a56dfe4b
0x7ff7a56dfe53
0x7ff7a56dfe55
0x7ff7a56dfe67
0x7ff7a56dfe6e
0x7ff7a56dfe76
0x7ff7a56dfe85
0x7ff7a56dfe8a
0x7ff7a56dfe8c
0x7ff7a56dfe9a
0x7ff7a56dfe9e
0x7ff7a56dfeab
0x7ff7a56dfeb3
0x7ff7a56dfec2
0x7ff7a56dfecd
0x7ff7a56dfed1
0x7ff7a56dfee1
0x7ff7a56dfee7
0x7ff7a56dfeea
0x7ff7a56dfeef
0x7ff7a56dfef4
0x7ff7a56dfefc
0x7ff7a56dff04
0x7ff7a56dff0b
0x7ff7a56dff12
0x7ff7a56dff1a
0x7ff7a56dff21
0x7ff7a56dff28
0x7ff7a56dff30
0x7ff7a56dff37
0x7ff7a56dff3e
0x7ff7a56dff44
0x7ff7a56dff49
0x7ff7a56dff50
0x7ff7a56dff7a

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DFBE1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DFC15
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DFC6A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DFC9E

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bb00c0e8b7afb0c2600c17caa4aa4b149fb672f7b61d2350a14f23c70e491a44
Instruction ID: f4f32d70ad1050f631d1a5a7f9d4da1352d1382c1b29b1e3605770d52d46e202
Opcode Fuzzy Hash: bb00c0e8b7afb0c2600c17caa4aa4b149fb672f7b61d2350a14f23c70e491a44
Instruction Fuzzy Hash: 09C1972360EB8580EE00AB59E0502A9E762EB87FD4FD51932EA5D037F5DF6DD494C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DBC70 Relevance: 12.1, APIs: 8, Instructions: 145
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56DBC70(intOrPtr* __rcx, intOrPtr* __rdx, long long __rdi, long long __rbp, intOrPtr* __r8, intOrPtr* __r9, long long __r12, long long __r13, long long __r15, long long _a8, long long _a16, long long _a24) {
				long long _v32;
				long long _v40;
				void* _t62;
				intOrPtr _t89;
				intOrPtr _t102;
				intOrPtr _t103;
				long long _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				intOrPtr _t120;
				intOrPtr* _t126;
				signed long long _t131;
				unsigned long long _t139;

				 *((long long*)(__rcx)) =  *((intOrPtr*)(__r8));
				 *((long long*)(__rcx + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *((long long*)(__rdx + 0x38)) == 0) goto 0xa56dbe4a;
				_v40 = __r15;
				_a8 = __rbp;
				_a16 = __rdi;
				_a24 = __r12;
				r15d = 0;
				_v32 = __r13;
				_t89 =  *__rcx;
				if (_t89 == 0xfffffffc) goto 0xa56dbccf;
				if (_t89 == 0) goto 0xa56dbcca;
				if (_t89 ==  *__r9) goto 0xa56dbccf;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__rcx + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0xa56dbe25;
				_t131 =  *((intOrPtr*)(__rdx + 0x30));
				if (_t131 -  *((intOrPtr*)(__rdx + 0x38)) + _t131 <= 0) goto 0xa56dbcf2;
				E00007FF77FF7A56E44B8();
				_t126 =  *((intOrPtr*)(__rdx));
				_t139 = _t131 >> 3;
				r13d = r13d & 0x00000007;
				if (_t126 != 0) goto 0xa56dbd15;
				E00007FF77FF7A56E44B8();
				goto 0xa56dbd1b;
				if (_t131 -  *((intOrPtr*)( *_t126 + 0x38)) +  *((intOrPtr*)( *_t126 + 0x30)) < 0) goto 0xa56dbd2d;
				E00007FF77FF7A56E44B8();
				if (_t126 == 0) goto 0xa56dbd37;
				goto 0xa56dbd3a;
				if ( *((intOrPtr*)(__r15 + 0x28)) - _t139 > 0) goto 0xa56dbd51;
				if (_t126 == 0) goto 0xa56dbd4a;
				goto 0xa56dbd4d;
				if (_t126 == 0) goto 0xa56dbd5b;
				goto 0xa56dbd5e;
				_t102 =  *__rcx;
				if (_t102 == 0xfffffffc) goto 0xa56dbda0;
				if (_t102 != 0) goto 0xa56dbd79;
				E00007FF77FF7A56E44B8();
				_t103 =  *__rcx;
				if ( *((long long*)(_t103 + 0x20)) - 8 < 0) goto 0xa56dbd89;
				goto 0xa56dbd8d;
				if ( *((intOrPtr*)(__rcx + 8)) - _t103 + 8 +  *(_t103 + 0x18) * 2 < 0) goto 0xa56dbda0;
				E00007FF77FF7A56E44B8();
				 *((short*)( *((intOrPtr*)(__rcx + 8)))) =  *( *((intOrPtr*)( *((intOrPtr*)(__r15 + 0x20)) + (_t139 -  *((intOrPtr*)(__r15 + 0x28))) * 8)) + _t131 * 2) & 0x0000ffff;
				_t120 =  *((intOrPtr*)(__rdx + 0x38));
				if (_t120 == 0) goto 0xa56dbddc;
				 *((long long*)(__rdx + 0x30)) =  *((long long*)(__rdx + 0x30)) + 1;
				if ( *(__rdx + 0x28) << 3 -  *((intOrPtr*)(__rdx + 0x30)) > 0) goto 0xa56dbdcb;
				 *((long long*)(__rdx + 0x30)) = __r15;
				_t36 = _t120 - 1; // -1
				_t107 = _t36;
				 *((long long*)(__rdx + 0x38)) = _t107;
				if (_t107 != 0) goto 0xa56dbddc;
				 *((long long*)(__rdx + 0x30)) = __r15;
				_t108 =  *__rcx;
				if (_t108 == 0xfffffffc) goto 0xa56dbe16;
				if (_t108 != 0) goto 0xa56dbdef;
				E00007FF77FF7A56E44B8();
				_t109 =  *__rcx;
				if ( *((long long*)(_t109 + 0x20)) - 8 < 0) goto 0xa56dbdff;
				goto 0xa56dbe03;
				if ( *((intOrPtr*)(__rcx + 8)) - _t109 + 8 +  *(_t109 + 0x18) * 2 < 0) goto 0xa56dbe16;
				_t62 = E00007FF77FF7A56E44B8();
				 *((long long*)(__rcx + 8)) =  *((long long*)(__rcx + 8)) + 2;
				if ( *((intOrPtr*)(__rdx + 0x38)) != __r15) goto 0xa56dbcb7;
				return _t62;
			}

0x7ff7a56dbc84
0x7ff7a56dbc8e
0x7ff7a56dbc95
0x7ff7a56dbc9b
0x7ff7a56dbca0
0x7ff7a56dbca5
0x7ff7a56dbcaa
0x7ff7a56dbcaf
0x7ff7a56dbcb2
0x7ff7a56dbcb7
0x7ff7a56dbcbe
0x7ff7a56dbcc3
0x7ff7a56dbcc8
0x7ff7a56dbcca
0x7ff7a56dbcd7
0x7ff7a56dbcdd
0x7ff7a56dbceb
0x7ff7a56dbced
0x7ff7a56dbcf2
0x7ff7a56dbcfb
0x7ff7a56dbcff
0x7ff7a56dbd06
0x7ff7a56dbd08
0x7ff7a56dbd13
0x7ff7a56dbd26
0x7ff7a56dbd28
0x7ff7a56dbd30
0x7ff7a56dbd35
0x7ff7a56dbd3e
0x7ff7a56dbd43
0x7ff7a56dbd48
0x7ff7a56dbd54
0x7ff7a56dbd59
0x7ff7a56dbd66
0x7ff7a56dbd6d
0x7ff7a56dbd72
0x7ff7a56dbd74
0x7ff7a56dbd79
0x7ff7a56dbd81
0x7ff7a56dbd87
0x7ff7a56dbd99
0x7ff7a56dbd9b
0x7ff7a56dbda9
0x7ff7a56dbdac
0x7ff7a56dbdb3
0x7ff7a56dbdb9
0x7ff7a56dbdc5
0x7ff7a56dbdc7
0x7ff7a56dbdcb
0x7ff7a56dbdcb
0x7ff7a56dbdcf
0x7ff7a56dbdd6
0x7ff7a56dbdd8
0x7ff7a56dbddc
0x7ff7a56dbde3
0x7ff7a56dbde8
0x7ff7a56dbdea
0x7ff7a56dbdef
0x7ff7a56dbdf7
0x7ff7a56dbdfd
0x7ff7a56dbe0f
0x7ff7a56dbe11
0x7ff7a56dbe16
0x7ff7a56dbe1f
0x7ff7a56dbe49

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBCCA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBCED
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD08
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD28
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD74
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBD9B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBDEA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DBE11

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 22a5dda9e8a811af525db2b3f1416110af8d8fcdbcad987767e050683361c72f
Instruction ID: bfc4d995f2eda46d99b02619a6d398d38efafc9897dd62868f355642fde1c63f
Opcode Fuzzy Hash: 22a5dda9e8a811af525db2b3f1416110af8d8fcdbcad987767e050683361c72f
Instruction Fuzzy Hash: FC514023B07E45C5EA50AB16D04012CE3A2FB46FA4B9A6A35CE5D477B8DF3CE461C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DA9F0 Relevance: 12.1, APIs: 8, Instructions: 132
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 96%

			E00007FF77FF7A56DA9F0(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rsi, intOrPtr* __r8, intOrPtr* __r9) {
				void* _t58;
				intOrPtr _t99;
				long long* _t102;
				intOrPtr* _t112;
				intOrPtr* _t116;
				signed short* _t120;
				long long _t123;
				intOrPtr _t124;
				void* _t126;
				void* _t127;
				intOrPtr _t138;

				 *((long long*)(_t126 + 8)) = __rbx;
				 *((long long*)(_t126 + 0x10)) = _t123;
				 *((long long*)(_t126 + 0x18)) = __rsi;
				_t127 = _t126 - 0x40;
				_t102 = _t127 + 0x20;
				 *_t102 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t102 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t124 =  *((intOrPtr*)(_t127 + 0x20));
				_t138 =  *((intOrPtr*)(_t127 + 0x28));
				if (_t124 == 0xfffffffc) goto 0xa56daa48;
				if (_t124 == 0) goto 0xa56daa43;
				if (_t124 ==  *((intOrPtr*)(__r9))) goto 0xa56daa48;
				E00007FF77FF7A56E44B8();
				if (_t138 ==  *((intOrPtr*)(__r9 + 8))) goto 0xa56dab89;
				_t120 =  *((intOrPtr*)(__rcx));
				if (_t120 ==  *((intOrPtr*)(__rcx + 8))) goto 0xa56dab89;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t99 =  *((intOrPtr*)(_t127 + 0x30));
				_t116 =  *((intOrPtr*)(_t127 + 0x38));
				if (_t99 == 0xfffffffc) goto 0xa56daa8c;
				if (_t99 == 0) goto 0xa56daa87;
				if (_t99 ==  *((intOrPtr*)(__r9))) goto 0xa56daa8c;
				E00007FF77FF7A56E44B8();
				if (_t116 ==  *((intOrPtr*)(__r9 + 8))) goto 0xa56dab18;
				if (_t120 ==  *((intOrPtr*)(__rcx + 8))) goto 0xa56dab18;
				if (_t99 == 0xfffffffc) goto 0xa56daad0;
				if (_t99 != 0) goto 0xa56daaad;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t99 + 0x20)) - 8 < 0) goto 0xa56daaba;
				goto 0xa56daabe;
				if (_t116 - _t99 + 8 +  *(_t99 + 0x18) * 2 < 0) goto 0xa56daad0;
				E00007FF77FF7A56E44B8();
				if ( *_t116 != ( *_t120 & 0x0000ffff)) goto 0xa56dab18;
				if (_t99 == 0xfffffffc) goto 0xa56dab0b;
				if (_t99 != 0) goto 0xa56daae8;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t99 + 0x20)) - 8 < 0) goto 0xa56daaf5;
				goto 0xa56daaf9;
				if (_t116 - _t99 + 8 +  *(_t99 + 0x18) * 2 < 0) goto 0xa56dab0b;
				E00007FF77FF7A56E44B8();
				goto 0xa56daa76;
				 *((long long*)(_t127 + 0x38)) = _t116 + 2;
				if ( &(_t120[1]) ==  *((intOrPtr*)(__rcx + 8))) goto 0xa56dab64;
				if (_t124 == 0xfffffffc) goto 0xa56dab56;
				if (_t124 != 0) goto 0xa56dab33;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t124 + 0x20)) - 8 < 0) goto 0xa56dab40;
				goto 0xa56dab44;
				if (_t138 - _t124 + 8 +  *(_t124 + 0x18) * 2 < 0) goto 0xa56dab56;
				_t58 = E00007FF77FF7A56E44B8();
				 *((long long*)(_t127 + 0x28)) = _t138 + 2;
				goto 0xa56daa32;
				_t112 = _t127 + 0x20;
				 *__rdx =  *_t112;
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(_t112 + 8));
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(_t127 + 0x30));
				goto 0xa56daba6;
				 *__rdx =  *((intOrPtr*)(__r9));
				 *((long long*)(__rdx + 8)) =  *((intOrPtr*)(__r9 + 8));
				 *((long long*)(__rdx + 0x10)) =  *((intOrPtr*)(__r9));
				 *((long long*)(__rdx + 0x18)) =  *((intOrPtr*)(__r9 + 8));
				return _t58;
			}

0x7ff7a56da9f0
0x7ff7a56da9f5
0x7ff7a56da9fa
0x7ff7a56daa08
0x7ff7a56daa12
0x7ff7a56daa17
0x7ff7a56daa21
0x7ff7a56daa25
0x7ff7a56daa2a
0x7ff7a56daa36
0x7ff7a56daa3b
0x7ff7a56daa41
0x7ff7a56daa43
0x7ff7a56daa4d
0x7ff7a56daa53
0x7ff7a56daa5b
0x7ff7a56daa61
0x7ff7a56daa66
0x7ff7a56daa6c
0x7ff7a56daa71
0x7ff7a56daa7a
0x7ff7a56daa7f
0x7ff7a56daa85
0x7ff7a56daa87
0x7ff7a56daa91
0x7ff7a56daa9b
0x7ff7a56daaa1
0x7ff7a56daaa6
0x7ff7a56daaa8
0x7ff7a56daab2
0x7ff7a56daab8
0x7ff7a56daac9
0x7ff7a56daacb
0x7ff7a56daad6
0x7ff7a56daadc
0x7ff7a56daae1
0x7ff7a56daae3
0x7ff7a56daaed
0x7ff7a56daaf3
0x7ff7a56dab04
0x7ff7a56dab06
0x7ff7a56dab13
0x7ff7a56dab18
0x7ff7a56dab21
0x7ff7a56dab27
0x7ff7a56dab2c
0x7ff7a56dab2e
0x7ff7a56dab38
0x7ff7a56dab3e
0x7ff7a56dab4f
0x7ff7a56dab51
0x7ff7a56dab5a
0x7ff7a56dab5f
0x7ff7a56dab64
0x7ff7a56dab6c
0x7ff7a56dab78
0x7ff7a56dab7f
0x7ff7a56dab87
0x7ff7a56dab8d
0x7ff7a56dab95
0x7ff7a56dab9d
0x7ff7a56dabb8
0x7ff7a56dabcc

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAA43
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAA87
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAAA8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAACB
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAAE3
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAB06
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAB2E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DAB51

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c39085dac5a8c37aa111a4ee3f5df2e94acb3f7c8a7dde8f4e7502a9263f1198
Instruction ID: b2125a8a7d221e6307b25973e64d4ffc32eb4b3bde253b9f95f5583e67f87108
Opcode Fuzzy Hash: c39085dac5a8c37aa111a4ee3f5df2e94acb3f7c8a7dde8f4e7502a9263f1198
Instruction Fuzzy Hash: 01516133A0BE45C4DA50AF15E144079A366FB55FA4B9A5732DAAC433E4EF3CE492C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D4D20 Relevance: 12.1, APIs: 8, Instructions: 99
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 37%

			E00007FF77FF7A56D4D20(intOrPtr* __rcx, void* __rdx, char _a24) {
				long long _v32;
				char _v40;
				void* __rbx;
				void* __rsi;
				intOrPtr _t21;
				long long _t25;

				_a24 = r8b;
				_t25 =  *((intOrPtr*)(__rcx + 0x20));
				_t21 =  *((intOrPtr*)(__rcx + 0x18));
				_a24 = 0;
				if (_t25 - _t21 - __rdx >= 0) goto 0xa56d4d93;
				if (_t21 - _t25 <= 0) goto 0xa56d4d55;
				E00007FF77FF7A56E44B8();
				_v32 = _t25;
				_v40 =  *((intOrPtr*)(__rcx));
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x20], xmm0");
				return E00007FF77FF7A56D53A0(__rcx, __rcx,  &_v40, _t25,  *((intOrPtr*)(__rcx + 0x18)) -  *((intOrPtr*)(__rcx + 0x20)) + __rdx,  &_a24);
			}

0x7ff7a56d4d20
0x7ff7a56d4d2d
0x7ff7a56d4d34
0x7ff7a56d4d3e
0x7ff7a56d4d49
0x7ff7a56d4d4e
0x7ff7a56d4d50
0x7ff7a56d4d5c
0x7ff7a56d4d65
0x7ff7a56d4d6f
0x7ff7a56d4d74
0x7ff7a56d4d92

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4D50
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DB0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DBF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DCF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DF6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E0C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E2F

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 1051cff0eb89c7fb68da50a8adb59ec4bf6f1c5a90234f486663dca69e2acc4d
Instruction ID: 83e3ff19aa27d6268bb14e6c615524b120ec3cd18b703c2ed1ca07e4e06f66f9
Opcode Fuzzy Hash: 1051cff0eb89c7fb68da50a8adb59ec4bf6f1c5a90234f486663dca69e2acc4d
Instruction Fuzzy Hash: A3418463A0BE81C5E720BB24E00016DE3A2FB56F85F961531DE8C17669DF6CE861C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F1650 Relevance: 12.1, APIs: 8, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 69%

			E00007FF77FF7A56F1650(void* __ebx, signed int __ecx, signed int __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, void* __r11, signed int _a8, long long _a16, long long _a24) {
				long long _v56;
				void* __rdi;
				void* __r12;
				void* _t34;
				signed int _t47;
				void* _t53;
				signed int* _t57;
				signed int* _t58;
				long long _t65;
				signed long long _t68;
				void* _t75;
				void* _t76;
				void* _t77;
				signed long long _t79;

				_t75 = __r11;
				_t74 = __r8;
				_t70 = __rbp;
				_t62 = __rcx;
				_t34 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				_t77 = __rdx;
				_t60 = __ecx;
				if (__ebx != 0xfffffffe) goto 0xa56f1695;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax = 0;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f1769;
				if (__ebx < 0) goto 0xa56f1740;
				_t53 = _t34 -  *0xa57289c0; // 0x20
				if (_t53 >= 0) goto 0xa56f1740;
				_t79 = __ecx >> 5;
				_t68 = __ecx * 0x58;
				_t57 =  *((intOrPtr*)(0xa57289e0 + _t79 * 8));
				if (_t53 != 0) goto 0xa56f16fc;
				E00007FF77FF7A56E78CC(_t57);
				 *_t57 = 0;
				E00007FF77FF7A56E78AC(_t57);
				 *_t57 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t57, __ecx, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0xa56f1769;
				E00007FF77FF7A56F593C(_t34, _t34, _t60, _t65, _t68, _t76);
				_t58 =  *((intOrPtr*)(0xa57289e0 + _t79 * 8));
				if (( *(_t58 + _t68 + 8) & 0x00000001) == 0) goto 0xa56f1720;
				r8d = r12d;
				_t47 = E00007FF77FF7A56F0EF0(_t34, _t34, __esi & 0x0000001f, _t58, _t60, _t62, _t77, _t74, _t75);
				goto 0xa56f1735;
				E00007FF77FF7A56E78AC(_t58);
				 *_t58 = 9;
				E00007FF77FF7A56E78CC(_t58);
				 *_t58 = _t47;
				E00007FF77FF7A56F59E4();
				goto 0xa56f1769;
				E00007FF77FF7A56E78CC(_t58);
				 *_t58 = _t47 | 0xffffffff;
				E00007FF77FF7A56E78AC(_t58);
				 *_t58 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t58, _t60, _t62, _t77, _t68, _t70, _t74) | 0xffffffff;
			}

0x7ff7a56f1650
0x7ff7a56f1650
0x7ff7a56f1650
0x7ff7a56f1650
0x7ff7a56f1650
0x7ff7a56f1650
0x7ff7a56f1655
0x7ff7a56f165a
0x7ff7a56f166b
0x7ff7a56f166e
0x7ff7a56f1671
0x7ff7a56f1677
0x7ff7a56f1679
0x7ff7a56f1680
0x7ff7a56f1682
0x7ff7a56f1687
0x7ff7a56f1690
0x7ff7a56f1699
0x7ff7a56f169f
0x7ff7a56f16a5
0x7ff7a56f16b1
0x7ff7a56f16bf
0x7ff7a56f16c3
0x7ff7a56f16cf
0x7ff7a56f16d1
0x7ff7a56f16d6
0x7ff7a56f16d8
0x7ff7a56f16dd
0x7ff7a56f16e3
0x7ff7a56f16e8
0x7ff7a56f16eb
0x7ff7a56f16f2
0x7ff7a56f16fa
0x7ff7a56f16fe
0x7ff7a56f1704
0x7ff7a56f170d
0x7ff7a56f170f
0x7ff7a56f171c
0x7ff7a56f171e
0x7ff7a56f1720
0x7ff7a56f1725
0x7ff7a56f172b
0x7ff7a56f1730
0x7ff7a56f1737
0x7ff7a56f173e
0x7ff7a56f1740
0x7ff7a56f1745
0x7ff7a56f1747
0x7ff7a56f174c
0x7ff7a56f1752
0x7ff7a56f1757
0x7ff7a56f175a
0x7ff7a56f1780

APIs

__doserrno.LIBCMT ref: 00007FF7A56F1679
_errno.LIBCMT ref: 00007FF7A56F1682
__doserrno.LIBCMT ref: 00007FF7A56F16D1
_errno.LIBCMT ref: 00007FF7A56F16D8

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 3340a66846d07b0f9e714060594e045375b321804dd7a017f53166dadd991860
Instruction ID: 405c710a711e3f67ca60ee376dce9304a8f0aade3fcb605b51ce00106eb82eba
Opcode Fuzzy Hash: 3340a66846d07b0f9e714060594e045375b321804dd7a017f53166dadd991860
Instruction Fuzzy Hash: 1E31C732E1A68285E3117F35A84157EB552BB82F90F966635EE6D0B7E2CE3DA4018720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F4E0C Relevance: 12.1, APIs: 8, Instructions: 89
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF77FF7A56F4E0C(void* __ebx, signed int __ecx, void* __esi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a16, long long _a24) {
				signed long long _v56;
				void* __rdi;
				void* __r12;
				void* _t30;
				void* _t47;
				intOrPtr* _t52;
				signed long long _t54;
				signed long long _t55;
				signed long long _t63;
				signed long long _t65;
				signed long long _t68;
				void* _t75;
				void* _t76;
				signed long long _t78;

				_t74 = __r8;
				_t70 = __rbp;
				_t60 = __rcx;
				_t30 = __ebx;
				_a16 = __rbx;
				_a24 = __rsi;
				_a8 = __ecx;
				r12d = r8d;
				_t76 = __rdx;
				_t58 = __ecx;
				if (__ebx != 0xfffffffe) goto 0xa56f4e52;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax = 0;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f4f2b;
				if (__ebx < 0) goto 0xa56f4f01;
				_t47 = _t30 -  *0xa57289c0; // 0x20
				if (_t47 >= 0) goto 0xa56f4f01;
				_t78 = __ecx >> 5;
				_t68 = __ecx * 0x58;
				_t52 =  *((intOrPtr*)(0xa57289e0 + _t78 * 8));
				if (_t47 != 0) goto 0xa56f4eba;
				E00007FF77FF7A56E78CC(_t52);
				 *_t52 = 0;
				E00007FF77FF7A56E78AC(_t52);
				 *_t52 = 9;
				_v56 = _t63;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t52, __ecx, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0xa56f4f2b;
				E00007FF77FF7A56F593C(_t30, _t30, _t58, _t63, _t68, _t75);
				_t54 =  *((intOrPtr*)(0xa57289e0 + _t78 * 8));
				if (( *(_t54 + _t68 + 8) & 0x00000001) == 0) goto 0xa56f4edf;
				r8d = r12d;
				E00007FF77FF7A56F4D74(_t30, _t30, _t54, _t58, _t76);
				goto 0xa56f4ef5;
				E00007FF77FF7A56E78AC(_t54);
				 *_t54 = 9;
				E00007FF77FF7A56E78CC(_t54);
				 *_t54 = 0;
				_t65 = _t54 | 0xffffffff;
				E00007FF77FF7A56F59E4();
				_t55 = _t65;
				goto 0xa56f4f2b;
				E00007FF77FF7A56E78CC(_t55);
				 *_t55 = 0;
				E00007FF77FF7A56E78AC(_t55);
				 *_t55 = 9;
				_v56 = _t65;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t55, _t58, _t60, _t76, _t68, _t70, _t74);
			}

0x7ff7a56f4e0c
0x7ff7a56f4e0c
0x7ff7a56f4e0c
0x7ff7a56f4e0c
0x7ff7a56f4e0c
0x7ff7a56f4e11
0x7ff7a56f4e16
0x7ff7a56f4e27
0x7ff7a56f4e2a
0x7ff7a56f4e2d
0x7ff7a56f4e33
0x7ff7a56f4e35
0x7ff7a56f4e3c
0x7ff7a56f4e3e
0x7ff7a56f4e43
0x7ff7a56f4e4d
0x7ff7a56f4e56
0x7ff7a56f4e5c
0x7ff7a56f4e62
0x7ff7a56f4e6e
0x7ff7a56f4e7c
0x7ff7a56f4e80
0x7ff7a56f4e8c
0x7ff7a56f4e8e
0x7ff7a56f4e93
0x7ff7a56f4e95
0x7ff7a56f4e9a
0x7ff7a56f4ea0
0x7ff7a56f4ea5
0x7ff7a56f4ea8
0x7ff7a56f4eaf
0x7ff7a56f4eb8
0x7ff7a56f4ebc
0x7ff7a56f4ec2
0x7ff7a56f4ecb
0x7ff7a56f4ecd
0x7ff7a56f4ed5
0x7ff7a56f4edd
0x7ff7a56f4edf
0x7ff7a56f4ee4
0x7ff7a56f4eea
0x7ff7a56f4eef
0x7ff7a56f4ef1
0x7ff7a56f4ef7
0x7ff7a56f4efc
0x7ff7a56f4eff
0x7ff7a56f4f01
0x7ff7a56f4f06
0x7ff7a56f4f08
0x7ff7a56f4f0d
0x7ff7a56f4f13
0x7ff7a56f4f18
0x7ff7a56f4f1b
0x7ff7a56f4f42

APIs

__doserrno.LIBCMT ref: 00007FF7A56F4E35
_errno.LIBCMT ref: 00007FF7A56F4E3E
__doserrno.LIBCMT ref: 00007FF7A56F4E8E
_errno.LIBCMT ref: 00007FF7A56F4E95

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: fd70bf307f78bc1a0b30db4c381cd12ef6fe9862424e331efe26ad2a528cd58b
Instruction ID: c137a7c47bc632ef96a0d04be686cdac114bb4b7b65ce351110fd2ab4eab2a15
Opcode Fuzzy Hash: fd70bf307f78bc1a0b30db4c381cd12ef6fe9862424e331efe26ad2a528cd58b
Instruction Fuzzy Hash: D031EA32E1B68281E7117F25684167DB552ABC2F70F966335ED3D07BE2CE3DA4018720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F1A0C Relevance: 12.1, APIs: 8, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7A56F1A0C(void* __ebx, signed int __ecx, void* __esi, signed int* __rax, long long __rbx, void* __rcx, void* __rdx, long long __rsi, void* __rbp, void* __r8, signed int _a8, long long _a24, long long _a32) {
				long long _v40;
				void* __rdi;
				void* __r12;
				signed int _t26;
				void* _t33;
				void* _t52;
				signed int* _t56;
				signed int* _t57;
				long long _t63;
				signed long long _t66;
				signed long long _t74;

				_t72 = __r8;
				_t68 = __rbp;
				_t62 = __rdx;
				_t61 = __rcx;
				_t33 = __ebx;
				_a24 = __rbx;
				_a32 = __rsi;
				_a8 = __ecx;
				_t59 = __ecx;
				if (__ebx != 0xfffffffe) goto 0xa56f1a47;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax = 0;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f1b10;
				if (__ebx < 0) goto 0xa56f1ae7;
				_t52 = _t33 -  *0xa57289c0; // 0x20
				if (_t52 >= 0) goto 0xa56f1ae7;
				_t74 = __ecx >> 5;
				_t66 = __ecx * 0x58;
				_t56 =  *((intOrPtr*)(0xa57289e0 + _t74 * 8));
				if (_t52 != 0) goto 0xa56f1aaf;
				E00007FF77FF7A56E78CC(_t56);
				 *_t56 = 0;
				E00007FF77FF7A56E78AC(_t56);
				 *_t56 = 9;
				_v40 = _t63;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t56, __ecx, __rcx, __rdx, _t66, __rbp, __r8);
				goto 0xa56f1b10;
				E00007FF77FF7A56F593C(_t33, _t33, _t59, _t63, _t66, _t74);
				_t57 =  *((intOrPtr*)(0xa57289e0 + _t74 * 8));
				if (( *(_t57 + _t66 + 8) & 0x00000001) == 0) goto 0xa56f1ace;
				_t26 = E00007FF77FF7A56F1950(_t33, 0, _t57, _t59);
				goto 0xa56f1adc;
				E00007FF77FF7A56E78AC(_t57);
				 *_t57 = 9;
				E00007FF77FF7A56F59E4();
				goto 0xa56f1b10;
				E00007FF77FF7A56E78CC(_t57);
				 *_t57 = _t26 | 0xffffffff;
				E00007FF77FF7A56E78AC(_t57);
				 *_t57 = 9;
				_v40 = _t63;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t57, _t59, _t61, _t62, _t66, _t68, _t72) | 0xffffffff;
			}

0x7ff7a56f1a0c
0x7ff7a56f1a0c
0x7ff7a56f1a0c
0x7ff7a56f1a0c
0x7ff7a56f1a0c
0x7ff7a56f1a0c
0x7ff7a56f1a11
0x7ff7a56f1a16
0x7ff7a56f1a23
0x7ff7a56f1a29
0x7ff7a56f1a2b
0x7ff7a56f1a32
0x7ff7a56f1a34
0x7ff7a56f1a39
0x7ff7a56f1a42
0x7ff7a56f1a4b
0x7ff7a56f1a51
0x7ff7a56f1a57
0x7ff7a56f1a63
0x7ff7a56f1a71
0x7ff7a56f1a75
0x7ff7a56f1a82
0x7ff7a56f1a84
0x7ff7a56f1a89
0x7ff7a56f1a8b
0x7ff7a56f1a90
0x7ff7a56f1a96
0x7ff7a56f1a9b
0x7ff7a56f1a9e
0x7ff7a56f1aa5
0x7ff7a56f1aad
0x7ff7a56f1ab1
0x7ff7a56f1ab7
0x7ff7a56f1ac1
0x7ff7a56f1ac5
0x7ff7a56f1acc
0x7ff7a56f1ace
0x7ff7a56f1ad3
0x7ff7a56f1ade
0x7ff7a56f1ae5
0x7ff7a56f1ae7
0x7ff7a56f1aec
0x7ff7a56f1aee
0x7ff7a56f1af3
0x7ff7a56f1af9
0x7ff7a56f1afe
0x7ff7a56f1b01
0x7ff7a56f1b23

APIs

__doserrno.LIBCMT ref: 00007FF7A56F1A2B
_errno.LIBCMT ref: 00007FF7A56F1A34
__doserrno.LIBCMT ref: 00007FF7A56F1A84
_errno.LIBCMT ref: 00007FF7A56F1A8B

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 45ca130e8ce689a6ec9fb1e7b1bd1d1e802a5172bf7414796e69646001ebef35
Instruction ID: 906cf46fe62c5b5cc66d1e2ec6a7408b37e65a0a557b6ae2639feb392539a7a6
Opcode Fuzzy Hash: 45ca130e8ce689a6ec9fb1e7b1bd1d1e802a5172bf7414796e69646001ebef35
Instruction Fuzzy Hash: 66310732E1A78281E3117F31D84127EB652BFC2F90F966635E919076E2CE3DE4008730

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E64C8 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 195
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7A56E64C8(void* __eflags, long long __rbx, void* __rcx, long long __rdx, long long __rdi, long long __rsi, signed int** __r8) {
				signed int _t59;
				signed int _t60;
				void* _t79;
				void* _t87;
				void* _t123;
				signed int _t129;
				intOrPtr* _t140;
				intOrPtr* _t141;
				signed int* _t144;
				signed int* _t145;
				signed int* _t146;
				signed int* _t149;
				signed long long _t153;
				long long _t161;
				intOrPtr* _t163;
				void* _t164;
				intOrPtr _t169;
				void* _t171;
				void* _t175;
				signed int** _t176;
				void* _t178;
				signed int* _t179;

				_t159 = __rsi;
				_t140 = _t163;
				 *((long long*)(_t140 + 8)) = __rbx;
				 *((long long*)(_t140 + 0x10)) = _t161;
				 *((long long*)(_t140 + 0x18)) = __rsi;
				 *((long long*)(_t140 + 0x20)) = __rdi;
				_t164 = _t163 - 0x50;
				_t179 = __rdx;
				_t153 = _t140 - 0x38;
				r12d = r9d;
				_t176 = __r8;
				E00007FF77FF7A56E4E5C(_t140, _t153, __rcx);
				if (__r8 == 0) goto 0xa56e6503;
				 *((long long*)(__r8)) = __rdx;
				if (__rdx != 0) goto 0xa56e6532;
				E00007FF77FF7A56E78AC(_t140);
				 *(_t164 + 0x20) =  *(_t164 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t140 = 0x16;
				E00007FF77FF7A56E4430(_t140, __rbx, _t153, __rcx, __rsi, _t161, __r8, _t178, _t175);
				goto 0xa56e671b;
				if (r12d == 0) goto 0xa56e6543;
				if (r12d - 2 < 0) goto 0xa56e6508;
				if (r12d - 0x24 > 0) goto 0xa56e6508;
				bpl =  *_t179;
				_t144 =  &(_t179[0]);
				if ( *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x30)) + 0x10c)) - 1 <= 0) goto 0xa56e6575;
				E00007FF77FF7A56EFA5C(bpl & 0xffffffff, 8, 0,  *((intOrPtr*)( *((intOrPtr*)(_t164 + 0x30)) + 0x10c)) - 1, _t140, _t159, _t161, _t164 + 0x30, _t171);
				_t169 =  *((intOrPtr*)(_t164 + 0x30));
				goto 0xa56e6587;
				_t141 =  *((intOrPtr*)(_t169 + 0x140));
				_t59 =  *(_t141 + _t153 * 2) & 8;
				if (_t59 == 0) goto 0xa56e6593;
				bpl =  *_t144;
				_t145 =  &(_t144[0]);
				goto 0xa56e6551;
				if (bpl != 0x2d) goto 0xa56e65a5;
				goto 0xa56e65ab;
				if (bpl != 0x2b) goto 0xa56e65b1;
				bpl =  *_t145;
				_t146 =  &(_t145[0]);
				if (r12d < 0) goto 0xa56e670d;
				if (r12d == 1) goto 0xa56e670d;
				if (r12d - 0x24 > 0) goto 0xa56e670d;
				if (r12d != 0) goto 0xa56e65fb;
				if (bpl == 0x30) goto 0xa56e65e1;
				r12d = 0xa;
				goto 0xa56e6619;
				if ( *_t146 == 0x78) goto 0xa56e65f3;
				if ( *_t146 == 0x58) goto 0xa56e65f3;
				r12d = 8;
				goto 0xa56e6619;
				r12d = 0x10;
				goto 0xa56e6607;
				if (r12d != 0x10) goto 0xa56e6619;
				if (bpl != 0x30) goto 0xa56e6619;
				if ( *_t146 == 0x78) goto 0xa56e6611;
				if ( *_t146 != 0x58) goto 0xa56e6619;
				bpl = _t146[0];
				_t60 = _t59 | 0xffffffff;
				r9d = _t60 / r12d;
				r8d =  *( *((intOrPtr*)(_t169 + 0x140)) + _t153 * 2) & 0x0000ffff;
				if ((r8b & 0x00000004) == 0) goto 0xa56e6643;
				goto 0xa56e665d;
				if ((r8d & 0x00000103) == 0) goto 0xa56e6678;
				if (_t161 - 0x61 - 0x19 > 0) goto 0xa56e665a;
				_t79 = bpl - 0x20 + 0xffffffc9;
				if (_t79 - r12d >= 0) goto 0xa56e6678;
				_t123 = 0 - r9d;
				if (_t123 < 0) goto 0xa56e668c;
				if (_t123 != 0) goto 0xa56e6670;
				if (_t79 - _t60 % r12d <= 0) goto 0xa56e668c;
				if (_t176 != 0) goto 0xa56e6692;
				if ((sil & 0x00000008) != 0) goto 0xa56e669a;
				_t149 =  !=  ? _t179 :  &(_t146[0]) - 1;
				goto 0xa56e66e5;
				_t87 = 0 * r12d + _t79;
				bpl =  *_t149;
				goto 0xa56e662b;
				if ((sil & 0x00000004) != 0) goto 0xa56e66c2;
				_t129 = sil & 0x00000001;
				if (_t129 != 0) goto 0xa56e66e5;
				if (_t129 == 0) goto 0xa56e66ba;
				if (_t87 - 0x80000000 > 0) goto 0xa56e66c2;
				if ((( *(_t164 + 0x90) | 0xe) & 0x00000002) != 0) goto 0xa56e66e5;
				if (_t87 - 0x7fffffff <= 0) goto 0xa56e66e5;
				E00007FF77FF7A56E78AC(_t141);
				 *_t141 = 0x22;
				if ((sil & 0x00000001) == 0) goto 0xa56e66d8;
				goto 0xa56e66e5;
				asm("sbb edi, edi");
				if (_t176 == 0) goto 0xa56e66ee;
				 *_t176 =  &(_t149[0]);
				if ((sil & 0x00000002) == 0) goto 0xa56e66f6;
				if ( *((char*)(_t164 + 0x48)) == 0) goto 0xa56e6709;
				 *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56e672b;
				if (_t176 == 0) goto 0xa56e6716;
				 *_t176 = _t179;
				if ( *((intOrPtr*)(_t164 + 0x48)) == dil) goto 0xa56e6729;
				 *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t164 + 0x40)) + 0xc8) & 0xfffffffd;
				return 0;
			}

0x7ff7a56e64c8
0x7ff7a56e64c8
0x7ff7a56e64cb
0x7ff7a56e64cf
0x7ff7a56e64d3
0x7ff7a56e64d7
0x7ff7a56e64e1
0x7ff7a56e64e5
0x7ff7a56e64eb
0x7ff7a56e64ef
0x7ff7a56e64f2
0x7ff7a56e64f5
0x7ff7a56e64fd
0x7ff7a56e64ff
0x7ff7a56e6506
0x7ff7a56e6508
0x7ff7a56e650d
0x7ff7a56e6513
0x7ff7a56e6516
0x7ff7a56e651d
0x7ff7a56e6523
0x7ff7a56e652d
0x7ff7a56e6535
0x7ff7a56e653b
0x7ff7a56e6541
0x7ff7a56e6543
0x7ff7a56e654d
0x7ff7a56e6559
0x7ff7a56e6569
0x7ff7a56e656e
0x7ff7a56e6573
0x7ff7a56e6575
0x7ff7a56e6584
0x7ff7a56e6589
0x7ff7a56e658b
0x7ff7a56e658e
0x7ff7a56e6591
0x7ff7a56e659e
0x7ff7a56e65a3
0x7ff7a56e65a9
0x7ff7a56e65ab
0x7ff7a56e65ae
0x7ff7a56e65b4
0x7ff7a56e65be
0x7ff7a56e65c8
0x7ff7a56e65d1
0x7ff7a56e65d7
0x7ff7a56e65d9
0x7ff7a56e65df
0x7ff7a56e65e4
0x7ff7a56e65e9
0x7ff7a56e65eb
0x7ff7a56e65f1
0x7ff7a56e65f3
0x7ff7a56e65f9
0x7ff7a56e65ff
0x7ff7a56e6605
0x7ff7a56e660a
0x7ff7a56e660f
0x7ff7a56e6611
0x7ff7a56e6622
0x7ff7a56e6628
0x7ff7a56e662f
0x7ff7a56e6638
0x7ff7a56e6641
0x7ff7a56e664a
0x7ff7a56e6655
0x7ff7a56e665a
0x7ff7a56e6660
0x7ff7a56e6665
0x7ff7a56e6668
0x7ff7a56e666a
0x7ff7a56e666e
0x7ff7a56e6676
0x7ff7a56e667f
0x7ff7a56e6684
0x7ff7a56e668a
0x7ff7a56e6690
0x7ff7a56e6692
0x7ff7a56e6698
0x7ff7a56e66a3
0x7ff7a56e66a5
0x7ff7a56e66a9
0x7ff7a56e66b0
0x7ff7a56e66b8
0x7ff7a56e66bc
0x7ff7a56e66c0
0x7ff7a56e66c2
0x7ff7a56e66c7
0x7ff7a56e66d1
0x7ff7a56e66d6
0x7ff7a56e66df
0x7ff7a56e66e8
0x7ff7a56e66ea
0x7ff7a56e66f2
0x7ff7a56e66fb
0x7ff7a56e6702
0x7ff7a56e670b
0x7ff7a56e6710
0x7ff7a56e6712
0x7ff7a56e671b
0x7ff7a56e6722
0x7ff7a56e6749

APIs

Part of subcall function 00007FF7A56E4E5C: _getptd.LIBCMT ref: 00007FF7A56E4E72

_errno.LIBCMT ref: 00007FF7A56E6508
_errno.LIBCMT ref: 00007FF7A56E66C2

Strings

+, xrefs: 00007FF7A56E65A5
0, xrefs: 00007FF7A56E6601
0, xrefs: 00007FF7A56E65D3
-, xrefs: 00007FF7A56E659A

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$_getptd
String ID: +$-$0$0
API String ID: 3432092939-699404926
Opcode ID: aad5d6a6d4a97e1526b7f6d55b50bd1c2d78e1ed061e41c5c93955d9012505b4
Instruction ID: 2ac4e6d4cb0e8677628b659ddaa002d94283f6566c4265fbd58a3da14d767e08
Opcode Fuzzy Hash: aad5d6a6d4a97e1526b7f6d55b50bd1c2d78e1ed061e41c5c93955d9012505b4
Instruction Fuzzy Hash: 0A712A32D1F642C0FBB56615E41437AA792AF43F58F976135CE5E021E5DF2EE8818322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A5708B10 Relevance: 10.7, APIs: 7, Instructions: 189
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7A5708B10(void* __ebx, void* __edi, void* __eflags, long long __rbx, signed int __rcx, void* __rdx, void* __r9) {
				void* __rsi;
				signed int _t116;
				void* _t139;
				long long* _t145;
				void* _t150;
				void* _t152;
				void* _t158;
				intOrPtr _t162;
				intOrPtr _t163;
				long long _t165;
				void* _t183;
				long long _t186;
				void* _t188;
				void* _t189;
				long long _t190;
				signed int _t191;
				void* _t193;
				void* _t194;
				intOrPtr _t203;
				long long _t205;
				void* _t208;
				long long _t209;

				_t139 = _t193;
				_t194 = _t193 - 0xa0;
				 *((long long*)(_t194 + 0x30)) = 0xfffffffe;
				 *((long long*)(_t139 + 0x10)) = __rbx;
				 *((long long*)(_t139 + 0x18)) = _t190;
				_t191 = __rcx;
				if (__eflags != 0) goto 0xa5708b4d;
				goto 0xa5708e5a;
				if (__rdx == 0) goto 0xa5708b72;
				goto 0xa5708e5a;
				_t145 =  *((intOrPtr*)(__rcx + 0x230)) -  *((intOrPtr*)(__rcx + 0x228));
				_t116 = 0 % __rcx;
				if (_t145 - 1 >= 0) goto 0xa5708b95;
				goto 0xa5708e5a;
				 *((char*)(_t194 + 0xd0)) = 0;
				_t158 =  *((intOrPtr*)(__rcx + 0x230)) -  *((intOrPtr*)(__rcx + 0x228));
				E00007FF77FF7A56E45E0(_t145, __rcx);
				r14d = 0;
				if (_t145 == 0) goto 0xa5708bc7;
				 *_t145 = _t194 + 0x70;
				goto 0xa5708bca;
				 *((long long*)(_t194 + 0x70)) = _t209;
				E00007FF77FF7A56D4CA0(_t209, _t158, _t194 + 0x70, _t158, _t188, _t194 + 0xd0);
				if ( *((intOrPtr*)(_t194 + 0x90)) !=  *((intOrPtr*)(_t194 + 0x88))) goto 0xa5708c07;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t191 + 0x230)) !=  *((intOrPtr*)(_t191 + 0x228))) goto 0xa5708c1c;
				E00007FF77FF7A56E44B8();
				 *((intOrPtr*)(_t194 + 0x20)) = r14d;
				r9d = __edi;
				E00007FF77FF7A57077F0(_t191 + 0x20,  *((intOrPtr*)(_t191 + 0x228)), _t188,  *((intOrPtr*)(_t194 + 0x88)));
				_t150 =  *((intOrPtr*)(_t194 + 0x90)) -  *((intOrPtr*)(_t194 + 0x88));
				_t183 = _t150 - 1;
				if (_t183 - _t150 < 0) goto 0xa5708c6b;
				E00007FF77FF7A56E44B8();
				_t162 =  *((intOrPtr*)(_t194 + 0x88));
				r12d =  *(_t162 + _t183) & 0x000000ff;
				if (r12b == 0) goto 0xa5708d60;
				if ((r12b & 0xffffffff) -  *((intOrPtr*)(_t191 + 0x2a4)) > 0) goto 0xa5708d2a;
				if (r12b - 1 < 0) goto 0xa5708d2a;
				r13d = r12b & 0xffffffff;
				if (r12b == 0) goto 0xa5708d60;
				asm("o16 nop [eax+eax]");
				_t152 =  *((intOrPtr*)(_t194 + 0x90)) - _t162;
				_t189 = _t152 - 1;
				if (_t189 - _t152 < 0) goto 0xa5708cd4;
				E00007FF77FF7A56E44B8();
				_t203 =  *((intOrPtr*)(_t194 + 0x90));
				_t163 =  *((intOrPtr*)(_t194 + 0x88));
				if ( *((intOrPtr*)(_t163 + _t189)) != r12b) goto 0xa5708cf4;
				if (_t203 == _t163) goto 0xa5708cea;
				 *((long long*)(_t194 + 0x90)) = _t203 - 1;
				if (_t209 + 1 - _t208 < 0) goto 0xa5708cb0;
				goto 0xa5708d60;
				if (_t163 == 0) goto 0xa5708d01;
				E00007FF77FF7A56E44D8(_t152, _t163, _t163,  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF77FF7A56E44D8(_t152, _t163,  *((intOrPtr*)(_t194 + 0x70)),  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				goto 0xa5708e5a;
				if (_t163 == 0) goto 0xa5708d37;
				E00007FF77FF7A56E44D8(_t152, _t163, _t163,  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF77FF7A56E44D8(_t152, _t163,  *((intOrPtr*)(_t194 + 0x70)),  *((intOrPtr*)(_t191 + 0x228)), _t189,  *((intOrPtr*)(_t194 + 0x88)), __r9);
				goto 0xa5708e5a;
				_t186 =  *((intOrPtr*)(_t191 + 0x260));
				if ( *((intOrPtr*)(_t191 + 0x258)) - _t186 <= 0) goto 0xa5708d85;
				E00007FF77FF7A56E44B8();
				_t205 =  *((intOrPtr*)(_t194 + 0x90));
				 *((long long*)(_t194 + 0x60)) =  *((intOrPtr*)(_t191 + 0x240));
				 *((long long*)(_t194 + 0x68)) = _t186;
				if ( *((intOrPtr*)(_t194 + 0x88)) - _t205 <= 0) goto 0xa5708db3;
				E00007FF77FF7A56E44B8();
				_t165 =  *((intOrPtr*)(_t194 + 0x88));
				 *((long long*)(_t194 + 0x40)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x48)) = _t205;
				if (_t165 -  *((intOrPtr*)(_t194 + 0x90)) <= 0) goto 0xa5708dd1;
				E00007FF77FF7A56E44B8();
				 *((long long*)(_t194 + 0x50)) =  *((intOrPtr*)(_t194 + 0x70));
				 *((long long*)(_t194 + 0x58)) = _t165;
				asm("movaps xmm0, [esp+0x40]");
				asm("movdqa [esp+0x40], xmm0");
				asm("movaps xmm1, [esp+0x50]");
				asm("movdqa [esp+0x50], xmm1");
				asm("movaps xmm0, [esp+0x60]");
				asm("movdqa [esp+0x60], xmm0");
				 *((char*)(_t194 + 0x20)) = 0;
				E00007FF77FF7A56D9750(_t116, _t165, _t191 + 0x240, _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				if ( *((intOrPtr*)(_t194 + 0x88)) == 0) goto 0xa5708e36;
				E00007FF77FF7A56E44D8( *((intOrPtr*)(_t194 + 0x70)), _t165,  *((intOrPtr*)(_t194 + 0x88)), _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				 *((long long*)(_t194 + 0x88)) = _t209;
				 *((long long*)(_t194 + 0x90)) = _t209;
				 *((long long*)(_t194 + 0x98)) = _t209;
				E00007FF77FF7A56E44D8( *((intOrPtr*)(_t194 + 0x70)), _t165,  *((intOrPtr*)(_t194 + 0x70)), _t194 + 0x60, _t189, _t194 + 0x50, _t194 + 0x40);
				return 1;
			}

0x7ff7a5708b10
0x7ff7a5708b1b
0x7ff7a5708b22
0x7ff7a5708b2b
0x7ff7a5708b2f
0x7ff7a5708b33
0x7ff7a5708b44
0x7ff7a5708b48
0x7ff7a5708b69
0x7ff7a5708b6d
0x7ff7a5708b79
0x7ff7a5708b82
0x7ff7a5708b8c
0x7ff7a5708b90
0x7ff7a5708b95
0x7ff7a5708ba4
0x7ff7a5708bb0
0x7ff7a5708bb5
0x7ff7a5708bbb
0x7ff7a5708bc2
0x7ff7a5708bc5
0x7ff7a5708bca
0x7ff7a5708bdf
0x7ff7a5708bf8
0x7ff7a5708bfa
0x7ff7a5708c15
0x7ff7a5708c17
0x7ff7a5708c20
0x7ff7a5708c25
0x7ff7a5708c32
0x7ff7a5708c4a
0x7ff7a5708c4d
0x7ff7a5708c54
0x7ff7a5708c56
0x7ff7a5708c63
0x7ff7a5708c6b
0x7ff7a5708c73
0x7ff7a5708c83
0x7ff7a5708c8d
0x7ff7a5708c96
0x7ff7a5708c9d
0x7ff7a5708ca3
0x7ff7a5708cb3
0x7ff7a5708cb6
0x7ff7a5708cbd
0x7ff7a5708cbf
0x7ff7a5708cc4
0x7ff7a5708ccc
0x7ff7a5708cd8
0x7ff7a5708cdd
0x7ff7a5708ce2
0x7ff7a5708cf0
0x7ff7a5708cf2
0x7ff7a5708cf7
0x7ff7a5708cfc
0x7ff7a5708d01
0x7ff7a5708d09
0x7ff7a5708d11
0x7ff7a5708d1e
0x7ff7a5708d25
0x7ff7a5708d2d
0x7ff7a5708d32
0x7ff7a5708d37
0x7ff7a5708d3f
0x7ff7a5708d47
0x7ff7a5708d54
0x7ff7a5708d5b
0x7ff7a5708d60
0x7ff7a5708d6e
0x7ff7a5708d70
0x7ff7a5708d75
0x7ff7a5708d8c
0x7ff7a5708d91
0x7ff7a5708d9c
0x7ff7a5708d9e
0x7ff7a5708dab
0x7ff7a5708db8
0x7ff7a5708dbd
0x7ff7a5708dc5
0x7ff7a5708dc7
0x7ff7a5708dd1
0x7ff7a5708dd6
0x7ff7a5708ddb
0x7ff7a5708de0
0x7ff7a5708de6
0x7ff7a5708deb
0x7ff7a5708df1
0x7ff7a5708df6
0x7ff7a5708e04
0x7ff7a5708e1e
0x7ff7a5708e2f
0x7ff7a5708e31
0x7ff7a5708e36
0x7ff7a5708e3e
0x7ff7a5708e46
0x7ff7a5708e53
0x7ff7a5708e75

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb120ec78b6aca7237791ca1e518357a6acf2baba424791a472cd37449a4be2c
Instruction ID: ad878ab3c94a91aba7a22fe01ef66740b3f456ad5501fd4b6e57af485753f4cc
Opcode Fuzzy Hash: fb120ec78b6aca7237791ca1e518357a6acf2baba424791a472cd37449a4be2c
Instruction Fuzzy Hash: 8D91632260ABC5D5D660AF25E8403EEE3A1FB8AB50F955231DE8C17B69DF3CD4419720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E50E0 Relevance: 10.6, APIs: 7, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 42%

			E00007FF77FF7A56E50E0(void* __edi, intOrPtr __esi, void* __ebp, long long __rbx, short* __rcx, signed char* __rdx, long long __rdi, long long __rsi, void* __r8, void* __r9) {
				void* _t57;
				void* _t72;
				signed long long _t93;
				intOrPtr* _t97;
				intOrPtr* _t98;
				short* _t101;
				long long _t102;
				long long _t113;
				intOrPtr* _t114;
				void* _t119;
				long long _t121;
				signed char* _t122;
				signed long long _t126;
				void* _t127;
				void* _t134;
				int _t136;
				signed char* _t137;
				void* _t139;
				long long _t141;

				_t93 = _t126;
				 *((long long*)(_t93 + 8)) = __rbx;
				 *((long long*)(_t93 + 0x10)) = _t121;
				 *((long long*)(_t93 + 0x18)) = __rsi;
				 *((long long*)(_t93 + 0x20)) = __rdi;
				_t127 = _t126 - 0x50;
				r14d = 0;
				_t119 = __r8;
				_t137 = __rdx;
				_t101 = __rcx;
				_t113 = _t141;
				if (__rcx == _t141) goto 0xa56e5123;
				_t72 = __r8 - _t141;
				if (_t72 != 0) goto 0xa56e511d;
				goto 0xa56e52c9;
				if (_t72 <= 0) goto 0xa56e5123;
				 *((intOrPtr*)(__rcx)) = r14w;
				if (__rdx != _t141) goto 0xa56e5150;
				E00007FF77FF7A56E78AC(_t93);
				r9d = 0;
				r8d = 0;
				 *((long long*)(_t127 + 0x20)) = _t141;
				 *_t93 = 0x16;
				E00007FF77FF7A56E4430(_t93, __rcx, __rcx, __rdx, __r8, _t121, __r8, _t141, _t139);
				goto 0xa56e52c9;
				E00007FF77FF7A56E4E5C(_t93 | 0xffffffff, _t127 + 0x30, __r9);
				if (_t101 == _t141) goto 0xa56e526c;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t127 + 0x30)) + 0x14)) != r14d) goto 0xa56e51c0;
				if (_t119 - _t141 <= 0) goto 0xa56e5190;
				 *_t101 =  *(_t113 + _t137) & 0x000000ff;
				if ( *(_t113 + _t137) == r14b) goto 0xa56e51a5;
				_t114 = _t113 + 1;
				_t102 = _t101 + 2;
				if (_t114 - _t119 < 0) goto 0xa56e5176;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0xa56e51b8;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				goto 0xa56e51b8;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0xa56e51b8;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				_t97 = _t114;
				goto 0xa56e52c9;
				r9d = __edi;
				 *((intOrPtr*)(_t127 + 0x28)) = __esi;
				 *((long long*)(_t127 + 0x20)) = _t102;
				MultiByteToWideChar(_t136, ??, ??, ??, ??);
				if (_t97 != _t141) goto 0xa56e52b3;
				if (GetLastError() == 0x7a) goto 0xa56e5206;
				E00007FF77FF7A56E78AC(_t97);
				 *_t97 = 0x2a;
				 *_t102 = r14w;
				goto 0xa56e5190;
				r13d = __esi;
				_t122 = _t137;
				if (__esi == r14d) goto 0xa56e523e;
				r13d = r13d - 1;
				if ( *_t122 == r14b) goto 0xa56e523e;
				if (E00007FF77FF7A56EF9CC( *_t122 & 0x000000ff,  *_t122 - r14b, _t97, _t134) == r14d) goto 0xa56e5236;
				if (_t122[1] == r14b) goto 0xa56e51f5;
				goto 0xa56e520f;
				_t98 =  *((intOrPtr*)(_t127 + 0x30));
				r9d = __ebp - r12d;
				 *((intOrPtr*)(_t127 + 0x28)) = __esi;
				 *((long long*)(_t127 + 0x20)) = _t102;
				MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t98 != _t141) goto 0xa56e52b6;
				goto 0xa56e51f5;
				if ( *((intOrPtr*)(_t98 + 0x14)) != r14d) goto 0xa56e527c;
				E00007FF77FF7A56E70C0(_t98, _t137);
				goto 0xa56e52b6;
				r9d = __edi;
				 *((intOrPtr*)(_t127 + 0x28)) = r14d;
				 *((long long*)(_t127 + 0x20)) = _t141;
				MultiByteToWideChar(??, ??, ??, ??, ??, ??);
				if (_t98 != _t141) goto 0xa56e52b3;
				_t57 = E00007FF77FF7A56E78AC(_t98);
				 *_t98 = 0x2a;
				goto 0xa56e5190;
				if ( *((intOrPtr*)(_t127 + 0x48)) == r14b) goto 0xa56e52c9;
				 *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) =  *( *((intOrPtr*)(_t127 + 0x40)) + 0xc8) & 0xfffffffd;
				return _t57;
			}

0x7ff7a56e50e0
0x7ff7a56e50e3
0x7ff7a56e50e7
0x7ff7a56e50eb
0x7ff7a56e50ef
0x7ff7a56e50f9
0x7ff7a56e50fd
0x7ff7a56e5100
0x7ff7a56e5103
0x7ff7a56e5106
0x7ff7a56e5109
0x7ff7a56e510f
0x7ff7a56e5111
0x7ff7a56e5114
0x7ff7a56e5118
0x7ff7a56e511d
0x7ff7a56e511f
0x7ff7a56e5126
0x7ff7a56e5128
0x7ff7a56e512d
0x7ff7a56e5130
0x7ff7a56e5137
0x7ff7a56e513c
0x7ff7a56e5142
0x7ff7a56e514b
0x7ff7a56e5158
0x7ff7a56e5165
0x7ff7a56e516f
0x7ff7a56e5174
0x7ff7a56e517b
0x7ff7a56e5182
0x7ff7a56e5184
0x7ff7a56e5187
0x7ff7a56e518e
0x7ff7a56e5195
0x7ff7a56e519c
0x7ff7a56e51a3
0x7ff7a56e51aa
0x7ff7a56e51b1
0x7ff7a56e51b8
0x7ff7a56e51bb
0x7ff7a56e51cd
0x7ff7a56e51d0
0x7ff7a56e51d4
0x7ff7a56e51d9
0x7ff7a56e51e4
0x7ff7a56e51f3
0x7ff7a56e51f5
0x7ff7a56e51fa
0x7ff7a56e5200
0x7ff7a56e5204
0x7ff7a56e5206
0x7ff7a56e5209
0x7ff7a56e520f
0x7ff7a56e5211
0x7ff7a56e5218
0x7ff7a56e522b
0x7ff7a56e5234
0x7ff7a56e523c
0x7ff7a56e523e
0x7ff7a56e5251
0x7ff7a56e5254
0x7ff7a56e5258
0x7ff7a56e525d
0x7ff7a56e5268
0x7ff7a56e526a
0x7ff7a56e5270
0x7ff7a56e5275
0x7ff7a56e527a
0x7ff7a56e5289
0x7ff7a56e528c
0x7ff7a56e5291
0x7ff7a56e5296
0x7ff7a56e52a1
0x7ff7a56e52a3
0x7ff7a56e52a8
0x7ff7a56e52ae
0x7ff7a56e52bb
0x7ff7a56e52c2
0x7ff7a56e52e7

APIs

_errno.LIBCMT ref: 00007FF7A56E5128

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 7d651b8da09034c2c0d35e20cf68fc683c853b3f3c94acc4a5abf00da545e554
Instruction ID: f70fba3004acb0b18701c4315998dde0cecee36ca3752bdf27d6b5a55c8729f2
Opcode Fuzzy Hash: 7d651b8da09034c2c0d35e20cf68fc683c853b3f3c94acc4a5abf00da545e554
Instruction Fuzzy Hash: A251C52190B682C5E7606B20950027DFBA3FB66FA0F966231DE6D177E4DE3EE4408710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F228C Relevance: 10.6, APIs: 7, Instructions: 79
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7A56F228C(signed int __ebx, signed int __ecx, void* __edi, intOrPtr* __rax, long long __rbx, void* __rcx, void* __rdx, void* __rbp, void* __r8, signed int _a8, long long _a24) {
				signed int _v40;
				void* __rdi;
				void* __rsi;
				void* __r12;
				signed int _t34;
				void* _t48;
				void* _t51;
				intOrPtr* _t57;
				intOrPtr* _t58;
				signed long long _t61;
				signed long long _t68;

				_t73 = __r8;
				_t69 = __rbp;
				_t65 = __rdx;
				_t48 = __edi;
				_a24 = __rbx;
				_a8 = __ecx;
				_t66 = __ecx;
				if (__edi != 0xfffffffe) goto 0xa56f22b8;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f2391;
				if (__ecx < 0) goto 0xa56f236e;
				_t51 = _t48 -  *0xa57289c0; // 0x20
				if (_t51 >= 0) goto 0xa56f236e;
				_t68 = __ecx >> 5;
				_t34 = __ebx & 0x0000001f;
				_t61 = __ecx * 0x58;
				_t57 =  *((intOrPtr*)(0xa57289e0 + _t68 * 8));
				if (_t51 != 0) goto 0xa56f2317;
				E00007FF77FF7A56E78AC(_t57);
				 *_t57 = 9;
				_v40 = _v40 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t57, _t61, __rcx, __rdx, _t68, __rbp, __r8);
				goto 0xa56f2391;
				E00007FF77FF7A56F593C(_t34, __edi, _t61, _t66, _t68, 0xa57289e0);
				_t58 =  *((intOrPtr*)(0xa57289e0 + _t68 * 8));
				if (( *(_t58 + _t61 + 8) & 0x00000001) == 0) goto 0xa56f2355;
				E00007FF77FF7A56F58B8(_t48, 0, _t58, _t61, _t68, _t69, _t73);
				if (FlushFileBuffers(??) != 0) goto 0xa56f2348;
				GetLastError();
				goto 0xa56f234a;
				if (0 == 0) goto 0xa56f2363;
				E00007FF77FF7A56E78CC(_t58);
				 *_t58 = 0;
				E00007FF77FF7A56E78AC(_t58);
				 *_t58 = 9;
				E00007FF77FF7A56F59E4();
				goto 0xa56f2391;
				E00007FF77FF7A56E78AC(_t58);
				 *_t58 = 9;
				_v40 = _v40 & 0x00000000;
				r9d = 0;
				r8d = 0;
				return E00007FF77FF7A56E4430(_t58, _t61, _t58, _t65, _t68, _t69, _t73) | 0xffffffff;
			}

0x7ff7a56f228c
0x7ff7a56f228c
0x7ff7a56f228c
0x7ff7a56f228c
0x7ff7a56f228c
0x7ff7a56f2291
0x7ff7a56f229d
0x7ff7a56f22a3
0x7ff7a56f22a5
0x7ff7a56f22aa
0x7ff7a56f22b3
0x7ff7a56f22ba
0x7ff7a56f22c0
0x7ff7a56f22c6
0x7ff7a56f22d2
0x7ff7a56f22dd
0x7ff7a56f22e0
0x7ff7a56f22e4
0x7ff7a56f22f0
0x7ff7a56f22f2
0x7ff7a56f22f7
0x7ff7a56f22fd
0x7ff7a56f2303
0x7ff7a56f2306
0x7ff7a56f230d
0x7ff7a56f2315
0x7ff7a56f2319
0x7ff7a56f231f
0x7ff7a56f2328
0x7ff7a56f232c
0x7ff7a56f233c
0x7ff7a56f233e
0x7ff7a56f2346
0x7ff7a56f234c
0x7ff7a56f234e
0x7ff7a56f2353
0x7ff7a56f2355
0x7ff7a56f235a
0x7ff7a56f2365
0x7ff7a56f236c
0x7ff7a56f236e
0x7ff7a56f2373
0x7ff7a56f2379
0x7ff7a56f237f
0x7ff7a56f2382
0x7ff7a56f239e

APIs

_errno.LIBCMT ref: 00007FF7A56F22A5
_errno.LIBCMT ref: 00007FF7A56F22F2

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno
String ID:
API String ID: 2918714741-0
Opcode ID: 940a07213795119bc703be0b840b2cf50cf32eea5432c9220b670cdf8d9e1718
Instruction ID: e4acbb68624d3abd507b148987812f39b5d842ec28f9839bbc13e4c58c4e7cbe
Opcode Fuzzy Hash: 940a07213795119bc703be0b840b2cf50cf32eea5432c9220b670cdf8d9e1718
Instruction Fuzzy Hash: B231C433E1A64286F7517B35984577EB652AF93F50F966234EA1D062F2CF3CA4048A24

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E964D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00007FF77FF7A56E964D(void* __rax, intOrPtr _a32, intOrPtr _a56, intOrPtr _a64, intOrPtr _a72, intOrPtr _a80, intOrPtr* _a96, intOrPtr _a208, intOrPtr* _a216, long long _a224, long long _a232) {
				void* _t36;
				void* _t37;
				void* _t44;
				void* _t53;
				intOrPtr* _t68;

				_t53 = __rax;
				_a32 = 1;
				E00007FF77FF7A56EB93C(_t37, _t44, __rax);
				 *(_t53 + 0x2c0) =  *(_t53 + 0x2c0) & 0x00000000;
				if (_a208 == 0) goto 0xa56e9699;
				E00007FF77FF7A56E93E4(1, _a216);
				r8d =  *((intOrPtr*)(_a64 + 0x18));
				RaiseException(??, ??, ??, ??);
				goto 0xa56e96b4;
				_t68 = _a216;
				r8d =  *((intOrPtr*)(_t68 + 0x18));
				RaiseException(??, ??, ??, ??);
				r14d = _a32;
				E00007FF77FF7A56E771C(_t53, _a72, _a80);
				if (r14d != 0) goto 0xa56e971d;
				if ( *_t68 != 0xe06d7363) goto 0xa56e971d;
				if ( *((intOrPtr*)(_t68 + 0x18)) != 4) goto 0xa56e971d;
				if ( *((intOrPtr*)(_t68 + 0x20)) == 0x19930520) goto 0xa56e9706;
				if ( *((intOrPtr*)(_t68 + 0x20)) == 0x19930521) goto 0xa56e9706;
				if ( *((intOrPtr*)(_t68 + 0x20)) != 0x19930522) goto 0xa56e971d;
				if (E00007FF77FF7A56E76E8(_t53,  *((intOrPtr*)(_t68 + 0x28))) == 0) goto 0xa56e971d;
				E00007FF77FF7A56E93E4(1, _t68);
				E00007FF77FF7A56EB93C( *_t68, E00007FF77FF7A56E76E8(_t53,  *((intOrPtr*)(_t68 + 0x28))), _t53);
				 *((long long*)(_t53 + 0xf0)) = _a224;
				_t36 = E00007FF77FF7A56EB93C( *_t68, E00007FF77FF7A56E76E8(_t53,  *((intOrPtr*)(_t68 + 0x28))), _t53);
				 *((long long*)(_t53 + 0xf8)) = _a232;
				 *((long long*)( *((intOrPtr*)(_a56 + 0x1c)) +  *_a96)) = 0xfffffffe;
				return _t36;
			}

0x7ff7a56e964d
0x7ff7a56e964d
0x7ff7a56e9655
0x7ff7a56e965a
0x7ff7a56e9669
0x7ff7a56e9678
0x7ff7a56e9686
0x7ff7a56e9691
0x7ff7a56e9697
0x7ff7a56e9699
0x7ff7a56e96a5
0x7ff7a56e96ae
0x7ff7a56e96b4
0x7ff7a56e96d3
0x7ff7a56e96db
0x7ff7a56e96e3
0x7ff7a56e96e9
0x7ff7a56e96f2
0x7ff7a56e96fb
0x7ff7a56e9704
0x7ff7a56e9711
0x7ff7a56e9718
0x7ff7a56e971d
0x7ff7a56e972a
0x7ff7a56e9731
0x7ff7a56e9736
0x7ff7a56e974a
0x7ff7a56e9765

APIs

_getptd.LIBCMT ref: 00007FF7A56E9655
RaiseException.KERNEL32 ref: 00007FF7A56E9691
RaiseException.KERNEL32 ref: 00007FF7A56E96AE
_getptd.LIBCMT ref: 00007FF7A56E971D
_getptd.LIBCMT ref: 00007FF7A56E9731

Strings

csm, xrefs: 00007FF7A56E96DD

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd$ExceptionRaise
String ID: csm
API String ID: 2255768072-1018135373
Opcode ID: b9f1586c76201837a7cedb49760973dd62f8e83127a431f82f18a74b45bd6239
Instruction ID: 86fcca516e1cbe3226bf234455748ed9ef6a6655a994aef61e7c0cb29b524d3e
Opcode Fuzzy Hash: b9f1586c76201837a7cedb49760973dd62f8e83127a431f82f18a74b45bd6239
Instruction Fuzzy Hash: C4310F7650A746C3EA70AF12E04466AB361FB46F51F815132DE9E077A5CF3EE8498B20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EFE78 Relevance: 10.6, APIs: 7, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 47%

			E00007FF77FF7A56EFE78(void* __ecx, void* __edx, void* __ebp, long long __rax, long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r9, long long _a8, long long _a16, long long _a24) {
				void* __r13;
				long long _t39;
				void* _t41;
				void* _t44;
				signed long long _t52;
				void* _t62;

				_t54 = __rsi;
				_t44 = __rcx;
				_t39 = __rax;
				_a8 = __rbx;
				_a16 = __rsi;
				_a24 = __rdi;
				_t41 = __ecx;
				if ( *0xa5723b90 != 0) goto 0xa56efeb6;
				E00007FF77FF7A56EBF50();
				_t4 = _t54 + 0x1d; // 0x1e
				E00007FF77FF7A56EBD28(_t4, _t41, __rdi, __rsi, __rbp, __r9, _t62);
				E00007FF77FF7A56E55B4();
				_t52 = _t41 + _t41;
				if ( *((long long*)(0xa57210f0 + _t52 * 8)) == 0) goto 0xa56efecf;
				goto 0xa56eff4a;
				E00007FF77FF7A56EA574(__ebp, _t39, _t41, _t44, __rsi, __rbp);
				if (_t39 != 0) goto 0xa56efef0;
				E00007FF77FF7A56E78AC(_t39);
				 *_t39 = 0xc;
				goto 0xa56eff4a;
				E00007FF77FF7A56EFF60();
				if ( *((long long*)(0xa57210f0 + _t52 * 8)) != 0) goto 0xa56eff32;
				if (E00007FF77FF7A56F0438() != 0) goto 0xa56eff2b;
				free(??);
				E00007FF77FF7A56E78AC(_t39);
				 *_t39 = 0xc;
				goto 0xa56eff3b;
				 *((long long*)(0xa57210f0 + _t52 * 8)) = _t39;
				goto 0xa56eff3b;
				free(??);
				LeaveCriticalSection(??);
				return 0;
			}

0x7ff7a56efe78
0x7ff7a56efe78
0x7ff7a56efe78
0x7ff7a56efe78
0x7ff7a56efe7d
0x7ff7a56efe82
0x7ff7a56efe8d
0x7ff7a56efe9d
0x7ff7a56efe9f
0x7ff7a56efea4
0x7ff7a56efea7
0x7ff7a56efeb1
0x7ff7a56efeb9
0x7ff7a56efec9
0x7ff7a56efecd
0x7ff7a56efed4
0x7ff7a56efedf
0x7ff7a56efee1
0x7ff7a56efee6
0x7ff7a56efeee
0x7ff7a56efef5
0x7ff7a56eff01
0x7ff7a56eff12
0x7ff7a56eff17
0x7ff7a56eff1c
0x7ff7a56eff21
0x7ff7a56eff29
0x7ff7a56eff2b
0x7ff7a56eff30
0x7ff7a56eff35
0x7ff7a56eff42
0x7ff7a56eff5f

APIs

_FF_MSGBANNER.LIBCMT ref: 00007FF7A56EFE9F

Part of subcall function 00007FF7A56EBD28: GetModuleFileNameA.KERNEL32(?,?,?,?,?,00007FF7A56EBF84,?,?,?,?,00007FF7A56E48E5,?,?,00000000,00007FF7A56EA598), ref: 00007FF7A56EBDEB

Part of subcall function 00007FF7A56E55B4: ExitProcess.KERNEL32 ref: 00007FF7A56E55C3

Part of subcall function 00007FF7A56EA574: malloc.LIBCMT ref: 00007FF7A56EA593
Part of subcall function 00007FF7A56EA574: Sleep.KERNEL32(?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56EA5AA

_errno.LIBCMT ref: 00007FF7A56EFEE1
_lock.LIBCMT ref: 00007FF7A56EFEF5
free.LIBCMT ref: 00007FF7A56EFF17
_errno.LIBCMT ref: 00007FF7A56EFF1C
LeaveCriticalSection.KERNEL32(?,?,?,00007FF7A56EFF83), ref: 00007FF7A56EFF42

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$CriticalExitFileLeaveModuleNameProcessSectionSleep_lockfreemalloc
String ID:
API String ID: 1024173049-0
Opcode ID: ac058671c3edeb939d153bb6fb2abfec8c3f6b002bac18dcab764f1b054be2dd
Instruction ID: 8e5798e2d18e0b7f1118d2f32852493c7d3658d1ee1a5ff371b69fa0b87a0dbe
Opcode Fuzzy Hash: ac058671c3edeb939d153bb6fb2abfec8c3f6b002bac18dcab764f1b054be2dd
Instruction Fuzzy Hash: EF213121E1B682C2F654BB11A415379E256EF8BF80F866034EE4E467E6CF3DE441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DCEF0 Relevance: 9.2, APIs: 6, Instructions: 159
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 83%

			E00007FF77FF7A56DCEF0(void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v72;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t68;
				void* _t71;
				intOrPtr _t105;
				intOrPtr _t108;
				intOrPtr _t110;
				intOrPtr _t111;
				signed long long _t113;
				intOrPtr _t116;
				intOrPtr* _t120;
				intOrPtr _t122;
				intOrPtr _t123;
				long long _t126;
				long long* _t129;
				long long* _t130;
				signed long long _t144;
				signed long long _t148;
				signed long long _t150;
				intOrPtr* _t153;
				void* _t156;
				intOrPtr* _t159;
				void* _t161;
				void* _t162;
				void* _t164;
				signed long long _t166;
				void* _t168;
				intOrPtr* _t169;
				void* _t171;

				_t159 = __r8;
				_t155 = __rbp;
				_t162 = _t156;
				 *((long long*)(_t162 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t162 + 0x10)) = __rbx;
				 *((long long*)(_t162 + 0x18)) = __rsi;
				_t169 = __r8;
				_t153 = __rdx;
				_t126 = __rcx;
				_t129 = _t162 - 0x38;
				 *_t129 =  *__rdx;
				 *((long long*)(_t129 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t130 = _t162 - 0x50;
				 *_t130 =  *__r8;
				 *((long long*)(_t130 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t105 =  *((intOrPtr*)(_t162 - 0x50));
				if (_t105 == 0xfffffffc) goto 0xa56dcf5c;
				if (_t105 == 0) goto 0xa56dcf57;
				if (_t105 ==  *((intOrPtr*)(_t162 - 0x38))) goto 0xa56dcf5c;
				E00007FF77FF7A56E44B8();
				_t144 = _v72 - _v48 >> 1;
				_t148 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t148 - _t144 > 0) goto 0xa56dcfa6;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t144) goto 0xa56dcfa6;
				r8b = 1;
				if (E00007FF77FF7A56D24C0(__rcx, __rcx, _t144, __rdx, __rbp, _t164, _t171, _t168) == 0) goto 0xa56dcfa6;
				 *(_t126 + 0x18) = _t148;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0xa56dcf98;
				goto 0xa56dcf9c;
				r13d = 0;
				 *((intOrPtr*)(_t126 + 8 + _t148 * 2)) = r13w;
				goto 0xa56dcfa9;
				r13d = 0;
				_t108 =  *_t153;
				if (_t108 == 0xfffffffc) goto 0xa56dcfcb;
				if (_t108 == 0) goto 0xa56dcfc6;
				if (_t108 ==  *_t169) goto 0xa56dcfcb;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t153 + 8)) ==  *((intOrPtr*)(_t169 + 8))) goto 0xa56dd0f4;
				_t110 =  *_t153;
				if (_t110 == 0xfffffffc) goto 0xa56dd013;
				if (_t110 != 0) goto 0xa56dcfec;
				E00007FF77FF7A56E44B8();
				_t111 =  *_t153;
				if ( *((long long*)(_t111 + 0x20)) - 8 < 0) goto 0xa56dcffc;
				goto 0xa56dd000;
				if ( *((intOrPtr*)(_t153 + 8)) - _t111 + 8 +  *(_t111 + 0x18) * 2 < 0) goto 0xa56dd013;
				E00007FF77FF7A56E44B8();
				_t113 =  *((intOrPtr*)(_t153 + 8));
				r12d =  *_t113 & 0x0000ffff;
				if ((_t113 | 0xffffffff) -  *(_t126 + 0x18) - 1 > 0) goto 0xa56dd02e;
				E00007FF77FF7A56E33CC((_t113 | 0xffffffff) -  *(_t126 + 0x18), _t126, _t148, _t155, _t159, _t161);
				_t150 =  *(_t126 + 0x18) + 1;
				if (_t150 - 0xfffffffe <= 0) goto 0xa56dd03f;
				_t68 = E00007FF77FF7A56E33CC((_t113 | 0xffffffff) -  *(_t126 + 0x18), _t126, _t150, _t155, _t159, _t161);
				_t116 =  *((intOrPtr*)(_t126 + 0x20));
				if (_t116 - _t150 >= 0) goto 0xa56dd059;
				E00007FF77FF7A56D26D0(_t68, _t126, _t150,  *(_t126 + 0x18), _t166, _t164);
				goto 0xa56dd078;
				if (_t150 != 0) goto 0xa56dd078;
				 *(_t126 + 0x18) = _t166;
				if (_t116 - 8 < 0) goto 0xa56dd06e;
				goto 0xa56dd072;
				 *((intOrPtr*)(_t126 + 8)) = r13w;
				goto 0xa56dd0b0;
				if (_t150 == 0) goto 0xa56dd0b0;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0xa56dd091;
				goto 0xa56dd098;
				_t120 = _t126 + 8;
				 *((intOrPtr*)(_t120 +  *(_t126 + 0x18) * 2)) = r12w;
				 *(_t126 + 0x18) = _t150;
				if ( *((long long*)(_t126 + 0x20)) - 8 < 0) goto 0xa56dd0ab;
				 *((intOrPtr*)( *_t120 + _t150 * 2)) = r13w;
				_t122 =  *_t153;
				if (_t122 == 0xfffffffc) goto 0xa56dd0ea;
				if (_t122 != 0) goto 0xa56dd0c3;
				E00007FF77FF7A56E44B8();
				_t123 =  *_t153;
				if ( *((long long*)(_t123 + 0x20)) - 8 < 0) goto 0xa56dd0d3;
				goto 0xa56dd0d7;
				if ( *((intOrPtr*)(_t153 + 8)) - _t123 + 8 +  *(_t123 + 0x18) * 2 < 0) goto 0xa56dd0ea;
				_t71 = E00007FF77FF7A56E44B8();
				 *((long long*)(_t153 + 8)) =  *((long long*)(_t153 + 8)) + 2;
				goto 0xa56dcfb3;
				return _t71;
			}

0x7ff7a56dcef0
0x7ff7a56dcef0
0x7ff7a56dcef0
0x7ff7a56dcef3
0x7ff7a56dcf04
0x7ff7a56dcf0d
0x7ff7a56dcf11
0x7ff7a56dcf15
0x7ff7a56dcf18
0x7ff7a56dcf1b
0x7ff7a56dcf1e
0x7ff7a56dcf25
0x7ff7a56dcf2c
0x7ff7a56dcf30
0x7ff7a56dcf37
0x7ff7a56dcf3e
0x7ff7a56dcf42
0x7ff7a56dcf4a
0x7ff7a56dcf4f
0x7ff7a56dcf55
0x7ff7a56dcf57
0x7ff7a56dcf66
0x7ff7a56dcf69
0x7ff7a56dcf70
0x7ff7a56dcf76
0x7ff7a56dcf78
0x7ff7a56dcf85
0x7ff7a56dcf87
0x7ff7a56dcf90
0x7ff7a56dcf96
0x7ff7a56dcf9c
0x7ff7a56dcf9f
0x7ff7a56dcfa4
0x7ff7a56dcfa6
0x7ff7a56dcfb3
0x7ff7a56dcfba
0x7ff7a56dcfbf
0x7ff7a56dcfc4
0x7ff7a56dcfc6
0x7ff7a56dcfd3
0x7ff7a56dcfd9
0x7ff7a56dcfe0
0x7ff7a56dcfe5
0x7ff7a56dcfe7
0x7ff7a56dcfec
0x7ff7a56dcff4
0x7ff7a56dcffa
0x7ff7a56dd00c
0x7ff7a56dd00e
0x7ff7a56dd013
0x7ff7a56dd017
0x7ff7a56dd027
0x7ff7a56dd029
0x7ff7a56dd032
0x7ff7a56dd038
0x7ff7a56dd03a
0x7ff7a56dd03f
0x7ff7a56dd046
0x7ff7a56dd052
0x7ff7a56dd057
0x7ff7a56dd05c
0x7ff7a56dd05e
0x7ff7a56dd066
0x7ff7a56dd06c
0x7ff7a56dd072
0x7ff7a56dd076
0x7ff7a56dd07b
0x7ff7a56dd086
0x7ff7a56dd08f
0x7ff7a56dd091
0x7ff7a56dd098
0x7ff7a56dd09d
0x7ff7a56dd0a6
0x7ff7a56dd0ab
0x7ff7a56dd0b0
0x7ff7a56dd0b7
0x7ff7a56dd0bc
0x7ff7a56dd0be
0x7ff7a56dd0c3
0x7ff7a56dd0cb
0x7ff7a56dd0d1
0x7ff7a56dd0e3
0x7ff7a56dd0e5
0x7ff7a56dd0ea
0x7ff7a56dd0ef
0x7ff7a56dd10d

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DCF57
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DCFC6
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DCFE7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD00E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD0BE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD0E5

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7f6f2e91ed5572e42ace02233fa957f2e227a56f2aac9c965945f59fe9a565ff
Instruction ID: b984a7210da46d9fd0687b3f8e745f7389e265efcc7163d10d3afdb9052ff182
Opcode Fuzzy Hash: 7f6f2e91ed5572e42ace02233fa957f2e227a56f2aac9c965945f59fe9a565ff
Instruction Fuzzy Hash: 36613E2360BE4580EA14AF15D14406CE376EB86FA4BD66731CA6D473F4DF39E866C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D3030 Relevance: 9.1, APIs: 6, Instructions: 149
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 81%

			E00007FF77FF7A56D3030(void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v64;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t58;
				void* _t61;
				intOrPtr _t91;
				intOrPtr _t94;
				signed long long _t101;
				intOrPtr _t104;
				intOrPtr* _t108;
				long long _t116;
				long long* _t119;
				long long* _t120;
				void* _t127;
				intOrPtr* _t131;
				signed long long _t134;
				signed long long _t136;
				void* _t139;
				intOrPtr* _t142;
				void* _t144;
				void* _t145;
				signed long long _t147;
				void* _t149;
				void* _t151;
				intOrPtr* _t152;
				void* _t154;

				_t142 = __r8;
				_t138 = __rbp;
				_t145 = _t139;
				 *((long long*)(_t145 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t145 + 0x10)) = __rbx;
				 *((long long*)(_t145 + 0x18)) = __rsi;
				_t152 = __r8;
				_t131 = __rdx;
				_t116 = __rcx;
				_t119 = _t145 - 0x48;
				 *_t119 =  *__r8;
				 *((long long*)(_t119 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t120 = _t145 - 0x38;
				 *_t120 =  *__rdx;
				 *((long long*)(_t120 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t91 =  *((intOrPtr*)(_t145 - 0x48));
				if (_t91 == 0) goto 0xa56d3091;
				if (_t91 ==  *((intOrPtr*)(_t145 - 0x38))) goto 0xa56d3096;
				E00007FF77FF7A56E44B8();
				_t127 = _v64 - _v48;
				_t134 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t134 - _t127 > 0) goto 0xa56d30dd;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t127) goto 0xa56d30dd;
				r8b = 1;
				if (E00007FF77FF7A56D24C0(__rcx, __rcx, _t127, _t134, __rbp, _t147, _t154, _t151) == 0) goto 0xa56d30dd;
				 *(_t116 + 0x18) = _t134;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0xa56d30cf;
				goto 0xa56d30d3;
				r12d = 0;
				 *((intOrPtr*)(_t116 + 8 + _t134 * 2)) = r12w;
				goto 0xa56d30e0;
				r12d = 0;
				asm("o16 nop [eax+eax]");
				_t94 =  *_t131;
				if (_t94 == 0) goto 0xa56d30fd;
				if (_t94 ==  *_t152) goto 0xa56d3102;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(_t131 + 8)) ==  *((intOrPtr*)(_t152 + 8))) goto 0xa56d320e;
				if ( *_t131 != 0) goto 0xa56d312a;
				E00007FF77FF7A56E44B8();
				if ( *_t131 != 0) goto 0xa56d312a;
				goto 0xa56d312d;
				if ( *((intOrPtr*)(_t131 + 8)) -  *((intOrPtr*)( *_t147 + 0x20)) < 0) goto 0xa56d313c;
				E00007FF77FF7A56E44B8();
				_t101 =  *((intOrPtr*)(_t131 + 8));
				r13d =  *_t101 & 0x000000ff;
				if ((_t101 | 0xffffffff) -  *(_t116 + 0x18) - 1 > 0) goto 0xa56d3157;
				E00007FF77FF7A56E33CC((_t101 | 0xffffffff) -  *(_t116 + 0x18), _t116, _t131, _t138, _t142, _t144);
				_t136 =  *(_t116 + 0x18) + 1;
				if (_t136 - 0xfffffffe <= 0) goto 0xa56d3168;
				_t58 = E00007FF77FF7A56E33CC((_t101 | 0xffffffff) -  *(_t116 + 0x18), _t116, _t131, _t138, _t142, _t144);
				_t104 =  *((intOrPtr*)(_t116 + 0x20));
				if (_t104 - _t136 >= 0) goto 0xa56d3182;
				E00007FF77FF7A56D26D0(_t58, _t116, _t136,  *(_t116 + 0x18), _t149, _t147);
				goto 0xa56d31a1;
				if (_t136 != 0) goto 0xa56d31a1;
				 *(_t116 + 0x18) = _t147;
				if (_t104 - 8 < 0) goto 0xa56d3197;
				goto 0xa56d319b;
				 *((intOrPtr*)(_t116 + 8)) = r12w;
				goto 0xa56d31d9;
				if (_t136 == 0) goto 0xa56d31d9;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0xa56d31ba;
				goto 0xa56d31c1;
				_t108 = _t116 + 8;
				 *((intOrPtr*)(_t108 +  *(_t116 + 0x18) * 2)) = r13w;
				 *(_t116 + 0x18) = _t136;
				if ( *((long long*)(_t116 + 0x20)) - 8 < 0) goto 0xa56d31d4;
				 *((intOrPtr*)( *_t108 + _t136 * 2)) = r12w;
				if ( *_t131 != 0) goto 0xa56d31f3;
				E00007FF77FF7A56E44B8();
				if ( *_t131 != 0) goto 0xa56d31f3;
				goto 0xa56d31f6;
				if ( *((intOrPtr*)(_t131 + 8)) -  *((intOrPtr*)( *_t147 + 0x20)) < 0) goto 0xa56d3205;
				_t61 = E00007FF77FF7A56E44B8();
				 *((long long*)(_t131 + 8)) =  *((long long*)(_t131 + 8)) + 1;
				goto 0xa56d30f0;
				return _t61;
			}

0x7ff7a56d3030
0x7ff7a56d3030
0x7ff7a56d3030
0x7ff7a56d3033
0x7ff7a56d3044
0x7ff7a56d304d
0x7ff7a56d3051
0x7ff7a56d3055
0x7ff7a56d3058
0x7ff7a56d305b
0x7ff7a56d305e
0x7ff7a56d3065
0x7ff7a56d306c
0x7ff7a56d3070
0x7ff7a56d3077
0x7ff7a56d307e
0x7ff7a56d3082
0x7ff7a56d3089
0x7ff7a56d308f
0x7ff7a56d3091
0x7ff7a56d309b
0x7ff7a56d30a0
0x7ff7a56d30a7
0x7ff7a56d30ad
0x7ff7a56d30af
0x7ff7a56d30bc
0x7ff7a56d30be
0x7ff7a56d30c7
0x7ff7a56d30cd
0x7ff7a56d30d3
0x7ff7a56d30d6
0x7ff7a56d30db
0x7ff7a56d30dd
0x7ff7a56d30ea
0x7ff7a56d30f0
0x7ff7a56d30f6
0x7ff7a56d30fb
0x7ff7a56d30fd
0x7ff7a56d310a
0x7ff7a56d3116
0x7ff7a56d3118
0x7ff7a56d3123
0x7ff7a56d3128
0x7ff7a56d3135
0x7ff7a56d3137
0x7ff7a56d313c
0x7ff7a56d3140
0x7ff7a56d3150
0x7ff7a56d3152
0x7ff7a56d315b
0x7ff7a56d3161
0x7ff7a56d3163
0x7ff7a56d3168
0x7ff7a56d316f
0x7ff7a56d317b
0x7ff7a56d3180
0x7ff7a56d3185
0x7ff7a56d3187
0x7ff7a56d318f
0x7ff7a56d3195
0x7ff7a56d319b
0x7ff7a56d319f
0x7ff7a56d31a4
0x7ff7a56d31af
0x7ff7a56d31b8
0x7ff7a56d31ba
0x7ff7a56d31c1
0x7ff7a56d31c6
0x7ff7a56d31cf
0x7ff7a56d31d4
0x7ff7a56d31df
0x7ff7a56d31e1
0x7ff7a56d31ec
0x7ff7a56d31f1
0x7ff7a56d31fe
0x7ff7a56d3200
0x7ff7a56d3205
0x7ff7a56d3209
0x7ff7a56d3227

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D3091
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D30FD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D3118
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D3137
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D31E1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D3200

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 06a8641fa43e2610765a8969c89ceab00d32e648021870bd44166826c331591f
Instruction ID: 95b936bde0921903275cf75359d4e2528e77e20b24f997eeef44732437583ec1
Opcode Fuzzy Hash: 06a8641fa43e2610765a8969c89ceab00d32e648021870bd44166826c331591f
Instruction Fuzzy Hash: 38513223B0BF4680EB14AF15E44406CB366FB46F94B966A35CE6D077A4DF39E461C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EF7AC Relevance: 9.1, APIs: 6, Instructions: 122
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 63%

			E00007FF77FF7A56EF7AC(void* __ecx, void* __edx, void* __ebp, void* __esp, void* __eflags, long long __rbx, void* __rcx, long long __rdi, long long __rsi, void* __rbp, void* __r8, void* __r10, void* __r11, long long __r12, void* _a8, void* _a16, void* _a24, void* _a32) {
				signed int _v24;
				void* _t46;
				signed int _t49;
				char _t55;
				void* _t64;
				void* _t69;
				signed int _t78;
				long long _t89;
				intOrPtr* _t90;
				long long _t93;
				void* _t95;
				long long _t102;
				long long _t109;
				long long _t112;
				void* _t118;
				void* _t124;

				_t118 = __r11;
				_t95 = __rcx;
				_t64 = __edx;
				_t58 = __ecx;
				_t89 = _t112;
				 *((long long*)(_t89 + 8)) = __rbx;
				 *((long long*)(_t89 + 0x10)) = __rsi;
				 *((long long*)(_t89 + 0x18)) = __rdi;
				 *((long long*)(_t89 + 0x20)) = __r12;
				_t69 = __ecx;
				r13d = r13d | 0xffffffff;
				E00007FF77FF7A56EB93C(__ecx, __eflags, _t89);
				_t109 = _t89;
				E00007FF77FF7A56EF3E8(_t58, __eflags, _t89, __rbx, _t124);
				_t46 = E00007FF77FF7A56EF4A4(_t69, __eflags, _t89);
				r12d = _t46;
				if (_t46 ==  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0xb8)) + 4))) goto 0xa56ef981;
				E00007FF77FF7A56EA574(__ebp, _t89,  *((intOrPtr*)(_t109 + 0xb8)), _t95, _t109, __rbp);
				_t93 = _t89;
				if (_t89 == __rdi) goto 0xa56ef986;
				r8d = 0x220;
				E00007FF77FF7A56EAE90(0x220, _t89 - __rdi, _t89,  *((intOrPtr*)(_t109 + 0xb8)), __r8);
				 *_t93 = 0;
				_t49 = E00007FF77FF7A56EF534(r12d, _t64, __esp, _t89 - __rdi, _t93, _t93, __r8, __r10, _t118);
				r13d = _t49;
				_t78 = _t49;
				if (_t78 != 0) goto 0xa56ef95b;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t78 != 0) goto 0xa56ef85e;
				if ( *((intOrPtr*)(_t109 + 0xb8)) == 0xa5720bb0) goto 0xa56ef865;
				free(??);
				goto 0xa56ef865;
				 *((long long*)(_t109 + 0xb8)) = _t93;
				asm("lock add dword [ebx], 0x1");
				if (( *(_t109 + 0xc8) & 0x00000002) != 0) goto 0xa56ef986;
				if (( *0xa5720a10 & 0x00000001) != 0) goto 0xa56ef986;
				E00007FF77FF7A56EFF60();
				 *0xa5723bd4 =  *((intOrPtr*)(_t93 + 4));
				 *0xa5723bd8 =  *((intOrPtr*)(_t93 + 8));
				 *0xa5723bdc =  *((intOrPtr*)(_t93 + 0xc));
				_v24 = 0;
				if (0 - 5 >= 0) goto 0xa56ef8db;
				 *0x7FF7A5723BC8 =  *(_t93 + 0x10) & 0x0000ffff;
				_v24 = 1;
				goto 0xa56ef8bd;
				_v24 = 0;
				if (0 - 0x101 >= 0) goto 0xa56ef900;
				 *0x7FF7A5720DD0 =  *((intOrPtr*)(0 + _t93 + 0x1c));
				_v24 = 1;
				goto 0xa56ef8e1;
				_v24 = 0;
				if (0 - 0x100 >= 0) goto 0xa56ef926;
				_t55 =  *((intOrPtr*)(0 + _t93 + 0x11d));
				 *0x7FF7A5720EE0 = _t55;
				_v24 = 1;
				goto 0xa56ef904;
				_t90 =  *0xa5720fe0; // 0x2be6d30
				asm("lock add dword [eax], 0xffffffff");
				if (0 != 0x100) goto 0xa56ef944;
				_t102 =  *0xa5720fe0; // 0x2be6d30
				if (_t102 == 0xa5720bb0) goto 0xa56ef944;
				free(??);
				 *0xa5720fe0 = _t93;
				asm("lock add dword [ebx], 0x1");
				E00007FF77FF7A56EFE60();
				goto 0xa56ef986;
				if (_t55 != 0xffffffff) goto 0xa56ef986;
				if (_t93 == 0xa5720bb0) goto 0xa56ef974;
				free(??);
				E00007FF77FF7A56E78AC(_t90);
				 *_t90 = 0x16;
				goto 0xa56ef986;
				r13d = 0;
				return r13d;
			}

0x7ff7a56ef7ac
0x7ff7a56ef7ac
0x7ff7a56ef7ac
0x7ff7a56ef7ac
0x7ff7a56ef7ac
0x7ff7a56ef7af
0x7ff7a56ef7b3
0x7ff7a56ef7b7
0x7ff7a56ef7bb
0x7ff7a56ef7c5
0x7ff7a56ef7c7
0x7ff7a56ef7cb
0x7ff7a56ef7d0
0x7ff7a56ef7d3
0x7ff7a56ef7e1
0x7ff7a56ef7e6
0x7ff7a56ef7ec
0x7ff7a56ef7f7
0x7ff7a56ef7fc
0x7ff7a56ef804
0x7ff7a56ef814
0x7ff7a56ef81a
0x7ff7a56ef81f
0x7ff7a56ef827
0x7ff7a56ef82c
0x7ff7a56ef82f
0x7ff7a56ef831
0x7ff7a56ef83e
0x7ff7a56ef842
0x7ff7a56ef855
0x7ff7a56ef857
0x7ff7a56ef85c
0x7ff7a56ef865
0x7ff7a56ef86c
0x7ff7a56ef877
0x7ff7a56ef884
0x7ff7a56ef88f
0x7ff7a56ef898
0x7ff7a56ef8a1
0x7ff7a56ef8aa
0x7ff7a56ef8b2
0x7ff7a56ef8c0
0x7ff7a56ef8ca
0x7ff7a56ef8d5
0x7ff7a56ef8d9
0x7ff7a56ef8dd
0x7ff7a56ef8e7
0x7ff7a56ef8f0
0x7ff7a56ef8fa
0x7ff7a56ef8fe
0x7ff7a56ef900
0x7ff7a56ef90a
0x7ff7a56ef90f
0x7ff7a56ef916
0x7ff7a56ef920
0x7ff7a56ef924
0x7ff7a56ef926
0x7ff7a56ef92d
0x7ff7a56ef931
0x7ff7a56ef933
0x7ff7a56ef93d
0x7ff7a56ef93f
0x7ff7a56ef944
0x7ff7a56ef94b
0x7ff7a56ef954
0x7ff7a56ef959
0x7ff7a56ef95e
0x7ff7a56ef96a
0x7ff7a56ef96f
0x7ff7a56ef974
0x7ff7a56ef979
0x7ff7a56ef97f
0x7ff7a56ef983
0x7ff7a56ef9a3

APIs

_getptd.LIBCMT ref: 00007FF7A56EF7CB

Part of subcall function 00007FF7A56EF3E8: _getptd.LIBCMT ref: 00007FF7A56EF3F2

Part of subcall function 00007FF7A56EF4A4: GetOEMCP.KERNEL32 ref: 00007FF7A56EF4CE

Part of subcall function 00007FF7A56EA574: malloc.LIBCMT ref: 00007FF7A56EA593
Part of subcall function 00007FF7A56EA574: Sleep.KERNEL32(?,?,00000000,00007FF7A56EFED9,?,?,?,00007FF7A56EFF83), ref: 00007FF7A56EA5AA

free.LIBCMT ref: 00007FF7A56EF857

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

_lock.LIBCMT ref: 00007FF7A56EF88F
free.LIBCMT ref: 00007FF7A56EF93F
free.LIBCMT ref: 00007FF7A56EF96F
_errno.LIBCMT ref: 00007FF7A56EF974

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$_errno_getptd$ErrorFreeHeapLastSleep_lockmalloc
String ID:
API String ID: 2878544890-0
Opcode ID: dbefac1bd4e860cba46ec646c9f1af48dc9b2591202d1de2f3d620e5c24df54c
Instruction ID: c9674ee626ad52f235c7ba17f894ca1f1c6a805c9bd8361def99af4b0e8111e4
Opcode Fuzzy Hash: dbefac1bd4e860cba46ec646c9f1af48dc9b2591202d1de2f3d620e5c24df54c
Instruction Fuzzy Hash: A851E23190B682C7E250AB21A44027DF6A2FB8AF54F965235DE9E473B5DF3DE441C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A5709FC0 Relevance: 9.1, APIs: 6, Instructions: 83
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A5709FC0(void* __edx, long long __rbx, void* __rcx, long long __rsi) {
				void* _t40;
				void* _t42;
				intOrPtr _t60;
				intOrPtr* _t61;
				long long _t63;
				long long _t72;
				intOrPtr _t73;
				intOrPtr* _t77;
				long long* _t78;
				intOrPtr* _t80;
				long long _t87;
				void* _t90;
				void* _t91;

				 *((long long*)(_t90 + 8)) = __rbx;
				 *((long long*)(_t90 + 0x10)) = _t87;
				 *((long long*)(_t90 + 0x18)) = __rsi;
				_t91 = _t90 - 0x50;
				_t42 = __edx;
				_t60 =  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x60)) + 8));
				if ( *((char*)(_t60 + 0x29)) != 0) goto 0xa5709ffe;
				if ( *((intOrPtr*)(_t60 + 0x18)) - __edx >= 0) goto 0xa5709ff2;
				_t61 =  *((intOrPtr*)(_t60 + 0x10));
				goto 0xa5709ff8;
				_t72 = _t61;
				if ( *((char*)( *_t61 + 0x29)) == 0) goto 0xa5709fe7;
				_t63 =  *((intOrPtr*)(__rcx + 0x30));
				 *((long long*)(_t91 + 0x28)) = _t72;
				 *((long long*)(_t91 + 0x20)) = _t63;
				if (_t63 == 0) goto 0xa570a01a;
				if (_t63 == _t63) goto 0xa570a01f;
				E00007FF77FF7A56E44B8();
				if (_t72 ==  *((intOrPtr*)(__rcx + 0x60))) goto 0xa570a030;
				if (_t42 -  *((intOrPtr*)(_t72 + 0x18)) < 0) goto 0xa570a030;
				goto 0xa570a047;
				_t77 = _t91 + 0x30;
				 *((long long*)(_t91 + 0x38)) =  *((intOrPtr*)(__rcx + 0x60));
				 *((long long*)(_t91 + 0x30)) =  *((intOrPtr*)(__rcx + 0x30));
				_t78 = _t91 + 0x40;
				 *_t78 =  *_t77;
				 *((long long*)(_t78 + 8)) =  *((intOrPtr*)(_t77 + 8));
				_t80 =  *((intOrPtr*)(_t91 + 0x40));
				if (_t80 == 0) goto 0xa570a06e;
				if (_t80 ==  *((intOrPtr*)(__rcx + 0x30))) goto 0xa570a073;
				E00007FF77FF7A56E44B8();
				_t73 =  *((intOrPtr*)(_t91 + 0x48));
				if (_t73 ==  *((intOrPtr*)(__rcx + 0x60))) goto 0xa570a0c3;
				if (_t80 != 0) goto 0xa570a08e;
				E00007FF77FF7A56E44B8();
				goto 0xa570a091;
				if (_t73 !=  *((intOrPtr*)( *_t80 + 0x30))) goto 0xa570a09c;
				E00007FF77FF7A56E44B8();
				if ( *((long long*)(_t73 + 0x20)) == 0xffffffff) goto 0xa570a0c3;
				if (_t80 != 0) goto 0xa570a0af;
				E00007FF77FF7A56E44B8();
				goto 0xa570a0b2;
				if (_t73 !=  *((intOrPtr*)( *_t80 + 0x30))) goto 0xa570a0bd;
				_t40 = E00007FF77FF7A56E44B8();
				goto 0xa570a0c7;
				return _t40;
			}

0x7ff7a5709fc0
0x7ff7a5709fc5
0x7ff7a5709fca
0x7ff7a5709fd0
0x7ff7a5709fd8
0x7ff7a5709fdd
0x7ff7a5709fe5
0x7ff7a5709fea
0x7ff7a5709fec
0x7ff7a5709ff0
0x7ff7a5709ff2
0x7ff7a5709ffc
0x7ff7a5709ffe
0x7ff7a570a006
0x7ff7a570a00b
0x7ff7a570a013
0x7ff7a570a018
0x7ff7a570a01a
0x7ff7a570a022
0x7ff7a570a027
0x7ff7a570a02e
0x7ff7a570a034
0x7ff7a570a039
0x7ff7a570a042
0x7ff7a570a04e
0x7ff7a570a053
0x7ff7a570a05a
0x7ff7a570a05e
0x7ff7a570a066
0x7ff7a570a06c
0x7ff7a570a06e
0x7ff7a570a073
0x7ff7a570a07b
0x7ff7a570a082
0x7ff7a570a084
0x7ff7a570a08c
0x7ff7a570a095
0x7ff7a570a097
0x7ff7a570a0a1
0x7ff7a570a0a6
0x7ff7a570a0a8
0x7ff7a570a0ad
0x7ff7a570a0b6
0x7ff7a570a0b8
0x7ff7a570a0c1
0x7ff7a570a0db

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A01A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A06E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A084
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A097
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A0A8
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A0B8

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b1dad616f5987b4a8820b29c662f81acca57bbf043e1374bbabc96fa387b78c7
Instruction ID: 0cc48668b9b2a30dbc5f66740da33de3eb91d5021a75abf4f6445fabb86be43c
Opcode Fuzzy Hash: b1dad616f5987b4a8820b29c662f81acca57bbf043e1374bbabc96fa387b78c7
Instruction Fuzzy Hash: C9313632A0AB45C5EB51AB15D44016DE7A1FB49F94F960231DA5C177E5EF3CE851C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F5A0C Relevance: 9.1, APIs: 6, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

__initconout.LIBCMT ref: 00007FF7A56F5A3A

Part of subcall function 00007FF7A56F5FDC: CreateFileA.KERNEL32 ref: 00007FF7A56F6005

WriteConsoleW.KERNEL32 ref: 00007FF7A56F5A66
GetLastError.KERNEL32 ref: 00007FF7A56F5A81
GetConsoleOutputCP.KERNEL32(?,?,?,?,00007FF7A56F1218,?,?,?,00000001,00000000,?,00000001,00007FF7A56F171C), ref: 00007FF7A56F5A93
WideCharToMultiByte.KERNEL32 ref: 00007FF7A56F5AC6
WriteConsoleA.KERNEL32 ref: 00007FF7A56F5AEC

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Console$Write$ByteCharCreateErrorFileLastMultiOutputWide__initconout
String ID:
API String ID: 2210154019-0
Opcode ID: b6307e78168ad8cfc449806c29395060a627c9e19e62e9274fd19f5beea39485
Instruction ID: 74ad049c87aa2e9a7eb35701a3bd494231d793d7fb137b52914dc7e3cc5d80e1
Opcode Fuzzy Hash: b6307e78168ad8cfc449806c29395060a627c9e19e62e9274fd19f5beea39485
Instruction Fuzzy Hash: B0318F32E1A90286E710AB10E554379A2A1FBA7F74FD21331E56D066F4DF7CD808CB20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EB8B8 Relevance: 9.0, APIs: 6, Instructions: 37threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871,?,?,?,00007FF7A56E4219), ref: 00007FF7A56EB8C2
FlsGetValue.KERNEL32(?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871,?,?,?,00007FF7A56E4219), ref: 00007FF7A56EB8D0
SetLastError.KERNEL32(?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871,?,?,?,00007FF7A56E4219), ref: 00007FF7A56EB928

Part of subcall function 00007FF7A56EA5E0: Sleep.KERNEL32(?,?,?,00007FF7A56EB8EB,?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871), ref: 00007FF7A56EA625

FlsSetValue.KERNEL32(?,?,?,00007FF7A56E78B5,?,?,?,?,00007FF7A56E4871,?,?,?,00007FF7A56E4219), ref: 00007FF7A56EB8FC
free.LIBCMT ref: 00007FF7A56EB91F

Part of subcall function 00007FF7A56EB804: _lock.LIBCMT ref: 00007FF7A56EB854
Part of subcall function 00007FF7A56EB804: _lock.LIBCMT ref: 00007FF7A56EB874

GetCurrentThreadId.KERNEL32 ref: 00007FF7A56EB910

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ErrorLastValue_lock$CurrentSleepThreadfree
String ID:
API String ID: 3106088686-0
Opcode ID: 47fe6f310744996d0618dde16060a0968cc8db3ffcff5d940b5b223bec7bd5a3
Instruction ID: c1dbaf3a093deb734ac4ce69c2b05043a304cd67da2b915854455cac0b9918b4
Opcode Fuzzy Hash: 47fe6f310744996d0618dde16060a0968cc8db3ffcff5d940b5b223bec7bd5a3
Instruction Fuzzy Hash: E9015624E0B74282EA447B75A444039A292AF4EF60F8A9234DD1D177F5EE3CE4458630

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F33F4 Relevance: 8.8, APIs: 7, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

free.LIBCMT ref: 00007FF7A56F3412

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

free.LIBCMT ref: 00007FF7A56F3424
free.LIBCMT ref: 00007FF7A56F3436
free.LIBCMT ref: 00007FF7A56F3448
free.LIBCMT ref: 00007FF7A56F345A
free.LIBCMT ref: 00007FF7A56F346C
free.LIBCMT ref: 00007FF7A56F347E

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free$ErrorFreeHeapLast_errno
String ID:
API String ID: 1012874770-0
Opcode ID: 864e03c431a6d3e9e346be6ff6aff8a7b4752ac3b6a64fe7f5e624e93be13a61
Instruction ID: 8e4e4797cfc2c0dfab091b58888d125d03377f98eabe04704b1dc1ea50dafc3f
Opcode Fuzzy Hash: 864e03c431a6d3e9e346be6ff6aff8a7b4752ac3b6a64fe7f5e624e93be13a61
Instruction Fuzzy Hash: DC012523E1B442C5EAD5FBA1E45103CA726EF86F40FC72131D90E535B29E2DF8858231

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E9204 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00007FF77FF7A56E9204(intOrPtr* __rcx) {
				void* _t11;
				intOrPtr* _t16;

				_t16 =  *((intOrPtr*)(__rcx));
				if ( *_t16 == 0xe0434f4d) goto 0xa56e922d;
				_t13 =  *_t16 - 0xe06d7363;
				if ( *_t16 != 0xe06d7363) goto 0xa56e9246;
				E00007FF77FF7A56EB93C(_t11,  *_t16 - 0xe06d7363, _t16);
				 *(_t16 + 0x100) =  *(_t16 + 0x100) & 0x00000000;
				E00007FF77FF7A56F0124( *_t16 - 0xe06d7363, _t16);
				asm("int3");
				E00007FF77FF7A56EB93C(_t11, _t13, _t16);
				if ( *(_t16 + 0x100) <= 0) goto 0xa56e9246;
				E00007FF77FF7A56EB93C(_t11,  *(_t16 + 0x100), _t16);
				 *(_t16 + 0x100) =  *(_t16 + 0x100) - 1;
				return 0;
			}

0x7ff7a56e9208
0x7ff7a56e9211
0x7ff7a56e9213
0x7ff7a56e9219
0x7ff7a56e921b
0x7ff7a56e9220
0x7ff7a56e9227
0x7ff7a56e922c
0x7ff7a56e922d
0x7ff7a56e9239
0x7ff7a56e923b
0x7ff7a56e9240
0x7ff7a56e924c

APIs

_getptd.LIBCMT ref: 00007FF7A56E921B

Part of subcall function 00007FF7A56F0124: _getptd.LIBCMT ref: 00007FF7A56F0128

_getptd.LIBCMT ref: 00007FF7A56E922D
_getptd.LIBCMT ref: 00007FF7A56E923B

Strings

MOC, xrefs: 00007FF7A56E920B
csm, xrefs: 00007FF7A56E9213

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd
String ID: MOC$csm
API String ID: 3186804695-1389381023
Opcode ID: 00ecfaa5011b527fe4e670c7211831b1227f345612b3d7dc83072e452741e803
Instruction ID: 1167cbaaae9ba48b1e724f6855bd83dde960a7807943177da73990e3f1b66dba
Opcode Fuzzy Hash: 00ecfaa5011b527fe4e670c7211831b1227f345612b3d7dc83072e452741e803
Instruction Fuzzy Hash: 98E0ED76D17242CAE6157B5180463B876F2AF5BF15FC7A070C94C423A28B7E58858A61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F348C Relevance: 7.7, APIs: 6, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF77FF7A56F348C(void* __ebp, signed int __rbx, long long __rcx, signed int __rdi, signed int __rsi, void* __r8, void* __r9) {
				signed int _t88;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t99;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				char _t105;
				char _t106;
				char _t107;
				signed int _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t142;
				signed int* _t149;
				signed int* _t157;
				signed int* _t159;
				signed int _t176;
				char* _t213;
				char* _t214;
				signed int _t216;
				long long _t219;
				signed int _t221;
				signed int* _t223;
				signed int* _t225;
				void* _t226;
				char* _t229;
				void* _t232;
				void* _t233;
				signed int* _t234;
				void* _t236;
				signed int* _t237;
				void* _t239;
				intOrPtr* _t240;

				_t232 = __r9;
				_t228 = __r8;
				_t216 = __rdi;
				_t176 = __rbx;
				_t159 = _t225;
				_t159[2] = __rbx;
				_t159[4] = _t221;
				_t159[6] = __rsi;
				_t159[8] = __rdi;
				_t226 = _t225 - 0x40;
				r12d = 0;
				_t219 = __rcx;
				 *((long long*)(_t159 - 0x28)) = __rcx;
				 *(_t159 - 0x20) =  *(_t159 - 0x20) & _t233;
				if ( *((intOrPtr*)(__rcx + 0x18)) != r12d) goto 0xa56f34d2;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != r12d) goto 0xa56f34d2;
				r13d = 0;
				goto 0xa56f37db;
				_t10 = _t216 - 0x57; // 0x1
				E00007FF77FF7A56EA5E0(__rbx, __rcx, __rdi, __rdi, __rcx, 0xa57201a0, _t239, _t236);
				_t223 = _t159;
				if (_t159 != 0) goto 0xa56f34f4;
				goto 0xa56f382c;
				E00007FF77FF7A56EA574(__ebp, _t159, _t176, _t176, _t219, _t223);
				_t237 = _t159;
				if (_t159 != 0) goto 0xa56f3513;
				free(_t233);
				goto 0xa56f34ea;
				 *_t159 =  *_t159 & r12d;
				if ( *((intOrPtr*)(_t219 + 0x18)) == r12d) goto 0xa56f3788;
				E00007FF77FF7A56EA574(__ebp, _t159, _t176, _t176, _t219, _t223);
				_t234 = _t159;
				_t149 = _t159;
				if (_t149 != 0) goto 0xa56f353d;
				free(??);
				goto 0xa56f350c;
				 *_t159 =  *_t159 & 0x00000000;
				_t142 =  *(_t219 + 0x38) & 0x0000ffff;
				r9d = 0x15;
				_t13 =  &(_t223[6]); // 0x18
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t13;
				_t88 = E00007FF77FF7A56EFB68(4, __r9 - 0x14, _t176, _t226 + 0x30, __r8);
				_t17 =  &(_t223[8]); // 0x20
				r9d = 0x14;
				 *((long long*)(_t226 + 0x20)) = _t17;
				r8d = _t142;
				_t111 = _t88;
				_t89 = E00007FF77FF7A56EFB68(_t111, _t232 - 0x13, _t176, _t226 + 0x30, __r8);
				_t21 =  &(_t223[0xa]); // 0x28
				r9d = 0x16;
				 *((long long*)(_t226 + 0x20)) = _t21;
				r8d = _t142;
				_t112 = _t111 | _t89;
				_t90 = E00007FF77FF7A56EFB68(_t112, _t232 - 0x15, _t176, _t226 + 0x30, __r8);
				r9d = 0x17;
				_t113 = _t112 | _t90;
				_t26 =  &(_t223[0xc]); // 0x30
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t26;
				_t91 = E00007FF77FF7A56EFB68(_t113, _t232 - 0x16, _t176, _t226 + 0x30, __r8);
				r9d = 0x18;
				_t29 =  &(_t223[0xe]); // 0x38
				_t240 = _t29;
				r8d = _t142;
				_t114 = _t113 | _t91;
				 *((long long*)(_t226 + 0x20)) = _t240;
				_t92 = E00007FF77FF7A56EFB68(_t114, _t232 - 0x17, _t176, _t226 + 0x30, __r8);
				r9d = 0x50;
				_t115 = _t114 | _t92;
				_t33 =  &(_t223[0x10]); // 0x40
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t33;
				_t93 = E00007FF77FF7A56EFB68(_t115, _t232 - 0x4f, _t176, _t226 + 0x30, _t228);
				r9d = 0x51;
				_t116 = _t115 | _t93;
				_t37 =  &(_t223[0x12]); // 0x48
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t37;
				_t94 = E00007FF77FF7A56EFB68(_t116, _t232 - 0x50, _t176, _t226 + 0x30, _t228);
				r9d = 0x1a;
				_t117 = _t116 | _t94;
				_t42 =  &(_t223[0x14]); // 0x50
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t42;
				_t95 = E00007FF77FF7A56EFB68(_t117, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x19;
				_t118 = _t117 | _t95;
				_t45 =  &(_t223[0x14]); // 0x51
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t45;
				_t96 = E00007FF77FF7A56EFB68(_t118, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x54;
				_t119 = _t118 | _t96;
				_t48 =  &(_t223[0x14]); // 0x52
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t48;
				_t120 = _t119 | E00007FF77FF7A56EFB68(_t119, 0, _t176, _t226 + 0x30, _t228);
				_t50 =  &(_t223[0x14]); // 0x53
				r9d = 0x55;
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t50;
				_t121 = _t120 | E00007FF77FF7A56EFB68(_t120, 0, _t176, _t226 + 0x30, _t228);
				_t54 =  &(_t223[0x15]); // 0x54
				r9d = 0x56;
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t54;
				_t99 = E00007FF77FF7A56EFB68(_t121, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x57;
				_t122 = _t121 | _t99;
				_t57 =  &(_t223[0x15]); // 0x55
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t57;
				_t100 = E00007FF77FF7A56EFB68(_t122, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x52;
				_t60 =  &(_t223[0x15]); // 0x56
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t60;
				_t101 = E00007FF77FF7A56EFB68(_t122 | _t100, 0, _t176, _t226 + 0x30, _t228);
				r9d = 0x53;
				_t63 =  &(_t223[0x15]); // 0x57
				r8d = _t142;
				 *((long long*)(_t226 + 0x20)) = _t63;
				_t102 = E00007FF77FF7A56EFB68(_t122 | _t100 | _t101, 0, _t176, _t226 + 0x30, _t228);
				if (_t149 == 0) goto 0xa56f3754;
				E00007FF77FF7A56F33F4(_t102 | _t122 | _t100 | _t101, _t223);
				free(??);
				free(??);
				goto 0xa56f350c;
				_t213 =  *_t240;
				goto 0xa56f376a;
				_t105 =  *_t213;
				if (_t105 - 0x30 < 0) goto 0xa56f3771;
				if (_t105 - 0x39 > 0) goto 0xa56f3771;
				_t106 = _t105 - 0x30;
				 *_t213 = _t106;
				_t214 = _t213 + 1;
				if ( *_t214 != 0) goto 0xa56f3759;
				goto 0xa56f379a;
				if (_t106 != 0x3b) goto 0xa56f3767;
				_t229 = _t214;
				_t107 =  *((intOrPtr*)(_t229 + 1));
				 *_t229 = _t107;
				if (_t107 != 0) goto 0xa56f3778;
				goto 0xa56f376a;
				E00007FF77FF7A56EAE90(_t10, _t107, _t223, 0xa57201a0, _t216);
				 *_t223 =  *( *(_t219 + 0x128));
				_t223[2] = ( *(_t219 + 0x128))[2];
				_t223[4] = ( *(_t219 + 0x128))[4];
				 *_t237 = 1;
				if (_t234 == 0) goto 0xa56f37db;
				 *_t234 = 1;
				if ( *(_t219 + 0x120) == 0) goto 0xa56f37eb;
				asm("lock add dword [eax], 0xffffffff");
				_t157 =  *(_t219 + 0x110);
				if (_t157 == 0) goto 0xa56f3815;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t157 != 0) goto 0xa56f3815;
				free(??);
				free(??);
				 *(_t219 + 0x120) = _t234;
				 *(_t219 + 0x110) = _t237;
				 *(_t219 + 0x128) = _t223;
				return 0;
			}

0x7ff7a56f348c
0x7ff7a56f348c
0x7ff7a56f348c
0x7ff7a56f348c
0x7ff7a56f348c
0x7ff7a56f348f
0x7ff7a56f3493
0x7ff7a56f3497
0x7ff7a56f349b
0x7ff7a56f34a5
0x7ff7a56f34a9
0x7ff7a56f34ac
0x7ff7a56f34af
0x7ff7a56f34b3
0x7ff7a56f34bb
0x7ff7a56f34c1
0x7ff7a56f34c3
0x7ff7a56f34cd
0x7ff7a56f34da
0x7ff7a56f34dd
0x7ff7a56f34e2
0x7ff7a56f34e8
0x7ff7a56f34ef
0x7ff7a56f34fc
0x7ff7a56f3501
0x7ff7a56f3507
0x7ff7a56f350c
0x7ff7a56f3511
0x7ff7a56f3513
0x7ff7a56f351a
0x7ff7a56f3523
0x7ff7a56f3528
0x7ff7a56f352b
0x7ff7a56f352e
0x7ff7a56f3533
0x7ff7a56f353b
0x7ff7a56f353d
0x7ff7a56f3540
0x7ff7a56f3544
0x7ff7a56f354a
0x7ff7a56f3557
0x7ff7a56f355a
0x7ff7a56f355f
0x7ff7a56f3564
0x7ff7a56f3568
0x7ff7a56f356e
0x7ff7a56f357c
0x7ff7a56f357f
0x7ff7a56f3581
0x7ff7a56f3586
0x7ff7a56f358a
0x7ff7a56f3590
0x7ff7a56f359e
0x7ff7a56f35a1
0x7ff7a56f35a3
0x7ff7a56f35a8
0x7ff7a56f35b3
0x7ff7a56f35b5
0x7ff7a56f35bd
0x7ff7a56f35c0
0x7ff7a56f35c5
0x7ff7a56f35ca
0x7ff7a56f35d0
0x7ff7a56f35d0
0x7ff7a56f35dd
0x7ff7a56f35e0
0x7ff7a56f35e2
0x7ff7a56f35e7
0x7ff7a56f35ec
0x7ff7a56f35f2
0x7ff7a56f35f4
0x7ff7a56f3601
0x7ff7a56f3604
0x7ff7a56f3609
0x7ff7a56f360e
0x7ff7a56f3614
0x7ff7a56f3616
0x7ff7a56f3623
0x7ff7a56f3626
0x7ff7a56f362b
0x7ff7a56f3635
0x7ff7a56f363b
0x7ff7a56f363d
0x7ff7a56f3641
0x7ff7a56f3646
0x7ff7a56f364b
0x7ff7a56f3655
0x7ff7a56f365b
0x7ff7a56f365d
0x7ff7a56f3661
0x7ff7a56f3666
0x7ff7a56f366b
0x7ff7a56f3675
0x7ff7a56f367b
0x7ff7a56f367d
0x7ff7a56f3681
0x7ff7a56f3686
0x7ff7a56f3690
0x7ff7a56f3692
0x7ff7a56f369b
0x7ff7a56f36a1
0x7ff7a56f36a6
0x7ff7a56f36b5
0x7ff7a56f36b7
0x7ff7a56f36bb
0x7ff7a56f36c1
0x7ff7a56f36c6
0x7ff7a56f36cb
0x7ff7a56f36d5
0x7ff7a56f36db
0x7ff7a56f36dd
0x7ff7a56f36e1
0x7ff7a56f36e6
0x7ff7a56f36eb
0x7ff7a56f36f5
0x7ff7a56f36fd
0x7ff7a56f3701
0x7ff7a56f3706
0x7ff7a56f370b
0x7ff7a56f3715
0x7ff7a56f371d
0x7ff7a56f3721
0x7ff7a56f3726
0x7ff7a56f372b
0x7ff7a56f3732
0x7ff7a56f3737
0x7ff7a56f373f
0x7ff7a56f3747
0x7ff7a56f374f
0x7ff7a56f3754
0x7ff7a56f3757
0x7ff7a56f3759
0x7ff7a56f375d
0x7ff7a56f3761
0x7ff7a56f3763
0x7ff7a56f3765
0x7ff7a56f3767
0x7ff7a56f376d
0x7ff7a56f376f
0x7ff7a56f3773
0x7ff7a56f3775
0x7ff7a56f3778
0x7ff7a56f377c
0x7ff7a56f3784
0x7ff7a56f3786
0x7ff7a56f3795
0x7ff7a56f37a4
0x7ff7a56f37b3
0x7ff7a56f37c2
0x7ff7a56f37c6
0x7ff7a56f37d1
0x7ff7a56f37d3
0x7ff7a56f37e5
0x7ff7a56f37e7
0x7ff7a56f37f2
0x7ff7a56f37f5
0x7ff7a56f37f7
0x7ff7a56f37fb
0x7ff7a56f3804
0x7ff7a56f3810
0x7ff7a56f3815
0x7ff7a56f381c
0x7ff7a56f3823
0x7ff7a56f384a

APIs

free.LIBCMT ref: 00007FF7A56F350C
free.LIBCMT ref: 00007FF7A56F3533
free.LIBCMT ref: 00007FF7A56F3804
free.LIBCMT ref: 00007FF7A56F3810

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6dfd3ff1200bf06653a9c526eabe73c63303c5f0231cfc1aad9142993ce12b02
Instruction ID: cd19b6f1e11a8708d2dbcc091c5a86bee9730e8ec6c670cc3544e6c1b9e83593
Opcode Fuzzy Hash: 6dfd3ff1200bf06653a9c526eabe73c63303c5f0231cfc1aad9142993ce12b02
Instruction Fuzzy Hash: 06B1C432B1AB818AEB64EB62E0505ADB7A1FB8AF44F815131EE8D437A5DF3CD105C714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570A560 Relevance: 7.6, APIs: 5, Instructions: 130
fileCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 64%

			E00007FF77FF7A570A560(void* __ebx, void* __ecx, void* __edi, long long __rbx, void* __rcx, void* __rdx, long long __rbp, long long __r8, void* __r9, char _a8, char _a32) {
				void* _v24;
				long long _v40;
				long long _v48;
				long long _v56;
				char _v80;
				long long _v88;
				long long _v104;
				void* __rdi;
				void* __rsi;
				intOrPtr _t74;
				void* _t84;
				void* _t87;
				void* _t92;
				long long* _t93;
				long long _t100;
				void* _t104;
				intOrPtr _t120;
				void* _t135;
				void* _t138;
				void* _t140;
				void* _t145;
				long long _t150;

				_t92 = _t140;
				_v88 = 0xfffffffe;
				 *((long long*)(_t92 + 0x10)) = __rbx;
				 *((long long*)(_t92 + 0x18)) = __rbp;
				_t100 = __r8;
				_t138 = __rdx;
				_t135 = __rcx;
				r12d = 0;
				 *((intOrPtr*)(_t92 + 0x20)) = r12d;
				if ( *((intOrPtr*)(__rcx + 0x28)) == r12b) goto 0xa570a6fe;
				_t136 = __rcx + 0x70;
				_t124 = __rcx + 0x70;
				E00007FF77FF7A57078E0(__ebx, __edi, __r8, __rcx + 0x90, __rcx + 0x70, __rcx, _t136);
				r8d = 0;
				E00007FF77FF7A56D4D20(_t136 + 0x210, _t136);
				r8d = 0;
				E00007FF77FF7A56D4D20(_t136 + 0x240, _t124);
				if ( *((intOrPtr*)(_t100 + 0x18)) == _t150) goto 0xa570a5f7;
				_t93 =  *((intOrPtr*)(_t100 + 0x18));
				if ( *((long long*)(_t100 + 0x20)) - 8 < 0) goto 0xa570a5df;
				goto 0xa570a5e3;
				r8d = _t93 + _t93;
				_t84 = E00007FF77FF7A5709680(__ebx, 0, _t136, _t100 + 8);
				if (_t84 == 0) goto 0xa570a750;
				E00007FF77FF7A57091A0(_t100, _t136, _t100 + 8, _t136, _t138);
				_t74 =  *((intOrPtr*)(_t135 + 0x2d0)) -  *((intOrPtr*)(_t135 + 0x2c8));
				if (_t84 == 0) goto 0xa570a750;
				E00007FF77FF7A56E45E0(_t93, _t136);
				if (_t93 == 0) goto 0xa570a62a;
				 *_t93 =  &_v80;
				goto 0xa570a62d;
				_v80 = _t150;
				_a8 = 0;
				E00007FF77FF7A56D4CA0(_t150, _t100,  &_v80, _t100 + 4, _t136,  &_a8);
				if (_v48 != _v56) goto 0xa570a66c;
				E00007FF77FF7A56E44B8();
				 *_v56 = _t74;
				_t87 = _v48 - _v56 - 4;
				if (_t87 > 0) goto 0xa570a68b;
				E00007FF77FF7A56E44B8();
				E00007FF77FF7A5708A00(_t136);
				_t145 = _t135;
				E00007FF77FF7A56EAE90(8, _t87, _v56 + 4, _v48 - _v56, _t145);
				_t104 = _v48 - _v56;
				if (_t87 != 0) goto 0xa570a6bb;
				E00007FF77FF7A56E44B8();
				_v104 = _t150;
				r8d = _t74;
				WriteFile(??, ??, ??, ??, ??);
				if (_v56 == 0) goto 0xa570a6e3;
				E00007FF77FF7A56E44D8(_v48 - _v56, _t104, _v56, _v56, _t136, _t145,  &_a32);
				_v56 = _t150;
				_v48 = _t150;
				_v40 = _t150;
				_t120 = _v80;
				E00007FF77FF7A56E44D8(_v48 - _v56, _t104, _t120, _v56, _t136, _t145,  &_a32);
				goto 0xa570a750;
				if ( *((intOrPtr*)(_t120 + 0x29)) == r12b) goto 0xa570a721;
				if ( *((long long*)(_t145 + 0x20)) - 8 < 0) goto 0xa570a711;
				goto 0xa570a715;
				E00007FF77FF7A56E6068(L"%s", _t145 + 8, _t145,  &_a32);
				if ( *((long long*)(_t104 + 0x20)) - 8 < 0) goto 0xa570a732;
				goto 0xa570a736;
				r8d =  *((intOrPtr*)(_t104 + 0x18)) +  *((intOrPtr*)(_t104 + 0x18));
				_v104 = _t150;
				return WriteFile(??, ??, ??, ??, ??);
			}

0x7ff7a570a560
0x7ff7a570a56b
0x7ff7a570a574
0x7ff7a570a578
0x7ff7a570a57c
0x7ff7a570a57f
0x7ff7a570a582
0x7ff7a570a585
0x7ff7a570a588
0x7ff7a570a590
0x7ff7a570a596
0x7ff7a570a59e
0x7ff7a570a5a1
0x7ff7a570a5ad
0x7ff7a570a5b2
0x7ff7a570a5be
0x7ff7a570a5c3
0x7ff7a570a5cc
0x7ff7a570a5ce
0x7ff7a570a5d7
0x7ff7a570a5dd
0x7ff7a570a5e3
0x7ff7a570a5ef
0x7ff7a570a5f1
0x7ff7a570a5fa
0x7ff7a570a605
0x7ff7a570a60b
0x7ff7a570a616
0x7ff7a570a61e
0x7ff7a570a625
0x7ff7a570a628
0x7ff7a570a62d
0x7ff7a570a632
0x7ff7a570a64d
0x7ff7a570a660
0x7ff7a570a662
0x7ff7a570a66c
0x7ff7a570a67b
0x7ff7a570a67f
0x7ff7a570a681
0x7ff7a570a68e
0x7ff7a570a696
0x7ff7a570a69d
0x7ff7a570a6ac
0x7ff7a570a6af
0x7ff7a570a6b1
0x7ff7a570a6bb
0x7ff7a570a6c8
0x7ff7a570a6ce
0x7ff7a570a6dc
0x7ff7a570a6de
0x7ff7a570a6e3
0x7ff7a570a6e8
0x7ff7a570a6ed
0x7ff7a570a6f2
0x7ff7a570a6f7
0x7ff7a570a6fc
0x7ff7a570a702
0x7ff7a570a709
0x7ff7a570a70f
0x7ff7a570a71c
0x7ff7a570a72a
0x7ff7a570a730
0x7ff7a570a736
0x7ff7a570a73a
0x7ff7a570a764

APIs

WriteFile.KERNEL32 ref: 00007FF7A570A74A

Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4D50

Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DB0
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DBF
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DCF
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4DF6
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E0C
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E20
Part of subcall function 00007FF7A56D4D20: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4E2F

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A662
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A681
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A6B1
WriteFile.KERNEL32 ref: 00007FF7A570A6CE

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo$FileWrite
String ID:
API String ID: 255116272-0
Opcode ID: f65e552bf3d28aa478b740350a4f5241e804a358c94a3600ca4f6d6addcbd357
Instruction ID: 74d27a867431864f075233ba6eb74917a0431d9fd02091e874f4142f42dc9303
Opcode Fuzzy Hash: f65e552bf3d28aa478b740350a4f5241e804a358c94a3600ca4f6d6addcbd357
Instruction Fuzzy Hash: BF51913260AA8185EB20EF25D4405BEE3A1FB8AF94FC65131EA4D177A9DF7CD445C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D55C0 Relevance: 7.6, APIs: 5, Instructions: 119
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7A56D55C0(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long* __r8, intOrPtr* __r9) {
				void* _t59;
				void* _t60;
				void* _t61;
				intOrPtr _t80;
				intOrPtr _t81;
				intOrPtr _t86;
				intOrPtr _t90;
				intOrPtr* _t91;
				intOrPtr _t92;
				long long _t93;
				long long* _t106;
				intOrPtr* _t107;
				long long _t109;
				long long _t110;
				long long* _t112;
				intOrPtr* _t113;
				long long _t125;
				intOrPtr* _t126;
				void* _t128;
				void* _t129;
				long long* _t136;

				_t103 = __rcx;
				 *((long long*)(_t128 + 8)) = __rbx;
				 *((long long*)(_t128 + 0x10)) = _t125;
				 *((long long*)(_t128 + 0x18)) = __rsi;
				 *((long long*)(_t128 + 0x20)) = __rdi;
				_t129 = _t128 - 0x50;
				_t5 = _t103 + 0x30; // 0x44c748000000e0ec
				_t80 =  *((intOrPtr*)(__r8));
				_t136 = __rdx;
				_t126 = __rcx;
				if (_t80 == 0) goto 0xa56d55fa;
				if (_t80 ==  *__rcx) goto 0xa56d55ff;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r8 + 8)) !=  *((intOrPtr*)( *_t5))) goto 0xa56d5670;
				_t81 =  *__r9;
				_t7 = _t126 + 0x30; // 0x44c748000000e0ec
				if (_t81 == 0) goto 0xa56d5617;
				if (_t81 ==  *__rcx) goto 0xa56d561c;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r9 + 8)) !=  *_t7) goto 0xa56d5670;
				_t9 = _t126 + 0x30; // 0x44c748000000e0ec
				E00007FF77FF7A56D6320(__r8, __rcx,  *((intOrPtr*)( *_t9 + 8)), __r9, __rcx);
				_t11 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)( *_t11 + 8)) =  *_t11;
				_t13 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)(_t126 + 0x38)) = 0;
				 *((long long*)( *_t13)) =  *_t13;
				_t15 = _t126 + 0x30; // 0x44c748000000e0ec
				 *((long long*)( *_t15 + 0x10)) =  *_t15;
				_t17 = _t126 + 0x30; // 0x44c748000000e0ec
				 *_t136 =  *_t126;
				 *((long long*)(_t136 + 8)) =  *((intOrPtr*)( *_t17));
				goto 0xa56d5766;
				asm("o16 nop [eax+eax]");
				_t86 =  *((intOrPtr*)(__r8));
				if (_t86 == 0) goto 0xa56d567d;
				if (_t86 ==  *__r9) goto 0xa56d5682;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r8 + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0xa56d572e;
				_t106 = _t129 + 0x20;
				 *_t106 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t106 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *__r8 != 0) goto 0xa56d56ae;
				E00007FF77FF7A56E44B8();
				_t90 =  *((intOrPtr*)(__r8 + 8));
				if ( *((char*)(_t90 + 0x39)) == 0) goto 0xa56d56bf;
				E00007FF77FF7A56E44B8();
				goto 0xa56d570c;
				_t107 =  *((intOrPtr*)(_t90 + 0x10));
				if ( *((char*)(_t107 + 0x39)) != 0) goto 0xa56d56e0;
				_t91 =  *_t107;
				if ( *((char*)(_t91 + 0x39)) != 0) goto 0xa56d5708;
				_t92 =  *_t91;
				if ( *((char*)(_t92 + 0x39)) == 0) goto 0xa56d56d2;
				goto 0xa56d5708;
				_t109 =  *((intOrPtr*)(_t92 + 8));
				if ( *((char*)(_t109 + 0x39)) != 0) goto 0xa56d5708;
				asm("o16 nop [eax+eax]");
				_t93 =  *((intOrPtr*)(_t109 + 0x10));
				if ( *((intOrPtr*)(__r8 + 8)) != _t93) goto 0xa56d5708;
				 *((long long*)(__r8 + 8)) = _t109;
				_t110 =  *((intOrPtr*)(_t109 + 8));
				if ( *((char*)(_t110 + 0x39)) == 0) goto 0xa56d56f0;
				 *((long long*)(__r8 + 8)) = _t110;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t59 = E00007FF77FF7A56D5EB0(_t60, _t61, __r8, _t126, _t129 + 0x40, __r9, _t129 + 0x30, __r9);
				goto 0xa56d5670;
				_t112 = _t129 + 0x30;
				 *_t112 = _t93;
				 *((long long*)(_t112 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t113 = _t129 + 0x20;
				 *((long long*)(_t129 + 0x28)) =  *((intOrPtr*)(_t129 + 0x38));
				 *((long long*)(_t129 + 0x20)) =  *_t126;
				 *_t136 =  *_t113;
				 *((long long*)(_t136 + 8)) =  *((intOrPtr*)(_t113 + 8));
				return _t59;
			}

0x7ff7a56d55c0
0x7ff7a56d55c0
0x7ff7a56d55c5
0x7ff7a56d55ca
0x7ff7a56d55cf
0x7ff7a56d55d6
0x7ff7a56d55da
0x7ff7a56d55e7
0x7ff7a56d55ea
0x7ff7a56d55ed
0x7ff7a56d55f3
0x7ff7a56d55f8
0x7ff7a56d55fa
0x7ff7a56d5603
0x7ff7a56d5605
0x7ff7a56d5608
0x7ff7a56d560f
0x7ff7a56d5615
0x7ff7a56d5617
0x7ff7a56d5620
0x7ff7a56d5622
0x7ff7a56d562d
0x7ff7a56d5632
0x7ff7a56d5636
0x7ff7a56d563a
0x7ff7a56d563e
0x7ff7a56d5646
0x7ff7a56d5649
0x7ff7a56d564d
0x7ff7a56d5651
0x7ff7a56d565c
0x7ff7a56d5660
0x7ff7a56d5665
0x7ff7a56d566a
0x7ff7a56d5670
0x7ff7a56d5676
0x7ff7a56d567b
0x7ff7a56d567d
0x7ff7a56d568d
0x7ff7a56d5697
0x7ff7a56d569c
0x7ff7a56d56a3
0x7ff7a56d56a7
0x7ff7a56d56a9
0x7ff7a56d56ae
0x7ff7a56d56b6
0x7ff7a56d56b8
0x7ff7a56d56bd
0x7ff7a56d56bf
0x7ff7a56d56c7
0x7ff7a56d56c9
0x7ff7a56d56d0
0x7ff7a56d56d5
0x7ff7a56d56dc
0x7ff7a56d56de
0x7ff7a56d56e0
0x7ff7a56d56e8
0x7ff7a56d56ea
0x7ff7a56d56f0
0x7ff7a56d56f8
0x7ff7a56d56fa
0x7ff7a56d56fe
0x7ff7a56d5706
0x7ff7a56d5708
0x7ff7a56d570c
0x7ff7a56d571e
0x7ff7a56d5724
0x7ff7a56d5729
0x7ff7a56d572e
0x7ff7a56d5733
0x7ff7a56d573a
0x7ff7a56d5743
0x7ff7a56d5748
0x7ff7a56d5751
0x7ff7a56d5759
0x7ff7a56d5761
0x7ff7a56d5783

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D55FA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D5617

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f24478f95e3a0eeb8cc74fcbd0085942c264e63632729c83631c048cfd9381a0
Instruction ID: 0c62f98efa88652eb22105b5efdd92e2a01f92d0cbadb48887afdd3a21f714ec
Opcode Fuzzy Hash: f24478f95e3a0eeb8cc74fcbd0085942c264e63632729c83631c048cfd9381a0
Instruction Fuzzy Hash: BC512A23A07F8585DB909F15D48036CB3A6F769F84F95A422DA8D03B64DF39D4A0C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DC520 Relevance: 7.6, APIs: 5, Instructions: 112
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00007FF77FF7A56DC520(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long* __r8, intOrPtr* __r9) {
				void* _t51;
				void* _t52;
				intOrPtr _t71;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t79;
				intOrPtr* _t80;
				intOrPtr _t81;
				long long _t82;
				long long* _t94;
				intOrPtr* _t95;
				long long _t97;
				long long _t98;
				long long* _t100;
				intOrPtr* _t101;
				long long _t111;
				intOrPtr* _t112;
				void* _t114;
				void* _t115;
				void* _t121;
				long long* _t122;

				 *((long long*)(_t114 + 8)) = __rbx;
				 *((long long*)(_t114 + 0x10)) = _t111;
				 *((long long*)(_t114 + 0x18)) = __rsi;
				 *((long long*)(_t114 + 0x20)) = __rdi;
				_t115 = _t114 - 0x50;
				_t71 =  *((intOrPtr*)(__r8));
				_t122 = __rdx;
				_t112 = __rcx;
				if (_t71 == 0) goto 0xa56dc55a;
				if (_t71 ==  *__rcx) goto 0xa56dc55f;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r8 + 8)) !=  *((intOrPtr*)( *((intOrPtr*)(__rcx + 0x30))))) goto 0xa56dc5a3;
				_t72 =  *__r9;
				if (_t72 == 0) goto 0xa56dc577;
				if (_t72 ==  *__rcx) goto 0xa56dc57c;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r9 + 8)) !=  *((intOrPtr*)(__rcx + 0x30))) goto 0xa56dc5a3;
				E00007FF77FF7A56DCB50(__r8, __rcx, __r9, _t121);
				 *((long long*)(_t122 + 8)) =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 0x30))));
				 *_t122 =  *_t112;
				goto 0xa56dc6a6;
				_t75 =  *((intOrPtr*)(__r8));
				if (_t75 == 0) goto 0xa56dc5b0;
				if (_t75 ==  *__r9) goto 0xa56dc5b5;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__r8 + 8)) ==  *((intOrPtr*)(__r9 + 8))) goto 0xa56dc66e;
				_t94 = _t115 + 0x20;
				 *_t94 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t94 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ( *__r8 != 0) goto 0xa56dc5e1;
				E00007FF77FF7A56E44B8();
				_t79 =  *((intOrPtr*)(__r8 + 8));
				if ( *((char*)(_t79 + 0x29)) == 0) goto 0xa56dc5f2;
				E00007FF77FF7A56E44B8();
				goto 0xa56dc64c;
				_t95 =  *((intOrPtr*)(_t79 + 0x10));
				if ( *((char*)(_t95 + 0x29)) != 0) goto 0xa56dc61e;
				_t80 =  *_t95;
				if ( *((char*)(_t80 + 0x29)) != 0) goto 0xa56dc648;
				asm("o16 nop [eax+eax]");
				_t81 =  *_t80;
				if ( *((char*)(_t81 + 0x29)) == 0) goto 0xa56dc610;
				goto 0xa56dc648;
				_t97 =  *((intOrPtr*)(_t81 + 8));
				if ( *((char*)(_t97 + 0x29)) != 0) goto 0xa56dc648;
				_t82 =  *((intOrPtr*)(_t97 + 0x10));
				if ( *((intOrPtr*)(__r8 + 8)) != _t82) goto 0xa56dc648;
				 *((long long*)(__r8 + 8)) = _t97;
				_t98 =  *((intOrPtr*)(_t97 + 8));
				if ( *((char*)(_t98 + 0x29)) == 0) goto 0xa56dc630;
				 *((long long*)(__r8 + 8)) = _t98;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x30], xmm0");
				_t51 = E00007FF77FF7A56DC760(_t52, __r8, _t112, _t115 + 0x40, __r9, _t115 + 0x30, __r9);
				goto 0xa56dc5a3;
				_t100 = _t115 + 0x30;
				 *_t100 = _t82;
				 *((long long*)(_t100 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t101 = _t115 + 0x20;
				 *((long long*)(_t115 + 0x28)) =  *((intOrPtr*)(_t115 + 0x38));
				 *((long long*)(_t115 + 0x20)) =  *_t112;
				 *_t122 =  *_t101;
				 *((long long*)(_t122 + 8)) =  *((intOrPtr*)(_t101 + 8));
				return _t51;
			}

0x7ff7a56dc520
0x7ff7a56dc525
0x7ff7a56dc52a
0x7ff7a56dc52f
0x7ff7a56dc536
0x7ff7a56dc547
0x7ff7a56dc54a
0x7ff7a56dc54d
0x7ff7a56dc553
0x7ff7a56dc558
0x7ff7a56dc55a
0x7ff7a56dc563
0x7ff7a56dc565
0x7ff7a56dc56f
0x7ff7a56dc575
0x7ff7a56dc577
0x7ff7a56dc580
0x7ff7a56dc585
0x7ff7a56dc591
0x7ff7a56dc59a
0x7ff7a56dc59e
0x7ff7a56dc5a3
0x7ff7a56dc5a9
0x7ff7a56dc5ae
0x7ff7a56dc5b0
0x7ff7a56dc5c0
0x7ff7a56dc5ca
0x7ff7a56dc5cf
0x7ff7a56dc5d6
0x7ff7a56dc5da
0x7ff7a56dc5dc
0x7ff7a56dc5e1
0x7ff7a56dc5e9
0x7ff7a56dc5eb
0x7ff7a56dc5f0
0x7ff7a56dc5f2
0x7ff7a56dc5fa
0x7ff7a56dc5fc
0x7ff7a56dc603
0x7ff7a56dc605
0x7ff7a56dc613
0x7ff7a56dc61a
0x7ff7a56dc61c
0x7ff7a56dc61e
0x7ff7a56dc626
0x7ff7a56dc630
0x7ff7a56dc638
0x7ff7a56dc63a
0x7ff7a56dc63e
0x7ff7a56dc646
0x7ff7a56dc648
0x7ff7a56dc64c
0x7ff7a56dc65e
0x7ff7a56dc664
0x7ff7a56dc669
0x7ff7a56dc66e
0x7ff7a56dc673
0x7ff7a56dc67a
0x7ff7a56dc683
0x7ff7a56dc688
0x7ff7a56dc691
0x7ff7a56dc699
0x7ff7a56dc6a1
0x7ff7a56dc6c3

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC55A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC577
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC5B0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC5DC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC5EB

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 3f9fb94ebf619a72e56c9b87b2a251ac8c4213fab99a0683694bafe1793dd332
Instruction ID: 2d2330b3db7ac9b5cb19a9421d0ad537d4c312a94bf4595aa6f803dca465052d
Opcode Fuzzy Hash: 3f9fb94ebf619a72e56c9b87b2a251ac8c4213fab99a0683694bafe1793dd332
Instruction Fuzzy Hash: A1513C23A0BF8985EB509F19D04026CB7A2F749F84F99A535DA8D437A5DF39E4A1C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DD490 Relevance: 7.6, APIs: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56DD490(long long __rbx, void* __rcx, void* __rdx, long long __rdi, long long __rsi, long long __rbp, void* __r12, void* __r13, void* __r14, long long _a8, long long _a16, long long _a24, long long _a32) {

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_a32 = __rdi;
			}

0x7ff7a56dd490
0x7ff7a56dd495
0x7ff7a56dd49a
0x7ff7a56dd49f

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD4F7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD50A
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD562
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD584
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DD5AF

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 9adf0773738e164250931235ba60c9b3937481e2f1625136ecae2f05f93c4938
Instruction ID: a6270673e3a91cac7e3c102971dbe37f6eba4dfaef550fb6e4a048087f052395
Opcode Fuzzy Hash: 9adf0773738e164250931235ba60c9b3937481e2f1625136ecae2f05f93c4938
Instruction Fuzzy Hash: 79418163B06F8585DA20AF26E50016DE3A6FB49FC8B995532EE8C07B68DE3CE151C750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D4E70 Relevance: 7.6, APIs: 5, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00007FF77FF7A56D4E70(long long __rbx, intOrPtr* __rcx, long long* __rdx, long long __rdi, long long __rsi, long long __rbp, intOrPtr* __r8, void* __r9, long long _a8, long long _a16, long long _a24, long long _a32) {
				long long _v32;
				char _v40;
				void* _t33;
				intOrPtr _t46;
				intOrPtr* _t54;
				intOrPtr _t57;
				long long* _t58;
				intOrPtr* _t60;
				signed long long _t67;
				long long _t69;
				intOrPtr _t85;
				long long _t86;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_a32 = __rdi;
				_t57 =  *((intOrPtr*)(__rcx + 0x20));
				_t85 =  *((intOrPtr*)(__rcx + 0x18));
				if ((_t57 - _t85 & 0xfffffff0) != 0) goto 0xa56d4eb7;
				goto 0xa56d4edf;
				if (_t85 - _t57 <= 0) goto 0xa56d4ec1;
				E00007FF77FF7A56E44B8();
				_t46 =  *((intOrPtr*)(__r8));
				if (_t46 == 0) goto 0xa56d4ecf;
				if (_t46 ==  *((intOrPtr*)(__rcx))) goto 0xa56d4ed4;
				E00007FF77FF7A56E44B8();
				_t67 =  *((intOrPtr*)(__r8 + 8)) - _t85 >> 4;
				_t58 =  &_v40;
				 *_t58 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				r8d = 1;
				E00007FF77FF7A56D5790(__rcx, __rcx,  &_v40, __rsi, __r8, __r9);
				_t86 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t86 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56d4f18;
				E00007FF77FF7A56E44B8();
				_t54 =  *((intOrPtr*)(__rcx));
				_v32 = _t86;
				_v40 = _t54;
				asm("movaps xmm0, [esp+0x20]");
				asm("movdqa [esp+0x20], xmm0");
				if (_t54 != 0) goto 0xa56d4f3f;
				E00007FF77FF7A56E44B8();
				goto 0xa56d4f42;
				_t69 = (_t67 << 4) + _t86;
				if (_t69 -  *((intOrPtr*)( *_t54 + 0x20)) > 0) goto 0xa56d4f5d;
				if (_t54 == 0) goto 0xa56d4f57;
				if (_t69 -  *((intOrPtr*)( *_t54 + 0x18)) >= 0) goto 0xa56d4f62;
				_t33 = E00007FF77FF7A56E44B8();
				_v32 = _t69;
				_t60 =  &_v40;
				 *__rdx =  *_t60;
				_a8 =  *((intOrPtr*)(_t60 + 8));
				return _t33;
			}

0x7ff7a56d4e70
0x7ff7a56d4e75
0x7ff7a56d4e7a
0x7ff7a56d4e7f
0x7ff7a56d4e91
0x7ff7a56d4e97
0x7ff7a56d4eb0
0x7ff7a56d4eb5
0x7ff7a56d4eba
0x7ff7a56d4ebc
0x7ff7a56d4ec1
0x7ff7a56d4ec8
0x7ff7a56d4ecd
0x7ff7a56d4ecf
0x7ff7a56d4edb
0x7ff7a56d4ee3
0x7ff7a56d4eed
0x7ff7a56d4ef7
0x7ff7a56d4efe
0x7ff7a56d4f04
0x7ff7a56d4f09
0x7ff7a56d4f11
0x7ff7a56d4f13
0x7ff7a56d4f18
0x7ff7a56d4f1b
0x7ff7a56d4f20
0x7ff7a56d4f25
0x7ff7a56d4f2a
0x7ff7a56d4f33
0x7ff7a56d4f35
0x7ff7a56d4f3d
0x7ff7a56d4f46
0x7ff7a56d4f4d
0x7ff7a56d4f52
0x7ff7a56d4f5b
0x7ff7a56d4f5d
0x7ff7a56d4f6c
0x7ff7a56d4f76
0x7ff7a56d4f7e
0x7ff7a56d4f86
0x7ff7a56d4f9c

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4EBC
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4ECF
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4F13
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4F35
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D4F5D

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 0dfe290ad0cdf64aa43669a68593f605fd5eb979421ae91750d4b89d46ba8f38
Instruction ID: 1aae16b953f7e106f08caec03ee949efe6a2807d63ddcb5b63755dbd0fccaa91
Opcode Fuzzy Hash: 0dfe290ad0cdf64aa43669a68593f605fd5eb979421ae91750d4b89d46ba8f38
Instruction Fuzzy Hash: 7C31AD23B0AF8581DA20AB15E40052DE3A5FB89F88F995531EE8C03B68DF7CE851C350

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E4BB8 Relevance: 7.6, APIs: 5, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56E4BE1
DecodePointer.KERNEL32(?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56E4BF0

Part of subcall function 00007FF7A56EE508: _errno.LIBCMT ref: 00007FF7A56EE511

EncodePointer.KERNEL32(?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56E4C6D

Part of subcall function 00007FF7A56EA664: realloc.LIBCMT ref: 00007FF7A56EA68F
Part of subcall function 00007FF7A56EA664: Sleep.KERNEL32(?,?,00000000,00007FF7A56E4C5D,?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001), ref: 00007FF7A56EA6AB

EncodePointer.KERNEL32(?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56E4C7C
EncodePointer.KERNEL32(?,?,?,00007FF7A56E4CC9,?,?,?,?,00007FF7A56E56F2,?,?,00000001,00007FF7A56E47AB), ref: 00007FF7A56E4C88

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Pointer$Encode$Decode$Sleep_errnorealloc
String ID:
API String ID: 1310268301-0
Opcode ID: 5b966a757f574a0e75c82934206f0acfde00076619bb92cc83a203d31cb58b5a
Instruction ID: 944872e2c9793304aacce5bb8b22ee493697ae76fe5415806aecc4e0323f717c
Opcode Fuzzy Hash: 5b966a757f574a0e75c82934206f0acfde00076619bb92cc83a203d31cb58b5a
Instruction Fuzzy Hash: 11215E11B1B742D4EA00BB61E548069E392BF47FC5BC66835DE0D2B775DE7EE0818714

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56FA424 Relevance: 7.6, APIs: 5, Instructions: 68
threadCOMMON

Download Yara Rule

C-Code - Quality: 47%

			E00007FF77FF7A56FA424(void* __edx, intOrPtr* __rax, signed int __rbx, void* __rcx, void* __rdx, long long __rsi, long long __rbp, long long __r8, long long __r9, long long _a8, long long _a16, char _a24, long long _a32, signed int _a40, intOrPtr _a48) {
				long long _v32;
				signed int _v40;
				void* __rdi;
				long _t28;
				intOrPtr* _t45;
				intOrPtr _t50;
				void* _t56;
				intOrPtr* _t57;
				long long _t59;

				_t53 = __rdx;
				_t48 = __rcx;
				_t46 = __rbx;
				_t45 = __rax;
				_a8 = __rbx;
				_a16 = __rbp;
				_a32 = __rsi;
				_t59 = __r8;
				r12d = __edx;
				if (__r8 != 0) goto 0xa56fa473;
				E00007FF77FF7A56E78AC(__rax);
				_v40 = _v40 & __rbx;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF77FF7A56E4430(__rax, __rbx, __rcx, __rdx, __r8, __r9, __r8);
				goto 0xa56fa50a;
				E00007FF77FF7A56F384C();
				E00007FF77FF7A56EA5E0(_t46, _t48, _t53, _t56, _t59, __r9);
				_t57 = _t45;
				if (_t45 == 0) goto 0xa56fa4f7;
				E00007FF77FF7A56EB93C(1, _t45, _t45);
				E00007FF77FF7A56EB804(_t46, _t57,  *((intOrPtr*)(_t45 + 0xc0)));
				_t50 = _a48;
				 *(_t57 + 8) =  *(_t57 + 8) | 0xffffffff;
				_t69 =  !=  ? _t50 :  &_a24;
				_v32 =  !=  ? _t50 :  &_a24;
				 *((long long*)(_t57 + 0x90)) = _t59;
				 *((long long*)(_t57 + 0x98)) = __r9;
				_v40 = _a40;
				CreateThread(??, ??, ??, ??, ??, ??);
				if (_t45 != 0) goto 0xa56fa50c;
				_t28 = GetLastError();
				free(??);
				if (_t28 == 0) goto 0xa56fa50a;
				E00007FF77FF7A56E78EC(_t28, _t45);
				return 0;
			}

0x7ff7a56fa424
0x7ff7a56fa424
0x7ff7a56fa424
0x7ff7a56fa424
0x7ff7a56fa424
0x7ff7a56fa429
0x7ff7a56fa42e
0x7ff7a56fa441
0x7ff7a56fa444
0x7ff7a56fa44d
0x7ff7a56fa44f
0x7ff7a56fa454
0x7ff7a56fa459
0x7ff7a56fa45c
0x7ff7a56fa463
0x7ff7a56fa469
0x7ff7a56fa46e
0x7ff7a56fa473
0x7ff7a56fa482
0x7ff7a56fa487
0x7ff7a56fa48d
0x7ff7a56fa48f
0x7ff7a56fa49e
0x7ff7a56fa4a3
0x7ff7a56fa4a8
0x7ff7a56fa4b9
0x7ff7a56fa4c3
0x7ff7a56fa4d2
0x7ff7a56fa4d9
0x7ff7a56fa4e0
0x7ff7a56fa4e4
0x7ff7a56fa4ed
0x7ff7a56fa4ef
0x7ff7a56fa4fa
0x7ff7a56fa501
0x7ff7a56fa505
0x7ff7a56fa524

APIs

_errno.LIBCMT ref: 00007FF7A56FA44F

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_getptd.LIBCMT ref: 00007FF7A56FA48F
CreateThread.KERNEL32 ref: 00007FF7A56FA4E4
GetLastError.KERNEL32 ref: 00007FF7A56FA4EF
free.LIBCMT ref: 00007FF7A56FA4FA

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: CreateDecodeErrorLastPointerThread_errno_getptdfree
String ID:
API String ID: 220819306-0
Opcode ID: ece87a1fc5feb03447c1b275c00dd7aa7aefcaa37945c33b4158078beb98526a
Instruction ID: 046f503edb5c05f642bbb5d94e65be2038acd4048d77f5bd6b1405efe682fea3
Opcode Fuzzy Hash: ece87a1fc5feb03447c1b275c00dd7aa7aefcaa37945c33b4158078beb98526a
Instruction Fuzzy Hash: 4D21D632B0A78186E654ABA5E40066AF395FF45F90F855235EE5C03BA6CF3CE0148710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F8120 Relevance: 7.6, APIs: 5, Instructions: 61
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 61%

			E00007FF77FF7A56F8120(void* __ebx, void* __ecx, void* __edx, long long __rbx, intOrPtr* __rcx, void* __r9, long long __r12, signed char _a8, long long _a16, long long _a24) {
				void* __rsi;
				void* _t27;
				void* _t29;
				void* _t30;
				intOrPtr _t46;
				intOrPtr* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				long long _t65;

				_t30 = __edx;
				_t29 = __ecx;
				_a24 = __rbx;
				_t46 =  *((intOrPtr*)(__rcx + 0x20));
				_t54 = __rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t46 <= 0) goto 0xa56f813e;
				E00007FF77FF7A56E44B8();
				_t55 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t55 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56f814d;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t55 > 0) goto 0xa56f8159;
				if (_t55 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56f815e;
				E00007FF77FF7A56E44B8();
				_t57 =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t46 > 0) goto 0xa56f816d;
				if (_t46 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56f8172;
				E00007FF77FF7A56E44B8();
				if (_t57 == 0) goto 0xa56f817c;
				if (_t57 ==  *__rcx) goto 0xa56f8181;
				E00007FF77FF7A56E44B8();
				if (_t55 == _t46) goto 0xa56f81e4;
				_t58 =  *((intOrPtr*)(__rcx + 0x20));
				_a16 = __r12;
				_t65 = _t55 + (_t58 - _t46 >> 3) * 8;
				if (_t46 == _t58) goto 0xa56f81c5;
				asm("o16 nop [eax+eax]");
				E00007FF77FF7A56F69F0(_t46, _t55 - _t46 + _t46, _t46);
				if (_t46 + 8 != _t58) goto 0xa56f81b0;
				r9d = _a8 & 0x000000ff;
				_t27 = E00007FF77FF7A56F7D10(__ebx, _t29, _t30, _t58 - _t46 >> 3, _t46 + 8, _t65,  *((intOrPtr*)(_t54 + 0x20)), _t55 - _t46, _t54 + 0x10, __r9);
				 *((long long*)(_t54 + 0x20)) = _t65;
				return _t27;
			}

0x7ff7a56f8120
0x7ff7a56f8120
0x7ff7a56f8120
0x7ff7a56f812c
0x7ff7a56f8130
0x7ff7a56f8137
0x7ff7a56f8139
0x7ff7a56f813e
0x7ff7a56f8146
0x7ff7a56f8148
0x7ff7a56f8151
0x7ff7a56f8157
0x7ff7a56f8159
0x7ff7a56f815e
0x7ff7a56f8165
0x7ff7a56f816b
0x7ff7a56f816d
0x7ff7a56f8175
0x7ff7a56f817a
0x7ff7a56f817c
0x7ff7a56f8184
0x7ff7a56f8186
0x7ff7a56f818a
0x7ff7a56f8199
0x7ff7a56f81a0
0x7ff7a56f81a5
0x7ff7a56f81b7
0x7ff7a56f81c3
0x7ff7a56f81c5
0x7ff7a56f81d6
0x7ff7a56f81db
0x7ff7a56f81f0

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8139
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8148
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F8159
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F816D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56F817C

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 94e8535373d5eee8c31459157ca0df03a4c9a942121b1679b2ccc5edc3a1f7ea
Instruction ID: e980e5910eef72571d6237c27baa226bf6053cab17340a1ba24ea86271a75cf3
Opcode Fuzzy Hash: 94e8535373d5eee8c31459157ca0df03a4c9a942121b1679b2ccc5edc3a1f7ea
Instruction Fuzzy Hash: C8216523F06A53E6EA20BB25D1001ADA3A1FB06F40F9D1275DF8C07A55DF29E4A5C370

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D9D30 Relevance: 7.5, APIs: 5, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56D9D30(long long __rbx, intOrPtr* __rcx, long long __rsi, long long __rbp, long long _a8, long long _a16, long long _a24) {
				void* _t23;
				void* _t40;
				intOrPtr _t41;
				intOrPtr _t43;
				intOrPtr _t46;

				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t43 =  *((intOrPtr*)(__rcx + 0x20));
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t43 <= 0) goto 0xa56d9d56;
				E00007FF77FF7A56E44B8();
				_t41 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t41 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56d9d65;
				E00007FF77FF7A56E44B8();
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t41 > 0) goto 0xa56d9d71;
				if (_t41 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56d9d76;
				E00007FF77FF7A56E44B8();
				_t46 =  *__rcx;
				if ( *((intOrPtr*)(__rcx + 0x18)) - _t43 > 0) goto 0xa56d9d85;
				if (_t43 -  *((intOrPtr*)(__rcx + 0x20)) <= 0) goto 0xa56d9d8a;
				E00007FF77FF7A56E44B8();
				if (_t46 == 0) goto 0xa56d9d94;
				if (_t46 ==  *__rcx) goto 0xa56d9d99;
				E00007FF77FF7A56E44B8();
				if (_t41 == _t43) goto 0xa56d9dc0;
				_t40 =  *((intOrPtr*)(__rcx + 0x20)) - _t43;
				if (_t40 <= 0) goto 0xa56d9dbc;
				_t23 = E00007FF77FF7A56E4070(_t41, _t40, _t43, _t40);
				 *((long long*)(__rcx + 0x20)) = _t40 + _t41;
				return _t23;
			}

0x7ff7a56d9d30
0x7ff7a56d9d35
0x7ff7a56d9d3a
0x7ff7a56d9d44
0x7ff7a56d9d4f
0x7ff7a56d9d51
0x7ff7a56d9d56
0x7ff7a56d9d5e
0x7ff7a56d9d60
0x7ff7a56d9d69
0x7ff7a56d9d6f
0x7ff7a56d9d71
0x7ff7a56d9d76
0x7ff7a56d9d7d
0x7ff7a56d9d83
0x7ff7a56d9d85
0x7ff7a56d9d8d
0x7ff7a56d9d92
0x7ff7a56d9d94
0x7ff7a56d9d9c
0x7ff7a56d9da2
0x7ff7a56d9dac
0x7ff7a56d9db7
0x7ff7a56d9dbc
0x7ff7a56d9dd4

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D9D51
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D9D60
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D9D71
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D9D85
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56D9D94

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 395423532e8a034f72e2356662622c31c4559b370181be70f9e98b2c9a67ad87
Instruction ID: 23902b12e0118ecc4484f81f26760963916e6a6a2dee1650e100d53fe7bf953e
Opcode Fuzzy Hash: 395423532e8a034f72e2356662622c31c4559b370181be70f9e98b2c9a67ad87
Instruction Fuzzy Hash: AB1163A2E0BE41C5E760BF65D10007DA3A2EB06F84B962531DE5C1366EEE28E461C361

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56ECB08 Relevance: 7.5, APIs: 5, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7A56ECB3F
GetCurrentProcessId.KERNEL32 ref: 00007FF7A56ECB4A
GetCurrentThreadId.KERNEL32 ref: 00007FF7A56ECB56
GetTickCount.KERNEL32 ref: 00007FF7A56ECB62
QueryPerformanceCounter.KERNEL32 ref: 00007FF7A56ECB73

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: 51358f02df6aa1c520c902237605ff6eac71f778f40a86b1a1b9eb1d44f505ae
Instruction ID: 895889bbeb5dbf66e6612b6c8855a78fbf057e942afbe87d930a44a2ee79bd38
Opcode Fuzzy Hash: 51358f02df6aa1c520c902237605ff6eac71f778f40a86b1a1b9eb1d44f505ae
Instruction Fuzzy Hash: 9801A521A6AB0182E7809F21E890279B360FB0FF90FD66130EE5E17770DE3CD9848320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56FA384 Relevance: 7.5, APIs: 5, Instructions: 39threadCOMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7A56FA399
FlsSetValue.KERNEL32 ref: 00007FF7A56FA3B0
GetLastError.KERNEL32 ref: 00007FF7A56FA3B9
ExitThread.KERNEL32 ref: 00007FF7A56FA3C1
GetCurrentThreadId.KERNEL32 ref: 00007FF7A56FA3C8

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: ThreadValue$CurrentErrorExitLast
String ID:
API String ID: 1808566232-0
Opcode ID: 94f429541888e2a87e9ddcd7a9c91dd1b61d2b74d0858537a8fdef3fe104ab33
Instruction ID: 74218cc26be8e372526c3b1b7395c390032db5827e65a2225d71630671bf942b
Opcode Fuzzy Hash: 94f429541888e2a87e9ddcd7a9c91dd1b61d2b74d0858537a8fdef3fe104ab33
Instruction Fuzzy Hash: 18112526E4B74781EF44BB71D80937CA296BF4AF40F861034D90D567B2EE2DA4448330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D4750 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 26
memoryCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 29%

			E00007FF77FF7A56D4750(intOrPtr* __rcx) {
				void* __rbx;
				void* _t6;
				void* _t7;
				void* _t10;
				intOrPtr* _t11;
				intOrPtr* _t13;
				intOrPtr* _t14;
				void* _t20;
				void* _t21;
				void* _t24;

				_t14 =  *((intOrPtr*)(__rcx));
				_t11 = _t14;
				if (_t11 == 0) goto 0xa56d47a5;
				asm("lock add dword [ebx+0x8], 0xffffffff");
				if (_t11 != 0) goto 0xa56d47a5;
				_t13 =  *_t14;
				 *_t13();
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0xa56d47a5;
				_t1 = _t13 + 0x49; // 0x49
				r9d = _t1;
				return E00007FF77FF7A570AB00(_t6, _t7, _t10, _t14, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t20, _t21, "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp", _t24);
			}

0x7ff7a56d4756
0x7ff7a56d4759
0x7ff7a56d475c
0x7ff7a56d475e
0x7ff7a56d4763
0x7ff7a56d4765
0x7ff7a56d476d
0x7ff7a56d476f
0x7ff7a56d4785
0x7ff7a56d4787
0x7ff7a56d4787
0x7ff7a56d47aa

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7A56D476F
HeapFree.KERNEL32 ref: 00007FF7A56D477D

Strings

D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF7A56D478B
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF7A56D4792
detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF7A56D4799

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 3859560861-3333080286
Opcode ID: bbd1b308470604d059fc8b3b034bf7eafb81cdd28000ebdae6b9dc5dbe87673a
Instruction ID: 85144ad046dd946160be60ce0a9ff033820c94fdfcfb4bf7d80fed04ebfa9e61
Opcode Fuzzy Hash: bbd1b308470604d059fc8b3b034bf7eafb81cdd28000ebdae6b9dc5dbe87673a
Instruction Fuzzy Hash: 4CF03062A07A0792FB54AF32E8415B4A352BF9AF55B8B9430C51D12270EE3CD9458320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D4110 Relevance: 7.5, APIs: 2, Strings: 3, Instructions: 18
memoryCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00007FF77FF7A56D4110(void* __rax, void* __rcx) {
				void* __rbx;
				void* _t5;
				void* _t6;
				void* _t8;
				void* _t10;
				void* _t16;
				void* _t17;
				void* _t20;

				_t10 = __rax;
				GetProcessHeap();
				if (HeapFree(??, ??, ??) != 0) goto 0xa56d414f;
				_t1 = _t10 + 0x49; // 0x49
				r9d = _t1;
				return E00007FF77FF7A570AB00(_t5, _t6, _t8, __rcx, "detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0", "void __cdecl boost::detail::free_raw_heap_memory(void *)", _t16, _t17, "D:\\Libraries\\boost\\boost/thread/win32/thread_heap_alloc.hpp", _t20);
			}

0x7ff7a56d4110
0x7ff7a56d4119
0x7ff7a56d412f
0x7ff7a56d4131
0x7ff7a56d4131
0x7ff7a56d4154

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7A56D4119
HeapFree.KERNEL32 ref: 00007FF7A56D4127

Strings

D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp, xrefs: 00007FF7A56D4135
void __cdecl boost::detail::free_raw_heap_memory(void *), xrefs: 00007FF7A56D413C
detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0, xrefs: 00007FF7A56D4143

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: Heap$FreeProcess
String ID: D:\Libraries\boost\boost/thread/win32/thread_heap_alloc.hpp$detail::win32::HeapFree(detail::win32::GetProcessHeap(),0,heap_memory)!=0$void __cdecl boost::detail::free_raw_heap_memory(void *)
API String ID: 3859560861-3333080286
Opcode ID: 390c634eb8512d6bd36f964db49dd20d87de3fa4aeae6bde1dec52a086757f87
Instruction ID: 2aa9e9339d0521998f6c1c520bed37dd47f74b7af864bc3e42d6bb013b570cfc
Opcode Fuzzy Hash: 390c634eb8512d6bd36f964db49dd20d87de3fa4aeae6bde1dec52a086757f87
Instruction Fuzzy Hash: 65E04FA1F46A4792EB14BB62AC415B49352BF5EF89FC74030C40D62231EE3CA589C320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E9B04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 82%

			E00007FF77FF7A56E9B04(void* __ebx, void* __ecx, void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, long long __r8, signed long long __r9) {
				void* __rsi;
				void* __rbp;
				intOrPtr _t102;
				void* _t107;
				void* _t123;
				long long _t126;
				void* _t127;
				void* _t128;
				long long _t170;
				intOrPtr* _t174;
				long long _t177;
				void* _t179;
				void* _t180;
				signed long long _t191;
				void* _t194;

				_t123 = __rax;
				_t107 = __edi;
				_t104 = __ecx;
				 *((long long*)(_t179 + 0x10)) = __rbx;
				 *((long long*)(_t179 + 0x18)) = __r8;
				_t180 = _t179 - 0x70;
				_t191 = __r9;
				_t194 = __rdx;
				_t174 = __rcx;
				if ( *__rcx == 0x80000003) goto 0xa56e9d30;
				E00007FF77FF7A56EB93C(__ecx,  *__rcx - 0x80000003, __rax);
				r15d =  *((intOrPtr*)(_t180 + 0xe0));
				_t177 =  *((intOrPtr*)(_t180 + 0xd0));
				if ( *((long long*)(_t123 + 0xe0)) == 0) goto 0xa56e9ba2;
				E00007FF77FF7A56EB93C(_t104,  *((long long*)(_t123 + 0xe0)), _t123);
				E00007FF77FF7A56EB7B0();
				if ( *((intOrPtr*)(_t123 + 0xe0)) == _t123) goto 0xa56e9ba2;
				if ( *__rcx == 0xe0434f4d) goto 0xa56e9ba2;
				 *(_t180 + 0x30) =  *((intOrPtr*)(_t180 + 0xe8));
				 *((intOrPtr*)(_t180 + 0x28)) = r15d;
				 *((long long*)(_t180 + 0x20)) = _t177;
				if (E00007FF77FF7A56E7528(__rcx, __rdx, __r8, __r9) != 0) goto 0xa56e9d30;
				if ( *((intOrPtr*)(_t177 + 0xc)) != 0) goto 0xa56e9bad;
				E00007FF77FF7A56F0148( *((intOrPtr*)(_t180 + 0xe8)));
				r12d =  *((intOrPtr*)(_t180 + 0xd8));
				 *(_t180 + 0x30) = __r9;
				 *((long long*)(_t180 + 0x28)) = _t180 + 0x60;
				_t126 = _t180 + 0xb0;
				r8d = r15d;
				r9d = r12d;
				 *((long long*)(_t180 + 0x20)) = _t126;
				E00007FF77FF7A56E757C(__ebx, _t123, _t177, _t174);
				_t170 = _t126;
				goto 0xa56e9d26;
				if (r12d -  *_t170 < 0) goto 0xa56e9d19;
				if (r12d -  *((intOrPtr*)(_t170 + 4)) > 0) goto 0xa56e9d19;
				E00007FF77FF7A56E72E8(_t126);
				if ( *((intOrPtr*)(_t126 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)) == 0) goto 0xa56e9c44;
				E00007FF77FF7A56E72E8(_t126);
				E00007FF77FF7A56E72E8(_t126);
				_t127 = _t126 +  *((intOrPtr*)(_t126 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10));
				goto 0xa56e9c46;
				if (_t127 == 0) goto 0xa56e9c93;
				E00007FF77FF7A56E72E8(_t127);
				if ( *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)) == 0) goto 0xa56e9c8b;
				E00007FF77FF7A56E72E8(_t127);
				E00007FF77FF7A56E72E8(_t127);
				_t128 = _t127 +  *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10));
				goto 0xa56e9c8d;
				if ( *((char*)(_t128 + 0x10)) != 0) goto 0xa56e9d12;
				E00007FF77FF7A56E72E8(_t128);
				if (( *(_t128 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x14) & 0x00000040) != 0) goto 0xa56e9d12;
				E00007FF77FF7A56E72E8(_t128);
				 *((char*)(_t180 + 0x58)) = 0;
				 *((char*)(_t180 + 0x50)) = 1;
				 *((long long*)(_t180 + 0x48)) =  *((intOrPtr*)(_t180 + 0xe8));
				 *((intOrPtr*)(_t180 + 0x40)) = r15d;
				 *((long long*)(_t180 + 0x38)) = _t170;
				 *(_t180 + 0x30) =  *(_t180 + 0x30) & 0x00000000;
				 *((long long*)(_t180 + 0x28)) = _t128 + ( *(_t170 + 0xc) - 1 + ( *(_t170 + 0xc) - 1) * 4) * 4 +  *((intOrPtr*)(_t170 + 0x10));
				 *((long long*)(_t180 + 0x20)) = _t177;
				E00007FF77FF7A56E9A40( *(_t170 + 0xc) - 1, _t107,  *((intOrPtr*)(_t127 +  *((intOrPtr*)(_t170 + 0x10)) + ( *(_t170 + 0xc) +  *(_t170 + 0xc) * 4) * 4 - 0x10)), _t174, _t194, _t177,  *((intOrPtr*)(_t180 + 0xc0)), _t191);
				_t102 =  *((intOrPtr*)(_t180 + 0xb0)) + 1;
				 *((intOrPtr*)(_t180 + 0xb0)) = _t102;
				if (_t102 -  *((intOrPtr*)(_t180 + 0x60)) < 0) goto 0xa56e9bf1;
				return _t102;
			}

0x7ff7a56e9b04
0x7ff7a56e9b04
0x7ff7a56e9b04
0x7ff7a56e9b04
0x7ff7a56e9b09
0x7ff7a56e9b19
0x7ff7a56e9b23
0x7ff7a56e9b29
0x7ff7a56e9b2c
0x7ff7a56e9b2f
0x7ff7a56e9b35
0x7ff7a56e9b3a
0x7ff7a56e9b42
0x7ff7a56e9b52
0x7ff7a56e9b54
0x7ff7a56e9b5c
0x7ff7a56e9b68
0x7ff7a56e9b70
0x7ff7a56e9b80
0x7ff7a56e9b8b
0x7ff7a56e9b90
0x7ff7a56e9b9c
0x7ff7a56e9ba6
0x7ff7a56e9ba8
0x7ff7a56e9bad
0x7ff7a56e9bba
0x7ff7a56e9bbf
0x7ff7a56e9bc4
0x7ff7a56e9bcc
0x7ff7a56e9bcf
0x7ff7a56e9bd8
0x7ff7a56e9bdd
0x7ff7a56e9be2
0x7ff7a56e9bec
0x7ff7a56e9bf4
0x7ff7a56e9bfe
0x7ff7a56e9c04
0x7ff7a56e9c1e
0x7ff7a56e9c20
0x7ff7a56e9c3a
0x7ff7a56e9c3f
0x7ff7a56e9c42
0x7ff7a56e9c49
0x7ff7a56e9c4b
0x7ff7a56e9c65
0x7ff7a56e9c67
0x7ff7a56e9c81
0x7ff7a56e9c86
0x7ff7a56e9c89
0x7ff7a56e9c91
0x7ff7a56e9c93
0x7ff7a56e9cad
0x7ff7a56e9caf
0x7ff7a56e9cbf
0x7ff7a56e9cc4
0x7ff7a56e9ceb
0x7ff7a56e9cf0
0x7ff7a56e9cf5
0x7ff7a56e9cfa
0x7ff7a56e9d00
0x7ff7a56e9d08
0x7ff7a56e9d0d
0x7ff7a56e9d19
0x7ff7a56e9d1f
0x7ff7a56e9d2a
0x7ff7a56e9d47

APIs

_getptd.LIBCMT ref: 00007FF7A56E9B35
_getptd.LIBCMT ref: 00007FF7A56E9B54
_CallSETranslator.LIBCMT ref: 00007FF7A56E9B95

Part of subcall function 00007FF7A56E7528: _getptd.LIBCMT ref: 00007FF7A56E754F

Strings

MOC, xrefs: 00007FF7A56E9B6A

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd$CallTranslator
String ID: MOC
API String ID: 3569367362-624257665
Opcode ID: 701c7f62758117df9d68805bcdd9943e9059ba62097dbbdcab498742cdacb196
Instruction ID: bad1495509fe67cc31d91c3779fc6b32a204231a75010bc89e27e04882746bb1
Opcode Fuzzy Hash: 701c7f62758117df9d68805bcdd9943e9059ba62097dbbdcab498742cdacb196
Instruction Fuzzy Hash: 6961A0B2A0AAC6C5DA20EB15D0803ADB3A2FF82F88F855531DF8D436A5DF79E055C710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E5578 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,000000FF,00007FF7A56E55C1,?,?,00000028,00007FF7A56E48F9,?,?,00000000,00007FF7A56EA598,?,?,00000000,00007FF7A56EFED9), ref: 00007FF7A56E5587
GetProcAddress.KERNEL32(?,?,000000FF,00007FF7A56E55C1,?,?,00000028,00007FF7A56E48F9,?,?,00000000,00007FF7A56EA598,?,?,00000000,00007FF7A56EFED9), ref: 00007FF7A56E559C

Strings

mscoree.dll, xrefs: 00007FF7A56E5580
CorExitProcess, xrefs: 00007FF7A56E5592

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: 8e88595b131e52f817ebab1db4fb07a491aba47a0bed957ca3a8eab92fd5a99f
Instruction ID: 989db7a652d46e66c90fbc9f3f24a2a78e81f6665414f865d6911bc2b132d931
Opcode Fuzzy Hash: 8e88595b131e52f817ebab1db4fb07a491aba47a0bed957ca3a8eab92fd5a99f
Instruction Fuzzy Hash: 2CE01D10F5760383FE557760A84423852527F5EF50FC55039C81E163B1DE2CE546C330

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E8948 Relevance: 6.2, APIs: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00007FF77FF7A56E8948(void* __ebx, void* __ecx, signed long long __edx, void* __eflags, long long __rbx, void* __rcx, void* __r8) {
				void* __rsi;
				void* __rbp;
				void* _t133;
				void* _t147;
				void* _t159;
				void* _t163;
				signed long long _t165;
				signed long long _t166;
				signed long long _t167;
				long long _t178;
				signed long long _t183;
				signed long long _t207;
				signed long long _t209;
				intOrPtr _t210;
				void* _t213;
				void* _t214;
				void* _t216;
				signed long long _t217;
				void* _t219;
				signed long long _t220;
				void* _t223;
				signed long long _t224;
				void* _t227;
				void* _t230;
				signed long long _t231;
				void* _t233;
				signed long long _t234;
				void* _t237;
				void* _t239;
				signed long long _t240;

				_t226 = __r8;
				_t137 = __ecx;
				 *((long long*)(_t223 + 0x20)) = __rbx;
				_t224 = _t223 - 0x210;
				_t165 =  *0xa5720430; // 0x4918c7c3922
				_t166 = _t165 ^ _t224;
				 *(_t224 + 0x200) = _t166;
				_t240 = __edx;
				_t214 = __rcx;
				E00007FF77FF7A56EB93C(__ecx, __eflags, _t166);
				_t217 = _t166;
				_t167 = _t224 + 0x40;
				r8d = 0x83;
				 *((intOrPtr*)(_t224 + 0x28)) = r15d;
				 *(_t224 + 0x20) = _t167;
				E00007FF77FF7A56E8708(__ebx, __r8, _t224 + 0x70, __r8, _t224 + 0x48);
				if (_t167 != 0) goto 0xa56e89b5;
				goto 0xa56e8c24;
				_t183 = _t240 << 5;
				if (E00007FF77FF7A56EBBE0(_t137, _t224 + 0x70,  *((intOrPtr*)(_t183 + __rcx + 0x48))) == 0) goto 0xa56e8c1f;
				E00007FF77FF7A56E70C0(_t114, _t224 + 0x70);
				_t220 = _t167;
				_t12 = _t167 + 5; // 0x5
				E00007FF77FF7A56EA574(_t147, _t167, _t183, _t12, _t217, _t220);
				_t231 = _t167;
				if (_t167 == 0) goto 0xa56e89ae;
				_t234 = _t240 + 3;
				 *((long long*)(_t224 + 0x58)) =  *((intOrPtr*)(_t183 + _t214 + 0x48));
				r8d = 6;
				 *(_t224 + 0x50) =  *(_t214 + _t234 * 4);
				 *((long long*)(_t224 + 0x60)) = _t214 + (_t240 + 0x12 + _t240 * 2) * 2;
				E00007FF77FF7A56EAE90(_t137, _t167, _t224 + 0x68, _t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t226);
				_t28 = _t220 + 1; // 0x1
				_t227 = _t224 + 0x70;
				_t30 = _t231 + 4; // 0x4
				 *((intOrPtr*)(_t224 + 0x44)) =  *((intOrPtr*)(_t214 + 4));
				if (E00007FF77FF7A56EB72C(_t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t30, _t28, _t217, _t220, _t227) == 0) goto 0xa56e8a5b;
				 *(_t224 + 0x20) =  *(_t224 + 0x20) & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4308();
				_t35 = _t231 + 4; // 0x4
				_t207 = _t224 + 0x48;
				 *((long long*)(_t183 + _t214 + 0x48)) = _t35;
				r8d = 6;
				 *(_t214 + _t234 * 4) =  *(_t224 + 0x48) & 0x0000ffff;
				E00007FF77FF7A56EAE90(0, E00007FF77FF7A56EB72C(_t214 + (_t240 + 0x12 + _t240 * 2) * 2, _t30, _t28, _t217, _t220, _t227),  *((intOrPtr*)(_t224 + 0x60)), _t207, _t227);
				if (r15d != 2) goto 0xa56e8b94;
				r8d = 0;
				 *((intOrPtr*)(_t214 + 4)) =  *((intOrPtr*)(_t224 + 0x40));
				if ( *((intOrPtr*)(_t214 + 4)) ==  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8))) goto 0xa56e8acd;
				 *((long long*)(_t217 + 0x27c + _t207 * 8)) =  *((intOrPtr*)(_t217 + 0x29c));
				r8d = r8d + 1;
				if (_t207 + 1 - 5 < 0) goto 0xa56e8aa0;
				goto 0xa56e8aec;
				if (r8d == 0) goto 0xa56e8aec;
				_t209 = r8d;
				 *((long long*)(_t217 + 0x27c)) =  *((intOrPtr*)(_t217 + 0x27c + _t209 * 8));
				 *((long long*)(_t217 + 0x27c + _t209 * 8)) =  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8));
				if (r8d != 5) goto 0xa56e8b88;
				_t63 = _t227 + 0x7a; // 0x7a
				 *((intOrPtr*)(_t224 + 0x38)) = 1;
				 *((intOrPtr*)(_t224 + 0x30)) =  *((intOrPtr*)(_t214 + 0x14));
				 *((intOrPtr*)(_t224 + 0x28)) =  *((intOrPtr*)(_t214 + 4));
				_t69 = _t220 - 0x7e; // -4
				r9d = _t63;
				 *(_t224 + 0x20) = _t224 + 0x100;
				_t159 = E00007FF77FF7A56F2858(_t69, r8d - 5, _t224 + 0x100, _t183,  *((intOrPtr*)(_t217 + 0x27c + _t207 * 8)), _t217, 0xa5710d00, _t224 + 0x48, _t239, _t237, _t233);
				if (_t159 == 0) goto 0xa56e8b78;
				 *(_t224 + 0x100) =  *(_t224 + 0x100) & 0x000001ff;
				if (_t159 != 0) goto 0xa56e8b3d;
				_t210 =  *0xa57203f8; // 0x7ff7a57110d4
				r8d = 0xfe;
				 *(_t217 + 0x280) = 0 | E00007FF77FF7A56F4410(0x1ff, _t224 + 0x100, _t210, 0xa5710d00) == 0x00000000;
				goto 0xa56e8b7f;
				 *(_t217 + 0x280) =  *(_t217 + 0x280) & 0x00000000;
				 *((intOrPtr*)(_t217 + 0x27c)) =  *((intOrPtr*)(_t214 + 4));
				 *(_t214 + 0x108) =  *(_t217 + 0x280);
				if (r15d != 1) goto 0xa56e8ba1;
				 *((intOrPtr*)(_t214 + 8)) =  *((intOrPtr*)(_t224 + 0x40));
				_t133 =  *((intOrPtr*)(0xa5710c80 + (_t240 + _t240 * 2) * 8))(_t219);
				_t178 =  *((intOrPtr*)(_t224 + 0x58));
				if (_t133 == 0) goto 0xa56e8bdd;
				 *((long long*)(_t183 + _t214 + 0x48)) = _t178;
				free(_t230);
				r11d =  *(_t224 + 0x50);
				 *(_t214 + _t234 * 4) = r11d;
				 *((intOrPtr*)(_t214 + 4)) =  *((intOrPtr*)(_t224 + 0x44));
				goto 0xa56e89ae;
				_t163 = _t178 - 0xa5720a20;
				if (_t163 == 0) goto 0xa56e8c12;
				asm("lock add dword [edx], 0xffffffff");
				if (_t163 != 0) goto 0xa56e8c12;
				free(_t213);
				free(_t216);
				 *(_t183 + _t214 + 0x50) =  *(_t183 + _t214 + 0x50) & 0x00000000;
				 *_t231 = 1;
				 *(_t183 + _t214 + 0x58) = _t231;
				return E00007FF77FF7A56E4050(E00007FF77FF7A56F4410(0x1ff, _t224 + 0x100, _t210, 0xa5710d00) == 0,  *(_t224 + 0x200) ^ _t224,  *(_t183 + _t214 + 0x58), 0xa5710d00, _t224 + 0x48);
			}

0x7ff7a56e8948
0x7ff7a56e8948
0x7ff7a56e8948
0x7ff7a56e8958
0x7ff7a56e895f
0x7ff7a56e8966
0x7ff7a56e8969
0x7ff7a56e8974
0x7ff7a56e8977
0x7ff7a56e897a
0x7ff7a56e8989
0x7ff7a56e898c
0x7ff7a56e8991
0x7ff7a56e899a
0x7ff7a56e899f
0x7ff7a56e89a4
0x7ff7a56e89ac
0x7ff7a56e89b0
0x7ff7a56e89bd
0x7ff7a56e89cd
0x7ff7a56e89d8
0x7ff7a56e89dd
0x7ff7a56e89e0
0x7ff7a56e89e4
0x7ff7a56e89e9
0x7ff7a56e89ef
0x7ff7a56e89f6
0x7ff7a56e89ff
0x7ff7a56e8a08
0x7ff7a56e8a0e
0x7ff7a56e8a1e
0x7ff7a56e8a23
0x7ff7a56e8a2b
0x7ff7a56e8a2f
0x7ff7a56e8a34
0x7ff7a56e8a39
0x7ff7a56e8a44
0x7ff7a56e8a46
0x7ff7a56e8a4c
0x7ff7a56e8a4f
0x7ff7a56e8a56
0x7ff7a56e8a60
0x7ff7a56e8a65
0x7ff7a56e8a6a
0x7ff7a56e8a74
0x7ff7a56e8a7a
0x7ff7a56e8a7e
0x7ff7a56e8a87
0x7ff7a56e8a91
0x7ff7a56e8a96
0x7ff7a56e8aaa
0x7ff7a56e8ab4
0x7ff7a56e8abf
0x7ff7a56e8ac9
0x7ff7a56e8acb
0x7ff7a56e8ad0
0x7ff7a56e8ad2
0x7ff7a56e8add
0x7ff7a56e8ae4
0x7ff7a56e8af0
0x7ff7a56e8af9
0x7ff7a56e8afd
0x7ff7a56e8b05
0x7ff7a56e8b13
0x7ff7a56e8b1f
0x7ff7a56e8b22
0x7ff7a56e8b27
0x7ff7a56e8b31
0x7ff7a56e8b33
0x7ff7a56e8b42
0x7ff7a56e8b4d
0x7ff7a56e8b4f
0x7ff7a56e8b5e
0x7ff7a56e8b70
0x7ff7a56e8b76
0x7ff7a56e8b78
0x7ff7a56e8b82
0x7ff7a56e8b8e
0x7ff7a56e8b98
0x7ff7a56e8b9e
0x7ff7a56e8baf
0x7ff7a56e8bb4
0x7ff7a56e8bb9
0x7ff7a56e8bbe
0x7ff7a56e8bc3
0x7ff7a56e8bc8
0x7ff7a56e8bd1
0x7ff7a56e8bd5
0x7ff7a56e8bd8
0x7ff7a56e8be4
0x7ff7a56e8be7
0x7ff7a56e8bee
0x7ff7a56e8bf2
0x7ff7a56e8bf9
0x7ff7a56e8c07
0x7ff7a56e8c0c
0x7ff7a56e8c12
0x7ff7a56e8c1a
0x7ff7a56e8c4e

APIs

_getptd.LIBCMT ref: 00007FF7A56E897A

Part of subcall function 00007FF7A56E8708: _getptd.LIBCMT ref: 00007FF7A56E8742

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd
String ID:
API String ID: 3186804695-0
Opcode ID: b831a8e5acdfc9b34b1f275e6a2a44ae26707a0638727e3522d71a78b478d697
Instruction ID: dc2c44df459da264babe7e0eb83b2d9cdb85433c907ef528705943fa4ed5d02a
Opcode Fuzzy Hash: b831a8e5acdfc9b34b1f275e6a2a44ae26707a0638727e3522d71a78b478d697
Instruction Fuzzy Hash: F7819E72A0A682D6DB24EB25E1842AAB3A1FB45F84F955135DF4D43B64DF3DE041CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56DC2A0 Relevance: 6.1, APIs: 4, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 76%

			E00007FF77FF7A56DC2A0(void* __ebx, void* __edx, void* __ebp, long long __rbx, long long __rcx, intOrPtr* __rdx, long long __rsi, void* __rbp, intOrPtr* __r8, void* __r9) {
				void* _v40;
				intOrPtr _v48;
				intOrPtr _v64;
				long long _v88;
				void* __rdi;
				void* __r12;
				void* _t55;
				void* _t58;
				void* _t61;
				intOrPtr _t89;
				intOrPtr _t90;
				intOrPtr _t93;
				signed long long _t94;
				intOrPtr _t97;
				intOrPtr* _t101;
				intOrPtr* _t104;
				long long _t110;
				long long* _t113;
				long long* _t114;
				intOrPtr _t123;
				void* _t125;
				signed long long _t129;
				signed long long _t131;
				intOrPtr* _t134;
				void* _t137;
				intOrPtr* _t140;
				void* _t142;
				void* _t143;
				signed long long _t145;
				void* _t147;
				void* _t149;
				intOrPtr* _t150;
				void* _t152;

				_t142 = __r9;
				_t140 = __r8;
				_t136 = __rbp;
				_t61 = __ebp;
				_t143 = _t137;
				 *((long long*)(_t143 + 8)) = __rcx;
				_v88 = 0xfffffffe;
				 *((long long*)(_t143 + 0x10)) = __rbx;
				 *((long long*)(_t143 + 0x18)) = __rsi;
				_t150 = __r8;
				_t134 = __rdx;
				_t110 = __rcx;
				_t113 = _t143 - 0x38;
				 *_t113 =  *__r8;
				 *((long long*)(_t113 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t114 = _t143 - 0x48;
				 *_t114 =  *__rdx;
				 *((long long*)(_t114 + 8)) =  *((intOrPtr*)(__rdx + 8));
				_t89 =  *((intOrPtr*)(_t143 - 0x38));
				if (_t89 == 0) goto 0xa56dc301;
				if (_t89 ==  *((intOrPtr*)(_t143 - 0x48))) goto 0xa56dc306;
				E00007FF77FF7A56E44B8();
				_t90 = _v64;
				_t123 = _v48;
				if (_t90 - _t123 > 0) goto 0xa56dc31a;
				goto 0xa56dc31d;
				_t125 = _t123 - _t90 - _t90;
				_t129 =  *((intOrPtr*)(__rcx + 0x18));
				if (_t129 - _t125 > 0) goto 0xa56dc35a;
				if ( *((intOrPtr*)(__rcx + 0x20)) == _t125) goto 0xa56dc35a;
				r8b = 1;
				if (E00007FF77FF7A56D24C0(__rcx, __rcx, _t125, __rdx, __rbp, _t145, _t152, _t149) == 0) goto 0xa56dc35a;
				 *(_t110 + 0x18) = _t129;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0xa56dc34c;
				goto 0xa56dc350;
				r12d = 0;
				 *((intOrPtr*)(_t110 + 8 + _t129 * 2)) = r12w;
				goto 0xa56dc35d;
				r12d = 0;
				_t93 =  *_t134;
				if (_t93 == 0) goto 0xa56dc374;
				if (_t93 ==  *_t150) goto 0xa56dc379;
				E00007FF77FF7A56E44B8();
				_t94 =  *((intOrPtr*)(_t150 + 8));
				if ( *((intOrPtr*)(_t134 + 8)) == _t94) goto 0xa56dc46e;
				E00007FF77FF7A56DBBB0(_t61, _t110, _t134, _t134, _t136);
				r13d =  *_t94 & 0x0000ffff;
				if ((_t94 | 0xffffffff) -  *(_t110 + 0x18) - 1 > 0) goto 0xa56dc3a6;
				E00007FF77FF7A56E33CC((_t94 | 0xffffffff) -  *(_t110 + 0x18), _t110, _t129, _t136, _t140, _t142);
				_t131 =  *(_t110 + 0x18) + 1;
				if (_t131 - 0xfffffffe <= 0) goto 0xa56dc3b7;
				_t55 = E00007FF77FF7A56E33CC((_t94 | 0xffffffff) -  *(_t110 + 0x18), _t110, _t131, _t136, _t140, _t142);
				_t97 =  *((intOrPtr*)(_t110 + 0x20));
				if (_t97 - _t131 >= 0) goto 0xa56dc3d1;
				E00007FF77FF7A56D26D0(_t55, _t110, _t131,  *(_t110 + 0x18), _t147, _t145);
				goto 0xa56dc3f0;
				if (_t131 != 0) goto 0xa56dc3f0;
				 *(_t110 + 0x18) = _t145;
				if (_t97 - 8 < 0) goto 0xa56dc3e6;
				goto 0xa56dc3ea;
				 *((intOrPtr*)(_t110 + 8)) = r12w;
				goto 0xa56dc428;
				if (_t131 == 0) goto 0xa56dc428;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0xa56dc409;
				goto 0xa56dc410;
				_t101 = _t110 + 8;
				 *((intOrPtr*)(_t101 +  *(_t110 + 0x18) * 2)) = r13w;
				 *(_t110 + 0x18) = _t131;
				if ( *((long long*)(_t110 + 0x20)) - 8 < 0) goto 0xa56dc423;
				 *((intOrPtr*)( *_t101 + _t131 * 2)) = r12w;
				if ( *_t134 != 0) goto 0xa56dc442;
				E00007FF77FF7A56E44B8();
				_t104 =  *_t134;
				if (_t104 != 0) goto 0xa56dc442;
				goto 0xa56dc445;
				if (_t104 == 0) goto 0xa56dc44f;
				goto 0xa56dc452;
				if ( *((intOrPtr*)(_t134 + 8)) -  *((intOrPtr*)(_t145 + 0x38)) +  *((intOrPtr*)( *_t104 + 0x30)) < 0) goto 0xa56dc465;
				_t58 = E00007FF77FF7A56E44B8();
				 *((long long*)(_t134 + 8)) =  *((long long*)(_t134 + 8)) + 1;
				goto 0xa56dc367;
				return _t58;
			}

0x7ff7a56dc2a0
0x7ff7a56dc2a0
0x7ff7a56dc2a0
0x7ff7a56dc2a0
0x7ff7a56dc2a0
0x7ff7a56dc2a3
0x7ff7a56dc2b4
0x7ff7a56dc2bd
0x7ff7a56dc2c1
0x7ff7a56dc2c5
0x7ff7a56dc2c8
0x7ff7a56dc2cb
0x7ff7a56dc2ce
0x7ff7a56dc2d5
0x7ff7a56dc2dc
0x7ff7a56dc2e0
0x7ff7a56dc2e7
0x7ff7a56dc2ee
0x7ff7a56dc2f2
0x7ff7a56dc2f9
0x7ff7a56dc2ff
0x7ff7a56dc301
0x7ff7a56dc306
0x7ff7a56dc30b
0x7ff7a56dc313
0x7ff7a56dc318
0x7ff7a56dc31a
0x7ff7a56dc31d
0x7ff7a56dc324
0x7ff7a56dc32a
0x7ff7a56dc32c
0x7ff7a56dc339
0x7ff7a56dc33b
0x7ff7a56dc344
0x7ff7a56dc34a
0x7ff7a56dc350
0x7ff7a56dc353
0x7ff7a56dc358
0x7ff7a56dc35a
0x7ff7a56dc367
0x7ff7a56dc36d
0x7ff7a56dc372
0x7ff7a56dc374
0x7ff7a56dc379
0x7ff7a56dc381
0x7ff7a56dc38a
0x7ff7a56dc38f
0x7ff7a56dc39f
0x7ff7a56dc3a1
0x7ff7a56dc3aa
0x7ff7a56dc3b0
0x7ff7a56dc3b2
0x7ff7a56dc3b7
0x7ff7a56dc3be
0x7ff7a56dc3ca
0x7ff7a56dc3cf
0x7ff7a56dc3d4
0x7ff7a56dc3d6
0x7ff7a56dc3de
0x7ff7a56dc3e4
0x7ff7a56dc3ea
0x7ff7a56dc3ee
0x7ff7a56dc3f3
0x7ff7a56dc3fe
0x7ff7a56dc407
0x7ff7a56dc409
0x7ff7a56dc410
0x7ff7a56dc415
0x7ff7a56dc41e
0x7ff7a56dc423
0x7ff7a56dc42e
0x7ff7a56dc430
0x7ff7a56dc435
0x7ff7a56dc43b
0x7ff7a56dc440
0x7ff7a56dc448
0x7ff7a56dc44d
0x7ff7a56dc45e
0x7ff7a56dc460
0x7ff7a56dc465
0x7ff7a56dc469
0x7ff7a56dc487

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC301
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC374
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC430
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A56DC460

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5c141b8904f02e943c942c556673060c55fd9cceccc76b955d807c772474a688
Instruction ID: b1ed74be36f2f3c96c9e2267276f3132953326cdcdd5ec6e1ef204d0729ad956
Opcode Fuzzy Hash: 5c141b8904f02e943c942c556673060c55fd9cceccc76b955d807c772474a688
Instruction Fuzzy Hash: 57513F2360BF4580EB54AF15D44403CA366FB06FA4BA66A35CE6D077B5DF39E861C360

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570A770 Relevance: 6.1, APIs: 4, Instructions: 132
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 60%

			E00007FF77FF7A570A770(void* __ebx, signed int __ecx, void* __edx, void* __edi, long long __rcx, void* __r8, void* __r9, long long _a40, intOrPtr _a48, void* _a56, void* _a64) {
				signed int _v56;
				long long _v64;
				intOrPtr _v88;
				char _v96;
				long long _v104;
				signed int _v112;
				short _v128;
				char _v136;
				char _v152;
				long long _v168;
				char _v184;
				long long _v192;
				long long _v200;
				long long _v208;
				long long _v216;
				signed char _v232;
				intOrPtr _v248;
				long long _v256;
				void* _v264;
				void* __rbx;
				void* __rdi;
				void* __rsi;
				void* __rbp;
				void* _t72;
				void* _t73;
				signed long long _t92;
				long long _t105;
				long long _t106;
				short _t111;
				short _t112;
				long long _t130;
				long long _t132;
				void* _t133;
				signed int _t134;
				signed long long _t138;

				_t142 = __r9;
				_t72 = __edi;
				_t69 = __ecx;
				_v168 = 0xfffffffe;
				_t92 =  *0xa5720430; // 0x4918c7c3922
				_v56 = _t92 ^  &_v264;
				_t73 = __edx;
				_t106 = __rcx;
				if (r8d -  *((intOrPtr*)(__rcx + 0x318)) < 0) goto 0xa570a9e5;
				r9d =  *(__rcx + 0x2c);
				_v248 = _a48;
				_v256 = _a40;
				_v264 = __r9;
				E00007FF77FF7A570A270(__ebx, __ecx, __rcx,  &_v96, _t134, __r8, __r9);
				_v104 = 7;
				_v112 = _t134;
				_v128 = 0;
				E00007FF77FF7A56D79A0();
				_t111 = _v128;
				_t145 =  >=  ? _t111 :  &_v128;
				_t138 = _v112;
				_t130 = ( >=  ? _t111 :  &_v128) + _t138 * 2;
				if (_t130 == 0) goto 0xa570a87d;
				_t95 =  >=  ? _t111 :  &_v128;
				_t79 = ( >=  ? _t111 :  &_v128) - _t130;
				if (( >=  ? _t111 :  &_v128) - _t130 > 0) goto 0xa570a87d;
				_t97 =  >=  ? _t111 :  &_v128;
				if (_t130 - ( >=  ? _t111 :  &_v128) + _t138 * 2 <= 0) goto 0xa570a89a;
				E00007FF77FF7A56E44B8();
				_t112 = _v128;
				_v216 =  &_v136;
				_v208 = _t130;
				if (_v104 - 8 < 0) goto 0xa570a8bc;
				if (_t112 == 0) goto 0xa570a8f2;
				goto 0xa570a8c4;
				_t132 =  &_v128;
				_t101 =  >=  ? _t112 :  &_v128;
				_t85 = ( >=  ? _t112 :  &_v128) - _t132;
				if (( >=  ? _t112 :  &_v128) - _t132 > 0) goto 0xa570a8f2;
				_t103 =  >=  ? _t112 :  &_v128;
				if (_t132 - ( >=  ? _t112 :  &_v128) + _v112 * 2 <= 0) goto 0xa570a8f7;
				E00007FF77FF7A56E44B8();
				_t105 =  &_v136;
				_v200 = _t105;
				_v192 = _t132;
				asm("movaps xmm0, [esp+0x50]");
				asm("movdqa [esp+0x90], xmm0");
				asm("movaps xmm1, [esp+0x60]");
				asm("movdqa [esp+0x70], xmm1");
				r9d = _v232 & 0x000000ff;
				E00007FF77FF7A56DCD30( &_v96,  &_v184,  &_v152);
				r8d = 2;
				E00007FF77FF7A56D47C0(_t106,  &_v96, L"\r\n", _t132, _t133, _t134,  &_v152);
				_v216 = _t106;
				EnterCriticalSection(??);
				E00007FF77FF7A5709FC0(_t73, _t106, _t106, _t133);
				if (_t105 == 0xffffffff) goto 0xa570a98f;
				E00007FF77FF7A570A560(__ebx, _t69, _t72, _t106, _t106, _t105, _t134,  &_v96, _t142);
				LeaveCriticalSection(??);
				if (_v104 - 8 < 0) goto 0xa570a9b1;
				E00007FF77FF7A56E44D8(_t105, _t106, _v128, _t105, _t133,  &_v96, _t142);
				_v104 = 7;
				_v112 = _t134;
				_v128 = 0;
				if (_v64 - 8 < 0) goto 0xa570a9e5;
				E00007FF77FF7A56E44D8(_t105, _t106, _v88, _t105, _t133,  &_v96, _t142);
				return E00007FF77FF7A56E4050(_t69, _v56 ^  &_v264, _t105,  &_v96, _t142);
			}

0x7ff7a570a770
0x7ff7a570a770
0x7ff7a570a770
0x7ff7a570a77c
0x7ff7a570a788
0x7ff7a570a792
0x7ff7a570a79d
0x7ff7a570a79f
0x7ff7a570a7b3
0x7ff7a570a7b9
0x7ff7a570a7c4
0x7ff7a570a7c8
0x7ff7a570a7cd
0x7ff7a570a7dd
0x7ff7a570a7e3
0x7ff7a570a7f1
0x7ff7a570a7f9
0x7ff7a570a819
0x7ff7a570a826
0x7ff7a570a83a
0x7ff7a570a83e
0x7ff7a570a846
0x7ff7a570a84d
0x7ff7a570a85b
0x7ff7a570a85f
0x7ff7a570a862
0x7ff7a570a870
0x7ff7a570a87b
0x7ff7a570a87d
0x7ff7a570a892
0x7ff7a570a8a2
0x7ff7a570a8a7
0x7ff7a570a8b0
0x7ff7a570a8b8
0x7ff7a570a8ba
0x7ff7a570a8bc
0x7ff7a570a8d0
0x7ff7a570a8d4
0x7ff7a570a8d7
0x7ff7a570a8e5
0x7ff7a570a8f0
0x7ff7a570a8f2
0x7ff7a570a8f7
0x7ff7a570a8ff
0x7ff7a570a904
0x7ff7a570a909
0x7ff7a570a90e
0x7ff7a570a917
0x7ff7a570a91c
0x7ff7a570a922
0x7ff7a570a93d
0x7ff7a570a942
0x7ff7a570a957
0x7ff7a570a95c
0x7ff7a570a964
0x7ff7a570a970
0x7ff7a570a979
0x7ff7a570a989
0x7ff7a570a992
0x7ff7a570a9a2
0x7ff7a570a9ac
0x7ff7a570a9b1
0x7ff7a570a9bd
0x7ff7a570a9c5
0x7ff7a570a9d6
0x7ff7a570a9e0
0x7ff7a570aa00

APIs

Part of subcall function 00007FF7A570A270: swprintf.LIBCMT ref: 00007FF7A570A309
Part of subcall function 00007FF7A570A270: GetSystemTime.KERNEL32 ref: 00007FF7A570A353
Part of subcall function 00007FF7A570A270: swprintf.LIBCMT ref: 00007FF7A570A38E
Part of subcall function 00007FF7A570A270: GetCurrentThreadId.KERNEL32 ref: 00007FF7A570A3C1
Part of subcall function 00007FF7A570A270: swprintf.LIBCMT ref: 00007FF7A570A3DE

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A87D
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7A570A8F2
EnterCriticalSection.KERNEL32 ref: 00007FF7A570A964
LeaveCriticalSection.KERNEL32 ref: 00007FF7A570A992

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf$CriticalSection_invalid_parameter_noinfo$CurrentEnterLeaveSystemThreadTime
String ID:
API String ID: 1744438772-0
Opcode ID: e23f237a98b1d8089097f5cf546f0080097a3824f3602463ab54cee6507bbf80
Instruction ID: 6f57a8be1a77c1339d3965e0062d7a2755f2d7bdc11e05945c72052b9c5984d8
Opcode Fuzzy Hash: e23f237a98b1d8089097f5cf546f0080097a3824f3602463ab54cee6507bbf80
Instruction Fuzzy Hash: E251252260EBC194DA709B15E8407EEF361FB8AB90F815231D9DD13AA9DF7CD449CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E9250 Relevance: 6.1, APIs: 4, Instructions: 107
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 89%

			E00007FF77FF7A56E9250(long long __rcx, long long __rdx, long long __r8, intOrPtr _a8, void* _a16, intOrPtr _a24, intOrPtr _a32) {
				long long _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _t63;
				void* _t65;
				signed long long _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				void* _t69;
				long long _t80;
				void* _t81;
				void* _t82;
				void* _t83;
				void* _t84;
				void* _t85;
				void* _t86;
				void* _t87;
				intOrPtr _t100;
				long long _t112;
				long long _t115;
				void* _t121;
				signed long long _t123;
				long long _t128;

				_t80 = _t115;
				 *((intOrPtr*)(_t80 + 0x20)) = r9d;
				 *((long long*)(_t80 + 0x18)) = __r8;
				 *((long long*)(_t80 + 0x10)) = __rdx;
				 *((long long*)(_t80 + 8)) = __rcx;
				r13d = r9d;
				_t112 = __r8;
				_t128 = __rcx;
				_t66 = E00007FF77FF7A56F2550(__rcx, __rdx, __r8);
				E00007FF77FF7A56E72E8(_t80);
				_v64 = _t80;
				E00007FF77FF7A56EB93C(_t65, _t69, _t80);
				 *((intOrPtr*)(_t80 + 0x100)) =  *((intOrPtr*)(_t80 + 0x100)) + 1;
				if (_t66 == 0xffffffff) goto 0xa56e939b;
				if (_t66 - r13d <= 0) goto 0xa56e939b;
				if (_t66 - 0xffffffff <= 0) goto 0xa56e92b9;
				if (_t66 -  *((intOrPtr*)(_t112 + 4)) < 0) goto 0xa56e92be;
				E00007FF77FF7A56F0148(_t80);
				_t123 = _t66;
				E00007FF77FF7A56E72E8(_t80);
				_t81 = _t80 + _t123 * 8;
				_t67 =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t81));
				_v72 = _t67;
				E00007FF77FF7A56E72E8(_t81);
				_t82 = _t81 + _t123 * 8;
				if ( *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t82 + 4)) == 0) goto 0xa56e930a;
				E00007FF77FF7A56E72E8(_t82);
				_t83 = _t82 + _t123 * 8;
				E00007FF77FF7A56E72E8(_t83);
				_t84 = _t83 +  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t83 + 4));
				goto 0xa56e930c;
				if (_t84 == 0) goto 0xa56e936d;
				r9d = _t67;
				E00007FF77FF7A56F2578(0, _t128, _t112);
				E00007FF77FF7A56E72E8(_t84);
				_t100 =  *((intOrPtr*)(_t112 + 8));
				_t85 = _t84 + _t123 * 8;
				_t76 =  *((intOrPtr*)(_t100 + _t85 + 4));
				if ( *((intOrPtr*)(_t100 + _t85 + 4)) == 0) goto 0xa56e9352;
				E00007FF77FF7A56E72E8(_t85);
				_t86 = _t85 + _t123 * 8;
				E00007FF77FF7A56E72E8(_t86);
				_t87 = _t86 +  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t86 + 4));
				goto 0xa56e9354;
				r8d = 0x103;
				E00007FF77FF7A570C050(_t87, _t128, _t121);
				E00007FF77FF7A56E7318(_t87, _t80);
				r13d = _a32;
				_t68 = _v72;
				_v68 = _t68;
				goto 0xa56e929d;
				E00007FF77FF7A56EB93C(_t65, _t76, _t87);
				if ( *((intOrPtr*)(_t87 + 0x100)) <= 0) goto 0xa56e93b4;
				E00007FF77FF7A56EB93C(_t65,  *((intOrPtr*)(_t87 + 0x100)), _t87);
				 *((intOrPtr*)(_t87 + 0x100)) =  *((intOrPtr*)(_t87 + 0x100)) - 1;
				if (_t68 == 0xffffffff) goto 0xa56e93c3;
				if (_t68 - r13d <= 0) goto 0xa56e93c3;
				_t63 = E00007FF77FF7A56F0148(_t87);
				r9d = _t68;
				return E00007FF77FF7A56F2578(_t63, _a8, _a24);
			}

0x7ff7a56e9250
0x7ff7a56e9253
0x7ff7a56e9257
0x7ff7a56e925b
0x7ff7a56e925f
0x7ff7a56e9272
0x7ff7a56e9275
0x7ff7a56e927b
0x7ff7a56e9283
0x7ff7a56e9285
0x7ff7a56e928d
0x7ff7a56e9292
0x7ff7a56e9297
0x7ff7a56e92a0
0x7ff7a56e92a9
0x7ff7a56e92b2
0x7ff7a56e92b7
0x7ff7a56e92b9
0x7ff7a56e92be
0x7ff7a56e92c1
0x7ff7a56e92ca
0x7ff7a56e92ce
0x7ff7a56e92d1
0x7ff7a56e92d5
0x7ff7a56e92de
0x7ff7a56e92e7
0x7ff7a56e92e9
0x7ff7a56e92f2
0x7ff7a56e92fb
0x7ff7a56e9300
0x7ff7a56e9308
0x7ff7a56e930f
0x7ff7a56e9311
0x7ff7a56e931d
0x7ff7a56e9322
0x7ff7a56e9327
0x7ff7a56e932b
0x7ff7a56e932f
0x7ff7a56e9334
0x7ff7a56e9336
0x7ff7a56e933f
0x7ff7a56e9348
0x7ff7a56e934d
0x7ff7a56e9350
0x7ff7a56e9354
0x7ff7a56e9360
0x7ff7a56e9368
0x7ff7a56e936f
0x7ff7a56e9389
0x7ff7a56e938d
0x7ff7a56e9396
0x7ff7a56e939b
0x7ff7a56e93a7
0x7ff7a56e93a9
0x7ff7a56e93ae
0x7ff7a56e93b7
0x7ff7a56e93bc
0x7ff7a56e93be
0x7ff7a56e93c3
0x7ff7a56e93e3

APIs

Part of subcall function 00007FF7A56E72E8: _getptd.LIBCMT ref: 00007FF7A56E72EC

_getptd.LIBCMT ref: 00007FF7A56E9292
_SetImageBase.LIBCMT ref: 00007FF7A56E9368
_getptd.LIBCMT ref: 00007FF7A56E939B
_getptd.LIBCMT ref: 00007FF7A56E93A9

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd$BaseImage
String ID:
API String ID: 2482573191-0
Opcode ID: 5665795fcf005ae9679d0fd918da8335e09ef8a53e3ab91a4d23fb740d9e4aa0
Instruction ID: 5468f478aa792c1dc2d15cb2bfbd81b65add216e2f879607075f2c20155f42f7
Opcode Fuzzy Hash: 5665795fcf005ae9679d0fd918da8335e09ef8a53e3ab91a4d23fb740d9e4aa0
Instruction Fuzzy Hash: BA41E762A0B642C5EA20B715D4411BCE7A2AF47F84FC6A131EE5D433F2CE3DE8468320

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E8214 Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00007FF77FF7A56E8214(void* __edi, void* __esi, long long __rcx, void* __rsi) {
				void* __rbx;
				void* _t4;
				intOrPtr _t15;
				void* _t23;
				intOrPtr* _t30;
				void* _t36;

				if (__rcx == 0) goto 0xa56e82ba;
				E00007FF77FF7A56EFF60();
				_t15 =  *((intOrPtr*)(__rcx + 8));
				if (_t15 == 0) goto 0xa56e8255;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t15 != 0) goto 0xa56e8255;
				if ( *((intOrPtr*)(__rcx + 8)) == 0xa5720bb0) goto 0xa56e8255;
				free(_t23);
				E00007FF77FF7A56EFE60();
				if ( *((long long*)(__rcx)) == 0) goto 0xa56e82a1;
				E00007FF77FF7A56EFF60();
				E00007FF77FF7A56E809C(_t4,  *((intOrPtr*)(__rcx)), _t36);
				_t30 =  *((intOrPtr*)(__rcx));
				if (_t30 == 0) goto 0xa56e8297;
				if ( *_t30 != 0) goto 0xa56e8297;
				if (_t30 == 0xa5720a30) goto 0xa56e8297;
				E00007FF77FF7A56E7E88(__rcx, _t30, __rsi, _t36);
				E00007FF77FF7A56EFE60();
				 *((long long*)(__rcx)) = 0xa5720a30;
				 *((long long*)(__rcx + 8)) = 0xa5720a30;
				free(??);
				return 0xbaadf00d;
			}

0x7ff7a56e8217
0x7ff7a56e822a
0x7ff7a56e8234
0x7ff7a56e8237
0x7ff7a56e8239
0x7ff7a56e823d
0x7ff7a56e824d
0x7ff7a56e824f
0x7ff7a56e825a
0x7ff7a56e8263
0x7ff7a56e826a
0x7ff7a56e8273
0x7ff7a56e8278
0x7ff7a56e827e
0x7ff7a56e8283
0x7ff7a56e828f
0x7ff7a56e8291
0x7ff7a56e829c
0x7ff7a56e82a6
0x7ff7a56e82a9
0x7ff7a56e82b0
0x7ff7a56e82ba

APIs

_lock.LIBCMT ref: 00007FF7A56E822A
free.LIBCMT ref: 00007FF7A56E824F

Part of subcall function 00007FF7A56E484C: HeapFree.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4862
Part of subcall function 00007FF7A56E484C: _errno.LIBCMT ref: 00007FF7A56E486C
Part of subcall function 00007FF7A56E484C: GetLastError.KERNEL32(?,?,?,00007FF7A56E4219), ref: 00007FF7A56E4874

_lock.LIBCMT ref: 00007FF7A56E826A
free.LIBCMT ref: 00007FF7A56E82B0

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _lockfree$ErrorFreeHeapLast_errno
String ID:
API String ID: 3188102813-0
Opcode ID: 4d6a6f156befe5a0da9afee2539e0a2b99425bf6e00ddd8f4db7cbe1f4866d2c
Instruction ID: a11210ce3b4eb263b767abf79bec4e990d37b20a5c4c818c1579ca99526890d5
Opcode Fuzzy Hash: 4d6a6f156befe5a0da9afee2539e0a2b99425bf6e00ddd8f4db7cbe1f4866d2c
Instruction Fuzzy Hash: 08115621A17946D9FF657BB0C411379D2529F87F04F8A6534DE0E062E5DE2EA841C271

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EB7DC Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsFree.KERNEL32(?,?,?,?,00007FF7A56EBB51,?,?,00000000,00007FF7A56E4727), ref: 00007FF7A56EB7EB
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF7A56EBB51), ref: 00007FF7A56EFE12
free.LIBCMT ref: 00007FF7A56EFE1B
DeleteCriticalSection.KERNEL32(?,?,?,00000001,?,?,?,?,?,?,?,?,?,00007FF7A56EBB51), ref: 00007FF7A56EFE3B

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: CriticalDeleteSection$Freefree
String ID:
API String ID: 1250194111-0
Opcode ID: 6873f9bc57506945de8e1b5125113889f3f65db8f6cd79cb80fb404202243c4b
Instruction ID: ca73dd7b226b185e7ebc76f006810a9a7b35cebc35458a777fb79c977b029a53
Opcode Fuzzy Hash: 6873f9bc57506945de8e1b5125113889f3f65db8f6cd79cb80fb404202243c4b
Instruction Fuzzy Hash: 90116331E0B642D7FA14AB11E444139E3A1FF4AF50F9A6130DA1D176B6DF2DE451C720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E5F64 Relevance: 6.0, APIs: 4, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7A56E5F64(void* __edi, intOrPtr* __rax, long long __rbx, signed int __rcx, long long _a8) {
				signed int _v24;
				signed int _t16;
				void* _t21;
				void* _t29;
				signed int _t37;
				signed int _t39;
				void* _t43;
				void* _t44;
				void* _t45;
				void* _t49;

				_t39 = __rcx;
				_t35 = __rax;
				_a8 = __rbx;
				_t37 = __rcx;
				if (__rcx != 0) goto 0xa56e5f9c;
				E00007FF77FF7A56E78AC(__rax);
				_v24 = _v24 & __rcx;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF77FF7A56E4430(__rax, __rcx, __rcx, _t43, _t44, _t45, _t49);
				goto 0xa56e5fe2;
				if (( *(_t39 + 0x18) & 0x00000083) == 0) goto 0xa56e5fdc;
				_t16 = E00007FF77FF7A56E6BCC(_t37, _t39, _t44);
				E00007FF77FF7A56F1B24(__rax, _t37);
				if (E00007FF77FF7A56F1A0C(_t21, E00007FF77FF7A56F0EB8(__rax, _t37, _t37, _t43, _t44, _t45, _t49), _t29, _t35, _t37, _t37, _t43, _t44, _t45, _t49) >= 0) goto 0xa56e5fc9;
				goto 0xa56e5fdc;
				if ( *(_t37 + 0x28) == 0) goto 0xa56e5fdc;
				free(??);
				 *(_t37 + 0x28) =  *(_t37 + 0x28) & 0x00000000;
				 *(_t37 + 0x18) =  *(_t37 + 0x18) & 0x00000000;
				return _t16 | 0xffffffff;
			}

0x7ff7a56e5f64
0x7ff7a56e5f64
0x7ff7a56e5f64
0x7ff7a56e5f71
0x7ff7a56e5f77
0x7ff7a56e5f79
0x7ff7a56e5f7e
0x7ff7a56e5f83
0x7ff7a56e5f86
0x7ff7a56e5f8d
0x7ff7a56e5f93
0x7ff7a56e5f9a
0x7ff7a56e5fa0
0x7ff7a56e5fa2
0x7ff7a56e5fac
0x7ff7a56e5fc2
0x7ff7a56e5fc7
0x7ff7a56e5fd0
0x7ff7a56e5fd2
0x7ff7a56e5fd7
0x7ff7a56e5fdc
0x7ff7a56e5fec

APIs

_errno.LIBCMT ref: 00007FF7A56E5F79

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_flush.LIBCMT ref: 00007FF7A56E5FA2
_freebuf.LIBCMT ref: 00007FF7A56E5FAC

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: DecodePointer_errno_flush_freebuf
String ID:
API String ID: 1889905870-0
Opcode ID: e85fca2b21714c02f18f57603225243ab33633c5b8a898005f5a6ec10b8aea6d
Instruction ID: dae368a5f26385a7447ef81389fa805abaacdace2e4aa33d43abb3a9fe4a32d0
Opcode Fuzzy Hash: e85fca2b21714c02f18f57603225243ab33633c5b8a898005f5a6ec10b8aea6d
Instruction Fuzzy Hash: 7001D622E1B64285FB14BA74941137D91535FB6F64FAB2230DE19462E6CF3DD4008A20

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F58B8 Relevance: 6.0, APIs: 4, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 66%

			E00007FF77FF7A56F58B8(signed int __ecx, void* __edx, signed int* __rax, void* __rbx, void* __rsi, void* __rbp, void* __r8) {
				signed long long _v24;
				intOrPtr _t28;
				signed int* _t29;
				signed long long _t34;

				if (__ecx != 0xfffffffe) goto 0xa56f58d6;
				E00007FF77FF7A56E78CC(__rax);
				 *__rax =  *__rax & 0x00000000;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 9;
				goto 0xa56f5933;
				if (__ecx < 0) goto 0xa56f590b;
				if (__ecx -  *0xa57289c0 >= 0) goto 0xa56f590b;
				_t34 = __ecx * 0x58;
				_t28 =  *((intOrPtr*)(0xa57289e0 + (__ecx >> 5) * 8));
				if (( *(_t28 + _t34 + 8) & 0x00000001) == 0) goto 0xa56f590b;
				_t29 =  *((intOrPtr*)(_t28 + _t34));
				goto 0xa56f5937;
				E00007FF77FF7A56E78CC(_t29);
				 *_t29 =  *_t29 & 0x00000000;
				E00007FF77FF7A56E78AC(_t29);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t29 = 9;
				return E00007FF77FF7A56E4430(_t29, __rbx, 0xa57289e0, _t34, __rsi, __rbp, __r8);
			}

0x7ff7a56f58bf
0x7ff7a56f58c1
0x7ff7a56f58c6
0x7ff7a56f58c9
0x7ff7a56f58ce
0x7ff7a56f58d4
0x7ff7a56f58d8
0x7ff7a56f58e0
0x7ff7a56f58f6
0x7ff7a56f58fa
0x7ff7a56f5903
0x7ff7a56f5905
0x7ff7a56f5909
0x7ff7a56f590b
0x7ff7a56f5910
0x7ff7a56f5913
0x7ff7a56f5918
0x7ff7a56f591e
0x7ff7a56f5921
0x7ff7a56f5928
0x7ff7a56f593b

APIs

__doserrno.LIBCMT ref: 00007FF7A56F58C1
_errno.LIBCMT ref: 00007FF7A56F58C9

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: __doserrno_errno
String ID:
API String ID: 921712934-0
Opcode ID: 42309f2acd20e35207d32cf45d5d8bb19fd6256df55cf22ec14333df7ab8f0c2
Instruction ID: f5bd89bc9b2161231a76ff1a872a2e0d5a2110079d6e0d5382bbe4e3616486e9
Opcode Fuzzy Hash: 42309f2acd20e35207d32cf45d5d8bb19fd6256df55cf22ec14333df7ab8f0c2
Instruction Fuzzy Hash: FD01F972E1B68681FA443B24894137CA6539F72F31FD66335D92E062F1CF3D64048A31

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56D40C0 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 16
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E00007FF77FF7A56D40C0(intOrPtr* __rcx) {
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t9;
				intOrPtr _t11;
				void* _t14;
				void* _t15;
				void* _t17;

				_t11 =  *__rcx;
				if (_t11 == 0) goto 0xa56d40fc;
				if (_t11 == 0xffffffff) goto 0xa56d40fc;
				if (CloseHandle(??) != 0) goto 0xa56d40fc;
				r9d = 0x1dd;
				return E00007FF77FF7A570AB00(_t3, _t4, _t5, _t9, "CloseHandle(handle_to_manage)", "void __cdecl boost::detail::win32::handle_manager::cleanup(void)", _t14, _t15, "D:\\Libraries\\boost\\boost/thread/win32/thread_primitives.hpp", _t17);
			}

0x7ff7a56d40c4
0x7ff7a56d40ca
0x7ff7a56d40d0
0x7ff7a56d40da
0x7ff7a56d40f1
0x7ff7a56d4100

APIs

CloseHandle.KERNEL32 ref: 00007FF7A56D40D2

Strings

CloseHandle(handle_to_manage), xrefs: 00007FF7A56D40EA
void __cdecl boost::detail::win32::handle_manager::cleanup(void), xrefs: 00007FF7A56D40E3
D:\Libraries\boost\boost/thread/win32/thread_primitives.hpp, xrefs: 00007FF7A56D40DC

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: CloseHandle
String ID: CloseHandle(handle_to_manage)$D:\Libraries\boost\boost/thread/win32/thread_primitives.hpp$void __cdecl boost::detail::win32::handle_manager::cleanup(void)
API String ID: 2962429428-1328045786
Opcode ID: e94c27bac43ffa26f5226572da9408715b3b101fcc1e669ba66f1d71604591b2
Instruction ID: dd31f701ffb369d6111b9a557362d628b69d82d01cfaf4a9649cad5663241160
Opcode Fuzzy Hash: e94c27bac43ffa26f5226572da9408715b3b101fcc1e669ba66f1d71604591b2
Instruction Fuzzy Hash: A4E04F61E0B90380FE14B756A851270A252BF1AF75FC21731D83D631F0EE9CA5568720

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56EA2C8 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 146
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 65%

			E00007FF77FF7A56EA2C8(void* __edi, void* __ebp, void* __rax, long long __rbx, intOrPtr* __rcx, long long __rdx, long long __rsi, long long __rbp, void* __r8, long long __r9, long long _a8, long long _a16, long long _a24, signed int* _a40, char _a48, signed int _a56, signed int _a64) {
				signed int _v32;
				long long _v40;
				char _v48;
				signed int* _v56;
				intOrPtr _t50;
				void* _t52;
				void* _t68;
				void* _t72;
				intOrPtr _t73;
				void* _t75;
				char _t86;
				void* _t103;
				intOrPtr _t105;
				intOrPtr* _t109;
				signed int* _t126;
				long long _t128;
				long long _t131;
				long long* _t146;
				void* _t147;

				_t103 = __rax;
				_t72 = __edi;
				_a8 = __rbx;
				_a16 = __rbp;
				_a24 = __rsi;
				_t131 = __r9;
				_t147 = __r8;
				_t128 = __rdx;
				_t109 = __rcx;
				E00007FF77FF7A56EB93C(_t68, _t75, __rax);
				_t126 = _a40;
				r8d = 0x80000029;
				r9d = 0x80000026;
				r14d = 1;
				if ( *((intOrPtr*)(_t103 + 0x2c0)) != 0) goto 0xa56ea351;
				if ( *__rcx == 0xe06d7363) goto 0xa56ea351;
				if ( *__rcx != r8d) goto 0xa56ea336;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0xf) goto 0xa56ea336;
				if ( *((long long*)(__rcx + 0x60)) == 0x19930520) goto 0xa56ea351;
				if ( *__rcx == r9d) goto 0xa56ea351;
				if (( *_t126 & 0x1fffffff) - 0x19930522 < 0) goto 0xa56ea351;
				if ((_t126[9] & r14b) != 0) goto 0xa56ea4d1;
				if (( *(__rcx + 4) & 0x00000066) == 0) goto 0xa56ea3ef;
				if (_t126[1] == 0) goto 0xa56ea4d1;
				_t86 = _a48;
				if (_t86 != 0) goto 0xa56ea4d1;
				if (_t86 == 0) goto 0xa56ea3b8;
				if ( *__rcx != r9d) goto 0xa56ea3b8;
				_t50 = E00007FF77FF7A56F24BC(_t103, __rcx, _t126, __r9, __rdx, __r9,  *((intOrPtr*)(__r8 + 0xf8)));
				if (_t50 - 0xffffffff < 0) goto 0xa56ea39d;
				if (_t50 - _t126[1] < 0) goto 0xa56ea3a2;
				E00007FF77FF7A56F0148(_t103);
				r9d = _t50;
				_t52 = E00007FF77FF7A56E9250(__rdx, _t131, _t126);
				goto 0xa56ea4d1;
				if (_t52 == 0) goto 0xa56ea3dc;
				if ( *_t109 != r8d) goto 0xa56ea3dc;
				_t73 =  *((intOrPtr*)(_t109 + 0x38));
				if (_t73 - 0xffffffff < 0) goto 0xa56ea3ce;
				if (_t73 - _t126[1] < 0) goto 0xa56ea3d3;
				E00007FF77FF7A56F0148(_t103);
				r9d = _t73;
				goto 0xa56ea3a8;
				E00007FF77FF7A56E7350(_t72, _t109, _t128, _t131, _t128, _t126);
				goto 0xa56ea4d1;
				if (_t126[3] != 0) goto 0xa56ea423;
				if (( *_t126 & 0x1fffffff) - 0x19930521 < 0) goto 0xa56ea4d1;
				if (_t126[8] == 0) goto 0xa56ea418;
				E00007FF77FF7A56E72E8(_t103);
				goto 0xa56ea41a;
				if (_t103 + _t126[8] == 0) goto 0xa56ea4d1;
				if ( *_t109 != 0xe06d7363) goto 0xa56ea498;
				if ( *((intOrPtr*)(_t109 + 0x18)) - 3 < 0) goto 0xa56ea498;
				if ( *((intOrPtr*)(_t109 + 0x20)) - 0x19930522 <= 0) goto 0xa56ea498;
				_t105 =  *((intOrPtr*)(_t109 + 0x30));
				if ( *((intOrPtr*)(_t105 + 8)) == 0) goto 0xa56ea456;
				E00007FF77FF7A56E7300(_t105);
				_t146 =  *((intOrPtr*)( *((intOrPtr*)(_t109 + 0x30)) + 8)) + _t105;
				goto 0xa56ea459;
				r11d = 0;
				if (_t146 == 0) goto 0xa56ea498;
				_v32 = _a64 & 0x000000ff;
				_v40 = _a56;
				_v48 = _a48;
				_v56 = _t126;
				 *_t146();
				goto 0xa56ea4d4;
				_v32 = _a56;
				_v40 = _a48;
				_v48 = _a64;
				_v56 = _t126;
				E00007FF77FF7A56E9D48(_t50,  *_t126 & 0x1fffffff, _t72, __ebp, _a56, _t109, _t109, _t128, _t147, _t131);
				return r14d;
			}

0x7ff7a56ea2c8
0x7ff7a56ea2c8
0x7ff7a56ea2c8
0x7ff7a56ea2cd
0x7ff7a56ea2d2
0x7ff7a56ea2e0
0x7ff7a56ea2e3
0x7ff7a56ea2e6
0x7ff7a56ea2e9
0x7ff7a56ea2ec
0x7ff7a56ea2f1
0x7ff7a56ea305
0x7ff7a56ea30b
0x7ff7a56ea311
0x7ff7a56ea317
0x7ff7a56ea31f
0x7ff7a56ea324
0x7ff7a56ea32a
0x7ff7a56ea334
0x7ff7a56ea339
0x7ff7a56ea345
0x7ff7a56ea34b
0x7ff7a56ea356
0x7ff7a56ea360
0x7ff7a56ea366
0x7ff7a56ea36e
0x7ff7a56ea377
0x7ff7a56ea37c
0x7ff7a56ea38c
0x7ff7a56ea396
0x7ff7a56ea39b
0x7ff7a56ea39d
0x7ff7a56ea3a2
0x7ff7a56ea3ae
0x7ff7a56ea3b3
0x7ff7a56ea3ba
0x7ff7a56ea3bf
0x7ff7a56ea3c1
0x7ff7a56ea3c7
0x7ff7a56ea3cc
0x7ff7a56ea3ce
0x7ff7a56ea3d7
0x7ff7a56ea3da
0x7ff7a56ea3e5
0x7ff7a56ea3ea
0x7ff7a56ea3f3
0x7ff7a56ea3fe
0x7ff7a56ea408
0x7ff7a56ea40a
0x7ff7a56ea416
0x7ff7a56ea41d
0x7ff7a56ea429
0x7ff7a56ea42f
0x7ff7a56ea438
0x7ff7a56ea43a
0x7ff7a56ea442
0x7ff7a56ea444
0x7ff7a56ea451
0x7ff7a56ea454
0x7ff7a56ea456
0x7ff7a56ea45c
0x7ff7a56ea46c
0x7ff7a56ea47b
0x7ff7a56ea48a
0x7ff7a56ea48e
0x7ff7a56ea493
0x7ff7a56ea496
0x7ff7a56ea4a6
0x7ff7a56ea4b5
0x7ff7a56ea4c3
0x7ff7a56ea4c7
0x7ff7a56ea4cc
0x7ff7a56ea4ec

APIs

_getptd.LIBCMT ref: 00007FF7A56EA2EC

Strings

csm, xrefs: 00007FF7A56EA319
csm, xrefs: 00007FF7A56EA423

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd
String ID: csm$csm
API String ID: 3186804695-3733052814
Opcode ID: 98f21436721bd78c3725fa0ca854348773e5603e32f22c9a78c881d467c025b4
Instruction ID: fac5affb394e9e279e65f1462d4c5023da904372ebfd27f745d4b773d2a64f7b
Opcode Fuzzy Hash: 98f21436721bd78c3725fa0ca854348773e5603e32f22c9a78c881d467c025b4
Instruction Fuzzy Hash: 2B51C53290B242C6EB70AE25904837DF692BB42F84F856135DE4D97BA5CF3DE850CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0850 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00007FF77FF7A56E0850(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				void* __rbx;
				long long _t35;
				signed int _t43;
				signed int _t44;
				intOrPtr _t48;
				void* _t50;
				void* _t51;
				void* _t52;
				signed long long _t62;
				char* _t68;
				char* _t69;
				intOrPtr _t72;
				void* _t73;
				long long _t74;
				long long* _t76;
				void* _t84;
				void* _t86;
				signed long long _t89;

				_t62 =  *0xa5720430; // 0x4918c7c3922
				 *(_t89 + 0xe0) = _t62 ^ _t89;
				_t72 =  *((intOrPtr*)(__r9 + 0x20));
				_t48 = _t72;
				if (_t48 > 0) goto 0xa56e0891;
				asm("inc ecx");
				if (_t48 < 0) goto 0xa56e0891;
				_t43 =  *(__r9 + 0x18);
				asm("movsd xmm1, [esp+0x158]");
				r9d = 6;
				r9d =  >  ? 0x24 : r9d;
				_t84 = _t86;
				_t73 = _t72 - r9d;
				_t50 = (_t43 & 0x00003000) - 0x2000;
				if (_t50 != 0) goto 0xa56e0969;
				asm("movapd xmm0, xmm1");
				asm("mulsd xmm0, [0x3480b]");
				asm("ucomisd xmm0, xmm1");
				if (_t50 != 0) goto 0xa56e08e1;
				if (_t50 == 0) goto 0xa56e0969;
				asm("xorpd xmm3, xmm3");
				asm("movsd xmm4, [0x347e3]");
				asm("comisd xmm3, xmm1");
				if (_t50 <= 0) goto 0xa56e08fb;
				asm("xorpd xmm1, xmm4");
				goto 0xa56e08fd;
				asm("movsd xmm0, [0x347c3]");
				asm("movsd xmm2, [0x347b3]");
				asm("comisd xmm1, xmm0");
				if (_t50 < 0) goto 0xa56e092a;
				_t51 = _t86 - 0x1388;
				if (_t51 >= 0) goto 0xa56e092a;
				asm("divsd xmm1, xmm2");
				asm("comisd xmm1, xmm0");
				if (_t51 >= 0) goto 0xa56e0913;
				asm("comisd xmm1, xmm3");
				if (_t51 <= 0) goto 0xa56e0961;
				_t52 = _t73 - 0xa;
				if (_t52 < 0) goto 0xa56e0961;
				asm("movsd xmm0, [0x3477a]");
				asm("comisd xmm0, xmm1");
				if (_t52 < 0) goto 0xa56e0961;
				if (_t84 - 0x1388 >= 0) goto 0xa56e0961;
				_t74 = _t73 - 0xa;
				asm("mulsd xmm1, xmm2");
				if (_t74 - 0xa >= 0) goto 0xa56e0940;
				if (0 == 0) goto 0xa56e0969;
				asm("xorpd xmm1, xmm4");
				_t76 = _t89 + 0x50;
				 *((char*)(_t89 + 0x60)) = 0x25;
				 *_t76 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t76 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ((_t43 & 0x00000020) == 0) goto 0xa56e0995;
				 *((char*)(_t89 + 0x61)) = 0x2b;
				_t68 = _t89 + 0x62;
				if ((_t43 & 0x00000010) == 0) goto 0xa56e09a0;
				 *_t68 = 0x23;
				_t69 = _t68 + 1;
				_t44 = _t43 & 0x00003000;
				 *_t69 = 0x2e;
				 *((char*)(_t69 + 1)) = 0x2a;
				if (_t44 != 0x2000) goto 0xa56e09b9;
				goto 0xa56e09da;
				if (_t44 != 0x3000) goto 0xa56e09c5;
				goto 0xa56e09da;
				r8d = 0x65;
				_t42 =  ==  ? r8d : 0x67;
				 *((char*)(_t69 + 2)) =  ==  ? r8d : 0x67;
				asm("movsd [esp+0x20], xmm1");
				 *((char*)(_t69 + 3)) = 0;
				_t35 = E00007FF77FF7A56E4828(_t89 + 0x60, __r9);
				_t94 = __r9;
				 *((long long*)(_t89 + 0x48)) = _t35;
				 *((long long*)(_t89 + 0x40)) = _t74;
				 *((long long*)(_t89 + 0x38)) = _t84 + 0xa;
				 *((long long*)(_t89 + 0x30)) = _t86 + 0xa;
				 *((long long*)(_t89 + 0x28)) = _t89 + 0x70;
				 *((char*)(_t89 + 0x20)) =  *(_t89 + 0x150) & 0x000000ff;
				E00007FF77FF7A56E0F40( *(_t89 + 0x150) & 0x000000ff, _t44 - 0x1000, _t74, __rcx, __rdx, _t89 + 0x50, __r9);
				return E00007FF77FF7A56E4050( ==  ? r8d : 0x67,  *(_t89 + 0xe0) ^ _t89, __rdx, _t89 + 0x50, _t94);
			}

0x7ff7a56e0860
0x7ff7a56e086a
0x7ff7a56e0872
0x7ff7a56e087f
0x7ff7a56e0882
0x7ff7a56e0884
0x7ff7a56e088a
0x7ff7a56e0891
0x7ff7a56e0894
0x7ff7a56e08a5
0x7ff7a56e08a8
0x7ff7a56e08b1
0x7ff7a56e08b4
0x7ff7a56e08be
0x7ff7a56e08c3
0x7ff7a56e08c9
0x7ff7a56e08cd
0x7ff7a56e08d5
0x7ff7a56e08d9
0x7ff7a56e08db
0x7ff7a56e08e1
0x7ff7a56e08e5
0x7ff7a56e08ed
0x7ff7a56e08f1
0x7ff7a56e08f5
0x7ff7a56e08f9
0x7ff7a56e08fd
0x7ff7a56e0905
0x7ff7a56e090d
0x7ff7a56e0911
0x7ff7a56e0913
0x7ff7a56e091a
0x7ff7a56e091c
0x7ff7a56e0924
0x7ff7a56e0928
0x7ff7a56e092a
0x7ff7a56e092e
0x7ff7a56e0930
0x7ff7a56e0934
0x7ff7a56e0936
0x7ff7a56e0940
0x7ff7a56e0944
0x7ff7a56e094d
0x7ff7a56e094f
0x7ff7a56e0957
0x7ff7a56e095f
0x7ff7a56e0963
0x7ff7a56e0965
0x7ff7a56e096c
0x7ff7a56e0971
0x7ff7a56e0976
0x7ff7a56e097d
0x7ff7a56e0989
0x7ff7a56e098b
0x7ff7a56e0990
0x7ff7a56e0998
0x7ff7a56e099a
0x7ff7a56e099d
0x7ff7a56e09a0
0x7ff7a56e09a6
0x7ff7a56e09a9
0x7ff7a56e09b3
0x7ff7a56e09b7
0x7ff7a56e09bf
0x7ff7a56e09c3
0x7ff7a56e09ca
0x7ff7a56e09d6
0x7ff7a56e09da
0x7ff7a56e09e7
0x7ff7a56e09f2
0x7ff7a56e09f6
0x7ff7a56e0a00
0x7ff7a56e0a0e
0x7ff7a56e0a1b
0x7ff7a56e0a20
0x7ff7a56e0a25
0x7ff7a56e0a2a
0x7ff7a56e0a2f
0x7ff7a56e0a36
0x7ff7a56e0a5d

APIs

swprintf.LIBCMT ref: 00007FF7A56E09F6

Strings

%, xrefs: 00007FF7A56E0971
+, xrefs: 00007FF7A56E098B

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 4a7392d89f1e279d8a6d564c2a1305181f93ac8bdff9bcfff4d940475f5d063f
Instruction ID: 5433ec944ad2cbef5803efb36e2b7fe59b47219e72bebab1e7fc40b971e5468d
Opcode Fuzzy Hash: 4a7392d89f1e279d8a6d564c2a1305181f93ac8bdff9bcfff4d940475f5d063f
Instruction Fuzzy Hash: DE516833A0FB81C8FA229A30E45136AA286AF53FD0F95A231DD8D237A1CF3DD0418750

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0A60 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF77FF7A56E0A60(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9) {
				void* __rbx;
				long long _t36;
				signed int _t44;
				signed int _t45;
				intOrPtr _t49;
				void* _t51;
				void* _t52;
				void* _t53;
				signed long long _t63;
				char* _t69;
				char* _t70;
				intOrPtr _t73;
				void* _t74;
				long long _t75;
				long long* _t77;
				void* _t85;
				void* _t87;
				signed long long _t90;

				_t63 =  *0xa5720430; // 0x4918c7c3922
				 *(_t90 + 0xe0) = _t63 ^ _t90;
				_t73 =  *((intOrPtr*)(__r9 + 0x20));
				_t49 = _t73;
				if (_t49 > 0) goto 0xa56e0aa1;
				asm("inc ecx");
				if (_t49 < 0) goto 0xa56e0aa1;
				_t44 =  *(__r9 + 0x18);
				asm("movsd xmm0, [esp+0x158]");
				r9d = 6;
				r9d =  >  ? 0x24 : r9d;
				_t85 = _t87;
				_t74 = _t73 - r9d;
				_t51 = (_t44 & 0x00003000) - 0x2000;
				if (_t51 != 0) goto 0xa56e0b69;
				asm("xorpd xmm3, xmm3");
				asm("movsd xmm4, [0x345eb]");
				asm("comisd xmm3, xmm0");
				if (_t51 <= 0) goto 0xa56e0af3;
				asm("xorpd xmm0, xmm4");
				goto 0xa56e0af5;
				asm("movsd xmm1, [0x345cb]");
				asm("movsd xmm2, [0x345bb]");
				asm("comisd xmm0, xmm1");
				if (_t51 < 0) goto 0xa56e0b27;
				_t52 = _t87 - 0x1388;
				if (_t52 >= 0) goto 0xa56e0b27;
				asm("divsd xmm0, xmm2");
				asm("comisd xmm0, xmm1");
				if (_t52 >= 0) goto 0xa56e0b10;
				asm("comisd xmm0, xmm3");
				if (_t52 <= 0) goto 0xa56e0b61;
				_t53 = _t74 - 0xa;
				if (_t53 < 0) goto 0xa56e0b61;
				asm("movsd xmm1, [0x3457d]");
				asm("comisd xmm1, xmm0");
				if (_t53 < 0) goto 0xa56e0b61;
				if (_t85 - 0x1388 >= 0) goto 0xa56e0b61;
				_t75 = _t74 - 0xa;
				asm("mulsd xmm0, xmm2");
				if (_t75 - 0xa >= 0) goto 0xa56e0b40;
				if (0 == 0) goto 0xa56e0b69;
				asm("xorpd xmm0, xmm4");
				_t77 = _t90 + 0x50;
				 *((char*)(_t90 + 0x60)) = 0x25;
				 *_t77 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t77 + 8)) =  *((intOrPtr*)(__r8 + 8));
				if ((_t44 & 0x00000020) == 0) goto 0xa56e0b95;
				 *((char*)(_t90 + 0x61)) = 0x2b;
				_t69 = _t90 + 0x62;
				if ((_t44 & 0x00000010) == 0) goto 0xa56e0ba0;
				 *_t69 = 0x23;
				_t70 = _t69 + 1;
				 *_t70 = 0x2e;
				_t45 = _t44 & 0x00003000;
				 *((char*)(_t70 + 1)) = 0x2a;
				 *((char*)(_t70 + 2)) = 0x4c;
				if (_t45 != 0x2000) goto 0xa56e0bbd;
				goto 0xa56e0bde;
				if (_t45 != 0x3000) goto 0xa56e0bc9;
				goto 0xa56e0bde;
				r8d = 0x65;
				_t43 =  ==  ? r8d : 0x67;
				 *((char*)(_t70 + 3)) =  ==  ? r8d : 0x67;
				asm("movsd [esp+0x20], xmm0");
				 *((char*)(_t70 + 4)) = 0;
				_t36 = E00007FF77FF7A56E4828(_t90 + 0x60, __r9);
				_t95 = __r9;
				 *((long long*)(_t90 + 0x48)) = _t36;
				 *((long long*)(_t90 + 0x40)) = _t75;
				 *((long long*)(_t90 + 0x38)) = _t85 + 0xa;
				 *((long long*)(_t90 + 0x30)) = _t87 + 0xa;
				 *((long long*)(_t90 + 0x28)) = _t90 + 0x70;
				 *((char*)(_t90 + 0x20)) =  *(_t90 + 0x150) & 0x000000ff;
				E00007FF77FF7A56E0F40( *(_t90 + 0x150) & 0x000000ff, _t45 - 0x1000, _t75, __rcx, __rdx, _t90 + 0x50, __r9);
				return E00007FF77FF7A56E4050( ==  ? r8d : 0x67,  *(_t90 + 0xe0) ^ _t90, __rdx, _t90 + 0x50, _t95);
			}

0x7ff7a56e0a70
0x7ff7a56e0a7a
0x7ff7a56e0a82
0x7ff7a56e0a8f
0x7ff7a56e0a92
0x7ff7a56e0a94
0x7ff7a56e0a9a
0x7ff7a56e0aa1
0x7ff7a56e0aa4
0x7ff7a56e0ab5
0x7ff7a56e0ab8
0x7ff7a56e0ac1
0x7ff7a56e0ac4
0x7ff7a56e0ace
0x7ff7a56e0ad3
0x7ff7a56e0ad9
0x7ff7a56e0add
0x7ff7a56e0ae5
0x7ff7a56e0ae9
0x7ff7a56e0aed
0x7ff7a56e0af1
0x7ff7a56e0af5
0x7ff7a56e0afd
0x7ff7a56e0b05
0x7ff7a56e0b09
0x7ff7a56e0b10
0x7ff7a56e0b17
0x7ff7a56e0b19
0x7ff7a56e0b21
0x7ff7a56e0b25
0x7ff7a56e0b27
0x7ff7a56e0b2b
0x7ff7a56e0b2d
0x7ff7a56e0b31
0x7ff7a56e0b33
0x7ff7a56e0b40
0x7ff7a56e0b44
0x7ff7a56e0b4d
0x7ff7a56e0b4f
0x7ff7a56e0b57
0x7ff7a56e0b5f
0x7ff7a56e0b63
0x7ff7a56e0b65
0x7ff7a56e0b6c
0x7ff7a56e0b71
0x7ff7a56e0b76
0x7ff7a56e0b7d
0x7ff7a56e0b89
0x7ff7a56e0b8b
0x7ff7a56e0b90
0x7ff7a56e0b98
0x7ff7a56e0b9a
0x7ff7a56e0b9d
0x7ff7a56e0ba0
0x7ff7a56e0ba3
0x7ff7a56e0ba9
0x7ff7a56e0bad
0x7ff7a56e0bb7
0x7ff7a56e0bbb
0x7ff7a56e0bc3
0x7ff7a56e0bc7
0x7ff7a56e0bce
0x7ff7a56e0bda
0x7ff7a56e0bde
0x7ff7a56e0beb
0x7ff7a56e0bf6
0x7ff7a56e0bfa
0x7ff7a56e0c04
0x7ff7a56e0c12
0x7ff7a56e0c1f
0x7ff7a56e0c24
0x7ff7a56e0c29
0x7ff7a56e0c2e
0x7ff7a56e0c33
0x7ff7a56e0c3a
0x7ff7a56e0c61

APIs

swprintf.LIBCMT ref: 00007FF7A56E0BFA

Strings

+, xrefs: 00007FF7A56E0B8B
%, xrefs: 00007FF7A56E0B71

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: f56427867cc14d5ba6facdcfc3d5dd5fa3c1aaa7c4077d046ccc8f1ad1e565a5
Instruction ID: 513ca7d597cfc4115f76c7dae3ea3777c83ed3e643bdd094bd43765dcab09ec2
Opcode Fuzzy Hash: f56427867cc14d5ba6facdcfc3d5dd5fa3c1aaa7c4077d046ccc8f1ad1e565a5
Instruction Fuzzy Hash: B9515522A1FB80C9E721AB24E4403AAE796FB97F94F959231DD8D137A1DF3ED0458710

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E6DD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00007FF77FF7A56E6DD4(intOrPtr* __rax, long long __rbx, intOrPtr* __rcx, void* __rdx, void* __r8, long long _a8, long long _a16) {
				signed long long _v24;
				signed int _t28;
				signed long long _t31;
				void* _t34;
				signed long long _t60;
				intOrPtr* _t64;
				signed long long _t72;
				signed long long _t82;
				void* _t83;
				void* _t84;
				void* _t91;

				_t88 = __r8;
				_t77 = __rdx;
				_t66 = __rcx;
				_t58 = __rax;
				_a16 = __rbx;
				_a8 = __rcx;
				_t64 = __rcx;
				if ((0 | __rcx != 0x00000000) != 0) goto 0xa56e6e1b;
				E00007FF77FF7A56E78AC(__rax);
				 *__rax = 0x16;
				_v24 = _v24 & _t82;
				r9d = 0;
				r8d = 0;
				_t28 = E00007FF77FF7A56E4430(__rax, __rcx, __rcx, __rdx, _t83, _t84, __r8);
				goto 0xa56e6eed;
				E00007FF77FF7A56EB4D0(_t28 | 0xffffffff, _t66);
				if (( *(_t64 + 0x18) & 0x00000040) != 0) goto 0xa56e6ec1;
				_t31 = E00007FF77FF7A56F0EB8(_t58, _t64, _t64, _t77, _t83, _t84, _t88);
				if (_t31 == 0xffffffff) goto 0xa56e6e62;
				if (_t31 == 0xfffffffe) goto 0xa56e6e62;
				goto 0xa56e6e73;
				if (( *0x7FF7A57209D8 & 0x0000007f) != 0) goto 0xa56e6e9e;
				if (_t31 == 0xffffffff) goto 0xa56e6e98;
				if (_t31 == 0xfffffffe) goto 0xa56e6e98;
				_t72 = _t31;
				_t60 = _t72 >> 5;
				if (( *(_t72 * 0x58 +  *((intOrPtr*)(0xa57289e0 + _t60 * 8)) + 0x38) & 0x00000080) == 0) goto 0xa56e6ec1;
				E00007FF77FF7A56E78AC(_t60);
				 *_t60 = 0x16;
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				E00007FF77FF7A56E4430(_t60, _t64, _t72 * 0x58 +  *((intOrPtr*)(0xa57289e0 + _t60 * 8)), 0xa57209a0, _t83, _t84, 0xa57289e0);
				if (0xffffffff != 0) goto 0xa56e6ee3;
				 *((intOrPtr*)(_t64 + 8)) =  *((intOrPtr*)(_t64 + 8)) + 0xffffffff;
				if (0xffffffff < 0) goto 0xa56e6ed9;
				 *_t64 =  *_t64 + 1;
				goto 0xa56e6ee3;
				_t34 = E00007FF77FF7A56F0468( *_t64 + 1, _t64, _t64, 0xa57209a0, _t83, _t84, 0xa57289e0, _t91);
				E00007FF77FF7A56EB560(_t34, _t64);
				return _t34;
			}

0x7ff7a56e6dd4
0x7ff7a56e6dd4
0x7ff7a56e6dd4
0x7ff7a56e6dd4
0x7ff7a56e6dd4
0x7ff7a56e6dd9
0x7ff7a56e6de3
0x7ff7a56e6df2
0x7ff7a56e6df4
0x7ff7a56e6df9
0x7ff7a56e6dff
0x7ff7a56e6e04
0x7ff7a56e6e07
0x7ff7a56e6e0e
0x7ff7a56e6e16
0x7ff7a56e6e1b
0x7ff7a56e6e25
0x7ff7a56e6e2e
0x7ff7a56e6e36
0x7ff7a56e6e3b
0x7ff7a56e6e60
0x7ff7a56e6e77
0x7ff7a56e6e7c
0x7ff7a56e6e81
0x7ff7a56e6e83
0x7ff7a56e6e89
0x7ff7a56e6e9c
0x7ff7a56e6e9e
0x7ff7a56e6ea3
0x7ff7a56e6ea9
0x7ff7a56e6eaf
0x7ff7a56e6eb2
0x7ff7a56e6eb9
0x7ff7a56e6ec3
0x7ff7a56e6ec5
0x7ff7a56e6ec9
0x7ff7a56e6ed4
0x7ff7a56e6ed7
0x7ff7a56e6edc
0x7ff7a56e6ee6
0x7ff7a56e6ef7

APIs

_errno.LIBCMT ref: 00007FF7A56E6DF4

Part of subcall function 00007FF7A56E4430: DecodePointer.KERNEL32 ref: 00007FF7A56E4457

_errno.LIBCMT ref: 00007FF7A56E6E9E

Strings

@, xrefs: 00007FF7A56E6E21

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$DecodePointer
String ID: @
API String ID: 2310398763-2766056989
Opcode ID: 72ca26e853ff08c01ad7965e478854bad7cf710359f113a4bafd6f72de130865
Instruction ID: 56490990fe84ad8ae4196ebc96996e66cedbd1d0dfa82674e623c24559592467
Opcode Fuzzy Hash: 72ca26e853ff08c01ad7965e478854bad7cf710359f113a4bafd6f72de130865
Instruction Fuzzy Hash: B831F032A1F64281EB54AA74E814339A252AF96F64F966731DE6E461F1CF2EE400C220

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E69E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00007FF77FF7A56E69E4(void* __ecx, void* __edx, long long __rbx, void* __rdx, long long _a8) {
				signed long long _v24;
				void* _t37;
				signed long long _t41;
				void* _t55;
				void* _t56;
				void* _t60;
				signed long long _t62;

				_a8 = __rbx;
				if (( *(__rdx + 0x18) & 0x00000040) != 0) goto 0xa56e6a97;
				_t62 = E00007FF77FF7A56F0EB8(_t37, __rdx, __rdx, __rdx, _t55, _t56, _t60);
				if (r11d == 0xffffffff) goto 0xa56e6a39;
				if (r11d == 0xfffffffe) goto 0xa56e6a39;
				goto 0xa56e6a3c;
				if (( *0x7FF7A57209D8 & 0x0000007f) != 0) goto 0xa56e6a69;
				if (r11d == 0xffffffff) goto 0xa56e6a63;
				if (r11d == 0xfffffffe) goto 0xa56e6a63;
				_t41 = _t62 >> 5;
				if (( *(_t62 * 0x58 +  *((intOrPtr*)(0xa57289e0 + _t41 * 8)) + 0x38) & 0x00000080) == 0) goto 0xa56e6a97;
				E00007FF77FF7A56E78AC(_t41);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *_t41 = 0x16;
				return E00007FF77FF7A56E4430(_t41, __rdx, 0xa57209a0, _t62 * 0x58 +  *((intOrPtr*)(0xa57289e0 + _t41 * 8)), _t55, _t56, 0xa57289e0) | 0xffffffff;
			}

0x7ff7a56e69e4
0x7ff7a56e69f7
0x7ff7a56e6a13
0x7ff7a56e6a1a
0x7ff7a56e6a20
0x7ff7a56e6a37
0x7ff7a56e6a40
0x7ff7a56e6a46
0x7ff7a56e6a4c
0x7ff7a56e6a57
0x7ff7a56e6a67
0x7ff7a56e6a69
0x7ff7a56e6a6e
0x7ff7a56e6a74
0x7ff7a56e6a77
0x7ff7a56e6a7e
0x7ff7a56e6a96

APIs

_getbuf.LIBCMT ref: 00007FF7A56E6AB8

Part of subcall function 00007FF7A56F0EB8: _errno.LIBCMT ref: 00007FF7A56F0EC1

_errno.LIBCMT ref: 00007FF7A56E6A69

Strings

@, xrefs: 00007FF7A56E6AD5

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno$_getbuf
String ID: @
API String ID: 606515832-2766056989
Opcode ID: a4fa89e5b4d4656ba4716eb9c8b861f2449aaef3002945440b091910db96db11
Instruction ID: 15fba9465bea6b6f5a6f97aff5fedb9452528f40b4311d225755d3832d30664d
Opcode Fuzzy Hash: a4fa89e5b4d4656ba4716eb9c8b861f2449aaef3002945440b091910db96db11
Instruction Fuzzy Hash: E031FB72D1BB46C0EB649A2CE44A33866929B52F68FB6E235CE1D012F5CF7DD851C260

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0630 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56E0630(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				long long _t28;
				signed int _t32;
				signed int _t34;
				signed long long _t47;
				char* _t52;
				char* _t53;
				long long* _t58;
				signed long long _t68;

				_t47 =  *0xa5720430; // 0x4918c7c3922
				_v40 = _t47 ^ _t68;
				_t58 =  &_v136;
				 *_t58 =  *((intOrPtr*)(__r8));
				_t34 =  *(__r9 + 0x18);
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_v120 = 0x25;
				if ((_t34 & 0x00000020) == 0) goto 0xa56e0686;
				_v119 = 0x2b;
				_t52 =  &_v118;
				if ((_t34 & 0x00000008) == 0) goto 0xa56e0691;
				 *_t52 = 0x23;
				_t53 = _t52 + 1;
				 *_t53 = 0x49;
				 *((char*)(_t53 + 1)) = 0x36;
				_t32 = _t34 & 0x00000e00;
				 *((char*)(_t53 + 2)) = 0x34;
				if (_t32 != 0x400) goto 0xa56e06b0;
				goto 0xa56e06c7;
				if (_t32 == 0x800) goto 0xa56e06bc;
				goto 0xa56e06c7;
				 *((char*)(_t53 + 3)) = 0x78;
				 *((char*)(_t53 + 4)) = 0;
				_t28 = E00007FF77FF7A56E4828( &_v120, _a48);
				_t74 = __r9;
				_v152 = _t28;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF77FF7A56E1B30(0x40, _t32 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF77FF7A56E4050(_a40 & 0x000000ff, _v40 ^ _t68, __rdx,  &_v136, _t74);
			}

0x7ff7a56e063b
0x7ff7a56e0645
0x7ff7a56e0653
0x7ff7a56e0658
0x7ff7a56e0662
0x7ff7a56e0666
0x7ff7a56e0672
0x7ff7a56e067a
0x7ff7a56e067c
0x7ff7a56e0681
0x7ff7a56e0689
0x7ff7a56e068b
0x7ff7a56e068e
0x7ff7a56e0691
0x7ff7a56e0696
0x7ff7a56e069a
0x7ff7a56e06a0
0x7ff7a56e06aa
0x7ff7a56e06ae
0x7ff7a56e06b6
0x7ff7a56e06ba
0x7ff7a56e06cf
0x7ff7a56e06e1
0x7ff7a56e06e5
0x7ff7a56e06ef
0x7ff7a56e06fd
0x7ff7a56e070a
0x7ff7a56e070f
0x7ff7a56e0716
0x7ff7a56e0738

APIs

swprintf.LIBCMT ref: 00007FF7A56E06E5

Strings

+, xrefs: 00007FF7A56E067C
%, xrefs: 00007FF7A56E0672

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 199c0298df90e3aed58233d8eadc2c7ef0cc3010c3b583627453f619fa6fd15e
Instruction ID: 2517890d19ed90c2caaa68df0ce10f49ef73e27be6639233ac9eda9c02d157eb
Opcode Fuzzy Hash: 199c0298df90e3aed58233d8eadc2c7ef0cc3010c3b583627453f619fa6fd15e
Instruction Fuzzy Hash: 4C31F41250E7C1C9EB219B15E4903AAB792E78AF94F858035DF8C077A5CF3EC409C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56FB5D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 75%

			E00007FF77FF7A56FB5D4(intOrPtr* __rax, long long __rbx, char* __rcx, void* __rdx, void* __rsi, void* __rbp, void* __r8, void* __r9, long long _a8) {
				signed long long _v24;
				void* _t17;
				void* _t19;
				void* _t34;
				char* _t40;
				char* _t41;
				char* _t42;
				char* _t44;
				char* _t46;
				void* _t49;
				char* _t59;

				_t49 = __rdx;
				_t46 = __rcx;
				_a8 = __rbx;
				_t59 =  *((intOrPtr*)(__r9 + 0x10));
				_t44 = __rcx;
				if (__rcx != 0) goto 0xa56fb612;
				E00007FF77FF7A56E78AC(__rax);
				_v24 = _v24 & 0x00000000;
				r9d = 0;
				r8d = 0;
				 *__rax = 0x16;
				E00007FF77FF7A56E4430(__rax, __rcx, __rcx, __rdx, __rsi, __rbp, __r8);
				goto 0xa56fb6a2;
				if (_t49 == 0) goto 0xa56fb5ea;
				 *_t46 = 0;
				_t16 =  >  ? r8d : 0;
				_t17 = ( >  ? r8d : 0) + 1;
				if (_t49 - __rax > 0) goto 0xa56fb638;
				_t19 = E00007FF77FF7A56E78AC(__rax);
				goto 0xa56fb5f4;
				 *_t46 = 0x30;
				_t5 = _t46 + 1; // 0x1
				_t40 = _t5;
				goto 0xa56fb65d;
				if ( *_t59 == 0) goto 0xa56fb650;
				goto 0xa56fb655;
				 *_t40 = 0x30;
				_t41 = _t40 + 1;
				r8d = r8d - 1;
				_t34 = r8d;
				if (_t34 > 0) goto 0xa56fb641;
				 *_t41 = 0;
				if (_t34 < 0) goto 0xa56fb67c;
				if ( *((char*)(_t59 + 1)) - 0x35 < 0) goto 0xa56fb67c;
				goto 0xa56fb672;
				 *_t41 = 0x30;
				_t42 = _t41 - 1;
				if ( *_t42 == 0x39) goto 0xa56fb66f;
				 *_t42 =  *_t42 + 1;
				if ( *_t44 != 0x31) goto 0xa56fb687;
				 *((intOrPtr*)(__r9 + 4)) =  *((intOrPtr*)(__r9 + 4)) + 1;
				goto 0xa56fb6a0;
				_t8 = _t44 + 1; // 0x1
				E00007FF77FF7A56E70C0(_t19, _t8);
				_t9 = _t44 + 1; // 0x1
				_t10 = _t42 + 1; // 0x1
				E00007FF77FF7A56EAE90(0x30,  *_t44 - 0x31, _t44, _t9, _t10);
				return 0;
			}

0x7ff7a56fb5d4
0x7ff7a56fb5d4
0x7ff7a56fb5d4
0x7ff7a56fb5de
0x7ff7a56fb5e2
0x7ff7a56fb5e8
0x7ff7a56fb5ea
0x7ff7a56fb5f4
0x7ff7a56fb5fa
0x7ff7a56fb5fd
0x7ff7a56fb604
0x7ff7a56fb606
0x7ff7a56fb60d
0x7ff7a56fb615
0x7ff7a56fb61c
0x7ff7a56fb61f
0x7ff7a56fb623
0x7ff7a56fb62a
0x7ff7a56fb62c
0x7ff7a56fb636
0x7ff7a56fb638
0x7ff7a56fb63b
0x7ff7a56fb63b
0x7ff7a56fb63f
0x7ff7a56fb645
0x7ff7a56fb64e
0x7ff7a56fb655
0x7ff7a56fb657
0x7ff7a56fb65a
0x7ff7a56fb65d
0x7ff7a56fb660
0x7ff7a56fb662
0x7ff7a56fb665
0x7ff7a56fb66b
0x7ff7a56fb66d
0x7ff7a56fb66f
0x7ff7a56fb672
0x7ff7a56fb678
0x7ff7a56fb67a
0x7ff7a56fb67f
0x7ff7a56fb681
0x7ff7a56fb685
0x7ff7a56fb687
0x7ff7a56fb68b
0x7ff7a56fb690
0x7ff7a56fb697
0x7ff7a56fb69b
0x7ff7a56fb6ac

APIs

_errno.LIBCMT ref: 00007FF7A56FB5EA
_errno.LIBCMT ref: 00007FF7A56FB62C

Strings

1, xrefs: 00007FF7A56FB67C

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _errno
String ID: 1
API String ID: 2918714741-2212294583
Opcode ID: 9de920149e30724e33a27b75c9f7a44d4c9aef464fb0973900e33d5a7901a343
Instruction ID: 6cf487e8e4a6901f4555871938a3ba80e3dfa400c11722e787a79f572ca78fa0
Opcode Fuzzy Hash: 9de920149e30724e33a27b75c9f7a44d4c9aef464fb0973900e33d5a7901a343
Instruction Fuzzy Hash: 9D21E763E1F2C285F757AA28841437DAB929F47F44FDA9030CA8D066F2DE1E9484C731

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0740 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56E0740(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				long long _t28;
				signed int _t32;
				signed int _t34;
				signed long long _t47;
				char* _t52;
				char* _t53;
				long long* _t58;
				signed long long _t68;

				_t47 =  *0xa5720430; // 0x4918c7c3922
				_v40 = _t47 ^ _t68;
				_t58 =  &_v136;
				 *_t58 =  *((intOrPtr*)(__r8));
				_t34 =  *(__r9 + 0x18);
				 *((long long*)(_t58 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_v120 = 0x25;
				if ((_t34 & 0x00000020) == 0) goto 0xa56e0796;
				_v119 = 0x2b;
				_t52 =  &_v118;
				if ((_t34 & 0x00000008) == 0) goto 0xa56e07a1;
				 *_t52 = 0x23;
				_t53 = _t52 + 1;
				 *_t53 = 0x49;
				 *((char*)(_t53 + 1)) = 0x36;
				_t32 = _t34 & 0x00000e00;
				 *((char*)(_t53 + 2)) = 0x34;
				if (_t32 != 0x400) goto 0xa56e07c0;
				goto 0xa56e07d7;
				if (_t32 == 0x800) goto 0xa56e07cc;
				goto 0xa56e07d7;
				 *((char*)(_t53 + 3)) = 0x78;
				 *((char*)(_t53 + 4)) = 0;
				_t28 = E00007FF77FF7A56E4828( &_v120, _a48);
				_t74 = __r9;
				_v152 = _t28;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF77FF7A56E1B30(0x40, _t32 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF77FF7A56E4050(_a40 & 0x000000ff, _v40 ^ _t68, __rdx,  &_v136, _t74);
			}

0x7ff7a56e074b
0x7ff7a56e0755
0x7ff7a56e0763
0x7ff7a56e0768
0x7ff7a56e0772
0x7ff7a56e0776
0x7ff7a56e0782
0x7ff7a56e078a
0x7ff7a56e078c
0x7ff7a56e0791
0x7ff7a56e0799
0x7ff7a56e079b
0x7ff7a56e079e
0x7ff7a56e07a1
0x7ff7a56e07a6
0x7ff7a56e07aa
0x7ff7a56e07b0
0x7ff7a56e07ba
0x7ff7a56e07be
0x7ff7a56e07c6
0x7ff7a56e07ca
0x7ff7a56e07df
0x7ff7a56e07f1
0x7ff7a56e07f5
0x7ff7a56e07ff
0x7ff7a56e080d
0x7ff7a56e081a
0x7ff7a56e081f
0x7ff7a56e0826
0x7ff7a56e0848

APIs

swprintf.LIBCMT ref: 00007FF7A56E07F5

Strings

+, xrefs: 00007FF7A56E078C
%, xrefs: 00007FF7A56E0782

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 3bca78181c14e379637e49068abc0e93dd171a5e81286bc63a8eb4f6a4bf3c7a
Instruction ID: 246861b1af7dff8e6e9bbd86533cae9bcfa11065a27a6bf5fdf6312f3728c155
Opcode Fuzzy Hash: 3bca78181c14e379637e49068abc0e93dd171a5e81286bc63a8eb4f6a4bf3c7a
Instruction Fuzzy Hash: 8F31D11260E7C1C9EB219B14E4943AAB792EB8AF94F999035DF8C03B95DF7DC409CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0530 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56E0530(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				signed int _t26;
				long long _t33;
				signed int _t37;
				signed long long _t45;
				long long* _t53;
				char* _t61;
				char* _t62;
				signed long long _t66;

				_t45 =  *0xa5720430; // 0x4918c7c3922
				_v40 = _t45 ^ _t66;
				_t53 =  &_v136;
				 *_t53 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t53 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t26 =  *(__r9 + 0x18);
				_v120 = 0x25;
				if ((_t26 & 0x00000020) == 0) goto 0xa56e0585;
				_v119 = 0x2b;
				_t61 =  &_v118;
				if ((_t26 & 0x00000008) == 0) goto 0xa56e058f;
				 *_t61 = 0x23;
				_t62 = _t61 + 1;
				 *_t62 = 0x6c;
				_t37 = _t26 & 0x00000e00;
				if (_t37 != 0x400) goto 0xa56e05a6;
				goto 0xa56e05bb;
				if (_t37 == 0x800) goto 0xa56e05b2;
				goto 0xa56e05bb;
				r9d = _a48;
				 *((char*)(_t62 + 1)) = 0x78;
				 *((char*)(_t62 + 2)) = 0;
				_t33 = E00007FF77FF7A56E4828( &_v120, __r9);
				_t71 = __r9;
				_v152 = _t33;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF77FF7A56E1B30(0x40, _t37 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF77FF7A56E4050(_a40 & 0x000000ff, _v40 ^ _t66, __rdx,  &_v136, _t71);
			}

0x7ff7a56e053b
0x7ff7a56e0545
0x7ff7a56e0553
0x7ff7a56e0558
0x7ff7a56e0562
0x7ff7a56e0566
0x7ff7a56e056d
0x7ff7a56e0579
0x7ff7a56e057b
0x7ff7a56e0580
0x7ff7a56e0587
0x7ff7a56e0589
0x7ff7a56e058c
0x7ff7a56e0591
0x7ff7a56e0594
0x7ff7a56e05a0
0x7ff7a56e05a4
0x7ff7a56e05ac
0x7ff7a56e05b0
0x7ff7a56e05bb
0x7ff7a56e05c3
0x7ff7a56e05c6
0x7ff7a56e05d9
0x7ff7a56e05e3
0x7ff7a56e05f1
0x7ff7a56e05fe
0x7ff7a56e0603
0x7ff7a56e060a
0x7ff7a56e062c

APIs

swprintf.LIBCMT ref: 00007FF7A56E05D9

Strings

%, xrefs: 00007FF7A56E056D
+, xrefs: 00007FF7A56E057B

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: 1df7e744390f40849ec1a5d9bdad50f2f4d21f9ca7a496e96129a9086ee3ae5b
Instruction ID: 6f8e1947d730db4afdeaa6cca4aa3184f129e011a0ca155f201004aa6ad0f17f
Opcode Fuzzy Hash: 1df7e744390f40849ec1a5d9bdad50f2f4d21f9ca7a496e96129a9086ee3ae5b
Instruction Fuzzy Hash: 4721DD6260E7C0C9EB219B14E4503AAB761EB9AF94F945035DE8C03B99DF6CD046CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56E0430 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00007FF77FF7A56E0430(void* __rcx, void* __rdx, intOrPtr* __r8, void* __r9, signed int _a40, intOrPtr _a48) {
				signed int _v40;
				char _v104;
				char _v118;
				char _v119;
				char _v120;
				char _v136;
				long long _v152;
				long long _v160;
				char _v168;
				void* __rbx;
				signed int _t26;
				long long _t33;
				signed int _t37;
				signed long long _t45;
				long long* _t53;
				char* _t61;
				char* _t62;
				signed long long _t66;

				_t45 =  *0xa5720430; // 0x4918c7c3922
				_v40 = _t45 ^ _t66;
				_t53 =  &_v136;
				 *_t53 =  *((intOrPtr*)(__r8));
				 *((long long*)(_t53 + 8)) =  *((intOrPtr*)(__r8 + 8));
				_t26 =  *(__r9 + 0x18);
				_v120 = 0x25;
				if ((_t26 & 0x00000020) == 0) goto 0xa56e0485;
				_v119 = 0x2b;
				_t61 =  &_v118;
				if ((_t26 & 0x00000008) == 0) goto 0xa56e048f;
				 *_t61 = 0x23;
				_t62 = _t61 + 1;
				 *_t62 = 0x6c;
				_t37 = _t26 & 0x00000e00;
				if (_t37 != 0x400) goto 0xa56e04a6;
				goto 0xa56e04bb;
				if (_t37 == 0x800) goto 0xa56e04b2;
				goto 0xa56e04bb;
				r9d = _a48;
				 *((char*)(_t62 + 1)) = 0x78;
				 *((char*)(_t62 + 2)) = 0;
				_t33 = E00007FF77FF7A56E4828( &_v120, __r9);
				_t71 = __r9;
				_v152 = _t33;
				_v160 =  &_v104;
				_v168 = _a40 & 0x000000ff;
				E00007FF77FF7A56E1B30(0x40, _t37 - 0x800, __rdx, __rcx, __rdx,  &_v136, __r9);
				return E00007FF77FF7A56E4050(_a40 & 0x000000ff, _v40 ^ _t66, __rdx,  &_v136, _t71);
			}

0x7ff7a56e043b
0x7ff7a56e0445
0x7ff7a56e0453
0x7ff7a56e0458
0x7ff7a56e0462
0x7ff7a56e0466
0x7ff7a56e046d
0x7ff7a56e0479
0x7ff7a56e047b
0x7ff7a56e0480
0x7ff7a56e0487
0x7ff7a56e0489
0x7ff7a56e048c
0x7ff7a56e0491
0x7ff7a56e0494
0x7ff7a56e04a0
0x7ff7a56e04a4
0x7ff7a56e04ac
0x7ff7a56e04b0
0x7ff7a56e04bb
0x7ff7a56e04c3
0x7ff7a56e04c6
0x7ff7a56e04d9
0x7ff7a56e04e3
0x7ff7a56e04f1
0x7ff7a56e04fe
0x7ff7a56e0503
0x7ff7a56e050a
0x7ff7a56e052c

APIs

swprintf.LIBCMT ref: 00007FF7A56E04D9

Strings

%, xrefs: 00007FF7A56E046D
+, xrefs: 00007FF7A56E047B

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: swprintf
String ID: %$+
API String ID: 233258989-2626897407
Opcode ID: d3730cdb89768898581950ed3844910f35159086da06fdda1a3db010544c9348
Instruction ID: addc3198afb84760a4e22ddbfdfb6a3199a77e1db3f51cb31b82fcd840228170
Opcode Fuzzy Hash: d3730cdb89768898581950ed3844910f35159086da06fdda1a3db010544c9348
Instruction Fuzzy Hash: 6E21DD6260A7C0C9EB21DB14E4503AEB761EB9AF94F845135EE8C03B99DF6CD046CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A570C547 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E00007FF77FF7A570C547(void* __ecx, void* __rax, void* __rdx) {
				void* __rbx;
				void* _t14;
				void* _t17;
				void* _t27;
				void* _t28;
				intOrPtr* _t29;
				void* _t36;

				_t27 = __rax;
				_t18 = __ecx;
				_t36 = __rdx;
				E00007FF77FF7A56E771C(__rax, _t28,  *((intOrPtr*)(__rdx + 0x50)));
				if ( *((intOrPtr*)(__rdx + 0x20)) != 0) goto 0xa570c5a7;
				_t29 =  *((intOrPtr*)(__rdx + 0xd8));
				if ( *_t29 != 0xe06d7363) goto 0xa570c5a7;
				if ( *((intOrPtr*)(_t29 + 0x18)) != 4) goto 0xa570c5a7;
				if ( *((intOrPtr*)(_t29 + 0x20)) == 0x19930520) goto 0xa570c590;
				if ( *((intOrPtr*)(_t29 + 0x20)) == 0x19930521) goto 0xa570c590;
				if ( *((intOrPtr*)(_t29 + 0x20)) != 0x19930522) goto 0xa570c5a7;
				_t14 = E00007FF77FF7A56E76E8(__rax,  *((intOrPtr*)(_t29 + 0x28)));
				_t26 = _t14;
				if (_t14 == 0) goto 0xa570c5a7;
				E00007FF77FF7A56E93E4(1, _t29);
				E00007FF77FF7A56EB93C(__ecx, _t14, _t27);
				 *((long long*)(_t27 + 0xf0)) =  *((intOrPtr*)(_t36 + 0xe0));
				_t17 = E00007FF77FF7A56EB93C(_t18, _t26, _t27);
				 *((long long*)(_t27 + 0xf8)) =  *((intOrPtr*)(_t36 + 0xe8));
				return _t17;
			}

0x7ff7a570c547
0x7ff7a570c547
0x7ff7a570c54e
0x7ff7a570c555
0x7ff7a570c55e
0x7ff7a570c560
0x7ff7a570c56d
0x7ff7a570c573
0x7ff7a570c57c
0x7ff7a570c585
0x7ff7a570c58e
0x7ff7a570c594
0x7ff7a570c599
0x7ff7a570c59b
0x7ff7a570c5a2
0x7ff7a570c5a7
0x7ff7a570c5b3
0x7ff7a570c5ba
0x7ff7a570c5c6
0x7ff7a570c5d3

APIs

Part of subcall function 00007FF7A56E771C: _getptd.LIBCMT ref: 00007FF7A56E7729
Part of subcall function 00007FF7A56E771C: _getptd.LIBCMT ref: 00007FF7A56E773C

_getptd.LIBCMT ref: 00007FF7A570C5A7
_getptd.LIBCMT ref: 00007FF7A570C5BA

Strings

csm, xrefs: 00007FF7A570C567

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: _getptd
String ID: csm
API String ID: 3186804695-1018135373
Opcode ID: 97aebfb5d78ca228d74b9f39178d7e69d976561db45659c44281a7df79628fe9
Instruction ID: 7ff2ccc1b5d3b88b209983de917a1dbfbbeb032efbd75c23c5106d13048d791a
Opcode Fuzzy Hash: 97aebfb5d78ca228d74b9f39178d7e69d976561db45659c44281a7df79628fe9
Instruction Fuzzy Hash: E8018866906642C9DB306F2388442BCA3A5EF5EF49F9A1135CD0D1A666CF29D480C310

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF7A56F31E8 Relevance: 5.1, APIs: 4, Instructions: 148
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E00007FF77FF7A56F31E8(void* __ecx, void* __ebp, signed int* __rbx, long long __rcx, signed int __rsi) {
				void* __rdi;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				char _t44;
				char _t45;
				char _t46;
				void* _t52;
				signed int _t58;
				void* _t65;
				void* _t73;
				signed int* _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int* _t80;
				char* _t100;
				char* _t101;
				void* _t102;
				long long _t105;
				signed int _t107;
				signed int* _t109;
				signed int* _t111;
				void* _t112;
				char* _t115;
				void* _t118;
				void* _t120;
				signed int* _t123;
				void* _t125;
				signed int* _t127;
				void* _t129;
				signed int* _t130;

				_t80 = __rbx;
				_t52 = __ecx;
				_t75 = _t111;
				_t75[2] = __rbx;
				_t75[4] = _t107;
				_t75[6] = __rsi;
				_t112 = _t111 - 0x40;
				_t105 = __rcx;
				 *((long long*)(_t75 - 0x38)) = __rcx;
				 *((long long*)(_t75 - 0x30)) = __rbx;
				if ( *((intOrPtr*)(__rcx + 0x1c)) != 0) goto 0xa56f322d;
				if ( *((intOrPtr*)(__rcx + 0x18)) != 0) goto 0xa56f322d;
				goto 0xa56f3385;
				_t8 = _t102 - 0x57; // 0x1
				r12d = _t8;
				E00007FF77FF7A56EA5E0(__rbx, _t118, _t102, _t102, __rcx, 0xa57201a0, _t129, _t125);
				_t109 = _t75;
				if (_t75 != _t80) goto 0xa56f3251;
				goto 0xa56f33d6;
				E00007FF77FF7A56EAE90(_t52, _t75 - _t80, _t75,  *(_t105 + 0x128), _t102);
				E00007FF77FF7A56EA574(__ebp, _t75, _t80, _t102, _t105, _t109);
				_t127 = _t75;
				if (_t75 != _t80) goto 0xa56f3282;
				free(_t120);
				goto 0xa56f3249;
				 *_t75 = 0;
				if ( *((intOrPtr*)(_t105 + 0x1c)) == 0) goto 0xa56f3355;
				E00007FF77FF7A56EA574(__ebp, _t75, _t80, _t102, _t105, _t109);
				_t65 = _t75 - _t80;
				if (_t65 == 0) goto 0xa56f3310;
				 *_t75 = 0;
				_t58 =  *(_t105 + 0x3e) & 0x0000ffff;
				r9d = 0xe;
				r8d = _t58;
				 *(_t112 + 0x20) = _t109;
				_t39 = E00007FF77FF7A56EFB68(0, r12d, _t80, _t112 + 0x30, _t102);
				_t14 =  &(_t109[2]); // 0x8
				 *(_t112 + 0x20) = _t14;
				r9d = 0xf;
				r8d = _t58;
				_t40 = E00007FF77FF7A56EFB68(_t39, r12d, _t80, _t112 + 0x30, _t102);
				_t17 =  &(_t109[4]); // 0x10
				_t130 = _t17;
				r9d = 0x10;
				r8d = _t58;
				 *(_t112 + 0x20) = _t130;
				_t41 = E00007FF77FF7A56EFB68(_t39 | _t40, r12d, _t80, _t112 + 0x30, _t102);
				if (_t65 == 0) goto 0xa56f3320;
				E00007FF77FF7A56F31A0(_t41 | _t39 | _t40, _t109);
				r12d = r12d | 0xffffffff;
				free(_t118);
				goto 0xa56f327b;
				_t100 =  *_t130;
				goto 0xa56f3338;
				_t44 =  *_t100;
				if (_t44 - 0x30 < 0) goto 0xa56f333e;
				if (_t44 - 0x39 > 0) goto 0xa56f333e;
				_t45 = _t44 - 0x30;
				 *_t100 = _t45;
				_t101 = _t100 + _t118;
				if ( *_t101 != 0) goto 0xa56f3327;
				goto 0xa56f3379;
				if (_t45 != 0x3b) goto 0xa56f3335;
				_t115 = _t101;
				_t46 =  *((intOrPtr*)(_t115 + 1));
				 *_t115 = _t46;
				if (_t46 != 0) goto 0xa56f3345;
				goto 0xa56f3338;
				_t76 =  *0xa57201a0; // 0x7ff7a5720190
				_t123 = _t80;
				 *_t109 = _t76;
				_t77 =  *0xa57201a8; // 0x7ff7a5723064
				_t109[2] = _t77;
				_t78 =  *0xa57201b0; // 0x7ff7a5723064
				_t109[4] = _t78;
				 *_t127 = r12d;
				if (_t123 == _t80) goto 0xa56f3385;
				 *_t123 = r12d;
				if ( *(_t105 + 0x118) == _t80) goto 0xa56f3395;
				asm("lock add dword [eax], 0xffffffff");
				_t73 =  *(_t105 + 0x110) - _t80;
				if (_t73 == 0) goto 0xa56f33bf;
				asm("lock add dword [ecx], 0xffffffff");
				if (_t73 != 0) goto 0xa56f33bf;
				free(_t102);
				free(??);
				 *(_t105 + 0x118) = _t123;
				 *(_t105 + 0x110) = _t127;
				 *(_t105 + 0x128) = _t109;
				return 0;
			}

0x7ff7a56f31e8
0x7ff7a56f31e8
0x7ff7a56f31e8
0x7ff7a56f31eb
0x7ff7a56f31ef
0x7ff7a56f31f3
0x7ff7a56f3200
0x7ff7a56f3206
0x7ff7a56f3209
0x7ff7a56f320d
0x7ff7a56f3214
0x7ff7a56f3219
0x7ff7a56f3228
0x7ff7a56f3235
0x7ff7a56f3235
0x7ff7a56f323c
0x7ff7a56f3241
0x7ff7a56f3247
0x7ff7a56f324c
0x7ff7a56f325e
0x7ff7a56f326b
0x7ff7a56f3270
0x7ff7a56f3276
0x7ff7a56f327b
0x7ff7a56f3280
0x7ff7a56f3282
0x7ff7a56f3287
0x7ff7a56f3290
0x7ff7a56f3298
0x7ff7a56f329b
0x7ff7a56f329d
0x7ff7a56f329f
0x7ff7a56f32a8
0x7ff7a56f32b1
0x7ff7a56f32b4
0x7ff7a56f32b9
0x7ff7a56f32be
0x7ff7a56f32c2
0x7ff7a56f32cc
0x7ff7a56f32d2
0x7ff7a56f32da
0x7ff7a56f32df
0x7ff7a56f32df
0x7ff7a56f32e8
0x7ff7a56f32ee
0x7ff7a56f32f6
0x7ff7a56f32fb
0x7ff7a56f3302
0x7ff7a56f3307
0x7ff7a56f330c
0x7ff7a56f3313
0x7ff7a56f331b
0x7ff7a56f3320
0x7ff7a56f3325
0x7ff7a56f3327
0x7ff7a56f332b
0x7ff7a56f332f
0x7ff7a56f3331
0x7ff7a56f3333
0x7ff7a56f3335
0x7ff7a56f333a
0x7ff7a56f333c
0x7ff7a56f3340
0x7ff7a56f3342
0x7ff7a56f3345
0x7ff7a56f3349
0x7ff7a56f3351
0x7ff7a56f3353
0x7ff7a56f3355
0x7ff7a56f335c
0x7ff7a56f335f
0x7ff7a56f3363
0x7ff7a56f336a
0x7ff7a56f336e
0x7ff7a56f3375
0x7ff7a56f3379
0x7ff7a56f337f
0x7ff7a56f3381
0x7ff7a56f338f
0x7ff7a56f3391
0x7ff7a56f339c
0x7ff7a56f339f
0x7ff7a56f33a1
0x7ff7a56f33a5
0x7ff7a56f33ae
0x7ff7a56f33ba
0x7ff7a56f33bf
0x7ff7a56f33c6
0x7ff7a56f33cd
0x7ff7a56f33f3

APIs

free.LIBCMT ref: 00007FF7A56F327B
free.LIBCMT ref: 00007FF7A56F3313
free.LIBCMT ref: 00007FF7A56F33AE
free.LIBCMT ref: 00007FF7A56F33BA

Memory Dump Source

Source File: 00000019.00000002.393096520.00007FF7A56D1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FF7A56D0000, based on PE: true

Associated: 00000019.00000002.393086860.00007FF7A56D0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393387487.00007FF7A5710000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393562194.00007FF7A5720000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393792362.00007FF7A572A000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000019.00000002.393835612.00007FF7A572F000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_25_2_7ff7a56d0000_EsgInstallerDelay__1.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8821a1df296688c370d858aa2f429f45ff0a23e2406f815d5f3f7c622645e2ca
Instruction ID: 615c635ea1991c0b34d87191e7725d922daac7ed8e50c96f13eede3781d77960
Opcode Fuzzy Hash: 8821a1df296688c370d858aa2f429f45ff0a23e2406f815d5f3f7c622645e2ca
Instruction Fuzzy Hash: FA519133F0A68186EA64EF16A4401BDB792BB46F80F865531DE9D477A1CE3CE546C360

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\EnigmaSoft\SpyHunter\Defs\Rh\full.dat

C:\Program Files\EnigmaSoft\SpyHunter\Defs\full.def

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Albanian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Bulgarian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Simplified).lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Chinese (Traditional).lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Croatian.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Czech.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Danish.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Dutch.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\English.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\Finnish.lng

C:\Program Files\EnigmaSoft\SpyHunter\Languages\French.lng

Windows Analysis Report
file.exe

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.
Tactics:	Impact
Data Sources:	File monitoring, Kernel drivers, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre